CN107547345B - VXLAN dynamic access method, device, equipment and medium - Google Patents


Info

Publication number: CN107547345B
Authority: CN (China)
Prior art keywords: authentication, access point, visitor, dynamic access, dynamic
Legal status: Active
Application number: CN201710591196.XA
Other languages: Chinese (zh)
Other versions: CN107547345A
Inventors: 黄李伟, 王伟, 王丽芳
Current assignee: New H3C Information Technologies Co Ltd
Original assignee: Hangzhou H3C Technologies Co Ltd


Abstract

The embodiments of the application provide a Virtual Extensible LAN (VXLAN) dynamic access method, device, equipment and medium, applied to a VXLAN tunnel endpoint (VTEP) device. The method comprises the following steps: receiving a login request message from a virtual machine (VM), and initiating a first authentication request to an authentication server according to user information carried in the login request message; when the first authentication result received for the first authentication request is that authentication is not passed, creating a visitor dynamic access point corresponding to the VM; judging whether the login request message is a suspicious message according to the information recorded by the visitor dynamic access point and an access rule set for the visitor access point; and if so, locally storing key information of the visitor dynamic access point, which comprises the user information of the VM, and deleting the visitor dynamic access point. By applying the embodiments of the application, normal use of user services can be ensured even when the VTEP device receives a large number of attack messages.

Description

VXLAN dynamic access method, device, equipment and medium
Technical Field
The present application relates to the field of network communication technologies, and in particular, to a Virtual Extensible LAN (VXLAN) dynamic access method, apparatus, device, and medium.
Background
With the rapid popularization of VXLAN technology, the volume of traffic carried by VXLAN is also increasing. To enable users to quickly access VXLAN, a VXLAN Tunnel End Point (VTEP) device provides automatic access functionality for users.
Referring to fig. 1, fig. 1 is a schematic diagram of a VXLAN network architecture in the prior art. As shown in fig. 1, the VXLAN includes a Virtual Machine (VM), a VTEP device, and an authentication server, wherein the VM and the VTEP device are in communication, and the VTEP device and the authentication server are in communication; specifically, the VXLAN automatic access process is as follows:
a user sends a login request message to the VTEP device by using a VM, and the VTEP device initiates an authentication request to the authentication server according to the source Media Access Control (MAC) address carried in the login request message;
the VTEP device receives the authentication result for the source MAC address from the authentication server; when the authentication result is that the authentication is successful, the VTEP device creates a VXLAN service access point corresponding to the VM so that the user using the VM can access the VXLAN successfully; when the authentication result is authentication failure, the VTEP device creates a visitor dynamic access point corresponding to the VM;
the VTEP equipment initiates an authentication request to an authentication server according to a source MAC address corresponding to the visitor dynamic access point at intervals; when the authentication server successfully authenticates the source MAC address, the VTEP equipment deletes the visitor dynamic access point corresponding to the VM, and reestablishes the VXLAN service access point corresponding to the VM, so that the user using the VM can successfully access VXLAN.
Disclosure of Invention
An object of the embodiments of the present application is to provide a VXLAN dynamic access method, apparatus, device, and medium, so as to ensure normal use of user services when a VTEP device receives a large number of attack packets. The specific technical scheme is as follows:
the embodiment of the application provides a VXLAN dynamic access method, which is applied to VXLAN tunnel endpoint VTEP equipment, and comprises the following steps: receiving a login request message from a Virtual Machine (VM), and initiating a first authentication request to an authentication server according to a source Media Access Control (MAC) address carried in the login request message; when a first authentication result corresponding to the received first authentication request is that authentication is not passed, creating a visitor dynamic access point corresponding to the VM; judging whether the login request message is a suspicious message or not according to the information recorded by the visitor dynamic access point and an access rule set for the visitor access point; if yes, locally saving key information of the visitor dynamic access point, and deleting the visitor dynamic access point, wherein the key information comprises: user information of the VM.
The embodiment of the present application further provides a VXLAN dynamic access device, where the device includes: a first initiating unit, configured to receive a login request message from a virtual machine VM and initiate a first authentication request to an authentication server according to user information carried in the login request message; a first creating unit, configured to create a visitor dynamic access point corresponding to the VM when the first authentication result received for the first authentication request is that authentication fails; a first judging unit, configured to judge whether the login request message is a suspicious message according to the information recorded by the visitor dynamic access point and an access rule set for the visitor access point; and a first deleting unit, configured to locally store key information of the visitor dynamic access point and delete the visitor dynamic access point when the first judging unit determines that the login request message is a suspicious message, where the key information includes the user information of the VM.
An embodiment of the present application further provides a VTEP device, including a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the processor being caused by the machine-executable instructions to: the VXLAN dynamic access method provided by the embodiment of the application is realized.
Embodiments of the present application further provide a machine-readable storage medium storing machine-executable instructions that, when invoked and executed by a processor, cause the processor to: the VXLAN dynamic access method provided by the embodiment of the application is realized.
It can be seen from the above that, when the login request message is a suspicious message such as an attack message, the VTEP device locally stores the key information of the visitor dynamic access point corresponding to that message and then deletes the access point, so that the number of created visitor dynamic access points stays under control. This avoids the situation in which the number of visitor access points reaches the resource specification and the VTEP device can no longer create a visitor access point for the login request message of a normal user, which would affect the normal use of the user service; normal use of the user service is thereby ensured. Of course, it is not necessary for any product or method of the present application to achieve all of the above advantages at the same time.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic diagram of a VXLAN network architecture in the prior art;
fig. 2 is a schematic diagram of a VXLAN network architecture in an embodiment of the present application;
fig. 3 is a flowchart of a VXLAN dynamic access method according to an embodiment of the present application;
fig. 4 is another flowchart of a VXLAN dynamic access method according to an embodiment of the present application;
fig. 5 is a flowchart illustrating a detailed process of step 402 according to an embodiment of the present application;
fig. 6 is a flowchart illustrating a detailed process of step 303 according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a VXLAN dynamic access device according to an embodiment of the present application;
fig. 8 is a block diagram of a VTEP apparatus according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Currently, a widely used VXLAN network architecture is the two-tier Leaf-Spine architecture shown in fig. 2; fig. 2 is a schematic diagram of a VXLAN network architecture in an embodiment of the present application.
As shown in fig. 2, the VXLAN network architecture includes a VM, a Leaf-VTEP device, a Spine-VTEP device, and an authentication server; the Leaf-VTEP1 device is connected with the VM1 and the VM2, the Leaf-VTEP2 device is connected with the VM3, the Spine-VTEP device is connected with the Leaf-VTEP1 device and the Leaf-VTEP2 device, and the authentication server is connected with the Spine-VTEP device.
It should be noted that the VXLAN dynamic access method, apparatus, device and medium proposed in the embodiments of the present application are applied to VTEP devices having a function of automatically accessing VXLAN by a user; this functionality is typically implemented by Leaf-VTEP devices in the VXLAN network architecture, and thus, VTEP devices mentioned hereinafter default to Leaf-VTEP devices in the VXLAN network architecture.
Of course, the Spine-VTEP device may also implement the function of automatic VXLAN access by the user according to actual requirements, and in this case the VTEP device mentioned later may also be a Spine-VTEP device in the VXLAN network architecture.
It should be further noted that the VXLAN network architecture shown in fig. 2 is only one application scenario of the embodiment of the present application, and the embodiment of the present application may also be applied to VTEP devices having a function of automatically accessing VXLAN by a user in other VXLAN network architectures.
In practical application, when the VTEP device receives a large number of suspicious messages, the authentication server will not authenticate the attack messages successfully, so the VTEP device creates a separate visitor dynamic access point for each attack message. The resources for creating visitor dynamic access points are limited, however, and once the number of created visitor dynamic access points reaches the resource specification, the VTEP device no longer creates a new visitor dynamic access point even when it receives a login request message from a user who is not yet authenticated and is not an attacker, which affects the normal use of such non-attacking users.
The embodiment of the application provides a VXLAN dynamic access method which is applied to VTEP equipment. Referring to fig. 3, fig. 3 is a flowchart of a VXLAN dynamic access method according to an embodiment of the present application, including the following steps:
step 301, receiving a login request message from a VM, and initiating a first authentication request to an authentication server according to user information carried in the login request message;
in the step, a user sends a login request message to VTEP equipment through a VM;
after receiving a login request message from a VM, the VTEP device initiates a first authentication request to an authentication server according to user information (such as a source MAC address) carried in the login request message;
the authentication server determines whether the source MAC address is authorized to be logged in or not according to the source MAC address in the first authentication request, if the source MAC address is authorized to be logged in, the authentication result returned to the VTEP device by the authentication server is that the authentication is passed, and if the source MAC address is not authorized to be logged in, the authentication result returned to the VTEP device by the authentication server is that the authentication is not passed.
In general, the user information of the VM carried in the login request message includes: a source MAC address, a source IP address, a destination IP address, the VLAN ID of the virtual network to which the VM belongs, and a port number.
Step 302, when a first authentication result corresponding to the received first authentication request is that authentication fails, creating a guest dynamic access point corresponding to the VM;
in this step, when the first authentication result received by the VTEP device is that the authentication fails, a GUEST dynamic access point corresponding to the VM is created, which may specifically be a GUEST VSI dynamic access point.
The visitor access point comprises user information carried in the login request message.
Step 303, judging whether the login request message is a suspicious message according to the information recorded by the visitor dynamic access point and an access rule set for the visitor access point;
in this step, the VTEP apparatus determines whether the login request packet is a suspicious packet according to the guest dynamic access point established in step 302 and the access rule set for the guest access point.
In practical applications, judging according to the information recorded by the visitor dynamic access point and the access rule set for the visitor access point may specifically mean: judging whether the login request message is a suspicious message according to the number of failed authentication results for the authentication requests initiated for the login request message, or according to the existence duration of the visitor access point corresponding to the login request message; of course, the specific manner of determining whether the login request message is a suspicious message may also be decided according to the actual situation.
Step 304, if the login request message is a suspicious message, locally storing key information of the visitor dynamic access point, and deleting the visitor dynamic access point.
Wherein the key information comprises: user information of the VM.
In this step, when the VTEP device determines that the login request packet is a suspicious packet, the VTEP device locally stores key information of the dynamic visitor access point, and deletes the dynamic visitor access point.
The key information includes user information of the VM obtained from the guest dynamic access point, such as a source MAC address, a vlan id, and a port number.
With the VXLAN dynamic access method provided by the embodiment of the application, when the VTEP device determines that the login request message is a suspicious message, it deletes the visitor dynamic access point corresponding to the suspicious message after locally storing its key information, so that the number of created visitor dynamic access points does not grow to the resource specification of visitor dynamic access points.
In one embodiment provided herein, after step 304, the method may further include:
generating a record table according to the locally stored key information of the visitor dynamic access point;
and establishing a public visitor dynamic access point aiming at VMs corresponding to all visitor dynamic access points stored in the record table.
In practical application, all locally stored key information of the visitor dynamic access point may be compiled into a record table, and the specific form of the record table may refer to table 1:
Source MAC address | VLAN ID | Port number
0-0-1              | 100     | port1
TABLE 1
In table 1, the VM key information obtained from the visitor access point includes: the source MAC address of the VM is 0-0-1, the VLAN ID of the VM is 100, and the port number of the VM is port1.
In this way, in a scenario where the guest dynamic access point corresponding to the VM used by the user is deleted and the user information of the deleted guest dynamic access point is stored in the local record table, the user can still access the public network resource using the public guest dynamic access point corresponding to the record table.
Therefore, in the embodiment of the application, even if the VTEP device receives a large number of suspicious messages, the resources for establishing visitor dynamic access points will not run short because too many visitor dynamic access points have been created, and when the VTEP device subsequently receives a normal user login request message, a new visitor dynamic access point can still be created, so normal use of user services is not affected. Moreover, since the key information of the deleted visitor dynamic access point is stored locally, the VTEP device can subsequently send authentication requests to the authentication server periodically according to the source MAC address in the key information, which protects the normal use of each user service to the greatest extent and avoids, as far as possible, the problem that a user cannot log in normally because the user's login request message was misjudged as a suspicious message. Users whose visitor dynamic access point has been deleted but whose user information is stored in the local record table can still access public network resources through the public visitor dynamic access point corresponding to the record table.
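The flow of steps 301 to 304, as an added Python simulation that is not code from the patent: a VTEP with a fixed pool of visitor dynamic access points re-authenticates each of them periodically and, once the failure count or the existence duration exceeds a preset threshold (the two rules given for step 303), stores the key information of Table 1 locally and deletes the access point, so that a later, not-yet-authorised user still obtains an access point during a flood. The authentication-server callback, the thresholds, the pool size and the MAC addresses are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class GuestAccessPoint:
    """Visitor (GUEST VSI) dynamic access point created after a failed first authentication."""
    mac: str
    vlan_id: int
    port: str
    created_at: float        # used for the existence-duration rule
    auth_failures: int = 1   # the failed first authentication counts as the first failure


@dataclass(frozen=True)
class KeyInfo:
    """One row of the record table (Table 1): key information of a deleted visitor access point."""
    mac: str
    vlan_id: int
    port: str


class Vtep:
    """Simulated VTEP; all parameters are constructed for the example, not taken from the patent."""

    def __init__(self, authenticate, guest_capacity, fail_threshold=3, age_threshold=600.0):
        self.authenticate = authenticate      # mac -> True if the authentication server passes it
        self.guest_capacity = guest_capacity  # resource specification of visitor access points
        self.fail_threshold = fail_threshold  # preset count threshold of failed authentications
        self.age_threshold = age_threshold    # preset existence-duration threshold, seconds
        self.service_aps = set()              # MACs that own a VXLAN service access point
        self.guest_aps = {}                   # mac -> GuestAccessPoint
        self.record_table = {}                # mac -> KeyInfo (locally stored key information)

    def handle_login(self, mac, vlan_id, port, now):
        """Steps 301-302: first authentication by source MAC; on failure, a visitor access point."""
        if self.authenticate(mac):
            self.service_aps.add(mac)
            return "service"
        if mac in self.guest_aps:
            return "guest"                    # this VM already has a visitor access point
        if len(self.guest_aps) >= self.guest_capacity:
            return "rejected"                 # pool exhausted: the problem the method addresses
        self.guest_aps[mac] = GuestAccessPoint(mac, vlan_id, port, now)
        return "guest"

    def is_suspicious(self, ap, now):
        """Step 303: either rule alone marks the login request message as suspicious."""
        too_many_failures = ap.auth_failures > self.fail_threshold
        too_old = (now - ap.created_at) > self.age_threshold
        return too_many_failures or too_old

    def reauthenticate_guests(self, now):
        """Periodic re-authentication of every visitor access point, then steps 303-304.
        Returns the MACs whose access point was deleted and recorded in the table."""
        evicted = []
        for mac, ap in list(self.guest_aps.items()):
            if self.authenticate(mac):
                # Authentication now passes: replace the visitor access point by a service one.
                del self.guest_aps[mac]
                self.service_aps.add(mac)
                continue
            ap.auth_failures += 1
            if self.is_suspicious(ap, now):
                self.record_table[mac] = KeyInfo(ap.mac, ap.vlan_id, ap.port)   # Table 1 row
                del self.guest_aps[mac]
                evicted.append(mac)
        return evicted


def flood_scenario(mitigated):
    """Two never-authenticated sources fill a two-slot visitor pool; a third, legitimate but
    not-yet-authorised VM then logs in. Returns that VM's outcome."""
    authorised = set()                        # the authentication server passes nobody here
    vtep = Vtep(lambda mac: mac in authorised, guest_capacity=2, fail_threshold=2)
    for i in range(2):                        # constructed MACs in the hyphenated notation of Table 1
        vtep.handle_login(f"0-0-{i + 1}", 100, "port1", now=0.0)
    if mitigated:
        for t in (300.0, 600.0):              # two failed re-authentications exceed the threshold
            vtep.reauthenticate_guests(now=t)
    return vtep.handle_login("0-0-9", 100, "port2", now=601.0)
```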
In one embodiment of the present application, after "deleting the guest dynamic access point" in step 304, the method further comprises:
according to a preset first authentication period, according to the source MAC address in the locally stored key information, a second authentication request is sent to the authentication server;
when the second authentication results corresponding to the received second authentication request are all authentication failures, deleting the key information from local storage;
and when the received second authentication result is that the authentication is passed, creating a VXLAN service access point corresponding to the VM, and deleting the key information from local storage.
That is, in practical applications, referring to fig. 4, fig. 4 is another flowchart of the VXLAN dynamic access method according to the embodiment of the present application, and after step 304, the method further includes:
step 401, according to a preset first authentication period, initiating a second authentication request to the authentication server according to the locally stored user information of the VM;
the first authentication period may be 5 minutes, and may be specifically determined according to actual requirements.
In this step, the VTEP device periodically initiates an authentication request to the authentication server according to the source MAC address in the user information of the VM, so as to judge from the authentication result whether the login request message is a malicious request message. In this way the normal use of each user service is protected to the greatest extent, the problem that a user cannot log in normally because the login request message was wrongly judged as a malicious request message is avoided, and specific processing can be applied to a malicious request message so that it does not occupy system resources.
Step 402, when the second authentication results corresponding to the received second authentication request are all authentication failed, deleting the key information from local storage;
in this step, when the authentication results received by the VTEP device are all authentication failed, it can be determined that the suspicious message is not a normal user login request message and may be a malicious request message such as an attack message; at this time, the key information corresponding to the suspicious message may be deleted from local storage.
Step 403, when the received second authentication result is that the authentication is passed, creating a VXLAN service access point corresponding to the VM.
In this step, when the authentication result received by the VTEP device is that the authentication is passed, the VXLAN service access point corresponding to the VM is created according to the locally stored key information of the visitor dynamic access point, so that the user of the VM can access the VXLAN successfully.
Therefore, in the embodiment of the application, when the suspicious message is determined to be a malicious request message, the key information corresponding to the suspicious message is deleted from local storage in time, so that device performance is not affected by an excessive amount of locally stored key information.
In yet another embodiment of the present application, referring to fig. 5, fig. 5 is a specific flowchart of step 402 in this embodiment of the present application, and step 402, "when all second authentication results corresponding to the received second authentication request are authentication failed, deleting the key information from local storage", may specifically include the following sub-steps:
substep 11, obtaining the IP address of the VM from the visitor dynamic access point;
substep 12, generating a detection message aiming at the VM according to the IP address;
in practical applications, the detection message may be an Address Resolution Protocol (ARP) message, or may be other types of messages, and of course, the self-defined message may also be used as the detection message.
Substep 13, sending the detection message to the VM according to a preset detection period;
the detection period can be preset to 5 minutes, and can be specifically determined according to actual requirements.
Substep 14, determining whether a detection message response from the VM is received within a preset detection time period, if not, executing substep 15;
the detection time period can be preset to 5 minutes, and can be specifically determined according to actual requirements.
In this step, the VTEP device determines whether a detection message response from the VM is received within the detection time period that follows the sending of the detection message.
Substep 15, determining the login request message as a malicious request message;
in this step, if the VETP device does not receive a probe message response from the VM within the preset probe time period, it may be further determined that the login request message is not only a suspicious message but a malicious request message.
It should be noted that, even if the VETP device receives the probe message response in the current preset probe period, in the subsequent preset probe period, the VETP device still sends the probe message to the VM, and continuously monitors whether the login request message is a malicious request message.
And substep 16, when the login request message is a malicious request message and the second authentication results corresponding to the received second authentication request are all authentication failed, deleting the key information from the local.
In this step, if the login request message is a malicious request message and the second authentication results corresponding to the second authentication request are all authentication failures, the key information of the login request message is deleted locally.
Therefore, the VXLAN dynamic access method provided by the embodiment of the application can judge whether the login request message is a malicious request message by sending the detection message to the VM; and then the key information of the malicious request stored locally is deleted, so that the excessive quantity of the key information stored locally is avoided.
In practical application, referring to fig. 6, fig. 6 is another specific flowchart of step 303 in the embodiment of the present application; step 303 "determining whether the login request message is a suspicious message according to the information recorded by the visitor dynamic access point and the access rule set for the visitor access point" may specifically include the following sub-steps:
substep 21, obtaining the source MAC address of the VM from the guest dynamic access point;
wherein the information recorded by the visitor dynamic access point may include the source MAC address.
Substep 22, according to a preset second authentication period, initiating a third authentication request to the authentication server according to the source MAC address;
in this step, the VTEP device periodically initiates an authentication request to the authentication server according to the source MAC address of the VM; in this way the normal use of each user service is protected to the greatest extent, and the problem that a user cannot log in normally because the login request message was "misjudged" as a suspicious message is avoided as far as possible.
Substep 23, determining whether the third authentication results corresponding to the received third authentication requests are all authentication failures and whether the number of failed third authentication results exceeds a preset count threshold, or determining whether the third authentication results corresponding to the received third authentication requests are all authentication failures and whether the existence duration of the visitor dynamic access point exceeds a preset duration threshold; if so, executing substep 24;
in this step, whether the login request message is a suspicious message may be determined in two ways: one is to determine whether the third authentication results corresponding to the received third authentication requests are all authentication failures and whether the number of failed results exceeds the preset count threshold; the other is to determine whether the third authentication results are all authentication failures and whether the existence duration of the visitor dynamic access point exceeds the preset duration threshold.
Of course, other ways may be selected to determine whether the login request message is a suspicious message according to the actual situation.
And a substep 24 of determining that the login request message is a suspicious message.
Therefore, the VXLAN dynamic access method provided in the embodiment of the present application may determine whether the login request message is a suspicious message by judging whether the received authentication results are all authentication failures and whether the number of failed authentications exceeds a preset count threshold, or whether the existence duration of the visitor access point exceeds a preset duration threshold; the visitor dynamic access point corresponding to the suspicious message is then deleted, which solves the problem that normal use of the user service is affected when the number of created visitor dynamic access points reaches their resource specification.
It should be noted that, a first authentication period and a second authentication period have been presented in the foregoing, where the first authentication period corresponds to the second authentication request in step 401, and the second authentication period corresponds to the third authentication request in sub-step 22; since sub-step 22 belongs to the prior art, the second authentication period can be determined according to the application of the prior art; the first authentication period is a parameter value in the VXLAN dynamic access method proposed in the embodiment of the present application, and may be determined according to the application requirements and the application scenario in the embodiment of the present application.
In another embodiment of the present application, after "receiving a login request packet from a virtual machine VM" in step 301, the method further includes:
judging whether an MAC address matched with the source MAC address carried in the login request message is stored locally;
if not, executing the step of initiating a first authentication request to an authentication server according to the source MAC address carried in the login request message;
if so, executing the step of initiating, according to the preset first authentication period, a second authentication request to the authentication server according to the access information of the VM in the locally stored key information.
The MAC address matched with the source MAC address is an MAC address having a correspondence with the source MAC address.
In practice, when a login request message from a virtual machine VM is received, the VTEP first judges whether a MAC address matching the source MAC address carried in the login request message is stored locally.
If so, the user has previously sent a login request message from this VM and has not yet been authenticated. In that case, instead of creating another guest dynamic access point for the VM, the step of "initiating, according to the preset first authentication period, a second authentication request to the authentication server according to the access information of the VM in the locally stored key information" is performed, that is, step 401 of the VXLAN dynamic access method shown in fig. 4.
If not, the user has not previously sent a login request message from this VM, so the normal flow is followed: a guest dynamic access point is created for the VM and the step of initiating a first authentication request to the authentication server according to the user information carried in the login request message is executed, that is, step 301 of the VXLAN dynamic access method shown in fig. 3.
Therefore, when the same user repeatedly sends a large number of authentication request messages because of authentication failures, the user can be identified from the locally stored key information. This prevents repeated guest dynamic access points from being created for the same user, prevents the authentication server from receiving a large number of repeated authentication request messages, and reduces the load on the authentication server.
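The flow described in the preceding paragraphs, as a runnable simulation: a guest dynamic access point is created when the first authentication fails; periodic third authentication requests are issued; an access point is judged suspicious when its failure count exceeds the preset number-of-times threshold or its existence duration exceeds the preset duration threshold; the suspicious access point is deleted and only its key information is kept; and a later login whose source MAC matches stored key information is routed to the second authentication request instead of getting a new access point. This is an added example, not code from the patent or from H3C. The AuthServer, Record and Vtep classes, the tick-based clock, the threshold values and the sample MAC and IP addresses are all constructed for illustration. Two behaviours the text leaves open are assumptions marked in the comments: a passing third authentication promotes the VM to a service access point, and a repeated login from a stored MAC sends no new request until the first authentication period has elapsed. Setting evict_suspicious to False keeps every guest access point, which reproduces the prior-art behaviour the description contrasts against.

```python
from dataclasses import dataclass

PASS, FAIL = "pass", "fail"


class AuthServer:  # stand-in for the authentication server: only provisioned MACs pass (constructed)
    def __init__(self):
        self.registered = set()

    def authenticate(self, mac: str) -> str:
        return PASS if mac in self.registered else FAIL


@dataclass
class Record:              # a guest dynamic access point, or the key information kept after deleting one
    mac: str
    ip: str
    since: int             # tick at which the access point was created / the key information was stored
    fail_count: int = 0    # third-authentication results that came back as failures


class Vtep:
    def __init__(self, auth, *, capacity, fail_threshold, duration_threshold,
                 first_auth_period, second_auth_period, evict_suspicious=True):
        self.auth = auth
        self.capacity = capacity                      # specification of guest dynamic access points
        self.fail_threshold = fail_threshold          # preset number-of-times threshold
        self.duration_threshold = duration_threshold  # preset duration threshold
        self.first_auth_period = first_auth_period    # period of the second authentication request
        self.second_auth_period = second_auth_period  # period of the third authentication request
        self.evict_suspicious = evict_suspicious      # False keeps every guest AP (prior-art behaviour)
        self.guest_aps = {}                           # mac -> Record
        self.key_info = {}                            # mac -> Record (key information only)
        self.service_aps = set()
        self.rejected = 0                             # logins refused because the table was full

    def handle_login(self, mac: str, ip: str, now: int) -> str:
        if mac in self.key_info:                      # source MAC matches stored key information:
            return self._second_auth(mac, now)        # re-authenticate, do not create another AP
        if self.auth(mac) == PASS:                    # first authentication request
            self.service_aps.add(mac)
            return "service"
        if mac in self.guest_aps:
            return "guest"
        if len(self.guest_aps) >= self.capacity:
            self.rejected += 1
            return "rejected"
        self.guest_aps[mac] = Record(mac, ip, now)
        return "guest"

    def _second_auth(self, mac: str, now: int) -> str:
        if now - self.key_info[mac].since < self.first_auth_period:
            return "waiting"                          # assumption: no request before the period elapses
        del self.key_info[mac]                        # one second authentication decides the record
        if self.auth(mac) == PASS:
            self.service_aps.add(mac)                 # passed: VXLAN service access point
            return "service"
        return "dropped"                              # failed: key information deleted

    def tick(self, now: int) -> None:
        for mac, ap in list(self.guest_aps.items()):
            if now == ap.since or (now - ap.since) % self.second_auth_period:
                continue
            if self.auth(mac) == PASS:                # third authentication request
                del self.guest_aps[mac]               # assumption: a pass promotes the VM
                self.service_aps.add(mac)
                continue
            ap.fail_count += 1
            suspicious = (ap.fail_count > self.fail_threshold
                          or now - ap.since > self.duration_threshold)
            if self.evict_suspicious and suspicious:
                self.key_info[mac] = Record(mac, ap.ip, now)
                del self.guest_aps[mac]               # free the slot, keep only the key information
        for mac, info in list(self.key_info.items()):
            if now - info.since >= self.first_auth_period:
                self._second_auth(mac, now)


def simulate(evict_suspicious: bool) -> dict:
    server = AuthServer()
    vtep = Vtep(server.authenticate, capacity=8, fail_threshold=2, duration_threshold=30,
                first_auth_period=10, second_auth_period=5, evict_suspicious=evict_suspicious)
    attackers = [f"02:00:00:00:00:{i:02x}" for i in range(12)]   # constructed: never pass authentication
    legit, result = "02:00:00:00:ff:01", {}
    for now in range(60):
        vtep.tick(now)
        if now < len(attackers):                      # twelve logins into a table with room for eight
            vtep.handle_login(attackers[now], f"10.0.0.{now + 1}", now)
        if now == 17:                                 # first attacker logs in again after eviction
            result["attacker_relogin"] = vtep.handle_login(attackers[0], "10.0.0.1", now)
        if now == 25:                                 # real user whose account is not provisioned yet
            result["legit_first"] = vtep.handle_login(legit, "10.0.1.1", now)
        if now == 30:
            server.registered.add(legit)              # the account gets provisioned
    result["legit_service"] = legit in vtep.service_aps
    result["rejected"] = vtep.rejected
    return result
```

With eviction enabled the eight attacker access points are deleted after three failed third authentications, the re-login from the first attacker at tick 17 is answered from the stored key information without a new access point, and the legitimate user who arrives at tick 25 gets a guest access point and is promoted once provisioned; with eviction disabled the table stays full and that user is rejected.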
The embodiment of the present application also provides a VXLAN dynamic access apparatus. Referring to fig. 7, fig. 7 is a schematic structural diagram of a VXLAN dynamic access apparatus according to an embodiment of the present application; the apparatus comprises a first initiating unit 701, a first creating unit 702, a first judging unit 703 and a first deleting unit 704, where:
the first initiating unit is configured to receive a login request message from a virtual machine VM and to initiate a first authentication request to an authentication server according to the user information carried in the login request message;
the first creating unit is configured to create a guest dynamic access point corresponding to the VM when the first authentication result corresponding to the first authentication request is that authentication fails;
the first judging unit is configured to judge whether the login request message is a suspicious message according to the information recorded by the guest dynamic access point and the access rule set for the guest access point;
the first deleting unit is configured, when the first judging unit determines that the login request message is a suspicious message, to locally store key information of the guest dynamic access point and to delete the guest dynamic access point, where the key information includes the user information of the VM.
In one embodiment of the present application, the apparatus further comprises:
a second initiating unit, configured to initiate, according to a preset first authentication period, a second authentication request to the authentication server according to the locally stored user information of the VM;
a second deleting unit, configured to delete the key information locally when the second authentication result corresponding to the second authentication request is that authentication fails;
and a second creating unit, configured to create the VXLAN service access point corresponding to the VM when the second authentication result is that authentication is passed.
In another embodiment of the present application, the second deleting unit comprises a first obtaining subunit, a generating subunit, a sending subunit, a first judging subunit, a first determining subunit and a deleting subunit, where:
the first obtaining subunit is configured to obtain the IP address of the VM from the guest dynamic access point;
the generating subunit is configured to generate a detection message for the VM according to the IP address;
the sending subunit is configured to send the detection message to the VM according to a preset detection period;
the first judging subunit is configured to judge whether a detection message response from the VM is received within a preset detection time period;
the first determining subunit is configured to determine that the login request message is a malicious request message when the first judging subunit finds that no detection message response from the VM was received within the preset detection time period;
and the deleting subunit is configured to delete the key information locally when the login request message is a malicious request message and the second authentication results corresponding to the second authentication requests are all authentication failures.
In another embodiment of the present application, the apparatus further comprises:
a second judging unit, configured to judge whether a MAC address matching the source MAC address carried in the login request message is stored locally;
a first executing unit, configured to execute the step of initiating a first authentication request to the authentication server according to the user information carried in the login request message when the second judging unit finds that no MAC address matching the source MAC address is stored locally;
and a second executing unit, configured to execute the step of initiating, according to the preset first authentication period, a second authentication request to the authentication server according to the access information of the VM in the locally stored key information when the second judging unit finds that a MAC address matching the source MAC address is stored locally.
In another embodiment of the present application, the first judging unit 703 comprises a second obtaining subunit, an initiating subunit, a second judging subunit and a second determining subunit, where:
the second obtaining subunit is configured to obtain the source MAC address from the information recorded by the guest dynamic access point;
the initiating subunit is configured to initiate, according to a preset second authentication period, a third authentication request to the authentication server according to the source MAC address;
the second judging subunit is configured to judge whether the third authentication results corresponding to the third authentication requests are all authentication failures and the number of failures exceeds a preset number-of-times threshold, or whether the third authentication results are authentication failures and the existence duration of the guest dynamic access point exceeds a preset duration threshold;
and the second determining subunit is configured to determine that the login request message is a suspicious message when either of the two conditions checked by the second judging subunit holds.
In yet another embodiment of the present application, the apparatus further comprises:
a generating unit, configured to generate a record table from the locally stored key information of the guest dynamic access points;
and an establishing unit, configured to establish a public guest dynamic access point for the VMs corresponding to all guest dynamic access points stored in the record table.
Therefore, when the VXLAN dynamic access apparatus provided in this embodiment determines that a login request message is a suspicious message, it can locally store the key information of the guest dynamic access point corresponding to the suspicious message and delete that access point, so that the number of created guest dynamic access points does not grow until it reaches the specification of guest dynamic access points. Thus, even if the VTEP device receives a large number of attack messages, the number of created guest dynamic access points cannot become excessive, and when the VTEP device subsequently receives login request messages from normal users, new guest dynamic access points can still be created without affecting the normal use of user services.
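The second deleting unit's probe-based purge (a detection message sent to the VM's IP once per detection period, the absence of any response within the detection time period marking the request as malicious, and key information deleted only when the request is malicious and all second authentications failed) together with the generating and establishing units (record table and public guest dynamic access point), as an added example that is not part of the patent or of H3C's implementation. KeyInfoStore, send_probe, REACHABLE and the sample entries are constructed; a real VTEP would send an ARP or ICMP probe to the VM's IP address, which the send_probe callback stands in for here.

```python
from dataclasses import dataclass, field

PASS, FAIL = "pass", "fail"


@dataclass
class KeyInfo:
    mac: str
    ip: str
    second_auth_results: list = field(default_factory=list)  # outcomes of the periodic second authentication
    malicious: bool = False                                  # set by the probe-based detection below


class KeyInfoStore:
    """Key information kept after guest access points are deleted, with the probe-based purge."""

    def __init__(self, send_probe, *, detect_period: int, detect_duration: int):
        self.send_probe = send_probe            # callable(ip) -> True if the VM answered (constructed stand-in)
        self.detect_period = detect_period      # preset detection period: interval between probes
        self.detect_duration = detect_duration  # preset detection time period: how long to wait for a reply
        self.entries = {}

    def add(self, mac: str, ip: str) -> None:
        self.entries[mac] = KeyInfo(mac, ip)

    def record_second_auth(self, mac: str, result: str) -> None:
        self.entries[mac].second_auth_results.append(result)

    def detect(self, mac: str) -> bool:
        """Send one detection message per detection period during the detection time period;
        if no response arrives at all, the login request is judged malicious."""
        info = self.entries[mac]
        answered = 0
        for _ in range(0, self.detect_duration, self.detect_period):
            answered += bool(self.send_probe(info.ip))
        info.malicious = answered == 0
        return info.malicious

    def purge(self) -> list:
        """Delete key information only for VMs that are malicious AND whose second
        authentications were all failures; entries not yet re-authenticated are kept."""
        gone = [m for m, i in self.entries.items()
                if i.malicious and i.second_auth_results
                and all(r == FAIL for r in i.second_auth_results)]
        for m in gone:
            del self.entries[m]
        return gone

    def record_table(self) -> list:
        return [(i.mac, i.ip, tuple(i.second_auth_results)) for i in self.entries.values()]

    def public_guest_ap(self) -> dict:
        """One shared guest dynamic access point for every VM left in the record table."""
        return {"name": "guest-public", "members": sorted(self.entries)}


REACHABLE = {"10.0.0.2"}   # constructed: only this VM IP answers detection messages


def run_demo() -> dict:
    store = KeyInfoStore(lambda ip: ip in REACHABLE, detect_period=2, detect_duration=6)
    # Constructed entries:
    #  ...01: spoofed source, nothing answers at its IP, every second authentication failed -> purged
    #  ...02: real but unprovisioned VM, answers probes, authentication fails -> kept in the record table
    #  ...03: unreachable but not yet re-authenticated -> kept until a second authentication result exists
    samples = {"02:00:00:00:00:01": ("10.0.0.1", [FAIL, FAIL]),
               "02:00:00:00:00:02": ("10.0.0.2", [FAIL, FAIL]),
               "02:00:00:00:00:03": ("10.0.0.3", [])}
    for mac, (ip, results) in samples.items():
        store.add(mac, ip)
        for r in results:
            store.record_second_auth(mac, r)
        store.detect(mac)
    purged = store.purge()
    return {"purged": purged, "table": store.record_table(), "public_ap": store.public_guest_ap(),
            "malicious": {m: i.malicious for m, i in store.entries.items()}}
```

The AND in purge matters: an unreachable VM whose second authentication has not yet produced a result stays in the record table, so a transient outage alone never erases a real user's key information; only the combination of no probe response and an unbroken run of authentication failures does.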
An embodiment of the present application further provides a VTEP device, as shown in fig. 8, which is a structural diagram of the VTEP device according to the embodiment. In fig. 8, the VTEP device comprises a processor 801, a communication interface 802, a memory 803 and a communication bus 804, where the processor 801, the communication interface 802 and the memory 803 communicate with each other through the communication bus 804;
the memory 803 is configured to store a computer program;
the processor 801 is configured to implement the following steps when executing the program stored in the memory 803:
receiving a login request message from a virtual machine (VM), and initiating a first authentication request to an authentication server according to the user information carried in the login request message;
when the first authentication result corresponding to the first authentication request is that authentication is not passed, creating a guest dynamic access point corresponding to the VM;
judging whether the login request message is a suspicious message according to the information recorded by the guest dynamic access point and the access rule set for the guest access point;
if so, locally saving key information of the guest dynamic access point and deleting the guest dynamic access point, where the key information includes the user information of the VM.
The communication bus of the above device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like, and may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration only one thick line is shown, which does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the device and other devices.
The memory may include a random access memory (RAM) or a non-volatile memory (NVM), such as at least one disk memory; it may also be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), or the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
Therefore, when the VTEP device provided by this embodiment determines that a login request message is a suspicious message, it can locally store the key information of the guest dynamic access point corresponding to the suspicious message and delete that access point, so that the number of created guest dynamic access points does not grow until it reaches the specification of guest dynamic access points. Thus, even if the VTEP device receives a large number of attack messages, the number of created guest dynamic access points cannot become excessive, and when the VTEP device subsequently receives login request messages from normal users, new guest dynamic access points can still be created without affecting the normal use of user services.
An embodiment of the present application further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the following steps:
receiving a login request message from a virtual machine (VM), and initiating a first authentication request to an authentication server according to the user information carried in the login request message;
when the first authentication result corresponding to the first authentication request is that authentication is not passed, creating a guest dynamic access point corresponding to the VM;
judging whether the login request message is a suspicious message according to the information recorded by the guest dynamic access point and the access rule set for the guest access point;
if so, locally saving key information of the guest dynamic access point and deleting the guest dynamic access point, where the key information includes the user information of the VM.
As can be seen, when the program stored on the computer-readable storage medium provided in this embodiment determines that a login request message is a suspicious message, it can locally store the key information of the guest dynamic access point corresponding to the suspicious message and delete that access point, so that the number of created guest dynamic access points does not grow until it reaches the specification of guest dynamic access points. Thus, even if the VTEP device receives a large number of attack messages, the number of created guest dynamic access points cannot become excessive, and when the VTEP device subsequently receives login request messages from normal users, new guest dynamic access points can still be created without affecting the normal use of user services.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only for the preferred embodiment of the present application, and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application are included in the protection scope of the present application.

Claims (14)

1. A VXLAN dynamic access method is applied to VXLAN tunnel endpoint VTEP equipment, and comprises the following steps:
receiving a login request message from a Virtual Machine (VM), and initiating a first authentication request to an authentication server according to user information carried in the login request message;
when a first authentication result corresponding to the received first authentication request is that authentication is not passed, creating a visitor dynamic access point corresponding to the VM;
judging whether the login request message is a suspicious message or not according to the information recorded by the visitor dynamic access point and an access rule set for the visitor access point;
if yes, locally saving key information of the visitor dynamic access point, and deleting the visitor dynamic access point, wherein the key information comprises: user information of the VM.
2. The method of claim 1, wherein after the step of deleting the guest dynamic access point, the method further comprises:
according to a preset first authentication period, a second authentication request is sent to the authentication server according to the locally stored user information of the VM;
when a second authentication result corresponding to the received second authentication request is that authentication is not passed, deleting the key information from the local area;
and when the received second authentication result is that the authentication is passed, creating the VXLAN service access point corresponding to the VM.
3. The method according to claim 2, wherein the step of locally deleting the key information when the second authentication result corresponding to the received second authentication request is authentication failure comprises:
acquiring the IP address of the VM from the key information of the dynamic visitor access point;
generating a detection message aiming at the VM according to the IP address;
sending the detection message to the VM according to a preset detection period;
judging whether a detection message response from the VM is received or not within a preset detection time period;
if the detection message response from the VM is not received within a preset detection time period, determining that the login request message is a malicious request message;
and when the login request message is a malicious request message and the second authentication results corresponding to the received second authentication request are all authentication failures, deleting the key information from the local.
4. The method according to claim 2, wherein after the step of receiving the login request message from the virtual machine VM, the method further comprises:
judging whether an MAC address matched with the source MAC address carried in the login request message is stored locally;
if not, executing the step of initiating a first authentication request to an authentication server according to the user information carried in the login request message;
and if so, executing the step of initiating a second authentication request to the authentication server according to the locally stored user information of the VM according to a preset first authentication period.
5. The method of claim 1, wherein the step of determining whether the login request message is a suspicious message according to the information recorded by the visitor dynamic access point and the access rule set for the visitor access point comprises:
acquiring a source MAC address from information recorded by the visitor dynamic access point;
according to a preset second authentication period, a third authentication request is sent to the authentication server according to the source MAC address;
judging whether the third authentication results corresponding to the received third authentication request are both authentication failures and whether the times of the third authentication results that the authentication failures exceed a preset time threshold or not, or judging whether the third authentication results corresponding to the received third authentication request are authentication failures and whether the existence duration of the visitor dynamic access point exceeds a preset time threshold or not;
if so, determining that the login request message is a suspicious message.
6. The method of claim 1, wherein after the steps of locally saving key information of the guest dynamic access point and deleting the guest dynamic access point, the method further comprises:
generating a record table according to the locally stored key information of the visitor dynamic access point;
and establishing a public visitor dynamic access point aiming at VMs corresponding to all visitor dynamic access points stored in the record table.
7. A virtual extensible local area network, VXLAN, dynamic access apparatus, comprising:
a first initiating unit, configured to receive a login request message from a virtual machine VM and to initiate a first authentication request to an authentication server according to user information carried in the login request message;
a first creating unit, configured to create a dynamic visitor access point corresponding to the VM when a first authentication result corresponding to the received first authentication request is that authentication fails;
the first judging unit is used for judging whether the login request message is a suspicious message or not according to the information recorded by the visitor dynamic access point and an access rule set for the visitor access point;
a first deleting unit, configured to locally store key information of the dynamic visitor access point and delete the dynamic visitor access point if the determination result of the first determining unit is that the login request packet is a suspicious packet, where the key information includes: user information of the VM.
8. The apparatus of claim 7, further comprising:
a second initiating unit, configured to initiate a second authentication request to the authentication server according to the locally stored user information of the VM in a preset first authentication period;
a second deleting unit, configured to delete the key information from the local area when a second authentication result corresponding to the received second authentication request is that authentication fails;
and the second creating unit is used for creating the VXLAN service access point corresponding to the VM when the received second authentication result is that the authentication is passed.
9. The apparatus of claim 8, wherein the second deleting unit comprises: the system comprises a first acquisition subunit, a generation subunit, a sending subunit, a first judgment subunit, a first determination subunit and a deletion subunit;
the first obtaining subunit is configured to obtain an IP address of the VM from key information of the dynamic visitor access point;
the generating subunit is configured to generate a detection packet for the VM according to the IP address;
the sending subunit is configured to send the detection packet to the VM according to a preset detection period;
the first judging subunit is configured to judge whether a detection message response from the VM is received within a preset detection time period;
the first determining subunit is configured to determine that the login request packet is a malicious request packet if the determination result of the first judging subunit is that no probe packet response from the VM is received within a preset probe time period;
and the deleting subunit is configured to delete the key information from the local area when the login request message is a malicious request message and the second authentication results corresponding to the received second authentication request are all authentication failures.
10. The apparatus of claim 8, further comprising:
a second judging unit, configured to judge whether an MAC address matching the source MAC address carried in the login request packet is stored locally;
a first executing unit, configured to execute the step of initiating a first authentication request to an authentication server according to user information carried in the login request message if a determination result of the second determining unit is that an MAC address matched with a source MAC address carried in the login request message is not locally stored;
a second executing unit, configured to execute the step of initiating a second authentication request to the authentication server according to the locally stored user information of the VM according to a preset first authentication period if the determination result of the second determining unit is that the MAC address matching the source MAC address carried in the login request message is locally stored.
11. The apparatus according to claim 7, wherein the first determining unit comprises: the second acquiring subunit, the initiating subunit, the second judging subunit and the second determining subunit;
the second obtaining subunit is configured to obtain the source MAC address from information recorded by the visitor dynamic access point;
the initiating subunit is configured to initiate, according to a preset second authentication period, a third authentication request to the authentication server according to the source MAC address;
the second judging subunit is configured to judge whether the third authentication results corresponding to the received third authentication request are both authentication failures and whether the number of times that the third authentication results are authentication failures exceeds a preset number-of-times threshold, or whether the third authentication results corresponding to the received third authentication request are authentication failures and whether the existence duration of the dynamic visitor access point exceeds a preset duration threshold;
the second determining subunit is configured to determine that the login request packet is a suspicious packet if the determination result of the second determining subunit indicates that the third authentication results corresponding to the received third authentication request are both authentication failures and the times of the third authentication results that the authentication failures exceed a preset time threshold, or the determination result of the second determining subunit indicates that the third authentication results corresponding to the received third authentication requests are authentication failures and the existence duration of the dynamic access point of the visitor exceeds a preset time threshold.
12. The apparatus of claim 7, further comprising:
the generation unit is used for generating a record table according to the locally stored key information of the visitor dynamic access point;
and the establishing unit is used for establishing a public visitor dynamic access point aiming at the VMs corresponding to all the visitor dynamic access points stored in the record table.
13. A virtual extended local area network, VTEP, device comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the processor being caused by the machine-executable instructions to: carrying out the method steps of any one of claims 1 to 6.
14. A machine-readable storage medium having stored thereon machine-executable instructions that, when invoked and executed by a processor, cause the processor to: carrying out the method steps of any one of claims 1 to 6.
CN201710591196.XA 2017-07-19 2017-07-19 VXLAN dynamic access method, device, equipment and medium Active CN107547345B (en)

Publications (2)

Publication Number Publication Date
CN107547345A CN107547345A (en) 2018-01-05
CN107547345B true CN107547345B (en) 2021-01-29

Family

ID=60970334

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230627

Address after: 310052 11th Floor, 466 Changhe Road, Binjiang District, Hangzhou City, Zhejiang Province

Patentee after: H3C INFORMATION TECHNOLOGY Co.,Ltd.

Address before: 310052 Changhe Road, Binjiang District, Hangzhou, Zhejiang Province, No. 466

Patentee before: NEW H3C TECHNOLOGIES Co.,Ltd.