CN114866313B - Path forwarding verification method, system, equipment and storage medium - Google Patents


Info

Publication number: CN114866313B
Application number: CN202210468520.XA
Authority: CN (China)
Prior art keywords: verification, target, data packet, data, controller
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN114866313A (en)
Inventors: 焦海, 程宝平, 吴庆航
Current assignee: China Mobile Communications Group Co Ltd; China Mobile Hangzhou Information Technology Co Ltd
Original assignee: China Mobile Communications Group Co Ltd; China Mobile Hangzhou Information Technology Co Ltd
Application filed by China Mobile Communications Group Co Ltd and China Mobile Hangzhou Information Technology Co Ltd; priority to CN202210468520.XA; published as CN114866313A; application granted and published as CN114866313B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L49/00 Packet switching elements
    • H04L49/30 Peripheral units, e.g. input or output ports

Abstract

The application discloses a path forwarding verification method, system, device and storage medium comprising the following steps: when a data stream is received through the ingress switch, each data packet in the data stream is marked to obtain target data packets; if an intermediate switch detects that a target data packet carries the verification tag, it generates target verification information based on the target data packet and the circumference ratio (pi), reports the target verification information to the controller and forwards the target data packet; the controller receives the target verification information and performs anti-verification processing on it to obtain a verification result; and if the egress switch detects that the target data packet carries the verification tag, it acquires the verification flow table issued by the controller based on the target data packet and releases or discards the data stream based on that flow table. The method and device address the technical problem that verifying only the header information of a data stream leaves a potential security risk of data tampering.

Description

Path forwarding verification method, system, equipment and storage medium
Technical Field
The present disclosure relates to the field of communications networks, and in particular, to a path forwarding verification method, system, device, and storage medium.
Background
SDN (Software Defined Network) is a novel network architecture whose core idea is to separate the control plane and the forwarding plane of network equipment, so as to control network traffic flexibly and adapt to changing service demands. Current SDN-based path verification methods verify only the header information of a data stream; a forged data stream therefore passes verification easily, that is, a potential security risk of data tampering exists.
Disclosure of Invention
The main purpose of the application is to provide a path forwarding verification method, system, device and storage medium that solve the technical problem of the prior art that verification is carried out only on the header information of a data stream, leaving a potential security risk of data tampering.
In order to achieve the above object, the present application provides a path forwarding verification method applied to a path forwarding verification system, where the path forwarding verification system includes an ingress switch, at least one intermediate switch, an egress switch, and a controller, the path forwarding verification method includes:
when a data stream that is issued by the controller and meets the preset data stream marking option is received through the ingress switch, marking each data packet in the data stream to obtain target data packets, each carrying a verification tag or a data tag, and forwarding each target data packet to the intermediate switch;
if the intermediate switch detects that the target data packet carries the verification tag, generating target verification information based on the target data packet and the circumference ratio pi, reporting the target verification information to the controller, and forwarding the target data packet;
receiving the target verification information reported by the intermediate switch through the controller, and performing anti-verification processing on the target verification information to obtain a verification result;
if the egress switch detects that the target data packet carries the verification tag, obtaining the verification flow table issued by the controller based on the target data packet, and releasing or discarding the data stream based on the verification flow table.
The application also provides a path forwarding verification system, which is a virtual system comprising an ingress switch, at least one intermediate switch, an egress switch and a controller, wherein:
the ingress switch is configured to, when receiving a data stream that satisfies a preset data stream marking option issued by the controller, mark each data packet in the data stream to obtain target data packets, each carrying a verification tag or a data tag, and forward each target data packet to the intermediate switch;
the intermediate switch is configured to generate target verification information based on the target data packet and the circumference ratio pi if the verification tag is present in the target data packet, report the target verification information to the controller, and forward the target data packet;
the controller is configured to receive the target verification information reported by the intermediate switch and perform anti-verification processing on it to obtain a verification result;
and the egress switch is configured to, if it detects that the target data packet carries the verification tag, acquire the verification flow table issued by the controller based on the target data packet, and release or discard the data stream based on the verification flow table.
The application also provides a path forwarding verification device, which is a physical device comprising a memory, a processor and a path forwarding verification program stored on the memory, where the path forwarding verification program is executed by the processor to realize the steps of the path forwarding verification method described above.
The present application also provides a storage medium that is a computer-readable storage medium, on which a path forwarding verification program is stored, the path forwarding verification program being executed by a processor to implement the steps of the path forwarding verification method as described above.
The application provides a path forwarding verification method, system, device and storage medium. First, when a data stream meeting the preset data stream marking option is received through the ingress switch, each data packet in the data stream is marked to obtain target data packets, each carrying a verification tag or a data tag, and the target data packets are forwarded to the intermediate switch; because only streams that meet the preset option are marked, traffic not marked by the ingress switch is never forwarded, which ensures the security of the data flowing through the system. Further, if the intermediate switch detects the verification tag in a target data packet, it generates target verification information based on the target data packet and the circumference ratio pi and reports it to the controller; the controller receives the target verification information reported by the intermediate switch and performs anti-verification processing on it, so that the content of the data segment is verified rather than the header information alone. Further, if the egress switch detects the verification tag, it obtains the verification flow table issued by the controller for the target data packet and releases or discards the data stream accordingly, so that the whole forwarding path of the data stream is verified. This solves the technical problem that verifying only the header information of a data stream leaves a potential security risk of data tampering.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the description of the embodiments or the prior art will be briefly described below, and it will be obvious to those skilled in the art that other drawings can be obtained from these drawings without inventive effort.
Fig. 1 is a schematic diagram of a path forwarding verification system architecture according to an embodiment of the path forwarding verification method of the present application;
fig. 2 is a schematic flow chart of a first embodiment of a path forwarding verification method according to the present application;
FIG. 3 is a flowchart of a second embodiment of a path forwarding verification method according to the present application;
FIG. 4 is a flowchart illustrating a third embodiment of a path forwarding verification method according to the present application;
fig. 5 is a schematic diagram of a path forwarding verification device of a hardware running environment according to an embodiment of the present application;
the achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
Specifically, referring to fig. 1, fig. 1 is a schematic diagram of a path forwarding verification system architecture related to an embodiment scheme of a path forwarding verification method in the present application.
As shown in fig. 1, in the whole SDN network, the path forwarding verification system includes an ingress switch, at least one intermediate switch, an egress switch, and a controller, where the controller is communicatively connected to each switch, the ingress switch is communicatively connected to the intermediate switch, and the intermediate switch is communicatively connected to the egress switch.
Specifically, the interaction principle of the path forwarding verification system is as follows:
the controller issues an initial flow table to all switches on a network link, and it is to be noted that, the table items of the initial flow table integrate network configuration information of each layer in the network, and in the operation process of the switches, the basis of data forwarding is the initial flow table, so that richer rules can be used when the switches forward data;
when the ingress switch receives a data stream that is issued by the controller and meets the preset data stream marking option, it marks each data packet in the data stream to obtain target data packets, each carrying a verification tag or a data tag, and forwards each target data packet to the intermediate switch;
if the intermediate switch detects that the target data packet carries the verification tag, it performs HMAC hash processing on the target data packet to obtain a data digest, generates target verification information based on the data digest and the circumference ratio pi, reports the target verification information to the controller, and forwards the target data packet;
the controller receives the target verification information reported by the intermediate switch and performs anti-verification processing on it to obtain a verification result;
if the egress switch detects that the target data packet carries the verification tag, it reports the target data packet to the controller; or, alternatively, it performs HMAC (Hash-based Message Authentication Code) processing on the target data packet to obtain the data digest to be verified and reports that digest to the controller;
when the controller receives a target data packet reported by the egress switch, it performs HMAC processing on the target data packet to obtain the data digest to be verified and queries the verification result corresponding to that digest; when the controller receives a data digest to be verified reported by the egress switch, it directly queries the verification result corresponding to that digest; the controller then issues the verification flow table corresponding to the verification result to the egress switch, where the verification flow table is either a discard flow table or a release flow table;
the egress switch passes or discards the data stream based on the verification flow table.
In addition, after receiving the target verification information reported by the intermediate switch, the controller forms a forwarding path of the data stream according to the identification tag of the intermediate switch.
Based on, but not limited to, the above path forwarding verification system architecture, the embodiments of the path forwarding verification method of the present application are proposed.
Specifically, referring to fig. 2, in a first embodiment of the path forwarding verification method of the present application, the path forwarding verification method includes:
step S10, when a data stream that is issued by the controller and meets the preset data stream marking option is received through the ingress switch, marking each data packet in the data stream to obtain target data packets, each carrying a verification tag or a data tag, and forwarding each target data packet to the intermediate switch;
in this embodiment, it should be noted that, before forwarding data, the initial flow table is issued to each switch on the network link by the controller, and because the table entry of the initial flow table integrates network configuration information of each layer in the network, in the running process of the switch in the SDN network environment, the controller may control the data forwarding operation of the switch by issuing the initial flow table to the switch, and additionally, the initial flow table includes a key, so that the switch may generate a corresponding data summary based on the key and the data packet.
Further, it should be noted that, the data flow of the preset data flow marking option is a data flow meeting the preset information of the IP address, the protocol, the port, and the like, that is, the specific information of the IP address, the protocol, the port, and the like is preset in the ingress switch, and when the data flow is received to meet the preset data flow marking option, the data flow is proved to be a data flow to be forwarded, where one data flow includes a plurality of data packets.
As an implementation manner, specifically, the controller issues the data stream to the ingress switch, and the ingress switch receives it and judges whether the received data stream meets the preset data stream marking option. If it does, a preset number of data packets are extracted according to a preset marking extraction proportion and marked with the verification tag, giving a plurality of target data packets with the verification tag, and the remaining data packets are marked with the data tag, giving a plurality of target data packets with the data tag; each target data packet is then forwarded to the intermediate switch. A target data packet with the verification tag is a data packet that needs verification, and a target data packet with the data tag is a data packet that needs no verification. The preset marking extraction proportion is set manually according to practical conditions, and in order to improve the efficiency of data forwarding verification the number of data packets with the verification tag is usually far smaller than the number with the data tag; for example, 10% of the data packets are extracted and given the verification tag and the remaining 90% are given the data tag. Additionally, if the received data stream does not meet the preset data stream marking option, no tag is applied and the data stream is not forwarded.
Wherein after the step of forwarding each of the target data packets to the intermediate switch, further comprises:
step a1, if the intermediate switch detects that the data label exists in the target data packet, forwarding the target data packet;
and step a2, if the intermediate switch detects that the target data packet carries neither the data tag nor the verification tag, uploading the target data packet to the controller and discarding the target data packet.
In this embodiment, specifically, if the intermediate switch detects that the target data packet carries the data tag, this proves that the target data packet need not be submitted to a verification operation; thus not every data packet in the data stream has to be verified, which improves the forwarding verification efficiency of the data stream.
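Steps S10, a1 and a2 as an added worked example in Python; this is illustrative code written for this page, not code from the patent or its applicants. It assumes that the preset data stream marking option is a match on source IP, destination IP, protocol and destination port, and that the preset marking extraction proportion is realised by tagging one packet in every `extract_every` packets for verification (10 gives the 10% / 90% split the text mentions); the packets and option values are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

VERIFICATION_TAG = "verification"   # packet must be verified by intermediate switches
DATA_TAG = "data"                   # packet is forwarded without verification


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int
    payload: bytes
    tag: Optional[str] = None       # set by the ingress switch (step S10)


@dataclass
class MarkingOption:
    """Preset data stream marking option issued by the controller (assumed
    to be an exact match on the fields the text names: IP, protocol, port)."""
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int

    def matches(self, pkt: Packet) -> bool:
        return (pkt.src_ip, pkt.dst_ip, pkt.protocol, pkt.dst_port) == (
            self.src_ip, self.dst_ip, self.protocol, self.dst_port)


def mark_stream(stream: List[Packet], option: MarkingOption,
                extract_every: int = 10) -> List[Packet]:
    """Ingress switch, step S10.

    Returns the tagged target data packets to forward, or an empty list when
    the stream does not meet the marking option (it is then neither tagged
    nor forwarded).  Assumption: one packet in every `extract_every` receives
    the verification tag, the rest the data tag.
    """
    if not stream or not all(option.matches(p) for p in stream):
        return []
    for i, pkt in enumerate(stream):
        pkt.tag = VERIFICATION_TAG if i % extract_every == 0 else DATA_TAG
    return list(stream)


def intermediate_action(pkt: Packet) -> str:
    """Intermediate switch, steps a1, a2 and S20: decide by tag."""
    if pkt.tag == DATA_TAG:
        return "forward"                      # step a1
    if pkt.tag == VERIFICATION_TAG:
        return "report_and_forward"           # step S20
    return "upload_and_discard"               # step a2: not marked by the ingress switch
```

A packet that reaches an intermediate switch without either tag is the interesting case: it cannot have passed through the ingress marking step, so it is handed to the controller and dropped rather than forwarded.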
Step S20, if the intermediate switch detects that the verification tag is present in the target data packet, generating target verification information based on the target data packet and the circumference ratio pi, reporting the target verification information to the controller, and forwarding the target data packet;
in this embodiment, specifically, the following steps are performed for each of the target data packets:
The intermediate switch detects whether the received target data packet carries the verification tag. If it does, the switch performs HMAC (Hash-based Message Authentication Code) processing on the content of the data segment of the target data packet, using the key in the initial flow table issued by the controller; the HMAC operation is an algorithm that uses a hash function, takes a message M and a key K as inputs and produces a fixed-length data digest as output, and its result is the data digest of the target data packet. The data digest is represented as a code value in a preset number system, which may be binary, octal, hexadecimal and the like; in this embodiment hexadecimal is preferred. The digest is then cut according to a preset cut size, for example every 4 bits when hexadecimal representation is chosen, and the position of each cut piece within the digits of the circumference ratio pi, which is infinite and non-repeating, is searched to obtain a coordinate position for each piece; the coordinate positions form the verification code information. The intermediate switch then encapsulates the target data packet, the data digest and the verification code information into target verification information, reports it to the controller, and forwards the target data packet.
Additionally, since there is at least one intermediate switch in the SDN network environment, when there are multiple intermediate switches one intermediate switch forwards the target data packet to the next, and the step is executed again: if the intermediate switch detects that the target data packet carries the verification tag, it generates target verification information based on the target data packet and the circumference ratio pi, reports it to the controller and forwards the target data packet. That is, every intermediate switch performs the verification encapsulation operation and reports the target verification information generated from the target data packet and pi to the controller, until an intermediate switch forwards the target data packet to the egress switch. Further, when an intermediate switch reports target verification information, the controller stores the identification tag of the reporting switch, so that the corresponding forwarding path can be formed from the identification tags reported by the intermediate switches.
Step S30, receiving target verification information reported by the intermediate switch through the controller, and performing anti-verification processing on the target verification information to obtain a verification result;
In this embodiment, specifically, the controller receives the target verification information reported by the intermediate switch and parses it to obtain the data header information, the data digest and the verification code information of the target data packet; it then verifies the data header information and checks the data digest based on the circumference ratio pi and the verification code information. If the check succeeds, a verification success result for the data digest is stored; if it fails, a verification failure result for the data digest is stored.
Step S40, if the presence of the verification tag in the target data packet is detected by the egress switch, a verification flow table issued by the controller based on the target data packet is obtained, and the data flow is released or discarded based on the verification flow table.
In this embodiment, the following steps are performed for each of the target data packets:
As an implementation manner, specifically, if the egress switch detects the verification tag in the target data packet, it reports the target data packet directly to the controller; when the controller receives the target data packet reported by the egress switch, it performs HMAC processing on the target data packet to obtain the data digest to be verified and then queries the corresponding verification result based on that digest. As another implementation manner, if the egress switch detects the verification tag in the target data packet, the egress switch itself performs HMAC processing on the target data packet to obtain the data digest to be verified and reports that digest to the controller; when the controller receives the data digest to be verified reported by the egress switch, it directly queries the corresponding verification result.
It should be further noted that, after flowing through a plurality of intermediate switches, the target data packet has a plurality of corresponding verification results. The verification results corresponding to the data digest to be verified are queried; if any of them is a verification failure result, a discard flow table is issued to the egress switch, and if none of them is a verification failure result, a release flow table is issued to the egress switch. If the egress switch receives the release flow table issued by the controller, the data stream is released, and if it receives the discard flow table, the data stream is discarded.
According to this scheme, when a data stream meeting the preset data stream marking option is received through the ingress switch, each data packet in the data stream is marked to obtain target data packets, each carrying a verification tag or a data tag, and the target data packets are forwarded to the intermediate switch; because only streams meeting the preset option are marked, traffic not marked by the ingress switch is never forwarded, which ensures the security of the data flowing through the system. Further, if the intermediate switch detects the verification tag in a target data packet, it generates target verification information based on the target data packet and the circumference ratio pi and reports it to the controller; the controller receives the target verification information reported by the intermediate switch and performs anti-verification processing on it, so that the data segment content is verified rather than the header information alone. Further, if the egress switch detects the verification tag, it obtains the verification flow table issued by the controller for the target data packet and releases or discards the data stream accordingly, so that the data stream is verified along its whole forwarding path under the original forwarding conditions. This solves the technical problem that verifying only the header information of a data stream leaves a potential security risk of data tampering.
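The controller side of step S40 (both egress reporting variants, the query over the stored results, and the choice between discard and release flow table), together with the result store of step S30 and the forwarding path formed from the intermediate switches' identification tags, as an added example in Python. This is illustrative code for this page, not the patent's own; it assumes HMAC-SHA256 as the hash, constructed key, switch identifiers and payloads, and an `expected_hops` parameter that the patent does not mention.

```python
import hashlib
import hmac
from collections import defaultdict
from typing import Dict, List, Tuple

DISCARD_FLOW_TABLE = {"action": "drop"}     # constructed flow-table stand-ins
RELEASE_FLOW_TABLE = {"action": "output"}


class Controller:
    """Constructed controller model: holds the key issued in the initial flow
    table, the verification results stored in step S30 (one entry per
    intermediate switch that reported the digest) and the forwarding path
    built from the reporting switches' identification tags."""

    def __init__(self, key: bytes):
        self.key = key
        self.results: Dict[str, List[Tuple[str, bool]]] = defaultdict(list)
        self.paths: Dict[str, List[str]] = defaultdict(list)

    def digest(self, data_segment: bytes) -> str:
        # Same HMAC the switches use; the controller issued the key itself.
        return hmac.new(self.key, data_segment, hashlib.sha256).hexdigest()

    def store_result(self, digest: str, switch_id: str, ok: bool) -> None:
        """Steps S30 / B30 / B40: record success or failure for a digest and
        extend the packet's forwarding path with the reporting switch."""
        self.results[digest].append((switch_id, ok))
        self.paths[digest].append(switch_id)

    def flow_table_for_digest(self, digest: str, expected_hops: int) -> dict:
        """Step S40 on the controller.  The page issues the discard table when
        any failure result exists and the release table otherwise; as an
        assumption beyond the page, this example also fails closed when fewer
        results than expected intermediate switches were recorded."""
        results = self.results.get(digest, [])
        if len(results) < expected_hops:
            return DISCARD_FLOW_TABLE
        if any(not ok for _, ok in results):
            return DISCARD_FLOW_TABLE
        return RELEASE_FLOW_TABLE

    def on_egress_packet(self, data_segment: bytes, expected_hops: int) -> dict:
        """First variant: the egress switch reports the packet and the
        controller computes the digest to be verified."""
        return self.flow_table_for_digest(self.digest(data_segment), expected_hops)

    def on_egress_digest(self, digest: str, expected_hops: int) -> dict:
        """Second variant: the egress switch already computed the digest."""
        return self.flow_table_for_digest(digest, expected_hops)


def egress_apply(flow_table: dict) -> str:
    """Egress switch: release or discard the stream based on the table."""
    return "released" if flow_table == RELEASE_FLOW_TABLE else "discarded"
```

Read literally, the page's rule releases a packet with no recorded results at all, which is what a packet that skipped the intermediate switches would look like; the `expected_hops` check is the one addition that closes that gap, and the stored path lets the controller see which switches actually reported.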
Further, referring to fig. 3, based on the first embodiment of the present application, in another embodiment of the present application, the step of generating target verification information based on the target data packet and the circumference ratio pi, and reporting the target verification information to the controller, includes:
step A10, performing HMAC (Hash-based Message Authentication Code) processing on the data segment content of the target data packet through the ingress switch to obtain a data digest, where the data digest is represented as a coded value in a preset number system;
step A20, cutting the data digest according to a preset cut count to obtain a plurality of cut data;
step A30, searching the position of each cut datum within the circumference ratio pi to obtain a coordinate position for each, and converting each coordinate position into a value in the preset number system to obtain the verification code information;
step A40, encapsulating the target data packet, the data digest and the verification code information to form the target verification information;
and step A50, uploading the target verification information to the controller through the intermediate switch based on a preset reporting mechanism.
In this embodiment, specifically, the ingress switch performs HMAC hash processing on the content of the data segment of the target data packet based on the key in the initial flow table issued by the controller, obtaining a coded value of a certain length in the preset number system, which is used as the data digest; the preset number system may be binary, octal, hexadecimal and the like, and in this embodiment hexadecimal is preferred for the coded representation. Since a 4-bit binary number can be represented by a single hexadecimal digit, the digest can be cut every 4 bits to obtain a plurality of hexadecimal cut data. Each hexadecimal cut datum is converted to decimal, giving a plurality of decimal values; using the property that the circumference ratio pi is infinite and non-repeating, the coordinate position of each decimal value within the digits of pi is searched; and each coordinate position is converted to hexadecimal, forming the verification code information. The target data packet, the data digest and the verification code information are then encapsulated into the target verification information, which is reported to the controller for subsequent verification and query.
According to this embodiment, through the above scheme, the position of the data digest of the data packet within the digits of the circumference ratio pi is searched using the digit characteristics of pi, and the verification code information is obtained, so that the content of the data segment of the data packet is verified, the security of the data segment content is improved, and the data cannot be tampered with.
Further, referring to fig. 4, based on the first embodiment of the present application, in another embodiment of the present application, the step of performing anti-verification processing on the target verification information to obtain a verification result includes:
step B10, parsing the target verification information through the controller to obtain parsed information, where the parsed information includes the data header information, the data digest and the verification code information of the target data packet;
step B20, performing anti-verification on the data header information, the data digest and the verification code information through the controller;
step B30, if the anti-verification succeeds, storing a verification success result corresponding to the data digest;
and step B40, if the anti-verification fails, storing a verification failure result corresponding to the data digest.
In this embodiment, when target verification information reported by an intermediate switch is received through the controller, the controller analyzes the target verification information to obtain a data digest, verification code information, data header information and an identification tag of the intermediate switch corresponding to the target data packet, so as to verify the data header information of the target data packet, where each data packet has the corresponding data header information, and in addition, the data digest and the verification code information need to be verified, specifically, because the verification code information is generated based on the data digest and the natural number pi, the data digest can be checked directly based on the verification code and the natural number pi, if the verification of the data header information is successful, and if the verification of the data digest and the verification code information is successful, the verification success result corresponding to the data digest is stored, and if the verification fails, the verification failure result corresponding to the data digest is stored.
According to the embodiment of the application, through the scheme, verification is performed on the data header information, and the content of the data segment of the data flow is verified by utilizing the unique property of the natural number pi, so that the network problem caused by malicious traffic in the switch is reduced, the data is ensured not to be tampered, and the path forwarding of the data traffic is completed.
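The switch-side coding described above (HMAC digest, 4-bit cut, lookup of each value in pi, coordinates written back as hexadecimal), the controller-side reverse verification of steps B10 to B40, and the later discard/release flow-table decision for the egress switch, as an added Python example that is not part of the patent. The 400-digit pi table, SHA-256 as the HMAC hash, the lookup of each value as two zero-padded decimal digits, the three-hex-digit coordinate width and the sample key and payload are all assumptions of this example.

```python
import hashlib
import hmac

# First 400 fractional digits of pi. A fixed table is an assumption of this
# example; the patent does not say how deep the switch searches.
PI_DIGITS = (
    "14159265358979323846264338327950288419716939937510"
    "58209749445923078164062862089986280348253421170679"
    "82148086513282306647093844609550582231725359408128"
    "48111745028410270193852110555964462294895493038196"
    "44288109756659334461284756482337867831652712019091"
    "45648566923460348610454326648213393607260249141273"
    "72458700660631558817488152092096282925409171536436"
    "78925903600113305305488204665213841469519415116094"
)
FIELD_WIDTH = 3  # hex digits per coordinate; all coordinates here are < 0x1000


def data_digest(key: bytes, data_segment: bytes) -> str:
    """Switch side: HMAC over the data segment, hex encoded (preset system = 16)."""
    return hmac.new(key, data_segment, hashlib.sha256).hexdigest()


def pi_coordinate(value: int) -> int:
    """Coordinate of one 4-bit cut value (0..15) in pi: the first occurrence of
    the value written as two decimal digits. The zero padding is an assumption
    that keeps the map injective (1 and 14 would otherwise share coordinate 0)."""
    pos = PI_DIGITS.find(f"{value:02d}")
    if pos < 0:
        raise ValueError(f"{value} not within the first {len(PI_DIGITS)} digits of pi")
    return pos


def verification_code(digest_hex: str) -> str:
    """Intermediate switch: cut the hex digest every 4 bits, look each piece up
    in pi and write the coordinates back as fixed-width hexadecimal."""
    return "".join(
        format(pi_coordinate(int(nibble, 16)), f"0{FIELD_WIDTH}x")
        for nibble in digest_hex
    )


def reverse_verify(digest_hex: str, code: str) -> bool:
    """Controller: read pi at every coordinate in the code and check that the
    digits found there reproduce the reported digest piece by piece."""
    if len(code) != FIELD_WIDTH * len(digest_hex):
        return False
    ok = True
    for i, nibble in enumerate(digest_hex):
        pos = int(code[i * FIELD_WIDTH:(i + 1) * FIELD_WIDTH], 16)
        if PI_DIGITS[pos:pos + 2] != f"{int(nibble, 16):02d}":
            ok = False  # keep checking every field rather than stopping early
    return ok


def controller_store_result(results: dict, digest_hex: str, code: str) -> bool:
    """Steps B20 to B40: run the reverse verification and store the result
    keyed by the data digest."""
    results[digest_hex] = reverse_verify(digest_hex, code)
    return results[digest_hex]


def egress_flow_table(results: dict, key: bytes, data_segment: bytes) -> str:
    """Controller reply to the egress switch: hash the reported packet with the
    key it issued, look the digest up in the stored results and issue a discard
    or release flow table (packets that were never sampled are released)."""
    digest = data_digest(key, data_segment)
    return "discard" if results.get(digest) is False else "release"


if __name__ == "__main__":
    key = b"key-from-initial-flow-table"  # constructed sample key
    segment = b"constructed data segment"  # constructed sample payload
    digest = data_digest(key, segment)
    code = verification_code(digest)
    results = {}
    controller_store_result(results, digest, code)
    print(egress_flow_table(results, key, segment))  # release
    # the same code no longer matches the digest of a modified segment
    print(reverse_verify(data_digest(key, segment + b"!"), code))  # False
```

The per-field check accepts any occurrence of a value at the reported coordinate, so the controller verifies consistency between digest and code through pi rather than recomputing the code outright.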
Referring to fig. 5, fig. 5 is a schematic diagram of a path forwarding verification device of a hardware running environment according to an embodiment of the present application.
As shown in fig. 5, the path forwarding verification apparatus may include: a processor 1001, such as a CPU, a memory 1005, and a communication bus 1002. The communication bus 1002 is used to implement connection and communication between the processor 1001 and the memory 1005. The memory 1005 may be a high-speed RAM or a non-volatile memory, such as a disk memory. The memory 1005 may optionally also be a storage device separate from the processor 1001 described above.
Optionally, the path forwarding verification device may further include a user interface, a network interface, a camera, an RF (Radio Frequency) circuit, a sensor, an audio circuit, a WiFi module, and the like. The user interface may include a display screen (Display) and an input sub-module such as a keyboard (Keyboard), and may optionally also include a standard wired interface or a wireless interface. The network interface may optionally include a standard wired interface or a wireless interface (e.g., a WiFi interface).
Those skilled in the art will appreciate that the path forwarding verification device structure shown in fig. 5 does not constitute a limitation of the path forwarding verification device, and may include more or fewer components than shown, or may combine certain components, or may be a different arrangement of components.
As shown in fig. 5, an operating system, a network communication module, and a path forwarding verification program may be included in the memory 1005, which is a type of computer storage medium. The operating system is a program that manages and controls the hardware and software resources of the path forwarding verification device, supporting the execution of the path forwarding verification program and of other software and/or programs. The network communication module is used to implement communication between components within the memory 1005 and other hardware and software in the path forwarding verification system.
In the path forwarding verification apparatus shown in fig. 5, a processor 1001 is configured to execute a path forwarding verification program stored in a memory 1005, and implement the steps of the path forwarding verification method described in any one of the above.
The specific implementation manner of the path forwarding verification device in the present application is basically the same as the embodiments of the path forwarding verification method described above, and will not be repeated here.
In addition, the present application also provides a path forwarding verification system, which includes an ingress switch, at least one intermediate switch, an egress switch, and a controller, wherein:
the ingress switch is configured to, when receiving a data stream that satisfies a preset data stream marking option issued by the controller, mark each data packet in the data stream to obtain each target data packet, and forward each target data packet to the intermediate switch, where each target data packet carries either a verification tag or a data tag;
the intermediate switch is configured to generate target verification information based on the target data packet and the circumference ratio if the verification tag exists in the target data packet, report the target verification information to the controller, and forward the target data packet;
the controller is configured to receive the target verification information reported by the intermediate switch and perform reverse verification processing on the target verification information to obtain a verification result;
and the egress switch is configured to, if it detects that the target data packet has the verification tag, acquire a verification flow table issued by the controller based on the target data packet, and release or discard the data flow based on the verification flow table.
The ingress switch is further configured to:
and extracting a preset number of data packets according to a preset verification extraction proportion, marking the verification labels, and marking the data labels for the rest of the data packets to obtain each target data packet.
The intermediate switch is further configured to:
performing HMAC (hash-based message authentication code) processing on the data segment content of the target data packet to obtain a data digest, where the data digest is represented by a coded value in a preset number system;
cutting the data digest according to a preset cutting quantity to obtain a plurality of cut data;
searching the positions of the cut data in the circumference ratio to obtain coordinate positions, and converting the coordinate positions into values in the preset number system to obtain verification code information;
encapsulating the target data packet, the data digest and the verification code information to form target verification information;
and uploading the target verification information to the controller based on a preset reporting mechanism.
The controller is further configured to:
parsing the target verification information to obtain parsed information, where the parsed information includes the data header information, data digest and verification code information of the target data packet;
performing reverse verification on the data header information, the data digest and the verification code information;
if the reverse verification succeeds, storing a verification success result corresponding to the data digest;
if the reverse verification fails, storing a verification failure result corresponding to the data digest.
The intermediate switch is further configured to:
if the target data packet is detected to have the data tag, forwarding the target data packet;
and if it is detected that the target data packet has neither the data tag nor the verification tag, uploading the target data packet to the controller, and discarding the target data packet.
The controller is further configured to: and forming a forwarding path of the data flow by the controller based on the identification tag of the intermediate switch in the target verification information.
The intermediate switch is further configured to: reporting the target data packet to the controller;
the controller is further configured to: carrying out hash processing on the target data packet to obtain a data abstract to be verified, and inquiring a verification result corresponding to the data abstract to be verified;
if the verification result has a verification failure result, the discarded flow table is issued to the outlet switch;
and if the verification result does not have the verification failure result, issuing the release flow table to the outlet switch.
The specific implementation manner of the path forwarding verification system of the present application is basically the same as the embodiments of the path forwarding verification method described above, and will not be described herein again.
Embodiments of the present application provide a storage medium that is a computer-readable storage medium, and the computer-readable storage medium stores one or more programs that are further executable by one or more processors to implement the steps of the path forwarding verification method described in any one of the above.
The specific implementation manner of the computer readable storage medium is basically the same as the above embodiments of the path forwarding verification method, and will not be repeated here.
The foregoing description is only of the preferred embodiments of the present application and is not intended to limit the scope of the claims, and all equivalent structures or equivalent processes using the descriptions and drawings of the present application, or direct or indirect application in other related technical fields are included in the scope of the claims.

Claims (10)

1. A path forwarding verification method, the method being applied to a path forwarding verification system including an ingress switch, at least one intermediate switch, an egress switch, and a controller, the path forwarding verification method comprising:
when receiving, through the ingress switch, a data stream which meets the preset data stream marking option issued by the controller, marking each data packet in the data stream to obtain each target data packet, and forwarding each target data packet to the intermediate switch, wherein each target data packet carries either a verification tag or a data tag;
if the intermediate switch detects that the target data packet has the verification tag, generating target verification information based on the target data packet and the circumference ratio, reporting the target verification information to the controller, and forwarding the target data packet;
receiving, through the controller, the target verification information reported by the intermediate switch, and performing reverse verification processing on the target verification information to obtain a verification result;
if the egress switch detects that the target data packet has the verification tag, obtaining a verification flow table issued by the controller based on the target data packet, and releasing or discarding the data flow based on the verification flow table.
2. The path forwarding verification method of claim 1, wherein the step of generating target verification information based on the target data packet and a circumference ratio and reporting the target verification information to the controller comprises:
performing HMAC (hash-based message authentication code) processing on the data segment content of the target data packet through the intermediate switch to obtain a data digest, wherein the data digest is represented by a coded value in a preset number system;
cutting the data digest according to a preset cutting quantity to obtain a plurality of cut data;
searching the positions of the cut data in the circumference ratio to obtain coordinate positions, and converting the coordinate positions into values in the preset number system to obtain verification code information;
encapsulating the target data packet, the data digest and the verification code information to form target verification information;
and uploading the target verification information to the controller through the intermediate switch based on a preset reporting mechanism.
3. The path forwarding verification method of claim 1, wherein the step of marking each packet in the data stream to obtain each target packet comprises:
and extracting a preset number of data packets according to a preset verification extraction proportion, marking the verification labels, and marking the data labels for the rest of the data packets to obtain each target data packet.
4. The path forwarding verification method as claimed in claim 1, wherein said step of performing a reverse verification process on said target verification information to obtain a verification result comprises:
parsing the target verification information through the controller to obtain parsed information, wherein the parsed information includes the data header information, data digest and verification code information of the target data packet;
performing reverse verification on the data header information, the data digest and the verification code information;
if the reverse verification succeeds, storing a verification success result corresponding to the data digest;
if the reverse verification fails, storing a verification failure result corresponding to the data digest.
5. The path forwarding verification method of claim 1, wherein the verification flow table includes a discard flow table and a release flow table,
before the step of obtaining the verification flow table issued by the controller based on the target data packet, the method further comprises:
reporting the target data packet to the controller through the egress switch;
performing hash processing on the target data packet through the controller to obtain a data digest to be verified, and querying the verification result corresponding to the data digest to be verified;
if the verification result contains a verification failure result, issuing the discard flow table to the egress switch;
and if the verification result does not contain a verification failure result, issuing the release flow table to the egress switch.
6. The path forwarding verification method of claim 1, wherein after the step of forwarding each of the target data packets to the intermediate switch, further comprising:
if the intermediate switch detects that the data label exists in the target data packet, forwarding the target data packet;
and if the intermediate switch detects that neither the data label nor the verification label exists in the target data packet, uploading the target data packet to the controller, and discarding the target data packet.
7. The path forwarding verification method of claim 4, wherein the parsed information includes an identification tag of the intermediate switch,
after the step of parsing the target verification information by the controller to obtain parsed information, the method further comprises the following step:
and forming a forwarding path of the data flow by the controller based on the identification tag of the intermediate switch in the target verification information.
8. A path forwarding verification system, wherein the path forwarding verification system comprises an ingress switch, at least one intermediate switch, an egress switch, and a controller, wherein,
the ingress switch is configured to, when receiving a data stream that satisfies a preset data stream marking option issued by the controller, mark each data packet in the data stream to obtain each target data packet, and forward each target data packet to the intermediate switch, where each target data packet carries either a verification tag or a data tag;
the intermediate switch is configured to generate target verification information based on the target data packet and the circumference ratio if the verification tag exists in the target data packet, report the target verification information to the controller, and forward the target data packet;
the controller is configured to receive the target verification information reported by the intermediate switch and perform reverse verification processing on the target verification information to obtain a verification result;
and the egress switch is configured to, if it detects that the target data packet has the verification tag, acquire a verification flow table issued by the controller based on the target data packet, and release or discard the data flow based on the verification flow table.
9. A path forwarding verification apparatus, characterized in that the path forwarding verification apparatus comprises: a memory, a processor and a path forwarding verification program stored on the memory,
the path forwarding verification program is executed by the processor to implement the steps of the path forwarding verification method according to any one of claims 1 to 7.
10. A storage medium, which is a computer-readable storage medium, characterized in that the computer-readable storage medium has stored thereon a path forwarding verification program that is executed by a processor to implement the steps of the path forwarding verification method according to any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210468520.XA CN114866313B (en) 2022-04-29 2022-04-29 Path forwarding verification method, system, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210468520.XA CN114866313B (en) 2022-04-29 2022-04-29 Path forwarding verification method, system, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114866313A CN114866313A (en) 2022-08-05
CN114866313B true CN114866313B (en) 2024-04-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant