CN108494800A - Security data packet detection and processing method, device, P4 switch and medium - Google Patents


Info

Publication number
CN108494800A
Authority
CN
China
Legal status
Pending
Application number
CN201810390425.6A
Other languages
Chinese (zh)
Inventor
熊常春
Current Assignee
Guangzhou Vcmy Technology Co Ltd
Original Assignee
Guangzhou Vcmy Technology Co Ltd
Events
Application filed by Guangzhou Vcmy Technology Co Ltd
Priority to CN201810390425.6A
Publication of CN108494800A
Legal status: Pending

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/12: Applying verification of the received information
    • H04L 63/123: Applying verification of the received information, received data contents, e.g. message integrity
    • H04L 63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources


Abstract

The invention discloses a data-flow security detection and processing method, a device, a P4 switch and a computer-readable storage medium. The security data packet detection and processing method is executed by a P4 switch and includes: receiving a data packet over an uplink and parsing it to extract a first header field of the data packet; matching the first header field against a first state table issued by a predefined P4 configuration file and, on a successful match, writing the connection status attribute of the matching first record into the packet header; matching a second header field, which includes the connection attribute, against a transformation flow table issued by the predefined P4 configuration file and, on a successful match, carrying out a legitimacy check on the data packet with a checking algorithm; and, once the packet has passed the check, forwarding it. The security detection of every packet of a data flow is thus carried out on the P4 switch, realizing fine-grained access control.

Description

Security data packet detection and processing method, device, P4 switch and medium
Technical field
The present invention relates to the field of communication technology, and in particular to a data-flow security detection and processing method, a device, a P4 switch and a computer-readable storage medium.
Background
Software Defined Networking (SDN) is a new network architecture proposed by the Clean Slate research group at Stanford University in the United States. It defines and controls the network through software programming; its essential characteristics are the separation of the control plane from the data plane and the openness and programmability this brings, which make network management simpler and more flexible. It is regarded as a revolution in the networking field. An SDN operational network architecture comprises SDN controllers, switches and destination terminals. OpenFlow originated in the Stanford University Clean Slate project group; the paper setting out the concept was published by Nick McKeown et al. at ACM SIGCOMM in 2008. The OpenFlow protocol, the most common SDN southbound interface separating the control plane from the data plane, has so far evolved to version 1.5. Since the release of OpenFlow 1.0 the number of match fields has grown from the 12-tuple of version 1.0 to 40 in version 1.3 and finally to 45 match fields in version 1.5, and it keeps growing as new versions add support for new features. However, OpenFlow does not support adding match fields flexibly: every added match field requires rewriting the protocol stacks at both the controller and switch ends, together with the packet-processing logic of the switch. This undoubtedly increases the difficulty of switch design, seriously affects the version stability of the OpenFlow protocol and hinders its adoption. Although successive versions of the specification support more and more header protocol fields, multi-level rule tables cannot meet the needs of network development for greater switch programmability and flexibility.
In the course of implementing the embodiments of the present invention, the inventor found that, with the development and application of SDN, SDN networks face many new security challenges. The firewall application modules of SDN are not yet mature: their function is limited to simple packet filtering, and they apply security processing only to the first packet of a network flow, realizing only simple access control. Such simple control is far from sufficient for the security protection of the whole network. Moreover, in the existing architecture the SDN controller is the centralized control center, so whether a packet-filtering firewall or a stateful-inspection firewall is used, it has to be deployed at the controller. But when a host or network device transmits packets, only the first packet of the current flow can be inspected by the controller; for the other packets the controller cannot directly make a decision. If every packet were handed to the controller for inspection, this would impose a great performance cost on the controller.
Summary of the invention
In view of the above problems, the object of the present invention is to provide a data-flow security detection and processing method, a device, a P4 switch and a computer-readable storage medium, which carry out the security detection of all packets of a data flow on the P4 switch and thereby realize fine-grained access control.
In a first aspect, an embodiment of the present invention provides a security data packet detection and processing method, executed by a P4 switch and comprising the following steps:
receiving a data packet over an uplink and parsing the data packet to extract a first header field of the data packet;
matching the first header field of the data packet against a first state table issued by a predefined P4 configuration file, the first state table including at least one first record, each first record storing a connection status attribute;
when the first header field of the data packet matches a first record of the first state table, writing the connection status attribute of the matching first record into the packet header of the data packet;
matching a second header field, which includes the connection attribute, against a transformation flow table issued by the predefined P4 configuration file, the transformation flow table including at least one second record, each second record storing a connection status attribute and an action attribute;
when the second header field of the data packet matches a second record of the transformation flow table, carrying out a legitimacy check on the data packet with a checking algorithm;
after the data packet passes the check, forwarding the data packet according to the action attribute of the matching second record.
In a first implementation of the first aspect, the checking algorithm includes an MD5 checking algorithm;
and the step of carrying out a legitimacy check on the data packet with the checking algorithm when the second header field of the data packet matches a second record of the transformation flow table specifically includes:
when the second header field of the data packet matches a second record of the transformation flow table, padding the message length of the data packet so that the message length modulo 512 is 0;
recording the message length of the data packet after padding;
loading the standard magic numbers for the padded message of the data packet, the standard magic numbers being four integers denoted A, B, C and D, where A = (01234567)₁₆, B = (89ABCDEF)₁₆, C = (FEDCBA98)₁₆ and D = (76543210)₁₆;
carrying out four rounds of loop computation on the message of the data packet after loading the standard magic numbers, the computation using four functions built from the AND, OR, NOT and XOR operations.
In a second implementation of the first aspect, the method further includes:
receiving a predefined P4 configuration file and configuring the switch according to the predefined P4 configuration file.
In a third implementation of the first aspect, the second record additionally stores a next-state attribute,
and the security data packet detection and processing method further includes:
when the second header field of the data packet matches a second record of the transformation flow table, updating the connection status attribute of the corresponding first record according to the next-state attribute of the matching second record.
In a fourth implementation of the first aspect, the method further includes:
when the second header field of the data packet fails to match any second record of the transformation flow table, sending the second header field to the SDN controller; the second header field triggers the SDN controller to determine the type of the data packet from the second header field; when the data packet is determined to be a request packet, the controller carries out firewall rule matching on the second header field and, on a successful match, returns a transformation flow table entry; when the data packet is determined not to be a request packet, the controller matches the second header field against a second state table in the SDN controller and, on a successful match, returns a transformation flow table entry; the second state table includes at least one third record and characterizes the connection status of all data packets in the SDN network, each third record storing a connection status attribute; the transformation flow table entry includes the allocated next-state attribute and the set action attribute;
adding a second record corresponding to the data packet according to the transformation flow table entry returned by the SDN controller;
carrying out a legitimacy check on the data packet with the checking algorithm;
after the data packet passes the check, forwarding the data packet according to the next-state attribute and the action attribute of the correspondingly added second record.
According to the fourth implementation of the first aspect, in a fifth implementation of the first aspect, the second header field additionally triggers the SDN controller to return a packet loss instruction when firewall rule matching on the second header field is unsuccessful, and the SDN controller returns a packet loss instruction when the second header field fails to match the second state table;
and the security data packet detection and processing method further includes:
discarding the data packet according to the packet loss instruction returned by the SDN controller.
According to any of the above implementations of the first aspect, in a sixth implementation of the first aspect, the method further includes:
periodically obtaining from the SDN controller the second state table stored by the SDN controller, in order to update the first state table.
In a second aspect, an embodiment of the present invention provides a security data packet detection and processing device, including:
a first header parsing unit, for receiving a data packet over an uplink and parsing the data packet to extract a first header field of the data packet;
a first matching unit, for matching the first header field of the data packet against a first state table issued by a predefined P4 configuration file, the first state table including at least one first record, each first record storing a connection status attribute;
a connection status writing unit, for writing the connection status attribute of the matching first record into the packet header of the data packet when the first header field of the data packet matches a first record of the first state table;
a second matching unit, for matching a second header field, which includes the connection attribute, against a transformation flow table issued by the predefined P4 configuration file, the transformation flow table including at least one second record, each second record storing a connection status attribute and an action attribute;
a first legitimacy checking unit, for carrying out a legitimacy check on the data packet with a checking algorithm when the second header field of the data packet matches a second record of the transformation flow table;
a first packet forwarding unit, for forwarding the data packet according to the action attribute of the matching second record after the data packet passes the check.
In a first implementation of the second aspect, the checking algorithm includes an MD5 checking algorithm;
and the first legitimacy checking unit specifically includes:
a padding module, for padding the message length of the data packet so that the message length modulo 512 is 0 when the second header field of the data packet matches a second record of the transformation flow table;
a recording module, for recording the message length of the data packet after padding;
a magic number loading module, for loading the standard magic numbers for the padded message of the data packet, the standard magic numbers being four integers denoted A, B, C and D, where A = (01234567)₁₆, B = (89ABCDEF)₁₆, C = (FEDCBA98)₁₆ and D = (76543210)₁₆;
a loop computation module, for carrying out four rounds of loop computation on the message of the data packet after loading the standard magic numbers, the computation using four functions built from the AND, OR, NOT and XOR operations.
In a second implementation of the second aspect, the device further includes:
a configuration unit, for receiving a predefined P4 configuration file and configuring the switch according to the predefined P4 configuration file.
In a third implementation of the second aspect, the second record additionally stores a next-state attribute,
and the security data packet detection and processing device further includes:
a first updating unit, for updating the connection status attribute of the corresponding first record according to the next-state attribute of the matching second record when the second header field of the data packet matches a second record of the transformation flow table.
In a fourth implementation of the second aspect, the device further includes:
a second header field sending unit, for sending the second header field to the SDN controller when the second header field of the data packet fails to match any second record of the transformation flow table; the second header field triggers the SDN controller to determine the type of the data packet from the second header field; when the data packet is determined to be a request packet, the controller carries out firewall rule matching on the second header field and, on a successful match, returns a transformation flow table entry; when the data packet is determined not to be a request packet, the controller matches the second header field against a second state table in the SDN controller and, on a successful match, returns a transformation flow table entry; the second state table includes at least one third record and characterizes the connection status of all data packets in the SDN network, each third record storing a connection status attribute; the transformation flow table entry includes the allocated next-state attribute and the set action attribute;
a second record adding unit, for adding a second record corresponding to the data packet according to the transformation flow table entry returned by the SDN controller;
a second legitimacy checking unit, for carrying out a legitimacy check on the data packet with the checking algorithm;
a second packet forwarding unit, for forwarding the data packet according to the next-state attribute and the action attribute of the correspondingly added second record after the data packet passes the check.
According to the fourth implementation of the second aspect, in a fifth implementation of the second aspect, the second header field additionally triggers the SDN controller to return a packet loss instruction when firewall rule matching on the second header field is unsuccessful, and the SDN controller returns a packet loss instruction when the second header field fails to match the second state table;
and the security data packet detection and processing device further includes:
a packet loss unit, for discarding the data packet according to the packet loss instruction returned by the SDN controller.
According to any of the above implementations of the second aspect, in a sixth implementation of the second aspect, the device further includes:
a second updating unit, for periodically obtaining from the SDN controller the second state table stored by the SDN controller, in order to update the first state table.
In a third aspect, an embodiment of the present invention provides a P4 switch, including a processor, a memory and a computer program stored in the memory and configured to be executed by the processor, the processor implementing any one of the above security data packet detection and processing methods when it executes the computer program.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, characterized in that the computer-readable storage medium includes a stored computer program which, when run, controls the device on which the computer-readable storage medium is located to execute any one of the above security data packet detection and processing methods.
The data-flow security detection and processing method, device, P4 switch and computer-readable storage medium provided by the embodiments of the present invention have the following beneficial effects:
By setting up a first state table and a transformation flow table on the P4 switch, and programming the switch in the P4 language, the security detection and processing of all packets of a data flow is carried out on the P4 switch. When a packet reaches the P4 switch, the packet is parsed to extract its first header field, and the security detection of the packet is realized through the matching process against the first state table and the transformation flow table on the P4 switch. This realizes fine-grained access control: information related to the application-layer state is extracted and the forwarding of the packet is determined from that information, so that state-based access control is achieved with good adaptability, extensibility and lower overhead.
Description of the drawings
In order to explain the technical solution of the present invention more clearly, the drawings needed in the embodiments are briefly introduced below. It should be apparent that the drawings described below are only some embodiments of the present invention, and that a person of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of the security data packet detection and processing method provided by the first embodiment of the invention.
Fig. 2 is a schematic diagram of the P4 architecture provided by the first embodiment of the invention.
Fig. 3 is a structural schematic diagram of the security data packet detection and processing device provided by the fourth embodiment of the invention.
Detailed description of the embodiments
The technical solution in the embodiments of the present invention is described clearly and completely below with reference to the drawings of the embodiments. Evidently, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Referring to Fig. 1, a first embodiment of the invention provides a security data packet detection and processing method, executed by a P4 switch and comprising the following steps:
S11: receiving a data packet over an uplink and parsing the data packet to extract a first header field of the data packet.
In the embodiment of the present invention, before the security data packet detection and processing method is carried out, the P4 switch first receives a predefined P4 configuration file and configures itself according to it; that is, the predefined P4 configuration file is "burned" into the P4 switch. The predefined P4 configuration file is written in the P4 language; the P4 architecture is shown in Fig. 2. The P4 language satisfies: (1) protocol independence: the network device is not bound to any specific network protocol, and the user can describe any network data-plane protocol and packet-processing behaviour in the P4 language; this property is realized through a user-defined packet parser, the matching flow of match-action tables and a flow-control program; (2) target independence: the user can describe the way packets are processed without caring about the details of the underlying hardware; this property is realized by the P4 front-end and back-end compilers, the front-end compiler converting the high-level P4 program into an intermediate representation (IR) and the back-end compiler compiling the IR into a device configuration, so that the target device is configured automatically; (3) reconfigurability: the user may change the packet parsing and processing program at any time and configure the switch after compilation, so that reconfiguration in the field is truly achieved. To realize these properties the P4 compiler uses a modular design, and the inputs and outputs between modules all use configuration files of a standard format; for example, the output of the p4c-bm module is loaded into the bmv2 module as a JSON configuration file. In the embodiment of the present invention, the predefined P4 configuration file is configured into the chip of the P4 switch by means of P4 configuration, so that the P4 switch executes the security data packet detection and processing method.
S12: matching the first header field of the data packet against a first state table issued by the predefined P4 configuration file, the first state table including at least one first record, each first record storing a connection status attribute.
In the embodiment of the present invention, the first state table is composed of four-tuples (Match Field, State, Timeout, Packet_count), where Match Field includes the IP addresses of the packet (source address and destination address, which, since only the connection state matters, are not distinguished by direction when matching the session table) and the protocol type (TCP/UDP, ICMP, etc.); State denotes the connection state; Timeout denotes the timeout of the connection; and Packet_count denotes the number of packets that have passed. In this way security detection is carried out on all packets of a data flow.
S13: when the first header field of the data packet matches a first record of the first state table, writing the connection status attribute of the matching first record into the packet header of the data packet.
S14: matching a second header field, which includes the connection attribute, against a transformation flow table issued by the predefined P4 configuration file, the transformation flow table including at least one second record, each second record storing a connection status attribute and an action attribute.
In the embodiment of the present invention, the action attribute determines how the data packet is processed.
S15: when the second header field of the data packet matches a second record of the transformation flow table, carrying out a legitimacy check on the data packet with a checking algorithm.
In the embodiment of the invention, the second record additionally stores a next-state attribute; when the second header field of the data packet matches a second record of the transformation flow table, the P4 switch updates the connection status attribute of the corresponding first record according to the next-state attribute of the matching second record.
In the embodiment of the present invention, the checking algorithm includes an MD5 checking algorithm. Specifically, when the second header field of the data packet matches a second record of the transformation flow table, the P4 switch pads the message length of the data packet so that the message length modulo 512 is 0; records the message length of the data packet after padding; loads the standard magic numbers for the padded message, the standard magic numbers being four integers denoted A, B, C and D, where A = (01234567)₁₆, B = (89ABCDEF)₁₆, C = (FEDCBA98)₁₆ and D = (76543210)₁₆; and carries out four rounds of loop computation on the message after loading the standard magic numbers, the computation using four functions built from the AND, OR, NOT and XOR operations.
S16: after the data packet passes the check, forwarding the data packet according to the action attribute of the matching second record.
In the embodiment of the present invention, compared with a conventional OpenFlow flow table, the transformation flow table issued by the predefined P4 configuration file adds a state attribute (State) and a next-state attribute (Next_State), and redefines the process of matching a packet against a flow table entry: the match result depends not only on the packet header information but also on the state of the packet. On a successful match an OFPIT_SET_STATE instruction is executed, which assigns the next-state value (Next_State) of the matching record in the transformation flow table to the state attribute value in the state table; at the same time the packet is processed according to the action attribute (the ACTION instruction). If the match is unsuccessful, the P4 switch sends a Packet_in message containing the packet header and state information to the SDN controller, and the SDN controller responds with a Flow_mod message that adds a flow table entry to the P4 switch.
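The S11 to S16 pipeline above (first state table, state written into the header, transformation flow table with Next_State, Packet_in to the controller on a miss, OFPIT_SET_STATE on a hit) simulated as an added Python example; it is not the patent's P4 code. The TCP state names, the NEW state for a connection without a first record, the controller's firewall rule set and the use of a digest carried in the packet as the S15 check are assumptions of this example.

```python
import hashlib
import hmac
from dataclasses import dataclass

FORWARD, DROP = "FORWARD", "DROP"
NEW = "NEW"   # assumption: state given to a packet whose connection has no first record yet

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    flags: frozenset        # TCP flags, e.g. frozenset({"SYN"})
    payload: bytes = b""
    digest: bytes = b""     # constructed: MD5 digest carried with the packet for the S15 check
    state: str = ""         # connection status attribute written into the header in S13

@dataclass
class StateRecord:
    """First record: the (Match Field, State, Timeout, Packet_count) four-tuple."""
    match_field: tuple      # ({ip, ip}, proto); direction is not distinguished
    state: str
    timeout: int
    packet_count: int = 0

@dataclass
class TransformRecord:
    """Second record: header fields plus State -> (Next_State, action); "*" is a wildcard."""
    proto: str
    state: str
    flags: frozenset
    next_state: str
    action: str
    src: str = "*"
    dst: str = "*"
    def matches(self, pkt):
        return ((self.proto, self.state, self.flags) == (pkt.proto, pkt.state, pkt.flags)
                and self.src in ("*", pkt.src) and self.dst in ("*", pkt.dst))

def tcp_transform_table():
    """Constructed TCP handshake table; the initial SYN is deliberately absent, so a new
    connection is decided by the controller's firewall rules (Packet_in / Flow_mod)."""
    return [
        TransformRecord("TCP", "SYN_SENT", frozenset({"SYN", "ACK"}), "SYN_RECV", FORWARD),
        TransformRecord("TCP", "SYN_RECV", frozenset({"ACK"}), "ESTABLISHED", FORWARD),
        TransformRecord("TCP", "ESTABLISHED", frozenset({"ACK"}), "ESTABLISHED", FORWARD),
    ]

class Controller:
    """Stand-in SDN controller: a request packet (bare SYN) is checked against firewall
    rules; any other unmatched packet receives a packet loss instruction (None)."""
    def __init__(self, allowed):
        self.allowed = set(allowed)   # (src, dst, proto) tuples allowed to open a connection

    def packet_in(self, pkt):
        if pkt.flags == frozenset({"SYN"}) and (pkt.src, pkt.dst, pkt.proto) in self.allowed:
            return TransformRecord(pkt.proto, pkt.state, pkt.flags, "SYN_SENT", FORWARD,
                                   src=pkt.src, dst=pkt.dst)
        return None

class P4Switch:
    def __init__(self, transform_table, controller):
        self.state_table, self.transform_table = [], list(transform_table)
        self.controller = controller

    def process(self, pkt):
        key = (frozenset({pkt.src, pkt.dst}), pkt.proto)               # S11: first header field
        first = next((r for r in self.state_table if r.match_field == key), None)   # S12
        pkt.state = first.state if first else NEW                       # S13: state into header
        second = next((r for r in self.transform_table if r.matches(pkt)), None)    # S14
        if second is None:
            second = self.controller.packet_in(pkt)                     # Packet_in -> Flow_mod
            if second is None:
                return DROP                                             # packet loss instruction
            self.transform_table.append(second)
        if not hmac.compare_digest(hashlib.md5(pkt.payload).digest(), pkt.digest):  # S15
            return DROP
        if first is None:
            first = StateRecord(key, NEW, timeout=60)
            self.state_table.append(first)
        first.state = second.next_state                                 # OFPIT_SET_STATE
        first.packet_count += 1
        return second.action                                            # S16

def make_packet(src, dst, flags, payload=b"", digest=None):
    digest = hashlib.md5(payload).digest() if digest is None else digest   # correct by default
    return Packet(src, dst, "TCP", frozenset(flags), payload, digest)

def run_handshake_demo():
    """Walk a permitted TCP handshake and three rejected packets through the pipeline."""
    sw = P4Switch(tcp_transform_table(), Controller({("10.0.0.1", "10.0.0.2", "TCP")}))
    verdicts = [
        sw.process(make_packet("10.0.0.1", "10.0.0.2", {"SYN"})),
        sw.process(make_packet("10.0.0.2", "10.0.0.1", {"SYN", "ACK"})),
        sw.process(make_packet("10.0.0.1", "10.0.0.2", {"ACK"})),
        sw.process(make_packet("10.0.0.1", "10.0.0.2", {"ACK"}, b"data", digest=b"\0" * 16)),
        sw.process(make_packet("10.0.0.3", "10.0.0.2", {"SYN"})),   # not in firewall rules
        sw.process(make_packet("10.0.0.4", "10.0.0.2", {"ACK"})),   # ACK without a handshake
    ]
    return verdicts, sw.state_table
```

Calling `run_handshake_demo()` returns the six verdicts (three forwards, then a drop for the corrupted digest, a drop for the SYN the firewall rules reject, and a drop for the bare ACK with no connection state) together with the switch's first state table, which holds one ESTABLISHED record with a packet count of 3.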
In conclusion first embodiment of the invention provides a kind of data flow safety detection and processing method, by P4 First state table, transformation flow table are set on interchanger, is realized by P4 Programming with Pascal Language and is carried out in data flow on P4 interchangers The safety detection of all data packets and processing, when there is data packet to reach P4 interchangers, it is described to extract to parse the data packet First header field of data packet is realized by the matching process of first state table, transformation flow table on P4 interchangers to institute The safety detection process for stating data packet realizes fine-grained access control, extraction information related with application layer state, according to institute The forwarding of the related information determination data of application layer is stated, to realize the access control based on state, while being had preferable suitable Ying Xing, autgmentability and lower expense.
In order to facilitate the understanding of the present invention, some currently preferred embodiments of the present invention will be done and will further be retouched below It states.
Second embodiment of the invention:
On the basis of the first embodiment of the invention, the method further includes:
when the second header field of the data packet fails to match any second record of the transformation flow table, sending the second header field to the SDN controller; the second header field triggers the SDN controller to determine the type of the data packet from the second header field; when the data packet is determined to be a request packet, the controller carries out firewall rule matching on the second header field and, on a successful match, returns a transformation flow table entry; when the data packet is determined not to be a request packet, the controller matches the second header field against a second state table in the SDN controller and, on a successful match, returns a transformation flow table entry; the second state table includes at least one third record and characterizes the connection status of all data packets in the SDN network, each third record storing a connection status attribute; the transformation flow table entry includes the allocated next-state attribute and the set action attribute.
adding a second record corresponding to the data packet according to the transformation flow table entry returned by the SDN controller.
carrying out a legitimacy check on the data packet with the checking algorithm.
after the data packet passes the check, forwarding the data packet according to the next-state attribute and the action attribute of the correspondingly added second record.
In the embodiment of the present invention, the second header field additionally triggers the SDN controller to return a packet loss instruction when firewall rule matching on the second header field is unsuccessful, and the SDN controller returns a packet loss instruction when the second header field fails to match the second state table; the P4 switch discards the data packet according to the packet loss instruction returned by the SDN controller.
Third embodiment of the invention:
On the basis of the above embodiments, the method further includes:
Periodically obtaining from the SDN controller the second state table stored by the SDN controller, in order to update the first state table.
In this embodiment, the P4 switch periodically obtains the second state table stored by the SDN controller and uses it to update the first state table, so that the security detection of all packets in the data flows reaching the P4 switch can be performed. The second state table consists of four-tuples (Match Field, State, Timeout, Packet_count): Match Field contains the packet's IP addresses (source address and destination address, used only for the connection state and not distinguished as they would be in a session table) and the protocol type (TCP/UDP, ICMP, etc.); State indicates the connection state; Timeout indicates the time-out of the connection; Packet_count indicates the number of packets that have passed.
In this embodiment, the security packet detection and processing method of the invention is illustrated by taking the TCP packet state detection flow as an example:
(1) After a packet reaches the P4 switch, the P4 switch extracts the key header fields of the packet and matches them against the first state table in the P4 switch.
(2) If there is no match, the record is added to the first state table with its state set to DEFAULT, and processing continues at (4);
(3) If there is a match, the state information is written into the packet header;
(4) The packet header, now including the state information, is matched against the transformation flow table in the P4 switch. If matching fails, i.e., no corresponding flow table entry is found, the packet is handed to the SDN controller, which determines whether it is a SYN packet;
(5) If it is a SYN packet, a new connection is being established, so firewall rule matching is performed in the SDN controller. After a successful match, a flow-mod message is sent to the switch, which adds a record to the transformation flow table with the action attribute set to forward and a next-state attribute assigned. Once the switch has added the record, it immediately performs the SET_STATE operation, i.e., updates the first state table; the P4 switch then performs legitimacy detection on the packet and forwards it.
(6) If it is not a SYN packet, the packet may be part of an existing connection and no rule matching is needed; the SDN controller directly queries the second state table. If the connection is present, a Flow-mod message is issued, and the switch adds a record to the transformation flow table with the action attribute set to forward and a next-state attribute assigned. Once the switch has added the record, it immediately performs the SET_STATE operation, i.e., updates the first state table; the P4 switch then performs legitimacy detection on the packet and forwards it.
(7) If the packet matches both the first state table and the transformation flow table in the switch, the header information is not sent to the controller and the packet is handled directly by the P4 switch.
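As an added example that is not part of the patent, the following Python model walks the two-table pipeline of steps (1) to (7) together with the controller behaviour of the second and third embodiments: a first state table keyed by Match Field, a transformation flow table keyed by the state-carrying second header field, a controller that applies firewall rules to SYN packets and its second state table to everything else, the SET_STATE update, the legitimacy check, and the periodic table sync. The TCP state names other than DEFAULT, the transition table, the direction-agnostic connection key and the packet-carried reference digest are assumptions, since the page does not specify them.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Connection states of the constructed TCP state machine (the page itself names only DEFAULT).
DEFAULT, SYN_SENT, SYN_RECV, ESTABLISHED = "DEFAULT", "SYN_SENT", "SYN_RECV", "ESTABLISHED"
# Assumed legal transitions (current state, TCP flag) -> next state, held by the controller.
TRANSITIONS = {(SYN_SENT, "SYN-ACK"): SYN_RECV, (SYN_RECV, "ACK"): ESTABLISHED,
               (ESTABLISHED, "ACK"): ESTABLISHED}

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    flags: str            # "SYN", "SYN-ACK" or "ACK"
    payload: bytes = b""
    digest: bytes = b""   # assumed reference MD5 carried with the packet (not in the page)

@dataclass
class FirstRecord:        # row of the switch's first state table
    state: str
    timeout: int = 30
    packet_count: int = 0

@dataclass
class SecondRecord:       # row of the transformation flow table (a "flow table item")
    action: str           # "forward"
    next_state: str

def conn_key(pkt: Packet) -> Tuple[str, str, str]:
    """Match Field: both IPs plus protocol, direction-agnostic so one connection has one row."""
    a, b = sorted((pkt.src, pkt.dst))
    return (a, b, pkt.proto)

def make_packet(src: str, dst: str, flags: str, payload: bytes = b"") -> Packet:
    """Constructed TCP packet whose reference digest matches its payload."""
    return Packet(src, dst, "TCP", flags, payload, hashlib.md5(payload).digest())

class Controller:
    """SDN controller: firewall rules for new connections plus the second state table."""
    def __init__(self, firewall_rules):
        self.rules = set(firewall_rules)              # allowed (src, dst, proto) for request packets
        self.second_state_table: Dict[tuple, str] = {}
        self.requests = 0                             # how often the switch had to ask

    def handle(self, pkt: Packet) -> Optional[SecondRecord]:
        """Return a transformation flow table item, or None as the packet-loss instruction."""
        self.requests += 1
        key = conn_key(pkt)
        if pkt.flags == "SYN":                        # request packet: firewall rule match
            if (pkt.src, pkt.dst, pkt.proto) not in self.rules:
                return None
            self.second_state_table[key] = SYN_SENT
            return SecondRecord("forward", SYN_SENT)
        # not a request: only a tracked connection with a legal transition may continue
        nxt = TRANSITIONS.get((self.second_state_table.get(key), pkt.flags))
        if nxt is None:
            return None
        self.second_state_table[key] = nxt
        return SecondRecord("forward", nxt)

def md5_matches(pkt: Packet) -> bool:
    """Legitimacy check assumed here: recomputed MD5 of the payload equals the carried digest."""
    return hashlib.md5(pkt.payload).digest() == pkt.digest

class P4Switch:
    def __init__(self, controller: Controller, check: Callable[[Packet], bool] = md5_matches):
        self.controller = controller
        self.first_state_table: Dict[tuple, FirstRecord] = {}
        self.transform_flow_table: Dict[tuple, SecondRecord] = {}
        self.check = check

    def process(self, pkt: Packet) -> str:
        """Steps (1)-(7) of the page for one packet; returns "forward" or "drop"."""
        key = conn_key(pkt)
        rec = self.first_state_table.setdefault(key, FirstRecord(DEFAULT))  # (1)-(3)
        second_header = (key, rec.state, pkt.flags)   # the header now carries the state
        flow = self.transform_flow_table.get(second_header)                 # (4)
        if flow is None:                              # miss: hand the header to the controller
            flow = self.controller.handle(pkt)        # (5)/(6)
            if flow is None:
                return "drop"
            self.transform_flow_table[second_header] = flow  # flow-mod adds the second record
        rec.state = flow.next_state                   # SET_STATE: update the first state table
        rec.packet_count += 1
        if not self.check(pkt):                       # legitimacy detection
            return "drop"
        return flow.action                            # (7): a full hit never reaches the controller

    def sync_from_controller(self) -> None:
        """Third embodiment: refresh the first state table from the controller's second state table."""
        for key, state in self.controller.second_state_table.items():
            self.first_state_table.setdefault(key, FirstRecord(state)).state = state
```

A SYN from a pair with no firewall rule and an ACK that belongs to no tracked connection both come back from the controller as a drop, while repeated packets with the same (key, state, flags) are served by the switch's tables alone.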
Referring to Fig. 3, the fourth embodiment of the invention provides a security packet detection and processing apparatus, including:
A first header parsing unit 11, for receiving a packet over the uplink and parsing the packet to extract its first header field.
A first matching unit 12, for matching the first header field of the packet against the first state table issued by the predefined P4 configuration file; the first state table includes at least one first record, and a first record stores a connection state attribute.
A connection state writing unit 13, for writing, when the first header field of the packet successfully matches a first record in the first state table, the connection state attribute of the matched first record into the packet header.
A second matching unit 14, for matching the second header field, which includes the connection attribute, against the transformation flow table issued by the predefined P4 configuration file; the transformation flow table includes at least one second record, and a second record stores a connection state attribute and an action attribute.
A first legitimacy detection unit 15, for performing legitimacy detection on the packet when the second header field of the packet successfully matches a second record in the transformation flow table.
A first packet forwarding unit 16, for forwarding the packet, after it passes the detection, according to the action attribute in the matched second record.
In a first implementation of the fourth embodiment, the checking algorithm includes the MD5 checking algorithm;
the first legitimacy detection unit then specifically includes:
A padding module, for padding the message length of the packet, when the second header field of the packet successfully matches a second record in the transformation flow table, so that the message length of the packet modulo 512 is 0;
A recording module, for recording the message length of the padded packet;
A magic number loading module, for loading the standard magic numbers for the information of the padded packet; the standard magic numbers are four integers, denoted A, B, C and D, with A = (01234567)16, B = (89ABCDEF)16, C = (FEDCBA98)16 and D = (76543210)16;
A loop computation module, for performing four rounds of loop computation on the information of the packet after the standard magic numbers have been loaded; the computation uses the four linear functions AND, OR, NOT and XOR.
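The checking algorithm described by the four modules above (and again in claim 2) is standard MD5; as an added example that is not the patent's code, this Python implementation carries the padding, length recording, magic-number loading and four-round loop through and cross-checks the result against hashlib. The reference digest that the recomputed value is compared with is an assumption, since the page does not say what the digest is checked against.

```python
import hashlib
import hmac
import math
import struct

MASK = 0xFFFFFFFF
# The page's magic numbers A..D are the MD5 initial words written as byte sequences
# (01 23 45 67, 89 AB CD EF, ...); loaded little-endian they are these 32-bit values.
INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
# Per-step rotation amounts and the 64 sine-derived constants of standard MD5.
SHIFTS = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK for i in range(64)]

def pad_message(msg: bytes) -> bytes:
    """Padding and recording modules: pad to 448 bits mod 512, then append the original
    bit length, so the padded message is a whole number of 512-bit blocks."""
    bit_len = (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF
    padded = msg + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack("<Q", bit_len)

def rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK

def md5_digest(msg: bytes) -> bytes:
    """Magic-number loading plus loop computation: four rounds of 16 steps per block,
    each round with its own AND/OR/NOT/XOR function, starting from A, B, C, D."""
    a0, b0, c0, d0 = INIT
    padded = pad_message(msg)
    for off in range(0, len(padded), 64):
        m = struct.unpack("<16I", padded[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(64):
            if i < 16:                                # round 1: (B and C) or (not B and D)
                f, g = (b & c) | (~b & d), i
            elif i < 32:                              # round 2: (D and B) or (not D and C)
                f, g = (d & b) | (~d & c), (5 * i + 1) % 16
            elif i < 48:                              # round 3: B xor C xor D
                f, g = b ^ c ^ d, (3 * i + 5) % 16
            else:                                     # round 4: C xor (B or not D)
                f, g = c ^ (b | ~d), (7 * i) % 16
            f = (f + a + K[i] + m[g]) & MASK
            a, d, c, b = d, c, b, (b + rotl(f, SHIFTS[i])) & MASK
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)

def packet_is_legitimate(packet_bytes: bytes, reference_digest: bytes) -> bool:
    """Assumed legitimacy check: the recomputed digest must equal a reference digest
    supplied with the packet (the page does not specify the comparison source)."""
    return hmac.compare_digest(md5_digest(packet_bytes), reference_digest)

def matches_library(lengths=(0, 1, 55, 56, 63, 64, 65, 200)) -> bool:
    """Cross-check the hand-written digest against hashlib across the padding boundaries."""
    for n in lengths:
        msg = bytes(i % 256 for i in range(n))      # constructed input of length n
        if md5_digest(msg) != hashlib.md5(msg).digest():
            return False
    return True
```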
In a second implementation of the fourth embodiment, the apparatus further includes:
A configuration unit, for receiving the predefined P4 configuration file and configuring the switch according to the predefined P4 configuration file.
In a third implementation of the fourth embodiment, the second record also stores a next-state attribute,
and the security packet detection and processing apparatus then further includes:
A first updating unit, for updating, when the second header field of the packet successfully matches a second record in the transformation flow table, the connection state attribute in the corresponding first record according to the next-state attribute in the matched second record.
In a fourth implementation of the fourth embodiment, the apparatus further includes:
A second header field sending unit, for sending the second header field to the SDN controller when the second header field of the packet does not match any second record in the transformation flow table; the second header field triggers the SDN controller to determine the packet type from it: if the packet is a request packet, the controller performs firewall rule matching on the second header field and returns a transformation flow table item on a successful match; if the packet is not a request packet, the controller matches the second header field against the second state table held in the SDN controller and returns a transformation flow table item on a successful match; the second state table includes at least one third record and characterizes the connection state of all packets in the SDN network, a third record storing a connection state attribute; the transformation flow table item includes the assigned next-state attribute and the configured action attribute;
A second record adding unit, for adding the second record corresponding to the packet according to the transformation flow table item returned by the SDN controller;
A second legitimacy detection unit, for performing legitimacy detection on the packet;
A second packet forwarding unit, for forwarding the packet, after it passes the detection, according to the next-state attribute and the action attribute in the correspondingly added second record.
According to the fourth implementation of the fourth embodiment, in a fifth implementation of the fourth embodiment, the second header field also triggers the SDN controller to return a packet-drop instruction after firewall rule matching on the second header field fails, and the SDN controller returns a packet-drop instruction when the second header field does not match the second state table;
the security packet detection and processing apparatus then further includes:
A packet dropping unit, for dropping the packet according to the packet-drop instruction returned by the SDN controller.
According to any of the above implementations of the fourth embodiment, in a sixth implementation of the fourth embodiment, the apparatus further includes:
A second updating unit, for periodically obtaining from the SDN controller the second state table stored by the SDN controller, in order to update the first state table.
The fifth embodiment of the invention provides a P4 switch. The P4 switch of this embodiment includes a processor, a memory, and a computer program stored in the memory and runnable on the processor, such as a data flow security detection and processing program. When the processor executes the computer program, it implements the steps of the data flow security detection and processing method embodiments above, such as step S11 shown in FIG. 1. Alternatively, when executing the computer program the processor implements the functions of the modules/units in the apparatus embodiments above, such as the first header parsing unit.
Illustratively, the computer program may be divided into one or more modules/units, which are stored in the memory and executed by the processor to carry out the invention. The one or more modules/units may be a series of computer program instruction segments capable of completing specific functions, the instruction segments describing the execution of the computer program in the P4 switch.
The P4 switch may include, but is not limited to, a processor and a memory. Those skilled in the art will understand that the above components are merely an example of a P4 switch and do not limit it; a P4 switch may include more or fewer components than those listed, combine certain components, or use different components. For example, the P4 switch may also include input/output devices, network access devices, a bus, etc.
The processor may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, etc. A general-purpose processor may be a microprocessor or any conventional processor. The processor is the control center of the P4 switch and connects the parts of the entire P4 switch through various interfaces and lines.
The memory may be used to store the computer program and/or modules; the processor realizes the various functions of the P4 switch by running or executing the computer program and/or modules stored in the memory and by calling the data stored in the memory. The memory may mainly include a program storage area and a data storage area: the program storage area may store an operating system and the application programs required by at least one function; the data storage area may store data created according to the use of the switch. In addition, the memory may include high-speed random access memory and may also include non-volatile memory, such as a hard disk, memory, plug-in hard disk, Smart Media Card (SMC), Secure Digital (SD) card, flash card, at least one magnetic disk storage device, flash memory device, or other volatile solid-state storage device.
If the modules/units integrated in the P4 switch are implemented as software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium. On this understanding, all or part of the flow of the above method embodiments of the invention may also be completed by a computer program instructing the relevant hardware; the computer program may be stored in a computer-readable storage medium, and when it is executed by a processor the steps of the method embodiments above can be implemented. The computer program includes computer program code, which may be in source code form, object code form, an executable file, some intermediate form, etc. The computer-readable medium may include any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disc, computer memory, read-only memory (ROM), random access memory (RAM), an electrical carrier signal, a telecommunication signal, a software distribution medium, etc. Note that the content included in the computer-readable medium may be increased or decreased as appropriate according to the requirements of legislation and patent practice in the jurisdiction; for example, in some jurisdictions, according to legislation and patent practice, the computer-readable medium does not include electrical carrier signals and telecommunication signals.
It should be noted that the apparatus embodiments described above are merely exemplary. Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units: they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the embodiment. In the drawings of the apparatus embodiments provided by the invention, a connection between modules indicates a communication connection between them, which may be implemented as one or more communication buses or signal lines. Those of ordinary skill in the art can understand and implement this without creative effort.
The above are preferred embodiments of the invention. It should be noted that those skilled in the art may make various improvements and modifications without departing from the principle of the invention, and these improvements and modifications are also considered to fall within the protection scope of the invention.

Claims (10)

1. A security packet detection and processing method, characterized in that the security packet detection and processing method is executed by a P4 switch and includes the following steps:
receiving a packet over the uplink and parsing the packet to extract a first header field of the packet;
matching the first header field of the packet against a first state table issued by a predefined P4 configuration file; wherein the first state table includes at least one first record, and the first record stores a connection state attribute;
when the first header field of the packet successfully matches a first record in the first state table, writing the connection state attribute of the matched first record into the packet header;
matching a second header field, which includes the connection attribute, against a transformation flow table issued by the predefined P4 configuration file; wherein the transformation flow table includes at least one second record, and the second record stores a connection state attribute and an action attribute;
when the second header field of the packet successfully matches a second record in the transformation flow table, performing legitimacy detection on the packet by a checking algorithm;
after the packet passes the detection, forwarding the packet according to the action attribute in the matched second record.
2. The security packet detection and processing method according to claim 1, characterized in that the checking algorithm includes the MD5 checking algorithm;
and the step of performing legitimacy detection on the packet by a checking algorithm when the second header field of the packet successfully matches a second record in the transformation flow table specifically includes:
when the second header field of the packet successfully matches a second record in the transformation flow table, padding the message length of the packet so that the message length of the packet modulo 512 is 0;
recording the message length of the padded packet;
loading the standard magic numbers for the information of the padded packet; wherein the standard magic numbers are four integers, denoted A, B, C and D, with A = (01234567)16, B = (89ABCDEF)16, C = (FEDCBA98)16 and D = (76543210)16;
performing four rounds of loop computation on the information of the packet after the standard magic numbers have been loaded; wherein the computation uses the four linear functions AND, OR, NOT and XOR.
3. The security packet detection and processing method according to claim 1, characterized in that it further includes:
receiving the predefined P4 configuration file and configuring the switch according to the predefined P4 configuration file.
4. The security packet detection and processing method according to claim 1, characterized in that the second record also stores a next-state attribute,
and the security packet detection and processing method further includes:
when the second header field of the packet successfully matches a second record in the transformation flow table, updating the connection state attribute in the corresponding first record according to the next-state attribute in the matched second record.
5. The security packet detection and processing method according to claim 1, characterized in that it further includes:
when the second header field of the packet does not match any second record in the transformation flow table, sending the second header field to an SDN controller; wherein the second header field triggers the SDN controller to determine the packet type from the second header field: if the packet is a request packet, the SDN controller performs firewall rule matching on the second header field and returns a transformation flow table item on a successful match; if the packet is not a request packet, the SDN controller matches the second header field against a second state table held in the SDN controller and returns a transformation flow table item on a successful match; the second state table includes at least one third record and characterizes the connection state of all packets in the SDN network, the third record storing a connection state attribute; the transformation flow table item includes the assigned next-state attribute and the configured action attribute;
adding the second record corresponding to the packet according to the transformation flow table item returned by the SDN controller;
performing legitimacy detection on the packet by the checking algorithm;
after the packet passes the detection, forwarding the packet according to the next-state attribute and the action attribute in the correspondingly added second record.
6. The security packet detection and processing method according to claim 5, characterized in that the second header field also triggers the SDN controller to return a packet-drop instruction after firewall rule matching on the second header field fails; and the SDN controller returns a packet-drop instruction when the second header field does not match the second state table;
and the security packet detection and processing method further includes:
dropping the packet according to the packet-drop instruction returned by the SDN controller.
7. The security packet detection and processing method according to any one of claims 1 to 6, characterized in that it further includes:
periodically obtaining from the SDN controller the second state table stored by the SDN controller, in order to update the first state table.
8. A security packet detection and processing apparatus, characterized in that it includes:
a first header parsing unit, for receiving a packet over the uplink and parsing the packet to extract a first header field of the packet;
a first matching unit, for matching the first header field of the packet against a first state table issued by a predefined P4 configuration file; wherein the first state table includes at least one first record, and the first record stores a connection state attribute;
a connection state writing unit, for writing, when the first header field of the packet successfully matches a first record in the first state table, the connection state attribute of the matched first record into the packet header;
a second matching unit, for matching a second header field, which includes the connection attribute, against a transformation flow table issued by the predefined P4 configuration file; wherein the transformation flow table includes at least one second record, and the second record stores a connection state attribute and an action attribute;
a first legitimacy detection unit, for performing legitimacy detection on the packet by a checking algorithm when the second header field of the packet successfully matches a second record in the transformation flow table;
a first packet forwarding unit, for forwarding the packet, after it passes the detection, according to the action attribute in the matched second record.
9. A P4 switch, including a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, wherein the processor, when executing the computer program, implements the security packet detection and processing method according to any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium includes a stored computer program, wherein when the computer program runs it controls the device on which the computer-readable storage medium is located to execute the security packet detection and processing method according to any one of claims 1 to 7.
CN201810390425.6A 2018-04-27 2018-04-27 A kind of detection of security data packet and processing method, device, P4 interchangers and medium Pending CN108494800A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810390425.6A CN108494800A (en) 2018-04-27 2018-04-27 A kind of detection of security data packet and processing method, device, P4 interchangers and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810390425.6A CN108494800A (en) 2018-04-27 2018-04-27 A kind of detection of security data packet and processing method, device, P4 interchangers and medium

Publications (1)

Publication Number Publication Date
CN108494800A true CN108494800A (en) 2018-09-04

Family

ID=63313153

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810390425.6A Pending CN108494800A (en) 2018-04-27 2018-04-27 A kind of detection of security data packet and processing method, device, P4 interchangers and medium

Country Status (1)

Country Link
CN (1) CN108494800A (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109525495A (en) * 2018-12-24 2019-03-26 广东浪潮大数据研究有限公司 A kind of data processing equipment, method and FPGA board
CN109857359A (en) * 2019-02-14 2019-06-07 深圳前海骁客影像科技设计有限公司 MIPI data processing method, device and circuit
CN110933001A (en) * 2019-11-18 2020-03-27 清华大学 Basic processing unit structure of extensible reconfigurable switch packet parser
CN111277517A (en) * 2020-01-19 2020-06-12 长沙星融元数据技术有限公司 Programmable switching chip-based convergence and shunt method and device, storage medium and electronic equipment
CN112733514A (en) * 2021-01-21 2021-04-30 浪潮卓数大数据产业发展有限公司 Method for exporting picture downloading in excel by Bootstrap table
CN115002039A (en) * 2022-07-27 2022-09-02 之江实验室 Traffic unloading method and system based on UDF
CN115086392A (en) * 2022-06-01 2022-09-20 珠海高凌信息科技股份有限公司 Data plane and switch based on heterogeneous chip
CN115118617A (en) * 2022-05-26 2022-09-27 中国科学院计算技术研究所 Intention-driven network measurement method and system based on P4 programmable switch
US11882039B1 (en) 2022-07-27 2024-01-23 Zhejiang Lab UDF-based traffic offloading methods and systems
CN115118617B (en) * 2022-05-26 2024-05-28 中国科学院计算技术研究所 Method, system and storage medium for measuring intention driving network

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050111460A1 (en) * 2003-11-21 2005-05-26 Sahita Ravi L. State-transition based network intrusion detection
CN101536455A (en) * 2006-11-03 2009-09-16 朗讯科技公司 Methods and apparatus for delivering control messages during a malicious attack in one or more packet networks
CN102238187A (en) * 2011-07-26 2011-11-09 东念(杭州)科技有限公司 System of communication protocol based on TCP (Transmission Control Protocol)/IP (Internet Protocol) and realization method thereof
CN104104561A (en) * 2014-08-11 2014-10-15 武汉大学 SDN (self-defending network) firewall state detecting method and system based on OpenFlow protocol

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张剑等: "《信息安全技术》", 31 December 2015 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180904
