Methods, apparatus, electronic devices, and storage media for implementing IPSG based on RAM and TCAM.

By storing a large number of binding entries in RAM and storing protocol messages in TCAM, the problem of IPSG specifications being limited by TCAM resources is solved, achieving cost optimization and network attack defense.

CN116471094B · Active · Publication Date: 2026-06-30 · SUZHOU CENTEC COMM CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
SUZHOU CENTEC COMM CO LTD
Filing Date
2023-04-24
Publication Date
2026-06-30

AI Technical Summary

Technical Problem

The IPSG specification is limited by TCAM resources, resulting in high costs and limited chip resources.

Method used

By combining RAM and TCAM, the IPSG function is achieved by using RAM to store a large number of binding entries and TCAM to store a small number of protocol messages.

Benefits of technology

Effectively saves costs, optimizes IPSG specifications, and avoids cyberattacks.

✦ Generated by Eureka AI based on patent content.


Abstract

This invention discloses a method, apparatus, electronic device, and storage medium for implementing IPSG based on RAM and TCAM. The method includes receiving and parsing packets to obtain matching information; determining whether the port receiving the packet has IPSG enabled; if IPSG is enabled, searching the RAM and TCAM using the matching information; further determining whether a corresponding binding entry is found in both RAM and TCAM; and discarding the packet if no corresponding binding entry is found in either RAM or TCAM. This invention solves the problem of IPSG specifications being limited by TCAM resources.

Description

Technical Field

[0001] This invention relates to the field of network communication technology, and in particular to a method for implementing IPSG based on RAM and TCAM, as well as an apparatus, electronic device and storage medium for implementing the method.

Background Technology

[0002] As networks grow larger, attacks based on source IP addresses are also increasing. Some attackers use spoofing to gain access to network resources and obtain legitimate access rights, so that victims are unable to access the network or have their information leaked.

[0003] Currently, IPSG (IP Source Guard) technology is used to prevent source IP-based network attacks. IPSG provides a defense mechanism against source IP-based attacks, effectively preventing network attacks based on source address spoofing. In practice, IPSG performs a matching check on IP packets against binding tables (DHCP dynamic binding tables and static binding tables). When a device forwards an IP packet, it compares the source IP, source MAC (Media Access Control), interface, and VLAN (Virtual Local Area Network) information in the IP packet with the information in the binding table. If the information matches, the sender is a legitimate user and the packet is forwarded normally; otherwise, it is treated as an attack packet and discarded. As shown in Figure 1, the DHCP server automatically provides IP addresses and other related information such as subnet masks and default gateways. Originally, the server's reply would reach the client with IP address B through port 2. However, the attacker forged a message carrying the legitimate user's IP address B and tampered with the outgoing-interface information of the MAC table on the switch, changing port 2 to port 1, so that the server's reply is delivered to the attacker instead.

[0004] To prevent such attacks, the IPSG function can be configured on the switch to perform a binding table check on incoming IP packets. If the information in a legitimate user's packet matches the binding table, it is allowed to pass; if the attacker's forged packet does not match the binding table, the switch discards the packet. Currently, when a switch learns a dynamic entry or downloads a static binding table, it adds the corresponding entry to the chip's TCAM resource. TCAM (ternary content-addressable memory) allows fast, large-scale parallel searches and supports masking. However, TCAM is expensive and chip resources are limited, which significantly restricts the IPSG specification (the number of bindings a device can enforce).

[0005] The information disclosed in this background section is intended only to enhance the understanding of the overall background of the invention and should not be construed as an admission or in any way implying that the information constitutes prior art known to those skilled in the art.

Summary of the Invention

[0006] The purpose of this invention is to provide a method for implementing IPSG based on RAM and TCAM, which can solve the problem that IPSG specifications are limited by TCAM resources.

[0007] Another objective of this invention is to provide an apparatus for implementing IPSG based on RAM and TCAM, which can solve the problem that IPSG specifications are limited by TCAM resources.

[0008] Another objective of this invention is to provide an electronic device that can solve the problem of IPSG specifications being limited by TCAM resources.

[0009] Another objective of this invention is to provide a computer-readable storage medium that can solve the problem of IPSG specifications being limited by TCAM resources.

[0010] To achieve the above objectives, embodiments of the present invention provide a method for implementing IPSG based on RAM and TCAM, the method comprising:

[0011] Receive and parse messages to obtain matching information;

[0012] Determine whether the port receiving the message has IPSG enabled;

[0013] In response to the port having the IPSG function enabled, the matching information is used to search the RAM and the TCAM respectively;

[0014] Determine whether the corresponding binding entry is not found in either RAM or TCAM;

[0015] The message is discarded in response to the absence of a corresponding binding entry in either RAM or TCAM.

[0016] In one or more embodiments of the present invention, the method further includes:

[0017] In response to finding the corresponding binding entry in RAM, further search the forwarding table;

[0018] Determine whether the result of searching the forwarding table is "found";

[0019] If the forwarding table lookup result is "found", the message is forwarded according to the lookup result; otherwise, if the forwarding table lookup result is "not found", the message is discarded.

[0020] In one or more embodiments of the present invention, the method further includes:

[0021] In response to finding the corresponding binding entry in TCAM, the message is sent to the CPU for processing.

[0022] In one or more embodiments of the present invention, the matching information includes at least one of the following: source IP address, source MAC address, and VLAN.

[0023] In one or more embodiments of the present invention, the step of using the matching information to search the RAM and the TCAM respectively includes:

[0024] The matching information is used to first search the RAM, and then search the TCAM.

[0025] In one or more embodiments of the present invention, the RAM is configured with RAM binding entries that match data packets, and the TCAM is configured with TCAM binding entries that match protocol packets.

[0026] In one or more embodiments of the present invention, the entry type of a RAM binding entry or a TCAM binding entry includes the port number combined with at least one of source IP address, source MAC address and VLAN.

[0027] Embodiments of the present invention provide an apparatus for implementing IPSG based on RAM and TCAM, the apparatus comprising:

[0028] The receiving module is used to receive and parse messages to obtain matching information;

[0029] The first judgment module is used to determine whether the port receiving the message has enabled the IPSG function;

[0030] The lookup module is used to look up RAM and TCAM respectively using the matching information when the IPSG function is enabled on the port;

[0031] The second judgment module is used to determine whether the corresponding binding entry is not found in either RAM or TCAM;

[0032] The message processing module is used to discard messages when no corresponding binding entry is found in either RAM or TCAM.

[0033] An embodiment of the present invention provides an electronic device, the electronic device comprising:

[0034] At least one processor; and

[0035] At least one memory coupled to the at least one processor and storing a computer program for execution by the at least one processor, which, when executed by the at least one processor, causes the electronic device to perform the method described above.

[0036] An embodiment of the present invention provides a computer-readable storage medium having a computer program stored thereon, which, when executed by a machine, implements the method described above.

[0037] Compared with existing technologies, this invention saves costs by combining RAM and TCAM: the large number of binding entries is placed in the resource-rich RAM, while only the small number of binding entries for protocol messages is placed in the TCAM. This achieves an overall optimization scheme for IPSG and effectively solves the problem of the IPSG specification being limited by TCAM resources.

Attached Figure Description

[0038] Figure 1 is a diagram illustrating a network attack based on the source IP address.

[0039] Figure 2 is a flowchart of a method for implementing IPSG based on RAM and TCAM according to an embodiment of the present invention.

[0040] Figure 3 is a flowchart of a RAM-based message processing method according to an embodiment of the present invention.

[0041] Figure 4 is a flowchart of a TCAM-based message processing method according to an embodiment of the present invention.

[0042] Figure 5 is a schematic diagram of binding entries in RAM and TCAM according to an embodiment of the present invention.

[0043] Figure 6 is a block diagram of an apparatus for implementing IPSG based on RAM and TCAM according to an embodiment of the present invention.

Detailed Implementation

[0044] The specific embodiments of the present invention will now be described in detail with reference to the accompanying drawings, but it should be understood that the scope of protection of the present invention is not limited to the specific embodiments.

[0045] Unless otherwise expressly stated, throughout the specification and claims, the term "comprising" or its variations such as "including" or "comprises" shall be understood to include the stated elements or components without excluding other elements or other components.

[0046] As shown in Figure 2, a method for implementing IPSG based on RAM and TCAM according to a preferred embodiment of the present invention can solve the problem that IPSG specifications are limited by TCAM resources. Specifically, the method includes the following steps:

[0047] S100: Receive and parse the message to obtain matching information;

[0048] Specifically, after receiving a packet, the packet processing chip in a network communication device (such as a switch) parses the packet to obtain the information it carries. In this embodiment, the packet processing chip parses the received packet to obtain matching information for the subsequent matching of the RAM binding table and the TCAM binding table. This matching information includes at least one of the following: source IP address, source MAC address, and VLAN; that is, it may be any one of these fields or any combination of them.

[0049] S200, determine whether the port receiving the message has enabled the IPSG function;

[0050] S300, in response to the port having the IPSG function enabled, use the matching information to look up the RAM and the TCAM respectively;

[0051] Specifically, after obtaining matching information from the message, it is further determined whether the port receiving the message has IPSG enabled. In practice, to avoid network attacks based on the source IP, it is necessary to enable IPSG on the port receiving the message. Therefore, it is possible to determine or check whether the port receiving the message has IPSG enabled through the corresponding configuration file or command.

[0052] Once it is determined that the port receiving the packet has IPSG enabled, the matching information is further used to search the RAM and the TCAM separately against the RAM binding table and the TCAM binding table. The RAM binding table is stored in RAM, and its entry type includes the port number combined with at least one of source IP address, source MAC address and VLAN. As shown in Figure 5, the entry type can be a combination of port number and source IP address, a combination of port number and source MAC address, a combination of port number, source IP address and source MAC address, and so on. Once the RAM binding table type is determined, the packet processing chip stores all learned dynamic entries and configured static entries according to that type for lookup using the matching information. Similarly, the TCAM binding table is stored in the TCAM, and its entry type likewise includes the port number combined with at least one of source IP address, source MAC address and VLAN; as shown in Figure 5, the entry type can be a combination of port number and source IP address, a combination of port number and source MAC address, a combination of port number, source IP address and source MAC address, and so on. Once the TCAM binding table type is determined, the packet processing chip stores the corresponding entries in the TCAM according to that type for lookup using the matching information.

[0053] In this embodiment, the RAM binding table configured in RAM targets data packets. Data packets forwarded by network communication devices have no obvious distinguishing characteristics, but they belong to many different flows and therefore occupy a large number of binding table entries. For this reason RAM resources are used to hold them: RAM is configured with a large number of RAM binding entries to ensure the forwarding of trusted data traffic.

[0054] The TCAM binding table configured in the TCAM targets protocol messages. These messages are few in number, have clear identifiers, and are usually sent to the CPU for processing, so it is undesirable for IPSG to discard them. For example, in the IPv6 version of the Figure 1 scenario, the DHCP server and clients interact using the DHCPv6 protocol to allocate IP addresses, and the packets of this interaction must not be discarded by IPSG. These packets are characterized by source addresses starting with fe80::, which can easily be matched with a mask. Therefore TCAM resources are used for them: the TCAM is configured with a small number of TCAM binding entries that match specific protocol packets, ensuring normal protocol interaction.

[0055] As shown above, when dealing with a large number of binding table entries for IP addresses from various network segments, RAM can be used to configure the corresponding RAM binding table, offering a more cost-effective option than TCAM. For more flexible scenarios, such as when certain bits are not critical, TCAM can be used to configure the corresponding TCAM binding table. For example, with entries of the port number and source IP address type, if the goal is to add all IP addresses of the A.B.C.0/24 network segment to the binding table, RAM would require entries A.B.C.1, A.B.C.2, A.B.C.3, ..., A.B.C.255, while TCAM only needs a single entry A.B.C.0 with a /24 mask. This demonstrates TCAM's higher flexibility. Of course, protocol messages can also be handled using RAM, but for those that can easily be matched with masks, the more flexible TCAM is preferred.

[0056] S400, determine whether the corresponding binding entry is not found in either RAM or TCAM;

[0057] S500, in response to the absence of a corresponding binding entry in either RAM or TCAM, discards the message.

[0058] Specifically, after searching the RAM and the TCAM using the matching information, the processing of the packet is determined from the search results. That is, it is determined whether a RAM binding entry is found in the RAM and whether a TCAM binding entry is found in the TCAM. If no RAM binding entry is found in the RAM and no TCAM binding entry is found in the TCAM, the packet is discarded. This discards untrusted packets and thereby prevents network attacks.

[0059] In this embodiment, during incoming message processing, the message processing chip uses the matching information to search the RAM first, then the TCAM, and determines the final handling of the message from the two search results. In the specific implementation, the message is discarded only if both searches fail to find a matching entry. Of course, in other embodiments, the matching information can also be used to search the TCAM first and then the RAM, with the final handling again determined from the search results.

[0060] Furthermore, as shown in Figure 3, during the RAM lookup, after the corresponding RAM binding entry is found in RAM, the forwarding table is searched next. If a matching result is found in the forwarding table, the packet is forwarded accordingly, for example through the corresponding output port. If no matching result is found in the forwarding table, the packet is discarded.

[0061] Furthermore, as shown in Figure 4, during the TCAM lookup, if the corresponding TCAM binding entry is found in the TCAM, the message is sent to the CPU for processing.
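The lookup sequence of steps S100 to S500, the Figure 3 forwarding-table step, the Figure 4 CPU punt and the /24 entry-count comparison of paragraph [0055], modelled in Python as an added example; this is not code from the patent or from the assignee's chip. The 802.1Q frame layout, the port numbers, the MAC and IP addresses and the use of fe80::/10 as the TCAM protocol entry are constructed assumptions. The RAM binding table is modelled as an exact-match set and the TCAM as a list of masked (prefix) entries, which is the distinction the text draws between the two memories.

```python
"""Software model of RAM + TCAM IP Source Guard (added example, not the patent's code).
All table contents, ports, addresses and frames below are constructed sample values."""
import ipaddress
import struct
from dataclasses import dataclass

ETH_P_8021Q, ETH_P_IP, ETH_P_IPV6 = 0x8100, 0x0800, 0x86DD


@dataclass(frozen=True)
class Packet:
    """Matching information (S100) plus the destination used by the forwarding table."""
    in_port: int
    src_ip: str
    src_mac: str
    vlan: int
    dst_ip: str


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_frame(src_mac: str, vlan: int, src_ip: str, dst_ip: str) -> bytes:
    """Build a minimal 802.1Q-tagged IPv4 or IPv6 frame (constructed test input)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version == 4:   # 20-byte IPv4 header, version/IHL 0x45, UDP as next protocol
        ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0, src.packed, dst.packed)
        ethertype = ETH_P_IP
    else:                  # 40-byte IPv6 header, version 6
        ip_hdr = struct.pack("!IHBB16s16s", 0x60000000, 0, 17, 64, src.packed, dst.packed)
        ethertype = ETH_P_IPV6
    eth = _mac("ff:ff:ff:ff:ff:ff") + _mac(src_mac) + struct.pack("!HHH", ETH_P_8021Q, vlan & 0x0FFF, ethertype)
    return eth + ip_hdr


def parse_frame(in_port: int, frame: bytes) -> Packet:
    """S100: receive and parse, extracting source IP, source MAC and VLAN."""
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != ETH_P_8021Q:
        raise ValueError("untagged frame: no VLAN field to match")
    ip = frame[18:]
    if ethertype == ETH_P_IP:
        src, dst = ip[12:16], ip[16:20]
    elif ethertype == ETH_P_IPV6:
        src, dst = ip[8:24], ip[24:40]
    else:
        raise ValueError("not an IP packet")
    return Packet(in_port, str(ipaddress.ip_address(src)), src_mac, tci & 0x0FFF, str(ipaddress.ip_address(dst)))


class IpsgPipeline:
    def __init__(self, ipsg_ports):
        self.ipsg_ports = set(ipsg_ports)   # ports with IPSG enabled (S200)
        self.ram = set()    # RAM binding table: exact (port, src_ip, src_mac, vlan) tuples
        self.tcam = []      # TCAM binding table: (port, network) masked entries, first hit wins
        self.fib = {}       # forwarding table: dst_ip -> output port (Figure 3)

    def add_ram_binding(self, port, src_ip, src_mac, vlan):
        self.ram.add((port, str(ipaddress.ip_address(src_ip)), src_mac.lower(), vlan))

    def add_tcam_binding(self, port, prefix):
        self.tcam.append((port, ipaddress.ip_network(prefix)))

    def lookup_ram(self, pkt: Packet) -> bool:
        return (pkt.in_port, pkt.src_ip, pkt.src_mac, pkt.vlan) in self.ram

    def lookup_tcam(self, pkt: Packet) -> bool:
        addr = ipaddress.ip_address(pkt.src_ip)   # an IPv4 address never falls in an IPv6 prefix
        return any(port == pkt.in_port and addr in net for port, net in self.tcam)

    def process(self, in_port: int, frame: bytes) -> str:
        pkt = parse_frame(in_port, frame)          # S100
        if in_port not in self.ipsg_ports:         # S200: no IPSG on this port, no binding check
            return self.forward(pkt)
        if self.lookup_ram(pkt):                   # S300: RAM first ([0059]), hit -> Figure 3
            return self.forward(pkt)
        if self.lookup_tcam(pkt):                  # then TCAM, hit -> Figure 4 (punt to CPU)
            return "cpu"
        return "drop"                              # S400/S500: neither table matched

    def forward(self, pkt: Packet) -> str:
        out = self.fib.get(pkt.dst_ip)
        return f"forward:{out}" if out is not None else "drop"


def ram_entries_for_prefix(port: int, prefix: str) -> list:
    """[0055]: RAM needs one exact entry per address of the prefix; TCAM needs one masked entry."""
    return [(port, str(a)) for a in ipaddress.ip_network(prefix)]


def demo() -> dict:
    p = IpsgPipeline(ipsg_ports={1, 2})
    p.add_ram_binding(2, "10.0.0.20", "00:11:22:33:44:55", 100)   # legitimate client on port 2
    p.add_tcam_binding(1, "fe80::/10")                            # DHCPv6 link-local -> CPU
    p.add_tcam_binding(2, "fe80::/10")
    p.fib["10.0.0.1"] = 24                                        # gateway reachable via port 24
    legit = build_frame("00:11:22:33:44:55", 100, "10.0.0.20", "10.0.0.1")
    spoof = build_frame("de:ad:be:ef:00:01", 100, "10.0.0.20", "10.0.0.1")   # address B from port 1
    dhcp6 = build_frame("00:11:22:33:44:55", 100, "fe80::211:22ff:fe33:4455", "ff02::1:2")
    return {"legit": p.process(2, legit), "spoof_port1": p.process(1, spoof), "dhcpv6": p.process(1, dhcp6)}


if __name__ == "__main__":
    print(demo())
```

The spoofed frame reuses the legitimate IP address but arrives on port 1, so the exact-match RAM lookup misses and, because no masked TCAM entry covers an IPv4 source there, it is dropped; the DHCPv6 frame misses in RAM but hits the fe80::/10 TCAM entry and is punted to the CPU rather than discarded.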

[0062] The method for implementing IPSG based on RAM and TCAM disclosed in this invention saves costs by combining RAM and TCAM: the large number of binding entries is placed in the resource-rich RAM, while the few protocol-message entries, which can be matched with masks, are placed in the TCAM. This achieves an overall optimized IPSG solution and effectively solves the problem of the IPSG specification being limited by TCAM resources.

[0063] As shown in Figure 6, a preferred embodiment of the present invention provides an apparatus for implementing IPSG based on RAM and TCAM, which can implement the aforementioned method for implementing IPSG based on RAM and TCAM and can solve the problem that IPSG specifications are limited by TCAM resources. Specifically, the apparatus includes a receiving module, a first judgment module, a search module, a second judgment module, and a message processing module. The receiving module is used to receive and parse messages to obtain matching information; the first judgment module is used to determine whether the port receiving the message has IPSG enabled; the search module is used to search the RAM and the TCAM respectively using the matching information when the port has IPSG enabled; the second judgment module is used to determine whether the corresponding binding entry is not found in either RAM or TCAM; and the message processing module is used to discard the message when no corresponding binding entry is found in either RAM or TCAM.

[0064] Each module in the device corresponds to one of the steps in the above method, and will not be described in detail here.

[0065] The electronic device disclosed in one embodiment of the present invention may include, but is not limited to, personal computers, server computers, workstations, desktop computers, laptop computers, notebook computers, mobile electronic devices, smartphones, tablet computers, cellular phones, personal digital assistants (PDAs), handheld devices, messaging devices, wearable electronic devices, consumer electronic devices, etc. This electronic device can implement the aforementioned method for implementing IPSG based on RAM and TCAM, and can solve the problem of IPSG specifications being limited by TCAM resources. Specifically, the electronic device includes at least one memory, at least one processor, and a computer program. The at least one memory is coupled to the at least one processor, wherein the computer program is stored in the memory and can be run in the processor, such as a program for implementing IPSG based on RAM and TCAM. In implementation, when the processor executes the computer program, it can implement various steps in the above method, such as receiving and parsing messages, obtaining matching information, etc.

[0066] The computer program here can be divided into one or more units, which are stored in the memory and executed by the processor to complete the present invention. The one or more units may be a series of computer program instruction segments capable of performing a specific function, which describe the execution process of the computer program in the electronic device.

[0067] It should be noted that the electronic devices mentioned here include, but are not limited to, the memory, processor, and computer program described above. They may also include other devices, such as input devices for inputting instructions (e.g., keyboards), displays for displaying negotiation results, communication interfaces, etc. These components communicate with each other via a bus.

[0068] This invention also discloses a computer-readable storage medium storing a computer program that, when executed by a processor, can implement the aforementioned method for implementing IPSG based on RAM and TCAM. The computer program includes computer program code, which can be in the form of source code, an executable file, or some intermediate form. The computer-readable medium can include any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a portable hard drive, a magnetic disk, an optical disk, a computer memory, a read-only memory (ROM), a random access memory (RAM), etc.

[0069] Those skilled in the art will understand that embodiments of the present invention can be provided as methods, systems, or computer program products. Therefore, the present invention can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention can take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

[0070] This invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, produce a device for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

[0071] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means which implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

[0072] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, so that the instructions executing on the computer or other programmable equipment provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

[0073] The foregoing description of specific exemplary embodiments of the invention is for illustrative and explanatory purposes. These descriptions are not intended to limit the invention to the precise forms disclosed, and it will be apparent that many changes and variations can be made in accordance with the foregoing teachings. The exemplary embodiments were chosen and described in order to explain the specific principles of the invention and its practical application, thereby enabling those skilled in the art to implement and utilize various different exemplary embodiments of the invention, as well as various different choices and variations. The scope of the invention is intended to be defined by the claims and their equivalents.

Claims

1. A method for implementing IPSG based on RAM and TCAM, characterized in that the method includes: receiving and parsing messages to obtain matching information; determining whether the port receiving the message has IPSG enabled; in response to the IPSG function being enabled on the port, using the matching information to search the RAM and the TCAM respectively, wherein the RAM is configured with RAM binding entries for matching data packets and the TCAM is configured with TCAM binding entries for matching protocol packets; determining whether the corresponding binding entry is not found in either RAM or TCAM; and discarding the message in response to the absence of a corresponding binding entry in either RAM or TCAM.

2. The method as described in claim 1, characterized in that the method further includes: in response to finding the corresponding binding entry in RAM, further searching the forwarding table; determining whether the result of searching the forwarding table is "found"; if the forwarding table lookup result is "found", forwarding the message according to the lookup result; otherwise, if the forwarding table lookup result is "not found", discarding the message.

3. The method as described in claim 1, characterized in that the method further includes: in response to finding the corresponding binding entry in TCAM, sending the message to the CPU for processing.

4. The method as described in claim 1, characterized in that the matching information includes at least one of the following: source IP address, source MAC address, and VLAN.

5. The method as described in claim 1, characterized in that the step of using the matching information to search the RAM and the TCAM respectively includes: using the matching information to first search the RAM, and then search the TCAM.

6. The method as described in claim 1, characterized in that the entry type of the RAM binding entry or the TCAM binding entry includes the port number combined with at least one of source IP address, source MAC address and VLAN.

7. An apparatus for implementing IPSG based on RAM and TCAM, characterized in that the apparatus includes: a receiving module, used to receive and parse messages to obtain matching information; a first judgment module, used to determine whether the port receiving the message has enabled the IPSG function; a lookup module, used to look up the RAM and the TCAM respectively using the matching information when the IPSG function is enabled on the port, wherein the RAM is configured with RAM binding entries that match data packets and the TCAM is configured with TCAM binding entries that match protocol packets; a second judgment module, used to determine whether the corresponding binding entry is not found in either RAM or TCAM; and a message processing module, used to discard messages when no corresponding binding entry is found in either RAM or TCAM.

8. An electronic device, characterized in that the electronic device includes: at least one processor; and at least one memory coupled to the at least one processor and storing a computer program for execution by the at least one processor, wherein, when the computer program is executed by the at least one processor, the electronic device performs the method of any one of claims 1 to 6.

9. A computer-readable storage medium, characterized in that it stores a computer program which, when executed by a machine, implements the method described in any one of claims 1 to 6.