CN102255804A - Message processing method, device and network equipment - Google Patents
- Publication number
- CN102255804A
- Authority
- CN
- China
- Prior art keywords
- address
- source
- filter table
- receiving port
- data message
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a message processing method, a message processing device and network equipment. In the method, a hardware chip forwards or discards a received data message according to a first filter table and/or a second filter table, where the first filter table contains the binding relationships between source address and receiving port for data messages that are permitted to be forwarded, and the second filter table contains the binding relationships between source address and receiving port for data messages undergoing software processing. When the hardware chip cannot determine from the first and second filter tables whether to forward or discard the data message, it sends the data message to a central processing unit (CPU) for software processing. The CPU performs reachability detection on the source address of the data message, according to the data message, so that data messages can be forwarded or discarded, and discards the data message itself. The technical scheme provided by the invention improves message processing efficiency and saves CPU resources.
Description
Technical field
The present invention relates to network communication technology, and in particular to a message processing method, a message processing device and network equipment.
Background art
In the traditional Internet architecture, message forwarding is based mainly on the destination Internet Protocol (IP) address, and the source IP address plays no role. Attackers therefore often exploit the untraceability of source addresses to forge large numbers of attack messages and send them to network equipment in order to attack it. To improve the security of message forwarding and of network equipment, the Source Address Validation Improvement (SAVI) working group of the Internet Engineering Task Force (IETF) proposed the SAVI protocol, which validates source IP addresses and so prevents attacks. SAVI requires evidence that a message really comes from the network device identified by its source IP address, and therefore introduces the concept of a binding anchor. A binding anchor must be hard to forge; the one most commonly used at present is the port number of a switch on which SAVI is deployed (hereinafter a SAVI device), that is, the identity of the message sender is uniquely determined by binding a port number of the SAVI device to an IP address.
A SAVI device records binding relationships and binding states mainly in a filter table (Filtering Table, FT) and a binding state table (Binding State Table, BST). The FT stores the binding relationships and is the basis on which messages are filtered. The BST records the binding state between source IP address and port number and controls the creation and withdrawal of FT entries. Binding relationships are established by snooping the control messages of the address allocation process. Control messages are the messages in the initial address allocation process that relate to establishing a binding relationship, for example: the Request message of Dynamic Host Configuration Protocol Version 4 (DHCPv4) or Dynamic Host Configuration Protocol Version 6 (DHCPv6), the DHCPv6 Confirm message, the DHCPv6 Solicitation message carrying the Rapid Commit option, and the Neighbor Solicitation (NS) message in the Duplicate Address Detection (DAD) process.
In a Stateless Address Auto Configuration (SLAAC) network environment, a host connected to a SAVI device sends an NS message to carry out DAD after its port learns a new IPv6 address, or after its port state changes from link down to link up. The SAVI device receives this control message, that is, the NS message of the DAD process, and based on it establishes in the BST the binding state between the IP address of the host that sent the NS message and the port number; after duplicate address detection succeeds, it creates a binding relationship entry in the FT according to the state in the BST. Once the binding relationship has been established by snooping the address allocation process, the SAVI device filters received messages according to the FT, that is, it checks whether the source IP address of a message exists in the FT; if it does, the message is forwarded; otherwise, the message is discarded. The host connected to the SAVI device sends only one NS message, within a very short interval after its port state changes. If the port of the SAVI device changes state only after some delay for some reason (for example a hardware reason), the NS message can arrive before the port of the SAVI device has entered the link up state. The NS message is then dropped, the SAVI device cannot create a binding relationship entry for the host, and the data messages the host sends afterwards cannot be forwarded.
To address the problem that subsequent data messages cannot be forwarded because the NS message was lost, the prior art adopts the following technical scheme. The SAVI device receives a data message, it is judged whether the source IP address of the data message exists in the BST, and the data message is then reported to the central processing unit (CPU); the CPU judges whether the source IP address and port information of the data message exist in the FT, and if they do, the message is forwarded. Otherwise, the CPU checks whether the port on which the SAVI device received the message is in the listening state. If it is not, the message is discarded and not forwarded. If it is, the CPU closes the port that received the message and detects, according to the address information in the data message, whether the host that sent the data message is reachable. If the host is reachable, the CPU establishes the corresponding binding for the host in the FT and in the BST, forwards the data message and reopens the port that received the message; if the host is unreachable, the CPU discards the data message and reopens the port that received the message. This technical scheme lets the SAVI device successfully forward received data messages when the NS message has been lost, but it consumes a large amount of the SAVI device's software resources, and message forwarding efficiency is low.
Summary of the invention
The invention provides a message processing method, a message processing device and network equipment, in order to reduce the consumption of SAVI device software resources and improve the efficiency of message processing.
The invention provides a message processing method, comprising:
A hardware chip of a Source Address Validation Improvement (SAVI) device forwards or discards a received data message according to a first filter table and/or a second filter table; the first filter table contains the binding relationships between source address and receiving port for data messages that are allowed to be forwarded, and the second filter table contains the binding relationships between source address and receiving port for data messages undergoing software processing;
When it cannot be determined from the first filter table and the second filter table whether to forward or discard the data message, the hardware chip sends the data message to the central processing unit (CPU) of the SAVI device for software processing;
The CPU performs reachability detection on the source address of the data message according to the data message, and updates the first filter table and the second filter table according to the reachability detection result, so that the hardware chip forwards or discards subsequent data messages from that source address according to the updated first filter table and/or the updated second filter table.
The invention provides a message processing device, comprising:
A message processing module, used to forward or discard a received data message according to a first filter table and/or a second filter table; the first filter table contains the binding relationships between source address and receiving port for data messages that are allowed to be forwarded, and the second filter table contains the binding relationships between source address and receiving port for data messages undergoing software processing;
A sending module, used to send the data message to the central processing unit (CPU) of the message processing device when the message processing module cannot determine from the first filter table and the second filter table whether to forward or discard the data message;
The CPU, used to perform reachability detection on the source address of the data message according to the data message, to update the first filter table and the second filter table according to the reachability detection result, so that the message processing module forwards or discards subsequent data messages from that source address according to the updated first filter table and/or the updated second filter table, and to discard the data message.
The invention provides network equipment comprising any message processing device provided by the invention.
With the message processing method, device and network equipment of the invention, the hardware chip, after receiving a data message, forwards or discards it directly according to the first filter table and/or the second filter table, which is faster than processing in software. Only when the hardware chip cannot determine from the first filter table and the second filter table whether to forward or discard the data message is the data message submitted to the CPU. The CPU performs reachability detection on the source address of the data message, and subsequent data messages from that source address are forwarded or discarded according to the detection result. Compared with the prior-art scheme in which every data message is processed by the CPU, in the technical scheme of the invention only the data messages that the hardware chip cannot handle are sent to the CPU, and among data messages with the same source address and receiving port only the first one received is sent to the CPU for software processing. This greatly lightens the CPU's load and saves the CPU resources of the device.
Description of drawings
To explain the technical schemes of the embodiments of the invention or of the prior art more clearly, the drawings used in describing the embodiments or the prior art are briefly introduced below. The drawings described below show some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the message processing method provided by one embodiment of the invention;
Fig. 2A is a flow chart of an implementation of step 101 provided by one embodiment of the invention;
Fig. 2B is a flow chart of an implementation of step 101 provided by a further embodiment of the invention;
Fig. 3A is a flow chart of an implementation of step 103 provided by one embodiment of the invention;
Fig. 3B is a flow chart of an implementation of step 103 provided by another embodiment of the invention;
Fig. 3C is a flow chart of an implementation of step 103 provided by a further embodiment of the invention;
Fig. 4 is a schematic diagram of the network topology in which a SAVI device is connected to hosts, provided by one embodiment of the invention;
Fig. 5 is a structural diagram of the message processing device provided by one embodiment of the invention;
Fig. 6 is a structural diagram of the message processing device provided by another embodiment of the invention.
Embodiments
To make the purpose, technical schemes and advantages of the embodiments of the invention clearer, the technical schemes in the embodiments are described clearly and completely below with reference to the drawings of the embodiments. The described embodiments are some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Fig. 1 is a flow chart of the message processing method provided by one embodiment of the invention. As shown in Fig. 1, the method of this embodiment comprises:
Step 101: the hardware chip of the SAVI device forwards or discards a received data message according to the first filter table and/or the second filter table.
The SAVI device can be any network device on which SAVI is deployed, for example a switch. In this embodiment, the resources of the SAVI device comprise hardware resources and software resources. Hardware resources are mainly the various filter tables; their stored content is relatively fixed and their flexibility is poor, but they are processed comparatively fast. Software resources are mainly memory and CPU processing resources; they are more flexible but comparatively slow. The processing capacity of a SAVI device's CPU is limited, so to save CPU resources, in this embodiment a data message received by the hardware chip of the SAVI device is first processed by the hardware chip; only when the hardware chip cannot handle it is the data message submitted to the CPU for further processing, which lightens the CPU's load and saves CPU resources.
In implementation, the hardware chip of the SAVI device receives a data message and parses it to obtain its source address and receiving port. The source address is mainly the source IP address and/or the source Medium Access Control (MAC) address; to filter data messages more reliably, in the embodiments of the invention the source address comprises both the source IP address and the source MAC address. The receiving port of a data message is the port on which the hardware chip of the SAVI device received it; because each port has a unique port identifier, the receiving port can be identified by that port identifier. The hardware chip then queries the first filter table and/or the second filter table with the source IP address, source MAC address and receiving port it obtained, and forwards or discards the data message according to the query result.
The first filter table contains the binding relationships between source address and receiving port for data messages that are allowed to be forwarded. In the embodiments of the invention, the first filter table mainly stores the binding relationships between source IP address, source MAC address and receiving port of the data messages that are allowed to be forwarded. That is, if the binding relationship (which may also be called a mapping relationship) between the source IP address, source MAC address and receiving port of a data message received by the hardware chip exists in the first filter table, the hardware chip forwards the data message directly. Usually, the binding relationships between source IP address, source MAC address and receiving port stored in the first filter table are established from control messages by snooping the address allocation process. In this embodiment, however, the first filter table also stores binding relationships that could not be established by snooping the address allocation process because the NS message was lost, and that are instead established when the CPU performs reachability detection on the source address of a data message and the detection result is reachable.
The second filter table contains the binding relationships between source address and receiving port for data messages undergoing software processing (that is, data messages sent to the CPU for processing). In the embodiments of the invention, the binding relationships between source address and receiving port stored in the second filter table are likewise mainly binding relationships between the source IP address, source MAC address and receiving port of data messages. What the second filter table stores are the binding relationships of data messages whose binding relationship between source IP address, source MAC address and receiving port does not exist in the first filter table. That is, if the binding relationship between the source IP address, source MAC address and receiving port of a data message received by the hardware chip exists in the second filter table, this indicates that the data message cannot be forwarded directly on the basis of a binding relationship established by snooping the address allocation process, which serves to prevent attacks and protect the security of the peer device. It also indicates that another data message with the same source IP address and source MAC address has already been sent to the CPU for processing, so to lighten the CPU's load the hardware chip can discard this data message.
However, when the binding relationship between the source IP address, source MAC address and receiving port of a data message received by the hardware chip is in neither the first filter table nor the second filter table, one possible situation is that the control message corresponding to this data message was not snooped, so the binding relationship between its source IP address, source MAC address and receiving port was not established in the first filter table, and this data message is the first data message to appear. In that case the data message should be forwarded, but the possibility that it is an attack message cannot be ruled out either. So, in order both to block attack messages and to correctly receive non-attack messages, the hardware chip of this embodiment sends the data message to the CPU for further processing, that is, step 102 is executed.
As can be seen from the above, in this step the forwarding or discarding of a received data message by the hardware chip according to the first filter table and/or the second filter table mainly comprises the following. When the binding relationship between the source IP address and source MAC address of the data message and the receiving port on which it was received is present in the first filter table, the hardware chip forwards the data message. When the binding relationship between source IP address, source MAC address and receiving port is present in the second filter table, the hardware chip discards the data message. When the binding relationship is present in neither the first filter table nor the second filter table, the hardware chip determines that it cannot decide from the first filter table and the second filter table whether to forward or discard the data message.
The hardware chip can send an interrupt request to the CPU; according to the interrupt request, the CPU responds to the hardware chip's request with priority and receives the data message sent by the hardware chip. The implementation is not limited to this.
After receiving the data message, the CPU parses it and obtains information such as its source IP address, source MAC address and receiving port. Then, according to the source IP address, source MAC address and receiving port it obtained, the CPU performs reachability detection on the source IP address and source MAC address of the data message; that is, the CPU judges in some way whether the sender of the data message (the device corresponding to the source IP address and source MAC address) can communicate normally. For example, the CPU sends an echo request message to the receiving port and judges whether an echo reply message is received from the source IP address and source MAC address, in order to detect whether the source IP address and source MAC address are reachable. Here the echo request message is the message that the embodiments of the invention send to the device corresponding to the source IP address and source MAC address when performing reachability detection on them; any message with a probing effect can serve as the echo request message in the embodiments of the invention, and the echo reply message is the message that matches the echo request message. For example, the echo request message of the embodiments of the invention can be the ECHO message of the Internet Control Message Protocol (ICMP), and correspondingly the echo reply message can be the Echo Reply message.
If the detection result is that the source IP address and source MAC address are reachable, the data message is a legitimate message and the device that sent it is a legitimate sender, not an attacker; the control message sent by that device was simply not snooped, so the binding relationship between its source IP address, source MAC address and receiving port was not established in the first filter table. Subsequent data messages from this device should therefore be forwarded. If the detection result is that the source IP address and source MAC address are unreachable, the data message is an attack message, and subsequent data messages with the same source IP address and source MAC address are also attack messages and should be discarded. As for the data message that the hardware chip handed to the CPU, the CPU can discard it directly whatever the reachability detection result is. Specifically, the source address reachability detection performed by the CPU takes time, so even if the data message is legitimate it may already have timed out when the detection result becomes available; in addition, in data stream transmission the loss of a single data message is normally tolerated, so the CPU can discard this data message directly. When the data message is an attack message, it should be discarded all the more.
At this point, forwarding or discarding has been completed for every kind of data message.
With the message processing method of this embodiment, the hardware chip of the SAVI device, after receiving a data message, forwards or discards it directly according to the first filter table and/or the second filter table, which is faster than processing in software. Only when the hardware chip cannot determine from the first filter table and the second filter table whether to forward or discard the data message is the data message submitted to the CPU. The CPU performs reachability detection on the source address of the data message and updates the first filter table and the second filter table according to the detection result, so that the hardware chip forwards or discards data messages according to the updated first filter table and second filter table. Compared with the prior art, this embodiment sends a data message to the CPU only when the hardware chip cannot handle it, and among data messages with the same source address and receiving port only the first one received is sent to the CPU. This greatly lightens the CPU's load and saves the CPU resources of the device.
Fig. 2A is a flow chart of an implementation of step 101 provided by one embodiment of the invention. As shown in Fig. 2A, the method of this embodiment comprises:
In this embodiment, the hardware chip makes its judgment according to the first filter table first, which helps improve the efficiency of forwarding data messages.
Fig. 2B is a flow chart of an implementation of step 101 provided by a further embodiment of the invention. As shown in Fig. 2B, the method of this embodiment comprises:
Step 101a: the hardware chip receives a data message.
Step 101b: the hardware chip parses the data message and obtains its source IP address, source MAC address and receiving port.
Step 101c: the hardware chip queries the second filter table and judges whether it contains the binding relationship between the source IP address, source MAC address and receiving port of the data message. If the judgment result is yes, that is, the binding relationship exists in the second filter table, step 101d is executed; if the judgment result is no, that is, the binding relationship does not exist in the second filter table, step 101e is executed.
Step 101d: the hardware chip discards the data message and ends this processing operation.
Step 101e: the hardware chip queries the first filter table and judges whether it contains the binding relationship between the source IP address, source MAC address and receiving port of the data message. If the judgment result is yes, that is, the binding relationship exists in the first filter table, step 101f is executed; if the judgment result is no, that is, the binding relationship does not exist in the first filter table, step 101g is executed.
Step 101f: the hardware chip forwards the data message and ends this processing operation.
Step 101g: the hardware chip determines that it cannot decide from the first filter table and the second filter table whether to forward or discard the data message, and proceeds to step 102.
In this embodiment, the hardware chip makes its judgment according to the second filter table first, which helps improve the efficiency of discarding attack messages.
Fig. 3A is a flow chart of an implementation of step 103 provided by one embodiment of the invention. As shown in Fig. 3A, the method of this embodiment comprises:
For example, the CPU can invoke an interrupt handler to receive the data message in response to the interrupt request generated by the hardware chip.
In a specific implementation, the CPU sends an echo request message to the receiving port and judges whether an echo reply message is received from the source IP address and source MAC address, in order to detect whether the source IP address and source MAC address are reachable. The destination IP address of the echo request message is the source IP address of the data message, and its destination MAC address is the source MAC address of the data message. If the device whose IP address and MAC address are the source IP address and source MAC address of the data message is a legitimate sender, it will receive the echo request message and can return an echo reply message, and the receiving port of the SAVI device will receive that echo reply message. Therefore, when an echo reply message is received from the source IP address and source MAC address of the data message, the CPU determines that the source IP address and source MAC address are reachable; when no echo reply message is received from the source IP address and source MAC address of the data message, the CPU determines that they are unreachable.
Step 1034: the CPU updates the first filter table so that the updated first filter table contains the binding relationship between the source IP address, source MAC address and receiving port of the data message, and ends this processing operation.
When the source IP address and source MAC address are reachable, the CPU stores the binding relationship between the source IP address, source MAC address and receiving port in the first filter table, so that the hardware chip can quickly forward subsequent data messages from that source IP address and source MAC address according to the binding relationship stored in the first filter table, improving the forwarding efficiency of data messages.
Step 1035: the CPU updates the second filter table so that the updated second filter table contains the binding relationship between the source IP address, source MAC address and receiving port of the data message, and ends this processing operation.
When the source IP address and source MAC address are unreachable, the CPU writes the binding relationship between the source IP address, source MAC address and receiving port into the second filter table, so that the hardware chip directly discards subsequent data messages from that source IP address and source MAC address according to the second filter table, improving the speed at which data messages are processed. At this point, in addition to the binding relationships between source address and receiving port of data messages undergoing software processing, the second filter table also contains the binding relationships between source address and receiving port of data messages that have undergone software processing and whose source address reachability detection result is unreachable.
In the present embodiment, CPU is by sending the echo request message to receiving port, and judge whether to receive Echo Reply message from this source IP address and source MAC, whether the sender who detects data message can reach, whether the sender who is the judgment data message can proper communication, and then upgrade first filter table and second filter table according to testing result, so that hardware chip is transmitted or discard processing the follow-up data message that receives according to first filter table and second filter table after upgrading, improve treatment effeciency to the data message; In addition, because the existence of second filter table is arranged, hardware chip can directly not be present in binding relationship according to second filter table and exists the data message in second filter table to abandon in first filter table, so in the process that CPU detects, the receiving port of hardware chip need not to close, can continue to receive other data messages, further improve treatment effeciency concurrent message.
Fig. 3B is a flowchart of an implementation of step 103 provided by another embodiment of the present invention. As shown in Fig. 3B, the method of this embodiment includes:
For example, the CPU may call an interrupt handler to receive the data message in response to an interrupt request generated by the hardware chip.
The third filter table stores the binding relationships between source address and receiving port of data messages that are undergoing reachability detection. In the embodiments of the present invention, what the third filter table mainly stores is the binding relationship between the source IP address, source MAC address and receiving port of each data message undergoing reachability detection. A data message undergoing reachability detection is a data message being processed by the CPU.
Because the third filter table is mainly queried by the CPU, it can be regarded as a software filter table. To make it easy for the CPU to query, the third filter table can be stored in memory or cache, which raises the query speed and in turn the processing speed for data messages. The first filter table and the second filter table are mainly handled by the hardware chip, so they can be regarded as hardware filter tables and can be stored on a storage device other than memory or cache (for example a hard disk). The embodiments of the present invention do not limit the specific storage location of the first, second and third filter tables.
By providing the third filter table, this embodiment lets the CPU further check whether the data message belongs to a data message already undergoing software processing. When the check result is yes, the data message is discarded directly, which improves the processing efficiency for data messages.
Further, to protect the processing capacity of the CPU, a binding relationship threshold can be set for each receiving port. When the number of binding relationships corresponding to a receiving port reaches the binding relationship threshold, the data message is discarded directly and no longer undergoes software processing (mainly meaning that reachability detection is no longer performed). A binding relationship corresponding to a receiving port is a binding relationship that contains this receiving port. On this basis, before step 103e the method of this embodiment can also include judging whether the number of binding relationships corresponding to the receiving port is less than the preset binding relationship threshold, and step 103e is executed only when the number of binding relationships corresponding to this receiving port is less than the threshold. Specifically, the CPU queries the third filter table according to the receiving port of the data message and judges whether the number of binding relationships in the third filter table that contain this receiving port is less than the preset binding relationship threshold. If it is less, step 103e is executed. If it is not less (mainly meaning equal to the preset binding relationship threshold), this operation ends, which lightens the processing burden on the CPU.
Step 103e: the CPU sends an echo request message to the receiving port to detect whether the source IP address and source MAC address are reachable, and judges whether an echo reply message is received from the source IP address and source MAC address. If yes, step 103f is executed; if no, step 103g is executed.
The CPU updates the first filter table by storing the binding relationship between the source IP address, source MAC address and receiving port in it, so that the hardware chip can quickly forward subsequent data messages from this source IP address and source MAC address according to the binding relationship stored in the first filter table, which improves the forwarding efficiency for data messages.
Because the CPU already stored the binding relationship between the source IP address, source MAC address and receiving port in the second filter table when it began reachability detection, updating the second filter table in this step mainly means setting the state of that binding relationship to untrusted. This marks that reachability detection has been performed on this source IP address and source MAC address and that the result is unreachable, so the hardware chip can directly discard subsequent data messages from this source IP address and source MAC address, which improves the processing speed for data messages. At this point, besides the binding relationships between source address and receiving port of data messages that are undergoing software processing, the second filter table also contains the binding relationships between source address and receiving port of data messages that have undergone software processing and whose source address reachability detection result is unreachable.
Further, when the CPU sets the state of the binding relationship between the source IP address, source MAC address and receiving port in the second filter table to untrusted, it starts a status timer. The duration of this status timer can be preset, for example to 5 minutes, and represents how long the untrusted state of the binding relationship remains in effect. For example, when the state of a binding relationship is set to untrusted, the status timer is started, and the hardware chip directly discards, according to the second filter table, data messages received while the status timer is running. When the status timer ends, the CPU deletes this binding relationship from the second filter table. Deleting binding relationships from the second filter table on a timer saves capacity in the second filter table on the one hand, and on the other hand avoids excessive blocking of data messages from the source IP address and source MAC address in the binding relationship, which would otherwise prevent the user corresponding to this source IP address and source MAC address from connecting normally after becoming a legitimate user.
After the CPU has performed reachability detection on a source IP address and source MAC address and obtained the detection result, it deletes the binding relationship between the source IP address, source MAC address and receiving port stored in the third filter table, which releases the space occupied in the third filter table and prepares for processing further data messages.
When the binding relationship between the source IP address, source MAC address and receiving port exists in the third filter table, the CPU is already performing reachability detection on this source IP address and source MAC address. It is then enough to wait for the CPU's result, and the CPU does not need to perform reachability detection on the source IP address and source MAC address again. The CPU's reachability detection on this source IP address and source MAC address follows the same process as steps 103d to 103h above. In addition, the CPU can at this point discard the data message handed to it by the hardware chip. That is, in this embodiment the CPU performs the operation of discarding the data message after querying the third filter table.
In this embodiment, the CPU detects whether the sender of the data message is reachable by sending an echo request message to the receiving port and judging whether an echo reply message is received from the source IP address and source MAC address, an approach that is easy to implement. In addition, updating each filter table further improves the processing efficiency for data messages. Moreover, the receiving port of the hardware chip does not need to be closed while the CPU performs detection and can continue to receive other data messages, which further improves the processing efficiency for concurrent messages.
Fig. 3C is a flowchart of an implementation of step 103 provided by yet another embodiment of the present invention. This embodiment is based on the embodiment shown in Fig. 3B. As shown in Fig. 3C, the method of this embodiment includes:
Step 103e: the CPU sends an echo request message to the receiving port to detect whether the source IP address and source MAC address are reachable, and judges whether an echo reply message is received from the source IP address and source MAC address. If yes, step 103f is executed; if no, step 103g1 is executed.
Step 103g1: the CPU judges whether the detection count is 0. If yes, that is, the detection count is 0, step 103g3 is executed; if no, that is, the detection count is not 0, step 103g2 is executed.
Step 103g2: the CPU decrements the detection count by 1, waits for a preset time interval, and then returns to step 103e.
In this embodiment, a count threshold for reachability detection on a source IP address and source MAC address is preset, for example 2. When the number of reachability detections performed has not reached the preset count threshold, the CPU waits for a while and then proceeds with the next detection. In this embodiment the initial value of the detection count is set to the preset count, and the detection count is decremented by 1 each time reachability detection is performed, so that reachability detection is carried out multiple times.
By performing reachability detection multiple times, this embodiment solves the problem of detection failures caused by network congestion and similar reasons, which improves the accuracy of reachability detection and in turn the accuracy of data message processing.
This embodiment does not limit the specific value of the waiting interval. It can be, for example, 10 seconds or 20 seconds, and can be decided by the processing capacity of the CPU of the SAVI device.
Further, the third filter table can also store state information for each binding relationship. While waiting, the state of the current binding relationship can be set to waiting, which makes the binding relationships easier to manage.
Step 103g3: the CPU determines that the source IP address and source MAC address are unreachable, sets the state of the binding relationship between the source IP address, source MAC address and receiving port in the second filter table to untrusted, and executes step 103h.
For the steps that are identical to those of the embodiment shown in Fig. 3B, refer to the description of Fig. 3B.
In this embodiment, the CPU detects whether the sender of the data message is reachable by sending an echo request message to the receiving port and judging whether an echo reply message is received from the source IP address and source MAC address, an approach that is easy to implement. In addition, updating each filter table further improves the processing efficiency for data messages. Moreover, the receiving port of the hardware chip does not need to be closed while the CPU performs detection and can continue to receive other data messages, which further improves the processing efficiency for concurrent messages.
Fig. 2A and Fig. 2B above can be combined arbitrarily with Fig. 3A to Fig. 3C to form different message processing flows. For example, combining Fig. 2A with Fig. 3A, Fig. 2A with Fig. 3B, Fig. 2A with Fig. 3C, or Fig. 2B with Fig. 3A each yields a different message processing flow. The overall flow of each such method is not described further.
In summary, in the message processing method provided by the embodiments of the present invention, a data message entering the SAVI device is first handled by the hardware chip, which improves processing efficiency, and is sent to the CPU for software processing only when the hardware chip cannot handle it, which reduces the burden on the CPU and saves software resources. At the same time, during software processing the CPU can supplement, establish or update binding relationships in the first filter table. This allows flexible handling of data messages that lack a binding relationship between source address and receiving port because of factors such as lost control messages or lost binding state on the SAVI device, and markedly improves the reliability of source address filtering and the robustness of the whole network.
The technical solution of the present invention is further described below with a practical application scenario.
Fig. 4 is a schematic diagram of the network topology in which a SAVI device is connected to hosts, provided by one embodiment of the present invention. As shown in Fig. 4, the network topology of this embodiment includes SAVI device 41, host 42 and attacker 43. Host 42 and attacker 43 are each connected to SAVI device 41. Specifically, host 42 is connected to port AN-X of SAVI device 41, and attacker 43 is connected to port AN-Z of SAVI device 41.
In this embodiment, host 42 is assumed to be a legitimate user with 3 IPv6 addresses: link-local address FE80::B928:3FED:DF88:B7F0; global address 2001::B928:3FED:DF88:B7F0; anonymous address 2001::6D20:5522:D89A:6A46. The MAC address of host 42 is 0025.b343.c1de. Attacker 43 is also assumed to have 3 IPv6 addresses: link-local address FE80::E489:3F50:29D6:68FE; global address 2001::E489:3F50:29D6:68FE; anonymous address 2001::A924:9CDC:8F19:50A9. The MAC address of attacker 43 is 00d0.f865.eb5b.
Further, assume that, because control messages were lost, the first filter table learned by SAVI device 41 is as shown in Table 1.
Table 1
Port (Anchor) | IP address | MAC address |
AN-X | FE80::B928:3FED:DF88:B7F0 | 0025.b343.c1de |
AN-X | 2001::B928:3FED:DF88:B7F0 | 0025.b343.c1de |
AN-Z | FE80::E489:3F50:29D6:68FE | 00d0.f865.eb5b |
AN-Z | 2001::A924:9CDC:8F19:50A9 | 00d0.f865.eb5b |
Here the IP address 2001::6D20:5522:D89A:6A46 of host 42 has no binding relationship established with the MAC address of host 42 and port AN-X, and the IP address 2001::E489:3F50:29D6:68FE of attacker 43 has no binding relationship established with the MAC address of attacker 43 and port AN-Z.
Also assume that the second filter table and the third filter table, being temporary filter tables, do not yet exist or are empty at this time. Further, assume it is preset that each port is allocated at most 10 binding relationship entries in the first filter table.
First case: host 42 uses IP address 2001::B928:3FED:DF88:B7F0 and MAC address 0025.b343.c1de to send a data message to SAVI device 41 through port AN-X. That is, the source IP address of the data message is 2001::B928:3FED:DF88:B7F0, the source MAC address is 0025.b343.c1de, and the receiving port is port AN-X.
SAVI device 41 processes the data message as follows:
First, port AN-X of SAVI device 41, whose attribute is Validation, receives the data message sent by the connected host 42. The hardware chip extracts the source IP address 2001::B928:3FED:DF88:B7F0 and the source MAC address 0025.b343.c1de from the data message and denotes them IP-X and MAC-X respectively. The hardware chip of SAVI device 41 then queries the first filter table and finds that the binding relationship between the receiving port AN-X, source IP address IP-X and source MAC address MAC-X exists in the first filter table, so it forwards the data message directly according to the destination IP address and destination MAC address carried in the data message and ends the processing flow.
Second case: host 42 uses IP address 2001::6D20:5522:D89A:6A46 (the anonymous address) and MAC address 0025.b343.c1de to send a data message to SAVI device 41 through port AN-X. That is, the source IP address of the data message is 2001::6D20:5522:D89A:6A46, the source MAC address is 0025.b343.c1de, and the receiving port is port AN-X.
SAVI device 41 processes the data message as follows:
First, port AN-X of SAVI device 41, whose attribute is Validation, receives the data message sent by the connected host 42. The hardware chip extracts the source IP address 2001::6D20:5522:D89A:6A46 and the source MAC address 0025.b343.c1de from the data message and denotes them IP-X and MAC-X respectively. The hardware chip of SAVI device 41 then queries the first filter table and finds that the binding relationship between the receiving port AN-X, source IP address IP-X and source MAC address MAC-X does not exist in the first filter table. The hardware chip therefore queries the second filter table and finds that the binding relationship between port AN-X, source IP address IP-X and source MAC address MAC-X does not exist in the second filter table either. The hardware chip of SAVI device 41 submits the data message to the CPU of SAVI device 41.
Next, after the CPU of SAVI device 41 receives the data message, it extracts the port, that is the receiving port AN-X, the source IP address IP-X and the source MAC address MAC-X from the data message and queries the third filter table. It finds that the third filter table does not yet contain any binding relationship entry for port AN-X, that is, the binding relationship between port AN-X, source IP address IP-X and source MAC address MAC-X does not exist in the third filter table either. The CPU writes the binding relationship between port AN-X, source IP address IP-X and source MAC address MAC-X into the third filter table, marks the state of this binding relationship entry as confirm, and discards the data message. At the same time, the CPU writes the binding relationship between the receiving port AN-X, source IP address IP-X and source MAC address MAC-X of the data message into the second filter table. The second filter table and the third filter table at this point are as shown in Table 2 and Table 3 respectively.
The CPU then sends an echo request message to port AN-X, with IP address 2001::6D20:5522:D89A:6A46 as the destination IP address and MAC address 0025.b343.c1de as the destination MAC address, and finds that source IP address IP-X and source MAC address MAC-X are addresses that can communicate. The CPU therefore writes the binding relationship between the receiving port AN-X, source IP address IP-X and source MAC address MAC-X into the first filter table, which is then as shown in Table 4. At the same time, the CPU deletes the binding relationship entries from the second filter table and the third filter table.
Table 2
Table 3
Table 4
Port (Anchor) | IP address | MAC address |
AN-X | FE80::B928:3FED:DF88:B7F0 | 0025.b343.c1de |
AN-X | 2001::B928:3FED:DF88:B7F0 | 0025.b343.c1de |
AN-X | 2001::6D20:5522:D89A:6A46 | 0025.b343.c1de |
AN-Z | FE80::E489:3F50:29D6:68FE | 00d0.f865.eb5b |
AN-Z | 2001::A924:9CDC:8F19:50A9 | 00d0.f865.eb5b |
At this point the first filter table is as shown in Table 4, and the second filter table and the third filter table contain no binding relationship entries.
Third case: attacker 43 forges the IP address 2001::B928:3FED:DF88:B7F0 (the global address) and the MAC address 0025.b343.c1de of host 42 and sends a data message to SAVI device 41. That is, the source IP address of the data message is 2001::B928:3FED:DF88:B7F0, the source MAC address is 0025.b343.c1de, and the receiving port is port AN-Z.
SAVI device 41 processes the data message as follows:
First, port AN-Z of SAVI device 41, whose attribute is Validation, receives the data message sent by the connected attacker 43. The hardware chip extracts the source IP address 2001::B928:3FED:DF88:B7F0 and the source MAC address 0025.b343.c1de from the data message and denotes them IP-X and MAC-X respectively. The hardware chip of SAVI device 41 then queries the first filter table and finds that the binding relationship between the receiving port AN-Z, source IP address IP-X and source MAC address MAC-X does not exist in the first filter table. The hardware chip therefore queries the second filter table and finds that the binding relationship between port AN-Z, source IP address IP-X and source MAC address MAC-X does not exist in the second filter table either. The hardware chip of SAVI device 41 submits the data message to the CPU of SAVI device 41.
Next, after the CPU of SAVI device 41 receives the data message, it extracts port AN-Z, source IP address IP-X and source MAC address MAC-X from the data message and queries the third filter table. It finds that the third filter table does not yet contain any binding relationship entry for port AN-Z, that is, the binding relationship between port AN-Z, source IP address IP-X and source MAC address MAC-X does not exist in the third filter table either. The CPU writes the binding relationship between port AN-Z, source IP address IP-X and source MAC address MAC-X into the third filter table, marks the state of this binding relationship entry as confirm, and discards the data message. At the same time, the CPU writes the binding relationship between port AN-Z, source IP address IP-X and source MAC address MAC-X into the second filter table. The second filter table and the third filter table at this point are as shown in Table 5 and Table 6 respectively.
The CPU then sends an echo request message to port AN-Z, with IP address 2001::B928:3FED:DF88:B7F0 as the destination IP address and MAC address 0025.b343.c1de as the destination MAC address, and finds that source IP address IP-X and source MAC address MAC-X are addresses that cannot communicate. Because this is the first detection, the CPU updates the state of this binding relationship entry in the third filter table to wait and waits, for example, 10 seconds. When the wait ends, the CPU updates the state of this binding relationship entry in the third filter table to reconfirm and sends an echo request message to port AN-Z again, still with IP address 2001::B928:3FED:DF88:B7F0 as the destination IP address and MAC address 0025.b343.c1de as the destination MAC address, and again finds that source IP address IP-X and source MAC address MAC-X are addresses that cannot communicate. The detection count threshold is assumed to be 2 in this embodiment. The CPU therefore deletes the binding relationship between port AN-Z, source IP address IP-X and source MAC address MAC-X from the third filter table and sets the state of the binding relationship between port AN-Z, source IP address IP-X and source MAC address MAC-X in the second filter table to untrusted. At this point the first filter table is unchanged and still as shown in Table 4, the second filter table has gained the state information of the binding relationship between port AN-Z, source IP address IP-X and source MAC address MAC-X, and the third filter table no longer contains the binding relationship entry.
Table 5
Port (Anchor) | IP address | MAC address |
AN-Z | 2001::B928:3FED:DF88:B7F0 | 0025.b343.c1de |
Table 6
Fourth case: attacker 43 attacks SAVI device 41 by sending a large number of data messages whose source IP addresses and source MAC addresses increase incrementally.
When the number of data messages sent by attacker 43 exceeds the preset maximum number of binding relationship entries allocated to each port (10 in this embodiment), the processing flow of SAVI device 41 after a data message from attacker 43 arrives is the same as in the third case. When the binding relationship entries corresponding to port AN-Z in the third filter table reach 10, SAVI device 41, after receiving a data message handed over by the hardware chip, determines from the receiving port of the data message that the number of binding relationship entries for this receiving port has reached the maximum number of binding relationships allowed to be allocated. It therefore discards the data message directly and no longer performs reachability detection, which reduces the processing burden on the CPU. It can be seen that when SAVI device 41 is under attack, at most 10 entries per port are consumed in the second filter table and the third filter table, and these entries are recovered quickly after the attack stops, which achieves the goal of resisting the attack and protects the CPU.
It can be concluded from the above analysis of the cases that the embodiments of the present invention, by combining software and hardware resources, use a small amount of software and hardware resources to complete supplementary binding for data messages whose binding relationship was not established because control messages were lost, and have strong concurrent data processing capability and anti-attack capability.
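The four cases above can be traced with a small simulation. The following Python sketch is an added example, not code from the patent: the class, method names and action strings are assumptions, a set of bindings stands in for the real echo request/reply exchange, the detection count is treated as a total of two echo requests as in the third case, and the flood addresses are constructed.

```python
from dataclasses import dataclass, field

# Table 1 from the page: bindings learned before the control messages were lost.
TABLE_1 = {
    ("AN-X", "FE80::B928:3FED:DF88:B7F0", "0025.b343.c1de"),
    ("AN-X", "2001::B928:3FED:DF88:B7F0", "0025.b343.c1de"),
    ("AN-Z", "FE80::E489:3F50:29D6:68FE", "00d0.f865.eb5b"),
    ("AN-Z", "2001::A924:9CDC:8F19:50A9", "00d0.f865.eb5b"),
}
PORT_LIMIT = 10       # binding relationship threshold per receiving port
PROBE_ATTEMPTS = 2    # assumption: total echo requests sent, as in the third case
UNTRUSTED_TTL = 300   # status timer in seconds ("for example 5 minutes")


@dataclass
class SaviDevice:
    # Bindings that would answer an echo request sent out of their port.
    # Stand-in for the real probe exchange (assumption of this example).
    answers_echo: set
    table1: set = field(default_factory=lambda: set(TABLE_1))
    table2: dict = field(default_factory=dict)  # binding -> None (under detection) or untrusted expiry
    table3: dict = field(default_factory=dict)  # binding -> "confirm" | "wait" | "reconfirm"
    clock: int = 0
    probes_sent: int = 0

    def receive(self, port, ip, mac):
        """Hardware chip: decide from tables 1 and 2, otherwise hand over to the CPU."""
        key = (port, ip, mac)
        if key in self.table1:
            return "forward"
        if key in self.table2:
            return "drop-hw"
        return self.cpu_receive(key)

    def cpu_receive(self, key):
        """CPU: the message is always discarded; at most one detection starts per binding."""
        if sum(1 for k in self.table3 if k[0] == key[0]) >= PORT_LIMIT:
            return "drop-cpu-port-limit"
        if key in self.table3:  # message was queued before table 2 was updated
            return "drop-cpu-pending"
        self.table3[key] = "confirm"
        self.table2[key] = None
        return "drop-cpu-probing"

    def run_detection(self):
        """Complete every pending reachability detection (asynchronous on a real device)."""
        for key in list(self.table3):
            reachable = False
            for attempt in range(PROBE_ATTEMPTS):
                self.table3[key] = "confirm" if attempt == 0 else "reconfirm"
                self.probes_sent += 1
                if key in self.answers_echo:
                    reachable = True
                    break
                if attempt + 1 < PROBE_ATTEMPTS:
                    self.table3[key] = "wait"  # a real device sleeps for the interval here
            if reachable:
                self.table1.add(key)
                del self.table2[key]
            else:
                self.table2[key] = self.clock + UNTRUSTED_TTL  # untrusted until the timer ends
            del self.table3[key]

    def tick(self, seconds):
        """Advance the clock and delete untrusted bindings whose status timer has ended."""
        self.clock += seconds
        for key in [k for k, exp in self.table2.items() if exp is not None and exp <= self.clock]:
            del self.table2[key]


if __name__ == "__main__":
    host_mac = "0025.b343.c1de"
    anonymous = ("AN-X", "2001::6D20:5522:D89A:6A46", host_mac)
    spoofed = ("AN-Z", "2001::B928:3FED:DF88:B7F0", host_mac)
    dev = SaviDevice(answers_echo={anonymous})
    print("case 1:", dev.receive("AN-X", "2001::B928:3FED:DF88:B7F0", host_mac))
    print("case 2:", dev.receive(*anonymous), end=" -> ")
    dev.run_detection()
    print(dev.receive(*anonymous))
    print("case 3:", dev.receive(*spoofed), end=" -> ")
    dev.run_detection()
    print(dev.receive(*spoofed))
    # Case 4: constructed flood of incrementing source addresses on AN-Z.
    flood = [dev.receive("AN-Z", f"2001::{i:X}", f"0000.0000.{i:04x}") for i in range(1, 26)]
    print("case 4:", flood.count("drop-cpu-probing"), "probed,",
          flood.count("drop-cpu-port-limit"), "dropped at the port limit")
```

The spoofed binding fails detection because the echo request leaves through port AN-Z, where the real owner of the address is not attached.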
Fig. 5 is a schematic structural diagram of the message processing device provided by one embodiment of the present invention. As shown in Fig. 5, the device of this embodiment includes message processing module 51, sending module 52 and CPU 53.
Message processing module 51 is used to forward or discard a received data message according to the first filter table and/or the second filter table. The first filter table contains the binding relationships between source address and receiving port of data messages that are allowed to be forwarded, and the second filter table contains the binding relationships between source address and receiving port of data messages undergoing software processing. Sending module 52 is connected to message processing module 51 and is used to send the data message to CPU 53 of the message processing device when message processing module 51 cannot determine from the first and second filter tables whether to forward or discard the data message. CPU 53 is connected to sending module 52 and is used to perform reachability detection on the source address of the data message according to the data message, to update the first filter table and the second filter table according to the reachability detection result so that message processing module 51 forwards or discards subsequent data messages from the source address according to the updated first filter table and/or the updated second filter table, and to discard the data message.
Message processing module 51 and sending module 52 are hardware modules and can be implemented by the hardware chip in the message processing device.
Each functional module of the message processing device of this embodiment can be used to carry out the flow of the message processing method shown in Fig. 1. Its specific operating principle is not repeated here; see the description of the method embodiment for details.
After receiving a data message, the message processing device of this embodiment has the hardware module directly forward or discard it according to the first filter table and/or the second filter table, which is faster than software processing. Only when the hardware module cannot determine from the first and second filter tables whether to forward or discard the data message is the data message submitted to the CPU. The CPU performs reachability detection on the source address of the data message and updates the first and second filter tables according to the detection result, so that the hardware module forwards or discards data messages according to the updated first and second filter tables. Compared with the prior art, in this embodiment only data messages that the hardware module cannot handle are sent to the CPU, and among data messages with the same source address and receiving port only the first received message is sent to the CPU, which greatly reduces the burden on the CPU and saves the CPU resources of the device.
Fig. 6 is a schematic structural diagram of the message processing device provided by another embodiment of the present invention. This embodiment is based on the embodiment shown in Fig. 5. As shown in Fig. 6, in this embodiment one implementation structure of message processing module 51 includes query unit 511, forwarding unit 512, first discarding unit 513 and first determining unit 514.
Query unit 511 is mainly used to query the first filter table and/or the second filter table to judge whether the binding relationship between the source IP address and source MAC address of the data message and the receiving port on which the data message was received exists in the first filter table or the second filter table, and to provide the judgment result to forwarding unit 512, first discarding unit 513 and first determining unit 514 respectively.
The functional units above can be used to carry out the flow of the method shown in Fig. 2A or Fig. 2B. Their specific operating principle is not repeated here; see the description of the method embodiment for details. When message processing module 51 uses these functional units to judge according to the first filter table first, this helps improve the efficiency of forwarding data messages. When message processing module 51 uses these functional units to judge according to the second filter table first, this helps improve the efficiency of discarding attack messages.
In this embodiment, CPU 53 includes the following functional units: parsing and acquiring unit 531, detecting unit 532, first updating unit 533, second updating unit 534 and second discarding unit 535.
Parsing and acquiring unit 531 is connected to sending module 52 and is used to receive the data message and parse it to obtain the source IP address, source MAC address and receiving port of the data message. Detecting unit 532 is connected to parsing and acquiring unit 531 and is used to perform reachability detection on the source IP address and source MAC address according to the source IP address, source MAC address and receiving port. First updating unit 533 is connected to detecting unit 532 and is used to update the first filter table when the detection result of detecting unit 532 is that the source IP address and source MAC address are reachable, so that the updated first filter table contains the binding relationship between the source IP address, source MAC address and receiving port. Second updating unit 534 is connected to detecting unit 532 and is used to update the second filter table when the detection result of detecting unit 532 is that the source IP address and source MAC address are unreachable, so that the updated second filter table contains the binding relationship between the source IP address, source MAC address and receiving port. Second discarding unit 535 is used to discard the data message received by parsing and acquiring unit 531.
The functional units of the CPU described above can be used to carry out the flow of the embodiment shown in Fig. 3A. Their specific operating principle is not repeated here; see the description of the method embodiment for details.
Further, as shown in Fig. 6, CPU 53 also includes first query judging unit 536 and first trigger unit 537. First query judging unit 536 is used, before detecting unit 532 performs reachability detection on the source IP address and source MAC address, to query the third filter table according to the source IP address, source MAC address and receiving port and judge whether the binding relationship between the source IP address, source MAC address and receiving port exists in the third filter table. The third filter table stores the binding relationships between source address and receiving port of data messages undergoing reachability detection. First trigger unit 537 is connected to first query judging unit 536 and detecting unit 532 and is used, when first query judging unit 536 judges that the binding relationship between the source IP address, source MAC address and receiving port does not exist in the third filter table, to trigger detecting unit 532 to perform reachability detection on the source IP address and source MAC address according to the source IP address, source MAC address and receiving port.
Second discarding unit 535 is connected to first query judging unit 536 and is specifically used, after first query judging unit 536 has queried the third filter table and judged whether the binding relationship between the source IP address, source MAC address and receiving port exists in the third filter table, to discard the data message when triggered by first query judging unit 536.
Wherein, CPU53 can also comprise the second inquiry judging unit 551, EO unit 552 and second trigger element 553.The second inquiry judging unit 551, be connected with parsing acquiring unit 531, be used for before the inquiry judging operation is carried out in the first inquiry judging unit 536, according to resolve the receiving port that acquiring unit 531 obtains from data message, inquire about the 3rd filter table, whether the number of judging the binding relationship that comprises receiving port in the 3rd filter table is less than default binding relationship threshold value.EO unit 552 is connected with the second inquiry judging unit 551, is used in the judged result of the second inquiry judging unit 551 finishing operation this time when being not less than.Second trigger element 553, be connected with the first inquiry judging unit 536 with the second inquiry judging unit 551, be used for the judged result of the second inquiry judging unit 551 for less than the time, triggering the first inquiry judging unit 536 carries out according to source IP address, source MAC and receiving port, inquire about the 3rd filter table, judge the operation that whether has the binding relationship between source IP address, source MAC and the receiving port in the 3rd filter table.
In the time of can being not less than default binding relationship threshold value at the number of the binding relationship of receiving port correspondence by above-mentioned each functional unit, direct end operation, the accessibility of no longer carrying out source IP address and source MAC detects, and helps alleviating the processing burden of CPU.
Based on the above, one implementation structure of the detecting unit 532 of this embodiment comprises a storing subunit, a sending subunit and a receiving-and-determining subunit. The storing subunit is configured to store the binding relationship among the source IP address, source MAC address and receiving port into the second filter table and the third filter table respectively. The sending subunit is configured to send an echo request message to the receiving port and judge whether an Echo Reply message from the source IP address and source MAC address is received, so as to detect whether the source IP address and source MAC address are reachable; the destination IP address of the echo request message is the source IP address and its destination MAC address is the source MAC address. The receiving-and-determining subunit is configured to determine that the source IP address and source MAC address are reachable when an Echo Reply message from the source IP address and source MAC address is received, and to determine that the source IP address and source MAC address are unreachable when no Echo Reply message from the source IP address and source MAC address is received.
Based on the above, given that the storing subunit has already stored the binding relationship among the source IP address, source MAC address and receiving port in the second filter table, the second updating unit 534 specifically sets the state of that binding relationship in the second filter table to untrusted.
Further, the CPU 53 also comprises a start-and-delete unit 538. The start-and-delete unit 538 is configured to start a state timer when the second updating unit 534 sets the state of the binding relationship among the source IP address, source MAC address and receiving port in the second filter table to untrusted, and to delete the binding relationship among the source IP address, source MAC address and receiving port from the second filter table when the state timer expires.
Further, the CPU 53 also comprises a deleting unit 539. The deleting unit 539 is configured to, after the detecting unit 532 has performed reachability detection on the source IP address and source MAC address, delete the binding relationship among the source IP address, source MAC address and receiving port from the third filter table regardless of whether the detection result is reachable or unreachable, so as to free storage space in the third filter table.
The above functional units of the CPU can be used to execute the flow of the embodiment shown in Fig. 3B; their specific working principle is not repeated here, see the description of the method embodiment for details. The approach in which the CPU, through the above functional units or subunits, sends an echo request message to the receiving port to detect whether the sender of the data message is reachable has the advantage of being easy to implement; in addition, updating each filter table further improves the efficiency of processing data messages. Moreover, while the CPU performs detection, the receiving port of the message processing module need not be closed and can continue to receive other data messages, which further improves the efficiency of processing concurrent messages.
Further, the CPU 53 also comprises a judging unit 540, a wait-and-trigger unit 541 and a second determining unit 542.
The judging unit 540 is connected to the detecting unit 532 and is configured to judge whether the detection count is 0 when the receiving-and-determining subunit of the detecting unit 532 determines that the source IP address and source MAC address are unreachable. The wait-and-trigger unit 541 is connected to the judging unit 540 and is configured to, when the judgment result of the judging unit 540 is no, decrement the detection count by 1 and, after waiting a preset time interval, trigger the sending subunit of the detecting unit 532 to send an echo request message to the receiving port to detect whether the source IP address and source MAC address are reachable. The second determining unit 542 is connected to the judging unit 540 and is configured to, when the judgment result of the judging unit 540 is yes, determine that the source IP address and source MAC address are unreachable and end the reachability detection operation.
The above functional units can be used to execute the corresponding flow in the method embodiment shown in Fig. 3C; their specific working principle is not repeated here, see the description of the method embodiment for details. By performing reachability detection on the source IP address and source MAC address multiple times through the above functional units, the CPU can resolve detection failures caused by network congestion and similar reasons, improving the accuracy of reachability detection and, in turn, the accuracy of data message processing.
In summary, the message processing device of this embodiment first handles a received data message in the hardware module, which improves processing efficiency, and sends it to the CPU for software processing only when the hardware module cannot handle it, which reduces the load on the CPU and saves software resources. At the same time, the CPU can supplement or update the binding relationships in the first filter table during software processing, thereby flexibly handling data messages that lack a binding relationship between source address and receiving port because of factors such as loss of control messages or loss of binding state on the SAVI device. This clearly improves the reliability of source address filtering and the robustness of the whole network.
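The flow summarized above (hardware lookup in the first and second filter tables, then CPU-side reachability detection gated by the third filter table, the per-port threshold, the detection count and the state timer), as an added Python simulation that is not code from the patent. Class and method names, the state strings, the default limits, clearing the second-table entry after a successful detection, and matching the Echo Reply on the receiving port are assumptions of this sketch; the echo request/reply exchange is modelled as events, not real packets.

```python
"""Constructed simulation of the two-stage source-address filter (not the patent's code)."""
from dataclasses import dataclass

FORWARD, DROP, TO_CPU = "forward", "drop", "to_cpu"


@dataclass(frozen=True)
class Binding:
    src_ip: str
    src_mac: str
    port: int


class SaviFilter:
    def __init__(self, port_threshold=2, detect_count=2, untrusted_ttl=30):
        self.first = set()     # first filter table: bindings the hardware forwards
        self.second = {}       # second filter table: binding -> state, hardware drops
        self.third = {}        # third filter table: binding under detection -> count left
        self.timers = {}       # state timers: binding -> expiry time
        self.port_threshold = port_threshold
        self.detect_count = detect_count
        self.untrusted_ttl = untrusted_ttl
        self.probes_sent = []  # echo requests the CPU would transmit

    def hardware(self, b):
        """Fast path: decide from the first and second tables, else punt to the CPU."""
        if b in self.first:
            return FORWARD
        if b in self.second:
            return DROP
        return TO_CPU

    def cpu_receive(self, b):
        """Slow path for a punted message; the message itself is always discarded."""
        # Per-port cap on bindings under detection keeps the CPU load bounded.
        if sum(1 for x in self.third if x.port == b.port) >= self.port_threshold:
            return "ended: port threshold"
        if b in self.third:
            return "discarded: detection in progress"
        self.second[b] = "detecting"      # hardware now drops this binding
        self.third[b] = self.detect_count
        self._send_echo_request(b)
        return "discarded: detection started"

    def _send_echo_request(self, b):
        # Sent out of the receiving port with dst IP = source IP, dst MAC = source MAC.
        self.probes_sent.append((b.port, b.src_ip, b.src_mac))

    def echo_reply(self, src_ip, src_mac, port):
        """Echo Reply from the probed IP and MAC: the source is reachable."""
        b = Binding(src_ip, src_mac, port)  # assumption: reply must arrive on the same port
        if b not in self.third:
            return False                    # unsolicited or mismatched reply is ignored
        self.first.add(b)
        self.second.pop(b, None)            # assumption: clear the provisional drop entry
        del self.third[b]
        return True

    def probe_timeout(self, b, now):
        """No Echo Reply: retry while the detection count is not 0."""
        if b not in self.third:
            return "ignored"
        if self.third[b] != 0:
            self.third[b] -= 1
            self._send_echo_request(b)      # caller models the preset wait interval
            return "retry"
        self.second[b] = "untrusted"
        self.timers[b] = now + self.untrusted_ttl
        del self.third[b]
        return "unreachable"

    def tick(self, now):
        """Expire state timers so an untrusted binding can be detected again later."""
        for b, expiry in list(self.timers.items()):
            if now >= expiry:
                self.second.pop(b, None)
                del self.timers[b]


if __name__ == "__main__":
    f = SaviFilter(detect_count=1)
    host = Binding("2001:db8::10", "00:00:5e:00:53:01", 1)    # constructed sample values
    ghost = Binding("2001:db8::99", "00:00:5e:00:53:02", 1)
    for b in (host, ghost):
        print(f.hardware(b), "->", f.cpu_receive(b))
    f.echo_reply(host.src_ip, host.src_mac, host.port)
    print(f.probe_timeout(ghost, now=1), f.probe_timeout(ghost, now=2))
    print(f.hardware(host), f.hardware(ghost))
```

Because the binding enters the second table as soon as detection starts, later messages from the same source are dropped in hardware while the probe is outstanding; the third-table check only matters for messages already queued to the CPU.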
An embodiment of the present invention provides a network device that comprises a message processing device and is mainly used to forward messages. The network device of this embodiment may be any device on which SAVI is installed, for example a switch. The structure of the message processing device may be as shown in Fig. 5 or Fig. 6 above, and its working principle may follow the flow of any of the embodiments shown in Fig. 1 to Fig. 3C, which is not repeated here.
Because the network device of this embodiment comprises the message processing device provided by the embodiments of the present invention and can execute the flow of the message processing method provided by the embodiments of the present invention, it can likewise reduce the load on its CPU, save software resources, and clearly improve the reliability of source address filtering and the robustness of the whole network.
A person of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be carried out by hardware under the instruction of a program. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes various media capable of storing program code, such as ROM, RAM, magnetic disk or optical disc.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (21)
1. A message processing method, characterized by comprising:
A hardware chip of a Source Address Validation Improvement (SAVI) device forwards or discards a received data message according to a first filter table and/or a second filter table; the first filter table comprises binding relationships between source address and receiving port for data messages that are allowed to be forwarded, and the second filter table comprises binding relationships between source address and receiving port for data messages that undergo software processing;
When it cannot be determined from the first filter table and the second filter table whether to forward or discard the data message, the hardware chip sends the data message to the central processing unit (CPU) of the SAVI device for software processing;
The CPU performs reachability detection on the source address of the data message according to the data message, updates the first filter table and the second filter table according to the reachability detection result, so that the hardware chip forwards or discards subsequent data messages from the source address according to the updated first filter table and/or the updated second filter table, and discards the data message.
2. The message processing method according to claim 1, characterized in that the hardware chip of the SAVI device forwarding or discarding the received data message according to the first filter table and/or the second filter table comprises:
When the binding relationship among the source Internet Protocol (IP) address of the data message, the source Media Access Control (MAC) address of the data message and the receiving port on which the data message was received is present in the first filter table, the hardware chip forwards the data message;
When the binding relationship among the source IP address, the source MAC address and the receiving port is present in the second filter table, the hardware chip discards the data message;
When the binding relationship among the source IP address, the source MAC address and the receiving port is present in neither the first filter table nor the second filter table, the hardware chip determines that it cannot be determined from the first filter table and the second filter table whether to forward or discard the data message.
3. The message processing method according to claim 1 or 2, characterized in that the CPU performing reachability detection on the source address of the data message according to the data message and updating the first filter table and the second filter table according to the reachability detection result, so that the hardware chip forwards or discards subsequent data messages from the source address according to the updated first filter table and/or the updated second filter table, comprises:
The CPU parses the data message to obtain its source Internet Protocol (IP) address, source Media Access Control (MAC) address and receiving port;
The CPU performs reachability detection on the source IP address and the source MAC address according to the source IP address, the source MAC address and the receiving port;
When the detection result is that the source IP address and the source MAC address are reachable, the CPU updates the first filter table so that the updated first filter table comprises the binding relationship among the source IP address, the source MAC address and the receiving port;
When the detection result is that the source IP address and the source MAC address are unreachable, the CPU updates the second filter table so that the updated second filter table comprises the binding relationship among the source IP address, the source MAC address and the receiving port.
4. The message processing method according to claim 3, characterized in that, before the CPU performs reachability detection on the source IP address and the source MAC address according to the source IP address, the source MAC address and the receiving port, the method comprises:
The CPU queries a third filter table according to the source IP address, the source MAC address and the receiving port, and judges whether the binding relationship among the source IP address, the source MAC address and the receiving port exists in the third filter table; the third filter table stores the binding relationships between source address and receiving port of the data messages for which reachability detection is being performed;
When the binding relationship among the source IP address, the source MAC address and the receiving port does not exist in the third filter table, the CPU performs reachability detection on the source IP address and the source MAC address according to the source IP address, the source MAC address and the receiving port.
5. The message processing method according to claim 4, characterized in that the CPU performing reachability detection on the source IP address and the source MAC address according to the source IP address, the source MAC address and the receiving port comprises:
The CPU stores the binding relationship among the source IP address, the source MAC address and the receiving port in the second filter table and the third filter table respectively;
The CPU sends an echo request message to the receiving port and judges whether an Echo Reply message from the source IP address and the source MAC address is received, so as to detect whether the source IP address and the source MAC address are reachable; the destination IP address of the echo request message is the source IP address and its destination MAC address is the source MAC address;
When an Echo Reply message from the source IP address and the source MAC address is received, the CPU determines that the source IP address and the source MAC address are reachable;
When no Echo Reply message from the source IP address and the source MAC address is received, the CPU determines that the source IP address and the source MAC address are unreachable.
6. The message processing method according to claim 5, characterized in that the CPU updating the second filter table so that the updated second filter table comprises the binding relationship among the source IP address, the source MAC address and the receiving port comprises:
The CPU sets the state of the binding relationship among the source IP address, the source MAC address and the receiving port in the second filter table to untrusted.
7. The message processing method according to claim 6, characterized by further comprising:
When the CPU sets the state of the binding relationship among the source IP address, the source MAC address and the receiving port in the second filter table to untrusted, the CPU starts a state timer;
When the state timer expires, the CPU deletes the binding relationship among the source IP address, the source MAC address and the receiving port from the second filter table.
8. The message processing method according to claim 4, characterized in that, before the CPU queries the third filter table according to the source IP address, the source MAC address and the receiving port and judges whether the binding relationship among the source IP address, the source MAC address and the receiving port exists in the third filter table, the method comprises:
The CPU queries the third filter table according to the receiving port and judges whether the number of binding relationships that include the receiving port is less than a preset binding relationship threshold;
When the judgment result is "not less than", the current operation ends;
When the judgment result is "less than", the CPU performs the operation of querying the third filter table according to the source IP address, the source MAC address and the receiving port and judging whether the binding relationship among the source IP address, the source MAC address and the receiving port exists in the third filter table.
9. The message processing method according to claim 5 or 6 or 7 or 8, characterized in that, after the CPU performs reachability detection on the source IP address and the source MAC address according to the source IP address, the source MAC address and the receiving port, the method comprises:
The CPU deletes the binding relationship among the source IP address, the source MAC address and the receiving port from the third filter table.
10. The message processing method according to claim 5 or 6 or 7 or 8, characterized by further comprising:
When the CPU determines that the source IP address and the source MAC address are unreachable, the CPU judges whether the detection count is 0;
When the detection count is not 0, the CPU decrements the detection count by 1 and, after waiting a preset time interval, again performs the operation of sending an echo request message to the receiving port to detect whether the source IP address and the source MAC address are reachable;
When the detection count is 0, the CPU determines that the source IP address and the source MAC address are unreachable and ends the reachability detection operation.
11. A message processing device, characterized by comprising:
A message processing module, configured to forward or discard a received data message according to a first filter table and/or a second filter table; the first filter table comprises binding relationships between source address and receiving port for data messages that are allowed to be forwarded, and the second filter table comprises binding relationships between source address and receiving port for data messages that undergo software processing;
A sending module, configured to send the data message to the central processing unit (CPU) of the message processing device when the message processing module cannot determine from the first filter table and the second filter table whether to forward or discard the data message;
The CPU, configured to perform reachability detection on the source address of the data message according to the data message, to update the first filter table and the second filter table according to the reachability detection result, so that the message processing module forwards or discards subsequent data messages from the source address according to the updated first filter table and/or the updated second filter table, and to discard the data message.
12. The message processing device according to claim 11, characterized in that the message processing module comprises:
A forwarding unit, configured to forward the data message when the binding relationship among the source Internet Protocol (IP) address of the data message, the source Media Access Control (MAC) address of the data message and the receiving port on which the data message was received is present in the first filter table;
A first discarding unit, configured to discard the data message when the binding relationship among the source IP address, the source MAC address and the receiving port is present in the second filter table;
A first determining unit, configured to determine, when the binding relationship among the source IP address, the source MAC address and the receiving port is present in neither the first filter table nor the second filter table, that it cannot be determined from the first filter table and the second filter table whether to forward or discard the data message.
13. The message processing device according to claim 11 or 12, characterized in that the CPU comprises:
A parsing and acquiring unit, configured to parse the data message to obtain its source Internet Protocol (IP) address, source Media Access Control (MAC) address and receiving port;
A detecting unit, configured to perform reachability detection on the source IP address and the source MAC address according to the source IP address, the source MAC address and the receiving port;
A first updating unit, configured to update the first filter table when the detection result of the detecting unit is that the source IP address and the source MAC address are reachable, so that the updated first filter table comprises the binding relationship among the source IP address, the source MAC address and the receiving port;
A second updating unit, configured to update the second filter table when the detection result of the detecting unit is that the source IP address and the source MAC address are unreachable, so that the updated second filter table comprises the binding relationship among the source IP address, the source MAC address and the receiving port;
A second discarding unit, configured to discard the data message.
14. The message processing device according to claim 13, characterized in that the CPU further comprises:
A first inquiry judging unit, configured to query a third filter table according to the source IP address, the source MAC address and the receiving port and judge whether the binding relationship among the source IP address, the source MAC address and the receiving port exists in the third filter table; the third filter table stores the binding relationships between source address and receiving port of the data messages for which reachability detection is being performed;
A first trigger unit, configured to, when the first inquiry judging unit judges that the binding relationship among the source IP address, the source MAC address and the receiving port does not exist in the third filter table, trigger the detecting unit to perform reachability detection on the source IP address and the source MAC address according to the source IP address, the source MAC address and the receiving port;
The second discarding unit is specifically configured to discard the data message after the first inquiry judging unit has queried the third filter table and judged whether the binding relationship among the source IP address, the source MAC address and the receiving port exists in the third filter table.
15. The message processing device according to claim 14, characterized in that the detecting unit comprises:
A storing subunit, configured to store the binding relationship among the source IP address, the source MAC address and the receiving port into the second filter table and the third filter table respectively;
A sending subunit, configured to send an echo request message to the receiving port and judge whether an Echo Reply message from the source IP address and the source MAC address is received, so as to detect whether the source IP address and the source MAC address are reachable; the destination IP address of the echo request message is the source IP address and its destination MAC address is the source MAC address;
A receiving-and-determining subunit, configured to determine that the source IP address and the source MAC address are reachable when an Echo Reply message from the source IP address and the source MAC address is received, and to determine that the source IP address and the source MAC address are unreachable when no Echo Reply message from the source IP address and the source MAC address is received.
16. The message processing device according to claim 15, characterized in that the second updating unit is specifically configured to set the state of the binding relationship among the source IP address, the source MAC address and the receiving port in the second filter table to untrusted.
17. The message processing device according to claim 16, characterized in that the CPU further comprises:
A start-and-delete unit, configured to start a state timer when the second updating unit sets the state of the binding relationship among the source IP address, the source MAC address and the receiving port in the second filter table to untrusted, and to delete the binding relationship among the source IP address, the source MAC address and the receiving port from the second filter table when the state timer expires.
18. The message processing device according to claim 14, characterized in that the CPU further comprises:
A second inquiry judging unit, configured to query the third filter table according to the receiving port and judge whether the number of binding relationships that include the receiving port is less than a preset binding relationship threshold;
An end-operation unit, configured to end the current operation when the judgment result of the second inquiry judging unit is "not less than";
A second trigger unit, configured to, when the judgment result of the second inquiry judging unit is "less than", trigger the first inquiry judging unit to perform the operation of querying the third filter table according to the source IP address, the source MAC address and the receiving port and judging whether the binding relationship among the source IP address, the source MAC address and the receiving port exists in the third filter table.
19. The message processing device according to claim 15 or 16 or 17 or 18, characterized in that the CPU further comprises:
A deleting unit, configured to delete the binding relationship among the source IP address, the source MAC address and the receiving port from the third filter table.
20. The message processing device according to claim 15 or 16 or 17 or 18, characterized in that the CPU further comprises:
A judging unit, configured to judge whether the detection count is 0 when the receiving-and-determining subunit determines that the source IP address and the source MAC address are unreachable;
A wait-and-trigger unit, configured to, when the judgment result of the judging unit is no, decrement the detection count by 1 and, after waiting a preset time interval, trigger the sending subunit to perform the operation of sending an echo request message to the receiving port to detect whether the source IP address and the source MAC address are reachable;
A second determining unit, configured to, when the judgment result of the judging unit is yes, determine that the source IP address and the source MAC address are unreachable and end the reachability detection operation.
21. A network device, characterized by comprising the message processing device according to any one of claims 11-20.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201110188179.4A CN102255804B (en) | 2011-07-06 | 2011-07-06 | Message processing method, device and network equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102255804A (en) | 2011-11-23 |
CN102255804B (en) | 2014-07-02 |
Family
ID=44982808
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201110188179.4A Expired - Fee Related CN102255804B (en) | 2011-07-06 | 2011-07-06 | Message processing method, device and network equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102255804B (en) |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104639433A (en) * | 2015-01-07 | 2015-05-20 | 烽火通信科技股份有限公司 | Echo message-based multi-hop detection implementation method |
CN104869153A (en) * | 2015-04-23 | 2015-08-26 | 北京海尔广科数字技术有限公司 | Message transmission method and apparatus for Internet of things |
CN106921665A (en) * | 2017-03-06 | 2017-07-04 | 北京东土军悦科技有限公司 | A kind of message processing method and the network equipment |
CN107124402A (en) * | 2017-04-12 | 2017-09-01 | 杭州迪普科技股份有限公司 | A kind of method and apparatus of packet filtering |
CN108270800A (en) * | 2018-04-26 | 2018-07-10 | 济南浪潮高新科技投资发展有限公司 | A kind of message processing method and system based on Self-certified code |
CN110392034A (en) * | 2018-09-28 | 2019-10-29 | 新华三信息安全技术有限公司 | A kind of message processing method and device |
CN111130847A (en) * | 2019-11-28 | 2020-05-08 | 深圳市元征科技股份有限公司 | Data configuration method and data filtering method of hardware filter and related products |
CN113132262A (en) * | 2020-01-15 | 2021-07-16 | 阿里巴巴集团控股有限公司 | Data stream processing and classifying method, device and system |
CN113595909A (en) * | 2021-07-05 | 2021-11-02 | 杭州迪普科技股份有限公司 | Message processing method, network authentication equipment and network card chip |
WO2022089212A1 (en) * | 2020-10-26 | 2022-05-05 | 华为技术有限公司 | Fault handling method and device |
WO2022100511A1 (en) * | 2020-11-13 | 2022-05-19 | 华为技术有限公司 | Method and device for processing forwarding entry |
CN114598639A (en) * | 2022-01-28 | 2022-06-07 | 新华三技术有限公司合肥分公司 | Message processing method and device |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6236654B1 (en) * | 1997-02-14 | 2001-05-22 | Advanced Micro Devices, Inc. | Method and apparatus for managing learning in an address table in memory |
CN1402487A (en) * | 2002-10-14 | 2003-03-12 | 北京港湾网络有限公司 | Method for optimazed configuration of third layer exchange chip of network exchange apparatus |
CN1411208A (en) * | 2002-04-23 | 2003-04-16 | 华为技术有限公司 | Method of guarding network attack |
CN1750512A (en) * | 2005-09-27 | 2006-03-22 | 杭州华为三康技术有限公司 | Single broadcast reverse path repeating method |
EP1713212A1 (en) * | 2005-04-12 | 2006-10-18 | Fujitsu Ltd. | Filtering frames at an input port of a switch |
CN102014142A (en) * | 2010-12-31 | 2011-04-13 | 中国科学院计算技术研究所 | Source address validation method and system |
Cited By (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104639433A (en) * | 2015-01-07 | 2015-05-20 | 烽火通信科技股份有限公司 | Echo message-based multi-hop detection implementation method |
CN104639433B (en) * | 2015-01-07 | 2018-09-18 | 烽火通信科技股份有限公司 | A kind of multi-hop detection implementation method based on Echo messages |
CN104869153A (en) * | 2015-04-23 | 2015-08-26 | 北京海尔广科数字技术有限公司 | Message transmission method and apparatus for Internet of things |
CN106921665A (en) * | 2017-03-06 | 2017-07-04 | 北京东土军悦科技有限公司 | A kind of message processing method and the network equipment |
CN106921665B (en) * | 2017-03-06 | 2020-09-11 | 北京东土军悦科技有限公司 | Message processing method and network equipment |
CN107124402A (en) * | 2017-04-12 | 2017-09-01 | 杭州迪普科技股份有限公司 | A kind of method and apparatus of packet filtering |
CN108270800B (en) * | 2018-04-26 | 2020-08-04 | 浪潮集团有限公司 | Message processing method and system based on self-authentication code |
CN108270800A (en) * | 2018-04-26 | 2018-07-10 | 济南浪潮高新科技投资发展有限公司 | A kind of message processing method and system based on Self-certified code |
CN110392034A (en) * | 2018-09-28 | 2019-10-29 | 新华三信息安全技术有限公司 | A kind of message processing method and device |
US12132705B2 (en) | 2018-09-28 | 2024-10-29 | New H3C Security Technologies Co., Ltd. | Message processing |
CN111130847A (en) * | 2019-11-28 | 2020-05-08 | 深圳市元征科技股份有限公司 | Data configuration method and data filtering method of hardware filter and related products |
CN111130847B (en) * | 2019-11-28 | 2022-06-17 | 深圳市元征科技股份有限公司 | Data configuration method and data filtering method of hardware filter and related products |
CN113132262A (en) * | 2020-01-15 | 2021-07-16 | 阿里巴巴集团控股有限公司 | Data stream processing and classifying method, device and system |
CN113132262B (en) * | 2020-01-15 | 2024-05-03 | 阿里巴巴集团控股有限公司 | Data stream processing and classifying method, device and system |
WO2022089212A1 (en) * | 2020-10-26 | 2022-05-05 | 华为技术有限公司 | Fault handling method and device |
WO2022100511A1 (en) * | 2020-11-13 | 2022-05-19 | 华为技术有限公司 | Method and device for processing forwarding entry |
CN113595909A (en) * | 2021-07-05 | 2021-11-02 | 杭州迪普科技股份有限公司 | Message processing method, network authentication equipment and network card chip |
CN114598639A (en) * | 2022-01-28 | 2022-06-07 | 新华三技术有限公司合肥分公司 | Message processing method and device |
CN114598639B (en) * | 2022-01-28 | 2023-12-26 | 新华三技术有限公司合肥分公司 | Message processing method and device |
Also Published As
Publication number | Publication date |
---|---|
CN102255804B (en) | 2014-07-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN102255804B (en) | Message processing method, device and network equipment | |
US8228848B2 (en) | Method and apparatus for facilitating push communication across a network boundary | |
US6957276B1 (en) | System and method of assigning and reclaiming static addresses through the dynamic host configuration protocol | |
CN101951417B (en) | Method, system and trunk equipment for assigning multiple server addresses | |
CN100586106C (en) | Message processing method, system and equipment | |
CN101834875B (en) | Method, device and system for defending DDoS (Distributed Denial of Service) attacks | |
CN102739281B (en) | Implementation method, device and system of scheduling | |
CN101094236A (en) | Method for processing message in address resolution protocol, communication system, and forwarding planar process portion | |
CN110661897A (en) | Method and device for managing address | |
WO2007143833A1 (en) | System and method for handling address resolution protocol requests | |
CN102082835B (en) | Method and device for distributing IP (internet protocol) addresses | |
CN106878326A (en) | The guard method of IPv6 neighbor caches and its device based on inverse detection | |
US8964602B2 (en) | Network communication apparatus, method and program | |
CN103414641B (en) | Neighbor table item release, device and the network equipment | |
CN106464745A (en) | Dns server, client and data synchronization method | |
JP6137178B2 (en) | COMMUNICATION INFORMATION DETECTING DEVICE AND COMMUNICATION INFORMATION DETECTING METHOD | |
CN103856435A (en) | Address resolution protocol cache and caching method | |
CN105635138B (en) | A kind of method and apparatus for preventing ARP from attacking | |
US7536479B2 (en) | Local and remote network based management of an operating system-independent processor | |
CN112165537A (en) | Virtual IP method for ping reply | |
CN114793199B (en) | Message processing method, device and network equipment | |
KR100545586B1 (en) | Dual stack transition mechanism router and method for cache table | |
CN101888387B (en) | Method, device and snooping equipment for reestablishing binding table entry | |
CN101980510A (en) | Method for processing domain name inquiry request, recurrence server and domain name system | |
CN111565176A (en) | Intelligent disguising host method, system, device and readable storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20140702 Termination date: 20210706 |