
WO2024164678A1 - Source address validation method, and communication apparatus and system - Google Patents


Info

Publication number: WO2024164678A1
Authority: WO (WIPO, PCT)
Prior art keywords: message, verification, source address, node, forwarding
Application number: PCT/CN2023/136556
Other languages: French (fr), Chinese (zh)
Inventors: 耿男, 谭镇, 黄明庆, 刘立全
Original assignee: 华为技术有限公司 (Huawei Technologies Co., Ltd.)

Classifications

    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 45/00 Routing or path finding of packets in data switching networks
    • H04L 45/74 Address processing for routing
    • H04L 45/745 Address table lookup; Address filtering
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Definitions

  • the present application relates to the field of communication technology, and in particular to a source address verification method, a communication device and a system.
  • Source address validation (SAV) is an important means of eliminating source address forgery attacks, and many existing network defense solutions are based on it. The basic principle of SAV technology is to establish a mapping relationship between the source address of a message and the message input interface, and then, during subsequent message forwarding, verify according to that mapping relationship whether the input interface corresponding to the source address of the message is correct.
  • the source address verification table used by SAV technology requires a lot of table space on the data plane. If the source address verification table and the forwarding table are stored on the same forwarding chip, the source address verification table occupies table space that the forwarding table would otherwise use. If the source address verification table is placed on a separate forwarding chip, the cost of the device is higher. In short, configuring a source address verification table on a device has a significant impact on the device's capacity and cost.
  • the present application provides a source address verification method, a communication device and a system, which are used to solve the problem that the source address verification table has a large demand for table space on the data plane, which affects the capacity and cost of the device.
  • a source address verification method which can be executed by a first node, or by a component of the first node, such as a processor, chip, or chip system of the first node, or by a logic module or software that can realize all or part of the functions of the first node.
  • the method may include: the first node obtains a source address verification table and a forwarding table, the source address verification table includes a mapping relationship between a source address of at least one message and a message input interface, and the forwarding table includes a mapping relationship between a destination address of at least one message and a message forwarding interface.
  • the first node generates an independent verification table according to the source address verification table and the forwarding table. The independent verification table includes the mapping relationships in the source address verification table other than the first-type mapping relationships, where a first-type mapping relationship is one that is the same in both the forwarding table and the source address verification table.
  • the first node determines that the first message is a legitimate message when the received first message passes the verification of the independent verification table and/or the verification of the forwarding table.
  • the first node can reuse the forwarding table to perform source address verification, so that the first-type mapping relationships, which are the same in the source address verification table and the forwarding table, do not need to be stored separately.
  • the first node can also use an independent verification table to verify the source address, and the rules in the independent verification table can serve as a supplement to the rules of the forwarding table.
  • this method can achieve the same or a similar verification effect as using the source address verification table for source address verification, while reducing the number of rules that need to be stored separately for source address verification.
  • in the source address verification table, the first-type mapping relationships account for the majority of entries, and the mapping relationships other than the first-type ones account for only a minority.
  • the independent verification table has a smaller demand for table space on the data plane, and will not have much impact on the capabilities and costs of the device.
  • the first node determining that the first message is a legal message when the received first message passes the verification of the independent verification table and/or the verification of the forwarding table may include the following: the first node verifies the first message according to the independent verification table, and determines that the first message is a legal message when it passes that verification. Alternatively, when the source address of the first message is not among the addresses of the independent verification table, the first node verifies the first message according to the forwarding table, and determines that the first message is a legal message when it passes the verification of the forwarding table.
  • the first node determines that the first message is a legal message when the received first message passes the verification of the independent verification table and/or the verification of the forwarding table. Specifically, it may include: the first node verifies the first message according to the forwarding table. The first node determines that the first message is a legal message when the first message passes the verification of the forwarding table. Alternatively, the first node verifies the first message according to the independent verification table when the first message fails to pass the verification of the forwarding table. And, the first node determines that the first message is a legal message when the first message passes the verification of the independent verification table.
  • assume that the source address of the first message is the first address and the input interface of the first message is the first interface.
  • the method may also include: when the first address is not among the addresses of the independent verification table, or the independent verification table has a mapping relationship between the first address and the first interface, the first node determines that the first message has passed the verification of the independent verification table. When the first address is among the addresses of the independent verification table but the interface mapped to the first address is not the first interface, the first node determines that the first message has not passed the verification of the independent verification table.
  • again assume that the source address of the first message is the first address and the input interface of the first message is the first interface.
  • the method may also include: the first node determines that the first message passes the verification of the forwarding table when the first address is not among the addresses of the forwarding table, or the forwarding table has a mapping relationship between the first address and the first interface. The first node determines that the first message fails the verification of the forwarding table when the first address is among the addresses of the forwarding table but the interface mapped to the first address is not the first interface.
  • a communication device which has the function of implementing the method described in the first aspect.
  • the function can be implemented by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • a communication device comprising: a processor and a memory; the memory is used to store computer execution instructions, and when the communication device is running, the processor executes the computer execution instructions stored in the memory to enable the communication device to perform a source address verification method as described in any one of the above-mentioned first aspects.
  • a communication device comprising: a processor; the processor is used to couple with a memory, and after reading instructions in the memory, execute a source address verification method as described in any one of the first aspects above according to the instructions.
  • a computer-readable storage medium wherein instructions are stored in the computer-readable storage medium, and when the computer-readable storage medium is run on a computer, the computer can execute the source address verification method described in any one of the first aspects above.
  • a computer program product comprising instructions, which, when executed on a computer, enables the computer to execute the source address verification method described in any one of the first aspects.
  • for the technical effects of any design in the second to sixth aspects, refer to the technical effects of the corresponding designs in the first aspect; they are not repeated here.
  • FIG1 is a schematic diagram of the structure of a communication network provided in an embodiment of the present application.
  • FIG2 is a schematic diagram of a process of performing source address verification and message forwarding based on a forwarding table provided in an embodiment of the present application.
  • FIG3 is a schematic diagram of the structure of another communication network provided in an embodiment of the present application.
  • FIG4 is a schematic diagram of a message processing flow provided in an embodiment of the present application.
  • FIG5 is a schematic diagram of a table space of a data plane provided in an embodiment of the present application.
  • FIG6 is a schematic flow chart of a source address verification method provided in an embodiment of the present application.
  • FIG7 is a schematic diagram of a set relationship between a source address verification table and a forwarding table provided in an embodiment of the present application.
  • FIG8 is a schematic flow chart of a source address verification method provided in an embodiment of the present application.
  • FIG9 is a schematic flow chart of a source address verification method provided in an embodiment of the present application.
  • FIG10 is a schematic diagram comparing the data plane table space used to store a source address verification table and an independent verification table, provided in an embodiment of the present application.
  • FIG11 is a schematic diagram of the structure of a communication device provided in an embodiment of the present application.
  • FIG12 is a schematic diagram of the structure of another communication device provided in an embodiment of the present application.
  • FIG13 is a schematic diagram of the structure of another communication device provided in an embodiment of the present application.
  • the routing table is also called the routing information base (RIB), and the forwarding table is also called the forwarding information base (FIB).
  • the routing table can be constructed by the node based on the information obtained from various routing processes.
  • the forwarding table can include the best route in the routing table.
  • the routing table is located in the control plane, and the forwarding table is located in the data plane.
  • the message forwarding node actually queries the forwarding table to forward the message.
  • the forwarding table can include the destination address, the forwarding interface information corresponding to the destination address, and the next hop information.
  • Unicast reverse path forwarding (uRPF) technology mainly filters messages by checking the legitimacy of the source address of the message (also called a data packet). uRPF can check the legitimacy of the source address of a message by querying the forwarding table.
  • uRPF modes can include strict and loose, which are introduced below.
  • Strict uRPF: not only must the forwarding table contain a route to the source address of the message, but the incoming interface of the message must also be consistent with the outgoing interface of that route. Only messages that meet both conditions are considered legal.
  • Loose uRPF: only requires that the forwarding table contains a route to the source address of the message; it does not check whether the incoming interface of the message is consistent with the outgoing interface of the route to the source address.
  • Figure 1 shows a schematic diagram of the structure of a communication network.
  • host H1 can be connected to host H3 through node R1 and node R2, and host H2 can be connected to host H3 through node R3 and node R2.
  • the interface connecting node R2 to node R1 is a.
  • the interface connecting node R2 to node R3 is b.
  • the forwarding table of node R2 may be as shown in Table 1.
  • node R2 can receive message x from interface a. If node R2 implements strict uRPF, then after receiving message x, node R2 can first query whether there is a route to the source address P1 of message x in the forwarding table. In the forwarding table shown in Table 1, node R2 can query the route to P1. Further, node R2 can query the route outbound interface to P1. As shown in the forwarding table in Table 1, the forwarding outbound interface corresponding to the route to P1 is a, and the incoming interface of message x is also a.
  • node R2 can determine that message x is a legitimate message and has passed the uRPF filter. If node R2 executes loose uRPF, then after node R2 finds the route to P1 in the forwarding table, it can determine that message x is legal and has passed the uRPF filter.
  • node R2 can receive the message y from interface b. If node R2 implements strict uRPF, then after receiving message y, node R2 can first query whether there is a route to the source address P1 of message y in the forwarding table. In the forwarding table shown in Table 1, node R2 can query the route to P1. Further, node R2 can query the route outbound interface to P1. As shown in the forwarding table in Table 1, the forwarding outbound interface corresponding to the route to P1 is a, and the incoming interface of message y is b.
  • node R2 can determine that message y is not a legitimate message and message y cannot pass the uRPF filter. If node R2 implements loose uRPF, then after node R2 finds the route to P1 in the forwarding table, it can determine that message y is legal, and message y will pass the uRPF filter.
  • the above uRPF technology can be used to check the legitimacy of the source address of the message to achieve message filtering.
  • both the filtering and forwarding of the message can be implemented based on the forwarding table.
  • the process of the node performing source address verification and message forwarding based on the forwarding table can be shown in Figure 2.
  • after receiving a message, the node can first enter the source address verification process, and the means of performing source address verification can be the uRPF technology described above.
  • the node can match based on the forwarding table to determine whether the message is legal/verified. If the source address verification of the message fails, the node can discard the message. If the source address verification of the message passes, the message forwarding process can be entered. In the message forwarding process, the node can further match based on the forwarding table to query the forwarding interface and next hop of the message. Then, the message is forwarded.
  • Fig. 3 shows a schematic diagram of another communication network, which may include a host H4, a host H5, a node A, a node B, a node C, and a node D.
  • node A is connected to node B through interface a1, connected to node D through interface a2, and connected to host H4 through interface a3;
  • node B is connected to node A through interface b2, and connected to node C through interface b1;
  • node C is connected to node B through interface c1, connected to node D through interface c2, and connected to host H5 through interface c3;
  • node D is connected to node C through interface d1, and connected to node A through interface d2.
  • the forwarding path of a message sent from host H4 to host H5 can be: host H4 → node A → node B → node C → host H5.
  • the forwarding path of a message sent from host H5 to host H4 can be: host H5 → node C → node D → node A → host H4.
  • the route from host H4 to host H5 and the route from host H5 to host H4 can be asymmetric.
  • node A can receive the message from host H4 from interface a3 and forward it from interface a1.
  • Node C can receive the message from host H4 from interface c1 and forward it from interface c3.
  • Node C can receive the message from host H5 from interface c3 and forward it from interface c2.
  • Node A can receive the message from host H5 from interface a2 and forward it from interface a3.
  • the forwarding table of node A may be as shown in Table 2
  • the forwarding table of node C may be as shown in Table 3.
  • node D can also be connected to host H6 through interface d3. Assume that host H6 sends message n with a forged source address P4 to host H5, and message n can be forwarded to node C through node D. Then, node C will receive message n from interface c2. If node C implements strict uRPF, then after receiving message n, node C will query the routing outbound interface to the source address of message n (i.e. P4). The routing outbound interface to the source address of message n queried by node C is c2, which is consistent with the inbound interface c2 of receiving message n. Node C will consider the message n to be legal, thereby allowing the message n to pass verification. But in fact, the message n is an illegal message. In this case, a false negative problem arises.
  • the node can obtain the source address verification table with the help of routing information and other information, and then verify the source address of the message based on the source address verification table.
  • the source address verification table includes the mapping relationship between the source address of the message and the legal input interface, and the mapping relationship between the source address and the legal input interface is generated based on the actual forwarding path information of the message. The result of the source address verification of the message based on the source address verification table is completely correct.
  • since the message sent by host H1 to host H3 will enter node R2 through interface a, node R2 can establish a mapping relationship between source address P1 and legal input interface a. Since the message sent by host H2 to host H3 will enter node R2 through interface b, node R2 can establish a mapping relationship between source address P2 and legal input interface b. Since the message sent by host H3 to host H1 or host H2 will enter node R2 through interface c, node R2 can establish a mapping relationship between source address P3 and legal input interface c.
  • the source address verification table on node R2 can be as shown in Table 4, which can include a mapping relationship between source address P1 and legal input interface a, a mapping relationship between source address P2 and legal input interface b, and a mapping relationship between source address P3 and legal input interface c.
  • the address of host H4 is P4 and the address of host H5 is P5. Since node A can receive a message from host H4 from interface a3 and a message from host H5 from interface a2, the source address verification table of node A can be shown in Table 5. Node C can receive a message from host H4 from interface c1 and a message from host H5 from interface c3, so the source address verification table of node C can be shown in Table 6.
  • source address verification based on the source address verification table will not have false positive and false negative problems, because the source address verification table stores the mapping relationship between the source address and the legal input interface, and the mapping relationship is generated based on the actual message reception situation. For example, if node C performs source address verification on the received message according to the source address verification table shown in Table 6, the message with source address P4 received by node C from interface c1 can pass the source address verification, and there will be no false positive problem; the message with source address P4 received by node C from interface c2 cannot pass the source address verification, and there will be no false negative problem.
  • the processing flow of the message entering the node can be shown in Figure 4.
  • the node can first enter the source address verification process, and the means of performing source address verification can be the above-mentioned SAV technology.
  • the node can match based on the source address verification table to determine whether the message is legal/verified. If the message fails the source address verification, the node can discard the message. If the message passes the source address verification, it can enter the message forwarding process. In the message forwarding process, the node can further match based on the forwarding table to query the forwarding interface and next hop of the message. Then, the message is forwarded.
  • when a node performs source address verification according to a source address verification table and the source address of the message to be verified is not in the table, the node may regard the verification result as unknown. For messages whose source address verification result is unknown, the node may forward the message by default. In other words, if the source address of the message to be verified is not in the source address verification table, the node may treat it as having passed source address verification and then forward it.
  • when a node uses a source address verification table to verify the source address of a message, the node must configure both a source address verification table and a forwarding table, used for source address verification and message forwarding respectively.
  • the source address verification table and the forwarding table share the table space of the data plane.
  • the table space of the data plane can be used to store the source address verification table and the forwarding table. It should be understood that the table space of the data plane is very precious and limited. If the source address verification table occupies a larger space, the space left for the forwarding table is smaller. Therefore, the method of using the source address verification table to verify the legitimacy of the source address of the message will have a great impact on the forwarding function of the node.
  • the source address verification table entries can be configured in an access control list (ACL). By reusing the ACL, the table space occupied by the source address verification table can be saved.
  • an interface-based ACL can filter packets according to their inbound interface, so the source address verification table entries can be configured in the interface-based ACL.
  • however, an interface-based ACL can hold at most 1000 entries (numbered 1000 to 1999), while the number of source address verification table entries is usually tens of thousands, hundreds of thousands, or millions. This implementation is therefore only suitable for special scenarios with few source address verification table entries.
  • an independent chip may be used to store the source address verification table, but this requires that the table space of the independent chip be large enough, which makes the cost of the chip higher.
  • "at least one of the following" and similar expressions refer to any combination of the listed items, including any single item or any plurality of items.
  • for example, at least one of a, b, or c can represent: a, b, c, a-b, a-c, b-c, or a-b-c, where each of a, b and c can be single or multiple.
  • the words "first", "second" and the like are used to distinguish between items that are the same or similar and have substantially the same functions and effects.
  • the node in the embodiment of the present application may refer to a network device with a message forwarding function, which is uniformly described here and will not be repeated below.
  • the present application provides a source address verification method, which may include the following steps:
  • Step 601: the first node obtains a source address verification table and a forwarding table, wherein the source address verification table includes a mapping relationship between a source address of at least one message and a message input interface, and the forwarding table includes a mapping relationship between a destination address of at least one message and a message forwarding output interface.
  • the source address verification table includes a mapping relationship between the source address of the message and its correct input interface (also called a legal input interface), and the source address verification table can indicate the correct input interface of the first node to receive the message.
  • for example, the first node may be node R2, and the source address verification table of the first node may be as shown in Table 4 above.
  • alternatively, the first node may be node A, and its source address verification table may be as shown in Table 5 above; or the first node may be node C, and its source address verification table may be as shown in Table 6 above.
  • the source address verification table may be locally or remotely configured in the first node, or may be automatically generated by the first node according to a protocol, or may be obtained by the first node through other means, which is not limited in this application.
  • the forwarding table may include a mapping relationship between the destination address of at least one message and the forwarding outbound interface of the message, and the forwarding table can indicate the correct outbound interface of the first node to forward the message.
  • for example, the first node may be node R2, and the forwarding table of the first node may be as shown in Table 1 above.
  • alternatively, the first node may be node A, and its forwarding table may be as shown in Table 2 above; or the first node may be node C, and its forwarding table may be as shown in Table 3 above.
  • the first node may obtain routing information according to a routing protocol or static configuration, and then generate a forwarding table according to the routing information.
  • the first node may determine the best routing information among all routing information as an entry in the forwarding table.
  • for the source address verification table and the forwarding table used in the source address verification method provided by the present application, reference may also be made to the earlier description of these two tables, which is given once here and not repeated.
  • Step 602: the first node generates an independent verification table based on the source address verification table and the forwarding table.
  • the independent verification table includes other mapping relationships in the source address verification table except the first type of mapping relationship.
  • a first-type mapping relationship is a mapping relationship that is the same in the forwarding table and the source address verification table.
  • for a given first address, the mapping relationship in the source address verification table and the mapping relationship in the forwarding table obtained by the first node may be the same, or they may differ.
  • for example, the first node may be node R2 and the first address may be address P1 of host H1. The transmission path of the message sent by node R2 to host H1 and the transmission path of the message received by node R2 from host H1 are symmetric, and the interface mapped to address P1 is interface a in both the forwarding table of node R2 shown in Table 1 and the source address verification table of node R2 shown in Table 4, that is, the mapping relationship corresponding to address P1 is the same.
  • similarly, the first node may be node R2 and the first address may be address P2 of host H2. The transmission path of the message sent by node R2 to host H2 and the transmission path of the message received by node R2 from host H2 are also symmetric, and the interface mapped to address P2 is interface b in both the forwarding table of node R2 shown in Table 1 and the source address verification table of node R2 shown in Table 4, that is, the mapping relationship corresponding to address P2 is the same.
  • likewise, the first node may be node R2 and the first address may be address P3 of host H3. The transmission path of the message sent by node R2 to host H3 and the transmission path of the message received by node R2 from host H3 are symmetric, and the interface mapped to address P3 is interface c in both the forwarding table of node R2 shown in Table 1 and the source address verification table of node R2 shown in Table 4, that is, the mapping relationship corresponding to address P3 is the same.
  • the transmission path of the message received by node A from host H4 and the transmission path of the message sent by node A to host H4 are symmetrical, and the interface mapped to address P4 in the forwarding table of node A shown in Table 2 and the source address verification table of node A shown in Table 5 are both interface a3, that is, the mapping relationship corresponding to address P4 is the same.
  • the transmission path of the message received by node C from host H5 and the transmission path of the message sent by node C to host H5 are symmetrical, and the interface mapped to address P5 in the forwarding table of node C shown in Table 3 and the source address verification table of node C shown in Table 6 are both interface c3, that is, the mapping relationship corresponding to address P5 is the same.
  • the transmission path of the message received by node A from host H5 and the transmission path of the message sent by node A to host H5 are asymmetric, and the interface corresponding to address P5 in the forwarding table of node A shown in Table 2 and the source address verification table of node A shown in Table 5 is different, that is, the mapping relationship corresponding to address P5 is different.
  • the transmission path for node C to receive messages from host H4 and the transmission path for node C to send messages to host H4 are asymmetric.
  • the interfaces corresponding to address P4 in the forwarding table of node C shown in Table 3 and in the source address verification table of node C shown in Table 6 are different, that is, the mapping relationship corresponding to address P4 is different.
  • At least part of the message forwarding paths in the network may be symmetric, so that at least part of the mapping relationships in the forwarding table and the source address verification table acquired by the first node may be the same.
  • the first type of mapping relationship in the forwarding table and the source address verification table is the same, the first type of mapping relationship in the forwarding table can be reused in the embodiment of the present application to verify the source address of the message, and a correct verification result can be obtained. Since the first node can reuse the first type of mapping relationship in the forwarding table, the first node does not need to separately store the first type of mapping relationship for source address verification, thereby saving table space on the data plane.
  • The mapping relationships in the source address verification table other than the first type of mapping relationship are the second type of mapping relationship, and the mapping relationships in the forwarding table other than the first type of mapping relationship are the third type of mapping relationship.
  • both the source address verification table and the forwarding table can be regarded as sets, and FIG7 shows a schematic diagram of a set relationship between a source address verification table and a forwarding table.
  • The source address verification table and the forwarding table intersect, which divides their mapping relationships into three types: the intersection of the source address verification table and the forwarding table is the first type of mapping relationship, the difference of the source address verification table minus the forwarding table is the second type of mapping relationship, and the difference of the forwarding table minus the source address verification table is the third type of mapping relationship.
  • the mapping relationship between address P4 and interface a3 in Table 2 and Table 5 belongs to the first type of mapping relationship;
  • the mapping relationship between address P5 and interface a2 in Table 5 belongs to the second type of mapping relationship;
  • the mapping relationship between address P5 and interface a1 in Table 2 belongs to the third type of mapping relationship;
  • the mapping relationship between address P5 and interface c3 in Table 3 and Table 6 belongs to the first type of mapping relationship;
  • the mapping relationship between address P4 and interface c1 in Table 6 belongs to the second type of mapping relationship;
  • the mapping relationship between address P4 and interface c2 in Table 3 belongs to the third type of mapping relationship.
  • Most of the mapping relationships included in the source address verification table and the forwarding table are first-type mapping relationships, and only a few are second-type and/or third-type mapping relationships. Therefore, the table space occupied by the first-type mapping relationships is much larger than the table space occupied by the second-type or third-type mapping relationships, and the size of the independent verification table, which contains only the second-type mapping relationships, is much smaller than that of the source address verification table, which contains both the first-type and the second-type mapping relationships.
  • Since the third type of mapping relationship does not belong to the source address verification table, the third type of mapping relationship is redundant and has no effect on source address verification.
  • the addresses in the second type of mapping relationship all also appear among the addresses in the third type of mapping relationship; in other words, the addresses in the third type of mapping relationship include the addresses in the second type of mapping relationship.
  • Step 603 When the received first message passes the verification of the independent verification table and/or the verification of the forwarding table, the first node determines that the first message is a legal message.
  • In one implementation, step 603 may specifically include the following steps:
  • Step 6031a The first node verifies the first message according to the independent verification table.
  • Step 6032a When the first message passes the verification of the independent verification table, the first node determines that the first message is a legal message.
  • the first node may determine that the first message is an illegal message if the first message fails to pass the verification of the independent verification table.
  • Assume that the source address of the first message is the first address and the input interface of the first message is the first interface.
  • the first node may determine that the first message passes the verification of the independent verification table when the first address is not among the addresses in the independent verification table, or when the independent verification table contains a mapping relationship between the first address and the first interface. Conversely, the first node may determine that the first message does not pass the verification of the independent verification table when the first address is among the addresses in the independent verification table but the interface mapped to the first address is not the first interface.
  • Step 6033a When the source address of the first message does not exist in the addresses in the independent verification table, the first node verifies the first message according to the forwarding table.
  • Step 6034a When the first message passes the verification of the forwarding table, the first node determines that the first message is a legal message.
  • step 6033a is a prerequisite for executing step 6034a. Therefore, the essence of step 6034a is: the first node can determine that the first message is a legitimate message when the source address of the first message does not exist in the address of the independent verification table, but the first message passes the verification of the forwarding table.
  • the first node may determine that the first message is an illegal message when the source address of the first message does not exist in the addresses in the independent verification table and the first message does not pass the verification of the forwarding table.
  • Assume that the source address of the first message is the first address and the input interface of the first message is the first interface.
  • the first node may determine that the first message passes the verification of the forwarding table when the first address is not among the addresses in the forwarding table, or when the forwarding table contains a mapping relationship between the first address and the first interface. Conversely, the first node may determine that the first message fails the verification of the forwarding table when the first address is among the addresses in the forwarding table but the interface mapped to the first address is not the first interface.
  • When the first message is determined to be a legitimate message, the first node may further forward the first message according to the forwarding table.
  • When the first message is determined to be an illegal message, the first node may discard the first message and not forward it.
  • In another implementation, step 603 may specifically include the following steps:
  • Step 6031b The first node verifies the first message according to the forwarding table.
  • Step 6032b When the first message passes the verification of the forwarding table, the first node determines that the first message is a legal message.
  • condition for the first message to pass the verification of the forwarding table can refer to the description in step 6034a, which will not be repeated here.
  • Step 6033b When the first message fails to pass the verification of the forwarding table, the first node verifies the first message according to the independent verification table.
  • Step 6034b When the first message passes the verification of the independent verification table, the first node determines that the first message is a legal message.
  • step 6033b is a prerequisite for executing step 6034b. Therefore, the essence of step 6034b is: the first node can determine that the first message is a legitimate message when the first message fails to pass the verification of the forwarding table but passes the verification of the independent verification table.
  • the first node may determine that the first message is an illegal message when the first message fails to pass the verification of the forwarding table and the first message also fails to pass the verification of the independent verification table.
  • the conditions for the first message to pass the verification of the independent verification table can refer to the description in step 6032a, which will not be repeated here.
  • Based on the scheme of steps 6031a to 6034a above, the first node may first verify the first message according to the independent verification table; if the source address of the first message is not among the addresses in the independent verification table, the first node performs a second verification according to the forwarding table. Based on the scheme of steps 6031b to 6034b above, the first node may first verify the first message according to the forwarding table; if the first message fails the verification of the forwarding table, the first node performs a second verification according to the independent verification table. It can be seen that the rules of the independent verification table and the forwarding table complement each other and jointly realize the verification of the source address of the first message.
  • the union of the mapping relationships included in the independent verification table and the mapping relationships included in the forwarding table contains all mapping relationships in the source address verification table.
  • the above-mentioned scheme of steps 6031a to 6034a or the scheme of steps 6031b to 6034b can be equivalent to using the source address verification table to verify the message, thereby achieving the same or similar effect of using the source address verification table to perform source address verification. This method can eliminate the false positive problem caused by uRPF technology.
  • When the address prefixes in the third type of mapping relationship are all included in the second type of mapping relationship, the scheme of steps 6031a to 6034a above can also reduce or even avoid the problem of false negatives.
  • the table space of the data plane of the first node stores the independent verification table and the forwarding table.
  • the independent verification table includes other mapping relationships in the source address verification table except the first type of mapping relationship, and the other mapping relationships in the source address verification table except the first type of mapping relationship account for a very small number, so the table space required for the independent verification table is very small.
  • Figure 10 shows a comparison diagram of a data plane table space storing a source address verification table and an independent verification table.
  • the table space occupied by the independent verification table is much smaller than the table space occupied by the source address verification table, so more of the data plane table space is available for the forwarding table.
  • the source address verification method provided in the embodiment of the present application can achieve the same or similar effect as using a source address verification table to perform source address verification, and can also greatly reduce the table space required for the rules/table items used for source address verification, thereby improving the performance of the node and reducing the cost of the node.
  • Since the first node reuses the forwarding table for source address verification, when the routing information is updated and the forwarding table is updated accordingly, the first type of mapping relationship used for source address verification is updated synchronously; the node's information update rate is thereby increased, which improves convergence performance.
  • the technology used by the first node may be uRPF technology, which is uniformly described here.
  • the independent verification table can be configured in the ACL. It should be understood that since there are fewer rules in the independent verification table, the space of the ACL is sufficient. Reusing the ACL space can save the table space of the data plane of the first node.
  • the independent verification table can also be configured in the same table space as the forwarding table, for example, configured in the forwarding chip. Since the table space required by the independent verification table in the embodiment of the present application is extremely small, it will not have much impact on the forwarding table.
  • the independent verification table can also be configured in a separate table space, such as in an independent chip of the first node. Since the table space required for the independent verification table in the embodiment of the present application is extremely small, the cost of adding an independent chip in the first node is not high.
  • Assume that the ratio of the first type of mapping relationship, the second type of mapping relationship, and the third type of mapping relationship is 8:1:1. Then, when the first node adopts the source address verification method provided by the present application, the table space overhead of the data plane of the first node will be reduced by 88.9%.
  • the first node adopts the solution of steps 6031a to 6034a above, 90% of the traffic will be verified twice. Assume that the forwarding performance of a single traffic will be reduced by 6% when it is verified twice compared to one time. Then, the overall forwarding performance of the solution will be reduced by 5.4%. However, the 88.9% table space overhead in exchange for the 5.4% performance loss of the first node is beneficial. In addition, the solution can also eliminate false positives and false negatives.
  • the first node adopts the solution of steps 6031b to 6034b above, 11.1% of the traffic will be verified twice. Assume that the forwarding performance of a single traffic will be reduced by 6% when it is verified twice compared to one verification. Then, the overall forwarding performance of the solution will be reduced by 0.6%. It is very beneficial for the first node to use 0.6% performance loss in exchange for 88.9% table space overhead. This solution will eliminate the false positive problem, but there will be false negative problems (accounting for 10% of the total traffic). This solution is suitable for scenarios where false positive problems are the focus.
  • the solution of the present application exchanges a small performance loss for a large reduction in table space overhead, which effectively reduces the data plane table space occupied by source address verification.
  • the above processing behavior of the first node (obtaining the tables and generating the independent verification table) is implemented on the control plane, and the independent verification table and forwarding table obtained by the first node are configured in the table space of the data plane.
  • the first node performs source address verification and forwarding after receiving the message, which is also performed on the data plane.
  • the above-mentioned source address verification method in the embodiment of the present application can be performed by a communication device, which can be the first node in the above-mentioned method embodiment, or a device including the above-mentioned first node, or a component that can be used for the first node.
  • the communication device includes a hardware structure and/or software module corresponding to each function. It should be easily appreciated by those skilled in the art that, in combination with the units and algorithm steps of each example described in the embodiments disclosed herein, the present application can be implemented in the form of hardware or a combination of hardware and computer software.
  • the embodiment of the present application may divide the functional modules of the communication device according to the above method embodiment.
  • each functional module may be divided according to each function, or two or more functions may be integrated into one processing module.
  • the above integrated modules may be implemented in the form of hardware or software functional modules. It should be noted that the modules in the embodiment of the present application are not necessarily divided into functional modules. The division is schematic and is only a logical function division. There may be other division methods in actual implementation.
  • the communication device 110 includes a source address verification table acquisition module 1101, a forwarding table acquisition module 1102, an independent verification table generation module 1103 and a message verification module 1104.
  • the source address verification table acquisition module 1101 can be used to obtain the source address verification table, the source address verification table includes the mapping relationship between the source address of at least one message and the message input interface.
  • the forwarding table acquisition module 1102 can be used to obtain the forwarding table, the forwarding table includes the mapping relationship between the destination address of at least one message and the message forwarding interface.
  • the independent verification table generation module 1103 can be used to generate an independent verification table based on the source address verification table and the forwarding table, the independent verification table includes other mapping relationships in the source address verification table except the first type of mapping relationship, wherein the first type of mapping relationship includes the same mapping relationship in the forwarding table and the source address verification table.
  • the message verification module 1104 can be used to determine that the first message is a legal message when the received first message passes the verification of the independent verification table and/or the verification of the forwarding table.
  • the forwarding table acquisition module 1102 may be configured to obtain routing information according to a routing protocol or static configuration, and then generate a forwarding table according to the routing information.
  • the message verification module 1104 can be specifically used to: verify the first message according to the independent verification table. If the first message passes the verification of the independent verification table, the first message is determined to be a legal message. Alternatively, if the source address of the first message does not exist in the address of the independent verification table, the first message is verified according to the forwarding table. And, if the first message passes the verification of the forwarding table, the first message is determined to be a legal message.
  • the message verification module 1104 can be specifically used to: verify the first message according to the forwarding table. If the first message passes the verification of the forwarding table, determine that the first message is a legal message. Alternatively, if the first message fails to pass the verification of the forwarding table, verify the first message according to the independent verification table. And, if the first message passes the verification of the independent verification table, determine that the first message is a legal message.
  • the source address of the first message is the first address
  • the input interface of the first message is the first interface.
  • the message verification module 1104 can also be used to: determine that the first message passes the verification of the independent verification table when the first address does not exist in the address of the independent verification table or the independent verification table has a mapping relationship between the first address and the first interface. When the first address exists in the address of the independent verification table, but the interface mapped to the first address is not the first interface, determine that the first message does not pass the verification of the independent verification table.
  • the source address of the first message is the first address
  • the input interface of the first message is the first interface.
  • the message verification module 1104 can also be used to: determine that the first message passes the verification of the forwarding table when the first address does not exist in the address of the forwarding table or the forwarding table has a mapping relationship between the first address and the first interface. Determine that the first message does not pass the verification of the forwarding table when the first address exists in the address of the forwarding table, but the interface mapped to the first address is not the first interface.
  • the functional modules of the communication device can be divided according to actual conditions.
  • the functions of the source address verification table acquisition module 1101 and the forwarding table acquisition module 1102 can be implemented by a transceiver module, and the functions of the independent verification table generation module 1103 and the message verification module 1104 can be implemented by a processing module. Therefore, the structure of the communication device can be shown in Figure 12, and the communication device 120 can include a transceiver module 1201 and a processing module 1202.
  • the communication device 110 or the communication device 120 is presented in the form of dividing each functional module in an integrated manner.
  • the "module" here may refer to a specific ASIC, a circuit, a processor and a memory that executes one or more software or firmware programs, an integrated logic circuit, and/or other devices that can provide the above functions.
  • the communication device 110 or the communication device 120 can take the form of the communication device 130 shown in Figure 13.
  • FIG13 is a schematic diagram of the structure of a communication device provided in an embodiment of the present application.
  • the communication device 130 includes one or more processors 1301, a communication line 1302, and at least one communication interface (FIG13 is only exemplary and takes a communication interface 1303 and a processor 1301 as an example for explanation).
  • a memory 1304 may also be included.
  • Processor 1301 can be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the program of the present application.
  • the communication line 1302 may include a pathway for communication between different components.
  • the communication interface 1303 may be a transceiver module for communicating with other devices or communication networks, such as Ethernet, RAN, wireless local area networks (WLAN), etc.
  • the transceiver module may be a device such as a transceiver.
  • the communication interface 1303 may also be a transceiver circuit located in the processor 1301 to implement signal input and signal output of the processor.
  • the memory 1304 may be a device with a storage function. For example, it may be a read-only memory (ROM) or other types of static storage devices that can store static information and instructions, a random access memory (RAM) or other types of dynamic storage devices that can store information and instructions, or an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compressed optical disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store the desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited thereto.
  • the memory may exist independently and be connected to the processor through the communication line 1302. The memory may also be integrated with the processor.
  • the memory 1304 is used to store computer-executable instructions for executing the solution of the present application, and the execution is controlled by the processor 1301.
  • the processor 1301 is used to execute the computer-executable instructions stored in the memory 1304, thereby implementing the air interface concurrency method provided in the embodiment of the present application.
  • the processor 1301 may also perform processing-related functions in the air interface concurrency method provided in the following embodiments of the present application, and the communication interface 1303 is responsible for communicating with other devices or communication networks, which is not specifically limited in the embodiments of the present application.
  • the computer-executable instructions in the embodiments of the present application may also be referred to as application code, which is not specifically limited in the embodiments of the present application.
  • the processor 1301 may include one or more CPUs, such as CPU0 and CPU1 in FIG. 13 .
  • the communication device 130 may include multiple processors, such as the processor 1301 and the processor 1307 in FIG. 13 .
  • processors may be a single-core processor or a multi-core processor.
  • the processors here may include but are not limited to at least one of the following: a central processing unit (CPU), a microprocessor, a digital signal processor (DSP), a microcontroller (MCU), or an artificial intelligence processor and other types of computing devices running software, each of which may include one or more cores for executing software instructions to perform calculations or processing.
  • the communication device 130 may also include an output device 1305 and an input device 1306.
  • the output device 1305 communicates with the processor 1301 and may display information in a variety of ways.
  • the output device 1305 may be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device, or a projector.
  • the input device 1306 communicates with the processor 1301 and may receive user input in a variety of ways.
  • the input device 1306 may be a mouse, a keyboard, a touch screen device, or a sensor device.
  • the above-mentioned communication device 130 may sometimes also be referred to as a communication device, which may be a general device or a dedicated device.
  • the communication device 130 may be a network device such as a router, a switch, a gateway, or a terminal device, or a controller in a network, or a device having a similar structure as shown in FIG. 13.
  • the embodiment of the present application does not limit the type of the communication device 130.
  • the processor 1301 in the communication device 130 shown in FIG. 13 can call the computer-executable instructions stored in the memory 1304 to enable the communication device 130 to execute the source address verification method in the above method embodiment.
  • the communication device 130 provided in this embodiment can execute the above-mentioned source address verification method, the technical effects that can be obtained can refer to the above-mentioned method embodiment and will not be repeated here.
  • the magnitude of the serial numbers of the above-mentioned processes does not imply their order of execution.
  • the execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present application.
  • the disclosed systems, devices and methods can be implemented in other ways.
  • the device embodiments described above are only schematic.
  • the division of the units is only a logical function division. There may be other division methods in actual implementation, such as multiple units or components can be combined or integrated into another system, or some features can be ignored or not executed.
  • Another point is that the mutual coupling or direct coupling or communication connection shown or discussed can be through some interfaces, indirect coupling or communication connection of devices or units, which can be electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units.
  • the unit may not be a physical unit, that is, it may be located in one place, or it may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the computer program product includes one or more computer instructions.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device.
  • the computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another computer-readable storage medium.
  • the computer instructions may be transmitted from a website site, computer, server or data center by wired (e.g., coaxial cable, optical fiber, digital subscriber line (digital subscriber line, DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) mode to another website site, computer, server or data center.
  • the computer-readable storage medium may be any available medium that a computer can access or may contain one or more servers, data centers and other data storage devices that can be integrated with the medium.
  • the available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a digital versatile disc (DVD)), or a semiconductor medium (e.g., a solid state disk (SSD)), etc.
  • a component can be, but is not limited to: a process running on a processor, a processor, an object, an executable file, a thread in execution, a program, and/or a computer.
  • an application running on a computing device and the computing device can both be components.
  • One or more components can exist in a process and/or thread in execution, and a component can be located in a computer and/or distributed between two or more computers. In addition, these components can be executed from various computer-readable media with various data structures thereon.
  • These components can communicate in a local and/or remote process manner, such as according to a signal with one or more data packets (for example, data from a component, which interacts with another component in a local system, a distributed system, and/or interacts with other systems in a signal manner through a network such as the Internet).
  • the present application presents various aspects, embodiments, or features around a system that may include multiple devices, components, modules, etc. It should be understood and appreciated that each system may include additional devices, components, modules, etc., and/or may not include all of the devices, components, modules, etc. discussed in conjunction with the figures. In addition, combinations of these schemes may also be used.
  • the word “exemplary” is used to indicate an example, illustration or description. Any embodiment or design described as “exemplary” in the present application should not be interpreted as being more preferred or more advantageous than other embodiments or designs. Specifically, the word “exemplary” is used to present concepts in a concrete way.
  • information, signal, message, and channel can sometimes be used interchangeably. It should be noted that when the distinction between them is not emphasized, the meanings they intend to express are consistent. “Of,” “corresponding,” and “corresponding” can sometimes be used interchangeably. It should be noted that when the distinction between them is not emphasized, the meanings they intend to express are consistent. “System” and “network” can sometimes be used interchangeably. When the distinction between them is not emphasized, the meanings they intend to express are consistent. For example, "communication network” also refers to "communication system.”
  • the network architecture and business scenarios described in the embodiments of the present application are intended to more clearly illustrate the technical solutions of the embodiments of the present application, and do not constitute a limitation on the technical solutions provided in the embodiments of the present application.
  • a person of ordinary skill in the art can appreciate that with the evolution of the network architecture and the emergence of new business scenarios, the technical solutions provided in the embodiments of the present application are also applicable to similar technical problems.

Abstract

The present application provides a source address validation method, and a communication apparatus and system, applied to the technical field of communications. The method comprises: a first node acquires a source address validation table and a forwarding table; the first node generates an independent validation table according to the source address validation table and the forwarding table, wherein the independent validation table comprises the mapping relationships in the source address validation table other than a first-type mapping relationship, and the first-type mapping relationship indicates the same mapping relationship in the forwarding table and the source address validation table; and when a received first packet passes the validation of the independent validation table and/or the validation of the forwarding table, the first node determines that the first packet is a legitimate packet. On the basis of the solution, the first node can reuse the forwarding table for source address validation, thereby saving table space occupied by entries for source address validation. Additionally, the rules in the independent validation table and the forwarding table are complementary to each other, thus achieving a similar effect as using the source address validation table for validation.

Description

Source address verification method, communication device and system
This application claims priority to the Chinese patent application filed with the State Intellectual Property Office on February 10, 2023, with application number 202310152020.X and title "Source Address Verification Method, Communication Device and System", the entire contents of which are incorporated herein by reference.
Technical Field
The present application relates to the field of communication technology, and in particular to a source address verification method, a communication device and a system.
Background Art
Source address validation (SAV) is an important means of eliminating source address spoofing attacks, and many existing network defense schemes are built on it. The basic principle of SAV is to establish a mapping relationship between the source address of a message and the inbound interface of the message, and then, when subsequent messages are forwarded, to use that mapping relationship to verify whether the inbound interface corresponding to the source address of the message is correct.
However, the source address verification table used by SAV places a heavy demand on data-plane table space. If the source address verification table and the forwarding table are stored on the same forwarding chip, the source address verification table crowds out table space of the forwarding table; if the source address verification table is placed on a separate forwarding chip, the cost of the device rises. In short, configuring a source address verification table on a device has a significant impact on the capacity and cost of the device.
Summary of the Invention
The present application provides a source address verification method, a communication device and a system, which are used to solve the problem that the source address verification table places a heavy demand on data-plane table space and thereby affects the capacity and cost of the device.
In order to achieve the above purpose, the present application adopts the following technical solutions:
In a first aspect, a source address verification method is provided. The method can be executed by a first node, by a component of the first node such as its processor, chip or chip system, or by a logic module or software that implements all or part of the functions of the first node. The method may include: the first node obtains a source address verification table and a forwarding table, where the source address verification table includes a mapping relationship between the source address of at least one message and the inbound interface of the message, and the forwarding table includes a mapping relationship between the destination address of at least one message and the forwarding outbound interface of the message. The first node generates an independent verification table according to the source address verification table and the forwarding table, where the independent verification table includes the mapping relationships in the source address verification table other than the first-type mapping relationships, and a first-type mapping relationship is a mapping relationship that is the same in the forwarding table and the source address verification table. When a received first message passes verification by the independent verification table and/or verification by the forwarding table, the first node determines that the first message is a legitimate message.
Based on this solution, the first node can reuse the forwarding table for source address verification, so that the first-type mapping relationships, which are identical in the source address verification table and the forwarding table, need not be stored separately. In addition, the first node can also use the independent verification table for source address verification, and the rules in the independent verification table supplement the rules of the forwarding table. The method therefore achieves the same or a similar verification effect as using the source address verification table directly, while reducing the number of rules that must be stored separately for source address verification. Normally, first-type mapping relationships make up the majority of the source address verification table, and the remaining mapping relationships only a minority. The independent verification table therefore places a small demand on data-plane table space and does not have much impact on the capacity and cost of the device.
With reference to the first aspect, in a possible implementation, determining that the first message is a legitimate message when the received first message passes verification by the independent verification table and/or verification by the forwarding table includes: the first node verifies the first message according to the independent verification table, and determines that the first message is a legitimate message when it passes verification by the independent verification table. Alternatively, when the source address of the first message is not among the addresses of the independent verification table, the first node verifies the first message according to the forwarding table, and determines that the first message is a legitimate message when it passes verification by the forwarding table.
With reference to the first aspect, in a possible implementation, determining that the first message is a legitimate message when the received first message passes verification by the independent verification table and/or verification by the forwarding table may specifically include: the first node verifies the first message according to the forwarding table, and determines that the first message is a legitimate message when it passes verification by the forwarding table. Alternatively, when the first message fails verification by the forwarding table, the first node verifies the first message according to the independent verification table, and determines that the first message is a legitimate message when it passes verification by the independent verification table.
With reference to the first aspect, in a possible implementation, the source address of the first message is a first address and the inbound interface of the first message is a first interface. The method may further include: the first node determines that the first message passes verification by the independent verification table when the first address is not among the addresses of the independent verification table, or when the independent verification table contains a mapping relationship between the first address and the first interface; and the first node determines that the first message fails verification by the independent verification table when the first address is among the addresses of the independent verification table but the interface mapped to the first address is not the first interface.
With reference to the first aspect, in a possible implementation, the source address of the first message is a first address and the inbound interface of the first message is a first interface. The method may further include: the first node determines that the first message passes verification by the forwarding table when the first address is not among the addresses of the forwarding table, or when the forwarding table contains a mapping relationship between the first address and the first interface; and the first node determines that the first message fails verification by the forwarding table when the first address is among the addresses of the forwarding table but the interface mapped to the first address is not the first interface.
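The construction of the independent verification table and the first ordering of checks described above (independent table first, forwarding table only when the independent table has no entry for the source address), as an added worked example that is not code from the application. The node, its forwarding table, its source address verification table, the addresses and the interface names are all constructed for the example, and addresses are treated as exact keys rather than prefixes; `table_check`, `build_independent_table` and `is_legitimate` are names chosen here, not names used by the application:

```python
"""Source address validation that reuses the forwarding table plus an
'independent verification table', following the method summarised above.
Added illustration, not the applicant's code; every table below is constructed."""

from typing import Dict, Optional, Tuple

# Constructed forwarding table of one node: destination address -> outbound interface.
FIB: Dict[str, str] = {
    "P1": "a",
    "P2": "b",
    "P3": "c",
    "P4": "a",   # the route back to P4 leaves via a ...
    "P6": "a",   # a route only; no SAV rule exists for P6
}

# Constructed source address verification table: source address -> legitimate inbound interface.
SAV: Dict[str, str] = {
    "P1": "a",   # identical to the FIB entry: first-type mapping
    "P2": "b",   # identical to the FIB entry: first-type mapping
    "P3": "c",   # identical to the FIB entry: first-type mapping
    "P4": "b",   # ... but traffic from P4 actually arrives on b (asymmetric routing)
    "P5": "c",   # the FIB has no route to P5 at all
}


def build_independent_table(sav: Dict[str, str], fib: Dict[str, str]) -> Dict[str, str]:
    """Keep only the SAV mappings that the forwarding table does not already
    express identically; the identical (first-type) ones are dropped because
    the forwarding table itself is consulted for them."""
    return {addr: iface for addr, iface in sav.items() if fib.get(addr) != iface}


def table_check(table: Dict[str, str], src: str, in_iface: str) -> Optional[bool]:
    """Pass/fail rule stated for both tables: an address mapped to the inbound
    interface passes, one mapped to a different interface fails.  An absent
    address is reported as None so the caller can fall through to the other table."""
    expected = table.get(src)
    if expected is None:
        return None
    return expected == in_iface


def is_legitimate(src: str, in_iface: str, independent: Dict[str, str], fib: Dict[str, str]) -> bool:
    """First ordering: independent table first; forwarding table only when the
    independent table has no entry; absent from both means no constraint."""
    verdict = table_check(independent, src, in_iface)
    if verdict is None:
        verdict = table_check(fib, src, in_iface)
    return True if verdict is None else verdict


def is_legitimate_by_sav(src: str, in_iface: str, sav: Dict[str, str]) -> bool:
    """Reference verdict: validation against the complete SAV table alone."""
    verdict = table_check(sav, src, in_iface)
    return True if verdict is None else verdict


# Constructed messages: (source address, inbound interface).
MESSAGES = [
    ("P1", "a"),  # genuine host behind a
    ("P1", "b"),  # P1 spoofed from b: caught by the reused FIB entry
    ("P4", "b"),  # genuine, asymmetric path: allowed by the independent table
    ("P4", "a"),  # P4 spoofed on the FIB's outbound side: caught by the independent table
    ("P5", "c"),  # genuine, no FIB route: allowed by the independent table
    ("P5", "a"),  # P5 spoofed from a: caught by the independent table
    ("P6", "b"),  # FIB-only address: the combined scheme is stricter than the SAV table here
    ("P9", "a"),  # unknown address: neither table constrains it
]


def compare() -> Dict[Tuple[str, str], Tuple[bool, bool]]:
    """(combined-scheme verdict, full-SAV-table verdict) for every constructed message."""
    independent = build_independent_table(SAV, FIB)
    return {
        (src, iface): (is_legitimate(src, iface, independent, FIB), is_legitimate_by_sav(src, iface, SAV))
        for src, iface in MESSAGES
    }


if __name__ == "__main__":
    ind = build_independent_table(SAV, FIB)
    print(f"SAV entries: {len(SAV)}, independent table entries: {len(ind)} -> {ind}")
    for msg, (combined, reference) in compare().items():
        note = "" if combined == reference else "   <-- differs from the full SAV table"
        print(f"{msg}: combined={combined} sav={reference}{note}")
```

Of the five SAV entries, three are identical to forwarding-table entries and disappear from the independent table, which is the table-space saving the summary describes. The last two messages show the "similar, not identical" caveat: an address that has a route but no SAV rule (P6) is constrained by the reused forwarding table, whereas the full SAV table would leave it unconstrained; an address known to neither table passes under both schemes.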
In a second aspect, a communication device is provided, which has the function of implementing the method described in the first aspect. The function can be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above function.
In a third aspect, a communication device is provided, comprising a processor and a memory. The memory is used to store computer-executable instructions, and when the communication device is running, the processor executes the computer-executable instructions stored in the memory so that the communication device performs the source address verification method described in any implementation of the first aspect.
In a fourth aspect, a communication device is provided, comprising a processor. The processor is used to couple with a memory and, after reading instructions in the memory, to execute the source address verification method described in any implementation of the first aspect according to the instructions.
In a fifth aspect, a computer-readable storage medium is provided, in which instructions are stored. When the instructions are run on a computer, the computer is enabled to execute the source address verification method described in any implementation of the first aspect.
In a sixth aspect, a computer program product comprising instructions is provided. When the product is run on a computer, the computer is enabled to execute the source address verification method described in any implementation of the first aspect.
For the technical effects of any design in the second to sixth aspects, reference may be made to the technical effects of the corresponding designs in the first aspect, which are not repeated here.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG1 is a schematic diagram of the structure of a communication network provided in an embodiment of the present application;
FIG2 is a schematic diagram of a process of performing source address verification and message forwarding based on a forwarding table provided in an embodiment of the present application;
FIG3 is a schematic diagram of the structure of another communication network provided in an embodiment of the present application;
FIG4 is a schematic diagram of a message processing flow provided in an embodiment of the present application;
FIG5 is a schematic diagram of a data-plane table space provided in an embodiment of the present application;
FIG6 is a schematic flow chart of a source address verification method provided in an embodiment of the present application;
FIG7 is a schematic diagram of the set relationship between a source address verification table and a forwarding table provided in an embodiment of the present application;
FIG8 is a schematic flow chart of a source address verification method provided in an embodiment of the present application;
FIG9 is a schematic flow chart of a source address verification method provided in an embodiment of the present application;
FIG10 is a schematic diagram comparing the storage of a source address verification table and of an independent verification table in data-plane table space provided in an embodiment of the present application;
FIG11 is a schematic diagram of the structure of a communication device provided in an embodiment of the present application;
FIG12 is a schematic diagram of the structure of another communication device provided in an embodiment of the present application;
FIG13 is a schematic diagram of the structure of yet another communication device provided in an embodiment of the present application.
DETAILED DESCRIPTION
To facilitate understanding, a brief introduction is first given to the technical terms and related technologies involved in the present application.
The routing table is also called the routing information base (RIB), and the forwarding table is also called the forwarding information base (FIB). The routing table can be constructed by a node from the information obtained through various routing processes, and the forwarding table can include the best routes in the routing table. The routing table resides on the control plane, and the forwarding table resides on the data plane. A forwarding node actually looks up the forwarding table to forward messages. The forwarding table can include the destination address, together with the forwarding outbound interface information and next-hop information corresponding to the destination address.
Unicast reverse path forwarding (uRPF) filters messages (also called data packets) mainly by checking the legitimacy of the source address of the message. uRPF can check the legitimacy of the source address of a message by looking up the forwarding table.
uRPF has two modes, strict and loose, which are introduced below.
Strict uRPF: not only must the forwarding table contain a route to the source address of the message, but the inbound interface of the message must also match the outbound interface of the route to the source address in the forwarding table. Only messages that satisfy both conditions are considered legitimate.
Loose uRPF: only requires that the forwarding table contains a route to the source address of the message; it does not check whether the inbound interface of the message matches the outbound interface of the route to the source address in the forwarding table.
FIG1 shows a schematic diagram of the structure of a communication network. As shown in FIG1, host H1 can be connected to host H3 through node R1 and node R2, and host H2 can be connected to host H3 through node R3 and node R2. The interface through which node R2 connects to node R1 is a, and the interface through which node R2 connects to node R3 is b.
Taking the communication network shown in FIG1 as an example, and assuming that the address of host H1 is P1, the address of host H2 is P2, and the address of host H3 is P3, the forwarding table of node R2 may be as shown in Table 1.
Table 1
Taking the forwarding table shown in Table 1 as an example, the process by which node R2 performs uRPF filtering is described below:
For example, suppose host H1 sends message x to host H3. The source address of message x is P1, and node R2 receives message x on interface a. If node R2 performs strict uRPF, then after receiving message x it first looks up whether the forwarding table contains a route to the source address P1 of message x. In the forwarding table shown in Table 1, node R2 finds the route to P1. Node R2 then looks up the outbound interface of the route to P1. As shown in Table 1, the forwarding outbound interface of the route to P1 is a, and the inbound interface of message x is also a. In other words, the interface on which node R2 received message x matches the outbound interface of the route to the source address of message x in the forwarding table of node R2. Node R2 can therefore determine that message x is a legitimate message that passes uRPF filtering. If node R2 performs loose uRPF, then node R2 determines that message x is legitimate and passes uRPF filtering as soon as it finds the route to P1 in the forwarding table.
As another example, suppose host H2 sends message y, with the forged source address P1, to host H3, and node R2 receives message y on interface b. If node R2 performs strict uRPF, then after receiving message y it first looks up whether the forwarding table contains a route to the source address P1 of message y. In the forwarding table shown in Table 1, node R2 finds the route to P1. Node R2 then looks up the outbound interface of the route to P1. As shown in Table 1, the forwarding outbound interface of the route to P1 is a, while the inbound interface of message y is b. In other words, the interface on which node R2 received message y does not match the outbound interface of the route to the source address of message y in the forwarding table of node R2. Node R2 can therefore determine that message y is not a legitimate message, and message y does not pass uRPF filtering. If node R2 performs loose uRPF, however, node R2 determines that message y is legitimate as soon as it finds the route to P1 in the forwarding table, and message y passes uRPF filtering.
In the prior art, the uRPF technology described above can be used to check the legitimacy of the source address of a message and thereby filter messages. When uRPF is used for message filtering, both filtering and forwarding of messages can be implemented on the basis of the forwarding table. For example, the process by which a node performs source address verification and message forwarding based on the forwarding table can be as shown in FIG2. After receiving a message, the node first enters the source address verification process, and the means of source address verification can be the uRPF technology described above. In the source address verification process, the node performs matching against the forwarding table to determine whether the message is legitimate, that is, whether verification passes. If the source address verification of the message fails, the node can discard the message. If the source address verification of the message passes, the message forwarding process is entered. In the message forwarding process, the node performs further matching against the forwarding table to look up the forwarding outbound interface and next hop of the message, and then forwards the message.
However, the method of using uRPF to verify the legitimacy of the source address of a message still has some problems. For example, in asymmetric routing scenarios, the following two problems arise:
1) False positive problem: in an asymmetric routing scenario, the outbound interface of the route to the source address of a legitimate message differs from the inbound interface on which the node receives the legitimate message, so the legitimate message is discarded.
2) False negative problem: in an asymmetric routing scenario, the outbound interface of the route to the source address of an illegitimate message matches the inbound interface on which the node receives the illegitimate message, so the illegitimate message is let through.
FIG3 shows a schematic diagram of another communication network, which may include host H4, host H5, node A, node B, node C and node D. Node A is connected to node B through interface a1, to node D through interface a2, and to host H4 through interface a3; node B is connected to node A through interface b2 and to node C through interface b1; node C is connected to node B through interface c1, to node D through interface c2, and to host H5 through interface c3; node D is connected to node C through interface d1 and to node A through interface d2.
In the network shown in FIG3, the forwarding path of a message sent from host H4 to host H5 can be: host H4 → node A → node B → node C → host H5, and the forwarding path of a message sent from host H5 to host H4 can be: host H5 → node C → node D → node A → host H4. The route from host H4 to host H5 and the route from host H5 to host H4 can thus be asymmetric. Node A receives messages from host H4 on interface a3 and forwards them from interface a1. Node C receives messages from host H4 on interface c1 and forwards them from interface c3. Node C receives messages from host H5 on interface c3 and forwards them from interface c2. Node A receives messages from host H5 on interface a2 and forwards them from interface a3.
Assuming that the address of host H4 is P4 and the address of host H5 is P5, the forwarding table of node A may be as shown in Table 2, and the forwarding table of node C may be as shown in Table 3.
Table 2
Table 3
Taking the communication network shown in FIG3 as an example, suppose host H4 sends message m to host H5, message m is forwarded to node C through node A and node B, and node C receives message m on interface c1. In this case, if node C performs strict uRPF, then after receiving message m, node C looks up the outbound interface of the route to the source address of message m (that is, P4, the address of host H4). The outbound interface of the route to the source address of message m that node C finds is c2, which differs from the inbound interface c1 on which message m was received. Node C considers message m to be illegitimate and discards it. In this case, a false positive problem arises.
Continuing with the communication network shown in FIG3, node D can also be connected to a host H6 through interface d3. Suppose host H6 sends message n, with the forged source address P4, to host H5, and message n is forwarded to node C through node D. Node C then receives message n on interface c2. If node C performs strict uRPF, then after receiving message n, node C looks up the outbound interface of the route to the source address of message n (that is, P4). The outbound interface of the route to the source address of message n that node C finds is c2, which matches the inbound interface c2 on which message n was received. Node C considers message n to be legitimate and lets it pass verification, although message n is in fact an illegitimate message. In this case, a false negative problem arises.
To avoid both false positives and false negatives, in the prior art a node can derive a source address verification (SAV) table from routing information and other information, and then verify the source address of each packet against that table. The SAV table holds the mapping between a packet's source address and its legal inbound interface, and the mapping is generated from the actual forwarding path of the packets. Verification against such a table is therefore exact, provided the table reflects the paths packets actually take.
For example, in the communication network shown in Figure 1, assume that host H1 has address P1, host H2 address P2 and host H3 address P3. Since packets sent by H1 to H3 enter node R2 through interface a, R2 can record a mapping between source address P1 and legal inbound interface a. Since packets sent by H2 to H3 enter R2 through interface b, R2 can record a mapping between source address P2 and legal inbound interface b. Since packets sent by H3 to H1 or H2 enter R2 through interface c, R2 can record a mapping between source address P3 and legal inbound interface c. The SAV table of R2 may thus be as shown in Table 4, containing the mappings P1 → a, P2 → b and P3 → c.
Table 4. Source address verification table of node R2
Source address    Legal inbound interface
P1                a
P2                b
P3                c
As another example, in the network of Figure 3, assume that H4 has address P4 and H5 address P5. Since node A receives packets from H4 on interface a3 and packets from H5 on interface a2, the SAV table of node A may be as shown in Table 5. Node C receives packets from H4 on interface c1 and packets from H5 on interface c3, so the SAV table of node C may be as shown in Table 6.
Table 5. Source address verification table of node A
Source address    Legal inbound interface
P4                a3
P5                a2
Table 6. Source address verification table of node C
Source address    Legal inbound interface
P4                c1
P5                c3
Verification against a SAV table produces neither false positives nor false negatives, because the table stores the mapping between each source address and its legal inbound interface, derived from where packets actually arrive. For example, if node C verifies received packets against Table 6, a packet with source address P4 received on interface c1 passes (no false positive), while a packet with source address P4 received on interface c2 fails (no false negative).
When a node verifies source addresses with a SAV table, the processing of a packet entering the node may be as shown in Figure 4. After receiving a packet, the node first enters the source address verification stage, which may use the SAV technique described above: it matches the packet against the SAV table to decide whether the packet is legal, i.e. whether it passes verification. A packet that fails verification is discarded. A packet that passes enters the forwarding stage, where the node matches it against the forwarding table to find the outbound interface and next hop, and then forwards it.
Optionally, if the source address of the packet under verification is not present in the SAV table, the node may regard the packet as unknown and forward it by default; in other words, a packet whose source address is absent from the SAV table is treated as having passed verification. This default admits any spoofed source address that has no entry, so the coverage of the table bounds how much spoofing it can stop.
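The behaviour described above for node C, replayed in Python as an added example that is not part of the patent: strict uRPF checked against Table 3, verification against Table 6, and the processing order of Figure 4 including the default-forward rule for unknown sources. Packets m and n are constructed from the text; the packet with source address P9 and the address P9 itself are assumptions used to exercise the unknown-source rule.

```python
# Added example (not from the patent): strict uRPF versus verification against a
# source address verification (SAV) table, replayed on node C of Figure 3.
# Addresses, interface names and table contents are those stated in the text.

from dataclasses import dataclass

# Table 3: forwarding table of node C (destination address -> outbound interface).
FIB_C = {"P4": "c2", "P5": "c3"}

# Table 6: SAV table of node C (source address -> legal inbound interface).
SAV_C = {"P4": "c1", "P5": "c3"}


@dataclass(frozen=True)
class Packet:
    src: str        # source address carried in the packet header
    dst: str        # destination address
    in_iface: str   # interface on which the node received the packet


def strict_urpf(fib: dict, pkt: Packet) -> bool:
    """Strict uRPF: accept only if the route back to the source address leaves
    on the interface the packet arrived on.  A source with no route at all is
    rejected, as in standard strict mode."""
    return fib.get(pkt.src) == pkt.in_iface


def sav_table_check(sav: dict, pkt: Packet) -> str:
    """Verification against a SAV table.  Returns 'legal', 'illegal' or
    'unknown'; an unknown source (no entry) is forwarded by default."""
    legal_iface = sav.get(pkt.src)
    if legal_iface is None:
        return "unknown"
    return "legal" if legal_iface == pkt.in_iface else "illegal"


def process(fib: dict, sav: dict, pkt: Packet, use_urpf: bool):
    """Figure 4 flow: source address verification first, then the forwarding
    lookup.  Returns the outbound interface, or None when the packet is dropped."""
    if use_urpf:
        verdict = "legal" if strict_urpf(fib, pkt) else "illegal"
    else:
        verdict = sav_table_check(sav, pkt)
    if verdict == "illegal":
        return None
    return fib.get(pkt.dst)


# Packets constructed from the text.
PKT_M = Packet(src="P4", dst="P5", in_iface="c1")   # genuine H4 -> H5 via A and B
PKT_N = Packet(src="P4", dst="P5", in_iface="c2")   # H6 spoofing P4, arrives via D
PKT_UNKNOWN = Packet(src="P9", dst="P5", in_iface="c2")  # assumed source with no entry


if __name__ == "__main__":
    for name, pkt in (("m", PKT_M), ("n", PKT_N), ("unknown", PKT_UNKNOWN)):
        print(name, "strict uRPF ->", process(FIB_C, SAV_C, pkt, use_urpf=True),
              "| SAV table ->", process(FIB_C, SAV_C, pkt, use_urpf=False))
```

With these tables strict uRPF drops m and forwards n, which are exactly the false positive and false negative described above, while the SAV table forwards m, drops n, and forwards the unknown source by default.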
It should be noted that when a node verifies source addresses with a SAV table, the node must hold both a SAV table and a forwarding table, used for source address verification and for packet forwarding respectively. In the prior art the two tables share the table space of the data plane; for example, as shown in Figure 5, the data-plane table space stores both the SAV table and the forwarding table. That table space is scarce and expensive: the larger the SAV table, the less space remains for the forwarding table. Verifying source addresses with a SAV table therefore has a considerable impact on the forwarding capacity of the node.
To prevent the SAV table from consuming forwarding-table space, one implementation configures the SAV entries in an access control list (ACL), reusing the ACL to save the space the SAV table would otherwise occupy. However, the number of ACLs is limited, and not all of them can be used for filtering (source address verification being a form of filtering), so this implementation can only hold a very small number of SAV entries.
For example, some of the ACL types defined in the prior art are introduced in Table 7.
Table 7
As Table 7 shows, an interface-based ACL can filter packets by their inbound interface, so SAV entries can be configured in an interface-based ACL. However, at most 1000 interface-based ACL entries can be configured (numbered 1000 to 1999), whereas the number of SAV entries is usually in the tens of thousands, hundreds of thousands or millions. This implementation is therefore only suitable for special scenarios with very few SAV entries.
In another possible implementation, a separate chip stores the SAV table, but the table space of that chip must then be large enough, which makes the chip expensive.
In summary, source address verification with uRPF suffers from false positives or false negatives and is therefore inaccurate, while verification with a SAV table is exact but consumes a large amount of data-plane table space; whichever way the SAV table is stored, it affects the capacity or the cost of the device.
The technical solutions of the embodiments of the present application are described below with reference to the accompanying drawings. In the description of this application, unless otherwise stated, "/" denotes an "or" relationship between the objects it joins; for example, A/B may denote A or B. "And/or" merely describes an association between objects and denotes that three relationships may exist; for example, "A and/or B" may denote: A alone, both A and B, or B alone, where A and B may be singular or plural. Unless otherwise stated, "multiple" means two or more. "At least one of the following" and similar expressions denote any combination of the listed items, including any combination of single items or plural items; for example, "at least one of a, b or c" may denote a, b, c, a-b, a-c, b-c or a-b-c, where each of a, b and c may be single or multiple.
In addition, to describe the technical solutions of the embodiments clearly, the words "first", "second" and the like are used in the embodiments to distinguish identical or similar items whose functions and effects are substantially the same. Those skilled in the art will understand that "first", "second" and the like neither limit quantity or order of execution nor require the items to be different. In the embodiments, the words "exemplary" and "for example" denote an example, instance or illustration; any embodiment or design described as "exemplary" or "for example" is not to be construed as preferred or advantageous over other embodiments or designs. Rather, these words are used to present the relevant concepts concretely for ease of understanding.
A node in the embodiments of the present application refers to a network device with a packet forwarding function; this is stated once here and not repeated below.
Figure 6 is a schematic flowchart of a source address verification method provided by an embodiment of the present application. The method may include the following steps:
Step 601: the first node obtains a source address verification table and a forwarding table. The SAV table contains mappings between the source address of at least one packet and the inbound interface of that packet; the forwarding table contains mappings between the destination address of at least one packet and the outbound interface for that packet.
In this embodiment, the SAV table contains the mapping between the source address of a packet and its correct inbound interface (also called the legal inbound interface), and thus indicates the correct inbound interface on which the first node should receive the packet. For example, in the network of Figure 1 the first node may be node R2, whose SAV table may be Table 4 above. In the network of Figure 3 the first node may be node A, whose SAV table may be Table 5 above, or node C, whose SAV table may be Table 6 above.
Optionally, the SAV table may be configured into the first node locally or remotely, generated automatically by the first node according to a protocol, or obtained by the first node in some other way; this application does not limit how it is obtained.
In this embodiment, the forwarding table may contain the mapping between the destination address of at least one packet and the outbound interface for that packet, and thus indicates the correct outbound interface on which the first node should forward the packet. For example, in Figure 1 the first node may be node R2, whose forwarding table may be Table 1 above. In Figure 3 the first node may be node A, whose forwarding table may be Table 2 above, or node C, whose forwarding table may be Table 3 above.
Optionally, the first node may obtain routing information from a routing protocol or from static configuration and generate the forwarding table from it. As one possible implementation, the first node selects the best route among all routing information as the forwarding table entry.
Optionally, for the SAV table and the forwarding table used in the method of this application, reference may also be made to the introduction of both tables above, which is not repeated here.
Step 602: the first node generates an independent verification table from the SAV table and the forwarding table. The independent verification table contains the mappings of the SAV table other than the first-class mappings, where the first-class mappings are those that are identical in the forwarding table and in the SAV table.
Optionally, if the path of packets that the first node sends to a first address and the path of packets that the first node receives from the first address are symmetric, the mappings for the first address in the SAV table and in the forwarding table obtained by the first node may be identical; otherwise they may differ.
For example, in Figure 1 the first node may be node R2 and the first address may be P1, the address of host H1. The path on which R2 sends packets to H1 and the path on which R2 receives packets from H1 are symmetric, and address P1 maps to interface a in both the forwarding table of R2 (Table 1) and the SAV table of R2 (Table 4); that is, the mappings for P1 are identical. Likewise for the first address P2 of host H2: the two paths are symmetric and P2 maps to interface b in both Table 1 and Table 4. Likewise for the first address P3 of host H3: the two paths are symmetric and P3 maps to interface c in both Table 1 and Table 4.
As another example, in Figure 3 the path on which node A receives packets from host H4 and the path on which node A sends packets to H4 are symmetric, and address P4 maps to interface a3 in both the forwarding table of node A (Table 2) and the SAV table of node A (Table 5); the mappings for P4 are identical. The path on which node C receives packets from host H5 and the path on which node C sends packets to H5 are symmetric, and P5 maps to interface c3 in both the forwarding table of node C (Table 3) and the SAV table of node C (Table 6); the mappings for P5 are identical. The path on which node A receives packets from H5 and the path on which node A sends packets to H5 are asymmetric, so the interfaces for P5 in Table 2 and Table 5 differ (a1 and a2); the mappings for P5 differ. The path on which node C receives packets from H4 and the path on which node C sends packets to H4 are asymmetric, so the interfaces for P4 in Table 3 and Table 6 differ (c2 and c1); the mappings for P4 differ.
Optionally, at least some of the forwarding paths in the network may be symmetric, so that at least some of the mappings in the forwarding table and in the SAV table obtained by the first node are identical.
Since the first-class mappings are identical in the forwarding table and in the SAV table, this embodiment can reuse the first-class mappings of the forwarding table for source address verification and still obtain correct results. Because the first node reuses them, it no longer needs to store the first-class mappings separately for verification, which saves data-plane table space.
Optionally, the mappings of the SAV table other than the first-class mappings are called second-class mappings, and the mappings of the forwarding table other than the first-class mappings are called third-class mappings.
Optionally, the SAV table and the forwarding table may each be regarded as a set; Figure 7 shows the set relationship between them. As shown in Figure 7, the two sets intersect and divide the mappings into three classes: the intersection of the SAV table and the forwarding table is the first class, the difference of the SAV table minus the forwarding table is the second class, and the difference of the forwarding table minus the SAV table is the third class. A mapping is compared as an (address, interface) pair, so one address with two different interfaces yields one second-class and one third-class mapping.
For example, for node A in Figure 3, the mapping P4 → a3 found in both Table 2 and Table 5 is first-class, the mapping P5 → a2 in Table 5 is second-class, and the mapping P5 → a1 in Table 2 is third-class. For node C, the mapping P5 → c3 found in both Table 3 and Table 6 is first-class, the mapping P4 → c1 in Table 6 is second-class, and the mapping P4 → c2 in Table 3 is third-class.
In general the vast majority of the mappings in the SAV table and the forwarding table are first-class, and only a few are second-class and/or third-class, so the table space occupied by the first-class mappings is far larger than that occupied by the second-class or third-class mappings. An independent verification table holding only the second-class mappings is therefore much smaller than a SAV table holding both the first-class and the second-class mappings.
It should be understood that since the third-class mappings do not belong to the SAV table, they are redundant and invalid for source address verification.
Optionally, in this embodiment every address that appears in a second-class mapping also appears in a third-class mapping; in other words, the addresses of the third-class mappings include the addresses of the second-class mappings.
Step 603: when a received first packet passes verification against the independent verification table and/or against the forwarding table, the first node determines that the first packet is legal.
As one possible implementation, shown in Figure 8, step 603 may specifically include the following steps:
Step 6031a: the first node verifies the first packet against the independent verification table.
Step 6032a: if the first packet passes verification against the independent verification table, the first node determines that the first packet is legal.
Optionally, if the first packet fails verification against the independent verification table, the first node may determine that the first packet is illegal.
Optionally, let the source address of the first packet be a first address and its inbound interface a first interface. The first node may determine that the first packet passes verification against the independent verification table when the first address is not present in that table, or when that table contains a mapping between the first address and the first interface; and may determine that the first packet fails when the first address is present in that table but is mapped to an interface other than the first interface.
Step 6033a: if the source address of the first packet is not present in the independent verification table, the first node verifies the first packet against the forwarding table.
Step 6034a: if the first packet passes verification against the forwarding table, the first node determines that the first packet is legal.
Step 6033a is the precondition for step 6034a, so the substance of step 6034a is: the first node determines that the first packet is legal when its source address is not present in the independent verification table but the packet passes verification against the forwarding table.
Optionally, the first node may determine that the first packet is illegal when its source address is not present in the independent verification table and the packet also fails verification against the forwarding table.
Optionally, with the first address and first interface as above, the first node may determine that the first packet passes verification against the forwarding table when the first address is not present in the forwarding table, or when the forwarding table contains a mapping between the first address and the first interface; and may determine that the first packet fails when the first address is present in the forwarding table but is mapped to an interface other than the first interface.
Optionally, in this embodiment, once the first packet is determined to be legal, the first node may forward it according to the forwarding table; once it is determined to be illegal, the first node may discard it without forwarding.
As another possible implementation, as shown in FIG. 9, step 603 may specifically include the following steps:
Step 6031b: The first node verifies the first message according to the forwarding table.
Step 6032b: When the first message passes the verification of the forwarding table, the first node determines that the first message is a legal message.
Optionally, for the condition under which the first message passes the verification of the forwarding table, refer to the description of step 6034a; details are not repeated here.
Step 6033b: When the first message fails the verification of the forwarding table, the first node verifies the first message according to the independent verification table.
Step 6034b: When the first message passes the verification of the independent verification table, the first node determines that the first message is a legal message.
It should be understood that step 6033b is a prerequisite for executing step 6034b. In substance, step 6034b therefore means that the first node may determine that the first message is a legal message when the first message fails the verification of the forwarding table but passes the verification of the independent verification table.
Optionally, the first node may determine that the first message is an illegal message when the first message fails the verification of the forwarding table and also fails the verification of the independent verification table.
Optionally, for the condition under which the first message passes the verification of the independent verification table, refer to the description of step 6032a; details are not repeated here.
Based on the solution of steps 6031a to 6034a, the first node first verifies the first message according to the independent verification table and, when the addresses of the independent verification table do not include the source address of the first message, performs a second verification according to the forwarding table. Based on the solution of steps 6031b to 6034b, the first node first verifies the first message according to the forwarding table and, when the first message fails that verification, performs a second verification according to the independent verification table. It can be seen that the rules of the independent verification table and of the forwarding table complement each other and jointly implement source address verification of the first message.
It should be understood that the union of the mapping relationships included in the independent verification table and the mapping relationships included in the forwarding table contains all the mapping relationships of the source address verification table. The solution of steps 6031a to 6034a or the solution of steps 6031b to 6034b is therefore equivalent to verifying the message with the source address verification table, and achieves the same or a similar effect to performing source address verification with the source address verification table. This method can eliminate the false positive problem produced by the uRPF technique, that is, legal messages being dropped because the forwarding table maps their source address to an interface other than the one on which they actually arrive.
Optionally, when the address prefixes of the third type of mapping relationship are all included in the second type of mapping relationship, the solution of steps 6031a to 6034a can further reduce or even avoid the false negative problem.
In addition, because the first node performs source address verification according to the independent verification table and the forwarding table, the data plane table space of the first node stores the independent verification table and the forwarding table. The independent verification table includes only the mapping relationships of the source address verification table other than the first type of mapping relationship, and those mapping relationships are a very small minority, so the table space required by the independent verification table is very small.
For example, FIG. 10 is a schematic comparison of data plane table space storing the source address verification table versus the independent verification table. As shown in FIG. 10, the table space occupied by the independent verification table is far smaller than that occupied by the source address verification table, so the forwarding table that the data plane table space can hold becomes larger.
In summary, the source address verification method provided in the embodiments of the present application achieves the same or a similar effect to source address verification with a source address verification table, while greatly reducing the table space occupied by the rules/entries used for source address verification, thereby improving node performance and reducing node cost.
In addition, because the first node reuses the forwarding table for source address verification, when a routing information update causes the forwarding table to be updated, the first type of mapping relationship used for source address verification is updated synchronously; the information update rate of the node is increased and convergence performance is improved.
Optionally, when the first node performs source address verification based on the forwarding table, the technique used by the first node may be uRPF; this is stated here once for all such cases.
As one possible implementation, the independent verification table may be configured in an ACL. It should be understood that, because the independent verification table contains few rules, the ACL space is sufficient. Reusing the ACL space saves data plane table space of the first node.
As another possible implementation, the independent verification table may be configured in the same table space as the forwarding table, for example in the forwarding chip. Because the table space required by the independent verification table in the embodiments of the present application is extremely small, it does not have much impact on the forwarding table.
As yet another possible implementation, the independent verification table may be configured in a separate table space, for example in a separate chip of the first node. Because the table space required by the independent verification table in the embodiments of the present application is extremely small, the cost of adding a separate chip to the first node is also low.
As a possible example, assume that in the source address verification table and the forwarding table of the first node, the ratio of the first, second and third types of mapping relationship is 8:1:1. Then, when the first node adopts the source address verification method provided in the present application, the data plane table space overhead of the first node is reduced by 88.9%.
If the first node adopts the solution of steps 6031a to 6034a, about 90% of the traffic is verified twice. Assume that, compared with a single verification, a flow verified twice loses 6% of forwarding performance. Then the solution as a whole loses 5.4% of forwarding performance. Trading a 5.4% performance loss for an 88.9% reduction in table space overhead is favorable for the first node. Moreover, this solution can also eliminate false positives and false negatives.
If the first node adopts the solution of steps 6031b to 6034b, 11.1% of the traffic is verified twice. Under the same assumption of a 6% forwarding performance loss per flow verified twice, the solution as a whole loses about 0.6% of forwarding performance. Trading a 0.6% performance loss for an 88.9% reduction in table space overhead is very favorable for the first node. This solution eliminates the false positive problem but retains a false negative problem (affecting 10% of total traffic). It is suitable for scenarios in which the false positive problem is the main concern.
From the above example, the solution of the present application trades a small performance loss for a large saving in table space, and can effectively reduce the data plane table space occupied by source address verification.
Optionally, in the embodiments of the present application, the processing described above for the first node (obtaining the source address verification table and the forwarding table and generating the independent verification table) is implemented on the control plane, and the resulting independent verification table and forwarding table are configured into the data plane table space. The source address verification and forwarding performed by the first node after receiving a message are performed on the data plane.
Optionally, the source address verification method in the embodiments of the present application may be performed by a communication apparatus, which may be the first node in the method embodiments above, an apparatus including the first node, or a component usable in the first node. It can be understood that, to implement the above functions, the communication apparatus includes corresponding hardware structures and/or software modules for performing each function. Those skilled in the art will readily appreciate that, in combination with the units and algorithm steps of the examples described in the embodiments disclosed herein, the present application can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the particular application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such implementation should not be considered beyond the scope of the present application.
The embodiments of the present application may divide the communication apparatus into functional modules according to the method embodiments above; for example, each functional module may correspond to one function, or two or more functions may be integrated into one processing module. The integrated module may be implemented in hardware or as a software functional module. It should be noted that the division of modules in the embodiments of the present application is schematic and is merely a division by logical function; other divisions are possible in actual implementation.
FIG. 11 is a schematic structural diagram of a communication apparatus 110, which may be the first node in the method embodiments above. The communication apparatus 110 includes a source address verification table acquisition module 1101, a forwarding table acquisition module 1102, an independent verification table generation module 1103 and a message verification module 1104.
The source address verification table acquisition module 1101 may be configured to obtain a source address verification table, which includes a mapping relationship between the source address of at least one message and the ingress interface of the message. The forwarding table acquisition module 1102 may be configured to obtain a forwarding table, which includes a mapping relationship between the destination address of at least one message and the forwarding egress interface of the message. The independent verification table generation module 1103 may be configured to generate an independent verification table from the source address verification table and the forwarding table; the independent verification table includes the mapping relationships of the source address verification table other than the first type of mapping relationship, where the first type of mapping relationship consists of the mapping relationships that are identical in the forwarding table and the source address verification table. The message verification module 1104 may be configured to determine that a received first message is a legal message when the first message passes the verification of the independent verification table and/or the verification of the forwarding table.
Optionally, the forwarding table acquisition module 1102 may be configured to obtain routing information from a routing protocol or static configuration, and then generate the forwarding table from the routing information.
Optionally, the message verification module 1104 may specifically be configured to: verify the first message according to the independent verification table; when the first message passes the verification of the independent verification table, determine that the first message is a legal message; or, when the source address of the first message does not exist in the addresses of the independent verification table, verify the first message according to the forwarding table and, when the first message passes the verification of the forwarding table, determine that the first message is a legal message.
Optionally, the message verification module 1104 may specifically be configured to: verify the first message according to the forwarding table; when the first message passes the verification of the forwarding table, determine that the first message is a legal message; or, when the first message fails the verification of the forwarding table, verify the first message according to the independent verification table and, when the first message passes the verification of the independent verification table, determine that the first message is a legal message.
Optionally, the source address of the first message is a first address and the ingress interface of the first message is a first interface. The message verification module 1104 may further be configured to: determine that the first message passes the verification of the independent verification table when the first address does not exist in the addresses of the independent verification table or the independent verification table contains a mapping relationship between the first address and the first interface; and determine that the first message fails the verification of the independent verification table when the first address exists in the addresses of the independent verification table but the interface to which the first address is mapped is not the first interface.
Optionally, the source address of the first message is a first address and the ingress interface of the first message is a first interface. The message verification module 1104 may further be configured to: determine that the first message passes the verification of the forwarding table when the first address does not exist in the addresses of the forwarding table or the forwarding table contains a mapping relationship between the first address and the first interface; and determine that the first message fails the verification of the forwarding table when the first address exists in the addresses of the forwarding table but the interface to which the first address is mapped is not the first interface.
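The two verification orders of steps 6031a to 6034a and 6031b to 6034b, together with the pass/fail conditions of the independent verification table and the forwarding table given above for the message verification module 1104, can be exercised end to end in code. The following Python program is an added example written for this page; it is not code from the patent or from its applicant. It derives an independent verification table from a constructed source address verification table and forwarding table by dropping the first type of mapping relationship, then runs both verification orders and, as a reference, the full source address verification table over a set of constructed messages. The prefixes, interface names (ge0 to ge2) and message sources are invented for the example, and longest-prefix matching is assumed for both tables.

```python
"""Two-stage source address validation (SAV) with an independent verification
table plus the forwarding table (FIB), illustrating steps 6031a-6034a and
6031b-6034b. All prefixes, interface names and messages are constructed."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Table = Dict[str, str]  # prefix -> interface name


def lookup(table: Table, addr: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match of addr in table; returns (prefix, iface) or None."""
    a = ip_address(addr)
    best = None
    for prefix, iface in table.items():
        net = ip_network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return None if best is None else (str(best[0]), best[1])


def table_check(table: Table, src: str, in_iface: str) -> str:
    """'absent' (no entry covers src), 'pass' (entry maps to in_iface) or 'fail'."""
    hit = lookup(table, src)
    if hit is None:
        return "absent"
    return "pass" if hit[1] == in_iface else "fail"


def build_independent_table(sav: Table, fib: Table) -> Table:
    """Drop first-type mappings, i.e. SAV entries whose (prefix, iface) pair is
    identical in the FIB; every other SAV entry is kept."""
    return {p: i for p, i in sav.items() if fib.get(p) != i}


def verify_independent_first(indep: Table, fib: Table, src: str, in_iface: str) -> bool:
    """Steps 6031a-6034a: independent table first; the FIB is consulted only
    when the source is absent from it. Absence from the FIB counts as a pass."""
    r = table_check(indep, src, in_iface)
    if r != "absent":
        return r == "pass"
    return table_check(fib, src, in_iface) != "fail"


def verify_fib_first(indep: Table, fib: Table, src: str, in_iface: str) -> bool:
    """Steps 6031b-6034b: FIB (uRPF-style) first; the independent table is
    consulted only on FIB failure, and then must hold a matching entry
    (editor's reading of step 6034b, see the note below the example)."""
    if table_check(fib, src, in_iface) != "fail":
        return True
    return table_check(indep, src, in_iface) == "pass"


def verify_full_sav(sav: Table, src: str, in_iface: str) -> bool:
    """Reference behaviour: the complete SAV table the two schemes replace."""
    return table_check(sav, src, in_iface) != "fail"


# Constructed tables. 192.0.2.0/24 is a first-type mapping (identical in both
# tables); 198.51.100.0/24 is a second-type one (the FIB routes it via ge2 but
# it legitimately arrives on ge1, i.e. asymmetric routing); 203.0.113.0/24 is a
# third-type one (present in the SAV table, absent from the FIB).
SAV_TABLE: Table = {"192.0.2.0/24": "ge0", "198.51.100.0/24": "ge1", "203.0.113.0/24": "ge1"}
FIB: Table = {"192.0.2.0/24": "ge0", "198.51.100.0/24": "ge2"}
INDEPENDENT: Table = build_independent_table(SAV_TABLE, FIB)

MESSAGES: List[Tuple[str, str]] = [  # (source address, ingress interface)
    ("192.0.2.10", "ge0"),    # first-type prefix, expected interface
    ("192.0.2.10", "ge1"),    # first-type prefix, spoofed from the wrong interface
    ("198.51.100.7", "ge1"),  # legal asymmetric traffic; strict uRPF alone would drop it
    ("198.51.100.7", "ge2"),  # spoof arriving on the interface the FIB points to
    ("203.0.113.9", "ge1"),   # third-type prefix, expected interface
    ("203.0.113.9", "ge2"),   # third-type prefix, wrong interface
    ("172.16.0.1", "ge0"),    # source in neither table
]


def run_all() -> List[Tuple[str, str, bool, bool, bool]]:
    """Per message: (src, iface, scheme A verdict, scheme B verdict, full SAV verdict)."""
    return [
        (src, iface,
         verify_independent_first(INDEPENDENT, FIB, src, iface),
         verify_fib_first(INDEPENDENT, FIB, src, iface),
         verify_full_sav(SAV_TABLE, src, iface))
        for src, iface in MESSAGES
    ]


if __name__ == "__main__":
    print("independent verification table:", INDEPENDENT)
    print(f"{'source':<14}{'in':<5}{'A(6031a)':<10}{'B(6031b)':<10}SAV table")
    for src, iface, a, b, ref in run_all():
        print(f"{src:<14}{iface:<5}{str(a):<10}{str(b):<10}{ref}")
```

Running the program shows the independent-table-first order (scheme A) agreeing with the full source address verification table on every constructed message, while the forwarding-table-first order (scheme B) accepts the two spoofed messages under the second- and third-type prefixes (rows 4 and 6); these are the false negatives the 8:1:1 example attributes to the solution of steps 6031b to 6034b, and row 3 is the asymmetric-routing case that strict uRPF alone would wrongly drop. One reading choice is deliberate: in scheme B the second-stage check requires a matching entry in the independent verification table. If absence were also counted as a pass at that stage, as the pass condition of step 6032a literally allows, every message from a first-type prefix arriving on the wrong interface would be accepted after failing the forwarding table check, which cannot be reconciled with the stated equivalence to the source address verification table.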
It can be understood that the functional modules of the communication apparatus may be divided according to actual circumstances: the functions of the source address verification table acquisition module 1101 and the forwarding table acquisition module 1102 may be implemented by one transceiver module, and the functions of the independent verification table generation module 1103 and the message verification module 1104 may be implemented by one processing module. The structure of the communication apparatus may then be as shown in FIG. 12, where the communication apparatus 120 includes a transceiver module 1201 and a processing module 1202.
It should be noted that all relevant content of each step in the method embodiments above may be cited in the functional description of the corresponding functional module and is not repeated here. Because the communication apparatus 110 or the communication apparatus 120 provided in this embodiment can perform the source address verification method above, the technical effects it can obtain are those of the method embodiments above and are not repeated here.
In this embodiment, the communication apparatus 110 or the communication apparatus 120 is presented with its functional modules divided in an integrated manner. A "module" here may refer to a specific ASIC, a circuit, a processor and memory executing one or more software or firmware programs, an integrated logic circuit, and/or another device that can provide the functions described above. In a simple embodiment, those skilled in the art may conceive that the communication apparatus 110 or the communication apparatus 120 may take the form of the communication apparatus 130 shown in FIG. 13.
FIG. 13 is a schematic structural diagram of a communication apparatus provided in an embodiment of the present application. As shown in FIG. 13, the communication apparatus 130 includes one or more processors 1301, a communication line 1302, and at least one communication interface (FIG. 13 is merely illustrative in showing one communication interface 1303 and one processor 1301). Optionally, a memory 1304 may also be included.
The processor 1301 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling execution of the program of the solution of the present application.
The communication line 1302 may include a path for communication between different components.
The communication interface 1303 may be a transceiver module for communicating with other devices or communication networks, such as Ethernet, RAN or a wireless local area network (WLAN). For example, the transceiver module may be a transceiver or a transceiver-like apparatus. Optionally, the communication interface 1303 may also be a transceiver circuit located inside the processor 1301 that implements the signal input and signal output of the processor.
The memory 1304 may be a device having a storage function. For example, it may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and the like), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, without being limited thereto. The memory may exist independently and be connected to the processor through the communication line 1302, or the memory may be integrated with the processor.
The memory 1304 is configured to store computer-executable instructions for performing the solution of the present application, and the processor 1301 controls their execution. The processor 1301 executes the computer-executable instructions stored in the memory 1304 to implement the source address verification method provided in the embodiments of the present application.
Alternatively and optionally, in the embodiments of the present application, the processor 1301 may perform the processing-related functions of the source address verification method provided in the embodiments above, while the communication interface 1303 is responsible for communicating with other devices or communication networks; this is not specifically limited in the embodiments of the present application.
Optionally, the computer-executable instructions in the embodiments of the present application may also be referred to as application program code; this is not specifically limited in the embodiments of the present application.
In a specific implementation, as an embodiment, the processor 1301 may include one or more CPUs, for example CPU0 and CPU1 in FIG. 13.
In a specific implementation, as an embodiment, the communication apparatus 130 may include multiple processors, for example the processor 1301 and the processor 1307 in FIG. 13. Each of these processors may be a single-core processor or a multi-core processor. A processor here may include, without limitation, at least one of: a central processing unit (CPU), a microprocessor, a digital signal processor (DSP), a microcontroller unit (MCU), an artificial intelligence processor, or another computing device that runs software, each of which may include one or more cores for executing software instructions to perform computation or processing.
In a specific implementation, as an embodiment, the communication apparatus 130 may further include an output device 1305 and an input device 1306. The output device 1305 communicates with the processor 1301 and may display information in various ways; for example, the output device 1305 may be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device, or a projector. The input device 1306 communicates with the processor 1301 and may receive user input in various ways; for example, the input device 1306 may be a mouse, a keyboard, a touch screen device, or a sensing device.
The communication apparatus 130 described above may sometimes also be referred to as a communication device, and may be a general-purpose device or a dedicated device. For example, the communication apparatus 130 may be a network device such as a router, a switch or a gateway, a terminal device, a controller in a network, or a device having a structure similar to that in FIG. 13. The embodiments of the present application do not limit the type of the communication apparatus 130.
图13所示的通信装置130中的处理器1301可以通过调用存储器1304中存储的计算机执行指令,使得通信装置130执行上述方法实施例中的源地址验证方法。The processor 1301 in the communication device 130 shown in FIG. 13 can call the computer-executable instructions stored in the memory 1304 to enable the communication device 130 to execute the source address verification method in the above method embodiment.
由于本实施例提供的通信装置130可执行上述源地址验证方法,因此其所能获得的技术效果可参考上述方法实施例,在此不再赘述。Since the communication device 130 provided in this embodiment can execute the above-mentioned source address verification method, the technical effects that can be obtained can refer to the above-mentioned method embodiment and will not be repeated here.
应理解,在本申请的各种实施例中,上述各过程的序号的大小并不意味着执行顺序的先后,各过程的执行顺序应以其功能和内在逻辑确定,而不应对本申请实施例的实施过程构成任何限定。It should be understood that in the various embodiments of the present application, the size of the serial numbers of the above-mentioned processes does not mean the order of execution. The execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present application.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the specific application and the design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each specific application, but such an implementation should not be considered to be beyond the scope of this application.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may refer to the corresponding processes in the foregoing method embodiments, which are not repeated here.
In the several embodiments provided in the present application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division of units is only a division by logical function, and other divisions are possible in actual implementation, such as combining multiple units or components, integrating them into another system, or omitting or not executing some features. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, each unit may exist physically alone, or two or more units may be integrated into one unit.
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented by a software program, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wired means (for example, coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless means (for example, infrared, radio or microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, hard disk or magnetic tape), an optical medium (for example, a digital versatile disc (DVD)), or a semiconductor medium (for example, a solid state disk (SSD)).
As used in this application, the terms "component", "module", "system" and the like are intended to refer to a computer-related entity, which may be hardware, firmware, a combination of hardware and software, software, or software in execution. For example, a component may be, but is not limited to, a process running on a processor, a processor, an object, an executable file, a thread of execution, a program and/or a computer. By way of illustration, both an application running on a computing device and the computing device itself may be components. One or more components may reside within a process and/or thread of execution, and a component may be located on one computer and/or distributed between two or more computers. In addition, these components can execute from various computer-readable media having various data structures stored thereon. The components may communicate by way of local and/or remote processes, such as in accordance with a signal having one or more data packets (for example, data from one component interacting with another component in a local system, in a distributed system, and/or across a network such as the Internet with other systems by way of the signal).
The present application presents various aspects, embodiments or features around a system that may include multiple devices, components, modules and the like. It should be understood and appreciated that each system may include additional devices, components, modules and the like, and/or may not include all of the devices, components, modules and the like discussed in conjunction with the figures. Combinations of these solutions may also be used.
In addition, in the embodiments of the present application, the word "exemplary" is used to mean serving as an example, instance or illustration. Any embodiment or design described as "exemplary" in the present application should not be construed as preferred or advantageous over other embodiments or designs. Rather, the word "exemplary" is intended to present concepts in a concrete fashion.
In the embodiments of the present application, the terms information, signal, message and channel may sometimes be used interchangeably; it should be noted that, when their distinction is not emphasized, their intended meanings are the same. Likewise, "of", "corresponding (relevant)" and "corresponding" may sometimes be used interchangeably, and when their distinction is not emphasized their intended meanings are the same. "System" and "network" may sometimes be used interchangeably, and when their distinction is not emphasized their intended meanings are the same; for example, "communication network" also refers to "communication system".
The network architectures and service scenarios described in the embodiments of the present application are intended to illustrate the technical solutions of the embodiments more clearly and do not constitute a limitation on them. A person of ordinary skill in the art can appreciate that, as network architectures evolve and new service scenarios emerge, the technical solutions provided in the embodiments of the present application are equally applicable to similar technical problems.
The above are only specific implementations of the present application, but the protection scope of the present application is not limited thereto. Any changes or substitutions that a person skilled in the art could readily conceive within the technical scope disclosed in the present application shall fall within the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (8)

  1. A source address verification method, characterized in that the method comprises:
    obtaining a source address verification table and a forwarding table, where the source address verification table includes a mapping relationship between a source address of at least one packet and an inbound interface of the packet, and the forwarding table includes a mapping relationship between a destination address of at least one packet and an outbound (forwarding) interface of the packet;
    generating an independent verification table according to the source address verification table and the forwarding table, where the independent verification table includes the mapping relationships in the source address verification table other than first-type mapping relationships, and where a first-type mapping relationship is a mapping relationship that is the same in the forwarding table and in the source address verification table;
    when a received first packet passes verification against the independent verification table and/or verification against the forwarding table, determining that the first packet is a legitimate packet.
  2. The method according to claim 1, characterized in that determining that the first packet is a legitimate packet when the received first packet passes verification against the independent verification table and/or verification against the forwarding table comprises:
    verifying the first packet against the independent verification table;
    when the first packet passes verification against the independent verification table, determining that the first packet is a legitimate packet;
    or, when the source address of the first packet is not present among the addresses in the independent verification table, verifying the first packet against the forwarding table;
    when the first packet passes verification against the forwarding table, determining that the first packet is a legitimate packet.
  3. The method according to claim 1 or 2, characterized in that determining that the first packet is a legitimate packet when the received first packet passes verification against the independent verification table and/or verification against the forwarding table comprises:
    verifying the first packet against the forwarding table;
    when the first packet passes verification against the forwarding table, determining that the first packet is a legitimate packet;
    or, when the first packet fails verification against the forwarding table, verifying the first packet against the independent verification table;
    when the first packet passes verification against the independent verification table, determining that the first packet is a legitimate packet.
  4. The method according to any one of claims 1 to 3, characterized in that the source address of the first packet is a first address and the inbound interface of the first packet is a first interface; the method further comprises:
    when the first address is not present among the addresses in the independent verification table, or the independent verification table contains a mapping relationship between the first address and the first interface, determining that the first packet passes verification against the independent verification table;
    when the first address is present among the addresses in the independent verification table but the interface to which the first address is mapped is not the first interface, determining that the first packet fails verification against the independent verification table.
  5. The method according to any one of claims 1 to 4, characterized in that the source address of the first packet is a first address and the inbound interface of the first packet is a first interface; the method further comprises:
    when the first address is not present among the addresses in the forwarding table, or the forwarding table contains a mapping relationship between the first address and the first interface, determining that the first packet passes verification against the forwarding table;
    when the first address is present among the addresses in the forwarding table but the interface to which the first address is mapped is not the first interface, determining that the first packet fails verification against the forwarding table.
  6. The method according to any one of claims 1 to 5, characterized in that the independent verification table is configured in an access control list (ACL), or the independent verification table and the forwarding table are configured in the same table space, or the independent verification table is configured in a separate table space.
  7. A communication apparatus, characterized in that the communication apparatus comprises a processor and a memory;
    the memory is configured to store computer-executable instructions, and when the processor executes the computer-executable instructions, the communication apparatus performs the method according to any one of claims 1 to 6.
  8. A computer-readable storage medium, characterized in that a computer program is stored thereon, and when the computer program is executed by a computer, the computer is caused to perform the method according to any one of claims 1 to 6.
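As an added example (not code from the patent or its applicant), the following Python models the tables and checks of claims 1, 2, 4 and 5: it builds the independent verification table from a constructed source address verification table (SAVT) and forwarding table (FIB), then applies the claim-2 order of checks to a few constructed packets. Prefix keys are matched exactly rather than by longest-prefix lookup, and all addresses, interface names and function names are assumptions.

```python
# Added example, not code from the patent: a minimal model of the source
# address validation in claims 1, 2, 4 and 5. Tables, addresses and
# interface names are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str       # source address (prefix key) of the received packet
    in_iface: str  # interface the packet arrived on


def build_independent_table(savt: dict, fib: dict) -> dict:
    """Claim 1: the independent verification table is the SAVT minus the
    'first-type' entries, i.e. those whose address and interface are the
    same in both the SAVT and the FIB. Only the entries the FIB cannot
    already vouch for (typically asymmetric routes) need a separate table."""
    return {addr: iface for addr, iface in savt.items()
            if fib.get(addr) != iface}


def table_passes(table: dict, address: str, in_iface: str) -> bool:
    """Claims 4 and 5: a packet passes a table when its source address is
    absent from the table, or present and mapped to the ingress interface.
    Note the 'absent means pass' rule: addresses in neither table are
    accepted, so coverage of the tables bounds what this check can catch."""
    expected = table.get(address)
    return expected is None or expected == in_iface


def is_legal(independent: dict, fib: dict, pkt: Packet) -> bool:
    """Claim 2 order of checks: consult the independent table first; only
    when the source address is not listed there fall back to the FIB
    (a strict-uRPF-style comparison of source address against ingress)."""
    if pkt.src in independent:
        return table_passes(independent, pkt.src, pkt.in_iface)
    return table_passes(fib, pkt.src, pkt.in_iface)


# Constructed sample tables. FIB: destination prefix -> egress interface.
# SAVT: source prefix -> expected ingress interface.
FIB = {"10.1.0.0/16": "ge0/1", "10.2.0.0/16": "ge0/2", "10.3.0.0/16": "ge0/3"}
SAVT = {"10.1.0.0/16": "ge0/1",   # same as FIB: first-type, dropped
        "10.2.0.0/16": "ge0/2",   # same as FIB: first-type, dropped
        "10.3.0.0/16": "ge0/4"}   # differs from FIB: asymmetric, kept
INDEPENDENT = build_independent_table(SAVT, FIB)


def verdicts() -> dict:
    """Run the claim-2 check over constructed packets; returns name -> legal."""
    samples = {
        "sym_ok":     Packet("10.1.0.0/16", "ge0/1"),   # passes via FIB
        "sym_spoof":  Packet("10.1.0.0/16", "ge0/3"),   # wrong ingress, FIB fails
        "asym_ok":    Packet("10.3.0.0/16", "ge0/4"),   # independent table match
        "asym_spoof": Packet("10.3.0.0/16", "ge0/3"),   # FIB iface, but SAVT says ge0/4
        "unknown":    Packet("192.0.2.0/24", "ge0/9"),  # in neither table: accepted
    }
    return {name: is_legal(INDEPENDENT, FIB, p) for name, p in samples.items()}


if __name__ == "__main__":
    print("independent table:", INDEPENDENT)
    for name, ok in verdicts().items():
        print(f"{name:11s} -> {'legal' if ok else 'dropped'}")
```

The independent table ends up holding only the one asymmetric entry, which is the space saving the claims aim for; the "unknown" case shows the accept-by-default behaviour of claims 4 and 5 that a deployment must account for.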
PCT/CN2023/136556 2023-02-10 2023-12-05 Source address validation method, and communication apparatus and system WO2024164678A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202310152020.X 2023-02-10
CN202310152020.XA CN118487785A (en) 2023-02-10 2023-02-10 Source address verification method, communication device and system

Publications (1)

Publication Number Publication Date
WO2024164678A1 true WO2024164678A1 (en) 2024-08-15

Family

ID=92192613

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/136556 WO2024164678A1 (en) 2023-02-10 2023-12-05 Source address validation method, and communication apparatus and system

Country Status (2)

Country Link
CN (1) CN118487785A (en)
WO (1) WO2024164678A1 (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101917434A (en) * 2010-08-18 2010-12-15 清华大学 Method for verifying intra-domain Internet protocol (IP) source address
CN101945117A (en) * 2010-09-28 2011-01-12 杭州华三通信技术有限公司 Method and equipment for preventing source address spoofing attack
CN111200611A (en) * 2020-01-06 2020-05-26 清华大学 Method and device for verifying intra-domain source address based on boundary interface equivalence class
WO2021043181A1 (en) * 2019-09-02 2021-03-11 华为技术有限公司 Data transmission method and device
CN112929269A (en) * 2021-03-09 2021-06-08 清华大学 Distributed generation method and device for source address verification table between internet domains
WO2021238746A1 (en) * 2020-05-25 2021-12-02 华为技术有限公司 Network system and packet transmission method therein, and related apparatus

Also Published As

Publication number Publication date
CN118487785A (en) 2024-08-13

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23920867

Country of ref document: EP

Kind code of ref document: A1