This application relates to the communications field, and in particular, to a packet forwarding method and apparatus.
In the segment routing over internet protocol version 6 (SRv6) technology, the segment routing (SR) technology may be applied to forwarding an internet protocol version 6 (IPv6) packet.
Currently, security risks exist in forwarding a packet by using the SRv6 technology.
Embodiments of this application provide a packet forwarding method, to greatly reduce SRv6 trusted domain network resources occupied by an attack packet.
According to a first aspect, an embodiment of this application provides a packet forwarding method. The method may be performed by an edge node in an SRv6 trusted domain. When receiving an SRv6 packet from a place outside the trusted domain, the edge node in the trusted domain may verify the SRv6 packet, and forward the SRv6 packet when the SRv6 packet passes the verification. The method includes: The edge node in the trusted domain receives the first packet, where the first packet is an SRv6 packet, and a destination address of the first packet is a binding segment identifier (BSID). After receiving the first packet, the edge node in the trusted domain may verify the first packet based on the BSID in the first packet and a target field in a segment routing header (SRH) of the first packet, and discard the first packet when the first packet fails the verification. In this embodiment of this application, not only a node outside the trusted domain is required to access the trusted domain by using the BSID, but also the first packet needs to be verified with reference to the target field in the segment routing header. Compared with a solution in which the edge node in the trusted domain performs border filtering on the first packet only by using the BSID, the solution in this embodiment of this application can effectively identify an attack packet, discard, in a timely manner, a large quantity of attack packets that fail the verification, effectively reduce trusted domain network resources occupied by the attack packets, and effectively reduce security risks that are caused by forwarding a packet by using an SRv6 technology.
The SRv6 trusted domain described in this application may also be referred to as an SRv6 security domain.
In an implementation, the edge node may verify, as indicated by a control management device, the first packet based on the BSID and the target field in the SRH of the first packet. Specifically, the edge node may receive a security protection policy from the control management device, where the security protection policy indicates the edge node to verify the first packet based on the BSID and the target field in the SRH.
In an implementation, when an SRv6 packet needs to be forwarded across the trusted domain, the trusted domain may provide a BSID to indicate a forwarding path of the SRv6 packet in the trusted domain. Therefore, a next-hop SID of the BSID theoretically indicates a node outside the trusted domain that directly interacts with the trusted domain. Therefore, the target field may include the next-hop SID of the BSID. The edge node may determine, by using the next-hop SID of the BSID, whether the first packet is forwarded to a valid destination node, or the edge node may determine, by using the BSID, whether the first packet causes an attack to the trusted domain.
In an implementation, a first SID list including the BSID and N SIDs in a SID list may indicate a forwarding path of the first packet from the edge node to the destination node, or the first SID list indicates a forwarding path of the first packet from the edge node to a first node, where the first node is a node between the edge node and the destination node. Therefore, the target field may include the N SIDs in the SID list. In this way, the edge node may verify the first SID list, and forward the first packet only when it is ensured that the path indicated by the first SID list is a valid path, so that a node included on the path indicated by the SID list can avoid a network attack.
In an implementation, when a node outside the trusted domain needs to forward an SRv6 packet to the trusted domain, the trusted domain may provide a BSID to indicate a forwarding path of the SRv6 packet in the trusted domain. In this case, an SRH of the SRv6 packet does not contain a next-hop SID of the BSID. In other words, the BSID is the last SID that indicates the forwarding path of the SRv6 packet. In this case, the value of an SL field in the SRv6 packet is 0. Therefore, the target field may include the segment left SL field, to ensure that the SRv6 packet to be forwarded to the trusted domain can be normally forwarded to the trusted domain.
In an implementation, when the target field includes the next-hop SID of the BSID, in a specific implementation in which the edge node verifies the first packet based on the BSID in the first packet and the target field in the segment routing header SRH, the edge node may determine that the BSID is in the trusted domain, and determine whether the target field is in a valid network segment. A valid destination node of the first packet is located in the valid network segment. If the next-hop SID of the BSID is in the valid network segment, it indicates that a node indicated by the next-hop SID of the BSID is the valid destination node of the first packet. That is, after being forwarded through the path indicated by the BSID, the first packet is forwarded to the valid destination node of the first packet. In this case, it may be considered that the first packet passes the verification. Correspondingly, if the next-hop SID of the BSID is not in the valid network segment, it indicates that after being forwarded through the path indicated by the BSID, the first packet is not forwarded to the valid destination node of the first packet, but is forwarded to another node. In this case, the next-hop SID of the BSID may have been tampered with. Therefore, the first packet may probably to cause an attack to another node. Therefore, if the next-hop SID of the BSID is not in the valid network segment, the first packet fails the verification.
In an implementation, when an SRv6 packet is forwarded, a SID indicating a destination node of the packet may be a SID of a node, or may be a SID of a VPN instance deployed on the node. The SID of the VPN instance is referred to as a VPN SID for short. The SID list of the SRH may include both the SID of the destination node, and the VPN SID of the VPN instance deployed on the destination node. For a node, both a SID of the node and a VPN SID of the node are in a network segment indicated by a locator route of the node. The locator route of the node refers to a network segment route to which the node SID of the node belongs. Therefore, the valid network segment may be indicated by a locator route of the valid destination node. In this way, regardless of whether the next-hop SID of the BSID is the node SID or the VPN SID, whether the first packet is tampered with can be determined by using the valid network segment.
In an implementation, the valid network segment may be included by the control management device in the security protection policy and sent to the edge node.
In an implementation, the valid network segment is statically configured in the edge node.
In an implementation, when the target field includes the next-hop SID of the BSID, to avoid an attack by the first packet to the trusted domain, the edge node may determine, for example, whether the BSID is in the trusted domain. Then, the edge node determines whether the next-hop SID of the BSID is in a first network segment, where a node in the trusted domain belongs to the first network segment. If the next-hop SID of the BSID is in the first network segment, it indicates that a node indicated by the next-hop SID of the BSID is a node in the trusted domain. That is, after being forwarded through the path indicated by the BSID, the first packet does not leave the trusted domain, but continues to be forwarded in the trusted domain. In this case, the next-hop SID of the BSID may have been tampered with. Therefore, the first packet may probably cause a network attack to a node in the trusted domain. Therefore, if the next-hop SID of the BSID is in the first network segment, the first packet fails the verification. Correspondingly, if the next-hop SID of the BSID is not in the first network segment, it indicates that after being forwarded through the path indicated by the BSID, the first packet leaves the trusted domain and is forwarded to another node outside the trusted domain. In this case, it may be considered that the first packet passes the verification.
In an implementation, the first network segment may be included by the control management device in the security protection policy and sent to the edge node.
In an implementation, the first network segment is statically configured in the edge node.
In an implementation, when the target field includes the next-hop SID of the BSID, the edge node may prestore a SID list, and the SID list stored in the edge node indicates a valid path. Specifically, the edge node may prestore one or more SID lists, and one SID list indicates one valid path. The edge node may compare the first SID list with the locally stored SID lists. If the locally stored SID lists include the first SID list, it indicates that a path indicated by the first SID list is a valid path, and therefore the edge node may determine that the first packet passes the verification. On the contrary, if the locally stored SID lists do not include the first SID list, it is determined that the first packet fails the verification.
In an implementation, the SID lists stored in the edge node may be delivered by the control management device to the edge node by using the security protection policy.
In an implementation, the SID lists stored in the edge node may be statically configured in the edge node.
In an implementation, when the target field includes the next-hop SID of the BSID, the edge node may prestore several hash values. The hash values stored in the edge node are obtained by performing a hash operation on SID lists corresponding to valid paths. In this case, the edge node may perform a hash operation on the first SID list to obtain a first hash value. After obtaining the first hash value, the edge node may search the several hash values that are locally stored, to determine whether the locally stored hash values include the first hash value that is calculated. If the locally stored hash values include the first hash value, it indicates that the path indicated by the first SID list is a valid path. Therefore, it may be determined that the first packet passes the verification. On the contrary, if the locally stored hash values do not include the first hash value, it is determined that the first packet fails the verification.
In an implementation, the first packet may include a first field, and the first field may indicate a quantity of to-be-verified SIDs. After receiving the first packet, the edge node may parse the first packet to obtain the value of the first field, so as to further obtain the BSID and the N SIDs in the SRH, and verify the first packet based on the BSID and the N SIDs in the SRH.
In an implementation, when the target field includes the SL field, in a specific implementation in which the edge node verifies the first packet based on the BSID in the first packet and the target field in the segment routing header SRH, the edge node may determine that the BSID is in the trusted domain, and determine whether the value of the target field is 0. When the value of the target field is 0, it indicates that the first packet is a valid packet forwarded from a place outside the trusted domain to the trusted domain. Therefore, it may be determined that the first packet passes the verification. When the value of the target field is not 0, it may be determined that the first packet fails the verification.
In an implementation, the edge node may further receive a second packet. The second packet is similar to the first packet, the second packet is also an SRv6 packet, and a destination address of the second packet is the BSID. After receiving the second packet, the edge node may verify the second packet. Similarly as the edge node verifies the first packet, the edge node may verify the second packet based on the BSID in the second packet and a target field in an SRH of the second packet, and forward the second packet when the second packet passes the verification. During verification of the second packet, not only the BSID is verified, but also the target field is verified. Therefore, the second packet that passes the verification may be considered as a valid packet, and forwarding the second packet across the trusted domain does not bring security risks. The solution provided in this embodiment of this application can reduce security risks that are caused by forwarding a packet by using an SRv6 technology.
According to a second aspect, an embodiment of this application provides a packet forwarding method. The method includes: An edge node in a trusted domain receives a first packet, where the first packet is an SRv6 packet, and a destination address of the first packet is a binding segment identifier BSID; the edge node verifies the first packet based on the BSID in the first packet and a target field in a segment routing header SRH of the first packet; and the edge node forwards the first packet that passes the verification. In this embodiment of this application, not only a node outside the trusted domain is required to access the trusted domain by using the BSID, but also the first packet needs to be verified with reference to the target field in the segment routing header. Compared with a solution of verifying the first packet by using only the BSID, this solution considers more factors in verifying the first packet. That is, a verification standard for allowing an SRv6 packet to be forwarded across the trusted domain is stricter. Therefore, security risks that are caused by forwarding a packet by using an SRv6 technology are reduced.
According to a third aspect, an embodiment of this application provides a forwarding control method. The method includes: A control management device obtains a security protection policy, where the security protection policy indicates an edge node in a trusted domain to verify a received SRv6 packet based on a BSID and a target field in an SRH; and the control management device sends the security protection policy to the edge node in the trusted domain. In this embodiment of this application, the control management device delivers the security protection policy to indicate the edge node in the trusted domain to verify the received SRv6 packet based on the BSID and the target field in the SRH. Compared with a solution of verifying the first packet by using only the BSID, this solution considers more factors in verifying the first packet. That is, a verification standard for allowing an SRv6 packet to be forwarded across the trusted domain is stricter. Therefore, security risks that are caused by forwarding a packet by using an SRv6 technology can be reduced.
In an implementation, the control management device may send the security protection policy to the edge node in the trusted domain by using a path computation element communication protocol PCEP message. For example, a new object is extended in the PCEP message, or a new TLV field is extended in an existing object to carry the security protection policy.
In an implementation, the control management device may send the security protection policy to the edge node in the trusted domain by using a border gateway protocol BGP message. For example, an extended attribute may be added to the BGP message or a new TLV field may be extended in an existing attribute to carry the security protection policy. The existing attribute may be, for example, a border gateway protocol flow specification BGP FS attribute.
In an implementation, the control management device may send the security protection policy to the edge node in the trusted domain by using a network configuration protocol NETCONF packet.
In an implementation, the control management device may send the security protection policy to the edge node in the trusted domain by using a simple network management protocol SNMP packet.
In an implementation, the target field includes a next-hop SID of the BSID; the target field includes N SIDs in a field identifier SID list, where the first SID in the N SIDs is the next-hop SID of the BSID, and N is greater than or equal to 1; or the target field includes a segment left SL field.
In an implementation, when N is greater than 1, the N SIDs are N continuous SIDs in the SID list.
In an implementation, if the target field includes the next-hop SID of the BSID, the security protection policy carries a valid BSID and a valid network segment in the trusted domain.
In an implementation, the valid BSID and the valid network segment in the trusted domain may be carried in an extended attribute of the BGP FS. For example, the valid BSID in the trusted domain is carried in an extended attribute type 17 of the BGP FS, and the valid network segment is carried in an extended attribute type 18 of the BGP FS.
In an implementation, if the target field includes the next-hop SID of the BSID, the security protection policy carries a valid BSID and a first network segment in the trusted domain.
In an implementation, the valid BSID and the first network segment in the trusted domain may be carried in an extended attribute of the BGP FS. For example, the valid BSID in the trusted domain is carried in an extended attribute type 17 of the BGP FS, and the first network segment is carried in an extended attribute type 18 of the BGP FS.
In an implementation, if the target field includes the N SIDs in the segment identifier SID list, the security protection policy carries a SID list that indicates a valid path, and the SID list includes a valid BSID in the trusted domain.
In an implementation, the SID list that indicates a valid path may be carried in an extended attribute of the BGP FS message. For example, the SID list that indicates a valid path may be carried in an extended attribute type 19 of the BGP FS message.
According to a fourth aspect, an embodiment of this application provides an edge node, including a communication interface and a processor connected to the communication interface. The edge node is configured to perform the method according to any one of the first aspect or the implementations of the first aspect, or perform the method according to any one of the second aspect or the implementations of the second aspect by using the communication interface and the processor.
According to a fifth aspect, an embodiment of this application provides a control management device, including a communication interface and a processor connected to the communication interface. The control management device is configured to perform the method according to any one of the third aspect or the possible implementations of the third aspect by using the communication interface and the processor.
According to a sixth aspect, an embodiment of this application provides an edge node. The edge node includes a memory and a processor. The memory is configured to store program code. The processor is configured to run instructions in the program code, to enable the edge node to perform the method according to any one of the first aspect or the possible implementations of the first aspect, or to enable the edge node to perform the method according to any one of the second aspect or the possible implementations of the second aspect.
According to a seventh aspect, an embodiment of this application provides a control management device. The control management device includes a memory and a processor. The memory is configured to store program code. The processor is configured to run instructions in the program code, to enable the control management device to perform the method according to any one of the third aspect or the implementations of the third aspect.
According to an eighth aspect, an embodiment of this application provides a computer-readable storage medium. The computer-readable storage medium stores instructions. When the instructions are run on a computer, the computer is enabled to perform the method according to any one of the first aspect or the possible implementations of the first aspect, the computer is enabled to perform the method according to any one of the second aspect or the possible implementations of the second aspect, or the computer is enabled to perform the method according to any one of the third aspect or the possible implementations of the third aspect.
According to a ninth aspect, an embodiment of this application provides a communication system. The communication system includes an edge node and a control management device. The control management device is configured to perform the method according to any one of the third aspect or the possible implementations of the third aspect.
According to a tenth aspect, an embodiment of this application provides a communication system. The communication system includes an edge node and a control management device. The edge node is configured to perform the method according to any one of the first aspect or the possible implementations of the first aspect, or the edge node is configured to perform the method according to any one of the second aspect or the possible implementations of the second aspect.
To describe the technical solutions in embodiments of this application or in the conventional technology more clearly, the following briefly describes the accompanying drawings used to describe embodiments or the conventional technology. It is clear that the accompanying drawings in the following descriptions show some embodiments of this application, and persons of ordinary skill in the art may still derive other drawings from these accompanying drawings without creative efforts.
Embodiments of this application provide a packet forwarding method, to reduce security risks that exist in forwarding a packet by using an SRv6 technology.
For ease of understanding, forwarding a packet by using the SRv6 technology is briefly described first.
When the SRv6 technology is used to forward a packet, a head node specifies a packet forwarding path, and a transit node guides packet forwarding based on the forwarding path specified by the head node until the packet is forwarded to a destination node. A packet forwarded by using the SRv6 technology may also be referred to as an SRv6 packet. Specifically, refer to
The IPv6 header 101 includes a destination address (DA) field (not shown in
With reference to
The node 201, the node 202, the node 203, and the node 204 are all nodes that support an SRv6 technology. In a process in which the node 201 forwards the SRv6 packet to the node 202, the SRv6 packet may pass through several other nodes, which are not shown in
In some embodiments, in consideration that the length of an Ethernet packet needs to be within a proper range, if the SID list occupies a relatively large amount of data, the data amount of the payload 103 is affected. A larger amount of data occupied by the SID list affects the network performance of the entire network more. Therefore, the SID list in the SRv6 packet obtained by the node 201 may not include the address 2, so that the amount of data occupied by the SID list is reduced. In this scenario, the value of the SL field in the SRv6 packet obtained by node 201 is still 2. During SRv6 packet forwarding, if the SID list does not include the address 2, such an SRv6 packet forwarding mode may also be referred to as a Reduce mode. Correspondingly, if the SID list includes the address 2, such an SRv6 packet forwarding mode may also be referred to as a common mode.
It can be learned from the foregoing descriptions that when a packet is forwarded by using the SRv6 technology, a transit node forwards the packet based on a SID list, but does not verify the SID list. In this case, a network hacker may maliciously tamper with the SID list to perform a network attack, affecting network security.
Currently, an SRv6 trusted domain may be defined to avoid the network attack. The trusted domain indicates a network range of avoiding the network attack. The trusted domain may be determined in a plurality of manners, for example, may be determined based on a network scenario. For example, a core network part in a network is specified as the trusted domain. Alternatively, the trusted domain may be determined based on a service type. For example, a network range of transmitting a specific service packet is determined as the trusted domain. Specifically, to ensure that the trusted domain is not attacked, an access control list (ACL) traffic filtering policy may be configured in an edge node or a transit node in the trusted domain. For example, the edge node in the trusted domain verifies a received SRv6 packet. If a destination address of the SRv6 packet is an address of a node in the trusted domain, the edge node discards the SRv6 packet. For another example, the transit node in the trusted domain verifies a received SRv6 packet. If a source address of the SRv6 packet is an address of a node outside the trusted domain, the transit node discards the SRv6 packet. In this way, SRv6 packets outside the trusted domain cannot be transmitted to the trusted domain. SRv6 packets generated only in the trusted domain are forwarded, and the trusted domain is prevented from being attacked. The edge node in the trusted domain is a node that directly communicates with a node outside the trusted domain. The transit node in the trusted domain is a node other than the edge node.
In some embodiments, the SRv6 packet needs to be forwarded across the trusted domain. For example, an SRv6 packet outside the trusted domain needs to be forwarded to the trusted domain, or an SRv6 packet generated in a first domain needs to be forwarded to a second domain through the trusted domain, where the first domain and the second domain are different from the trusted domain. In this case, how to ensure the network security is an urgent problem to be resolved currently.
The inventor of this application finds that, to ensure the security of the trusted domain, prevent leakage of a network topology of the trusted domain, and reduce a possibility that the trusted domain is attacked, when an SRv6 packet needs to be forwarded across the trusted domain, the SRv6 packet can access the trusted domain by using a BSID. The BSID may identify a forwarding path.
Specifically, in an example, a control management device may generate a BSID that identifies a forwarding path in the trusted domain. Correspondingly, when computing the forwarding path of the SRv6 packet, the control management device may obtain a SID list including the BSID. In addition, after generating the BSID, the control management device may send a correspondence between the BSID and the forwarding path indicated by the BSID to the edge node in the trusted domain, so that the edge node in the trusted domain checks the SRv6 packet, and forwards the packet in the trusted domain if the SRv6 packet passes the verification. In another example, the edge node in the trusted domain may generate a BSID, and send a correspondence between the BSID and a forwarding path indicated by the BSID to the control management device, so that when computing a forwarding path of the SRv6 packet, the control management device obtains a SID list including the BSID. The control management device mentioned in embodiments of this application may be, for example, a device on which network management software is run, or may be, for example, a controller. This is not specifically limited in this embodiment of this application.
For the correspondence between the BSID and the forwarding path indicated by the BSID, an example is used herein for description: A BSID 1 indicates a forwarding path 1 in the trusted domain, and the correspondence may be, for example, a correspondence between the BSID 1 and a SID list that indicates the forwarding path 1. This may be understood with reference to the following Table 1.
As shown in Table 1, the forwarding path indicated by the BSID 1 is a path that passes through the node 1, the node 2, and the node 3 in sequence. Table 1 is shown only for ease of understanding, and does not constitute a limitation on this embodiment of this application.
With reference to
In this embodiment of this application, the trusted domain 200 may belong to an access network, a bearer network, a core network, an operator network, or a campus network. This is not specifically limited in this embodiment of this application. In an example, the trusted domain 200 may belong to the operator network, the node R2 is deployed in a customer equipment room as a cell site gateway (CSG) device, the first domain 100 belongs to an enterprise network, and the node R1 is a customer premise equipment (CPE) device.
In the scenario shown in
When forwarding the SRv6 packet, the node R2 may re-encapsulate the SRv6 packet, convert the BSID into a SID list that indicates a forwarding path, and encapsulate the SID list into the SID list of the SRH in the SRv6 packet. In this way, the SRv6 packet is forwarded in the trusted domain.
In this embodiment of this application, the node R2 may re-encapsulate the SRv6 packet in a plurality of encapsulation manners. A specific encapsulation manner is related to a forwarding manner of the SRv6 packet. The following describes two possible implementations for the node R2 to re-encapsulate the SRv6 packet.
In an implementation, if the SRv6 packet is forwarded based on a tunnel, when re-encapsulating the SRv6 packet, the node R2 may add an IPv6 header and an SRH to an original IPv6 header and an original SRH. The original IPv6 header and a destination address field and an SL field in the original SRH are updated by using a technology the same as the conventional technology. A source address in the added IPv6 header is an address of the node R2, and a destination address is a next-hop SID in the SID list corresponding to the BSID.
Refer to
In another implementation, if the SRv6 packet is not forwarded based on a tunnel, when re-encapsulating the SRv6 packet, the node R2 directly includes the SID list corresponding to the BSID in the original SRH.
Refer to
The foregoing manner in which the head node accesses the trusted domain by using the BSID can ensure, to some extent, that the network topology of the trusted domain is not disclosed. However, the edge node in the trusted domain verifies only the BSID and does not verify other SIDs in the SID list. In this case, if the other SIDs in the SID list are tampered with, the network may still be attacked. For example, refer to
The inventor of this application finds that, in still another implementation, a key-related hash-based message authentication code (HMAC) check may be configured in the edge node in the trusted domain, to prevent the SRH from being tampered with. An HMAC operation may use a key and data as inputs, and compress the data into a data digest of a fixed length. Specifically, refer to
In the SRv6 packet shown in
In a specific implementation, when the HMAC check is used to prevent the SRH from being tampered with, a head node outside a trusted domain may store a key and a hash algorithm. When generating an SRv6 packet, the node outside the trusted domain may calculate an HMAC by using the key, the hash algorithm, and the specific field, to obtain an SRv6 packet having a structure shown in
In some embodiments, to avoid a threat to the security of the entire network caused when the head node that has the key and the hash algorithm is attacked, alternatively, a control management device may calculate the HMAC and deliver the HMAC to the head node. This is not specifically limited in this embodiment of this application.
The foregoing manner can ensure that the SRv6 packet is not tampered with, but the key and the hash algorithm need to be prestored in the edge node in the trusted domain. Because the security of the key and the hash algorithm is particularly important to the reliability of a verification result, additional protection measures are required to protect the security of the key and the hash algorithm. Generally, the edge device in the trusted domain is a small forwarding device, and has a limited data processing capability. Protection of the security of the key and the hash algorithm consumes a relatively large quantity of computing resources of the edge device. In this case, if the foregoing manner is used to verify whether the SRv6 packet is tampered with, the performance of the edge device in the trusted domain is affected. As a result, the foregoing manner may not probably be used.
Therefore, how to minimize the security risks that exist in forwarding a packet by using an SRv6 technology while ensuring the performance of the edge node in the trusted domain is an urgent problem to be resolved currently.
To resolve this problem, embodiments of this application provide a packet forwarding method. The following describes, with reference to the network architecture shown in
S101: The node R2 receives a first packet, where the first packet is an SRv6 packet, and a destination address of the first packet is a BSID.
For the node R2, refer to the foregoing descriptions of
In this embodiment of this application, the first packet is sent by a node outside a trusted domain to the node R2, and the node outside the trusted domain may be, for example, the node R1 shown in
In this embodiment of this application, to ensure the network topology security of the trusted domain, the node outside the trusted domain can access the trusted domain only by using a valid BSID in the trusted domain.
S102: The node R2 verifies the first packet based on the BSID and a target field in an SRH of the first packet.
After the node R2 receives the first packet, to avoid a network attack, the node R2 may verify the first packet to determine whether the first packet is an attack packet. Specifically, when the first packet passes the verification, it indicates that the first packet is not an attack packet. Therefore, the node R2 may perform the step of forwarding the first packet in S103a, that is, allowing forwarding of the first packet across the trusted domain. When the first packet fails the verification, it indicates that the first packet may be an attack packet. In this case, if the first packet is forwarded across the trusted domain, a network attack may be caused to the trusted domain or another network (for example, the second domain 300 shown in
In this embodiment of this application, in one aspect, a node outside the trusted domain can access the trusted domain only by using a valid BSID in the trusted domain. Therefore, whether the first packet is an attack packet may be determined based on whether the destination address of the first packet is the valid BSID in the trusted domain. In another aspect, in consideration that the SRH of the SRv6 packet includes key information for guiding packet forwarding, for example, a SID list, whether the first packet is an attack packet may be determined by verifying the key information. Therefore, the node R2 may verify the first packet based on the BSID in the first packet and the target field in the SRH of the first packet.
In an implementation of this embodiment of this application, the node R2 may perform S102 as indicated by a control management device. Specifically, the control management device may send a security protection policy to the node R2, where the security protection policy carries indication information, and the indication information indicates the node R2 to verify the received SRv6 packet. Specifically, the indication information indicates the node R2 to verify the SRv6 packet based on the BSID in the received SRv6 packet and the target field in the SRH. Specifically, the control management device may send the security protection policy to the node R2 by using a network configuration protocol (NETCONF), a simple network management protocol (SNMP), a path computation element communication protocol (PCEP), a border gateway protocol (BGP), or the like. In a specific implementation, the security protection policy may be sent by using a border gateway protocol flow specification (BGP FS) route.
The following describes the BGP FS route.
The BGP FS route includes new BGP network layer reachability information and a new extended community attribute. By using the new network layer reachability information and the new extended community attribute, the BGP FS route may carry a corresponding BGP FS rule, and the BGP FS rule may also be considered as a traffic control policy. Specifically, the BGP FS rule may include a traffic matching condition and a corresponding traffic processing action after traffic matching. Currently, the traffic matching condition is carried in the BGP FS route as network layer reachability information, and the traffic processing action is carried in the BGP FS route as the extended community attribute. Currently, 16 types of traffic matching conditions (type 1 to type 16) have been defined in the BGP FS. The 16 types of traffic matching conditions are not detailed here. A specific implementation of S102 may be determined based on the target field. A specific implementation of S102 varies with the target field. The following describes specific content of the target field and a specific implementation of S102 corresponding to the target field.
Implementation 1: The target field is a next-hop SID of the BSID.
In this embodiment of this application, generally, when an SRv6 packet needs to be forwarded across the trusted domain, the trusted domain may provide a BSID to indicate a forwarding path of the SRv6 packet in the trusted domain. In other words, the next-hop SID of the BSID theoretically indicates a node outside the trusted domain that directly interacts with the trusted domain. Refer to
In some embodiments, if the first packet is a valid packet that is not tampered with, the next-hop SID of the BSID may indicate a valid destination node of the first packet. To ensure that the first packet can be accurately forwarded to the valid destination node and avoid causing a network attack to another node, in a specific implementation of S102, for example, the node R2 may determine whether the BSID is in the trusted domain. Then, the node R2 determines whether the next-hop SID of the BSID is in a valid network segment, where the valid destination node of the first packet is located in the valid network segment. If the next-hop SID of the BSID is in the valid network segment, it indicates that a node indicated by the next-hop SID of the BSID is the valid destination node of the first packet. That is, after being forwarded through the path indicated by the BSID, the first packet is forwarded to the valid destination node of the first packet. In this case, it may be considered that the first packet passes the verification. Correspondingly, if the next-hop SID of the BSID is not in the valid network segment, it indicates that after being forwarded through the path indicated by the BSID, the first packet is not forwarded to the valid destination node of the first packet, but is forwarded to another node. In this case, the next-hop SID of the BSID may have been tampered with. Therefore, the first packet may probably to cause an attack to another node. Therefore, in this embodiment of this application, if the next-hop SID of the BSID is not in the valid network segment, the first packet fails the verification.
In this embodiment of this application, for example, the valid network segment may be statically configured in the node R2, or may be sent by the control management device to the node R2. This is not specifically limited in this embodiment of this application. If the valid network segment is sent by the control management device to the node R2, for example, when sending the security protection policy to the node R2, the control management device may include the valid network segment in the security protection policy and send the security protection policy to the node R2. In this way, compared with a solution in which the control management device separately sends the security protection policy and the first network segment to the node R2, this solution can reduce a quantity of interactions between the control management device and the node R2, and save input-output (IO) resources of the control management device and the node R2.
As described above, the control management device may include the security protection policy in the BGP FS route and send the BGP FS route to the node R2. In addition, 16 types of traffic matching conditions have been defined in the BGP FS route. Therefore, in this embodiment of this application, the BGP FS message may be extended. For example, a traffic matching condition type 17 and a traffic matching condition type 18 are added, the added traffic matching condition type 17 may carry the BSID, and the added traffic matching condition type 18 may carry the valid network segment.
In some embodiments, in consideration that nodes included in the valid network segment may not be limited to the valid destination node of the first packet, to prevent a network hacker from tampering with the first packet to cause a network attack to another node in the valid network segment, in an implementation of this embodiment of this application, a mask of the valid network segment may be set as long as possible. In an example, the type 18 may further carry a mask length of the valid network segment. Certainly, the type 18 may further carry other information, which is not described one by one herein.
For a specific implementation in which the node R2 determines whether the BSID is in the trusted domain, refer to the related descriptions of
The foregoing valid network segment is not specifically limited in this embodiment of this application. In an actual application, when an SRv6 packet is forwarded, a SID indicating a destination node of the packet may be a node SID, or may be a SID of a virtual private network (VPN) instance deployed on the node. The SID of the VPN instance is referred to as a VPN SID for short. Certainly, the SID list of the SRH may include both the SID of the destination node, and the VPN SID of the VPN instance deployed on the destination node. For a node, both a SID of the node and a VPN SID of the node are in a network segment indicated by a locator route of the node. The locator route of the node refers to a network segment route to which the node SID of the node belongs. Therefore, in an embodiment, the valid network segment may be indicated by a locator route of the valid destination node. In this way, regardless of whether the next-hop SID of the BSID is the node SID or the VPN SID, whether the first packet is tampered with can be determined by using the valid network segment.
The following briefly describes the type 17 and the type 18 by using examples. It should be understood that a related solution in which the control management device delivers the security protection policy is merely described as an example, and this embodiment of this application is not limited thereto.
The type 17 includes two fields: type and BSID, that is, <type, BSID>. The BSID field carries a valid BSID in the trusted domain, and the type field has a fixed value of 17.
The type 18 field carries a type field, an operator field, and a value field, that is, <type, [operator, value]+>.
The type field has a value of 18.
The value field carries a valid network segment. The value field includes a network prefix and a mask length. The network prefix includes one byte, and the mask length includes 16 bytes.
The operator field includes eight bits, which are respectively a bit 0 to a bit 7.
The plus sign “+” indicates that a plurality of combinations of [operator, value] can be included.
The meaning of each bit in the operator field is shown in the following Table 2:
E: An end-of-list bit. The value of E is 1, indicating that the current <operator, value> is the last combination of <operator, value>.
A: An “and” bit. If the value of a is 1, it indicates that the current field of <operator, value> has an “OR” relationship with the previous field of <operator, value>. If the value of a is 0, it indicates that the current field of <operator, value> has an “AND” relationship with the previous field of <operator, value>.
Reserve: A “reserve” field.
Miss: Indicating a processing action taken when a next hop of the BSID is not in a network segment indicated by the value. If the value of Miss is 0, the packet is to be forwarded. If the value of Miss is 1, the packet is to be discarded.
Match: Indicating a processing action taken when a next hop of the BSID is in a network segment indicated by the value. If the value of Match is 0, the packet is to be forwarded. If the value of Match is 1, the packet is to be discarded.
For a security protection policy carrying a BSID and a valid network segment, an example is described herein: For a service, a BSID b::1 is provided for a node outside a trusted domain, to provide guidance about a forwarding path in the trusted domain. A valid destination node of a service packet corresponding to the service is in a network segment of c::1/64. For a edge node in the trusted domain, the BGP FS route is used to deliver the security protection policy. Specifically, the following security protection policy includes: <0x11, b::1> and <0x12, [0x82, c::1/64]>.
0x11 indicates the type 17. b::1 indicates the node R2 to verify whether a destination address of a received packet 1 is the valid BSID b::1.0x12 indicates the type 18. [0x82, c::1/64] indicates the node R2 to forward the packet 1 when the next-hop SID of the BSID is in the network segment indicated by c::1/64, or otherwise, discard the packet 1.
In some embodiments, to prevent the first packet from attacking the trusted domain, in a specific implementation of S102, for example, the node R2 may determine whether the BSID is in the trusted domain. Then, the node R2 determines whether the next-hop SID of the BSID is in a first network segment, where a node in the trusted domain belongs to the first network segment. If the next-hop SID of the BSID is in the first network segment, it indicates that a node indicated by the next-hop SID of the BSID is a node in the trusted domain. That is, after being forwarded through the path indicated by the BSID, the first packet does not leave the trusted domain, but continues to be forwarded in the trusted domain. In this case, the next-hop SID of the BSID may have been tampered with. Therefore, the first packet may probably cause a network attack to a node in the trusted domain. Therefore, in this embodiment of this application, if the next-hop SID of the BSID is in the first network segment, the first packet fails the verification. Correspondingly, if the next-hop SID of the BSID is not in the first network segment, it indicates that after being forwarded through the path indicated by the BSID, the first packet leaves the trusted domain and is forwarded to another node outside the trusted domain. In this case, it may be considered that the first packet passes the verification.
In this embodiment of this application, for example, the first network segment may be statically configured in the node R2, or may be sent by the control management device to the node R2. This is not specifically limited in this embodiment of this application. If the first network segment is sent by the control management device to the node R2, for example, when sending the security protection policy to the node R2, the control management device may include the first network segment in the security protection policy and send the security protection policy to the node R2. In this way, compared with a solution in which the control management device separately sends the security protection policy and the first network segment to the node R2, this solution can reduce a quantity of interactions between the control management device and the node R2, and save input-output IO resources of the control management device and the node R2.
As described above, the control management device may include the security protection policy in the BGP FS route and send the BGP FS route to the node R2. In addition, 16 types of traffic matching conditions have been defined in the BGP FS route. Therefore, in this embodiment of this application, the BGP FS route may be extended, a traffic matching condition type 17 and a traffic matching condition type 18 are added, the added traffic matching condition type 17 may carry the BSID, and the added traffic matching condition type 18 carries the first network segment. Certainly, the type 18 may further carry other information, for example, a mask length of the first network segment, which is not described one by one herein.
For the type 17 and the type 18, refer to the foregoing related descriptions. Details are not described herein again.
For a security protection policy carrying a BSID and a first network segment, an example is described herein: An address range in the trusted domain 200 corresponds to a network segment of a::1/64. For a service, a BSID b::1 is provided for a node outside a trusted domain, to provide guidance about a forwarding path in the trusted domain. For a edge node in the trusted domain, the BGP FS route is used to deliver the security protection policy. Specifically, the following security protection policy includes: <0x11, b::1> and <0x12, [0x81, a::1/64]>.
0x11 indicates the type 17. b::1 indicates the node R2 to verify whether a destination address of a received packet 1 is the valid BSID b::1.0x11 indicates the type 18. [0x81, a::1/64] indicates the node R2 to forward the packet 1 when the next-hop SID of the BSID is not in the network segment indicated by a::1/64, or otherwise, discard the packet 1.
For a specific implementation in which the node R2, for example, may determine whether the BSID is in the trusted domain, refer to the related descriptions of
It can be learned from the foregoing descriptions that, in implementation 1, after the SRv6 packet accesses the trusted domain by using the BSID, it can be ensured that the trusted domain is not attacked, or the first packet can be forwarded to the valid destination node, so as to prevent anode other than the valid destination node from being attacked. In addition, because the protection of the key and the hash algorithm is not involved, computing resources of the node R2 can be saved. Therefore, according to the solution in this embodiment of this application, the security risks that exist in forwarding a packet by using the SRv6 technology can be reduced as much as possible, on the premise of ensuring the performance of the node R2.
Implementation 2: The target field is the N SIDs in the SID list of the SRH of the first packet.
In this embodiment of this application, the value of N is greater than or equal to 1. When N is equal to 1, the SID is the next-hop SID of the BSID. When the value of N is greater than 1, the N SIDs are N continuous SIDs in the SID list of the SRH, and the first SID of the N SIDs is the next-hop SID of the BSID. In other words, the BSID and the N SIDs may form a first SID list, and the first SID list indicates a forwarding path. In this embodiment of this application, the first SID list may indicate a complete forwarding path of the first packet from the node R2 to the destination node, or the first SID list may indicate a part of the complete forwarding path, that is, indicate a forwarding path of the first packet from the node R2 to a first node. The first node is a node between the node R2 and the destination node of the first packet.
In an implementation of this embodiment of this application, if the target field is the N SIDs in the SID list of the SRH, in a specific implementation of S102, the node R2 may prestore a SID list, and the SID list stored in the node R2 indicates a valid path. Specifically, the node R2 may prestore one or more SID lists, and one SID list indicates one valid path. The node R2 may compare the first SID list with the locally stored SID lists. If the locally stored SID lists include the first SID list, it indicates that a path indicated by the first SID list is a valid path. Therefore, the node R2 may determine that the first packet passes the verification. On the contrary, if the locally stored SID lists do not include the first SID list, it is determined that the first packet fails the verification.
The SID lists stored in the node R2 may be understood with reference to the following Table 3. Table 3 shows two SID lists. Table 3 is output only for ease of understanding, and does not constitute a limitation on this embodiment of this application. The quantity of SID lists stored in the node R2 is not limited to two shown in Table 3. The SID lists stored in the node R2 are not limited to a BSID-SID 1-SID 2 and a BSID-SID 3 shown in Table 3.
As shown in Table 3, all first SIDs in the SID lists stored in the node R2 are BSIDs. In an implementation of this embodiment of this application, to improve the efficiency of determining, by the node R2, that the locally stored SID lists include the first SID list, when storing a SID list, the node R2 may store the first BSID in the SID list as an index of the SID list. When it is determined whether the locally stored SID lists include the first SID list, the BSID in the first SID list may be used as an index to determine whether the locally stored SID lists include the first SID list.
In an implementation, the SID list stored in the node R2 may be statically configured in the node R2. In still another implementation, the SID list stored in the node R2 may be delivered by the control management device to the node R2 by using the security protection policy.
As described above, the control management device may include the security protection policy in the BGP FS route and send the BGP FS route to the node R2. Specifically, the BGP FS message may be extended, a traffic matching condition type 17 and a traffic matching condition type 19 are added, the added traffic matching condition type 17 may carry the BSID, and the added traffic matching condition type 19 carries other to-be-verified SIDs.
For the type 17, refer to the foregoing descriptions of the type 17. Details are not described herein again. The following briefly describes the type 19.
Similar to the type 18, the type 19 includes a type field, an operator field, and a value field, that is, <type, [operator, value]+>.
The type field has a value of 19.
The value field is used for identifying a SID.
The operator field includes eight bits, which are respectively a bit 0 to a bit 7.
The plus sign “+” indicates that a plurality of combinations of [operator, value] can be included.
The meaning of each bit in the operator field is shown in the following Table 4:
E: An end-of-list bit. The value of E is 1, indicating that the current <operator, value> is the last combination of <operator, value>.
Segment list number: Carrying a SID number.
For a security protection policy carrying a BSID and N SIDs, an example is described herein: For a service, a BSID b::1 is provided for a node outside a trusted domain, to provide guidance about a forwarding path in the domain. A valid path for forwarding may be represented by a SID list shown in the following Table 5.
In this case, for a edge node in the trusted domain, the control management device may use the BGP FS route to deliver the security protection policy. Specifically, the security protection policy includes: <0x11, b::1>, <0x13, [0x00, D1::1], [0x01, D2::1], [0x02, D3::1], [0x83, B::1]>.
0x11 indicates the type 17. b::1 indicates a valid BSID. 0x13 indicates the type 19. [0x00, D1::1] identifies Segment list[0]=D1::1. <0x13, [0x01, D2::1] indicates Segment list[1]=D2::1. [0x02, D3::1] indicates Segment list[2]=D3::1. [0x83, B::1] indicates Segment list[3]=B::1 and <0x13. [0x83, B::1]> is the last combination of <operator, value>.
After receiving <0x11, b::1>, <0x13, [0x00, D1::1], [0x01, D2::1], [0x02, D3::1] and [0x83, B::1]>, the node R2 may store the SID list. The SID list includes b::1, B::1, D3::1, D2::1, and D3::1.
In still another implementation of this embodiment of this application, if the target field is the N SIDs in the SID list of the SRH, in a specific implementation of S102, the node R2 may prestore several hash values. For example, the node R2 may prestore a hash table, and the hash table includes several hash values. The hash values stored in the node R2 are obtained by performing a hash operation on SID lists corresponding to valid path. In this case, the node R2 may perform a hash operation on the first SID list to obtain a first hash value. After obtaining the first hash value, the node R2 may search the several hash values that are locally stored, and determine whether the locally stored hash values include the first hash value that is calculated. Specifically, the several locally stored hash values may be searched for by using the first hash value as an index, so as to determine whether the locally stored hash values include the first hash value. If the locally stored hash values include the first hash value, it indicates that the path indicated by the first SID list is a valid path. Therefore, it may be determined that the first packet passes the verification. On the contrary, if the locally stored hash values do not include the first hash value, it is determined that the first packet fails the verification.
In this embodiment of this application, the first SID in the SID list corresponding to the valid path is the BSID. To help the node R2 determine that the locally stored hash values include the first hash value, when storing a hash value, the node R2 may store, as an index of the hash value, the first BSID in a SID list by using which the hash value is calculated. Correspondingly, when it is determined whether the locally stored hash values include the first hash value, the BSID in the first SID list may be used as an index to determine whether the locally stored hash values include the first hash value. Certainly, when storing a hash value, the node R2 may also correspondingly store a SID list by using which the hash value is calculated. This is not specifically limited in this embodiment of this application.
The hash values locally stored in the node R2 may be understood with reference to the following Table 6. Table 6 shows three possible hash value storage manners. In a first manner, only the hash value is stored. In a second manner, the hash value and the BSID are stored. In a third manner, the hash value and the SID list by using which the hash value is calculated are stored. Table 6 is shown only for ease of understanding, and does not constitute a limitation on this embodiment of this application.
In an implementation this embodiment of this application, the first packet may include a first field, and the first field may indicate a quantity of to-be-verified SIDs. After receiving the first packet, the node R2 may parse the first packet to obtain the value of the first field, so as to further obtain the BSID and the N SIDs in the SRH, and perform S102 to verify the first packet. The first field is not specifically limited in this embodiment of this application. The first field may be a reserve field in the SRv6 packet, or the first field may be an extension field in the SRv6 packet. For example, the first field may be the last four bits of the flags field shown in
In some embodiments, when storing a hash value, the node R2 may further correspondingly store the quantity of SIDs included in a SID list by using which the hash value is calculated. Correspondingly, when matching is performed between the first hash value and the locally stored hash values, the node R2 further performs matching based on the value of the first field, and compares the quantity of SIDs included in the first SID list by using which the first hash value is calculated with the quantity of SIDs in the locally stored hash table. Only when the locally stored hash table includes the first hash value, and the quantity of SIDs corresponding to the locally stored first hash value is equal to the quantity of SIDs included in the first SID list, it is determined that the first packet passes the verification. Otherwise, it is determined that the first packet fails the verification.
In this case, the hash table locally stored in the node R2 may be understood with reference to the following Table 7.
A manner in which the node R2 verifies the first packet is described by using an example with reference to Table 7. It is assumed that a manner of storing a hash value in the node R2 is the first manner shown in Table 7. In this case, when verifying the first packet, the node R2 may, for example, find whether the locally stored hash values include the first hash value. If the first hash value is the hash value 1, the node R2 determines that the locally stored hash values include the first hash value. Further, because the quantity of SIDs included in a SID list by using which the hash value 1 is calculated is a, where the hash value 1 is among the locally stored hash values, if the quantity of SIDs included in the first SID list is a, the node R2 may determine that the first packet passes the verification. If the quantity of SIDs included in the first SID list is not a, the node R2 may determine that the first packet fails the verification. The quantity of SIDs included in the first SID list may be determined based on the value of the first field. Specifically, if to-be-verified SIDs indicated by the value of the first field do not include the BSID, the quantity of SIDs included in the first SID list is equal to the value of the first field plus 1. If to-be-verified SIDs indicated by the value of the first field include the BSID, the quantity of SIDs included in the first SID list is equal to the value of the first field.
It can be learned from the foregoing descriptions that when the first SID list indicates a complete forwarding path of the first packet from the node R2 to the destination node, in implementation 2, it can be ensured that the first packet can be forwarded to the valid destination node of the first packet. When the first SID list indicates a forwarding path of the first packet from the node R2 to the first node, in implementation 2, a network between the node R2 and the first node may avoid a network attack.
In addition, the computing resources consumed by the node R2 to maintain the locally stored SID lists or hash values are far less than the computing resources consumed by the node R2 to protect the key and ensure the security of the hash algorithm. Therefore, according to the solution in this embodiment of this application, the security risks that exist in forwarding a packet by using the SRv6 technology can be reduced as much as possible, on the premise of ensuring the performance of the node R2.
Implementation 3: The target field is the SL field.
As described above, the trusted domain may provide a BSID to indicate a forwarding path of the SRv6 packet in the trusted domain. In some embodiments, a node outside a domain needs to forward an SRv6 packet to the trusted domain. In this case, the SRH of the first packet does not contain a next-hop SID of the BSID. In other words, the BSID is the last SID that indicates the forwarding path of the first packet. In this case, the value of the SL field in the first packet is 0. Therefore, to ensure that the SRv6 packet to be forwarded to the trusted domain can be normally forwarded to the trusted domain, in a specific implementation of S102, for example, the node R2 may determine whether the BSID is in the trusted domain. Then, the node R2 determines whether the value of the SL field is 0. When the value of the SL field is 0, it indicates that the destination node of the first packet is a node in the trusted domain. Therefore, it may be determined that the first packet passes the verification. When the value of the SL field is not 0, the node R2 may verify the first packet in implementation 1 or implementation 2 above.
S103a: The node R2 discards the first packet that fails the verification.
That the node R2 discards the first packet may be: For example, the node R2 deletes the first packet from local storage.
S103b: The node R2 forwards the first packet that passes the verification.
In this embodiment of this application, in a specific implementation of forwarding the first packet, for example, the node R2 may obtain a SID list corresponding to the BSID, re-encapsulate the first packet based on the SID list, and forward the re-encapsulated first packet. For a specific implementation in which the node R2 re-encapsulates the first packet based on the SID list, refer to the foregoing descriptions of
It can be learned from the foregoing descriptions that, according to the packet forwarding method in this embodiment of this application, the security risks that exist in forwarding a packet by using the SRv6 technology can be reduced as much as possible, on the premise of ensuring the performance of the node R2.
In an embodiment of embodiments of this application, the node R2 may further obtain a second packet. Similar to the first packet, the second packet is also an SRv6 packet, and a destination address of the second packet is the BSID. After receiving the second packet, the node R2 may verify the second packet based on the BSID of the second packet and a target field in an SRH of the second packet. A specific implementation in which the node R2 verifies the second packet is similar to a method in which the node R2 verifies the first packet, and details are not described herein again. After verifying the second packet, the node R2 may forward the second packet when the second packet passes the verification. During verification of the second packet, not only the BSID is verified, but also the target field is verified. Therefore, the second packet that passes the verification may be considered as a valid packet, and forwarding the second packet across the trusted domain does not bring security risks.
Embodiments of this application further provide a packet forwarding method 200.
S201: An edge node in a trusted domain receives a first packet, where the first packet is an SRv6 packet, and a destination address of the first packet is a binding segment identifier BSID.
S202: The edge node verifies the first packet based on the BSID in the first packet and a target field in a segment routing header SRH.
S203: The edge node discards the first packet that fails the verification.
The method 200 may be used to implement S101, S102, and S103a that are performed by the node R2 in the method 100 mentioned in the foregoing embodiment. When the method 200 is used to implement S101, S102, and S103a that are performed by the node R2 in the method 100 mentioned in the foregoing embodiment, the edge node in the trusted domain corresponds to the node R2 in the method 100, and the first packet corresponds to the first packet in the method 100.
In an implementation, the edge node may further receive a security protection policy from a control management device, where the security protection policy indicates the edge node to verify the first packet based on the BSID and the target field in the SRH.
In an implementation, the target field includes a next-hop SID of the BSID; the target field includes N SIDs in a field identifier SID list, where the first SID in the N SIDs is the next-hop SID of the BSID, N is greater than or equal to 1, and when N is greater than 1, the N SIDs are continuous N SIDs in the SID list; or the target field includes a segment left SL field.
In an implementation, when the target field includes the next-hop SID of the BSID, that the edge node verifies the first packet based on the BSID in the first packet and the target field in the segment routing header SRH includes: When the BSID is in the trusted domain and the target field is not in a valid network segment, the edge node determines that the first packet fails the verification, where a valid destination node of the first packet is located in the valid network segment.
In an implementation, the valid network segment is indicated by a locator route of the valid destination node. The valid destination node mentioned herein may correspond to, for example, the node R5 in the second domain 300 shown in
In an implementation, the security protection policy carries the valid network segment, or the valid network segment is statically configured in the edge node.
In an implementation, when the target field includes the next-hop SID of the BSID, that the edge node verifies the first packet based on the BSID in the first packet and the target field in the segment routing header SRH includes: When the BSID is in the trusted domain and the target field is in a first network segment, the edge node determines that the first packet fails the verification, where a node in the trusted domain belongs to the first network segment. The first network segment mentioned herein may correspond to a network segment to which a node in the trusted domain 200 belongs, as shown in
In an implementation, the security protection policy carries the first network segment, or the first network segment is statically configured in the edge node.
In an implementation, when the target field includes the N SIDs in the SID list, that the edge node verifies the first packet based on the BSID in the first packet and the target field in the segment routing header SRH includes: The edge node compares a first SID list including the BSID and the target field with a SID list stored in the edge node, and if the SID list stored in the edge node does not include the first SID list, the edge node determines that the first packet fails the verification, where the SID list stored in the edge node indicates a valid path.
In an implementation, when the target field includes the N SIDs in the SID list, that the edge node verifies the first packet based on the BSID in the first packet and the target field in the segment routing header SRH includes: The edge node performs a hash operation on the first SID list including the BSID and the target field, to obtain a first hash value; and if a hash value stored in the edge node does not include the first hash value, the edge node determines that the first packet fails the verification, where the hash value stored in the edge node is obtained by performing the hash operation on the SID list that indicates a valid path.
In an implementation, the first packet includes a first field, and the first field indicates a quantity of to-be-verified SIDs.
In an implementation, the security protection policy carries the SID list that indicates a valid path, or the SID list that indicates a valid path is statically configured in the edge node.
In an implementation, when the target field includes the SL field, that the edge node verifies the first packet based on the BSID in the first packet and the target field in the segment routing header SRH includes:
The edge node determines that the BSID is in the trusted domain; and when a value of the target field is not equal to 0, the edge node determines that the first packet fails the verification.
In an implementation, the edge node may further obtain a second packet, where the second packet is an SRv6 packet, and a destination address of the second packet is the binding segment identifier BSID. The edge node verifies the second packet based on the BSID in the second packet and a target field in an SRH of the second packet; and the edge node forwards the second packet that passes the verification.
For a specific implementation of the method 200, refer to the foregoing descriptions of S101, S102, and S103a in the method 100. Details are not described herein again.
Embodiments of this application further provide a packet forwarding method 300.
S301: An edge node in a trusted domain receives a first packet, where the first packet is an SRv6 packet, and a destination address of the first packet is a binding segment identifier BSID.
S302: The edge node verifies the first packet based on the BSID in the first packet and a target field in a segment routing header SRH of the first packet.
S303: The edge node forwards the first packet that passes the verification.
The method 300 may be used to implement S101, S102, and S103b that are performed by the node R2 in the method 100 mentioned in the foregoing embodiment. When the method 200 is used to implement S101, S102, and S103b that are performed by the node R2 in the method 100 mentioned in the foregoing embodiment, the edge node in the trusted domain corresponds to the node R2 in the method 100, and the first packet corresponds to the first packet in the method 100.
In an implementation, the edge node may further receive a security protection policy from a control management device, where the security protection policy indicates the edge node to verify the first packet based on the BSID and the target field in the SRH.
In an implementation, the target field includes a next-hop SID of the BSID; the target field includes N SIDs in a field identifier SID list, where the first SID in the N SIDs is the next-hop SID of the BSID, N is greater than or equal to 1, and when N is greater than 1, the N SIDs are continuous N SIDs in the SID list; or the target field includes a segment left SL field.
In an implementation, when the target field includes the next-hop SID of the BSID, in a specific implementation in which the edge node verifies the first packet based on the BSID in the first packet and the target field in the segment routing header SRH, when determining that the BSID is in the trusted domain and the target field is in a valid network segment, the edge node determines that the first packet passes the verification. A valid destination node of the first packet is located in the valid network segment.
In an implementation, the valid network segment is indicated by a locator route of the valid destination node. The valid destination node mentioned herein may correspond to, for example, the node R5 in the second domain 300 shown in
In an implementation, the security protection policy carries the valid network segment, or the valid network segment is statically configured in the edge node.
In an implementation, when the target field includes the next-hop SID of the BSID, in a specific implementation in which the edge node verifies the first packet based on the BSID in the first packet and the target field in the segment routing header SRH, for example, the edge node determines that the BSID is in the trusted domain and the target field is not in a first network segment, the edge node determines that the first packet passes the verification. Anode in the trusted domain belongs to the first network segment. The first network segment mentioned herein may correspond to a network segment to which a node in the trusted domain 200 belongs, as shown in
In an implementation, the security protection policy carries the first network segment, or the first network segment is statically configured in the edge node.
In an implementation, when the target field includes the N SIDs in the SID list, in a specific implementation in which the edge node verifies the first packet based on the BSID in the first packet and the target field in the segment routing header SRH, for example, the edge node may compare a first SID list including the BSID and the target field with a SID list stored in the edge node, and if the SID list stored in the edge node includes the first SID list, the edge node determines that the first packet passes the verification, where the SID list stored in the edge node indicates a valid path.
In an implementation, when the target field includes the N SIDs in the SID list, that the edge node verifies the first packet based on the BSID in the first packet and the target field in the segment routing header SRH includes: The edge node performs a hash operation on the first SID list including the BSID and the target field, to obtain a first hash value; and if a hash value stored in the edge node includes the first hash value, the edge node determines that the first packet passes the verification, where the hash value stored in the edge node is obtained by performing the hash operation on the SID list that indicates a valid path.
In an implementation, the first packet includes a first field, and the first field indicates a quantity of to-be-verified SIDs.
In an implementation, the security protection policy carries the SID list that indicates a valid path, or the SID list that indicates a valid path is statically configured in the edge node.
In an implementation, when the target field includes the SL field, in a specific implementation in which the edge node verifies the first packet based on the BSID in the first packet and the target field in the segment routing header SRH, for example, when determining that the BSID is in the trusted domain and the value of the edge node in the target field is equal to 0, the edge node may determine that the first packet passes the verification.
For a specific implementation of the method 300, refer to the foregoing descriptions of S101, S102, and S103b in the method 100. Details are not described herein again.
Embodiments of this application further provide a forwarding control method 400.
S401: A control management device obtains a security protection policy, where the security protection policy indicates an edge node in a trusted domain to verify a received SRv6 packet based on a BSID and a target field in a segment routing header SRH.
S402: The control management device sends the security protection policy to the edge node in the trusted domain.
The method 400 may be used to implement the steps performed by the control management device in the method 100 mentioned in the foregoing embodiment. The trusted domain in the method 400 may be the trusted domain 200 shown in
In an implementation, the control management device may send the security protection policy to the edge node in the trusted domain by using a PCEP message.
In an implementation, the control management device may send the security protection policy to the edge node in the trusted domain by using a BGP message.
In an implementation, the control management device may send the security protection policy to the edge node in the trusted domain by using a NETCONF packet.
In an implementation, the control management device may send the security protection policy to the edge node in the trusted domain by using an SNMP packet.
In an implementation, the target field includes a next-hop SID of the BSID; the target field includes N SIDs in a field identifier SID list, where the first SID in the N SIDs is the next-hop SID of the BSID, N is greater than or equal to 1, and when N is greater than 1, the N SIDs are continuous N SIDs in the SID list; or the target field includes a segment left SL field.
In an implementation, if the target field includes the next-hop SID of the BSID, the security protection policy carries a valid BSID and a valid network segment in the trusted domain.
In an implementation, the valid BSID and the valid network segment in the trusted domain may be carried in an extended attribute of the BGP FS message. For example, the valid BSID in the trusted domain is carried in an extended attribute type 17 of the BGP FS message, and the valid network segment is carried in an extended attribute type 18 of the BGP FS message.
In an implementation, if the target field includes the next-hop SID of the BSID, the security protection policy carries a valid BSID and a first network segment in the trusted domain.
In an implementation, the valid BSID and the first network segment in the trusted domain may be carried in an extended attribute of the BGP FS message. For example, the valid BSID in the trusted domain is carried in an extended attribute type 17 of the BGP FS message, and the first network segment is carried in an extended attribute type 18 of the BGP FS message.
In an implementation, if the target field includes the N SIDs in the segment identifier SID list, the security protection policy carries a SID list that indicates a valid path, and the SID list includes a valid BSID in the trusted domain.
In an implementation, the SID list that indicates a valid path may be carried in an extended attribute of the BGP FS message. For example, the SID list that indicates a valid path may be carried in an extended attribute type 19 of the BGP FS message.
For a specific implementation of the method 400, refer to the foregoing descriptions of the steps performed by the control management device in the method 100. Details are not described herein again.
In addition, an embodiment of this application further provides an edge node 900.
In addition, an embodiment of this application further provides a control management device 1000, as shown in
In addition, an embodiment of this application further provides an edge node 1100.
In addition, an embodiment of this application further provides a control management device 1200.
In addition, an embodiment of this application further provides an edge node 1300.
In addition, an embodiment of this application further provides a control management device 1400.
An embodiment of this application further provides a computer-readable storage medium. The computer-readable storage medium stores instructions. When the instructions are run on a computer, the computer is enabled to perform the steps performed by the node R2 in the foregoing method 100, or the computer is enabled to perform the steps performed by the control management device in the foregoing method 100.
An embodiment of this application further provides a communication system. The communication system includes a control management device and an edge node. In some embodiments, the edge node is the node R2 that performs the foregoing method 100. In some embodiments, the control management device is the control management device that delivers the security protection policy to the node R2 in the foregoing method 100.
In the specification, claims, and accompanying drawings of this application, the terms “first”, “second”, “third”, “fourth”, and so on (if existent) are intended to distinguish between similar objects but do not necessarily indicate a specific order or sequence. It should be understood that the data termed in such a way are interchangeable in proper circumstances so that embodiments of the present disclosure described herein can be implemented in other orders than the order illustrated or described herein. Moreover, the terms “include”, “contain” and any other variants mean to cover the non-exclusive inclusion, for example, a process, method, system, product, or device that includes a list of steps or units is not necessarily limited to those units, but may include other units not expressly listed or inherent to such a process, method, system, product, or device.
It may be clearly understood by a person skilled in the art that, for the purpose of convenient and brief description, for a detailed working process of the foregoing system, apparatus, and unit, refer to a corresponding process in the foregoing method embodiments, and details are not described herein again.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus, and method may be implemented in other manners. For example, the described apparatus embodiment is merely an example. For example, division into units is merely logical service division and may be other division during actual implementation. For example, a plurality of units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the displayed or discussed mutual couplings or direct couplings or communication connections may be implemented through some interfaces. The indirect couplings or communication connections between the apparatuses or units may be implemented in electrical, mechanical, or another form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, in other words, may be located in one position, or may be distributed on a plurality of network units. Some or all of the units may be selected based on actual requirements to achieve the objectives of the solutions of embodiments.
In addition, service units in embodiments of this application may be integrated into one processing unit, or each of the units may exist alone physically, or two or more units may be integrated into one unit. The integrated unit may be implemented in a form of hardware, or may be implemented in a form of a software service unit.
When the integrated unit is implemented in a form of a software service unit and sold or used as an independent product, the integrated unit may be stored in a computer-readable storage medium. Based on such an understanding, the technical solutions of this application essentially, or a part contributing to the conventional technology, or all or some of the technical solutions may be implemented in a form of a software product. The computer software product is stored in a storage medium and includes several instructions for instructing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods in embodiments of this application. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.
Persons skilled in the art should be aware that, in the foregoing one or more examples, services described in the present disclosure may be implemented by hardware, software, firmware, or any combination thereof. When the present disclosure is implemented by using the software, the services may be stored in a computer-readable medium or transmitted as one or more instructions or code in the computer-readable medium. The computer-readable medium includes a computer storage medium and a communication medium. The communication medium includes any medium that facilitates transmission of a computer program from one place to another. The storage medium may be any available medium accessible to a general-purpose or dedicated computer.
The objectives, technical solutions, and beneficial effects of the present disclosure have been further described in detail in the foregoing specific implementations. It should be understood that the foregoing descriptions are merely specific implementations of the present disclosure.
The foregoing embodiments are merely intended to describe the technical solutions of this application, but are not to limit this application. Although this application is described in detail with reference to the foregoing embodiments, persons of ordinary skill in the art should understand that they may still make modifications to the technical solutions recorded in the foregoing embodiments or make equivalent replacements to some technical features thereof. However, these modifications or replacements do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the foregoing embodiments of this application.
Number | Date | Country | Kind |
---|---|---|---|
202010256371.1 | Apr 2020 | CN | national |
202010333905.6 | Apr 2020 | CN | national |
This application is a continuation of International Application No. PCT/CN2021/079923, filed on Mar. 10, 2021, which claims priority to Chinese Patent Application No. 202010333905.6, filed on Apr. 24, 2020, and Chinese Patent Application No. 202010256371.1, filed on Apr. 2, 2020. All of the aforementioned patent applications are hereby incorporated by reference in their entireties.
Number | Date | Country | |
---|---|---|---|
Parent | PCT/CN2021/079923 | Mar 2021 | US |
Child | 17957972 | US |