CN101110769B - Package transmitting method and system based on safety service (Google Patents)

Info

Publication number: CN101110769B
Authority: CN (China)
Legal status: Expired - Fee Related
Application number: CN2007101198791A
Other languages: Chinese (zh)
Other versions: CN101110769A
Inventors: 王飓, 李明玉, 邹旭东, 方钟伟, 李晓, 常向青
Current Assignee: New H3C Technologies Co Ltd
Original Assignee: Hangzhou H3C Technologies Co Ltd
Events:
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN2007101198791A
Publication of CN101110769A
Priority to PCT/CN2008/071676 (WO2009015578A1)
Priority to US12/529,907 (US8316432B2)
Application granted
Publication of CN101110769B
Legal status: Expired - Fee Related

Classification: Data Exchanges In Wide-Area Networks

Abstract

The present invention discloses a packet forwarding method and system based on security services. An association between the FIB table and the ARP table is established. When the first packet of a service flow is received, the security service information corresponding to that first packet is obtained, and a correspondence between the attribute information of the service flow packets carried by the first packet and the security service information is established. When a subsequent packet of the service flow is received, the security service information and the ARP entry information are found from the attribute information carried by the subsequent packet together with that correspondence and that association; the subsequent packet is then processed according to the security service information and forwarded according to the ARP entry information. Because the security service table and the ARP table no longer need to be searched for every packet, the present invention greatly improves the efficiency of packet forwarding based on security services.

Description

Packet forwarding method and system based on security services
Technical field
The present invention relates to the technical field of security services, and specifically to a packet forwarding method and system based on security services.
Background technology
With the popularization and development of networks, network devices are required not only to forward quickly but also to provide security services. This market demand has driven the development of security devices and imposes the following requirement on them: while applying security services such as security inspection and filtering to network data, they must still deliver reasonable forwarding performance.
Meeting this requirement depends on improvements in hardware performance, but equally on how the software organizes the relevant table entries and optimizes the related processing flow. How to organize the main table entries, and rely on that organization to raise processing performance, has become the problem that security products face.
Fig. 1 is the flow chart of an existing packet forwarding process based on security services. As shown in Fig. 1, the specific steps are as follows:
Step 101: configure security service entries on the security device.
Each security service entry comprises: a correspondence between one or any combination of the five-tuple fields and security service information; or a correspondence between forwarding information and security service information; or a correspondence between one or any combination of the five-tuple fields, forwarding information, and security service information.
The five-tuple information consists of: source IP address, source port, protocol number, destination IP address and destination port.
Forwarding information consists of, for example, the Layer 3 outgoing interface in the forwarding information base (FIB) entry and the egress port in the Address Resolution Protocol (ARP) entry.
Security service information indicates which security service processing should be performed, for example filtering.
Step 102: the security device receives a packet and searches for the security service entry corresponding to the five-tuple of the packet.
Step 103: the security device performs the corresponding security service processing on the packet according to the security service information in the entry found; when processing is complete, go to step 104.
The security service processing in this step is the processing at the ingress of the security device.
Step 104: the security device searches for the FIB entry corresponding to the destination IP address of the packet.
Step 105: the security device searches for the ARP entry that best matches the FIB entry.
Step 106: the security device searches for the security service entry corresponding to the Layer 3 outgoing interface in the FIB entry.
Step 107: the security device performs the corresponding security service processing on the packet according to the security service information in the entry found; when processing is complete, go to step 108.
The security service processing in this step is the processing at the egress of the security device.
Step 108: the security device encapsulates the Layer 2 link-layer header in the ARP entry found onto the Layer 2 header of the packet, and forwards the packet.
From the above process it can be seen that after the security device receives a packet, it first searches for the security service entry by the packet's five-tuple and performs the corresponding security service processing, then searches for the FIB entry and the ARP entry, then searches for the security service entry again by the FIB and ARP entries found and performs the corresponding processing, and finally forwards the packet according to the ARP entry. Clearly the processing flow is long, which greatly reduces packet forwarding efficiency.
Summary of the invention
The present invention provides a packet forwarding method and system based on security services, so as to improve the forwarding efficiency of packets subject to security services.
The technical solution of the present invention is realized as follows:
A packet forwarding method based on security services comprises:
establishing an association between FIB entries and ARP entries;
receiving the first packet of a service flow, obtaining the security service information corresponding to that first packet, and establishing a correspondence between the attribute information of the service flow packets carried by the first packet and the security service information;
receiving a subsequent packet of the service flow, finding the security service information and the ARP entry information according to the service flow packet attribute information carried by the subsequent packet, the said correspondence and the said association, performing security service processing on the subsequent packet according to the security service information, and forwarding the subsequent packet according to the ARP entry information.
The said association and correspondence are kept in a software unit.
Establishing the said association comprises: adding to each FIB entry the index of the ARP entry that best matches it;
for a received subsequent packet, finding the said security service information comprises: searching the said correspondence for the security service information corresponding to the service flow packet attribute information carried by the subsequent packet;
for a received subsequent packet, finding the said ARP entry information comprises: obtaining the FIB entry corresponding to the destination IP address of the subsequent packet, and finding the ARP entry according to the ARP entry index in that FIB entry.
Alternatively, the said association and correspondence are kept in a hardware unit.
Before establishing the said association, the method further comprises: learning ARP entries and FIB entries in the software unit;
establishing the said association comprises: saving in the hardware unit an ARP perception entry whose content is identical to each ARP entry in the software unit; saving in the hardware unit a FIB perception entry whose content is identical to each FIB entry in the software unit, and adding to each FIB perception entry the index of the ARP perception entry that best matches it;
for a received subsequent packet, finding the said security service information comprises: searching the said correspondence for the security service information corresponding to the service flow packet attribute information carried by the subsequent packet;
for a received subsequent packet, obtaining the said ARP entry information is: finding the FIB perception entry according to the destination IP address of the subsequent packet, and finding the ARP perception entry according to the ARP perception entry index in that FIB perception entry; that ARP perception entry is the ARP entry information found.
The attribute information of the said service flow packets is: five-tuple information.
A packet forwarding system based on security services comprises:
a service forwarding association module, which establishes an association between FIB entries and ARP entries; receives the first packet of a service flow, obtains the security service information corresponding to that first packet, and establishes a correspondence between the attribute information of the service flow packets carried by the first packet and the security service information; receives a subsequent packet of the service flow and finds the security service information and the ARP entry information according to the service flow packet attribute information carried by the subsequent packet, the said correspondence and the said association; sends the security service information found to the security service processing module, and sends the ARP entry information found to the forwarding module;
a security service processing module, which performs security service processing on the received service flow packet according to the received security service information, and sends the processed service flow packet to the forwarding module;
a forwarding module, which forwards the received service flow packet according to the received ARP entry information.
The said service forwarding association module comprises:
a FIB entry learning and storage module, which learns FIB entries and adds to each FIB entry the index of the ARP entry that best matches it;
a session entry storage module, which stores the session entries;
a session entry lookup module, which receives a service flow packet and, if a session entry corresponding to the attribute information of the packet is found in the session entry storage module, sends the security service information in that session entry to the security service processing module, searches the FIB entry learning and storage module for the FIB entry corresponding to the packet, finds the ARP entry according to the ARP entry index in that FIB entry, and sends the ARP entry to the forwarding module; otherwise, sends the packet to the session entry establishment module;
a session entry establishment module, which receives a service flow packet, sends the security service information corresponding to the attribute information of the packet to the security service processing module, and establishes a session entry comprising the attribute information of the packet and the security service information; searches the FIB entry learning and storage module for the FIB entry corresponding to the packet, searches for the ARP entry that best matches that FIB entry, sends that ARP entry to the forwarding module, and stores the newly established session entry in the session entry storage module.
The system further comprises a FIB entry update module, which updates FIB entries in the FIB entry learning and storage module and, when an update of a FIB entry is complete, searches for the ARP entry that best matches the updated FIB entry and updates the ARP entry index in that FIB entry with the index of the ARP entry found.
The said FIB entry learning and storage module and session entry storage module are located in a software unit.
Alternatively, the said service forwarding association module comprises:
a FIB perception entry storage module, which stores FIB perception entries whose content is identical to each FIB entry in the software unit, each FIB perception entry comprising the index of the ARP perception entry that best matches it;
an ARP perception entry storage module, which stores ARP perception entries whose content is identical to each ARP entry in the software unit;
a session entry storage module, which stores the session entries;
a session entry lookup module, which receives a service flow packet and searches the session entry storage module for the session entry corresponding to the attribute information of the packet; if it is found, sends the security service information in that session entry to the security service processing module, searches the FIB perception entry storage module for the FIB perception entry corresponding to the packet, and sends the ARP perception entry index in that FIB perception entry to the forwarding module; if it is not found, sends the packet to the session entry establishment module;
a session entry establishment module, which receives a service flow packet, sends the security service information corresponding to the packet to the security service processing module, and establishes a session entry comprising the attribute information of the packet and the security service information; searches the software unit for the ARP entry corresponding to the packet, sends that ARP entry to the forwarding module, and saves the established session entry in the session entry storage module.
The system further comprises a FIB entry update module, which updates FIB entries in the software unit and, when an update of a FIB entry is complete, searches the software unit for the ARP entry that best matches the updated FIB entry, and updates the content of the FIB perception entry corresponding to that FIB entry in the FIB perception entry storage module with the content of the updated FIB entry and the index of the ARP perception entry corresponding to the ARP entry found.
The said FIB perception entry storage module, ARP perception entry storage module and session entry storage module are located in a hardware unit.
Compared with the prior art, the present invention establishes an association between FIB entries and ARP entries, performs the prior-art lookups of the security service entry, FIB entry and ARP entry only for the first packet of a service flow, and, taking the attribute information of the first packet as the attribute information of every packet of the flow, establishes from the lookup results a correspondence between the service flow packet attribute information and the security service information. The subsequent packets of the flow can then be processed directly according to that correspondence and forwarded directly according to that association, without performing the security service entry and ARP entry lookups for every packet, which greatly improves the forwarding efficiency of packets subject to security services.
Description of drawings
Fig. 1 is the flow chart of an existing packet forwarding process based on security services;
Fig. 2 is the flow chart of the packet forwarding process based on security services provided by embodiment one of the present invention;
Fig. 3 is the flow chart of the packet forwarding process based on security services provided by embodiment two of the present invention;
Fig. 4 is the composition diagram of the packet forwarding system based on security services provided by embodiment one of the present invention;
Fig. 5 is the composition diagram of the packet forwarding system based on security services provided by embodiment two of the present invention.
Embodiment
Because the five-tuple of every packet in the same service flow is identical, and security service entries are normally established on the basis of the packet five-tuple, it follows that the security service processing performed on every packet of the same service flow is identical. The core idea of the present invention is therefore: for the first packet of a service flow, perform the security service entry, FIB entry and ARP entry lookups according to the prior art, and establish, from the lookup results, an association between the five-tuple of the packet and the information of all security services that must be performed on it. A subsequent packet of the flow can then find its security service information directly through that association and be processed directly, without repeating the security service entry lookup. In addition, when a FIB entry is learned, the ARP entry corresponding to it is looked up and an association between the FIB entry and the ARP entry is established, so that the FIB-to-ARP matching process no longer has to be performed for the subsequent packets of the flow.
The present invention is described in further detail below with reference to the drawings and specific embodiments.
Fig. 2 is the flow chart of the packet forwarding process based on security services provided by embodiment one of the present invention. As shown in Fig. 2, the specific steps are as follows:
Step 201: the security device learns a FIB entry in software, searches for the ARP entry corresponding to that FIB entry, and adds the index of that ARP entry to the FIB entry.
The content of the FIB entry is thus: destination IP address + destination mask + Layer 3 outgoing interface + next hop + ARP entry index.
When a FIB entry is updated, the ARP entry that best matches the updated FIB entry is searched for again, and the ARP entry index in the FIB entry is updated with the index of that ARP entry.
Step 202: the security device receives a packet and searches for the session entry corresponding to the five-tuple information of the packet.
Step 203: the security device judges whether a session entry was found; if so, go to step 212; otherwise, go to step 204.
Step 204: the security device determines that the packet is the first packet of a service flow, and searches in software for the security service entry corresponding to the five-tuple information carried by the first packet.
Step 205: the security device performs the corresponding security service processing on the first packet according to the security service information in the entry found, and establishes a session entry in software comprising the five-tuple information of the first packet and the said security service information.
The security service processing in this step is the processing at the ingress of the security device.
The security device may find more than one security service entry; in that case it adds the security service information of all the entries found to the session entry.
Step 206: the security device searches in software for the FIB entry corresponding to the destination IP address of the first packet.
The FIB entry comprises information such as the destination IP address, destination mask, Layer 3 outgoing interface and next hop.
Step 207: having found the FIB entry, the security device searches in software for the ARP entry that best matches it.
Step 207 may alternatively be: having found the FIB entry, the security device finds the best-matching ARP entry according to the ARP entry index in that FIB entry.
Step 208: the security device searches for the security service entry corresponding to the Layer 3 outgoing interface in the said FIB entry.
Step 209: the security device judges whether a security service entry was found; if so, go to step 210; otherwise, go to step 211.
Step 210: the security device performs the corresponding security service processing on the first packet according to the security service information in the entry found, and at the same time adds that security service information to the session entry established in step 205; when processing is complete, go to step 211.
The security service processing in this step is the processing at the egress of the security device. If no security service entry is found in step 209, it is determined that the first packet needs no security service processing at the egress of the security device.
Step 211: the security device encapsulates the Layer 2 link-layer header in the ARP entry found onto the Layer 2 header of the first packet, forwards the first packet, and returns to step 202.
Step 212: the security device determines that the packet is a subsequent packet of a service flow, performs the corresponding security service processing on it according to the security service information in the session entry, and when processing is complete goes to step 213.
Step 213: the security device searches in software for the FIB entry corresponding to the destination IP address of the subsequent packet.
Step 214: the security device finds the ARP entry according to the ARP entry index in the FIB entry found, encapsulates the Layer 2 link-layer header in that ARP entry onto the Layer 2 header of the subsequent packet, forwards the subsequent packet, and returns to step 202.
From the flow shown in Fig. 2 it can be seen that after a FIB entry is learned in software, the ARP entry that best matches it is searched for in software and its index is added to the FIB entry.
After the security service entry lookup in software has been performed for the first packet of a service flow, the new session entry established in software from the lookup results has the following structure:
Session entry: five-tuple information, security service information.
Thus, once a subsequent packet of the flow is received, the above session entry can be found in software by the five-tuple information of the subsequent packet; the packet is then processed according to the security service information in that session entry, the FIB entry is found in software by the destination IP address of the packet, the ARP entry is found by the ARP entry index in that FIB entry, and the packet is forwarded. It can be seen that storing all the security service information centrally in the session entry improves security service processing efficiency; and, since the ARP entry is found directly by the ARP entry index in the FIB entry, the ARP-to-FIB matching operation is no longer needed when looking up the ARP entry, which further improves forwarding efficiency.
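As an added illustration (not code from the patent or from H3C), the software flow of Fig. 2 modelled in Python: a FIB entry carries the index of its ARP entry (step 201), the first packet of a flow goes through the ingress and egress security lookups and leaves a session entry (steps 204 to 211), and subsequent packets are served from the session entry and the ARP index (steps 212 to 214). The ARP matching rule (same Layer 3 outgoing interface), the policy tables and the packet values are constructed; the example also goes beyond the text in re-resolving the index when an ARP entry is learned later and in dropping the session entry on a policy change, both of which the cached design needs to stay correct.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# five-tuple: (src_ip, src_port, dst_ip, dst_port, protocol)
FiveTuple = Tuple[str, int, str, int, int]


@dataclass
class ArpEntry:
    l3_iface: str
    egress_port: str
    l2_header: bytes            # prebuilt Layer 2 header copied onto the packet (steps 211/214)


@dataclass
class FibEntry:
    prefix: str
    l3_iface: str
    next_hop: str
    arp_index: Optional[int] = None   # the association added by step 201


@dataclass
class SessionEntry:
    services: List[str]         # every security service the flow needs (ingress + egress)


class SecurityDevice:
    def __init__(self) -> None:
        self.arp: Dict[int, ArpEntry] = {}                    # ARP index -> entry
        self.fib: List[FibEntry] = []
        self.ingress_policy: Dict[FiveTuple, List[str]] = {}  # security service entries keyed by five-tuple
        self.egress_policy: Dict[str, List[str]] = {}         # security service entries keyed by L3 out interface
        self.sessions: Dict[FiveTuple, SessionEntry] = {}
        self.stats = {"slow_path": 0, "fast_path": 0}

    # Constructed matching rule for "the ARP entry that best matches the FIB entry":
    # the ARP entry on the same Layer 3 outgoing interface.
    def _best_arp_index(self, fib: FibEntry) -> Optional[int]:
        for idx, arp in self.arp.items():
            if arp.l3_iface == fib.l3_iface:
                return idx
        return None

    def learn_fib(self, prefix: str, l3_iface: str, next_hop: str) -> FibEntry:
        """Step 201: learn (or update) a FIB entry and store the best ARP index in it."""
        entry = FibEntry(prefix, l3_iface, next_hop)
        entry.arp_index = self._best_arp_index(entry)
        self.fib = [f for f in self.fib if f.prefix != prefix] + [entry]
        return entry

    def learn_arp(self, index: int, entry: ArpEntry) -> None:
        """Learn an ARP entry and re-resolve every FIB entry's index (an addition
        beyond the patent text, so an index never points at a missing ARP entry)."""
        self.arp[index] = entry
        for f in self.fib:
            f.arp_index = self._best_arp_index(f)

    def set_ingress_policy(self, ft: FiveTuple, services: List[str]) -> None:
        """Policy change: the session entry caches the old decision, so it is dropped;
        otherwise the flow keeps the stale services until it ends (not in the patent)."""
        self.ingress_policy[ft] = list(services)
        self.sessions.pop(ft, None)

    def _lookup_fib(self, dst_ip: str) -> Optional[FibEntry]:
        """Longest-prefix match over the FIB (steps 206/213)."""
        addr = ip_address(dst_ip)
        hits = [f for f in self.fib if addr in ip_network(f.prefix)]
        return max(hits, key=lambda f: ip_network(f.prefix).prefixlen, default=None)

    def forward(self, ft: FiveTuple) -> Tuple[List[str], Optional[bytes]]:
        """Return (security services applied, Layer 2 header used) for one packet."""
        fib = self._lookup_fib(ft[2])
        if fib is None:
            return ["drop:no-route"], None
        session = self.sessions.get(ft)                  # step 202
        if session is not None:                          # steps 212-214: subsequent packet
            self.stats["fast_path"] += 1
            services = session.services
        else:                                            # steps 204-210: first packet
            self.stats["slow_path"] += 1
            services = list(self.ingress_policy.get(ft, []))        # step 204: ingress lookup
            services += self.egress_policy.get(fib.l3_iface, [])    # step 208: egress lookup
            self.sessions[ft] = SessionEntry(services)              # steps 205/210
        arp = self.arp.get(fib.arp_index) if fib.arp_index is not None else None
        if arp is None:                                  # nothing to encapsulate with
            return services + ["drop:unresolved-nexthop"], None
        return services, arp.l2_header                   # steps 211/214: encapsulate and forward
```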
In the embodiment shown in Fig. 2, the security service processing and forwarding of the subsequent packets of a service flow are all performed in software. An embodiment in which the security service processing and forwarding of subsequent packets are performed in hardware is given below.
Fig. 3 is the flow chart of the packet forwarding process based on security services provided by embodiment two of the present invention. As shown in Fig. 3, the specific steps are as follows:
Step 301: the security device learns an ARP entry in software, establishes an ARP perception entry in hardware whose content is identical to that of the learned ARP entry, and adds the index of the ARP perception entry to the learned ARP entry.
After this step, the contents of the ARP entry and the ARP perception entry are respectively as follows:
ARP entry: Layer 3 outgoing interface + egress port + valid flag + link-layer header length + Layer 2 link-layer header + ARP perception entry index.
ARP perception entry: Layer 3 outgoing interface + egress port + valid flag + link-layer header length + Layer 2 link-layer header.
It can be seen that the ARP entry differs from the ARP perception entry in that it also contains the ARP perception entry index.
When an ARP entry is updated, the ARP perception entry is found according to the ARP perception entry index in the ARP entry, and the content of that ARP perception entry is updated with the content of the updated ARP entry.
Step 302: the security device learns a FIB entry in software and establishes a FIB perception entry in hardware whose content is identical to that of the learned FIB entry; it searches for the ARP entry corresponding to the FIB entry, adds the ARP perception entry index in that ARP entry to the FIB perception entry, and adds the index of the FIB perception entry to the learned FIB entry.
After this step, the contents of the FIB entry and the FIB perception entry are respectively as follows:
FIB entry: destination IP address + destination mask + Layer 3 outgoing interface + next hop + FIB perception entry index.
FIB perception entry: destination IP address + destination mask + Layer 3 outgoing interface + next hop + ARP perception entry index.
It can be seen that the FIB entry differs from the FIB perception entry in that the FIB entry contains the FIB perception entry index, while the FIB perception entry contains the index of the ARP perception entry that best matches it.
When a FIB entry is updated, the FIB perception entry is found according to the FIB perception entry index in the FIB entry and its content is updated with the content of the updated FIB entry; the ARP entry that best matches the updated FIB entry is then searched for again, and the ARP perception entry index in the FIB perception entry is updated with the ARP perception entry index in that ARP entry.
Step 303: the security device receives a packet and searches in hardware for the session entry corresponding to the five-tuple information of the packet.
Step 304: the security device judges whether a session entry was found; if so, go to step 313; otherwise, go to step 305.
Step 305: the security device determines that the packet is the first packet of a service flow, and searches in software for the security service entry corresponding to the five-tuple information carried by the first packet.
Step 306: the security device performs the corresponding security service processing on the first packet according to the security service information in the entry found, and establishes a session entry in software comprising the five-tuple information of the first packet and the said security service information.
The security device may find more than one security service entry; in that case it adds the security service information of all the entries found to the session entry.
Step 307: the security device searches in software for the FIB entry corresponding to the destination IP address of the first packet.
Step 308: having found the FIB entry, the security device searches in software for the ARP entry that best matches it.
Step 309: the security device searches in software for the security service entry corresponding to the Layer 3 outgoing interface in the said FIB entry.
Step 310: the security device judges whether a security service entry was found; if so, go to step 311; otherwise, go to step 312.
Step 311: the security device performs the corresponding security service processing on the first packet according to the security service information in the entry found, adds that security service information to the session entry established in step 306, and saves that session entry in hardware; when processing is complete, go to step 312.
Step 312: the security device encapsulates the Layer 2 link-layer header in the ARP entry found onto the Layer 2 header of the first packet, forwards the first packet, and returns to step 303.
Step 313: the security device determines that the packet is a subsequent packet of a service flow, performs the corresponding security service processing on it according to the security service information in the session entry, and when processing is complete goes to step 314.
Step 314: the security device searches in hardware for the FIB perception entry corresponding to the destination IP address of the subsequent packet.
Step 315: the security device finds the ARP perception entry according to the ARP perception entry index in the FIB perception entry found, encapsulates the Layer 2 link-layer header in that ARP perception entry onto the Layer 2 header of the subsequent packet, forwards the subsequent packet, and returns to step 303.
From the flow shown in Fig. 3 it can be seen that after an ARP entry is learned in software, the ARP perception entry corresponding to it is saved in hardware.
After a FIB entry is learned in software, the FIB perception entry corresponding to it is saved in hardware, the ARP entry that best matches the FIB entry is searched for in software, and the ARP perception entry index in that ARP entry is added to the FIB perception entry.
After the security service entry lookup in software has been performed for the first packet of a service flow, the new session entry saved in hardware from the lookup results has the following structure:
Session entry: five-tuple information, security service information.
Thus, once a subsequent packet of the flow is received, the above session entry can be found in hardware by the five-tuple information of the subsequent packet; the packet is then processed according to the security service information in that session entry, the FIB perception entry is found in hardware by the destination IP address of the packet, the ARP perception entry is found in hardware by the ARP perception entry index in that FIB perception entry, and the packet is forwarded. It can be seen that the security service processing and forwarding of subsequent packets are performed entirely in hardware, which greatly improves both the security service processing efficiency and the forwarding efficiency of subsequent packets.
Fig. 4 is a composition diagram of the packet forwarding system based on security services provided by embodiment one of the present invention. As shown in Fig. 4, it mainly comprises: a security service entry storage module 401, a FIB entry learning and storage module 402, an ARP entry learning and storage module 403, a Session entry storage module 404, a packet receiving module 405, a Session entry lookup module 406, a Session entry creation module 407, a security service processing module 408 and a forwarding module 409, where:
Security service entry storage module 401: stores the security service entries, each composed of five-tuple information and/or forwarding entry information together with security service information.
FIB entry learning and storage module 402: learns a FIB entry, stores it, looks up in the ARP entry learning and storage module 403 the ARP entry that best matches the FIB entry, and adds the index of that ARP entry to the learned FIB entry.
ARP entry learning and storage module 403: learns and stores ARP entries.
Session entry storage module 404: stores the Session entries, each composed of a five-tuple and security service information.
Packet receiving module 405: receives packets and sends each packet to the security service processing module 408 and to the Session entry lookup module 406.
Session entry lookup module 406: receives the packet sent by the packet receiving module 405 and looks up, in the Session entry storage module 404, the Session entry corresponding to the five-tuple of the packet. If it is found, the module sends the security service information in that Session entry to the security service processing module 408, looks up in the FIB entry learning and storage module 402 the FIB entry corresponding to the destination IP address of the packet, locates the ARP entry in the ARP entry learning and storage module 403 according to the ARP entry index in that FIB entry, and sends that ARP entry to the forwarding module 409. If it is not found, the module sends the packet to the Session entry creation module 407.
Session entry creation module 407: receives the packet sent by the Session entry lookup module 406, looks up in the security service entry storage module 401 the security service information corresponding to the five-tuple carried by the packet, sends the security service information found to the security service processing module 408, and creates a new Session entry comprising the five-tuple of the packet and the security service information found. It then looks up in the FIB entry learning and storage module 402 the FIB entry corresponding to the destination IP address of the packet, looks up in the ARP entry learning and storage module 403 the ARP entry that best matches that FIB entry, sends that ARP entry to the forwarding module 409, and looks up in the security service entry storage module 401 the security service information corresponding to the layer-3 outbound interface information in the FIB entry found. If that is found, the module sends this security service information to the security service processing module 408 and adds it to the newly created Session entry; the newly created Session entry is then saved in the Session entry storage module 404.
Security service processing module 408: receives the packet sent by the packet receiving module 405 and the security service information sent by the Session entry lookup module 406 or the Session entry creation module 407, applies the corresponding security service processing to the packet according to that security service information and, when processing is complete, sends the packet to the forwarding module 409.
Forwarding module 409: receives the packet that has undergone security service processing from the security service processing module 408 and the ARP entry sent by the Session entry lookup module 406 or the Session entry creation module 407, and sends the packet out according to that ARP entry.
The system in this embodiment of the invention may further comprise a FIB entry update module, which updates FIB entries in the FIB entry learning and storage module 402 and, when the update of a FIB entry is complete, looks up in the ARP entry learning and storage module 403 the ARP entry that best matches the updated FIB entry and replaces the ARP entry index in that FIB entry with the index of the ARP entry found.
In practice, the security service entry storage module 401, the FIB entry learning and storage module 402, the ARP entry learning and storage module 403, the Session entry storage module 404, the Session entry lookup module 406 and the Session entry creation module 407 may collectively be referred to as a service forwarding association module.
Fig. 5 is a composition diagram of the packet forwarding system based on security services provided by embodiment two of the present invention. As shown in Fig. 5, it mainly comprises: a security service entry storage module 501, a FIB entry learning and storage module 502, a FIB perception entry storage module 503, an ARP entry learning and storage module 504, an ARP perception entry storage module 505, a Session entry storage module 506, a packet receiving module 507, a Session entry lookup module 508, a Session entry creation module 509, a security service processing module 510 and a forwarding module 511, where:
Security service entry storage module 501: stores the security service entries, each composed of five-tuple information and/or forwarding entry information together with security service information.
FIB entry learning and storage module 502: learns a FIB entry, stores it, looks up in the ARP entry learning and storage module 504 the ARP entry that best matches the FIB entry, creates in the FIB perception entry storage module 503 a FIB perception entry that comprises the complete content of the learned FIB entry plus the ARP perception entry index from the ARP entry found, and then adds the index of that FIB perception entry to the learned FIB entry.
FIB perception entry storage module 503: stores FIB perception entries.
ARP entry learning and storage module 504: learns and stores ARP entries; at the same time it creates in the ARP perception entry storage module 505 an ARP perception entry whose content is identical to that of the learned ARP entry, and adds the index of that ARP perception entry to the learned ARP entry.
ARP perception entry storage module 505: stores ARP perception entries.
Session entry storage module 506: stores the Session entries, each composed of a five-tuple and security service information.
Packet receiving module 507: receives packets and sends each packet to the security service processing module 510 and to the Session entry lookup module 508.
Session entry lookup module 508: receives the packet sent by the packet receiving module 507 and looks up, in the Session entry storage module 506, the Session entry corresponding to the five-tuple of the packet. If it is found, the module looks up in the FIB perception entry storage module 503 the FIB perception entry corresponding to the destination IP address of the packet, sends the security service information in the Session entry to the security service processing module 510, and sends the ARP perception entry index in that FIB perception entry to the forwarding module 511. If it is not found, the module sends the packet to the Session entry creation module 509.
Session entry creation module 509: receives the packet sent by the Session entry lookup module 508, looks up in the security service entry storage module 501 the security service information corresponding to the five-tuple carried by the packet, sends the security service information found to the security service processing module 510, and creates a new Session entry comprising the five-tuple of the packet and the security service information found. It then looks up in the FIB entry learning and storage module 502 the FIB entry corresponding to the destination IP address of the packet, looks up in the ARP entry learning and storage module 504 the ARP entry that best matches that FIB entry, sends that ARP entry to the forwarding module 511, and looks up in the security service entry storage module 501 the security service information corresponding to the layer-3 outbound interface information in the FIB entry found. If that is found, the module sends this security service information to the security service processing module 510 and adds it to the newly created Session entry; the newly created Session entry is then saved in the Session entry storage module 506.
Security service processing module 510: receives the packet sent by the packet receiving module 507 and the security service information sent by the Session entry lookup module 508 or the Session entry creation module 509, applies the corresponding security service processing to the packet according to that security service information and, when processing is complete, sends the packet to the forwarding module 511.
Forwarding module 511: receives the packet that has undergone security service processing from the security service processing module 510. When it receives an ARP perception entry index from the Session entry lookup module 508, it looks up in the ARP perception entry storage module 505 the ARP perception entry that the index points to and sends the packet out according to that ARP perception entry; when it receives an ARP entry from the Session entry creation module 509, it sends the packet out according to that ARP entry.
The system in this embodiment of the invention may further comprise a FIB entry update module, which updates FIB entries in the FIB entry learning and storage module 502 and, when the update of a FIB entry is complete, locates in the FIB perception entry storage module 503 the FIB perception entry according to the FIB perception entry index in that FIB entry, looks up in the ARP entry learning and storage module 504 the ARP entry that best matches the updated FIB entry, and updates the content of the FIB perception entry found with the ARP perception entry index from that ARP entry and the content of the updated FIB entry.
In practice, the security service entry storage module 501, the FIB entry learning and storage module 502, the FIB perception entry storage module 503, the ARP entry learning and storage module 504, the ARP perception entry storage module 505, the Session entry storage module 506, the Session entry lookup module 508 and the Session entry creation module 509 may collectively be referred to as a service forwarding association module.
It should be noted that the security service entry storage module 501, the FIB entry learning and storage module 502 and the ARP entry learning and storage module 504 are modules of prior-art construction and are kept in software, whereas the FIB perception entry storage module 503, the ARP perception entry storage module 505 and the Session entry storage module 506 are modules constructed by this embodiment of the invention and are kept in hardware, for example in a TCAM, so as to speed up the security device's access to Session entries, FIB perception entries and ARP perception entries and thereby improve the efficiency of packet forwarding based on security services.
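As an added example, not part of the patent or of any H3C implementation, the following Python model plays through the two paths described above for the flow of Fig. 3 and the module split of Fig. 5: software learns FIB and ARP entries and mirrors them into hardware perception tables, the first packet of a flow is resolved in software and creates a Session entry, and subsequent packets are served from the Session and perception tables alone. The table layouts, the choice of the next hop's ARP entry as the "best matching" one, the FIB update handling and all sample addresses, services and MAC addresses are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class FiveTuple:
    """Five-tuple as the claims list it (field order is an assumption)."""
    src_ip: str
    src_port: int
    proto: int
    dst_ip: str
    dst_port: int


class SecurityDevice:
    """Constructed model: software learns FIB/ARP entries; hardware holds the
    FIB and ARP 'perception' copies plus the Session table the fast path uses."""

    def __init__(self) -> None:
        self.sw_arp: Dict[str, dict] = {}    # next-hop IP -> {mac, hw_index}
        self.sw_fib: Dict[str, dict] = {}    # prefix -> {prefix, next_hop, out_if, hw_index}
        self.hw_arp: List[dict] = []         # ARP perception entries
        self.hw_fib: List[dict] = []         # FIB perception entries (+ ARP perception index)
        self.sessions: Dict[FiveTuple, List[str]] = {}  # Session table: five-tuple -> services
        self.services: Dict[object, str] = {}  # FiveTuple or ("out_if", name) -> service
        self.path_taken: List[str] = []      # "software" or "hardware", one per packet

    def learn_arp(self, ip: str, mac: str) -> None:
        # Learn in software, mirror into hardware, keep the perception index in software.
        self.hw_arp.append({"ip": ip, "mac": mac})
        self.sw_arp[ip] = {"mac": mac, "hw_index": len(self.hw_arp) - 1}

    def learn_fib(self, prefix: str, next_hop: str, out_if: str) -> None:
        # Assumption: the ARP entry "best matching" a FIB entry is its next hop's.
        arp = self.sw_arp.get(next_hop)
        self.hw_fib.append({"prefix": ip_network(prefix), "out_if": out_if,
                            "arp_hw_index": arp["hw_index"] if arp else -1})
        self.sw_fib[prefix] = {"prefix": ip_network(prefix), "next_hop": next_hop,
                               "out_if": out_if, "hw_index": len(self.hw_fib) - 1}

    def update_fib(self, prefix: str, next_hop: str, out_if: str) -> None:
        """FIB update module: rewrite the perception entry and its ARP index so
        existing sessions follow the new route without another software lookup."""
        entry = self.sw_fib[prefix]
        entry.update(next_hop=next_hop, out_if=out_if)
        arp = self.sw_arp.get(next_hop)
        self.hw_fib[entry["hw_index"]].update(
            out_if=out_if, arp_hw_index=arp["hw_index"] if arp else -1)

    @staticmethod
    def _lpm(entries: Iterable[dict], dst_ip: str) -> Optional[dict]:
        # Longest-prefix match over whichever table (software or hardware) is given.
        addr = ip_address(dst_ip)
        hits = [e for e in entries if addr in e["prefix"]]
        return max(hits, key=lambda e: e["prefix"].prefixlen, default=None)

    def forward(self, ft: FiveTuple) -> Tuple[Optional[str], List[str]]:
        """Return (next-hop MAC for the L2 header, services applied); MAC None = drop."""
        if ft in self.sessions:                       # steps 313-315: subsequent packet
            self.path_taken.append("hardware")
            fib = self._lpm(self.hw_fib, ft.dst_ip)   # FIB perception entry
            if fib is None or fib["arp_hw_index"] < 0:
                return None, list(self.sessions[ft])  # no route or unresolved next hop
            return self.hw_arp[fib["arp_hw_index"]]["mac"], list(self.sessions[ft])
        # First packet of the flow: resolved in software, Session entry created.
        self.path_taken.append("software")
        session: List[str] = []
        ingress = self.services.get(ft)               # ingress service keyed on five-tuple
        if ingress:
            session.append(ingress)
        self.sessions[ft] = session                   # step 306: new Session entry
        fib = self._lpm(self.sw_fib.values(), ft.dst_ip)
        if fib is None:
            return None, list(session)
        egress = self.services.get(("out_if", fib["out_if"]))  # steps 310-311
        if egress:
            session.append(egress)                    # added to the Session entry
        arp = self.sw_arp.get(fib["next_hop"])        # step 312: L2 encapsulation
        return (arp["mac"] if arp else None), list(session)
```

`path_taken` records which path each packet took, so a test can confirm that only the first packet of a flow touches the software tables.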
The above describes only embodiments of the present invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (7)

1. A packet forwarding method based on security services, characterized in that it comprises:
establishing an association between forwarding information base (FIB) entries and ARP entries;
receiving the first packet of a service flow, obtaining the security service information corresponding to the first packet, performing ingress security service processing on the first packet according to that security service information, establishing a correspondence between the five-tuple information carried by the first packet and that security service information, looking up the FIB entry corresponding to the first packet, looking up the security service entry corresponding to the layer-3 outbound interface information in the FIB entry and, if it is found, performing egress security service processing on the first packet according to the security service information in that security service entry while adding that security service information to the said correspondence, and forwarding the first packet according to the ARP entry corresponding to the FIB entry, wherein the five-tuple information consists of source IP address information, source port information, protocol number, destination IP address information and destination port information;
receiving a subsequent packet of the service flow, finding the security service information from the five-tuple information carried by the subsequent packet and the established correspondence between five-tuple information and security service information, performing security service processing on the subsequent packet according to that security service information, finding the ARP entry information from the destination IP address of the subsequent packet and the said association, and forwarding the subsequent packet according to the ARP entry information.
2. The method of claim 1, characterized in that the said association and correspondence are kept in a software unit.
3. The method of claim 2, characterized in that establishing the association between FIB entries and ARP entries comprises: adding to each FIB entry the index of the ARP entry that best matches it;
and, for a received subsequent packet, finding the ARP entry information comprises: obtaining the FIB entry corresponding to the destination IP address of the subsequent packet, and locating the ARP entry according to the ARP entry index in that FIB entry.
4. The method of claim 1, characterized in that the said association and correspondence are kept in a hardware unit.
5. The method of claim 4, characterized in that, before establishing the association between FIB entries and ARP entries, the method further comprises: learning ARP entries and FIB entries in a software unit;
establishing the association between FIB entries and ARP entries comprises: saving in the hardware unit an ARP perception entry whose content is identical to that of each ARP entry in the software unit; saving in the hardware unit a FIB perception entry whose content is identical to that of each FIB entry in the software unit, and adding to each FIB perception entry the index of the ARP perception entry that best matches it;
and, for a received subsequent packet, finding the ARP entry information is: looking up the FIB perception entry according to the destination IP address of the subsequent packet, and locating the ARP perception entry according to the ARP perception entry index in that FIB perception entry, this ARP perception entry being the ARP entry information found.
6. A packet forwarding system based on security services, characterized in that it comprises:
a first module, which establishes an association between FIB entries and ARP entries;
a second module, which receives the first packet of a service flow, obtains the security service information corresponding to the first packet, performs ingress security service processing on the first packet according to that security service information, establishes a correspondence between the five-tuple information carried by the first packet and that security service information, looks up the FIB entry corresponding to the first packet, looks up the security service entry corresponding to the layer-3 outbound interface information in the FIB entry and, if it is found, performs egress security service processing on the first packet according to the security service information in that security service entry while adding that security service information to the said correspondence, and forwards the first packet according to the ARP entry corresponding to the FIB entry, wherein the five-tuple information consists of source IP address information, source port information, protocol number, destination IP address information and destination port information;
a third module, which receives a subsequent packet of the service flow, finds the security service information from the five-tuple information carried by the subsequent packet and the established correspondence between five-tuple information and security service information, performs security service processing on the subsequent packet according to that security service information, finds the ARP entry information from the destination IP address of the subsequent packet and the said association, and forwards the subsequent packet according to the ARP entry information.
7. The system of claim 6, characterized in that the first module comprises:
a first submodule, which saves in a hardware unit FIB perception entries whose content is identical to that of each FIB entry in a software unit, each FIB perception entry comprising the index of the ARP perception entry that best matches it;
a second submodule, which saves in the hardware unit ARP perception entries whose content is identical to that of each ARP entry in the software unit;
and the third module looks up the FIB perception entry according to the destination IP address of the subsequent packet and locates the ARP perception entry according to the ARP perception entry index in that FIB perception entry, this ARP perception entry being the ARP entry found.

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN2007101198791A CN101110769B (en) 2007-08-02 2007-08-02 Package transmitting method and system based on safety service
PCT/CN2008/071676 WO2009015578A1 (en) 2007-08-02 2008-07-17 Method and network security device for executing security processing to packets
US12/529,907 US8316432B2 (en) 2007-08-02 2008-07-17 Method for implementing security-related processing on packet and network security device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2007101198791A CN101110769B (en) 2007-08-02 2007-08-02 Package transmitting method and system based on safety service

Publications (2)

Publication Number Publication Date
CN101110769A CN101110769A (en) 2008-01-23
CN101110769B true CN101110769B (en) 2010-08-25

Family

ID=39042667

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2007101198791A Expired - Fee Related CN101110769B (en) 2007-08-02 2007-08-02 Package transmitting method and system based on safety service

Country Status (1)

Country Link
CN (1) CN101110769B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102404235A (en) * 2011-12-26 2012-04-04 杭州华三通信技术有限公司 Packet transfer method and field programmable gate array

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009015578A1 (en) * 2007-08-02 2009-02-05 Hangzhou H3C Technologies Co., Ltd. Method and network security device for executing security processing to packets
CN105099921B (en) * 2015-05-29 2019-01-25 新华三技术有限公司 A kind of fastext processing method and device based on user
CN113645188B (en) * 2021-07-07 2023-05-09 中国电子科技集团公司第三十研究所 Data packet rapid forwarding method based on security association

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1464703A (en) * 2002-06-19 2003-12-31 华为技术有限公司 Method for increasing IP message transferring speed
CN1777174A (en) * 2004-11-15 2006-05-24 中兴通讯股份有限公司 Internet safety protocol high-speed processing IP burst method
CN1794695A (en) * 2005-12-28 2006-06-28 杭州华为三康技术有限公司 Method of refreshing hardware table item
CN1878139A (en) * 2006-05-31 2006-12-13 杭州华为三康技术有限公司 Three-layer forwarding method, device and ARP information table updating method
CN1996948A (en) * 2006-12-28 2007-07-11 杭州华为三康技术有限公司 Message forwarding method and device based on the media access control layer


Also Published As

Publication number Publication date
CN101110769A (en) 2008-01-23

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Patentee after: Xinhua three Technology Co., Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: Huasan Communication Technology Co., Ltd.

CP03 Change of name, title or address
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100825

Termination date: 20200802

CF01 Termination of patent right due to non-payment of annual fee