CN-115883114-B - Route leakage determination method, device, equipment and storage medium
Abstract
The application provides a route leakage determination method, a device, equipment and a storage medium. In the method, when a first AS node receives a BGP update message issued by a second AS node, the AS path in the BGP update message is acquired, so that the AS path can be checked against the routing information issued to a blockchain by the AS nodes in that path, and whether the AS path has route leakage is determined in a timely manner. In this process, the routing information of the AS nodes is disclosed through the blockchain, which is tamper-resistant and trustworthy, so the accuracy of the routing information is ensured and the accuracy of the route leakage determination is improved. Moreover, the routing information does not disclose the business relationships among the ASes, so the privacy of each AS's economic decisions is protected and the method is easy to adopt; when most ASes in the network determine route leakage based on this method, the accuracy of route leakage determination can be greatly improved.
Inventors
- YANG YAN
- CHEN ZHE
- WANG CHUANG
Assignees
- 华为技术有限公司
Dates
- Publication Date
- 20260508
- Application Date
- 20210927
Claims (17)
- 1. A method of route leakage determination performed by a first autonomous system (AS) node, the method comprising: receiving a Border Gateway Protocol (BGP) update message issued by a second AS node; acquiring, based on the BGP update message, an AS path, wherein the AS path indicates a plurality of AS nodes passed from the second AS node to the first AS node; obtaining routing information issued to a blockchain by the plurality of AS nodes in the AS path, wherein the routing information comprises one or more forwarding triplets corresponding to the AS nodes, each forwarding triplet comprising the corresponding AS node and its two adjacent AS nodes, the forwarding triplet being expressed as (a, b, c), where a is the identifier of the AS node to which the BGP update message is to be sent, b is the identifier of the corresponding AS node and c is the identifier of the AS node sending the BGP update message, the AS node to which the BGP update message is to be sent and the AS node sending the BGP update message both being the adjacent AS nodes; for each AS node in the plurality of AS nodes, generating a route detection identifier of that AS node based on whether the adjacent nodes included in each forwarding triplet in the routing information of that AS node are the same as the adjacent nodes of that AS node in the AS path, wherein the route detection identifier indicates whether the corresponding AS node conforms to a route forwarding condition; and obtaining route detection information based on the route detection identifiers of the AS nodes, wherein the route detection information indicates whether the AS path is a path with route leakage.
- 2. The method of claim 1, wherein the routing information further includes at least one target routing prefix of the corresponding AS node, and wherein obtaining the routing information published to a blockchain by the plurality of AS nodes in the AS path comprises: obtaining, based on the BGP update message, at least one first routing prefix, wherein the first routing prefix is an Internet Protocol (IP) prefix announced by the second AS node; and acquiring, based on the at least one first routing prefix, the routing information issued by the AS nodes on the blockchain, wherein the at least one first routing prefix matches the at least one target routing prefix.
- 3. The method of claim 1, wherein generating, for each AS node in the plurality of AS nodes, the route detection identifier of that AS node based on whether the adjacent nodes included in each forwarding triplet in the routing information of that AS node are the same as the adjacent nodes of that AS node in the AS path comprises: for any AS node in the plurality of AS nodes, if the adjacent nodes indicated by the routing information of that AS node are the same as the adjacent nodes of that AS node in the AS path, generating a first route detection identifier of that AS node, wherein the first route detection identifier indicates that the AS node conforms to the route forwarding condition; if the adjacent nodes indicated by the routing information of that AS node differ from the adjacent nodes of that AS node in the AS path, generating a second route detection identifier of that AS node, wherein the second route detection identifier indicates that the AS node does not conform to the route forwarding condition; and if the routing information of that AS node is not acquired, generating a third route detection identifier of that AS node, wherein the third route detection identifier indicates that the routing information of the AS node was not acquired.
- 4. The method of claim 3, wherein obtaining the route detection information based on the route detection identifier of each AS node includes: if neither a first target AS node nor a second target AS node exists in the plurality of AS nodes, generating first route detection information, wherein the route detection identifier of a first target AS node is the second route detection identifier, the route detection identifier of a second target AS node is the third route detection identifier, and the first route detection information indicates that the AS path is a safe path; if a first target AS node exists in the plurality of AS nodes, generating second route detection information, wherein the second route detection information indicates that the AS path is a path with route leakage; and if a second target AS node exists in the plurality of AS nodes and no first target AS node exists in the plurality of AS nodes, generating third route detection information, wherein the third route detection information indicates that the AS path is a path with unknown safety.
- 5. The method according to any one of claims 1 to 4, further comprising: if the route detection information indicates that the AS path is a path with route leakage, discarding the BGP update message.
- 6. The method according to any one of claims 1 to 4, further comprising: if the route detection information indicates that the AS path is a path with unknown security, determining the AS path as an alternative path, and adding the alternative path to a routing table of the first AS node.
- 7. The method according to any one of claims 1 to 4, further comprising: issuing the routing information of the first AS node to the blockchain, wherein the routing information of the first AS node comprises an identifier of the first AS node, at least one second routing prefix of the first AS node and the adjacent nodes of the first AS node, the second routing prefix being an IP prefix announced by the first AS node.
- 8. A route leakage determination device, the device comprising: a receiving module, configured to receive a BGP update message issued by a second AS node; a first obtaining module, configured to obtain an AS path based on the BGP update message, where the AS path indicates a plurality of AS nodes passed from the second AS node to a first AS node; a second obtaining module, configured to obtain routing information issued to a blockchain by the plurality of AS nodes in the AS path, where the routing information includes one or more forwarding triplets corresponding to the AS nodes, each forwarding triplet including the corresponding AS node and its two neighboring AS nodes, the forwarding triplet being represented as (a, b, c), where a is an identifier of the AS node to which the BGP update message is to be sent, b is an identifier of the corresponding AS node, c is an identifier of the AS node that sends the BGP update message, and both the AS node to which the BGP update message is to be sent and the AS node that sends the BGP update message are the neighboring AS nodes; and a detection module, configured to: for each AS node in the plurality of AS nodes, generate a route detection identifier of that AS node based on whether the adjacent nodes included in each forwarding triplet in the routing information of that AS node are the same as the adjacent nodes of that AS node in the AS path, wherein the route detection identifier indicates whether the corresponding AS node conforms to a route forwarding condition; and obtain route detection information based on the route detection identifiers of the AS nodes, wherein the route detection information indicates whether the AS path is a path with route leakage.
- 9. The apparatus of claim 8, wherein the routing information further comprises at least one target routing prefix of the corresponding AS node, and wherein the second obtaining module is configured to: obtain, based on the BGP update message, at least one first routing prefix, wherein the first routing prefix is an Internet Protocol (IP) prefix announced by the second AS node; and acquire, based on the at least one first routing prefix, the routing information issued by the AS nodes on the blockchain, wherein the at least one first routing prefix matches the at least one target routing prefix.
- 10. The apparatus of claim 8, wherein the detection module is configured to: for any AS node in the plurality of AS nodes, if the adjacent nodes indicated by the routing information of that AS node are the same as the adjacent nodes of that AS node in the AS path, generate a first route detection identifier of that AS node, wherein the first route detection identifier indicates that the AS node conforms to the route forwarding condition; if the adjacent nodes indicated by the routing information of that AS node differ from the adjacent nodes of that AS node in the AS path, generate a second route detection identifier of that AS node, wherein the second route detection identifier indicates that the AS node does not conform to the route forwarding condition; and if the routing information of that AS node is not acquired, generate a third route detection identifier of that AS node, wherein the third route detection identifier indicates that the routing information of the AS node was not acquired.
- 11. The apparatus of claim 10, wherein the detection module is configured to: if neither a first target AS node nor a second target AS node exists in the plurality of AS nodes, generate first route detection information, wherein the route detection identifier of a first target AS node is the second route detection identifier, the route detection identifier of a second target AS node is the third route detection identifier, and the first route detection information indicates that the AS path is a safe path; if a first target AS node exists in the plurality of AS nodes, generate second route detection information, wherein the second route detection information indicates that the AS path is a path with route leakage; and if a second target AS node exists in the plurality of AS nodes and no first target AS node exists in the plurality of AS nodes, generate third route detection information, wherein the third route detection information indicates that the AS path is a path with unknown safety.
- 12. The apparatus according to any one of claims 8 to 11, further comprising: a discarding module, configured to discard the BGP update message if the route detection information indicates that the AS path is a path with route leakage.
- 13. The apparatus according to any one of claims 8 to 11, further comprising: an adding module, configured to determine the AS path as an alternative path if the route detection information indicates that the AS path is a path with unknown security, and to add the alternative path to the routing table of the first AS node.
- 14. The apparatus according to any one of claims 8 to 11, further comprising: an issuing module, configured to issue the routing information of the first AS node to the blockchain, wherein the routing information of the first AS node comprises an identifier of the first AS node, at least one second routing prefix of the first AS node and the adjacent nodes of the first AS node, the second routing prefix being an IP prefix announced by the first AS node.
- 15. A network device comprising a processor and a memory for storing at least one piece of program code, the at least one piece of program code being loaded by the processor and performing the route leakage determination method of any one of claims 1 to 7.
- 16. A computer readable storage medium storing at least one piece of program code for performing the route leakage determination method according to any one of claims 1 to 7.
- 17. A computer program product comprising one or more program instructions which, when loaded and run on a network device, cause the network device to perform the route leakage determination method of any one of claims 1 to 7.
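The checking procedure of claims 1 to 6, as an added worked example that is not part of the patent: a dict stands in for the blockchain ledger, the AS numbers and prefixes are constructed, and using c = None for the originating AS (which received the update from nobody) is an assumption the claims do not spell out.

```python
"""Added example (not the patent's code): route-leak verdict for one BGP UPDATE
from the forwarding triplets (a, b, c) each AS publishes. The LEDGER dict is a
constructed stand-in for the blockchain; c = None marking the origin AS is an
assumption the patent does not spell out."""
from enum import Enum
from ipaddress import ip_network

class Mark(Enum):
    """The three route detection identifiers of claim 3."""
    CONFORMS = 1   # triplet matches the AS's neighbours in the path
    VIOLATES = 2   # neighbours differ: this AS broke its own forwarding policy
    NO_INFO = 3    # no (matching) routing information found on the ledger

# Constructed ledger: ASN -> published triplets (a, b, c) and target prefixes.
# a = AS the UPDATE is forwarded to, b = publishing AS, c = AS it was received from.
LEDGER = {
    64500: {"triplets": {(64510, 64500, None)}, "prefixes": ["203.0.113.0/24"]},
    64510: {"triplets": {(64520, 64510, 64500), (64530, 64510, 64500),
                         (64540, 64510, 64500)}, "prefixes": ["203.0.113.0/24"]},
    64520: {"triplets": {(64530, 64520, 64510)}, "prefixes": ["203.0.113.0/24"]},
    # AS 64540 has published nothing, so its mark is always NO_INFO.
}

def lookup(asn, announced):
    """Claim 2: use an AS's record only if an announced prefix lies within a target prefix."""
    rec = LEDGER.get(asn)
    if rec is None:
        return None
    targets = [ip_network(p) for p in rec["prefixes"]]
    hit = any(ip_network(p).subnet_of(t) for p in announced for t in targets)
    return rec if hit else None

def mark_nodes(receiver, as_path, announced):
    """Claims 1 and 3. as_path is the AS_PATH as received: nearest AS first, origin last."""
    hops = [receiver] + list(as_path)   # hops[i] received the UPDATE from hops[i + 1]
    marks = {}
    for i in range(1, len(hops)):
        a, b = hops[i - 1], hops[i]
        c = hops[i + 1] if i + 1 < len(hops) else None   # origin has no sender
        rec = lookup(b, announced)
        if rec is None:
            marks[b] = Mark.NO_INFO
        else:
            marks[b] = Mark.CONFORMS if (a, b, c) in rec["triplets"] else Mark.VIOLATES
    return marks

def verdict(marks):
    """Claim 4: any violation -> leak; otherwise any gap -> unknown; otherwise safe."""
    if Mark.VIOLATES in marks.values():
        return "route leakage"      # claim 5: discard the UPDATE
    if Mark.NO_INFO in marks.values():
        return "unknown safety"     # claim 6: install only as an alternative path
    return "safe"
```

Note that a single AS whose published triplets do not contain its actual neighbours is enough for the leak verdict, while an AS that has published nothing only degrades the result to unknown.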
Description
Route leakage determination method, device, equipment and storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular to a method, an apparatus, a device, and a storage medium for determining route leakage.
Background
The Border Gateway Protocol (BGP) is a dynamic routing protocol used between autonomous systems (ASes) that ensures basic communication capability between ASes. In general, there are various business relationships between ASes, and according to these business relationships the route forwarding of an AS follows a certain route forwarding policy. However, once an AS violates its own route forwarding policy due to misconfiguration or malicious behavior, received routing information is forwarded to an AS that should not receive it, which leaks a route that should not have been announced and results in security problems such as network congestion, route hijacking and traffic discarding.
Currently, detection devices are commonly used to determine whether route leakage has occurred in the network. For example, the detection device gathers the historical routing information issued by each AS; when a certain AS issues routing information, the detection device deduces the business relationships between that AS and other ASes from the historical routing information it has issued, so as to determine whether route leakage has occurred according to the route forwarding policy of the AS. However, not all historical routing information can be collected by the detection device (for example, routing information that must be kept confidential cannot be collected), so the above method sometimes infers the business relationships between ASes incorrectly, resulting in lower accuracy in determining route leakage.
Disclosure of Invention
The embodiments of the application provide a route leakage determination method, a device, equipment and a storage medium, which can effectively improve the accuracy of route leakage determination. The technical scheme is as follows.
In a first aspect, a route leakage determination method is provided, performed by a first AS node, the method comprising: receiving a Border Gateway Protocol (BGP) update message issued by a second AS node; acquiring, based on the BGP update message, an AS path, wherein the AS path indicates a plurality of AS nodes passed from the second AS node to the first AS node; acquiring routing information issued to a blockchain by the AS nodes in the AS path, wherein the routing information comprises the adjacent AS nodes of the corresponding AS nodes; and detecting the AS path based on the routing information issued to the blockchain by the plurality of AS nodes to obtain route detection information, wherein the route detection information indicates whether the AS path is a path with route leakage.
In the method, when a first AS node receives a BGP update message issued by a second AS node, the AS path in the BGP update message is acquired, so that the AS path can be checked against the routing information issued to a blockchain by the AS nodes in that path, and whether the AS path has route leakage is determined in a timely manner. In this process, the routing information of the AS nodes is disclosed through the blockchain, which is tamper-resistant and trustworthy, so the accuracy of the routing information is ensured and the accuracy of the route leakage determination is improved.
Moreover, the routing information does not disclose the business relationships among the ASes, so the privacy of each AS's economic decisions is protected and the method is easy to adopt; when most ASes in the network determine route leakage based on this method, the accuracy of route leakage determination can be greatly improved.
In some embodiments, the routing information further includes at least one target routing prefix of the corresponding AS node, and acquiring the routing information issued to the blockchain by the plurality of AS nodes in the AS path includes: obtaining, based on the BGP update message, at least one first routing prefix, wherein the first routing prefix is an Internet Protocol (IP) prefix announced by the second AS node; and acquiring, based on the at least one first routing prefix, the routing information issued by the AS nodes on the blockchain, wherein the at least one first routing prefix matches the at least one target routing prefix. By carrying at least one target routing prefix in the routing information, route leakage determination at the AS level can be refined to the routing prefix level, and when the first AS node subsequently detects whether the AS path is a path with route leakage, the communication assurance of the path corresponding to the routing prefix conforming to the route forwarding strategy