-
Publication (Announcement) No.: EP4145790A1
Publication (Announcement) Date: 2023-03-08
Application No.: EP21808353.3
Filing Date: 2021-03-10
Inventors: LU, Dongjie , GU, Rui , WEN, Huizhi , XIAO, Yaqun
IPC Classification: H04L29/06
Abstract: Embodiments of this application disclose a method for verifying an SRv6 packet. An egress node of an IPsec tunnel may receive an SRv6 packet, where the SRv6 packet is encapsulated in IPsec transport mode. The SRv6 packet includes an AH and at least one SRH. The SRv6 packet carries first indication information, which instructs the egress node to perform AH verification on the SRv6 packet. The verification range of the AH verification includes the at least one SRH. The method may prevent a network attacker from carrying out an attack by using an SRH, for example by tampering with an existing SRH or inserting a new one. In addition, this solution has the following advantages: it consumes fewer resources, prevents replay attacks, supports key agreement, and verifies the SRH of an SRv6 packet when that SRH is used to forward the packet.
-
Publication (Announcement) No.: EP4117227A1
Publication (Announcement) Date: 2023-01-11
Application No.: EP21780133.1
Filing Date: 2021-03-10
Inventors: LU, Dongjie , XIAO, Yaqun , WEN, Huizhi , FU, Jianzhong
IPC Classification: H04L9/32 , H04L12/723
Abstract: A packet forwarding method is disclosed. After an edge node in a trusted domain receives an SRv6 packet whose destination address is a BSID, the edge node may verify the packet based on the BSID in the packet and the destination field in the SRH of the packet. If the packet passes the verification, the edge node forwards it; if the packet fails the verification, the edge node discards it. Not only is a node outside the trusted domain required to access the trusted domain by using the BSID, but a packet entering the trusted domain must also be verified against the destination field in the segment routing header. Compared with a solution that performs SRv6 boundary filtering on a packet by using only a BSID, the foregoing method can effectively reduce the network resources consumed by an attack packet, and therefore can reduce the security risks of forwarding packets with SRv6.
-
Publication (Announcement) No.: EP4099657A1
Publication (Announcement) Date: 2022-12-07
Application No.: EP21767309.4
Filing Date: 2021-03-06
Inventors: LU, Dongjie , GU, Rui , WU, Di , ZHOU, Yu
Abstract: This application provides a method and an apparatus for preventing a replay attack on SRv6 HMAC verification. After receiving an SRv6 packet, a network device obtains the anti-replay verification information carried in the packet, performs anti-replay verification based on that information, and then performs HMAC hash computation only on a packet that passes the verification, discarding a packet that fails it. When an attacker sends a large quantity of replayed packets to the network device, this method avoids much of the hash computation that conventional HMAC verification would perform on those replayed packets, saves the device's computing resources, and improves the efficiency of processing legitimate packets.