A message processing method and device and related equipment

By establishing a preset routing protocol neighbor relationship between the security service chain link orchestrator and security network elements, dynamic routing rules are automatically generated, solving the problems of low deployment efficiency and high operation and maintenance costs in traditional service chain link orchestration. This achieves intelligent and centralized traffic management, improving the flexibility of business deployment and operation and maintenance efficiency.

CN122372479APending Publication Date: 2026-07-10NEW H3C TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
NEW H3C TECH CO LTD
Filing Date
2026-06-09
Publication Date
2026-07-10

AI Technical Summary

Technical Problem

Traditional service chain orchestration schemes require manual configuration of complex policy routing in dual-arm mode, resulting in problems such as low deployment efficiency, high operation and maintenance costs, inconsistent policies, and slow fault recovery.

Method used

By establishing a preset routing protocol neighbor relationship between the security service chain orchestrator and each security network element, dynamic routing rules are automatically generated and dynamically sent to the data plane through the preset routing protocol, thereby realizing intelligent and centralized management of traffic guidance strategies.

Benefits of technology

It achieves complete decoupling between the network control layer and the forwarding layer, significantly shortens service launch time, reduces the risk of configuration errors, ensures the consistency and accuracy of network-wide policies, and improves operational efficiency and service deployment agility.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122372479A_ABST
    Figure CN122372479A_ABST
Patent Text Reader

Abstract

This application relates to the field of network communication technology, and in particular to a message processing method, apparatus, and related equipment. The method includes: acquiring interface information of each security network element in a network; determining, based on service intent and network topology, the target security network elements included in the target service chain corresponding to the service intent, and the IP address of the target server protected by the target service chain; generating a first dynamic route for each target security network element, wherein the first dynamic route is used to match a first message whose destination IP address is the IP address of the target server, and modifying the next hop of the first message to the first gateway of the service interface connecting the target security network element to the target server; and sending the first dynamic route to the target security network element based on a preset routing protocol neighbor relationship, so that when the target security network element receives a first message whose destination IP address is the IP address of the target server, it forwards the first message based on the first dynamic route.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of network communication technology, and in particular to a message processing method, apparatus and related equipment. Background Technology

[0002] With the migration of enterprise businesses to the cloud and digital transformation, it has become commonplace for enterprise intranet servers to provide web services to the outside world. To ensure business security, enterprises typically deploy multiple security network elements (such as service nodes (SNs)) in series at the network boundary or critical paths when providing web services from their intranet servers. For example, suppose SN1, SN2, and SN3 are an IPS (Intrusion Prevention System), a firewall, and a WAF (Web Application Firewall), respectively, forming a service chain.

[0003] Currently, traditional service chain orchestration schemes (such as SSLO (Secure Service Link Orchestration)) have two deployment modes when guiding traffic through these security network elements: single-arm mode and dual-arm mode. In dual-arm mode, traffic needs to enter sequentially from the ingress of the security network element (e.g., port 1), undergo security processing, and then exit from its egress (e.g., port 2) before being directed to the next hop.

[0004] However, in the traditional two-arm model of SSLO service chain orchestration, network engineers need to manually write complex policy-based routing (PBR) on each security network element to guide traffic in and out. This process is time-consuming, error-prone, and difficult to verify. Service chain deployment and changes are a serial, manual process involving logging into and configuring multiple devices one by one, resulting in long cycles for new service launches or policy adjustments. The configuration syntax for policy routing varies from vendor to vendor, making it complex and inconsistent. Daily maintenance and troubleshooting are difficult, requiring highly skilled engineers and incurring high operational costs. Policies are distributed across various network elements, making unified management and auditing difficult. Any configuration deviation can lead to traffic loops, outages, or security policy vulnerabilities. When a security network element fails, engineers need to manually locate the problem and modify the policy routes of related network elements one by one to bypass the fault point; recovery time is often measured in hours, resulting in significant business impact. Summary of the Invention

[0005] This application provides a message processing method, apparatus, and related equipment.

[0006] Firstly, this application provides a message processing method applied to a security service chain link orchestrator, wherein the security service chain link orchestrator establishes a preset routing protocol neighbor relationship with each security network element in the network; the method includes: Obtain the interface information of each security network element included in the network; Based on the business intent and network topology, determine the target security network elements included in the target service chain corresponding to the business intent, as well as the IP address of the target server protected by the target service chain; For each target security network element, a first dynamic route is generated, wherein the first dynamic route is used to match the first packet whose destination IP address is the IP address of the target server, and modify the next hop of the first packet to the first gateway of the service interface of the target security network element connecting to the target server. Based on the preset routing protocol neighbor relationship, the first dynamic route is sent to the target security network element, so that when the target security network element receives a first packet with the destination IP address being the IP address of the target server, it forwards the first packet based on the first dynamic route.

[0007] Optionally, the method further includes: Based on the source IP address of the first message, determine the client IP address that accesses the target server; For each target security network element, a second dynamic route is generated. The second dynamic route is used to match a second packet whose destination IP address is the client's IP address, and to modify the next hop of the second packet to the second dynamic route of the second gateway connecting the target security network element to the service interface on the client side. Based on the preset routing protocol neighbor relationship, the second dynamic route is sent to the target security network element, so that when the target security network element receives a second packet with the destination IP address being the client's IP address, it forwards the second packet based on the second dynamic route.

[0008] Optionally, the preset routing protocol neighbor relationship is a Border Gateway Protocol (BGP) neighbor relationship; or, The preset routing protocol neighbor relationship is the Interior Gateway Protocol (IGP) neighbor relationship.

[0009] Optionally, the first dynamic route and the second dynamic route are GUARD routes.

[0010] Optionally, the step of obtaining the interface information of each security network element included in the network includes: Obtain the interface identifier and interface IP address of the service interface connected to the server side and the interface identifier and interface IP address of the business interface connected to the client side on each security network element included in the network.

[0011] Secondly, this application provides a message processing apparatus applied to a security service chain link orchestrator, wherein the security service chain link orchestrator establishes a preset routing protocol neighbor relationship with each security network element in the network; the apparatus includes: The acquisition unit is used to acquire the interface information of each security network element included in the network. The determining unit is used to determine, based on the business intent and network topology, the target security network elements included in the target service chain corresponding to the business intent, and the IP address of the target server protected by the target service chain; The generation unit is used to generate a first dynamic route for each target security network element, wherein the first dynamic route is used to match a first packet whose destination IP address is the IP address of the target server, and modify the next hop of the first packet to the first gateway of the service interface connecting the target security network element to the target server. The sending unit is configured to send the first dynamic route to the target security network element based on the preset routing protocol neighbor relationship, so that when the target security network element receives a first packet whose destination IP address is the IP address of the target server, it forwards the first packet based on the first dynamic route.

[0012] Optionally, the determining unit is further configured to determine the client IP address accessing the target server based on the source IP address of the first message; The generation unit is further configured to generate a second dynamic route for each target security network element, wherein the second dynamic route is used to match a second packet whose destination IP address is the client IP address, and modify the next hop of the second packet to the second dynamic route of the second gateway of the target security network element connecting to the service interface on the client side. The sending unit is further configured to send the second dynamic route to the target security network element based on the preset routing protocol neighbor relationship, so that when the target security network element receives a second packet with the destination IP address being the client IP address, it forwards the second packet based on the second dynamic route.

[0013] Optionally, the preset routing protocol neighbor relationship is a Border Gateway Protocol (BGP) neighbor relationship; or, The preset routing protocol neighbor relationship is the Interior Gateway Protocol (IGP) neighbor relationship.

[0014] Optionally, the first dynamic route and the second dynamic route are GUARD routes.

[0015] Optionally, when obtaining the interface information of each security network element included in the network, the obtaining unit is specifically used for: Obtain the interface identifier and interface IP address of the service interface connected to the server side and the interface identifier and interface IP address of the business interface connected to the client side on each security network element included in the network.

[0016] Thirdly, embodiments of this application provide a message processing apparatus, which includes: Memory, used to store program instructions; A processor is configured to invoke program instructions stored in the memory and execute the steps of the method as described in any one of the first aspects above, according to the obtained program instructions.

[0017] Fourthly, embodiments of this application also provide a computer-readable storage medium storing computer-executable instructions for causing a computer to perform the steps of the method as described in any of the first aspects above.

[0018] In summary, the message processing method provided in this application is applied to a security service chain orchestrator, which establishes a preset routing protocol neighbor relationship with each security network element in the network. The method includes: obtaining the interface information of each security network element in the network; determining the target security network element included in the target service chain corresponding to the service intent and the IP address of the target server protected by the target service chain based on the service intent and network topology; generating a first dynamic route for each target security network element, wherein the first dynamic route is used to match a first message whose destination IP address is the IP address of the target server, and modifying the next hop of the first message to the first gateway of the service interface of the target security network element connecting to the target server; and sending the first dynamic route to the target security network element based on the preset routing protocol neighbor relationship, so that when the target security network element receives a first message whose destination IP address is the IP address of the target server, it forwards the first message based on the first dynamic route.

[0019] Using the message processing method provided in this application, the secure service chain orchestrator automatically generates dynamic routing rules based on the service chain's business intent and topology, and dynamically sends them to the data plane via a preset routing neighbor protocol. This achieves complete decoupling between the network control layer and the forwarding layer, making the generation, distribution, and management of traffic guidance policies fully intelligent and centralized, which is a key practice in building software-defined networked service chains.

[0020] This completely abandons the traditional model of manually configuring complex policy routes on numerous security network elements one by one, evolving into a unified orchestration and automatic deployment by the controller (an integrated security service chain orchestrator). This significantly shortens service deployment time to minutes and greatly reduces the risk of configuration errors caused by manual operation, while ensuring high consistency and accuracy of network-wide policies, thereby comprehensively improving operational efficiency and service deployment agility. Attached Figure Description

[0021] To more clearly illustrate the technical solutions in the embodiments of this application or the prior art, the drawings used in the description of the embodiments of this application or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments recorded in this application. For those skilled in the art, other drawings can be obtained based on these drawings of the embodiments of this application.

[0022] Figure 1 A detailed flowchart of a message processing method provided for an embodiment of this application; Figure 2 A network topology diagram provided for an embodiment of this application; Figure 3 This is a schematic diagram of the structure of a message processing device provided in an embodiment of this application; Figure 4 This is a schematic diagram of the hardware architecture of a message processing device provided in an embodiment of this application. Detailed Implementation

[0023] The terminology used in the embodiments of this application is for the purpose of describing particular embodiments only and is not intended to limit the application. The singular forms “a,” “the,” and “the” as used in this application and claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term “and / or” as used herein refers to any and all possible combinations comprising one or more of the associated listed items.

[0024] It should be understood that although the terms first, second, third, etc., may be used to describe various information in embodiments of this application, such information should not be limited to these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of this application, first information may also be referred to as second information, and similarly, second information may also be referred to as first information. Depending on the context, the word "if" may also be interpreted as "when," "when," or "in response to a determination."

[0025] This application provides a new solution that enables centralized orchestration, automatic distribution, and intelligent scheduling of service chain traffic, thereby solving the problems of low deployment efficiency, high operation and maintenance costs, inconsistent policies, and slow fault recovery caused by relying on manual configuration of policy routing on each network element in the existing dual-arm mode service chain.

[0026] For example, see Figure 1 The diagram shown is a detailed flowchart of a message processing method provided in an embodiment of this application. This method is applied to a security service chain link orchestrator, which establishes a preset routing protocol neighbor relationship with each security network element in the network. The method includes the following steps: Step 100: Obtain the interface information of each security network element included in the network.

[0027] In this embodiment, the security service chain orchestrator can be integrated on the controller or it can be a separate third-party hardware device. In this embodiment, no specific limitation is made.

[0028] The security service chain orchestrator can sense and obtain the network topology of the managed network. That is, when any network device (including security network elements) in the network starts up and goes online, it will register with the security service chain orchestrator. Therefore, when a security network element starts up and goes online and registers with the security service chain orchestrator, the security service chain orchestrator can obtain the interface information of the security network element.

[0029] In this embodiment of the application, when obtaining the interface information of each security network element included in the network, a preferred implementation method is as follows: Obtain the interface identifier and interface IP address of the service interface connected to the server side and the interface identifier and interface IP address of the business interface connected to the client side on each security network element included in the network.

[0030] For example, see Figure 2 The diagram illustrates a network topology according to an embodiment of this application. A controller (not shown) manages the network, which integrates an SSLO. The network includes various network devices (e.g., switches, routers) within the SSLO service chain, as well as security network elements (e.g., IPS, firewalls, and WAFs) used for security checks on service traffic. The controller maintains the network topology. When a security network element (e.g., SN1) is launched and registered with the SSLO, the controller obtains the interface identifier (e.g., T1 / 0 / 1, port 1) and interface IP address (2.2.2.2) of the service interface connecting the security network element to the server (internal network server), and the interface identifier (e.g., T1 / 0 / 2, port 2) and interface IP address (1.1.1.2) of the service interface connecting the security network element to the client (external network client).

[0031] In this embodiment of the application, the actual IP address of the enterprise's internal network server is 6.6.6.6, and the virtual IP address displayed externally is 8.8.8.8, which will be used as an example for illustration.

[0032] Step 110: Based on the business intent and network topology, determine the target security network elements included in the target service chain corresponding to the business intent, and the IP address of the target server protected by the target service chain.

[0033] In practical applications, users need to orchestrate business intents, such as the SSLO service chain that external clients need to pass through when accessing business services provided by the enterprise's intranet server (e.g., VIP: 8.8.8.8), as well as security network elements that need to perform security checks on the forward traffic packets generated by the client accessing the enterprise's intranet server, and the reverse traffic packets of the enterprise's intranet server based on the client's access request response.

[0034] Then, the controller can determine the target security network element (e.g., SN1) included in the target service chain corresponding to the business intent and the network topology, as well as the IP address (e.g., 8.8.8.8) of the target server protected by the target service chain.

[0035] Step 120: Generate the first dynamic route for each target security network element.

[0036] The first dynamic route is used to match a first packet whose destination IP address is the IP address of the target server, and to modify the next hop of the first packet to the first gateway of the service interface of the target security network element connected to the target server.

[0037] In this embodiment, the service chain used by the client (IP address: 7.7.7.7) to access the enterprise intranet server (VIP: 8.8.8.8) is described as the target service chain. The target security network element that the client needs to pass through to access the enterprise intranet server is SN1. Therefore, a first dynamic route is generated for SN1.

[0038] The first dynamic route's matching item is the enterprise intranet server's VIP (8.8.8.8), and the action item is: modify the next hop of the matched packet to the first gateway of the service interface on the target server side connected to the target security network element.

[0039] For example, still refer to Figure 2As shown, the service interface of SN1 is T1 / 0 / 1, and its IP address is 2.2.2.2. According to the network topology, the interface directly connected to the service interface of SN1 on the SSLO service chain is T1 / 0 / 1 of the SSLO service chain device, and its IP address is 2.2.2.1. That is, the first gateway of the service interface on SN1 that connects to the enterprise intranet server is T1 / 0 / 1 of the SSLO service chain device, and the action of the first dynamic route is to modify the next hop of the matched packet to the IP address of the gateway corresponding to the service interface on SN1 that connects to the enterprise intranet server (2.2.2.1).

[0040] In this embodiment of the application, a preferred implementation is that the first dynamic route is a GUARD route.

[0041] Step 130: Based on the preset routing protocol neighbor relationship, send the first dynamic route to the target security network element, so that when the target security network element receives a first packet with the destination IP address being the IP address of the target server, it forwards the first packet based on the first dynamic route.

[0042] In this embodiment, the security service chain orchestrator (controller) pre-establishes a preset routing protocol neighbor relationship with each security network element in the network. In this embodiment, the preset routing protocol can be the Border Gateway Protocol (BGP) or the Interior Gateway Protocol (IGP).

[0043] The controller generates a first dynamic route (the first Guard route) and distributes it to the target security network element (e.g., SN1) through a preset routing protocol neighbor relationship. Taking BGP as the preset routing protocol as an example, the security service chain link orchestrator acts as the BGP Speaker, and SN1 acts as the BGP Listener. The security service chain link orchestrator encapsulates the generated first Guard route rules in a BGP update message and sends it to SN1. These rules are encoded in a specific BGP attribute (e.g., extended community attribute) or a specific NLRI (Network Layer Reachability Information) format so that SN1 can recognize and install them as Guard routes.

[0044] After receiving a BGP update message carrying the first Guard routing rule from the security service chain orchestrator, SN1 parses the message to obtain the first Guard routing rule and installs it into its local Guard routing table. Thus, when SN1 receives a traffic packet with a destination IP address of 8.8.8.8, it modifies the next hop of the traffic packet to 2.2.2.1 based on the first Guard routing rule and sends the traffic packet through the service interface (2.2.2.2).

[0045] Furthermore, in this embodiment of the application, after generating and issuing the first Guard route for the service request traffic packet (forward traffic packet) sent by the client corresponding to the target service chain, it is also necessary to issue the corresponding Guard route for the response traffic packet of the service request in order to guide SN1 to process the response traffic packet.

[0046] Therefore, in this embodiment of the application, the above-mentioned message processing method may further include the following steps: Based on the source IP address of the first message, determine the client IP address that accesses the target server; For each target security network element, a second dynamic route is generated. The second dynamic route is used to match a second packet whose destination IP address is the client's IP address, and to modify the next hop of the second packet to the second dynamic route of the second gateway connecting the target security network element to the service interface on the client side. Based on the preset routing protocol neighbor relationship, the second dynamic route is sent to the target security network element, so that when the target security network element receives a second packet with the destination IP address being the client's IP address, it forwards the second packet based on the second dynamic route.

[0047] In practical applications, the secure service chain orchestrator obtains the source IP address of the first packet in ways including but not limited to the following: Method 1: When defining a "business intent", the administrator defines the source IP of the first packet within the business intent. For example, the business intent may include not only the IP address of the server protected by the corresponding service chain (8.8.8.8), but also the IP address of the client accessing the protected server (7.7.7.7).

[0048] Method 2: Configure the security network element to send the first data packet of a new session to the security service chain link orchestrator. The security service chain link orchestrator extracts the five-tuple information from the data packet reported by the security network element, thereby learning the client IP address 7.7.7.7.

[0049] In other words, it is still combined Figure 2As shown, the client IP address is 7.7.7.7. The reverse traffic packet (service response traffic packet) corresponding to the service request traffic packet (forward traffic packet) sent by the client also needs to pass through SN1. Therefore, the security service chain link orchestrator generates a second dynamic route. The matching item of the second dynamic route is the client's IP address (7.7.7.7). The action item is: modify the next hop of the matched packet to the second gateway of the service interface on the client side connected to the target security network element.

[0050] The service interface of SN1 is T1 / 0 / 2, with an IP address of 1.1.1.2. According to the network topology, the interface directly connected to the service interface of SN1 on the SSLO service chain is T1 / 0 / 2 of the SSLO service chain device, with an IP address of 1.1.1.1. That is, the second gateway of the service interface on SN1 connecting to the enterprise intranet server is T1 / 0 / 2 of the SSLO service chain device. The action of the second dynamic route is to modify the next hop of the matched packet to the IP address (1.1.1.1) of the gateway corresponding to the service interface on SN1 connecting to the client.

[0051] In this embodiment of the application, a preferred implementation is that the second dynamic route is a GUARD route.

[0052] The controller generates a second dynamic route (second Guard route) and distributes it to the target security network element (e.g., SN1) through a preset routing protocol neighbor relationship. Taking BGP as the preset routing protocol as an example, the security service chain link orchestrator acts as the BGP Speaker, and SN1 acts as the BGP Listener. The security service chain link orchestrator encapsulates the generated second Guard route rules in a BGP update message and sends it to SN1. These rules are encoded in a specific BGP attribute (e.g., extended community attribute) or a specific NLRI (Network Layer Reachability Information) format so that SN1 can recognize and install them as Guard routes.

[0053] After receiving the BGP update message carrying the second Guard routing rule from the security service chain orchestrator, SN1 parses the second Guard routing rule and installs it into its local Guard routing table. Thus, when SN1 receives a traffic packet with a destination IP address of 7.7.7.7, it modifies the next hop of the traffic packet to 1.1.1.1 based on the second Guard routing rule and sends the traffic packet through the service interface (1.1.1.2).

[0054] For example, see Figure 3The diagram shown is a structural schematic of a message processing device provided in an embodiment of this application. This device is applied to a secure service chain link orchestrator, which establishes a preset routing protocol neighbor relationship with each secure network element in the network. The device includes: The acquisition unit 30 is used to acquire the interface information of each security network element included in the network; The determining unit 31 is used to determine, based on the business intent and network topology, the target security network elements included in the target service chain corresponding to the business intent, and the IP address of the target server protected by the target service chain; The generation unit 32 is used to generate a first dynamic route for each target security network element, wherein the first dynamic route is used to match a first packet whose destination IP address is the IP address of the target server, and modify the next hop of the first packet to the first gateway of the service interface of the target security network element connecting to the target server. The sending unit 33 is used to send the first dynamic route to the target security network element based on the preset routing protocol neighbor relationship, so that when the target security network element receives a first packet whose destination IP address is the IP address of the target server, it forwards the first packet based on the first dynamic route.

[0055] Optionally, the determining unit 31 is further configured to determine the client IP address accessing the target server based on the source IP address of the first message; The generation unit 32 is further configured to generate a second dynamic route for each target security network element, wherein the second dynamic route is used to match a second packet whose destination IP address is the client IP address, and modify the next hop of the second packet to the second dynamic route of the second gateway of the target security network element connecting to the service interface on the client side. The sending unit 33 is further configured to send the second dynamic route to the target security network element based on the preset routing protocol neighbor relationship, so that when the target security network element receives a second packet with the destination IP address being the client IP address, it forwards the second packet based on the second dynamic route.

[0056] Optionally, the preset routing protocol neighbor relationship is a Border Gateway Protocol (BGP) neighbor relationship; or, The preset routing protocol neighbor relationship is the Interior Gateway Protocol (IGP) neighbor relationship.

[0057] Optionally, the first dynamic route and the second dynamic route are GUARD routes.

[0058] Optionally, when obtaining the interface information of each security network element included in the network, the obtaining unit 30 is specifically used for: Obtain the interface identifier and interface IP address of the service interface connected to the server side and the interface identifier and interface IP address of the business interface connected to the client side on each security network element included in the network.

[0059] These units can be one or more integrated circuits configured to implement the above methods, such as one or more Application Specific Integrated Circuits (ASICs), one or more digital signal processors (DSPs), or one or more Field Programmable Gate Arrays (FPGAs). Alternatively, when one of these units is implemented using processing element scheduler code, the processing element can be a general-purpose processor, such as a Central Processing Unit (CPU) or other processor capable of calling program code. Furthermore, these units can be integrated together to form a system-on-a-chip (SOC).

[0060] Furthermore, regarding the message processing apparatus provided in this application embodiment, from a hardware perspective, the hardware architecture schematic diagram of the message processing apparatus can be found in [reference needed]. Figure 4 As shown, the message processing device may include: a memory 40 and a processor 41. The memory 40 is used to store program instructions; the processor 41 calls the program instructions stored in the memory 40 and executes the above method embodiment according to the obtained program instructions. The specific implementation method and technical effect are similar, and will not be described again here.

[0061] Optionally, this application also provides a controller, including at least one processing element (or chip) for performing the above method embodiments.

[0062] Optionally, this application also provides a program product, such as a computer-readable storage medium storing computer-executable instructions for causing the computer to perform the above-described method embodiments.

[0063] Here, a machine-readable storage medium can be any electronic, magnetic, optical, or other physical storage device that can contain or store information, such as executable instructions, data, etc. For example, a machine-readable storage medium can be: RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, storage drives (such as hard disk drives), solid-state drives, any type of storage disk (such as optical discs, DVDs, etc.), or similar storage media, or combinations thereof.

[0064] The systems, devices, modules, or units described in the above embodiments can be implemented by computer chips or entities, or by products with certain functions. A typical implementation device is a computer, which can take the form of a personal computer, laptop computer, cellular phone, camera phone, smartphone, personal digital assistant, media player, navigation device, email sending and receiving device, game console, tablet computer, wearable device, or any combination of these devices.

[0065] For ease of description, the above devices are described separately by function as various units. Of course, in implementing this application, the functions of each unit can be implemented in one or more software and / or hardware.

[0066] Those skilled in the art will understand that embodiments of this application can be provided as methods, systems, or computer program products. Therefore, this application can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, embodiments of this application can take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

[0067] This application is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of this application. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, generate instructions for implementing the flowchart... Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.

[0068] Furthermore, these computer program instructions can also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in the process. Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.

[0069] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable equipment for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.

[0070] The above description is merely a preferred embodiment of this application and is not intended to limit this application. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the scope of protection of this application.

Claims

1. A message processing method, characterized in that, The method is applied to a security service chain link orchestrator, wherein the security service chain link orchestrator establishes a preset routing protocol neighbor relationship with each security network element in the network; the method includes: Obtain the interface information of each security network element included in the network; Based on the business intent and network topology, determine the target security network elements included in the target service chain corresponding to the business intent, as well as the IP address of the target server protected by the target service chain; For each target security network element, a first dynamic route is generated, wherein the first dynamic route is used to match the first packet whose destination IP address is the IP address of the target server, and modify the next hop of the first packet to the first gateway of the service interface of the target security network element connecting to the target server. Based on the preset routing protocol neighbor relationship, the first dynamic route is sent to the target security network element, so that when the target security network element receives a first packet with the destination IP address being the IP address of the target server, it forwards the first packet based on the first dynamic route.

2. The method as described in claim 1, characterized in that, The method further includes: Based on the source IP address of the first message, determine the client IP address that accesses the target server; For each target security network element, a second dynamic route is generated. The second dynamic route is used to match a second packet whose destination IP address is the client's IP address, and to modify the next hop of the second packet to the second dynamic route of the second gateway connecting the target security network element to the service interface on the client side. Based on the preset routing protocol neighbor relationship, the second dynamic route is sent to the target security network element, so that when the target security network element receives a second packet with the destination IP address being the client's IP address, it forwards the second packet based on the second dynamic route.

3. The method as described in claim 1 or 2, characterized in that, The preset routing protocol neighbor relationship is a Border Gateway Protocol (BGP) neighbor relationship; or... The preset routing protocol neighbor relationship is the Interior Gateway Protocol (IGP) neighbor relationship.

4. The method as described in claim 2, characterized in that, The first dynamic route and the second dynamic route are GUARD routes.

5. The method as described in claim 1, characterized in that, The steps for obtaining the interface information of each security network element included in the network include: Obtain the interface identifier and interface IP address of the service interface connected to the server side and the interface identifier and interface IP address of the business interface connected to the client side on each security network element included in the network.

6. A message processing apparatus, characterized in that, An application is provided in a security service chain link orchestrator, wherein the security service chain link orchestrator establishes a preset routing protocol neighbor relationship with each security network element in the network; the device includes: The acquisition unit is used to acquire the interface information of each security network element included in the network. The determining unit is used to determine, based on the business intent and network topology, the target security network elements included in the target service chain corresponding to the business intent, and the IP address of the target server protected by the target service chain; The generation unit is used to generate a first dynamic route for each target security network element, wherein the first dynamic route is used to match a first packet whose destination IP address is the IP address of the target server, and modify the next hop of the first packet to the first gateway of the service interface connecting the target security network element to the target server. The sending unit is configured to send the first dynamic route to the target security network element based on the preset routing protocol neighbor relationship, so that when the target security network element receives a first packet whose destination IP address is the IP address of the target server, it forwards the first packet based on the first dynamic route.

7. The apparatus as claimed in claim 6, characterized in that, The determining unit is further configured to determine the client IP address accessing the target server based on the source IP address of the first message; The generation unit is further configured to generate a second dynamic route for each target security network element, wherein the second dynamic route is used to match a second packet whose destination IP address is the client IP address, and modify the next hop of the second packet to the second dynamic route of the second gateway of the target security network element connecting to the service interface on the client side. The sending unit is further configured to send the second dynamic route to the target security network element based on the preset routing protocol neighbor relationship, so that when the target security network element receives a second packet with the destination IP address being the client IP address, it forwards the second packet based on the second dynamic route.

8. The apparatus as claimed in claim 6 or 7, characterized in that, The preset routing protocol neighbor relationship is a Border Gateway Protocol (BGP) neighbor relationship; or... The preset routing protocol neighbor relationship is the Interior Gateway Protocol (IGP) neighbor relationship.

9. The apparatus as claimed in claim 7, characterized in that, The first dynamic route and the second dynamic route are GUARD routes.

10. The apparatus as claimed in claim 6, characterized in that, When obtaining the interface information of each security network element included in the network, the obtaining unit is specifically used for: Obtain the interface identifier and interface IP address of the service interface connected to the server side and the interface identifier and interface IP address of the business interface connected to the client side on each security network element included in the network.

11. A message processing apparatus, characterized in that, The message processing device includes: Memory, used to store program instructions; A processor is configured to invoke program instructions stored in the memory and execute the steps of the method as described in any one of claims 1-5 according to the obtained program instructions.

12. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores computer-executable instructions for causing the computer to perform the steps of the method as described in any one of claims 1-5.