CN102546387B - Method, device and system for processing data message - Google Patents
- Publication number: CN102546387B (application CN201110337497.2A)
- Authority: CN (China)
- Prior art keywords
- data message
- label
- forwarding
- table item
- vpn label
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0272—Virtual private networks
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
Technical field
The present invention relates to the field of communications, and in particular to a method, device and system for processing data packets.
Background
With the continuous development of Internet services, network security has increasingly become one of the hard problems facing operators, and how to protect the security of customer equipment has become a question that must be weighed carefully when building a network. Devices on live networks are frequently subjected to Transmission Control Protocol/Internet Protocol (TCP/IP) attacks, Time To Live (TTL) expiry attacks, Internet Control Message Protocol (ICMP) attacks, Address Resolution Protocol (ARP) attacks and the like. Of these, TCP/IP attacks are the most serious, and preventing them has become a key network-security problem. The Internet Protocol (IP) is connectionless: as soon as an attacker obtains a single interface address of a Customer Edge (CE) device, it can launch an attack against that device and endanger its operational security.
In the prior art, Access Control List (ACL) rules are configured on the Provider Edge (PE) device to impose restrictions on IP packets and control Virtual Private Network (VPN) traffic, so as to protect the customer equipment.
However, in the prior art described above, ACL rules must be configured manually for the traffic to each distinct destination address, and the ACL rules cannot be changed in real time in response to changes in network device planning.
Summary of the invention
Embodiments of the present invention provide a method, device and system for processing data packets, used to improve the security of VPN data packets and prevent attacks by illegal data packets.
The data packet processing method provided by an embodiment of the present invention includes: a Provider Edge device (PE) identifies the inner label in a received data packet; the PE compares whether the inner label is the same as the label stored in the forwarding entry of the PE, where the forwarding entry is the one corresponding to the destination address of the data packet; and if they are the same, the PE forwards the data packet.
The data packet processing device provided by an embodiment of the present invention includes: an identification unit, configured to identify the inner label in a received data packet; a comparison unit, configured to compare whether the inner label identified by the identification unit is the same as the label stored in the forwarding entry of the PE, where the forwarding entry is the one corresponding to the destination address of the data packet; and a forwarding unit, configured to forward the data packet if the comparison result of the comparison unit is that they are the same.
The data packet processing system provided by an embodiment of the present invention includes: a PE, configured to identify the inner label in a received data packet, compare whether the identified inner label is the same as the label stored in the forwarding entry of the PE, where the forwarding entry is the one corresponding to the destination address of the data packet, and if they are the same, forward the data packet; and a Customer Edge device (CE), configured to receive the data packet sent by the PE.
It can be seen from the above technical solutions that the embodiments of the present invention have the following advantage: the PE identifies the inner label in a received data packet and compares it with the label stored in its forwarding entry. If they are the same, the inner label in the data packet is one that the PE itself previously advertised, so the received data packet is a legitimate one and is forwarded to the destination CE. This improves the security of VPN data packets and prevents attacks by illegal packets.
Description of drawings
Figure 1 is a schematic diagram of the connections between the devices in a VPN network;
Figure 2 is a schematic diagram of one embodiment of the data packet processing method in the embodiments of the present invention;
Figure 3 is a schematic diagram of another embodiment of the data packet processing method in the embodiments of the present invention;
Figure 4 is a schematic diagram of one embodiment of the data packet processing device in the embodiments of the present invention;
Figure 5 is a schematic diagram of another embodiment of the data packet processing device in the embodiments of the present invention;
Figure 6 is a schematic diagram of one embodiment of the data packet processing system in the embodiments of the present invention.
Detailed description
Embodiments of the present invention provide a method, device and system for processing data packets, used to rapidly check data packets in a virtual private network and ensure the security of VPN data packets.
For ease of understanding, the process by which an illegal attack arises in a VPN network is briefly described first. Referring to Figure 1, CE1 is the customer-side device of PE1, CE2 is the customer-side device of PE2, and PE1 and PE2 are connected through a backbone core device P (Provider).
When CE1 is to communicate with a customer-side device of the remote PE2, for example when CE1 accesses CE2, PE1 must send CE1's VPN routing information to PE2. This VPN routing information is allocated centrally by the service provider and carries a route label. After PE2 receives the VPN routing information, it uses the route label carried in it to add the inner label to data packets, then sends those data packets to PE1, which forwards them to CE1.
If CE1 only accesses other customer-side devices directly connected to PE1, PE1 does not need to send CE1's VPN routing information to PE2. In that case, if PE2 illegitimately sends PE1 a data packet to be forwarded to CE1, PE1 on receiving the packet forwards it to CE1 according to the VPN routing information it carries, even though that VPN routing information was never sent by PE1 to PE2. Such an illegal data packet therefore constitutes an attack on both PE1 and CE1.
The data packet processing method provided by embodiments of the present invention is described below. In the embodiments, the PE may be a router or a switch; the principle is similar for both. For ease of description, the embodiments take a router as the PE by way of example; it will be understood that the type of PE does not limit the present invention.
Referring to Figure 2, one embodiment of the data packet processing method in the embodiments of the present invention includes:
201. The PE identifies the inner label in a received data packet.
After receiving the data packet, the PE identifies the inner label in it.
As a specific example, referring to Figure 1, assume PE1 receives a data packet sent by PE2 and identifies the inner label in that packet.
202. The PE compares whether the identified inner label is the same as the label stored in the forwarding entry of the PE.
The PE compares the identified inner label with the label stored in its forwarding entry, where the forwarding entry is the one corresponding to the destination address of the data packet.
In the network, the service provider allocates one inner label to each Virtual Private Network (VPN) in order to distinguish the different routes. A PE comprises a control plane and a forwarding plane; inside the PE, the control plane sends the inner label to the forwarding plane, and the forwarding table of the forwarding plane carries that inner label.
If the identified inner label is the same as the label stored in the forwarding entry of the PE, step 203 is executed.
203. If they are the same, the PE forwards the data packet.
If the identified inner label is the same as the label stored in the forwarding entry of the PE, the PE forwards the data packet.
Referring to Figure 1, if PE1 receives a data packet sent by PE2, identifies the inner label in it and compares it with the label stored in PE1's forwarding entry, and the two are the same, then the inner label in the packet is one that PE1 previously sent to PE2; the received data packet is therefore a legitimate one and is forwarded to the destination Customer Edge device CE1.
In this embodiment, the PE identifies the inner label in a received data packet and compares it with the label stored in its forwarding entry. If they are the same, the inner label in the packet is one that the PE previously advertised, so the received data packet is a legitimate one and is forwarded to the destination CE. This ensures the security of VPN data packets and prevents attacks by illegal packets.
For ease of understanding, the data packet processing method in the embodiments of the present invention is described in detail below by way of another embodiment. Referring to Figure 3, another embodiment of the data packet processing method in the embodiments of the present invention includes:
301. The PE identifies the inner label in a received data packet.
After receiving the data packet, the PE identifies the inner label in it.
As a specific example, continuing to refer to Figure 1, assume PE1 receives a data packet sent by PE2 and identifies the inner label in that packet.
302. The PE compares whether the identified inner label is the same as the label stored in the forwarding entry of the PE.
The PE compares the identified inner label with the label stored in its forwarding entry. If they are the same, the PE forwards the data packet to the destination CE; if they differ, step 303 is executed.
303. If they differ, the PE counts and samples the data packet and reports the sampled information.
After the PE compares the identified inner label with the label stored in its forwarding entry, if the inner label differs from the stored label, the PE determines the data packet to be an illegal data packet and counts it, recording the number of illegal data packets received. The PE samples the recorded illegal data packets and reports the samples to the upper-layer management device so that an alarm can be raised.
Continuing to refer to Figure 1, PE1 receives a data packet sent by PE2, identifies the inner label in it and compares it with the label stored in PE1's forwarding entry. If the two differ, the inner label in the packet is not one that PE1 sent to PE2, so the received data packet is an illegal data packet and need not be forwarded further. PE1 counts the packet, recording the number of illegal data packets received, and samples it and reports the sample to the upper-layer management device so that an alarm can be raised.
304. The PE discards the data packet.
Having determined the data packet to be illegal, counted it, recorded the number of illegal data packets received, sampled the recorded illegal packets and reported them to the upper-layer management device for alarming, the PE discards the data packet.
It should be noted that, in this embodiment, counting and sampling the data packet and reporting the sampled information to the upper-layer management device may be done either before or after the illegal data packet is discarded; the order in which these two steps are executed does not affect the implementation of the technical solution of the present invention.
In the embodiments of the present invention, if the inner label that the PE identifies in a received data packet differs from the label stored in the forwarding entry of the PE, the data packet is an illegal data packet that need not be forwarded and may be discarded. Before discarding it, the PE counts the packet, recording the number of illegal data packets received, and samples it and reports the sample to the upper-layer management device so that an alarm can be raised. Attacks by illegal data packets are thereby intercepted and the security of data packets in the VPN is ensured.
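The check of steps 201 to 203 and the count/sample/report/drop path of steps 303 and 304, modelled in Python as an added example for this page (not code from the patent, from Huawei, or from any router implementation). The PE forwarding plane does a longest-prefix match on the packet's destination address, compares the VPN label stored on that forwarding entry with the packet's inner label, forwards on a match, and otherwise counts the packet, samples every Nth illegal packet into a report for the upper-layer management device, and drops it. The prefixes, label values, interface names, the sampling rate and the four sample packets are all constructed for illustration. Note that the check as the text describes it keys only on the inner label and the destination route; it does not examine the outer transport label or which PE sent the packet, and the model does not either.

```python
"""Forwarding-plane model of the inner-label check (steps 201-203, 301-304).
Added example; not code from the patent or any router. Prefixes, labels,
interface names and the sampling rate are assumptions made for illustration."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ForwardingEntry:
    """One PE forwarding-table entry (assumed shape). vpn_label is the inner
    label the PE control plane allocated for this route and advertised."""
    prefix: ipaddress.IPv4Network
    vpn_label: int
    out_interface: str  # CE-facing interface the route points at


@dataclass(frozen=True)
class LabeledPacket:
    """A packet after the outer transport label has been popped."""
    inner_label: int
    dst: ipaddress.IPv4Address


@dataclass(frozen=True)
class Verdict:
    action: str                # "forward" or "drop"
    out_interface: str | None  # set only when forwarding
    reason: str


@dataclass
class PEForwardingPlane:
    table: list[ForwardingEntry]
    sample_every: int = 2    # report every Nth illegal packet (assumed rate)
    illegal_count: int = 0   # step 303: running count of illegal packets
    reports: list[dict] = field(default_factory=list)  # step 303: samples

    def lookup(self, dst: ipaddress.IPv4Address) -> ForwardingEntry | None:
        """Longest-prefix match: the forwarding entry for the destination."""
        best: ForwardingEntry | None = None
        for entry in self.table:
            if dst in entry.prefix and (
                best is None or entry.prefix.prefixlen > best.prefix.prefixlen
            ):
                best = entry
        return best

    def handle(self, pkt: LabeledPacket) -> Verdict:
        """Compare the packet's inner label with the label stored on its route."""
        entry = self.lookup(pkt.dst)  # 201/202: entry for the destination address
        if entry is not None and entry.vpn_label == pkt.inner_label:
            # 203: the label is one this PE advertised for this very route
            return Verdict("forward", entry.out_interface,
                           "inner label matches the label advertised for this route")
        # 303: mismatch (or no route at all): count, sample, report ...
        self.illegal_count += 1
        expected = entry.vpn_label if entry is not None else None
        if (self.illegal_count - 1) % self.sample_every == 0:
            self.reports.append({"dst": str(pkt.dst), "inner_label": pkt.inner_label,
                                 "expected_label": expected})
        # ... 304: and drop
        return Verdict("drop", None,
                       f"inner label {pkt.inner_label} was never advertised for "
                       f"{pkt.dst} (expected {expected})")


def build_pe1() -> PEForwardingPlane:
    """PE1 of Figure 1 holding two VPN routes (constructed sample data)."""
    return PEForwardingPlane(table=[
        ForwardingEntry(ipaddress.IPv4Network("10.1.1.0/24"), 1001, "ge0/0 (to CE1)"),
        ForwardingEntry(ipaddress.IPv4Network("10.2.0.0/16"), 1002, "ge0/1"),
    ])


def run_demo() -> tuple[PEForwardingPlane, list[Verdict]]:
    """Feed PE1 four constructed packets: one legitimate, three illegal."""
    pe1 = build_pe1()
    packets = [
        # label 1001 was advertised for 10.1.1.0/24: legitimate traffic to CE1
        LabeledPacket(1001, ipaddress.IPv4Address("10.1.1.10")),
        # another VPN's label aimed at CE1's address: label/route mismatch
        LabeledPacket(1002, ipaddress.IPv4Address("10.1.1.20")),
        # a label PE1 never allocated at all
        LabeledPacket(4099, ipaddress.IPv4Address("10.2.5.5")),
        # a valid label, but no forwarding entry for the destination
        LabeledPacket(1001, ipaddress.IPv4Address("192.168.1.1")),
    ]
    return pe1, [pe1.handle(p) for p in packets]


if __name__ == "__main__":
    pe, verdicts = run_demo()
    for v in verdicts:
        print(f"{v.action:7} {v.out_interface or '-':15} {v.reason}")
    print(f"illegal packets counted: {pe.illegal_count}, sampled: {len(pe.reports)}")
```

Running the module forwards the first packet on the CE1-facing interface and drops the other three; the counter reaches 3 and, at the assumed rate of one in two, two of the three illegal packets are sampled into reports. The point the text makes about ordering holds here too: the report is built before the drop, but moving it after the return value is computed would not change which packets are forwarded.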
The data packet processing method provided by the embodiments of the present invention has been described above; the data packet processing device in the embodiments is described next. Referring to Figure 4, one embodiment of the data packet processing device in the embodiments of the present invention includes:
an identification unit 401, a comparison unit 402 and a forwarding unit 403;
where the identification unit 401 is configured to identify the inner label in a received data packet;
the comparison unit 402 is configured to compare whether the inner label identified by the identification unit is the same as the label stored in the forwarding entry of the PE;
and the forwarding unit 403 is configured to forward the data packet if the comparison result of the comparison unit is that they are the same.
In this embodiment, after the PE receives a data packet, the identification unit 401 identifies the inner label in it and the comparison unit 402 compares that inner label with the label stored in the forwarding entry of the PE. If they are the same, the inner label in the received data packet is one the PE previously advertised, the received data packet is a legitimate one, and the forwarding unit forwards it to the destination CE. This ensures the security of VPN data packets and prevents attacks by illegal packets.
For ease of understanding, the data packet processing device in the embodiments of the present invention is described in detail below by way of another embodiment. Referring to Figure 5, another embodiment of the data packet processing device in the embodiments of the present invention includes:
an identification unit 401, a comparison unit 402, a processing unit 503, a counting unit 504 and a reporting unit 505;
where the identification unit 401 is configured to identify the inner label in a received data packet;
the comparison unit 402 is configured to compare whether the inner label identified by the identification unit is the same as the label stored in the forwarding entry of the PE;
and the processing unit 503 is configured to discard the data packet if the inner label identified by the identification unit 401 differs from the label stored in the forwarding entry of the PE.
It should be noted that, in this embodiment, the processing unit 503 may further include:
a counting unit 5031, configured to count the data packet;
a reporting unit 5032, configured to sample the data packet and report the sampled information;
and a discarding unit 5033, configured to discard the data packet.
It should be noted that, in this embodiment, the counting unit 5031 may count the data packet, and the reporting unit 5032 may sample the data packet and report the sampled information to the upper-layer management device, either before or after the discarding unit 5033 discards the illegal data packet.
In this embodiment, the identification unit 401 identifies the inner label in a data packet received by the PE, and the comparison unit 402 compares whether the inner label identified by the identification unit is the same as the label stored in the forwarding entry of the PE. If they differ, the inner label in the packet is not one that the PE previously advertised, so the received data packet is an illegal data packet that need not be forwarded further, and the processing unit 503 discards it. Before the packet is discarded, the counting unit 504 counts it, recording the number of illegal data packets received, and the reporting unit 505 samples the packet that is about to be discarded and reports the sample to the upper-layer management device so that an alarm can be raised. Attacks by illegal data packets are thereby intercepted and the security of data packets in the VPN is ensured.
For the specific processes by which the devices in the above embodiments implement their functions, refer to the detailed description of the embodiments shown in Figures 2 and 3, which is not repeated here.
The data packet processing system in the embodiments of the present invention is described below. Referring to Figure 6, one embodiment of the data packet processing system in the embodiments of the present invention includes:
a Provider Edge device PE601 and a customer-side device CE602;
where PE601 is configured to identify the inner label in a received data packet, compare whether the identified inner label is the same as the label stored in the forwarding entry of PE601, where the forwarding entry is the one corresponding to the destination address of the data packet, and if they are the same, forward the data packet;
it should be noted that PE601 is further configured to discard the data packet if the inner label differs from the label stored in the forwarding entry of PE601;
specifically, PE601 is configured, if the inner label differs from the label stored in the forwarding entry of PE601, to count the data packet, sample the data packet and report the sampled information, and discard the data packet;
and CE602 is configured to receive the data packets sent by PE601.
Those skilled in the art will understand that all or some of the steps of the methods in the above embodiments may be carried out by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, such as a read-only memory, a magnetic disk or an optical disc.
The method, device and system for processing data packets provided by the present invention have been described in detail above. Those skilled in the art will, following the ideas of the embodiments of the present invention, make changes to the specific implementations and the scope of application. In summary, the content of this specification should not be construed as limiting the present invention.
Claims (6)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201110337497.2A CN102546387B (en) | 2011-10-31 | 2011-10-31 | Method, device and system for processing data message |
PCT/CN2012/083744 WO2013064057A1 (en) | 2011-10-31 | 2012-10-30 | Data packet processing method, device, and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201110337497.2A CN102546387B (en) | 2011-10-31 | 2011-10-31 | Method, device and system for processing data message |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102546387A CN102546387A (en) | 2012-07-04 |
CN102546387B true CN102546387B (en) | 2015-04-29 |
Family
ID=46352377
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201110337497.2A Active CN102546387B (en) | 2011-10-31 | 2011-10-31 | Method, device and system for processing data message |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN102546387B (en) |
WO (1) | WO2013064057A1 (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102546387B (en) * | 2011-10-31 | 2015-04-29 | 华为技术有限公司 | Method, device and system for processing data message |
CN110300033B (en) * | 2018-03-22 | 2023-09-26 | 华为技术有限公司 | Packet loss information recording method, network equipment and network system |
CN108650237B (en) * | 2018-04-13 | 2020-09-08 | 烽火通信科技股份有限公司 | Message security check method and system based on survival time |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101572669A (en) * | 2009-05-27 | 2009-11-04 | 中兴通讯股份有限公司 | Transmitting method of VPN message as well as allocating and deleting method of the router marks thereof |
CN101248620B (en) * | 2006-01-16 | 2010-05-19 | 中兴通讯股份有限公司 | Method for realizing label message path validity check |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102132532B (en) * | 2008-08-22 | 2014-05-21 | 艾利森电话股份有限公司 | Method and apparatus for avoiding unwanted data packets |
CN102546387B (en) * | 2011-10-31 | 2015-04-29 | 华为技术有限公司 | Method, device and system for processing data message |
- 2011-10-31: CN CN201110337497.2A patent/CN102546387B/en, active (Active)
- 2012-10-30: WO PCT/CN2012/083744 patent/WO2013064057A1/en, active (Application Filing)
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101248620B (en) * | 2006-01-16 | 2010-05-19 | 中兴通讯股份有限公司 | Method for realizing label message path validity check |
CN101572669A (en) * | 2009-05-27 | 2009-11-04 | 中兴通讯股份有限公司 | Transmitting method of VPN message as well as allocating and deleting method of the router marks thereof |
Also Published As
Publication number | Publication date |
---|---|
WO2013064057A1 (en) | 2013-05-10 |
CN102546387A (en) | 2012-07-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2021008028A1 (en) | Network attack source tracing and protection method, electronic device and computer storage medium | |
JP4906504B2 (en) | Intelligent integrated network security device | |
US9407602B2 (en) | Methods and apparatus for redirecting attacks on a network | |
JP3954385B2 (en) | System, device and method for rapid packet filtering and packet processing | |
EP1433076B1 (en) | Protecting against distributed denial of service attacks | |
Gadge et al. | Port scan detection | |
CN102055674B (en) | Internet protocol (IP) message as well as information processing method and device based on same | |
US9531673B2 (en) | High availability security device | |
JP2005517349A (en) | Network security system and method based on multi-method gateway | |
WO2010108422A1 (en) | Method, apparatus and system for botnet host detection | |
US20110026529A1 (en) | Method And Apparatus For Option-based Marking Of A DHCP Packet | |
US9391954B2 (en) | Security processing in active security devices | |
US20170019426A1 (en) | Method for attribution security system | |
Data | The defense against ARP spoofing attack using semi-static ARP cache table | |
CN102546387B (en) | Method, device and system for processing data message | |
WO2019096104A1 (en) | Attack prevention | |
KR101118398B1 (en) | Method and apparatus for overriding denunciations of unwanted traffic in one or more packet networks | |
Trabelsi et al. | On investigating ARP spoofing security solutions | |
US12368750B2 (en) | Intelligent manipulation of denial-of-service attack traffic | |
WO2016014178A1 (en) | Identifying malware-infected network devices through traffic monitoring | |
EP3073701B1 (en) | Network protection entity and method for protecting a communication network against fraud messages | |
KR101088868B1 (en) | How AP Packets Are Handled by Network Switches | |
US12058156B2 (en) | System and method for detecting and mitigating port scanning attacks | |
US20060225141A1 (en) | Unauthorized access searching method and device | |
JP2004096246A (en) | Data transmission method, data transmission system and data transmission device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant |