Method, apparatus, network device, and storage medium for generating security entries
The method generates security entries using link status information to verify packet authenticity, effectively preventing source address spoofing and enhancing network security.
Patent Information
- Authority / Receiving Office
- JP · JP
- Patent Type
- Applications
- Current Assignee / Owner
- NEW H3C TECH CO LTD
- Filing Date
- 2023-09-12
- Publication Date
- 2026-06-16
AI Technical Summary
Attackers can compromise network security by forging source addresses, leading to unauthorized access, resource theft, and evasion of supervision, making it difficult to trace illegal activities.
A method and apparatus for generating security entries based on link status information, including ingress interface identifiers and source prefixes, to verify the authenticity of packets and prevent spoofing.
Enhances network security by identifying and blocking packets with spoofed source addresses, preventing resource theft and unauthorized access.
Smart Images

Figure 2026519465000001_ABST
Abstract
Description
Technical Field
[0001] The present invention relates to the field of network communication technology, and particularly to a method, apparatus, network device, and storage medium for generating security entries.
Background Art
[0002] In a communication network, a network device transfers a packet according to the destination address of the packet. However, an attacker can attack the network by using a forged source address, resulting in many network security problems.
[0003] As shown in FIG. 1, each host can access the Internet via an access network. For example, attack host A forges the source address of legitimate host B and launches a malicious attack on an important site, rendering the important site inaccessible, thereby preventing legitimate users from using important services. Attack host E forges the source address of legitimate host D, accesses the Internet, and can perform illegal network activities. Moreover, the attacker can hide his identity and location, making it impossible for the supervision and management platform to trace illegal network activities. Further, for example, attack host H forges the source address of legitimate host G and can steal the network resources of legitimate host G, thus interfering with the billing, management, and security authentication, etc., performed by the billing system for the actual source address, and causing many network resources to be stolen.
Summary of the Invention
Problems to be Solved by the Invention
[0004] The objective of the embodiments of the present invention is to provide a method, apparatus, network device, and storage medium for generating security entries to improve network security. The specific technical solution is as follows.
Means for Solving the Problems
[0005] In the first aspect, an embodiment of the present invention provides a method for generating security entries, the method for generating security entries being applied to a first network device, the first network device including a first interface which is an ingress interface for receiving target link status information, and the method for generating security entries is Obtaining the target link status information from the link status database, wherein the target link status information includes a first source prefix, The method includes generating a security entry for the ingress interface, wherein the security entry includes the identifier of the ingress interface and the first source prefix.
[0006] In one possible embodiment, obtaining the target link status information from the link status database is: Retrieving the first link status information of the first network device from the link status database, wherein the first link status information includes the connection relationship between the first network device and one or more network devices of a lower hierarchy. The layer one level below the current traversal layer is defined as the current traversal layer, and for each network device in the current traversal layer, the second link status information of that network device is retrieved from the link status database. If the second link status information includes a source prefix, the second link status information shall be the target link status information. If the second link status information includes the connection relationship between the network device and one or more network devices in a lower tier, the lower tier shall be set as the current traversal tier. The process includes repeatedly performing the following steps for each network device in the current traversal hierarchy: searching the link state database for the second link state information of the network device until it is determined that the network device in the current traversal hierarchy does not have network devices in the hierarchy below it; if the second link state information includes a source prefix, setting the second link state information as the target link state information; and if the second link state information includes connection relationships between the network device and one or more network devices in the hierarchy below it, setting the hierarchy below it as the current traversal hierarchy.
[0007] In one possible embodiment, the network device one level below is another network device in the AS domain other than the first network device.
[0008] In one possible embodiment, the objective link state information further includes an access tag corresponding to the first source prefix, and after generating a security entry for the ingress interface, the method for generating the security entry further includes: The process involves retrieving third link status information, including the access tag, from the link status database, wherein the third link status information includes a second source prefix corresponding to the access tag. This includes adding the second source prefix to the security entry.
[0009] In one possible embodiment, an access tag is placed on the ingress interface, and the method for generating the security entry further includes: The process involves retrieving fourth link status information, including the access tag, from the link status database, wherein the fourth link status information includes a third source prefix corresponding to the access tag. This includes generating a security entry for the ingress interface that includes the identifier of the ingress interface and the third source prefix.
[0010] In one possible embodiment, before obtaining the target link state information from the link state database, the method for generating the security entry further: Receiving a first packet transmitted from a network device within the AS domain, wherein the first packet includes the target link status information. This includes storing the aforementioned link status information in the link status database.
[0011] In one possible embodiment, The first packet includes a first TLV containing a first flag bit and an address prefix, the first flag bit indicating that the address prefix is the first source prefix, or The first packet includes a second TLV containing an address prefix, the second TLV includes a first sub-TLV containing the second flag bit, the second flag bit is for indicating that the address prefix contained in the second TLV is the first source prefix, or, The first packet includes a third TLV containing the first source prefix.
[0012] In one possible embodiment, the first TLV, the second TLV, and the third TLV each include a second sub-TLV containing a tag field, the tag field carrying an access tag corresponding to the first source prefix, or The third TLV includes an access tag corresponding to the first source prefix, and the access tag is located in a tag field that precedes the first source prefix and is adjacent to the first source prefix.
[0013] In a second aspect, an embodiment of the present invention provides a security entry generation device, the security entry generation device is applied to a first network device, the first network device includes a first interface which is an ingress interface for receiving target link status information, and the security entry generation device is An acquisition module that acquires the target link status information from a link status database, wherein the target link status information includes a first source prefix, A generation module that generates a security entry for the ingress interface, wherein the security entry includes the identifier of the ingress interface and the first source prefix.
[0014] In one possible embodiment, the acquisition module is The first link status information of the first network device is retrieved from the link status database, and the first link status information includes the connection relationship between the first network device and one or more network devices of a lower hierarchy. The layer one level below the current traversal layer is used, and for each network device in the current traversal layer, the second link status information for that network device is retrieved from the link status database. If the second link status information includes a source prefix, the second link status information is used as the target link status information. If the second link status information includes the connection relationship between the network device and one or more network devices in a lower tier, the lower tier is set as the current traversal tier. Until it is determined that the network device in the current traversal layer does not have a network device in the next lower layer, for each network device in the current traversal layer, search for the second link state information of the network device from the link state database. If the second link state information includes a source prefix, use the second link state information as the destination link state information. If the second link state information includes a connection relationship between the network device and one or more network devices in the next lower layer, repeat the process with the next lower layer as the current traversal layer.
[0015] In one possible embodiment, the network device in the next lower layer is a network device other than the first network device within the AS domain.
[0016] In one possible embodiment, the destination link state information further includes an access tag corresponding to the first source prefix. The acquisition module searches for third link state information including the access tag from the link state database. The third link state information includes a second source prefix corresponding to the access tag. The generation module adds the second source prefix to the security entry.
[0017] The acquisition module searches for fourth link state information including the access tag from the link state database. The fourth link state information includes a third source prefix corresponding to the access tag. In one possible embodiment, an access tag is arranged on the ingress interface. The acquisition module searches for fourth link state information including the access tag from the link state database. The fourth link state information includes a third source prefix corresponding to the access tag. The generation module generates a security entry including the identifier of the ingress interface and the third source prefix for the ingress interface.
[0018] In one possible embodiment, the security entry generation device further includes A receiving module that receives a first packet transmitted from a network device within an AS domain, wherein the first packet includes the destination link state information, and the receiving module; A storage module that stores the destination link state information in the link state database.
[0019] In one possible embodiment, the first packet includes a first TLV including a first flag bit and an address prefix, and the first flag bit is for indicating that the address prefix is the first source prefix, or The first packet includes a second TLV including an address prefix, and the second TLV includes a first sub-TLV including the second flag bit, and the second flag bit is for indicating that the address prefix included in the second TLV is the first source prefix, or The first packet includes a third TLV including the first source prefix.
[0020] In one possible embodiment, the first TLV, the second TLV, and the third TLV all include a second sub-TLV including a tag field, and the tag field carries an access tag corresponding to the first source prefix, or The third TLV includes an access tag corresponding to the first source prefix, and the access tag is located in a tag field adjacent to and before the first source prefix.
[0021] In a third aspect, an embodiment of the present invention provides a first network device, and the first network device includes a first interface serving as an ingress interface for receiving destination link state information. The first network device includes a processor, a transceiver, and a machine-readable storage medium. The machine-readable storage medium stores machine-executable instructions that can be executed by the processor, and the machine-executable instructions are provided to the processor. Obtaining the target link status information from the link status database, wherein the target link status information includes a first source prefix, The system is configured to generate a security entry for the ingress interface, wherein the security entry includes the identifier of the ingress interface and the first source prefix.
[0022] In one possible embodiment, the machine-executable instruction is transmitted to the processor, Retrieving the first link status information of the first network device from the link status database, wherein the first link status information includes the connection relationship between the first network device and one or more network devices of a lower hierarchy. The layer one level below the current traversal layer is defined as the current traversal layer, and for each network device in the current traversal layer, the second link status information of that network device is retrieved from the link status database. If the second link status information includes a source prefix, the second link status information shall be the target link status information. If the second link status information includes the connection relationship between the network device and one or more network devices in a lower tier, the lower tier shall be set as the current traversal tier. Until it is determined that the network devices currently in the traversal hierarchy do not have network devices in the hierarchy below, the following steps are repeated for each network device in the current traversal hierarchy: the second link state information for that network device is retrieved from the link state database; if the second link state information includes a source prefix, the second link state information is set as the target link state information; and if the second link state information includes a connection relationship between the network device and one or more network devices in the hierarchy below, the hierarchy below is set as the current traversal hierarchy.
[0023] In one possible embodiment, the network device one level below is another network device in the AS domain other than the first network device.
[0024] In one possible embodiment, the objective link state information further includes an access tag corresponding to the first source prefix, The machine-executable instruction is given to the processor, The process involves retrieving third link status information, including the access tag, from the link status database, wherein the third link status information includes a second source prefix corresponding to the access tag. The following actions are performed: adding the aforementioned second source prefix to the security entry.
[0025] In one possible embodiment, an access tag is placed on the ingress interface, The machine-executable instruction is given to the processor, The process involves retrieving fourth link status information, including the access tag, from the link status database, wherein the fourth link status information includes a third source prefix corresponding to the access tag. Further, the system generates a security entry for the ingress interface that includes the identifier of the ingress interface and the third source prefix.
[0026] In one possible embodiment, the machine-executable instruction is transmitted to the processor, Receiving a first packet transmitted from a network device within the AS domain, wherein the first packet includes the target link status information. The process further involves saving the aforementioned target link status information to the link status database.
[0027] In one possible embodiment, the first packet includes a first TLV including a first flag bit and an address prefix, the first flag bit is for indicating that the address prefix is the first source prefix, or The first packet includes a second TLV containing an address prefix, the second TLV includes a first sub-TLV containing the second flag bit, the second flag bit is for indicating that the address prefix contained in the second TLV is the first source prefix, or, The first packet includes a third TLV containing the first source prefix.
[0028] In one possible embodiment, the first TLV, the second TLV, and the third TLV each include a second sub-TLV containing a tag field, the tag field carrying an access tag corresponding to the first source prefix, or The third TLV includes an access tag corresponding to the first source prefix, and the access tag is located in a tag field that precedes the first source prefix and is adjacent to the first source prefix.
[0029] In a fourth aspect, an embodiment of the present invention provides a machine-readable storage medium that stores machine-executable instructions, which, when called and executed by a processor, cause the processor to implement the security entry generation method described in the first aspect.
[0030] In the fifth aspect, an embodiment of the present invention is provided, the computer program product causing the processor to implement the security entry generation method described in the first aspect. [Effects of the Invention]
[0031] According to the proposed technology described above, the first network device can obtain target link state information from a link state database. Since the first interface is an ingress interface that receives the target link state information, a packet with the first source prefix will then enter the first network device via the ingress interface. Therefore, the first network device generates a security entry that includes the identifier of the ingress interface and the first source prefix. Subsequently, based on the security entry, the ingress interface and source prefix of the packet can be verified. This makes it possible to identify packets that spoof the source IP address, prevent the theft of network resources, and improve network security. [Brief explanation of the drawing]
[0032] The drawings described herein are provided for a further understanding of the present invention and constitute part of the present invention. The schematic embodiments and descriptions thereof are used only for interpretation of the present invention and do not constitute an unreasonable limitation of the present invention.
[0033] [Figure 1] Figure 1 is a schematic diagram illustrating the process by which an attacking host attacks a network in the prior art. [Figure 2] Figure 2 is a flowchart of the method for generating security entries provided in an embodiment of the present invention. [Figure 3] Figure 3 is a network topology diagram within an AS domain provided in an embodiment of the present invention. [Figure 4] Figure 4 is an illustrative schematic diagram of a security verification scenario for egress traffic within a domain provided in an embodiment of the present invention. [Figure 5] Figure 5 is an illustrative schematic diagram of a security verification scenario for out-of-domain attack traffic provided in an embodiment of the present invention. [Figure 6] Figure 6 is a network topology diagram within another AS domain provided in an embodiment of the present invention. [Figure 7] Figure 7 is a schematic diagram of the ISIS prefix TLV provided in an embodiment of the present invention. [Figure 8] Figure 8 is a schematic diagram of the extended prefix TLV of OSPFv2 provided in an embodiment of the present invention. [Figure 9] Figure 9 is a schematic diagram of a sub-TLV provided in an embodiment of the present invention. [Figure 10] Figure 10 is a schematic diagram of another sub-TLV provided in the embodiment of the present invention. [Figure 11] Figure 11 is a schematic diagram of the third TLV in the IS-IS protocol provided in an embodiment of the present invention. [Figure 12] Figure 12 is a schematic diagram of an LSA in the OSPFv2 protocol provided in an embodiment of the present invention. [Figure 13] Figure 13 is a schematic diagram of the third TLV in the OSPFv2 protocol provided in an embodiment of the present invention. [Figure 14] Figure 14 is a schematic diagram of an LSA in the OSPFv3 protocol provided in an embodiment of the present invention. [Figure 15] Figure 15 is a schematic diagram of the third TLV in the OSPFv3 protocol provided in an embodiment of the present invention. [Figure 16]Figure 16 is a schematic diagram of the structure of a security entry generation device provided in an embodiment of the present invention. [Figure 17] Figure 17 is a schematic diagram of the structure of an electronic device provided in an embodiment of the present invention. [Modes for carrying out the invention]
[0034] To further clarify the object, claims, and advantages of the present invention, the invention will be described in more detail below with reference to the drawings and examples. Clearly, the examples described are only a selection of the present invention, not all examples. All other examples obtained by those skilled in the art based on the examples in the present invention are within the scope of protection of the present invention.
[0035] To improve network security, embodiments of the present invention provide a method for generating security entries to be applied to a first network device, which may be any network device within an Autonomous System (AS) domain that has Source Address Validation in Intra-domain and Inter-domain Networks (SAVNET) enabled. The first network device includes a first interface, which is an ingress interface for receiving target link state information. As shown in Figure 2, the method includes the following steps.
[0036] In S201, the target link status information is retrieved from the link status database, and the target link status information includes the first source prefix.
[0037] To make it easier to understand, there is a communication path between the network device that transmits the target link status information and the ingress interface of the first network device.
[0038] Here, the link state database in question is the Link State Database (LSDB) on the first network device. The link state database stores link state information that each network device within the AS domain notifies via the Interior Gateway Protocol (IGP).
[0039] If the IGP is an Intermediate System to Intermediate System (IS-IS) protocol, the link state information is LSP. If the IGP is an Open Shortest Path First (OSPF) protocol, the link state information is LSA.
[0040] In S202, a security entry is generated for the ingress interface, and the security entry includes the identifier of the ingress interface and the first source prefix.
[0041] Here, the security entry is for performing security verification on packets received from the ingress interface.
[0042] If the source IP address of a packet received from the ingress interface matches the first source prefix in the security entry, the packet can be determined to be a legitimate packet and allowed to pass through.
[0043] If the source IP address of a packet received from the ingress interface does not match the first source prefix in the security entry, it can be determined that the packet is a packet spoofing another source IP address, and the packet is blocked.
[0044] Furthermore, if the first network device searches for multiple target link status information, it can add the source prefix included in each target link status information to the security entry.
[0045] Here, steps S201 to S202 may be specifically performed by the SAVNET AGENT module in the first network device, that is, the SAVNET AGENT can generate security entries using the SAVNET LSDB information.
[0046] According to this method, the first network device can obtain target link state information from a link state database. Since the first interface is an ingress interface that receives the target link state information, a packet with the first source prefix indicates that it will subsequently enter the first network device via the ingress interface. Therefore, the first network device generates a security entry that includes the identifier of the ingress interface and the first source prefix. Subsequently, based on this security entry, the ingress interface and source prefix of the packet can be verified. This makes it possible to identify packets that spoof the source IP address, prevent the theft of network resources, and improve network security.
[0047] In the embodiment of the present invention, obtaining the target link status information from the link status database in S201 above is specifically achieved in the following steps.
[0048] In step 1, the first link status information of the first network device is retrieved from the link status database.
[0049] Here, the first link status information includes the connection relationship between the first network device and one or more network devices at a lower hierarchical level.
[0050] In the embodiments of the present invention, each network device is an IGP node, and the network device can be identified by its IGP ID. For the IS-IS protocol, the IGP ID is the system ID and level of the network device. For the OSPF protocol, the IGP ID is the routing ID and the area where the network device is located.
[0051] The connection relationships between network devices can be identified by their local address, the other device's address, their local IGP ID, and the other device's IGP ID.
[0052] Furthermore, after the first network device identifies the network device one level below it based on the first link status information, it needs to search in reverse to determine whether the network device one level below it has a link to the first network device. That is, it searches whether the link status information of the network device one level below it includes a connection relationship with the first network device. If there is a bidirectional link between the first network device and the network device one level below it, communication between the first network device and the network device one level below it can be determined, and traversal can be performed on the network device one level below it.
[0053] In the case of different protocols, the representation of the connection relationship in the link status information will differ. The specific representation may follow the provisions of the relevant protocol, and the embodiments of the present invention are not limited thereto.
[0054] If the two ingress interfaces of the first network device are connected to network devices A and B respectively, then devices A and B are network devices one level below the first network device.
[0055] In Step 2, the level one level below is designated as the current traversal level.
[0056] In step 3, for each network device in the current traversal hierarchy, the second link status information for that network device is retrieved from the link status database.
[0057] In step 4, if the second link status information includes a source prefix, the second link status information is used as the target link status information.
[0058] If the second link status information includes a source prefix, a security entry can then be generated that includes the source prefix and the ingress interface identifier.
[0059] For example, the current hierarchy includes network devices A and B, the second link status information of network device A includes source prefix P1, and the second link status information of network device B includes source prefix P2.
[0060] If both network devices A and B have a communication path to interface 1 of the first network device, they can then generate security entries that include interface 1 and source prefixes P1 and P2.
[0061] Alternatively, if network device A has a communication path to interface 1 of the first network device, and network device B has a communication path to interface 2 of the first network device, then a security entry including interface 1 and source prefix P1 can be generated for interface 1, and a security entry including interface 2 and source prefix P2 can be generated for interface 2.
[0062] In step 5, if the second link state information includes the connection relationship between the network device and one or more network devices in the next lower tier, the next lower tier is designated as the current traversal tier.
[0063] In step 6, steps 3 through 5 are repeated until it is confirmed that the network devices currently in the traversal layer do not have any network devices in the layer below them.
[0064] Furthermore, to avoid duplicate traversal, in the steps above, the network device at the next lower tier that is determined each time is always a network device other than the first network device.
[0065] Here, traversal can be performed for each network device at each layer that has a communication path with the first network device within the AS domain, as in steps 3 to 5. This allows the network devices within the AS domain to find the ingress interface corresponding to each source prefix in the first network device that they have learned. This enables the generation of security entries for each ingress interface, thereby improving network security.
[0066] Furthermore, according to this method, each network device can automatically generate security entries based on the link state database. Compared to manual ACL rule methods, in the embodiment of the present invention, manual operation is not required in the security entry generation process, and network devices can adjust security entries in a timely manner according to changes in the network topology, thereby efficiently achieving security for source addresses within a domain.
[0067] The process of generating security entries will be explained below with reference to a specific example. As shown in Figure 3, Figure 3 illustrates six network devices included within one AS domain, labeled Network Devices A through F.
[0068] Here, network device A has ingress interfaces A1 and A2, and an out-of-domain interface connected to an outside domain. Network device B has ingress interfaces B1 and B2. Network device E has ingress interface E1.
[0069] Network device C learned source prefix P1. Network device D learned source prefix P2. Network device F learned source prefix P3.
[0070] We assume that network devices A, B, and E all have the SAVNET function enabled. The following describes how network devices A, B, and E each generate security entries.
[0071] Regarding network device A, network device A retrieved its own LSA1 from the LSDB. LSA1 contains connection information between network device A and network device B, and connection information between network device A and network device E. In other words, the network devices one level down include network devices B and E.
[0072] Network device A then searched the LSDB for network device B's LSA2 and network device E's LSA3. LSA2 contains connection information between network device B and network device C, and between network device B and network device D. LSA3 contains connection information between network device E and network device F. Neither LSA2 nor LSA3 contains a source prefix. As can be seen from this, the network devices one level down include network devices C, D, and F.
[0073] Then, the network devices searched the LSDB for LSA4 of network device C, LSA5 of network device D, and LSA6 of network device F.
[0074] Here, LSA4 includes the source prefix P1. Furthermore, network device A can determine that the ingress interface corresponding to source prefix P1 on network device A is A1 via the communication link C->B->A, and further generates a security entry including P1 and A1.
[0075] LSA5 includes source prefix P2. Furthermore, network device A can determine that the ingress interface corresponding to source prefix P2 on network device A is A1 via the communication link D->B->A, and further generates a security entry including P2 and A1.
[0076] LSA6 includes source prefix P3. Furthermore, network device A can determine that the ingress interface corresponding to source prefix P2 on network device A is A2 via the communication link F->E->A, and further generates security entries including P2 and A2.
[0077] Since network devices C, D, and F do not have any network devices at the next lower tier, the traversal was completed. The security entries generated by network device A are shown in Table 1.
[0078] [Table 1]
[0079] Network devices B and E similarly generated security entries. The security entries generated by network device B are shown in Table 2, and the security entries generated by network device E are shown in Table 3.
[0080] [Table 2]
[0081] [Table 3]
[0082] The security entry described above is applied to a security verification scenario for egress traffic within a domain. As shown in Figure 4, Figure 4 shows two AS domains, AS X and AS Y, respectively. If subnet 2 sends a packet to AS X that spoofs the source address of subnet 1, and the destination address of the packet is an address of subnet 3, then according to the conventional principle of packet forwarding based on the destination address, the packet is forwarded from AS X to AS Y, which corresponds to subnet 2 spoofing the source address of subnet 1. According to an embodiment of the present invention, network equipment in AS X can verify and block the packet based on the security entry, thus avoiding forwarding the packet to AS Y.
[0083] Specifically, if a network device at the lowest level of the AS domain sends a packet with a spoofed source address, that packet will be blocked by the nearest network device one level above it.
[0084] Using Figure 3 as an example, when network device B transmits a packet sent from network device C via interface B1, it obtains the source address of the packet and, based on Table 2, blocks the packet if the source address does not match the source prefix P1.
[0085] Similarly, if network device B receives a packet sent from network device D via interface B2, it will block the packet if, based on Table 2, the source address of the packet does not match the source prefix P2.
[0086] In this way, verification of the authenticity of the source address can be achieved, preventing network devices from forwarding packets with spoofed source addresses, and thereby improving network security.
[0087] The security entry described above is applied to a security verification scenario for attack traffic outside the domain. As shown in Figure 5, Figure 5 shows two AS domains, AS X and AS Y, respectively. If AS X receives a packet sent from AS Y with a spoofed source address within AS X, the packet will be blocked by AS X according to the method of the embodiment of the present invention.
[0088] Using Figure 3 as an example, if network device A receives a packet from an interface connected outside the domain, and the address prefix of the source address of that packet is source prefix P1, the network device can search for a security entry containing that interface and source prefix P1 from the security entries shown in Table 1. If it does not exist, the network device can determine that the packet is an attack packet with a spoofed source address within the domain and blocks the packet.
[0089] In some embodiments of the present invention, the above objective link status information further includes an access tag corresponding to the first source prefix, and in S202 above, after generating a security entry for the ingress interface, the method further... The process involves retrieving third-party link status information containing the access tag from the link status database, wherein the third-party link status information includes a second-party source prefix corresponding to the access tag, and adding the second-party source prefix included in the third-party link status information to a security entry.
[0090] In a scenario where a single subnet is multihoming to an AS domain, that subnet may contain multiple source prefixes. In embodiments of the present invention, the same access tag can be set for source prefixes within the same subnet. This allows multiple source prefixes within the same subnet to be added to the security entry corresponding to the same ingress interface of the first network device, thereby avoiding false blocking of multihoming subnet traffic.
[0091] As shown in Figure 6, Figure 6 illustrates five network devices included within one AS domain, labeled Network Devices A through E.
[0092] Here, network device C has ingress interfaces C1 and C2, network device B has ingress interface B1, network device A has ingress interface A1, and network device D has ingress interface D1.
[0093] Network device A learned source prefix P1, and network device D learned source prefix P2. Furthermore, source prefixes P1 and P2 are source prefixes within the same subnet.
[0094] We assume that network devices A, B, C, and D all have the SAVNET function enabled. The following describes how network devices A, B, C, and D each generate security entries.
[0095] For network device A, it retrieved its own LSA1 from the LSDB. LSA1 contains source prefix P1 and access tag 100 corresponding to source prefix P1. Since the subnet to which source prefix P1 belongs is connected to network device A's ingress interface A1, network device A generated a security entry containing source prefix P1 and ingress interface A1. Furthermore, network device A retrieved other LSAs containing access tag 100 from the LSDB. If LSA2 contains source prefix P2 and access tag 100 corresponding to source prefix P2, P2 was also added to the security entry corresponding to ingress interface A1. The security entries generated by network device A are shown in Table 4.
[0096] [Table 4]
[0097] Regarding network device D, it retrieved its own LSA3 from the LSDB. LSA3 contains source prefix P2 and access tag 100 corresponding to source prefix P2. Since the subnet to which source prefix P2 belongs is connected to network device D's ingress interface D1, network device D generated a security entry containing source prefix P2 and ingress interface D1. Furthermore, network device D retrieved other LSAs containing access tag 100 from the LSDB. If LSA4 contains source prefix P1 and access tag 100 corresponding to source prefix P1, P1 was also added to the security entry corresponding to ingress interface D1. The security entries generated by network device D are shown in Table 5.
[0098] [Table 5]
[0099] Regarding network device B, network device B retrieved its own LSA5 from the LSDB. LSA5 contains connection information between network device B and network device A. Then, network device B retrieved network device A's LSA1 from the LSDB. LSA1 contains source prefix P1 and access tag 100 corresponding to source prefix P1. Since network device A connects to network device B's ingress interface B1, network device B generated a security entry containing source prefix P1 and ingress interface B1.
[0100] Furthermore, network device B searched the LSDB for other LSAs containing access tag 100. If LSA2 contained source prefix P2 and access tag 100 corresponding to source prefix P2, P2 was also added to the security entry corresponding to ingress interface B1. The security entries generated by network device B are shown in Table 6.
[0101] [Table 6]
[0102] Network device C can similarly generate security entries for ingress interface C1 and ingress interface C2, respectively, and the security entries generated by network device C are shown in Table 7.
[0103] [Table 7]
[0104] According to the security entries above, if network device A receives a packet via ingress interface A1 and the source prefix of the packet's source address is P2, network device A can allow the packet to pass through based on the security entries in Table 4, thus avoiding false blocking when subnets are multihoming to a single AS domain and in asymmetric routing scenarios.
[0105] In the above examples of embodiments, the P2P communication scenario in the OSPF protocol was used as an example. That is, the situation where the link status information is LSA was described as an example. In scenarios of other IGP protocols, the representation of link status information differs. Specifically, the rules of the relevant protocol may be referred to; for example, in the IS-IS protocol, the link status information may be LSP. Alternatively, the link status information in the embodiments of the present invention may be connection relationship information of each network device organized based on an LSDB database, and the embodiments of the present invention are not limited to this.
[0106] In some embodiments of the present invention, an access tag is placed on the ingress interface of a first network device. The method further includes retrieving a fourth link state information containing the access tag from a link state database, wherein the fourth link state information contains a third source prefix corresponding to the access tag, and generating a security entry for the ingress interface containing an identifier for the ingress interface and the third source prefix.
[0107] The ingress interface may be any ingress interface on which the access tag of the first network device is located. For example, suppose a subnet contains one source prefix P3, and the subnet can be dual-homing connected to the first network device, where the first network device receives link state information including source prefix P3 via its interface 1. In this case, the first network device can generate a security entry for interface 1 that includes interface 1 and source prefix P3. If the link state information further includes an access tag 200 corresponding to source prefix P3, and an access tag 200 is also located on interface 2 of the first network device, the first network device can further generate a security entry for interface 2 that includes interface 2 and source prefix P3.
[0108] In an embodiment of the present invention, before obtaining the target link status information from the link status database, the first network device can receive a first packet transmitted from a network device within the AS domain, the first packet contains the target link status information, and the first network device further stores the target link status information in the link status database.
[0109] To understand this, the first network device can learn the link status information of each network device within the AS domain and store this information in a link status database. Furthermore, the first network device obtains route connectivity information according to the link status database, that is, it obtains the connection relationships between the first network device and other network devices within the AS domain, searches for the target link status information based on the connection relationships, and generates security entries.
[0110] Here, the first packet is for notifying link status information, and may be, for example, an LSP or LSA in the IGP protocol. The first packet enables source prefix flooding.
[0111] In one embodiment, the first packet includes a first TLV which includes a first flag bit and an address prefix, the first flag bit which indicates that the address prefix is a first source prefix.
[0112] Here, the first TLV is a prefix TLV for carrying the address prefix in the first packet. In an embodiment of the present invention, one bit of the Flags field of the first TLV can be occupied to carry a first flag bit. This is equivalent to extending the Flags field contained in the prefix TLV. This indicates whether the address prefix contained in the prefix TLV is a source prefix for the implementation of SAVNET.
[0113] In another embodiment, the first packet includes a second TLV containing a first sub-TLV, the first sub-TLV containing a second flag bit, the second flag bit indicating that the address prefix contained in the second TLV is the first source prefix.
[0114] Here, the second TLV is a prefix TLV for carrying the address prefix in the first packet. In embodiments of the present invention, for the OSPF protocol, one new first sub-TLV may be added to the second TLV. The value field of this first sub-TLV is for carrying the second flag bit. For the IS-IS protocol, the first sub-TLV is a prefix attribute flag sub-TLV included in the prefix TLV, and can carry the second flag bit by occupying one bit in the Flags field of this prefix attribute flag sub-TLV. This is equivalent to extending the Flags field. This indicates whether the address prefix included in the prefix TLV is a source prefix for SAVNET implementation. In later embodiments, a source prefix for SAVNET implementation is simply called a SAVNET source prefix.
[0115] In embodiments of the present invention, both the first flag bit and the second flag bit are SAVNET Flags and are simply referred to as S-Flags in the following description.
[0116] When a subnet is connected to an AS domain via multihoming, both the first TLV and the second TLV include a second sub-TLV containing a tag field, the tag field being for carrying an access tag corresponding to the first source prefix. In embodiments of the present invention, the access tag may be represented as a SAVNET access tag or as a SAVNET access interface tag.
[0117] The following will provide an example by referring to a specific IGP protocol.
[0118] Using the IS-IS protocol as an example, one unused bit in the Flags field of the prefix attribute flags subTLV can be used to carry the S-Flag, and if the value of the S-Flag is 1, it indicates that the address prefix in the prefix TLV is a SAVNET source prefix.
[0119] Here, the prefix attribute flag sub-TLV is a sub-TLV defined in the RFC7794 standard for carrying IPv4 / IPv6 extended reachability attribute flags.
[0120] As shown in Figure 7, the prefix attribute flag subTLV includes Type, Length, and Value. Here, the value of Type can be 4, the value of Length can be the number of bytes in Value, and the size of Value can be (Length * 8) bits. Value is for carrying the Flags field. Currently, the Flags field includes X, R, and N, and in embodiments of the present invention, a new S-Flag can be added to the Flags field, represented by "S" in Figure 7. "X" in Figure 7 represents the X-Flag, which is an external prefix flag used to indicate that the source prefix has already been relocated according to another protocol. "R" in Figure 7 represents the R-Flag, which is a re-notification flag bit. "N" in Figure 7 represents the N-Flag, which is a node flag bit.
[0121] Alternatively, a sub-TLV can be extended within the prefix TLV, and this sub-TLV is intended to carry the S-Flag. If the S-Flag value is 1, it indicates that the address prefix in the prefix TLV is a SAVNET source prefix.
[0122] When a subnet establishes a multihoming connection to an AS domain, the prefix TLV extends other sub-TLVs, which carry access tags. In this sub-TLV, both the Type and Length fields are 1 byte, and the Value field is the access tag.
[0123] Using OSPFv2 as an example, the extended prefix TLV for OSPFv2 is shown in Figure 8. This extended prefix TLV includes Type, Length, Route Type, Prefix Length, AF (address family), Flags (flag bits), Address Prefix, and Sub-TLVs. Here, both Address Prefix and Sub-TLVs are variable.
[0124] In one embodiment, an S-Flag can be carried by occupying one unused bit in the Flags field. If the value of S-Flags is 1, it indicates that the address prefix in the extended prefix TLV is a SAVNET source prefix.
[0125] In another embodiment, an extended prefix TLV is extended with a sub-TLV that carries S-Flags. If the value of S-Flags is 1, it indicates that the address prefix in the extended prefix TLV is a SAVNET source prefix.
[0126] When a subnet establishes a multihoming connection to an AS domain, the extended prefix TLV extends other sub-TLVs, which are used to carry access tags.
[0127] Here, the Type and Length of the subTLV are both 2 bytes, and the Value portion is the access tag.
[0128] Using OSPFv3 as an example, one sub-TLV may be added to the OSPFv3 Intra-Area Prefix TLV (Inter-Domain Prefix TLV), Inter-Area Prefix TLV (Intra-Domain Prefix TLV), and External Prefix TLV (Extension Prefix TLV). As shown in Figure 9, the sub-TLV includes Type, Length, and Value, where Value is used to carry Prefix Attribute Flags (prefix attribute flag bits), which include an S-Flag. If the value of the S-Flag is 1, the address prefix in the prefix TLV to which the sub-TLV belongs is the SAVNET source prefix.
[0129] When a subnet has multihoming connections to an AS domain, additional sub-TLVs may be added to the Intra-Area Prefix TLV (inter-domain prefix TLV), Inter-Area Prefix TLV (intra-domain prefix TLV), and External Prefix TLV (extended prefix TLV). As shown in Figure 10, these TLVs include Type, Length, and Value, where Value is used to carry the access tag.
[0130] Furthermore, each of the sub-TLVs described in the embodiments of the present invention is applied to TLVs 135, 235, 236, and 237.
[0131] In another embodiment, the first packet includes a third TLV which includes a first source prefix.
[0132] Here, the third TLV is a TLV for carrying the SAVNET source prefix, which is newly added to the first packet in this embodiment of the present invention.
[0133] When a subnet is connected to an AS domain via multihoming, the third TLV includes a second sub-TLV containing a tag field, which carries an access tag corresponding to the first source prefix. Alternatively, the third TLV contains an access tag corresponding to the first source prefix, and this access tag is located before the first source prefix, in a tag field adjacent to it.
[0134] If the IGP protocol is the IS-IS protocol, then, as shown in Figure 11, the third TLV includes Type, Length, Reserved (reserved bits), Access Tag, Flags (flag bits), Algorithm (algorithm), SAVNET SrcSize (source prefix size), SAVNET Src (source prefix), Sub-TLV-len (sub-TLV length), and Sub-TLVs (sub-TLVs). Here, the sub-TLV is variable.
[0135] Here, SAVNET SrcSize represents the length of the SAVNET Src carried in the third TLV. SAVNET Src is the source prefix used in the SAVNET that requires notification. SAVNET Src occupies the bits adjacent to SAVNET SrcSize and is continuously variable. The access tag is the access tag corresponding to the SAVNET Src. The definitions of other fields included in the third TLV follow the rules of the IS-IS protocol and are omitted here.
[0136] If the IGP protocol is the OSPFv2 protocol, and the first packet contains a third TLV, then further extensions to the LSA are required. As shown in Figure 12, the LSA includes LS age (link state time), Options, LS Type (link state type), Opaque Type, Opaque ID, Advertising Router (advertising routing), LS sequence number (link state number), LS checksum (link state checksum), Length, and TLVs (type-length-value). The meaning of each field follows the rules of the OSPFv2 protocol. In embodiments of the present invention, an empty bit in Opaque Type may be used to indicate that the LSA contains one newly added third TLV.
[0137] The format of the third TLV, as shown in Figure 13, includes Type, Length, Route Type, Algorithm, Prefix Length, Prefix Options, Access Tag, SAVNET src, and sub-TLVs. Here, the length of the SAVNET src is 4 octets. The sub-TLV is variable.
[0138] If the IGP protocol is the OSPFv3 protocol, and the first packet contains a third TLV, then further extensions to the LSA are required. As shown in Figure 14, the LSA includes the LS age (link state time), U, S12, Function Code, Link State ID, Advertising Router, LS sequence number, LS checksum, Length field, and TLVs (type-length-value). The meaning of each field follows the rules of the OSPFv3 protocol. In embodiments of the present invention, free bits in the Function Code may be occupied to indicate that the LSA contains one newly added third TLV.
[0139] The format of the third TLV, as shown in Figure 15, includes Type, Length, Route Type, Algorithm, Prefix Length, Prefix Options, Access Tag, SAVNET src, and Sub-TLVs. Here, the SAVNET src occupies 16 consecutive octets.
[0140] Corresponding to the embodiments of the above method, an embodiment of the present invention further provides a security entry generation device, which is applied to a first network device, and the first network device includes a first interface which is an ingress interface for receiving target link status information, and as shown in Figure 16, the security entry generation device is An acquisition module 1601 that acquires target link status information from a link status database, wherein the target link status information includes a first source prefix, and the acquisition module 1601 A generation module 1602 that generates a security entry for an ingress interface, wherein the security entry includes an identifier for the ingress interface and a first source prefix.
[0141] Optionally, acquisition module 1601 is: The first link status information of the first network device is retrieved from the link status database, and the first link status information includes the connection relationships between the first network device and one or more network devices at a lower level. The next level down is designated as the current traversal level, and for each network device in the current traversal level, the second link status information for that network device is retrieved from the link status database. If the second link status information includes a source prefix, the second link status information will be used as the target link status information. If the second link status information includes the connection relationship between the network device and one or more network devices in the next lower tier, the next lower tier is considered the current traversal tier. Until it is determined that the network devices currently in the traversal hierarchy do not have network devices in the hierarchy below, the second link state information for each network device in the current traversal hierarchy is retrieved from the link state database. If the second link state information includes a source prefix, the second link state information is set as the target link state information. If the second link state information includes connection relationships between the network device and one or more network devices in the hierarchy below, the hierarchy below is set as the current traversal hierarchy. This process is repeated until it is determined that the network devices in the current traversal hierarchy do not have network devices in the hierarchy below.
[0142] Optionally, the network device one level below is any network device other than the first network device within the AS domain.
[0143] Optionally, the target link status information may further include an access tag corresponding to the first source prefix. The acquisition module 1601 retrieves third link status information, including access tags, from the link status database. The third link status information includes a second source prefix corresponding to the access tag. The generation module 1602 adds the second source prefix to the security entry.
[0144] Optionally, an access tag is placed on the ingress interface. The acquisition module 1601 retrieves fourth link status information, including access tags, from the link status database. The fourth link status information includes a third source prefix corresponding to the access tag. The generation module 1602 generates a security entry for the ingress interface that includes the ingress interface identifier and a third-source prefix.
[0145] Optionally, the security entry generator may further: A receiving module that receives a first packet transmitted from a network device within an AS domain, wherein the first packet includes target link status information, and the receiving module... Includes a storage module that stores target link state information in a link state database.
[0146] Optionally, the first packet contains a first TLV containing a first flag bit and an address prefix, the first flag bit indicating that the address prefix is the first source prefix, or The first packet contains a second TLV containing an address prefix, the second TLV contains a first sub-TLV with a second flag bit, the second flag bit is to indicate that the address prefix contained in the second TLV is the first source prefix, or, The first packet contains the third TLV, which includes the first source prefix.
[0147] Optionally, the first TLV, second TLV, and third TLV each contain a second sub-TLV that includes a tag field, and the tag field carries an access tag corresponding to the first source prefix, or The third TLV includes an access tag corresponding to the first source prefix, and the access tag is located in a tag field that precedes the first source prefix and is adjacent to the first source prefix.
[0148] Corresponding to the embodiments of the above method, an embodiment of the present invention further provides a first network device, the first network device including a first interface which is an ingress interface for receiving target link status information, as shown in Figure 17, The first network device includes a processor 1701, a transceiver 1704, and a machine-readable storage medium 1702. The machine-readable storage medium 1702 stores machine-executable instructions that can be executed by the processor 1701, and the machine-executable instructions are sent to the processor 1701. This involves obtaining the target link status information from the link status database, wherein the target link status information includes the first source prefix. This involves generating a security entry for the ingress interface, where the security entry includes the identifier of the ingress interface and the first source prefix.
[0149] Optionally, machine-executable instructions are sent to processor 1701. Retrieving the first link status information of the first network device from the link status database, wherein the first link status information includes the connection relationship between the first network device and one or more network devices at a lower level. The next level down is designated as the current traversal level, and for each network device in the current traversal level, the second link status information for that network device is retrieved from the link status database. If the second link status information includes a source prefix, the second link status information shall be used as the target link status information. If the second link status information includes the connection relationship between the network device and one or more network devices in the next lower tier, the next lower tier will be the current traversal tier. Until it is determined that the network devices currently in the traversal hierarchy do not have network devices in the hierarchy below, the following steps are repeated for each network device in the current traversal hierarchy: retrieve the second link state information for that network device from the link state database; if the second link state information includes a source prefix, use the second link state information as the target link state information; and if the second link state information includes connection relationships between the network device and one or more network devices in the hierarchy below, set the hierarchy below as the current traversal hierarchy.
[0150] Optionally, the network device one level below is any network device other than the first network device within the AS domain.
[0151] Optionally, the target link status information further includes an access tag corresponding to the first source prefix. The machine-executable instructions are sent to processor 1701. This involves retrieving third-party link status information, including access tags, from a link status database, wherein the third-party link status information includes a second-party source prefix corresponding to the access tag. Adding a second source prefix to the security entry and performing the following further actions.
[0152] Optionally, an access tag is placed on the ingress interface. The machine-executable instructions are sent to processor 1701. This involves retrieving fourth-order link status information, including access tags, from the link status database, wherein the fourth-order link status information includes a third-order source prefix corresponding to the access tag. Further, the system generates a security entry for the ingress interface that includes the ingress interface identifier and a third-source prefix.
[0153] Optionally, machine-executable instructions are sent to processor 1701. Receiving a first packet transmitted from a network device within the AS domain, wherein the first packet contains target link status information, The objective is to save the link status information to the link status database, and to perform the following actions.
[0154] Optionally, the first packet contains a first TLV containing a first flag bit and an address prefix, the first flag bit indicating that the address prefix is the first source prefix, or The first packet contains a second TLV containing an address prefix, the second TLV contains a first sub-TLV containing a second flag bit, the second flag bit is to indicate that the address prefix contained in the second TLV is the first source prefix, or, The first packet contains the third TLV, which includes the first source prefix.
[0155] Optionally, the first TLV, second TLV, and third TLV each contain a second sub-TLV that includes a tag field, and the tag field carries an access tag corresponding to the first source prefix, or The third TLV includes an access tag corresponding to the first source prefix, and the access tag is located in a tag field that precedes the first source prefix and is adjacent to the first source prefix.
[0156] As shown in Figure 17, the first network device further includes a communication bus 1703. The processor 1701, the machine-readable storage medium 1702, and the transceiver 1704 can communicate with each other via the communication bus 1703. The communication bus 1703 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus 1703 may be an address bus, a data bus, a control bus, or the like.
[0157] The transceiver 1704 may be a wireless communication module, and the transceiver 1704 performs data communication with other devices under the control of the processor 1701.
[0158] The machine-readable storage medium 1702 may include random access memory (RAM) and non-volatile memory (NVM), and may be, for example, at least one disk memory. The machine-readable storage medium 1702 may also be a storage device located away from at least one of the processors.
[0159] The processor 1701 may be a general-purpose processor and may include a Central Processing Unit (CPU), a Network Processor (NP), etc. It may also be a Digital Signal Processing (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware assembly.
[0160] Based on a similar inventive concept, and according to the method for generating security entries provided in the above embodiments of the present invention, the embodiments of the present invention further provide a machine-readable storage medium which stores machine-executable instructions, and when called and executed by a processor, the machine-executable instructions cause the processor to implement the above method for generating security entries.
[0161] Another embodiment provided by the present invention provides a computer program product including instructions, which, when executed on a computer, cause the computer to perform the steps of the method for generating security entries in the above embodiment.
[0162] In this specification, relational terms such as "first" and "second" are used solely to distinguish one entity or execution from another entity or execution, and do not necessarily require or imply that such an actual relationship or order exists between these entities or executions. Furthermore, "includes," "incorporates," or any other variation means non-exclusive inclusion, and therefore a process, method, article or equipment that includes a set of elements includes not only those elements but also other elements not expressly enumerated, or elements specific to such process, method, article or equipment. Unless otherwise specified, an element limited by the term "includes one..." does not preclude the existence of other identical elements in a process, method, article or equipment that includes the said element.
[0163] Each embodiment in this specification is described in a manner relevant to its own context, and common parts between embodiments should be referenced from one another. Each embodiment is described primarily in terms of its differences from the others. In particular, the apparatus embodiments are basically similar to the method embodiments, and therefore the description is relatively straightforward; relevant points should be referred to in part of the description of the method embodiments.
[0164] The above description represents preferred embodiments of the present invention and is not intended to limit it. Modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the present invention should be considered to be within the scope of protection of the present invention.
Claims
1. A method for generating security entries, which is applied to a first network device, wherein the first network device includes a first interface that serves as an ingress interface for receiving target link status information, and the method for generating security entries is: The method involves obtaining the target link status information from the link status database, wherein the target link status information includes a first source prefix. The process involves generating a security entry for the ingress interface, wherein the security entry includes the identifier of the ingress interface and the first source prefix. A method for generating security entries characterized by the following:
2. Obtaining the target link status information from the aforementioned link status database is: The process involves retrieving the first link status information of the first network device from the link status database, wherein the first link status information includes the connection relationship between the first network device and one or more network devices of a lower hierarchy. The layer one level below the current traversal layer is defined as the current traversal layer, and for each network device in the current traversal layer, the second link status information of that network device is retrieved from the link status database. If the second link status information includes a source prefix, the second link status information shall be the target link status information. If the second link status information includes the connection relationship between the network device and one or more network devices in a lower tier, the lower tier shall be set as the current traversal tier. The process includes repeatedly performing the following steps until it is determined that the network devices currently in the traversal hierarchy do not have network devices in the hierarchy below them: searching for the second link state information of each network device in the current traversal hierarchy from the link state database; if the second link state information includes a source prefix, setting the second link state information as the target link state information; and if the second link state information includes connection relationships between the network device and one or more network devices in the hierarchy below it, setting the hierarchy below it as the current traversal hierarchy. The method for generating a security entry according to claim 1, characterized by the features described above.
3. The network device one level below is a network device other than the first network device within the AS domain. The method for generating a security entry according to claim 2, characterized by the features described above.
4. The aforementioned objective link status information further includes an access tag corresponding to the first source prefix, and after generating a security entry for the ingress interface, the method for generating the security entry further includes: The process involves searching the link status database for third link status information including the access tag, wherein the third link status information includes a second source prefix corresponding to the access tag. This includes adding the second source prefix to the security entry, The method for generating a security entry according to claim 1, characterized by the features described above.
5. An access tag is placed on the ingress interface, and the method for generating the security entry further includes: The process involves retrieving fourth link status information, including the access tag, from the link status database, wherein the fourth link status information includes a third source prefix corresponding to the access tag. This includes generating a security entry for the ingress interface that includes the identifier of the ingress interface and the third source prefix, The method for generating a security entry according to claim 1, characterized by the features described above.
6. Before obtaining the target link status information from the link status database, the method for generating the security entry further: Receiving a first packet transmitted from a network device within the AS domain, wherein the first packet includes the target link status information, This includes storing the aforementioned target link status information in the link status database. The method for generating a security entry according to claim 1, characterized by the features described above.
7. The first packet includes a first TLV including a first flag bit and an address prefix, the first flag bit is for indicating that the address prefix is the first source prefix, or The first packet includes a second TLV containing an address prefix, the second TLV includes a first sub-TLV containing a second flag bit, the second flag bit is for indicating that the address prefix contained in the second TLV is the first source prefix, or, The first packet includes a third TLV containing the first source prefix, The method for generating a security entry according to claim 6, characterized by the features described above.
8. The first TLV, the second TLV, and the third TLV each include a second sub-TLV containing a tag field, the tag field carrying an access tag corresponding to the first source prefix, or The third TLV includes an access tag corresponding to the first source prefix, and the access tag is located in a tag field before the first source prefix and adjacent to the first source prefix. The method for generating a security entry according to claim 7, characterized by the features described above.
9. A security entry generation device, applied to a first network device, the first network device includes a first interface which is an ingress interface for receiving target link status information, and the security entry generation device is An acquisition module that acquires the target link status information from a link status database, wherein the target link status information includes a first source prefix, A generation module that generates security entries for the ingress interface, wherein the security entries include the identifier of the ingress interface and the first source prefix, A security entry generation device characterized by the following:
10. The acquisition module described above is The first link status information of the first network device is retrieved from the link status database, and the first link status information includes the connection relationship between the first network device and one or more network devices of a lower hierarchy. The layer one level below the current traversal layer is used, and for each network device in the current traversal layer, the second link status information for that network device is retrieved from the link status database. If the second link status information includes a source prefix, the second link status information is set as the target link status information. If the second link status information includes the connection relationship between the network device and one or more network devices in a lower tier, the lower tier is set as the current traversal tier. Until it is determined that the network devices in the current traversal hierarchy do not have network devices in the hierarchy below, the following steps are repeated for each network device in the current traversal hierarchy: the second link state information for the network device is retrieved from the link state database; if the second link state information includes a source prefix, the second link state information is set as the target link state information; and if the second link state information includes connection relationships between the network device and one or more network devices in the hierarchy below, the hierarchy below is set as the current traversal hierarchy. The security entry generating device according to feature 9.
11. The network device one level below is a network device other than the first network device within the AS domain. The security entry generation device according to claim 10, characterized in that it is a security entry generation device.
12. The aforementioned objective link status information further includes an access tag corresponding to the first source prefix, The acquisition module retrieves third link status information, including the access tag, from the link status database, and the third link status information includes a second source prefix corresponding to the access tag. The generation module adds the second source prefix to the security entry. The security entry generation device according to claim 9.
13. An access tag is placed on the aforementioned ingress interface, The acquisition module retrieves fourth link status information, including the access tag, from the link status database, and the fourth link status information includes a third source prefix corresponding to the access tag. The generation module generates a security entry for the ingress interface that includes the identifier of the ingress interface and the third source prefix. The security entry generation device according to claim 9.
14. The security entry generation device further, A receiving module that receives a first packet transmitted from a network device within an AS domain, wherein the first packet includes the target link status information, and the receiving module Includes a storage module that stores the aforementioned target link state information in the link state database, The security entry generation device according to claim 9.
15. The first packet includes a first TLV including a first flag bit and an address prefix, the first flag bit is for indicating that the address prefix is the first source prefix, or The first packet includes a second TLV containing an address prefix, the second TLV includes a first sub-TLV containing a second flag bit, the second flag bit is for indicating that the address prefix contained in the second TLV is the first source prefix, or, The first packet includes a third TLV containing the first source prefix, The security entry generation device according to claim 14.
16. The first TLV, the second TLV, and the third TLV each include a second sub-TLV containing a tag field, the tag field carrying an access tag corresponding to the first source prefix, or The third TLV includes an access tag corresponding to the first source prefix, and the access tag is located in a tag field before the first source prefix and adjacent to the first source prefix. The security entry generation device according to claim 15, characterized in that it is a security entry generation device.
17. A first network device, which includes a first interface that serves as an ingress interface for receiving target link status information, The first network device includes a processor, a transceiver, and a machine-readable storage medium. The machine-readable storage medium stores machine-executable instructions that can be executed by the processor, and the machine-executable instructions are provided to the processor. The method involves obtaining the target link status information from the link status database, wherein the target link status information includes a first source prefix. To perform the following actions: generate a security entry for the ingress interface, wherein the security entry includes the identifier of the ingress interface and the first source prefix. A first network device characterized by the following:
18. The machine-executable instruction is given to the processor, The process involves retrieving the first link status information of the first network device from the link status database, wherein the first link status information includes the connection relationship between the first network device and one or more network devices of a lower hierarchy. The layer one level below the current traversal layer is defined as the current traversal layer, and for each network device in the current traversal layer, the second link status information of that network device is retrieved from the link status database. If the second link status information includes a source prefix, the second link status information shall be the target link status information. If the second link status information includes the connection relationship between the network device and one or more network devices in a lower tier, the lower tier shall be set as the current traversal tier. Until it is determined that the network devices currently in the traversal hierarchy do not have network devices in the hierarchy below, the following steps are repeated for each network device in the current traversal hierarchy: the second link state information for that network device is retrieved from the link state database; if the second link state information includes a source prefix, the second link state information is set as the target link state information; and if the second link state information includes a connection relationship between the network device and one or more network devices in the hierarchy below, the hierarchy below is set as the current traversal hierarchy. The first network device according to feature 17.
19. The network device one level below is a network device other than the first network device within the AS domain. The first network device according to feature 18.
20. The aforementioned objective link status information further includes an access tag corresponding to the first source prefix, The machine-executable instruction is given to the processor, The process involves searching the link status database for third link status information including the access tag, wherein the third link status information includes a second source prefix corresponding to the access tag. Adding the aforementioned second source prefix to the security entry, and further performing the following: The first network device according to feature 17.
21. An access tag is placed on the aforementioned ingress interface, The machine-executable instruction is given to the processor, The process involves retrieving fourth link status information, including the access tag, from the link status database, wherein the fourth link status information includes a third source prefix corresponding to the access tag. Further, the system generates a security entry for the ingress interface that includes the identifier of the ingress interface and the third source prefix. The first network device according to feature 17.
22. The machine-executable instruction is given to the processor, Receiving a first packet transmitted from a network device within the AS domain, wherein the first packet includes the target link status information, To further perform the following: save the aforementioned objective link status information to the link status database. The first network device according to feature 17.
23. The first packet includes a first TLV including a first flag bit and an address prefix, the first flag bit is for indicating that the address prefix is the first source prefix, or The first packet includes a second TLV containing an address prefix, the second TLV includes a first sub-TLV containing a second flag bit, the second flag bit is for indicating that the address prefix contained in the second TLV is the first source prefix, or, The first packet includes a third TLV containing the first source prefix, The first network device according to feature 22.
24. The first TLV, the second TLV, and the third TLV each include a second sub-TLV containing a tag field, the tag field carrying an access tag corresponding to the first source prefix, or The third TLV includes an access tag corresponding to the first source prefix, and the access tag is located in a tag field before the first source prefix and adjacent to the first source prefix. The first network device according to feature 23.
25. A machine-readable storage medium that stores machine-executable instructions, and when called and executed by a processor, the machine-executable instructions cause the processor to implement the method for generating security entries according to any one of claims 1 to 8. A machine-readable storage medium characterized by the following features.
26. A computer program, wherein the computer program causes a processor to implement the method for generating security entries described in any one of claims 1 to 8. A computer program characterized by the following features.