Message forwarding method and device, network equipment and computer readable storage medium

Document No.: 1834607 Publication date: 2021-11-12

Reading note: this technology, "Message forwarding method and device, network equipment and computer readable storage medium", was designed by 李�诚 on 2021-09-18. Its main content is as follows: The application provides a message forwarding method, a message forwarding apparatus, a network device and a computer-readable storage medium. The method comprises: receiving a message with a label; judging whether the current label carried by the message is a target label pre-allocated by the present device to an upstream network device, to obtain a judgment result, wherein the target label comprises a first code segment corresponding to a target interface set in the present device and a second code segment corresponding to a specified forwarding equivalence class, and one upstream network device corresponds to only one interface set; and performing on the message the processing operation corresponding to the judgment result. In this scheme, judging whether the current label of the message is the target label helps to judge quickly whether the message is safe, which improves the security of message forwarding. In addition, if the current label is the target label, the upstream network device can be identified from the first code segment of the current label, which improves the monitorability of message forwarding.

1. A message forwarding method, applied to a network device in a multi-protocol label switching (MPLS) network, the method comprising:

receiving a message with a label;

judging whether a current label carried by the message is a target label pre-allocated by the present device to an upstream network device, to obtain a judgment result, wherein the target label comprises a first code segment corresponding to a target interface set in the present device and a second code segment corresponding to a specified forwarding equivalence class, an interface in the target interface set is an interface in the present device corresponding to a label distribution protocol session, and one upstream network device corresponds to only one interface set;

and performing on the message the processing operation corresponding to the judgment result.

2. The method of claim 1, wherein, prior to receiving the message with a label, the method further comprises:

when the present device establishes a label distribution protocol session, allocating a unique identifier corresponding to the label distribution protocol session, wherein the unique identifier is associated with the target interface set of the present device;

creating the specified forwarding equivalence class based on routing information of the MPLS network;

and sending corresponding target labels to all upstream network devices of the present device, wherein each target label comprises a first code segment corresponding to the unique identifier and a second code segment corresponding to the specified forwarding equivalence class.

3. The method of claim 2, further comprising:

when the label distribution protocol session is ended, deleting the corresponding relation between the label distribution protocol session and the unique identifier, and deleting the association relation between the unique identifier and the target interface set of the device.

4. The method according to claim 1, wherein judging whether the current label carried by the message is a target label pre-allocated by the present device to an upstream network device, to obtain a judgment result, comprises:

when the interface receiving the message is not any interface in the target interface set, or the current label does not include the first code segment, or the current label does not include the second code segment, obtaining a judgment result indicating that the current label is not the target label;

and when the interface for receiving the message is any interface in the target interface set and the current label comprises the first code segment and the second code segment, obtaining a judgment result indicating that the current label is the target label.

5. The method according to claim 1, wherein performing the processing operation corresponding to the determination result on the packet includes:

when the judgment result shows that the current label is not the target label, discarding the message;

and when the judgment result shows that the current label is the target label, forwarding the message.

6. The method according to claim 5, wherein when the determination result indicates that the current label is the target label, forwarding the packet includes:

when the judgment result shows that the current label is the target label and the present device is the last hop network device corresponding to the specified forwarding equivalence class in the MPLS network, forwarding the message according to the destination address of the message.

7. The method according to claim 5, wherein when the determination result indicates that the current label is the target label, forwarding the packet includes:

when the judgment result shows that the current label is the target label and the device is not the last hop network device corresponding to the specified forwarding equivalence class in the MPLS network, deleting the current label from the message and adding a new current label, wherein the new current label is the current label which is sent by the next hop network device of the device to the device and corresponds to the specified forwarding equivalence class;

and forwarding the message added with the new current label according to the new current label.

8. A message forwarding apparatus, applied to a network device in a multi-protocol label switching (MPLS) network, the apparatus comprising:

a receiving unit, configured to receive a message with a label;

a judging unit, configured to judge whether a current label carried by the message is a target label pre-allocated by the present device to an upstream network device, to obtain a judgment result, wherein the target label comprises a first code segment corresponding to a target interface set in the present device and a second code segment corresponding to a specified forwarding equivalence class, an interface in the target interface set is an interface in the present device corresponding to a label distribution protocol session, and one upstream network device corresponds to only one interface set;

and the forwarding processing unit executes processing operation corresponding to the judgment result on the message.

9. A network device comprising a processor and a memory coupled to each other, the memory storing a computer program which, when executed by the processor, causes the network device to perform the method of any one of claims 1-7.

10. A computer-readable storage medium, in which a computer program is stored which, when run on a computer, causes the computer to carry out the method according to any one of claims 1 to 7.

Technical Field

The present application relates to the field of data communications, and in particular, to a method, an apparatus, a network device, and a computer-readable storage medium for forwarding a packet.

Background

As users pay more and more attention to network security and network monitoring, higher requirements are placed on the security and monitorability of MPLS (Multi-Protocol Label Switching) networks. At present, an MPLS network still has potential security hazards in some respects. For example, an ILM (Incoming Label Map) entry carries no corresponding upstream information or incoming interface information, so even an MPLS packet that was not received from the upstream is processed and forwarded as long as a matching ILM entry can be found. The validity of the MPLS packet cannot be checked, which may cause security problems for the MPLS network. If a malicious attack consisting of a large number of forged MPLS packets is received from a non-upstream network device, the network device may be kept busy processing the malicious packets, which affects the processing of normal packets.

Disclosure of Invention

An object of the embodiments of the present application is to provide a method, an apparatus, a network device, and a computer-readable storage medium for forwarding a packet, which are beneficial to improving security and monitorability of forwarding a packet in an MPLS network.

In order to achieve the above object, embodiments of the present application are implemented as follows:

In a first aspect, an embodiment of the present application provides a message forwarding method, which is applied to a network device in an MPLS network, and the method includes: receiving a message with a label; judging whether a current label carried by the message is a target label pre-allocated by the present device to an upstream network device, to obtain a judgment result, wherein the target label comprises a first code segment corresponding to a target interface set in the present device and a second code segment corresponding to a specified forwarding equivalence class, an interface in the target interface set is an interface in the present device corresponding to a label distribution protocol session, and one upstream network device corresponds to only one interface set; and performing on the message the processing operation corresponding to the judgment result.

In the above embodiment, a message sent by an upstream network device usually carries a current label, and the current label is not necessarily a target label. The target label is a label sent by the present device to the upstream network device; it carries a code segment corresponding to the target interface set and can be used to verify the security of the message. That is, judging whether the current label of the message is the target label helps to judge quickly whether the message is safe, which improves the security of message forwarding. In addition, if the current label is the target label, the upstream network device can be identified from the first code segment of the current label, which improves the monitorability of message forwarding.

With reference to the first aspect, in some optional implementations, before receiving the message with a label, the method further includes:

when the present device establishes a label distribution protocol session, allocating a unique identifier corresponding to the label distribution protocol session, wherein the unique identifier is associated with the target interface set of the present device;

creating the specified forwarding equivalence class based on routing information of the MPLS network;

and sending corresponding target labels to all upstream network devices of the present device, wherein each target label comprises a first code segment corresponding to the unique identifier and a second code segment corresponding to the specified forwarding equivalence class.

In the foregoing embodiment, the present device creates the target label in advance and then sends it to the upstream network device, so that when the upstream network device receives a packet, it can look up the corresponding routing information according to the destination address of the packet and encapsulate the corresponding current label, such as the target label. When the present device later receives a message sent by the upstream network device, checking the current label in the message helps it to judge the security of the message quickly, and, if the message carries the target label, to identify the upstream network device that sent it.

With reference to the first aspect, in some optional embodiments, the method further comprises:

when the label distribution protocol session is ended, deleting the corresponding relation between the label distribution protocol session and the unique identifier, and deleting the association relation between the unique identifier and the target interface set of the device.

In the above embodiment, by deleting the correspondence and the association, the unique identifier can be reclaimed so that it can be allocated to another label distribution protocol session next time.

With reference to the first aspect, in some optional embodiments, judging whether the current label carried by the message is a target label pre-allocated by the present device to an upstream network device, to obtain a judgment result, includes:

when the interface receiving the message is not any interface in the target interface set, or the current label does not include the first code segment, or the current label does not include the second code segment, obtaining a judgment result indicating that the current label is not the target label;

and when the interface for receiving the message is any interface in the target interface set and the current label comprises the first code segment and the second code segment, obtaining a judgment result indicating that the current label is the target label.

With reference to the first aspect, in some optional implementations, the performing, on the packet, a processing operation corresponding to the determination result includes:

when the judgment result shows that the current label is not the target label, discarding the message;

and when the judgment result shows that the current label is the target label, forwarding the message.

In the foregoing embodiment, if the current label carried by the message received by the present device is not the target label, the message is suspicious; if the current label is the target label, the message is safe. Judging whether the current label of the message is the target label therefore helps to judge quickly whether the message is safe, thereby improving network security.

With reference to the first aspect, in some optional implementations, when the judgment result indicates that the current label is the target label, forwarding the message includes:

when the judgment result shows that the current label is the target label and the present device is the last hop network device corresponding to the specified forwarding equivalence class in the MPLS network, forwarding the message according to the destination address of the message.

With reference to the first aspect, in some optional implementations, when the judgment result indicates that the current label is the target label, forwarding the message includes:

when the judgment result shows that the current label is the target label and the present device is not the last hop network device corresponding to the specified forwarding equivalence class in the MPLS network, deleting the current label from the message and adding a new current label, wherein the new current label is the label which is sent to the present device by the next hop network device of the present device and corresponds to the specified forwarding equivalence class;

and forwarding the message added with the new current label according to the new current label.

In a second aspect, the present application further provides a message forwarding apparatus, which is applied to a network device in an MPLS network, where the apparatus includes:

a receiving unit, configured to receive a message with a label;

a judging unit, configured to judge whether a current label carried by the message is a target label pre-allocated by the present device to an upstream network device, to obtain a judgment result, where the target label includes a first code segment corresponding to a target interface set in the present device and a second code segment corresponding to a specified forwarding equivalence class, an interface in the target interface set is an interface in the present device corresponding to a label distribution protocol session, and one upstream network device corresponds to only one interface set;

and the forwarding processing unit executes processing operation corresponding to the judgment result on the message.

In a third aspect, the present application further provides a network device, which includes a processor and a memory coupled to each other, where the memory stores a computer program, and when the computer program is executed by the processor, the network device is caused to execute the method described above.

In a fourth aspect, the present application also provides a computer-readable storage medium having stored thereon a computer program which, when run on a computer, causes the computer to perform the method described above.

Drawings

In order to illustrate the technical solutions of the embodiments of the present application more clearly, the drawings used in the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present application and therefore should not be considered as limiting its scope, and that those skilled in the art can obtain other related drawings from these drawings without inventive effort.

Fig. 1 is a schematic diagram of communication connection of a network system according to an embodiment of the present application.

Fig. 2 is a schematic structural diagram of a network device according to an embodiment of the present application.

Fig. 3 is a flowchart illustrating a message forwarding method according to an embodiment of the present application.

Fig. 4 is a block diagram of a message forwarding apparatus according to an embodiment of the present application.

Reference numerals: 10 - network system; 21 - network device; 22 - network device; 23 - network device; 24 - network device; 25 - network device; 26 - network device; 30 - network device; 31 - processing module; 32 - storage module; 33 - communication module; 200 - message forwarding apparatus; 210 - receiving unit; 220 - judging unit; 230 - forwarding processing unit.

Detailed Description

The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application. It should be noted that the terms "first," "second," and the like are used merely to distinguish one description from another, and are not intended to indicate or imply relative importance. The embodiments described below and the features of the embodiments can be combined with each other without conflict.

Referring to fig. 1, in a network system 10 based on an MPLS (Multi-Protocol Label Switching) network, the network system 10 may include a plurality of network devices, each of which serves as a node for forwarding data in the MPLS network. Illustratively, network system 10 shown in fig. 1 includes network device 21, network device 22, network device 23, network device 24, network device 25, network device 26, and so forth. The network device may be a switch, a router, etc.

In the network system 10, the network device at the Edge of the MPLS network is an Edge node, called a Label Edge Router (LER), and the Edge node may be communicatively connected to other networks or other devices for data interaction.

In network system 10, network devices that are not at the edge of the MPLS network are intermediate nodes, referred to as Label Switching Routers (LSRs). The intermediate nodes can be connected with edge nodes and other intermediate nodes in the MPLS network for data interaction.

For example, in fig. 1, the network device 21 and the network device 24 are edge nodes, and the network device 22, the network device 23, the network device 25, and the network device 26 are intermediate nodes.

It should be noted that the number of network devices included in the network system 10 can be flexibly determined according to actual situations, and is not limited specifically here.

Referring to fig. 2, the present application further provides a network device 30, where the network device 30 may be any device in the network system 10 other than the network device that is most upstream for the transmitted traffic. For example, assume that in the network system 10 shown in fig. 1 the transmission direction of the traffic is shown by the arrows, and the most upstream device for the traffic is the network device 21. Network device 30 may then be any network device in network system 10 other than network device 21.

The network device 30 may include a processing module 31 and a storage module 32. The storage module 32 stores therein a computer program which, when executed by the processing module 31, enables the network device 30 to perform the steps of the message forwarding method described below.

The network device 30 may also include other modules, for example, a communication module 33. The processing module 31, the storage module 32 and the communication module 33 are electrically connected directly or indirectly to realize data transmission or interaction. For example, the components may be electrically connected to each other via one or more communication buses or signal lines.

Referring to fig. 3, the present application further provides a message forwarding method, which can be applied to the network device 30, and the network device 30 executes or implements each step of the method. The method may comprise the steps of:

Step S110, receiving a message with a label;

Step S120, judging whether a current label carried by the message is a target label pre-allocated by the present device to an upstream network device, to obtain a judgment result, where the target label includes a first code segment corresponding to a target interface set in the present device and a second code segment corresponding to a specified FEC (Forwarding Equivalence Class), an interface in the target interface set is an interface in the present device corresponding to an LDP (Label Distribution Protocol) session, and one upstream network device corresponds to only one interface set;

Step S130, performing on the message the processing operation corresponding to the judgment result.

In the above embodiment, a message sent by an upstream network device usually carries a current label, and the current label is not necessarily a target label. The target label is a label sent by the present device to the upstream network device; it carries a code segment corresponding to the target interface set and can be used to verify the security of the message. That is, judging whether the current label of the message is the target label helps to judge quickly whether the message is safe, which improves the security of message forwarding. In addition, if the current label is the target label, the upstream network device can be identified from the first code segment of the current label, which improves the monitorability of message forwarding.

The individual steps of the method are explained in detail below.

Prior to step S110, the method may comprise:

when the present device establishes an LDP session, allocating a unique identifier corresponding to the LDP session, wherein the unique identifier is associated with the target interface set of the present device;

creating the specified FEC based on routing information of the MPLS network;

and sending corresponding target labels to all upstream network devices of the present device, wherein each target label comprises a first code segment corresponding to the unique identifier and a second code segment corresponding to the specified FEC.

It can be understood that an upstream network device of the present device is a device in the MPLS network that is not the next hop of the route corresponding to the specified FEC in the present device. In an MPLS network, one LDP session may correspond to multiple LDP link adjacencies, while one LDP link adjacency corresponds to only one LDP session and to only one interface in the device. In the present device, the interfaces corresponding to an LDP session are all target interfaces of the present device; that is, one LDP session corresponds to one target interface set of the present device.

An LDP link adjacency may be understood as the connection relationship between two adjacent network devices that are directly connected by a link. For the present device, the upstream network devices and downstream network devices directly connected to it are all LDP link adjacencies. For example, if the present device receives an LDP link Hello packet sent by a peer (an upstream network device or a downstream network device) on one of its interfaces, it creates an LDP link adjacency to indicate that the peer is a directly connected device and that the interface corresponding to the peer has the MPLS forwarding function enabled.

When a unique LDP session is established with an upstream network device, the present device may assign a unique identifier for the LDP session, i.e., the unique identifier is associated with the LDP session, and in addition, the unique identifier is also associated with a target interface set of the present device. In the present device, the MPLS packet from the upstream network device can only be received from these target interfaces, and the present device may store the correspondence between the unique identifier of the LDP session and the target interface set, and the correspondence between the interface and the LDP link adjacency, so as to facilitate subsequent identification and detection.

The unique identifier can be flexibly determined according to actual conditions and can be a number or a character. In addition, in the MPLS network, the manner of creating the LDP session is well known to those skilled in the art, and will not be described herein.

FEC refers to a set of messages (the destination addresses of the messages may be different) that follow the same forwarding path in a network, and the messages of the same FEC are handled in the same manner by a network device during forwarding.

The designated FEC refers to FEC created by the present device based on current routing information.

The present device can determine the downstream LDP session according to the next hop of the route; all other, non-downstream LDP sessions are upstream LDP sessions. The present device may allocate a target label to the upstream network device corresponding to each upstream LDP session, that is, it may send a corresponding label (the target label) to that upstream network device. For the same FEC, different labels are advertised to different upstream LDP sessions.

When the present device creates a label (including the target label), the label can be created according to a preset format. In an MPLS network, a label includes 20 bits of content. When creating the label, a code segment of a first preset length at the front of the 20 bits may be selected as the first code segment, used to identify different LDP sessions, and the remaining part may be selected as the second code segment, used to identify different FECs. Since the LDP session is associated with the target interface set, the first code segment can also be used to identify different target interface sets.

The first code segment may be a code segment with a fixed number of bits or a code segment with a dynamic number of bits, and similarly, the second code segment may be a code segment with a fixed number of bits or a code segment with a dynamic number of bits, and may be flexibly determined according to actual conditions. Illustratively, the first code segment and the second code segment are both fixed length, for example, the first code segment may be the first 6 bits of the 20 bits, and the second code segment may be the last 14 bits of the 20 bits.

In the 20-bit label, there may be residual bits between the first code segment and the second code segment. That is, the sum of the first preset length of the first code segment and the second preset length of the second code segment is less than 20 bits, and both lengths can be flexibly determined according to actual situations. In addition, the contents of the first code segment and the second code segment may be set according to actual situations, as long as they can be told apart, and are not specifically limited herein.

For example, assuming that the unique identifier of one LDP session can be a 6-digit number, the present device can use the 6-digit unique identifier of the LDP session as the first code segment of the label for distinguishing different LDP sessions. The 14-bit number corresponding to the specified FEC may be used as the second code segment, i.e. as the last 14-bit content of the label, so that the target label may be obtained. The 14-bit content of the second code segment can be flexibly determined according to actual conditions, as long as different FECs can be distinguished.

After the device creates the target label, the device can distribute the target label to the upstream network device. LDP sessions are different for different upstream network devices, and thus target labels received by different upstream network devices are different. The upstream network device may receive the labels sent by different downstream network devices, and may add corresponding labels to the packet according to actual conditions (e.g., according to FEC, label switching paths, etc. corresponding to the packet) when forwarding the packet.

In step S110, the device is the network device 30, and may be any other network device except the most upstream network device in the MPLS network. That is, in the MPLS network, the present device also has an upstream network device.

Referring to fig. 1 again, for example, the present device may be a network device 22, and may receive a message sent by an upstream network device 21 of the present device.

In the MPLS network, a network device may add a corresponding label when it forwards data. For example, when an upstream network device sends a message to the present device, a label is usually added to the message, and this label is not necessarily a target label sent by the present device to the upstream network device. It should be noted that the manner of adding the label is well known to those skilled in the art and is not described herein. In addition, as the packet is sent to different network devices in the MPLS network, each network device may delete the label added to the packet and encapsulate another label for the packet.

In step S120, the present device may parse the received packet. For example, it determines whether a label exists in the message and, when a label exists, whether the label is a target label that the present device sent to the upstream network device in advance. If the packet carries a label, that label is the current label of the packet, and the present device can analyze the current label further.

As an alternative implementation, step S120 may include:

when the interface receiving the message is not any interface in the target interface set, or the current label does not include the first code segment, or the current label does not include the second code segment, obtaining a judgment result indicating that the current label is not the target label;

and when the interface for receiving the message is any interface in the target interface set and the current label comprises the first code segment and the second code segment, obtaining a judgment result indicating that the current label is the target label.

Understandably, the present device stores the correspondence between the first code segment of the target label and the target interface set. Based on this correspondence, the device can look up all interfaces corresponding to the first code segment of the packet's current label and take them as the target interface set, and then determine whether the interface that actually received the packet is in that set. If the receiving interface is not any interface in the target interface set, the packet has a security risk; no further analysis of the current label is needed, the current label can be directly determined not to be the target label, and the packet needs to be intercepted.

In addition, if the first code segment in the current label of the message differs from the first code segment of the target label, or if the second code segment in the current label differs from the second code segment of the target label, the current label is determined not to be the target label. This indicates that the message has a security risk and needs to be intercepted.

In step S130, there are two possible determination results: the current label is not the target label, or the current label is the target label. The present device can perform different processing for each result. For example, step S130 may include:

when the judgment result shows that the current label is not the target label, discarding the message;

and when the judgment result shows that the current label is the target label, forwarding the message.

Understandably, if the current label is not the target label, the message is suspicious and needs to be intercepted. In this way, the security of message forwarding can be improved.

If the current label is the target label, the message is safe and does not need to be intercepted. In this case, the message can continue to be forwarded according to the current label or the label switched path of the message.

Because the label in the message is the target label, and the first code segment of the target label is associated with the upstream LDP session, the upstream network device of the message can be determined. The device can therefore quickly identify the upstream network device that sent the message from the first code segment of the message's current label.

As an optional implementation, forwarding the packet when the determination result indicates that the current label is the target label includes:

and when the judgment result shows that the current label is the target label and the equipment is the last hop network equipment corresponding to the specified FEC in the MPLS network, forwarding the message according to the destination address of the message.

As an optional implementation, forwarding the packet when the determination result indicates that the current label is the target label includes:

when the judgment result shows that the current label is the target label and the device is not the last hop network device corresponding to the specified FEC in the MPLS network, deleting the current label from the message and adding a new current label, wherein the new current label is the label, corresponding to the specified FEC, that the next hop network device of the device sent to the device;

and forwarding the message added with the new current label according to the new current label.

Understandably, if the device is not the last hop network device corresponding to the specified FEC in the MPLS network, it needs to re-encapsulate a label for the packet so that the downstream network device can also perform security detection and forwarding on it, thereby improving the security and reliability of data forwarding in the MPLS network. In addition, the first code segment of the added label can be used to identify the upstream network device that sent the message, which helps improve the monitorability of the message.

In this embodiment, if the first code segment and the second code segment in the label each have a fixed number of bits, the generated ILM (Incoming Label Map) does not need any new content, and the value identifying the FEC portion can be used as the incoming label, so the size of the ILM entry can be reduced. If the first code segment and the second code segment have a dynamic number of bits, the number of bits of each needs to be recorded in the generated ILM. Accordingly, when the device receives a packet carrying a label and the two code segments have a fixed number of bits, it does not need to look up the corresponding ILM first; it takes the fixed-length fields directly from the label to obtain the contents of the first code segment and the second code segment respectively.

If the first code segment and the second code segment do not have a fixed number of bits, the corresponding ILM needs to be found first, and the numbers of bits recorded in the ILM for the first code segment and the second code segment are obtained. The corresponding fields are then taken to obtain the contents of the two code segments, and the identifier of the LDP session is obtained from the contents of the first code segment, so that the upstream network device whose LDP session the message came from can be distinguished. In addition, the device checks whether the interface on which it received the message matches an interface corresponding to the LDP session; if the receiving interface does not belong to the target interface set corresponding to the first code segment, the message is considered not to be a legal message and is directly discarded.

With this design, the device needs to additionally store the correspondence between each LDP session and its interface set in order to check the validity of received messages. The size of the stored data is directly proportional to the number of LDP sessions, and the memory occupied is small.

As an optional implementation, the method may further include:

when the LDP session is ended, deleting the corresponding relation between the LDP session and the unique identifier and deleting the association relation between the unique identifier and the target interface set of the device.

In this embodiment, the present device may store a plurality of unique identifiers in a database. Deleting the correspondence between the LDP session and the unique identifier, and the association between the unique identifier and the target interface set of the device, reclaims the unique identifier so that it can be allocated to another new LDP session. In this way, unique identifiers can be reused without creating new ones.
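The check of steps S120 and S130 for the fixed-width case, together with the release of the identifier when the LDP session ends, can be sketched as follows. This is an added example, not code from the application: the 8/12-bit split of the 20-bit label, the interface bitmask, and all type and function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed fixed layout of the 20-bit MPLS label (widths are illustrative):
 * high 8 bits = first code segment (unique identifier of the LDP session),
 * low 12 bits = second code segment (identifier of the specified FEC). */
#define SESSION_BITS 8u
#define FEC_BITS     12u
#define MAX_SESSIONS (1u << SESSION_BITS)
#define MAX_FECS     (1u << FEC_BITS)

enum verdict { FORWARD, DROP_BAD_LABEL, DROP_NO_SESSION, DROP_WRONG_IFACE, DROP_NO_FEC };

/* Hypothetical per-session state: bit i of iface_mask set = interface i is in the set. */
struct session { bool active; uint32_t iface_mask; };

struct session sessions[MAX_SESSIONS];  /* session id -> target interface set */
bool fec_allocated[MAX_FECS];           /* FEC ids this device has advertised */

uint32_t make_label(uint32_t sid, uint32_t fec) { return (sid << FEC_BITS) | fec; }

void session_up(uint32_t id, uint32_t iface_mask)
{
    if (id < MAX_SESSIONS) sessions[id] = (struct session){ true, iface_mask };
}

/* LDP session ended: delete the mapping so the identifier can be reused. */
void session_down(uint32_t id)
{
    if (id < MAX_SESSIONS) sessions[id] = (struct session){ false, 0 };
}

/* Fixed-width case: both segments are cut straight out of the label. */
enum verdict check_label(uint32_t label, unsigned in_iface)
{
    if (label >> (SESSION_BITS + FEC_BITS))
        return DROP_BAD_LABEL;                 /* does not fit in 20 bits */
    uint32_t sid = label >> FEC_BITS;
    uint32_t fec = label & (MAX_FECS - 1u);
    if (!sessions[sid].active)
        return DROP_NO_SESSION;                /* first segment never allocated */
    if (in_iface >= 32 || !(sessions[sid].iface_mask & (1u << in_iface)))
        return DROP_WRONG_IFACE;               /* arrived outside the target set */
    if (!fec_allocated[fec])
        return DROP_NO_FEC;                    /* second segment never allocated */
    return FORWARD;
}

int main(void)
{
    /* Constructed scenario: session 3 is reachable over interfaces 1 and 2. */
    session_up(3, (1u << 1) | (1u << 2));
    fec_allocated[0x02A] = true;
    uint32_t label = make_label(3, 0x02A);
    printf("iface 1: %d, iface 5: %d\n", check_label(label, 1), check_label(label, 5));
    session_down(3);
    printf("after session end: %d\n", check_label(label, 1));
}
```

The interface test runs before the FEC test, matching the order described above: a label that arrives on an interface outside the target set is rejected without further analysis.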

Referring to Fig. 4, an embodiment of the present application further provides a message forwarding apparatus 200, which can be applied to the network device described above and is used to execute each step of the method. The message forwarding apparatus 200 includes at least one software functional module that can be stored in the storage module 32 in the form of software or firmware, or built into the operating system (OS) of a network device. The processing module 31 is used to execute the executable modules stored in the storage module 32, such as the software functional modules and computer programs included in the message forwarding apparatus 200.

The message forwarding apparatus 200 may include a receiving unit 210, a determining unit 220, and a forwarding processing unit 230, and may perform the following steps:

a receiving unit 210, configured to receive a packet with a label;

a determining unit 220, configured to determine whether a current label carried in the packet is a target label that is pre-allocated by the device to an upstream network device, and obtain a determination result, where the target label includes a first code segment corresponding to a target interface set in the device and a second code segment corresponding to a specified forwarding equivalence class, where an interface in the target interface set is an interface in the device corresponding to a label distribution protocol session, and one upstream network device corresponds to only one interface set;

and a forwarding processing unit 230, configured to perform a processing operation corresponding to the determination result on the packet.

Optionally, the message forwarding apparatus 200 may further include an allocating unit, a creating unit, and a sending unit. Before the receiving unit 210 executes step S110, the allocating unit is configured to, when the device establishes a label distribution protocol session, allocate a unique identifier corresponding to the label distribution protocol session, where the unique identifier is associated with the target interface set of the device; the creating unit is configured to create the specified forwarding equivalence class based on the routing information of the MPLS network; and the sending unit is configured to send corresponding target labels to all upstream network devices of the device, where each target label includes a first code segment corresponding to the unique identifier and a second code segment corresponding to the specified forwarding equivalence class.

Optionally, the message forwarding apparatus 200 may further include a deleting unit, configured to delete, when the label distribution protocol session is ended, a correspondence between the label distribution protocol session and the unique identifier, and delete an association between the unique identifier and the target interface set of the device.

Optionally, the determining unit 220 may be configured to: when the interface receiving the message is not any interface in the target interface set, or the current label does not include the first code segment, or the current label does not include the second code segment, obtain a judgment result indicating that the current label is not the target label; and when the interface receiving the message is any interface in the target interface set and the current label includes the first code segment and the second code segment, obtain a judgment result indicating that the current label is the target label.

Optionally, the forwarding processing unit 230 may further be configured to: when the judgment result shows that the current label is not the target label, discard the message; and when the judgment result shows that the current label is the target label, forward the message.

Optionally, the forwarding processing unit 230 may further be configured to: when the judgment result shows that the current label is the target label and the device is the last hop network device corresponding to the specified forwarding equivalence class in the MPLS network, forward the message according to the destination address of the message.

Optionally, the forwarding processing unit 230 may further be configured to: when the judgment result shows that the current label is the target label and the device is not the last hop network device corresponding to the specified forwarding equivalence class in the MPLS network, delete the current label from the message and add a new current label, where the new current label is the label, corresponding to the specified forwarding equivalence class, that the next hop network device of the device sent to the device; and forward the message with the new current label added according to the new current label.

In this embodiment, the processing module 31 may be an integrated circuit chip having signal processing capability. The processing module 31 may be a general-purpose processor. For example, the processor may be a central processing unit (CPU), a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute the methods, steps, and logic blocks disclosed in the embodiments of the present application.

The storage module 32 may be, but is not limited to, a random access memory, a read-only memory, a programmable read-only memory, an erasable programmable read-only memory, an electrically erasable programmable read-only memory, and the like. In this embodiment, the storage module 32 may be configured to store a current label, a correspondence between the LDP session and the unique identifier, and the like. Of course, the storage module 32 may also be used for storing a program, and the processing module 31 executes the program after receiving the execution instruction.

The communication module 33 is used for establishing a communication connection between the network device and another device through the network, and transceiving data through the network.

It is understood that the configuration shown in Fig. 2 is only a schematic configuration of a network device, and the network device may further include more components than those shown in Fig. 2. The components shown in Fig. 2 may be implemented in hardware, software, or a combination thereof.

It should be noted that, as will be clear to those skilled in the art, for convenience and brevity of description, the specific working process of the network device described above may refer to the corresponding process of each step in the foregoing method, and will not be described in detail herein.

The embodiment of the application also provides a computer readable storage medium. The computer-readable storage medium has stored therein a computer program which, when run on a computer, causes the computer to execute the message forwarding method as described in the above embodiments.

From the above description of the embodiments, it is clear to those skilled in the art that the present application can be implemented by hardware, or by software plus a necessary general hardware platform. Based on such understanding, the technical solution of the present application can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, a USB disk, a removable hard disk, etc.) and includes several instructions to enable a computer device (which can be a personal computer, a server, or a network device, etc.) to execute the method described in the embodiments of the present application.

In summary, in the present solution, the target label is a label sent by the device to the upstream network device, and it carries a code segment corresponding to the target interface set, which can be used to verify the security of the packet. That is, determining whether the current label of the packet is the target label makes it possible to quickly determine whether the packet is secure, which improves the security of packet forwarding. In addition, if the current label is the target label, the upstream network device can be identified from the first code segment of the current label, which improves the monitorability of message forwarding.

In the embodiments provided in the present application, it should be understood that the disclosed apparatus, system, and method may be implemented in other ways. The apparatus, system, and method embodiments described above are illustrative only, as the flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions. In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.

The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.
