Abstract: Embodiments of this application disclose a method for verifying an SRv6 packet. An egress node of an IPsec tunnel may receive an SRv6 packet, where the SRv6 packet is a packet encapsulated in an IPsec transport mode. The SRv6 packet includes an AH and at least one SRH. The SRv6 packet carries first indication information, where the first indication information indicates the egress node to perform AH verification on the SRv6 packet. A verification range of the AH verification includes the at least one SRH.

Abstract: A packet forwarding method is disclosed. The method includes: After an edge node in a trusted domain receives an SRv6 packet whose destination address is a BSID, the edge node may verify the packet based on a BSID in the packet and a destination field in an SRH of the packet. If the packet passes the verification, the edge node forwards the packet. If the packet fails the verification, the edge node discards the packet. Not only a node outside the trusted domain is required to access the trusted domain by using the BSID, but also the packet entering the trusted domain needs to be verified with reference to the target field in the segment routing header.

Abstract: A method for preventing a replay attack on a Segment Routing over Internet Protocol version 6 (SRv6) keyed hashed message authentication code (HMAC) verification. The method includes a network device receiving an SRv6 packet comprising anti-replay attack verification information. The network device performs anti-replay attack verification based on the anti-replay attack verification information. The network device performs HMAC hash computation on the SRv6 packet in response to the first SRv6 packet passing passes the anti-replay attack verification.