Packet forwarding method, apparatus and device

By configuring static ARP in network forwarding devices, the problem of delay in blocking operations of network security devices is solved, enabling timely blocking of illegal packets and improving network security.

CN122247965A · Pending · Publication Date: 2026-06-19 · ZHEJIANG UNIVIEW TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
ZHEJIANG UNIVIEW TECH CO LTD
Filing Date
2024-12-18
Publication Date
2026-06-19

AI Technical Summary

Technical Problem

Existing network security devices suffer from latency issues during blocking operations, resulting in lower network security.

Method used

Configure static ARP in the network forwarding device, including the IP address of the first device and the MAC address of the admission device, to ensure that response packets are first sent to the admission device for analysis, and block the response packets when they are determined to be illegal, or forward them normally when they are legal.

Benefits of technology

It improves the timeliness of blocking operations, enhances network security, and prevents unauthorized packets from entering the network.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122247965A_ABST (abstract figure)

Abstract

This invention provides a packet forwarding method, apparatus, and device. The method includes: upon receiving a mirror image of a request packet sent by a first device to a second device, and determining that the mirror image packet is a suspicious packet, sending configuration information to the network forwarding device. The configuration information instructs the network forwarding device to configure static ARP, the static ARP including the IP address of the first device and the MAC address of the access device. The static ARP is used, after the network forwarding device receives a response packet sent by the second device, to send the response packet to the access device based on the IP address of the first device and the MAC address of the access device. If the suspicious packet is determined to be an illegal packet, the sending of the response packet to the first device through the network forwarding device is prohibited. This invention can promptly perform packet forwarding blocking operations, improving network security.

Description

Technical Field

[0001] This invention relates to the field of computer technology, and in particular to a message forwarding method, apparatus, and device.

Background Technology

[0002] With the rapid development of information technology and the widespread adoption of network products, cybersecurity issues have become increasingly prominent, drawing significant public attention. The constantly evolving methods of cyberattacks place higher demands on network monitoring and protection. To address these challenges, various cybersecurity access control devices have emerged.

[0003] Existing access control devices (rendered below also as the "admission device" or "access device") are deployed in a bypass blocking mode. In this mode, the access control device does not itself forward network data but is attached on the side of the user's network. Flow mirroring is configured on the network device so that a copy of the network traffic is sent to the access control device, which monitors and analyzes whether the traffic conforms to the preset access control policy. If the traffic does not conform to the policy, the access control device instructs the network device to block it, thus preventing non-compliant traffic from entering the network.

[0004] However, the above method has the problem of delayed blocking operations, which reduces network security.

Summary of the Invention

[0005] This invention provides a message forwarding method, apparatus, and device to address the shortcomings of existing technologies, such as delayed blocking operations and low network security, thereby achieving timely execution of message forwarding blocking operations and improving network security.

[0006] This invention provides a message forwarding method applied to an access control device, the method comprising: Upon receiving a mirror image of a request message sent by the first device to the second device, and determining that the mirror image message is a suspicious message, configuration information is sent to the network forwarding device. This configuration information instructs the network forwarding device to configure static ARP, which includes the IP address of the first device and the MAC address of the access device. The static ARP is used by the network forwarding device to send a response message to the access device based on the IP address of the first device and the MAC address of the access device after receiving the response message from the second device. If the suspicious message is determined to be an illegal message, the sending of the response message to the first device through the network forwarding device shall be prohibited.

[0007] According to a message forwarding method provided by the present invention, the method further includes: If the suspicious message is determined to be an illegal message, the response message is discarded, a rejection response message is generated, and the rejection response message is sent to the first device through the network forwarding device.

[0008] According to a message forwarding method provided by the present invention, the method further includes: If the suspicious packet is determined to be a legitimate packet, the network forwarding device is controlled to delete the static ARP, modify the source MAC address in the response packet to the MAC address of the second device, and modify the destination MAC address in the response packet to the MAC address of the network forwarding device. The modified response message is sent to the network forwarding device, and the modified response message is used to instruct the network forwarding device to forward the modified response message to the first device.

[0009] According to a message forwarding method provided by the present invention, the method further includes: If the suspicious message is determined to be a legitimate message, the pseudo-session tag of the session corresponding to the request message is deleted. The pseudo-session tag is a tag added to the session when the mirror message is determined to be a suspicious message.

[0010] According to a message forwarding method provided by the present invention, the method further includes: If a mirror image of a request message sent by the first device to the second device is obtained, the destination IP address and source IP address in the mirror image are determined. If the mirrored packet is determined to be a legitimate packet based on the destination IP address and the source IP address, the mirrored packet is discarded.

[0011] The present invention also provides a message forwarding method, applied to a network forwarding device, the method comprising: The network forwarding device receives configuration information sent by the access device, which is sent when the access device obtains a mirror message of a request message sent by the first device to the second device and determines that the mirror message is a suspicious message. It configures static ARP based on the configuration information, wherein the static ARP includes the IP address of the first device and the MAC address of the access device. Upon receiving a response message to the request message sent by the second device, the network forwarding device sends the response message to the access device based on the MAC address of the access device in the static ARP and the IP address of the first device. The response message is used to instruct the access device to prohibit the sending of the response message to the first device through the network forwarding device if it determines that the suspicious message is an illegal message.

[0012] According to a message forwarding method provided by the present invention, the method further includes: The network forwarding device receives a modified response message sent by the admission device. The modified response message is sent by the admission device after it receives the response message and determines that the suspicious message is a legitimate message; the admission device controls the network forwarding device to delete the static ARP, modifies the source MAC address in the response message to the MAC address of the second device, and modifies the destination MAC address in the response message to the MAC address of the network forwarding device. The network forwarding device then forwards the modified response message to the first device.

[0013] The present invention also provides a message forwarding device, comprising: The sending module is configured to send configuration information to the network forwarding device when it receives a mirror image of a request message sent by the first device to the second device and determines that the mirror image message is a suspicious message. The configuration information is used to instruct the network forwarding device to configure static ARP, and the static ARP includes the IP address of the first device and the MAC address of the admission device. The static ARP is used to send the response message to the admission device based on the IP address of the first device and the MAC address of the admission device after the network forwarding device receives the response message sent by the second device. The processing module is configured to, upon determining that the suspicious message is an illegal message, prohibit the sending of the response message to the first device through the network forwarding device.

[0014] The present invention also provides a message forwarding device, comprising: The receiving module is used to receive configuration information sent by the access device. The configuration information is sent by the access device when it obtains a mirror message of a request message sent by the first device to the second device and determines that the mirror message is a suspicious message. The configuration module is used to configure static ARP based on the configuration information, wherein the static ARP includes the IP address of the first device and the MAC address of the access device; The sending module is configured to, upon receiving a response message to the request message sent by the second device, send the response message to the access device based on the MAC address of the access device in the static ARP and the IP address of the first device. The response message is used to instruct the access device to prohibit the sending of the response message to the first device through the network forwarding device if it determines that the suspicious message is an illegal message.

[0015] The present invention also provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the computer program to implement the message forwarding method as described above.

[0016] The present invention also provides a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the message forwarding method as described above.

[0017] The present invention also provides a computer program product, including a computer program that, when executed by a processor, implements the message forwarding method as described above.

[0018] In the packet forwarding method, apparatus, and device provided by this invention, upon obtaining a mirror packet of a request packet sent by a first device to a second device and determining that the mirror packet is a suspicious packet, the access device sends configuration information to a network forwarding device. This configuration information instructs the network forwarding device to configure static ARP, the static ARP including the IP address of the first device and the MAC address of the access device. After the network forwarding device receives a response packet from the second device, it sends the response packet to the access device based on the static ARP, that is, based on the IP address of the first device and the MAC address of the access device. If the suspicious packet is determined to be an illegal packet, sending the response packet to the first device through the network forwarding device is prohibited. Because the static ARP configured in the network forwarding device maps the IP address of the first device to the MAC address of the access device, the network forwarding device, upon receiving a response packet from the second device, sends it to the access device instead of directly to the first device. Once the access control device analyzes the request packet and determines that it is an illegal request, it discards the response packet, thereby promptly blocking the response packet from being sent to the first device. This improves the timeliness of the blocking operation and enhances network security.

Attached Figure Description

[0019] To more clearly illustrate the technical solutions in this invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of this invention. For those skilled in the art, other drawings can be obtained from these drawings without creative effort.

[0020] Figure 1 is a schematic diagram of the network architecture for message forwarding in the existing technology.

[0021] Figure 2 is the first flowchart of the message forwarding method provided in an embodiment of the invention.

[0022] Figure 3 is the second flowchart of the message forwarding method provided in an embodiment of the invention.

[0023] Figure 4 is a signaling interaction diagram for message forwarding provided in an embodiment of the invention.

[0024] Figure 5 is the first structural schematic diagram of the message forwarding device provided in an embodiment of the invention.

[0025] Figure 6 is the second structural schematic diagram of the message forwarding device provided in an embodiment of the invention.

[0026] Figure 7 is a schematic diagram of the physical structure of an electronic device provided in an embodiment of the invention.

Detailed Implementation

[0027] To make the objectives, technical solutions, and advantages of this invention clearer, the technical solutions of this invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this invention. All other embodiments obtained by those skilled in the art based on the embodiments of this invention without creative effort are within the scope of protection of this invention.

[0028] Currently, access control devices (ACCD) are connected to the network in one of two modes: in-line (series) blocking and bypass blocking. In the in-line mode, the ACCD itself acts as a forwarding device and forwards the network traffic. However, in this mode the ACCD becomes a single point of failure: if it crashes or loses power, the network is paralyzed. To address this issue, the other mode, bypass blocking, can be used. In this mode the ACCD is attached on the side of the user network; flow mirroring is configured on the network device so that the ACCD receives a copy of the traffic, and it performs blocking operations by analyzing whether the traffic matches the admission policy. In this mode the ACCD is not a single point of failure; however, because it is not a forwarding device and does not take part in forwarding the traffic, blocking is often delayed.

[0029] Figure 1 is a schematic diagram of the network architecture for message forwarding in the existing technology. As shown in Figure 1, in actual use, the packets sent by user equipment B to front-end device A are mirrored to the Ge2 port of admission device C, and the packets sent by front-end device A to user equipment B are mirrored to the Ge1 port of admission device C. Since packets from the user side are usually considered secure, while packets from the front-end device side may be insecure, the Ge1 port is configured as the insecure domain and the Ge2 port as the secure domain.

[0030] Since user device B responds normally to the request message from front-end device A to user device B, after the request message is mirrored to admission device C, admission device C needs to analyze the request message and determine whether to block it based on the admission policy. However, during the analysis of the request message by admission device C, user device B will normally return the response message to front-end device A. Therefore, even if the request message sent by front-end device A to user device B is malicious, user device B may have already sent the response message to front-end device A before admission device C blocks it, causing a delay in the blocking process by admission device C. On the other hand, the response message returned by user equipment B to front-end device A will also be mirrored to admission device C. Admission device C establishes a legitimate session based on the source and destination Internet Protocol (IP), source and destination ports and protocols in the response message. In this way, after receiving the response message from user equipment B, front-end device A will carry out subsequent interactions normally based on the legitimate session, which will lead to the risk of user equipment B being illegally intruded and reduce network security.

[0031] To address the aforementioned issues, this invention provides a packet forwarding method. In this method, when an access device determines that a mirror packet of a request packet sent from a first device to a second device is a suspicious packet, it controls the network forwarding device to configure a static Address Resolution Protocol (ARP). This static ARP configures the IP address of the first device and the MAC address of the access device. Consequently, the response packet returned from the second device to the first device will not be directly sent to the first device, but will first be sent to the access device. When the access device identifies the suspicious packet as an illegal packet, it will discard the response packet, thus preventing the operation of sending the response packet to the first device. This improves the timeliness of the access device's blocking operation and enhances network security.

[0032] The subject executing this method can be an access control device, security gateway, computer, server, server cluster, or specially designed message forwarding device, or a message forwarding device installed in such electronic equipment. This message forwarding device can be implemented through software, hardware, or a combination of both.

[0033] Figure 2 is the first flowchart of the message forwarding method provided in an embodiment of the invention. As shown in Figure 2, the method includes:

Step 201: If a mirror image of the request message sent by the first device to the second device is obtained, and the mirror image is determined to be a suspicious message, configuration information is sent to the network forwarding device. The configuration information is used to instruct the network forwarding device to configure static ARP. The static ARP includes the IP address of the first device and the MAC address of the admission device. The static ARP is used by the network forwarding device, after it receives the response message sent by the second device, to send the response message to the admission device based on the IP address of the first device and the MAC address of the admission device.

[0034] In this step, the first device can be a front-end device, such as a camera, drone, or industrial robot, etc., and the second device can be a user device, such as a computer or terminal device. Of course, the first device can also be a user device and the second device can be a front-end device.

[0035] When the first device needs to access the data of the second device, it sends a request message to the second device. This request message is also mirrored, and the mirrored message is sent to the admission device. The admission device performs an initial screening based on the source and destination IP addresses in the mirrored message. If the mirrored message is identified as legitimate, it is discarded. If the mirrored message is not deemed legitimate and further identification based on other admission policies is required, it is classified as a suspicious message.

[0036] Furthermore, the admission device is configured with Simple Network Management Protocol (SNMP) access to the network forwarding device, which can be any device capable of packet forwarding, such as a switch or router. After determining that a mirrored packet is suspicious, the admission device sends the configuration information to the network forwarding device via SNMP. Upon receiving the configuration information, the network forwarding device configures static ARP accordingly, writing the IP address of the first device and the Media Access Control (MAC) address of the admission device into its static ARP table.

[0037] Furthermore, after determining that the mirrored message is a suspicious message, the access control device adds a pseudo-session flag to the session corresponding to the request message. By marking the session corresponding to the request message as a pseudo-session, the access control device will not establish a legitimate session between the first and second devices based on the response message returned by the second device, thereby improving the security of data access.

[0038] After receiving the request message from the first device, the second device will respond normally and send the generated response message to the network forwarding device. The network forwarding device will parse the response message to determine that the destination IP address in the response message is the IP address of the first device, and by querying the static ARP, it will determine that the MAC address corresponding to the IP address of the first device is the MAC address of the access device. Therefore, it will forward the response message to the access device instead of sending it directly to the first device. This avoids the situation where the access device cannot block the first device from maliciously accessing the second device, and the second device has already sent the data to the first device.

[0039] Step 202: If it is determined that the suspicious message is an illegal message, the sending of a response message to the first device through the network forwarding device shall be prohibited.

[0040] In this step, during the process of the second device processing the request message sent by the first device and the second device sending the response message to the network forwarding device, the admission device will further identify suspicious messages according to the pre-set admission policy. For example, it can determine whether a suspicious message is an illegal message by using a five-tuple, where the five-tuple includes the following five elements: source IP address, source port, destination IP address, destination port, and transport layer protocol.

[0041] When the access control device determines that a suspicious packet is an illegal packet, it discards the response packet that the network forwarding device sent to it, so that the response packet is not sent to the first device through the network forwarding device. This timely blocking of the response packet forwarding operation improves network security. Additionally, the access control device can send a rejection response packet to the first device through the network forwarding device. This rejection response packet carries the IP address and MAC address of the second device as its source, thereby terminating the access.

[0042] The access control device can analyze the request message during the process of the second device processing the request message sent by the first device, the second device sending the response message to the network forwarding device, and the network forwarding device sending the response message to the access control device, thereby improving the efficiency of message forwarding.

[0043] In the packet forwarding method provided in this embodiment of the invention, upon obtaining a mirror packet of a request packet sent by a first device to a second device and determining that the mirror packet is a suspicious packet, the access device sends configuration information to a network forwarding device. This configuration information instructs the network forwarding device to configure static ARP, the static ARP including the IP address of the first device and the MAC address of the access device. After the network forwarding device receives a response packet from the second device, it sends the response packet to the access device based on the static ARP, that is, based on the IP address of the first device and the MAC address of the access device. If the suspicious packet is determined to be an illegal packet, sending the response packet to the first device through the network forwarding device is prohibited. Because the static ARP configured in the network forwarding device maps the IP address of the first device to the MAC address of the access device, the network forwarding device, upon receiving a response packet from the second device, sends it to the access device instead of directly to the first device. Once the access control device analyzes the request packet and determines that it is an illegal request, it discards the response packet, thereby promptly blocking the response packet from being sent to the first device. This improves the timeliness of the blocking operation and enhances network security.

[0044] For example, based on the above embodiments, when the access device determines that a suspicious message is an illegal message, it discards the response message, generates a rejection response message, and sends the rejection response message to the first device through the network forwarding device.

[0045] Specifically, when the access control device determines that a suspicious packet is an illegal packet based on a pre-set access control policy, it discards the response packet and constructs a rejection response packet. This rejection response packet is then sent to the network forwarding device, which forwards it to the first device, thereby interrupting the first device's access to the second device. The source IP address in the rejection response packet is the IP address of the second device, and the destination IP address is the IP address of the first device.

[0046] It should be understood that in this scenario, the admission device will not modify the static ARP on the network forwarding device, and will clear the pseudo session identifier added to the session corresponding to the request packet.

[0047] In this embodiment, if a suspicious message is determined to be an illegal message, the response message is discarded, and a rejection response message is generated and forwarded to the first device via a network forwarding device. This promptly interrupts the first device's access to the second device, improving overall network security. Furthermore, the rejection response message promptly notifies the first device that its corresponding access request has been interrupted, allowing the first device to understand why it was unable to access the data on the second device.

[0048] For example, based on the above embodiments, when a suspicious packet is determined to be a legitimate packet, the network forwarding device is controlled to delete the static ARP, modify the source MAC address in the response packet to the MAC address of the second device, modify the destination MAC address in the response packet to the MAC address of the network forwarding device, and send the modified response packet to the network forwarding device. The modified response packet is used to instruct the network forwarding device to forward the modified response packet to the first device.

[0049] Specifically, when the access control device determines that a suspicious packet is a legitimate packet based on a pre-configured access policy, it means that the first device can normally access the second device. Therefore, the response packet returned by the second device should also be sent normally to the first device. In order to send the response packet normally to the first device, the access control device will first delete the static ARP that was originally added on the network forwarding device via SNMP, modify the source MAC address of the response packet to the MAC address of the second device, modify the destination MAC address in the response packet to the MAC address of the network forwarding device, and then send the modified response packet to the network forwarding device.

[0050] When a network forwarding device receives a modified response message and finds that the destination MAC address is its own MAC address, it will modify the destination MAC address in the response message to the MAC address of the first device, and then forward the modified response message to the first device.

[0051] In this embodiment, when a suspicious packet is determined to be a legitimate packet, by deleting static ARP and modifying the source MAC address and destination MAC address in the response packet, the response packet can be correctly sent to the network forwarding device, and then forwarded to the first device by the network forwarding device. This ensures that the first device can receive the response packet returned by the second device normally, thus improving the accuracy of packet forwarding.
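The rewrite of [0048] to [0050] at the byte level, as an added example that is not part of the patent: a constructed Ethernet II / IPv4 response frame, the checks the admission device should make before handing the frame back (IPv4 only, delivered to its own MAC because of the static entry, addressed to the first device, header checksum intact), the source/destination MAC rewrite, and the forwarding device's final destination MAC rewrite. All MAC and IP addresses, the 20-byte header without options and the function names are assumptions for the example; the patent does not describe the frame format.

```python
import struct

# Constructed addresses for this example (hypothetical, not taken from the patent).
ADMISSION_MAC = bytes.fromhex("02000000000a")   # access/admission device
SWITCH_MAC = bytes.fromhex("02000000000b")      # network forwarding device
SECOND_DEV_MAC = bytes.fromhex("02000000000c")  # second device (sends the response)
FIRST_DEV_IP = bytes([192, 168, 1, 10])         # first device (sent the request)
SECOND_DEV_IP = bytes([192, 168, 1, 20])
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header whose checksum field is zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_response_frame(src_mac: bytes, dst_mac: bytes, payload: bytes = b"response") -> bytes:
    """Constructed test input: Ethernet II + minimal 20-byte IPv4 header (protocol 6) from the
    second device to the first device. The transport part is left opaque; the diversion and
    the rewrite only touch layer 2."""
    total_len = 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     SECOND_DEV_IP, FIRST_DEV_IP)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + payload


def rewrite_for_forwarding(frame: bytes) -> bytes:
    """[0048]/[0049]: the frame reached the admission device only because the forwarding
    device's static ARP mapped FIRST_DEV_IP to ADMISSION_MAC. Validate that, then set
    source MAC = second device and destination MAC = forwarding device. Only the 14-byte
    Ethernet header changes; the IPv4 header and its checksum are left as they were."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet II + IPv4")
    dst_mac, ethertype = frame[0:6], struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 traffic is diverted by the static ARP entry")
    if dst_mac != ADMISSION_MAC:
        raise ValueError("frame was not delivered to the admission device")
    ip_header = frame[14:34]
    if ip_header[16:20] != FIRST_DEV_IP:
        raise ValueError("response is not addressed to the first device")
    stored = struct.unpack("!H", ip_header[10:12])[0]
    if ipv4_checksum(ip_header[:10] + b"\x00\x00" + ip_header[12:]) != stored:
        raise ValueError("IPv4 header checksum invalid")
    return SWITCH_MAC + SECOND_DEV_MAC + frame[12:]


def forwarding_device_deliver(frame: bytes, first_dev_mac: bytes) -> bytes:
    """[0050]: the forwarding device sees its own MAC as destination, resolves the
    destination IP again (the static entry has been deleted by now) and rewrites the
    destination MAC to the first device. As in the patent text only the destination MAC
    is changed; a real router would also set the source MAC to its own egress MAC."""
    if frame[0:6] != SWITCH_MAC:
        raise ValueError("frame is not addressed to the forwarding device")
    return first_dev_mac + frame[6:]
```

Because only the Ethernet header changes, the IPv4 header checksum and any transport checksum stay valid, which is why the access device can hand the frame back without recomputing anything; an implementation that also decremented the TTL or touched the IP addresses would have to recompute them.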

[0052] For example, based on the above embodiments, when a suspicious message is determined to be a legitimate message, the pseudo-session tag of the session corresponding to the request message is deleted. The pseudo-session tag is a tag added to the session when the mirror message is determined to be a suspicious message.

[0053] Specifically, when the admission device determines that a request message is a suspicious message, it adds a pseudo-session tag to the session corresponding to the request message. When the suspicious message is determined to be a legitimate message through a preset admission policy, the pseudo-session tag in the session corresponding to the request message is deleted, and the session is converted into a legitimate session. If the request message sent by the first device subsequently matches the aforementioned five-tuple, it will be forwarded directly based on the legitimate session, and the admission device will not perform further analysis on the message forwarded based on the legitimate session.

[0054] In this embodiment, when a suspicious message is determined to be a legitimate message, the pseudo-session tag of the session corresponding to the request message will be deleted, thereby establishing a normal legitimate session. This not only ensures the normal forwarding of subsequent messages but also improves the efficiency of message forwarding.

[0055] For example, based on the above embodiments, when the access device obtains a mirror message of the request message sent by the first device to the second device, it determines the destination IP address and source IP address in the mirror message. If the mirror message is determined to be a legitimate message based on the destination IP address and source IP address, the mirror message is discarded.

[0056] Specifically, since determining the legitimacy of a mirrored packet based on its destination and source IP addresses is relatively fast, the destination and source IP addresses can be parsed from the mirrored packet first, and an initial screening can be performed based on these addresses. Once the mirrored packet is determined to be legitimate, further legitimacy checks are unnecessary and no blocking operation is required, so the access device can simply discard the mirrored packet. In this case, after responding to the request packet, the second device sends its response packet to the network forwarding device, which forwards the response packet normally to the first device.

[0057] In this embodiment, when the mirrored packet is determined to be a legitimate packet based on the destination IP address and the source IP address, the mirrored packet is directly discarded without any blocking operation. This not only ensures network security but also improves the packet forwarding rate.

[0058] Figure 3 is a second flowchart of the message forwarding method provided in this embodiment of the invention. The execution entity of this method is a network forwarding device. As shown in Figure 3, the method includes: Step 301: Receive configuration information sent by the access device. The configuration information is sent by the access device when it obtains a mirror message of the request message sent by the first device to the second device and determines that the mirror message is a suspicious message.

[0059] In this step, when the first device needs to access the data of the second device, it sends a request message to the second device. This request message is also mirrored, and the mirrored message is sent to the admission device. The admission device performs an initial screening based on the source and destination IP addresses in the mirrored message. If the mirrored message is identified as legitimate, it is discarded. If the mirrored message is not deemed legitimate and further identification based on other admission policies is required, it is classified as a suspicious message.

[0060] After determining that a mirrored packet is a suspicious packet, the admission device will send configuration information to the network forwarding device based on SNMP. This configuration information is used to instruct the network forwarding device to configure static ARP.

[0061] Step 302: Configure static ARP based on the configuration information. The static ARP includes the IP address of the first device and the MAC address of the admission device.

[0062] In this step, after receiving the configuration information, the network forwarding device configures static ARP based on the configuration information and writes the IP address of the first device and the MAC address of the admission device into the static ARP.

[0063] Step 303: Upon receiving a response message to the request message sent by the second device, send the response message to the admission device based on the MAC address of the admission device and the IP address of the first device in the static ARP. The response message is used to instruct the admission device to prohibit the sending of the response message to the first device through the network forwarding device if it determines that the suspicious message is an illegal message.

[0064] In this step, after receiving the request packet from the first device, the second device responds normally and sends the generated response packet to the network forwarding device. By parsing the response packet, the network forwarding device determines that the destination IP address in the response packet is the IP address of the first device, and by querying the static ARP it determines that the MAC address corresponding to the first device's IP address is the MAC address of the access device. It therefore forwards the response packet to the access device instead of sending it directly to the first device. This avoids the situation in which the first device accesses the second device maliciously and the second device has already returned data to the first device before the access device can block it.

[0065] During the process of the second device processing the request message sent by the first device and the second device sending the response message to the network forwarding device, the admission device will further identify suspicious messages according to the pre-set admission policy. For example, it can determine whether a suspicious message is an illegal message by using a five-tuple, where the five-tuple includes the following five elements: source IP address, source port, destination IP address, destination port, and transport layer protocol.

[0066] When the access control device determines that a suspicious packet is an illegal packet, it will discard the response packet sent by the network forwarding device to prevent the response packet from being sent to the first device through the network forwarding device. This timely blocking of the response packet forwarding operation improves network security. Additionally, the access control device can also send a rejection response packet to the first device through the network forwarding device. This rejection response packet contains the IP address and MAC address of the second device, thereby terminating the access.

[0067] In the packet forwarding method provided in this embodiment of the invention, a network forwarding device receives configuration information sent by an admission device. This configuration information is sent by the admission device when it receives a mirror image of a request packet sent by a first device to a second device and determines that the mirror image packet is suspicious. Based on the configuration information, a static ARP is configured. This static ARP includes the IP address of the first device and the MAC address of the admission device. Upon receiving a response packet to the request packet sent by the second device, the network forwarding device sends the response packet to the admission device based on the MAC address of the admission device and the IP address of the first device in the static ARP. This response packet instructs the admission device to prohibit the transmission of the response packet to the first device through the network forwarding device if it determines that the suspicious packet is an illegal packet. Because a static ARP is configured in the network forwarding device, and this static ARP includes the IP address of the first device and the MAC address of the admission device, the network forwarding device, upon receiving a response packet from the second device, sends the response packet to the admission device based on the static ARP instead of directly to the first device. Once the admission device analyzes the request message and determines that it is an illegal request, it discards the response message, thereby promptly blocking the response message from being sent to the first device. This improves the timeliness of the blocking operation and enhances network security.

[0068] For example, based on the above embodiments, the network forwarding device receives a modified response message sent by the admission device. The modified response message is sent by the admission device after it receives the response message and determines that the suspicious message is a legitimate message: the admission device controls the network forwarding device to delete the static ARP, modifies the source MAC address in the response message to the MAC address of the second device, and modifies the destination MAC address in the response message to the MAC address of the network forwarding device. The network forwarding device then forwards the modified response message to the first device.

[0069] Specifically, when the access control device determines that a suspicious packet is a legitimate packet based on a pre-configured access policy, it means that the first device can normally access the second device. Therefore, the response packet returned by the second device should also be sent normally to the first device. In order to send the response packet normally to the first device, the access control device will first delete the static ARP that was originally added on the network forwarding device via SNMP, modify the source MAC address of the response packet to the MAC address of the second device, modify the destination MAC address in the response packet to the MAC address of the network forwarding device, and then send the modified response packet to the network forwarding device.

[0070] When a network forwarding device receives a modified response message and finds that the destination MAC address is its own MAC address, it will modify the destination MAC address in the response message to the MAC address of the first device, and then send the modified response message to the first device.

[0071] In this embodiment, when a suspicious packet is determined to be a legitimate packet, by deleting static ARP and modifying the source MAC address and destination MAC address in the response packet, the response packet can be correctly sent to the network forwarding device. The network forwarding device then forwards the response packet to the first device, thereby ensuring that the first device can normally receive the response packet returned by the second device, thus improving the accuracy of packet forwarding.

[0072] Figure 4 is a signaling interaction diagram of the message forwarding method provided in the embodiments of the present invention. As shown in Figure 4, the method includes: Step 401: The first device sends a request message to the second device.

[0073] Step 402: The access device obtains the mirror message of the request message and determines whether the mirror message is a suspicious message.

[0074] Step 403: If the access device determines that the mirrored packet is a suspicious packet, it sends configuration information to the network forwarding device.

[0075] Step 404: Configure static ARP on the network forwarding device. The static ARP includes the IP address of the first device and the MAC address of the admission device.

[0076] Step 405: The second device sends a response message to the network forwarding device.

[0077] Step 406: The network forwarding device sends a response message to the admission device based on static ARP.

[0078] Step 407: The access control device analyzes the suspicious messages to determine whether they are legitimate.

[0079] The execution order of step 407 and steps 404 to 406 is not restricted; they can be executed simultaneously or sequentially.

[0080] Step 408: The access control device determines that the suspicious message is an illegal message, discards the response message, and sends a rejection response message to the first device through the network forwarding device.

[0081] Step 409: The access control device determines that the suspicious packet is a legitimate packet, controls the network forwarding device to delete the static ARP, modifies the source MAC address in the response packet to the MAC address of the second device, modifies the destination MAC address in the response packet to the MAC address of the network forwarding device, and sends the modified response packet to the network forwarding device.

[0082] Step 410: The network forwarding device forwards the final modified response message to the first device.

[0083] The packet forwarding method provided in this embodiment of the invention configures a static ARP in the network forwarding device. This static ARP includes the IP address of the first device and the MAC address of the access device. Therefore, when the network forwarding device receives a response packet from the second device, it forwards the response packet to the access device based on the static ARP, instead of directly sending it to the first device. Once the access device analyzes the request packet and determines it to be an illegal request, it discards the response packet. This timely blocking of the response packet from being sent to the first device improves the timeliness of the blocking operation and enhances network security.
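The signaling flow of steps 401 to 410, together with the pseudo-session tag of [0052] to [0053] and the IP-pair pre-screen of [0055] to [0056], as an added Python simulation that is not part of the patent. The addresses, the allow-lists standing in for the admission policy, and the stubbed SNMP write are assumptions; the patent does not specify them.

```python
"""Simulation of the forwarding flow of Figure 4 (steps 401 to 410). Added example, not the
patent's own code: addresses, the IP-pair pre-screen list and the five-tuple admission policy
are constructed, and the SNMP write that installs the static ARP is stubbed as a method call."""
from dataclasses import dataclass
# Constructed sample addresses for the four roles in the patent.
FIRST_IP, FIRST_MAC = "10.0.0.10", "aa:aa:aa:aa:aa:10"
SECOND_IP, SECOND_MAC = "10.0.0.20", "bb:bb:bb:bb:bb:20"
SWITCH_MAC = "cc:cc:cc:cc:cc:01"   # network forwarding device
ADMIT_MAC = "dd:dd:dd:dd:dd:02"    # admission (access control) device
REQ_TUPLE = (FIRST_IP, 40000, SECOND_IP, 554, "tcp")   # constructed request five-tuple


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    kind: str = "data"   # "data" or "reject"

    def five_tuple(self):
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)


class ForwardingDevice:
    """Network forwarding device: learned ARP cache plus SNMP-written static ARP."""
    def __init__(self):
        self.mac = SWITCH_MAC
        self.dynamic_arp = {FIRST_IP: FIRST_MAC, SECOND_IP: SECOND_MAC}
        self.static_arp = {}
        self.delivered = []   # (next-hop MAC, frame kind) for every frame sent out

    def set_static_arp(self, ip, mac):   # step 404 (stands in for the SNMP write)
        self.static_arp[ip] = mac

    def delete_static_arp(self, ip):     # first action of step 409
        self.static_arp.pop(ip, None)

    def forward(self, frame):
        # Steps 406 and 410: a frame addressed to the device's own MAC is routed by IP, and a
        # static ARP entry overrides the learned one, which is what diverts the response.
        if frame.dst_mac == self.mac:
            frame.dst_mac = self.static_arp.get(frame.dst_ip) or self.dynamic_arp[frame.dst_ip]
        self.delivered.append((frame.dst_mac, frame.kind))
        return frame.dst_mac


class AdmissionDevice:
    """Admission device: IP pre-screen, pseudo-session tag, five-tuple policy, blocking."""
    def __init__(self, switch, trusted_ip_pairs, allowed_five_tuples):
        self.mac, self.switch = ADMIT_MAC, switch
        self.trusted_ip_pairs = trusted_ip_pairs        # fast pre-screen of [0055]
        self.allowed_five_tuples = allowed_five_tuples  # stands in for the preset policy of [0065]
        self.sessions = {}                              # five-tuple -> "pseudo" | "legitimate"

    def on_mirror(self, req):
        """Steps 402 to 404: classify the mirrored request and report what happened to it."""
        if self.sessions.get(req.five_tuple()) == "legitimate":
            return "forwarded-by-session"   # [0053]: no further analysis on a legitimate session
        if (req.src_ip, req.dst_ip) in self.trusted_ip_pairs:
            return "discarded"              # [0056]: legitimate by IP pair, nothing to block
        self.sessions[req.five_tuple()] = "pseudo"
        self.switch.set_static_arp(req.src_ip, self.mac)
        return "suspicious"

    def on_response(self, resp):
        """Steps 407 to 409 for a response that the static ARP diverted here."""
        req_tuple = (resp.dst_ip, resp.dst_port, resp.src_ip, resp.src_port, resp.proto)
        if req_tuple not in self.allowed_five_tuples:   # step 408: drop, never forward resp
            # The rejection carries the second device's IP and MAC ([0066]); its L2 destination
            # is not stated, so the first device's MAC is assumed. The patent also does not say
            # when the static entry is removed after a block, so it is left in place here.
            reject = Frame(SECOND_MAC, FIRST_MAC, resp.src_ip, resp.dst_ip,
                           resp.src_port, resp.dst_port, resp.proto, kind="reject")
            self.switch.forward(reject)
            return "blocked"
        self.switch.delete_static_arp(resp.dst_ip)         # step 409
        resp.src_mac, resp.dst_mac = SECOND_MAC, self.switch.mac
        self.sessions[req_tuple] = "legitimate"            # [0052]: pseudo-session tag removed
        self.switch.forward(resp)
        return "released"


def simulate(policy):
    """One request/response round; policy is "trusted", "legal" or "illegal"."""
    switch = ForwardingDevice()
    admit = AdmissionDevice(switch, {(FIRST_IP, SECOND_IP)} if policy == "trusted" else set(),
                            {REQ_TUPLE} if policy == "legal" else set())
    req = Frame(FIRST_MAC, SWITCH_MAC, FIRST_IP, SECOND_IP, 40000, 554, "tcp")     # step 401
    switch.forward(req)
    mirror = admit.on_mirror(req)                                                  # steps 402-404
    resp = Frame(SECOND_MAC, SWITCH_MAC, SECOND_IP, FIRST_IP, 554, 40000, "tcp")   # step 405
    first_hop = switch.forward(resp)                                               # step 406
    verdict = admit.on_response(resp) if first_hop == ADMIT_MAC else "not-diverted"
    return {"mirror": mirror, "first_hop": first_hop, "verdict": verdict,
            "delivered": switch.delivered, "static_arp": dict(switch.static_arp),
            "session": admit.sessions.get(REQ_TUPLE), "repeat_mirror": admit.on_mirror(req)}
```

Running `simulate("illegal")` shows the response reaching only the admission device and a rejection going to the first device, while `simulate("legal")` shows the static entry removed and the rewritten response delivered to the first device.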

[0084] The message forwarding apparatus provided by the present invention is described below. The message forwarding apparatus described below can be referred to in correspondence with the message forwarding method described above.

[0085] Figure 5 is a first structural schematic diagram of the message forwarding device provided in the embodiments of the present invention. As shown in Figure 5, the message forwarding device 500 includes: a sending module 11 configured to send configuration information to the network forwarding device when it obtains a mirror message of a request message sent by the first device to the second device and determines that the mirror message is a suspicious message, wherein the configuration information is used to instruct the network forwarding device to configure static ARP, the static ARP includes the IP address of the first device and the MAC address of the admission device, and the static ARP is used to send the response message to the admission device based on the IP address of the first device and the MAC address of the admission device after the network forwarding device receives the response message sent by the second device; and a processing module 12 configured to prohibit the sending of the response message to the first device through the network forwarding device when it is determined that the suspicious message is an illegal message.

[0086] In one example embodiment, the processing module 12 is further configured to, upon determining that the suspicious message is an illegal message, discard the response message, generate a rejection response message, and send the rejection response message to the first device through the network forwarding device.

[0087] In one example embodiment, the apparatus further includes a modification module, wherein: the modification module is configured to, when determining that the suspicious packet is a legitimate packet, control the network forwarding device to delete the static ARP, modify the source MAC address in the response packet to the MAC address of the second device, and modify the destination MAC address in the response packet to the MAC address of the network forwarding device; and the sending module 11 is configured to send the modified response message to the network forwarding device, wherein the modified response message is used to instruct the network forwarding device to forward the modified response message to the first device.

[0088] In one example embodiment, the apparatus further includes a deletion module, wherein: the deletion module is configured to delete the pseudo-session tag of the session corresponding to the request message when the suspicious message is determined to be a legitimate message. The pseudo-session tag is a tag added to the session when the mirror message is determined to be a suspicious message.

[0089] In one example embodiment, the apparatus further includes a determination module and a discarding module, wherein: the determination module is configured to determine the destination IP address and source IP address in the mirrored message when a mirrored message of a request message sent by the first device to the second device is obtained; and the discarding module is configured to discard the mirrored packet if it is determined to be a legitimate packet based on the destination IP address and the source IP address.

[0090] The message forwarding device of this embodiment can be used to execute the method of any embodiment in the message forwarding method side embodiment. Its specific implementation process and technical effects are similar to those in the message forwarding method side embodiment. For details, please refer to the detailed description in the message forwarding method side embodiment, which will not be repeated here.

[0091] Figure 6 is a second structural schematic diagram of the message forwarding device provided in an embodiment of the present invention. As shown in Figure 6, the message forwarding device 600 includes: a receiving module 21 configured to receive configuration information sent by the access device, wherein the configuration information is sent by the access device when it obtains a mirror message of a request message sent by the first device to the second device and determines that the mirror message is a suspicious message; a configuration module 22 configured to configure static ARP based on the configuration information, wherein the static ARP includes the IP address of the first device and the MAC address of the access device; and a sending module 23 configured to, upon receiving a response message to the request message sent by the second device, send the response message to the access device based on the MAC address of the access device and the IP address of the first device in the static ARP, wherein the response message is used to instruct the access device to prohibit the sending of the response message to the first device through the network forwarding device if it determines that the suspicious message is an illegal message.

[0092] In one example embodiment, the apparatus further includes a modification module, wherein: the receiving module 21 is further configured to receive a modified response message sent by the admission device, the modified response message being sent by the admission device after it receives the response message and determines that the suspicious message is a legitimate message, controls the network forwarding device to delete the static ARP, modifies the source MAC address in the response message to the MAC address of the second device, and modifies the destination MAC address in the response message to the MAC address of the network forwarding device; and the modification module is configured to forward the modified response message to the first device.

[0093] The message forwarding device of this embodiment can be used to execute the method of any embodiment in the message forwarding method side embodiment. Its specific implementation process and technical effects are similar to those in the message forwarding method side embodiment. For details, please refer to the detailed description in the message forwarding method side embodiment, which will not be repeated here.

[0094] Figure 7 is a schematic diagram of the physical structure of an electronic device provided in an embodiment of the present invention. As shown in Figure 7, the electronic device may include: a processor 710, a communications interface 720, a memory 730, and a communication bus 740, wherein the processor 710, the communications interface 720, and the memory 730 communicate with each other through the communication bus 740. The processor 710 can call logical instructions in the memory 730 to execute a packet forwarding method. This method includes: upon obtaining a mirror packet of a request packet sent by a first device to a second device, and determining that the mirror packet is a suspicious packet, sending configuration information to the network forwarding device. The configuration information is used to instruct the network forwarding device to configure static ARP, the static ARP including the IP address of the first device and the MAC address of the access device; the static ARP is used to send the response packet to the access device based on the IP address of the first device and the MAC address of the access device after the network forwarding device receives a response packet sent by the second device; and if the suspicious packet is determined to be an illegal packet, prohibiting the sending of the response packet to the first device through the network forwarding device.

[0095] The processor 710 can also call logical instructions in the memory 730 to execute a packet forwarding method, the method comprising: receiving configuration information sent by an admission device, the configuration information being sent by the admission device when it obtains a mirror packet of a request packet sent by a first device to a second device and determines that the mirror packet is a suspicious packet; configuring a static ARP based on the configuration information, the static ARP including the IP address of the first device and the MAC address of the admission device; and, upon receiving a response packet of the request packet sent by the second device, sending a response packet to the admission device based on the MAC address of the admission device and the IP address of the first device in the static ARP, the response packet being used to instruct the admission device, if it determines that the suspicious packet is an illegal packet, to prohibit the sending of the response packet to the first device through the network forwarding device.

[0096] Furthermore, the logical instructions in the aforementioned memory 730 can be implemented as software functional units and, when sold or used as independent products, can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, essentially, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.

[0097] On the other hand, the present invention also provides a computer program product, which includes a computer program that can be stored on a non-transitory computer-readable storage medium. When the computer program is executed by a processor, the computer can execute the packet forwarding method provided by the above methods. The method includes: when a mirror packet of a request packet sent by a first device to a second device is obtained, and the mirror packet is determined to be a suspicious packet, sending configuration information to the network forwarding device, the configuration information being used to instruct the network forwarding device to configure static ARP, the static ARP including the IP address of the first device and the MAC address of the access device; the static ARP being used to send the response packet to the access device based on the IP address of the first device and the MAC address of the access device after the network forwarding device receives a response packet sent by the second device; and when the suspicious packet is determined to be an illegal packet, prohibiting the sending of the response packet to the first device through the network forwarding device.

[0098] The computer can also execute the packet forwarding methods provided by the above methods, the method comprising: receiving configuration information sent by an access device, the configuration information being sent by the access device when it obtains a mirror packet of a request packet sent by a first device to a second device and determines that the mirror packet is a suspicious packet; configuring a static ARP based on the configuration information, the static ARP including the IP address of the first device and the MAC address of the access device; and, upon receiving a response packet of the request packet sent by the second device, sending the response packet to the access device based on the MAC address of the access device and the IP address of the first device in the static ARP, the response packet being used to instruct the access device to prohibit the sending of the response packet to the first device through the network forwarding device when it determines that the suspicious packet is an illegal packet.

[0099] In another aspect, the present invention also provides a computer-readable storage medium storing a computer program thereon, which, when executed by a processor, implements the packet forwarding method provided by the above methods. The method includes: upon obtaining a mirror image of a request packet sent by a first device to a second device, and determining that the mirror image packet is a suspicious packet, sending configuration information to the network forwarding device, the configuration information being used to instruct the network forwarding device to configure static ARP, the static ARP including the IP address of the first device and the MAC address of the access device; the static ARP being used, after the network forwarding device receives a response packet sent by the second device, to send the response packet to the access device based on the IP address of the first device and the MAC address of the access device; and, if the suspicious packet is determined to be an illegal packet, prohibiting the sending of the response packet to the first device through the network forwarding device.

[0100] When executed by a processor, this computer program implements the packet forwarding methods provided by the above methods. The method includes: receiving configuration information sent by an access device, the configuration information being sent by the access device when it receives a mirror image of a request packet sent by a first device to a second device and determines that the mirror image packet is a suspicious packet; configuring a static ARP based on the configuration information, the static ARP including the IP address of the first device and the MAC address of the access device; and, upon receiving a response packet of the request packet sent by the second device, sending the response packet to the access device based on the MAC address of the access device and the IP address of the first device in the static ARP, the response packet instructing the access device to prohibit sending the response packet to the first device through the network forwarding device when it determines that the suspicious packet is an illegal packet.

[0101] The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs. Those skilled in the art can understand and implement this without any creative effort.

[0102] Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus necessary general-purpose hardware platforms, and of course, it can also be implemented by hardware. Based on this understanding, the above technical solutions, in essence or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product can be stored in a computer-readable storage medium, such as ROM / RAM, magnetic disk, optical disk, etc., and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute the methods described in the various embodiments or some parts of the embodiments.

[0103] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims

1. A message forwarding method, characterized in that, Applied to access control devices, the method includes: Upon receiving a mirror image of a request message sent by the first device to the second device, and determining that the mirror image message is a suspicious message, configuration information is sent to the network forwarding device. This configuration information instructs the network forwarding device to configure static ARP, which includes the IP address of the first device and the MAC address of the access device. The static ARP is used by the network forwarding device to send a response message to the access device based on the IP address of the first device and the MAC address of the access device after receiving the response message from the second device. If the suspicious message is determined to be an illegal message, the sending of the response message to the first device through the network forwarding device shall be prohibited.

2. The message forwarding method according to claim 1, characterized in that, The method further includes: If the suspicious message is determined to be an illegal message, the response message is discarded, a rejection response message is generated, and the rejection response message is sent to the first device through the network forwarding device.

3. The message forwarding method according to claim 1, characterized in that, The method further includes: If the suspicious packet is determined to be a legitimate packet, the network forwarding device is controlled to delete the static ARP, modify the source MAC address in the response packet to the MAC address of the second device, and modify the destination MAC address in the response packet to the MAC address of the network forwarding device. The modified response message is sent to the network forwarding device, and the modified response message is used to instruct the network forwarding device to forward the modified response message to the first device.

4. The message forwarding method according to claim 3, characterized in that, The method further includes: If the suspicious message is determined to be a legitimate message, the pseudo-session tag of the session corresponding to the request message is deleted. The pseudo-session tag is a tag added to the session when the mirror message is determined to be a suspicious message.

5. The message forwarding method according to claim 1, characterized in that, The method further includes: If a mirror image of a request message sent by the first device to the second device is obtained, the destination IP address and source IP address in the mirror image are determined. If the mirrored packet is determined to be a legitimate packet based on the destination IP address and the source IP address, the mirrored packet is discarded.

6. A message forwarding method, characterized in that, Applied to network forwarding devices, the method includes: The access device receives configuration information sent by the access device, which is sent when the access device obtains a mirror message of a request message sent by the first device to the second device and determines that the mirror message is a suspicious message. Configure static ARP based on the configuration information, wherein the static ARP includes the IP address of the first device and the MAC address of the access device; Upon receiving a response message to the request message sent by the second device, the access device sends the response message to the access device based on the MAC address of the access device in the static ARP and the IP address of the first device. The response message is used to instruct the access device to prohibit the sending of the response message to the first device through the network forwarding device if it determines that the suspicious message is an illegal message.

7. The packet forwarding method according to claim 6, characterized in that the method further comprises: receiving a modified response packet sent by the access device, the modified response packet being sent by the access device after it receives the response packet and determines that the suspicious packet is a legitimate packet, by controlling the network forwarding device to delete the static ARP, modifying the source MAC address in the response packet to the MAC address of the second device, and modifying the destination MAC address in the response packet to the MAC address of the network forwarding device; and forwarding the modified response packet to the first device.
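As an added illustration (not code from the patent), a small Python model of the static-ARP detour in claims 3, 6 and 7: while the entry exists, the forwarding device resolves the first device's IP to the access device's MAC; the access device then either blocks the response or clears the entry, rewrites the MAC addresses and hands the frame back for normal forwarding. All device addresses, the "suspicious" decision and the legality verdict are constructed inputs.

```python
# Added example (not the patent's code): model of the static-ARP detour in
# claims 3, 6 and 7. MACs, IPs and verdicts below are constructed inputs.
from collections import namedtuple
from dataclasses import dataclass, field
Frame = namedtuple("Frame", "src_mac dst_mac src_ip dst_ip payload")

@dataclass
class ForwardingDevice:
    mac: str
    arp: dict = field(default_factory=dict)         # learned IP -> MAC
    static_arp: dict = field(default_factory=dict)  # configured IP -> MAC, wins over learned
    delivered: list = field(default_factory=list)   # (next-hop MAC, payload) handed off

    def forward(self, frame):
        """Resolve the destination IP; a static entry overrides the learned one."""
        nh = self.static_arp.get(frame.dst_ip, self.arp[frame.dst_ip])
        self.delivered.append((nh, frame.payload))
        return nh

@dataclass
class AccessDevice:
    mac: str
    fwd: ForwardingDevice
    pseudo_sessions: set = field(default_factory=set)
    blocked: list = field(default_factory=list)

    def on_mirror(self, req, suspicious):
        """Claim 6: pin first device IP -> this MAC; claim 5: legitimate mirror is dropped."""
        if suspicious:
            self.pseudo_sessions.add((req.src_ip, req.dst_ip))   # claim 4 pseudo-session tag
            self.fwd.static_arp[req.src_ip] = self.mac

    def on_response(self, resp, second_mac, illegal):
        """Claims 3/7: block, or clear the entry, rewrite MACs and hand the frame back."""
        if illegal:
            self.blocked.append(resp.payload)   # never reaches the first device
            return None
        self.fwd.static_arp.pop(resp.dst_ip, None)
        self.pseudo_sessions.discard((resp.dst_ip, resp.src_ip))
        fixed = Frame(second_mac, self.fwd.mac, resp.src_ip, resp.dst_ip, resp.payload)
        return self.fwd.forward(fixed)

def run(illegal):
    """One request/response round trip; returns (deliveries, blocked, static ARP)."""
    fwd = ForwardingDevice("aa:00", {"10.0.0.1": "11:11", "10.0.0.2": "22:22"})
    acc = AccessDevice("cc:cc", fwd)
    acc.on_mirror(Frame("11:11", "aa:00", "10.0.0.1", "10.0.0.2", "GET"), suspicious=True)
    resp = Frame("22:22", "aa:00", "10.0.0.2", "10.0.0.1", "200 OK")
    if fwd.forward(resp) == acc.mac:          # static entry diverts it to the access device
        acc.on_response(resp, "22:22", illegal)
    return fwd.delivered, acc.blocked, dict(fwd.static_arp)
```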

8. A packet forwarding apparatus, characterized in that it comprises: a sending module configured to send configuration information to the network forwarding device when a mirrored packet of a request packet sent by the first device to the second device is obtained and the mirrored packet is determined to be a suspicious packet, the configuration information being used to instruct the network forwarding device to configure static ARP, the static ARP comprising the IP address of the first device and the MAC address of the access device, and the static ARP being used, after the network forwarding device receives a response packet sent by the second device, to send the response packet to the access device based on the IP address of the first device and the MAC address of the access device; and a processing module configured to, upon determining that the suspicious packet is an illegal packet, prohibit the sending of the response packet to the first device through the network forwarding device.

9. A packet forwarding apparatus, characterized in that it comprises: a receiving module configured to receive configuration information sent by the access device, the configuration information being sent by the access device when it obtains a mirrored packet of a request packet sent by the first device to the second device and determines that the mirrored packet is a suspicious packet; a configuration module configured to configure static ARP based on the configuration information, wherein the static ARP comprises the IP address of the first device and the MAC address of the access device; and a sending module configured to, upon receiving a response packet to the request packet sent by the second device, send the response packet to the access device based on the MAC address of the access device in the static ARP and the IP address of the first device, the response packet being used to instruct the access device to prohibit the sending of the response packet to the first device through the network forwarding device if it determines that the suspicious packet is an illegal packet.

10. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that when the processor executes the computer program, it implements the packet forwarding method according to any one of claims 1 to 5, or the packet forwarding method according to claim 6 or 7.