Abstract: Disclosed is a method and an apparatus for packet forwarding, which relate to the network technology field and are applied to a network node. The method comprises: obtaining an SRV6 packet; if a function field in a target SID contains a security authentication instruction, obtaining a target argument based on an operation indicated by the security authentication instruction, and performing security authentication processing on the SRv6 packet based on the target argument; wherein, the target SID is an SID, corresponding to the network node, in a segment list carried by a header of the SRv6 packet, and the target argument is: an argument for the security authentication instruction recorded in the header; and forwarding the processed SRv6 packet to a next-hop device. By applying the solution for packet forwarding according to examples of the present disclosure, the security in forwarding the SRv6 packet along the SRv6 forwarding path can be improved.

Abstract: A method is provided for a master apparatus of a Virtual Router Redundancy Protocol (VRRP) in a dual-homed node that is a part of a dual-homed network to implement a Layer 3 apparatus. The dual-homed network includes the dual-homed node and a Layer 2 MPLS-Transport Profile (MPLS-TP) network. The method includes monitoring a state of an uplink, when the monitoring detects that the uplink has a failure, notifying an original backup apparatus of the VRRP to perform a master-backup switch, and notifying a downlink apparatus of the master apparatus of the VRRP that a remote link has a failure, thereby causing the downlink apparatus to switch a working channel within the MPLS-TP network. The method includes, when a notification indicating that the master-backup switch has been performed is received from the original backup apparatus of the VRRP, switching to a backup apparatus of the VRRP.

Abstract: A method and device for preventing a roaming user terminal from re-authentication are provided. The method includes: when Virtual Local Area Network (VLAN) of a roaming user terminal changes, change information of the roaming user terminal is reported to a Broadband Remote Access Server (BRAS) via an Access Controller (AC) and the BRAS reports modified information of the roaming user terminal to an Authentication, Authorization, Accounting server (AAA server).

Abstract: Examples of the present disclosure provide a dual-homing protection method and device. In the dual-homing protection method, a forwarding item synchronizing channel and a data transfer channel are established between two Provider Edge (PE) devices in a dual-homing node, a Pseudo Wire (PW) and a Label Switched Path (LSP) protection group bearing the PW are established between a network side peer PE device and the two PE devices in the dual-homing node, which are taken as a logical device, so as to implement LSP protection within a network. The present disclosure may enable the protection within a network to be independent of access link protection. Subsequently, the management is simple.

Abstract: The present invention provides an apparatus and method for processing a packet. An interface processing module selects one from all service processing modules as a service processing module for processing a packet; if the service processing module needs to perform tunnel processing for the packet, the service processing module transmits the packet after performing the tunnel processing; if another service processing module needs to perform tunnel processing for the packet, the service processing module transmits the packet to a service processing module needing to perform tunnel processing for the packet. According to the present invention, the packet can be processed uniformly by the service processing module, so it is not unnecessary to store session states in the service processing modules, and also not unnecessary to perform synchronization between the service processing modules, which greatly decreases complexity of processing the packet and saves system bandwidth.

Abstract: A method is provided for a master apparatus of a Virtual Router Redundancy Protocol (VRRP) in a dual-homed node that is a part of a dual-homed network to implement a Layer 3 apparatus. The dual-homed network includes the dual-homed node and a Layer 2 MPLS-Transport Profile (MPLS-TP) network. The method includes monitoring a state of an uplink, when the monitoring detects that the uplink has a failure, notifying an original backup apparatus of the VRRP to perform a master-backup switch, and notifying a downlink apparatus of the master apparatus of the VRRP that a remote link has a failure, thereby causing the downlink apparatus to switch a working channel within the MPLS-TP network. The method includes, when a notification indicating that the master-backup switch has been performed is received from the original backup apparatus of the VRRP, switching to a backup apparatus of the VRRP.

Abstract: Examples of the present disclosure provide a dual-homing protection method and device. In the dual-homing protection method, a forwarding item synchronizing channel and a data transfer channel are established between two Provider Edge (PE) devices in a dual-homing node, a Pseudo Wire (PW) and a Label Switched Path (LSP) protection group bearing the PW are established between a network side peer PE device and the two PE devices in the dual-homing node, which are taken as a logical device, so as to implement LSP protection within a network. The present disclosure may enable the protection within a network to be independent of access link protection. Subsequently, the management is simple.

Abstract: The present invention discloses a packet processing apparatus and method. The packet processing apparatus is applied to an L4˜L7 network device, including a plurality of interface processing units and a plurality of service processing units, the interface processing units are connected with the service processing units through a first connection unit; and each of the interface processing units is adapted to select, after receiving a packet from outside, a service processing unit from all the service processing units and transmit the packet to the selected service processing unit; and each of the service processing units is adapted to perform service processing to the packet after receiving the packet. The present invention improves packet processing capability and reliability of the L4˜L7 network device.

Abstract: A method and device for preventing a roaming user terminal from re-authentication are provided. The method includes: when Virtual Local Area Network (VLAN) of a roaming user terminal changes, change information of the roaming user terminal is reported to a Broadband Remote Access Server (BRAS) via an Access Controller (AC) and the BRAS reports modified information of the roaming user terminal to an Authentication, Authorization, Accounting server (AAA server).

Abstract: In a method and an apparatus for evaluating air interface condition of a wireless local area network (WLAN), the evaluation of the air interface condition of the WLAN is divided into four layers: the evaluation of the air interface condition of the pre-defined area, the evaluation of the air interface condition of each place in the pre-defined area, the evaluation of the air interface condition of each AP in each place and the evaluation of the air interface condition of each user accessing each AP. The method and apparatus are able to provide definite evaluation denoting the level of the air interface condition through analyzing and quantizing of the statistical information items with respect to the overall air interface condition of the whole area covered by the WLAN or the partial air interface condition of each place, each AP and each user in the pre-defined area.

Abstract: An apparatus and method for ensuring distributed packet transmission security are provided. In an embodiment of the present invention, a main control board allocates SA information to multiple processing boards according to a pre-defined criterion, so that each processing board which receives and stores the SA information may implement IPSec processing. As such, the IPSec processing is shared by the multiple processing boards. Accordingly, when there are a large number of IPSec tunnels on one interface, the IPSec processing to the packets passing the IPSec tunnels will not completely rely on only the processing board where the interface is located. Instead, the IPSec processing is allocated to different processing boards. Therefore, the multiple processing boards effectively share the IPSec processing corresponding to multiple SAs. The efficiency of the IPSec processing is increased.

Abstract: The present invention discloses a method, an apparatus, and a system for IKE negotiation. One method comprises: upon receiving a data packet, selecting one of multiple service cards according to a pre-configured policy and triggering the service card to send an IKE negotiation packet; and saving the mapping between the IKE negotiation packet and the service card. The other method comprises: upon receiving an IKE negotiation packet, selecting one of multiple service cards according to a pre-configured policy, triggering the service card to perform IKE negotiation, and saving the mapping between of the IKE negotiation packet and the service card. The solution enables a network node a node to distribute IKE negotiations to different service cards to perform IKE negotiation at the same time, improving IKE negotiation speed.

Abstract: Embodiments of the present invention provide method for implementing security-related processing on packet and a network security device. Through establishing a relationship between stream attribute information of an initial packet of a stream and security-related processing information implemented on the initial packet, when a succeeding packet of the stream is received, the previously stored relationship is acquired according to stream attribute information of the succeeding packet, the security-related processing is implemented on the succeeding packet according to the security-related processing information in the relationship.

Abstract: The present invention discloses a packet processing method, which applies to a high-performance and scalable flow processing system architecture. The service board performs security processing for packets received from external devices by using the firewall function before sending them to the main CPU; similarly, the service board also performs security processing for packets sent from the main CPU by using the firewall function before the main CPU sends them to external devices. The methods of the present invention utilize high performance and good scalability of the new architecture. In a network with heavy and high-speed traffic, the service board performs security processing for packets by using the firewall function and then transmits the valid packets to the main CPU. Thus, the main CPU is protected by the firewall function against attack packets.

Abstract: The present invention discloses a method for implementing centralized control plane and distributed data plane and that comprises the following steps: the main control unit of the main board generates control information and delivers it to the adaptation layer of the main board; the adaptation layer of the main board transmits the control information to the adaptation layer of the service board(s); the adaptation layer of the service board(s) delivers the control information to the data plane and hardware engine of the service board(s). The present discloses a program and system for implementing centralized control plane and distributed data plane. The present invention provides a software architecture using an adaptation layer to implement centralized control plane and distributed data plane to ensure high performance and good scalability of the new architecture, reduce system complexity, and keep system simplicity and efficiency.

Abstract: A method accelerates access of a multi-core system to its critical resources, which includes preparing to delete a critical node in a critical resource, separating the critical node from the critical resource, and deleting the critical node if the conditions for deleting the critical node are satisfied. An apparatus includes a confirmation module for the node to be deleted and a deletion module to accelerate access of a multi-core system to its critical resources.

Abstract: The present invention provides an apparatus and method for processing a packet. An interface processing module selects one from all service processing modules as a service processing module for processing a packet; if the service processing module needs to perform tunnel processing for the packet, the service processing module transmits the packet after performing the tunnel processing; if another service processing module needs to perform tunnel processing for the packet, the service processing module transmits the packet to a service processing module needing to perform tunnel processing for the packet. According to the present invention, the packet can be processed uniformly by the service processing module, so it is not unnecessary to store session states in the service processing modules, and also not unnecessary to perform synchronization between the service processing modules, which greatly decreases complexity of processing the packet and saves system bandwidth.

Abstract: An apparatus and method for ensuring distributed packet transmission security are provided. In an embodiment of the present invention, a main control board allocates SA information to multiple processing boards according to a pre-defined criterion, so that each processing board which receives and stores the SA information may implement IPSec processing. As such, the IPSec processing is shared by the multiple processing boards. Accordingly, when there are a large number of IPSec tunnels on one interface, the IPSec processing to the packets passing the IPSec tunnels will not completely rely on only the processing board where the interface is located. Instead, the IPSec processing is allocated to different processing boards. Therefore, the multiple processing boards effectively share the IPSec processing corresponding to multiple SAs. The efficiency of the IPSec processing is increased.

Abstract: The present invention discloses a packet processing method, which applies to a high-performance and scalable flow processing system architecture. The service board performs security processing for packets received from external devices by using the firewall function before sending them to the main CPU; similarly, the service board also performs security processing for packets sent from the main CPU by using the firewall function before the main CPU sends them to external devices. The methods of the present invention utilize high performance and good scalability of the new architecture. In a network with heavy and high-speed traffic, the service board performs security processing for packets by using the firewall function and then transmits the valid packets to the main CPU. Thus, the main CPU is protected by the firewall function against attack packets.

Abstract: The present invention discloses a method, an apparatus, and a system for IKE negotiation. One method comprises: upon receiving a data packet, selecting one of multiple service cards according to a pre-configured policy and triggering the service card to send an IKE negotiation packet; and saving the mapping between the IKE negotiation packet and the service card. The other method comprises: upon receiving an IKE negotiation packet, selecting one of multiple service cards according to a pre-configured policy, triggering the service card to perform IKE negotiation, and saving the mapping between of the IKE negotiation packet and the service card. The solution enables a network node a node to distribute IKE negotiations to different service cards to perform IKE negotiation at the same time, improving IKE negotiation speed.