Background technology
The present invention relates to a many-to-many file-sharing technique in the P2P (Peer to Peer) mode. With this technique an application program divides a file to be exchanged into multiple segments and transfers them in a multicast-style fashion, which increases the speed of file transfer. Unlike traditional FTP (File Transfer Protocol), a file recipient does not download the file fragments in order and does not need to connect to the file supplier's host; it can download from other recipients that hold parts of the file distributed across the network. The recipient therefore also carries part of the uploading work while downloading, and download and upload proceed concurrently, which greatly increases download speed and makes full use of network resources.
This file-sharing technique, however, also brings many problems. First, it affects network operators, because the many-to-many exchange mode consumes a great deal of bandwidth. Second, there is the copyright problem: it has made piracy increasingly rampant. Finally, it introduces new security threats: the use of file sharing to spread viruses and spyware or to produce junk advertising is growing day by day.
For these reasons the exchange technique must be controlled from the point of view of the network operator and the administrator, while most end users do not wish to experience any noticeable restriction. This is a contradiction. Existing methods usually address it with firewall or user-proxy technology, either by setting a maximum number of connections per user or by directly cutting off the user's download stream. Several prior-art schemes are described below:
1) Firewall or user-proxy technology:
The traffic of file sharing and the user's maximum number of connections are limited by a firewall or a user proxy. The firewall can also block the port numbers commonly used by file-sharing software and block the destination addresses of downloads.
The above technique can only exert coarse-grained control over the network: closing ports and blocking access to Tracker servers. Current file-sharing software such as BitTorrent, eDonkey and eMule has a dynamic port-selection function, so this technique cannot address the problem at its root.
2) NBAR (Network-Based Application Recognition) technology:
NBAR is a technique that dynamically recognizes the signatures of layer-4 to layer-7 protocols. By loading a PDLM (Packet Description Language Module) into the router, the router can recognize file-sharing packets and filter them out at the network layer.
The above technique discards all file-sharing packets. Although this fundamentally solves the problems that file sharing brings, it also removes the benefits of file sharing at the same time. The method is therefore unsuitable for ordinary users and applies only to enterprise customers, which is a limitation.
3) Integrated products combining a firewall and a router:
Products of this kind integrate a firewall and a router, can perform deep application analysis, and can implement deep bandwidth and session control; they also provide routing and load-balancing functions.
The above technique can distinguish bandwidth usage and control sessions at fine granularity, but because such a product is in essence still an extension of a firewall, it can only solve a local problem. When an operator's network consists of multiple local area networks (LANs), it cannot maximize the benefit to users.
In summary, all three schemes start from a local viewpoint, do not subdivide the detection results, and do not perform dynamic flow control according to the results of analysis, so it is difficult for them to improve the user experience. All three also consider only the operator's benefit and not a win-win arrangement between operator and user, and therefore have certain limitations.
Summary of the invention
The present invention provides a method, apparatus and system for effectively controlling the flow of point-to-point (P2P) file sharing.
The present invention is achieved by the following technical solutions:
A flow control apparatus for point-to-point file sharing, the apparatus comprising:
a policy module, for providing the flow control implementation strategy for file sharing;
a packet filtering module, for receiving the packets sent by the router, extracting connection control information to form message packets, and filtering the packets and/or message packets according to the flow control implementation strategy;
a flow control module, for performing traffic statistics and analysis on the filtered packets and/or message packets, and controlling the flow of file sharing according to the analysis result.
A flow control system for point-to-point file sharing, the system comprising:
an intelligent management center (IMC) module, for receiving the egress flow analysis result and egress flow trend information of point-to-point file sharing sent by each router, analysing the received information, formulating a different egress policy for each network, and sending it to the router of each network;
a router control module, which communicates with the router and the IMC module through interfaces, for receiving the egress policy and the packets sent by the router, dynamically formulating a flow control implementation strategy, and performing flow control on the packets and/or message packets of point-to-point file sharing.
A flow control method for point-to-point file sharing, comprising:
filtering the packets forwarded by the router and performing traffic statistics and analysis on them, dynamically formulating a flow control strategy according to the actual file-sharing situation of the users, and controlling the flow of point-to-point file sharing, which specifically comprises:
filtering the packets forwarded by the router, thereby filtering out non-TCP (Transmission Control Protocol) packets, TCP packets sent to well-known ports, connection control messages that do not belong to point-to-point file sharing, and point-to-point connection control messages with illegal content;
performing traffic statistics on the filtered point-to-point file-sharing messages and then returning the messages to the router;
analysing the traffic statistics and dynamically formulating the flow control strategy that serves as the basis for message screening.
As can be seen from the technical solution provided by the present invention, the invention dynamically controls the flow of users' file-sharing behaviour. On the one hand it gives the operator a flexible control mechanism that can regulate the file-sharing part of the total flow; on the other hand it guarantees fairness among users in their use of bandwidth and prevents certain users from occupying a large amount of bandwidth for a long time.
Embodiment
The present invention provides a flow control system for point-to-point file sharing. The networking architecture of one embodiment of the system is shown in Figure 1 and comprises an operator end and a LAN end. The operator end is provided with an intelligent management center module, the IMC module, which periodically receives the P2P file-sharing egress flow reports and egress flow trend information sent by the router of each LAN, performs a comprehensive analysis of the reports, formulates a different egress policy for each LAN, and distributes it to the router of each LAN. The architecture of one embodiment of the IMC module and the connections between its component units are shown in Figure 2 and comprise:
a flow report receiving unit, for receiving the local P2P file-sharing egress flow reports sent by all LAN routers in the operator's network and storing them in the operator's local database;
an overall flow analysis unit, for performing a comprehensive analysis of the P2P file-sharing egress flow reports submitted by each LAN router, and determining where the egress flow exceeds its standard and how the egress flow is distributed within the scope supervised by the IMC module;
a policy database with a man-machine interface, for receiving and storing the policies formulated by the administrator;
an IMC policy formulation unit, for formulating an IMC comprehensive policy according to the analysis result of the overall flow analysis unit and the policies stored in the policy database, redistributing flow among the different routers, and formulating a load-balancing strategy for routes;
a control implementation unit, for distributing each policy formulated by the IMC policy formulation unit to the designated LAN router.
For operators with larger networks, IMC modules can be deployed in different places, so that each IMC module manages the whole egress flow of a region or city and performs dynamic flow allocation and load balancing. This reduces the operator's network egress flow on the one hand, and on the other hand lets the users within the operator's LANs use the egress bandwidth fairly and dynamically.
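The IMC units just listed (report reception, overall analysis, policy formulation and distribution) can be shown end to end on constructed reports. The following Python example is added here for illustration and is not code from the patent. Everything beyond the unit names is an assumption: the reports carry a measured egress value and a trend in Mbit/s, the administrator's policy is a total P2P egress budget plus a guaranteed share per LAN, and the redistribution rule (each LAN gets what it needs up to its share, the remaining budget is split among the LANs that want more in proportion to their excess) is one plausible rule, not the one the patent specifies. The route load-balancing strategy is not modelled.

```python
"""IMC module: receive the egress-flow reports of the LAN routers and formulate
a per-LAN egress policy (added example, not the patent's own code)."""
from dataclasses import dataclass, field


@dataclass
class EgressReport:
    """Periodic report of one LAN router (constructed; unit assumed Mbit/s)."""
    router: str
    egress: float       # P2P egress flow measured in the last interval
    trend: float        # expected change over the next interval


@dataclass
class AdminPolicy:
    """Policy database contents entered by the administrator (assumed shape)."""
    total_budget: float          # P2P egress the operator will carry in total
    base_share: dict             # router -> share guaranteed to that LAN


@dataclass
class EgressPolicy:
    limits: dict = field(default_factory=dict)    # router -> egress limit to enforce
    capped: set = field(default_factory=set)      # routers whose demand exceeds the limit


def receive_reports(reports, database: dict) -> dict:
    """Flow report receiving unit: keep the latest report of every router."""
    for r in reports:
        database[r.router] = r
    return database


def analyse_egress(database: dict) -> dict:
    """Overall flow analysis unit: expected demand per router for the next
    interval, from the measured egress and the reported trend."""
    return {name: max(r.egress + r.trend, 0.0) for name, r in database.items()}


def formulate_egress_policy(demand: dict, policy: AdminPolicy) -> EgressPolicy:
    """IMC policy formulation unit. Assumed redistribution rule: each LAN gets
    what it needs up to its guaranteed share; the budget left over is split
    among the LANs that want more, in proportion to their excess demand."""
    out = EgressPolicy()
    excess = {}
    for router, share in policy.base_share.items():
        d = demand.get(router, 0.0)
        out.limits[router] = min(d, share)
        if d > share:
            excess[router] = d - share
    remaining = max(policy.total_budget - sum(out.limits.values()), 0.0)
    total_excess = sum(excess.values())
    for router, e in excess.items():
        grant = e if total_excess <= remaining else remaining * e / total_excess
        out.limits[router] += grant
        if grant < e:                 # this LAN's egress exceeds its standard
            out.capped.add(router)
    return out


def distribute(policy: EgressPolicy) -> list:
    """Control implementation unit: one (router, limit) message per LAN router."""
    return sorted(policy.limits.items())
```

Because the rule is re-run every reporting interval, a LAN that reported low demand and therefore released part of its share gets it back as soon as its next report shows the demand rising.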
The LAN end is provided with the flow control apparatus for point-to-point file sharing. The apparatus comprises a router control module, which communicates with the router and the IMC module through interfaces, receives the egress policy formulated by the IMC module, and controls the flow of P2P file sharing without changing the basic functions of the existing router. The composition and internal logic of the router control module are shown in Figure 3.
The router control module comprises:
a policy module, for providing the flow control implementation strategy for file sharing;
a packet filtering module, for receiving the packets sent by the router, extracting connection control information to form message packets, and filtering the packets and/or message packets according to the flow control implementation strategy;
a flow control module, for performing traffic statistics and analysis on the filtered packets and/or message packets, and controlling the flow of file sharing according to the analysis result.
The policy module further comprises:
a policy library, for formulating and storing, according to the specific situation of the local network, the bandwidth share and the management strategy of point-to-point file sharing in the local router; for example, different management strategies and different maximum permitted file-sharing bandwidths are set for different intranet IP addresses;
a policy formulation unit, for dynamically formulating the flow control implementation strategy according to the analysis result of the flow analysis unit, the point-to-point file-sharing flow control strategy of the network received by the message receiving/sending unit, and the policy information in the policy library, and for storing and updating that strategy. For example: if the file-sharing flow of an IP address in the network exceeds its standard, connection requests for file sharing from that IP are refused according to the flow situation, and some of its established file-sharing connections are blocked; if the total file-sharing flow permitted by the local router is exceeded, the IP addresses currently performing file sharing are re-analysed and some connections of the IPs with the largest connection counts and flow are temporarily forbidden, which can also be done by forbidding the connections those IPs have already established; if the total file-sharing flow at the router egress does not exceed its standard, the file-sharing flow of individual high-priority IPs is allowed to increase, depending on the situation.
The packet filtering module further comprises:
a packet screening unit, for receiving the packets sent by the router and screening out the TCP packets sent to non-well-known ports; that is, it filters out non-TCP packets and TCP packets sent to well-known ports, and returns the filtered-out packets to the router;
a pre-processing unit, for generating additional information for the packets obtained by the screening; the pre-processing comprises extracting the source and destination IP addresses, the source and destination port numbers, and a segment of application-layer information such as the first 20 characters of the application-layer data, generating the additional information from the extracted information, and sending it to the key information matching unit;
a key information matching unit, for receiving the pre-processed information from the pre-processing unit and judging, according to the application-layer information in the additional information, whether the received packet is a connection control message of point-to-point file sharing. If the application-layer part of the packet carries the identifier of a P2P protocol, the packet is a P2P file-sharing connection control message, referred to below as a message packet; such message packets are used for connection control between different nodes. Connection control messages of P2P file sharing are sent to the message audit and processing unit; packets that are not P2P file-sharing connection control messages are given a corresponding mark and sent directly to the strategy execution unit;
a strategy execution unit, for extracting the file-sharing flow control implementation strategy from the policy module, performing the filtering operation on the packets and/or message packets matched by the key information matching unit, and sending the filtered packets and/or message packets to the flow control module.
Because the flow control implementation strategy can give a concrete implementation strategy for the IP nodes in the network whose flow needs to be regulated, for example when the current file-sharing flow of a certain IP node in the network exceeds its standard, the strategy execution unit, after receiving such a strategy, performs IP address matching on the packets/message packets passing through it and discards any message packet whose IP address matches.
The packet filtering module may further comprise:
a message audit and processing unit, for performing content auditing on the message packets and/or packets judged by the key information matching unit to be connection control messages of point-to-point file sharing, judging whether the file content is legal, marking them according to the judgement, and sending them to the strategy execution unit. For example, for a legal message packet a mark is generated indicating that the packet is a P2P file-sharing request message; for an illegal message packet a mark is generated indicating that the packet is illegal, and the message packet together with the mark is sent to the strategy execution unit.
The flow control module further comprises:
a traffic statistics unit, for receiving the packets and/or message packets filtered by the strategy execution unit and counting the point-to-point file-sharing packets and/or message packets. A statistics table is set up in memory, keyed by each intranet IP (that is, an IP inside the operator's network) of the router, recording the number of P2P connections established by that IP and the corresponding number of P2P shared-data packets within a prescribed period; the P2P connection count and the P2P file-sharing packet count are further divided into those between intranet IPs and those between intranet and extranet IPs. Historical information is stored in a database: the statistics table in memory is periodically written to the database and counting restarts. Only P2P file-sharing packets and message packets are counted; the P2P file-sharing message packets characterize the number of P2P connections, and the P2P file-sharing packets characterize the number of packets transmitted over a particular connection, that is, the bandwidth occupied within the prescribed period. Finally, the counted packets are forwarded to the router, and the statistics are periodically sent to the flow analysis unit;
a flow analysis unit, for analysing the statistics of the traffic statistics unit, calculating for each intranet IP the number of point-to-point connections established with other intranet IPs and with extranet IPs and the total point-to-point flow, determining from the historical information recorded in the database the trend of the P2P egress flow of the current router and of the communication flow within the network, and controlling the flow of file sharing according to the analysis result;
a message receiving/sending unit, for periodically sending the analysis result of the flow analysis unit to the IMC module and periodically receiving the point-to-point file-sharing flow control strategy formulated by the IMC module, thereby realising the management of the local router by the IMC module.
The present invention provides a flow control method for point-to-point file sharing. Data transmission between a packet sending end and a receiving end comprises the process of establishing a connection between the sending end and the receiving end and the data transfer process; the method of performing flow control on each process is described below.
One embodiment of the operating procedure for performing flow control on the process of establishing a connection between the sending end and the receiving end is shown in Figure 4 and comprises the following steps:
Step 1: terminal A sends a message requesting a connection to terminal B; the message first passes through the router.
Step 2: the router forwards the message packet to the packet screening unit and the pre-processing unit.
Step 3: the packet screening unit and the pre-processing unit screen and pre-process the message packet, judging whether it is a TCP packet and whether it uses a well-known port, and generate additional information for the message packets that pass the screening. Generating the additional information comprises extracting the source and destination IP addresses, the source and destination port numbers, and application-layer information such as the first 20 characters of the application-layer data of the message packet, and generating the additional information of the message packet from the extracted information.
Step 4: if the screening finds that the message packet is a non-TCP packet or a TCP packet to a well-known port, the packet screening unit returns the message packet to the router.
Step 5: if the message packet passes the screening, the pre-processing unit sends the message packet with its generated additional information to the key information matching unit.
Step 6: the key information matching unit judges, according to the additional information generated by the pre-processing unit, whether the message packet is a P2P file-sharing request message.
The key information matching unit judges from the application-layer information in the additional information of the message packet whether the packet is a P2P file-sharing connection control message: if the application-layer part of the packet carries the identifier of a P2P protocol, the packet is a P2P file-sharing connection control message.
Step 7: if it is a P2P file-sharing request message, the message is sent to the message audit and processing unit; if not, a corresponding mark is added and the message is sent directly to the strategy execution unit.
Step 8: the message audit and processing unit audits the content of the received message and judges whether the file content to be shared is legal.
Some illegal content is preset, and the content of the received message is compared with the preset content. If it is illegal, a discard mark is set; if it is legal, a mark for establishing the connection is generated. The message is then sent to the strategy execution unit.
Step 9: the strategy execution unit filters the message packet according to the strategy.
The strategy execution unit performs the message screening operation according to the pre-established strategy and filters out request messages that do not belong to P2P file sharing.
Step 10: the strategy execution unit sends the filtered message packet to the traffic statistics unit.
Step 11: the traffic statistics unit counts the P2P file-sharing packets/message packets and modifies the entries in the statistics table according to whether the message packet is a connection request message.
Step 12: the traffic statistics unit returns the message packet to the router.
Step 13: the router forwards the message packet to terminal B. The connection establishment process is complete.
One embodiment of the operating procedure for performing flow control on the packet sending process is shown in Figure 5 and comprises the following steps:
Step 1: with a connection already established between terminal A and terminal B, terminal A sends a packet of the shared file to terminal B; the packet first passes through the router.
Step 2: the router forwards the packet to the packet screening unit and the pre-processing unit.
Step 3: the packet screening unit and the pre-processing unit screen and pre-process the packet.
They first judge whether the packet is a TCP packet and whether it is a TCP packet using a well-known port, and generate additional information for the packets that pass the screening.
Step 4: if the packet is a non-TCP packet or a TCP packet to a well-known port, the packet is returned to the router.
Step 5: the packet screening unit and the pre-processing unit send the screened and processed packet to the key information matching unit.
Step 6: the key information matching unit judges, according to the additional information generated by the pre-processing unit, whether the packet is a P2P file-sharing request message.
The matching process is the same as the matching operation in the connection establishment process.
Step 7: if the judgement is that the packet is not a P2P file-sharing request message, a corresponding mark is added and the packet is sent to the strategy execution unit; if it is a P2P file-sharing request message, the message packet is sent to the audit and processing unit, whose operation is the same as in the connection establishment process.
Step 8: the strategy execution unit filters the packet according to the pre-established strategy.
Step 9: the strategy execution unit sends the filtered packet to the traffic statistics unit.
Step 10: the traffic statistics unit counts only P2P file-sharing packets/message packets.
Step 11: the traffic statistics unit returns the packet to the router.
Step 12: the router forwards the packet to terminal B.
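The procedures of Figures 4 and 5 run every packet through the same pipeline: screening, pre-processing, key-information matching, content audit and strategy execution. The following Python example is added here to show that pipeline in working form for both the connection request and the shared-data packet; it is not code from the patent. Its assumptions: the "identifier of a P2P protocol" is represented as a set of application-layer prefixes (the BitTorrent handshake genuinely begins with the byte 0x13 followed by "BitTorrent protocol", which is exactly the 20 bytes the pre-processing unit keeps; the patent names no signatures, and others would be added to P2P_SIGNATURES), the preset illegal content is a list of byte strings, and the strategy handed down by the policy module is a set of over-quota IP addresses. The packets are constructed inline, not captured traffic.

```python
"""Packet screening, pre-processing, key-information matching, content audit
and strategy execution of the router control module (added example, not the
patent's own code)."""
from dataclasses import dataclass, field
from typing import Optional

TCP = 6                      # IP protocol number of TCP
UDP = 17
WELL_KNOWN_PORT_MAX = 1023   # ports 0-1023 are the IANA well-known range
APP_PREFIX_LEN = 20          # the pre-processing unit keeps the first 20 bytes

# Assumed P2P protocol identifiers. The BitTorrent handshake really starts
# with 0x13 + "BitTorrent protocol" (20 bytes); the patent lists no signatures.
P2P_SIGNATURES = {b"\x13BitTorrent protocol": "bittorrent"}

# Assumed preset illegal content of the message audit and processing unit.
ILLEGAL_CONTENT = [b"BLOCKED-TITLE"]


@dataclass
class Packet:
    """Constructed stand-in for a packet handed over by the router."""
    proto: int
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


@dataclass
class Additional:
    """Additional information generated by the pre-processing unit."""
    src: str
    dst: str
    sport: int
    dport: int
    app_prefix: bytes
    marks: list = field(default_factory=list)


@dataclass
class Strategy:
    """Flow control implementation strategy from the policy module:
    the intranet IPs whose file-sharing flow exceeds their standard."""
    over_quota: set = field(default_factory=set)


def screen(pkt: Packet) -> bool:
    """Packet screening unit: only TCP packets to non-well-known ports pass."""
    return pkt.proto == TCP and pkt.dport > WELL_KNOWN_PORT_MAX


def pretreat(pkt: Packet) -> Additional:
    """Pre-processing unit: addresses, ports and first 20 bytes of app data."""
    return Additional(pkt.src, pkt.dst, pkt.sport, pkt.dport,
                      pkt.payload[:APP_PREFIX_LEN])


def key_match(info: Additional) -> Optional[str]:
    """Key information matching unit: name of the P2P protocol whose
    identifier the application-layer prefix carries, or None."""
    for sig, name in P2P_SIGNATURES.items():
        if info.app_prefix.startswith(sig[:APP_PREFIX_LEN]):
            return name
    return None


def audit(pkt: Packet) -> bool:
    """Message audit and processing unit: True when no preset illegal
    content appears in the message."""
    return not any(bad in pkt.payload for bad in ILLEGAL_CONTENT)


def execute_strategy(pkt: Packet, info: Additional, strategy: Strategy) -> str:
    """Strategy execution unit. Verdicts:
    'forward' - not P2P, goes back to the router without being counted;
    'drop'    - illegal content, or an IP address matching the strategy;
    'count'   - legal P2P packet, passed on to the traffic statistics unit."""
    if "non_p2p" in info.marks:
        return "forward"
    if "illegal" in info.marks:
        return "drop"
    if pkt.src in strategy.over_quota or pkt.dst in strategy.over_quota:
        return "drop"
    return "count"


def process(pkt: Packet, strategy: Strategy) -> str:
    """Run one packet through the pipeline of Figures 4 and 5.
    'bypass' is step 4: returned to the router straight from screening."""
    if not screen(pkt):
        return "bypass"
    info = pretreat(pkt)
    if key_match(info) is None:
        info.marks.append("non_p2p")
    else:
        info.marks.append("p2p_request" if audit(pkt) else "illegal")
    return execute_strategy(pkt, info, strategy)
```

Note that only the first 20 bytes reach the matching unit, so a client that prepends junk to its handshake or moves to a well-known port such as 80 is classified as ordinary traffic; this is the limit of the prefix-based identifier, and it is why the policy rules later operate on per-IP statistics rather than on signatures alone.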
The strategy on which the strategy execution unit bases its filtering operation in the above connection establishment and data transmission processes is updated periodically; its generation process is shown in Figure 6 and comprises the following steps:
Step 1: the flow analysis unit periodically extracts the statistics of the traffic statistics unit; the statistics may be stored in the form of a statistics table, in which case the flow analysis unit periodically extracts the traffic statistics table.
Step 2: the flow analysis unit analyses the statistics table obtained and determines the flow of each user performing P2P file sharing.
Step 3: the flow analysis unit sends the result of the analysis to the policy formulation unit.
Step 4: the policy formulation unit takes the analysis result of the flow analysis unit together with the latest policies extracted from the IMC policy library unit and the local policy library.
Step 5: the policy formulation unit dynamically formulates a comprehensive flow control implementation strategy from all the information obtained.
Step 6: the policy formulation unit issues the comprehensive strategy to the strategy execution unit, which updates its access control table according to the strategy and performs the filtering operation according to it.
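The statistics table of the traffic statistics unit, the per-IP analysis of the flow analysis unit, and the three rules the policy formulation unit applies (an IP exceeds its own standard; the router's total is exceeded; the router's total is not exceeded) are shown together in the following Python example, which is added here and is not code from the patent. It assumes the intranet is 10.0.0.0/8, that flow is measured as P2P packets per statistics interval, that the "standard" values and priorities come from the policy library, that "some connections of the IPs with the largest connection count and flow" means the top `throttle_top` IPs ordered by connection count and then packets, and that a high-priority IP may be raised by a fixed factor. The snapshots are constructed; the `history` list stands in for the database.

```python
"""Statistics table, flow analysis and dynamic formulation of the flow control
implementation strategy in the router control module (added example, not the
patent's own code)."""
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress

INTRANET = ipaddress.ip_network("10.0.0.0/8")   # assumed address range of the LAN


def is_intranet(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTRANET


class StatsTable:
    """Traffic statistics unit: one row per intranet IP holding the P2P
    connections and P2P packets of the current interval, each split into
    intranet<->intranet and intranet<->extranet."""

    def __init__(self):
        self.rows = defaultdict(lambda: {"conn_intra": 0, "conn_extra": 0,
                                         "pkt_intra": 0, "pkt_extra": 0})
        self.history = []    # earlier intervals (stands in for the database)

    def record(self, src: str, dst: str, is_conn_request: bool) -> None:
        """A P2P message packet counts as a connection, any other P2P packet
        as one packet of an established connection, on every intranet side."""
        for local, peer in ((src, dst), (dst, src)):
            if not is_intranet(local):
                continue
            side = "intra" if is_intranet(peer) else "extra"
            self.rows[local][("conn_" if is_conn_request else "pkt_") + side] += 1

    def rollover(self) -> dict:
        """End of the interval: write the rows to history, restart counting."""
        snapshot = {ip: dict(row) for ip, row in self.rows.items()}
        self.history.append(snapshot)
        self.rows.clear()
        return snapshot


def analyse(snapshot: dict) -> dict:
    """Flow analysis unit: connections and total P2P flow per intranet IP, and
    the router's P2P egress flow (packets exchanged with extranet IPs)."""
    per_ip = {ip: {"conns": r["conn_intra"] + r["conn_extra"],
                   "pkts": r["pkt_intra"] + r["pkt_extra"]}
              for ip, r in snapshot.items()}
    return {"per_ip": per_ip,
            "egress_pkts": sum(r["pkt_extra"] for r in snapshot.values())}


@dataclass
class PolicyLibrary:
    """Policy library contents (assumed representation)."""
    per_ip_limit: dict                    # IP -> permitted P2P packets per interval
    default_limit: int                    # for IPs without an entry
    router_limit: int                     # permitted P2P egress packets per interval
    high_priority: set = field(default_factory=set)
    raise_factor: float = 1.2             # assumed: high-priority IPs may get 20% more
    throttle_top: int = 1                 # assumed: how many heaviest IPs to throttle


@dataclass
class ImplementationStrategy:
    refuse_new: set = field(default_factory=set)         # refuse new P2P connection requests
    block_established: set = field(default_factory=set)  # cut some established connections
    throttled: set = field(default_factory=set)          # heaviest IPs when router total exceeded
    effective_limit: dict = field(default_factory=dict)  # limit actually applied per IP


def formulate(analysis: dict, lib: PolicyLibrary) -> ImplementationStrategy:
    """Policy formulation unit: the three rules of the embodiment."""
    s = ImplementationStrategy()
    per_ip = analysis["per_ip"]
    # Rule 1: an IP above its own standard has new requests refused and
    # some of its established connections blocked.
    for ip, a in per_ip.items():
        limit = lib.per_ip_limit.get(ip, lib.default_limit)
        s.effective_limit[ip] = limit
        if a["pkts"] > limit:
            s.refuse_new.add(ip)
            s.block_established.add(ip)
    if analysis["egress_pkts"] > lib.router_limit:
        # Rule 2: router total exceeded: re-analyse and temporarily forbid the
        # connections of the IPs with the largest connection count and flow.
        heaviest = sorted(per_ip, key=lambda ip: (per_ip[ip]["conns"],
                                                  per_ip[ip]["pkts"]), reverse=True)
        s.throttled.update(heaviest[:lib.throttle_top])
    else:
        # Rule 3: egress within standard: single high-priority IPs may go higher.
        for ip in lib.high_priority & set(s.effective_limit):
            s.effective_limit[ip] = int(round(s.effective_limit[ip] * lib.raise_factor))
    return s
```

The strategy object is what the strategy execution unit loads into its access control table at Step 6; the per-IP sets are the list it matches source and destination addresses against, and `effective_limit` is what the next interval's Rule 1 comparison uses once the policy library has been updated with it.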
In summary, the present invention dynamically adjusts the flow control strategy according to the actual flow situation of each end user. On the one hand it gives the operator a flexible control mechanism that can regulate the file-sharing part of the total flow; on the other hand it guarantees fairness among users in their use of bandwidth and prevents certain users from occupying a large amount of bandwidth for a long time.
The above is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited to it. Any change or substitution that a person skilled in the art can easily think of within the technical scope disclosed by the present invention shall be covered by the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be determined by the scope of protection of the claims.