CN115208600A - Method, device, equipment and storage medium for route verification and data transmission - Google Patents
- Publication number: CN115208600A
- Application number: CN202110614675A
- Authority
- CN
- China
- Prior art keywords
- target
- area
- routing prefix
- network device
- bgp
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The embodiments of this application disclose a method, device, equipment and storage medium for route verification and data transmission, belonging to the technical field of communication. The method comprises the following steps: a first network device obtains BGP routing information that includes a target routing prefix, obtains, based on the target routing prefix, the area identifier of the area to which the target routing prefix actually belongs, and verifies the BGP routing information based on the target routing prefix and that area identifier. Because the BGP routing information is verified against the area identifier of the area to which the routing prefix actually belongs, the accuracy of route origin verification is improved and network security is improved.
Description
The present application claims priority from Chinese patent application No. 202110316535.X, entitled "A method for preventing BGP route hijacking", filed on 25 March 2021 and incorporated herein by reference in its entirety.
Technical Field
The embodiment of the application relates to the technical field of communication, in particular to a method, a device, equipment and a storage medium for route verification and data transmission.
Background
In networks, attacks that exploit Border Gateway Protocol (BGP) routing occur every day. For example, an external Internet Service Provider (ISP) may hijack user traffic through a malicious route announcement and thereby intercept that traffic.
To prevent eavesdropping on user traffic, the mainstream solution in the industry adds a Resource Public Key Infrastructure (RPKI) mechanism on top of BGP. The information needed to verify BGP routes is distributed by the RPKI mechanism to network devices such as routers and switches, and the content carried in the BGP routing information is then compared against the distributed information for validity verification.
However, for some ISPs, an Autonomous System (AS) of the ISP and the multiple routing prefixes belonging to that AS may be distributed across several areas. For example, an ISP may use the same AS number globally while announcing different routing prefixes in different areas. A conventional ROA binds a prefix only to an origin AS number, so an announcement that carries the legitimate origin AS but comes from an area where that prefix is not used still passes origin validation. In that situation, how to verify the BGP routing information is a problem that urgently needs to be solved.
Disclosure of Invention
The embodiments of this application provide a method, device, equipment and storage medium for route verification and data transmission, which solve the technical problem of user traffic being intercepted through route hijacking.
In a first aspect, an embodiment of the present application provides a method for route verification, in which a first network device obtains BGP routing information, where the BGP routing information includes a target routing prefix. The first network equipment acquires the area identification of the area to which the target routing prefix actually belongs based on the target routing prefix, and verifies the BGP routing information based on the target routing prefix and the area identification of the area to which the target routing prefix actually belongs.
When the BGP routing information is verified, the area to which the routing prefix belongs is considered, so that the BGP routing information is verified through the area identifier of the area to which the routing prefix actually belongs, the accuracy of routing source verification is improved, and the network security is improved.
In some embodiments, the network further includes a second network device and a third network device. The second network device establishes an External Border Gateway Protocol (EBGP) session with the first network device, and the third network device establishes an Internal Border Gateway Protocol (IBGP) session with the first network device; for the first network device, the second network device is an external BGP neighbor and the third network device is an internal BGP neighbor. The BGP routing information obtained by the first network device is either inbound BGP routing information, that is, routing information the first network device receives from other network devices (for example, from the second network device), or outbound BGP routing information, that is, routing information the first network device is about to send to other network devices (for example, to the third network device). Equivalently, the BGP routing information may be taken from the inbound adjacency routing information base (Adj-RIB-In) or the outbound adjacency routing information base (Adj-RIB-Out) of the first network device.
For outbound BGP routing information, the routing information may have been stored locally at the first network device after it was received from the second network device and verified. Alternatively, it may have been stored locally after being received from the second network device without verification.
It should be noted that the BGP routing information may include a target originating AS number in addition to the target routing prefix. Of course, other information may also be included, which is not limited in this application.
One ISP may operate one or more ASes, each AS has an AS number, and one AS may include multiple network devices that can originate BGP routing information. The AS number of the AS in which the originating network device of the BGP routing information is located is referred to as the originating AS number of the routing prefix included in that BGP routing information.
Optionally, the routing prefix is a prefix of a network address of a network device. For example, when the network device communicates using Internet Protocol version 4 (IPv4), the routing prefix is a prefix of an IPv4 address; when it communicates using Internet Protocol version 6 (IPv6), the routing prefix is a prefix of an IPv6 address.
The first network device obtains the area identifier of the area to which the target routing prefix actually belongs as follows: among the network devices that the target routing prefix actually traverses, the first network device determines the area identifier of the area to which the originating network device belongs, and uses it as the area identifier of the area to which the target routing prefix actually belongs.
Since the originating network device among the network devices the target routing prefix actually traverses is a device of the area to which the target routing prefix actually belongs, the area identifier of the originating network device's area can be taken as the area identifier of the area to which the target routing prefix actually belongs.
It should be noted that the area identifier uniquely identifies an area. It may be Regional Internet Registry (RIR) information, but may also take other forms, such as one or a combination of: Local Internet Registry (LIR) information, continent, region, country, or city.
Based on the above description, the routing prefix is a prefix of the network address of the network device, and one network address corresponds to one geographic address, and the geographic area where the geographic address is located may be referred to as an area to which the routing prefix belongs. That is, the area to which the routing prefix belongs refers to the geographical area in which the network device is located.
After the first network device obtains the BGP routing information, it may verify it; before verification, a Route Origin Authorization (ROA) database may be constructed; and after verification, the BGP routing information is processed according to the verification result. These stages are described separately below.
Phase of verifying BGP routing information
In some embodiments, the first network device may determine a first entry from a stored ROA database and verify BGP routing information based on the first entry and an area identification of an area to which the target routing prefix actually belongs.
As described above, the BGP routing information may include only a target routing prefix, or a target routing prefix together with a target originating AS number. The two cases are described separately below.
In the first case, the BGP routing information includes a target routing prefix. In this way, the first network device may determine the first entry matching the target routing prefix from a stored ROA database, where the ROA database is used to store the correspondence between the routing prefix and the area identifier. And the first network equipment verifies the BGP routing information based on the first table entry and the area identifier of the area to which the target routing prefix actually belongs.
In the second case, the BGP routing information includes a target originating AS number and a target routing prefix. The first network device determines, from a stored ROA database, the first entry matching the target originating AS number and the target routing prefix, where the ROA database stores the correspondence between originating AS numbers, routing prefixes and area identifiers. The first network device then verifies the BGP routing information based on the first entry and the area identifier of the area to which the target routing prefix actually belongs. Alternatively, the first network device may first verify the target originating AS number and, only if that check passes, determine the first entry matching the target originating AS number and the target routing prefix from the stored ROA database and verify the BGP routing information based on the first entry and the area identifier of the area to which the target routing prefix actually belongs.
The implementation process of the first network device for verifying the target origin AS number comprises the following steps: the first network equipment acquires an origin AS number corresponding to the target routing prefix from the ROA database, if the acquired origin AS number is the target origin AS number, the target origin AS number is determined to be verified to be passed, and if the acquired origin AS number is not the target origin AS number, the target origin AS number is determined to be not verified to be passed.
The implementation process of the first network device verifying the BGP routing information based on the first entry and the area identifier of the area to which the target routing prefix actually belongs includes: under the condition that the area identifier in the first table entry is not empty, if the area identifier in the first table entry is the same as or matched with the area identifier of the area to which the target routing prefix actually belongs, the first network device determines that the BGP routing information is verified to be passed. If the area identifier in the first entry is different from or not matched with the area identifier of the area to which the target routing prefix actually belongs, the first network device determines that the BGP routing information verification fails. And under the condition that the area identifier in the first table entry is empty, the first network device determines that the area identifier in the first table entry is matched with the area identifier of the area to which the target routing prefix actually belongs, and determines that the BGP routing information is verified to be passed.
For some ASes, a routing prefix of the AS may be usable globally or only locally, that is, the routing prefix may be applicable to any area or only to the local area. When the routing prefix is applicable to any area, the area identifier in the corresponding entry of the ROA database may be null; when the routing prefix is applicable only to the local area, the area identifier in the corresponding entry is not null. That is, the area identifier in an ROA database entry may or may not be null.
Therefore, after the first entry is matched by the target originating AS number and the target routing prefix, if the area identifier in the first entry is not empty, it indicates that the routing prefix of this AS is applicable to the local area, at this time, the area identifier in the first entry needs to be compared with the area identifier of the area to which the target routing prefix actually belongs to determine whether the validity verification of the area to which the target routing prefix belongs passes. And in the case that the area identifier in the first entry is empty, it indicates that the routing prefix of the AS is applicable to any area, and at this time, the first network device may directly determine that the area identifier in the first entry matches the area identifier of the area to which the target routing prefix actually belongs, and determine that the BGP routing information passes verification.
Alternatively, for the case that the routing prefix of the AS is globally applicable, the area identifier in the corresponding entry of the ROA database may be represented by another value, such as a specific identifier. In that case the area identifier in the entry is not null even when the routing prefix is applicable to any area. Thus, after matching the first entry by the target originating AS number and the target routing prefix, the first network device needs to determine whether the area identifier in the first entry is the specific identifier. If it is not, the routing prefix of the AS is applicable only to the local area, and the area identifier in the first entry must be compared with the area identifier of the area to which the target routing prefix actually belongs to determine whether the validity verification of that area passes. If it is the specific identifier, the routing prefix of the AS is applicable to any area, and the first network device may directly determine that the area identifier in the first entry matches the area identifier of the area to which the target routing prefix actually belongs, and that the BGP routing information passes verification.
It should be noted that the routing prefix is applicable to any area, which means that the routing prefix can be used in any area, and the routing prefix is applicable to a local area, which means that the routing prefix can be used in a local area.
Stage of building ROA database
Optionally, the first network device may further construct an ROA database before determining the first entry matching the target origin AS number and the target routing prefix from the stored ROA database. The ROA database comprises one or more entries, each entry is used for storing the corresponding relation between a routing prefix and an area identifier, or the ROA database is used for storing the corresponding relation between an origin AS number, the routing prefix and the area identifier. The following description is also divided into two cases.
In a first case, taking the first entry as an example, the implementation process of the first network device to construct the ROA database includes: the first network equipment acquires a target routing prefix and target area indication information from the server, wherein the target area indication information comprises an area identifier or indication information used for indicating that the target routing prefix is applicable to any area. The first network device creates a first entry in the ROA database based on the target routing prefix and the target area indication information.
After acquiring the target routing prefix and the target area indication information, the server sends the target routing prefix and the target area indication information to the first network device. The first network device creates a first entry in the ROA database based on the target routing prefix and the target area indication information.
The first network device may obtain the target routing prefix and the target area indication information from the server in two ways, or equivalently the server may send them to the first network device in two ways. The two implementations are described below.
In a first implementation, the server sends a message to the first network device carrying the target routing prefix and the target area indication information, and the first network device receives it. In this implementation the server delivers both the target routing prefix and the target area indication information in a single message, so after receiving the message the first network device can store them directly in the ROA database.
In a second implementation manner, the server sends a message to the first network device, where the message carries a target routing prefix. The first network equipment receives a message from the server. The first network equipment sends a request message to the server, wherein the request message carries a target routing prefix, and the request message is used for requesting to obtain area indication information corresponding to the target routing prefix. After receiving the request message sent by the first network device, the server acquires the target area indication information from the corresponding relation between the stored route prefix and the area indication information based on the target route prefix. The server sends the target area indication information to the first network equipment. The first network equipment receives target area indication information sent by the server.
In a second case, taking the first entry as an example, the implementation process of the first network device for building the ROA database includes: the first network equipment acquires a target origin AS number, a target routing prefix and target area indication information from the server, wherein the target area indication information comprises an area identifier or indication information used for indicating that the target routing prefix is applicable to any area. The first network device creates a first entry in the ROA database based on the target origination AS number, the target routing prefix, and the target area indication information.
After the server acquires the target origin AS number, the target routing prefix and the target area indication information, the server sends the target origin AS number, the target routing prefix and the target area indication information to the first network equipment. The first network device creates a first entry in the ROA database based on the target origination AS number, the target routing prefix, and the target area indication information.
The first network device may obtain the target origin AS number, the target routing prefix, and the target area indication information from the server through two implementation manners, or the server may send the target origin AS number, the target routing prefix, and the target area indication information to the first network device through two implementation manners. These two implementations are described below:
in a first implementation manner, a server sends a message to a first network device, where the message carries a target origination AS number, a target routing prefix, and target area indication information. The first network equipment receives a message from the server. In a first implementation, the server sends the target origination AS number, the target routing prefix, and the target area indication information to the first network device via a message, so that the target origination AS number, the target routing prefix, and the target area indication information can be directly stored in the ROA database after the first network device receives the message.
In a second implementation, the server sends a message to the first network device carrying a target originating AS number and a target routing prefix, and the first network device receives it. The first network device then sends a request message to the server carrying the target routing prefix, requesting the area indication information corresponding to that prefix. On receiving the request, the server looks up the target area indication information in its stored correspondence between routing prefixes and area indication information, based on the target routing prefix, and sends it to the first network device, which receives it. The second implementation does not modify the existing message format: it uses the existing format to carry the target originating AS number and the target routing prefix in one message. After the first network device receives that message, it obtains the target area indication information from the server based on the target routing prefix and stores the target originating AS number, the target routing prefix and the target area indication information in the ROA database.
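The two delivery paths above, as an added example that is not part of the patent and not the applicant's code: a constructed server hands out an entry either in one message carrying originating AS number, routing prefix and area indication (first implementation), or in a message without the area indication, which the device then requests separately by prefix (second implementation). The message layout as Python dicts, the class names, and the wire value ANY_AREA_INDICATION for "applicable to any area" are assumptions; the page does not fix an encoding. The check that the area reply names the prefix that was requested is also an added practitioner check, not something the page describes.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical wire value for the "applicable to any area" indication (assumption, not from the page).
ANY_AREA_INDICATION = "any"


@dataclass(frozen=True)
class RoaEntry:
    origin_as: int
    prefix: str
    area: Optional[str]   # None means the routing prefix may be used in any area


class RoaServer:
    """Constructed server side: holds (originating AS number, area indication) per routing prefix."""

    def __init__(self, records: Dict[str, Tuple[int, str]]):
        self._records = dict(records)

    def message_with_area(self, prefix: str) -> dict:
        """First implementation: one message carries originating AS, prefix and area indication."""
        origin_as, area = self._records[prefix]
        return {"origin_as": origin_as, "prefix": prefix, "area": area}

    def message_without_area(self, prefix: str) -> dict:
        """Second implementation: the existing message format, originating AS and prefix only."""
        origin_as, _ = self._records[prefix]
        return {"origin_as": origin_as, "prefix": prefix}

    def handle_area_request(self, request: dict) -> dict:
        """Answers the device's request for the area indication of one prefix."""
        prefix = request["prefix"]
        return {"prefix": prefix, "area": self._records[prefix][1]}


class RoaDatabase:
    """Constructed device side: builds ROA entries from server messages."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple[int, str], RoaEntry] = {}

    def install(self, message: dict, server: Optional[RoaServer] = None) -> RoaEntry:
        area_indication = message.get("area")
        if area_indication is None:
            # Second implementation: the message lacks the area indication, so ask the server.
            if server is None:
                raise ValueError("message lacks area indication and there is no server to ask")
            reply = server.handle_area_request({"prefix": message["prefix"]})
            # Added check (assumption): never bind a reply for a different prefix to this entry.
            if reply["prefix"] != message["prefix"]:
                raise ValueError("area reply does not match the requested prefix")
            area_indication = reply["area"]
        # "Applicable to any area" is stored as an empty (None) area identifier.
        area = None if area_indication == ANY_AREA_INDICATION else area_indication
        entry = RoaEntry(message["origin_as"], message["prefix"], area)
        self.entries[(entry.origin_as, entry.prefix)] = entry
        return entry


def build_database(server: RoaServer, prefixes, single_message: bool) -> RoaDatabase:
    """Populates a database for `prefixes` via either implementation; both yield identical entries."""
    db = RoaDatabase()
    for prefix in prefixes:
        if single_message:
            db.install(server.message_with_area(prefix))
        else:
            db.install(server.message_without_area(prefix), server=server)
    return db


if __name__ == "__main__":
    # Constructed records: one prefix restricted to the APNIC area, one usable anywhere.
    srv = RoaServer({"203.0.113.0/24": (64496, "APNIC"), "198.51.100.0/24": (64496, ANY_AREA_INDICATION)})
    for entry in build_database(srv, list(srv._records), single_message=False).entries.values():
        print(entry)
```

Both paths end with the same ROA entries; the second one costs an extra round trip per prefix but leaves the existing message format untouched, which is the trade-off the description points out.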
Processing phases of BGP routing information
As described above, the BGP routing information obtained by the first network device may be inbound or outbound BGP routing information. Depending on the direction, the BGP routing information is processed differently based on its verification result. The two cases are described separately below.
In the first case, the BGP routing information is inbound BGP routing information.
The BGP routing information is BGP routing information from the second network device, that is, routing information from an external BGP neighbor, and it corresponds to a first BGP route. If the BGP routing information passes verification, the first network device stores the first BGP route. If it fails verification, the first network device either discards the first BGP route or sets its priority to a low priority. For example, the priority of the first BGP route is set to a first priority that is lower than a second priority, where the second priority is the priority of a second BGP route whose prefix is the same as the prefix of the first BGP route. Optionally, the area to which the routing prefix of the second BGP route belongs is the same as the area to which the second network device belongs.
Optionally, in a case that the BGP routing information fails to be verified, it indicates that the BGP routing information may be hijacked routing information, or that the BGP routing information may be fake routing information, and the security is relatively low. The second network device is an external BGP neighbor of the first network device, and an area to which a routing prefix corresponding to the second BGP route belongs is the same as an area to which the second network device belongs, that is, the second BGP route is a route issued by the second network device, so the priority of the first BGP route may be set lower than the priority of the second BGP route. In this way, in the process of sending the BGP route to the forwarding table, the second BGP route with the higher priority may be selected to be sent to the forwarding table, so as to avoid the user traffic being intercepted on the premise of being able to guide the forwarding of the user traffic.
Alternatively, when the BGP routing information fails verification, the first BGP route it carries is discarded outright, so that the route cannot be used on the network device and user traffic cannot be eavesdropped on.
In the second case, the BGP routing information is outbound BGP routing information.
The BGP routing information is BGP routing information sent to the third network device, or the BGP routing information is routing information sent to an internal BGP neighbor, and the BGP routing information corresponds to the first BGP route. In this way, when the BGP routing information is verified, the first network device sends the BGP routing information to the third network device, so that the third network device stores the first BGP route, and further forwards the packet using the first BGP route.
Based on the above description, when receiving the BGP routing information of the ingress direction, the first network device may also store the BGP routing information without verifying the BGP routing information. Or after the first network device verifies the BGP routing information of the ingress direction, the first network device stores the BGP routing information. That is, the routing information stored locally by the first network device may or may not be validated. Regardless of whether the routing information stored locally by the first network device is verified, the BGP routing information may be directly sent to the third network device if it is determined that the BGP routing information is verified before being sent to the third network device.
However, when it is currently determined that the BGP routing information fails to be verified, the BGP routing information needs to be described separately in two cases. When the routing information locally stored in the first network device passes the verification, and when it is determined that the BGP routing information fails the verification before sending the BGP routing information to the third network device, the first network device may determine, from the stored ROA database, a second entry that matches the target routing prefix and the area identifier of the area to which the target routing prefix actually belongs. The first network device modifies the originating AS number in the BGP routing information to the originating AS number in the second entry. In a case where the routing information locally stored in the first network device is not verified, and it is determined that the BGP routing information is not verified before the BGP routing information is sent to the third network device, the first network device may discard the first BGP route included in the BGP routing information, or set a priority of the first BGP route included in the BGP routing information to a first priority.
It should be noted that, after the first network device stores the BGP routing information locally, the originating AS number in the stored information may be modified by mistake due to a routing policy or a software defect. Therefore, when the BGP routing information fails verification and was not verified before being stored locally, the originating AS number it carries may have been corrupted by the first network device's routing policy or software, or the routing information may have been forged from the start. To be safe, the first BGP route it carries is discarded or set to a low priority.
However, if the BGP routing information is verified before being stored locally in the first network device and the verification passes, it indicates that the originating AS number included in the BGP routing information is indeed modified by an error due to a routing policy or software problem of the first network device, so the first network device may determine, from the stored ROA database, a second entry matching the target routing prefix and the area identifier of the area to which the target routing prefix actually belongs, and modify the originating AS number in the BGP routing information to the originating AS number in the second entry. Therefore, the problem that BGP routing information is illegal due to the fact that the original AS number is modified by mistake in routing strategy or software problem is solved, and the problem of internet failure is further solved.
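One way to implement the verification stage (first-entry lookup, originating AS check, null or wildcard area identifier) together with the inbound and outbound processing described in this section, as an added example rather than code from the patent or the applicant: the ROA database contents are constructed, and the dataclass layout, the max_length field (as in a standard ROA), the wildcard value ANY_AREA for the "specific identifier", RIR names as area identifiers, the route's actual area supplied out of band, and a numeric priority where a lower number is less preferred are all assumptions. When no entry covers the prefix the block reports an origin failure, following the description's rule that the acquired originating AS number is not the target one.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional

# Hypothetical "specific identifier" meaning the prefix may be used in any area (assumption).
ANY_AREA = "*"


@dataclass(frozen=True)
class RoaEntry:
    origin_as: int
    prefix: str            # e.g. "203.0.113.0/24"
    max_length: int        # longest prefix length the entry authorises (standard ROA field)
    area: Optional[str]    # None or ANY_AREA: usable anywhere; otherwise an area identifier


@dataclass
class BgpRoute:
    prefix: str
    origin_as: int
    actual_area: str                     # area of the originating device, obtained out of band
    verified_before_store: bool = False  # True if the route passed verification when stored
    priority: int = 100


# Constructed ROA database: AS64496 may use 203.0.113.0/24 only in the APNIC area and
# 198.51.100.0/24 anywhere; AS64497 may use 203.0.113.0/24 only in the RIPE area.
ROA_DB: List[RoaEntry] = [
    RoaEntry(64496, "203.0.113.0/24", 24, "APNIC"),
    RoaEntry(64496, "198.51.100.0/24", 24, None),
    RoaEntry(64497, "203.0.113.0/24", 24, "RIPE"),
]


def covering_entries(db: List[RoaEntry], prefix: str) -> List[RoaEntry]:
    """ROA entries whose prefix covers `prefix` and whose max_length permits its length."""
    net = ip_network(prefix)
    return [e for e in db
            if ip_network(e.prefix).supernet_of(net) and net.prefixlen <= e.max_length]


def area_matches(entry: RoaEntry, actual_area: str) -> bool:
    """A null or wildcard area identifier matches any area; otherwise identifiers must be equal."""
    if entry.area is None or entry.area == ANY_AREA:
        return True
    return entry.area == actual_area


def verify_route(db: List[RoaEntry], route: BgpRoute) -> str:
    """Returns 'valid', 'invalid_origin' (originating AS check fails) or 'invalid_area'."""
    first_entries = [e for e in covering_entries(db, route.prefix) if e.origin_as == route.origin_as]
    if not first_entries:
        return "invalid_origin"
    if any(area_matches(e, route.actual_area) for e in first_entries):
        return "valid"
    return "invalid_area"


def process_inbound(db, route, second_route=None, discard_on_failure=False):
    """Inbound route from the EBGP neighbour: store it, discard it, or de-prefer it below a
    second route for the same prefix whose area equals the neighbour's area."""
    if verify_route(db, route) == "valid":
        return "store", route
    if discard_on_failure or second_route is None:
        return "discard", None
    route.priority = second_route.priority - 1   # first priority lower than the second priority
    return "store_low_priority", route


def process_outbound(db, route):
    """Route about to be sent to the IBGP neighbour."""
    if verify_route(db, route) == "valid":
        return "send", route
    if route.verified_before_store:
        # It passed verification when stored, so the originating AS was corrupted locally
        # (policy or software defect): repair it from the second entry matching prefix and actual area.
        second = [e for e in covering_entries(db, route.prefix) if area_matches(e, route.actual_area)]
        if second:
            route.origin_as = second[0].origin_as
            return "send_repaired", route
    return "discard", None   # lowering the priority instead is the other option in the description


if __name__ == "__main__":
    for r in (BgpRoute("203.0.113.0/24", 64496, "APNIC"), BgpRoute("203.0.113.0/24", 64496, "RIPE")):
        print(r.prefix, r.origin_as, r.actual_area, "->", verify_route(ROA_DB, r))
```

The second test route above is the case the patent targets: the originating AS is genuinely AS64496, so plain origin validation would accept it, but the prefix is announced from the RIPE area where the ROA entry only authorises APNIC, so the area check rejects it.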
In a second aspect, a method for data transmission is provided, in which a server acquires a target routing prefix and target area indication information, where the target area indication information includes an area identifier or indication information used to indicate that the target routing prefix is applicable to any area, and the server transmits the target routing prefix and the target area indication information to a first network device, where the first network device refers to any network device in a BGP-based network.
Optionally, the sending, by the server, of the target routing prefix and the target area indication information to the first network device includes: the server sends a message to the first network device, where the message carries the target routing prefix and the target area indication information.
Optionally, the sending, by the server, of the target routing prefix and the target area indication information to the first network device includes: the server sends a message to the first network device, where the message carries the target routing prefix; the server receives a request message sent by the first network device, where the request message carries the target routing prefix; the server obtains the target area indication information, based on the target routing prefix, from the stored correspondence between routing prefixes and area indication information; and the server sends the target area indication information to the first network device.
Optionally, the method further includes: the server obtains a target origin AS number; and the sending, by the server, of the target routing prefix and the target area indication information to the first network device includes: the server sends the target origin AS number, the target routing prefix and the target area indication information to the first network device.
Optionally, the sending, by the server, of the target origin AS number, the target routing prefix and the target area indication information to the first network device includes: the server sends a message to the first network device, where the message carries the target origin AS number, the target routing prefix and the target area indication information.
Optionally, the sending, by the server, of the target origin AS number, the target routing prefix and the target area indication information to the first network device includes: the server sends a message to the first network device, where the message carries the target origin AS number and the target routing prefix; the server receives a request message sent by the first network device, where the request message carries the target routing prefix; the server obtains the target area indication information, based on the target routing prefix, from the stored correspondence between routing prefixes and area indication information; and the server sends the target area indication information to the first network device.
Optionally, the server is an RPKI server.
In a third aspect, a device for route verification is provided, where the device for route verification has a function of implementing the method behavior of route verification in the above first aspect or possible implementation manners of the first aspect. The apparatus for route verification includes at least one module, where the at least one module is configured to implement the method for route verification provided in the first aspect.
In a fourth aspect, a device for data transmission is provided, which has the function of implementing the method behavior of data transmission in the second aspect or possible implementation manners of the second aspect. The data transmission device comprises at least one module, and the at least one module is used for implementing the data transmission method provided by the second aspect.
In a fifth aspect, a network device is provided, which includes a processor and a memory, where the memory is used to store a program, an instruction, or a code for executing the route verification method provided in the first aspect, and store data involved in implementing the route verification method provided in the first aspect. The processor is configured to execute programs, instructions or code stored in the memory.
Optionally, the network device may further comprise a communication bus for establishing a connection between the processor and the memory.
In a sixth aspect, a server is provided, which includes a processor and a memory, wherein the memory is used for storing a program, an instruction or a code for executing the data transmission method provided by the second aspect, and storing data related to realizing the data transmission method provided by the second aspect. The processor is configured to execute programs, instructions or code stored in the memory.
Optionally, the server may further comprise a communication bus for establishing a connection between the processor and the memory.
In a seventh aspect, a computer-readable storage medium is provided, where the storage medium stores instructions that, when executed on a computer, cause the computer to perform the steps of the method for route verification described in the first aspect, or perform the steps of the method for data transmission described in the second aspect.
In an eighth aspect, there is provided a computer program product comprising instructions which, when run on a computer, cause the computer to perform the steps of the method for route verification according to the first aspect described above, or to perform the steps of the method for data transmission according to the second aspect described above.
In other words, a computer program is provided, which, when running on a computer, causes the computer to perform the steps of the method for route verification according to the first aspect described above, or the steps of the method for data transmission according to the second aspect described above.
The technical effects obtained by the above second, third, fourth, fifth, sixth, seventh and eighth aspects are similar to the technical effects obtained by the corresponding technical means in the first aspect, and are not described herein again.
The technical scheme provided by the embodiment of the application can at least bring the following beneficial effects:
when the BGP routing information is verified, the area to which the routing prefix belongs is considered, so that the BGP routing information is verified through the area identifier of the area to which the routing prefix actually belongs, the network security is improved, and the accuracy of routing source verification is improved.
Drawings
FIG. 1 is a schematic diagram of an exemplary scenario provided by an embodiment of the present application;
FIG. 2 is a schematic diagram of an implementation scenario provided by an embodiment of the present application;
FIG. 3 is a schematic diagram of another implementation scenario provided by an embodiment of the present application;
fig. 4 is a flowchart of a route verification method according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of an IPv4 packet according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of an IPv6 packet according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of an apparatus for route verification according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of an apparatus for data transmission according to an embodiment of the present application;
fig. 9 is a schematic structural diagram of a network device according to an embodiment of the present application;
fig. 10 is a schematic structural diagram of another network device according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present application more clear, the embodiments of the present application will be further described in detail with reference to the accompanying drawings.
The Internet is a vast network of interconnected networks, which are connected by a set of common protocols and rely on infrastructure to ensure network connectivity, service availability and service trustworthiness. Currently the Internet infrastructure mainly consists of the Border Gateway Protocol (BGP), the Domain Name System (DNS), and the Public Key Infrastructure (PKI). However, because the current infrastructure lacks a firm and secure root of trust, and because BGP and DNS did not consider any trust or security factors when they were designed and so inherently lack security capabilities, security attacks based on BGP routes occur daily, such as origin hijacking, path hijacking and route leaks. Taking the network scenario shown in fig. 1 as an example, when a server sits in the ISP1 backbone and a user accesses the server through a terminal, under normal conditions the user traffic reaches the server through the ISP1 metropolitan area network belonging to AS1 and the ISP1 backbone belonging to AS3. However, if an external ISP belonging to AS100 launches a malicious attack, the user traffic is hijacked to the external ISP, takes a detour there, and is then forwarded on to the ISP1 backbone, so that the user traffic is intercepted. Internet security is therefore an urgent problem to be solved.
To avoid interception of user traffic, the current mainstream scheme in the industry introduces an RPKI mechanism on top of the BGP protocol. The information needed to verify BGP routes is issued to network devices such as routers and switches by the RPKI mechanism, and the content carried in the BGP routing information is then compared with the information issued by the RPKI mechanism to verify its validity. That is, the RPKI mechanism is introduced at the stage of learning a BGP route, and the origin of the BGP route to be learned is verified for legitimacy through the RPKI mechanism. Then, when BGP routes are issued to the forwarding table, only BGP routes that passed validity verification are selected and issued to the forwarding table, which guides the forwarding of user traffic and prevents user traffic from being eavesdropped on.
The RPKI mechanism mainly uses an RPKI server to collect information such as the origin AS number and the routing prefix of the BGP routing information originated by each Internet Service Provider (ISP). When each ISP distributes BGP routing information, the BGP routing information also needs to carry the origin AS number and the routing prefix. The network device establishes a connection with the RPKI server and stores a Route Origin Authentication (ROA) database locally, where the ROA database stores the correspondence between origin AS numbers and routing prefixes obtained from the RPKI server. When the network device receives BGP routing information advertised by an external neighbor, it matches the origin AS number and routing prefix carried in the BGP routing information against the entries in the ROA database, thereby verifying whether the BGP routing information received from the external neighbor is legitimate, so that hosts in the management domain can safely access external services.
However, for some ISPs, an AS of the ISPs and a plurality of routing prefixes belonging to the AS may be distributed in a plurality of areas. For example, for an ISP, the ISP uses the same AS number globally but distributes different routing prefixes in different regions. In this case, the network device cannot distinguish the area to which the routing prefix included in the BGP routing information belongs, and further cannot verify whether the BGP routing information received from the external neighbor is legitimate according to the above-described verification method, and thus cannot prevent this attack method.
The method provided by the embodiment of the application introduces the concept of the region attribution information, namely, introduces the region identification of the region to which the routing prefix belongs. Therefore, under the condition that a plurality of routing prefixes of one AS are distributed in a plurality of different areas, the areas to which the routing prefixes included in the BGP routing information belong are distinguished through the area identifiers of the areas to which the routing prefixes belong, and whether the BGP routing information received from external neighbors is legal or not is verified, so that the network security is improved.
Referring to fig. 2, fig. 2 is a schematic diagram of an exemplary implementation scenario provided in an embodiment of the present application. The implementation scenario includes a server 201, a first network device 202, a second network device 203, and a third network device 204. The first network device 202 and the second network device 203 belong to different ASs, and the first network device 202 and the third network device 204 belong to the same AS. That is, for the first network device 202, the second network device 203 is an external BGP neighbor and the third network device 204 is an internal BGP neighbor.
The server 201 and the first network device 202 communicate with each other in a wired or wireless manner. The first network device 202 and the second network device 203 communicate via BGP, and the first network device 202 and the third network device 204 also communicate via BGP. As shown in fig. 3, the first network device 202 includes a BGP module, through which the first network device 202 may establish an EBGP connection with the second network device 203 and an IBGP connection with the third network device 204.
The server 201 is configured to collect information such as a routing prefix and an area identifier in BGP routing information initiated by each ISP, and send the information to the first network device 202. Optionally, the server 201 is further configured to collect origination AS numbers in BGP routing information initiated by each ISP, and send the collected origination AS numbers to the first network device 202.
The first network device 202 builds the ROA database locally based on the received information. The ROA database includes one or more entries, each entry is used for storing a corresponding relationship between a routing prefix and an area identifier, or storing a corresponding relationship between an origin AS number, a routing prefix, and an area identifier. Optionally, as shown in fig. 3, the first network device 202 further includes an ROA module, and the first network device 202 may construct an ROA database locally through the ROA module.
When the first network device 202 receives the BGP routing information sent by the second network device 203, the first network device 202 may verify, based on the BGP routing information and the ROA database, whether the BGP routing information is legitimate. This process may be referred to as ingress verification of BGP routes. Optionally, when the first network device 202 determines that the BGP routing information passes verification, the first network device 202 may store the BGP routing information.
It should be noted that, after the first network device 202 verifies the BGP routing information from the second network device 203, the first network device 202 stores the BGP routing information locally. However, in the case where the BGP routing information includes an originating AS number, the first network device 202 may incorrectly modify the originating AS number stored locally in the BGP routing information due to routing policy or software issues. Therefore, before the first network device 202 sends the BGP routing information to the third network device 204, the BGP routing information may also be verified again. This process may be referred to as outbound verification of BGP routes. That is, the first network device 202 may not only verify the incoming direction of the BGP routing information from the second network device 203, but may also verify the outgoing direction of the BGP routing information.
Optionally, when receiving the BGP routing information sent by the second network device 203, the first network device 202 may also store the BGP routing information instead of verifying whether the BGP routing information is legal. Thereafter, before sending the BGP routing information to the third network device 204, the first network device 202 may verify, based on the BGP routing information and the ROA database, whether the BGP routing information is legitimate. That is, the first network device 202 does not verify the ingress direction of the BGP routing information from the second network device 203, but verifies the egress direction of the BGP routing information.
In general, the first network device 202 needs to verify BGP routing information, learn BGP routes, and forward packets. Therefore, when the first network device 202 both receives BGP routing information and verifies its validity, the load on the first network device 202 may be relatively high. Thus, in some cases, the process of verifying the validity of BGP routing information may be deployed on a separate verification device, such as a controller, a network manager, or a centralized analysis device.
In this case, when the first network device 202 receives a BGP routing information, the first network device 202 sends the BGP routing information to the verification device, and the verification device verifies the validity of the BGP routing information. The verification device then issues the verification result of the BGP routing information to the first network device 202. The process of verifying the BGP routing information by the verification device is similar to the process of verifying the BGP routing information by the first network device 202, and after the verification device issues the verification result of the BGP routing information to the first network device 202, the manner in which the first network device 202 processes the BGP routing information based on the verification result is similar to the manner in which the first network device 202 verifies the BGP routing information and then processes the BGP routing information based on the verification result. The following will explain in detail how the first network device 202 verifies the BGP routing information and the first network device 202 processes the BGP routing information based on the verification result, where the process of verifying the BGP routing information by the verification device may refer to the process of verifying the BGP routing information by the first network device 202. For a detailed procedure, see the description of the examples below.
Referring to fig. 4, fig. 4 is a flowchart of a route verification method according to an embodiment of the present application, where the route verification method is applied to a first network device in a BGP-based network, where the first network device may be the first network device 202 shown in fig. 2 or fig. 3. Referring to fig. 4, the method includes the following steps.
Step 401: the first network device obtains BGP routing information, which includes a target routing prefix.
Based on the foregoing description, the BGP network further includes a second network device and a third network device, where the second network device establishes an EBGP connection with the first network device, and the third network device establishes an IBGP connection with the first network device. For the first network device, the second network device is an external BGP neighbor and the third network device is an internal BGP neighbor.
The BGP routing information acquired by the first network device is either BGP routing information in the ingress direction of the first network device, that is, routing information the first network device received from another network device, for example routing information received from the second network device; or BGP routing information in the egress direction of the first network device, that is, routing information the first network device is about to send to another network device, for example routing information to be sent to the third network device. In other words, the BGP routing information may come from the inbound adjacency routing information base (Adj-RIB-In) or the outbound adjacency routing information base (Adj-RIB-Out) of the first network device.
For the outgoing BGP routing information, the BGP routing information may be stored locally at the first network device after the first network device receives the BGP routing information from the second network device and verifies the BGP routing information. Of course, the BGP routing information may also be stored locally at the first network device directly after the first network device receives the BGP routing information from the second network device without verifying the BGP routing information.
It should be noted that the BGP routing information may include a target originating AS number in addition to the target routing prefix. Of course, other information may also be included, which is not limited in this embodiment of the present application.
One ISP may provide one or more ASs, each AS has an AS number, and one AS may include multiple network devices therein, which may initiate advertisement of BGP routing information. The AS number of the AS in which the originating network device originating the BGP routing information is located may be referred to AS an originating AS number of the routing prefix included in the BGP routing information, that is, the originating network device originating the BGP routing information is located in the AS identified by the originating AS number.
Optionally, the routing prefix is a prefix of a network address of the network device. For example, when the network device uses IPv4 communication, the routing prefix is the prefix of an IPv4 address. When the network equipment adopts IPv6 communication, the routing prefix is the prefix of the IPv6 address.
Step 402: the first network equipment acquires the area identification of the area to which the target routing prefix actually belongs based on the target routing prefix.
In some embodiments, the first network device may determine the area identifier of the area to which the originating network device belongs, among the plurality of network devices through which the target routing prefix actually passes, and use it as the area identifier of the area to which the target routing prefix actually belongs. That is, the area identifier of the area to which the originating network device on the path actually taken by the target routing prefix belongs is determined as the area identifier of the area to which the target routing prefix actually belongs.
As an example, the first network device may detect each network device through which the target routing prefix actually passes, and obtain a plurality of network devices. The first network device determines the area identifier of the area to which the initial network device belongs in the plurality of network devices, and obtains the area identifier of the area to which the target routing prefix actually belongs. For example, the first network device obtains the current actual area of the routing prefix by tracing (traceroute) the target routing prefix and detecting the areas of the nodes actually passed by the target routing prefix.
The first network device may determine, in a reverse probing manner, each network device through which the target routing prefix actually passes according to the target routing prefix and the target origin AS number. The specific detection method includes multiple types, which is not limited in the embodiment of the present application.
Since the originating network device among the plurality of network devices through which the target routing prefix actually passes is the network device of the area to which the target routing prefix actually belongs, the area identifier of the area to which the originating network device belongs may be determined as the area identifier of the area to which the target routing prefix actually belongs.
It should be noted that the area identifier is used to uniquely identify an area, and the area identifier may be RIR information, but may also be in other forms, such as one or a combination of the following information: LIR information, continent, region, country, or city, etc.
Based on the above description, the routing prefix is a prefix of the network address of the network device, and one network address corresponds to one geographic address, and the geographic area where the geographic address is located may be referred to as an area to which the routing prefix belongs. That is, the area to which the routing prefix belongs refers to the geographical area in which the network device is located.
Step 403: the first network device verifies the BGP routing information based on the target routing prefix and the area identifier of the area to which the target routing prefix actually belongs.
After the first network device acquires the BGP routing information, the BGP routing information may be verified, an ROA database may be constructed before verification, and after verification, the BGP routing information may be processed based on a verification result. Therefore, the several stages will be described separately below.
Phase of verifying BGP routing information
In some embodiments, the first network device may determine a first entry from a stored ROA database and verify BGP routing information based on the first entry and an area identification of an area to which the target routing prefix actually belongs.
Based on the above description, the BGP routing information may include the target routing prefix, and may also include the target routing prefix and the originating AS number. In the following, the two cases will be described separately.
In the first case, the BGP routing information includes the target routing prefix. The first network device may then determine the first entry matching the target routing prefix from the stored ROA database, where the ROA database stores the correspondence between routing prefixes and area identifiers. The first network device verifies the BGP routing information based on the first entry and the area identifier of the area to which the target routing prefix actually belongs.
In the second case, the BGP routing information includes the target origin AS number and the target routing prefix. The first network device may then determine the first entry matching the target origin AS number and the target routing prefix from the stored ROA database, where the ROA database stores the correspondence between origin AS numbers, routing prefixes and area identifiers. The first network device verifies the BGP routing information based on the first entry and the area identifier of the area to which the target routing prefix actually belongs.
In the second case, of course, the first network device may also verify the target origin AS number first, and only when the target origin AS number passes verification determine, from the stored ROA database, the first entry matching the target origin AS number and the target routing prefix, and then verify the BGP routing information based on the first entry and the area identifier of the area to which the target routing prefix actually belongs.
The implementation process of the first network device verifying the target origin AS number includes: the first network device obtains the origin AS number corresponding to the target routing prefix from the ROA database; if the obtained origin AS number is the target origin AS number, the target origin AS number is determined to pass verification, and if the obtained origin AS number is not the target origin AS number, the target origin AS number is determined to fail verification.
The implementation process of the first network device verifying the BGP routing information based on the first entry and the area identifier of the area to which the target routing prefix actually belongs includes: when the area identifier in the first entry is not empty, if the area identifier in the first entry is the same as or matches the area identifier of the area to which the target routing prefix actually belongs, the first network device determines that the BGP routing information passes verification; if the area identifier in the first entry differs from or does not match the area identifier of the area to which the target routing prefix actually belongs, the first network device determines that the BGP routing information fails verification. When the area identifier in the first entry is empty, the first network device determines that the area identifier in the first entry matches the area identifier of the area to which the target routing prefix actually belongs, and determines that the BGP routing information passes verification.
For some ASs, the routing prefix of the AS may be applicable globally or only locally, that is, the routing prefix of the AS may be applicable to any area or only to a local area. When the routing prefix of the AS is applicable to any area, the area identifier in the corresponding entry in the ROA database may be empty; when the routing prefix of the AS is applicable only to a local area, the area identifier in the corresponding entry in the ROA database is not empty. That is, the area identifier in the corresponding entry in the ROA database may or may not be empty.
Therefore, after the first entry is matched, if the area identifier in the first entry is not empty, the routing prefix of the AS is applicable only to a local area, and the area identifier in the first entry needs to be compared with the area identifier of the area to which the target routing prefix actually belongs to determine whether the validity verification of the area to which the target routing prefix belongs passes. When the area identifier in the first entry is empty, the routing prefix of the AS is applicable to any area, and the first network device may directly determine that the area identifier in the first entry matches the area identifier of the area to which the target routing prefix actually belongs, and determine that the BGP routing information passes verification.
Of course, for the case where the routing prefix of the AS is globally applicable, the area identifier in the corresponding entry in the ROA database may also be represented by another identifier, such as a specific identifier. In that representation, the area identifier in the corresponding entry in the ROA database is not empty even when the routing prefix of the AS is applicable to any area. Thus, after matching the first entry, the first network device needs to determine whether the area identifier in the first entry is the specific identifier. If the area identifier in the first entry is not the specific identifier, the routing prefix of the AS is applicable only to a local area, and the area identifier in the first entry needs to be compared with the area identifier of the area to which the target routing prefix actually belongs to determine whether the validity verification of the area to which the target routing prefix belongs passes. If the area identifier in the first entry is the specific identifier, the routing prefix of the AS is applicable to any area, and the first network device may directly determine that the area identifier in the first entry matches the area identifier of the area to which the target routing prefix actually belongs, and determine that the BGP routing information passes verification.
It should be noted that the routing prefix is applicable to any area, which means that the routing prefix can be used in any area, and the routing prefix is applicable to a local area, which means that the routing prefix can be used in a local area.
In addition, where the entries in the ROA database store the origin AS number, the routing prefix, and the area identifier, the format of each entry in the ROA database may be as shown in Table 1 below.
TABLE 1

| Origin AS number | Routing prefix | Area identifier |
|---|---|---|
| 4807 | 5.10.136.0/24 | A |
| 4808 | 27.148.248.0/21 | B |
| 4809 | 66.102.240.0/24 | C |
| ...... | ...... | ...... |
It should be noted that the ROA database shown in table 1 is only an example, and in practical applications, the ROA database may further include other information, which is not limited in this embodiment of the present application.
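The verification logic described above, as an added worked example in Python (this is not code from the patent). It uses the (origin AS number, routing prefix, area identifier) form of Table 1, models the empty area identifier as `None` and the specific identifier as an assumed reserved value `ANY_AREA`, and also applies a max-length check of the kind carried by the Max Length field of the message format described later; how a prefix with no matching entry is treated is not stated on the page, so the example reports that separately as `not-found`. All entries are constructed sample data.

```python
"""Added example, not code from the patent: route origin verification that also
checks the area a prefix belongs to, using the (origin AS, prefix, area) form of
the ROA database shown in Table 1.  Entries and the ANY_AREA value are
constructed sample data / assumptions."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed reserved value meaning "applicable to any area" (the text's "specific
# identifier"; its real encoding is not given on the page).
ANY_AREA = "*"


@dataclass(frozen=True)
class RoaEntry:
    origin_as: int
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int        # longest announced prefix the entry covers (assumed, like the PDU's Max Length)
    area: Optional[str]    # None models the empty area identifier


class RoaDatabase:
    def __init__(self, entries: list[RoaEntry]) -> None:
        self.entries = list(entries)

    def first_entry(self, origin_as: int, prefix) -> Optional[RoaEntry]:
        """Entry matching the target origin AS number and target routing prefix.

        An entry covers `prefix` when the prefix is equal to or more specific than
        the entry's prefix and no longer than the entry's max length."""
        for e in self.entries:
            if (e.origin_as == origin_as
                    and e.prefix.version == prefix.version
                    and prefix.subnet_of(e.prefix)
                    and prefix.prefixlen <= e.max_length):
                return e
        return None


def verify_route(db: RoaDatabase, origin_as: int, prefix: str, actual_area: str) -> tuple[str, str]:
    """Validity verification with the area check from the text.

    Returns (verdict, reason); verdict is "valid", "invalid" or "not-found"
    (the page does not say how a prefix without any entry is treated; assumption)."""
    net = ipaddress.ip_network(prefix)
    entry = db.first_entry(origin_as, net)
    if entry is None:
        return "not-found", "no ROA entry matches this origin AS number and prefix"
    # Empty or reserved identifier: the prefix is applicable to any area, passes directly.
    if entry.area is None or entry.area == ANY_AREA:
        return "valid", "ROA entry applies to any area"
    # Local-area entry: identifier must equal the area the prefix actually belongs to.
    if entry.area == actual_area:
        return "valid", f"area {actual_area} matches the ROA entry"
    return "invalid", f"ROA binds the prefix to area {entry.area}, but it was originated from area {actual_area}"


# Constructed sample database: the three Table 1 rows plus two any-area entries.
SAMPLE_DB = RoaDatabase([
    RoaEntry(4807, ipaddress.ip_network("5.10.136.0/24"), 24, "A"),
    RoaEntry(4808, ipaddress.ip_network("27.148.248.0/21"), 24, "B"),
    RoaEntry(4809, ipaddress.ip_network("66.102.240.0/24"), 24, "C"),
    RoaEntry(4810, ipaddress.ip_network("203.0.113.0/24"), 24, None),      # empty identifier
    RoaEntry(4811, ipaddress.ip_network("2001:db8::/32"), 48, ANY_AREA),   # reserved identifier
])

if __name__ == "__main__":
    for origin, pfx, area in [(4807, "5.10.136.0/24", "A"), (4807, "5.10.136.0/24", "B"),
                              (4808, "27.148.250.0/24", "B"), (4811, "2001:db8:1::/48", "Q")]:
        print(origin, pfx, area, "->", verify_route(SAMPLE_DB, origin, pfx, area))
```

The second sample call is the case the patent targets: the same origin AS number and prefix as the ROA entry, but originated from area B instead of A, is rejected, whereas origin validation alone would accept it.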
Stage of building ROA database
Optionally, before the first network device determines the first entry from the stored ROA database, the ROA database may be further constructed. The ROA database comprises one or more entries, each entry is used for storing the corresponding relation between a routing prefix and an area identifier, or the ROA database is used for storing the corresponding relation between an origin AS number, the routing prefix and the area identifier. The following description is also divided into two cases.
In a first case, taking the first entry as an example, the implementation process of the first network device to construct the ROA database includes: the first network equipment acquires a target routing prefix and target area indication information from the server, wherein the target area indication information comprises an area identifier or indication information used for indicating that the target routing prefix is applicable to any area. The first network device creates a first entry in the ROA database based on the target routing prefix and the target area indication information.
After the server acquires the target routing prefix and the target area indication information, the server sends the target routing prefix and the target area indication information to the first network device. The first network device creates a first entry in the ROA database based on the target routing prefix and the target area indication information.
The first network device may obtain the target routing prefix and the target area indication information from the server in two implementation manners (equivalently, the server may send them to the first network device in two manners). These two implementation manners are described below.
In a first implementation manner, a server sends a message to a first network device, where the message carries a target routing prefix and target area indication information. The first network equipment receives a message from the server. In a first implementation manner, the server sends the target routing prefix and the target area indication information to the first network device through one message. In this way, after the first network device receives the packet, the target routing prefix and the target area indication information may be directly stored in the ROA database.
In a second implementation, the server sends a packet to the first network device, where the packet carries a target routing prefix. The first network device receives a message from the server. The first network equipment sends a request message to the server, wherein the request message carries a target routing prefix, and the request message is used for requesting to obtain the area indication information corresponding to the target routing prefix. After receiving the request message sent by the first network device, the server acquires the target area indication information from the corresponding relation between the stored route prefix and the area indication information based on the target route prefix. The server sends the target area indication information to the first network equipment. The first network equipment receives target area indication information sent by the server.
In a second case, taking the first entry as an example, the implementation process of the first network device for constructing the ROA database includes: the first network equipment acquires a target origin AS number, a target routing prefix and target area indication information from the server, wherein the target area indication information comprises an area identifier or indication information used for indicating that the target routing prefix is applicable to any area. The first network device creates a first entry in the ROA database based on the target origination AS number, the target routing prefix, and the target area indication information.
After the server acquires the target origin AS number, the target routing prefix and the target area indication information, the server sends the target origin AS number, the target routing prefix and the target area indication information to the first network equipment. The first network device creates a first entry in the ROA database based on the target origination AS number, the target routing prefix, and the target area indication information.
Based on the above description, the routing prefix of some AS may be applicable to any area, and may also be applicable only to a local area. Therefore, for the target routing prefix, the target routing prefix may be applicable to any area, and may also be applicable to only a local area. That is, the target area indication information may be indication information for indicating that the target routing prefix is applicable to any area, and may also be an area identifier of a local area. The indication information applicable to any area may be set in advance, which is not limited in the embodiment of the present application.
In addition, the server can periodically synchronously download information such AS resource certificates and ROA signatures from the RPKI database to acquire the origin AS number, routing prefix and area indication information of each AS. Of course, the server may also obtain the origination AS number, the routing prefix, and the area indication information of each AS by other manners, which is not limited in this embodiment of the present application. Moreover, the server may be an RPKI server, or may be another server, which is not limited in this embodiment of the present application.
The first network device may obtain the target origin AS number, the target routing prefix, and the target area indication information from the server through two implementation manners, or the server may send the target origin AS number, the target routing prefix, and the target area indication information to the first network device through two implementation manners. These two implementations are described below:
In a first implementation manner, the server sends a message to the first network device, where the message carries the target origin AS number, the target routing prefix, and the target area indication information. The first network device receives the message from the server. In this manner, the server sends the target origin AS number, the target routing prefix, and the target area indication information to the first network device in one message, so after the first network device receives the message, the target origin AS number, the target routing prefix, and the target area indication information may be stored directly in the ROA database.
For IPv4, the format of the message may be as shown in fig. 5, and the fields included in the message are described as follows:
Protocol Version: the version number of the communication protocol between the server and the network device; occupies 1 byte; the current value is 2, and the value is incremented whenever a field is added in the future;
PDU Type (protocol data unit type): the type of the message; occupies 1 byte; the current value is 4, indicating an IPv4 message;
Zero: a padding field of 0, occupying 2 bytes;
Length: the length of the whole message, fixed at 20 bytes;
Flags: 1 byte, set bit by bit; currently only bit 0 is used and the remaining 7 bits are unused; bit 0 is 0 or 1, where 0 indicates that the message is issued and 1 indicates that the message is cancelled;
Prefix Length (prefix mask length): occupies 1 byte;
Max Length (maximum mask length): occupies 1 byte;
Zero: a padding field of 0, occupying 1 byte;
IPv4 Prefix: 4 bytes; carries the routing prefix;
Autonomous System Number: 4 bytes; carries the origin AS number;
Region Identifier: the number of bytes occupied by this field depends on the encoding format adopted; carries the area indication information.
For IPv6, the format of the message may be as shown in fig. 6, and the fields included in the message are described as follows:
Protocol Version: the version number of the communication protocol between the server and the network device; occupies 1 byte; the current value is 2, and the value is incremented whenever a field is added in the future;
PDU Type (protocol data unit type): the type of the message; occupies 1 byte; the current value is 6, indicating an IPv6 message;
Zero: a padding field of 0, occupying 2 bytes;
Length: the length of the whole message, fixed at 32 bytes;
Flags: 1 byte, set bit by bit; currently only bit 0 is used and the remaining 7 bits are unused; bit 0 is 0 or 1, where 0 indicates that the message is issued and 1 indicates that the message is cancelled;
Prefix Length (prefix mask length): occupies 1 byte;
Max Length (maximum mask length): occupies 1 byte;
Zero: a padding field of 0, occupying 1 byte;
IPv6 Prefix: occupies 16 bytes; carries the routing prefix;
Autonomous System Number: 4 bytes; carries the origin AS number;
Region Identifier: the number of bytes occupied by this field depends on the encoding format adopted; carries the area indication information.
It should be noted that the above message structure is only an example, and in practical application, the target origin AS number, the target routing prefix, and the target area indication information may also be sent to the first network device through messages with other structures.
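An encoder and decoder for the message format described above, as an added example in Python (not code from the patent), covering both the IPv4 and IPv6 layouts and yielding the values the first network device stores as one ROA entry. Widths not stated on the page are assumptions: the Length field is taken as 4 bytes, as in the RPKI-to-Router prefix PDUs, which makes the fields before the Region Identifier total exactly 20 (IPv4) or 32 (IPv6) bytes, and the Region Identifier is assumed to be UTF-8 text occupying whatever the Length field exceeds that fixed part by. The flag polarity follows the page (bit 0 = 0 issued, 1 cancelled).

```python
"""Added example, not code from the patent: encoder/decoder for the extended
IPv4/IPv6 prefix message with a Region Identifier, fields in the order given in
the text.  Length field width (4 bytes) and the UTF-8 region encoding are
assumptions; sample values are constructed."""
import ipaddress
import struct
from typing import Optional

PROTOCOL_VERSION = 2
PDU_IPV4 = 4
PDU_IPV6 = 6
FIXED_LEN = {PDU_IPV4: 20, PDU_IPV6: 32}   # bytes before the Region Identifier
ADDR_LEN = {PDU_IPV4: 4, PDU_IPV6: 16}
MAX_BITS = {PDU_IPV4: 32, PDU_IPV6: 128}
FLAG_CANCEL = 0x01   # page convention: bit 0 = 0 -> issued, 1 -> cancelled
HEADER = "!BBHI"     # Protocol Version, PDU Type, Zero (2 bytes), Length (assumed 4 bytes)
BODY = "!BBBB"       # Flags, Prefix Length, Max Length, Zero (1 byte)


def encode_prefix_pdu(prefix: str, max_length: int, origin_as: int,
                      region: Optional[str] = None, cancel: bool = False) -> bytes:
    """Build one message; the PDU type follows the address family of `prefix`."""
    net = ipaddress.ip_network(prefix)
    pdu_type = PDU_IPV4 if net.version == 4 else PDU_IPV6
    if not net.prefixlen <= max_length <= MAX_BITS[pdu_type]:
        raise ValueError("max length must lie between the prefix length and the address size")
    region_bytes = b"" if region is None else region.encode("utf-8")
    total = FIXED_LEN[pdu_type] + len(region_bytes)
    flags = FLAG_CANCEL if cancel else 0
    return (struct.pack(HEADER, PROTOCOL_VERSION, pdu_type, 0, total)
            + struct.pack(BODY, flags, net.prefixlen, max_length, 0)
            + net.network_address.packed
            + struct.pack("!I", origin_as)
            + region_bytes)


def decode_prefix_pdu(data: bytes) -> dict:
    """Parse one message into the values of a ROA entry; raises ValueError when malformed."""
    if len(data) < 12:
        raise ValueError("truncated header")
    version, pdu_type, zero1, total = struct.unpack(HEADER, data[:8])
    if version != PROTOCOL_VERSION:
        raise ValueError(f"unsupported protocol version {version}")
    if pdu_type not in FIXED_LEN:
        raise ValueError(f"unsupported PDU type {pdu_type}")
    fixed = FIXED_LEN[pdu_type]
    # The Length field must describe exactly what was received; never trust it blindly.
    if total != len(data) or total < fixed:
        raise ValueError("Length field does not match the received message")
    flags, prefix_len, max_len, zero2 = struct.unpack(BODY, data[8:12])
    if zero1 != 0 or zero2 != 0:
        raise ValueError("padding fields must be zero")
    alen = ADDR_LEN[pdu_type]
    address = ipaddress.ip_address(data[12:12 + alen])
    (origin_as,) = struct.unpack("!I", data[12 + alen:16 + alen])
    if not prefix_len <= max_len <= MAX_BITS[pdu_type]:
        raise ValueError("inconsistent prefix length / max length")
    # strict=True rejects a prefix whose host bits are set.
    net = ipaddress.ip_network(f"{address}/{prefix_len}", strict=True)
    region_bytes = data[fixed:]
    return {
        "cancel": bool(flags & FLAG_CANCEL),
        "prefix": str(net),
        "max_length": max_len,
        "origin_as": origin_as,
        # An absent identifier is taken as the empty area identifier (any area).
        "region": region_bytes.decode("utf-8") if region_bytes else None,
    }


def accepts(data: bytes) -> bool:
    """True when `data` decodes cleanly; shows that malformed input is rejected."""
    try:
        decode_prefix_pdu(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    msg = encode_prefix_pdu("5.10.136.0/24", 24, 4807, "A")   # constructed sample
    print(msg.hex(), decode_prefix_pdu(msg))
```

The decoder refuses a Length that disagrees with the bytes actually received, non-zero padding, a prefix with host bits set and a Max Length shorter than the prefix length before anything reaches the ROA database; that is the validation a network device should apply to everything the server sends. One interoperability caveat: the prefix PDUs of RFC 8210 use the opposite flag polarity (bit 0 set means announcement), so an implementation that also talks to a standard RTR cache has to map the bit accordingly.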
In a second implementation manner, the server sends a message to the first network device, where the message carries the target origin AS number and the target routing prefix. The first network device receives the message from the server. The first network device sends a request message to the server, where the request message carries the target routing prefix and is used to request the area indication information corresponding to the target routing prefix. After receiving the request message sent by the first network device, the server obtains the target area indication information, based on the target routing prefix, from the stored correspondence between routing prefixes and area indication information. The server sends the target area indication information to the first network device, and the first network device receives it. The second implementation manner does not require modifying the existing message format: the existing message format is used as-is, carrying the target origin AS number and the target routing prefix in the same message. After the first network device receives the message, it obtains the target area indication information from the server based on the target routing prefix, and then stores the target origin AS number, the target routing prefix, and the target area indication information in the ROA database.
Processing phases of BGP routing information
Based on the above description, the BGP routing information acquired by the first network device may be inbound BGP routing information or outbound BGP routing information. Depending on the direction of the BGP routing information, it is processed differently based on its verification result. The two cases are described below.
In the first case, the BGP routing information is inbound BGP routing information.
The BGP routing information is BGP routing information from the second network device, that is, routing information from an external BGP neighbor, and it corresponds to the first BGP route. In this case, the first network device stores the first BGP route if the BGP routing information passes verification. If the BGP routing information fails verification, the first network device either discards the first BGP route or sets the priority of the first BGP route to a low priority. For example, the priority of the first BGP route is set to a first priority that is lower than a second priority, where the second priority is the priority of a second BGP route whose prefix is the same as the prefix of the first BGP route. Optionally, the area to which the routing prefix corresponding to the second BGP route belongs is the same as the area to which the second network device belongs.
After the first network device stores the first BGP route included in the BGP route information, the first network device may further learn the first BGP route.
Optionally, when the BGP routing information fails verification, this indicates that it may be hijacked or forged routing information, so its security is relatively low. The second network device is an external BGP neighbor of the first network device, and the area to which the routing prefix corresponding to the second BGP route belongs is the same as the area to which the second network device belongs, that is, the second BGP route is a route issued by the second network device itself; therefore the priority of the first BGP route may be set lower than that of the second BGP route. In this way, when BGP routes are installed in the forwarding table, the higher-priority second BGP route is selected, so that user traffic can still be forwarded while preventing it from being eavesdropped.
Certainly, under the condition that the BGP routing information is not verified, the first BGP route included in the BGP routing information is directly discarded, so that the first BGP route may be prohibited from being used on the network device, and the user traffic may also be prevented from being eavesdropped.
In the second case, the BGP routing information is outbound BGP routing information.
The BGP routing information is BGP routing information sent to the third network device, or the BGP routing information is routing information sent to an internal BGP neighbor, and the BGP routing information corresponds to the first BGP route. In this way, when the BGP routing information is verified, the first network device sends the BGP routing information to the third network device, so that the third network device stores the first BGP route, and further forwards the packet using the first BGP route.
Based on the above description, when receiving the BGP routing information of the ingress direction, the first network device may also store the BGP routing information without verifying the BGP routing information. Or after the first network device verifies the BGP routing information of the ingress side, the first network device stores the BGP routing information. That is, the routing information stored locally by the first network device may or may not be validated. Regardless of whether the routing information stored locally by the first network device is verified, the BGP routing information may be directly sent to the third network device if it is determined that the BGP routing information is verified before being sent to the third network device.
However, when it is currently determined that the BGP routing information fails to be verified, the BGP routing information needs to be described separately in two cases. When the routing information locally stored in the first network device passes the verification, and when it is determined that the BGP routing information fails the verification before sending the BGP routing information to the third network device, the first network device may determine, from the stored ROA database, a second entry that matches the target routing prefix and the area identifier of the area to which the target routing prefix actually belongs. The first network device modifies the originating AS number in the BGP routing information to the originating AS number in the second entry. In a case where the routing information locally stored in the first network device is not verified, and it is determined that the BGP routing information is not verified before the BGP routing information is sent to the third network device, the first network device may discard the first BGP route included in the BGP routing information, or set a priority of the first BGP route included in the BGP routing information to a first priority.
It should be noted that, after the first network device stores the BGP routing information locally, the origin AS number in the locally stored BGP routing information may be erroneously modified by a routing policy or a software problem. Therefore, when the BGP routing information fails verification, if it was not verified before being stored locally in the first network device, the origin AS number it contains may have been erroneously modified by a routing policy or a software problem of the first network device, or the BGP routing information may have been forged from the outset. To be safe, the first BGP route included in the BGP routing information may be discarded or set to a low priority.
However, if the BGP routing information was verified before being stored locally in the first network device and that verification passed, the origin AS number it contains was indeed erroneously modified by a routing policy or a software problem of the first network device. The first network device may therefore determine, from the stored ROA database, a second entry matching the target routing prefix and the area identifier of the area to which the target routing prefix actually belongs, and modify the origin AS number in the BGP routing information to the origin AS number in the second entry. This resolves the problem of BGP routing information becoming invalid because the origin AS number was erroneously modified by a routing policy or a software problem, and so avoids the resulting Internet failures.
After the first network device sends the BGP routing information to the third network device, the third network device may store the first BGP route included in the BGP routing information, and may also learn the first BGP route.
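The inbound and outbound handling described in the two cases above, as an added example in Python (not code from the patent). The verification verdict is passed in as a boolean; the priority values, the RIB model, the constructed second-entry table and the fallback when no second entry exists are assumptions.

```python
"""Added example, not code from the patent: handling of a first BGP route in
the inbound and outbound directions, driven by its verification result.
Priority values, RIB model, second-entry table and fallback are assumptions;
sample routes are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Optional

FIRST_PRIORITY = 1     # low priority given to a route that failed verification
SECOND_PRIORITY = 10   # normal priority of a same-prefix route issued by the neighbor's own area


@dataclass
class BgpRoute:
    prefix: str
    origin_as: int
    actual_area: str                           # area of the device that originated the prefix
    priority: int = SECOND_PRIORITY
    verified_on_store: Optional[bool] = None   # None: never verified before local storage


@dataclass
class Rib:
    routes: dict = field(default_factory=dict)   # prefix -> candidate routes

    def add(self, route: BgpRoute) -> None:
        self.routes.setdefault(route.prefix, []).append(route)

    def best(self, prefix: str) -> Optional[BgpRoute]:
        """Route handed to the forwarding table: the highest-priority candidate."""
        cands = self.routes.get(prefix, [])
        return max(cands, key=lambda r: r.priority) if cands else None


def process_inbound(rib: Rib, route: BgpRoute, verified: bool,
                    discard_on_failure: bool = False) -> str:
    """First case: routing information received from an external BGP neighbor."""
    if verified:
        route.verified_on_store = True
        rib.add(route)
        return "stored"
    if discard_on_failure:
        return "discarded"
    # Keep the route, but below any same-prefix route that passed, so it is not
    # selected for forwarding while a verified alternative exists.
    route.verified_on_store = False
    route.priority = FIRST_PRIORITY
    rib.add(route)
    return "stored-low-priority"


# Constructed "second entry" table: (prefix, actual area) -> origin AS number,
# i.e. the ROA entry matched by prefix and area rather than by origin AS.
SECOND_ENTRIES = {("5.10.136.0/24", "A"): 4807, ("27.148.248.0/21", "B"): 4808}


def second_entry(prefix: str, area: str) -> Optional[int]:
    return SECOND_ENTRIES.get((prefix, area))


def process_outbound(route: BgpRoute, verified: bool,
                     lookup: Callable[[str, str], Optional[int]] = second_entry) -> str:
    """Second case: routing information to be sent to an internal BGP neighbor."""
    if verified:
        return "sent"
    if route.verified_on_store:
        # It passed when stored, so the origin AS number was altered locally
        # (routing policy or software fault): restore it from the second entry.
        corrected = lookup(route.prefix, route.actual_area)
        if corrected is not None:
            route.origin_as = corrected
            return "sent-corrected"
    # Failed or never verified when stored (or nothing to correct with, an assumed
    # fallback): possibly forged, so hold it back at low priority.
    route.priority = FIRST_PRIORITY
    return "withheld"


if __name__ == "__main__":
    rib = Rib()
    print(process_inbound(rib, BgpRoute("5.10.136.0/24", 4807, "A"), True))
    print(process_inbound(rib, BgpRoute("5.10.136.0/24", 4807, "B"), False))
    print(rib.best("5.10.136.0/24"))
```

The design point is the `verified_on_store` flag: without it the device cannot tell a locally corrupted origin AS number (safe to repair from the second entry) from routing information that was already forged when it arrived (to be withheld), which is exactly the distinction the text draws.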
To sum up, in the embodiment of the present application, the validity verification of BGP routing information takes into account the area to which a routing prefix belongs. When multiple routing prefixes are distributed across different areas, the area to which the routing prefix included in the BGP routing information belongs is distinguished by its area identifier, and the validity of the BGP routing information is verified accordingly, thereby improving network security and the accuracy of route origin verification. That is, by verifying the area to which the routing prefix belongs, it can be further detected whether the BGP routing information has been hijacked, so that origin hijacking attacks can be effectively identified and the gap such attacks rely on is closed.
Fig. 7 is a schematic structural diagram of an apparatus for route verification according to an embodiment of the present application, where the apparatus for route verification may be implemented as part or all of a network device by software, hardware, or a combination of the two, and the network device may be the first network device shown in fig. 2 or fig. 3, and is used to implement the function of the first network device shown in fig. 2 or fig. 3. Referring to fig. 7, the apparatus includes: a first acquisition module 701, a second acquisition module 702, and a verification module 703.
A first obtaining module 701, configured to obtain BGP routing information, where the BGP routing information includes a target routing prefix, and the detailed implementation process refers to corresponding steps in the foregoing embodiments.
A second obtaining module 702, configured to obtain, based on the target routing prefix, an area identifier of an area to which the target routing prefix actually belongs, where the implementation process refers to corresponding steps in the foregoing embodiments in detail.
The verifying module 703 is configured to verify BGP routing information based on the target routing prefix and the area identifier of the area to which the target routing prefix actually belongs, and refer to the corresponding steps in the foregoing embodiments in detail in the implementation process.
Optionally, the verification module 703 comprises:
the determining submodule is used for determining a first table item from a stored ROA database;
and the verification submodule is used for verifying the BGP routing information based on the first table entry and the area identifier of the area to which the target routing prefix actually belongs.
Optionally, the determining submodule is specifically configured to:
and determining a first table item matched with the target routing prefix from an ROA database, wherein the ROA database is used for storing the corresponding relation between the routing prefix and the area identifier.
Optionally, the BGP routing information further includes a target origin AS number;
the determination submodule is specifically configured to:
and determining a first table item matched with the target origin AS number and the target routing prefix from a stored ROA database, wherein the ROA database is used for storing the corresponding relation of the origin AS number, the routing prefix and the area identifier.
Optionally, the verification sub-module is specifically configured to:
and under the condition that the area identifier in the first table entry is not empty, if the area identifier in the first table entry is the same as the area identifier of the area to which the target routing prefix actually belongs, determining that the BGP routing information passes verification.
Optionally, the verification sub-module is specifically configured to:
and under the condition that the area identifier in the first table entry is not empty, if the area identifier in the first table entry is the specific identifier, determining that the BGP routing information is verified.
Optionally, the verification sub-module is specifically configured to:
and determining that the BGP routing information is verified under the condition that the area identifier in the first table entry is empty.
Optionally, the verification module 703 further includes:
the first acquisition submodule is used for acquiring a target routing prefix and target area indication information from the server, wherein the target area indication information comprises an area identifier or indication information used for indicating that the target routing prefix is applicable to any area;
and the first creating submodule is used for creating a first table entry in the ROA database based on the target routing prefix and the target area indication information.
Optionally, the first obtaining sub-module is specifically configured to:
and receiving a message from the server, wherein the message carries a target routing prefix and target area indication information.
Optionally, the first obtaining sub-module is specifically configured to:
receiving a message from a server, wherein the message carries a target routing prefix;
sending a request message to a server, wherein the request message carries a target routing prefix;
and receiving target area indication information sent by the server.
Optionally, the verification module 703 further comprises:
the second acquisition submodule is used for acquiring a target origin AS number, a target routing prefix and target area indication information from the server, wherein the target area indication information comprises an area identifier or indication information used for indicating that the target routing prefix is applicable to any area;
and the second creating submodule is used for creating a first table entry in the ROA database based on the target origin AS number, the target routing prefix and the target area indication information.
Optionally, the second obtaining sub-module is specifically configured to:
and receiving a message from the server, wherein the message carries a target origin AS number, a target routing prefix and target area indication information.
Optionally, the second obtaining sub-module is specifically configured to:
receiving a message from a server, wherein the message carries a target origin AS number and a target routing prefix;
sending a request message to a server, wherein the request message carries a target routing prefix;
and receiving target area indication information sent by the server.
Optionally, the server is an RPKI server.
Optionally, the second obtaining module 702 is specifically configured to:
determining, among the plurality of network devices through which the target routing prefix has actually passed, the area identifier of the area to which the originating network device belongs, so as to obtain the area identifier of the area to which the target routing prefix actually belongs.
Optionally, the first obtaining module 701 is specifically configured to:
receiving BGP routing information from the second network device, wherein the BGP routing information corresponds to the first BGP route;
the device also includes:
and the storage module is used for storing the first BGP route under the condition that the BGP route information is verified to pass.
Optionally, the apparatus further comprises:
and the processing module is used for discarding the first BGP route under the condition that the BGP route information verification fails, or setting the priority of the first BGP route as a first priority, wherein the first priority is lower than a second priority, the second priority refers to the priority of the second BGP route, and the route prefix corresponding to the second BGP route is the same as the route prefix corresponding to the first BGP route.
Optionally, the first obtaining module 701 is specifically configured to:
acquiring BGP routing information from locally stored routing information, wherein the BGP routing information is verified before being stored locally in the first network equipment, and the BGP routing information corresponds to the first BGP route;
the device also includes:
and the sending module is used for sending the BGP routing information to the third network equipment under the condition that the BGP routing information passes verification so as to enable the third network equipment to store the first BGP route.
Optionally, the apparatus further comprises:
the determining module is used for determining a second table item matched with the target routing prefix and the area identifier of the area to which the target routing prefix actually belongs from the stored ROA database under the condition that the BGP routing information verification fails;
and the modification module is used for modifying the origin AS number included in the BGP routing information into the origin AS number in the second table entry.
To sum up, in the embodiment of the present application, the validity verification of BGP routing information takes into account the area to which a routing prefix belongs. When multiple routing prefixes are distributed across different areas, the area to which the routing prefix included in the BGP routing information belongs is distinguished by its area identifier, and the validity of the BGP routing information is verified accordingly, thereby improving network security and the accuracy of route origin verification. That is, by verifying the area to which the routing prefix belongs, it can be further detected whether the BGP routing information has been hijacked, so that origin hijacking attacks can be effectively identified and the gap such attacks rely on is closed.
It should be noted that: in the route verification apparatus provided in the foregoing embodiment, only the division of each functional module is illustrated when performing route verification, and in practical applications, the above function distribution may be completed by different functional modules according to needs, that is, the internal structure of the apparatus is divided into different functional modules to complete all or part of the above described functions. In addition, the apparatus for route verification and the method embodiment for route verification provided by the foregoing embodiments belong to the same concept, and specific implementation processes thereof are detailed in the method embodiment and will not be described herein again.
Fig. 8 is a schematic structural diagram of a data transmission apparatus provided in an embodiment of the present application, where the data transmission apparatus may be implemented by software, hardware, or a combination of the two to be a part or all of a server, and the server may be the server shown in fig. 2 or fig. 3, and is used to implement the functions of the server shown in fig. 2 or fig. 3. Referring to fig. 8, the apparatus includes: a first obtaining module 801 and a sending module 802.
The first obtaining module 801 is configured to obtain a target routing prefix and target area indication information, where the target area indication information includes an area identifier or indication information used to indicate that the target routing prefix is applicable to any area.
The sending module 802 is configured to send the target routing prefix and the target area indication information to a first network device, where the first network device is any network device in a BGP-based network.
Optionally, the sending module 802 is specifically configured to:
send a message to the first network device, where the message carries the target routing prefix and the target area indication information.
Optionally, the sending module 802 is specifically configured to:
send a message to the first network device, where the message carries the target routing prefix;
receive a request message sent by the first network device, where the request message carries the target routing prefix;
obtain the target area indication information, based on the target routing prefix, from the stored correspondence between routing prefixes and area indication information;
send the target area indication information to the first network device.
Optionally, the apparatus further includes:
a second obtaining module, configured to obtain a target origin AS number;
and the sending module 802 is specifically configured to:
send the target origin AS number, the target routing prefix and the target area indication information to the first network device.
Optionally, the sending module 802 is specifically configured to:
send a message to the first network device, where the message carries the target origin AS number, the target routing prefix and the target area indication information.
Optionally, the sending module 802 is specifically configured to:
send a message to the first network device, where the message carries the target origin AS number and the target routing prefix;
receive a request message sent by the first network device, where the request message carries the target routing prefix;
obtain the target area indication information, based on the target routing prefix, from the stored correspondence between routing prefixes and area indication information;
send the target area indication information to the first network device.
Optionally, the server is an RPKI server.
In summary, in the embodiment of the present application, the server sends the origin AS number, the routing prefix, and the area indication information to the first network device, and the first network device constructs the ROA database from them. When it verifies the validity of BGP routing information, the first network device can then distinguish, based on the ROA database, the area to which the routing prefix included in the BGP routing information belongs, and can therefore verify whether the BGP routing information is valid even when several routing prefixes are distributed across different areas, which improves network security and the accuracy of route origin verification. That is, by verifying the area to which the routing prefix belongs, the device can further detect whether the BGP routing information has been hijacked, so that a route origin hijacking attack launched by an attacker can be effectively identified and the gap that such an attack exploits can be closed.
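As an added example (not code from the patent, nor from any router or RPKI implementation), the following Python models the mechanism summarised above: the server's messages carry (origin AS number, routing prefix, area indication), the first network device builds its ROA database from them, derives the area a route actually belongs to from the first device the announcement passed through, and applies the three verification rules the description gives (a matching area passes, the any-area identifier passes, an empty area passes, anything else fails). A route that fails is either discarded or stored with a lower priority than a verified route for the same prefix, and the entry that matches the prefix together with its actual area supplies the origin AS to use when a stored route fails re-verification before being forwarded. Prefixes, AS numbers, device names and area identifiers are constructed sample values; the encoding of the any-area identifier as `"*"`, the priority values, the device-to-area table and the `"not_found"` result for a prefix with no entry are assumptions of this example.

```python
# Added example for this page, not code from the patent or any router/RPKI product. Prefixes,
# AS numbers, device names and areas are constructed; ANY_AREA, the priorities and "not_found" are assumed.
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple

ANY_AREA = "*"      # assumed encoding of the "specific identifier" meaning "applicable to any area"
NORMAL_PRIORITY = 100
LOW_PRIORITY = 10   # assumed values; only their order matters (a failed route ranks below a verified one)

def canon(prefix: str) -> str:
    # Exact-prefix matching on the canonical form (real ROA matching also uses covering prefix/maxLength).
    return str(ip_network(prefix, strict=True))

@dataclass(frozen=True)
class RoaEntry:
    origin_as: int
    prefix: str
    area: Optional[str]  # an area identifier, ANY_AREA, or None when the server sent no area

@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    origin_as: int
    path_devices: Tuple[str, ...]  # devices the announcement passed through; index 0 is the initial one

class AreaAwareRouter:
    # The "first network device": builds the ROA database and verifies BGP routes against it.
    def __init__(self, device_areas: Dict[str, str]) -> None:
        self.device_areas = device_areas  # device -> area identifier, assumed to be known locally
        self.roa: List[RoaEntry] = []
        self.rib: Dict[str, List[Tuple[int, BgpRoute]]] = {}

    def load_roa(self, messages) -> None:
        # Each server message carries (origin AS, prefix, area indication).
        for origin_as, prefix, area in messages:
            self.roa.append(RoaEntry(origin_as, canon(prefix), area))

    def find_entry(self, origin_as: int, prefix: str) -> Optional[RoaEntry]:
        p = canon(prefix)
        return next((e for e in self.roa if e.origin_as == origin_as and e.prefix == p), None)

    def actual_area(self, route: BgpRoute) -> str:
        # The area the prefix actually belongs to is that of the first device it passed through.
        return self.device_areas[route.path_devices[0]]

    def verify(self, route: BgpRoute) -> str:
        entry = self.find_entry(route.origin_as, route.prefix)
        if entry is None:
            return "not_found"  # no entry for this (origin AS, prefix); the page does not define this case
        if entry.area is None or entry.area == ANY_AREA:
            return "valid"  # empty area or the any-area identifier: no area restriction applies
        return "valid" if entry.area == self.actual_area(route) else "invalid"

    def receive(self, route: BgpRoute, drop_on_failure: bool = False) -> str:
        # A route learned from a neighbour is stored, dropped, or down-ranked depending on the result.
        result = self.verify(route)
        if result == "invalid" and drop_on_failure:
            return result
        priority = LOW_PRIORITY if result == "invalid" else NORMAL_PRIORITY
        self.rib.setdefault(canon(route.prefix), []).append((priority, route))
        return result

    def best_route(self, prefix: str) -> Optional[BgpRoute]:
        candidates = self.rib.get(canon(prefix), [])
        return max(candidates, key=lambda pr: pr[0])[1] if candidates else None

    def corrected_origin_as(self, route: BgpRoute) -> Optional[int]:
        # For a stored route that fails re-verification before being forwarded: the origin AS of the
        # entry matching the prefix together with the area the route actually came from.
        p, area = canon(route.prefix), self.actual_area(route)
        return next((e.origin_as for e in self.roa if e.prefix == p and e.area == area), None)

# Constructed sample data: what the server sends, and which area each device sits in.
SERVER_MESSAGES = [
    (64500, "203.0.113.0/24", "east"),     # originated by AS64500 from area "east"
    (64510, "203.0.113.0/24", "west"),     # the same prefix is also originated by AS64510 from "west"
    (64501, "198.51.100.0/24", ANY_AREA),  # may be originated from any area
    (64502, "192.0.2.0/24", None),         # no area given: no area check
]
DEVICE_AREAS = {"r-east-1": "east", "r-west-1": "west", "r-core-1": "core"}

def build_router() -> AreaAwareRouter:
    router = AreaAwareRouter(DEVICE_AREAS)
    router.load_roa(SERVER_MESSAGES)
    return router

def demo() -> Dict[str, object]:
    r = build_router()
    legit = BgpRoute("203.0.113.0/24", 64500, ("r-east-1", "r-core-1"))
    mismatch = BgpRoute("203.0.113.0/24", 64500, ("r-west-1", "r-core-1"))  # claims AS64500 but entered from "west"
    return {
        "legit": r.receive(legit),                                                # "valid"
        "mismatch": r.receive(mismatch),                                          # "invalid"
        "any_area": r.receive(BgpRoute("198.51.100.0/24", 64501, ("r-west-1",))),  # "valid"
        "no_area": r.receive(BgpRoute("192.0.2.0/24", 64502, ("r-west-1",))),      # "valid"
        "unknown": r.receive(BgpRoute("192.0.2.0/24", 64999, ("r-east-1",))),      # "not_found"
        "best": r.best_route("203.0.113.0/24"),            # the verified route, not the down-ranked one
        "corrected_origin": r.corrected_origin_as(mismatch),  # 64510
    }
```

The `mismatch` case is the one classic origin validation cannot catch: the announcement carries the legitimate origin AS, so an (origin AS, prefix) lookup alone passes it, and only the comparison against the area the route actually entered from marks it invalid. Whether an announcement with no matching entry at all should be accepted is a local policy decision that the page does not settle, which is why the example reports it separately rather than treating it as either outcome.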
It should be noted that the division of the data transmission apparatus of the foregoing embodiment into functional modules is only illustrative; in practice, the functions may be distributed among different functional modules as needed, that is, the internal structure of the apparatus may be divided into different functional modules to complete all or part of the functions described above. In addition, the data transmission apparatus and the data transmission method provided in the foregoing embodiments belong to the same concept; the specific implementation process of the apparatus is described in detail in the method embodiments and is not repeated here.
Fig. 9 shows another possible structure of the network device involved in the above embodiments. The network device 900 includes a processor 902, a network interface 903, a memory 901, and a bus 904.
The memory 901 is used to store instructions. When the embodiment shown in fig. 4 is implemented and each unit described in that embodiment is implemented in software, the software or program code needed to execute the functions of each unit in fig. 4 is stored in the memory 901.
The processor 902 is used to execute the instructions in the memory 901 so as to perform the route verification method of the embodiment shown in fig. 4. The processor 902 may be a central processing unit (CPU), a general purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, transistor logic, a hardware component, or any combination thereof, and may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the embodiments of the application. A processor may also be a combination of computing components, for example one or more microprocessors, or a DSP together with a microprocessor.
The network interface 903 is used to communicate with other network devices. It may be an Ethernet interface, an asynchronous transfer mode (ATM) interface, or the like.
The network interface 903, the processor 902, and the memory 901 are connected to each other by the bus 904. The bus 904 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like, and may be divided into an address bus, a data bus, a control bus, and so on. For ease of illustration, only one thick line is shown in fig. 9, but this does not mean that there is only one bus or only one type of bus.
In a particular embodiment, the processor 902 is configured to execute the instructions in the memory 901 so that the network device 900 obtains BGP routing information that includes a target routing prefix, obtains, based on the target routing prefix, the area identifier of the area to which the target routing prefix actually belongs, and verifies the BGP routing information based on the target routing prefix and that area identifier. For the detailed processing procedure of the processor 902, refer to the detailed description of the embodiment shown in fig. 4, which is not repeated here.
The network interface 903 is used by the network device 900 to receive BGP routing information and to send and receive messages. For the specific process, refer to the detailed description of the embodiment shown in fig. 4, which is not repeated here.
Fig. 10 shows another possible structure of the network device involved in the above embodiments. The network device 1000 includes a main control board 1001 and an interface board 1002. The main control board 1001 includes a processor 1003 and a memory 1004. The interface board 1002 includes a processor 1005, a memory 1006, and an interface card 1007. The main control board 1001 and the interface board 1002 are coupled to each other.
This hardware can implement the corresponding functions of the network device in the embodiment shown in fig. 4. For example, the memory 1006 stores the program code of the interface board 1002, and the processor 1005 calls the program code in the memory 1006 to trigger the interface card 1007 to perform the various information receiving and transmitting operations performed by the network device in the method embodiment above. The memory 1004 may store the program code of the main control board 1001, and the processor 1003 calls the program code in the memory 1004 to perform the processing of the network device other than information transceiving in the foregoing method embodiments.
For example, the processor 1005 is configured to trigger the interface card 1007 to obtain BGP routing information, where the BGP routing information includes a target routing prefix; the network device then obtains, based on the target routing prefix, the area identifier of the area to which the target routing prefix actually belongs, and verifies the BGP routing information based on the target routing prefix and that area identifier. The memory 1004 stores the program code and data of the main control board 1001; the memory 1006 stores the program code and data of the interface board 1002.
In one example, an inter-process communication (IPC) channel is established between the main control board 1001 and the interface board 1002, and the two boards communicate with each other through the IPC channel. For example, the main control board 1001 receives BGP routing information or messages from the interface board 1002 through the IPC channel.
The network device 1000 may be a router, a switch, or another network device with a forwarding function. The network device 1000 can implement the functions of the network device in the embodiment shown in fig. 4; for the specific execution steps, refer to the foregoing method embodiments, which are not repeated here.
The present application further provides a non-transitory storage medium for storing the software instructions used in the foregoing embodiments. It includes a program for executing the method shown in the foregoing embodiments; when the program is executed on a computer or a network device, the computer or network device is caused to execute the method of the foregoing method embodiments.
Embodiments of the present application also provide a computer program product comprising computer program instructions which, when run on a network node, cause the network node to perform the method of the foregoing method embodiments.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or another programmable device. The computer instructions may be stored on a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wirelessly (e.g., infrared, radio, microwave). The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that includes one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., digital versatile disc (DVD)), or a semiconductor medium (e.g., solid state disk (SSD)), among others. Note that the computer-readable storage medium referred to in the embodiments of the present application may be a non-volatile storage medium, in other words a non-transitory storage medium.
It should be understood that "a plurality" herein means two or more. In the description of the embodiments of the present application, "/" indicates an alternative; for example, A/B may indicate A or B. "And/or" merely describes an association between associated objects and means that three relationships may exist; for example, "A and/or B" may mean that A exists alone, that A and B exist simultaneously, or that B exists alone. In addition, to describe the technical solutions of the embodiments clearly, terms such as "first" and "second" are used in the embodiments to distinguish between items that are the same or similar and have substantially the same function and effect. Those skilled in the art will appreciate that the terms "first", "second", etc. do not denote any order, quantity, or importance.
The above embodiments are not intended to limit the present application; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application shall be included in the protection scope of the present application.
Claims (46)
1. A method of route verification, the method comprising:
a first network device obtaining BGP routing information, wherein the BGP routing information comprises a target routing prefix;
the first network device obtaining, based on the target routing prefix, an area identifier of an area to which the target routing prefix actually belongs; and
the first network device verifying the BGP routing information based on the target routing prefix and the area identifier of the area to which the target routing prefix actually belongs.
2. The method of claim 1, wherein the first network device verifying the BGP routing information based on the target routing prefix and the area identifier of the area to which the target routing prefix actually belongs comprises:
the first network device determining a first entry from a stored route origin validation (ROA) database; and
the first network device verifying the BGP routing information based on the first entry and the area identifier of the area to which the target routing prefix actually belongs.
3. The method of claim 2, wherein the first network device determining a first entry from a stored ROA database comprises:
the first network device determining, from the ROA database, the first entry that matches the target routing prefix, wherein the ROA database is used to store a correspondence between routing prefixes and area identifiers.
4. The method of claim 2, wherein the BGP routing information further comprises a target origin autonomous system (AS) number; and
the first network device determining a first entry from a stored ROA database comprises:
the first network device determining, from the ROA database, the first entry that matches the target origin AS number and the target routing prefix, wherein the ROA database is used to store a correspondence between origin AS numbers, routing prefixes, and area identifiers.
5. The method of any one of claims 2 to 4, wherein the first network device verifying the BGP routing information based on the first entry and the area identifier of the area to which the target routing prefix actually belongs comprises:
when the area identifier in the first entry is not empty, if the area identifier in the first entry is the same as the area identifier of the area to which the target routing prefix actually belongs, the first network device determining that the BGP routing information passes verification.
6. The method of any one of claims 2 to 4, wherein the first network device verifying the BGP routing information based on the first entry and the area identifier of the area to which the target routing prefix actually belongs comprises:
when the area identifier in the first entry is not empty, if the area identifier in the first entry is a specific identifier, the first network device determining that the BGP routing information passes verification.
7. The method of any one of claims 2 to 4, wherein the first network device verifying the BGP routing information based on the first entry and the area identifier of the area to which the target routing prefix actually belongs comprises:
when the area identifier in the first entry is empty, the first network device determining that the BGP routing information passes verification.
8. The method of claim 3, wherein before the first network device determines, from the ROA database, the first entry that matches the target routing prefix, the method further comprises:
the first network device obtaining the target routing prefix and target area indication information from a server, wherein the target area indication information comprises an area identifier or indication information used to indicate that the target routing prefix is applicable to any area; and
the first network device creating the first entry in the ROA database based on the target routing prefix and the target area indication information.
9. The method of claim 8, wherein the first network device obtaining the target routing prefix and target area indication information from a server comprises:
the first network device receiving a message from the server, wherein the message carries the target routing prefix and the target area indication information.
10. The method of claim 8, wherein the first network device obtaining the target routing prefix and target area indication information from a server comprises:
the first network device receiving a message from the server, wherein the message carries the target routing prefix;
the first network device sending a request message to the server, wherein the request message carries the target routing prefix; and
the first network device receiving the target area indication information sent by the server.
11. The method of claim 4, wherein before the first network device determines, from the ROA database, the first entry that matches the target origin AS number and the target routing prefix, the method further comprises:
the first network device obtaining the target origin AS number, the target routing prefix and target area indication information from a server, wherein the target area indication information comprises an area identifier or indication information used to indicate that the target routing prefix is applicable to any area; and
the first network device creating the first entry in the ROA database based on the target origin AS number, the target routing prefix, and the target area indication information.
12. The method of claim 11, wherein the first network device obtaining the target origin AS number, the target routing prefix, and target area indication information from a server comprises:
the first network device receiving a message from the server, wherein the message carries the target origin AS number, the target routing prefix and the target area indication information.
13. The method of claim 11, wherein the first network device obtaining the target origin AS number, the target routing prefix, and target area indication information from a server comprises:
the first network device receiving a message from the server, wherein the message carries the target origin AS number and the target routing prefix;
the first network device sending a request message to the server, wherein the request message carries the target routing prefix; and
the first network device receiving the target area indication information sent by the server.
14. The method of claim 1, wherein the first network device obtaining, based on the target routing prefix, an area identifier of an area to which the target routing prefix actually belongs comprises:
the first network device determining the area identifier of the area to which the initial network device, among the plurality of network devices that the target routing prefix has actually passed through, belongs, so as to obtain the area identifier of the area to which the target routing prefix actually belongs.
15. The method of any one of claims 1 to 14, wherein the first network device obtaining BGP routing information comprises:
the first network device receiving the BGP routing information from a second network device, wherein the BGP routing information corresponds to a first BGP route; and
after the first network device verifies the BGP routing information based on the target routing prefix and the area identifier of the area to which the target routing prefix actually belongs, the method further comprises:
when the BGP routing information passes verification, the first network device storing the first BGP route.
16. The method of claim 15, wherein the method further comprises:
when the BGP routing information fails verification, the first network device discarding the first BGP route, or setting the priority of the first BGP route to a first priority, wherein the first priority is lower than a second priority, the second priority is the priority of a second BGP route, and the routing prefix corresponding to the second BGP route is the same as the routing prefix corresponding to the first BGP route.
17. The method of any one of claims 1 to 14, wherein the first network device obtaining BGP routing information comprises:
the first network device obtaining the BGP routing information from locally stored routing information, wherein the BGP routing information was verified before being stored locally in the first network device, and the BGP routing information corresponds to a first BGP route; and
after the first network device verifies the BGP routing information based on the target routing prefix and the area identifier of the area to which the target routing prefix actually belongs, the method further comprises:
when the BGP routing information passes verification, the first network device sending the BGP routing information to a third network device so that the third network device stores the first BGP route.
18. The method of claim 17, wherein the method further comprises:
when the BGP routing information fails verification, the first network device determining, from a stored ROA database, a second entry that matches the target routing prefix and the area identifier of the area to which the target routing prefix actually belongs; and
the first network device modifying the origin AS number included in the BGP routing information to the origin AS number in the second entry.
19. A method of data transmission, the method comprising:
a server obtaining a target routing prefix and target area indication information, wherein the target area indication information comprises an area identifier or indication information used to indicate that the target routing prefix is applicable to any area; and
the server sending the target routing prefix and the target area indication information to a first network device, wherein the first network device is any network device in a network based on the Border Gateway Protocol (BGP).
20. The method of claim 19, wherein the server sending the target routing prefix and the target area indication information to the first network device comprises:
the server sending a message to the first network device, wherein the message carries the target routing prefix and the target area indication information.
21. The method of claim 19, wherein the server sending the target routing prefix and the target area indication information to the first network device comprises:
the server sending a message to the first network device, wherein the message carries the target routing prefix;
the server receiving a request message sent by the first network device, wherein the request message carries the target routing prefix;
the server obtaining, based on the target routing prefix, the target area indication information from a stored correspondence between routing prefixes and area indication information; and
the server sending the target area indication information to the first network device.
22. The method of claim 19, wherein the method further comprises:
the server obtaining a target origin autonomous system (AS) number; and
the server sending the target routing prefix and the target area indication information to the first network device comprises:
the server sending the target origin AS number, the target routing prefix and the target area indication information to the first network device.
23. The method of claim 22, wherein the server sending the target origin AS number, the target routing prefix, and the target area indication information to the first network device comprises:
the server sending a message to the first network device, wherein the message carries the target origin AS number, the target routing prefix and the target area indication information.
24. The method of claim 22, wherein the server sending the target origin AS number, the target routing prefix, and the target area indication information to the first network device comprises:
the server sending a message to the first network device, wherein the message carries the target origin AS number and the target routing prefix;
the server receiving a request message sent by the first network device, wherein the request message carries the target routing prefix;
the server obtaining, based on the target routing prefix, the target area indication information from a stored correspondence between routing prefixes and area indication information; and
the server sending the target area indication information to the first network device.
25. An apparatus for route verification, the apparatus comprising:
a first obtaining module, configured to obtain Border Gateway Protocol (BGP) routing information, wherein the BGP routing information comprises a target routing prefix;
a second obtaining module, configured to obtain, based on the target routing prefix, an area identifier of an area to which the target routing prefix actually belongs; and
a verification module, configured to verify the BGP routing information based on the target routing prefix and the area identifier of the area to which the target routing prefix actually belongs.
26. The apparatus of claim 25, wherein the verification module comprises:
a determining submodule, configured to determine a first entry from a stored route origin validation (ROA) database; and
a verification submodule, configured to verify the BGP routing information based on the first entry and the area identifier of the area to which the target routing prefix actually belongs.
27. The apparatus of claim 26, wherein the determining submodule is specifically configured to:
determine, from the ROA database, the first entry that matches the target routing prefix, wherein the ROA database is used to store a correspondence between routing prefixes and area identifiers.
28. The apparatus of claim 26, wherein the BGP routing information further comprises a target origin autonomous system (AS) number; and
the determining submodule is specifically configured to:
determine, from the ROA database, the first entry that matches the target origin AS number and the target routing prefix, wherein the ROA database is used to store a correspondence between origin AS numbers, routing prefixes, and area identifiers.
29. The apparatus of any one of claims 26 to 28, wherein the verification submodule is configured to:
when the area identifier in the first entry is not empty, if the area identifier in the first entry is the same as the area identifier of the area to which the target routing prefix actually belongs, determine that the BGP routing information passes verification.
30. The apparatus of any one of claims 26 to 28, wherein the verification submodule is specifically configured to:
when the area identifier in the first entry is not empty, if the area identifier in the first entry is a specific identifier, determine that the BGP routing information passes verification.
31. The apparatus of any one of claims 26 to 28, wherein the verification submodule is configured to:
when the area identifier in the first entry is empty, determine that the BGP routing information passes verification.
32. The apparatus of claim 27, wherein the verification module further comprises:
a first obtaining submodule, configured to obtain the target routing prefix and target area indication information from a server, wherein the target area indication information comprises an area identifier or indication information used to indicate that the target routing prefix is applicable to any area; and
a first creating submodule, configured to create the first entry in the ROA database based on the target routing prefix and the target area indication information.
33. The apparatus of claim 32, wherein the first obtaining submodule is specifically configured to:
receive a message from the server, wherein the message carries the target routing prefix and the target area indication information.
34. The apparatus of claim 32, wherein the first obtaining submodule is specifically configured to:
receive a message from the server, wherein the message carries the target routing prefix;
send a request message to the server, wherein the request message carries the target routing prefix; and
receive the target area indication information sent by the server.
35. The apparatus of claim 28, wherein the verification module further comprises:
a second obtaining submodule, configured to obtain, from a server, the target origin AS number, the target routing prefix, and target area indication information, wherein the target area indication information comprises an area identifier or indication information used to indicate that the target routing prefix is applicable to any area; and
a second creating submodule, configured to create the first entry in the ROA database based on the target origin AS number, the target routing prefix, and the target area indication information.
36. The apparatus of claim 35, wherein the second obtaining submodule is specifically configured to:
receive a message from the server, wherein the message carries the target origin AS number, the target routing prefix and the target area indication information.
37. The apparatus of claim 35, wherein the second obtaining submodule is specifically configured to:
receive a message from the server, wherein the message carries the target origin AS number and the target routing prefix;
send a request message to the server, wherein the request message carries the target routing prefix; and
receive the target area indication information sent by the server.
38. An apparatus for data transmission, the apparatus comprising:
a first obtaining module, configured to obtain a target routing prefix and target area indication information, where the target area indication information includes an area identifier or indication information used to indicate that the target routing prefix is applicable to any area;
and the sending module is used for sending the target routing prefix and the target area indication information to a first network device, wherein the first network device refers to any network device in a network based on a Border Gateway Protocol (BGP).
39. The apparatus of claim 38, wherein the sending module is specifically configured to:
and sending a message to the first network equipment, wherein the message carries the target routing prefix and the target area indication information.
40. The apparatus of claim 38, wherein the sending module is specifically configured to:
sending a message to the first network equipment, wherein the message carries the target routing prefix;
receiving a request message sent by the first network device, wherein the request message carries the target routing prefix;
based on the target routing prefix, acquiring the target area indication information from the corresponding relation between the stored routing prefix and the area indication information;
and sending the target area indication information to the first network equipment.
41. The apparatus of claim 38, further comprising:
a second obtaining module, configured to obtain a target origin autonomous system (AS) number;
wherein the sending module is specifically configured to:
send the target origin AS number, the target routing prefix and the target area indication information to the first network device.
42. The apparatus of claim 41, wherein the sending module is specifically configured to:
send a message to the first network device, wherein the message carries the target origin AS number, the target routing prefix and the target area indication information.
43. The apparatus of claim 41, wherein the sending module is specifically configured to:
send a message to the first network device, wherein the message carries the target origin AS number and the target routing prefix;
receive a request message sent by the first network device, wherein the request message carries the target routing prefix;
obtain, based on the target routing prefix, the target area indication information from a stored correspondence between routing prefixes and area indication information; and
send the target area indication information to the first network device.
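The exchange in claims 38 to 43, modelled as an added example (this is illustration code written for this page, not the patent's own implementation). The server holds the stored correspondence between routing prefixes and area indication information and can either send the origin AS number, prefix and area indication in one message (claim 42) or send only the AS number and prefix and answer a follow-up request that carries the prefix (claim 43, mirrored by claim 37 on the device side). The dict-based message encoding, the `any_area`/`area_id` wire fields, the exact-match lookup, the `applies_to` reading of claim 38's "applicable to any area" indicator, and the sample table with documentation prefixes and AS numbers are all assumptions of this example.

```python
"""Model of the prefix / area-indication exchange of claims 38-43.
Added illustration, not the patent's code: message formats, the lookup
strategy and the sample data below are assumptions."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AreaIndication:
    """Target area indication information (claim 38): a specific area
    identifier, or the any-area indicator (modelled as area_id=None)."""
    area_id: str | None = None

    @property
    def any_area(self) -> bool:
        return self.area_id is None

    def applies_to(self, area_id: str) -> bool:
        """Any-area prefixes apply everywhere; otherwise identifiers must match."""
        return self.any_area or self.area_id == area_id

    def encode(self) -> dict:
        # Wire encoding is an assumption of this example.
        return {"any_area": True} if self.any_area else {"area_id": self.area_id}

    @classmethod
    def decode(cls, obj: dict) -> "AreaIndication":
        if obj.get("any_area") is True:
            return cls(None)
        area_id = obj.get("area_id")
        if not isinstance(area_id, str) or not area_id:
            raise ValueError("malformed area indication")
        return cls(area_id)


def canonical_prefix(prefix: str) -> str:
    """Normalise a prefix; strict=True rejects prefixes with host bits set."""
    return str(ipaddress.ip_network(prefix, strict=True))


class Server:
    """Holds the stored correspondence prefix -> area indication (claims 40, 43)."""

    def __init__(self, table: dict[str, AreaIndication]):
        self._table = {canonical_prefix(p): a for p, a in table.items()}

    def lookup(self, prefix: str) -> AreaIndication | None:
        try:
            return self._table.get(canonical_prefix(prefix))
        except ValueError:  # unparsable prefix: nothing can be stored for it
            return None

    def build_message(self, origin_as: int, prefix: str, with_area: bool) -> dict:
        """with_area=True: claim 42 (all three items); False: claim 43 step 1."""
        msg = {"type": "message", "origin_as": origin_as, "prefix": canonical_prefix(prefix)}
        if with_area:
            area = self.lookup(prefix)
            if area is None:
                raise KeyError(f"no area indication stored for {prefix}")
            msg["area"] = area.encode()
        return msg

    def handle_request(self, request: dict) -> dict:
        """Claim 43 steps 2-4: the request carries the prefix; answer from the store."""
        prefix = request.get("prefix")
        area = self.lookup(prefix) if isinstance(prefix, str) else None
        if area is None:
            return {"type": "response", "prefix": prefix, "status": "unknown"}
        return {"type": "response", "prefix": canonical_prefix(prefix),
                "status": "ok", "area": area.encode()}


class NetworkDevice:
    """The first network device of claim 38; obtains the area indication from
    the message itself, or requests it by prefix (claim 37)."""

    def __init__(self, server: Server):
        self._server = server
        self.entries: dict[str, tuple[int, AreaIndication]] = {}

    def receive(self, msg: dict) -> AreaIndication | None:
        prefix = canonical_prefix(msg["prefix"])
        if "area" in msg:
            area = AreaIndication.decode(msg["area"])
        else:
            resp = self._server.handle_request({"type": "request", "prefix": prefix})
            if resp.get("status") != "ok":
                return None  # keep no entry that could not be completed
            area = AreaIndication.decode(resp["area"])
        self.entries[prefix] = (int(msg["origin_as"]), area)
        return area

    def prefix_applies_to_area(self, prefix: str, area_id: str) -> bool | None:
        """None when nothing is known for the prefix, else the claim 38 test."""
        entry = self.entries.get(canonical_prefix(prefix))
        return None if entry is None else entry[1].applies_to(area_id)


# Constructed sample table (not from the patent); documentation prefixes and ASNs.
SAMPLE_TABLE = {
    "192.0.2.0/24": AreaIndication("area-1"),
    "198.51.100.0/24": AreaIndication(None),  # applicable to any area
    "2001:db8::/32": AreaIndication("area-2"),
}


def demo() -> dict:
    """Run the claim 42 and claim 43 exchanges against the sample table."""
    server = Server(SAMPLE_TABLE)
    dev = NetworkDevice(server)
    one_shot = dev.receive(server.build_message(64496, "192.0.2.0/24", with_area=True))
    two_step = dev.receive(server.build_message(64497, "198.51.100.0/24", with_area=False))
    unknown = dev.receive({"type": "message", "origin_as": 64498, "prefix": "203.0.113.0/24"})
    return {"one_shot": one_shot, "two_step": two_step, "unknown": unknown,
            "known_prefixes": sorted(dev.entries)}


if __name__ == "__main__":
    print(demo())
```

The device deliberately installs no entry when the server reports nothing stored for the prefix, so a later check returns "unknown" (`None`) rather than silently treating the prefix as valid for any area; prefixes with host bits set are rejected at both the store and the lookup so a malformed prefix cannot match anything.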
44. A network device, comprising a memory and a processor;
wherein the memory is configured to store a computer program, instructions or code, and the processor is configured to execute the computer program, instructions or code stored in the memory to implement the route verification method according to any one of claims 1 to 18.
45. A server, comprising a memory and a processor;
wherein the memory is configured to store a computer program, instructions or code, and the processor is configured to execute the computer program, instructions or code stored in the memory to implement the data transmission method according to any one of claims 19 to 24.
46. A computer-readable storage medium having instructions stored therein which, when executed on a computer, cause the computer to perform the steps of the method according to any one of claims 1 to 24.
Priority Applications (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/CN2022/082176 WO2022199566A1 (en) | 2021-03-25 | 2022-03-22 | Routing verification method, apparatus and device, data sending method, apparatus and device, and storage medium |
| EP22774222.8A EP4293961A4 (en) | 2021-03-25 | 2022-03-22 | ROUTING VERIFICATION METHOD, APPARATUS AND DEVICE, DATA TRANSMISSION METHOD, APPARATUS AND DEVICE AND STORAGE MEDIUM |
| US18/471,700 US20240022602A1 (en) | 2021-03-25 | 2023-09-21 | Method and Apparatus for Route Verification and Data Sending, Device, and Storage Medium |
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110316535X | 2021-03-25 | ||
| CN202110316535 | 2021-03-25 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115208600A true CN115208600A (en) | 2022-10-18 |
Family
ID=83573938
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110614675.5A Pending CN115208600A (en) | 2021-03-25 | 2021-06-02 | Method, device, equipment and storage medium for route verification and data transmission |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115208600A (en) |
- 2021-06-02 CN CN202110614675.5A patent/CN115208600A/en active Pending
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116527294A (en) * | 2022-12-01 | 2023-08-01 | 北京网太科技发展有限公司 (Beijing Wangtai Technology Development Co., Ltd.) | Method, device, equipment and medium for intercepting route prefix of border gateway protocol |
| WO2024234907A1 (en) * | 2023-05-18 | 2024-11-21 | 华为技术有限公司 (Huawei Technologies Co., Ltd.) | Source address validation table entry acquisition method and apparatus |
| CN118337468A (en) * | 2024-04-26 | 2024-07-12 | 泉城省实验室 (Quancheng Provincial Laboratory) | Network attack dynamic tracing method based on RPKI trusted routing issuing system |
| CN118337468B (en) * | 2024-04-26 | 2024-11-08 | 泉城省实验室 (Quancheng Provincial Laboratory) | A network attack dynamic tracing method based on RPKI trusted routing issuance system |
| CN119109672A (en) * | 2024-09-13 | 2024-12-10 | 中国联合网络通信集团有限公司 (China United Network Communications Group Co., Ltd.) | Message sending method, device and storage medium based on routing security verification |
| CN120151264A (en) * | 2025-03-26 | 2025-06-13 | 中国人民解放军61516部队 (PLA Unit 61516) | Border Gateway Protocol VPN routing source verification device and method |
Similar Documents
| Publication | Title |
|---|---|
| CN115208600A (en) | Method, device, equipment and storage medium for route verification and data transmission |
| US7167922B2 (en) | Method and apparatus for providing automatic ingress filtering |
| CN114389994B (en) | Routing processing method and network equipment |
| CN1949779B (en) | Checking for spoofed labels within a label switching computer network |
| CN110855565A (en) | A verifiable inter-domain routing verification method based on blockchain |
| CN112398741B (en) | Method for learning route, method for forwarding message, device and storage medium |
| CN101741855B (en) | Maintenance method of address resolution protocol cache list and network equipment |
| US20230396624A1 (en) | Extending border gateway protocol (bgp) flowspec origination authorization using path attributes |
| CN101917434A (en) | Method for Intra-Domain IP Source Address Verification |
| US20240137338A1 (en) | Border gateway protocol (bgp) flowspec origination authorization using route origin authorization (roa) |
| CN116436648A (en) | A verification information sending method, verification entry acquisition method, device and equipment |
| CN107690004A (en) | The processing method and processing device of address analysis protocol message |
| CN1938982A (en) | Method and apparatus for preventing network attacks by authenticating internet control message protocol packets |
| US10027622B2 (en) | Recovering lost device information in cable networks |
| CN118802247A (en) | A verification information sending method, verification table item obtaining method, device and equipment |
| WO2011082583A1 (en) | Implementation method, network, terminal and interworking node for data packets classification processing |
| US20240022602A1 (en) | Method and Apparatus for Route Verification and Data Sending, Device, and Storage Medium |
| US11799756B2 (en) | Route learning method, packet forwarding method and device, and storage medium |
| CN112769694B (en) | Address checking method and device |
| CN113872861B (en) | A method for generating an entry, a method and a device for sending a message |
| CN116866002A (en) | A method, device and equipment for verifying AS pairs |
| CN116866055B (en) | Method, device, equipment and medium for defending data flooding attack |
| US20060225141A1 (en) | Unauthorized access searching method and device |
| WO2024193420A1 (en) | Validation information sending method and apparatus, validation table entry acquisition method and apparatus, and device |
| Bi et al. | An IPv6 Test-Bed Implementation for a Future Source Address Validation Architecture |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |