
CN104853001B - ARP message processing method and equipment - Google Patents

Info

Publication number: CN104853001B
Authority: CN (China)
Application number: CN201510191414.1A
Other versions: CN104853001A
Language: Chinese (zh)
Prior art keywords: controller, port, flow table, reported, arp
Legal status: Active
Inventors: 高庆光, 张圣彦
Assignee (current and original): New H3C Technologies Co Ltd

Events: application filed by New H3C Technologies Co Ltd; priority to CN201510191414.1A; publication of CN104853001A; application granted; publication of CN104853001B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/10 Mapping addresses of different types
    • H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies


Abstract

A forwarding device in an SDN network reports to the SDN controller the registration information it receives through its first port from a virtual machine. It then receives from the controller a first filtering flow table for that port; the table carries the IP address and MAC address of the virtual machine taken from the registration information. Of the ARP packets subsequently received through the first port, only those whose addresses agree with the IP address and MAC address in the first filtering flow table are reported to the controller. By filtering ARP packets in this way, illegal ARP packets (attack or spoofed ARP packets) are discarded at the forwarding device. This improves network security and also prevents large volumes of illegal ARP packets from consuming bandwidth and driving up the controller's CPU usage, which in turn improves the controller's ARP response efficiency and reduces hardware resource consumption.

Description

ARP message processing method and equipment
Technical Field
The present invention relates to the field of communications technologies, and in particular to a method and an apparatus for processing Address Resolution Protocol (ARP) packets.
Background
Fig. 1 is a schematic diagram of the networking structure of an existing SDN (Software Defined Network). In an existing SDN network, ARP packets are not broadcast and forwarded; they are answered by the controller. That is, the forwarding devices (for example, virtual switches) report every ARP packet they receive to the controller, and the controller answers all of them centrally.
Specifically, a port of a virtual machine in the SDN network is registered with the controller, and the registration information includes the port's IP address (Internet Protocol address) and MAC address (Media Access Control address). When the virtual machine needs to communicate with another virtual machine, it sends an ARP packet to the forwarding device to which it is connected. The forwarding device's default action on receiving the ARP packet is to report it to the controller. The controller looks up its local table entries, answers the ARP request from the registration information, and delivers the ARP reply to the port over the OpenFlow protocol. The virtual machine thereby obtains the IP address and MAC address of the other virtual machine and starts communicating with it.
As this processing shows, the forwarding device reports every received ARP packet to the controller by default. If the forwarding device receives a large number of ARP packets with forged IP and MAC addresses, sent for attack or spoofing, and reports all of them straight to the controller, network security is poor.
Disclosure of Invention
The application provides a method and a device for processing ARP packets, to solve the poor network security that results from the ARP processing mechanism of existing SDNs.
To this end, the present invention provides an ARP packet processing method comprising at least the following steps:
a forwarding device in an SDN (software defined network) reports, to a controller in the SDN, registration information sent by a virtual machine in the SDN and received through a first port of the forwarding device;
the forwarding device receives a first filtering flow table issued by the controller for the first port, the first filtering flow table comprising the IP address and the MAC address of the virtual machine from the registration information;
when the forwarding device receives an ARP packet through the first port, it judges whether the source IP address and source MAC address carried in the ARP packet are consistent with the IP address and MAC address in the first filtering flow table;
and when the judgment result is yes, it reports the ARP packet to the controller.
The present invention also provides a forwarding device, including:
a reporting module, configured to report, to a controller in a Software Defined Network (SDN), registration information sent by a virtual machine in the SDN, which is received through a first port of the forwarding device in the SDN; when the judging module judges that the source IP address and the source MAC address carried in the ARP message are consistent with the IP address and the MAC address in the first filtering flow table, the ARP message is reported to the controller;
a receiving module, configured to receive a first filtering flow table issued by the controller for the first port, where the first filtering flow table includes an IP address and a MAC address of the virtual machine in the registration information;
and the judging module is used for judging whether a source IP address and a source MAC address carried in the ARP message are consistent with the IP address and the MAC address in the first filtering flow table or not when the ARP message is received through the first port.
The invention also provides an ARP packet processing method comprising at least the following steps:
a controller in a Software Defined Network (SDN) receives registration information reported by a forwarding device in the SDN, the forwarding device having received that registration information from a virtual machine in the SDN through its first port;
the controller issues to the forwarding device a first filtering flow table, specific to the first port, containing the IP address and MAC address of the virtual machine from the registration information, so that when the forwarding device receives an ARP packet through the first port it judges whether the source IP address and source MAC address in the ARP packet are consistent with the IP address and MAC address in the first filtering flow table and, when the judgment result is yes, reports the ARP packet to the controller.
The present invention also provides a controller, comprising:
a receiving module, configured to receive registration information reported by a forwarding device in the SDN network, the forwarding device having received that registration information from a virtual machine in the SDN network through its first port;
and an issuing module, configured to issue to the forwarding device a first filtering flow table, specific to the first port, containing the IP address and MAC address of the virtual machine from the registration information, so that when the forwarding device receives an ARP packet through the first port it judges whether the source IP address and source MAC address in the ARP packet are consistent with the IP address and MAC address in the first filtering flow table and, when the judgment result is yes, reports the ARP packet to the controller.
Compared with the prior art, the invention has the following advantages:
By applying the technical scheme of the invention, the forwarding device in the SDN network reports to the controller the registration information sent by a virtual machine and received through the device's first port; it receives the first filtering flow table that the controller issues for that port, comprising the IP address and MAC address of the virtual machine from the registration information; and, of the ARP packets received through the first port, it reports to the controller only those consistent with the IP address and MAC address in the first filtering flow table. The invention thus filters ARP packets and removes illegal ones (attack or spoofed ARP packets). This not only improves network security but also prevents large numbers of illegal ARP packets from consuming bandwidth and raising the controller's CPU usage, which improves the controller's ARP response efficiency and reduces hardware resource consumption.
Drawings
Fig. 1 is a schematic networking diagram of an existing SDN;
Fig. 2 is a schematic flowchart of an ARP packet processing method according to the present invention;
Fig. 3 is a schematic diagram of an SDN network structure suitable for the ARP packet processing method provided by the present invention;
Fig. 4 is a second flowchart of an ARP packet processing method according to the present invention;
Fig. 5 is a schematic structural diagram of a forwarding device proposed by the present invention;
Fig. 6 is a third flowchart of the ARP packet processing method according to the present invention;
Fig. 7 is a fourth flowchart of the ARP packet processing method according to the present invention;
Fig. 8 is a schematic structural diagram of a controller according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be described clearly and completely with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the embodiments described below are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without any creative effort belong to the protection scope of the embodiments of the present invention.
Fig. 2 is a schematic flowchart of an ARP packet processing method provided in an embodiment, where the ARP packet processing method is applied to an SDN network including a virtual machine, a forwarding device, and a controller, and the method is described in detail below on the forwarding device side.
The method specifically comprises the following steps:
Step S201, the forwarding device reports to the controller the registration information sent by the virtual machine and received through the forwarding device's first port.
For example, in Fig. 3 the forwarding device is connected to the virtual machine through its first port P1. When the virtual machine registers, it sends, via the forwarding device, registration information carrying its IP address and MAC address to the controller.
Step S202, the forwarding device receives a first filtering flow table issued by the controller for the first port, the first filtering flow table comprising the IP address and MAC address of the virtual machine from the registration information.
Having obtained the registration information carrying the virtual machine's IP address and MAC address, the controller generates, for the first port P1 of the forwarding device to which the virtual machine is connected, a first filtering flow table containing that IP address and MAC address, and issues it for the first port P1. Note that this first filtering flow table containing the virtual machine's IP address and MAC address is a non-aging flow table: it does not time out.
Step S203, when the forwarding device receives an ARP packet through the first port, it judges whether the source IP address and source MAC address carried in the ARP packet are consistent with the IP address and MAC address in the first filtering flow table.
After the virtual machine has registered, whenever it needs to communicate with another virtual machine it sends an ARP packet to the forwarding device it is connected to. When the forwarding device receives that ARP packet on the first port, it judges whether the packet's source IP address and source MAC address are consistent with the IP address and MAC address in the first filtering flow table that the controller issued for the first port.
If yes, step S204 is executed.
Step S204, report the ARP packet to the controller.
That is, if both the source IP address and the source MAC address in the ARP packet are consistent with the IP address and MAC address in the first filtering flow table, the ARP packet is considered a valid ARP packet sent by the virtual machine, and the forwarding device reports it to the controller.
Preferably, the forwarding device performs the report according to the action in the first filtering flow table. For example, the action may be "report after executing the operations of another flow table", in which case the forwarding device first processes the ARP packet according to that other flow table and then reports it to the controller.
If the source IP address in the ARP packet is inconsistent with the IP address in the first filtering flow table and the source MAC address is inconsistent with the MAC address in the first filtering flow table; or
the source IP address is consistent with the IP address in the first filtering flow table but the source MAC address is inconsistent with the MAC address; or
the source IP address is inconsistent with the IP address in the first filtering flow table but the source MAC address is consistent with the MAC address, then step S205 is executed.
Step S205, discard the ARP packet.
That is, in every case other than a match on both addresses, the ARP packet is regarded as an illegal ARP packet and the forwarding device discards it, so that it does not consume the controller's bandwidth resources.
Preferably, the forwarding device performs the discard according to the action in the first filtering flow table. For example, the action may be "execute the discard operation of a default discard flow table", in which case the forwarding device discards the packet as that default discard flow table directs.
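The filtering decision of steps S201 to S205, as an added example that is not code from the patent or from New H3C. It models the per-port filtering entry the controller installs from the registration information, reports an ARP packet only when both the ARP sender IP (arp_spa) and sender MAC (arp_sha) match that entry, and sends everything else on the port to a default drop entry; because the entry is keyed by port, the same logic serves the second filtering flow table on the gateway port described later. The dataclasses, the in-memory flow table, the priorities and the ovs-ofctl rendering of the equivalent OpenFlow entries are assumptions chosen for this example; the patent does not specify the concrete encoding.

```python
"""Filtering flow table on the forwarding device (steps S201-S205).

Added example, not code from the patent or from New H3C. Packet and table
representations, priorities and the ovs-ofctl strings are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ACTION_REPORT = "controller"   # packet-in to the controller
ACTION_DROP = "drop"           # default discard flow table


@dataclass(frozen=True)
class ArpPacket:
    in_port: int
    spa: str          # ARP sender protocol (IP) address
    sha: str          # ARP sender hardware (MAC) address
    op: int = 1       # 1 = request, 2 = reply


@dataclass
class FilterEntry:
    """One 'first filtering flow table' entry, bound to a single port."""
    ip: str
    mac: str
    priority: int = 100
    hard_timeout: int = 0   # 0 = non-aging, as the patent requires


class ForwardingDevice:
    def __init__(self) -> None:
        self.filters: Dict[int, FilterEntry] = {}
        self.reported: List[ArpPacket] = []
        self.dropped: List[ArpPacket] = []

    def install_filter(self, port: int, entry: FilterEntry) -> None:
        # A re-registration replaces the entry; there is one entry per port.
        self.filters[port] = entry

    def handle_arp(self, pkt: ArpPacket) -> str:
        """Steps S203-S205: report only on a full (IP, MAC) match, else drop."""
        entry = self.filters.get(pkt.in_port)
        if (entry is not None
                and pkt.spa == entry.ip
                and pkt.sha.lower() == entry.mac.lower()):
            self.reported.append(pkt)
            return ACTION_REPORT
        # IP-only or MAC-only matches, and packets on ports without an entry,
        # all fall through to the default discard entry.
        self.dropped.append(pkt)
        return ACTION_DROP

    def ovs_flows(self, port: int) -> List[str]:
        """Equivalent OpenFlow entries in ovs-ofctl syntax (assumed encoding)."""
        e = self.filters[port]
        return [
            f"table=0,priority={e.priority},in_port={port},arp,"
            f"arp_spa={e.ip},arp_sha={e.mac},actions=CONTROLLER:65535",
            f"table=0,priority=1,in_port={port},arp,actions=drop",
        ]


class Controller:
    """Controller side of S201/S202: registration -> per-port filtering entry."""
    def __init__(self) -> None:
        self.registry: Dict[Tuple[int, int], Tuple[str, str]] = {}

    def on_registration(self, dev: ForwardingDevice, dev_id: int,
                        port: int, ip: str, mac: str) -> None:
        self.registry[(dev_id, port)] = (ip, mac.lower())
        dev.install_filter(port, FilterEntry(ip=ip, mac=mac.lower()))


def run_demo() -> Dict[str, str]:
    """Constructed scenario: VMs on P1 and P2, one ARP packet per case."""
    dev, ctl = ForwardingDevice(), Controller()
    ctl.on_registration(dev, dev_id=1, port=1, ip="10.0.0.2", mac="02:00:00:00:00:02")
    ctl.on_registration(dev, dev_id=1, port=2, ip="10.0.0.3", mac="02:00:00:00:00:03")
    cases = {
        "both_match": ArpPacket(1, "10.0.0.2", "02:00:00:00:00:02"),
        "ip_only":    ArpPacket(1, "10.0.0.2", "02:00:00:00:00:99"),   # MAC spoofed
        "mac_only":   ArpPacket(1, "10.0.0.99", "02:00:00:00:00:02"),  # IP spoofed
        "neither":    ArpPacket(1, "10.0.0.99", "02:00:00:00:00:99"),
        "wrong_port": ArpPacket(2, "10.0.0.2", "02:00:00:00:00:02"),   # P1's VM seen on P2
    }
    return {name: dev.handle_arp(pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, action in run_demo().items():
        print(f"{name:12s} -> {action}")
```

The "wrong_port" case is what makes the entry port-bound: a legitimately registered (IP, MAC) pair arriving on a different port is still dropped, so a tenant cannot borrow a neighbour's identity through its own port. A stricter variant would also compare the Ethernet source address against the entry, which this example does not do.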
Further, to improve the security of the SDN network still more, the method also includes:
the forwarding device receives a meter flow table issued by the controller for rate-limiting the ARP packets received through the first port and reported to the controller, the meter flow table being issued after the controller determines that the rate at which it receives ARP packets reported from the first port is not less than a preset limit rate;
and the forwarding device rate-limits the ARP packets received through the first port and reported to the controller according to the rate-limit policy corresponding to the limit rate in the meter flow table.
In this flow the controller sets in advance a limit on the rate at which it receives ARP packets reported from the first port (that is, the legitimate ARP packets from that port, since illegal ones have already been filtered). When the rate of legitimate ARP packets from the first port is not less than the preset limit rate, the packets are individually valid but the first port is suspected of mounting an ARP attack; the controller then issues the meter flow table to the forwarding device and may at the same time raise an ARP alarm for the first port.
Correspondingly, on the forwarding device, once the rate of ARP packets received through the first port and due to be reported reaches or exceeds the limit rate in the meter flow table, the packets at or above that rate are discarded according to the rate-limit policy corresponding to the limit rate. For example, suppose the controller presets a limit of 100 ARP packets per second for packets reported from the first port. When the number of ARP packets reported from that port within one second reaches 100, the controller issues the meter flow table to the forwarding device, and the forwarding device, following the meter flow table, discards the 100th and every subsequent ARP packet received through the first port within that second that would otherwise be reported to the controller.
Still further, the method includes:
the forwarding device receives a discard flow table issued by the controller for discarding the ARP packets received through the first port and reported to the controller, the discard flow table being issued after the controller determines that the rate of ARP packets it receives from the first port has been not less than the limit rate over a number of specified periods;
and the forwarding device discards, according to the discard flow table, the ARP packets received through the first port that would need to be reported to the controller.
Specifically, the controller periodically queries the meter flow table's statistics, which include the number of ARP packets the forwarding device reported in the specified period and the number it discarded under the rate-limit policy; from these two counts the controller computes the ARP packet rate from the first port. If that rate stays at or above the limit rate for several consecutive specified periods, the controller raises an ARP alarm for the first port and issues the discard flow table to the forwarding device, which then discards every ARP packet received through the first port that would need to be reported. After this, only an administrator can restore the port, and only manually.
Or,
the forwarding device receives a deletion message sent by the controller for deleting the meter flow table, the deletion message being sent after the controller determines that the rate of ARP packets it receives from the first port has fallen below the limit rate;
and the forwarding device deletes the meter flow table according to the deletion message.
Specifically, the controller keeps polling the meter flow table's statistics, and as soon as it finds that the rate of ARP packets received from the first port is below the limit rate, it issues the deletion message instructing the forwarding device to delete the meter flow table, that is, to stop rate-limiting ARP packets on the first port.
Note that the preset limit rate can be chosen according to the actual conditions of the SDN network.
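The meter, discard and delete sequence described above, carried through as an added example that is not code from the patent or from New H3C. The controller-side state for one port moves from normal to metered when the packet-in rate reaches the limit, polls the meter counters each period and counts the offered rate (reported plus dropped) against the limit, installs a discard entry after N consecutive periods over the limit, and deletes the meter as soon as the rate falls below it; the discard entry is only lifted by an administrator call. The message names, the fixed one-second window in the meter (which drops from the 100th packet on, as in the patent's example) and the numbers used (100 pkt/s, 1 s periods, 3 strikes) are assumptions for this example.

```python
"""Controller-side ARP rate policing for one port (meter / discard / delete).

Added example, not code from the patent or from New H3C. Message names,
the fixed-window meter and the constants below are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

LIMIT_PPS = 100        # preset limit rate (assumed)
PERIOD_S = 1.0         # statistics / meter period (assumed)
STRIKE_PERIODS = 3     # consecutive over-limit periods before the discard flow


class MeterBand:
    """Forwarding-device meter: fixed 1 s window, drop from the LIMIT-th packet on."""
    def __init__(self, limit: int) -> None:
        self.limit = limit
        self.window = -1
        self.count = 0
        self.reported = 0
        self.dropped = 0

    def admit(self, ts: float) -> bool:
        w = int(ts // PERIOD_S)
        if w != self.window:
            self.window, self.count = w, 0
        self.count += 1
        if self.count >= self.limit:       # patent example: 100th and later are dropped
            self.dropped += 1
            return False
        self.reported += 1
        return True

    def stats_and_reset(self) -> Dict[str, int]:
        """What the controller reads back each period, then counters restart."""
        s = {"reported": self.reported, "dropped": self.dropped}
        self.reported = self.dropped = 0
        return s


@dataclass
class PortPolicer:
    """Controller state for one (device, port)."""
    port: int
    state: str = "normal"            # normal -> metered -> blocked
    strikes: int = 0
    messages: List[str] = field(default_factory=list)   # sent to the forwarding device
    alarms: List[str] = field(default_factory=list)

    def on_packet_in_rate(self, rate_pps: float) -> None:
        """Rate of legitimate ARP reports reaching the controller while unmetered."""
        if self.state == "normal" and rate_pps >= LIMIT_PPS:
            self.state = "metered"
            self.strikes = 0
            self.messages.append(f"ADD_METER port={self.port} rate={LIMIT_PPS}pps")
            self.alarms.append(f"ARP rate alarm on port {self.port}")

    def on_meter_stats(self, stats: Dict[str, int]) -> None:
        """Periodic poll of meter counters; the offered rate includes dropped packets."""
        if self.state != "metered":
            return
        offered = (stats["reported"] + stats["dropped"]) / PERIOD_S
        if offered >= LIMIT_PPS:
            self.strikes += 1
            if self.strikes >= STRIKE_PERIODS:
                self.state = "blocked"
                self.messages.append(f"ADD_DISCARD_FLOW port={self.port} arp")
                self.alarms.append(f"ARP blocked on port {self.port}; manual recovery required")
        else:
            self.state = "normal"
            self.strikes = 0
            self.messages.append(f"DELETE_METER port={self.port}")

    def admin_recover(self) -> None:
        """Only an administrator lifts the discard flow."""
        if self.state == "blocked":
            self.state = "normal"
            self.messages.append(f"DELETE_DISCARD_FLOW port={self.port}")


def simulate(offered_per_period: List[int]) -> PortPolicer:
    """Drive one port through constructed per-second offered ARP counts."""
    pol, meter = PortPolicer(port=1), MeterBand(LIMIT_PPS)
    for period, n in enumerate(offered_per_period):
        if pol.state == "normal":
            pol.on_packet_in_rate(n)        # no meter yet: everything reaches the controller
            continue
        if pol.state == "metered":
            for i in range(n):
                meter.admit(period + i / max(n, 1))
            pol.on_meter_stats(meter.stats_and_reset())
        # "blocked": the discard flow absorbs everything; nothing reaches the controller
    return pol


if __name__ == "__main__":
    p = simulate([20, 150, 150, 150, 150, 10])
    print(p.state, p.messages, p.alarms)
```

Note that the discard decision is taken on the offered rate, not on what the controller still sees: once the meter is in place the controller receives at most 99 packets per second from the port, so reading only its own packet-in counter would wrongly conclude the attack had stopped.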
Fig. 4 is a flowchart of another ARP packet processing method, provided as a second embodiment. It applies to an SDN network comprising a forwarding device, the forwarding device's gateway and a controller, and is described below from the forwarding device side.
The method specifically comprises the following steps:
Step S401, the forwarding device reports to the controller an ARP packet sent by the gateway and received for the first time through a second port of the forwarding device; this ARP packet is the gateway's reply to an ARP packet that the controller, having determined that the forwarding device is configured with a gateway, sent to the gateway through the forwarding device.
For example, in Fig. 3 the forwarding device is connected to the gateway through its second port eth1. This networking architecture is mainly used so that the forwarding device can interact with forwarding devices in the SDN network that are in a different VLAN from it. In this case
Step S402, the forwarding device receives a second filtering flow table issued by the controller for the second port, the second filtering flow table containing the IP address and MAC address of the gateway as carried in the ARP packet sent by the gateway.
Specifically, before the controller can answer ARP requests on behalf of a forwarding device configured with a gateway, it needs to know the IP address and MAC address of the gateway of the network segment the forwarding device is in. The controller therefore generates, from the gateway's IP address, an ARP request for the gateway's MAC address, sends it to the forwarding device and designates that it be sent out of eth1. The gateway receives the ARP request and replies; the forwarding device reports the ARP reply to the controller; and the controller generates the second filtering flow table from the gateway IP address and MAC address carried in the ARP reply and issues it to the forwarding device.
In addition, the controller issues the ARP reply back to the forwarding device so that the forwarding device learns the ARP entry and sets the learned entry as a static entry. The ARP entry and the second filtering flow table can then be refreshed only when the controller itself initiates an ARP request, which further improves network security.
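The controller-initiated gateway discovery of steps S401 and S402, as an added example that is not code from the patent or from New H3C. The controller builds an ARP request for the configured gateway IP, has the forwarding device send it out of eth1, and accepts only a reply that came back in on eth1, is an ARP reply, names the gateway IP as sender, is addressed to the controller, and whose ARP sender MAC agrees with the Ethernet source; from that reply it derives the static ARP entry and the second filtering flow table match. The Ethernet and ARP layouts are the standard wire format; the controller's own sender IP/MAC, the port name, the constructed gateway stand-in and the return-value shapes are assumptions made for this example.

```python
"""Controller-driven learning of the gateway MAC through eth1 (S401/S402).

Added example, not code from the patent or from New H3C. The controller's
sender addresses, port name and return shapes are assumptions.
"""
import struct
from typing import Dict, Optional, Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    dst = BROADCAST if op == ARP_REQUEST else tha
    eth = mac_bytes(dst) + mac_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Dict[str, object]]:
    """Return the ARP fields, or None if the frame is not well-formed ARP."""
    if len(frame) < 14 + 28 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa),
            "eth_src": mac_str(frame[6:12])}


class GatewayLearner:
    def __init__(self, gateway_ip: str, ctl_ip: str, ctl_mac: str, port: str = "eth1") -> None:
        self.gateway_ip, self.ctl_ip, self.ctl_mac, self.port = gateway_ip, ctl_ip, ctl_mac, port

    def packet_out(self) -> Tuple[str, bytes]:
        """(egress port, frame) the controller asks the forwarding device to send."""
        return self.port, build_arp(ARP_REQUEST, self.ctl_mac, self.ctl_ip,
                                    "00:00:00:00:00:00", self.gateway_ip)

    def on_packet_in(self, in_port: str, frame: bytes) -> Optional[Dict[str, object]]:
        """Accept only the gateway's reply; derive static ARP entry + eth1 filter match."""
        arp = parse_arp(frame)
        if (in_port != self.port or arp is None or arp["op"] != ARP_REPLY
                or arp["spa"] != self.gateway_ip or arp["tpa"] != self.ctl_ip
                or arp["sha"] != arp["eth_src"]):   # extra consistency check
            return None
        return {
            "static_arp": (self.gateway_ip, arp["sha"]),
            "filter_flow": {"in_port": self.port, "arp_spa": self.gateway_ip,
                            "arp_sha": arp["sha"], "hard_timeout": 0},
        }


def gateway_respond(frame: bytes, gw_mac: str, gw_ip: str) -> Optional[bytes]:
    """Constructed stand-in for the real gateway: answers requests for its own IP."""
    arp = parse_arp(frame)
    if arp is None or arp["op"] != ARP_REQUEST or arp["tpa"] != gw_ip:
        return None
    return build_arp(ARP_REPLY, gw_mac, gw_ip, arp["sha"], arp["spa"])


def learn(gw_mac: str = "02:00:00:00:00:fe") -> Optional[Dict[str, object]]:
    """Run the exchange end to end against the constructed gateway."""
    ctl = GatewayLearner("10.0.0.1", "10.0.0.254", "02:00:00:00:00:c0")
    port, req = ctl.packet_out()
    reply = gateway_respond(req, gw_mac, ctl.gateway_ip)
    return ctl.on_packet_in(port, reply) if reply else None


if __name__ == "__main__":
    print(learn())
```

Because the learner only acts on a reply that it solicited itself, that arrived on eth1 and that claims the gateway's IP, an unsolicited or gratuitous ARP from a virtual machine port cannot overwrite the gateway entry; with the learned entry marked static on the forwarding device, only a fresh controller-initiated request refreshes it.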
Step S403, when the forwarding device again receives an ARP packet through the second port, it judges whether the source IP address and source MAC address in the newly received ARP packet are both consistent with the IP address and MAC address in the second filtering flow table.
If the judgment result is yes, step S404 is executed.
Step S404, report the newly received ARP packet to the controller.
That is, if the source IP address and source MAC address in the newly received ARP packet are consistent with the IP address and MAC address in the second filtering flow table, the packet is considered a valid ARP packet sent by the gateway, and the forwarding device reports it to the controller.
Preferably, the forwarding device performs the report according to the second filtering flow table; the implementation is the same as for ARP packets on the virtual machine side and is not repeated here.
If the source IP address in the newly received ARP packet is inconsistent with the IP address in the second filtering flow table and its source MAC address is inconsistent with the MAC address in the second filtering flow table; or
the source IP address is consistent with the IP address in the second filtering flow table but the source MAC address is inconsistent with the MAC address; or
the source IP address is inconsistent with the IP address in the second filtering flow table but the source MAC address is consistent with the MAC address, then step S405 is executed.
Step S405, discard the newly received ARP packet.
That is, in every case other than a match on both addresses, the newly received ARP packet is regarded as an illegal ARP packet and the forwarding device discards it, so that it does not consume the controller's bandwidth resources.
Preferably, the forwarding device performs the discard according to the action in the second filtering flow table; the implementation is the same as the discard on the virtual machine side and is not repeated here.
Further, in the second embodiment, as in the first, the forwarding device also rate-limits, discards and un-limits the valid ARP packets of the second port. The specific process is as follows:
the forwarding device receives a meter flow table issued by the controller for rate-limiting the ARP packets received through the second port and reported to the controller, the meter flow table being issued after the controller determines that the rate at which it receives ARP packets reported from the second port is not less than the preset limit rate;
and the forwarding device rate-limits the ARP packets received through the second port and reported to the controller according to the rate-limit policy corresponding to the limit rate in the meter flow table.
Subsequently, the forwarding device receives a discard flow table issued by the controller for the second port, for discarding the ARP packets received through the second port and reported to the controller, the discard flow table being issued after the controller determines that the rate of ARP packets it receives from the second port has been not less than the limit rate over a number of specified periods;
and the forwarding device discards, according to the discard flow table, the ARP packets received through the second port that would need to be reported to the controller;
or, the forwarding device receives a deletion message for deleting the meter flow table, issued by the controller after it determines that the rate of ARP packets it receives from the second port is below the limit rate;
and the forwarding device deletes the meter flow table according to the deletion message.
Based on the same inventive concept of the foregoing embodiment, a third embodiment of the present invention further provides a forwarding device, as shown in fig. 5, including:
a reporting module 51, configured to report, to a controller in a Software Defined Network (SDN), registration information sent by a virtual machine in the SDN, which is received through a first port of the forwarding device in the SDN; when the judging module judges that the source IP address and the source MAC address carried in the ARP message are consistent with the IP address and the MAC address in the first filtering flow table, the ARP message is reported to the controller;
a receiving module 52, configured to receive a first filtering flow table issued by the controller for the first port, where the first filtering flow table includes an IP address and a MAC address of the virtual machine in the registration information.
The determining module 53 is configured to determine, when an ARP packet is received through the first port, whether a source IP address and a source MAC address carried in the ARP packet are both consistent with an IP address and an MAC address in the first filtering flow table.
The receiving module 52 is further configured to receive a meter flow table issued by the controller, the meter flow table being for the first port and used for limiting the speed of the ARP packet received through the first port and reported to the controller, where the meter flow table is issued by the controller after determining that the receiving rate of the ARP packet received by the controller from the first port and reported to the controller is not less than a preset limit rate.
The reporting module 51 is further configured to limit the speed of the ARP packet received through the first port and reported to the controller according to the speed limit policy corresponding to the limited speed in the meter flow table.
The receiving module 52 is further configured to receive a discard flow table issued by the controller, and the discard flow table is used for discarding the ARP packet received through the first port and reported to the controller, where the discard flow table is issued after the controller determines that the receiving rate of the ARP packet received by the controller from the first port and reported to the controller is not less than the limit rate in a plurality of specified periods.
The reporting module 51 is further configured to discard, according to the discard flow table, the ARP packet that is received through the first port and needs to be reported to the controller; or,
the receiving module 52 is further configured to receive a deletion message that is sent by the controller and deletes the meter flow table, where the deletion message is sent by the controller after determining that a receiving rate of an ARP packet that is received by the controller from the first port and reported to the controller is smaller than the limit rate; the reporting module 51 is further configured to delete the meter flow table according to the deletion message.
The reporting module 51 is further configured to report, to the controller, an ARP packet sent by a gateway of the forwarding device in the SDN network and received for the first time through a second port of the forwarding device; when the determining module 53 determines that the source IP address and the source MAC address in the ARP packet received again are both consistent with the IP address and the MAC address in the second filtering flow table, the ARP packet received again is reported to the controller; the ARP packet sent by the gateway is the gateway's response to the ARP packet that the controller sent through the forwarding device after determining that the forwarding device is configured with the gateway.
The receiving module 52 is further configured to receive a second filtering flow table, which is sent by the controller and is addressed to the second port, where the second filtering flow table includes the IP address and the MAC address of the gateway, which are carried in the ARP packet sent by the gateway.
The determining module 53 is further configured to determine, when the ARP packet is received again through the second port, whether the source IP address and the source MAC address in the ARP packet received again are both consistent with the IP address and the MAC address in the second filtering flow table.
The receiving module 52 is further configured to receive a meter flow table issued by the controller for the second port and used for limiting the speed of the ARP packet received through the second port and reported to the controller, where the meter flow table is issued by the controller after determining that the receiving rate of the ARP packet received by the controller from the second port and reported to the controller is not less than a preset limit rate.
The reporting module 51 is further configured to limit the speed of the ARP packet that is received through the second port and reported to the controller according to the speed limit policy corresponding to the limited rate in the meter flow table.
The receiving module 52 is further configured to receive a discard flow table, which is issued by the controller and is specific to the second port, and is used to discard the ARP packet that is received through the second port and reported to the controller, where the discard flow table is issued after the controller determines that a receiving rate of the ARP packet that is received by the controller from the second port and reported to the controller is not less than the limit rate in a plurality of specified periods;
the reporting module 51 is further configured to discard, according to the discard flow table, the ARP packet that is received through the second port and needs to be reported to the controller; or,
the receiving module 52 is further configured to receive a deletion message that is sent by the controller and deletes the meter flow table, where the deletion message is sent by the controller after determining that a receiving rate of an ARP packet that is received by the controller from the second port and reported to the controller is smaller than the limit rate;
the reporting module 51 is further configured to delete the meter flow table according to the deletion message.
Fig. 6 is a schematic flowchart of an ARP packet processing method according to a fourth embodiment, where the ARP packet processing method is applied to an SDN network including a virtual machine, a forwarding device, and a controller, and the method is described in detail below on the controller side.
The method specifically comprises the following steps:
step S601, the controller receives the registration information reported by the forwarding device after receiving the registration information sent by the virtual machine through the first port of the forwarding device.
Step S602, the controller issues a first filtering flow table, which is specific to the first port and includes the IP address and the MAC address of the virtual machine in the registration information, to the forwarding device, so that when the forwarding device receives an ARP packet through the first port, it is determined whether the source IP address and the source MAC address in the ARP packet are both consistent with the IP address and the MAC address in the first filtering flow table, and when the determination result is yes, the ARP packet is reported to the controller.
Preferably, the method further comprises:
when the controller determines that the receiving rate of the ARP message which is received by the controller from the first port and reported to the controller is not less than a preset limited rate, the controller issues a measurement meter flow table which is specific to the first port and used for limiting the speed of the ARP message which is received by the first port and reported to the controller, to the forwarding equipment, so that the forwarding equipment limits the speed of the ARP message which is received by the first port and reported to the controller according to a speed limit strategy corresponding to the limited rate in the meter flow table.
When the controller determines that the receiving rate of the ARP message which is received by the controller from the first port and reported to the controller is not less than the limited rate in a plurality of specified periods, the controller sends a discard flow table which is specific to the first port and used for discarding the ARP message which is received by the first port and reported to the controller to the forwarding equipment, so that the forwarding equipment discards the ARP message which is received by the first port and needs to be reported to the controller according to the discard flow table; or,
and when the controller determines that the receiving rate of the ARP message which is received by the controller from the first port and reported to the controller is less than the limited rate, the controller transmits a deleting message for deleting the meter flow table to the forwarding equipment, so that the forwarding equipment deletes the meter flow table according to the deleting message.
Fig. 7 is a schematic flowchart of an ARP packet processing method proposed in the fifth embodiment, which is applied to an SDN network including a forwarding device, a gateway of the forwarding device, and a controller, and the method will be described in detail in the controller side below.
The method specifically comprises the following steps:
step S701, the controller receives an ARP packet reported by the forwarding device after the forwarding device receives, through a second port of the forwarding device, an ARP packet sent by the gateway, where the ARP packet sent by the gateway is the gateway's response to the ARP packet that the controller sent through the forwarding device after determining that the forwarding device is configured with the gateway;
step S702, the controller issues a second filtering flow table, which is specific to the second port and includes the IP address and the MAC address of the gateway carried in the ARP packet sent by the gateway, to the forwarding device, so that when the forwarding device receives the ARP packet again through the second port, it determines whether the source IP address and the source MAC address in the ARP packet received again are both consistent with the IP address and the MAC address in the second filtering flow table, and if the determination result is yes, reports the ARP packet received again to the controller.
Preferably, the method further comprises:
when the controller determines that the receiving rate of the ARP message which is received by the controller from the second port and reported to the controller is not less than a preset limited rate, the controller issues a measurement meter flow table which is specific to the second port and used for limiting the speed of the ARP message which is received through the second port and reported to the controller to the forwarding equipment, so that the forwarding equipment limits the speed of the ARP message which is received through the second port and reported to the controller according to a speed limit strategy corresponding to the limited rate in the meter flow table.
When the controller determines that the receiving rate of the ARP message which is received by the controller from the second port and reported to the controller is not less than the limited rate in a plurality of specified periods, the controller sends a discard flow table which is specific to the second port and used for discarding the ARP message which is received by the second port and reported to the controller to the forwarding equipment, so that the forwarding equipment discards the ARP message which is received by the second port and needs to be reported to the controller according to the discard flow table; or,
and when the controller determines that the receiving rate of the ARP message which is received by the controller from the second port and reported to the controller is less than the limited rate, the controller transmits a deleting message for deleting the meter flow table to the forwarding equipment, so that the forwarding equipment deletes the meter flow table according to the deleting message.
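A constructed simulation of the procedure in the fourth and fifth embodiments (added here; not the patent's or the applicant's code): the controller installs a filtering flow table from a VM registration or a gateway ARP reply, the forwarding device checks the source IP/MAC pair of every ARP packet, and the controller reacts to the per-period reported rate with a meter flow table, a discard flow table after several consecutive over-limit periods, or deletion of the meter. The limit rate of 10 packets/s, 1 s periods, three periods before discard, the token-bucket form of the speed-limit policy, and treating an installed discard flow table as final are all assumptions, as are the addresses.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Binding = Tuple[str, str]  # (IP address, MAC address) bound to a port


@dataclass
class PortState:
    filter_entry: Optional[Binding] = None  # first/second filtering flow table
    meter_rate: Optional[int] = None        # meter flow table, packets per second
    tokens: int = 0                         # token bucket, 1/1000 packet units
    last_ms: int = 0                        # last bucket refill time
    discard: bool = False                   # discard flow table installed


class ForwardingDevice:
    def __init__(self) -> None:
        self.ports: Dict[int, PortState] = {}

    def port(self, p: int) -> PortState:
        return self.ports.setdefault(p, PortState())

    # Flow tables and messages issued by the controller.
    def install_filter(self, p: int, ip: str, mac: str) -> None:
        self.port(p).filter_entry = (ip, mac)

    def install_meter(self, p: int, rate: int, now_ms: int) -> None:
        st = self.port(p)
        st.meter_rate, st.tokens, st.last_ms = rate, rate * 1000, now_ms  # 1 s burst

    def delete_meter(self, p: int) -> None:
        self.port(p).meter_rate = None

    def install_discard(self, p: int) -> None:
        self.port(p).discard = True

    def handle_arp(self, p: int, src_ip: str, src_mac: str, now_ms: int) -> str:
        """Decide what happens to an ARP packet received on port p."""
        st = self.port(p)
        if st.filter_entry != (src_ip, src_mac):   # both IP and MAC must match
            return "filtered"
        if st.discard:
            return "discarded"
        if st.meter_rate is not None:               # assumed token-bucket policy
            st.tokens = min(st.meter_rate * 1000,
                            st.tokens + (now_ms - st.last_ms) * st.meter_rate)
            st.last_ms = now_ms
            if st.tokens < 1000:
                return "rate_limited"
            st.tokens -= 1000
        return "reported"


class Controller:
    def __init__(self, limit_rate: int, period_s: int, discard_after: int) -> None:
        self.limit_rate, self.period_s = limit_rate, period_s
        self.discard_after = discard_after  # consecutive over-limit periods
        self.over: Dict[int, int] = {}
        self.metered, self.discarding = set(), set()
        self.actions: List[tuple] = []      # flow tables / messages issued

    def on_registration(self, dev, p, ip, mac) -> None:
        """S601/S602 (VM registration) or S701/S702 (gateway ARP reply)."""
        dev.install_filter(p, ip, mac)
        self.actions.append(("filter", p, ip, mac))

    def on_period_end(self, dev, p, reported, now_ms) -> None:
        """Evaluate the rate of ARP packets reported from port p in one period."""
        if p in self.discarding:   # assumption: the page does not lift a discard
            return
        if reported / self.period_s >= self.limit_rate:   # "not less than"
            self.over[p] = self.over.get(p, 0) + 1
            if p not in self.metered:
                dev.install_meter(p, self.limit_rate, now_ms)
                self.metered.add(p)
                self.actions.append(("meter", p, self.limit_rate))
            if self.over[p] >= self.discard_after:
                dev.install_discard(p)
                self.discarding.add(p)
                self.actions.append(("discard", p))
        else:
            self.over[p] = 0
            if p in self.metered:
                dev.delete_meter(p)
                self.metered.discard(p)
                self.actions.append(("delete_meter", p))


def simulate() -> dict:
    """Constructed scenario: a VM on port 1, the gateway on port 2, 1 s periods."""
    dev, ctl = ForwardingDevice(), Controller(limit_rate=10, period_s=1, discard_after=3)
    vm, gw = ("10.0.0.5", "52:54:00:aa:bb:01"), ("10.0.0.1", "52:54:00:aa:bb:fe")
    ctl.on_registration(dev, 1, *vm)
    ctl.on_registration(dev, 2, *gw)
    out = {"port1": [], "port2": []}
    out["spoof"] = dev.handle_arp(1, gw[0], vm[1], 5)   # VM claiming the gateway IP
    # Port 1: one quiet period, three flood periods (50 packets, 20 ms apart), one more.
    for k, n in enumerate([2, 50, 50, 50, 50]):
        t0 = k * 1000
        results = [dev.handle_arp(1, *vm, t0 + i * 20) for i in range(n)]
        out["port1"].append(results.count("reported"))
        if k == 4:
            out["after_discard"] = set(results)
        ctl.on_period_end(dev, 1, results.count("reported"), t0 + 1000)
    # Port 2: one flood period, then a quiet one, so the meter is deleted again.
    for k, n in enumerate([30, 2]):
        t0 = k * 1000
        results = [dev.handle_arp(2, *gw, t0 + i * 20) for i in range(n)]
        out["port2"].append(results.count("reported"))
        ctl.on_period_end(dev, 2, results.count("reported"), t0 + 1000)
    out["actions"] = ctl.actions
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

Port 1 shows the meter reducing the reported count from 50 to 19 and then to exactly the limit, which still counts as "not less than" and triggers the discard flow table in the third period.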
Based on the fifth and sixth embodiments, the present invention also provides a controller, as shown in fig. 8, including:
a receiving module 81, configured to receive registration information reported by a forwarding device in the SDN network after receiving the registration information sent by a virtual machine in the SDN network through a first port of the forwarding device;
an issuing module 82, configured to issue a first filtering flow table, which is specific to the first port and includes the IP address and the MAC address of the virtual machine in the registration information, to the forwarding device, so that when the forwarding device receives an ARP packet through the first port, it determines whether a source IP address and a source MAC address in the ARP packet are both consistent with the IP address and the MAC address in the first filtering flow table, and when a determination result is yes, it reports the ARP packet to the controller.
The issuing module 82 is further configured to issue, to the forwarding device, a measurement meter flow table which is specific to the first port and used for limiting the speed of the ARP packet received through the first port and reported to the controller, when it is determined that the receiving rate of the ARP packet received by the controller from the first port and reported to the controller is not less than a preset limited rate, so that the forwarding device limits the speed of the ARP packet received through the first port and reported to the controller according to a speed-limiting policy corresponding to the limited rate in the meter flow table.
The issuing module 82 is further configured to, when it is determined that the receiving rate of the ARP packet received by the controller from the first port and reported to the controller is not less than the limit rate in a plurality of specified periods, issue, to the forwarding device, a discard flow table that is specific to the first port and used for discarding the ARP packet received by the first port and reported to the controller, so that the forwarding device discards the ARP packet received by the first port and required to be reported to the controller according to the discard flow table; or,
and when the receiving rate of the ARP message which is received by the controller from the first port and reported to the controller is determined to be smaller than the limited rate, sending a deleting message for deleting the meter flow table to the forwarding equipment, so that the forwarding equipment deletes the meter flow table according to the deleting message.
The receiving module 81 is further configured to receive an ARP packet that is reported by the forwarding device after it receives, through the second port of the forwarding device, an ARP packet sent by a gateway of the forwarding device in the SDN network, where the ARP packet sent by the gateway is the gateway's response to the ARP packet that the controller sent through the forwarding device after determining that the forwarding device is configured with the gateway;
the issuing module 82 is further configured to issue a second filtering flow table, which is specific to the second port and includes the IP address and the MAC address of the gateway carried in the ARP packet sent by the gateway, to the forwarding device, so that when the forwarding device receives the ARP packet again through the second port, it is determined whether the source IP address and the source MAC address in the ARP packet received again are both consistent with the IP address and the MAC address in the second filtering flow table, and when the determination result is yes, the ARP packet received again is reported to the controller.
The issuing module 82 is further configured to issue, to the forwarding device, a measurement meter flow table which is specific to the second port and used for limiting the speed of the ARP packet received through the second port and reported to the controller, when it is determined that the receiving rate of the ARP packet received by the controller from the second port and reported to the controller is not less than a preset limited rate, so that the forwarding device limits the speed of the ARP packet received through the second port and reported to the controller according to a speed-limiting policy corresponding to the limited rate in the meter flow table.
The issuing module 82 is further configured to, when it is determined that the receiving rate of the ARP packet received by the controller from the second port and reported to the controller is not less than the limit rate in a plurality of specified periods, issue, to the forwarding device, a discard flow table that is specific to the second port and used for discarding the ARP packet received by the second port and reported to the controller, so that the forwarding device discards the ARP packet received by the second port and required to be reported to the controller according to the discard flow table; or,
and when the receiving rate of the ARP message which is received by the controller from the second port and reported to the controller is determined to be smaller than the limited rate, sending a deleting message for deleting the meter flow table to the forwarding equipment, so that the forwarding equipment deletes the meter flow table according to the deleting message.
In conclusion, the invention filters ARP messages so that illegal ARP messages (attack or spoofed ARP messages) are dropped, which not only improves network security but also avoids a large number of illegal ARP messages occupying bandwidth and driving up the CPU usage of the controller, thereby improving the controller's response efficiency to ARP messages and reducing hardware resource consumption.
Through the above description of the embodiments, those skilled in the art will clearly understand that the present invention may be implemented by hardware, or by software plus a necessary general hardware platform. Based on such understanding, the technical solution of the present invention can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, a USB disk, a removable hard disk, etc.), and includes several instructions for enabling a computer device (which can be a personal computer, a server, or a network device, etc.) to execute the method according to the implementation scenarios of the present invention.
Those skilled in the art will appreciate that the figures are merely schematic representations of one preferred implementation scenario and that the blocks or flow diagrams in the figures are not necessarily required to practice the present invention.
Those skilled in the art will appreciate that the modules in the devices in the implementation scenario may be distributed in the devices in the implementation scenario according to the description of the implementation scenario, or may be located in one or more devices different from the present implementation scenario with corresponding changes. The modules of the implementation scenario may be combined into one module, or may be further split into a plurality of sub-modules.
The above embodiment numbers are merely for description and do not represent the merits of the implementation scenarios.
The above disclosure is only a few specific implementation scenarios of the present invention, however, the present invention is not limited thereto, and any variations that can be made by those skilled in the art are intended to fall within the scope of the present invention.

Claims (24)

1. A method for processing an Address Resolution Protocol (ARP) message is characterized by comprising the following steps:
a forwarding device in a Software Defined Network (SDN) reports registration information, received through a first port of the forwarding device, sent by a virtual machine in the SDN to a controller in the SDN;
the forwarding device receives a first filtering flow table which is issued by the controller and aims at the first port, wherein the first filtering flow table comprises the IP address and the MAC address of the virtual machine in the registration information;
when the forwarding device receives an ARP message through the first port, judging whether a source IP address and a source MAC address carried in the ARP message are consistent with an IP address and an MAC address in the first filtering flow table or not;
and when the judgment result is yes, reporting the ARP message to the controller.
2. The method of claim 1, wherein the method further comprises:
the forwarding equipment receives a measurement meter flow table which is issued by the controller and aims at the first port and is used for limiting the speed of the ARP message which is received through the first port and needs to be reported to the controller, wherein the meter flow table is issued by the controller after the controller determines that the receiving rate of the ARP message which is received by the controller from the first port and is reported to the controller is not less than a preset limited rate;
and the forwarding equipment limits the speed of the ARP message which is received through the first port and needs to be reported to the controller according to the speed limit strategy corresponding to the limited speed in the meter flow table.
3. The method of claim 2, wherein the method further comprises:
the forwarding device receives a discarded flow table which is issued by the controller and is aimed at the first port and used for discarding the ARP message which is received through the first port and needs to be reported to the controller, wherein the discarded flow table is issued after the controller determines that the receiving rate of the ARP message which is received by the controller from the first port and is reported to the controller is not less than the limited rate in a plurality of specified periods;
the forwarding equipment discards the ARP message which is received through the first port and needs to be reported to the controller according to the discarding flow table; or,
the forwarding equipment receives a deletion message which is sent by the controller and used for deleting the meter flow table, wherein the deletion message is sent by the controller after the controller determines that the receiving rate of the ARP message which is received by the controller from the first port and reported to the controller is smaller than the limited rate;
and the forwarding equipment deletes the meter flow table according to the deletion message.
4. The method of claim 1, further comprising:
the forwarding device reports an ARP message sent by a gateway of the forwarding device in the SDN and received for the first time through a second port of the forwarding device to the controller; the ARP message sent by the gateway is responded after the gateway receives the ARP message sent by the controller when the forwarding device is determined to be configured with the gateway through the forwarding device;
the forwarding device receives a second filtering flow table which is issued by the controller and aims at the second port, wherein the second filtering flow table contains the IP address and the MAC address of the gateway carried in the ARP message sent by the gateway;
when the forwarding device receives the ARP message again through the second port, judging whether a source IP address and a source MAC address in the ARP message received again are consistent with the IP address and the MAC address in the second filtering flow table;
and if so, reporting the re-received ARP message to the controller.
5. The method of claim 4, wherein the method further comprises:
the forwarding device receives a measurement meter flow table which is issued by the controller and aims at the second port and is used for limiting the speed of the ARP message which is received through the second port and needs to be reported to the controller, wherein the meter flow table is issued by the controller after the controller determines that the receiving rate of the ARP message which is received by the controller from the second port and is reported to the controller is not less than a preset limited rate; and the forwarding equipment limits the speed of the ARP message which is received through the second port and needs to be reported to the controller according to the speed limit strategy corresponding to the limited speed in the meter flow table.
6. The method of claim 5, wherein the method further comprises:
the forwarding device receives a discard flow table which is issued by the controller and is aimed at the second port and used for discarding the ARP message which is received through the second port and needs to be reported to the controller, wherein the discard flow table is issued after the controller determines that the receiving rate of the ARP message which is received by the controller from the second port and is reported to the controller is not less than the limit rate in a plurality of specified periods; the forwarding equipment discards the ARP message which is received through the second port and needs to be reported to the controller according to the discarding flow table; or,
the forwarding device receives a deletion message which is sent by the controller and used for deleting the meter flow table, wherein the deletion message is sent by the controller after the controller determines that the receiving rate of the ARP message which is received by the controller from the second port and reported to the controller is smaller than the limited rate; and the forwarding equipment deletes the meter flow table according to the deletion message.
7. A forwarding device, characterized in that the forwarding device comprises:
a reporting module, configured to report, to a controller in an SDN, registration information sent by a virtual machine in the SDN and received through a first port of the forwarding device in the SDN; when the judging module judges that the source IP address and the source MAC address carried in the ARP message are consistent with the IP address and the MAC address in the first filtering flow table, the ARP message is reported to the controller;
a receiving module, configured to receive a first filtering flow table issued by the controller for the first port, where the first filtering flow table includes an IP address and a MAC address of the virtual machine in the registration information;
and the judging module is used for judging whether a source IP address and a source MAC address carried in the ARP message are consistent with the IP address and the MAC address in the first filtering flow table or not when the ARP message is received through the first port.
8. The forwarding device of claim 7,
the receiving module is further configured to receive a meter flow table which is issued by the controller and is used for limiting the speed of the ARP packet which is received through the first port and needs to be reported to the controller, where the meter flow table is issued by the controller after determining that the receiving rate of the ARP packet which is received by the controller from the first port and is reported to the controller is not less than a preset limit rate;
and the reporting module is further configured to limit the speed of the ARP packet that is received through the first port and needs to be reported to the controller according to the speed limit policy corresponding to the limited speed in the meter flow table.
9. The forwarding device of claim 8,
the receiving module is further configured to receive a discard flow table, which is issued by the controller and is specific to the first port, and is used for discarding the ARP packet that is received through the first port and needs to be reported to the controller, where the discard flow table is issued after the controller determines that a receiving rate of the ARP packet that is received by the controller from the first port and is reported to the controller is not less than the limit rate in a plurality of specified periods;
the reporting module is further configured to discard, according to the discard flow table, an ARP packet that is received through the first port and needs to be reported to the controller; or,
the receiving module is further configured to receive a deletion message sent by the controller to delete the meter flow table, where the deletion message is sent by the controller after determining that a receiving rate of an ARP packet received by the controller from the first port and reported to the controller is smaller than the limit rate;
and the reporting module is further configured to delete the meter flow table according to the deletion message.
10. The forwarding device of claim 7,
the reporting module is further configured to report, to the controller, an ARP packet sent by a gateway of the forwarding device in the SDN, where the ARP packet is received for the first time through a second port of the forwarding device; when the judging module judges that the source IP address and the source MAC address in the ARP message received again are consistent with the IP address and the MAC address in the second filtering flow table, the judging module reports the ARP message received again to the controller; the ARP message sent by the gateway is responded after the gateway receives the ARP message sent by the controller when the forwarding device is determined to be configured with the gateway through the forwarding device;
the receiving module is further configured to receive a second filtering flow table, which is issued by the controller and is addressed to the second port, where the second filtering flow table includes an IP address and an MAC address of the gateway, which are carried in an ARP packet sent by the gateway;
the judging module is further configured to judge whether a source IP address and a source MAC address in the re-received ARP packet are both consistent with an IP address and an MAC address in the second filtering flow table when the ARP packet is re-received through the second port.
11. The forwarding device of claim 10,
the receiving module is further configured to receive a measurement meter flow table issued by the controller for the second port and used for limiting the speed of the ARP packet received through the second port and to be reported to the controller, where the meter flow table is issued by the controller after determining that the receiving rate of the ARP packet received by the controller from the second port and reported to the controller is not less than a preset limit rate;
and the reporting module is further configured to limit the speed of the ARP packet received through the second port and to be reported to the controller according to the speed limit policy corresponding to the limited speed in the meter flow table.
12. The forwarding device of claim 11,
the receiving module is further configured to receive a discard flow table, which is issued by the controller and is specific to the second port, and is used to discard the ARP packet that is received through the second port and needs to be reported to the controller, where the discard flow table is issued after the controller determines that a receiving rate of the ARP packet that is received by the controller from the second port and is reported to the controller is not less than the limit rate in a plurality of specified periods;
the reporting module is further configured to discard, according to the discard flow table, the ARP packet that is received through the second port and that needs to be reported to the controller; or,
the receiving module is further configured to receive a deletion message sent by the controller to delete the meter flow table, where the deletion message is sent by the controller after determining that a receiving rate of an ARP packet received by the controller from the second port and reported to the controller is smaller than the limit rate;
and the reporting module is further configured to delete the meter flow table according to the deletion message.
13. A method for processing an Address Resolution Protocol (ARP) message is characterized by comprising the following steps:
a controller in a Software Defined Network (SDN) receives registration information reported by a forwarding device in the SDN after receiving the registration information sent by a virtual machine in the SDN through a first port of the forwarding device;
the controller issues a first filtering flow table which is specific to the first port and contains the IP address and the MAC address of the virtual machine in the registration information to the forwarding equipment, so that when the forwarding equipment receives an ARP message through the first port, whether a source IP address and a source MAC address in the ARP message are consistent with the IP address and the MAC address in the first filtering flow table or not is judged, and when the judgment result is yes, the ARP message is reported to the controller.
14. The method of claim 13, wherein the method further comprises:
when the controller determines that the receiving rate of the ARP message received by the controller from the first port and reported to the controller is not less than a preset limit rate, the controller issues to the forwarding device a meter flow table that is specific to the first port and is used for rate-limiting the ARP message received through the first port and to be reported to the controller, so that the forwarding device rate-limits the ARP message received through the first port and to be reported to the controller according to the rate-limiting policy corresponding to the limit rate in the meter flow table.
15. The method of claim 14, wherein the method further comprises:
when the controller determines that the receiving rate of the ARP message received by the controller from the first port and reported to the controller is not less than the limit rate in a plurality of specified periods, the controller issues to the forwarding device a discard flow table that is specific to the first port and is used for discarding the ARP message received through the first port and to be reported to the controller, so that the forwarding device discards, according to the discard flow table, the ARP message received through the first port and to be reported to the controller; or,
when the controller determines that the receiving rate of the ARP message received by the controller from the first port and reported to the controller is less than the limit rate, the controller sends to the forwarding device a deletion message for deleting the meter flow table, so that the forwarding device deletes the meter flow table according to the deletion message.
16. The method of claim 13, wherein the method further comprises:
the controller receives an ARP message reported by the forwarding device after the forwarding device receives, through a second port of the forwarding device, an ARP message sent by a gateway of the forwarding device in the SDN, where the ARP message sent by the gateway is the gateway's response to an ARP message that the controller, having determined that the forwarding device is configured with the gateway, sent to the gateway through the forwarding device;
and the controller issues to the forwarding device a second filtering flow table that is specific to the second port and contains the IP address and the MAC address of the gateway carried in the ARP message sent by the gateway, so that when the forwarding device again receives an ARP message through the second port, the forwarding device determines whether the source IP address and the source MAC address in the newly received ARP message are both consistent with the IP address and the MAC address in the second filtering flow table, and reports the newly received ARP message to the controller when they are.
17. The method of claim 16, wherein the method further comprises:
when the controller determines that the receiving rate of the ARP message received by the controller from the second port and reported to the controller is not less than a preset limit rate, the controller issues to the forwarding device a meter flow table that is specific to the second port and is used for rate-limiting the ARP message received through the second port and to be reported to the controller, so that the forwarding device rate-limits the ARP message received through the second port and to be reported to the controller according to the rate-limiting policy corresponding to the limit rate in the meter flow table.
18. The method of claim 17, wherein the method further comprises:
when the controller determines that the receiving rate of the ARP message received by the controller from the second port and reported to the controller is not less than the limit rate in a plurality of specified periods, the controller issues to the forwarding device a discard flow table that is specific to the second port and is used for discarding the ARP message received through the second port and to be reported to the controller, so that the forwarding device discards, according to the discard flow table, the ARP message received through the second port and to be reported to the controller; or,
when the controller determines that the receiving rate of the ARP message received by the controller from the second port and reported to the controller is less than the limit rate, the controller sends to the forwarding device a deletion message for deleting the meter flow table, so that the forwarding device deletes the meter flow table according to the deletion message.
19. A controller, comprising:
a receiving module, configured to receive registration information reported by a forwarding device in an SDN after the forwarding device receives the registration information from a virtual machine in the SDN through a first port of the forwarding device;
and an issuing module, configured to issue to the forwarding device a first filtering flow table that is specific to the first port and contains the IP address and the MAC address of the virtual machine carried in the registration information, so that when the forwarding device receives an ARP message through the first port, the forwarding device determines whether the source IP address and the source MAC address in the ARP message are both consistent with the IP address and the MAC address in the first filtering flow table, and reports the ARP message to the controller when they are.
20. The controller of claim 19, wherein
the issuing module is further configured to issue to the forwarding device, when it is determined that the receiving rate of the ARP packet received by the controller from the first port and reported to the controller is not less than a preset limit rate, a meter flow table that is specific to the first port and is used for rate-limiting the ARP packet received through the first port and to be reported to the controller, so that the forwarding device rate-limits the ARP packet received through the first port and to be reported to the controller according to the rate-limiting policy corresponding to the limit rate in the meter flow table.
21. The controller of claim 20, wherein
the issuing module is further configured to issue to the forwarding device, when it is determined that the receiving rate of the ARP packet received by the controller from the first port and reported to the controller is not less than the limit rate in a plurality of specified periods, a discard flow table that is specific to the first port and is used for discarding the ARP packet received through the first port and to be reported to the controller, so that the forwarding device discards, according to the discard flow table, the ARP packet received through the first port and to be reported to the controller; or,
the issuing module is further configured to send to the forwarding device, when it is determined that the receiving rate of the ARP packet received by the controller from the first port and reported to the controller is less than the limit rate, a deletion message for deleting the meter flow table, so that the forwarding device deletes the meter flow table according to the deletion message.
22. The controller of claim 19, wherein
the receiving module is further configured to receive an ARP packet reported by the forwarding device after the forwarding device receives, through a second port of the forwarding device, an ARP packet sent by a gateway of the forwarding device in the SDN, where the ARP packet sent by the gateway is the gateway's response to an ARP packet that the controller, having determined that the forwarding device is configured with the gateway, sent to the gateway through the forwarding device;
and the issuing module is further configured to issue to the forwarding device a second filtering flow table that is specific to the second port and contains the IP address and the MAC address of the gateway carried in the ARP packet sent by the gateway, so that when the forwarding device again receives an ARP packet through the second port, the forwarding device determines whether the source IP address and the source MAC address in the newly received ARP packet are both consistent with the IP address and the MAC address in the second filtering flow table, and reports the newly received ARP packet to the controller when they are.
23. The controller of claim 22, wherein
the issuing module is further configured to issue to the forwarding device, when it is determined that the receiving rate of the ARP packet received by the controller from the second port and reported to the controller is not less than a preset limit rate, a meter flow table that is specific to the second port and is used for rate-limiting the ARP packet received through the second port and to be reported to the controller, so that the forwarding device rate-limits the ARP packet received through the second port and to be reported to the controller according to the rate-limiting policy corresponding to the limit rate in the meter flow table.
24. The controller of claim 23, wherein
the issuing module is further configured to issue to the forwarding device, when it is determined that the receiving rate of the ARP packet received by the controller from the second port and reported to the controller is not less than the limit rate in a plurality of specified periods, a discard flow table that is specific to the second port and is used for discarding the ARP packet received through the second port and to be reported to the controller, so that the forwarding device discards, according to the discard flow table, the ARP packet received through the second port and to be reported to the controller; or,
the issuing module is further configured to send to the forwarding device, when it is determined that the receiving rate of the ARP packet received by the controller from the second port and reported to the controller is less than the limit rate, a deletion message for deleting the meter flow table, so that the forwarding device deletes the meter flow table according to the deletion message.
CN201510191414.1A 2015-04-21 2015-04-21 A kind of processing method and equipment of ARP message Active CN104853001B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510191414.1A CN104853001B (en) 2015-04-21 2015-04-21 A kind of processing method and equipment of ARP message

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510191414.1A CN104853001B (en) 2015-04-21 2015-04-21 A kind of processing method and equipment of ARP message

Publications (2)

Publication Number Publication Date
CN104853001A CN104853001A (en) 2015-08-19
CN104853001B true CN104853001B (en) 2019-06-07

Family

ID=53852349

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510191414.1A Active CN104853001B (en) 2015-04-21 2015-04-21 A kind of processing method and equipment of ARP message

Country Status (1)

Country Link
CN (1) CN104853001B (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105227466B (en) 2015-08-20 2019-01-11 北京百度网讯科技有限公司 Communication processing method and device
CN105357180B (en) * 2015-09-30 2019-06-07 华为技术有限公司 Network system, the hold-up interception method of attack message, device and equipment
EP3261290B1 (en) 2015-12-31 2020-11-25 Huawei Technologies Co., Ltd. Software defined data center and method for deploying service cluster therein
JP6835444B2 (en) 2015-12-31 2021-02-24 ホアウェイ・テクノロジーズ・カンパニー・リミテッド Software-defined data center and service cluster scheduling method and traffic monitoring method for that purpose
CN106789864B (en) * 2016-04-29 2020-08-21 新华三技术有限公司 Message anti-attack method and device
CN106060085B (en) * 2016-07-15 2019-09-17 新华三技术有限公司 Prevent ARP message aggression method and device
CN107690004B (en) * 2016-08-04 2021-10-08 中兴通讯股份有限公司 Method and device for processing address resolution protocol message
CN106911724B (en) * 2017-04-27 2020-03-06 杭州迪普科技股份有限公司 Message processing method and device
CN107295020A (en) * 2017-08-16 2017-10-24 北京新网数码信息技术有限公司 A kind of processing method and processing device of attack of address resolution protocol
CN107689963A (en) * 2017-09-26 2018-02-13 杭州迪普科技股份有限公司 A kind of detection method and device for arp reply message aggression
CN114221928A (en) * 2021-11-05 2022-03-22 济南浪潮数据技术有限公司 Method, system, device and storage medium for defending IP conflict of management network
CN119046208B (en) * 2024-10-30 2025-02-18 湖南戎腾网络科技有限公司 A method, device, equipment and storage medium for reporting flow table statistics information

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1466341A (en) * 2002-06-22 2004-01-07 Huawei Technologies Co., Ltd. A Method of Preventing IP Address Spoofing in Dynamic Address Assignment
CN101340293A (en) * 2008-08-12 2009-01-07 杭州华三通信技术有限公司 Packet safety detection method and device
CN102014109A (en) * 2009-09-08 2011-04-13 华为技术有限公司 Flood attack prevention method and device

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1466341A (en) * 2002-06-22 2004-01-07 Huawei Technologies Co., Ltd. A Method of Preventing IP Address Spoofing in Dynamic Address Assignment
CN101340293A (en) * 2008-08-12 2009-01-07 杭州华三通信技术有限公司 Packet safety detection method and device
CN102014109A (en) * 2009-09-08 2011-04-13 华为技术有限公司 Flood attack prevention method and device

Also Published As

Publication number Publication date
CN104853001A (en) 2015-08-19

Similar Documents

Publication Publication Date Title
CN104853001B (en) A kind of processing method and equipment of ARP message
EP3863317B1 (en) Method and device for determining category information
EP3355514B1 (en) Method and device for transmitting network attack defense policy and method and device for defending against network attack
CN102111394B (en) Network attack protection method, equipment and system
CN109450841B (en) Large-scale DDoS attack resisting defense method based on cloud + end equipment on-demand linkage mode
CN101834870A (en) Method and device for preventing deceptive attack of MAC (Medium Access Control) address
WO2008131667A1 (en) Method, device for identifying service flows and method, system for protecting against a denial of service attack
CN104883360B (en) A kind of the fine granularity detection method and system of ARP deceptions
US11895533B2 (en) Method for controlling connection between terminal and network, and related apparatus
TWI506472B (en) Network device and method for avoiding arp attacks
CN107690004B (en) Method and device for processing address resolution protocol message
CN108810008B (en) Transmission control protocol flow filtering method, device, server and storage medium
CN103179223B (en) The method, apparatus and system of distributing IP address in a kind of WLAN (wireless local area network)
CN107682267B (en) Network data forwarding method and system of Linux equipment
KR101064382B1 (en) System and method for preventing ARP attack in communication network
CN106878326A (en) IPv6 Neighbor Cache Protection Method and Device Based on Reverse Detection
CN106487790A (en) Cleaning method and system that a kind of ACK FLOOD is attacked
CN102347903B (en) Data message forwarding method as well as device and system
US7818795B1 (en) Per-port protection against denial-of-service and distributed denial-of-service attacks
WO2019096104A1 (en) Attack prevention
CN101494536B (en) Method, apparatus and system for preventing ARP aggression
CN101771575B (en) Method, device and system for processing IP partitioned message
CN107786499A (en) Early warning method and device for ARP gateway spoofing attack
CN106470421A (en) A kind of method and apparatus preventing malicious peer from illegally occupying resources of core network
CN107786496B (en) Early warning method and device for ARP (Address resolution protocol) table entry spoofing attack of local area network

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
CB02 Change of applicant information

Address after: No. 466 Changhe Road, Binjiang District, Zhejiang 310052, China

Applicant after: New H3C Technologies Co., Ltd.

Address before: No. 466 Changhe Road, Binjiang District, Zhejiang 310052, China

Applicant before: Hangzhou H3C Technologies Co., Ltd.

GR01 Patent grant
GR01 Patent grant