CN101567886A - Method and equipment for list item safety management - Google Patents
Method and equipment for list item safety management
- Publication number: CN101567886A (application CN2009100859940A)
- Authority: CN (China)
- Prior art keywords: neighbor, level, security, entry, protocol
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
- Classification: Data Exchanges In Wide-Area Networks (AREA)
Description
Technical Field
The present invention relates to the technical field of table-entry security, and in particular to a security management method and device for neighbor table entries.
Background Art
The IPv6 Neighbor Discovery (ND) protocol uses five types of ICMPv6 (Internet Control Message Protocol version 6) messages to implement address resolution, neighbor reachability verification, duplicate address detection, router discovery/prefix discovery, address autoconfiguration and redirection, as shown in Table 1:
Table 1: Types and functions of the ICMPv6 messages used by the ND protocol
ICMPv6 message | Function |
---|---|
Router Solicitation (RS) | sent by a host to ask on-link routers for an immediate Router Advertisement (router discovery) |
Router Advertisement (RA) | router discovery, prefix discovery and the parameters used for address autoconfiguration |
Neighbor Solicitation (NS) | address resolution, neighbor reachability verification and duplicate address detection |
Neighbor Advertisement (NA) | reply to an NS, or unsolicited announcement of a node's (changed) link-layer address |
Redirect | a router tells a host of a better first hop for a destination |
After a device has exchanged ICMPv6 messages with a neighbor device, it creates a neighbor entry for that neighbor.
Between IPv6 neighbors, the Border Gateway Protocol (BGP) or Open Shortest Path First version 3 (OSPFv3) is used as the routing protocol.
BGP is a dynamic routing protocol used between autonomous systems (AS). An AS is a group of routers that share one routing policy and run under a single technical administration. A router that sends BGP messages is called a BGP speaker; a BGP speaker receives or generates new routing information and advertises it to other BGP speakers. When a BGP speaker receives a new route from another AS, it advertises that route to all other BGP speakers in its own AS if the route is better than the currently known one or no route to that destination is known yet. BGP speakers that exchange messages with each other are called peers, and several related peers can form a peer group. BGP uses the Transmission Control Protocol (TCP) as its transport. To improve the security of BGP, MD5 authentication can be required on the TCP connection (the TCP MD5 signature option, RFC 2385, in which every segment of the session carries an MD5 digest computed over the segment and a shared password): the two routers must be configured with the same password or the TCP connection cannot be established. IPv6 BGP also supports MD5 authentication. BGP sessions can additionally be authenticated and encrypted with IP Security (IPsec).
OSPFv3 provides OSPF support for IPv6 and follows RFC 5340. OSPFv3 supports authentication and encryption of its packets as specified in RFC 4552, which defines how OSPFv3 uses IPsec for authentication and confidentiality: IPsec transport mode must be supported, tunnel mode is optional. Both authentication and confidentiality are provided by the Encapsulating Security Payload (ESP) protocol; for authentication alone the Authentication Header (AH) may also be used. Once authentication or confidentiality is enabled, received OSPFv3 packets that are not protected by AH/ESP, and packets that fail the check, are dropped.
Regardless of whether the routers run BGP or OSPFv3, the ND or Address Resolution Protocol (ARP) messages exchanged between routers are sent in plaintext and carry no authentication, so within one LAN the following attacks on neighbor entries are possible:
1. Abnormal entry update: an attached host sends messages with a source address that is not its own, including NS, NA, RS, RA or Redirect replies, thereby impersonating another device. Neighbor entries on legitimate devices are wrongly changed; in effect the next hop of the corresponding routing entry is changed, so packets are misrouted.
2. Too many entries: an attached host forges NS or NA messages on behalf of other hosts so that the device learns an excessive number of entries. The number of entries a device can store is limited, so the device can no longer serve additional users, and legitimate neighbor entries may be wrongly deleted, again leading to misrouted packets.
These problems occur between routers and, in severe cases, can bring the network down.
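Both the entry creation described above and the spoofing attack hinge on what a Neighbor Advertisement actually carries. The following Python is an added example, not code from the patent or its assignee: it builds an NA with a Target Link-layer Address option and a correct ICMPv6 checksum (RFC 4861 message format, RFC 8200 pseudo-header), then parses it the way a receiving router would to fill the neighbor entry (IP address plus link-layer address). The addresses and MACs are constructed documentation values (2001:db8::/32, 00:00:5e:00:53:xx), and the function names are the example's own. It shows that a legitimate NA from B and a forged NA for B's address differ only in the link-layer address field; nothing in the message authenticates the sender, which is why a receiver cannot tell them apart.

```python
import ipaddress
import struct

ICMPV6_NA = 136           # ICMPv6 type: Neighbor Advertisement
OPT_TARGET_LLADDR = 2     # ND option type: Target Link-layer Address
NEXT_HEADER_ICMPV6 = 58


def _icmpv6_checksum(src: str, dst: str, msg: bytes) -> int:
    """One's-complement checksum over the IPv6 pseudo-header plus the ICMPv6 message.
    Returns 0 when msg already carries a correct checksum (used for verification)."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(msg), NEXT_HEADER_ICMPV6))
    data = pseudo + msg
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_na(src: str, dst: str, target: str, lladdr: str, override: bool = True,
             solicited: bool = False, router: bool = False) -> bytes:
    """Build an NA for `target` that advertises `lladdr`, with the checksum filled in."""
    flags = (int(router) << 31) | (int(solicited) << 30) | (int(override) << 29)
    msg = struct.pack("!BBHI", ICMPV6_NA, 0, 0, flags) + ipaddress.IPv6Address(target).packed
    # Target Link-layer Address option: type 2, length 1 (8 octets), 6-byte MAC
    msg += bytes([OPT_TARGET_LLADDR, 1]) + bytes.fromhex(lladdr.replace(":", ""))
    csum = _icmpv6_checksum(src, dst, msg)
    return msg[:2] + struct.pack("!H", csum) + msg[4:]


def parse_na(src: str, dst: str, msg: bytes) -> dict:
    """What a receiver can extract from an NA: exactly the fields that populate its entry."""
    if len(msg) < 24 or _icmpv6_checksum(src, dst, msg) != 0:
        raise ValueError("truncated NA or bad checksum")
    typ, code, _, flags = struct.unpack("!BBHI", msg[:8])
    if typ != ICMPV6_NA or code != 0:
        raise ValueError("not a Neighbor Advertisement")
    lladdr = None
    off = 24
    while off + 2 <= len(msg):                  # walk the TLV options after the target
        otype, olen = msg[off], msg[off + 1]
        if olen == 0 or off + olen * 8 > len(msg):
            raise ValueError("malformed ND option")   # RFC 4861: zero-length option, drop
        if otype == OPT_TARGET_LLADDR and olen == 1:
            lladdr = msg[off + 2:off + 8].hex(":")
        off += olen * 8
    return {"src": src, "target": str(ipaddress.IPv6Address(msg[8:24])), "lladdr": lladdr,
            "override": bool(flags & (1 << 29)), "solicited": bool(flags & (1 << 30))}


def compare_advertisements() -> dict:
    """Constructed exchange: B's genuine unsolicited NA and an attacker's forged NA for B."""
    all_nodes, b_ip = "ff02::1", "2001:db8::b"
    legit = build_na(src=b_ip, dst=all_nodes, target=b_ip, lladdr="00:00:5e:00:53:0b")
    forged = build_na(src=b_ip, dst=all_nodes, target=b_ip, lladdr="00:00:5e:00:53:ee")
    seen_legit = parse_na(b_ip, all_nodes, legit)
    seen_forged = parse_na(b_ip, all_nodes, forged)
    strip = lambda d: {k: v for k, v in d.items() if k != "lladdr"}
    # Everything the receiver can check is identical; only the advertised MAC differs.
    return {"legit": seen_legit, "forged": seen_forged,
            "same_except_lladdr": strip(seen_legit) == strip(seen_forged)}
```

The checksum only protects against corruption, not against forgery: the attacker computes it just as easily as B does. That is the gap the static-binding and SEND approaches below, and the patent's own scheme, are trying to close.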
In the prior art, there are two main security mechanisms for neighbor entries:
1. Static address allocation
On the device, an IPv6 address is allocated in advance for every possible attached host, and that IPv6 address is bound to the host's Media Access Control (MAC) address and access port, so that critical neighbor entries cannot be maliciously updated.
2. Secure Neighbor Discovery (SEND)
The SEND mechanism (RFC 3971) is used to authenticate ND messages (with cryptographically generated addresses and RSA signatures; SEND signs ND messages rather than encrypting them), so that every neighbor entry created is backed by an authenticated message.
The static address allocation scheme has high deployment and management costs for large-scale IPv6 deployments. The SEND scheme requires existing devices and hosts to upgrade their IPv6 protocol stacks; few systems currently support it, it is seldom deployable, and its deployment and management costs are also high.
Summary of the Invention
The present invention provides a table-entry security management method and device that reduce the cost of security management while still guaranteeing the security of the entries.
The technical solution of the present invention is realized as follows:
A table-entry security management method, comprising:
a first device creates a neighbor entry for a second device for the first time, sets the security level of that entry to the normal level and marks the entry as updatable; afterwards, when the first and second devices run a protocol with security features, pass security authentication with each other and establish a neighbor relationship, the first device raises the security level of the neighbor entry for the second device to the security-protocol level and marks the entry as not updatable.
After the first device raises the security level of the neighbor entry for the second device to the security-protocol level, the method further comprises:
when the neighbor relationship between the first and second devices is torn down, the first device restores the security level of the neighbor entry for the second device to the normal level and marks the entry as updatable again.
The first device establishing a neighbor relationship with the second device is:
the first device establishing a Border Gateway Protocol (BGP) or Open Shortest Path First version 3 (OSPFv3) neighbor relationship with the second device.
The first device creating a neighbor entry for the second device for the first time is:
the first device running the Neighbor Discovery (ND) protocol or the Address Resolution Protocol (ARP) with the second device and generating a neighbor entry for the second device.
The neighbor entry for the second device comprises at least: the IP address of the second device, the link-layer address of the second device, and the identifier of the access port on which the second device is reached.
The method further comprises: setting a shorter aging time for neighbor entries at the normal level and a longer aging time for neighbor entries at the security-protocol level.
The method further comprises:
when the first device finds that the number of entries it stores exceeds a preset threshold, it first deletes neighbor entries at the normal level; if, after all normal-level entries have been deleted, the number of stored entries still exceeds the threshold, it then deletes neighbor entries at the security-protocol level, until the number of stored entries no longer exceeds the threshold.
The method further comprises:
configuring security-protocol-level neighbor entries as permanently stored, or configuring them so that permanent or non-permanent storage can be chosen;
configuring normal-level neighbor entries as non-permanently stored.
The method further comprises:
the first device allocating a higher bandwidth to neighbor devices whose neighbor entries are at the security-protocol level and a lower bandwidth to neighbor devices whose neighbor entries are at the normal level.
A table-entry security management device, comprising:
an entry generation module, which creates a neighbor entry for a neighbor device for the first time, sets the security level of that entry to the normal level and marks it as updatable;
a security level upgrade module, which, once a protocol with security features has been run with the neighbor device, mutual security authentication has passed and a neighbor relationship has been established, raises the security level of the neighbor entry generated by the entry generation module for that neighbor device to the security-protocol level and marks the entry as not updatable.
The device further comprises:
a security level downgrade module, which, when the neighbor relationship with the neighbor device is torn down, restores the security level of the neighbor entry for that device in the entry generation module to the normal level and marks the entry as updatable.
The device further comprises:
an entry aging module, which sets a longer aging time for neighbor entries at the security-protocol level and a shorter aging time for neighbor entries at the normal level.
The device further comprises:
an entry count management module, which, when it finds that the number of entries stored by the device exceeds a preset threshold, first deletes normal-level neighbor entries and, if the number of stored entries still exceeds the threshold after all normal-level entries have been deleted, then deletes security-protocol-level neighbor entries, until the number of stored entries no longer exceeds the threshold.
The device further comprises:
an entry storage mode management module, which configures security-protocol-level neighbor entries as permanently stored, or as permanently or non-permanently stored at the operator's choice, and configures normal-level neighbor entries as non-permanently stored.
The device further comprises:
a bandwidth allocation module, which allocates a higher bandwidth to neighbor devices whose neighbor entries are at the security-protocol level and a lower bandwidth to neighbor devices whose neighbor entries are at the normal level.
Compared with the prior art, in the present invention, once the first and second devices have run a protocol with security features, passed mutual security authentication and established a neighbor relationship, the neighbor entry for the second device may no longer be updated. This prevents the entry from being abnormally overwritten by spoofed ND/ARP messages and, because normal-level entries are evicted first when the table overflows, keeps a flood of forged entries from displacing authenticated neighbors. The probability of packets being misrouted is reduced and the security of the entries improved. Moreover, the invention requires neither static address allocation nor an upgrade of the existing IPv6 protocol stack, which lowers deployment and management costs.
Brief Description of the Drawings
Figure 1 is a flowchart of the table-entry security management method provided by an embodiment of the present invention;
Figure 2 is a block diagram of the table-entry security management device provided by an embodiment of the present invention.
Detailed Description
The present invention is described in further detail below with reference to the drawings and specific embodiments.
The core idea of the present invention is to define two security levels for neighbor entries in advance, normal and security-protocol, where normal-level entries may be updated and security-protocol-level entries may not. When the first device creates a neighbor entry for the second device for the first time, it sets the entry's security level to normal; afterwards, once the first and second devices have run a protocol with security features, passed mutual security authentication and established a neighbor relationship, the first device raises the security level of the entry for the second device to the security-protocol level. From then on the entry for the second device may not be updated unless its security level is restored to normal.
Figure 1 is a flowchart of the table-entry security management method provided by an embodiment of the present invention. As shown in Figure 1, the specific steps are as follows:
Step 101: Device A and device B run the ND or ARP protocol, and device A generates a neighbor entry for device B.
The neighbor entry for device B contains device B's IP address, device B's link-layer address, the number of the access port on which device B is reached, and so on.
After device A starts, if another party such as device B sends device A an NS message, device A records device B's IP address, link-layer address and access port number after replying with an NA message, and generates an IPv6 neighbor entry for device B.
After device A sends an ARP request and receives the ARP reply returned by neighbor device B, it records device B's IP address, link-layer address and access port number, and generates an IPv4 neighbor entry for device B.
Step 102: Device A checks whether it already holds a neighbor entry for device B; if so, go to step 104, otherwise go to step 103.
Here device A looks up the neighbor entry for device B by device B's IP address.
Step 103: Device A stores the neighbor entry for device B, sets its security level to normal, and goes to step 107.
Step 104: Device A checks whether the security level of the existing neighbor entry for device B is normal or security-protocol; if normal, go to step 105, otherwise go to step 106.
Step 105: Device A overwrites the existing neighbor entry for device B with the entry newly generated in step 101, keeps the entry's security level unchanged at normal, and goes to step 107.
Step 106: Device A discards the newly generated neighbor entry for device B, and the procedure ends.
Because the existing entry for device B is at the security-protocol level and may not be updated, the newly generated entry for device B is discarded here. Note that this also freezes the entry against a legitimate change of device B's link-layer address: such a change only takes effect after the adjacency is torn down (which happens on its own once packets sent to the stale link-layer address stop reaching B and the BGP hold timer or OSPFv3 dead interval expires) and the entry is demoted to the normal level.
Step 107: Device A and device B run a protocol with security features, pass security authentication and establish a neighbor relationship; device A upgrades the security level of the neighbor entry for device B to the security-protocol level.
For example, after device A and device B have been configured with the same security authentication parameters, such as MD5 or IPsec (AH/ESP) parameters, and the BGP neighbor relationship between them has been correctly established, device A upgrades the security level of the neighbor entry for device B to the security-protocol level. The upgrade presupposes that the peer address of the authenticated session is the address held in the neighbor entry, i.e. that the session runs directly between the on-link addresses; a BGP session established between loopback addresses (multihop) says nothing about the neighbor entry of the on-link next hop.
Afterwards, when the BGP neighbor relationship between device A and device B is torn down, device A restores the security level of the neighbor entry for device B to normal, and from then on the entry for device B may be updated again.
Alternatively, after device A and device B have been configured with the same authentication and encryption parameters, such as AH or ESP parameters, and the OSPFv3 neighbor relationship between them has been correctly established, device A upgrades the security level of the neighbor entry for device B to the security-protocol level.
Afterwards, when the OSPFv3 neighbor relationship between device A and device B is torn down, device A restores the security level of the neighbor entry for device B to normal, and from then on the entry for device B may be updated again.
In this embodiment, a shorter aging time is set for normal-level neighbor entries and a longer aging time for security-protocol-level neighbor entries, so as to extend the lifetime of the latter.
Normally the aging time of a normal-level entry is the one specified by the ND or ARP protocol; the aging time of a security-protocol-level entry can be configured manually.
Also, in this embodiment, if a device A finds that the number of entries it stores exceeds a preset threshold, it deletes entries according to their security level: normal-level neighbor entries first and, if the number of stored entries still exceeds the threshold after all normal-level entries have been deleted, security-protocol-level entries next, until the number of stored entries no longer exceeds the threshold.
Also, in this embodiment, to guarantee the reliability of security-protocol-level entries, they can be configured as permanently stored, or configured so that permanent or non-permanent storage can be chosen as needed; normal-level entries are usually stored non-permanently. Non-permanently stored entries age out according to their aging time.
Also, in this embodiment, a device can allocate bandwidth to each neighbor device according to the security level of the corresponding neighbor entry: a higher bandwidth to neighbors whose entries are at the security-protocol level and a lower bandwidth to neighbors whose entries are at the normal level.
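The procedure of steps 101 to 107, the adjacency-down demotion, the per-level aging and the threshold eviction order described above (and summarised earlier in the Summary of the Invention) fit in one small state machine. The following Python is an added example written for this page, not code from the patent or from H3C: the class and method names, the aging values and the addresses (documentation-range 2001:db8::/32 and 00:00:5e:00:53:xx MACs) are the example's own assumptions. It walks router A through the scenario the text describes, including the attack window before the adjacency exists and a forged-entry flood against a small threshold.

```python
from dataclasses import dataclass
from enum import Enum


class Level(Enum):
    NORMAL = "normal"      # learned from unauthenticated ND/ARP only; may be overwritten
    PROTOCOL = "protocol"  # an authenticated BGP/OSPFv3 adjacency exists; frozen


# Assumed aging timers: NORMAL stands in for the ND/ARP timer, PROTOCOL for the configured one.
AGING = {Level.NORMAL: 30.0, Level.PROTOCOL: 600.0}


@dataclass
class Entry:
    ip: str
    lladdr: str
    port: str
    level: Level = Level.NORMAL
    stamp: float = 0.0  # time the entry was last written or re-levelled

    @property
    def updatable(self) -> bool:
        return self.level is Level.NORMAL


class NeighborTable:
    def __init__(self, threshold: int, protocol_permanent: bool = True):
        self.threshold = threshold                    # preset maximum number of entries
        self.protocol_permanent = protocol_permanent  # protocol-level entries never age
        self.entries: dict[str, Entry] = {}

    def learn(self, ip: str, lladdr: str, port: str, now: float) -> str:
        """Steps 101-106: an NS/NA or ARP exchange produced a candidate entry for ip."""
        cur = self.entries.get(ip)
        if cur is None:                                           # step 103
            self.entries[ip] = Entry(ip, lladdr, port, Level.NORMAL, now)
            return "created"
        if cur.updatable:                                         # step 105
            self.entries[ip] = Entry(ip, lladdr, port, Level.NORMAL, now)
            return "updated"
        return "discarded"                                        # step 106

    def adjacency_up(self, ip: str, now: float) -> bool:
        """Step 107: authenticated BGP/OSPFv3 adjacency with ip is up; freeze the entry."""
        e = self.entries.get(ip)
        if e is None:
            return False
        e.level, e.stamp = Level.PROTOCOL, now
        return True

    def adjacency_down(self, ip: str, now: float) -> bool:
        """Adjacency torn down: back to normal level, the entry becomes updatable again."""
        e = self.entries.get(ip)
        if e is None or e.level is not Level.PROTOCOL:
            return False
        e.level, e.stamp = Level.NORMAL, now
        return True

    def age(self, now: float) -> list[str]:
        """Per-level aging; permanently stored protocol-level entries are skipped."""
        expired = [ip for ip, e in self.entries.items()
                   if not (e.level is Level.PROTOCOL and self.protocol_permanent)
                   and now - e.stamp > AGING[e.level]]
        for ip in expired:
            del self.entries[ip]
        return expired

    def enforce_threshold(self) -> list[str]:
        """Over the threshold: evict normal-level entries first, protocol-level ones last."""
        evicted = []
        for level in (Level.NORMAL, Level.PROTOCOL):
            for ip in [ip for ip, e in self.entries.items() if e.level is level]:
                if len(self.entries) <= self.threshold:
                    return evicted
                del self.entries[ip]
                evicted.append(ip)
        return evicted


def walk_through() -> dict:
    """Router A meets neighbor B and an attacker (constructed addresses and MACs)."""
    a = NeighborTable(threshold=4)
    b_ip, b_mac, bad_mac = "2001:db8::b", "00:00:5e:00:53:0b", "00:00:5e:00:53:ee"
    out = {"learn_b": a.learn(b_ip, b_mac, "ge0/1", now=0)}
    # Before the adjacency exists a spoofed NA for B's address is accepted: the attack window.
    out["spoof_before"] = a.learn(b_ip, bad_mac, "ge0/7", now=1)
    out["mac_before"] = a.entries[b_ip].lladdr
    a.learn(b_ip, b_mac, "ge0/1", now=2)            # B re-announces, then the adjacency comes up
    a.adjacency_up(b_ip, now=3)
    out["spoof_after"] = a.learn(b_ip, bad_mac, "ge0/7", now=4)
    out["mac_after"] = a.entries[b_ip].lladdr
    for i in range(10):                             # forged NS/NA flood fills the table
        a.learn(f"2001:db8::f{i:x}", f"00:00:5e:00:53:{i:02x}", "ge0/7", now=5)
    out["evicted"] = len(a.enforce_threshold())     # normal-level entries go first
    out["b_survives"] = b_ip in a.entries
    out["aged"] = a.age(now=100)                    # normal entries expire, B is permanent
    out["updatable_after_down"] = a.adjacency_down(b_ip, now=100) and a.entries[b_ip].updatable
    return out
```

Two design points the walk-through makes visible. First, the freeze locks in whichever link-layer address the entry held at the moment the adjacency came up; it does not validate that address, so the protection only starts once the authenticated session is up (the `spoof_before` step is the window the scheme leaves open). Second, eviction order matters more than the threshold itself: with ten forged entries and a threshold of four, only normal-level entries are dropped and B's frozen entry survives, which is what keeps the exhaustion attack of the background section from displacing an authenticated next hop.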
Figure 2 shows the composition of the table-entry security management device provided by an embodiment of the present invention. As shown in Figure 2, it mainly comprises an entry generation module 21, a security level upgrade module 22 and a security level downgrade module 23, where:
Entry generation module 21: creates a neighbor entry for a neighbor device for the first time, sets the entry's security level to normal and marks it as updatable.
Security level upgrade module 22: once a protocol with security features has been run with the neighbor device, mutual security authentication has passed and a neighbor relationship has been established, raises the security level of the neighbor entry generated by entry generation module 21 for that neighbor device to the security-protocol level and marks the entry as not updatable.
Security level downgrade module 23: when the neighbor relationship with the neighbor device is torn down, restores the security level of the neighbor entry for that device held in entry generation module 21 to normal and marks it as updatable.
In practice, the table-entry security management device provided by the embodiment may further comprise:
Entry aging module: sets a longer aging time for the neighbor entries held in entry generation module 21 whose security level is security-protocol, and a shorter aging time for those whose security level is normal.
Entry count management module: when it finds that the number of entries stored by the device exceeds the preset threshold, first deletes normal-level neighbor entries and, if the number of stored entries still exceeds the threshold after all normal-level entries have been deleted, then deletes security-protocol-level neighbor entries, until the number of stored entries no longer exceeds the threshold.
Entry storage mode management module: configures security-protocol-level neighbor entries as permanently stored, or as permanently or non-permanently stored at the operator's choice, and configures normal-level neighbor entries as non-permanently stored.
Bandwidth allocation module: allocates a higher bandwidth to neighbor devices whose neighbor entries are at the security-protocol level and a lower bandwidth to neighbor devices whose neighbor entries are at the normal level.
The above are merely process and method embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within its scope of protection.
Claims (15)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2009100859940A CN101567886B (en) | 2009-06-03 | 2009-06-03 | Entry security management method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101567886A true CN101567886A (en) | 2009-10-28 |
CN101567886B CN101567886B (en) | 2012-04-25 |
Family
ID=41283835
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2009100859940A Expired - Fee Related CN101567886B (en) | 2009-06-03 | 2009-06-03 | Entry security management method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101567886B (en) |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100536474C (en) * | 2006-09-14 | 2009-09-02 | 杭州华三通信技术有限公司 | Method and equipment for preventing network attack by using address analytic protocol |
CN101175080A (en) * | 2007-07-26 | 2008-05-07 | 杭州华三通信技术有限公司 | Method and system for preventing ARP message attack |
Events
2009-06-03 | CN | application CN2009100859940A, patent CN101567886B (not active: Expired - Fee Related) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103078799A (en) * | 2013-01-28 | 2013-05-01 | 华为技术有限公司 | Processing method and device of neighbor entries |
CN103078799B (en) * | 2013-01-28 | 2015-11-25 | 华为技术有限公司 | The processing method of neighbor entry and device |
CN104283795A (en) * | 2014-10-11 | 2015-01-14 | 杭州华三通信技术有限公司 | Method and device for refreshing multicast table item |
CN104283795B (en) * | 2014-10-11 | 2018-04-10 | 新华三技术有限公司 | A kind of multicast list brush new method and apparatus |
CN106170946A (en) * | 2015-03-13 | 2016-11-30 | 华为技术有限公司 | The network equipment and the method for terminal equipment in communication, the network equipment and terminal unit |
US10469445B2 (en) | 2015-03-13 | 2019-11-05 | Huawei Technologies Co., Ltd. | Method for communication between network device and terminal device, network device, and terminal device |
CN106170946B (en) * | 2015-03-13 | 2020-07-24 | 华为技术有限公司 | Method for communication between network equipment and terminal equipment, network equipment and terminal equipment |
Also Published As
Publication number | Publication date |
---|---|
CN101567886B (en) | 2012-04-25 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| CP03 | Change of name, title or address | Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466; Patentee after: NEW H3C TECHNOLOGIES Co.,Ltd. Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base; Patentee before: HANGZHOU H3C TECHNOLOGIES Co.,Ltd. |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20120425 |