[go: up one dir, main page]

CN1921394A - Actual IPv6 source address verification method based on autonomy system interconnecting relation - Google Patents

Actual IPv6 source address verification method based on autonomy system interconnecting relation Download PDF

Info

Publication number
CN1921394A
CN1921394A CN 200610113189 CN200610113189A CN1921394A CN 1921394 A CN1921394 A CN 1921394A CN 200610113189 CN200610113189 CN 200610113189 CN 200610113189 A CN200610113189 A CN 200610113189A CN 1921394 A CN1921394 A CN 1921394A
Authority
CN
China
Prior art keywords
autonomous system
engine
autonomous
address
proof rule
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN 200610113189
Other languages
Chinese (zh)
Other versions
CN100483997C (en
Inventor
吴建平
任罡
毕军
段海新
徐恪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tsinghua University
Original Assignee
Tsinghua University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tsinghua University filed Critical Tsinghua University
Priority to CNB2006101131890A priority Critical patent/CN100483997C/en
Publication of CN1921394A publication Critical patent/CN1921394A/en
Application granted granted Critical
Publication of CN100483997C publication Critical patent/CN100483997C/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

本发明属于互联网技术领域,是一种基于自治系统互联关系的IPv6网络下真实源地址验证方法。本发明的特征在于:所述方法是在由验证规则生成引擎、验证引擎和自治系统号到IPv6地址前缀映射服务器组成的系统上实现的,利用自治系统互联关系,在自治系统边界路由器上生成和每一个路由器接口关联的真实IPv6源地址验证规则表,并利用其在自治系统边界路由器上对伪造IPv6源地址的的分组进行验证检查。该方法配置简单,可以在分组转发的过程中实时验证分组源IP地址的真实性,便于运营商部署,并且适用于复杂拓扑结构下的IPv6网络。

Figure 200610113189

The invention belongs to the technical field of the Internet, and relates to a method for verifying a real source address in an IPv6 network based on an autonomous system interconnection relationship. The present invention is characterized in that: the method is implemented on a system composed of a verification rule generation engine, a verification engine and an autonomous system number to an IPv6 address prefix mapping server, using the interconnection relationship of the autonomous system to generate and The real IPv6 source address verification rule table associated with each router interface is used to verify and check packets with forged IPv6 source addresses on the autonomous system border router. The method is simple to configure, can verify the authenticity of the packet source IP address in real time during packet forwarding, is convenient for operators to deploy, and is suitable for IPv6 networks under complex topological structures.

Figure 200610113189

Description

基于自治系统互联关系的真实IPv6源地址验证方法Real IPv6 Source Address Verification Method Based on Autonomous System Interconnection

技术领域technical field

基于自治系统互联关系的真实IPv6源地址验证方法属于互联网技术领域,尤其涉及IPv6网络下自治系统间的真实源地址验证技术。A real IPv6 source address verification method based on autonomous system interconnection relationship belongs to the technical field of the Internet, and in particular relates to a real source address verification technology between autonomous systems under an IPv6 network.

背景技术Background technique

现有互联网的路由转发基于目的IP地址,对于转发分组的源IP地址不做检查,这使得伪造源地址的分组难以追踪,伪造源地址的攻击轻易而频繁。实现真实IP源地址验证,确保网络中每一台主机都使用合法的真实IP地址来访问网络,可以带来以下好处:首先,互联网中的流量更加容易追踪,伪造源地址的攻击易于控制;第二,网络精细管理和基于用户地址的计费可以更加方便的实现;第三,身份认证可以基于真实IP地址得到简化。The routing and forwarding of the existing Internet is based on the destination IP address, and the source IP address of the forwarded packet is not checked, which makes it difficult to trace the packet with forged source address, and the attack of forged source address is easy and frequent. Realizing the verification of the real IP source address and ensuring that each host in the network uses a legitimate real IP address to access the network can bring the following benefits: first, the traffic on the Internet is easier to track, and the attack of forged source address is easy to control; second Second, fine network management and billing based on user addresses can be realized more conveniently; third, identity authentication can be simplified based on real IP addresses.

现有源地址验证方案可以分为加密认证方法,基于事前预防的过滤验证方法和基于事后追查的回溯方法三类。加密认证方法增加了独立的密钥分发和管理开销,基于事后追查的回溯方法所采用的回溯算法复杂,并且是事后措施,而基于事前预防的过滤验证方法可以实时的在分组转发过程中对真实地址进行验证,在实际应用中最为合理。Existing source address verification schemes can be divided into three categories: encryption authentication methods, pre-prevention-based filtering verification methods, and post-tracing-based backtracking methods. The encryption authentication method increases independent key distribution and management overhead. The backtracking algorithm adopted by the backtracking method based on post-event tracing is complex and is an after-event measure, while the filtering verification method based on pre-prevention can real-time in the process of packet forwarding. Address verification is the most reasonable in practical applications.

互联网由很多自治系统组成,各个自治系统决定自己的路由策略和管理机制,各个自治系统有自己的地址前缀范围,负责管理该地址前缀范围的管理和使用。自治系统间的真实IP源地址验证是一个非常重要的问题,它的目标是确保在网络中的分组应该来自拥有该分组源地址所有权的自治系统。The Internet is composed of many autonomous systems. Each autonomous system determines its own routing strategy and management mechanism. Each autonomous system has its own address prefix range and is responsible for managing the management and use of the address prefix range. Verification of real IP source addresses between autonomous systems is a very important issue, and its goal is to ensure that packets in the network should come from the autonomous system that owns the source address of the packet.

本发明采用事前预防的过滤验证策略,是一种基于自治系统互联关系的自治系统间真实IPv6源地址验证方法。该方法具有配置简单和可以在分组转发的过程中实时验证分组源IP地址的真实性的特点,便于运营商部署,适用于复杂拓扑结构下的IPv6网络,实现自治系统间的真实IP地址访问,为可信任的下一代互联网安全服务和应用提供支持,是高可信下一代互联网整体技术框架中的重要组成部分。The present invention adopts a pre-preventive filtering and verification strategy, and is a method for verifying real IPv6 source addresses between autonomous systems based on the interconnection relationship of the autonomous systems. This method has the characteristics of simple configuration and real-time verification of the authenticity of the source IP address of the packet during the packet forwarding process, which is convenient for operators to deploy, and is suitable for IPv6 networks under complex topological structures, and realizes real IP address access between autonomous systems. Providing support for trusted next-generation Internet security services and applications is an important part of the overall technical framework of the highly reliable next-generation Internet.

发明内容Contents of the invention

本发明的目的在于提供一种IPv6网络上基于自治系统互联关系的真实源地址验证方法。The purpose of the present invention is to provide a real source address verification method based on autonomous system interconnection relationship on IPv6 network.

本发明所提出的方法的思路在于利用自治系统互联关系,在自治系统边界路由器上生成和每一个路由器接口关联的真实IPv6源地址验证规则表,并利用其在自治系统边界路由器上对伪造IPv6源地址的的分组进行验证检查。The idea of the method proposed by the present invention is to use the interconnection relationship of the autonomous system to generate a real IPv6 source address verification rule table associated with each router interface on the autonomous system boundary router, and use it to verify the fake IPv6 source address on the autonomous system boundary router. The grouping of addresses is checked for validation.

本发明的特征在于所述方法是在由验证规则生成引擎、验证引擎和自治系统号到IPv6地址前缀映射服务器组成的系统中依次按以下步骤实现:The present invention is characterized in that described method is to realize by the following steps successively in the system that is made up of verification rule generation engine, verification engine and autonomous system number to IPv6 address prefix mapping server:

步骤(1),每个自治系统有一个专用服务器,称为验证规则生成引擎,其上拥有两个数据表,一个是与该自治系统相邻接的自治系统列表,一个是该自治系统所拥有的验证引擎的IP地址列表,每个自治系统的验证规则生成引擎初始化,读邻接自治系统表和本自治系统的验证引擎表,分别与邻接自治系统的验证规则生成引擎和本自治系统的各个验证引擎建立TCP连接;Step (1), each autonomous system has a dedicated server, called the verification rule generation engine, which has two data tables, one is the list of autonomous systems adjacent to the autonomous system, and the other is the list of autonomous systems owned by the autonomous system. The IP address list of the verification engine of the autonomous system, the verification rule generation engine initialization of each autonomous system, read the adjacent autonomous system table and the verification engine table of the autonomous system, and respectively communicate with the verification rule generation engine of the adjacent autonomous system and each verification rule of the autonomous system The engine establishes a TCP connection;

步骤(2),各个自治系统的验证规则生成引擎生成验证规则更新,目的是把该自治系统的源地址空间信息发给邻居,这一信息用自治系统号表示;Step (2), the verification rule generation engine of each autonomous system generates a verification rule update, the purpose is to send the source address space information of the autonomous system to the neighbor, and this information is represented by the autonomous system number;

步骤(3),一个自治系统的验证规则生成引擎收到来自邻居自治系统的验证规则生成引擎发来的更新,查导出规则表来判断是否接受这一地址空间和判断是否将其转发给其他邻居自治系统,这里导出规则表按照如下规则确定是否将自己所收到的来自其他自治系统的合法真实地址前缀集合向其他相邻自治系统传递:Step (3), the verification rule generation engine of an autonomous system receives the update from the verification rule generation engine of the neighbor autonomous system, checks out the rule table to judge whether to accept this address space and whether to forward it to other neighbors For the autonomous system, the rule table is exported here to determine whether to pass the set of legal real address prefixes it receives from other autonomous systems to other adjacent autonomous systems according to the following rules:

其一,一个自治系统将它自己的,它客户自治系统的,以及它兄弟自治系统的真实地址空间集合传递给它的服务者自治系统和对等互联自治系统;First, an AS transmits the set of real address spaces of its own, its client AS, and its sibling AS to its server AS and peer AS;

其二,一个自治系统将它自己的,它客户自治系统的,它兄弟自治系统的,它服务者自治系统的,它对等互联自治系统的真实地址空间集合传递给它的客户自治系统和兄弟自治系统;Second, an AS transmits the set of real address spaces of its own, its client AS, its sibling AS, its server AS, and its peer AS to its client AS and siblings autonomous system;

步骤(4),如果这一次的验证规则更新被该自治系统的验证规则生成引擎接受,查自治系统号到IPv6地址前缀映射表,将以自治系统号形式表达的验证规则转换为以IPv6地址前缀形式表达的验证规则;Step (4), if the verification rule update this time is accepted by the verification rule generation engine of the autonomous system, check the autonomous system number to IPv6 address prefix mapping table, and convert the verification rule expressed in the form of autonomous system number into IPv6 address prefix Validation rules for formal expressions;

步骤(5),该验证规则生成引擎将新生成的以IPv6地址前缀形式表示的验证规则下装到本自治系统的各个边界路由器上的验证引擎;Step (5), this verification rule generation engine downloads the verification rule represented by the IPv6 address prefix form newly generated to the verification engine on each border router of this autonomous system;

步骤(6),该自治系统边界路由器上的验证引擎利用生成的验证规则验证检查转发的IP分组是否具有真实地址,如果真实则转发分组,如果不真实则丢弃分组。Step (6), the verification engine on the autonomous system border router utilizes the generated verification rules to verify and check whether the forwarded IP packet has a real address, if true then forward the packet, if not true then discard the packet.

本发明所提出的基于自治系统互联关系的IPv6网络下自治系统间真实源地址验证方法,具有配置简单和可以在分组转发的过程中实时验证分组源IP地址的真实性的特点,便于运营商部署,适用于复杂拓扑结构下的IPv6网络,目前清华大学已经将该项研究成果运用在下一代互联网实验床和CNGI-CERNET2上,以此为基础,构建可信任下一代互联网。我们计划在下一代网络建设中,进一步验证推广本发明。The authentic source address verification method between autonomous systems under the IPv6 network based on the interconnection of autonomous systems proposed by the present invention has the characteristics of simple configuration and can verify the authenticity of the packet source IP address in real time during the packet forwarding process, which is convenient for operators to deploy , suitable for IPv6 networks under complex topological structures. At present, Tsinghua University has applied this research result to the next-generation Internet test bed and CNGI-CERNET2, and based on this, builds a trustworthy next-generation Internet. We plan to further verify and promote the invention in the next generation network construction.

附图说明Description of drawings

图1.基于自治系统互联关系的真实IPv6源地址验证方法原理图;Fig. 1. Schematic diagram of a real IPv6 source address verification method based on autonomous system interconnection;

图2.基于自治系统互联关系的真实IPv6源地址验证方法导出规则表;Fig. 2. The real IPv6 source address verification method based on autonomous system interconnection derives a rule table;

图3.基于自治系统互联关系的真实IPv6源地址验证方法协议流程图;Fig. 3. protocol flowchart of the authentic IPv6 source address verification method based on autonomous system interconnection;

图4.基于自治系统互联关系的真实IPv6源地址验证方法部署实例。Figure 4. Deployment example of authentic IPv6 source address verification method based on autonomous system interconnection.

具体实施方式Detailed ways

本发明的实现系统由三个部分组成,如图1所示,验证规则生成引擎,验证引擎,和自治系统号到IPv6地址映射服务器。而验证规则的表现形式是IPv6地址前缀的集合。The realization system of the present invention is made up of three parts, as shown in Fig. 1, verification rule generation engine, verification engine, and autonomous system number to IPv6 address mapping server. The form of verification rules is a collection of IPv6 address prefixes.

●验证规则生成引擎生成验证规则,一个自治系统一台,采用Linux服务器实现;●Verification rule generation engine generates verification rules, one for each autonomous system, implemented by Linux server;

●验证引擎则利用验证规则生成引擎下装的验证规则,验证转发的IP分组的源地址的真实性,采用Linux主机模拟数据链路层设备,部署于自治系统边界路由器的每一个接口上;The verification engine uses verification rules to generate the verification rules downloaded by the engine to verify the authenticity of the source address of the forwarded IP packet, and uses Linux hosts to simulate data link layer devices and deploy them on each interface of the autonomous system border router;

●而自治系统号到IPv6地址映射服务器维护一个从自治系统号映射到属于该自治系统的一组IPv6地址前缀的目录服务。● The autonomous system number to IPv6 address mapping server maintains a directory service that maps from the autonomous system number to a set of IPv6 address prefixes belonging to the autonomous system.

依据自治系统是否提供流量穿越和自治系统与其他自治系统的连接情况,可以将自治系统划分为多连接非穿越自治系统,多连接穿越自治系统和单连接非穿越自治系统三类。According to whether the autonomous system provides traffic traversal and the connection between the autonomous system and other autonomous systems, the autonomous system can be divided into three types: multi-connection non-traversal autonomous system, multi-connection traversal autonomous system and single-connection non-traversal autonomous system.

而自治系统互联关系则具有以下四类:The autonomous system interconnection has the following four types:

●客户到服务者关系和服务者到客户关系,其中服务者自治系统为客户自治系统提供穿越服务;●Customer-to-server relationship and server-to-customer relationship, in which the server autonomous system provides traversal services for the client autonomous system;

●兄弟关系,两个自治系统互相提供穿越服务;●Brother relationship, two autonomous systems provide traversal services to each other;

●对等互联关系,两个自治系统互相提供到对方内部的访问。●Peer-to-peer interconnection relationship, two autonomous systems provide access to each other's interior.

图3指出了本发明所提出的基于自治系统互联关系的IPv6网络下自治系统间真实源地址验证方法的的具体协议交互流程。Fig. 3 points out the specific protocol interaction process of the authentic source address verification method between autonomous systems under the IPv6 network based on the interconnection of autonomous systems proposed by the present invention.

首先,每个自治系统的验证规则生成引擎初始化,读邻接自治系统表和本自治系统的验证引擎表,分别与邻接自治系统的验证规则生成引擎和本自治系统的各个验证引擎建立TCP连接;First, the verification rule generation engine of each autonomous system is initialized, reads the adjacent autonomous system table and the verification engine table of this autonomous system, and establishes a TCP connection with the verification rule generation engine of the adjacent autonomous system and each verification engine of this autonomous system respectively;

然后,各个自治系统的验证规则生成引擎生成验证规则更新,目的是把该自治系统的源地址空间信息发给邻居,这一信息用自治系统号表示;Then, the verification rule generation engine of each autonomous system generates a verification rule update, the purpose is to send the source address space information of the autonomous system to the neighbor, and this information is represented by the autonomous system number;

其三,一个自治系统的验证规则生成引擎收到来自邻居自治系统的验证规则生成引擎发来的更新,查导出规则表来判断是否接受这一地址空间和判断是否将其转发给其他邻居自治系统。Third, the verification rule generation engine of an autonomous system receives the update from the verification rule generation engine of the neighbor autonomous system, checks out the rule table to judge whether to accept this address space and whether to forward it to other neighbor autonomous systems .

导出规则表,如图2所示,按照如下四条规则确定是否将自己所收到的来自其他自治系统的合法真实地址前缀集合向其他相邻自治系统传递:Export the rule table, as shown in Figure 2, determine whether to pass the legal real address prefix set received from other autonomous systems to other adjacent autonomous systems according to the following four rules:

●一个自治系统将它自己的,它客户自治系统的,以及它兄弟自治系统的真实地址空间集合传递给它的服务者自治系统;● An AS communicates to its server AS the set of real address spaces of its own, its client AS's, and its sibling ASs;

●一个自治系统将它自己的,它客户自治系统的,以及它兄弟自治系统的真实地址空间集合传递给它的对等互联自治系统;● An AS communicates to its peer AS the set of real address spaces of its own, its client AS's, and its sibling ASs;

●一个自治系统将它自己的,它客户自治系统的,它兄弟自治系统的,它服务者自治系统的,它对等互联自治系统的真实地址空间集合传递给它的客户自治系统;● An autonomous system transmits to its client autonomous system the set of real address spaces of its own, its client autonomous system, its sibling autonomous system, its server autonomous system, and its peer autonomous system;

●一个自治系统将它自己的,它客户自治系统的,它兄弟自治系统的,它服务者自治系统的,它对等互联自治系统的真实地址空间集合传递给它的兄弟自治系统。● An AS transmits to its sibling AS the set of real address spaces of its own, its client AS, its sibling AS, its server AS, and its peer AS.

其四是验证规则翻译,如果这一次的验证规则更新被该自治系统的验证规则生成引擎接受,查自治系统号到IPv6地址前缀映射表,将以自治系统号形式表达的验证规则转换为以IPv6地址前缀形式表达的验证规则;The fourth is the translation of verification rules. If the verification rule update of this time is accepted by the verification rule generation engine of the autonomous system, check the mapping table from the autonomous system number to the IPv6 address prefix, and convert the verification rule expressed in the form of the autonomous system number into IPv6 Validation rules expressed in the form of address prefixes;

最后,该验证规则生成引擎将新生成的以IPv6地址前缀形式表示的验证规则下装到本自治系统的各个边界路由器上的验证引擎;Finally, the verification rule generation engine downloads the newly generated verification rules expressed in the form of IPv6 address prefixes to the verification engines on each border router of the autonomous system;

当分组流通过自治系统的边界路由器时,变该自治系统边界路由器上的验证引擎利用生成的验证规则验证检查转发的IP分组是否具有真实地址,如果真实则转发分组,如果不真实则丢弃分组。When the packet flow passes through the border router of the autonomous system, the verification engine on the border router of the autonomous system uses the generated verification rules to verify and check whether the forwarded IP packet has a real address, if it is true, the packet is forwarded, and if it is not true, the packet is discarded.

具体的实验环境见图4,我们在实验环境中模拟了四个自治系统。各自治系统全部部署了本方案。从自治系统4发送伪造分组给自治系统1的时候,可以看到伪造源地址的分组在自治系统1的边界就被验证规则检查然后丢弃了。而当我们从自治系统2发送源地址真实的分组到自治系统3的时候,可以看到分组正常通过。The specific experimental environment is shown in Figure 4. We simulated four autonomous systems in the experimental environment. All autonomous systems have deployed this solution. When a forged packet is sent from AS 4 to AS 1, it can be seen that the packet with the forged source address is checked by the verification rules at the boundary of AS 1 and discarded. And when we send packets with the real source address from AS 2 to AS 3, we can see that the packets pass through normally.

实验证明,本发明配置简单,可以在分组转发的过程中实时验证分组源IP地址的真实性,而且便于运营商部署。Experiments prove that the present invention is simple in configuration, can verify the authenticity of the packet source IP address in real time during packet forwarding, and is convenient for operators to deploy.

Claims (1)

1. be characterised in that based on the real IPv 6 source address verification method of autonomy system interconnecting relation described method is to be generated engine, validation engine and autonomous system number realization according to the following steps successively in the system that IPv6 address prefix mapping server is formed by proof rule:
Step (1), each autonomous system has a private server, be called proof rule and generate engine, have two tables of data on it, one is the autonomous system tabulation adjacent with this autonomous system, one is the IP address list of the validation engine that has of this autonomous system, the proof rule of each autonomous system generates the engine initialization, read validation engine table, set up TCP with each validation engine that the proof rule of adjacency autonomous system generates engine and this autonomous system respectively and be connected in abutting connection with autonomous system table and this autonomous system;
Step (2), the proof rule of each autonomous system generate engine and generate proof rule and upgrade, and purpose is that the source address spatial information of this autonomous system is issued neighbours, and this information number is represented with autonomous system;
Step (3), the proof rule of an autonomous system generates engine and receives that the proof rule from neighbor autonomous system generates the renewal that engine is sent, look into the derived rule table and judge whether to accept this address space and judge whether it is transmitted to other neighbor autonomous system, here the derived rule table according to following rule determine whether with own received from the legal true address prefix sets of other autonomous systems to other adjacent autonomous system transmission:
One, autonomous system with it, its client's autonomous system, and the actual IPv 6 address prefix spatial aggregation of its fraternal autonomous system passes to its server's autonomous system and reciprocity interconnected autonomous system;
Its two, autonomous systems with it, its client's autonomous system, its fraternal autonomous system, its server's autonomous system, the set of the real address space of its reciprocity interconnected autonomous system passes to its client's autonomous system and fraternal autonomous system;
Step (4), if upgrading by the proof rule of this autonomous system, proof rule this time generates engine acceptance, look into autonomous system number to IPv6 address prefix mapping server, will be converted to proof rule with the proof rule of autonomous system formal representation with IPv6 address prefix formal representation;
Step (5), this proof rule generate engine with the validation engine that installs under the newly-generated proof rule of representing with IPv6 address prefix form on each border router of this autonomous system;
Step (6), the proof rule checking that validation engine utilization on this Autonomous System Boundary Router, AS Boundary Router generates check whether the IP grouping of transmitting has true address, if truly then transmit grouping, if untrue then abandon grouping.
CNB2006101131890A 2006-09-19 2006-09-19 Actual IPv6 source address verification method based on autonomy system interconnecting relation Expired - Fee Related CN100483997C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2006101131890A CN100483997C (en) 2006-09-19 2006-09-19 Actual IPv6 source address verification method based on autonomy system interconnecting relation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2006101131890A CN100483997C (en) 2006-09-19 2006-09-19 Actual IPv6 source address verification method based on autonomy system interconnecting relation

Publications (2)

Publication Number Publication Date
CN1921394A true CN1921394A (en) 2007-02-28
CN100483997C CN100483997C (en) 2009-04-29

Family

ID=37778979

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2006101131890A Expired - Fee Related CN100483997C (en) 2006-09-19 2006-09-19 Actual IPv6 source address verification method based on autonomy system interconnecting relation

Country Status (1)

Country Link
CN (1) CN100483997C (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010022535A1 (en) * 2008-08-26 2010-03-04 上海贝尔股份有限公司 Method and device for transferring packet in ipv6 access node
CN101170564B (en) * 2007-11-30 2010-08-11 清华大学 A method for preventing IP source address forgery with end-to-end automatic synchronization
CN101902474A (en) * 2010-07-21 2010-12-01 清华大学 Verification method of IPv6 real source address between autonomous domains based on label replacement
CN101374159B (en) * 2008-10-08 2012-05-23 中国科学院计算技术研究所 P2P network trusted control method and system
CN110493367A (en) * 2019-08-20 2019-11-22 清华大学 Addressless IPv6 non-public server, client and communication method
CN111147380A (en) * 2018-11-02 2020-05-12 华为技术有限公司 Routing processing method and network equipment
CN111211976A (en) * 2020-03-02 2020-05-29 清华大学 BGP routing information verification method and device
CN112003959A (en) * 2020-07-13 2020-11-27 互联网域名系统北京市工程研究中心有限公司 Automatic issuing method and device for route origin authorization
CN112929269A (en) * 2021-03-09 2021-06-08 清华大学 Distributed generation method and device for source address verification table between internet domains
CN112929279A (en) * 2021-03-09 2021-06-08 清华大学 Distributed generation method and device for source address verification table in internet domain
CN113810354A (en) * 2020-09-08 2021-12-17 北京航空航天大学 Data authentication method and device for autonomous system
WO2024193420A1 (en) * 2023-03-17 2024-09-26 华为技术有限公司 Validation information sending method and apparatus, validation table entry acquisition method and apparatus, and device

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TW201611555A (en) * 2014-09-15 2016-03-16 Chunghwa Telecom Co Ltd Automatic packet characteristic analysis system for use in IPv6 (Internet protocol version 6) test and method thereof

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101170564B (en) * 2007-11-30 2010-08-11 清华大学 A method for preventing IP source address forgery with end-to-end automatic synchronization
US8509153B2 (en) 2008-08-26 2013-08-13 Alcatel Lucent Method and apparatus for forwarding packets in IPV6 access code
CN101971569B (en) * 2008-08-26 2013-12-25 上海贝尔股份有限公司 Method and device for transferring packet in IPV6 access node
US9391894B2 (en) 2008-08-26 2016-07-12 Alcatel Lucent Method and apparatus for forwarding packets in IPV6 access node
WO2010022535A1 (en) * 2008-08-26 2010-03-04 上海贝尔股份有限公司 Method and device for transferring packet in ipv6 access node
CN101374159B (en) * 2008-10-08 2012-05-23 中国科学院计算技术研究所 P2P network trusted control method and system
CN101902474A (en) * 2010-07-21 2010-12-01 清华大学 Verification method of IPv6 real source address between autonomous domains based on label replacement
CN101902474B (en) * 2010-07-21 2012-11-14 清华大学 Label replacement based verification method of IPv6 true source address between every two autonomous domains
US11863447B2 (en) 2018-11-02 2024-01-02 Huawei Technologies Co., Ltd. Route processing method and network device
CN111147380A (en) * 2018-11-02 2020-05-12 华为技术有限公司 Routing processing method and network equipment
CN110493367A (en) * 2019-08-20 2019-11-22 清华大学 Addressless IPv6 non-public server, client and communication method
CN110493367B (en) * 2019-08-20 2020-07-28 清华大学 Address-free IPv6 non-public server, client and communication method
CN111211976A (en) * 2020-03-02 2020-05-29 清华大学 BGP routing information verification method and device
CN111211976B (en) * 2020-03-02 2021-03-19 清华大学 BGP routing information verification method and device
CN112003959B (en) * 2020-07-13 2023-06-16 深圳网基科技有限公司 Automatic issuing method and device for route origin authorization
CN112003959A (en) * 2020-07-13 2020-11-27 互联网域名系统北京市工程研究中心有限公司 Automatic issuing method and device for route origin authorization
CN113810354A (en) * 2020-09-08 2021-12-17 北京航空航天大学 Data authentication method and device for autonomous system
CN112929269A (en) * 2021-03-09 2021-06-08 清华大学 Distributed generation method and device for source address verification table between internet domains
CN112929279A (en) * 2021-03-09 2021-06-08 清华大学 Distributed generation method and device for source address verification table in internet domain
CN112929269B (en) * 2021-03-09 2021-10-26 清华大学 Distributed generation method and device for source address verification table between internet domains
CN112929279B (en) * 2021-03-09 2021-11-30 清华大学 Distributed generation method and device for source address verification table in internet domain
WO2024193420A1 (en) * 2023-03-17 2024-09-26 华为技术有限公司 Validation information sending method and apparatus, validation table entry acquisition method and apparatus, and device

Also Published As

Publication number Publication date
CN100483997C (en) 2009-04-29

Similar Documents

Publication Publication Date Title
CN1921394A (en) Actual IPv6 source address verification method based on autonomy system interconnecting relation
CN110945853B (en) Method for generating and managing multimode identification network based on alliance chain voting consensus algorithm
US8281023B2 (en) Systems and methods for data authorization in distributed storage networks
CN102045413B (en) DHT expanded DNS mapping system and method for realizing DNS security
CN101917434B (en) Method for verifying intra-domain Internet protocol (IP) source address
CN101374159B (en) P2P network trusted control method and system
CN106657144B (en) A dynamic protection path planning method based on reinforcement learning
Srinath et al. Detection and Prevention of ARP spoofing using Centralized Server
CN110753054A (en) An anonymous communication method based on SDN
CN111241549B (en) A trusted analysis method under heterogeneous identification system
Liu et al. Swarm learning and knowledge distillation empowered self-driving detection against threat behavior for intelligent IoT
Malliga et al. A hybrid scheme using packet marking and logging for IP traceback
CN108243190A (en) A trusted management method and system for network identification
CN112235336A (en) A method for active discovery of blockchain nodes based on protocol fingerprints
CN120658461A (en) Optimized node selection method based on BGP-iSec protocol part deployment scene
CN100508453C (en) A method to filter and verify open real IPv6 source address
Xu et al. NetSpirit: A smart collaborative learning framework for DDoS attack detection
CN110417758A (en) Security Neighbor Discovery Operation Mode Detection Method Based on Certificate Request
CN1741502A (en) IPv6 and IPv4 internetwork mutual communicating method based on 4over6
CN112995139B (en) Trusted network, trusted network construction method and trusted network construction system
CN113949655B (en) Network reachability solving method based on formal verification
Bao et al. Smart-pki: A blockchain-based distributed identity validation scheme for iot devices
Chen et al. Where the Sidewalk Ends: Extending theInternet AS Graph Using Traceroutesfrom P2P Users
CN115348088B (en) Communication network security encryption method
Palmieri et al. Containing large-scale worm spreading in the Internet by cooperative distribution of traffic filtering policies

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090429

Termination date: 20200919