As multimedia services such as streaming media, videoconferencing and Video On Demand develop on the Internet, multicast has become a key technology for broadband multimedia applications, and an increasing share of network traffic consists of multicast data messages. However, existing multicast networks are poor in manageability and operability and cannot meet the demands of future network development.
In an existing multicast network, any host with a valid unicast Internet Protocol (IP) address can act as a multicast source and send multicast messages into the multicast network, using a multicast address as the destination address. At the same time, terminals in the network declare to the multicast network, through the Internet Group Management Protocol (IGMP), that they want to receive multicast messages addressed to a particular multicast address; if the network supports a multicast routing protocol, the multicast messages reach the recipients along the route determined by that protocol.
Under this method of sending multicast messages, if a network terminal maliciously sends a large volume of multicast messages into the multicast network, using a valid unicast IP address as the multicast source address, a large number of useless multicast messages are transmitted across the multicast network. They consume a great deal of network resources, interfere with the normal operation of the multicast system, and can even paralyse the system.
To protect the multicast system against attacks by malicious multicast messages, multicast sources must be strictly controlled, so that only authorized multicast sources can send multicast messages into the multicast network.
In existing multicast networks, Access Control Lists (ACLs) are usually used to restrict the range of source addresses that may send multicast messages to specific multicast addresses, and thereby to control the multicast messages sent by multicast sources.
The information in the ACL consists of the correspondence between multicast source addresses and multicast addresses.
The ACL rules are as follows: 1. by default, multicast messages with a multicast address as the destination address are not permitted to enter the multicast network; 2. if a multicast address in the ACL corresponds to a multicast source address, multicast messages with that multicast source address as the source address and that multicast address as the destination address are permitted to enter the multicast network. Rule 2 has higher priority than rule 1.
The detailed method of controlling multicast sources with an ACL is as follows: the ACL is configured on the access-layer routers and switches of the multicast network; the switches and routers support the ACL rules and, in accordance with the ACL, filter out multicast messages sent by multicast sources that are not permitted to send to the specific multicast addresses; equivalently, the switches and routers forward only multicast messages sent from specific multicast sources to specific multicast groups.
The above method is implemented as follows: when an access-layer switch or router receives a multicast message, it judges, according to its configured ACL, whether the source address of the received multicast message is within the range the ACL specifies for that destination address. If it is, the source unicast IP address is permitted to send multicast messages to the destination address of the message, and the access-layer switch or router lets the multicast message enter the multicast network by forwarding it. If it is not, the source address is not permitted to send multicast messages to that destination address, and the access-layer switch or router denies the multicast message entry into the multicast network by discarding it, not creating a forwarding entry for it, and so on. In this way, multicast sources are controlled by the above method.
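The following is an added example, not part of the original text and not any vendor's ACL implementation: a Python model of the check an access-layer switch performs under the two rules above, with rule 2 (explicit permit for a source/group pair) evaluated before rule 1 (default deny for multicast destinations). The ACL contents, the group addresses, the source prefixes and the sample messages are all constructed for illustration and use documentation address ranges; the additional check that the source address is itself a valid unicast address is an assumption drawn from the requirement that a multicast source be a valid unicast IP address.

```python
import ipaddress
from collections import namedtuple

# A multicast message reduced to the two fields the ACL looks at.
Packet = namedtuple("Packet", "src dst")

# Constructed sample ACL (hypothetical addresses). Each multicast group maps
# to the source prefixes permitted to send to it; a /32 means a single host.
ACL = {
    "239.1.1.1": ["192.0.2.10/32"],
    "239.1.1.2": ["192.0.2.0/28"],
}


def build_acl(acl):
    """Parse the ACL once, at configuration time, into address objects."""
    return {
        ipaddress.ip_address(group): [ipaddress.ip_network(p) for p in prefixes]
        for group, prefixes in acl.items()
    }


def check(acl, packet):
    """Return 'forward' or 'drop' for one message, applying the two rules.

    Rule 2 (explicit permit for a (source, group) pair) is tried first, so it
    takes priority over rule 1 (default deny for multicast destinations).
    """
    src = ipaddress.ip_address(packet.src)
    dst = ipaddress.ip_address(packet.dst)
    if not dst.is_multicast:
        return "forward"  # not a multicast message; the ACL rules do not apply
    if src.is_multicast or src.is_unspecified:
        return "drop"  # assumption: a source must be a valid unicast address
    for prefix in acl.get(dst, []):
        if src in prefix:
            return "forward"  # rule 2: permitted (source, group) pair
    return "drop"  # rule 1: default deny for any multicast destination


def filter_messages(acl, packets):
    """Apply check() to a batch and return [(packet, verdict), ...]."""
    return [(p, check(acl, p)) for p in packets]


# Constructed sample traffic arriving at an access-layer switch.
SAMPLE = [
    Packet("192.0.2.10", "239.1.1.1"),    # authorized host -> forward
    Packet("192.0.2.11", "239.1.1.1"),    # wrong host for this group -> drop
    Packet("192.0.2.11", "239.1.1.2"),    # inside the permitted /28 -> forward
    Packet("192.0.2.99", "239.1.1.2"),    # outside the /28 -> drop
    Packet("192.0.2.10", "239.9.9.9"),    # group absent from the ACL -> drop (rule 1)
    Packet("192.0.2.10", "198.51.100.5"), # unicast destination -> not filtered
]

if __name__ == "__main__":
    for pkt, verdict in filter_messages(build_acl(ACL), SAMPLE):
        print(f"{pkt.src:>14} -> {pkt.dst:<14} {verdict}")
```

The lookup is keyed by destination group first and only then tests the source against that group's prefixes, which is what makes an unknown group fall through to the default deny rather than being matched by a source that is authorized for some other group.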
The ACLs configured on the access-layer routers and switches are static. When the restriction on multicast sources or multicast addresses is to be modified, i.e. when the content of the ACLs is to be changed, the ACLs on each access-layer router and switch must be modified manually. This inflexible change process, which requires manual intervention, is unsuited to automatic real-time management of multicast sources in the multicast network, resulting in high management and maintenance costs and poor manageability and operability of the multicast network.