摘要 |
A method and apparatus provides protection for network infrastructure discriminating between trusted and non-trusted sources. According to at least one embodiment, packets containing information for the control plane are marked at Layer-2. According to at least one embodiment, interface groups are applied, whereby a router can determine whether a packet should be marked or not. According to at least one embodiment, the marking of control packets is done by encapsulating the packets at Layer-2 in a way that uniquely identifies the Layer-2 frames as carrying trusted control information, which is referred to as control encapsulation. Routers exchange control packets (such as routing protocol or signaling protocol packets) using the control encapsulation. Rate-limited queuing the unmarked control packets has the benefit of supporting routers without the control encapsulation functionality while eliminating the susceptibility of the router to flood-type DoS attacks on its control plane. The implementation of interface groups enables a router to determine when control encapsulation should or should not be used. Interface groups may be implemented for backbone connections, customer-specific interface groups, and interface groups for peering with other service providers. <IMAGE> |