WO2023222028A1 - Network programming technology processing method and system, and storage medium - Google Patents


Info

Publication number
WO2023222028A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
programming technology
processing
network programming
traffic
Application number
PCT/CN2023/094748
Other languages
French (fr)
Chinese (zh)
Inventor
杜宗鹏
李志强
孙滔
Original Assignee
***通信有限公司研究院
***通信集团有限公司

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
              • H04L63/1441 Countermeasures against malicious traffic
                • H04L63/1458 Denial of Service
          • H04L47/00 Traffic control in data switching networks
            • H04L47/10 Flow control; Congestion control
              • H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS
              • H04L47/31 Flow control; Congestion control by tagging of packets, e.g. using discard eligibility [DE] bits
              • H04L47/32 Flow control; Congestion control by discarding or delaying data units, e.g. packets or frames
          • H04L67/00 Network arrangements or protocols for supporting network services or applications
          • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
            • H04L69/22 Parsing or analysis of headers
          • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/40 Network security protocols

Definitions

  • The present disclosure relates to the field of communication technology, and in particular to a network programming technology processing method, system and storage medium.
  • IP: Internet Protocol
  • SRv6 (Segment Routing IPv6) is based on IPv6 and extends it with the Segment Routing Header (SRH).
  • The instructions carried in the SRH are usually called segment identifiers (Segment Identifier, SID, i.e. segment ID).
  • An SRv6 SID is defined as Locator (LOC) : Function (FUNCT) : Argument (ARG), where LOC is encoded in the L most significant bits of the SID, followed by F function bits (FUNCT) and A argument bits (ARG).
  • LOC is used to locate the node and route the packet to it.
  • The FUNCT part specifies the operation to perform.
  • The ARG part is optional; some functions take no argument.
  • The most common use of network programming is to specify the nodes a data packet must pass through. If S denotes the IPv6 address of the source node and D the IPv6 address of the destination node, the main information in the IPv6 header of a traditional network is <S, D>.
  • With SRv6 the main information in the IPv6 header can be <S, SIDA> <SIDA, SIDB, SIDC, D>, where the second angle-bracket list records that the packet must first reach A, then B, then C, and is then sent to D. This requires that the nodes S, A, B, C and D all support SRv6 network programming.
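To make the LOC:FUNCT:ARG layout concrete, the following Python example (added here; it is not code from the patent) splits a 128-bit SID into its three fields given the bit widths L, F and A, and packs them back. The 64/16/48 split and the sample SID are constructed for illustration; the rule that any low-order bits after the ARG field must be zero is an assumption of the example.

```python
"""Split and assemble SRv6 SIDs laid out as LOC:FUNCT:ARG.

Added illustration, not code from the patent. The field widths L, F and A are
operator choices; the 64/16/48 split and the sample SID below are constructed.
"""
import ipaddress

SID_BITS = 128


def split_sid(sid, loc_bits, funct_bits, arg_bits):
    """Return (loc, funct, arg) as integers.

    LOC occupies the loc_bits most significant bits of the SID, FUNCT the next
    funct_bits, ARG the next arg_bits. Any low-order bits left over after the
    ARG field are required to be zero (assumed convention for this example).
    """
    if loc_bits + funct_bits + arg_bits > SID_BITS:
        raise ValueError("L + F + A exceeds 128 bits")
    value = int(ipaddress.IPv6Address(sid))
    rest = SID_BITS - loc_bits - funct_bits - arg_bits
    if value & ((1 << rest) - 1):
        raise ValueError("non-zero bits after the ARG field")
    value >>= rest
    arg = value & ((1 << arg_bits) - 1)
    funct = (value >> arg_bits) & ((1 << funct_bits) - 1)
    loc = value >> (arg_bits + funct_bits)
    return loc, funct, arg


def make_sid(loc, funct, arg, loc_bits, funct_bits, arg_bits):
    """Inverse of split_sid: pack the three fields and return the IPv6 text form."""
    for name, val, bits in (("LOC", loc, loc_bits), ("FUNCT", funct, funct_bits),
                            ("ARG", arg, arg_bits)):
        if val < 0 or val >> bits:
            raise ValueError(f"{name} value does not fit in {bits} bits")
    rest = SID_BITS - loc_bits - funct_bits - arg_bits
    value = ((((loc << funct_bits) | funct) << arg_bits) | arg) << rest
    return str(ipaddress.IPv6Address(value))


if __name__ == "__main__":
    # Constructed sample: 64-bit locator 2001:db8:0:1::/64, function 0x0001, argument 0x2a.
    loc, funct, arg = split_sid("2001:db8:0:1:1:0:0:2a", 64, 16, 48)
    print(f"LOC={loc:#x} FUNCT={funct:#x} ARG={arg:#x}")
    print(make_sid(loc, funct, arg, 64, 16, 48))
```

The width check matters in practice: a SID whose ARG region carries stray bits would be routed by LOC as usual but decoded into a different argument at the executing node, so a parser should reject it rather than silently truncate.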
  • The shortcoming of the related technology is that current network programming is not flexible enough in specifying which node performs an operation.
  • The present disclosure provides a network programming technology processing method, system and storage medium to solve the problem of insufficient flexibility in specifying the nodes that perform operations in current network programming.
  • A network programming technology processing method, including:
  • a router node receives a packet containing a network programming technology code, the code indicating that one or more corresponding tasks need to be executed;
  • the router node determines the load status of the processing chip corresponding to the packet's incoming interface;
  • when the load is greater than the predetermined value, the packet containing the network programming technology code is not processed; when the load is less than the predetermined value, the packet containing the network programming technology code is processed.
  • The router node determines the load status of the processing chip corresponding to the packet's incoming interface with reference to one or more of the following parameters:
  • Processing the packet containing the network programming technology code includes:
  • the processing performed corresponds to the one or more tasks that need to be executed, and each of those tasks has a corresponding task tag in the data packet;
  • the packet carries information, and when that information indicates that the relevant task is distributed denial-of-service attack analysis, the method further includes:
  • analysing one or more types of network traffic against the obtained traffic model of one or more router nodes to determine whether a distributed denial-of-service attack exists;
  • performing denial-of-service attack processing on one or more types of abnormal traffic according to the router's predetermined policy.
  • Performing denial-of-service attack processing on one or more types of abnormal traffic according to the predetermined policy of the target router includes:
  • the data packet must contain a suspicious/abnormal tag indicating whether the packet is a suspicious or abnormal packet.
  • The task identifier corresponding to the anomaly detection task is modified to indicate that the anomaly detection task for the packet has been completed.
  • A distributed denial-of-service attack is determined to exist when the network traffic of a specific protocol is detected to be greater than that protocol's threshold traffic in the traffic model.
  • The relevant packets are marked as suspicious or abnormal.
  • Obtaining the traffic model of one or more router nodes includes:
  • each router node computing the traffic model of its own node and storing it on that router;
  • each router node obtaining a reference traffic model from another location and storing it on the router.
  • The task tag encoded by the network programming technology is stored in the hop-by-hop extension header (HBH) or the SRv6 extension header, among the extension headers of the IPv6 packet.
  • A network programming technology processing method, including:
  • at the ingress router node of the network, inserting tags into packets according to the format encoded by the network programming technology;
  • the tags represent corresponding operations, and the operations correspond to one or several tasks that are expected to be performed in the network.
  • When the tag is inserted, it is inserted into the hop-by-hop extension header (HBH) or the SRv6 extension header of the IPv6 packet.
  • A router node, consisting of:
  • a processor, used to read the program in the memory and perform the following processes:
  • when the load is greater than the predetermined value, the packet containing the network programming technology code is not processed; when the load is less than the predetermined value, the packet containing the network programming technology code is processed;
  • a transceiver, used to receive and send data under the control of the processor.
  • The load status of the processing chip corresponding to the packet's incoming interface is determined with reference to one or more of the following parameters:
  • Processing packets containing network programming technology codes includes:
  • the processing performed corresponds to the one or more tasks that need to be executed, and each of those tasks has a corresponding task tag in the data packet;
  • when processing a packet containing a network programming technology code, if the packet carries information indicating that the relevant task is distributed denial-of-service attack analysis, the processing further includes:
  • analysing one or more types of network traffic against the obtained traffic model of one or more router nodes to determine whether a distributed denial-of-service attack exists;
  • performing denial-of-service attack processing on one or more types of abnormal traffic according to the router's predetermined policy.
  • Performing denial-of-service attack processing on one or more types of abnormal traffic according to the predetermined policy of the target router includes:
  • the data packet must contain a suspicious/abnormal tag indicating whether the packet is a suspicious or abnormal packet.
  • The task identifier corresponding to the anomaly detection task is modified to indicate that the anomaly detection task for the packet has been completed.
  • A distributed denial-of-service attack is determined to exist when the network traffic of a specific protocol is detected to be greater than that protocol's threshold traffic in the traffic model.
  • The relevant packets are marked as suspicious or abnormal.
  • Obtaining the traffic model of one or more router nodes includes:
  • each router node computing the traffic model of its own node and storing it on that router;
  • each router node obtaining a reference traffic model from another location and storing it on the router.
  • The task tag encoded by the network programming technology is stored in the hop-by-hop extension header (HBH) or the SRv6 extension header, among the extension headers of the IPv6 packet.
  • A router node, consisting of:
  • a receiving module, configured to receive a packet containing a network programming technology code, the code indicating that one or more corresponding tasks need to be executed;
  • a load module, used to determine the load status of the processing chip corresponding to the packet's incoming interface;
  • a processing module, used to leave the packet containing the network programming technology code unprocessed when the load is greater than a predetermined value, and to process the packet containing the network programming technology code when the load is less than the predetermined value.
  • The load module is further used to determine the load status of the processing chip corresponding to the packet's incoming interface with reference to one or more of the following parameters:
  • The processing module is further used to process packets containing network programming technology codes, including:
  • the processing performed corresponds to the one or more tasks that need to be executed, and each of those tasks has a corresponding task tag in the data packet;
  • The processing module is further used, when processing a packet containing a network programming technology code whose carried information indicates that the relevant task is distributed denial-of-service attack analysis, to:
  • analyse one or more types of network traffic against the obtained traffic model of one or more router nodes to determine whether a distributed denial-of-service attack exists;
  • perform denial-of-service attack processing on one or more types of abnormal traffic according to the router's predetermined policy.
  • The processing module is further used to perform denial-of-service attack processing on one or more types of abnormal traffic according to the predetermined policy of the target router, including:
  • the data packet must contain a suspicious/abnormal tag indicating whether the packet is a suspicious or abnormal packet.
  • The processing module is further used, when performing random packet loss or marking operations, to:
  • modify the task identifier corresponding to the anomaly detection task to indicate that the anomaly detection task for the packet has been completed.
  • The processing module is further used to determine that a distributed denial-of-service attack exists when the network traffic of a specific protocol is detected to be greater than that protocol's threshold traffic in the traffic model.
  • The processing module is further used, when performing marking operations, to:
  • mark the relevant packets as suspicious or abnormal.
  • The load module is further used to obtain the traffic model of one or more router nodes, including:
  • each router node computing the traffic model of its own node and storing it on that router;
  • each router node obtaining a reference traffic model from another location and storing it on the router.
  • The processing module is further configured to process the task tag encoded by the network programming technology that is stored in the hop-by-hop extension header (HBH) or the SRv6 extension header, among the extension headers of the IPv6 packet.
  • A router node, consisting of:
  • a processor, used to read the program in the memory and perform the following processes:
  • insert tags into packets according to the format encoded by the network programming technology;
  • the tags represent corresponding operations, and the operations correspond to one or several tasks that are expected to be performed in the network;
  • a transceiver, used to receive and send data under the control of the processor.
  • When the tag is inserted, it is inserted into the hop-by-hop extension header (HBH) or the SRv6 extension header of the IPv6 packet.
  • A router node, consisting of:
  • a marking module, used to insert marks into packets according to the format encoded by the network programming technology when the node serves as the ingress router node of the network;
  • the marks represent corresponding operations, and the operations correspond to one or several tasks that are expected to be performed in the network.
  • The marking module is further used to insert the mark into the hop-by-hop extension header (HBH) or the SRv6 extension header of the IPv6 packet.
  • A computer-readable storage medium stores a computer program.
  • When the computer program is executed by a processor, the above-mentioned network programming technology processing method is implemented.
  • Each node decides whether to perform the related tasks based on its own computing power, which makes full use of the computing power in the network.
  • Because a node can decide whether to perform the related processing based on its own computing power, this provides a network programming mechanism in which execution nodes are more flexible and can collaborate with one another.
  • This mechanism supports an easy-to-implement in-network security (network intrinsic security) mechanism that can provide better DDoS protection capabilities.
  • Figure 1 is a schematic diagram of the network architecture of online computing in an embodiment of the present disclosure
  • Figure 2 is a schematic flow chart of the implementation of the network programming technology processing method on the router node in the embodiment of the present disclosure
  • Figure 3 is a schematic flow chart of the implementation of the network programming technology processing method on the ingress router node in the embodiment of the present disclosure
  • Figure 4 is a schematic diagram of a message flow path in an embodiment of the present disclosure.
  • Figure 5 is a schematic diagram of the network structure of online computing in Embodiment 1 of the present disclosure.
  • Figure 6 is a schematic diagram of DDoS attack detection in Embodiment 1 of the present disclosure.
  • Figure 7 is a schematic diagram of the network structure and message path of online computing in Embodiment 2 of the present disclosure.
  • Figure 8 is a schematic diagram of an extension header of an IPv6 message in an embodiment of the present disclosure.
  • Figure 9 is a schematic structural diagram of the extension header of IPv6 HBH in an embodiment of the present disclosure.
  • Figure 10 is a schematic structural diagram of a router node in an embodiment of the present disclosure.
  • Figure 11 is a second schematic structural diagram of a router node in an embodiment of the present disclosure.
  • Current SRv6 network programming is relatively rigid in its logic: it only supports reaching specific nodes and performing specific operations. It is very flexible in which operations to perform, but lacks the ability to flexibly specify the nodes that execute them.
  • DDoS: Distributed Denial of Service
  • DDoS means that multiple attackers in different locations launch attacks against one or several targets at the same time, or that an attacker controls multiple machines in different locations and uses them to attack the victim simultaneously. Because the origin of the attack is distributed across different places, this type of attack is called a distributed denial-of-service attack, and there may be multiple attackers.
  • DoS: Denial of Service
  • A single DoS attack generally adopts a one-to-one approach. It exploits defects in network protocols and operating systems and uses deception and disguise to attack, flooding the website server with a large volume of requests that require replies, consuming network bandwidth or system resources, so that the network or system is overwhelmed, paralysed and stops providing normal network services.
  • A distributed denial-of-service attack is group behaviour initiated simultaneously by hundreds or even thousands of hosts that have been compromised and had attack processes installed on them.
  • Current prevention of DDoS attacks mainly focuses on identifying and processing attack traffic at specific network nodes.
  • Such a special node is also called an IDS, the abbreviation of "Intrusion Detection Systems".
  • IDS: Intrusion Detection Systems
  • The problem with this centralized processing approach is that the detection point is usually located high in the network, and in addition the processing pressure on the centralized nodes is high.
  • In-network computing means that network nodes, while forwarding packets, also support certain additional packet processing, such as detecting whether specific traffic is attack traffic.
  • The potential advantages of this approach are low latency, high scalability, faster response, and being closer to the source node.
  • COIN RG: Computing in the Network Research Group, Internet Engineering Task Force
  • The current implementation of in-network computing lacks a flexible collaboration mechanism between the nodes. If a model is adopted in which a controller manages and coordinates each node, so that the controller adjusts which tasks each node performs, the likely problem is a relatively slow response. This is mainly because the computing power available on the forwarding plane of a forwarding node such as a router changes rapidly with the traffic load: the more traffic there is, and the more complex the processing, the greater the forwarding pressure.
  • With the SRv6 network programming described above, programming is per packet on the data plane, but it is still the head node of the path that determines which node performs which task; it does not support looking at the load of the forwarding node to decide whether to perform the related operation.
  • In-network computing allows certain processing capabilities, such as attack prevention, to be layered onto forwarding, and the nodes that implement these capabilities can be distributed flexibly.
  • Figure 1 is a schematic diagram of the network architecture of in-network computing. As shown in the figure, in the in-network computing scenario computation occurs not only on the terminal side, such as the client (Client), Mobile Edge Computing (MEC) or the cloud (Cloud), but may also occur on the programmable routers 1-5 (Router1-5), the ingress router (Ingress1) and the egress routers 1-3 (Egress1-3).
  • Client: client
  • MEC: Mobile Edge Computing
  • Cloud: cloud
  • In a traditional network, routers are only responsible for packet forwarding and perform no computation; with network-programmable technologies such as SRv6 (IPv6-based source routing, Segment Routing IPv6; IPv6: Internet Protocol Version 6), the network supports instructing node X to execute Function Y.
  • SRv6: IPv6-based source routing technology, Segment Routing IPv6; IPv6: Internet Protocol Version 6
  • NMS: Network Management System
  • In distributed scheduling, the ingress router serves as the head end of the path and can make some decisions.
  • The problem with centralized scheduling is that the computing power on the router's forwarding plane changes rapidly and is affected by the traffic load (the more services, the greater the forwarding pressure; the more complex the service processing, the greater the forwarding pressure).
  • Centralized scheduling may therefore respond slowly.
  • The problem with distributed scheduling is that although the decision points are distributed, the execution is relatively fixed: it takes no account of the computing power on the router or of whether the router is executing other tasks.
  • The embodiments of the present disclosure provide a processing solution based on in-network computing and network programmable technology, taking the processing of distributed denial-of-service attacks as an example.
  • The specific implementation of the present disclosure is described below with reference to the accompanying drawings.
  • Figure 2 is a schematic flow chart of the network programming technology processing method on a router node. As shown in the figure, it can include:
  • Step 201: the router node receives a packet containing a network programming technology code;
  • the network programming technology code indicates that one or more corresponding tasks need to be executed;
  • Step 202: the router node determines the load status of the processing chip corresponding to the packet's incoming interface;
  • Step 203: when the load is greater than the predetermined value, the packet containing the network programming technology code is not processed; when the load is less than the predetermined value, the packet containing the network programming technology code is processed.
  • The router node determines the load status of the processing chip corresponding to the packet's incoming interface, which may be determined with reference to one or more of the following parameters:
  • Processing packets containing network programming technology codes includes:
  • the processing performed corresponds to the one or more tasks that need to be executed, and each of those tasks has a corresponding task tag in the data packet;
  • when processing a packet containing a network programming technology code, if the packet carries information indicating that the relevant task is distributed denial-of-service attack analysis, the processing further includes:
  • analysing one or more types of network traffic against the obtained traffic model of one or more router nodes to determine whether a distributed denial-of-service attack exists;
  • performing denial-of-service attack processing, such as packet dropping, on one or more types of abnormal traffic according to the router's predetermined policy.
  • Performing denial-of-service attack processing on one or more types of abnormal traffic according to the predetermined policy of the target router includes:
  • the data packet must contain a suspicious/abnormal tag indicating whether the packet is a suspicious or abnormal packet.
  • Obtaining the traffic model of one or more router nodes includes:
  • each router node computing the traffic model of its own node and storing it on that router;
  • each router node obtaining a reference traffic model from another location, such as a centralized control or management node, and storing it on the router.
  • Determining whether a distributed denial-of-service attack exists: for example, when the network traffic of a specific protocol is detected to be greater than that protocol's threshold traffic in the traffic model, it may be determined that a distributed denial-of-service attack exists.
  • Denial-of-service attack processing includes random packet dropping or marking operations on one or more types of abnormal traffic.
  • In other words: the traffic model of one or more router nodes is obtained; one or more network traffic types are analysed according to the one or more traffic models; if the network traffic is greater than the threshold traffic, it is determined that a distributed denial-of-service attack exists; and when a distributed denial-of-service attack exists, one or more types of abnormal traffic are randomly dropped or marked according to the predetermined policy of the target router.
  • The task identifier corresponding to the anomaly detection task is modified to indicate that the anomaly detection task for the packet has been completed.
  • The relevant packets are marked as suspicious or abnormal.
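The Figure 2 flow (load gate at Step 202/203, comparison of the monitored traffic against a per-protocol threshold model, then drop or mark by policy) as an added Python example. This is illustration written for this page, not the patent's or any vendor's code; it assumes that the node's load is a 0-100 utilisation figure for the processing chip behind the ingress interface, that the traffic model is a per-protocol packet-rate threshold derived from historical samples (the page's Pa) at twice their mean (the patent only requires "a threshold"), and that the currently monitored rates (P2) are supplied by the caller. The sample rates and packets are constructed.

```python
"""Load-gated, per-node DDoS detection against a traffic model (Figure 2 flow).

Added illustration; not code from the patent. Assumptions: node load is the
utilisation (0-100) of the processing chip behind the ingress interface; the
traffic model is a per-protocol threshold in packets per second derived from
historical samples (Pa); the currently monitored rates (P2) are supplied by the
caller; the policy is "mark" or "drop".
"""
import random
from dataclasses import dataclass
from statistics import mean


@dataclass
class TrafficModel:
    """Per-protocol threshold rates; a rate above the threshold is a large deviation."""
    thresholds: dict


def build_model(history, tolerance=2.0):
    """Build a model from historical per-protocol samples, e.g. {"DNS": [900, 1100, 1000]}.
    Threshold = mean historical rate * tolerance (assumed rule for this example)."""
    return TrafficModel({proto: mean(samples) * tolerance for proto, samples in history.items()})


def detect_abnormal(model, observed):
    """Return the protocols whose currently observed rate exceeds the model threshold.
    Protocols absent from the model cannot be judged and are never flagged."""
    return {proto for proto, rate in observed.items()
            if proto in model.thresholds and rate > model.thresholds[proto]}


@dataclass
class RouterNode:
    name: str
    load_percent: float          # current load of the processing chip
    load_limit: float            # the "predetermined value"
    model: TrafficModel
    policy: str = "mark"         # "mark": set the suspicious tag; "drop": random packet loss
    drop_probability: float = 0.5


def process_at_node(node, observed, packets, rng=None):
    """Step 202/203: skip the task when the chip is loaded, otherwise analyse and act.

    Returns (processed, abnormal_protocols, decisions); decisions is a list of
    (packet, action) with action in {"forward", "mark", "drop"}.
    """
    rng = rng or random.Random(0)
    if node.load_percent >= node.load_limit:
        # Heavy load: forward unchanged. The task tag stays set so a later node can take it.
        return False, set(), [(pkt, "forward") for pkt in packets]

    abnormal = detect_abnormal(node.model, observed)
    decisions = []
    for pkt in packets:
        if pkt["proto"] not in abnormal:
            decisions.append((pkt, "forward"))
        elif node.policy == "drop" and rng.random() < node.drop_probability:
            decisions.append((pkt, "drop"))
        else:
            # Mark rather than drop: downstream nodes and the egress see the suspicious flag.
            decisions.append((dict(pkt, suspicious=True), "mark"))
    return True, abnormal, decisions


# Constructed sample data: historical per-protocol rates and a current snapshot
# in which DNS traffic is far above its usual level.
HISTORY = {"DNS": [900, 1100, 1000], "NTP": [200, 250, 150], "ICMP": [50, 40, 60]}
CURRENT = {"DNS": 6000, "NTP": 210, "ICMP": 45}
PACKETS = [{"id": 1, "proto": "DNS"}, {"id": 2, "proto": "NTP"}, {"id": 3, "proto": "DNS"}]


def demo(load_percent, policy="mark"):
    """Run one node over the sample data; drop_probability 1.0 keeps the demo deterministic."""
    node = RouterNode("Router1", load_percent, 70.0, build_model(HISTORY), policy, 1.0)
    return process_at_node(node, CURRENT, PACKETS)


if __name__ == "__main__":
    for load in (30.0, 90.0):
        processed, abnormal, decisions = demo(load)
        print(f"load={load}: processed={processed} abnormal={sorted(abnormal)} "
              f"actions={[action for _, action in decisions]}")
```

Two points a deployment would want beyond this sketch: the load comparison uses a single predetermined value, so a node oscillating around the limit will alternately take and skip the task, and the page's egress rule (check packets whose task is still outstanding) is what catches traffic that every node along the path skipped.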
  • Figure 3 is a schematic flow chart of the network programming technology processing method on the ingress router node. As shown in the figure, it can include:
  • Step 301: at the ingress router node of the network, tags are inserted into the packets according to the format encoded by the network programming technology.
  • The tags represent corresponding operations, and the operations correspond to one or several tasks that are expected to be performed in the network.
  • When the tag is inserted, it is inserted into the hop-by-hop extension header (Hop-by-Hop Option, HBH) or the SRv6 extension header of the IPv6 packet.
  • HBH: Hop-by-Hop Option
  • Typical technologies for current network programming/in-network computing include SRv6 (i.e. go to node x1/x2/x3/... and execute F1). Similarly, it is acceptable if F1 is not executed.
  • Figure 4 is a schematic diagram of the packet flow path. As shown in the figure, assuming there are two tasks in total, the nodes on the path selectively process them according to their own conditions, and all remaining tasks are completed by Egress3.
  • Each router determines whether to perform DDoS attack detection based on its own situation.
  • DDoS detection is performed on a single router.
  • Figure 5 is a schematic diagram of the network structure of in-network computing in Embodiment 1. As shown in the figure, in this network:
  • Router1-5, Ingress1 and Egress1-3 have in-network computing capabilities deployed, so that these nodes support DDoS attack detection when their load is light.
  • One detection method is, for example, based on an Artificial Intelligence (AI) mechanism that computes the traffic model of the node's own traffic. Then, if DDoS attack detection is required, the traffic is analysed; if the deviation from the model is large, for example reaching a threshold, it is considered that a DDoS attack may be under way, and random packet dropping/marking is performed.
  • AI: Artificial Intelligence
  • Figure 6 is a schematic diagram of DDoS attack detection in Embodiment 1.
  • SSDP: Simple Service Discovery Protocol
  • Pa: traffic model based on historical data
  • P2: currently monitored traffic model
  • ICMP: Internet Control Message Protocol
  • DNS: Domain Name System
  • SNMP: Simple Network Management Protocol
  • NTP: Network Time Protocol
  • The Ingress node marks the traffic that needs to be analysed. For example, inserting 01000000 into the packet header means that DDoS filtering is required, but the specific execution node is not specified.
  • The node that receives the packet, such as Router1, has a light load at this time and performs DDoS filtering.
  • The specific behaviour is to analyse the packet to see whether there are any anomalies in the traffic characteristics;
  • after processing, the cleared flag is 00000000.
  • The Ingress node marks the traffic that needs to be analysed. For example, inserting 01000000 into the packet header means that DDoS filtering is required, but the specific execution node is not specified. At the same time, the first flag bit identifies whether the traffic is suspicious.
  • The node that receives the packet, such as Router1, has a light load at this time and performs DDoS filtering.
  • The specific behaviour is to analyse the packet to see whether there are any anomalies in the traffic characteristics;
  • after processing, the cleared flag is 00000000.
  • Egress1/2/3 detect unprocessed packets, and detect packets whose first flag is 1.
  • DDoS detection is performed collaboratively on multiple routers.
  • Figure 7 is a schematic diagram of the network structure and packet path of in-network (online) computing in Embodiment 2. As shown in the figure, in this network:
  • Router1-5, Ingress1 and Egress1-3 have in-network computing capabilities deployed, so that these nodes support DDoS attack detection when their load is light.
  • an AI-based mechanism builds the traffic model of its own node from traffic statistics. Then, if DDoS attack detection is required, the traffic is analyzed; if the deviation from the model is large, for example reaching a threshold, a DDoS attack is considered possible and random packet dropping and/or marking operations are performed.
  • the Ingress node marks the traffic that needs to be analyzed. For example, inserting 00101000 into the packet header means that DDoS filtering is required, but the specific execution node is not specified.
  • a node that receives the packet, such as Router1/3, is lightly loaded at that moment and performs DDoS filtering.
  • the specific behavior is to analyze the packet to see whether there are any abnormalities in the traffic characteristics;
  • the Ingress node marks the traffic that needs to be analyzed. For example, inserting 00101000 into the packet header means that DDoS filtering is required, but the specific execution node is not specified. At the same time, the first flag bit identifies whether the traffic is suspicious.
  • a node that receives the packet, such as Router1, is lightly loaded at that moment and performs DDoS filtering.
  • the specific behavior is to analyze the packet to see whether there are any abnormalities in the traffic characteristics;
  • the cleared flag is 00001000.
  • Egress1/2/3 detects packets that were not processed and packets whose first flag bit is 1.
  • the marking is performed in an extension header of the IPv6 header or in the SRv6 extension header.
  • Figure 8 is a schematic diagram of the extension header of an IPv6 packet.
  • the extension header of an IPv6 packet is as shown in the figure.
  • the extension header is an optional field, such as a hop-by-hop options header, a destination options header or a routing header.
  • the Segment Routing Header (SRH) can be carried; it includes the SRH's SID list (SID: Segment IDentifier), that is, a list of multiple 128-bit addresses.
  • the network programming technology code, that is, the task mark, is stored in the extension header of the IPv6 packet.
  • the specific location is the IPv6 hop-by-hop options header (HBH) or the SRv6 extension header.
  • the HBH header can be used instead of the SRH header, because in terms of processing logic the options of the HBH header are examined at every hop, whereas the SRH header is examined only after the destination address (Destination Address, DA) matches.
  • SA is the abbreviation of Source Address, indicating the source address.
  • the marking is performed in the IPv6 HBH extension header.
  • Figure 9 is a schematic diagram of the structure of the IPv6 HBH extension header. As shown in the figure, the most suitable location to add detection requirement information to each packet is the IPv6 HBH extension header. Specifically, the mark can be 8 bits; it can also be longer, for example 32 bits.
  • the corresponding encapsulation can be added at Ingress and optionally removed at Egress.
  • a certain bit represents whether the traffic is suspicious;
  • a certain bit represents that a certain task needs to be performed, for example that the Router is expected to filter certain types of traffic;
  • a certain bit represents that the Router is expected to use a specific traffic model to filter traffic.
  • the mark is encoded as a TLV: Type (Tag), Length, Value.
  • the TLV is processed by each node, and the value in the Value part of the TLV can be read and modified.
  • embodiments of the present disclosure also provide a router node and a computer-readable storage medium. Since the principle by which these devices solve the problem is similar to that of the network programming technology processing method, their implementation can refer to the implementation of the method, and repeated parts are not described again.
  • FIG. 10 is a schematic diagram of the router node structure. As shown in the figure, the router node includes:
  • the processor 1000, used to read the program in the memory 1020 and perform the following processes:
  • when the load is greater than the predetermined value, packets containing the network programming technology code are not processed; when the load is less than the predetermined value, packets containing the network programming technology code are processed;
  • the transceiver 1010, used for receiving and transmitting data under the control of the processor 1000.
  • the load status of the processing chip corresponding to the packet incoming interface is determined with reference to one or more of the following parameters:
  • processing packets containing the network programming technology code includes:
  • the executed processing corresponds to the one or more tasks that need to be executed, and the one or more tasks have corresponding task tags in the data packet;
  • when processing packets containing the network programming technology code, if the packet carries information indicating that the relevant task is distributed denial-of-service attack analysis, the processing further includes:
  • analyzing one or more types of network traffic according to the obtained traffic model of one or more router nodes to determine whether a distributed denial-of-service attack exists;
  • performing denial-of-service attack processing on one or more types of abnormal traffic according to the predetermined policy of the router.
  • performing denial-of-service attack processing on one or more types of abnormal traffic according to the predetermined policy of the target router includes:
  • the data packet needs to contain a suspicious or abnormal tag to indicate whether the packet is a suspicious or abnormal packet.
  • the task identifier corresponding to the anomaly detection task is modified to indicate that the anomaly detection task for the packet has been completed.
  • a distributed denial-of-service attack is determined to exist when the network traffic of a specific protocol is detected to be greater than the threshold traffic for that protocol in the traffic model.
  • the relevant packets are marked as suspicious or abnormal.
  • obtaining the traffic model of one or more router nodes includes:
  • each router node builds the traffic model of its own node from statistics and saves it on that router;
  • each router node obtains a traffic model for reference from other locations and saves it on the router.
  • the task mark encoded by the network programming technology is stored in the hop-by-hop extension header HBH or the SRv6 extension header in the extension header of the IPv6 message.
  • the bus architecture may include any number of interconnected buses and bridges, specifically one or more processors represented by processor 1000 and various circuits of the memory represented by memory 1020 are linked together.
  • the bus architecture can also link together various other circuits such as peripherals, voltage regulators, and power management circuits, which are all well known in the art and therefore will not be described further herein.
  • the bus interface provides the interface.
  • the transceiver 1010 may be a plurality of elements, including a transmitter and a receiver, providing a unit for communicating with various other devices over a transmission medium.
  • the processor 1000 is responsible for managing the bus architecture and general processing, and the memory 1020 can store data used by the processor 1000 when performing operations.
  • the embodiment of the present disclosure also provides a router node, including:
  • a receiving module configured to receive a message containing a network programming technology code, which indicates that one or more corresponding tasks need to be executed;
  • a load module used to determine the load status of the processing chip corresponding to the message incoming interface
  • the processing module is used to not process the packets containing the network programming technology code when the load is greater than a predetermined value, and to process the packets containing the network programming technology code when the load is less than the predetermined value.
  • the load module is further used to determine the load status of the processing chip corresponding to the message incoming interface, which is determined with reference to one or more of the following parameters:
  • the processing module is further used to process messages containing network programming technology codes, including:
  • the executed processing corresponds to one or more tasks that need to be executed, and one or more tasks have corresponding task tags in the data message;
  • the processing module is further used, when processing packets containing the network programming technology code, if the packet carries information indicating that the relevant task is distributed denial-of-service attack analysis, to perform:
  • analyzing one or more types of network traffic according to the obtained traffic model of one or more router nodes to determine whether a distributed denial-of-service attack exists;
  • performing denial-of-service attack processing on one or more types of abnormal traffic according to the predetermined policy of the router.
  • the processing module is further used to perform denial-of-service attack processing on one or more types of abnormal traffic according to the predetermined policy of the target router, including:
  • the data packet needs to contain a suspicious or abnormal tag to indicate whether the packet is a suspicious or abnormal packet.
  • the processing module is further used, when performing random packet dropping or marking operations, to perform:
  • modifying the task identifier corresponding to the anomaly detection task to indicate that the anomaly detection task for the packet has been completed.
  • the processing module is further used to determine that a distributed denial-of-service attack exists when the network traffic of a specific protocol is detected to be greater than the threshold traffic for that protocol in the traffic model.
  • the processing module is further used, when performing marking operations, to perform:
  • marking the relevant packets as suspicious or abnormal.
  • the load module is further used to obtain the traffic model of one or more router nodes, including:
  • Each router node counts the traffic model of its own node and saves it on each router;
  • Each router node obtains the traffic model for reference from other locations and saves it on the router.
  • the processing module is further configured to process the task tag encoded by the network programming technology stored in the hop-by-hop extension header HBH or the SRv6 extension header in the extension header of the IPv6 message.
  • each part of the above-described device is divided into various modules or units by function and described separately.
  • the functions of each module or unit can be implemented in the same or multiple software or hardware.
  • FIG. 11 is a second schematic diagram of the router node structure. As shown in the figure, the router node includes:
  • the processor 1100, used to read the program in the memory 1120 and perform the following processes:
  • inserting marks into packets according to the format encoded by the network programming technology;
  • the marks represent corresponding operations, and the operations correspond to one or several tasks that are expected to be performed in the network;
  • the transceiver 1110, used for receiving and transmitting data under the control of the processor 1100.
  • when the mark is inserted, it is inserted into the hop-by-hop extension header HBH or the SRv6 extension header of the IPv6 packet.
  • the bus architecture may include any number of interconnected buses and bridges, specifically one or more processors represented by processor 1100 and various circuits of the memory represented by memory 1120 are linked together.
  • the bus architecture can also link together various other circuits such as peripherals, voltage regulators, and power management circuits, which are all well known in the art and therefore will not be described further herein.
  • the bus interface provides the interface.
  • the transceiver 1110 may be a plurality of elements, including a transmitter and a receiver, providing a unit for communicating with various other devices over a transmission medium.
  • the processor 1100 is responsible for managing the bus architecture and general processing, and the memory 1120 can store data used by the processor 1100 when performing operations.
  • the embodiment of the present disclosure also provides a router node, including:
  • a marking module, used to insert marks into packets according to the format encoded by the network programming technology when serving as the entrance router node of the network;
  • the marks represent corresponding operations, and the operations correspond to one or several tasks that are expected to be performed in the network.
  • the marking module is further used to insert the mark into the hop-by-hop extension header HBH or the SRv6 extension header of the IPv6 packet.
  • each part of the above-described device is divided into various modules or units by function and described separately.
  • the functions of each module or unit can be implemented in one or more pieces of software or hardware.
  • embodiments of the present disclosure also provide a computer-readable storage medium.
  • the computer-readable storage medium stores a computer program.
  • when the computer program is executed by a processor, the above-mentioned network programming technology processing method is implemented.
  • for the specific implementation, refer to the implementation of the network programming technology processing method on the router node, or on the router node when serving as the entrance router node of the network.
  • the technical solution provided by the embodiments of the present disclosure is a new network-programmable implementation mechanism of the data plane for DDoS.
  • traffic is marked at the entry node and processed according to the marked content at some network node that is not determined in advance. There is no need to specify the Location at which the relevant Function must be executed; several tasks can be requested for execution in the network without specifying the execution location, and each node decides whether to execute the related tasks based on its own computing power.
  • because nodes decide whether to perform the relevant processing based on their own computing power, this provides an easy-to-implement in-network security (network endogenous security) mechanism with better DDoS protection capability.
  • embodiments of the present disclosure may be provided as methods, systems, or computer program products. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment that combines software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, magnetic disk storage, optical storage, and the like) embodying computer-usable program code therein.
  • these computer program instructions may also be stored in a computer-readable memory that causes a computer or other programmable data processing apparatus to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, the instruction means implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • these computer program instructions may also be loaded onto a computer or other programmable data processing device, causing a series of operating steps to be performed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
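The task mark and its HBH option TLV, as an added example that is not code from the patent or its applicant. It builds a minimal IPv6 Hop-by-Hop options header carrying the mark, reads and rewrites it the way an Ingress or an intermediate Router would, and supports both the 8-bit and the longer (32-bit) mark widths mentioned above. The option type 0x3E (an experimental HBH option code point from RFC 4727, chosen because its "chg" bit allows the value to change en route) and the bit layout of the mark (first bit = suspicious, 01000000 = DDoS filtering requested, as in Embodiment 1) are assumptions of this example, not values fixed by the page.

```python
"""Task mark carried in an IPv6 Hop-by-Hop (HBH) option TLV.

Added example; not code from the patent or its applicant. Assumptions: the
option type 0x3E (experimental HBH option code point from RFC 4727, 'act'=00
skip-if-unknown, 'chg'=1 mutable en route) and the mark's bit layout
(modelled on Embodiment 1: first bit = suspicious, 01000000 = DDoS filtering).
"""
import struct

OPT_PAD1 = 0x00            # one-octet padding option
OPT_PADN = 0x01            # N-octet padding option
OPT_TASK_MARK = 0x3E       # assumed experimental option type carrying the task mark

MARK_SUSPICIOUS = 0b1000_0000    # "first flag bit": traffic judged suspicious
MARK_DDOS_FILTER = 0b0100_0000   # task bit: DDoS filtering requested (01000000)


def build_hbh(next_header: int, mark: int, mark_len: int = 1) -> bytes:
    """Return an HBH extension header carrying `mark` in `mark_len` octets.

    The header is NextHdr(1) + HdrExtLen(1) + options, padded to a multiple of
    8 octets with Pad1/PadN as IPv6 requires.
    """
    opts = bytes([OPT_TASK_MARK, mark_len]) + mark.to_bytes(mark_len, "big")
    pad = (-(2 + len(opts))) % 8
    if pad == 1:
        opts += bytes([OPT_PAD1])
    elif pad > 1:
        opts += bytes([OPT_PADN, pad - 2]) + bytes(pad - 2)
    hdr_ext_len = (2 + len(opts)) // 8 - 1       # 8-octet units, first 8 not counted
    return struct.pack("!BB", next_header, hdr_ext_len) + opts


def _find_option(hbh: bytes, opt_type: int):
    """Walk the option TLVs; return (value_offset, value_len) or None."""
    length = (hbh[1] + 1) * 8
    i = 2
    while i < length:
        t = hbh[i]
        if t == OPT_PAD1:                         # Pad1 has no length octet
            i += 1
            continue
        opt_len = hbh[i + 1]
        if t == opt_type:
            return i + 2, opt_len
        i += 2 + opt_len
    return None


def read_mark(hbh: bytes) -> int:
    """What every hop does first: read the task mark from the HBH header."""
    found = _find_option(hbh, OPT_TASK_MARK)
    if found is None:
        raise ValueError("no task-mark option in HBH header")
    off, opt_len = found
    return int.from_bytes(hbh[off:off + opt_len], "big")


def write_mark(hbh: bytes, mark: int) -> bytes:
    """Rewrite the mark in place, as a node does after finishing or flagging a task."""
    found = _find_option(hbh, OPT_TASK_MARK)
    if found is None:
        raise ValueError("no task-mark option in HBH header")
    off, opt_len = found
    return hbh[:off] + mark.to_bytes(opt_len, "big") + hbh[off + opt_len:]


def task_completed(mark: int, task_bit: int) -> int:
    """Clear one task bit (e.g. 00101000 -> 00001000 in Embodiment 2)."""
    return mark & ~task_bit


def flag_suspicious(mark: int) -> int:
    """Set the first flag bit of an 8-bit mark."""
    return mark | MARK_SUSPICIOUS


if __name__ == "__main__":
    # Ingress inserts the mark; a lightly loaded Router clears it after filtering.
    hbh = build_hbh(6, MARK_DDOS_FILTER)          # next header 6 = TCP
    print(hbh.hex(), format(read_mark(hbh), "08b"))
    hbh = write_mark(hbh, task_completed(read_mark(hbh), MARK_DDOS_FILTER))
    print(hbh.hex(), format(read_mark(hbh), "08b"))
```

The Pad1/PadN handling matters in practice: an HBH header that is not a multiple of 8 octets is malformed and would be discarded by conforming routers, and `_find_option` must skip Pad1 correctly because it is the only option with no length octet.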

Abstract

The present disclosure provides a network programming technology processing method and system, and a storage medium. The method comprises: a router node receiving a packet containing network programming technology coding, the network programming technology coding indicating that one or more corresponding tasks need to be executed; the router node determining the load state of a processing chip corresponding to the packet input interface; when the load is greater than a predetermined value, skipping processing the packet containing network programming technology coding, and when the load is less than the predetermined value, processing the packet containing network programming technology coding.

Description

A network programming technology processing method, system and storage medium
Cross-reference to related applications
This application claims priority to Chinese Patent Application No. 202210546405.X filed in China on May 18, 2022, the entire content of which is incorporated herein by reference.
Technical field
The present disclosure relates to the field of communication technology, and in particular to a network programming technology processing method, system and storage medium.
Background art
Traditional Internet Protocol (IP) network technology mainly focuses on delivering data packets from the source node to the destination node according to their destination address. Network programmability means allowing network operators or applications to encode a sequence of instructions in the Internet Protocol Version 6 (IPv6) packet header. In Segment Routing over IPv6 (SRv6, which extends IPv6 with the Segment Routing Header, SRH), these instructions are usually called Segment Identifiers (SID, i.e. segment IDs). An SRv6 SID is defined as Locator (LOC):Function (FUNCT):Argument (ARG), where LOC is encoded in the L most significant bits of the SID, followed by F function bits (FUNCT) and A argument bits (ARG). LOC is used to locate the node and for routing and forwarding, the FUNCT part specifies the operation, and the ARG part is optional, since some functions need no arguments.
The most common use of network programming is to specify the nodes a packet passes through. Assuming S denotes the IPv6 address of the source node and D the IPv6 address of the destination node, the main information in the IPv6 packet header of a traditional network is <S, D>. In SRv6 network programming, if a path is to be specified, the main information in the IPv6 packet header can be <S, SIDA><SIDA, SIDB, SIDC, D>, where the trailing angle brackets record that the packet must first reach A, then B, then C, and is then sent to D. This requires that nodes S, A, B, C and D in the network all support SRv6 network programming.
The shortcoming of the related technology is that current network programming is not flexible enough in specifying the node that performs an operation.
Summary of the invention
The present disclosure provides a network programming technology processing method, system and storage medium, to solve the problem that current network programming is not flexible enough in specifying the node that performs an operation.
The present disclosure provides the following technical solutions:
A network programming technology processing method, including:
a router node receives a packet containing a network programming technology code, where the network programming technology code indicates that one or more corresponding tasks need to be executed;
the router node determines the load status of the processing chip corresponding to the packet's incoming interface;
when the load is greater than a predetermined value, packets containing the network programming technology code are not processed; when the load is less than the predetermined value, packets containing the network programming technology code are processed.
In implementation, the router node determines the load status of the processing chip corresponding to the packet's incoming interface with reference to one or more of the following parameters:
the current utilization of the processing chip corresponding to the packet's incoming interface;
the number of packets currently being processed by the processing chip corresponding to the packet's incoming interface;
the sum of the rates of the flows to which the packets currently being processed by the processing chip corresponding to the packet's incoming interface belong.
In implementation, processing packets containing the network programming technology code includes:
the executed processing corresponds to the one or more tasks that need to be executed, and the one or more tasks have corresponding task tags in the data packet;
the tag of the task corresponding to the executed processing is modified: if the router node executes one task, the tag of that one task is modified; if the router node executes multiple tasks, the tags of those multiple tasks are modified.
In implementation, when processing packets containing the network programming technology code, if the packet carries information indicating that the relevant task is distributed denial-of-service attack analysis, the processing further includes:
analyzing one or more types of network traffic according to the obtained traffic model of one or more router nodes to determine whether a distributed denial-of-service attack exists;
when a distributed denial-of-service attack exists, performing denial-of-service attack processing on one or more types of abnormal traffic according to the predetermined policy of the router.
In implementation, performing denial-of-service attack processing on one or more types of abnormal traffic according to the predetermined policy of the target router includes:
performing random packet dropping and/or marking operations on one or more types of abnormal traffic;
if the marking operation is performed, the data packet needs to contain a suspicious or abnormal tag to indicate whether the packet is a suspicious or abnormal packet.
In implementation, when performing the random packet dropping operation or the marking operation, the method further includes:
if it is determined that the traffic has no anomaly, modifying the task identifier corresponding to the requested anomaly detection task to indicate that the anomaly detection task for the packet has been completed.
In implementation, a distributed denial-of-service attack is determined to exist when the network traffic of a specific protocol is detected to be greater than the threshold traffic for that protocol in the traffic model.
In implementation, when performing the marking operation, the method further includes:
if an anomaly is determined to exist, marking the relevant packets as suspicious or abnormal.
In implementation, obtaining the traffic model of one or more router nodes includes:
each router node builds the traffic model of its own node from statistics and saves it on that router;
each router node obtains a traffic model for reference from other locations and saves it on the router.
In implementation, the task mark encoded by the network programming technology is stored in the hop-by-hop extension header HBH or in the SRv6 extension header among the extension headers of the IPv6 packet.
A network programming technology processing method, including:
at the entrance router node of the network, inserting marks into packets according to the format encoded by the network programming technology, where the marks represent corresponding operations, and the operations correspond to one or several tasks that are expected to be performed in the network.
In implementation, when the mark is inserted, it is inserted into the hop-by-hop extension header HBH or the SRv6 extension header of the IPv6 packet.
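The router-side method described above, as an added example that is not the patent's or applicant's code: load gating against the three reference parameters, the per-protocol threshold check against a traffic model, random dropping or marking of abnormal traffic, clearing the task tag when no anomaly is found, and the Egress view that separates unprocessed from suspicious packets. The predetermined values, the traffic model contents and the 8-bit mark layout (first bit = suspicious, second bit = DDoS analysis task) are constructed assumptions, as is clearing the task bit once an anomaly has been flagged; the page only states that the tag is modified when the traffic is normal.

```python
"""Router-node processing of marked packets: load gating, DDoS check, mark update.

Added example, not the patent's or applicant's code. Thresholds, the traffic
model and the 8-bit mark layout are constructed assumptions.
"""
import random
from dataclasses import dataclass, field

MARK_SUSPICIOUS = 0b1000_0000   # first flag bit: traffic judged suspicious/abnormal
MARK_DDOS_TASK = 0b0100_0000    # task bit: DDoS analysis requested (01000000 on the page)


@dataclass
class ChipLoad:
    """Load state of the processing chip behind the packet's incoming interface."""
    utilization: float          # fraction 0.0 - 1.0
    packets_in_process: int     # packets currently being handled
    flow_rate_sum_pps: float    # summed rate of the flows those packets belong to


@dataclass
class NodePolicy:
    """The router's predetermined values (constructed numbers)."""
    max_utilization: float = 0.70
    max_packets: int = 10_000
    max_rate_pps: float = 500_000.0
    drop_probability: float = 0.5   # random packet loss applied to abnormal traffic


@dataclass
class TrafficModel:
    """Per-protocol threshold (pps) learned locally or fetched, plus live counters."""
    threshold_pps: dict
    observed_pps: dict = field(default_factory=dict)

    def observe(self, protocol: str, pps: float) -> None:
        self.observed_pps[protocol] = pps

    def is_ddos(self, protocol: str) -> bool:
        # The page's criterion: traffic of a protocol above that protocol's model threshold.
        return self.observed_pps.get(protocol, 0.0) > self.threshold_pps.get(protocol, float("inf"))


def overloaded(load: ChipLoad, policy: NodePolicy) -> bool:
    """Any reference parameter above its predetermined value means 'do not process'."""
    return (load.utilization > policy.max_utilization
            or load.packets_in_process > policy.max_packets
            or load.flow_rate_sum_pps > policy.max_rate_pps)


def process_packet(protocol: str, mark: int, load: ChipLoad, policy: NodePolicy,
                   model: TrafficModel, rng=random.random):
    """Return (action, new_mark); action is 'forward' or 'drop'.

    `rng` is injectable so the random-drop branch is reproducible in tests.
    """
    if not (mark & MARK_DDOS_TASK):
        return "forward", mark                  # no task requested of this node
    if overloaded(load, policy):
        return "forward", mark                  # heavy load: leave it for a later node
    if not model.is_ddos(protocol):
        # no anomaly: the task is done, clear the task bit (01000000 -> 00000000)
        return "forward", mark & ~MARK_DDOS_TASK & 0xFF
    # anomaly: set the suspicious flag; also clearing the task bit is this example's
    # assumption (the page only says the tag is modified when traffic is normal)
    new_mark = (mark | MARK_SUSPICIOUS) & ~MARK_DDOS_TASK & 0xFF
    if rng() < policy.drop_probability:
        return "drop", new_mark
    return "forward", new_mark


def run_path(protocol: str, mark: int, nodes, rng=random.random):
    """Walk a packet through a list of (load, policy, model) router nodes.

    Returns (final_action, final_mark, index of the node that processed it or None),
    showing that the executing node is whichever one is lightly loaded.
    """
    handled_by = None
    for i, (load, policy, model) in enumerate(nodes):
        action, new_mark = process_packet(protocol, mark, load, policy, model, rng)
        if new_mark != mark and handled_by is None:
            handled_by = i
        mark = new_mark
        if action == "drop":
            return "drop", mark, handled_by
    return "forward", mark, handled_by


def egress_classify(mark: int) -> str:
    """Egress view: task bit still set = no node processed it; first bit = suspicious."""
    if mark & MARK_DDOS_TASK:
        return "unprocessed"
    if mark & MARK_SUSPICIOUS:
        return "suspicious"
    return "clean"
```

Two design points are worth noting for a defender: an unprocessed mark reaching Egress is itself a signal (every node on the path was too busy), so Egress should count those rather than silently strip the encapsulation; and the drop decision is keyed on the protocol's aggregate rate, not on the individual packet, so a flood will also cost some legitimate packets of that protocol, which is the trade-off a random-drop policy accepts.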
一种路由器节点,包括:A router node consisting of:
处理器,用于读取存储器中的程序,执行下列过程:Processor, used to read the program in the memory and perform the following processes:
收到含有网络编程技术编码的报文,所述的网络编程技术编码指示了有一个或多个对应的任务需要被执行;Receive a message containing a network programming technology code, which indicates that one or more corresponding tasks need to be executed;
确定所述报文入接口对应的处理芯片的负载状态;Determine the load status of the processing chip corresponding to the message incoming interface;
在负载大于预定值时,不对含有网络编程技术编码的报文进行处理,在负载小于预定值时,对含有网络编程技术编码的报文进行处理;When the load is greater than the predetermined value, the packets containing the network programming technology code will not be processed; when the load is less than the predetermined value, the packets containing the network programming technology code will be processed;
收发机,用于在处理器的控制下接收和发送数据。Transceiver, used to receive and send data under the control of a processor.
实施中,确定所述报文入接口对应的处理芯片的负载状态,是参考如下的一个或者多个参数确定的:In implementation, the load status of the processing chip corresponding to the packet incoming interface is determined with reference to one or more of the following parameters:
所述报文入接口对应的处理芯片目前的利用率;The current utilization rate of the processing chip corresponding to the packet incoming interface;
所述报文入接口对应的处理芯片目前正在处理的报文的数量;The number of packets currently being processed by the processing chip corresponding to the packet incoming interface;
所述报文入接口对应的处理芯片目前正在处理的报文所在的流的速率和。The sum of the rates of the streams where the packets currently being processed by the processing chip corresponding to the packet incoming interface are.
实施中,对含有网络编程技术编码的报文进行处理,包括:During implementation, messages containing network programming technology codes are processed, including:
执行的处理对应了所述的需要被执行的一个或多个任务,一个或多个任务在数据报文中有对应的任务标记;The executed processing corresponds to one or more tasks that need to be executed, and one or more tasks have corresponding task tags in the data message;
修改执行的处理对应的任务的标记,如果路由器节点执行一个任务,那么修改对应的一个任务的标记,如果路由器节点执行了多个的任务,那么修改对应的多个任务标记。Modify the tag of the task corresponding to the executed processing. If the router node executes one task, then modify the tag of the corresponding task. If the router node executes multiple tasks, then modify the tags of multiple corresponding tasks.
实施中,对含有网络编程技术编码的报文进行处理时,若报文中携带信息指示了相关的任务是进行分布式拒绝服务攻击分析,进一步包括:During implementation, when processing packets containing network programming technology coding, if the packet carries information indicating that the relevant task is to conduct distributed denial-of-service attack analysis, it further includes:
根据获取的一个或多个路由器节点的流量模型,对一种或多种网络流量进行分析,确定是否存在分布式拒绝服务攻击; According to the obtained traffic model of one or more router nodes, analyze one or more types of network traffic to determine whether there is a distributed denial of service attack;
当存在分布式拒绝服务攻击时,根据所述路由器的预定策略对一种或多种异常流量进行拒绝服务攻击处理。When there is a distributed denial of service attack, denial of service attack processing is performed on one or more types of abnormal traffic according to the predetermined policy of the router.
实施中,根据目标路由器的预定策略对一种或多种异常流量进行拒绝服务攻击处理,包括:During implementation, denial-of-service attack processing is performed on one or more types of abnormal traffic according to the predetermined policy of the target router, including:
对一种或多种异常流量进行随机丢包操作和/或标记操作,Perform random packet dropping and/or marking operations on one or more types of abnormal traffic,
如果执行标记操作,则数据报文中需要包含有可疑或异常标记,用于指示报文是否是可疑或异常报文。If the marking operation is performed, the data packet needs to contain a suspicious or abnormal tag to indicate whether the packet is a suspicious or abnormal packet.
实施中,在进行随机丢包操作或标记操作时,进一步包括:In the implementation, when performing random packet loss operation or marking operation, it further includes:
如果判定流量没有异常,则修改指示希望进行异常检测任务对应的任务标识,指明报文的异常检测任务已完成。If it is determined that there is no abnormality in the traffic, the task identifier corresponding to the anomaly detection task is modified to indicate that the anomaly detection task of the packet has been completed.
实施中,确定是否存在分布式拒绝服务攻击,是在监测到特定协议的网络流量大于流量模型中该协议的阈值流量时,确定存在分布式拒绝服务攻击。In implementation, determining whether a distributed denial-of-service attack exists is when the network traffic of a specific protocol is detected to be greater than the threshold traffic of the protocol in the traffic model.
实施中,在进行标记操作时,进一步包括:In implementation, when performing marking operations, it further includes:
如果判定有异常,则对相关的报文标记为可疑或异常。If it is determined that there is an abnormality, the relevant packets will be marked as suspicious or abnormal.
实施中,获取一个或多个路由器节点的流量模型,包括:During implementation, the traffic model of one or more router nodes is obtained, including:
各路由器节点统计自身节点的流量模型,保存在各路由器上;Each router node counts the traffic model of its own node and saves it on each router;
各个路由器节点从其他位置获取供参考的流量模型,并且保存在路由器上。Each router node obtains the traffic model for reference from other locations and saves it on the router.
实施中,所述的网络编程技术编码的任务标记,存储在IPv6报文的扩展头中的逐跳扩展头HBH中或SRv6扩展头中。In implementation, the task mark encoded by the network programming technology is stored in the hop-by-hop extension header HBH or the SRv6 extension header in the extension header of the IPv6 message.
A router node, comprising:
a receiving module, configured to receive a packet containing a network programming technology code, the code indicating that one or more corresponding tasks need to be executed;
a load module, configured to determine the load state of the processing chip corresponding to the packet's ingress interface;
a processing module, configured not to process the packet containing the network programming technology code when the load is greater than a predetermined value, and to process it when the load is less than the predetermined value.
In an implementation, the load module is further configured to determine the load state of the processing chip corresponding to the packet's ingress interface with reference to one or more of the following parameters:
the current utilization of the processing chip corresponding to the packet's ingress interface;
the number of packets currently being processed by that processing chip;
the sum of the rates of the flows to which the packets currently being processed by that processing chip belong.
In an implementation, the processing module is further configured such that processing the packet containing the network programming technology code includes:
the processing performed corresponds to the one or more tasks that need to be executed, each of which has a corresponding task tag in the data packet;
modifying the tag of each task whose processing was performed: if the router node executes one task, the tag of that one task is modified; if it executes several tasks, the tags of those several tasks are modified.
In an implementation, the processing module is further configured such that, when it processes the packet containing the network programming technology code and the packet carries information indicating that the related task is distributed denial-of-service attack analysis, the processing includes:
analyzing one or more types of network traffic according to the obtained traffic model of one or more router nodes to determine whether a distributed denial-of-service attack exists;
when a distributed denial-of-service attack exists, performing denial-of-service attack processing on one or more types of abnormal traffic according to the router's predetermined policy.
In an implementation, the processing module is further configured such that performing denial-of-service attack processing on one or more types of abnormal traffic according to the target router's predetermined policy includes:
performing a random packet drop operation and/or a marking operation on the one or more types of abnormal traffic,
where, if the marking operation is performed, the data packet needs to contain a suspicious/abnormal mark indicating whether the packet is suspicious or abnormal.
In an implementation, the processing module is further configured such that performing the random packet drop operation or the marking operation includes:
if the traffic is judged to have no anomaly, modifying the task identifier that indicates an anomaly detection task is requested, to indicate that the anomaly detection task for the packet has been completed.
In an implementation, the processing module is further configured to determine that a distributed denial-of-service attack exists when the monitored network traffic of a specific protocol exceeds the threshold traffic for that protocol in the traffic model.
In an implementation, the processing module is further configured such that performing the marking operation includes:
if the traffic is judged anomalous, marking the related packets as suspicious or abnormal.
In an implementation, the load module is further configured such that obtaining the traffic model of one or more router nodes includes:
each router node compiling a statistical traffic model of its own node and storing it on that router;
each router node obtaining a reference traffic model from another location and storing it on the router.
In an implementation, the processing module is further configured to process the task tag, encoded with the network programming technology, that is stored in the Hop-by-Hop extension header (HBH) among the extension headers of the IPv6 packet or in the SRv6 extension header.
A router node, comprising:
a processor, configured to read a program in a memory and execute the following process:
when acting as an ingress router node of the network, inserting a tag into packets in the format of the network programming technology encoding, the tag representing a corresponding operation, and the operation corresponding to one or more tasks that are to be executed somewhere in the network;
a transceiver, configured to receive and send data under the control of the processor.
In an implementation, the tag is inserted into the Hop-by-Hop extension header (HBH) of the IPv6 packet or into the SRv6 extension header.
A router node, comprising:
a tagging module, configured to, when the node acts as an ingress router node of the network, insert a tag into packets in the format of the network programming technology encoding, the tag representing a corresponding operation, and the operation corresponding to one or more tasks that are to be executed somewhere in the network.
In an implementation, the tagging module is further configured to insert the tag into the Hop-by-Hop extension header (HBH) of the IPv6 packet or into the SRv6 extension header.
A computer-readable storage medium storing a computer program which, when executed by a processor, implements the network programming technology processing method described above.
The beneficial effects of the present disclosure are as follows:
In the technical solution provided by the embodiments of the present disclosure, there is no need to specify on which node a given function (Function) must be executed; instead, whether to perform a given operation, for example whether to perform denial-of-service attack processing on one or more types of abnormal traffic, is decided according to the computing power of the target router and the task execution status recorded in the packet header. Because no specific execution location is specified, each node decides according to its own computing power whether to execute the related task. This makes full use of the computing capability available in the network and provides a network programming mechanism in which the executing nodes are more flexible and can cooperate with one another.
Further, this mechanism supports an easy-to-implement in-network security (network-intrinsic security) mechanism that can provide better DDoS protection.
Description of the drawings
The drawings described here are provided to give a further understanding of the present disclosure and form part of it; the illustrative embodiments of the present disclosure and their descriptions serve to explain the disclosure and do not constitute an improper limitation of it. In the drawings:
Figure 1 is a schematic diagram of the network architecture for in-network computing in an embodiment of the present disclosure;
Figure 2 is a schematic flowchart of the network programming technology processing method on a router node in an embodiment of the present disclosure;
Figure 3 is a schematic flowchart of the network programming technology processing method on an ingress router node in an embodiment of the present disclosure;
Figure 4 is a schematic diagram of the path a packet flows through in an embodiment of the present disclosure;
Figure 5 is a schematic diagram of the in-network computing network structure of Embodiment 1 of the present disclosure;
Figure 6 is a schematic diagram of DDoS attack detection in Embodiment 1 of the present disclosure;
Figure 7 is a schematic diagram of the in-network computing network structure and packet path of Embodiment 2 of the present disclosure;
Figure 8 is a schematic diagram of the extension headers of an IPv6 packet in an embodiment of the present disclosure;
Figure 9 is a schematic diagram of the structure of the IPv6 HBH extension header in an embodiment of the present disclosure;
Figure 10 is a first schematic structural diagram of a router node in an embodiment of the present disclosure;
Figure 11 is a second schematic structural diagram of a router node in an embodiment of the present disclosure.
Detailed description
The inventors noted during the course of the invention that:
Current SRv6 network programming is logically rather rigid: it only supports reaching a specific node and executing a specific operation there. It is quite flexible as to which operation is executed, but lacks the ability to flexibly specify the node that executes it.
Take the prevention of distributed denial-of-service (DDoS) attacks as an example. In a DDoS attack, multiple attackers in different locations attack one or several targets simultaneously, or one attacker controls multiple machines in different locations and uses them to attack the victim simultaneously. Because the attack originates from points distributed in different places, this type of attack is called a distributed denial-of-service attack, and there may be several attackers.
Principle of a distributed denial-of-service attack: DDoS is a special form of denial-of-service (DoS) attack, namely a distributed, coordinated, large-scale attack method. A single DoS attack is generally one-to-one: it exploits defects in network protocols and operating systems and uses deception and disguise to flood a web server with large volumes of messages demanding replies, consuming network bandwidth or system resources until the network or system is overloaded, collapses and stops providing normal network service. Compared with a DoS attack launched from a single host, a DDoS attack is a collective action launched simultaneously from hundreds or even thousands of hosts that have been compromised and had an attack process installed on them.
Current DDoS attack prevention mainly identifies and handles attack traffic at specific network nodes. Such a special node is also called an IDS, short for "Intrusion Detection System". The problem with this centralized approach is that the detection point usually sits high up in the network, and the centralized node is under heavy processing pressure. Academia and industry are therefore also exploring in-network computing techniques to relieve the computing pressure on IDS nodes. In-network computing means that a network node, while forwarding packets, also supports some additional packet processing, such as detecting whether particular traffic is attack traffic. The potential advantages of this approach are low latency, high scalability, faster response and proximity to the source node. The Internet Engineering Task Force (IETF) has a research group, COIN RG, dedicated to exploring how to achieve user security and privacy protection by means of in-network computing; its main approach is a programmable mechanism based on P4.
However, current in-network computing implementations lack a flexible cooperation mechanism among nodes. If a model is adopted in which every node is managed and coordinated by a controller, the controller adjusts what task each node executes. The possible problem is a slow response, mainly because the computing power of the forwarding plane on a forwarding node such as a router changes rapidly under the influence of the traffic load: the more services there are, the greater the forwarding pressure, and the more complex the service processing, the greater the forwarding pressure.
If the SRv6 network programming mentioned above is used instead, it is per-packet programming on the data plane. In that case it is still the head node of the path that decides which node executes which task; there is no support for judging, from the load of the forwarding node itself, whether to perform the operation.
During packet forwarding, in-network computing allows certain processing capabilities to be layered on top of forwarding; for attack prevention, the nodes that implement these capabilities can be flexibly distributed.
Figure 1 is a schematic diagram of the network architecture for in-network computing. As shown, in the in-network computing scenario computation takes place not only on the end side, e.g. the client (Client), mobile edge computing (MEC) or the cloud (Cloud), but may also take place on the programmable routers 1-5 (Router1-5), the ingress router (Ingress1) and the egress routers 1-3 (Egress1-3).
In a traditional network, a router is responsible only for packet forwarding, not for computation; in network programmable technology such as SRv6 (Segment Routing IPv6, a source routing technology based on IPv6; IPv6: Internet Protocol Version 6), the network supports "go to node X, execute Function Y".
In centrally scheduled in-network computing/network programming, the computing tasks are decomposed onto different nodes; in this mechanism the controller (Controller) perceives the computing and network information, makes decisions and pushes down policies. Note that NMS in Figure 1 stands for Network Management System.
In distributed in-network computing/network programming, the distributed ingress router (Ingress), as the headend of the path, can make some of the decisions.
The problem with centralized scheduling is that the computing power of the forwarding plane on a Router changes rapidly and is affected by the traffic load (the more services, the greater the forwarding pressure; the more complex the service processing, the greater the forwarding pressure), so centralized scheduling may respond slowly.
The problem with distributed scheduling is that although the decision points are distributed, execution is still fairly fixed: it does not take into account the computing power available on the Router or whether it is executing other tasks.
That is, in the related art the location where computation takes place is fairly fixed and not flexible enough.
On this basis, the embodiments of the present disclosure provide a processing scheme based on in-network computing and network programmable technology, explained here using the handling of distributed denial-of-service attacks as an example. Specific embodiments of the present disclosure are described below with reference to the drawings.
Figure 2 is a schematic flowchart of the network programming technology processing method on a router node. As shown, it may include:
Step 201: the router node receives a packet containing a network programming technology code, the code indicating that one or more corresponding tasks need to be executed;
Step 202: the router node determines the load state of the processing chip corresponding to the packet's ingress interface;
Step 203: when the load is greater than a predetermined value, the packet containing the network programming technology code is not processed; when the load is less than the predetermined value, the packet is processed.
In an implementation, the router node may determine the load state of the processing chip corresponding to the packet's ingress interface with reference to one or more of the following parameters:
the current utilization of the processing chip corresponding to the packet's ingress interface;
the number of packets currently being processed by that processing chip;
the sum of the rates of the flows to which the packets currently being processed by that processing chip belong.
In an implementation, processing the packet containing the network programming technology code includes:
the processing performed corresponds to the one or more tasks that need to be executed, each of which has a corresponding task tag in the data packet;
modifying the tag of each task whose processing was performed: if the router node executes one task, the tag of that one task is modified; if it executes several tasks, the tags of those several tasks are modified.
In an implementation, when the packet containing the network programming technology code is processed and the packet carries information indicating that the related task is distributed denial-of-service attack analysis, the processing further includes:
analyzing one or more types of network traffic according to the obtained traffic model of one or more router nodes to determine whether a distributed denial-of-service attack exists;
when a distributed denial-of-service attack exists, performing denial-of-service attack processing, for example packet dropping, on one or more types of abnormal traffic according to the router's predetermined policy.
In a specific implementation, performing denial-of-service attack processing on one or more types of abnormal traffic according to the target router's predetermined policy includes:
performing a random packet drop operation and/or a marking operation on the one or more types of abnormal traffic,
where, if the marking operation is performed, the data packet needs to contain a suspicious/abnormal mark indicating whether the packet is suspicious or abnormal.
In a specific implementation, obtaining the traffic model of one or more router nodes includes:
each router node compiling a statistical traffic model of its own node and storing it on that router;
each router node obtaining a reference traffic model from another location, for example a centralized control or management node, and storing it on the router.
In an implementation, determining whether a distributed denial-of-service attack exists may, for example, be determining that an attack exists when the monitored network traffic of a specific protocol exceeds the threshold traffic for that protocol in the traffic model.
In an implementation, denial-of-service attack processing includes performing a random packet drop operation or a marking operation on one or more types of abnormal traffic.
Specifically: the traffic model of one or more router nodes is obtained; one or more types of network traffic are analyzed according to one or more traffic models, and if the network traffic exceeds the threshold traffic, a distributed denial-of-service attack is determined to exist; when such an attack exists, a random packet drop operation or a marking operation is performed on one or more types of abnormal traffic according to the target router's predetermined policy.
In an implementation, when the determination result is that no distributed denial-of-service attack exists, the method further includes:
if the traffic is judged to have no anomaly, modifying the task identifier that indicates an anomaly detection task is requested, to indicate that the anomaly detection task for the packet has been completed.
In an implementation, performing the marking operation further includes:
if the traffic is judged anomalous, marking the related packets as suspicious or abnormal.
Figure 3 is a schematic flowchart of the network programming technology processing method on an ingress router node. As shown, it may include:
Step 301: at the ingress router node of the network, a tag is inserted into the packet in the format of the network programming technology encoding; the tag represents a corresponding operation, and the operation corresponds to one or more tasks that are to be executed somewhere in the network.
In an implementation, the tag is inserted into the Hop-by-Hop Options extension header (HBH) of the IPv6 packet or into the SRv6 extension header.
This is illustrated below with examples.
A typical current network programming/in-network computing technology such as SRv6 expresses "go to node x1, execute F1". In the distributed in-network computing mechanism provided by the embodiments of the present disclosure, the location of execution is not mandated (the packet may go to node x1/2/3/... and F1 is executed there); by the same token, F1 may also remain unexecuted.
Figure 4 is a schematic diagram of the path a packet flows through. As shown, suppose there are two tasks in total; the nodes on the path process them selectively according to their own situation, and by Egress3 both have been completed.
Dynamic cooperation in the network: each Router decides according to its own situation whether to perform DDoS attack detection;
Cooperation on the data plane: all packets, or the relevant packets, have a tag inserted at the ingress router node; optionally, processing and tag modification are performed at intermediate router nodes, and work that has already been done is not repeated; optionally, the IDS completes any work left unprocessed.
Embodiment 1:
In this example, DDoS detection is performed on a single router.
Figure 5 is a schematic diagram of the in-network computing network structure of Embodiment 1. As shown, in this network:
Assumption: Router1-5, Ingress1 and Egress1-3 have in-network computing capability deployed and support DDoS attack detection when their load is light.
One detection method, for example, uses an artificial intelligence (AI) based mechanism to compile a statistical traffic model of the node's own traffic; thereafter, if DDoS attack detection is required, the traffic is analyzed, and if the deviation from the model is large, for example reaches a threshold, a DDoS attack is considered possible and random packet dropping/marking is performed.
Figure 6 is a schematic diagram of DDoS attack detection in Embodiment 1. As shown, by comparing Pa (the traffic model based on historical data) with P2 (the currently monitored traffic model) for incoming Simple Service Discovery Protocol (SSDP), Internet Control Message Protocol (ICMP), Domain Name System (DNS), Simple Network Management Protocol (SNMP) and Network Time Protocol (NTP) traffic, changes in traffic can be detected and the presence of a DDoS attack determined.
Random packet dropping can be implemented as follows:
(1) The Ingress node tags the traffic that needs to be analyzed, for example by inserting 01000000 into the packet header, meaning that DDoS filtering is required but without specifying the node that executes it.
(2) A node that receives the packet, e.g. Router1, performs DDoS filtering if its load is light at that moment; specifically, it analyzes the packet to see whether the traffic characteristics are abnormal;
if an anomaly is found, the related packets are randomly dropped;
if no anomaly is found, the flag bits are cleared to 00000000.
(3) Optionally, if a packet was tagged at the Ingress but neither the Ingress nor Router1-5 processed it (i.e. performed DDoS attack detection and cleared the tag), Egress1/2/3 performs detection on the unprocessed packet.
Marking can be implemented as follows:
(1) The Ingress node tags the traffic that needs to be analyzed, for example by inserting 01000000 into the packet header, meaning that DDoS filtering is required but without specifying the node that executes it; at the same time, the first flag bit indicates whether the traffic is suspicious.
(2) A node that receives the packet, e.g. Router1, performs DDoS filtering if its load is light at that moment; specifically, it analyzes the packet to see whether the traffic characteristics are abnormal;
if an anomaly is found, the related packets are marked by changing the tag to 11000000;
if no anomaly is found, the flag bits are cleared to 00000000.
(3) Optionally, Egress1/2/3 performs detection on unprocessed packets and on packets whose first bit is set to 1.
Embodiment 2:
In this example, DDoS detection is performed cooperatively on multiple routers.
Figure 7 is a schematic diagram of the in-network computing network structure and packet path of Embodiment 2. As shown, in this network:
Assumption: Router1-5, Ingress1 and Egress1-3 have in-network computing capability deployed and support DDoS attack detection when their load is light.
For example, an AI-based mechanism compiles a statistical traffic model of the node's own traffic; thereafter, if DDoS attack detection is required, the traffic is analyzed, and if the deviation from the model is large, for example reaches a threshold, a DDoS attack is considered possible and a random packet drop/marking operation is performed.
Random packet dropping can be implemented as follows:
(1) The Ingress node tags the traffic that needs to be analyzed, for example by inserting 00101000 into the packet header, meaning that DDoS filtering is required but without specifying the node that executes it. There are two tasks, for example one requiring detection of DNS traffic and one requiring detection of ICMP traffic; that is, in this implementation, whether the traffic is abnormal is determined by detecting DNS traffic and/or ICMP traffic.
(2) A node that receives the packet, e.g. Router1/3, performs DDoS filtering if its load is light at that moment; specifically, it analyzes the packet to see whether the traffic characteristics are abnormal;
if an anomaly is found, the related packets are randomly dropped;
if no anomaly is found, the flag bit of the corresponding task is cleared.
(3) Optionally, Egress1/2/3 performs detection on unprocessed packets.
Marking can be implemented as follows:
(1) The Ingress node tags the traffic that needs to be analyzed, for example by inserting 00101000 into the packet header, meaning that DDoS filtering is required but without specifying the node that executes it; at the same time, the first flag bit indicates whether the traffic is suspicious.
(2) A node that receives the packet, e.g. Router1, performs DDoS filtering if its load is light at that moment; specifically, it analyzes the packet to see whether the traffic characteristics are abnormal;
if an anomaly is found, the related packets are marked by changing the tag to 10001000;
if no anomaly is found, the flag bits are cleared to 00001000.
(3) Optionally, Egress1/2/3 performs detection on unprocessed packets and on packets whose first bit is set to 1.
In implementation, the marking operation is performed in an extension header of the IPv6 header or in the SRv6 extension header.
Implementation does not exclude use similar to traditional network programming: the packet can specify that a particular function be performed at a particular location, and can also specify that another particular function be performed at any node on the path; the two kinds of function are stored at different locations in the packet. Figure 8 is a schematic diagram of the extension headers of an IPv6 packet. As shown, the extension headers are optionally carried identifiers, for example the Hop-by-Hop Options header, the Destination Options header and the Routing header.
In SRv6, a Segment Routing Header (SRH) can be carried, which includes the SRH's SID list (SID: Segment IDentifier), a list of multiple 128-bit addresses.
In implementation, the network programming technology code, that is, the task mark, is stored in an extension header of the IPv6 packet, specifically in the IPv6 Hop-by-Hop Options header (HBH) or in the SRv6 extension header.
In the mechanism where any node on the path may execute the function, the HBH header can be used rather than the SRH. In terms of processing logic, the option in the HBH header is examined at every hop, whereas the SRH is examined only after the Destination Address (DA) matches. SA is the abbreviation of Source Address.
In a specific implementation, the marking operation is performed in the IPv6 HBH extension header.
Figure 9 is a schematic diagram of the structure of the IPv6 HBH extension header. As shown, a suitable location for adding the detection-requirement information to each packet is the IPv6 HBH extension header; specifically, the field can be 8 bits, or longer, for example 32 bits.
The corresponding encapsulation can be added at the Ingress and optionally removed at the Egress.
The meaning of each bit can be customized, for example:
a bit indicating whether the traffic is suspicious;
a bit indicating that a task needs to be executed, for example that a Router is expected to filter a certain type of traffic;
a bit indicating that a Router is expected to filter traffic using a specific traffic model.
For example, an unused option type 0x0D (option_type 0x0D) may be requested from the Internet Assigned Numbers Authority (IANA). This option carries a Type-Length-Value (TLV) structure, that is, Type, Length and Value; the TLV is processed by each node, and the value in its Value part can be read and modified.
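The following is an added example, not code from the patent, showing how the 8-bit task/suspicion field of Embodiments 1 and 2 could be carried in an IPv6 Hop-by-Hop Options header and rewritten by a node on the path. The header layout (Next Header, Hdr Ext Len in 8-octet units, Pad1/PadN padding) follows RFC 8200; option type 0x0D is the value the text proposes to request from IANA and is treated here as an unassigned placeholder. Which task bit means "inspect DNS" and which means "inspect ICMP" is not stated in the text and is an assumption, as is the UDP Next Header value used for the sample packet; the rewrite rule (clear the executed task's bit, set the first bit on an anomaly) follows the 00101000 -> 10001000 / 00001000 transitions of Embodiment 2. Two practitioner caveats: in RFC 8200 the third-highest bit of the option type (0x20) declares whether the option data may change en route, and 0x0D has it clear even though this scheme rewrites the value at intermediate hops, so an assigned type would need that bit set for IPsec AH to treat the field as mutable; and many deployed routers slow-path or drop packets carrying Hop-by-Hop options (RFC 9098 documents this), which affects where such marks survive in practice.

```python
"""Hop-by-Hop option carrying the task/suspicion byte (added example, not the
patent's code). OPT_TYPE 0x0D is the placeholder value the text proposes to
request from IANA; it is not assigned. Bit assignments for the two detection
tasks are assumptions."""
from typing import Optional, Tuple

OPT_TYPE = 0x0D      # placeholder from the text; not an IANA-assigned type
SUSPICIOUS = 0x80    # first bit: traffic flagged as suspicious
TASK_DNS = 0x20      # assumption: task bit for "inspect DNS traffic"
TASK_ICMP = 0x08     # assumption: task bit for "inspect ICMP traffic"
PAD1, PADN = 0x00, 0x01


def build_hbh(next_header: int, flags: int) -> bytes:
    """Build an RFC 8200 Hop-by-Hop Options header holding one 1-byte option.
    Hdr Ext Len counts 8-octet units beyond the first 8; options are padded
    with Pad1/PadN so the header is a multiple of 8 octets."""
    option = bytes([OPT_TYPE, 1, flags & 0xFF])  # Type, Data Len, Value
    body = bytes([next_header, 0]) + option       # 5 octets so far
    pad = (8 - len(body) % 8) % 8                 # 3 octets of padding needed
    if pad == 1:
        body += bytes([PAD1])
    elif pad > 1:
        body += bytes([PADN, pad - 2]) + bytes(pad - 2)
    return body


def parse_hbh(hbh: bytes) -> Tuple[int, Optional[int], Optional[int]]:
    """Walk the option list as RFC 8200 requires and return
    (next_header, offset_of_flag_byte, flags); offset/flags are None when the
    option is absent."""
    next_header, ext_len = hbh[0], hbh[1]
    total = (ext_len + 1) * 8
    if len(hbh) < total:
        raise ValueError("truncated Hop-by-Hop header")
    i = 2
    while i < total:
        opt_type = hbh[i]
        if opt_type == PAD1:          # Pad1 has no length octet
            i += 1
            continue
        opt_len = hbh[i + 1]
        if opt_type == OPT_TYPE and opt_len == 1:
            return next_header, i + 2, hbh[i + 2]
        i += 2 + opt_len              # skip PadN and any other option
    return next_header, None, None


def node_process(hbh: bytes, task: int, abnormal: bool) -> bytes:
    """Rewrite the flag byte the way a lightly loaded node does in
    Embodiment 2: the executed task's bit is cleared, and the suspicious bit
    is set if the analysis found an anomaly. Packets without the option, or
    whose option does not request this task, are returned unchanged."""
    _, off, flags = parse_hbh(hbh)
    if off is None or not flags & task:
        return hbh
    flags &= ~task
    if abnormal:
        flags |= SUSPICIOUS
    return hbh[:off] + bytes([flags & 0xFF]) + hbh[off + 1:]


def needs_egress_check(flags: int) -> bool:
    """Egress inspects packets with unfinished tasks or the suspicious bit."""
    return bool(flags & (SUSPICIOUS | TASK_DNS | TASK_ICMP))


if __name__ == "__main__":
    ingress = build_hbh(17, TASK_DNS | TASK_ICMP)   # 17 = UDP, constructed sample
    print(ingress.hex())                              # 1100 0d01 28 010100
    print(format(parse_hbh(node_process(ingress, TASK_DNS, True))[2], "08b"))
    print(format(parse_hbh(node_process(ingress, TASK_DNS, False))[2], "08b"))
```

Running the block prints the Ingress-built header, then 10001000 for the abnormal case and 00001000 for the normal case, matching the transitions described for Router1 in Embodiment 2.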
Based on the same inventive concept, embodiments of the present disclosure also provide a router node and a computer-readable storage medium. Since the principle by which these devices solve the problem is similar to that of the network programming technology processing method, their implementation can refer to the implementation of the method, and repeated parts are not described again.
The technical solution provided by the embodiments of the present disclosure can be implemented as follows.
Figure 10 is a first schematic diagram of the router node structure. As shown in the figure, the router node includes:
a processor 1000, configured to read a program in memory 1020 and execute the following process:
receiving a packet containing a network programming technology code, the code indicating that one or more corresponding tasks need to be executed;
determining the load state of the processing chip corresponding to the packet's ingress interface;
when the load is greater than a predetermined value, not processing packets containing the network programming technology code; when the load is less than the predetermined value, processing packets containing the network programming technology code;
a transceiver 1010, configured to receive and send data under the control of the processor 1000.
In implementation, the load state of the processing chip corresponding to the packet's ingress interface is determined with reference to one or more of the following parameters:
the current utilization of the processing chip corresponding to the packet's ingress interface;
the number of packets currently being processed by the processing chip corresponding to the packet's ingress interface;
the sum of the rates of the flows to which the packets currently being processed by the processing chip corresponding to the packet's ingress interface belong.
In implementation, processing a packet containing the network programming technology code includes:
the processing performed corresponds to the one or more tasks that need to be executed, and the one or more tasks have corresponding task marks in the data packet;
modifying the mark of the task corresponding to the processing performed: if the router node executes one task, the mark of that one task is modified; if the router node executes multiple tasks, the marks of those multiple tasks are modified.
In implementation, when processing a packet containing the network programming technology code, if information carried in the packet indicates that the relevant task is distributed denial-of-service attack analysis, the processing further includes:
analyzing one or more types of network traffic according to the obtained traffic model of one or more router nodes, to determine whether a distributed denial-of-service attack exists;
when a distributed denial-of-service attack exists, performing denial-of-service attack handling on one or more types of abnormal traffic according to the router's predetermined policy.
In implementation, performing denial-of-service attack handling on one or more types of abnormal traffic according to the target router's predetermined policy includes:
performing a random packet-dropping operation and/or a marking operation on the one or more types of abnormal traffic;
if the marking operation is performed, the data packet needs to contain a suspicious/abnormal mark indicating whether the packet is suspicious or abnormal.
In implementation, when performing the random packet-dropping operation or the marking operation, the processing further includes:
if the traffic is determined not to be abnormal, modifying the task identifier corresponding to the requested anomaly-detection task to indicate that the anomaly-detection task for the packet has been completed.
In implementation, determining whether a distributed denial-of-service attack exists means determining that one exists when the monitored network traffic of a specific protocol exceeds the threshold traffic for that protocol in the traffic model.
In implementation, when performing the marking operation, the processing further includes:
if an abnormality is determined, marking the relevant packets as suspicious or abnormal.
In implementation, obtaining the traffic model of one or more router nodes includes:
each router node builds a statistical traffic model of itself and stores it on that router;
each router node obtains a reference traffic model from elsewhere and stores it on the router.
In implementation, the task mark of the network programming technology code is stored in the Hop-by-Hop extension header (HBH) among the extension headers of the IPv6 packet, or in the SRv6 extension header.
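The following is an added example, not the patent's code, of the decision logic a router node would run on a marked packet as described above: gate on the load of the ingress-interface processing chip, run each requested detection task against a per-protocol traffic model, clear the mark of each task actually executed, and on a DDoS verdict either set the suspicious bit or drop at random. The three load parameters are the ones the text lists; combining them with a simple "any one over its limit" rule, the limit values, the per-protocol threshold rates, the drop probability, and which flag bit denotes which protocol are all assumptions chosen for illustration. The `run` mask lets a node execute only some of the requested tasks and leave the rest for a later node, as Router1 does in Embodiment 2.

```python
"""Load-gated DDoS detection on a marked packet (added example, not the
patent's code). Limits, baseline rates, drop probability and the task-bit
assignments are assumptions for illustration."""
import random
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SUSPICIOUS = 0x80
TASK_BITS = {0x20: "dns", 0x08: "icmp"}   # assumption: task bit -> protocol


@dataclass
class ChipLoad:
    """The three parameters the text lists for the ingress-interface chip."""
    utilization: float          # fraction of processing capacity in use
    packets_in_flight: int      # packets currently being processed
    flow_rate_sum_bps: float    # sum of the rates of those packets' flows


# Assumed predetermined values; exceeding any one of them counts as
# "load greater than the predetermined value".
LIMITS = ChipLoad(utilization=0.7, packets_in_flight=50_000, flow_rate_sum_bps=40e9)


def is_overloaded(load: ChipLoad, limits: ChipLoad = LIMITS) -> bool:
    return (load.utilization > limits.utilization
            or load.packets_in_flight > limits.packets_in_flight
            or load.flow_rate_sum_bps > limits.flow_rate_sum_bps)


@dataclass
class TrafficModel:
    """Per-protocol threshold rates (packets/s), learned by the node itself or
    obtained from elsewhere. The numbers used below are constructed samples."""
    threshold_pps: Dict[str, float] = field(default_factory=dict)

    def is_ddos(self, proto: str, observed_pps: float) -> bool:
        limit = self.threshold_pps.get(proto)
        return limit is not None and observed_pps > limit


@dataclass
class Decision:
    flags: int              # rewritten task/suspicion byte
    drop: bool              # True if the packet is to be discarded
    processed: Tuple[str, ...]


def handle(flags: int, load: ChipLoad, model: TrafficModel,
           observed_pps: Dict[str, float], policy: str = "mark",
           drop_prob: float = 0.5, run: int = 0xFF,
           rng: Optional[random.Random] = None) -> Decision:
    """Skip everything when overloaded (marks stay for a later node).
    Otherwise, for each requested task this node is willing to run, clear its
    bit, compare the observed rate with the model, and on a DDoS verdict
    either set the suspicious bit ('mark') or drop with probability
    drop_prob ('drop')."""
    if is_overloaded(load):
        return Decision(flags, False, ())
    rng = rng or random.Random()
    drop = False
    done = []
    for bit, proto in TASK_BITS.items():
        if not (flags & bit & run):
            continue
        flags &= ~bit                       # task executed: modify its mark
        done.append(proto)
        if model.is_ddos(proto, observed_pps.get(proto, 0.0)):
            if policy == "mark":
                flags |= SUSPICIOUS
            elif policy == "drop" and rng.random() < drop_prob:
                drop = True
    return Decision(flags & 0xFF, drop, tuple(done))


if __name__ == "__main__":
    light = ChipLoad(0.3, 1_000, 5e9)
    model = TrafficModel({"dns": 2_000.0, "icmp": 500.0})   # constructed baseline
    d = handle(0b00101000, light, model, {"dns": 9_000.0}, run=0x20)
    print(format(d.flags, "08b"), d.drop, d.processed)        # 10001000 False ('dns',)
```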
In Figure 10, the bus architecture may include any number of interconnected buses and bridges, linking together various circuits including one or more processors represented by processor 1000 and memory represented by memory 1020. The bus architecture may also link together various other circuits such as peripherals, voltage regulators and power management circuits, which are well known in the art and are therefore not described further here. A bus interface provides the interface. The transceiver 1010 may be multiple elements, that is, a transmitter and a receiver, providing a unit for communicating with various other devices over a transmission medium. The processor 1000 is responsible for managing the bus architecture and general processing, and the memory 1020 may store data used by the processor 1000 when performing operations.
An embodiment of the present disclosure also provides a router node, including:
a receiving module, configured to receive a packet containing a network programming technology code, the code indicating that one or more corresponding tasks need to be executed;
a load module, configured to determine the load state of the processing chip corresponding to the packet's ingress interface;
a processing module, configured not to process packets containing the network programming technology code when the load is greater than a predetermined value, and to process packets containing the network programming technology code when the load is less than the predetermined value.
In implementation, the load module is further configured to determine the load state of the processing chip corresponding to the packet's ingress interface with reference to one or more of the following parameters:
the current utilization of the processing chip corresponding to the packet's ingress interface;
the number of packets currently being processed by the processing chip corresponding to the packet's ingress interface;
the sum of the rates of the flows to which the packets currently being processed by the processing chip corresponding to the packet's ingress interface belong.
In implementation, the processing module is further configured so that processing a packet containing the network programming technology code includes:
the processing performed corresponds to the one or more tasks that need to be executed, and the one or more tasks have corresponding task marks in the data packet;
modifying the mark of the task corresponding to the processing performed: if the router node executes one task, the mark of that one task is modified; if the router node executes multiple tasks, the marks of those multiple tasks are modified.
In implementation, the processing module is further configured so that, when processing a packet containing the network programming technology code, if information carried in the packet indicates that the relevant task is distributed denial-of-service attack analysis, the processing includes:
analyzing one or more types of network traffic according to the obtained traffic model of one or more router nodes, to determine whether a distributed denial-of-service attack exists;
when a distributed denial-of-service attack exists, performing denial-of-service attack handling on one or more types of abnormal traffic according to the router's predetermined policy.
In implementation, the processing module is further configured so that performing denial-of-service attack handling on one or more types of abnormal traffic according to the target router's predetermined policy includes:
performing a random packet-dropping operation and/or a marking operation on the one or more types of abnormal traffic;
if the marking operation is performed, the data packet needs to contain a suspicious/abnormal mark indicating whether the packet is suspicious or abnormal.
In implementation, the processing module is further configured so that, when performing the random packet-dropping operation or the marking operation, the processing includes:
if the traffic is determined not to be abnormal, modifying the task identifier corresponding to the requested anomaly-detection task to indicate that the anomaly-detection task for the packet has been completed.
In implementation, the processing module is further configured to determine that a distributed denial-of-service attack exists when the monitored network traffic of a specific protocol exceeds the threshold traffic for that protocol in the traffic model.
In implementation, the processing module is further configured so that, when performing the marking operation, the processing includes:
if an abnormality is determined, marking the relevant packets as suspicious or abnormal.
In implementation, the load module is further configured so that obtaining the traffic model of one or more router nodes includes:
each router node builds a statistical traffic model of itself and stores it on that router;
each router node obtains a reference traffic model from elsewhere and stores it on the router.
In implementation, the processing module is further configured to process the task mark of the network programming technology code stored in the Hop-by-Hop extension header (HBH) among the extension headers of the IPv6 packet or in the SRv6 extension header.
For convenience of description, the parts of the above device are divided by function into modules or units and described separately. Of course, when implementing the present disclosure, the functions of the modules or units may be implemented in one or more pieces of software or hardware.
Figure 11 is a second schematic diagram of the router node structure. As shown in the figure, the router node includes:
a processor 1100, configured to read a program in memory 1120 and execute the following process:
when acting as the ingress router node of the network, inserting marks into packets in the format of the network programming technology code, where a mark represents a corresponding operation and the operation corresponds to one or more tasks expected to be executed in the network;
a transceiver 1110, configured to receive and send data under the control of the processor 1100.
In implementation, the mark is inserted into the Hop-by-Hop extension header (HBH) of the IPv6 packet or into the SRv6 extension header.
In Figure 11, the bus architecture may include any number of interconnected buses and bridges, linking together various circuits including one or more processors represented by processor 1100 and memory represented by memory 1120. The bus architecture may also link together various other circuits such as peripherals, voltage regulators and power management circuits, which are well known in the art and are therefore not described further here. A bus interface provides the interface. The transceiver 1110 may be multiple elements, that is, a transmitter and a receiver, providing a unit for communicating with various other devices over a transmission medium. The processor 1100 is responsible for managing the bus architecture and general processing, and the memory 1120 may store data used by the processor 1100 when performing operations.
An embodiment of the present disclosure also provides a router node, including:
a marking module, configured, when the node acts as the ingress router node of the network, to insert marks into packets in the format of the network programming technology code, where a mark represents a corresponding operation and the operation corresponds to one or more tasks expected to be executed in the network.
In implementation, the marking module is further configured to insert the mark into the Hop-by-Hop extension header (HBH) of the IPv6 packet or into the SRv6 extension header.
For convenience of description, the parts of the above device are divided by function into modules or units and described separately. Of course, when implementing the present disclosure, the functions of the modules or units may be implemented in one or more pieces of software or hardware.
An embodiment of the present disclosure also provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the network programming technology processing method described above.
For specific implementation, refer to the implementation of the network programming technology processing method on a router node, or on a node acting as the ingress router node of the network.
In summary, the technical solution provided by the embodiments of the present disclosure is a new data-plane network-programmable mechanism aimed at DDoS: traffic is marked at the ingress node and is processed, according to the content of the mark, at some network node that is not determined in advance. There is no need to specify the Location at which a given Function must be executed; several tasks can be executed in the network without specifying where, and each node decides according to its own computing capacity whether to execute the related tasks.
This makes full use of the computing capacity in the network: nodes decide whether to perform the related processing according to their own computing capacity, providing an easily implemented in-network security (network-intrinsic security) mechanism that can offer better DDoS protection capability.
Those skilled in the art should understand that the embodiments of the present disclosure may be provided as a method, a system or a computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to magnetic disk storage and optical storage) containing computer-usable program code.
The present disclosure is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present disclosure. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, causing a series of operational steps to be performed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Obviously, those skilled in the art can make various changes and variations to the present disclosure without departing from its spirit and scope. Thus, if these modifications and variations of the present disclosure fall within the scope of the claims of the present disclosure and their equivalents, the present disclosure is intended to include them as well.

Claims (17)

  1. A network programming technology processing method, comprising:
    a router node receiving a packet containing a network programming technology code, the code indicating that one or more corresponding tasks need to be executed;
    the router node determining the load state of the processing chip corresponding to the packet's ingress interface;
    when the load is greater than a predetermined value, not processing packets containing the network programming technology code, and when the load is less than the predetermined value, processing packets containing the network programming technology code.
  2. The method of claim 1, wherein the router node determines the load state of the processing chip corresponding to the packet's ingress interface with reference to one or more of the following parameters:
    the current utilization of the processing chip corresponding to the packet's ingress interface;
    the number of packets currently being processed by the processing chip corresponding to the packet's ingress interface;
    the sum of the rates of the flows to which the packets currently being processed by the processing chip corresponding to the packet's ingress interface belong.
  3. The method of claim 1, wherein processing a packet containing the network programming technology code includes:
    the processing performed corresponds to the one or more tasks that need to be executed, and the one or more tasks have corresponding task marks in the data packet;
    modifying the mark of the task corresponding to the processing performed: if the router node executes one task, the mark of that one task is modified; if the router node executes multiple tasks, the marks of those multiple tasks are modified.
  4. The method of claim 1, wherein, when processing a packet containing the network programming technology code, if information carried in the packet indicates that the relevant task is distributed denial-of-service attack analysis, the method further includes:
    analyzing one or more types of network traffic according to the obtained traffic model of one or more router nodes, to determine whether a distributed denial-of-service attack exists;
    when a distributed denial-of-service attack exists, performing denial-of-service attack handling on one or more types of abnormal traffic according to the router's predetermined policy.
  5. The method of claim 4, wherein performing denial-of-service attack handling on one or more types of abnormal traffic according to the target router's predetermined policy includes:
    performing a random packet-dropping operation and/or a marking operation on the one or more types of abnormal traffic;
    if the marking operation is performed, the data packet needs to contain a suspicious/abnormal mark indicating whether the packet is suspicious or abnormal.
  6. The method of claim 5, wherein, when performing the random packet-dropping operation or the marking operation, the method further includes:
    if the traffic is determined not to be abnormal, modifying the task identifier corresponding to the requested anomaly-detection task to indicate that the anomaly-detection task for the packet has been completed.
  7. The method of claim 4, wherein determining whether a distributed denial-of-service attack exists means determining that one exists when the monitored network traffic of a specific protocol exceeds the threshold traffic for that protocol in the traffic model.
  8. The method of claim 4, wherein, when performing the marking operation, the method further includes:
    if an abnormality is determined, marking the relevant packets as suspicious or abnormal.
  9. The method of claim 4, wherein obtaining the traffic model of one or more router nodes includes:
    each router node builds a statistical traffic model of itself and stores it on that router;
    each router node obtains a reference traffic model from elsewhere and stores it on the router.
  10. The method of claim 1 or 3, wherein the task mark of the network programming technology code is stored in the Hop-by-Hop extension header (HBH) among the extension headers of the IPv6 packet, or in the SRv6 extension header.
  11. A network programming technology processing method, comprising:
    at the ingress router node of the network, inserting marks into packets in the format of the network programming technology code, where a mark represents a corresponding operation and the operation corresponds to one or more tasks expected to be executed in the network.
  12. The method of claim 11, wherein the mark is inserted into the Hop-by-Hop extension header (HBH) of the IPv6 packet or into the SRv6 extension header.
  13. A router node, comprising:
    a processor, configured to read a program in memory and execute the following process:
    receiving a packet containing a network programming technology code, the code indicating that one or more corresponding tasks need to be executed;
    determining the load state of the processing chip corresponding to the packet's ingress interface;
    when the load is greater than a predetermined value, not processing packets containing the network programming technology code; when the load is less than the predetermined value, processing packets containing the network programming technology code;
    收发机,用于在处理器的控制下接收和发送数据。Transceiver, used to receive and send data under the control of a processor.
  14. 一种路由器节点,包括:A router node consisting of:
    接收模块,用于收到含有网络编程技术编码的报文,所述的网络编程技术编码指示了有一个或多个对应的任务需要被执行;A receiving module, configured to receive a message containing a network programming technology code, which indicates that one or more corresponding tasks need to be executed;
    负载模块,用于确定所述报文入接口对应的处理芯片的负载状态;A load module, used to determine the load status of the processing chip corresponding to the message incoming interface;
    处理模块,用于在负载大于预定值时,不对含有网络编程技术编码的报文进行处理,在负载小于预定值时,对含有网络编程技术编码的报文进行处理。The processing module is used to not process the packets containing the network programming technology code when the load is greater than a predetermined value, and to process the packets containing the network programming technology code when the load is less than the predetermined value.
  15. 一种路由器节点,包括:A router node consisting of:
    处理器,用于读取存储器中的程序,执行下列过程:Processor, used to read the program in the memory and perform the following processes:
    在作为网络的入口路由器节点时,按照网络编程技术编码的格式对报文进行标记***,所述标记代表了对应的操作,所述的操作是对应了一个或者几个在网络中希望执行的任务;When serving as the entrance router node of the network, tags are inserted into the packets according to the format encoded by network programming technology. The tags represent corresponding operations, and the operations correspond to one or several tasks that are expected to be performed in the network. ;
    收发机,用于在处理器的控制下接收和发送数据。Transceiver, used to receive and send data under the control of a processor.
  16. 一种路由器节点,包括:A router node consisting of:
    标记模块,用于在作为网络的入口路由器节点时,按照网络编程技术编 码的格式对报文进行标记***,所述标记代表了对应的操作,所述的操作是对应了一个或者几个在网络中希望执行的任务。The tag module is used to program according to network programming technology when serving as the entrance router node of the network. Marks are inserted into the packets in the format of the code, and the marks represent corresponding operations. The operations correspond to one or several tasks that are expected to be performed in the network.
  17. 一种计算机可读存储介质,所述计算机可读存储介质存储有计算机程序,所述计算机程序被处理器执行时实现权利要求1至12任一所述方法。 A computer-readable storage medium stores a computer program, and when the computer program is executed by a processor, the method of any one of claims 1 to 12 is implemented.
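The ingress tagging, chip-load gate and DDoS processing steps of claims 4 to 13, as an added Python simulation that is not part of the patent or of any implementation by the applicants. The bit values of the task identifier and mark, the packets-per-window traffic model, and all names are assumptions made for this example.

```python
import random
from dataclasses import dataclass, field

# Bit values are constructed for this example; the claims fix only the meaning
# of the task identifier and the suspicious/abnormal mark, not their encoding.
TASK_ANOMALY_DETECT = 0x01  # ingress asks downstream nodes to run anomaly detection
TASK_DONE = 0x80            # processing node reports the detection task as completed
MARK_SUSPICIOUS = 0x02      # packet judged suspicious/abnormal (claim 8)


@dataclass
class Packet:
    proto: str          # protocol of the packet, e.g. "udp" (used for the per-protocol threshold)
    hbh_task: int = 0   # task identifier carried in the IPv6 hop-by-hop extension header
    hbh_mark: int = 0   # suspicious/abnormal mark, also carried in the HBH header


def ingress_tag(pkt: Packet, tasks: int) -> Packet:
    """Entrance router node (claim 11): insert the task mark into the packet."""
    pkt.hbh_task |= tasks
    return pkt


@dataclass
class RouterNode:
    traffic_model: dict          # per-protocol threshold, packets per window (assumed model)
    load_limit: float            # chip load above which tagged packets are left unprocessed
    drop_prob: float = 0.5       # probability of dropping an abnormal packet (random drop)
    counts: dict = field(default_factory=dict)   # packets seen per protocol this window

    def process(self, pkt: Packet, chip_load: float, rng=random.random):
        """Return the packet (possibly marked) or None if it was dropped."""
        if not (pkt.hbh_task & TASK_ANOMALY_DETECT):
            return pkt                           # no task requested: plain forwarding
        if chip_load > self.load_limit:
            return pkt                           # claim 13: chip busy, skip the task
        self.counts[pkt.proto] = self.counts.get(pkt.proto, 0) + 1
        limit = self.traffic_model.get(pkt.proto, float("inf"))
        if self.counts[pkt.proto] > limit:       # claim 7: traffic above the model threshold
            if rng() < self.drop_prob:           # claim 5: random drop ...
                return None
            pkt.hbh_mark |= MARK_SUSPICIOUS      # ... and/or mark as suspicious (claim 8)
            return pkt
        pkt.hbh_task |= TASK_DONE                # claim 6: no anomaly, task completed
        return pkt
```

Passing a custom `rng` callable makes the random-drop branch deterministic, which is how the example can be unit-tested.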

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210546405.XA CN117134925A (en) 2022-05-18 2022-05-18 Network programming technology processing method, system and storage medium
CN202210546405.X 2022-05-18

Publications (1)

Publication Number Publication Date
WO2023222028A1 true WO2023222028A1 (en) 2023-11-23

Family

ID=88834692

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/094748 WO2023222028A1 (en) 2022-05-18 2023-05-17 Network programming technology processing method and system, and storage medium

Country Status (2)

Country Link
CN (1) CN117134925A (en)
WO (1) WO2023222028A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140269266A1 (en) * 2012-10-05 2014-09-18 Cisco Technology, Inc. Method and system for path monitoring using segment routing
US20200389391A1 (en) * 2019-01-30 2020-12-10 Huawei Technologies Co., Ltd. Packet processing method and apparatus
CN112187649A (en) * 2019-07-01 2021-01-05 华为技术有限公司 Message forwarding method, message processing method and device
CN112751826A (en) * 2020-12-07 2021-05-04 中兴通讯股份有限公司 Calculation force application flow forwarding method and device
CN114500453A (en) * 2022-03-31 2022-05-13 北京邮电大学 Identification analysis method and device

Also Published As

Publication number Publication date
CN117134925A (en) 2023-11-28

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23806979

Country of ref document: EP

Kind code of ref document: A1