Source address validation method, apparatus, device and readable storage medium
By employing a priority mechanism for multiple SAV entries in the routing and forwarding device, a unified source address verification mechanism is formed, which solves the problem of packet legitimacy verification under conflicting SAV entries, ensures the consistency and accuracy of verification results, reduces the probability of false positives, and improves the security and efficiency of packet forwarding.
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- HUAWEI TECH CO LTD
- Filing Date
- 2025-12-30
- Publication Date
- 2026-07-09
AI Technical Summary
When conflicting SAV entries exist in a routing and forwarding device, existing technologies have failed to effectively solve the problem of accurately verifying the legitimacy of the packet source address.
A priority mechanism using multiple SAV entries is adopted to form a unified source address verification mechanism. Source address verification is performed by selecting the highest priority SAV entry or generating a SAV summary table to ensure the consistency and accuracy of verification results.
It achieves accurate message validity verification in scenarios with multiple SAV entry conflicts, reduces the probability of false positives, and improves the security and efficiency of message forwarding.
Smart Images

Figure CN2025147467_09072026_PF_FP_ABST
Abstract
Description
Source address verification method, apparatus, device and readable storage medium
[0001] This application claims priority to Chinese Patent Application No. 202411999544.3, filed with the State Intellectual Property Office of China on December 31, 2024, entitled “Source Address Verification Method, Apparatus, Device and Readable Storage Medium”, the entire contents of which are incorporated herein by reference. Technical Field
[0002] This application relates to the field of communication technology, and in particular to a source address verification method, apparatus, device, and readable storage medium. Background Technology
[0003] Source address validation (SAV) is a crucial method for eliminating source address spoofing attacks, aiming to ensure the authenticity and legitimacy of the source address of network packets. Routing and forwarding devices store SAV entries, which map address prefixes to the incoming interfaces of the routing and forwarding devices. When a routing and forwarding device receives a packet, if it has a stored SAV entry indicating the mapping between the packet's source address prefix and the incoming interface the packet arrived at, the packet is considered legitimate; otherwise, it is deemed illegitimate.
[0004] Currently, SAV entries in routing and forwarding devices are generated by the Border Gateway Protocol (BGP). In the future, when other routing protocols also generate SAV entries, conflicting entries may appear in the routing and forwarding devices, mapping different ingress interfaces to the same address prefix. Therefore, how to perform source address verification on packets when conflicting entries exist in the routing and forwarding device becomes a pressing issue. Summary of the Invention
[0005] This application provides a source address verification method, apparatus, device, and readable storage medium for accurately verifying the legitimacy of a packet source address in scenarios where the routing and forwarding device includes conflicting SAV entries.
[0006] To achieve the above objectives, the embodiments of this application adopt the following technical solutions:
[0007] Firstly, a source address verification method is provided, applied to a routing and forwarding device. The routing and forwarding device stores multiple SAV entries from different sources, each indicating verification information corresponding to the same address prefix. These SAV entries are assigned priorities; in one implementation, the priority of each SAV entry indicates its trustworthiness. Upon receiving a packet, if the source address prefix of the packet matches the address prefixes corresponding to the multiple SAV entries, the routing and forwarding device performs source address verification on the packet based on the priorities of the multiple SAV entries, thereby determining, for example, whether the packet is legitimate.
[0008] This application provides an implementation method for source address verification of packets when the routing and forwarding device includes multiple SAV entries from different sources. Since the verification information for the same address prefix indicated by multiple SAV entries may differ, performing source address verification on packets using multiple SAV entries separately will result in conflicting verification results. This application performs source address verification on packets based on the priority of multiple SAV entries. A unified source address verification mechanism can be formed based on a unified priority rule, which ensures the consistency of verification results. This allows for accurate verification of packet legitimacy and guarantees normal packet forwarding.
[0009] In one optional implementation, a SAV summary table can be generated based on the priority of multiple SAV entries. The generation process of the SAV summary table is as follows: select the highest-priority first SAV entry from among the multiple SAV entries and add it to the SAV summary table. When performing source address verification on a packet, the source address verification of the packet is performed based on the first SAV entry in the SAV summary table. In this embodiment, the highest-priority first SAV entry is selected for source address verification, which makes the verification conditions more stringent and the verification results of the source address verification more reliable.
[0010] In one optional implementation, when generating the SAV summary table based on the priority of SAV entries, multiple SAV entries can be selected and added to the SAV summary table according to filtering conditions. The SAV summary table includes a first SAV entry with the highest priority and at least one second SAV entry whose priority meets the filtering conditions. When performing source address verification on a message, the source address verification can be performed on the message based on the first SAV entry and at least one second SAV entry in the SAV summary table. For example, a message is considered valid as long as it meets one of the multiple verification messages corresponding to multiple SAV entries in the SAV summary table. This embodiment of the application can increase the probability of message validity and reduce the probability of false positives.
[0011] In an optional implementation, when generating the SAV summary table based on the priority of SAV entries, multiple SAV entries whose priorities meet the filtering criteria can be selected, and these multiple SAV entries can be merged into one entry in the SAV summary table. Specifically, the SAV summary table includes a first entry, which indicates the verification information corresponding to multiple SAV entries whose priorities meet the filtering criteria for the same address prefix. When performing source address verification on a packet, the source address verification can be performed based on the first entry in the SAV summary table. Merging multiple SAV entries into one entry can improve the query efficiency of the SAV summary table, thereby improving the efficiency of source address verification.
[0012] In one optional implementation, the authentication information corresponding to multiple SAV entries in the routing and forwarding device can be sequentially queried according to their priorities. A packet is considered valid as long as it satisfies one of the authentication criteria for each SAV entry in the SAV summary table. During the sequential query of multiple SAV entries, the query process stops when a packet satisfies the authentication criteria of the third entry, and subsequent SAV entries are not queried. Querying all SAV entries increases the probability of packet validity and reduces the probability of false positives; while querying SAV entries sequentially according to priority improves query efficiency.
[0013] In one alternative implementation, the multiple SAV entries from different sources in the routing and forwarding device can be entries generated by different routing protocols, entries issued by the controller, or statically configured entries.
[0014] In one optional implementation, if the source address verification result is that the packet is valid, the routing and forwarding device forwards the valid packet; if the source address verification result is that the packet is invalid, the routing and forwarding device discards the invalid packet or performs rate limiting on the invalid packet according to local policies. This reduces the risk of the packet receiver being attacked by invalid packets and improves the security of the packet receiver.
[0015] In one alternative implementation, the priority of an SAV entry includes the priority of the source of the SAV entry, thus ensuring consistency between the priority of the SAV entry and the priority of the source.
[0016] In one alternative implementation, the priority of SAV entries can be configured in a routing forwarding device, which includes priority configuration information indicating the priority of multiple SAV entries. In this way, the priority of each SAV entry can be updated by changing the priority configuration information; or, the SAV entries carry priority information, which is beneficial for the transmission of priority information.
[0017] Secondly, a routing and forwarding device is provided, comprising: an acquisition unit for acquiring the priority of multiple source address verification SAV entries, wherein the multiple SAV entries have different sources and each SAV entry indicates verification information corresponding to the same address prefix; a receiving unit for receiving a packet, wherein the packet includes information about the source address prefix, and the source address prefix is the same address prefix; and a processing unit for performing source address verification on the packet according to the priority of the multiple SAV entries.
[0018] In an optional implementation, the processing unit is specifically configured to: generate a SAV summary table based on the priority of multiple SAV entries, the SAV summary table including the first SAV entry with the highest priority among the multiple SAV entries, and perform source address verification on the message based on the SAV summary table.
[0019] In an optional implementation, the SAV summary table also includes at least one second SAV entry from among a plurality of SAV entries whose priority satisfies the filtering criteria.
[0020] In an optional implementation, the processing unit is specifically configured to: generate a SAV summary table based on the priority of multiple SAV entries, the SAV summary table including a first entry indicating multiple verification information corresponding to the same address prefix, the multiple verification information being the verification information corresponding to multiple SAV entries whose priority meets the filtering conditions; and perform source address verification on the packet based on the SAV summary table.
[0021] In an optional implementation, the processing unit is specifically configured to: sequentially query the verification information corresponding to the multiple SAV entries according to their priorities; and when a third SAV entry with a valid verification message is found, stop querying the SAV entries whose priority is after the priority of the third SAV entry.
[0022] In one alternative implementation, the sources of multiple SAV entries include: entries generated by routing protocols, entries issued by the controller, or statically configured entries.
[0023] In an optional implementation, the processing unit is further configured to: forward the packet if the source address verification result is valid; or discard the packet or rate-limit the packet if the source address verification result is invalid.
[0024] In an optional implementation, the priority of each SAV entry among a plurality of SAV entries includes the priority of the source of each SAV entry.
[0025] In one optional implementation, the routing and forwarding device includes priority configuration information, which includes the priorities of multiple SAV entries; or each of the multiple SAV entries includes priority information.
[0026] Thirdly, a routing and forwarding apparatus is provided, the apparatus comprising: a processor and a memory storing instructions that, when executed by the processor, cause the apparatus to perform a source address verification method as provided in the first aspect or any possible implementation thereof.
[0027] Fourthly, a chip is provided, the chip including a processor and an interface circuit, the processor and the interface circuit being used to support the chip in performing a source address verification method as provided in the first aspect or any possible implementation thereof.
[0028] Fifthly, a computer-readable storage medium is provided, wherein a computer program or instructions are stored therein, which, when executed, implement the source address verification method provided by the first aspect or any possible implementation thereof.
[0029] In a sixth aspect, a computer program product is provided, comprising: a computer program (or code, or instructions) that, when executed, causes a computer to perform a source address verification method as provided in the first aspect or any possible implementation thereof.
[0030] Understandably, the beneficial effects achieved by any of the routing and forwarding devices, chips, computer-readable storage media, and computer program products provided above can be referred to in the context of the beneficial effects of the message forwarding methods provided above, and will not be repeated here. Attached Figure Description
[0031] Figure 1 is a network architecture diagram of a routing and forwarding network provided in an embodiment of this application;
[0032] Figure 2 is a schematic diagram of a routing and forwarding device provided in an embodiment of this application;
[0033] Figure 3 is a flowchart illustrating a source address verification method provided in an embodiment of this application;
[0034] Figure 4 is a flowchart illustrating another source address verification method provided in an embodiment of this application;
[0035] Figure 5 is a flowchart illustrating another source address verification method provided in an embodiment of this application;
[0036] Figure 6 is a schematic diagram of generating an SAV summary table according to an embodiment of this application;
[0037] Figure 7 is a flowchart illustrating another source address verification method provided in an embodiment of this application;
[0038] Figure 8 is a priority order diagram of multiple SAV entries in a routing and forwarding device provided in an embodiment of this application;
[0039] Figure 9 is a schematic diagram of a routing and forwarding device provided in an embodiment of this application;
[0040] Figure 10 is a schematic diagram of another routing and forwarding device provided in an embodiment of this application. Detailed Implementation
[0041] The technical solutions in the embodiments of this application will be described below with reference to the accompanying drawings. In this application, "at least one" means one or more, and "more than one" means two or more. "And / or" describes the relationship between related objects, indicating that there are three relationships. For example, A and / or B means: A exists alone, A and B exist simultaneously, or B exists alone, where A and B can be singular or plural. The character " / " generally indicates that the related objects before and after are in an "or" relationship. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of single or plural items. For example, at least one of a, b, or c means: a, b, c, a and b, a and c, b and c, a, b, and c; where a, b, and c can be single or multiple.
[0042] The embodiments of this application use terms such as "first" and "second" to distinguish objects with similar names, functions, or roles. Those skilled in the art will understand that the terms "first" and "second" do not limit the quantity or order of execution. In this application, words such as "exemplarily" or "for example" are used to indicate that something is being described as an example, illustration, or illustration. Any embodiment or design described as "exemplarily" or "for example" in this application should not be construed as being more preferred or advantageous than other embodiments or design solutions. Specifically, the use of words such as "exemplarily" or "for example" is intended to present the relevant concepts in a concrete manner.
[0043] During packet forwarding in an IP network, if the routing device forwards packets solely based on their destination address, the IP network will be vulnerable to numerous source address spoofing attacks. For example, attackers can forge a large number of packets with the same source address to exhaust the bandwidth and resources of the legitimate holder of that source address; attackers can also impersonate source addresses to conceal their identity, making it difficult to trace illegal network activities; and attackers can interfere with the normal operation of services such as billing, management, and security authentication based on the real source address. Currently, source address verification is commonly used to eliminate source address spoofing attacks.
[0044] Source address verification (SAV), a network security technology, works by establishing a mapping between source addresses and incoming interfaces. Routing and forwarding devices determine the legitimacy of a packet by checking whether it arrives at the corresponding incoming interface from a given source address. Specifically, the routing and forwarding device stores Source Address Verification (SAV) entries. These entries store the mapping between address prefixes and the incoming interfaces of the routing and forwarding device. When the routing and forwarding device receives a packet, if it finds an SAV entry indicating the mapping between the packet's source address prefix and the incoming interface, the packet is considered legitimate; otherwise, it is deemed illegitimate.
[0045] Figure 1 is a network architecture diagram of a routing and forwarding network provided in an embodiment of this application. As shown in Figure 1, server H1 is connected to server H3 through router R1 and router R2 in sequence; server H2 is connected to server H3 through router R3 and router R2 in sequence; packets from server H1 are forwarded by router R1 to the ingress interface a of router R2, and packets from server H2 are forwarded by router R3 to the ingress interface b of router R2.
[0046] In one implementation, router R2 deploys SAV entries indicating the mapping between address prefix P1 and ingress interface a. This SAV entry indicates that when a packet with source address prefix P1 arrives at router R2, the legitimate ingress interface is ingress interface a. In one scenario, server H1 is the legitimate holder of source address prefix P1. When server H1 sends a packet to server H3, the packet carrying source address prefix P1 arrives at router R2 through ingress interface a. Router R2, based on the SAV entry, confirms that the packet carrying source address prefix P1 arrived from a legitimate ingress interface, thus verifying the packet as legitimate. However, if server H2 forges a packet with source address prefix P1, the forged packet carrying source address prefix P1 will arrive at router R2 through ingress interface b. Router R2, based on the SAV entry, determines that the forged packet arrived at an interface other than the legitimate ingress interface a, thus verifying the packet as illegitimate. Router R2 will allow legitimate packets to pass through and discard illegitimate packets. In this way, legitimate messages can reach server H3, while illegitimate messages cannot. Therefore, server H3 can effectively prevent attacks by server H2 that forge source addresses.
[0047] Therefore, the key to source address verification is the SAV entry. Understandably, SAV entries are related to the forwarding path of legitimate packets. Since different routing protocols may generate different packet forwarding paths, the SAV entries generated by different routing protocols may also be different. Currently, multiple routing protocols are developing schemes for generating SAV entries, such as: using the Intra Gateway Protocol (IGP) to propagate the relevant information needed for source address verification and then generating source address verification entries (see the draft-cheng-savnet-intra-domain-sav-igp and draft-li-lsr-igp-based-intra-domain-savnet documents); using the Border Gateway Protocol (BGP) to propagate the relevant information needed for source address verification and then generating source address verification entries (see the draft-geng-idr-bgp-savnet document); using the Border Gateway Protocol's flow rules (BGP flowspec) to publish source address verification entries (see the draft-geng-idr-flowspec-sav document); using the Border Gateway Protocol (BGP) to publish source address verification entries using newly defined private address families (see the draft-haas-savnet-bgp-sav-distribution document); and using BGP... Source address verification entries are generated after the SPE protocol propagates the relevant information required for source address verification (see the draft-lin-savnet-intra-domain-bgp-spf-extensions document); source address verification entries are generated using the Bar-Sav scheme (see the draft-ieft-sidrops-bar-sav document); source address verification entries are generated after the Open Shortest Path First (OSPF) protocol propagates the relevant information required for source address verification (see the draft-zhang-savnet-sav-ospf document); and source address verification entries are generated after the controller collects information from the forwarders (see the draft-tong-savnet-sav-enhanced-by-controller document). It is understood that the content related to generating source address verification entries from different sources in the above documents is generally incorporated into this text as a whole (incorporated by reference). For descriptions that contradict or conflict with this document, the description in this document shall prevail.
[0048] In scenarios where routing and forwarding devices deploy SAV entries from different sources, conflicting entries are likely to occur. A conflicting entry refers to multiple SAV entries that map the same source address prefix to different ingress interfaces. Currently, routing and forwarding devices have not proposed an effective solution to resolve SAV entry conflicts. Therefore, in scenarios where routing and forwarding devices contain SAV entries from different sources, accurately verifying the legitimacy of packet source addresses has become an urgent problem to be solved.
[0049] Based on the above description, this application provides a source address verification method. In the scheme of this application embodiment, multiple SAV entries from different sources stored in the routing and forwarding device are assigned priorities. After receiving a packet, when the source address prefix of the packet matches the same address prefix corresponding to the multiple SAV entries, the routing and forwarding device performs source address verification on the packet according to the priority of the multiple SAV entries, thereby determining whether the packet is legitimate. This application embodiment can form a unified source address verification mechanism based on a unified priority rule to ensure the consistency of verification results. This allows for accurate verification of packet legitimacy and ensures normal packet forwarding.
[0050] The technical solutions provided in this application embodiment can be applied to various network devices. The network devices described in this application embodiment will be introduced below. Figure 2 is a schematic diagram of a routing and forwarding device provided in this application embodiment. As shown in Figure 2, the routing and forwarding device is used to transmit packets, and includes SAV entries from different sources. For example, the routing and forwarding device stores: SAV entries generated by routing protocol 1, SAV entries generated by routing protocol 2, ..., SAV entries generated by routing protocol N, SAV entries issued by the controller, uRPF entries, statically configured SAV entries, etc.
[0051] Among them, uRPF entries are entries that indicate the mapping relationship between source addresses and legal inbound interfaces, generated based on unicast reverse path forwarding (uRPE) technology; statically configured SAVNET entries are manually configured entries.
[0052] In one possible implementation, the index (also called the key value) of a SAV entry can be an address prefix, and the format of the SAV entry can be as shown in Table 1:
[0053] Table 1
[0054] As shown in Table 1, a SAV entry indicates a valid inbound interface corresponding to an address prefix. For example, the SAV entries in Table 1 indicate that the valid inbound interfaces corresponding to address prefix A are inbound interface a and inbound interface b. When performing source address verification on a packet, the routing and forwarding device can query the SAV entry based on the packet's source address prefix to obtain the valid inbound interface corresponding to that source address prefix. Then, it verifies the validity of the packet by determining whether the inbound interface to which the packet arrives is a valid inbound interface corresponding to that source address prefix.
[0055] In another possible implementation, the index of the SAV entry can also be the ingress interface of the routing forwarding device, and the format of the SAV entry can be as shown in Table 2:
[0056] Table 2
[0057] As shown in Table 2, a SAV entry indicates a valid source address prefix corresponding to an incoming interface. For example, the SAV entries shown in Table 2 indicate that the valid source address prefixes corresponding to incoming interface 'a' include address prefix A, address prefix B, etc. When performing source address verification on a packet, the routing and forwarding device can query the SAV entry based on the incoming interface the packet arrives at, obtain the valid address prefix corresponding to that incoming interface, and then verify the validity of the packet by determining whether the source address prefix of the packet is a valid source address prefix corresponding to that incoming interface.
[0058] In another possible implementation, the index of the SAV entry can also be an address prefix plus the input interface. In this case, the format of the SAV entry can be as shown in Table 3:
[0059] Table 3
[0060] As shown in Table 3, a SAV entry indicates a valid incoming interface corresponding to an address prefix. When performing source address verification on a packet, the routing and forwarding device can query the SAV entry based on the incoming interface where the packet arrived and the packet's source address prefix. By determining whether there is an SAV entry in the routing and forwarding device that includes the incoming interface where the packet arrived and the packet's source address prefix, the device can verify whether the packet is valid.
[0061] Understandably, the format of the uRPF table can be referenced from the format of the SAVNET table mentioned above, and will not be repeated here.
[0062] In one implementation, the hardware implementation of the above-mentioned routing and forwarding device can be a network device such as a router or switch used for packet forwarding, and the embodiments of this application do not limit this.
[0063] Based on the above network device structure, Figure 3 is a flowchart illustrating a source address verification method provided in an embodiment of this application. This source address verification method is applied to a routing and forwarding device, which, exemplarily, can be the routing and forwarding device shown in Figure 2 above. The method includes the following steps:
[0064] S301, Receive message.
[0065] The message carries source address prefix information. In one implementation, the message arrives at the routing forwarding device from a first interface, which is an ingress interface of the routing forwarding device. The routing forwarding device verifies the source address of the message based on the address prefix carried in the message and the first interface to which the message arrives.
[0066] S302. Obtain multiple SAV entries and their priorities.
[0067] The multiple SAV entries obtained may come from different sources, including SAV entries generated by different routing protocols, SAV entries issued by the controller, or statically configured entries.
[0068] Multiple SAV entries indicate authentication information corresponding to the same address prefix, and the same address prefix corresponding to multiple SAV entries is the source address prefix carried by the aforementioned message. For example, if the index of a SAV entry is an address prefix, the routing device can match all SAV entries in the routing device according to the source address prefix of the message to obtain multiple SAV entries. Each of the multiple SAV entries indicates a valid inbound interface corresponding to the source address prefix of the message. For example, if the index of a SAV entry is an inbound interface, the routing device can match all SAV entries in the routing device according to the inbound interface (i.e., the first interface) to obtain multiple SAV entries. Each of the multiple SAV entries indicates a valid address prefix corresponding to the first interface, and the valid address prefixes included in the multiple SAV entries include the source address prefix of the message. Taking a packet with a source address prefix of address prefix A and an ingress interface a as an example, multiple SAV entries can be multiple entries indicating the valid ingress interface corresponding to address prefix A; or they can be multiple entries indicating the valid address prefix corresponding to ingress interface a, with at least one valid address prefix being address prefix A. This application does not limit this.
[0069] The multiple SAV entries correspond to priority information. For example, the priority of each SAV entry indicates its trustworthiness. In one possible implementation, the routing and forwarding device includes priority configuration information indicating the priorities of the multiple SAV entries; thus, the priority of each SAV entry can be determined by manually configuring the priority configuration information. In another possible implementation, each SAV entry includes priority information indicating the priority of its source. For example, a first SAV entry is generated by Protocol 1, and a second SAV entry is generated by Protocol 2. If the priority level of the first SAV entry configured by the routing and forwarding device is higher than the priority level of the second SAV entry, then the priority of the first SAV entry is greater than the priority of the second SAV entry. If the priority level of the first SAV entry configured by the routing and forwarding device is equal to the priority level of the second SAV entry, but the priority level of Protocol 1 is higher than the priority level of Protocol 2, then the priority of the first SAV entry is greater than the priority of the second SAV entry.
[0070] In one implementation, the priority configuration information included in the routing and forwarding device is shown in Table 4:
[0071] Table 4
[0072] The SAV entry type indicates the source of the source address verification entry, with different source types corresponding to different type values. For each SAV entry, there are SAV priority and source priority. SAV priority indicates the entry's priority, while source priority indicates the source priority (e.g., the priority of the routing protocol that generated the SAV entry). For example, the SAV priority is the default value and can be configured manually; smaller SAV priority and source priority values indicate higher priority levels.
[0073] Understandably, SAV priorities can be set with reference to source priorities. In one implementation, the source priority corresponding to a SAV entry can be used as the SAV priority, such as the uRPF entry in the table above, the SAV entry generated by the controller, and the SAV entry generated using the bar-sav scheme. In this way, the SAV priority of the source address verification entry is consistent with the source priority. When prioritizing multiple SAV entries whose SAV priorities are consistent with the source priority, it is only necessary to sort them according to the SAV priority of each SAV entry. In another implementation, the SAV priority of the source address verification entry is inconsistent with the source priority. In this case, when prioritizing multiple SAV entries, priority is first sorted according to the SAV priority of each SAV entry. When SAV priorities are the same, the final priority order is determined based on the source priority. For example, in the table above, the SAV entries generated after propagating the relevant information required for source address verification using the RIPv2 routing protocol and the SAV entries generated after propagating the relevant information required for source address verification using the RIPNG protocol have the same SAV priority. However, the source priority of the SAV entries generated after propagating the relevant information required for source address verification using the RIPv2 protocol is higher than that of the SAV entries generated after propagating the relevant information required for source address verification using the RIPNG routing protocol. Therefore, the priority of the SAV entries generated after propagating the relevant information required for source address verification using the RIPv2 protocol is higher than that of the SAV entries generated after propagating the relevant information required for source address verification using the RIPNG routing protocol.
[0074] S303. Verify the source address of the message based on the priority of multiple SAV entries.
[0075] In this case, the source address prefixes of the packets indicated by multiple SAV entries correspond to different valid inbound interfaces. The routing and forwarding device can determine a unified source address verification mechanism based on the priority of multiple SAV entries, and perform source address verification on the packets based on this source address verification mechanism.
[0076] For example, if the source address verification result indicates the packet is valid, the routing and forwarding device forwards the packet; if the source address verification result indicates the packet is invalid, the routing and forwarding device handles the illegal packet according to local policies. For example, it may discard the illegal packet or rate-limit it. Rate-limiting can involve traffic policing of illegal packets, controlling the packet forwarding rate. This reduces the risk of the packet receiver being attacked by illegal packets, improving the security of the receiver.
[0077] This application provides an implementation method for source address verification of packets when the routing and forwarding device includes multiple SAV entries from different sources. Since the verification information (legitimate ingress interface) for the same address prefix indicated by multiple SAV entries may differ, conflicting verification results will occur when using multiple SAV entries to verify the source address of packets separately. This application performs source address verification of packets based on the priority of multiple SAV entries. A unified source address verification mechanism can be formed based on a unified priority rule, which ensures the consistency of verification results. This allows for accurate verification of packet legitimacy and guarantees normal packet forwarding.
[0078] The following examples illustrate in detail the process by which a routing and forwarding device verifies the source address of a packet based on the priority of multiple SAV entries:
[0079] Example 1:
[0080] Figure 4 is a flowchart illustrating another source address verification method provided in an embodiment of this application. As shown in Figure 4, the method includes the following steps:
[0081] S401. Obtain multiple SAV entries and their priorities.
[0082] Among them, multiple SAV entries indicate the verification information corresponding to the same address prefix.
[0083] S402. Determine the first SAV entry with the highest priority among multiple SAV entries.
[0084] Based on the priority of each SAV entry among multiple SAV entries, the highest-priority SAV entry is determined. If the priority configuration information of the routing forwarding device shows that two SAV entries have the same priority, the final priority order can be further determined based on the priority of the sources of these two SAV entries.
[0085] S403. Add the first SAV entry to the SAV summary table.
[0086] The SAV summary table is generated based on the SAV entries in the routing and forwarding device. In this embodiment, for multiple SAV entries indicating the verification information corresponding to the same address prefix, the SAV summary table only records the first SAV entry with the highest priority among the multiple SAV entries.
[0087] S404: Receive the message and verify the source address of the message according to the SAV summary table.
[0088] When a routing and forwarding device receives a packet, it queries the SAV summary table to obtain the SAV entry corresponding to the packet's source address prefix. If an SAV entry exists in the SAV summary table indicating the mapping relationship between the packet's source address prefix and the ingress interface to which the packet arrived, the routing and forwarding device determines that the packet's source address verification result is valid; otherwise, it determines that the packet's source address verification result is invalid.
[0089] In this embodiment, the SAV summary table includes the highest priority SAV entries. Using the SAV entries in the SAV summary table for source address verification results in stricter verification conditions and higher reliability of the verification results.
[0090] Example 2:
[0091] Figure 5 is a flowchart illustrating another source address verification method provided in an embodiment of this application. As shown in Figure 5, the method includes the following steps:
[0092] S501, Obtain multiple SAV entries and their priorities.
[0093] Among them, multiple SAV entries indicate the verification information corresponding to the same address prefix.
[0094] S502. Determine multiple second SAV entries from among multiple SAV entries whose priority meets the filtering criteria.
[0095] Based on the priority of each SAV entry in the multiple SAV entries, several second SAV entries whose priorities meet the filtering criteria are determined. For example, SAV entries ranked in the top three in priority, or SAV entries ranked in the top ten in priority. This embodiment does not limit the specific priority filtering criteria.
[0096] S503. Add multiple second SAV entries to the SAV summary table.
[0097] In this embodiment, the SAV summary table includes multiple SAV entries indicating verification information corresponding to the same address prefix. In a specific example, the routing and forwarding device includes three SAV entries from different sources, but indicating verification information corresponding to the same address prefix: a first SAV entry, a second SAV entry, and a third SAV entry. The first SAV entry indicates that the legal ingress interface corresponding to address prefix A is 'a', the second SAV entry indicates that the legal ingress interface corresponding to address prefix A is 'b', and the third SAV entry indicates that the legal ingress interface corresponding to address prefix A is 'c'. If the priority filtering condition is to select the top two SAV entries by priority to add to the SAV summary table, then the SAV summary table includes the aforementioned first and second SAV entries, and the legal ingress interfaces corresponding to address prefix A determined based on the SAV summary table are 'a' and 'b'.
[0098] For example, when the SAV summary table includes multiple SAV entries indicating verification information corresponding to the same address prefix, the entries can be merged to generate a single SAV entry containing multiple verification information. Specifically, the SAV summary table merges multiple SAV entries whose priority meets the filtering criteria to generate a single entry. Taking the example above, when selecting the first and second SAV entries to add to the SAV summary table, a first entry can be generated, indicating that the valid ingress interfaces corresponding to address prefix A are a and b.
[0099] S504. Receive the message and verify the source address of the message according to the SAV summary table.
[0100] When a routing and forwarding device receives a packet, it queries the SAV summary table to obtain the SAV entry corresponding to the packet's source address prefix. If an SAV entry exists in the SAV summary table indicating the mapping relationship between the packet's source address prefix and the ingress interface to which the packet arrived, the routing and forwarding device determines that the packet's source address verification result is valid; otherwise, it determines that the packet's source address verification result is invalid.
[0101] In this embodiment, a message is considered valid as long as it satisfies one of the multiple verification messages corresponding to multiple SAV entries in the SAV summary table. This embodiment can increase the probability of message validity and reduce the probability of false positives. Merging multiple SAV entries into one entry can improve the query efficiency of the SAV summary table, thereby improving the efficiency of source address verification.
[0102] The process of generating the SAV summary table is described below with reference to Figure 6:
[0103] Figure 6 is a schematic diagram of generating an SAV summary table according to an embodiment of this application. When multiple protocols generate new SAV entries, the SAV entry selection module determines whether to add the new SAV entry to the SAV summary table based on the priority of the SAV entries and the priority filtering conditions. If it is determined to add, the SAV entry summary module summarizes the SAV entry into the SAV master table. Specifically, if there are related entries with the same index as the SAV entry in the SAV master table, the SAV entry is merged with the related entries; if there are no related entries with the same index as the SAV entry, the entry is directly added to the SAV summary table.
[0104] Example 3:
[0105] Figure 7 is a flowchart illustrating another source address verification method provided in an embodiment of this application. As shown in Figure 7, the method includes the following steps:
[0106] S701, Obtain Message.
[0107] The message carries information about the source address prefix.
[0108] S702, Obtain multiple SAV entries and their priorities.
[0109] For example, multiple SAV entries in the routing and forwarding device can be obtained based on the source address prefix carried in the message. Each SAV entry indicates the authentication information corresponding to the source address prefix, i.e., the legitimate inbound interface corresponding to the source address prefix.
[0110] In this embodiment, all SAV entries are trustworthy. For example, the routing and forwarding device needs to traverse all SAV entries corresponding to the source address prefix to determine whether the packet enters from a legitimate ingress interface.
[0111] S703. Query the verification information corresponding to multiple SAV entries in sequence according to their priority.
[0112] The routing and forwarding device queries the authentication information corresponding to multiple SAV entries sequentially according to their priority. In one implementation, once a valid ingress interface indicated by a certain SAV entry is found to include the ingress interface to which the packet arrived, the packet is determined to be valid. For example, the query order of multiple SAV entries is shown in Figure 8.
[0113] Understandably, when the routing device finds a third SAV entry indicating the mapping between the source address prefix of the packet and the ingress interface, it determines the packet is valid and stops querying SAV entries with a priority lower than the third entry. If the routing device has traversed all SAV entries and still hasn't found a matching entry, the packet is considered invalid. In this implementation, the routing device can verify packet validity based on a more comprehensive set of SAV entries, resulting in more accurate verification. Furthermore, querying multiple SAV entries sequentially from highest to lowest priority improves query efficiency and allows for more precise focus on frequently accessed SAV entries.
[0114] The foregoing mainly describes the solution provided by the embodiments of this application from the perspective of the method executed by the routing and forwarding device. It is understood that, in order to achieve the above functions, the routing and forwarding device includes corresponding hardware structures and / or software modules for executing each function. Those skilled in the art should readily recognize that, based on the units and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein, this application can be implemented in hardware or a combination of hardware and computer software. Whether a function is executed in hardware or by computer software driving hardware depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application.
[0115] This application embodiment can divide the routing and forwarding device into functional modules according to the above method example. For example, each function can be divided into its own functional modules, or two or more functions can be integrated into one module. The integrated module can be implemented in hardware or as a software functional module. It should be noted that the module division in this application embodiment is illustrative and only represents one logical functional division. In actual implementation, there may be other division methods. The following description uses the division of functional modules according to each function as an example.
[0116] Figure 9 shows a schematic diagram of a routing forwarding device according to the above embodiments, in the case of using integrated units. This device can be a routing forwarding device or a chip applied to a routing forwarding device, and includes: an acquisition unit 901 and a processing unit 902. In one possible embodiment, the acquisition unit 901 is used to support the device in executing S301 and S302 in the above method embodiment, and the processing unit 902 is used to support the device in executing S303 in the above method embodiment; in another possible embodiment, the acquisition unit 901 is used to support the device in executing S401 in the above method embodiment, and the processing unit 902 is used to support the device in executing S402, S403, and S404 in the above method embodiment; in another possible embodiment, the acquisition unit 901 is used to support the device in executing S501 in the above method embodiment, and the processing unit 902 is used to support the device in executing S502, S503, and S504 in the above method embodiment; in another possible embodiment, the acquisition unit 901 is used to support the device in executing S701 and S702 in the above method embodiment, and the processing unit 902 is used to support the device in executing S703 in the above method embodiment.
[0117] All relevant content of each step involved in the above method embodiments can be referenced from the functional description of the corresponding functional module, and will not be repeated here in the embodiments of this application.
[0118] Based on hardware implementation, the acquisition unit 901 in this application embodiment can be the receiver of the device, the processing unit 902 can be the processor of the device, and the device can also include a transmitter. The transmitter can usually be integrated with the receiver as a transceiver. The specific transceiver can also be called a communication interface or interface circuit.
[0119] Figure 10 shows a schematic diagram of another routing forwarding device involved in the above embodiments provided in this application. The device can be used as a routing forwarding device or a chip applied to a routing forwarding device. The device includes a processor 1012 and a transceiver 1013. Further, the device also includes a memory 1011 and a bus 1014. The processor 1012, the memory 1011 and the transceiver 1013 are connected through the bus 1014.
[0120] The processor 1012 is used to control and manage the operation of the device. In one possible embodiment, the processor 1012 is used to support the device in executing S303 of the above method embodiment, and / or other technical processes described herein. The transceiver 1013 is used to support the device in communication, such as supporting the device in forwarding messages to other network devices.
[0121] In this embodiment, the processor 1012 may be a central processing unit, a general-purpose processor, a digital signal processor, an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or other programmable logic devices, transistor logic devices, hardware components, or any combination thereof. It can implement or execute various exemplary logic blocks, modules, and circuits described in conjunction with the disclosure of this application. The processor may also be a combination that implements computational functions, such as a combination of one or more microprocessors, a combination of a digital signal processor and a microprocessor, etc. The bus 1014 may include an address bus, a data bus, a control bus, etc.
[0122] In another embodiment of this application, a routing forwarding system is provided, which includes a routing forwarding device; wherein the routing forwarding device may be or include the device shown in FIG9 above, and is used to perform the steps performed by the routing forwarding device in the method embodiment provided above.
[0123] It is understood that all relevant content of each step involved in the above method embodiments can be referenced in the embodiments of the routing and forwarding device and the embodiments of the routing and forwarding system, and will not be repeated here.
[0124] In the several embodiments provided in this application, it should be understood that the disclosed apparatus and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative. For instance, the division of modules or units is merely a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another apparatus, or some features may be ignored or not executed.
[0125] The units described as separate components may or may not be physically separate. A component shown as a unit can be one or more physical units; that is, it can be located in one place or distributed in multiple different locations. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.
[0126] If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it can be stored in a readable storage medium. This readable storage medium may include various media capable of storing program code, such as a USB flash drive, external hard drive, read-only memory, random access memory, magnetic disk, or optical disk. Based on this understanding, the technical solution of the embodiments of this application, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product.
[0127] In another embodiment of this application, a chip is provided, which includes a processor and an interface circuit. The processor and the interface circuit are used to support the chip in performing one or more steps performed by the routing and forwarding device in the method embodiments provided above.
[0128] In another embodiment of this application, a computer-readable storage medium is provided, which stores a computer program or instructions that, when executed, implement one or more steps performed by the routing and forwarding device in the method embodiment provided above.
[0129] In another embodiment of this application, a computer program product is provided, comprising: a computer program (or code, or instructions) that, when executed, causes a computer to perform one or more steps performed by the routing and forwarding device as described in the method embodiments provided above.
[0130] Finally, it should be noted that the above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions within the technical scope disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.
Claims
1. A source address verification method, applied to a routing and forwarding device, characterized in that, The method includes: Obtain the priority of multiple source address verification SAV entries, wherein the multiple SAV entries have different sources and each of the multiple SAV entries indicates verification information corresponding to the same address prefix; Receive a message, the message including information about the source address prefix, the source address prefix being the same address prefix; The message source address is verified based on the priority of the multiple SAV entries.
2. The method according to claim 1, characterized in that, The step of verifying the source address of the packet based on the priority of the plurality of SAV entries includes: A SAV summary table is generated based on the priority of the plurality of SAV entries, and the SAV summary table includes the first SAV entry with the highest priority among the plurality of SAV entries; The source address of the message is verified based on the SAV summary table.
3. The method according to claim 2, characterized in that, The SAV summary table also includes at least one second SAV entry among the plurality of SAV entries whose priority meets the filtering criteria.
4. The method according to claim 1, characterized in that, The step of verifying the source address of the packet based on the priority of the plurality of SAV entries includes: A SAV summary table is generated based on the priority of the multiple SAV entries. The SAV summary table includes a first entry, which indicates multiple verification information corresponding to the same address prefix. The multiple verification information are the verification information corresponding to multiple SAV entries whose priority meets the filtering conditions. The source address of the message is verified based on the SAV summary table.
5. The method according to claim 1, characterized in that, The step of verifying the source address of the packet based on the priority of the plurality of SAV entries includes: Based on the priority of the multiple SAV entries, the verification information corresponding to the multiple SAV entries is queried sequentially; When a third SAV entry that verifies the validity of the message is found, the querying of SAV entries whose priority is lower than that of the third SAV entry is stopped.
6. The method according to any one of claims 1 to 5, characterized in that, The sources of the multiple SAV entries include: entries generated by the routing protocol, entries issued by the controller, or statically configured entries.
7. The method according to any one of claims 1 to 6, characterized in that, The method further includes: If the source address verification result is valid, then the message is forwarded; If the source address verification result is invalid, the packet is discarded or the packet is rate-limited.
8. The method according to any one of claims 1 to 7, characterized in that, The priority of each SAV entry in the plurality of SAV entries includes the priority of the source of each SAV entry.
9. The method according to any one of claims 1 to 8, characterized in that, The routing and forwarding device includes priority configuration information, which includes the priorities of the plurality of SAV entries; or Each of the plurality of SAV entries includes priority information.
10. A routing and forwarding device, characterized in that, The device includes: The acquisition unit is used to acquire the priority of multiple source address verification SAV entries, wherein the multiple SAV entries have different sources and each of the multiple SAV entries indicates verification information corresponding to the same address prefix; A receiving unit is configured to receive a message, the message including information about a source address prefix, wherein the source address prefix is the same address prefix; The processing unit is used to perform source address verification on the message according to the priority of the plurality of SAV entries.
11. The apparatus according to claim 10, characterized in that, The processing unit is specifically configured to generate a SAV summary table based on the priority of the plurality of SAV entries, the SAV summary table including the first SAV entry with the highest priority among the plurality of SAV entries; and to perform source address verification on the packet based on the SAV summary table.
12. The apparatus according to claim 11, characterized in that, The SAV summary table also includes at least one second SAV entry among the plurality of SAV entries whose priority meets the filtering criteria.
13. The apparatus according to claim 10, characterized in that, The processing unit is specifically configured to generate a SAV summary table based on the priority of the plurality of SAV entries. The SAV summary table includes a first entry, which indicates multiple verification information corresponding to the same address prefix. The multiple verification information are verification information corresponding to multiple SAV entries whose priority meets the filtering conditions. The processing unit performs source address verification on the packet based on the SAV summary table.
14. The apparatus according to claim 10, characterized in that, The processing unit is specifically configured to query the verification information corresponding to the plurality of SAV entries sequentially according to their priorities; when a third SAV entry that verifies the validity of the message is found, the querying of SAV entries whose priority is after that of the third SAV entry is stopped.
15. The apparatus according to any one of claims 10 to 14, characterized in that, The sources of the multiple SAV entries include: entries generated by the routing protocol, entries issued by the controller, or statically configured entries.
16. The apparatus according to any one of claims 10 to 15, characterized in that, The processing unit is further configured to forward the packet if the source address verification result is valid, and discard the packet or rate-limit the packet if the source address verification result is invalid.
17. The apparatus according to any one of claims 10 to 16, characterized in that, The priority of each SAV entry in the plurality of SAV entries includes the priority of the source of each SAV entry.
18. The apparatus according to any one of claims 10 to 17, characterized in that, The routing and forwarding device includes priority configuration information, which includes the priority of the plurality of SAV entries; or each of the plurality of SAV entries includes priority information.
19. A routing and forwarding device, characterized in that, The routing and forwarding device includes a processor and a memory, wherein the memory stores instructions that, when executed by the processor, cause the routing and forwarding device to perform the source address verification method as described in any one of claims 1-9.
20. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores instructions that, when executed on the device, cause the device to perform the source address verification method as described in any one of claims 1-9.