CN105721334B - Method and equipment for determining transmission path and updating ACL - Google Patents


Info

Publication number: CN105721334B
Application number: CN201410730053.9A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN105721334A
Inventor: 于杰
Original and current assignee: China Mobile Communications Group Co Ltd
Legal status: Active


Abstract

The invention relates to the technical field of network communication, and in particular to a method and equipment for determining a transmission path and updating an ACL (access control list), used to solve the problem that the firewall is currently placed under excessive load. The method for determining the transmission path comprises the following steps: after receiving request information sent by a sending end to apply for communication, a controller determines the transmission rule information of the request information from a first Access Control List (ACL) according to the request information; after determining from the transmission rule information that the sending end may send the message to the receiving end, the controller determines a transmission path from the sending end to the receiving end; the switches in the transmission path are then notified of the transmission path. In this scheme, a first ACL that can check the request information sent by the sending end to apply for communication is added to the controller, so the controller can determine the transmission rule information of the request information from the information configured in that ACL, and the load on the firewall is reduced.

Description

Method and equipment for determining transmission path and updating ACL
Technical Field
The present invention relates to the field of network communication technologies, and in particular, to a method and an apparatus for determining a transmission path and updating an ACL.
Background
In the field of computer networks, a firewall is a device built from a combination of software and hardware that helps ensure information security and protects a network from intrusion by unauthorized users. It comprises four parts: service access rules, verification tools, packet filtering and application gateways.
A firewall is an access control measure applied during network communication; through an access control list it defines which data packets may reach a computer. It can be configured to specify which packets are passed and which are blocked, and it can also prevent malicious access within the network.
In an SDN (Software Defined Network), a firewall is indispensable for protecting information security and for allowing or restricting the passage of transmitted data. The prior-art scheme for an internal firewall in an SDN network is as follows:
a security policy based on information such as ports and protocols is configured on the firewall in advance; when a host needs to communicate, its data packet is sent to the directly connected switch and reported by the switch to the controller; the controller calculates a forwarding path and issues to the switch a path that passes through the firewall; the firewall processes all incoming packets according to the existing security policy.
That is to say, in the prior art every message is sent to the firewall for inspection, which easily drives the load on the firewall too high, so that messages can no longer be transmitted normally.
In summary, at present all messages are sent to the firewall for inspection, so the load on the firewall is too large.
Disclosure of Invention
The invention provides a method and equipment for determining a transmission path and updating an ACL (access control list), used to solve the problem in the prior art that the load on the firewall is excessive because all messages are sent to the firewall for inspection.
The embodiment of the invention provides a method for determining a transmission path, which comprises the following steps:
after receiving request information which is sent by a sending end and used for applying for communication, a controller determines transmission rule information of the request information from a first Access Control List (ACL) according to the request information;
the controller determines a transmission path from the sending end to the receiving end after determining that the sending end can send the message to the receiving end according to the transmission rule information;
the controller notifies the transmission path to the switches in the transmission path.
Because the first ACL which can detect the request information which is sent by the sending end and used for applying for communication is added in the controller, the controller can determine the transmission rule information of the request information according to the corresponding information configured in the ACL, thereby reducing the load pressure of the firewall.
Preferably, after receiving the request information for applying for communication sent by the sending end, the controller further includes:
when the controller cannot determine the transmission rule information of the request information from the first ACL, it sends the request information to a firewall;
after receiving the transmission rule information of the request information sent by the firewall, the controller updates the first ACL according to the transmission rule information of the request information, and determines the transmission rule information of the request information from the first ACL;
the controller determines a transmission path from the sending end to the receiving end after determining that the sending end can send the message to the receiving end according to the transmission rule information;
the controller notifies the transmission path to the switches in the transmission path.
When the controller cannot determine the transmission rule information of the request information, it sends the request information to the firewall for inspection and determination, so that the load on the firewall is reduced.
Preferably, after receiving the transmission rule information of the request information from the firewall, the controller further includes:
if the firewall does not send the transmission rule information of the request information through a second ACL, the controller places the request information and the received transmission rule information of the request information in the first ACL; or
if the firewall sends the transmission rule information of the request information through the second ACL, the controller updates the first ACL according to the received second ACL.
Because the controller updates the first ACL according to the updated second ACL or the transmission rule information of the firewall, the controller can directly determine the transmission rule information of the request information according to the first ACL after receiving the same request information, and determine the transmission path according to the determined transmission rule information, so that the controller can determine different transmission paths according to different request information, and the load pressure of the firewall is further reduced.
Preferably, the controller determines whether to allow the sending end to send the message to the receiving end according to the following modes:
if the transmission rule information is an allowance request or a safety request, the controller determines that the sending end is allowed to send the message to the receiving end;
if the transmission rule information is a suspicious request, the controller sends the request information to a firewall, and determines whether to allow a sending end to send a message to a receiving end according to the notification of the firewall;
and if the transmission rule information is a rejection request, the controller determines that the sending end is not allowed to send the message to the receiving end.
The controller can make a preliminary judgment on the request information when it is received, so that it can determine the appropriate transmission path for the message according to the different transmission rule information.
Preferably, if the transmission rule information is an allow request or the transmission rule information is a suspicious request and the sender is allowed to send the message to the receiver according to the notification of the firewall, the transmission path includes the firewall;
and if the transmission rule information is a security request, the transmission path does not include a firewall.
The controller can determine different transmission paths according to different transmission rule information, so that the load pressure of the firewall is reduced.
Preferably, after the controller notifies the switch in the transmission path of the transmission path, the method further includes:
after receiving updated transmission rule information sent by a firewall, the controller updates a first ACL according to the updated transmission rule information;
the controller re-determines the transmission rule information of the request information according to the updated first ACL;
the controller determines a transmission path from the sending end to the receiving end after determining that the sending end can send the message to the receiving end according to the transmission rule information;
the controller notifies the transmission path to the switches in the transmission path.
Since the transmission rule information of the request information can be changed dynamically as needed, the controller can dynamically determine the transmission path according to the transmission rule information.
Preferably, after notifying the switch in the transmission path of the transmission path and before receiving the updated transmission rule information of the request information notified by the firewall, the controller further includes:
and the controller samples the message corresponding to the request information transmitted between the sending end and the receiving end and sends the sampled message corresponding to the request information to the firewall.
Sampling the transmitted messages further ensures the security of message transmission.
Preferably, after the controller re-determines the transmission rule information of the request information according to the updated first ACL, the method further includes:
if the transmission rule information of the request information is determined to be a suspicious request again, the controller samples messages corresponding to other request information transmitted between the sending end and the receiving end, and sends the sampled messages corresponding to other request information to the firewall.
Because all messages are sampled once the transmission rule information of the request information is determined to be a suspicious request, the security of information transmission is improved.
Preferably, after the controller determines the transmission rule information of the request message, the controller further includes:
and after determining from the transmission rule information of the request information that the sending end is not allowed to send the message to the receiving end, the controller notifies all switches connected to the sending end.
The embodiment of the invention provides a method for updating an Access Control List (ACL), which comprises the following steps:
after receiving request information sent by a controller, a firewall determines transmission rule information of the request information according to a preset security policy;
and the firewall sends the transmission rule information or the second ACL containing the determined transmission rule information to the controller, so that the controller updates the first ACL used for judging whether to allow the transmission corresponding to the request information according to the received transmission rule information or the second ACL.
The firewall can send the transmission rule information or the second ACL containing the determined transmission rule information to the controller, so that the controller can update the first ACL used for judging whether to allow transmission corresponding to the request information according to the received transmission rule information or the second ACL, and the load pressure of the firewall is reduced.
Preferably, the method further comprises:
after receiving a message sent to a receiving end by a sending end, the firewall determines whether the message is safe or not according to a preset safety strategy;
if yes, sending the message to a corresponding switch according to the address information recorded in the message;
otherwise, the controller is notified to deny transmission of the message.
Preferably, after receiving the request message sent by the controller, the firewall determines, according to a preset security policy, transmission rule information of the request message:
if the determined transmission rule information of the request information is a suspicious request, the firewall detects messages corresponding to other request information transmitted between the sending end and the receiving end;
the sending end and the receiving end are used for transmitting the message corresponding to the request information.
Preferably, the firewall sends the transmission rule information or the updated second ACL to the controller, and after updating the first ACL, the method further includes:
the firewall detects the sampling message from the controller according to a preset security policy;
and the firewall informs the controller after detecting that the sampling message is a suspicious message.
An embodiment of the present invention provides a controller for determining a transmission path, including:
the first determining module is used for determining transmission rule information of request information from a first Access Control List (ACL) according to the request information after receiving the request information which is sent by a sending end and used for applying for communication;
the second determining module is used for determining a transmission path from the sending end to the receiving end after determining that the sending end can send the message to the receiving end according to the transmission rule information;
and the notification module is used for notifying the transmission path to the switch in the transmission path.
Preferably, the first determining module is further configured to:
after receiving request information sent by a sending end to apply for communication, when the transmission rule information of the request information cannot be determined from the first ACL, send the request information to a firewall; after the transmission rule information of the request information sent by the firewall is received, update the first ACL according to that transmission rule information and determine the transmission rule information of the request information from the first ACL;
the second determining module is further configured to:
after receiving request information for applying for communication sent by a sending end, determining a transmission path from the sending end to a receiving end after determining that the sending end can send a message to the receiving end according to the transmission rule information;
the notification module is further configured to:
and after receiving request information which is sent by a sending end and used for applying for communication, notifying the transmission path to a switch in the transmission path.
Preferably, the first determining module is further configured to:
after receiving the transmission rule information of the request information from the firewall, if the firewall does not send the transmission rule information of the request information through a second ACL, placing the request information and the received transmission rule information of the request information in the first ACL; or if the firewall sends the transmission rule information of the request information through the second ACL, updating the first ACL according to the received second ACL.
Preferably, the second determining module is further configured to:
if the transmission rule information is an allowance request or a safety request, determining that a sending end is allowed to send the message to a receiving end; if the transmission rule information is a suspicious request, sending the request information to a firewall, and determining whether to allow a sending end to send a message to a receiving end according to the notification of the firewall; and if the transmission rule information is a rejection request, determining that the sending end is not allowed to send the message to the receiving end.
Preferably, the first determining module is further configured to:
after the transmission path is notified to a switch in the transmission path, after updated transmission rule information sent by a firewall is received, updating a first ACL according to the updated transmission rule information; re-determining the transmission rule information of the request information according to the updated first ACL;
the second determining module is further configured to:
after the transmission path is informed to the switch in the transmission path, according to the transmission rule information, after the sending end is determined to be capable of sending the message to the receiving end, the transmission path from the sending end to the receiving end is determined;
the notification module is further configured to:
and after the transmission path is notified to the switch in the transmission path, notifying the switch in the transmission path of the transmission path.
Preferably, the controller further comprises:
and the sampling module is used for sampling the message corresponding to the request information transmitted between the transmitting end and the receiving end after the transmission path is informed to the switch in the transmission path and before the updated transmission rule information of the request information informed by the firewall is received, and transmitting the sampled message corresponding to the request information to the firewall.
Preferably, the sampling module is further configured to:
after the transmission rule information of the request information is re-determined according to the updated first ACL, if the transmission rule information of the request information is re-determined to be a suspicious request, sampling messages corresponding to other request information transmitted between the transmitting end and the receiving end, and transmitting the sampled messages corresponding to the other request information to a firewall.
Preferably, the notification module is further configured to:
and after the transmission rule information of the request information is determined, notifying all switches connected with the sending end after the sending end is determined not to be allowed to send the message to the receiving end according to the transmission rule information of the request information.
The embodiment of the invention provides firewall equipment for updating an Access Control List (ACL), which comprises:
the third determining module is used for determining transmission rule information of the request information according to a preset security strategy after receiving the request information sent by the controller;
and the updating module is used for sending the transmission rule information or the second ACL containing the determined transmission rule information to the controller so that the controller updates the first ACL used for judging whether to allow the transmission corresponding to the request information according to the received transmission rule information or the second ACL.
Preferably, the third determining module is further configured to:
after receiving a message sent to a receiving end by a sending end, determining whether the message is safe or not according to a preset safety strategy;
if yes, sending the message to a corresponding switch according to the address information recorded in the message;
otherwise, the controller is notified to deny transmission of the message.
Preferably, the third determining module is further configured to:
after request information sent by a controller is received, determining transmission rule information of the request information according to a preset safety strategy, and if the determined transmission rule information of the request information is a suspicious request, detecting messages corresponding to other request information transmitted between a sending end and a receiving end;
the sending end and the receiving end are used for transmitting the message corresponding to the request information.
Preferably, the update module is further configured to:
and sending the transmission rule information or the updated second ACL to the controller, detecting the sampling message from the controller according to a preset security policy after updating the first ACL, and notifying the controller after detecting that the sampling message is a suspicious message.
Drawings
Fig. 1 is a flowchart illustrating a method for determining a transmission path according to an embodiment of the invention;
Fig. 2 is a schematic diagram of a firewall security architecture based on SDN;
Fig. 3 is a flowchart illustrating a method for determining a transmission path according to a second embodiment of the present invention;
Fig. 4 is a flowchart illustrating a method for determining a transmission path according to a third embodiment of the present invention;
Fig. 5 is a diagram illustrating a controller for determining a transmission path according to a fourth embodiment of the present invention;
Fig. 6 is a schematic diagram of a firewall device for updating an access control list (ACL) according to a fifth embodiment of the present invention.
Detailed Description
After receiving request information which is sent by a sending end and used for applying for communication, a controller of the embodiment of the invention determines transmission rule information of the request information from a first Access Control List (ACL) according to the request information; determining a transmission path from the sending end to the receiving end after determining that the sending end can send the message to the receiving end according to the transmission rule information; the switch in the transmission path is then notified of the transmission path. According to the technical scheme, the first ACL which can detect the request information which is sent by the sending end and used for applying for communication is added in the controller, so that the controller can determine the transmission rule information of the request information according to the corresponding information configured in the ACL, and the load pressure of the firewall is reduced.
After receiving request information sent by a controller, a firewall of the embodiment of the invention determines transmission rule information of the request information according to a preset security policy; and sending the transmission rule information or the second ACL containing the determined transmission rule information to the controller, so that the controller updates the first ACL used for judging whether to allow the transmission corresponding to the request information according to the received transmission rule information or the second ACL. According to the technical scheme, the firewall can send the transmission rule information or the second ACL containing the determined transmission rule information to the controller, so that the controller can update the first ACL according to the received transmission rule information or the second ACL, the controller can determine the transmission rule information of the request information according to the updated first ACL, and the load pressure of the firewall is reduced.
The embodiments of the present invention will be described in further detail with reference to the drawings attached hereto.
As shown in fig. 1, a method for determining a transmission path according to an embodiment of the present invention includes:
step 100, after receiving request information for applying for communication sent by a sending end, a controller determines transmission rule information of the request information from a first Access Control List (ACL) according to the request information;
step 101, a controller determines a transmission path from a sending end to a receiving end after determining that the sending end can send a message to the receiving end according to transmission rule information;
in step 102, the controller notifies the switch in the transmission path of the transmission path.
Embodiments of the present invention may be applied to any architecture. If the embodiment of the present invention is applied to an SDN (Software Defined Network) architecture as shown in fig. 2, the first ACL storage may be stored in Firewall Agent Application Software (Firewall Agent Application), and the controller may query the first ACL through the Firewall Agent Application Software.
The request information is the information sent by the sending end to the controller when the sending end wants to send a message to the receiving end; it comprises the address information of the sending end and the receiving end, together with the type, size and other information of the message the sending end intends to send to the receiving end.
The transmission rule information is different identification codes added to blank fields in the netconf protocol in a customized manner according to user needs, wherein the different identification codes represent different transmission rule information.
The addition of different identification codes in the blank field of the netconf protocol is shown in table 1.
TABLE 1

  Identification code   Description of field
  001                   Allowing requests
  002                   Rejecting a request
  003                   Security request
  004                   Suspicious request

When the identification code is 001, the request is allowed; when it is 002, the request is rejected; when it is 003, the request is a security request; when it is 004, the request is a suspicious request.
The permission request indicates that the controller determines that the sending end can send the message to the receiving end, but the message needs to be sent to the receiving end through a firewall;
the rejection request means that the controller determines that the sending end can not send the message to the receiving end, and sends a notice of rejecting the request to a switch connected with the sending end;
the safety request indicates that the controller determines that the sending end can send the message to the receiving end, and the message is directly sent to the receiving end through the switch without passing through a firewall;
the suspicious request indicates that the controller is transitioning from partial sample detection to full sample detection for messages sent from the sender to the receiver.
The identification code 001 may equally be assigned to a suspicious request, a rejection request, a security request, or to request types other than these four; the identification codes 002, 003 and 004 are treated in the same way as 001 and are not described again here. There may be one, two or four identification codes, set by the user as required; in addition, the user may add, delete or modify transmission rule information as required.
After determining from the transmission rule information of the request information that the sending end can send the message to the receiving end, the controller determines a transmission path from the sending end to the receiving end.
If the controller determines that the sending end can not send the message to the receiving end according to the transmission rule information of the request information, the controller sends a notice of rejecting the request to a switch connected with the sending end.
Preferably, after receiving the request information for applying for communication sent by the sending end, the controller further includes:
when the controller cannot determine the transmission rule information of the request information from the first ACL, it sends the request information to a firewall;
after receiving the transmission rule information of the request information sent by the firewall, the controller updates the first ACL according to the transmission rule information of the request information, and determines the transmission rule information of the request information from the first ACL;
the controller determines a transmission path from the sending end to the receiving end after determining that the sending end can send the message to the receiving end according to the transmission rule information;
the controller notifies the transmission path to the switches in the transmission path.
That is, when the controller receives a new request message, and cannot determine the transmission rule information of the request message according to the first ACL in the controller, the controller sends the request message to the firewall, and the firewall determines the transmission rule information, that is, the identification code, of the request message according to the preset security policy.
After the firewall determines the transmission rule information of the request message, the request message is sent to the controller, the controller places the request message and the mark code in the first ACL, and updates the first ACL, so that the controller does not need to send the request message to the firewall for judgment when receiving the same request message.
Taking the network architecture of fig. 2 as an example, when server A applies for the first time to send a message to server B, server A sends a request message to the controller. Because the ACL of the controller has no transmission rule information corresponding to the request message, the request message sent by server A is forwarded to the firewall, which determines the transmission rule information of the request message according to a preset security policy and sends it to the controller. The controller updates its ACL according to that transmission rule information, then determines the transmission rule information of the request message from its ACL, and determines a transmission path for the message after determining that the message sent by the sending end may be sent to the receiving end.
Preferably, after receiving the transmission rule information of the request information from the firewall, the controller further includes:
if the firewall does not send the transmission rule information of the request information through the second ACL, the controller places the request information and the received transmission rule information of the request information in the first ACL; or
And if the firewall sends the transmission rule information of the request information through the second ACL, the controller updates the first ACL according to the received second ACL.
That is, the controller may update the first ACL based on the transmission rule information of the request information transmitted by the firewall, or may update the first ACL based on the updated second ACL transmitted by the firewall.
Taking the network architecture of fig. 2 as an example, the firewall sends the updated ACL to the controller, and the controller updates the ACL in the controller according to the updated ACL; the firewall can also send the transmission rule information to the controller, and the controller updates the ACL in the controller according to the transmission rule information.
Preferably, the controller determines whether to allow the sending end to send the message to the receiving end according to the following modes:
if the transmission rule information is an allowance request or a safety request, the controller determines that the sending end is allowed to send the message to the receiving end;
if the transmission rule information is a suspicious request, the controller sends the request information to a firewall, and determines whether to allow a sending end to send a message to a receiving end according to the notification of the firewall;
and if the transmission rule information is a rejection request, the controller determines that the sending end is not allowed to send the message to the receiving end.
Preferably, if the transmission rule information is an allow request or the transmission rule information is a suspicious request and the sender is allowed to send the message to the receiver according to the notification of the firewall, the transmission path includes the firewall.
And if the transmission rule information is a security request, the transmission path does not include a firewall.
That is, when the transmission rule information, i.e., the identification code, is a security request, the message transmitted from the sending end to the receiving end is determined to be secure and does not need to be sent to the firewall; when the transmission rule information, i.e., the identification code, is an allowance request, the message sent by the sending end to the receiving end is determined to be transmittable but still needs to be sent to the firewall for judgment.
Taking the network architecture of fig. 2 as an example, when the transmission rule information of the request information sent from server C to server D is an allow request, the transmission path may be server C -> switch I -> firewall -> switch I -> server D; when the transmission rule information of the request information sent from server A to server B is a suspicious request and it is determined according to the notification of the firewall that the sending end is allowed to send the message to the receiving end, the transmission path may be server A -> switch II -> firewall -> switch II -> server B.
When the transmission rule information of the request information sent by server B to server C is a security request, the transmission path determined by the controller is server B -> switch III -> server C; this path is the optimal transmission path, in that it has the fewest forwarding devices and the switch is in a normal working state.
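As an added illustration of how the rule class decides whether the firewall sits on the path (this is example code written for this page, not the patent's own implementation): the topology below is constructed so that it reproduces the three paths above, the rule-class strings and the function names are assumptions, and the path search is a plain breadth-first search in which only switches forward traffic, so the security-request path is the one with the fewest forwarding devices, as the text describes.

```python
from collections import deque

# Constructed topology (an assumption of this example, loosely modelled on the
# page's fig. 2 examples): servers attach to switches, the firewall to two of them.
TOPOLOGY = {
    "server A": {"switch II"},
    "server B": {"switch II", "switch III"},
    "server C": {"switch I", "switch III"},
    "server D": {"switch I"},
    "switch I": {"server C", "server D", "firewall", "switch II"},
    "switch II": {"server A", "server B", "firewall", "switch I", "switch III"},
    "switch III": {"server B", "server C", "switch II"},
    "firewall": {"switch I", "switch II"},
}

# The page's four rule classes; the string values are assumptions.
ALLOWANCE, SECURITY, SUSPICIOUS, REJECTION = "allowance", "security", "suspicious", "rejection"


def shortest_path(src, dst):
    """Breadth-first search over TOPOLOGY. Only switches forward traffic, so
    servers and the firewall may appear only at the ends of a hop sequence;
    BFS returns the path with the fewest forwarding devices."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        if node != src and not node.startswith("switch"):
            continue  # an endpoint reached mid-search cannot forward further
        for nxt in sorted(TOPOLOGY[node]):  # sorted: deterministic tie-breaking
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return None
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def transmission_path(src, dst, rule, firewall_allows=None):
    """Apply the page's rule: allowance requests, and suspicious requests the
    firewall has cleared, are routed through the firewall; security requests take
    the direct shortest path; rejection requests (and suspicious requests the
    firewall did not clear) get no path at all (None)."""
    if rule == REJECTION:
        return None
    if rule == SUSPICIOUS:
        if not firewall_allows:  # the controller waits for the firewall's notification
            return None
        rule = ALLOWANCE  # cleared, but the firewall stays on the path
    if rule == SECURITY:
        return shortest_path(src, dst)
    if rule == ALLOWANCE:
        to_fw = shortest_path(src, "firewall")
        from_fw = shortest_path("firewall", dst)
        if to_fw is None or from_fw is None:
            return None
        return to_fw + from_fw[1:]  # splice the two halves at the firewall hop
    raise ValueError(f"unknown rule class: {rule!r}")


if __name__ == "__main__":
    print(transmission_path("server C", "server D", ALLOWANCE))
    print(transmission_path("server A", "server B", SUSPICIOUS, firewall_allows=True))
    print(transmission_path("server B", "server C", SECURITY))
```

The firewall detour is computed as two shortest paths joined at the firewall, which is why the same switch appears twice on the allowance-request paths above: the firewall is a bump in the wire, not a forwarding device.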
Preferably, after the controller notifies the switch in the transmission path of the transmission path, the method further includes:
after receiving updated transmission rule information sent by a firewall, the controller updates a first ACL according to the updated transmission rule information;
the controller re-determines the transmission rule information of the request information according to the updated first ACL;
the controller determines a transmission path from the sending end to the receiving end after determining that the sending end can send the message to the receiving end according to the transmission rule information;
the controller notifies the transmission path to the switches in the transmission path.
Specifically, if the transmission rule information of the request information, that is, the identification code, is an allowance request, the request information is judged safe within a threshold range according to the security policy preset in the firewall. If the messages corresponding to the allowance request that pass through the firewall remain safe for a period of time, the firewall modifies the transmission rule information of the request information corresponding to those messages into a security request and sends the modified transmission rule information to the controller, after which the messages sent by the sending end to the receiving end no longer need to be judged by the firewall.
If the transmission rule information of the request information, that is, the identification code, is an allowance request, the firewall modifies the transmission rule information of the request information corresponding to the message into a security request according to its preset security policy, for example if no unsafe content is detected after 100 messages; the preset security policy of the firewall can be set differently according to different requirements and is not limited to this manner of dynamically modifying the transmission rule information.
In implementation, the transmission rule of the request message is not always the same, and the transmission rule of the request message may be dynamically changed according to a security policy preset in a firewall, where the security policy preset in the firewall is configured in the firewall according to a user requirement.
Preferably, after notifying the switch in the transmission path of the transmission path and before receiving the updated transmission rule information of the request information notified by the firewall, the controller further includes:
and the controller samples the message corresponding to the request information transmitted between the sending end and the receiving end and sends the sampled message corresponding to the request information to the firewall.
The controller instructs the switch to send transmitted messages to the controller according to a preset condition, such as at a fixed period, or by sending every 100th message to the controller after forwarding 99 messages, so that the controller samples the transmitted messages; the sampling form is not limited to the above manner as long as the controller can obtain the transmitted messages.
Preferably, after the controller re-determines the transmission rule information of the request information according to the updated first ACL, the method further includes:
if the transmission rule information of the request information is determined to be a suspicious request again, the controller samples messages corresponding to other request information transmitted between the sending end and the receiving end, and sends the sampled messages corresponding to other request information to the firewall.
That is, after the controller updates the first ACL and re-determines that the request information is a suspicious request, the controller samples 100% of the messages sent between the sending end and the receiving end, that is, monitors all of them; after detection has continued for a period of time, if no illegal or dangerous message is found, the transmission rule information of the request information is re-determined according to the preset security policy of the firewall.
Taking fig. 2 as an example, after receiving request information requesting to send a message from server A to server B, the controller determines that the request information is a suspicious request and sends the other messages transmitted between server A and server B to the firewall for detection. After the firewall has detected for a period of time, or has detected 100 messages, or has applied another form of security policy, if no exception is found, the controller dynamically modifies the transmission rule information of the message corresponding to the request information into a security request and resumes sampling detection of the messages between server A and server B.
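The rule lifecycle of the last few paragraphs (allowance request becomes a security request after a run of safe messages, every 100th message is sampled on security-request flows, a flow re-marked suspicious is inspected in full, and inline inspection that finds an unsafe message turns the rule into a rejection request) as an added simulation. This is example code written for this page, not the patent's implementation: the 100-message thresholds are the page's own example values, the `EVIL` marker stands in for whatever the firewall's preset security policy actually detects, and the class and function names are assumptions.

```python
# The page's four rule classes; the string values are assumptions.
ALLOWANCE, SECURITY, SUSPICIOUS, REJECTION = "allowance", "security", "suspicious", "rejection"

SAFE_STREAK_TO_PROMOTE = 100  # page's example: security request after 100 safe messages
SAMPLE_EVERY = 100            # page's example: the switch hands every 100th message over


def is_unsafe(message: bytes) -> bool:
    """Constructed stand-in for the firewall's preset security policy."""
    return b"EVIL" in message


class FlowState:
    def __init__(self, rule):
        self.rule = rule
        self.safe_streak = 0  # consecutive messages the firewall judged safe
        self.seen = 0         # messages the switch has forwarded for this flow


class DynamicPolicy:
    """Firewall-side rule lifecycle described on the page."""

    def __init__(self):
        self.flows = {}
        self.rule_updates = []  # (flow, new rule) notifications sent to the controller

    def register(self, flow, rule):
        self.flows[flow] = FlowState(rule)

    def _set_rule(self, flow, rule):
        state = self.flows[flow]
        if state.rule != rule:
            state.rule = rule
            state.safe_streak = 0
            self.rule_updates.append((flow, rule))  # the controller updates its first ACL

    def inspect(self, flow, message):
        """Judge one message. Returns True when it is safe to deliver."""
        state = self.flows[flow]
        if is_unsafe(message):
            if state.rule == SECURITY:
                self._set_rule(flow, SUSPICIOUS)  # a bad sample: inspect everything
            else:
                self._set_rule(flow, REJECTION)   # unsafe under inline inspection
            return False
        state.safe_streak += 1
        if state.rule in (ALLOWANCE, SUSPICIOUS) and state.safe_streak >= SAFE_STREAK_TO_PROMOTE:
            self._set_rule(flow, SECURITY)  # clean streak: the firewall leaves the path
        return True


def controller_samples(rule, seen):
    """The controller's sampling rule: every message for allowance and suspicious
    flows, every SAMPLE_EVERY-th message for security flows."""
    if rule in (ALLOWANCE, SUSPICIOUS):
        return True
    return rule == SECURITY and seen % SAMPLE_EVERY == 0


def forward(policy, flow, message):
    """Switch-side view of one message: returns whether it is delivered."""
    state = policy.flows[flow]
    state.seen += 1
    if state.rule == REJECTION:
        return False                       # the switch was told to discard the flow
    if state.rule == SECURITY:
        if controller_samples(state.rule, state.seen):
            policy.inspect(flow, message)  # a copy is inspected; delivery is direct
        return True
    return policy.inspect(flow, message)   # allowance/suspicious: firewall is inline


def simulate(policy, flow, messages):
    """Feed messages through forward() and return how many were delivered."""
    return sum(1 for m in messages if forward(policy, flow, m))


if __name__ == "__main__":
    policy = DynamicPolicy()
    policy.register(("server A", "server B"), ALLOWANCE)
    simulate(policy, ("server A", "server B"), [b"ok"] * 100)
    print(policy.rule_updates)
```

The simulation makes the trade-off of the scheme visible: once a flow holds a security request, only the sampled copy reaches the firewall, so an unsafe message that falls between samples is delivered and the flow is only demoted to suspicious when a later sample happens to be caught.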
Preferably, after the controller determines the transmission rule information of the request message, the controller further includes:
and the controller informs all the switches connected with the sending end after determining that the sending end is not allowed to send the message to the receiving end according to the transmission rule information of the request information.
Taking fig. 2 as an example, if the controller determines according to the first ACL that the transmission rule information of the request information with which server A applies for communication with server B is a rejection request, the controller notifies switch I, switch II, switch III, switch IV … connected to server A to reject the request.
As shown in fig. 3, a method for updating an access control list ACL according to a second embodiment of the present invention includes:
step 300, after receiving the request information sent by the controller, the firewall determines the transmission rule information of the request information according to a preset security policy;
step 301, the firewall sends the transmission rule information or the second ACL containing the determined transmission rule information to the controller, so that the controller updates the first ACL for determining whether to allow transmission corresponding to the request information according to the received transmission rule information or the second ACL.
It should be noted that the controller sends the request message to the firewall only when the controller cannot determine the transmission rule information of the request message.
The firewall sends the transmission rule information, or the updated second ACL containing it, to the controller to update the first ACL of the controller, so that when the controller receives the same request information again it can determine the transmission path of the message directly from the first ACL without sending the request to the firewall.
Preferably, after receiving a message sent by a sending end to a receiving end, the firewall determines whether the message is safe according to a preset security policy;
if yes, sending the message to a corresponding switch according to the address information recorded in the message;
otherwise, the controller is notified to deny transmission of the message.
When the controller determines that the transmission rule information of the request information is the permission request, the message needs to be sent to the firewall for judgment.
If the message is safe, the firewall returns it to the switch connected to the firewall according to the address information recorded in the message; if the message is unsafe, the firewall modifies the transmission rule information of the request information corresponding to the message into a rejection request, sends the transmission rule information to the controller and notifies the controller to reject transmission of the message, and the controller notifies the switch connected with the sending end to discard the message.
Taking fig. 2 as an example, after receiving a message sent by server A to server B, the firewall judges the security of the message. If the controller has determined that the transmission path of the message is server A -> switch I -> firewall -> switch I -> server B and the firewall determines that the message is secure, the firewall returns the message to switch I; otherwise, the transmission rule information of the request information corresponding to the message is modified into a rejection request and sent to the controller, and the controller then notifies switch I to reject the request.
Preferably, after receiving the request information sent by the controller, the firewall determines the transmission rule information of the request information according to a preset security policy, and:
if the determined transmission rule information of the request information is a suspicious request, the firewall detects messages corresponding to other request information transmitted between the sending end and the receiving end;
where the sending end and the receiving end are the ends between which the message corresponding to the request information is transmitted.
Taking fig. 2 as an example, if it is determined that the transmission rule information of the request information between server A and server B is a suspicious request, the firewall detects the messages corresponding to other request information between server A and server B.
Preferably, the firewall sends the transmission rule information or the updated second ACL to the controller, and after updating the first ACL, the method further includes:
the firewall detects the sampling message from the controller according to a preset security policy;
and the firewall informs the controller after detecting that the sampling message is a suspicious message.
Taking fig. 2 as an example, if the firewall receives a message sampled by the controller from the traffic between server A and server B, it detects the sampled message according to a preset security policy; if the message is a suspicious message, the firewall notifies the controller so that the controller detects all messages between server A and server B.
As shown in fig. 4, a method for determining a transmission path according to a third embodiment of the present invention includes:
in step 400, the controller receives request information for applying communication sent by the sending end.
In step 401, the controller determines whether the transmission rule information of the request information can be determined from the first ACL according to the request information, if yes, step 403 is executed, otherwise, step 402 is executed.
Step 402, the controller sends the request information to a firewall, and the firewall determines transmission rule information of the request information according to a preset security policy and sends the transmission rule information to the controller.
In step 403, the controller determines a transmission path from the sending end to the receiving end after determining that the sending end can send the message to the receiving end according to the transmission rule information.
In step 404, the controller notifies the switches in the transmission path of the determined transmission path.
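The controller side of steps 400 to 404, together with the two first-ACL update variants described earlier (a single rule versus the firewall's whole second ACL) and the rejection notice to every switch attached to the sending end, as an added example. It is written for this page and is not the patent's code: `Firewall`, `Controller`, the rule-class strings and the `POLICY`/`LINKS` sample data are all constructed, and the path shape is deliberately simplified to the first attached switch of each end with the firewall spliced in when inspection is required.

```python
# The page's four rule classes; the string values are assumptions.
ALLOWANCE, SECURITY, SUSPICIOUS, REJECTION = "allowance", "security", "suspicious", "rejection"

# Constructed sample data: the firewall's preset security policy and which
# switches each server is attached to (an assumption, not the page's fig. 2).
POLICY = {
    ("server A", "server B"): ALLOWANCE,
    ("server B", "server C"): SECURITY,
    ("server C", "server D"): REJECTION,
}
LINKS = {
    "server A": ["switch I", "switch II"],
    "server B": ["switch II"],
    "server C": ["switch III"],
    "server D": ["switch I"],
}


class Firewall:
    """Stand-in firewall: its policy dict, keyed by (sender, receiver), also
    plays the role of the page's second ACL."""

    def __init__(self, policy, cleared=(), send_second_acl=False):
        self.policy = dict(policy)
        self.cleared = set(cleared)  # suspicious flows the firewall waves through
        self.send_second_acl = send_second_acl

    def classify(self, request):
        """Answer a controller query (step 402). Unknown flows are marked
        suspicious; the reply is either one rule or the whole second ACL."""
        rule = self.policy.setdefault(request, SUSPICIOUS)
        if self.send_second_acl:
            return "acl", dict(self.policy)
        return "rule", rule

    def notify_suspicious(self, request):
        """Verdict the controller waits for when the rule is a suspicious request."""
        return request in self.cleared


class Controller:
    def __init__(self, firewall, links):
        self.firewall = firewall
        self.links = dict(links)
        self.first_acl = {}        # (sender, receiver) -> rule class
        self.firewall_queries = 0  # how often the firewall had to be consulted
        self.notifications = []    # (switch, instruction) handed to switches

    def handle_request(self, src, dst):
        request = (src, dst)
        # step 401: look in the first ACL; step 402: on a miss, ask the firewall
        if request not in self.first_acl:
            self.firewall_queries += 1
            kind, payload = self.firewall.classify(request)
            if kind == "acl":
                self.first_acl.update(payload)     # the firewall sent its second ACL
            else:
                self.first_acl[request] = payload  # the firewall sent a single rule
        rule = self.first_acl[request]
        # step 403: may the sending end transmit, and must the firewall see the traffic?
        allowed, via_firewall = self._decide(request, rule)
        if not allowed:
            for sw in self.links[src]:  # every switch attached to the sending end
                self.notifications.append((sw, f"reject {src}->{dst}"))
            return None
        # step 404: push the path to every switch on it
        path = self._path(src, dst, via_firewall)
        for hop in path:
            if hop.startswith("switch"):
                self.notifications.append((hop, "install " + " -> ".join(path)))
        return path

    def _decide(self, request, rule):
        if rule == ALLOWANCE:
            return True, True
        if rule == SECURITY:
            return True, False
        if rule == SUSPICIOUS:
            return self.firewall.notify_suspicious(request), True
        return False, False  # rejection request

    def _path(self, src, dst, via_firewall):
        """Constructed path shape: first attached switch of each end, with the
        firewall spliced in between them when the rule demands inspection."""
        sw_src, sw_dst = self.links[src][0], self.links[dst][0]
        if via_firewall:
            return [src, sw_src, "firewall", sw_dst, dst]
        if sw_src == sw_dst:
            return [src, sw_src, dst]
        return [src, sw_src, sw_dst, dst]


if __name__ == "__main__":
    ctrl = Controller(Firewall(POLICY), LINKS)
    print(ctrl.handle_request("server A", "server B"), ctrl.firewall_queries)
    print(ctrl.handle_request("server A", "server B"), ctrl.firewall_queries)
```

The second call for the same request is served from the first ACL without a firewall query, which is the load reduction the page claims; with `send_second_acl=True` a single miss populates the first ACL with every flow the firewall already knows about.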
Based on the same inventive concept, an embodiment of the present invention further provides a controller for determining a transmission path. Since the method corresponding to this controller is the method for determining a transmission path described above, the implementation of the controller may refer to the implementation of the method, and repeated details are not described again.
As shown in fig. 5, a controller for determining a transmission path according to a fourth embodiment of the present invention includes:
a first determining module 500, configured to determine, after receiving request information sent by a sending end and used for applying for communication, transmission rule information of the request information from a first access control list ACL according to the request information;
a second determining module 501, configured to determine, according to the transmission rule information, a transmission path from the sending end to the receiving end after determining that the sending end can send the message to the receiving end;
a notifying module 502, configured to notify the switch in the transmission path of the transmission path.
Preferably, the first determining module 500 is further configured to:
after receiving request information sent by a sending end and used for applying for communication, send the request information to a firewall when the transmission rule information of the request information cannot be determined from the first ACL according to the request information; after the transmission rule information of the request information sent by the firewall is received, update the first ACL according to the transmission rule information of the request information, and determine the transmission rule information of the request information from the first ACL;
the second determining module 501 is further configured to:
after receiving request information for applying for communication sent by a sending end, determining a transmission path from the sending end to a receiving end after determining that the sending end can send a message to the receiving end according to the transmission rule information;
the notification module 502 is further configured to:
and after receiving request information which is sent by a sending end and used for applying for communication, notifying the transmission path to a switch in the transmission path.
Preferably, the first determining module 500 is further configured to:
after receiving the transmission rule information of the request information from the firewall, if the firewall does not send the transmission rule information of the request information through a second ACL, placing the request information and the received transmission rule information of the request information in the first ACL; or if the firewall sends the transmission rule information of the request information through the second ACL, updating the first ACL according to the received second ACL.
Preferably, the second determining module 501 is further configured to:
if the transmission rule information is an allowance request or a safety request, determining that a sending end is allowed to send the message to a receiving end; if the transmission rule information is a suspicious request, sending the request information to a firewall, and determining whether to allow a sending end to send a message to a receiving end according to the notification of the firewall; and if the transmission rule information is a rejection request, determining that the sending end is not allowed to send the message to the receiving end.
Preferably, the first determining module 500 is further configured to:
after the transmission path is notified to a switch in the transmission path, after updated transmission rule information sent by a firewall is received, updating a first ACL according to the updated transmission rule information; re-determining the transmission rule information of the request information according to the updated first ACL;
the second determining module 501 is further configured to:
after the transmission path is informed to the switch in the transmission path, according to the transmission rule information, after the sending end is determined to be capable of sending the message to the receiving end, the transmission path from the sending end to the receiving end is determined;
the notification module 502 is further configured to:
and after the transmission path is notified to the switch in the transmission path, notifying the switch in the transmission path of the transmission path.
Preferably, the controller further includes:
the sampling module 503 is configured to sample a message corresponding to the request information transmitted between the sending end and the receiving end after the transmission path is notified to the switch in the transmission path and before the updated transmission rule information of the request information notified by the firewall is received, and send the sampled message corresponding to the request information to the firewall.
Preferably, the sampling module 503 is further configured to:
after the transmission rule information of the request information is re-determined according to the updated first ACL, if the transmission rule information of the request information is re-determined to be a suspicious request, sampling messages corresponding to other request information transmitted between the transmitting end and the receiving end, and transmitting the sampled messages corresponding to the other request information to a firewall.
Preferably, the notification module 502 is further configured to:
and after the transmission rule information of the request information is determined, notifying all switches connected with the sending end after the sending end is determined not to be allowed to send the message to the receiving end according to the transmission rule information of the request information.
Based on the same inventive concept, an embodiment of the present invention further provides a firewall device for updating an access control list ACL. Since the method corresponding to this firewall device is the method for updating an access control list ACL described above, the implementation of the firewall device may refer to the implementation of the method, and repeated details are not described again.
As shown in fig. 6, a firewall device for updating an access control list ACL according to a fifth embodiment of the present invention includes:
a third determining module 600, configured to determine, after receiving request information sent by a controller, transmission rule information of the request information according to a preset security policy;
an updating module 601, configured to send the transmission rule information or the second ACL containing the determined transmission rule information to the controller, so that the controller updates the first ACL for determining whether to allow transmission corresponding to the request information according to the received transmission rule information or the second ACL.
Preferably, the third determining module 600 is further configured to:
after receiving a message sent by a sending end to a receiving end, determining whether the message is safe according to a preset security policy;
if yes, sending the message to a corresponding switch according to the address information recorded in the message;
otherwise, the controller is notified to deny transmission of the message.
Preferably, the third determining module 600 is further configured to:
after request information sent by a controller is received, determining transmission rule information of the request information according to a preset security policy, and if the determined transmission rule information of the request information is a suspicious request, detecting messages corresponding to other request information transmitted between the sending end and the receiving end;
where the sending end and the receiving end are the ends between which the message corresponding to the request information is transmitted.
Preferably, the updating module 601 is further configured to:
and sending the transmission rule information or the updated second ACL to the controller, detecting the sampling message from the controller according to a preset security policy after updating the first ACL, and notifying the controller after detecting that the sampling message is a suspicious message.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (19)

1. A method of determining a transmission path, the method comprising:
after receiving request information which is sent by a sending end and used for applying for communication, a controller determines transmission rule information of the request information from a first Access Control List (ACL) according to the request information;
the controller determines a transmission path from the sending end to the receiving end after determining that the sending end can send the message to the receiving end according to the transmission rule information;
the controller notifies the transmission path to a switch in the transmission path;
after determining the transmission rule information of the request information, the controller further includes:
the controller informs all the switches connected with the sending end after determining that the sending end is not allowed to send the message to the receiving end according to the transmission rule information of the request information;
after receiving the request information for applying for communication sent by the sending end, the controller further includes:
the controller sends the request information to a firewall when the transmission rule information of the request information cannot be determined from the first ACL according to the request information;
after receiving the transmission rule information of the request information sent by the firewall, the controller updates the first ACL according to the transmission rule information of the request information, and determines the transmission rule information of the request information from the first ACL;
the controller determines a transmission path from the sending end to the receiving end after determining that the sending end can send the message to the receiving end according to the transmission rule information;
the controller notifies the transmission path to the switches in the transmission path.
2. The method of claim 1, wherein the controller, after receiving the transmission rule information of the request message from the firewall, further comprises:
if the firewall does not send the transmission rule information of the request information through the second ACL, the controller places the request information and the received transmission rule information of the request information in the first ACL; or
And if the firewall sends the transmission rule information of the request information through the second ACL, the controller updates the first ACL according to the received second ACL.
3. The method of claim 1, wherein the controller determines whether to allow the sender to send the message to the receiver according to:
if the transmission rule information is an allowance request or a safety request, the controller determines that the sending end is allowed to send the message to the receiving end;
if the transmission rule information is a suspicious request, the controller sends the request information to a firewall, and determines whether to allow a sending end to send a message to a receiving end according to the notification of the firewall;
and if the transmission rule information is a rejection request, the controller determines that the sending end is not allowed to send the message to the receiving end.
4. The method of claim 3, wherein if the transmission rule information is an allow request or the transmission rule information is a suspicious request and the sender is allowed to send the message to the receiver according to the notification of the firewall, the transmission path includes the firewall;
and if the transmission rule information is a security request, the transmission path does not include a firewall.
5. The method of claim 3, wherein, after the controller notifies the switches in the transmission path of the transmission path, the method further comprises:
after receiving updated transmission rule information sent by the firewall, the controller updates the first ACL according to the updated transmission rule information;
the controller re-determines the transmission rule information of the request information according to the updated first ACL;
the controller determines a transmission path from the sending end to the receiving end after determining that the sending end can send the message to the receiving end according to the transmission rule information;
the controller notifies the transmission path to the switches in the transmission path.
6. The method of claim 5, wherein, after the controller notifies the switches in the transmission path of the transmission path and before the controller receives the updated transmission rule information of the request information sent by the firewall, the method further comprises:
the controller samples the messages corresponding to the request information transmitted between the sending end and the receiving end, and sends the sampled messages corresponding to the request information to the firewall.
7. The method of claim 6, wherein, after the controller re-determines the transmission rule information of the request information according to the updated first ACL, the method further comprises:
if the transmission rule information of the request information is determined to be a suspicious request again, the controller samples messages corresponding to other request information transmitted between the sending end and the receiving end, and sends the sampled messages corresponding to other request information to the firewall.
8. A method of updating an access control list ACL, the method comprising:
after receiving request information sent by a controller, a firewall determines transmission rule information of the request information according to a preset security policy;
the firewall sends the transmission rule information or a second ACL containing the determined transmission rule information to the controller, so that the controller updates the first ACL used for judging whether to allow transmission corresponding to the request information according to the received transmission rule information or the second ACL;
wherein, the method also comprises:
after receiving a message sent by a sending end to a receiving end, the firewall determines whether the message is safe according to the preset security policy;
if yes, sending the message to a corresponding switch according to the address information recorded in the message;
otherwise, the controller is notified to deny transmission of the message.
9. The method of claim 8, wherein, after the firewall receives the request information sent by the controller and determines the transmission rule information of the request information according to the preset security policy, the method further comprises:
if the determined transmission rule information of the request information is a suspicious request, the firewall inspects the messages corresponding to other request information transmitted between the sending end and the receiving end;
wherein the sending end and the receiving end are the two ends between which the message corresponding to the request information is transmitted.
10. The method of claim 8, wherein, after the firewall sends the transmission rule information or the updated second ACL to the controller for updating the first ACL, the method further comprises:
the firewall inspects the sampled message received from the controller according to the preset security policy;
the firewall notifies the controller after detecting that the sampled message is a suspicious message.
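The method claims above (claims 1 to 10; the controller and firewall apparatus claims 11 to 19 that follow mirror them) describe a protocol between a controller holding a first ACL and a firewall holding a second ACL. The following Python is an added simulation of that exchange, not the patent's own implementation: it shows the first-ACL lookup that falls through to the firewall on a miss, the merge of the returned second ACL into the first ACL, the four transmission-rule outcomes, the placement of the firewall on the transmission path, the deny notification to the sender's switches, and a sampling-driven rule update that re-runs the path decision. The `Request` key, the `Rule` values, the switch topology, the payload markers, the firewall's default for unknown requests and the firewall's position behind the first-hop switch are all assumptions made for the example.

```python
"""Constructed simulation of the controller / firewall ACL workflow.

Everything here (data structures, lookup key, topology, policy defaults) is an
assumption for illustration; it is not the patent's implementation.
"""
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Rule(Enum):
    ALLOW = "allow"            # forward, but keep the firewall on the path
    SECURITY = "security"      # trusted: the path bypasses the firewall
    SUSPICIOUS = "suspicious"  # the firewall decides before forwarding
    REJECT = "reject"          # drop; notify the sender's switches


# Assumed lookup key for "request information": (sender, receiver, port).
Request = Tuple[str, str, int]


class Firewall:
    """Applies a preset security policy and maintains the 'second ACL'."""

    def __init__(self, policy: Dict[Request, Rule], bad_markers: Tuple[bytes, ...]):
        self.policy = policy                 # constructed preset security policy
        self.bad_markers = bad_markers       # constructed payload signatures
        self.second_acl: Dict[Request, Rule] = {}

    def evaluate(self, req: Request) -> Dict[Request, Rule]:
        # Unknown requests default to SUSPICIOUS (assumption). The whole
        # second ACL is returned so the controller can merge it (claim 2).
        self.second_acl[req] = self.policy.get(req, Rule.SUSPICIOUS)
        return dict(self.second_acl)

    def allow_suspicious(self, req: Request) -> bool:
        # Claim 3: for a suspicious request the controller defers to the firewall.
        return self.policy.get(req) in (Rule.ALLOW, Rule.SECURITY)

    def inspect_sample(self, req: Request, payload: bytes) -> Optional[Rule]:
        # Claim 10: inspect a sampled packet; report an updated rule if suspicious.
        if any(marker in payload for marker in self.bad_markers):
            self.second_acl[req] = Rule.REJECT
            return Rule.REJECT
        return None


class Controller:
    """Maintains the 'first ACL' and computes transmission paths."""

    def __init__(self, fw: Firewall, switches_of: Dict[str, List[str]],
                 route: Dict[Tuple[str, str], List[str]]):
        self.fw = fw
        self.first_acl: Dict[Request, Rule] = {}
        self.switches_of = switches_of   # host -> switches it is attached to
        self.route = route               # (sender, receiver) -> switch path
        self.notified: List[Tuple[str, str, Request]] = []  # (switch, action, req)

    def rule_for(self, req: Request) -> Rule:
        # Claim 1: look up the first ACL; on a miss ask the firewall and merge
        # the returned second ACL into the first ACL (claim 2, second branch).
        if req not in self.first_acl:
            self.first_acl.update(self.fw.evaluate(req))
        return self.first_acl[req]

    def handle_request(self, req: Request) -> Optional[List[str]]:
        sender, receiver, _ = req
        rule = self.rule_for(req)
        if rule == Rule.REJECT:
            allowed = False
        elif rule == Rule.SUSPICIOUS:
            allowed = self.fw.allow_suspicious(req)
        else:
            allowed = True
        if not allowed:
            # Claim 11: every switch attached to the sender is told to drop the flow.
            for sw in self.switches_of[sender]:
                self.notified.append((sw, "deny", req))
            return None
        path = list(self.route[(sender, receiver)])
        if rule != Rule.SECURITY:
            # Claim 4: allow / suspicious paths traverse the firewall, which is
            # assumed here to sit behind the first-hop switch.
            path.insert(1, "firewall")
        for sw in path:
            if sw != "firewall":
                self.notified.append((sw, "path", req))
        return path

    def sample_to_firewall(self, req: Request, packets: List[bytes],
                           every: int = 2) -> Optional[Rule]:
        # Claim 6: send every N-th packet of the flow to the firewall; return the
        # updated rule the firewall reports, or None if it stays silent.
        for payload in packets[::every]:
            updated = self.fw.inspect_sample(req, payload)
            if updated is not None:
                return updated
        return None

    def on_firewall_update(self, req: Request, rule: Rule) -> Optional[List[str]]:
        # Claim 5: update the first ACL, re-determine the rule and the path.
        self.first_acl[req] = rule
        return self.handle_request(req)
```

In a run with a constructed policy, an `ALLOW` request yields a path with the firewall inserted, a `SECURITY` request yields the bare switch path, a `REJECT` or unknown (hence `SUSPICIOUS` and not explicitly allowed) request yields no path and a deny notification to the sender's switches, and a sampled packet carrying a bad marker causes the firewall to report `REJECT`, after which the controller's re-evaluation withdraws the path.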
11. A controller for determining a transmission path, the controller comprising:
the first determining module is used for determining transmission rule information of request information from a first Access Control List (ACL) according to the request information after receiving the request information which is sent by a sending end and used for applying for communication;
the second determining module is used for determining a transmission path from the sending end to the receiving end after determining that the sending end can send the message to the receiving end according to the transmission rule information;
a notification module, configured to notify the transmission path to a switch in the transmission path;
wherein the notification module is further configured to:
after the transmission rule information of the request information is determined, and after it is determined according to that transmission rule information that the sending end is not allowed to send the message to the receiving end, notifying all switches connected to the sending end;
wherein the first determining module is further configured to:
after receiving request information sent by a sending end and used for applying for communication, when the transmission rule information of the request information cannot be determined from the first ACL according to the request information, sending the request information to a firewall; after receiving the transmission rule information of the request information sent by the firewall, updating the first ACL according to that transmission rule information and determining the transmission rule information of the request information from the updated first ACL;
the second determining module is further configured to:
after receiving request information sent by a sending end and used for applying for communication, determine a transmission path from the sending end to a receiving end after determining that the sending end can send the message to the receiving end according to the transmission rule information;
the notification module is further configured to:
after receiving request information sent by a sending end and used for applying for communication, notify the transmission path to the switches in the transmission path.
12. The controller of claim 11, wherein the first determining module is further configured to:
after receiving the transmission rule information of the request information from the firewall, if the firewall does not send the transmission rule information of the request information through a second ACL, placing the request information and the received transmission rule information of the request information in the first ACL; or if the firewall sends the transmission rule information of the request information through the second ACL, updating the first ACL according to the received second ACL.
13. The controller of claim 11, wherein the second determining module is further configured to:
if the transmission rule information is an allow request or a security request, determine that the sending end is allowed to send the message to the receiving end; if the transmission rule information is a suspicious request, send the request information to the firewall and determine, according to the notification of the firewall, whether to allow the sending end to send the message to the receiving end; and if the transmission rule information is a rejection request, determine that the sending end is not allowed to send the message to the receiving end.
14. The controller of claim 13, wherein the first determining module is further configured to:
after the transmission path has been notified to the switches in the transmission path and updated transmission rule information sent by the firewall has been received, update the first ACL according to the updated transmission rule information, and re-determine the transmission rule information of the request information according to the updated first ACL;
the second determining module is further configured to:
after the transmission path has been notified to the switches in the transmission path, determine a transmission path from the sending end to the receiving end after determining, according to the re-determined transmission rule information, that the sending end can send the message to the receiving end;
the notification module is further configured to:
after the transmission path has been notified to the switches in the transmission path, notify the switches in the newly determined transmission path of that transmission path.
15. The controller of claim 14, further comprising:
a sampling module, configured to sample the messages corresponding to the request information transmitted between the sending end and the receiving end after the transmission path has been notified to the switches in the transmission path and before the updated transmission rule information of the request information sent by the firewall is received, and to send the sampled messages corresponding to the request information to the firewall.
16. The controller of claim 15, wherein the sampling module is further configured to:
after the transmission rule information of the request information is re-determined according to the updated first ACL, if the transmission rule information of the request information is again determined to be a suspicious request, sample the messages corresponding to other request information transmitted between the sending end and the receiving end, and send the sampled messages corresponding to the other request information to the firewall.
17. A firewall device for updating an access control list ACL, the firewall device comprising:
a third determining module, configured to determine transmission rule information of request information according to a preset security policy after receiving the request information sent by a controller;
the updating module is used for sending the transmission rule information or the second ACL containing the determined transmission rule information to the controller so that the controller updates the first ACL used for judging whether to allow the transmission corresponding to the request information according to the received transmission rule information or the second ACL;
wherein the third determining module is further configured to:
after receiving a message sent by a sending end to a receiving end, determine whether the message is safe according to the preset security policy; if yes, send the message to the corresponding switch according to the address information recorded in the message; otherwise, notify the controller to deny transmission of the message.
18. The firewall device of claim 17, wherein the third determining module is further configured to:
after the request information sent by the controller is received, determine the transmission rule information of the request information according to the preset security policy, and, if the determined transmission rule information of the request information is a suspicious request, inspect the messages corresponding to other request information transmitted between the sending end and the receiving end;
wherein the sending end and the receiving end are the two ends between which the message corresponding to the request information is transmitted.
19. The firewall device of claim 17, wherein the updating module is further configured to:
after sending the transmission rule information or the updated second ACL to the controller for updating the first ACL, inspect the sampled message received from the controller according to the preset security policy, and notify the controller after detecting that the sampled message is a suspicious message.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410730053.9A CN105721334B (en) 2014-12-04 2014-12-04 Method and equipment for determining transmission path and updating ACL

Publications (2)

Publication Number Publication Date
CN105721334A CN105721334A (en) 2016-06-29
CN105721334B true CN105721334B (en) 2020-02-18

Family

ID=56143397

Country Status (1)

Country Link
CN (1) CN105721334B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106657015B (en) * 2016-11-23 2020-09-22 China UnionPay Co., Ltd. SDN network-based data transmission method
CN110896380B (en) * 2019-11-28 2021-09-17 Maipu Communication Technology Co., Ltd. Flow table screening method and device, electronic equipment and readable storage medium

Citations (2)

Publication number Priority date Publication date Assignee Title
CN103051557A (en) * 2012-12-27 2013-04-17 Huawei Technologies Co., Ltd. Data stream processing method and system, controller and switching equipment
CN103428013A (en) * 2012-05-18 2013-12-04 Huawei Device Co., Ltd. Device managing method and system and gateway device

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
JP4356693B2 (en) * 2003-03-12 2009-11-04 NEC Corporation Message delivery apparatus and method, system and program thereof
JP5458688B2 (en) * 2009-03-19 2014-04-02 Fujitsu Limited Uniqueness guarantee support program, service providing system, and uniqueness guarantee realization method

Non-Patent Citations (1)

Title
Research and Functional Development of SDN Controller Architecture; Wu Jinhui; Wanfang Data Knowledge Service Platform; 2014-09-17; main text chapter 4, figure 4-19 *

Also Published As

Publication number Publication date
CN105721334A (en) 2016-06-29

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant