WO2007006193A1 - A method for preventing the user from obtaining the service provider network information and the equipment as well as the system thereof


Info

Publication number: WO2007006193A1
Authority: WO, WIPO (PCT)
Prior art keywords: network, user, packet, icmp, router
Application number: PCT/CN2006/000935
Other languages: French (fr), Chinese (zh)
Inventor: Fuyou Miao
Original assignee: Huawei Technologies Co., Ltd.


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227: Filtering policies
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic

Abstract

A method for preventing a user from obtaining service provider network information, and an apparatus and system therefor. The method mainly comprises: determining the edge router between the service provider network and the user network; and having the edge router filter the received Internet Control Message Protocol (ICMP) time-exceeded messages that are sent from the provider network to the user network. The invention thereby prevents the service provider from returning to the user ICMP time-exceeded messages that contain service provider network path information, while ensuring that path-tracing programs such as TraceRoute can still be used successfully within the service provider network. In addition, because the invention adds a judgement of the source of each ICMP time-exceeded message, ICMP time-exceeded messages that come from a user network are still forwarded normally to the user network.

Description

Method, apparatus and system for preventing a user from obtaining operator network information

Technical field

The present invention relates to the field of communications, and in particular to a method, apparatus and system for preventing a user from obtaining operator network information.

Background art
The IP protocol is the core of the Internet protocol suite. It hides the underlying physical networks behind a uniform routing mechanism and thereby achieves wide-area interconnection of heterogeneous networks. The IP version currently used on the Internet is IPv4.

Although IP is a powerful means of carrying packets, it takes no responsibility for packet loss, duplication, delay or reordering, so IP cannot guarantee that a packet will reach its destination. To raise the probability of successful IP packet delivery and to report the outcome of delivery accurately, the Internet Engineering Task Force (IETF) designed the Internet Control Message Protocol (ICMP).

Structurally, the Internet consists of hosts that send and receive packets and routers that relay them. Given the unreliability of IP itself, ICMP is mainly used to carry control and error-report messages between network devices and nodes. Its only purpose is to inform the originating host of problems that arise in the network: a router feeds the result of packet transmission back to the originating host.

ICMP is used mainly by routers, and its receiver is the originating host of the IP packet. The basic transmission process of an ICMP message is as follows:
1. When a router finds that an IP packet cannot be forwarded or delivered for some reason, the relevant entity, generally an upper-layer entity, forms an ICMP message.

2. According to the fault category it has determined, the router fills in the ICMP message's type, code, checksum and data fields.

3. The router takes the originating host's IP address from the failed IP packet and forms a new IP packet carrying the ICMP message.

4. The router forwards that IP packet to the originating host over some route.

5. On receiving the IP packet carrying the ICMP message, the originating host extracts the ICMP message, reads each of its fields, and thus determines the fault type and the cause of the fault for the failed IP packet.

An IP packet carrying an ICMP message has no priority on the return path; it is forwarded like any normal IP packet. The only difference is that if an IP packet carrying an ICMP message itself fails in transit, the router forwarding it generates no further error message.

ICMP messages fall into two main classes: ICMP error-report messages and ICMP informational messages.
There are five main kinds of ICMP error-report message:

1. Destination host unreachable: when a router or host cannot deliver a packet to the destination host, it sends a destination-host-unreachable message to the originating host.

2. Source quench: when a router or host discards a packet because of congestion, it sends a source-quench message so that the originating host knows it should slow down its sending rate.

3. Time exceeded: when a router receives a packet whose time to live has reached zero, it discards the packet and also sends a time-exceeded message to the originating host. When the destination host cannot receive all of a packet's contents within a predetermined time, it discards what it has received and sends a time-exceeded message to the originating host.

4. Parameter problem: when a router or the destination host finds that a field in the header of a received packet has an incorrect value, it discards the packet and sends a parameter-problem message to the originating host.

5. Redirect (change of route): the router sends a redirect message to the originating host so that the originating host knows to send subsequent packets to a different router.

ICMP error-report messages must not be sent in the following cases:

1. in response to an ICMP error-report message;

2. for any fragment after the first fragment of a fragmented packet;

3. for packets with a multicast address;

4. for packets with a special address, such as 127.0.0.0 or 0.0.0.0.
There are four kinds of ICMP informational message:

1. Echo Request and Echo Reply: after an originating host or router sends an Echo Request to a particular destination host, the machine receiving it must return a reply message to the originating host or router.

2. Timestamp request and reply: used to ask a host or router for the current date and time.

3. Address mask request: used to obtain the address mask of an interface from a subnet-mask server.

4. Router solicitation and advertisement: used to learn whether the routers attached to the local network are working normally. A host broadcasts a router solicitation; one or more routers that receive it broadcast their routing information in a router advertisement.

By combining the functions of the Echo Request and Echo Reply messages (informational messages) with the time-exceeded message (an error message), the network path traversed by an IP packet can be obtained.
Below, taking an IPv4 network as the example, the traceroute function (a method or program for tracing the path along which data is transmitted) is explained.

Two kinds of traceroute are currently in use: ICMP traceroute and UDP traceroute, the latter based on the User Datagram Protocol (UDP). Some software vendors use ICMP traceroute, so the traceRT shipped with some operating systems uses ICMP traceroute, while other operating systems such as Unix, and some vendors' routers, use UDP traceroute.

In routers and hosts, TraceRoute relies on the packet's Time to Live (TTL) value to decide the next action:

if the received packet's TTL is 0, the packet is discarded and an ICMP time-exceeded message is sent to the source node;

if the received packet's TTL is not 0, the TTL is decremented by 1 and the packet is forwarded on for upper-layer protocol processing.

TraceRoute generally sets the TTL to a small value so that nodes along the path deliberately return ICMP time-exceeded messages, from which path information is obtained.
ICMP traceroute works as follows:

ICMP traceroute uses ICMP Echo Request, ICMP Echo Reply and ICMP TTL-expired messages. The originating host sends ICMP Echo Request messages: the first request with TTL 1, the second with TTL 2, and so on, incrementing up to TTL 30. Each intermediate router at which a packet is dropped because its TTL has expired returns an ICMP TTL-expired message (ICMP type 11) to the originating host, so the originating host learns of every router the packet passed along the way; the final destination host returns an ICMP Echo Reply.

UDP traceroute works as follows:

UDP traceroute uses ICMP TTL-expired (type 11) messages, ICMP port unreachable (type 3, code 3) messages and UDP packets to ports > 32768. The originating host sends UDP packets whose source port is any random high port above 32768; the destination port starts at 33434 and is incremented by one for each probe sent, up to 33434+29 (on Cisco routers the extended-traceroute command can change this starting port 33434), while the TTL starts at 1 and is likewise incremented for each probe up to 1+29=30 (at most 30 probes are sent). The intermediate routers return ICMP TTL-expired messages, so the originating host learns of every intermediate router; the final destination host returns a TTL-expired message and an ICMP port unreachable message (because no application on any host uses a UDP port as high as > 32768).

Given how ICMP traceroute and UDP traceroute work, a user can use them to obtain node information and path information in the network and, by changing the destination address of the packets, obtain information about several paths; combined, this information yields the network topology.

From the user's point of view, what matters is quality of service: the user need not care which nodes carry the packets, and obtaining path information does nothing to raise user satisfaction. A malicious attacker, however, can use path information to mount attacks on the network, so users should be prevented from obtaining network path information.
One prior-art safeguard against ICMP TraceRoute restricts the router from returning system information by changing the router's packet-processing rules. The changed rules are mainly:

1. if any router on the intermediate path filters ICMP Echo Request, Traceroute cannot work;

2. if type 11 (Time Exceeded) messages are blocked, none of the intermediate routers can be seen, but it can still be seen that the packet reached the final destination;

3. if ICMP Echo Reply messages are blocked, all intermediate nodes can still return Time Exceeded information and only the final destination cannot be seen, so the user still obtains path information.

One prior-art safeguard against UDP TraceRoute likewise restricts the router from returning system information by changing the router's packet-processing rules. The changed rules are mainly:

1. if any router on the intermediate path filters out UDP ports > 32768, traceroute cannot work;

2. blocking TTL time-exceeded messages prevents the originating host from seeing the intermediate routers;

3. blocking Echo Reply messages prevents the originating host from obtaining the destination node's response.

The drawback of these prior-art safeguards against ICMP TraceRoute and UDP TraceRoute is that they also restrict the use of TraceRoute inside the operator's own network, yet TraceRoute is an important tool for operators to manage and maintain their networks.
Summary of the invention

In view of the problems of the prior art, the object of the present invention is to provide a method, apparatus and system for preventing a user from obtaining operator network information, such that the operator network does not return path information to the user while TraceRoute can still be used successfully within the operator network.

The object of the invention is achieved by the following technical solutions:

A method for preventing a user from obtaining operator network information, comprising:

A. determining the edge router between the operator network and the user network;

B. the edge router filtering received Internet Control Message Protocol (ICMP) time-exceeded messages sent from the operator network to the user network.

Preferably, the filtering in step B specifically comprises:

the edge router discarding received ICMP time-exceeded messages sent from the operator network to the user network.

Preferably, the filtering in step B specifically comprises:

the edge router modifying the source address of received ICMP time-exceeded messages sent from the operator network to the user network, and then forwarding the messages normally.

Preferably, modifying the source address specifically comprises:

the edge router changing the source address of received ICMP time-exceeded messages sent from the operator network to the user network to its own address, and then forwarding the messages normally.

Preferably, modifying the source address specifically comprises:

the edge router changing the source address of received ICMP time-exceeded messages sent from the operator network to the user network to a pre-designated address, and then forwarding the messages normally.

Preferably, after the edge router in step B receives an ICMP time-exceeded message sent from the operator network to the user network, the method further comprises:

the edge router judging, from attributes of the IP packet itself that carries the ICMP time-exceeded message, whether the source node of that message is in the operator network or in a user network; if it is in the operator network, performing the filtering; if it is in a user network, forwarding the received ICMP time-exceeded message to the destination user network.

Preferably, the attributes of the IP packet itself include the packet's time to live (TTL) or its Hop Limit.

Preferably, the method applies to IPv4 or IPv6 networks.
An apparatus for preventing a user from obtaining operator network information, implemented in a router, the router comprising:

a packet filtering module, for filtering ICMP time-exceeded messages that pass through the router from the operator network toward a user network.

Preferably, the packet filtering module comprises:

a packet discarding module, for discarding ICMP time-exceeded messages that pass through the router from the operator network toward a user network;

and/or

a packet address modification module, for modifying the address of ICMP time-exceeded messages that pass through the router from the operator network toward a user network.

Preferably, the router further comprises:

a packet source judging module, for determining whether an ICMP time-exceeded message sent from the operator network to a user network originates in the operator network or in a user network; if it originates in the operator network, triggering the packet filtering module to process it, and if it originates in a user network, triggering the router's existing forwarding module to forward it normally.

A system for preventing a user from obtaining operator network information, comprising a user network and an operator network that contains a router, the router comprising:

a packet filtering module, for filtering and processing ICMP time-exceeded messages that pass through the router from the operator network toward a user network.

Preferably, the packet filtering module comprises:

a packet discarding module, for discarding ICMP time-exceeded messages that pass through the router from the operator network toward a user network;

and/or

a packet address modification module, for modifying the address of ICMP time-exceeded messages that pass through the router from the operator network toward a user network.

Preferably, the router further comprises:

a packet source judging module, for determining whether an ICMP time-exceeded message sent from the operator network to a user network originates in the operator network or in a user network; if it originates in the operator network, triggering the packet filtering module to process it, and if it originates in a user network, triggering the router's existing forwarding module to forward it normally.

As the above technical solution shows, the present invention filters ICMP time-exceeded messages that cross the operator network edge toward a user network, the filtering consisting of discarding the messages or modifying their addresses. This prevents the operator network from returning to the user ICMP time-exceeded messages that contain operator network path information, or ensures that any returned ICMP time-exceeded messages cannot be used to derive that path information, while guaranteeing that path-tracing programs such as TraceRoute can still be used successfully within the operator network. Furthermore, because the invention adds a judgement of the source of each ICMP time-exceeded message, messages that originate in a user network are still forwarded normally to the user network.
Brief description of the drawings

Figure 1 is a flow chart of the processing of the method of the present invention;

Figure 2 is a schematic diagram of the network of the embodiment of the present invention;

Figure 3 is a schematic diagram of the structure of the apparatus of the present invention.

Detailed description

The present invention provides a method and apparatus for preventing a user from obtaining operator network information. Its core is: determining the edge router between the operator network and the user network; and, when an ICMP time-exceeded message passes through an operator network edge router toward a user network, having that edge router filter the message.

First, a term: an edge router is located within the operator network and connects a user network to the operator network.

The invention is described in detail below with reference to the drawings. The processing flow of the method, shown in Figure 1, comprises the following steps:

Step 1-1: the user equipment sends ICMP Echo or UDP packets to the destination user through the operator network, and ICMP time-exceeded messages are generated.

The user equipment, which may be a single host or a network made up of several hosts, routers and switches, sends through the operator network to the destination user a number of the ICMP Echo packets used by the ICMP TraceRoute function, or a number of the UDP packets used by the UDP TraceRoute function.

When some of these ICMP Echo or UDP packets reach an intermediate router or edge router in the operator network, or a router in some other user network outside the operator network, their TTL reaches 0. According to the ICMP processing rules in the router, the router then discards the received ICMP Echo or UDP packet and, following the IP protocol procedures, generates an ICMP time-exceeded message whose destination address is set to the address of the source user equipment and whose source address is set to the router's own address.

Step 1-2: an intermediate router or edge router in the operator network receives the ICMP time-exceeded message.

The ICMP time-exceeded message generated in step 1-1 is sent to the source user equipment through the operator network, so an intermediate router or an edge router in the operator network receives it. If an intermediate router receives it, step 1-3 is performed; if an edge router receives it, step 1-4 is performed.

Step 1-3: the intermediate router forwards the ICMP time-exceeded message normally.

The intermediate router forwards the received ICMP time-exceeded message according to the normal forwarding rules, without any special treatment.

Step 1-4: the edge router judges whether the time-exceeded message is being sent from the operator network to a user network.

After receiving the ICMP time-exceeded message, the edge router must judge whether it is being sent from the operator network to a user network. If so, step 1-6 is performed; otherwise, step 1-5 is performed.

Step 1-5: the edge router forwards the ICMP time-exceeded message normally.

The edge router forwards the received ICMP time-exceeded message according to the normal forwarding rules, without any special treatment.

Step 1-6: the edge router filters the ICMP time-exceeded message.

If the edge router judges that the ICMP time-exceeded message is being sent from the operator network to a user network, it discards the message; or it modifies the address information contained in the message, that is, performs a translation. Translation means modifying part of the message's content, for example replacing the source address of the ICMP time-exceeded message with the edge router's own address, or with some other pre-designated address such as 0.0.0.0, so that the user cannot derive from that message the path through the operator network, the path being the one the request packet traversed.

Thus, after the above operations, the user is prevented from obtaining network connectivity information about the operator network from ICMP time-exceeded messages.
For step 1-6 of the method, the present invention further proposes an improvement, described as follows:

The edge router uses certain attributes of the IP packet itself that carries the ICMP time-exceeded message to judge whether the source node that generated the message is in the operator network or in a user network. In some network designs, the TTL of packets generated by nodes in the operator network and the TTL of packets generated by nodes in user networks are allocated different ranges, so the judgement can be made from the packet's TTL value. In an IPv6 network, the Hop Limit is used instead to judge whether the source node of the ICMP time-exceeded message is in the operator network or in a user network.

Having judged the source of the ICMP time-exceeded message, the edge router does not allow messages that originate in the operator network to be forwarded from the operator network into the user network, that is, it filters them as described above; messages that originate in a user network are still forwarded normally to the user network.

This improvement is of particular value for virtual private networks (VPNs): several user networks/premises/sites in different geographical locations may belong to the same customer, so users within one VPN can trace paths into the other user networks/premises/sites of that VPN while still obtaining no information about the operator network.

The present invention also provides an embodiment of the method, the network of which is shown in Figure 2.

In the network of Figure 2, CPN denotes the user equipment, which may be a single host or a network made up of several hosts, routers or switches; the CPNs may belong to the same or to different individual users, home users, enterprise users, content providers or Internet data centres (IDCs).

PE denotes the operator edge router, located at the boundary between a user network and the operator network. The PE needs two main functions:

1. filtering ICMP time-exceeded messages as required, including discarding them or modifying their addresses;

2. forwarding packets normally according to the ICMP protocol procedures, and generating ICMP time-exceeded messages.
P为运营商核心路由器, 其主要功能为: 根据 ICMP协议规程, 对报 文进行正常的转发; 产生 ICMP超时报文。  P is the core router of the carrier. Its main functions are as follows: According to the ICMP protocol, the packets are forwarded normally; ICMP timeout packets are generated.
In the network shown in Figure 2, a path-tracing (traceroute) procedure initiated by a user proceeds as follows:

1. Host1 in CPN1 sends an Echo message to the destination node Host4 in CPN4 and obtains, from the returned Echo Reply, the hop count N to the destination, that is, the number of forwarding nodes in between.

2. Host1 in CPN1 sends multiple ICMP Echo or UDP packets whose destination address is that of Host4 in CPN4, setting the TTL of the successive packets to TTL = 1, 2, 3, ..., N, where N is the hop count to the destination node.

3. When some of the ICMP Echo or UDP packets sent by Host1 reach PE1, P1, P2 and PE4, their TTL reaches 0. According to the ICMP message-processing rules in routers, PE1, P1, P2 and PE4 discard the received ICMP Echo or UDP packet and, following the IP procedures, generate an ICMP Time Exceeded message whose destination address is set to Host1's address and whose source address is set to the address of PE1, P1, P2 or PE4 itself.

4. When carrier edge routers such as PE1, PE2, PE3 and PE4 receive an ICMP Time Exceeded message, they inspect it to determine whether it is being sent from the carrier network to the user network; if so, they filter the message; otherwise they continue to forward it.

For example, if PE1 receives an ICMP Time Exceeded message sent by P2 to Host1, it filters that message; if PE4 receives an ICMP Time Exceeded message sent by Host4 to Host1, it continues to forward the message, which then arrives at PE1.

If the improved scheme described above is not adopted, PE1 filters the ICMP Time Exceeded message sent by Host4 to Host1 when it receives it.

If the improved scheme described above is adopted, PE1 continues to forward the ICMP Time Exceeded message sent by Host4 to Host1 when it receives it.

Furthermore, because the present invention filters ICMP Time Exceeded messages only when they pass through a carrier edge router on their way into a user network, path tracing initiated from within the carrier network is not affected: in the embodiment of Figure 2, if PE1 initiates a path trace to PE4, the ICMP Time Exceeded messages returned by P1 and P2 are not discarded, and PE1 still obtains the complete path to PE4.
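As an added illustration that is not part of the patent, the following Python simulation runs the Figure 2 traceroute through an edge router that applies the drop, own-address or pre-designated-address filter, with and without the TTL-based source determination of the improved scheme; the topology, addresses, TTL allocation and threshold are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed topology along one path of Figure 2: Host1 - PE1 - P1 - P2 - PE4 - Host4.
PATH = ["Host1", "PE1", "P1", "P2", "PE4", "Host4"]
ADDR = {"Host1": "10.1.0.1", "PE1": "203.0.113.1", "P1": "203.0.113.2",
        "P2": "203.0.113.3", "PE4": "203.0.113.4", "Host4": "10.4.0.1"}
PROVIDER = {"PE1", "P1", "P2", "PE4"}   # carrier network nodes
EDGE = {"PE1", "PE4"}                   # PE routers at the carrier/user boundary
# Assumed TTL allocation (the "different ranges" the improved scheme relies on):
# carrier nodes originate packets with TTL 255, customer hosts with TTL 64.
INITIAL_TTL = {n: (255 if n in PROVIDER else 64) for n in PATH}
TTL_THRESHOLD = 128   # constructed: TTL above this => originated in the carrier


@dataclass
class TimeExceeded:
    """The fields of an ICMP Time Exceeded message that matter here."""
    src: str   # address of the router/host that generated the message
    dst: str   # the tracing host
    ttl: int   # TTL of the IP packet carrying the message


def originated_in_carrier(pkt: TimeExceeded) -> bool:
    """Message source determination module: judge by the carrying packet's TTL."""
    return pkt.ttl > TTL_THRESHOLD


def edge_filter(pkt: TimeExceeded, mode: str, self_addr: str,
                fixed_addr: str = "0.0.0.0", improved: bool = False) -> Optional[TimeExceeded]:
    """Message filtering module, applied when a Time Exceeded message leaves the
    carrier network toward a user network. Returns the message to forward, or
    None when it is discarded."""
    if improved and not originated_in_carrier(pkt):
        return pkt                                        # from another user site: forward as-is
    if mode == "drop":
        return None                                       # message discarding module
    if mode == "self":
        return TimeExceeded(self_addr, pkt.dst, pkt.ttl)  # rewrite source to the PE's own address
    if mode == "fixed":
        return TimeExceeded(fixed_addr, pkt.dst, pkt.ttl) # rewrite source to a pre-designated address
    raise ValueError(f"unknown filter mode {mode!r}")


def traceroute(src: str, dst: str, mode: Optional[str] = None,
               improved: bool = False) -> List[Optional[str]]:
    """Hop addresses that `src` learns when tracing to `dst`, one entry per TTL
    value 1..N; None means the reply for that TTL was dropped. mode=None means
    no PE filtering is configured."""
    i, j = PATH.index(src), PATH.index(dst)
    learned: List[Optional[str]] = []
    for node in PATH[i + 1:j + 1]:          # the probe with TTL=k expires at the k-th node
        pkt = TimeExceeded(ADDR[node], ADDR[src], INITIAL_TTL[node])
        back = PATH[i:PATH.index(node) + 1][::-1]   # return path: node ... src
        for cur, nxt in zip(back, back[1:]):
            if cur != node:
                pkt.ttl -= 1                # each forwarding router decrements TTL
            # A PE applies the filter only when the next hop lies in a user network.
            if mode and cur in EDGE and nxt not in PROVIDER:
                pkt = edge_filter(pkt, mode, ADDR[cur], improved=improved)
                if pkt is None:
                    break
        learned.append(pkt.src if pkt else None)
    return learned


if __name__ == "__main__":
    print("no filter     :", traceroute("Host1", "Host4"))
    print("drop          :", traceroute("Host1", "Host4", "drop"))
    print("self+improved :", traceroute("Host1", "Host4", "self", improved=True))
    print("PE1 -> PE4    :", traceroute("PE1", "PE4", "drop"))
```

The last call shows the point of the preceding paragraph: a trace started at PE1 never crosses a carrier-to-user boundary, so the filter leaves it untouched.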
A schematic structural diagram of the apparatus of the present invention is shown in Figure 3. The apparatus is implemented in a router, to which the following modules are added:

A message filtering module, configured to filter ICMP Time Exceeded messages passing through the router from the carrier network to the user network.

The message filtering module includes the following modules:

A message discarding module, configured to discard ICMP Time Exceeded messages passing through the router from the carrier network to the user network; and/or

A message address modification module, configured to modify the addresses of ICMP Time Exceeded messages passing through the router from the carrier network to the user network, so that the message cannot reach the user network or the user cannot derive carrier-network path information from the modified message.

The router may further include:

A message source determination module, configured to determine whether an ICMP Time Exceeded message being sent from the carrier network to the user network originates in the carrier network or in a user network; if it originates in the carrier network, the module triggers the message filtering module to process it, and if it originates in a user network, the module triggers the router's existing forwarding module to forward it normally.

Referring to Figure 2, the present invention also provides a system for preventing a user from obtaining carrier network information, comprising a user network and a carrier network that includes a router, the router comprising:

A message filtering module: configured to filter ICMP Time Exceeded messages passing through the router from the carrier network to the user network.

The message filtering module includes the following modules:

A message discarding module: configured to discard ICMP Time Exceeded messages passing through the router from the carrier network to the user network;

and/or,

A message address modification module: configured to modify the addresses of ICMP Time Exceeded messages passing through the router from the carrier network to the user network.

The router may further include:

A message source determination module, configured to determine whether an ICMP Time Exceeded message being sent from the carrier network to the user network originates in the carrier network or in a user network; if it originates in the carrier network, the module triggers the message filtering module to process it, and if it originates in a user network, the module triggers the router's existing forwarding module to forward it normally.

The method, apparatus and system of the present invention are applicable to both IPv4 and IPv6 networks.

The foregoing describes only preferred specific embodiments of the present invention; the scope of protection of the present invention is not limited thereto. Any variation or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. The scope of protection of the present invention shall therefore be determined by the scope of the claims.

Claims

1. A method for preventing a user from obtaining carrier network information, characterized in that it comprises:

A. determining an edge router between the carrier network and the user network;

B. the edge router filtering received Internet Control Message Protocol (ICMP) Time Exceeded messages sent from the carrier network to the user network.

2. The method for preventing a user from obtaining carrier network information according to claim 1, characterized in that the filtering in step B specifically comprises:

the edge router discarding the received ICMP Time Exceeded messages sent from the carrier network to the user network.

3. The method for preventing a user from obtaining carrier network information according to claim 1, characterized in that the filtering in step B specifically comprises:

the edge router modifying the source address of the received ICMP Time Exceeded message sent from the carrier network to the user network, and then forwarding the message normally.

4. The method for preventing a user from obtaining carrier network information according to claim 3, characterized in that modifying the source address specifically comprises:

the edge router changing the source address of the received ICMP Time Exceeded message sent from the carrier network to the user network to its own address, and then forwarding the message normally.

5. The method for preventing a user from obtaining carrier network information according to claim 3, characterized in that modifying the source address specifically comprises:

the edge router changing the source address of the received ICMP Time Exceeded message sent from the carrier network to the user network to a pre-designated address, and then forwarding the message normally.

6. The method for preventing a user from obtaining carrier network information according to claim 1, characterized in that, after the edge router in step B receives an ICMP Time Exceeded message sent from the carrier network to the user network, the method further comprises:

the edge router determining, from attributes of the IP packet carrying the ICMP Time Exceeded message, whether the source node of the message is in the carrier network or in the user network; if it is in the carrier network, performing the filtering; if it is in the user network, forwarding the received ICMP Time Exceeded message to the destination user network.

7. The method for preventing a user from obtaining carrier network information according to claim 6, characterized in that the attributes of the IP packet include the Time To Live (TTL) or the Hop Limit of the IP packet.

8. The method for preventing a user from obtaining carrier network information according to claim 1, characterized in that the method is applicable to IPv4 or IPv6 networks.
9. An apparatus for preventing a user from obtaining carrier network information, the apparatus being implemented in a router, characterized in that the router comprises:

a message filtering module: configured to filter ICMP Time Exceeded messages passing through the router from the carrier network to the user network.

10. The apparatus for preventing a user from obtaining carrier network information according to claim 9, characterized in that the message filtering module comprises:

a message discarding module: configured to discard ICMP Time Exceeded messages passing through the router from the carrier network to the user network;

and/or,

a message address modification module: configured to modify the addresses of ICMP Time Exceeded messages passing through the router from the carrier network to the user network.

11. The apparatus for preventing a user from obtaining carrier network information according to claim 9, characterized in that the router further comprises:

a message source determination module, configured to determine whether an ICMP Time Exceeded message being sent from the carrier network to the user network originates in the carrier network or in a user network; if it originates in the carrier network, triggering the message filtering module to process it, and if it originates in a user network, triggering the router's existing forwarding module to forward it normally.

12. A system for preventing a user from obtaining carrier network information, comprising a user network and a carrier network that includes a router, characterized in that the router comprises:

a message filtering module: configured to filter ICMP Time Exceeded messages passing through the router from the carrier network to the user network.

13. The system for preventing a user from obtaining carrier network information according to claim 12, characterized in that the message filtering module comprises:

a message discarding module: configured to discard ICMP Time Exceeded messages passing through the router from the carrier network to the user network; and/or,

a message address modification module: configured to modify the addresses of ICMP Time Exceeded messages passing through the router from the carrier network to the user network.

14. The apparatus for preventing a user from obtaining carrier network information according to claim 12, characterized in that the router further comprises:

a message source determination module, configured to determine whether an ICMP Time Exceeded message being sent from the carrier network to the user network originates in the carrier network or in a user network; if it originates in the carrier network, triggering the message filtering module to process it, and if it originates in a user network, triggering the router's existing forwarding module to forward it normally.
PCT/CN2006/000935 2005-07-07 2006-05-10 A method for preventing the user from obtaining the service provider network information and the equipment as well as the system thereof WO2007006193A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CNB2005100827176A CN100502352C (en) 2005-07-07 2005-07-07 Method and apparatus for preventing user from obtaining operation trader network information
CN200510082717.6 2005-07-07

Publications (1)

Publication Number Publication Date
WO2007006193A1 true WO2007006193A1 (en) 2007-01-18


Also Published As

Publication number Publication date
CN100502352C (en) 2009-06-17
CN1893392A (en) 2007-01-10
