CN118803062A - Message processing method, device, node, storage medium and computer program product - Google Patents

Info

Publication number
CN118803062A
Authority
CN
China
Prior art keywords
message
network
node
information
arn
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410773425.XA
Other languages
Chinese (zh)
Inventor
杨锋
程伟强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
Research Institute of China Mobile Communication Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
Research Institute of China Mobile Communication Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd and Research Institute of China Mobile Communication Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/50: Network services
    • H04L67/60: Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application discloses a message processing method, device, node, storage medium and computer program product. In the method, a first node receives a first message, where the first message contains a first Application Responsive Networking (ARN) identifier and the first node includes a border node of a first network. When first information indicates that a first interface of the first node may use ARN, the first node performs ARN-associated forwarding-related processing on the first message at the first interface; or, when the first information indicates that ARN is disabled on the first interface of the first node, the first node performs forwarding-related processing that is not associated with ARN on the first message at the first interface.

Description

Message processing method, device, node, storage medium and computer program product

Technical Field

The present application relates to the field of network transmission, and in particular to a message processing method, device, node, storage medium and computer program product.

Background Art

Application Responsive Networking (ARN) is a new technology for coordinating applications and networks. By carrying an ARN identifier (which can also be understood as an ARN label) in an application's messages, the application can invoke the network path corresponding to that ARN identifier. Accordingly, after receiving a message, a network border device can recognize the ARN identifier carried in the message and forward the message along the network path corresponding to the ARN identifier.

However, there is currently no effective solution for forwarding messages that carry ARN identifiers between network domains with different levels of trustworthiness.

Summary of the Invention

To solve the related technical problems, embodiments of the present application provide a message processing method, device, node, storage medium and computer program product.

The technical solutions of the embodiments of the present application are implemented as follows:

An embodiment of the present application provides a message processing method, including:

A first node receives a first message, where the first message contains a first ARN identifier and the first node includes a border node of a first network;

When first information indicates that a first interface of the first node may use ARN, the first node performs ARN-associated forwarding-related processing on the first message at the first interface; or, when the first information indicates that ARN is disabled on the first interface of the first node, the first node performs forwarding-related processing that is not associated with ARN on the first message at the first interface.

In the above solution, the first message further contains second information, which indicates the source of the first message. When the first information indicates that the first interface of the first node may use ARN, the first node verifies the second information and the first ARN identifier; after the verification succeeds, the first node performs ARN-associated forwarding-related processing on the first message at the first interface.

In the above solution, the first message further contains second information, which indicates the source of the first message. When the first information indicates that the first interface of the first node may use ARN, the first node verifies the second information and the first ARN identifier; after the verification fails, the first node performs forwarding-related processing that is not associated with ARN on the first message at the first interface.

In the above solution, verifying the second information and the first ARN identifier includes:

The first node verifies the second information and the first ARN identifier using third information, where the third information indicates the correspondence between the source information of one or more messages and ARN identifiers.

In the above solution, the method further includes:

The first node receives the third information sent by a control device;

or,

The first node determines the third information through route learning.

In the above solution, the second information includes one or more of the following:

User information of the first message;

Source address information of the first message;

Port information of the first message.

In the above solution, performing ARN-associated forwarding-related processing on the first message includes one of the following:

The first node sets the first field of the first message, which carries the first ARN identifier, to a second ARN identifier to obtain a processed first message, where the second ARN identifier is associated with a second network, and forwards the processed first message to the second network;

The first node sets the first field of the first message, which carries the first ARN identifier, to a third ARN identifier to obtain a processed first message, where the third ARN identifier is associated with the first network, and forwards the processed first message within the first network in a first manner, where the first manner is associated with the third ARN identifier;

The first node forwards the first message to the second network, in which the message can be forwarded in a second manner, where the second manner is associated with a second ARN identifier corresponding to the first message;

The first node forwards the first message within the first network in a third manner, where the third manner is associated with the first ARN identifier.

In the above solution, the first node uses fourth information to set the first field of the first message, which carries the first ARN identifier, to the second ARN identifier, or to set that first field to the third ARN identifier, where the fourth information indicates the correspondence between one or more ARN identifiers associated with the first network and ARN identifiers associated with the second network.

In the above solution, the method further includes:

The first node receives the fourth information sent by a control device;

or,

The first node determines the fourth information through route learning.

In the above solution, performing forwarding-related processing that is not associated with ARN on the first message includes one of the following:

The first node sets the first field of the first message, which carries the first ARN identifier, to fifth information to obtain a processed first message, and forwards the processed first message within the first network in a fourth manner, where the fourth manner is not associated with ARN and the fifth information indicates that ARN is disabled for the first message;

The first node sets the first field of the first message, which carries the first ARN identifier, to fifth information to obtain a processed first message, and forwards the processed first message to the second network, where the fifth information indicates that ARN is disabled for the first message;

The first node discards the first message.
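The border-node decision described in this summary, as an added example that is not part of the patent text: the per-interface ARN switch (first information), the source check (second and third information), the identifier rewrite (fourth information) and the "ARN disabled" marker (fifth information). All class and field names, the `ARN_DISABLED` value and the table layouts are assumptions made for the illustration.

```python
from dataclasses import dataclass, replace
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Optional

ARN_DISABLED = 0  # assumed encoding of the "fifth information" marker


class Action(Enum):
    FORWARD_ARN = "forward along the path bound to the ARN identifier"
    FORWARD_PLAIN = "forward without ARN treatment"
    DROP = "discard"


@dataclass(frozen=True)
class Message:
    arn_id: int                  # the "first field" carrying the ARN identifier
    src_addr: str                # second information: source address
    src_port: int                # second information: port
    user: Optional[str] = None   # second information: user


@dataclass(frozen=True)
class SourceRule:
    """One row of the third information: a source and the ARN IDs it may use."""
    prefix: str
    arn_ids: frozenset
    ports: Optional[range] = None
    user: Optional[str] = None

    def matches(self, msg: Message) -> bool:
        if ip_address(msg.src_addr) not in ip_network(self.prefix):
            return False
        if self.ports is not None and msg.src_port not in self.ports:
            return False
        if self.user is not None and msg.user != self.user:
            return False
        return msg.arn_id in self.arn_ids


@dataclass
class BorderNode:
    arn_enabled: dict            # first information: interface name -> bool
    source_rules: list           # third information
    arn_translation: dict        # fourth information: received ID -> ID to write
    drop_on_reject: bool = False

    def _reject(self, msg: Message):
        # Non-ARN handling: either discard, or overwrite the ARN field with
        # the disabled marker so no later node honours the original ID.
        if self.drop_on_reject:
            return Action.DROP, None
        return Action.FORWARD_PLAIN, replace(msg, arn_id=ARN_DISABLED)

    def process(self, interface: str, msg: Message):
        # An interface with no entry is treated as ARN-disabled (fail closed).
        if not self.arn_enabled.get(interface, False):
            return self._reject(msg)
        try:
            verified = any(rule.matches(msg) for rule in self.source_rules)
        except ValueError:       # malformed source address never verifies
            verified = False
        if not verified:
            return self._reject(msg)
        # Rewrite when a mapping exists; otherwise keep the received ID,
        # which corresponds to the forward-unchanged options in the list.
        new_id = self.arn_translation.get(msg.arn_id, msg.arn_id)
        return Action.FORWARD_ARN, replace(msg, arn_id=new_id)


def demo():
    """Run three constructed messages through a constructed border node."""
    node = BorderNode(
        arn_enabled={"if-partner": True, "if-untrusted": False},
        source_rules=[SourceRule("2001:db8:1::/48", frozenset({100, 101}),
                                 ports=range(4000, 5000))],
        arn_translation={100: 7100},
    )
    listed = Message(arn_id=100, src_addr="2001:db8:1::10", src_port=4443)
    unlisted = Message(arn_id=100, src_addr="2001:db8:ffff::66", src_port=4443)
    return {
        "verified": node.process("if-partner", listed),
        "unverified": node.process("if-partner", unlisted),
        "disabled_interface": node.process("if-untrusted", listed),
    }


if __name__ == "__main__":
    for case, (action, out) in demo().items():
        print(case, action.name, out)
```

Setting `drop_on_reject=True` selects the discard option instead of forwarding with the marker written into the ARN field.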

An embodiment of the present application further provides a message processing device, arranged at a first node, where the first node includes a border node of a first network, the device including:

A receiving unit, configured to receive a first message, where the first message contains a first ARN identifier;

A processing unit, configured to perform ARN-associated forwarding-related processing on the first message at the first interface when first information indicates that a first interface of the first node may use ARN, or to perform forwarding-related processing that is not associated with ARN on the first message at the first interface when the first information indicates that ARN is disabled on the first interface of the first node.

An embodiment of the present application further provides a node, characterized in that the node includes a border node of a first network, the node including:

A communication interface, configured to receive a first message, where the first message contains a first ARN identifier;

A processor, configured to perform ARN-associated forwarding-related processing on the first message at the first interface when first information indicates that a first interface of the node may use ARN, or to perform forwarding-related processing that is not associated with ARN on the first message at the first interface when the first information indicates that ARN is disabled on the first interface of the node.

An embodiment of the present application further provides a node, including a processor and a memory for storing a computer program that can run on the processor,

where the processor is configured to execute the steps of any of the above methods when running the computer program.

An embodiment of the present application further provides a storage medium on which a computer program is stored, where the computer program implements the steps of any of the above methods when executed by a processor.

An embodiment of the present application further provides a computer program product, including a computer program that implements the steps of any of the above methods when executed by a processor.

In the message processing method, device, node, storage medium and computer program product provided by the embodiments of the present application, a first node receives a first message, where the first message contains a first ARN identifier and the first node includes a border node of a first network; when first information indicates that a first interface of the first node may use ARN, ARN-associated forwarding-related processing is performed on the first message at the first interface, or, when the first information indicates that ARN is disabled on the first interface of the first node, forwarding-related processing that is not associated with ARN is performed on the first message at the first interface. In the solution provided by the embodiments of the present application, the first information is set in the first node at the border of the first network (which can also be understood as the network domain border of the first network), so that when the first node receives a first message transmitted across network domains (for example, entering or leaving the first network), it can determine from the first information whether to perform ARN-associated forwarding-related processing on the first message. In this way, when the first node receives the first message from a network whose trustworthiness differs from that of the first network, or when the first node forwards the first message to such a network, messages carrying ARN identifiers can be forwarded between network domains with different levels of trustworthiness by setting whether the interface of the first node involved in forwarding the first message may use ARN.

Brief Description of the Drawings

FIG. 1 is a schematic diagram of the structure of an Application-Aware Internet Protocol version 6 Networking (APN6) message header;

FIG. 2 is a schematic diagram of a network architecture using APN6 technology;

FIG. 3 is a schematic diagram of another network architecture using APN6 technology;

FIG. 4 is a schematic diagram of the structure of a message header configured with an ARN ID;

FIG. 5 is a schematic flowchart of a message processing method according to an embodiment of the present application;

FIG. 6 is a schematic diagram of a network architecture using ARN technology in an application example of the present application;

FIG. 7 is a schematic flowchart of an ARN ID access control method in an application example of the present application;

FIG. 8 is a schematic diagram of the structure of a message processing device according to an embodiment of the present application;

FIG. 9 is a schematic diagram of the structure of a first node according to an embodiment of the present application.

Detailed Description

The present application is described in further detail below with reference to the accompanying drawings and embodiments.

In the related art, networks usually forward messages in a best-effort forwarding mode (which can also be understood as providing a forwarding service). However, as the types of services carried by the Internet increase, the best-effort forwarding mode can no longer meet the diverse forwarding service requirements of different applications (APPs), and this has become a major pain point in network development.

To meet diverse forwarding service requirements, technologies such as IPv6 segment routing (SRv6, Segment Routing IPv6), generalized SRv6 (G-SRv6, Generalized SRv6) and network slicing have emerged. However, these technologies do not solve the problem of how to map different applications onto their corresponding network paths, that is, how to forward the messages of different applications along the corresponding network paths. Here, the network path corresponding to an application can also be understood as a network path or tunnel path that meets the service level agreement (SLA, Service Level Agreement) requirements of the application; a network path may specifically include a network tunnel and/or a network slice.

In the related art, Multi-Protocol Label Switching (MPLS) technology allows the network to specify the forwarding network path according to the message characteristics of different applications (such as congestion or quality of service (QoS, Quality of Service) requirements). However, MPLS can only be applied within a limited trusted domain (also called an MPLS domain; this can also be understood as running in a limited domain). In this case, nodes at the border of the MPLS domain (such as routers) discard all messages entering the MPLS domain from outside it. The network within the MPLS domain is therefore invisible to the outside (it can be regarded as a black box from the outside). In other words, MPLS only allows the network to perceive the messages of different applications (which can also be understood as the network being able to perceive applications), but does not allow applications to invoke network capabilities (which can also be understood as application-aware network capabilities or application awareness capabilities).

In practice, if applications cannot invoke network capabilities, it is difficult to adjust the priority of message forwarding on demand and to allocate network resources reasonably. For example, in a data express service, after the network receives an application's data messages, if the network can perceive the application but the application cannot invoke network capabilities, the network can only perceive the transport protocols corresponding to different applications and cannot further distinguish the different priority requirements of applications that use the same transport protocol. In this case, the network may forward the messages of an application with high-priority requirements at a lower priority, in the order in which they were received (similar to ordinary file transfer). When the network can perceive the application and the application can invoke network capabilities, applications of different priorities can invoke different network paths for message forwarding, so that the priority of message forwarding can be adjusted on demand and network resources can be allocated reasonably.

In the related art, for applications to invoke network capabilities, the network has to open its capabilities to the outside. Usually, network capabilities can be opened through the northbound interface of a controller (which can also be understood as a network controller or control device). In this case, the application has to call the controller in order to invoke network capabilities. However, an application calling the controller directly may affect network security, and given the security requirements of operator networks, this solution is usually difficult to apply widely.

In the related art, APN6 technology is defined in the IPv6+ technology system of SRv6 and can be used to coordinate applications and network capabilities. APN6 defines a way of carrying application information in IPv6 messages; specifically, an APN6 header can be added to an IPv6 message, and the application's information can be carried in the APN6 header. As shown in FIG. 1, the added APN6 header may specifically contain information such as an APN identifier (for example an APN ID, which may specifically contain an application group ID (APP-Group-ID), a user group ID (USER-Group-ID), a Reserved field and so on), an intent (Intent) and APN parameters (APN-Para). The APN6 header can be used to indicate the application (or application group, which can also be understood as the class to which the application belongs) corresponding to the message, the user (or user group) using that application (or application group), the key flows within the application (such as action instructions in cloud gaming), and parameters related to SLA requirements or network performance requirements (such as bandwidth, latency, jitter and packet loss rate). This information can also be collectively referred to as APN6 application information or APN6 information. In practice, multiple applications can be grouped according to grouping rules to obtain multiple application groups. Here, the grouping rules for application groups may specifically be set based on the five-tuple information contained in the IPv6 message, the QinQ information corresponding to the IPv6 message, and so on.

In practice, as shown in FIG. 2, in a network using APN6 technology, an application on an end-side device (such as a terminal) or a cloud-side device (such as a server) generates IPv6 messages and sends them to the network (end-side devices and cloud-side devices can also be collectively referred to as user devices). The end-side device or cloud-side device can set the APN6 application information corresponding to the application in the APN6 header of the IPv6 message (which can also be understood as filling in APN6 application information or encapsulating application feature information). After receiving the IPv6 message, the network can recognize the APN6 application information it contains and thereby perceive the corresponding application; the network can then map the IPv6 message onto the network path corresponding to the perceived application for forwarding (which can also be understood as forwarding the IPv6 message along the network path corresponding to the perceived application). In this way, an application can invoke the network capability corresponding to the APN6 application information by filling that information into its messages, and the network can identify the corresponding application from the APN6 application information carried in the messages. At the same time, the application can invoke network capabilities without calling the controller directly, which meets the operator's requirements for network security.

实际应用时,如图3所示,应用APN6技术的网络架构具体可以包括:In actual application, as shown in FIG3 , the network architecture using the APN6 technology may specifically include:

1)端侧设备、云侧设备:比如终端、服务器等,端侧设备或云侧设备可以通过应用感知程序,感知应用的特征信息;进而利用感知的特征信息作为APN6应用信息,生成包含APN6头部的IPv6报文,并将生成的IPv6报文发送至APN6网络域(比如应用APN6技术的SRv6网络域);1) Devices on the end side and cloud side: such as terminals and servers. Devices on the end side or cloud side can perceive the characteristic information of the application through the application perception program. Then, the perceived characteristic information is used as APN6 application information to generate an IPv6 message containing an APN6 header, and the generated IPv6 message is sent to the APN6 network domain (such as the SRv6 network domain using the APN6 technology).

2)网络边缘设备:比如APN6网络域边界(也可以理解为边缘)的节点。当端侧设备、云侧设备不具备应用感知能力(即不能够感知应用的APN6应用信息)时,端侧设备、云侧设备无法生成包含APN6头部的IPv6报文。此时,端侧设备、云侧设备可以将不包含APN6头部的IPv6报文发送至网络边缘设备,网络边缘设备接收到IPv6报文后,可以从IPv6报文包含的五元组信息、业务信息(比如双虚拟局域网(VLAN,Virtual Local Area Network)标签的映射关系(即用户VLAN(C-VLAN,Customer VLAN)和服务商VLAN(S-VLAN,Service ProviderVLAN)的映射关系))中解析出应用特征信息,并利用解析出的应用特征信息作为APN6应用信息,生成包含APN6头部的IPv6报文,再将生成的IPv6报文转发至网络策略执行设备;2) Network edge devices: such as nodes at the border of the APN6 network domain (also understood as the edge). When the end-side device and the cloud-side device do not have application awareness capabilities (that is, they cannot perceive the APN6 application information of the application), the end-side device and the cloud-side device cannot generate an IPv6 message containing an APN6 header. At this time, the end-side device and the cloud-side device can send the IPv6 message that does not contain the APN6 header to the network edge device. After receiving the IPv6 message, the network edge device can parse the application feature information from the five-tuple information and service information contained in the IPv6 message (such as the mapping relationship of the dual virtual local area network (VLAN) tags (that is, the mapping relationship between the user VLAN (C-VLAN, Customer VLAN) and the service provider VLAN (S-VLAN, Service ProviderVLAN))), and use the parsed application feature information as the APN6 application information to generate an IPv6 message containing the APN6 header, and then forward the generated IPv6 message to the network policy execution device;

3)网络策略执行设备:比如SRv6网络中提供报文转发服务的网络路径(也可以称为网络服务路径)中包含的节点,具体可以包括:3) Network policy execution device: For example, the nodes included in the network path (also called the network service path) that provides message forwarding services in the SRv6 network, which may include:

Head node (which can also be understood as the application-aware head node): the starting node of the network path. The head node maintains the matching relationship between message traffic in the inbound direction (i.e., the direction entering the APN6 network domain) and network paths. After receiving an IPv6 message from the network edge device, the head node can determine the network policy corresponding to the IPv6 message according to the APN6 application information carried in the IPv6 message and the correspondence between APN IDs and network policies (i.e., the routing policy for the network forwarding service, which can also be called the network service policy or path selection policy). It then selects a network path for the IPv6 message according to the network policy (which can also be understood as matching the network path corresponding to the APN6 application information, i.e., the network path that meets the network performance requirements corresponding to the APN6 application information) and forwards the IPv6 message to the intermediate node corresponding to the matched network path (which can also be understood as steering it onto a path that meets the requirements). At the same time, the head node can also encapsulate the APN6 application information into the outer IPv6 extension header (which can also be understood as performing path tunnel encapsulation), so that the intermediate nodes can obtain the APN6 application information from the outer IPv6 extension header and application-aware services can be further provided in the SRv6 network (which can also be understood as enabling other nodes in the network to perceive the application information);

Intermediate node (which can also be understood as an application-aware intermediate node): one or more (which can also be understood as at least one) nodes located between the head node and the tail node in the network path can be called intermediate nodes. The intermediate node can learn from the head node which network path has been matched for the IPv6 message, so that after receiving the IPv6 message from the head node it can provide the network forwarding service for the application's IPv6 message according to the matched network path. At the same time, the intermediate node can also provide other value-added network services based on the APN6 application information carried in the IPv6 message, such as application-aware Service Function Chaining (SFC) and application-aware In-situ Flow Information Telemetry (IFIT);

Tail node (which can also be understood as the application-aware tail node): the terminating node of the network path. The tail node can delete (which can also be understood as remove) the APN6 application information and the path tunnel encapsulation information contained in the IPv6 message. At the same time, the tail node can also retain (i.e., not delete) the APN6 application information that already existed in the IPv6 message before the IPv6 message entered the path, and continue to transmit the retained APN6 application information with the IPv6 message;

4) Controller: the controller can be used to uniformly plan and maintain the APN IDs and the mapping relationships between APN IDs, applications (or application groups) and network policies. When the network edge device generates the IPv6 message containing the APN6 header, the controller can deliver the APN IDs and the mapping relationships to the network edge device and the network policy enforcement device. Specifically, the controller can deliver the mapping relationship between applications (or application groups) and APN IDs to the network edge device; at the same time, the controller can deliver the mapping relationship between APN IDs and network policies to the network policy enforcement device. When the end-side device or cloud-side device generates the IPv6 message containing the APN6 header (which can also be understood as the application-side solution), the controller can coordinate the APN ID corresponding to the application (or application group) through collaboration with the over-the-top (OTT) application management server, and distribute it to the end-side device or cloud-side device.

In actual application, although APN6 technology enables both the invocation of network capabilities by applications and the identification of applications by the network, it has a series of problems concerning privacy, security, management and capacity. Specifically:

Privacy: the APN6 header of the IPv6 message carries user information in plaintext, which can easily leak user privacy;

Security: APN6 application information is associated only with the application, so APN6 application information in IPv6 messages may be forged or spoofed. For example, after a user purchases an APN6 service, the controller assigns the user the APN ID corresponding to the application the user has subscribed to. The APN ID is fixed and cannot be changed. If the APN ID is leaked (for example, intercepted by an illegitimate third party), the APN IDs stored in all routers must be fully updated to keep the network secure, which is a heavy maintenance burden;

Management: there are a large number of applications, and large numbers of new applications appear at any time. Uniformly encoding (which can also be understood as allocating) the APN IDs corresponding to these applications, and managing them (for example, modifying or deleting them), is in practice not achievable;

Capacity: there are currently hundreds of millions of applications. The database that stores the APN IDs of all applications and the mapping relationships between APN IDs and network policies occupies a large amount of capacity. Delivering the APN IDs and mapping relationships to network border devices poses a great challenge to the capacity of those devices.

At the same time, the network has limited access control over APN6 application information; that is, the network can control access to APN6 application information only to a limited extent, which makes it difficult to meet complex network requirements. Specifically, the extension header of the IPv6 message carries the APN6 application information, and usually the APN6 application information contained in an extension header (specifically, extension headers other than the Hop-By-Hop (HBH) header) cannot be changed during forwarding (for example, it cannot be inserted, modified or deleted). As a result, when the IPv6 message is transmitted between different network domains (which can also be understood as administrative domains), the APN6 application information may differ between the domains, which may cause the node at the network domain boundary to discard the IPv6 message, violating the Internet's best-effort forwarding principle.

In other words, the APN ID is uniformly allocated for the entire network, while the encoding of the application information and user information contained in the APN6 application information may differ between network domains. Therefore, when a message using APN6 technology is transmitted from one network domain to another (i.e., transmitted across network domains), two cases arise. If the two network domains encode application information and user information in the same way, the border node of the receiving network domain can accurately identify the APN6 application information contained in the message, so it can accept the message and forward it within that network domain according to the APN6 application information. If the two network domains encode application information and user information differently, the border node of the receiving network domain cannot accurately identify the APN6 application information contained in the message; it can only discard the message, and cannot ignore the APN6 application information and let the message be forwarded within that network domain.

For example, suppose that the border node of the metropolitan area network connected to a home user's user network is a Broadband Remote Access Server (BRAS). The BRAS can use the user information stored (which can also be understood as configured) on the BRAS to check the APN6 application information contained in a message sent by the user. If the APN6 application information contained in the message is inconsistent with the user information stored on the BRAS (which can also be understood as a verification failure), the BRAS discards the message and does not forward it. If the APN6 application information contained in the message is consistent with the user information stored on the BRAS (which can also be understood as a verification success), the BRAS can forward the message in the metropolitan area network according to the APN6 application information and pass the message on to the backbone network. However, when the message enters the network boundary of the backbone network (which can also be understood as the backbone edge) from the metropolitan area network, the border node of the backbone network usually does not store any service information of the user and therefore cannot effectively control and verify the APN6 application information contained in the message. This may cause the message to be discarded by the border node of the backbone network, or make it difficult to select a suitable network path for the message in the backbone network. In the related art, cross-domain transmission can be achieved by building end-to-end network tunnels. However, the fixed network currently has nearly 300 million users, and the destinations of Internet access are diverse, so hundreds of millions of end-to-end network tunnels would have to be built in the network to meet the cross-domain transmission needs of so many users. Achieving cross-domain transmission by building end-to-end network tunnels is therefore hard to realize.

In the related art, ARN technology has been proposed to avoid the privacy, security, management, capacity and access control problems of APN6 technology. ARN technology generates ARN information applied to the forwarding plane (which can also be understood as application invocation interface information, such as an ARN ID) from path computation parameters of the control plane (such as the service type parameter, which can be expressed in English as Color), thereby opening up network capabilities, that is, allowing applications to invoke network capabilities. Specifically, when an application generates a message, it can include an ARN ID in the message header, so that the application can invoke the network capability corresponding to that ARN ID; this can also be understood as allowing the application's message to be forwarded in the network according to the path selection policy corresponding to the ARN ID. At the same time, when the network receives the message, it can identify the corresponding application according to the ARN ID contained in the message header and forward the message according to the path selection policy matching the ARN ID. For example, when there are multiple network paths and/or multiple slices between the source address and the destination address of the message, the network can select (which can also be understood as determine) one of the paths and/or slices for forwarding according to the ARN ID contained in the message. In other words, the ARN ID can be understood as an intermediate layer between the application and the network. Introducing the ARN ID bridges the application's network requirements and the network's capabilities; the ARN ID simultaneously represents the network capability information that the network opens to the outside, as well as application information and user information. Each ARN ID can be represented by a number, which can be a randomly generated value or a value assigned in a preset order. The structure of the ARN ID can be set according to actual needs, that is, the structure of the ARN ID is not limited; the ARN ID can therefore also be understood as an unstructured number.

In actual application, because the Flow Label field of the IPv6 message header is designed to be flexible and modifiable, the ARN ID can be placed in the Flow Label field; alternatively, the ARN ID can be placed in an extension header of the IPv6 message. For example, when the ARN ID is placed in the Flow Label field of the IPv6 message header, as shown in FIG. 4, the 20 bits of the Flow Label field can be reused to carry the ARN ID, and the highest bit of the Traffic Class (TC) field (specifically, the 7th bit) indicates whether the Flow Label field of the message is reinterpreted as an ARN ID. For example, when the highest bit of the TC field is set to 1, it indicates that the Flow Label field is reinterpreted as an ARN ID; when the highest bit of the TC field is set to 0, it indicates that the Flow Label field is not reinterpreted as an ARN ID. Of course, the opposite convention is also possible: the highest bit of the TC field set to 0 indicates that the Flow Label field is reinterpreted as an ARN ID, and the highest bit set to 1 indicates that it is not. Here, in the related art, the highest bit of the TC field can be set to represent Explicit Congestion Notification (ECN); in a wide area network, since ECN is not enabled, the above scheme of using the highest bit of the TC field to indicate whether the Flow Label field of the message is reinterpreted as an ARN ID does not conflict with the related-art scheme of using the highest bit of the TC field to represent ECN.

In actual application, using ARN technology for network transmission offers the following advantages:

1) Ensuring network security: network service providers can use different ARN IDs to represent the different network capabilities they open to the outside, so as to provide users with differentiated network services (such as low-latency, high-bandwidth tunnels and/or slices according to application requirements) without directly exposing Segment Identifiers (SIDs) and/or Binding SIDs (BSIDs), thereby effectively ensuring network security;

2) Protecting user privacy: since the ARN ID does not explicitly carry application information or user information, when the network receives a message containing an ARN ID it cannot directly learn the application information and user information from that ARN ID. ARN technology can therefore avoid leaking user privacy;

3) Flexible control and management of ARN IDs: the controller can configure ARN IDs separately for each network domain. When a message enters a network domain, it can carry the ARN ID that corresponds to it in that network domain, so that the nodes in the network domain can forward the message within the domain according to that domain's ARN ID carried in the message. In other words, the ARN IDs of each network domain can be flexibly configured and managed according to actual needs; at the same time, the ARN ID contained in the message can change from one network domain to the next, so as to invoke the network capabilities of the corresponding network domain. For example, in the case of cross-domain transmission, assume that a message is transmitted from network domain A to network domain B. The border node in network domain A that is connected to network domain B can replace the ARN ID corresponding to network domain A in the message with the ARN ID corresponding to network domain B and send (which can also be understood as transmit or deliver) the message to network domain B, so that after receiving the message the nodes in network domain B can forward it within network domain B according to the ARN ID corresponding to network domain B. Alternatively, network domain A sends the message directly to network domain B, and the border node in network domain B that is connected to network domain A, after receiving the message, replaces the ARN ID corresponding to network domain A in the message with the ARN ID corresponding to network domain B and performs the subsequent forwarding within network domain B according to the replaced ARN ID. The above forwarding processing can also be called forwarding-related processing associated with ARN.

However, in scenarios where ARN technology is applied, if messages are forwarded between two network domains with different trustworthiness, how the border node of a network domain should set the ARN information (such as the ARN ID) in the message and how it should perform the forwarding-related processing are problems that urgently need to be solved.

Based on this, in the various embodiments of the present application, first information is set in a first node at the boundary of a first network (which can also be understood as a border node), so that when the first node receives a first message it can determine from the first information whether to perform ARN-associated forwarding-related processing on the first message. In this way, when the first node receives the first message from a network domain whose trustworthiness differs from that of the first network, or when the first node forwards the first message to a network domain whose trustworthiness differs from that of the first network, messages carrying an ARN identifier can be forwarded between network domains of different trustworthiness by setting whether the interface of the first node involved in forwarding the first message may use ARN.

An embodiment of the present application provides a message processing method applied to a first node, where the first node includes a border node of a first network. As shown in FIG. 5, the method includes:

Step 501: receive a first message, where the first message contains a first ARN identifier;

Step 502: when the first information indicates that a first interface of the first node may use ARN, perform ARN-associated forwarding-related processing on the first message at the first interface; or, when the first information indicates that ARN is disabled on the first interface of the first node, perform forwarding-related processing that is not associated with ARN on the first message at the first interface.

Here, in actual application, the first network may specifically include one of a user network, a metropolitan area network, a backbone network, and the like; the embodiments of the present application do not limit the specific implementation of the first network. The user network can also be understood as the network that connects a user gateway device (such as Customer Premise Equipment (CPE)) with a terminal; the terminal may be called a UE, a terminal device, a device, a user, and so on, which the embodiments of the present application do not limit.

The first node includes a border node of the first network, which may specifically include one of a CPE, a Provider Edge (PE) device (such as a Virtual Private Network (VPN) edge router), a BRAS, a Broadband Network Gateway (BNG), and the like. The first node may be connected to a second network; that is, the first network and the second network may be connected through the first node. The second network may specifically include one of a user network, a metropolitan area network, a backbone network, and the like; the embodiments of the present application do not limit the specific implementation of the second network. The trustworthiness of the first network and of the second network may differ; specifically, the trustworthiness of the first network may be higher than, equal to, or lower than that of the second network.

The first message may specifically include an IPv6 message, and the first ARN identifier contained in the first message may specifically include an ARN ID. The first ARN identifier may be placed in a first field of the first message; that is, the first field of the first message carries the first ARN identifier. Specifically, the first field may include the Flow Label field of the message header of the first message.

The first interface includes the interface connecting the first node to the second network, and may specifically include an Internet Protocol (IP) interface. When the first node needs to send the first message to the second network, the message can be forwarded to the second network through the first interface; in this case the first interface can also be understood as an outbound interface or egress interface. When the first node receives the first message from the second network, it can receive the first message through the first interface; in this case the first interface can also be understood as an inbound interface or ingress interface.

In actual application, in step 501, the first node may receive the first message from another node in the first network and need to forward it to the second network through the first interface; or, the first node may receive the first message from the second network through the first interface and need to forward it within the first network.

After receiving the first message, the first node needs to determine how to forward it, which can also be understood as determining the service type of the forwarding service for the first message. The service type of the forwarding service can be determined by one or more (which can also be understood as at least one) of a network path, a path selection policy (which can also be understood as a routing policy, and may specifically include a segment routing policy (SR Policy) and the like), a network tunnel and/or a network slice.

Specifically, the first node can determine how to forward the first message according to the first information associated with the first interface. In actual application, the first information may be named trust_arn, or given another name as needed. Because the first information is associated with the first interface, it can also be understood as interface-level attribute information. The first information indicates whether the first interface may use ARN, and whether the first interface may use ARN is tied to the trustworthiness of the second network associated with the first interface. Specifically, when the second network is a trusted domain (which can also be understood as the trustworthiness of the second network being greater than or equal to a trustworthiness threshold), the first interface may use ARN, and the first node can forward the first message in an ARN-associated manner. When the second network is an untrusted domain (which can also be understood as the trustworthiness of the second network being less than the trustworthiness threshold), the first interface is prohibited from using ARN, and the first node can forward the first message in a manner not associated with ARN.

Based on this, the value of the first information can be determined by whether the second network is a trusted domain. For example, assuming that the first information takes the value true or false: when the second network is a trusted domain, the first information is true, indicating that the first interface may use ARN; when the second network is an untrusted domain, the first information is false, indicating that ARN is disabled on the first interface of the first node. Of course, the opposite convention is also possible: when the second network is a trusted domain, the first information is false, indicating that the first interface of the first node may use ARN; when the second network is an untrusted domain, the first information is true, indicating that ARN is disabled on the first interface of the first node.

In actual application, after the value of the first information has been determined according to whether the second network is a trusted domain, that value can be configured (which can also be understood as set) in the first node. The specific way of configuring the value of the first information in the first node can be chosen according to actual needs, for example manually (such as by typing a command line) or through a control device; the embodiments of the present application do not limit this. Here, the control device may also be called a controller or network controller, and is at least used to generate ARN identifiers and to configure ARN identifiers for the nodes in the network.

Once the value of the first information has been configured, after the first node receives a message containing an ARN identifier, in step 502 the first node can determine how to perform forwarding-related processing on the message according to the configured value of the first information.

Specifically, when the first information indicates that ARN is disabled on the first interface of the first node, the first node performs forwarding-related processing on the message that is not associated with ARN, which may take either of the following two forms:

In the first form, the first node directly discards the first message. Based on this, in one embodiment, performing forwarding-related processing on the first message that is not associated with ARN includes:

The first node discards the first message.

In the second form, the first node treats the first message as a message that does not contain an ARN identifier, and performs forwarding-related processing on the first message in the way messages without an ARN identifier are forwarded (which can also be understood as the default forwarding mode).

更具体地,在一实施例中,所述对所述第一报文进行不与ARN关联的转发相关处理,包括:More specifically, in one embodiment, the performing forwarding-related processing on the first message that is not associated with the ARN includes:

当所述第一接口为入向接口时,将所述第一报文中携带所述第一ARN标识的第一字段设置为第五信息,得到处理后的第一报文,并在所述第一网络内按第四方式转发所述处理后的第一报文,所述第四方式不与ARN关联,所述第五信息表征所述第一报文禁用ARN;其中,所述第五信息的取值具体可以包括0或者无效值,所述第五信息的具体取值可以根据实际需要进行设置,本申请实施例对此不作限定。When the first interface is an inbound interface, the first field carrying the first ARN identifier in the first message is set to the fifth information to obtain a processed first message, and the processed first message is forwarded in the first network in a fourth manner, where the fourth manner is not associated with the ARN, and the fifth information indicates that the first message disables the ARN; wherein the value of the fifth information may specifically include 0 or an invalid value, and the specific value of the fifth information may be set according to actual needs, and the embodiment of the present application is not limited to this.

这里,如果所述第一字段设置为第五信息,所述第一节点按照默认的转发方式(即所述第四方式)在所述第一网络中转发所述第一报文,也可以理解为为所述第一报文提供默认的网络服务;Here, if the first field is set to the fifth information, the first node forwards the first message in the first network according to the default forwarding mode (that is, the fourth mode), which can also be understood as providing a default network service for the first message;

当所述第一接口为出向接口时,将所述第一报文中携带所述第一ARN标识的第一字段设置为第五信息,得到处理后的第一报文,并将所述处理后的第一报文转发至第二网络,所述第五信息表征所述第一报文禁用ARN;When the first interface is an outgoing interface, the first field carrying the first ARN identifier in the first message is set to fifth information to obtain a processed first message, and the processed first message is forwarded to the second network, and the fifth information indicates that the first message disables ARN;

这里,如果所述第一字段设置为第五信息,所述第一节点不进行任何处理,直接将所述第一报文转发至第二网络。Here, if the first field is set to the fifth information, the first node does not perform any processing and directly forwards the first message to the second network.

As the above description shows, when the first information indicates that ARN is disabled on the first interface of the first node, that is, when the first network is a non-trusted domain, the first node can, when the second network associated with the first interface is a non-trusted domain, discard the first message or change the first ARN identifier it contains to an invalid value. This prevents the first ARN identifier from leaking to the non-trusted domain and protects network security.

Correspondingly, when the first information indicates that ARN may be used on the first interface of the first node, the first node performs forwarding-related processing associated with ARN on the message. In addition, to avoid the network security problems caused by counterfeit ARN identifiers, before step 502 the first node may also verify the ARN identifier contained in the first message and the source of the first message, and decide according to the verification result whether to perform forwarding-related processing associated with ARN.

Accordingly, in one embodiment, the first message further contains second information, which indicates the source of the first message; when the first information indicates that ARN may be used on the first interface of the first node, the second information and the first ARN identifier are verified; if verification succeeds, forwarding-related processing associated with ARN is performed on the first message at the first interface; correspondingly, if verification fails, forwarding-related processing not associated with ARN is performed on the first message at the first interface.

In one embodiment, the second information may include one or more (that is, at least one) of the following:

user information of the first message;

source address information of the first message;

port information of the first message.

Here, in practice, when the first message comes from a user network, the second information may include the user information of the first message; that is, the second information can indicate which user the first message originates from. In this case the user information may include a user identifier, access link information of the first message, and so on. When the user information includes the access link information of the first message, the first node can determine from it which access link the first message arrived on, and then determine from the correspondence between that access link and users which user the first message originates from; the first node may know the correspondence between access links and users in advance. When the first message comes from a metropolitan area network or a backbone network, the second information may include the source address information of the first message (such as source IP address information) and/or the port information of the first message (such as source port information).

In practice, the first node can obtain the correspondence between the source information of one or more messages and ARN identifiers, and match the second information and the first ARN identifier contained in the first message against that correspondence. If a matching entry exists, verification succeeds; if no matching entry exists, verification fails.

Accordingly, in one embodiment, verifying the second information and the first ARN identifier includes:

verifying the second information and the first ARN identifier using third information, where the third information represents the correspondence between the source information of one or more messages and ARN identifiers.

The third information may be presented as a mapping table, in which case it may also be called a verification table. The third information is associated with the first interface; that is, when the first node is connected to multiple networks through multiple interfaces, each interface has its own third information, which is used to verify the second information and the ARN identifier contained in messages associated with that interface.

In one embodiment, the first node may obtain the third information in one of the following ways: the first node receives the third information sent by the control device; the third information is configured manually at the first node; the first node performs route learning using the routing protocols corresponding to all received messages that contain an ARN identifier, and thereby determines the third information (that is, the third information is determined through route learning); or the access control list (ACL, Access Control List) corresponding to the first node is used as the third information. The routing protocol may be the Border Gateway Protocol (BGP) or an Interior Gateway Protocol (IGP), and the IGP may in turn be the Open Shortest Path First (OSPF) protocol or the Intermediate System to Intermediate System (ISIS) protocol; the routing protocol may be configured by any node that transmits the first message before the first node.

In practice, if verification fails, in step 502 the first node can perform forwarding-related processing not associated with ARN on the first message; how that processing is carried out has been described in detail above and is not repeated here. If verification succeeds, in step 502 the first node can perform forwarding-related processing associated with ARN on the first message. That processing depends on whether the first interface is an inbound or an outbound interface and on whether the first node needs to reset the ARN identifier contained in the first message (that is, perform ARN ID mapping), which gives the following four cases:

In the first case, the first interface is an outbound interface and the first node needs to reset the ARN identifier contained in the first message. After receiving the first message, the first node can map (that is, reset or replace) the first ARN identifier contained in the first message, which is associated with the first network, to an ARN identifier associated with the second network, and forward the mapped first message to the second network, so that the second network can forward the first message within the second network according to the mapped ARN identifier (that is, provide the first message, within the second network, with the network service corresponding to the mapped ARN identifier).

Accordingly, in one embodiment, performing forwarding-related processing associated with ARN on the first message includes:

setting the first field of the first message, which carries the first ARN identifier, to a second ARN identifier to obtain a processed first message, where the second ARN identifier is associated with the second network, and forwarding the processed first message to the second network;

The first node can obtain the correspondence between one or more first ARN identifiers and second ARN identifiers, so that it can use this correspondence and the first ARN identifier contained in the first message to determine the second ARN identifier corresponding to the first message, and then set the first field to the determined second ARN identifier.

Accordingly, in one embodiment, fourth information is used to set the first field of the first message, which carries the first ARN identifier, to the second ARN identifier, or to set the first field of the first message, which carries the first ARN identifier, to the third ARN identifier, where the fourth information represents the correspondence between one or more ARN identifiers associated with the first network and ARN identifiers associated with the second network.

In one embodiment, the first node may obtain the fourth information in one of the following ways: the first node receives the fourth information sent by the control device; the fourth information is configured manually at the first node; or the first node performs route learning using the routing protocols corresponding to all received messages that contain an ARN identifier, and thereby determines the fourth information (that is, the fourth information is determined through route learning).

In the second case, the first interface is an outbound interface and the first node does not need to reset the ARN identifier contained in the first message. The first node can forward the received first message directly to the second network. After receiving the first message, the border node of the second network can map the first ARN identifier contained in the first message, which is associated with the first network, to an ARN identifier associated with the second network, so that the border node of the second network can forward the first message within the second network according to the mapped ARN identifier.

Accordingly, in one embodiment, performing forwarding-related processing associated with ARN on the first message includes:

forwarding the first message to the second network, where messages can be forwarded in the second network in a second manner, the second manner being associated with a second ARN identifier corresponding to the first message;

In the third case, the first interface is an inbound interface and the first node needs to reset the ARN identifier contained in the first message. After receiving the first message from the second network, the first node can map the first ARN identifier contained in the first message, which is associated with the second network, to an ARN identifier associated with the first network, and forward the first message within the first network according to the mapped ARN identifier.

Accordingly, in one embodiment, performing forwarding-related processing associated with ARN on the first message includes:

setting the first field of the first message, which carries the first ARN identifier, to a third ARN identifier to obtain a processed first message, where the third ARN identifier is associated with the first network, and forwarding the processed first message within the first network in a first manner, where the first manner is associated with the third ARN identifier;

In the fourth case, the first interface is an inbound interface and the first node does not need to reset the ARN identifier contained in the first message. After receiving the first message from the second network, the first node can forward the first message within the first network directly according to the first ARN identifier contained in the first message, which is associated with the first network. In this case, before the border node of the second network sends the first message to the first node, it has already mapped the ARN identifier associated with the second network contained in the first message to the first ARN identifier associated with the first network.

Accordingly, in one embodiment, performing forwarding-related processing associated with ARN on the first message includes:

forwarding the first message within the first network in a third manner, where the third manner is associated with the first ARN identifier.

As the above description shows, the first node can use the third information to verify the source of the first message and the first ARN identifier, and perform forwarding-related processing on the first message according to the verification result.

In practice, the third information and the fourth information can be merged, and the merged information provides the functions of both. Accordingly, when both the third information and the fourth information are configured for the first node, the first node can store only the merged information and use it to provide the functions of the third information and the fourth information; because the merged information occupies less storage space, storage resources are saved. In addition, if the first node is configured with both an ACL and the third information, the first node can give priority to the ACL when verifying the source of the first message and the first ARN identifier; that is, ACL verification has the highest priority. For example, when the result of ACL verification is inconsistent with the result of verification using the third information, the ACL result prevails.
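The border-node decision described above (first information, verification against the third information with ACL priority, and ARN identifier mapping with the fourth information), as an added Python example that is not part of the patent. Carrying the ARN ID in the IPv6 Flow Label, the `Interface` fields, prefix-based source matching, the implicit-deny ACL and all addresses and IDs are assumptions made for illustration; the example models the decision and the header rewrite, not the forwarding itself.

```python
import ipaddress
import struct
from dataclasses import dataclass, field

ARN_DISABLED = 0            # "fifth information": 0 marks ARN as disabled
FLOW_LABEL_MASK = 0xFFFFF   # 20-bit IPv6 Flow Label, assumed to carry the ARN ID


def ipv6_header(src, dst, arn_id):
    """Build a 40-byte IPv6 header (no payload) for the constructed samples."""
    first_word = (6 << 28) | (arn_id & FLOW_LABEL_MASK)
    return (struct.pack("!IHBB", first_word, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def get_arn(pkt):
    return struct.unpack("!I", pkt[:4])[0] & FLOW_LABEL_MASK


def set_arn(pkt, arn_id):
    """Rewrite only the Flow Label bits; version and traffic class are kept."""
    first_word = struct.unpack("!I", pkt[:4])[0]
    first_word = (first_word & ~FLOW_LABEL_MASK & 0xFFFFFFFF) | (arn_id & FLOW_LABEL_MASK)
    return struct.pack("!I", first_word) + pkt[4:]


@dataclass
class Interface:
    trust_arn: bool                                   # first information
    on_disabled: str = "scrub"                        # "drop" or "scrub"
    check_table: list = field(default_factory=list)   # third info: (prefix, ARN ID)
    acl: list = field(default_factory=list)           # (prefix, ARN ID, permit)
    arn_map: dict = field(default_factory=dict)       # fourth info: ARN ID -> ARN ID


def verify(iface, src, arn_id):
    """Check that this source may use this ARN ID on this interface."""
    if iface.acl:
        # Assumption: a configured ACL is authoritative (its result prevails
        # over the check table); first match decides, no match means deny.
        for prefix, acl_arn, permit in iface.acl:
            if src in prefix and acl_arn == arn_id:
                return permit
        return False
    return any(src in prefix and table_arn == arn_id
               for prefix, table_arn in iface.check_table)


def process(iface, pkt):
    """Return (action, packet); action is 'drop', 'default' or 'arn'."""
    arn_id = get_arn(pkt)
    if arn_id == ARN_DISABLED:
        return "default", pkt                  # carries no ARN ID: default forwarding
    src = ipaddress.IPv6Address(pkt[8:24])
    if not iface.trust_arn or not verify(iface, src, arn_id):
        if iface.on_disabled == "drop":
            return "drop", None
        return "default", set_arn(pkt, ARN_DISABLED)   # scrub the ARN ID
    # Trusted and verified: remap only if this node does the ARN ID mapping.
    return "arn", set_arn(pkt, iface.arn_map.get(arn_id, arn_id))


def net(prefix):
    return ipaddress.IPv6Network(prefix)


if __name__ == "__main__":
    # Constructed sample: prefix 2001:db8:a::/48 may use ARN ID 0x123, which
    # this border node maps to 0x456 for the neighbouring domain.
    trusted = Interface(True, check_table=[(net("2001:db8:a::/48"), 0x123)],
                        arn_map={0x123: 0x456})
    untrusted = Interface(False)
    good = ipv6_header("2001:db8:a::1", "2001:db8:ffff::1", 0x123)
    spoof = ipv6_header("2001:db8:b::1", "2001:db8:ffff::1", 0x123)
    for label, iface, pkt in [("verified", trusted, good),
                              ("spoofed", trusted, spoof),
                              ("untrusted", untrusted, good)]:
        action, out = process(iface, pkt)
        print(label, action, hex(get_arn(out)) if out else None)
```
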

In the message processing method provided by the embodiments of the present application, a first node receives a first message, where the first message contains a first ARN identifier and the first node includes a border node of a first network; when first information indicates that ARN may be used on a first interface of the first node, forwarding-related processing associated with ARN is performed on the first message at the first interface, or, when the first information indicates that ARN is disabled on the first interface of the first node, forwarding-related processing not associated with ARN is performed on the first message at the first interface. In this scheme, the first information is set in the first node at the boundary of the first network (that is, the network domain boundary of the first network), so that when the first node receives a first message transmitted across network domains (for example entering or leaving the first network), it can decide according to the first information whether to perform forwarding-related processing associated with ARN on the first message. In this way, when the first node receives the first message from a network whose trustworthiness differs from that of the first network, or forwards the first message to such a network, whether ARN may be used on the interface of the first node involved in forwarding the first message determines how messages carrying ARN identifiers are forwarded between network domains with different trustworthiness.

The present application is described in further detail below with reference to application examples.

This application example provides a network architecture that applies ARN technology. As shown in Figure 6, the network architecture includes a controller (that is, the control device described above), a user network, a metropolitan area network and a backbone network. The user network is connected to the metropolitan area network, and the metropolitan area network is connected to the backbone network. For example, the CPE of the user network is connected to the BRAS of the metropolitan area network, and the metropolitan area border node (also called the metropolitan area border device) of the metropolitan area network is connected to the PE of the backbone network. The user network, the metropolitan area network and the backbone network can also be understood as different network domains, and the trustworthiness of different network domains may differ.

In practice, the ARN ID (that is, the ARN identifier described above) is mainly used at network border nodes (also understood as network border service access points, such as a PE, BRAS or BNG). When the controller receives order information for a user's subscription to the ARN service (that is, a subscription demand for network services), it can set one or more service types corresponding to the order information. For each service type, the controller can select a route for that service type, according to the SR Policy, in the metropolitan area network connected to the user network of that user; that is, it determines the routing strategy used in the metropolitan area network to forward messages of that service type (a routing strategy is associated with the network path used to forward messages, and the network path may include network slices and/or network tunnels).

After the routing strategy for a service type is determined, if that routing strategy already has a corresponding ARN ID, the controller can directly determine the correspondence between the service type and the ARN ID (which can be expressed as a two-tuple such as <service type, ARN ID>) and the correspondence between the ARN ID and the routing strategy (which can be expressed as a two-tuple such as <ARN ID, routing strategy>). If the routing strategy does not yet have a corresponding ARN ID, the controller can generate an ARN ID for it according to a preset strategy (such as negotiation with an application management server), and then determine the two correspondences. After determining the two correspondences, the controller can send the correspondence between service type and ARN ID to the user device (such as a terminal, server or CPE), so that when the user device generates a message it can determine the ARN ID for the message from the message's service type and the correspondence, and carry that ARN ID in the message. At the same time, the controller can send the correspondence between ARN ID and routing strategy to the border node (such as a BRAS) of the metropolitan area network that is connected to the user's user network, so that when the user's message enters the metropolitan area network, the BRAS can determine the routing strategy for forwarding the message from the ARN ID contained in the message and the correspondence (that is, determine the network forwarding service provided for the message). The process in which the controller sends the correspondence to the border node can also be understood as network-side configuration.

For example, if the controller sends the correspondence between service type and ARN ID to the terminal and/or server, an application on the terminal and/or server can, when generating its messages, carry in each message the ARN ID corresponding to the service type the application requires. In that case, when the CPE of the user network receives a message from the terminal and/or server, the message already carries an ARN ID and can be forwarded directly to the metropolitan area network. If the controller sends the correspondence between service type and ARN ID to the CPE instead, messages generated by the terminal and/or server need not carry an ARN ID. After receiving a message from the terminal and/or server, the CPE can classify the message using an ACL or similar means (that is, perform flow allocation) to determine the service type the message requires, carry in the message the ARN ID corresponding to that service type according to the correspondence, and then forward the message to the metropolitan area network.

Based on the above network architecture, this application example provides an access control method for ARN IDs which, as shown in Figure 7, includes the following steps:

Step 701: a network edge device (that is, the first node described above) receives a message (that is, the first message described above) containing an ARN ID (that is, the first ARN identifier described above);

In practice, the network edge device may be one of the CPE of the user network, the metropolitan area edge device of the metropolitan area network, the BRAS of the metropolitan area network, the PE of the backbone network, and so on.

Step 702: the network edge device performs forwarding processing on the message according to the ARN trust attribute (trust_arn) of the interface (that is, the first interface described above, which may be an IP interface) connected to the neighboring network (that is, the second network described above); the forwarding processing includes:

When the value of trust_arn is false, the ARN service is disabled when the message is forwarded;

When the value of trust_arn is true, step 703 is executed;

Here, the neighboring network is a network adjacent to the network to which the network edge device belongs. For example, as shown in Figure 6, the neighboring networks of the metropolitan area network are the user network and the backbone network. When the network edge device needs to forward a received message to the neighboring network, the interface may also be called an outbound interface; when the network edge device receives the message from the neighboring network and needs to forward it within its own network, the interface may also be called an inbound interface.

In practice, trust_arn is an interface-level attribute. It can be set in the network edge device in advance, either manually or by the controller, according to the trust relationship between the network to which the network edge device belongs and the neighboring network (that is, whether the neighboring network is a trusted domain relative to the network to which the network edge device belongs). The value of trust_arn can be set to true or false.

In practice, disabling the ARN service means that the network edge device handles the message as a message that does not carry an ARN ID, for example by discarding it or by forwarding it according to the default routing strategy. Specifically, when the value of trust_arn is false, after the network edge device receives a message containing an ARN ID (that is, a message carrying ARN information), it can set the field of the message that carries the ARN ID (such as the Flow Label field) to 0 (that is, overwrite it with 0) or to an invalid value, as needed. The network edge device can then forward a message whose ARN ID is 0 or an invalid value in the same way as a message that contains no ARN ID.

步骤703:网络边界设备对报文包含的用户信息和ARN ID进行合法性校验;Step 703: The network edge device performs a validity check on the user information and ARN ID contained in the message;

如果校验成功,执行步骤704;If the verification is successful, execute step 704;

如果校验失败,禁用ARN服务;If the verification fails, disable the ARN service;

这里,当所述接口为出向接口时,所述合法性校验也可以称为ARN出方向校验或者出向校验;当所述接口为入向接口时,所述合法性校验也可以称为ARN入方向校验或者入向校验。Here, when the interface is an outbound interface, the legality check may also be referred to as an ARN outbound check or an outbound check; when the interface is an inbound interface, the legality check may also be referred to as an ARN inbound check or an inbound check.

In practice, to prevent a third party (such as a user who has not subscribed to the ARN service) from forging an ARN ID in the messages it sends, the network edge device can obtain a check table (the third information mentioned above) used to verify the user's identity. When the network edge device receives a user's message, it can use the check table to verify the ARN ID contained in the message against the user information corresponding to the message, thereby preventing forgery. The check table can be used for the outbound check and/or the inbound check. A check table used for the outbound check may also be called an outbound check table; a check table used for the inbound check may also be called an inbound check table.

In practice, the network edge device can obtain the check table through one of manual configuration, issuance by a controller, route learning, and the like. For example, when the network edge device obtains the check table from a controller, the implementation may include the following: the controller determines the user's source address information (such as the source IP) and/or link information from the user's subscription information, and uses the source address information and/or link information as the user information (that is, the user's identification information, the source information mentioned above). For each user, the controller can thus determine the correspondence between that user's user information and the ARN IDs corresponding to the service types the user has subscribed to, in other words which ARN IDs the user's messages may contain (this can be expressed as a two-tuple, such as <user information, ARN ID>). The controller can then build the check table from the correspondences between user information and ARN IDs for all users, and issue the check table to the network edge device.

For example, suppose the network edge device is an edge device of a user network (such as a CPE) or an edge device of a neighboring network connected to the user network (such as a BRAS or BNG). The network edge device can determine the user information from the received message, for example from the access link information corresponding to the message, and can also determine the ARN ID contained in the message. In this case the network edge device may also be called a user gateway device. Alternatively, suppose the network edge device is an edge device connecting a metropolitan area network and a backbone network (such as a metropolitan area edge device or a PE). The network edge device can determine the user information from the source IP information or port information contained in the message, and determine the ARN ID contained in the message. In this case the network edge device may also be called a network gateway device. Once the user information and ARN ID have been determined, the network edge device can perform the validity check on the message using the determined user information, the ARN ID, and the check table issued by the controller.

In practice, during the inbound check, the ARN ID contained in a message received by the network edge device may be associated with the neighboring network. The network edge device then needs to map the ARN ID contained in the message (that is, replace, rewrite, or update it) so that the mapped ARN ID is associated with the network to which the network edge device belongs. Only then can the network edge device forward the message within its own network according to the ARN ID contained in the message. Correspondingly, during the outbound check, the ARN ID contained in a message received by the network edge device is associated with the network to which the network edge device belongs. The network edge device can map that ARN ID so that the mapped ARN ID is associated with the neighboring network. After the network edge device forwards the message to the neighboring network, the neighboring network can then forward the message internally directly according to the ARN ID contained in the message.

In practice, because the controller allocates ARN IDs separately for the network to which the network edge device belongs and for the neighboring network, the network edge device can obtain the correspondence between the ARN IDs of its own network and the ARN IDs of the neighboring network (that is, a mapping relationship, the fourth information mentioned above) in order to map the ARN ID contained in a message. The correspondence can be presented as a mapping table, which can be used for the outbound check and/or the inbound check. A mapping table used for the outbound check may also be called an outbound mapping table; a mapping table used for the inbound check may also be called an inbound mapping table.

In practice, the network edge device can obtain the mapping table through one of manual configuration, issuance by a controller, route learning, and the like. For example, suppose the neighboring network is a backbone network and the network to which the network edge device belongs is a metropolitan area network. When the network edge device obtains the mapping table from a controller, the implementation may include the following: the controller determines the correspondence between the ARN IDs it has allocated to the metropolitan area network and the ARN IDs it has allocated to the backbone network, based on the correspondence between routing policies in the metropolitan area network and routing policies in the backbone network (that is, for messages forwarded under each routing policy in the metropolitan area network, which routing policy in the backbone network should provide the forwarding service). The controller can then build the mapping table from the correspondences of all ARN IDs and issue the mapping table to the edge device. This allows flexible access control over the ARN ID contained in a message as the message is forwarded between different networks.

In practice, the check table and the mapping table obtained by the network edge device can be merged into a single table (when the controller issues both tables, the merge can be done in the controller). The network edge device can then perform the validity check on the message using the determined user information, the ARN ID, and the merged table, and map the ARN ID contained in the message to the ARN ID associated with the network to which the network edge device belongs (that is, the destination ARN ID). The merged table can be expressed as a triple, such as <user information, ARN ID, destination ARN ID>, where the ARN ID is associated with the network to which the network edge device belongs and the destination ARN ID is associated with the neighboring network.

For example, the inbound check table and inbound mapping table obtained by the network edge device can be merged, and the outbound check table and outbound mapping table can also be merged. As shown in Figure 6, for the user-facing interface of the CPE (that is, the interface facing terminals and/or servers), the inbound check table can be expressed as <user information, ARN ID> and the outbound check table as <source IP, ARN ID>. For the other interfaces of the CPE and of other network edge devices (including BRAS, PE, metropolitan area network edge devices, and so on), both the inbound and outbound check tables can be expressed as <source IP, ARN ID>. For the user-facing interface of the CPE, the inbound mapping table can be expressed as <user, ARN ID, destination ARN ID> and the outbound mapping table as <source IP, ARN ID, destination ARN ID>. For the other interfaces of the CPE and of other network edge devices, both the inbound and outbound mapping tables can be expressed as <source IP, ARN ID, destination ARN ID>.

In practice, when the ACL, the check table, and the mapping table all contain the same ARN ID (that is, information about one ARN ID exists in the ACL, the check table, and the mapping table at the same time), the network edge device gives priority to the ACL when checking the validity of that ARN ID. When the ACL contains no information about the ARN ID, the network edge device can use the check table. When neither the ACL nor the check table contains information about the ARN ID, the network edge device can use the mapping table. In other words, the network edge device can check the validity of the ARN ID in the priority order ACL > check table > mapping table.

Step 704: The network edge device performs forwarding processing associated with the ARN, where the forwarding processing associated with the ARN includes one of the following:

If the interface is an inbound interface, the network edge device determines the routing policy from the ARN ID contained in the message and the correspondence, issued by the controller, between ARN IDs and routing policies, and forwards the message according to the determined routing policy; or, the network edge device uses the ARN ID contained in the message and the mapping table to map that ARN ID to an ARN ID associated with the network to which the network edge device belongs, determines the routing policy from the mapped ARN ID and the correspondence, issued by the controller, between ARN IDs and routing policies, and forwards the message according to the determined routing policy. Forwarding the message according to the determined routing policy includes mapping the message to the network tunnel and/or network slice corresponding to the routing policy;

If the interface is an outbound interface, the network edge device uses the ARN ID contained in the message and the mapping table to map that ARN ID to an ARN ID associated with the neighboring network, and forwards the message to the neighboring network; or, the network edge device forwards the message directly to the neighboring network.

In practice, when the network edge device forwards the message directly to the neighboring network, the edge device of the neighboring network can use the ARN ID contained in the message and the mapping table to map that ARN ID to an ARN ID associated with the neighboring network, so that the edge device of the neighboring network can forward the message within the neighboring network according to the ARN ID associated with the neighboring network.

The solution provided by this application example deploys an IP interface-level attribute, trust_arn, on the network edge device to mark the neighboring network connected to the network edge device as a trusted domain or an untrusted domain, so that the network edge device can forward messages containing an ARN ID according to the value of trust_arn. In other words, even when the network edge device is connected to an untrusted domain, it can still forward messages appropriately, which establishes a basic security framework for invoking the network capabilities of a trusted domain from an untrusted domain.

When trust_arn of the IP interface is false, the network edge device can disable the ARN service as a whole. In this case, if a message entering or leaving the interface carries ARN information, the network edge device can erase the ARN ID to 0 or set it to some invalid value, and process the message as one that does not carry ARN information;

When trust_arn of the IP interface is true, if the ARN ID of a message received by the network edge device is invalid (for example, the ARN ID is 0 or an invalid value), the network edge device processes the message as one that does not carry ARN information (that is, it disables the ARN service);

When trust_arn of the IP interface is true, the network edge device is a user gateway device, and the IP interface is an inbound interface, the user gateway device can use the user information and ARN ID contained in the message to match (that is, look up) the two-tuple <user, ARN ID> in the check table and/or mapping table. If a match exists, the user gateway device can map the message to a network tunnel and/or network slice and forward it, or it can first map the ARN ID contained in the message to the destination ARN ID and then map the message to a network tunnel and/or network slice and forward it. If no match exists, the user gateway device can erase the ARN ID contained in the message to 0 or set it to some invalid value, and process the message as one that does not carry ARN information;

When trust_arn of the IP interface is true, the network edge device is a network gateway device, and the IP interface is an inbound interface, then if the ARN ID of the message is valid, the network gateway device matches the two-tuple <user information (such as user or source IP), ARN ID> in the check table and/or mapping table. If a match exists, the network gateway device can directly map the message to a network tunnel and/or network slice and forward it, or it can first map the ARN ID contained in the message to the destination ARN ID and then map the message to a network tunnel and/or network slice and forward it. If no match exists, the network gateway device erases the ARN ID contained in the message to 0 or sets it to some invalid value, or retains the ARN ID (that is, leaves the ARN ID in the message unchanged), and then maps the message to a network tunnel and/or network slice and forwards it.

When trust_arn of the IP interface is true and the IP interface is an outbound interface, then if the ARN ID of the message is valid, the network edge device matches the two-tuple <user information (such as user or source IP), ARN ID> in the check table and/or mapping table. If a match exists, the network edge device can forward the message directly to the neighboring network, or it can first map the ARN ID contained in the message to the destination ARN ID and then forward the message to the neighboring network. If no match exists, the network edge device can erase the ARN ID contained in the message to 0 or set it to some invalid value, or retain the ARN ID (that is, leave the ARN ID in the message unchanged), and then forward the message to the neighboring network.
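The per-interface decision procedure described in the cases above can be modeled as follows. This is an added illustration, not code from the patent: the class and function names, the policy strings, and the sample table entries are all hypothetical. It implements the branch in which an unmatched ARN ID is erased to 0 (the text also allows a network gateway to retain it) and omits the ACL step.

```python
from dataclasses import dataclass, field
from typing import Dict, NamedTuple, Set, Tuple

ARN_DISABLED = 0                    # the text erases the ARN ID field to 0
DEFAULT_POLICY = "default-routing"  # hypothetical name for default forwarding


@dataclass
class Packet:
    source: str  # user information: access link or source IP
    arn_id: int  # value of the field carrying the ARN ID (e.g. Flow Label)


@dataclass
class EdgeInterface:
    trust_arn: bool
    direction: str  # "in" or "out"
    # check table: two-tuples <user information, ARN ID>
    check_table: Set[Tuple[str, int]] = field(default_factory=set)
    # merged mapping table: <user information, ARN ID> -> destination ARN ID
    mapping_table: Dict[Tuple[str, int], int] = field(default_factory=dict)
    # ARN ID -> routing policy (tunnel/slice) in the device's own network
    policies: Dict[int, str] = field(default_factory=dict)


class Verdict(NamedTuple):
    arn_id: int   # ARN ID carried by the message after processing
    action: str   # routing policy used, or hand-off to the neighbor
    reason: str


def _disable(reason: str) -> Verdict:
    # "Disable the ARN service": scrub the ID, forward as a non-ARN message.
    return Verdict(ARN_DISABLED, DEFAULT_POLICY, reason)


def process(iface: EdgeInterface, pkt: Packet) -> Verdict:
    # Untrusted neighbor: ignore any ARN ID, whatever it claims.
    if not iface.trust_arn:
        return _disable("interface untrusted")
    # Trusted neighbor, but the message carries no valid ARN ID.
    if pkt.arn_id == ARN_DISABLED:
        return _disable("no valid ARN ID")
    # Validity check: is this source entitled to use this ARN ID?
    key = (pkt.source, pkt.arn_id)
    if key not in iface.check_table and key not in iface.mapping_table:
        return _disable("source not entitled to ARN ID")
    # Optional rewrite to the ARN ID of the network the message enters.
    arn = iface.mapping_table.get(key, pkt.arn_id)
    if iface.direction == "out":
        return Verdict(arn, "forward-to-neighbor", "validated")
    # Inbound: select the tunnel/slice; unknown IDs get the default policy
    # (an assumption of this sketch).
    return Verdict(arn, iface.policies.get(arn, DEFAULT_POLICY), "validated")


# Constructed sample configuration (all values are made up).
UNTRUSTED_IN = EdgeInterface(trust_arn=False, direction="in")
USER_GW_IN = EdgeInterface(
    trust_arn=True,
    direction="in",
    check_table={("link-7", 0x100)},
    mapping_table={("link-7", 0x100): 0x2001},
    policies={0x2001: "slice-low-latency"},
)
PE_OUT = EdgeInterface(
    trust_arn=True,
    direction="out",
    mapping_table={("2001:db8::10", 0x2001): 0x3001},
)

if __name__ == "__main__":
    samples = [
        (UNTRUSTED_IN, Packet("link-7", 0x100)),
        (USER_GW_IN, Packet("link-7", 0x100)),
        (USER_GW_IN, Packet("link-9", 0x100)),  # forged: not subscribed
        (PE_OUT, Packet("2001:db8::10", 0x2001)),
    ]
    for iface, pkt in samples:
        print(pkt, "->", process(iface, pkt))
```

The forged message from `link-9` keeps flowing but loses its ARN ID, which is the anti-spoofing behaviour the check table exists for.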

Thus, the solution provided by this application example has the following advantages:

In terms of application privacy, the ARN ID is a random value that carries no private application information and can be mapped to network slices and/or tunnels, which protects the application. At the same time, ARN can encapsulate private information internal to the network, avoiding the leakage of internal network information that results when users directly use an SRv6 Policy or BSID;

In terms of service functions, trusted and untrusted domains are defined at the interfaces of the network edge device. When access control is applied to ARN IDs and the network connected to an interface is an untrusted domain, the network edge device can ignore ARN entirely (that is, disable the ARN service). When the network connected to an interface is a trusted domain and the ARN ID contained in a message has no match (that is, the network edge device does not recognize the ARN ID contained in the message), the network edge device can keep the message rather than discard it and map it to the default tunnel and/or slice (that is, provide the default network forwarding service for the message);

In terms of device capacity, the network edge device only needs to store ARN-related information (such as ARN IDs, check tables, and mapping tables) for the network to which it belongs and for the neighboring network, and does not need to store information about the global network. The storage footprint is therefore small and the demand on device capacity is low.

To implement the method of the embodiments of the present application, an embodiment of the present application further provides a message processing apparatus, arranged on a first node. As shown in FIG. 8, the apparatus includes:

a receiving unit 801, configured to receive a first message, where the first message contains a first ARN identifier;

a processing unit 802, configured to perform, at the first interface, forwarding-related processing associated with the ARN on the first message when first information indicates that a first interface of the first node may use ARN, or to perform, at the first interface, forwarding-related processing not associated with the ARN on the first message when the first information indicates that ARN is disabled on the first interface of the first node.

In one embodiment, the first message further contains second information, and the second information represents the source of the first message; the processing unit 802 is specifically configured to:

when the first information indicates that the first interface of the first node may use ARN, verify the second information and the first ARN identifier; and after the verification succeeds, perform, at the first interface, forwarding-related processing associated with the ARN on the first message.

In one embodiment, the first message further contains second information, and the second information represents the source of the first message; the processing unit 802 is specifically configured to:

when the first information indicates that the first interface of the first node may use ARN, verify the second information and the first ARN identifier; and after the verification fails, perform, at the first interface, forwarding-related processing not associated with the ARN on the first message.

In one embodiment, the processing unit 802 is specifically configured to:

verify the second information and the first ARN identifier using third information, where the third information represents the correspondence between the source information of one or more messages and ARN identifiers.

In one embodiment, the receiving unit 801 is further configured to receive the third information sent by a control device;

or,

the processing unit 802 is further configured to determine the third information through route learning.

In one embodiment, the processing unit 802 is specifically configured to perform one of the following:

setting the first field, which carries the first ARN identifier in the first message, to a second ARN identifier to obtain a processed first message, where the second ARN identifier is associated with a second network, and forwarding the processed first message to the second network;

setting the first field, which carries the first ARN identifier in the first message, to a third ARN identifier to obtain a processed first message, where the third ARN identifier is associated with a first network, and forwarding the processed first message within the first network in a first manner, where the first manner is associated with the third ARN identifier;

forwarding the first message to the second network, where the message can be forwarded in the second network in a second manner, and the second manner is associated with a second ARN identifier corresponding to the first message;

forwarding the first message within the first network in a third manner, where the third manner is associated with the first ARN identifier.

In one embodiment, the processing unit 802 is specifically configured to:

use fourth information to set the first field, which carries the first ARN identifier in the first message, to the second ARN identifier, or to set the first field, which carries the first ARN identifier in the first message, to the third ARN identifier, where the fourth information represents the correspondence between one or more ARN identifiers associated with the first network and ARN identifiers associated with the second network.

In one embodiment, the receiving unit 801 is further configured to receive the fourth information sent by a control device;

or,

the processing unit 802 is further configured to determine the fourth information through route learning.

In one embodiment, the processing unit 802 is specifically configured to perform one of the following:

setting the first field, which carries the first ARN identifier in the first message, to fifth information to obtain a processed first message, and forwarding the processed first message within the first network in a fourth manner, where the fourth manner is not associated with the ARN and the fifth information indicates that ARN is disabled for the first message;

setting the first field, which carries the first ARN identifier in the first message, to fifth information to obtain a processed first message, and forwarding the processed first message to the second network, where the fifth information indicates that ARN is disabled for the first message;

discarding the first message.

In practice, the receiving unit 801 can be implemented by a communication interface in the message processing apparatus, and the processing unit 802 can be implemented by a processor in the message processing apparatus.

It should be noted that the division into program units used above to describe message processing by the message processing apparatus is only an example. In practice, the processing can be allocated to different program units as needed; that is, the internal structure of the apparatus can be divided into different program units to complete all or part of the processing described above. In addition, the message processing apparatus provided in the above embodiment and the message processing method embodiments belong to the same concept; for the specific implementation, see the method embodiments, which are not repeated here.

Based on a hardware implementation of the above program modules, and to implement the method of the embodiments of the present application, an embodiment of the present application further provides a node. As shown in FIG. 9, the node 900 includes:

a communication interface 901, capable of exchanging information with other devices (such as a control device);

a processor 902, connected to the communication interface 901 to exchange information with other devices, and configured to execute, when running a computer program, the method provided by one or more of the above technical solutions;

a memory 903, on which the computer program is stored.

Specifically, the communication interface 901 is configured to:

receive a first message, where the first message contains a first ARN identifier;

The processor 902 is configured to:

perform, at the first interface, forwarding-related processing associated with the ARN on the first message when first information indicates that a first interface of the node may use ARN, or perform, at the first interface, forwarding-related processing not associated with the ARN on the first message when the first information indicates that ARN is disabled on the first interface of the node.

In one embodiment, the first message further contains second information, and the second information represents the source of the first message; the processor 902 is specifically configured to:

when the first information indicates that the first interface of the node may use ARN, verify the second information and the first ARN identifier; and after the verification succeeds, perform, at the first interface, forwarding-related processing associated with the ARN on the first message.

In one embodiment, the first message further contains second information, and the second information represents the source of the first message; the processor 902 is specifically configured to:

when the first information indicates that the first interface of the node may use ARN, verify the second information and the first ARN identifier; and after the verification fails, perform, at the first interface, forwarding-related processing not associated with the ARN on the first message.

In one embodiment, the processor 902 is specifically configured to:

Verify the second information and the first ARN identifier using third information, where the third information represents a correspondence between source information of one or more messages and ARN identifiers.

In one embodiment, the communication interface 901 is further configured to receive the third information sent by the control device;

or,

The processor 902 is further configured to determine the third information through route learning.

In one embodiment, the processor 902 is specifically configured to perform one of the following:

Set the first field carrying the first ARN identifier in the first message to a second ARN identifier to obtain a processed first message, where the second ARN identifier is associated with the second network, and forward the processed first message to the second network;

Set the first field carrying the first ARN identifier in the first message to a third ARN identifier to obtain a processed first message, where the third ARN identifier is associated with the first network, and forward the processed first message within the first network in a first manner, where the first manner is associated with the third ARN identifier;

Forward the first message to the second network, in which the message can be forwarded in a second manner, where the second manner is associated with a second ARN identifier corresponding to the first message;

Forward the first message within the first network in a third manner, where the third manner is associated with the first ARN identifier.

In one embodiment, the processor 902 is specifically configured to:

Use fourth information to set the first field carrying the first ARN identifier in the first message to the second ARN identifier, or to set the first field carrying the first ARN identifier in the first message to the third ARN identifier, where the fourth information represents a correspondence between one or more ARN identifiers associated with the first network and ARN identifiers associated with the second network.

In one embodiment, the communication interface 901 is further configured to receive the fourth information sent by the control device;

or,

The processor 902 is further configured to determine the fourth information through route learning.

In one embodiment, the processor 902 is specifically configured to perform one of the following:

Set the first field carrying the first ARN identifier in the first message to fifth information to obtain a processed first message, and forward the processed first message within the first network in a fourth manner, where the fourth manner is not associated with the ARN and the fifth information indicates that the ARN is disabled for the first message;

Set the first field carrying the first ARN identifier in the first message to fifth information to obtain a processed first message, and forward the processed first message to the second network, where the fifth information indicates that the ARN is disabled for the first message;

Discard the first message.
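The border-node decision described in the embodiments above, as an added Python sketch that is not code from the patent: check the interface flag (first information), verify the claimed ARN identifier against the message source (second and third information), then either remap the identifier (fourth information) or downgrade or discard. Assumed for illustration: the source is an IP address only, the third information is a prefix-to-identifier table matched by longest prefix, and `ARN_DISABLED = 0` stands in for the fifth information; all class and field names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass, field, replace
from enum import Enum
from typing import Dict, Optional, Set, Tuple

ARN_DISABLED = 0  # assumed encoding of the "fifth information" (ARN disabled for this message)


class Action(Enum):
    FORWARD_ARN = "forwarding associated with ARN"
    FORWARD_PLAIN = "forwarding not associated with ARN"
    DROP = "discard"


@dataclass(frozen=True)
class Message:
    src_addr: str  # second information: the message's source (address only in this sketch)
    arn_id: int    # first field: the ARN identifier carried in the message


@dataclass
class BorderInterface:
    arn_enabled: bool                                     # first information
    allowed: Dict[str, Set[int]]                          # third information: source prefix -> ARN ids
    remap: Dict[int, int] = field(default_factory=dict)   # fourth information: local id -> peer-network id
    drop_on_failure: bool = False                         # pick "discard" instead of downgrading

    def _source_may_use(self, msg: Message) -> bool:
        """Longest-prefix match of the source against the third information."""
        try:
            addr = ipaddress.ip_address(msg.src_addr)
        except ValueError:
            return False  # unparsable source: fail closed
        best = None
        for prefix, ids in self.allowed.items():
            net = ipaddress.ip_network(prefix)
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, ids)
        # No matching entry, or an identifier the source is not bound to, fails verification.
        return best is not None and msg.arn_id in best[1]

    def _non_arn(self, msg: Message) -> Tuple[Action, Optional[Message]]:
        """Processing not associated with ARN: overwrite the field, or discard."""
        if self.drop_on_failure:
            return Action.DROP, None
        return Action.FORWARD_PLAIN, replace(msg, arn_id=ARN_DISABLED)

    def process(self, msg: Message) -> Tuple[Action, Optional[Message]]:
        if not self.arn_enabled:            # interface disables ARN
            return self._non_arn(msg)
        if not self._source_may_use(msg):   # verification failed
            return self._non_arn(msg)
        # Verification succeeded: rewrite the field if a mapping exists,
        # otherwise forward with the identifier unchanged.
        return Action.FORWARD_ARN, replace(msg, arn_id=self.remap.get(msg.arn_id, msg.arn_id))


if __name__ == "__main__":
    # Constructed sample tables and messages (documentation address ranges).
    iface = BorderInterface(
        arn_enabled=True,
        allowed={"192.0.2.0/24": {10, 11}, "192.0.2.128/25": {11}},
        remap={10: 210},
    )
    for m in (Message("192.0.2.5", 10), Message("192.0.2.200", 10), Message("203.0.113.9", 10)):
        print(m, "->", iface.process(m))
```

Overwriting the field on a failed check, rather than forwarding the message untouched, keeps an unverified identifier from being honoured by nodes further inside the network.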

It should be noted that the specific processing performed by the processor 902 and the communication interface 901 can be understood with reference to the method described above.

Of course, in actual application, the components in the node 900 are coupled together through a bus system 904. It can be understood that the bus system 904 is used to implement connection and communication between these components. In addition to a data bus, the bus system 904 also includes a power bus, a control bus and a status signal bus. However, for the sake of clarity, the various buses are all labeled as the bus system 904 in FIG. 9.

The memory 903 in the embodiments of the present application is used to store various types of data to support the operation of the node 900. Examples of such data include any computer program to be run on the node 900.

The method disclosed in the above embodiments of the present application may be applied to the processor 902, or implemented by the processor 902. The processor 902 may be an integrated circuit chip with signal processing capability. In implementation, each step of the above method may be completed by an integrated logic circuit of hardware in the processor 902 or by instructions in the form of software. The processor 902 may be a general-purpose processor, a digital signal processor (DSP, Digital Signal Processor), or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. The processor 902 may implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the present application may be directly embodied as being executed by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium, the storage medium is located in the memory 903, and the processor 902 reads the information in the memory 903 and completes the steps of the foregoing method in combination with its hardware.

In an exemplary embodiment, the node 900 may be implemented by one or more application specific integrated circuits (ASIC, Application Specific Integrated Circuit), DSPs, programmable logic devices (PLD, Programmable Logic Device), complex programmable logic devices (CPLD, Complex Programmable Logic Device), field-programmable gate arrays (FPGA, Field-Programmable Gate Array), general-purpose processors, controllers, microcontrollers (MCU, Micro Controller Unit), microprocessors (Microprocessor), or other electronic components, for executing the foregoing method.

It can be understood that the memory (memory 903) of the embodiments of the present application may be a volatile memory or a non-volatile memory, and may also include both volatile and non-volatile memories. The non-volatile memory may be a read-only memory (ROM, Read Only Memory), a programmable read-only memory (PROM, Programmable Read-Only Memory), an erasable programmable read-only memory (EPROM, Erasable Programmable Read-Only Memory), an electrically erasable programmable read-only memory (EEPROM, Electrically Erasable Programmable Read-Only Memory), a magnetic random access memory (FRAM, ferromagnetic random access memory), a flash memory (Flash Memory), a magnetic surface memory, an optical disc, or a compact disc read-only memory (CD-ROM, Compact Disc Read-Only Memory); the magnetic surface memory may be a disk memory or a tape memory. The volatile memory may be a random access memory (RAM, Random Access Memory), which is used as an external cache. By way of example but not limitation, many forms of RAM are available, such as static random access memory (SRAM, Static Random Access Memory), synchronous static random access memory (SSRAM, Synchronous Static Random Access Memory), dynamic random access memory (DRAM, Dynamic Random Access Memory), synchronous dynamic random access memory (SDRAM, Synchronous Dynamic Random Access Memory), double data rate synchronous dynamic random access memory (DDRSDRAM, Double Data Rate Synchronous Dynamic Random Access Memory), enhanced synchronous dynamic random access memory (ESDRAM, Enhanced Synchronous Dynamic Random Access Memory), SyncLink dynamic random access memory (SLDRAM, SyncLink Dynamic Random Access Memory), and direct Rambus random access memory (DRRAM, Direct Rambus Random Access Memory). The memory described in the embodiments of the present application is intended to include, but is not limited to, these and any other suitable types of memory.

In an exemplary embodiment, the embodiments of the present application further provide a storage medium, namely a computer storage medium, specifically a computer-readable storage medium, for example including the memory 903 storing a computer program, where the computer program can be executed by the processor 902 of the node 900 to complete the steps of the foregoing method. The computer-readable storage medium may be a memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface memory, optical disc, or CD-ROM.

In an exemplary embodiment, the embodiments of the present application further provide a computer program product, including a computer program, where the computer program can be executed by the processor 902 of the node 900 to complete the steps of the foregoing method.

It should be noted that "first", "second", etc. are used to distinguish similar objects, and are not necessarily used to describe a specific order or sequence.

In addition, the technical solutions described in the embodiments of the present application may be combined arbitrarily provided they do not conflict.

The above description is merely a preferred embodiment of the present application and is not intended to limit the protection scope of the present application.

Claims (15)

1. A message processing method, characterized in that it comprises:
a first node receives a first message, wherein the first message includes a first application response network identifier, and the first node includes a border node of a first network;
when first information indicates that a first interface of the first node can use the application response network, the first node performs forwarding-related processing associated with the application response network on the first message at the first interface; or, when the first information indicates that the first interface of the first node disables the application response network, the first node performs forwarding-related processing not associated with the application response network on the first message at the first interface.

2. The method according to claim 1, characterized in that the first message further includes second information, and the second information represents the source of the first message; when the first information indicates that the first interface of the first node can use the application response network, the first node verifies the second information and the first application response network identifier; after the verification succeeds, forwarding-related processing associated with the application response network is performed on the first message at the first interface.

3. The method according to claim 1, characterized in that the first message further includes second information, and the second information represents the source of the first message; when the first information indicates that the first interface of the first node can use the application response network, the first node verifies the second information and the first application response network identifier; after the verification fails, forwarding-related processing not associated with the application response network is performed on the first message at the first interface.

4. The method according to claim 2 or 3, characterized in that the verifying the second information and the first application response network identifier comprises:
the first node verifies the second information and the first application response network identifier using third information, wherein the third information represents a correspondence between source information of one or more messages and application response network identifiers.

5. The method according to claim 4, characterized in that the method further comprises:
the first node receives the third information sent by a control device;
or,
the first node determines the third information through route learning.

6. The method according to claim 2 or 3, characterized in that the second information includes one or more of the following:
user information of the first message;
source address information of the first message;
port information of the first message.

7. The method according to any one of claims 1 to 3, characterized in that the performing forwarding-related processing associated with the application response network on the first message comprises one of the following:
the first node sets the first field carrying the first application response network identifier in the first message to a second application response network identifier to obtain a processed first message, wherein the second application response network identifier is associated with a second network, and forwards the processed first message to the second network;
the first node sets the first field carrying the first application response network identifier in the first message to a third application response network identifier to obtain a processed first message, wherein the third application response network identifier is associated with the first network, and forwards the processed first message within the first network in a first manner, wherein the first manner is associated with the third application response network identifier;
the first node forwards the first message to the second network, in which the message can be forwarded in a second manner, wherein the second manner is associated with a second application response network identifier corresponding to the first message;
the first node forwards the first message within the first network in a third manner, wherein the third manner is associated with the first application response network identifier.

8. The method according to claim 7, characterized in that
the first node uses fourth information to set the first field carrying the first application response network identifier in the first message to the second application response network identifier, or to set the first field carrying the first application response network identifier in the first message to the third application response network identifier, wherein the fourth information represents a correspondence between one or more application response network identifiers associated with the first network and application response network identifiers associated with the second network.

9. The method according to claim 8, characterized in that the method further comprises:
the first node receives the fourth information sent by a control device;
or,
the first node determines the fourth information through route learning.

10. The method according to any one of claims 1 to 3, characterized in that the performing forwarding-related processing not associated with the application response network on the first message comprises one of the following:
the first node sets the first field carrying the first application response network identifier in the first message to fifth information to obtain a processed first message, and forwards the processed first message within the first network in a fourth manner, wherein the fourth manner is not associated with the application response network, and the fifth information indicates that the application response network is disabled for the first message;
the first node sets the first field carrying the first application response network identifier in the first message to fifth information to obtain a processed first message, and forwards the processed first message to a second network, wherein the fifth information indicates that the application response network is disabled for the first message;
the first node discards the first message.

11. A message processing device, characterized in that it is arranged at a first node, wherein the first node includes a border node of a first network, the device comprising:
a receiving unit, configured to receive a first message, wherein the first message includes a first application response network identifier;
a processing unit, configured to perform forwarding-related processing associated with the application response network on the first message at a first interface of the first node when first information indicates that the first interface can use the application response network, or to perform forwarding-related processing not associated with the application response network on the first message at the first interface when the first information indicates that the first interface of the first node disables the application response network.

12. A node, characterized in that the node includes a border node of a first network, the node comprising:
a communication interface, configured to receive a first message, wherein the first message includes a first application response network identifier;
a processor, configured to perform forwarding-related processing associated with the application response network on the first message at a first interface of the node when first information indicates that the first interface can use the application response network, or to perform forwarding-related processing not associated with the application response network on the first message at the first interface when the first information indicates that the first interface of the node disables the application response network.

13. A node, characterized in that it comprises: a processor and a memory for storing a computer program that can be run on the processor,
wherein the processor is configured to execute the steps of the method according to any one of claims 1 to 10 when running the computer program.

14. A storage medium having a computer program stored thereon, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 10.

15. A computer program product, comprising a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 10.
CN202410773425.XA 2024-06-14 2024-06-14 Message processing method, device, node, storage medium and computer program product Pending CN118803062A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410773425.XA CN118803062A (en) 2024-06-14 2024-06-14 Message processing method, device, node, storage medium and computer program product

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410773425.XA CN118803062A (en) 2024-06-14 2024-06-14 Message processing method, device, node, storage medium and computer program product

Publications (1)

Publication Number Publication Date
CN118803062A true CN118803062A (en) 2024-10-18

Family

ID=93019153

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410773425.XA Pending CN118803062A (en) 2024-06-14 2024-06-14 Message processing method, device, node, storage medium and computer program product

Country Status (1)

Country Link
CN (1) CN118803062A (en)

Similar Documents

Publication Publication Date Title
EP3759870B1 (en) Network slicing with smart contracts
WO2019105461A1 (en) Packet sending and processing method and apparatus, pe node, and node
US8121126B1 (en) Layer two (L2) network access node having data plane MPLS
WO2019105462A1 (en) Method and apparatus for sending packet, method and apparatus for processing packet, pe node, and node
US8085791B1 (en) Using layer two control protocol (L2CP) for data plane MPLS within an L2 network access node
US11451509B2 (en) Data transmission method and computer system
CN113691490B (en) A method and device for verifying SRv6 message
EP3306888A1 (en) Method and apparatus to create and manage virtual private groups in a content oriented network
EP2999172B1 (en) Method and devices to certify a trusted path in a software defined network
WO2021197003A1 (en) Boundary filtering method and device for srv6 trust domain
KR102621953B1 (en) Packet detection method and first network device
US12143293B2 (en) Fast reroute for BUM traffic in ethernet virtual private networks
US20240137338A1 (en) Border gateway protocol (bgp) flowspec origination authorization using route origin authorization (roa)
Bitar et al. Requirements for Multi-Segment Pseudowire Emulation Edge-to-Edge (PWE3)
CN109495370A (en) A kind of message transmitting method and device based on VPLS
CN111464443B (en) Message forwarding method, device, equipment and storage medium based on service function chain
CN113709091A (en) Method, apparatus and system for policy-based packet processing
CN109768929B (en) Message transmission method and device based on VPWS
CN118803062A (en) Message processing method, device, node, storage medium and computer program product
CN114884667B (en) Communication authentication method, device and storage medium
CN110602110A (en) Method, device, equipment and storage medium for isolating ports of whole network
WO2023246501A1 (en) Message verification method and apparatus, and related device and storage medium
WO2024002101A1 (en) Packet transmission method and apparatus, related device, and storage medium
CN118803010A (en) A communication method, network device, storage medium, and computer program product
CN118802068A (en) Information processing method, device, equipment, storage medium and computer program product

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination