CN111158864B - Data processing method, device, system, medium, and program - Google Patents


Publication number
CN111158864B
Authority
CN
China
Prior art keywords
access data
virtual network
network function
address conversion
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201911424631.5A
Other languages
Chinese (zh)
Other versions
CN111158864A (en
Inventor
胡松
张思琴
吴涛
李红光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd
Original Assignee
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Qianxin Technology Group Co Ltd, Secworld Information Technology Beijing Co Ltd
Priority to CN201911424631.5A
Publication of CN111158864A
Application granted
Publication of CN111158864B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45595 Network integration; Enabling network access in virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The disclosure provides a data processing method applied to general user equipment. The method comprises the following steps: receiving first access data; performing destination address conversion on the first access data to obtain second access data, so that the destination address of the second access data is the IP address of the real service end to be accessed by the first access data, and the source address of the second access data is kept as the IP address of the real service end for transmitting the first access data; transferring the second access data to a virtual network function service chain running on the universal user terminal equipment, and performing strategy configuration on the second access data by the virtual network function service chain to obtain third access data; performing source address conversion on the third access data to obtain fourth access data; and forwarding the fourth access data based on the destination access address of the fourth access data. The disclosure also provides a data processing device, a system, a medium and a program arranged on the universal user terminal equipment.

Description

Data processing method, device, system, medium, and program
Technical Field
The present disclosure relates to the field of internet technology, and more particularly, to a data processing method, a data processing apparatus, a data processing system, a computer readable medium, and a computer program.
Background
uCPE stands for universal customer premise equipment. The universal customer premise equipment uCPE uses a universal hardware platform that provides virtualization capability, and runs virtual machines for various virtual network functions (VNFs) with different functions on that platform, forming a new kind of network equipment product. Currently, uCPE is widely applied in scenarios such as SD-WAN access, integrated security gateways, and cloud security resource pools.
In general, the virtual network function (VNF) virtual machines in the universal customer premise equipment uCPE form a virtual network function service chain according to the service orchestration, so as to provide a service function. For example, VNF virtual machines such as firewalls, IPS (Intrusion Prevention System), IDS (Intrusion Detection System), and probes form a security service chain for specific traffic. The uCPE platform delivers the traffic to the virtual network function service chain, the traffic flows through the VNF nodes, and each VNF node completes its own service processing.
When the universal customer premise equipment uCPE is deployed in a NAT (Network Address Translation) environment, the traffic may undergo source address translation SNAT (Source Network Address Translation) or destination address translation DNAT (Destination Network Address Translation), in part or in whole, depending on the customer's needs. If there is source address translation SNAT, the translated source address is typically the interface address of the uCPE or an address in the address pool. If there is destination address translation DNAT, the destination address before translation is typically the interface address of the uCPE. Traffic may undergo SNAT, DNAT, or both, as desired.
Before any of the SNAT and DNAT translations begin, the destination IP may not be a real address. After all SNAT and DNAT translations are complete, the source IP may not be a real address. As a result, when the uCPE hands traffic over to the virtual network function service chain, the VNF nodes in the chain are not aware of the NAT configuration and NAT translation meta information in the uCPE. Thus, the management and control on the virtual network function service chain, such as security policies, QoS policies, assets, and threats, cannot be effectively configured for the traffic.
Disclosure of Invention
In view of this, the present disclosure provides a data processing method and a data processing device that can use the virtual network function service chain of a universal customer premise equipment uCPE to perform effective policy configuration on traffic in a NAT access scenario.
One aspect of the present disclosure provides a data processing method applied to a general-purpose user terminal device. The method comprises the following steps: receiving first access data; performing destination address conversion on the first access data to obtain second access data, so that the destination address of the second access data is the IP address of the real service end to be accessed by the first access data, and the source address of the second access data is kept as the IP address of the real service end for transmitting the first access data; transferring the second access data to a virtual network function service chain running on the universal user terminal equipment, and performing strategy configuration on the second access data by the virtual network function service chain to obtain third access data; performing source address conversion on the third access data to obtain fourth access data; and forwarding the fourth access data based on the destination access address of the fourth access data.
According to an embodiment of the disclosure, the method further comprises configuring the virtual network function service chain on the generic user side device.
According to an embodiment of the present disclosure, the virtual network function service chain includes at least one virtual network function node, and configuring the virtual network function service chain on the generic user side device includes: configuring two interfaces for each virtual network function node of the at least one virtual network function node; configuring two interfaces of each virtual network function node as two-layer bridging in each virtual network function node; configuring a corresponding platform interconnection interface for each of two interfaces of each virtual network function node, wherein the platform interconnection interface is used for being connected with the universal user terminal equipment; and connecting different virtual network function nodes in the at least one virtual network function node in series sequentially through platform interconnection interfaces corresponding to the two interfaces respectively.
According to an embodiment of the present disclosure, performing destination address conversion on the first access data to obtain second access data includes: performing destination address conversion on the first access data to obtain first intermediate data; and modifying the MAC address header of the first intermediate data according to a preset modification strategy to obtain the second access data, wherein the MAC address header of the second access data comprises information of a source address conversion strategy.
According to an embodiment of the disclosure, modifying the MAC address header of the first intermediate data according to the preset modification policy includes modifying the first two bytes in the MAC address header of the first intermediate data to 0, modifying the last four bytes to the session identifier corresponding to the first access data in network byte order, and modifying the source MAC address bytes to a fixed value.
According to an embodiment of the present disclosure, performing source address conversion on the third access data to obtain fourth access data includes: reading information of a source address conversion strategy carried in a MAC address header of the second access data; performing source address conversion on the third access data based on the information of the source address conversion strategy to obtain second intermediate data; and restoring the MAC address header of the second intermediate data based on the preset modification strategy to obtain the fourth access data.
Another aspect of the present disclosure provides a data processing apparatus disposed in a general purpose user side device. The device comprises an access receiving module, a destination address conversion module, a strategy configuration module, a source address conversion module and an access forwarding module. The access receiving module is used for receiving the first access data. The destination address conversion module is configured to perform destination address conversion on the first access data to obtain second access data, so that a destination address of the second access data is an IP address of a real server to which the first access data is to be accessed, and a source address of the second access data is kept as an IP address of the real server that sends the first access data. The policy configuration module is configured to transfer the second access data to a virtual network function service chain running on the general user equipment, and the virtual network function service chain performs policy configuration on the second access data to obtain third access data. The source address conversion module is used for carrying out source address conversion on the third access data to obtain fourth access data. The access forwarding module is used for forwarding the fourth access data based on the destination access address of the fourth access data.
According to an embodiment of the disclosure, the apparatus further includes a VNF service chain configuration module configured to configure the virtual network function service chain on the generic user side device. Specifically, the VNF service chain configuration module is configured to configure two interfaces for each of at least one virtual network function node in the virtual network function service chain; configuring two interfaces of each virtual network function node as two-layer bridging in each virtual network function node; configuring a corresponding platform interconnection interface for each of two interfaces of each virtual network function node, wherein the platform interconnection interface is used for being connected with the universal user terminal equipment; and connecting different virtual network function nodes in the at least one virtual network function node in series sequentially through platform interconnection interfaces corresponding to the two interfaces respectively.
According to an embodiment of the disclosure, the destination address translation module is specifically configured to: performing destination address conversion on the first access data to obtain first intermediate data; and modifying the MAC address header of the first intermediate data according to a preset modification strategy to obtain the second access data, wherein the MAC address header of the second access data comprises information of a source address conversion strategy.
According to an embodiment of the disclosure, the source address translation module is configured to: reading information of a source address conversion strategy carried in a MAC address header of the second access data; performing source address conversion on the third access data based on the information of the source address conversion strategy to obtain second intermediate data; and restoring the MAC address header of the second intermediate data based on the preset modification strategy to obtain the fourth access data.
Another aspect of the present disclosure provides a data processing system disposed on a general purpose client device. The system includes a destination address translation system, a source address translation system, and a virtual network function service chain. The destination address translation system is configured to run on the generic user side device. The source address translation system is configured to run on the universal client device. The virtual network function service chain is configured to run on the generic user side device. The destination address conversion system, the virtual network function service chain and the source address conversion system are sequentially connected in series. The destination address translation system 810 is configured to: receiving first access data; performing destination address conversion on the first access data to obtain second access data, so that the destination address of the second access data is the IP address of the real service end to be accessed by the first access data, and the source address of the second access data is kept as the IP address of the real service end for transmitting the first access data; and forwarding the second access data to the virtual network function service chain. The virtual network function service chain is used for carrying out strategy configuration on the second access data to obtain third access data, and transferring the third access data to the source address translation system. The source address conversion system is used for carrying out source address conversion on the third access data to obtain fourth access data, and forwarding the fourth access data based on a destination access address of the fourth access data.
According to an embodiment of the present disclosure, the virtual network function service chain comprises at least one virtual network function node. Each of the at least one virtual network function node is configured with two interfaces. The two interfaces of each virtual network function node are configured as two-layer bridges within the virtual network function node. Each of the two interfaces of each virtual network function node is configured with a corresponding platform interconnection interface, and the platform interconnection interface is used for being connected with the universal user terminal equipment. Different virtual network function nodes in the at least one virtual network function node are configured to be serially connected in sequence through platform interconnection interfaces corresponding to the respective two interfaces.
According to an embodiment of the present disclosure, the destination address translation system is configured to perform destination address translation on the first access data, and obtaining second access data includes: performing destination address conversion on the first access data to obtain first intermediate data; and modifying the MAC address header of the first intermediate data according to a preset modification strategy to obtain the second access data, wherein the MAC address header of the second access data comprises information of a source address conversion strategy.
According to an embodiment of the present disclosure, modifying the MAC address header of the first intermediate data according to a preset modification policy includes: modifying the first two bytes in the MAC address header of the first intermediate data to 0, modifying the last four bytes to the session identifier corresponding to the first access data in network byte order, and modifying the source MAC address bytes to a fixed value.
According to an embodiment of the present disclosure, the source address conversion system is further configured to perform source address conversion on the third access data, and obtaining fourth access data includes: reading information of a source address conversion strategy carried in a MAC address header of the second access data; performing source address conversion on the third access data based on the information of the source address conversion strategy to obtain second intermediate data; and restoring the MAC address header of the second intermediate data based on the preset modification strategy to obtain the fourth access data.
Another aspect of the present disclosure provides a data processing system including one or more memories and one or more processors. The memory has stored thereon computer executable instructions. The processor executes the instructions to implement the data processing method as described above.
Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions that, when executed, are configured to implement a method as described above.
Another aspect of the present disclosure provides a computer program comprising computer executable instructions which when executed are for implementing a method as described above.
According to the embodiment of the disclosure, in the process of forwarding the traffic through the universal user equipment uCPE, quintuple information in the message seen by the virtual network function service chain is the real IP addresses and ports at two ends, so that each virtual network function VNF in the virtual network function service chain can carry out effective strategy configuration on the traffic, and the traffic forwarding flow is more convenient.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments thereof with reference to the accompanying drawings in which:
FIG. 1 schematically illustrates a flow chart of a data processing method according to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flow chart of a data processing method according to another embodiment of the present disclosure;
FIG. 3 schematically illustrates a schematic diagram of a virtual network function service chain configured on a generic user side device according to an embodiment of the present disclosure;
FIG. 4 schematically illustrates a schematic diagram of a preset policy for modifying a MAC address header according to an embodiment of the present disclosure;
FIG. 5 schematically illustrates a data processing flow during a forward session in which a generic client device receives access data from X0 and forwards the access data to YT in accordance with an embodiment of the present disclosure;
FIG. 6 schematically illustrates a data processing flow during a reverse session in which a generic client device receives access data from YT and forwards it to X0 in accordance with an embodiment of the present disclosure;
FIG. 7 schematically illustrates a block diagram of a data processing apparatus according to an embodiment of the present disclosure;
FIG. 8 schematically illustrates a block diagram of a data processing system according to an embodiment of the present disclosure; and
FIG. 9 schematically illustrates a block diagram of a computer system adapted to implement a data processing method according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where an expression like "at least one of A, B and C, etc." is used, the expression should generally be interpreted in accordance with the meaning as commonly understood by those skilled in the art (e.g., "a system having at least one of A, B and C" shall include, but not be limited to, a system having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.). Where an expression like "at least one of A, B or C, etc." is used, the expression should generally be interpreted in accordance with the ordinary understanding of one skilled in the art (e.g., "a system having at least one of A, B or C" shall include, but not be limited to, a system having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.).
The embodiment of the disclosure provides a data processing method and device applied to universal user terminal equipment. The method comprises the following steps: receiving first access data; performing destination address conversion on the first access data to obtain second access data; transferring the second access data to a virtual network function service chain running on the universal user terminal equipment, and performing strategy configuration on the second access data by the virtual network function service chain to obtain third access data; performing source address conversion on the third access data to obtain fourth access data; and forwarding the fourth access data based on the destination access address of the fourth access data.
According to the embodiment of the disclosure, the destination IP address and the destination port in the five-tuple information in the second access data are converted into the real destination IP address and port, and the source IP address and the source port are not converted, so that the source IP address and the source port, the destination IP address and the destination port in the five-tuple information in the second access data are the real IP addresses and ports at both ends, and thus effective policy configuration, such as configuration of services such as security policies, QoS policies, assets, threats, and the like, can be performed through a virtual network function service chain (i.e., VNF service chain). If the virtual network function service chain cannot see the real IP addresses and ports at the two ends, the configured policy cannot really function. For example, if an interception policy is configured through the virtual network function service chain, when the virtual network function service chain cannot acquire the IP address and port of the real source end, the access information sent from the real source end cannot be effectively intercepted. In the method of the embodiment of the disclosure, not only can the data forwarding of the universal user terminal equipment in the network address translation NAT scene be realized, but also the real IP addresses and ports of the two ends can be obtained from the second access data when the virtual network function service chain performs policy configuration, so that the configured policy can be practically and effectively implemented.
Fig. 1 schematically illustrates a flow chart of a data processing method according to an embodiment of the present disclosure.
As shown in fig. 1, the data processing method may include operations S101 to S105 according to an embodiment of the present disclosure. The method is applied to the universal user terminal equipment.
In operation S101, first access data is received.
In operation S102, destination address conversion is performed on the first access data to obtain second access data, so that the destination address of the second access data is the IP address of the real server to be accessed by the first access data, and the source address of the second access data is kept as the IP address of the real server sending the first access data.
In operation S103, the second access data is handed over to a virtual network function service chain running on the universal user terminal device, and policy configuration is performed on the second access data by the virtual network function service chain to obtain third access data.
In operation S104, source address conversion is performed on the third access data to obtain fourth access data.
In operation S105, the fourth access data is forwarded based on the destination access address of the fourth access data.
According to the embodiment of the disclosure, not only can the data forwarding of the universal user terminal equipment in the network address translation NAT scene be realized, but also the real IP addresses and ports of the two ends can be obtained from the second access data when the virtual network function service chain (VNF service chain) performs policy configuration, so that the configuration policy can be practically and effectively implemented.
Fig. 2 schematically illustrates a flow chart of a data processing method according to another embodiment of the present disclosure.
As shown in fig. 2, the data processing method may include operation S201 in addition to operations S101 to S105 according to an embodiment of the present disclosure. Wherein, operation S201 may be performed before operation S101.
In operation S201, a virtual network function service chain is configured on a general-purpose user side device.
According to one embodiment of the present disclosure, operation S201 may be specifically implemented by first configuring two interfaces for each of at least one virtual network function node, then configuring the two interfaces of the virtual network function node inside each virtual network function node as two-layer bridging, and configuring a corresponding platform interconnection interface for each of the two interfaces of each virtual network function node. The platform interconnection interface is used for being connected with the universal user terminal equipment, and different virtual network function nodes in at least one virtual network function node are sequentially connected in series through the platform interconnection interfaces corresponding to the two interfaces respectively.
Fig. 3 schematically illustrates a schematic diagram of a virtual network function service chain configured on a generic user side device according to an embodiment of the present disclosure.
As shown in FIG. 3, the universal customer premise equipment uCPE allocates, for each virtual network function node, two interfaces E1 and E2 for forming the virtual network function service chain, together with the corresponding platform interconnection interfaces. E1 and E2 are configured as two-layer bridge interfaces within the virtual network function node and are placed in the same bridge. The virtual network function nodes are logically connected in series on the uCPE through the platform interconnection interfaces of E1 and E2, forming a two-layer series connection.
According to an embodiment of the present disclosure, performing destination address conversion on the first access data in operation S102 to obtain the second access data may be specifically implemented as performing destination address conversion on the first access data to obtain first intermediate data, and then modifying a MAC address header of the first intermediate data according to a preset modification policy to obtain the second access data, where the MAC address header of the second access data includes information of a source address conversion policy. In this way, by including information of the source address translation policy in the MAC address header, a translation basis can be provided for translating the source address of the third access data.
According to an embodiment of the present disclosure, performing source address conversion on the third access data in operation S104 to obtain the fourth access data may be specifically implemented by first reading information of a source address conversion policy carried in a MAC address header of the second access data, then performing source address conversion on the third access data based on the information of the source address conversion policy to obtain second intermediate data, and recovering the MAC address header of the second intermediate data based on a preset modification policy to obtain the fourth access data. In some embodiments, after the information of the source address conversion policy is read, the MAC address header of the access data (i.e., the message) may instead be recovered first, and source address conversion performed afterwards. In other embodiments, the recovery of the MAC address header and the source address conversion may be performed concurrently.
Fig. 4 schematically illustrates a schematic diagram of a preset policy for modifying a MAC address header according to an embodiment of the present disclosure.
As shown in fig. 4, the MAC address header may be modified as follows according to the embodiment of the present disclosure: the first two bytes in the MAC address header of the first intermediate data are set to 0, the last four bytes are set to the session identifier SID corresponding to the first access data in network byte order, and the source MAC address bytes are set to a fixed value.
Specifically, the universal customer premise equipment uCPE modifies the MAC addresses in the Ethernet header as follows: the first two bytes of the destination MAC are set to 0, and the last four bytes are set to the session identifier SID (in network byte order) corresponding to the first access data; the source MAC is set to a configurable fixed value; and the ethType may remain unchanged.
As described above, after destination address conversion DNAT on the universal customer premise equipment uCPE, the destination MAC address header of the first intermediate data is modified to carry session information. This information is used to match the session when the virtual network function service chain returns the packet, and to recover the MAC address header of the second intermediate data.
In order to facilitate understanding of the technical solutions of the embodiments of the present disclosure, the following exemplary description will describe the data processing method of the embodiments of the present disclosure in connection with the data processing flow during the forward session shown in fig. 5 and the reverse session shown in fig. 6. Those skilled in the art will appreciate that the following embodiments are merely examples and that the disclosed embodiments are not limited thereto.
Fig. 5 schematically illustrates a data processing flow during a forward session in which a generic client device receives access data from X0 and forwards it to YT, according to an embodiment of the present disclosure.
Fig. 5 illustrates the data processing flow when the universal customer premise equipment uCPE forwards traffic through the virtual network function service chain in a network address translation (NAT) access scenario. As shown in fig. 5, the access data of the forward session is forwarded from X0 to YT. The uCPE receives a message (i.e., the first access data) at interface A. At processing point 2, that is, after destination address conversion DNAT is completed and the MAC address is modified, it forwards the message (i.e., the second access data) to the virtual network function nodes VNF1 and VNF2 in the virtual network function service chain. After VNF1 and VNF2, which are connected in series, have processed the message in sequence and returned it, the uCPE receives the message (i.e., the third access data) from the virtual network function service chain. At processing point 3 the uCPE recovers the MAC address of the message and completes the remaining processing, such as source address conversion SNAT; at processing point 4 the message (i.e., the fourth access data) is forwarded to YT through interface B.
The IP addresses and ports of the message seen at processing points 1, 2, 3 and 4 are as shown in the figure, where X0:m0 and Y0:n0 are the information before conversion, and XT:mt -> YT:nt is the information after conversion.
The specific implementation of the data processing in fig. 5 includes the following steps 1 to 10.
Step 1: the universal customer premise equipment uCPE receives a forward message from interface A. The original IP addresses and ports are X0:m0 -> Y0:n0, and the original destination MAC address and original source MAC address are MAC-D and MAC-S respectively.
The session S and its ID, the session SID, are looked up by the five-tuple of the message. When there is data access, the uCPE establishes a session S whose ID is the SID (a four-byte integer). The forward IP addresses and ports of the session are X0:m0 -> Y0:n0, and the forward MACs of the session are MAC-S -> MAC-D; the reverse IP addresses and ports of the session are YT:nt -> XT:mt. The reverse source and destination MACs of the session are initially empty and are filled in when the first message of the session's reverse flow arrives. If the session is found, there is no need to look up the destination address conversion DNAT policy or the source address conversion SNAT policy, or to establish the session S; based on the session SID, the converted destination IP and port are determined to be YT:nt and the converted source IP and port to be XT:mt. If the session is not found, the uCPE determines the converted destination IP and port YT:nt by looking up the DNAT policy, and the converted source IP and port XT:mt by looking up the SNAT policy.
Step 2: the uCPE performs destination address conversion DNAT on the message (i.e., the first access data). After converting the destination IP and port in the message to YT:nt, it makes the corresponding modifications to the message, such as ALG, TCP sequence number, checksum, length, and IPv4/IPv6 header.
Step 3: the uCPE modifies the Ethernet MAC address header of the message as follows: the first two bytes of the destination MAC are set to 0, and the last four bytes are set to the SID (in network byte order); the source MAC is set to a configurable fixed value; the ethType is unchanged, as shown in fig. 4.
Step 4: at this point the uCPE does not yet execute the message processing flow that follows destination address conversion DNAT; the source and destination IP addresses and ports of the message are X0:m0 -> YT:nt. The uCPE then sends the message (i.e., the second access data) to the first virtual network function node VNF1 in the virtual network function service chain through platform interconnection interface 1 of the virtual network function service chain.
Step 5: the first virtual network function node VNF1 in the virtual network function service chain receives the message through the E1 port and, after processing it, sends it out through E2, because E1 and E2 are bridged. Platform interconnection interface 2 then receives the message and sends it on through platform interconnection interface 3. Because of the layer-2 series connection, the message is passed all the way to platform interconnection interface 4. Throughout this process the MAC address remains unchanged, and the source and destination IP addresses and ports of the message, X0:m0 -> YT:nt, also remain unchanged.
Step 6: the uCPE receives the data packet (i.e., the third access data) from platform interconnection interface 4 and extracts the last four bytes of the destination MAC, i.e., the SID, from the Ethernet header of the packet. The uCPE queries the session according to the SID and finds the session S.
Step 7: the uCPE recovers the MAC address of the message. It restores the MAC address according to the information stored in the session S, restoring the source and destination MACs in the message to MAC-S -> MAC-D.
Step 8: the uCPE performs source address conversion SNAT on the message and executes the remaining flow.
Step 9: the uCPE converts the source address to XT:mt according to the source address conversion SNAT policy information stored in the session S. The five-tuple information of the message (i.e., the fourth access data) then becomes XT:mt -> YT:nt.
Step 10: after the uCPE finishes all other processing, it sends out the message (i.e., the fourth access data) from interface B.
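The forward-session steps 1 to 10 above, reduced to the header rewrite they depend on, as an added C example that is not code from the patent. It models a message as a struct (no checksums, ALG or NAT policy lookup); the function names, the fixed source MAC value, the sample addresses and the pre-restore check on returning frames are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SESSIONS 16

/* Assumption: the page only says the source MAC is a configurable fixed value. */
static const uint8_t CHAIN_SRC_MAC[6] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};

struct endpoint { uint32_t ip; uint16_t port; };

struct frame {                      /* simplified Ethernet header + IP/port pair */
    uint8_t  dst_mac[6], src_mac[6];
    uint16_t eth_type;
    struct endpoint src, dst;
};

struct session {                    /* session S created in step 1 */
    int      in_use;
    uint32_t sid;
    uint8_t  mac_d[6], mac_s[6];    /* original destination / source MAC */
    struct endpoint xt, yt;         /* SNAT and DNAT results */
};

static struct session sessions[MAX_SESSIONS];

/* Step 1: store the original MACs and the NAT results under a SID. */
struct session *session_create(uint32_t sid, const struct frame *f,
                               struct endpoint xt, struct endpoint yt)
{
    for (int i = 0; i < MAX_SESSIONS; i++) {
        struct session *s = &sessions[i];
        if (s->in_use)
            continue;
        *s = (struct session){ .in_use = 1, .sid = sid, .xt = xt, .yt = yt };
        memcpy(s->mac_d, f->dst_mac, 6);
        memcpy(s->mac_s, f->src_mac, 6);
        return s;
    }
    return NULL;                    /* table full */
}

struct session *session_by_sid(uint32_t sid)
{
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (sessions[i].in_use && sessions[i].sid == sid)
            return &sessions[i];
    return NULL;
}

/* Steps 2-3: DNAT, then rewrite the MAC header so that it carries the SID. */
void dnat_and_tag(struct frame *f, const struct session *s)
{
    f->dst = s->yt;                             /* X0:m0 -> YT:nt */
    f->dst_mac[0] = 0;                          /* first two bytes are zero */
    f->dst_mac[1] = 0;
    f->dst_mac[2] = (uint8_t)(s->sid >> 24);    /* SID in network byte order */
    f->dst_mac[3] = (uint8_t)(s->sid >> 16);
    f->dst_mac[4] = (uint8_t)(s->sid >> 8);
    f->dst_mac[5] = (uint8_t)s->sid;
    memcpy(f->src_mac, CHAIN_SRC_MAC, 6);       /* ethType stays unchanged */
}

/* Steps 6-9: returns 0 on success, -1 when the frame must be dropped.
 * Added check (assumption): a frame returning from the chain is accepted only
 * if its MAC header still has the tagging format written in step 3. */
int untag_and_snat(struct frame *f)
{
    if (f->dst_mac[0] != 0 || f->dst_mac[1] != 0 ||
        memcmp(f->src_mac, CHAIN_SRC_MAC, 6) != 0)
        return -1;
    uint32_t sid = ((uint32_t)f->dst_mac[2] << 24) | ((uint32_t)f->dst_mac[3] << 16) |
                   ((uint32_t)f->dst_mac[4] << 8) | (uint32_t)f->dst_mac[5];
    const struct session *s = session_by_sid(sid);
    if (s == NULL)
        return -1;                              /* no session for this SID */
    memcpy(f->dst_mac, s->mac_d, 6);            /* step 7: restore MAC-S -> MAC-D */
    memcpy(f->src_mac, s->mac_s, 6);
    f->src = s->xt;                             /* steps 8-9: SNAT to XT:mt */
    return 0;
}

int main(void)
{
    /* Constructed sample: X0:m0 = 192.0.2.10:40000, Y0:n0 = 198.51.100.1:443 */
    struct frame f = {
        .dst_mac = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55},    /* MAC-D */
        .src_mac = {0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb},    /* MAC-S */
        .eth_type = 0x0800, .src = {0xC000020A, 40000}, .dst = {0xC6336401, 443},
    };
    struct endpoint xt = {0xCB007105, 50000}, yt = {0x0A000014, 8443};
    struct session *s = session_create(0x0A0B0C0D, &f, xt, yt);
    if (s == NULL)
        return 1;
    dnat_and_tag(&f, s);
    printf("SID bytes in dst MAC: %02x%02x%02x%02x\n",
           f.dst_mac[2], f.dst_mac[3], f.dst_mac[4], f.dst_mac[5]);
    int rc = untag_and_snat(&f);
    printf("restore rc=%d, source port after SNAT=%u\n", rc, (unsigned)f.src.port);
    return rc == 0 ? 0 : 1;
}
```

The session is selected purely by the four SID bytes that come back from the service chain, so the restore step is only as reliable as the chain's handling of the MAC header; `untag_and_snat` drops any frame whose header no longer matches the tagging format or whose SID has no session.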
Fig. 6 schematically illustrates a data processing flow during a reverse session in which a generic client device receives access data from YT and forwards the access data to X0, according to an embodiment of the present disclosure.
With reference to fig. 5 and 6, the data processing flow in the reverse session is basically the same as that in the forward session. The main differences are: 1) the interface at which the universal customer premise equipment uCPE platform receives the first access data is B, and the interface through which it forwards the fourth access data is A; 2) no DNAT policy lookup, SNAT policy lookup or session creation is needed, because the session was established during the forward session; 3) the source MAC and destination MAC differ from those of the forward message; 4) the IP addresses and ports seen at processing point 1 are YT:nt -> XT:mt; 5) the IP addresses and ports seen at processing points 2 and 3 are YT:nt -> X0:m0; 6) the IP addresses and ports seen at processing point 4 are Y0:n0 -> X0:m0; 7) the interface through which the uCPE hands the message to the virtual network function service chain is platform interconnection interface 4; 8) the interface through which the virtual network function service chain returns the data packet is platform interconnection interface 1.
Therefore, the data processing method of the embodiment of the present disclosure splits the network address translation (NAT) processing flow of the message into two parts on the universal customer premise equipment uCPE: the virtual network function service chain performs policy configuration between the processing point after destination address conversion DNAT and the processing point before source address conversion SNAT, and the remaining flows are used for data forwarding.
Fig. 7 schematically illustrates a block diagram of a data processing apparatus 700 according to an embodiment of the disclosure.
As shown in fig. 7, a data processing apparatus 700 according to an embodiment of the present disclosure is provided at a universal customer premise equipment uCPE. The apparatus 700 includes an access receiving module 710, a destination address translation module 720, a policy configuration module 730, a source address translation module 740, and an access forwarding module 750. According to another embodiment of the present disclosure, the apparatus 700 may further include a VNF service chain configuration module 760. The apparatus 700 may be used to implement the methods described with reference to fig. 1-6.
The access receiving module 710 is configured to receive the first access data.
The destination address conversion module 720 is configured to perform destination address conversion on the first access data to obtain second access data. According to an embodiment of the present disclosure, the destination address translation module 720 is specifically configured to: performing destination address conversion on the first access data to obtain first intermediate data; and modifying the MAC address header of the first intermediate data according to a preset modification strategy to obtain second access data, wherein the MAC address header of the second access data comprises information of a source address conversion strategy. The destination address of the second access data is the IP address of the real service end to be accessed by the first access data, and the source address of the second access data is kept as the IP address of the real service end for transmitting the first access data.
The policy configuration module 730 is configured to forward the second access data to a virtual network function service chain running on the universal user equipment, and the virtual network function service chain performs policy configuration on the second access data to obtain third access data.
The source address conversion module 740 is configured to perform source address conversion on the third access data to obtain fourth access data. According to an embodiment of the present disclosure, the source address conversion module 740 is specifically configured to: reading information of a source address conversion strategy carried in a MAC address header of the second access data; performing source address conversion on the third access data based on the information of the source address conversion strategy to obtain second intermediate data; and restoring the MAC address header of the second intermediate data based on a preset modification strategy to obtain fourth access data.
The access forwarding module 750 is configured to forward the fourth access data based on the destination access address of the fourth access data.
The VNF service chain configuration module 760 is configured to configure a virtual network function service chain on the general user end device. Specifically, the VNF service chain configuration module 760 is configured to configure two interfaces for each of at least one virtual network function node in the virtual network function service chain; configure the two interfaces of each virtual network function node as a layer-2 bridge within that virtual network function node; configure a corresponding platform interconnection interface for each of the two interfaces of each virtual network function node, wherein the platform interconnection interface is used for being connected with the universal user terminal equipment; and connect the different virtual network function nodes in the at least one virtual network function node in series, in sequence, through the platform interconnection interfaces corresponding to their respective two interfaces.
FIG. 8 schematically illustrates a block diagram of a data processing system 800 according to an embodiment of the present disclosure.
As shown in fig. 8, the data processing system 800 is disposed in a general-purpose user side device. System 800 includes a destination address translation system 810, a virtual network function service chain 820, and a source address translation system 830. Data processing system 800 may be used to implement the methods described with reference to fig. 1-6.
The destination address translation system 810 is configured to run on a general purpose user end device. The virtual network function service chain 820 is configured to run on a generic user end device. The source address translation system 830 is configured to run on a general purpose user end device. Wherein destination address translation system 810, virtual network function service chain 820, and source address translation system 830 are serially connected in sequence.
The destination address translation system 810 is configured to: receiving first access data; performing destination address conversion on the first access data to obtain second access data, so that the destination address of the second access data is the IP address of the real service end to be accessed by the first access data, and the source address of the second access data is kept as the IP address of the real service end for transmitting the first access data; and forwarding the second access data to the virtual network function service chain 820.
The virtual network function service chain 820 is used to policy configure the second access data to obtain third access data and forward the third access data to the source address translation system 830.
The source address conversion system 830 is configured to perform source address conversion on the third access data to obtain fourth access data, and forward the fourth access data based on a destination access address of the fourth access data.
According to an embodiment of the present disclosure, virtual network function service chain 820 includes at least one virtual network function node. Each of the at least one virtual network function node is configured with two interfaces. The two interfaces of each virtual network function node are configured as a layer-2 bridge within the virtual network function node. Each of the two interfaces of each virtual network function node is configured with a corresponding platform interconnection interface, and the platform interconnection interfaces are used for being connected with the universal user terminal equipment. Different virtual network function nodes in the at least one virtual network function node are configured to be serially connected in sequence through the platform interconnection interfaces corresponding to the respective two interfaces.
According to an embodiment of the present disclosure, destination address translation system 810 performs destination address translation on the first access data, and obtaining the second access data includes: performing destination address conversion on the first access data to obtain first intermediate data; and modifying the MAC address header of the first intermediate data according to a preset modification strategy to obtain second access data, wherein the MAC address header of the second access data comprises information of a source address conversion strategy.
According to an embodiment of the present disclosure, modifying the MAC address header of the first intermediate data according to the preset modification policy includes: setting the first two bytes in the MAC address header of the first intermediate data to 0, setting the last four bytes to the session identifier corresponding to the first access data in network byte order, and setting the source MAC address bytes to a fixed value.
According to an embodiment of the present disclosure, the source address translation system 830 is further configured to perform source address translation on the third access data, where obtaining the fourth access data includes: reading information of a source address conversion strategy carried in a MAC address header of the second access data; performing source address conversion on the third access data based on the information of the source address conversion strategy to obtain second intermediate data; and restoring the MAC address header of the second intermediate data based on a preset modification strategy to obtain fourth access data.
Any number of modules, sub-modules, units, sub-units, or at least some of the functionality of any number of the sub-units according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented as split into multiple modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system-on-chip, a system-on-substrate, a system-on-package, an Application Specific Integrated Circuit (ASIC), or in any other reasonable manner of hardware or firmware that integrates or encapsulates the circuit, or in any one of or a suitable combination of three of software, hardware, and firmware. Alternatively, one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be at least partially implemented as computer program modules, which when executed, may perform the corresponding functions.
For example, any of the access receiving module 710, the destination address translation module 720, the policy configuration module 730, the source address translation module 740, the access forwarding module 750, the VNF service chain configuration module 760, the destination address translation system 810, the virtual network function service chain 820, and the source address translation system 830 may be combined in one module to be implemented, or any one of the modules may be split into a plurality of modules. Alternatively, at least some of the functionality of one or more of the modules may be combined with at least some of the functionality of other modules and implemented in one module. According to embodiments of the present disclosure, at least one of the access receiving module 710, the destination address translation module 720, the policy configuration module 730, the source address translation module 740, the access forwarding module 750, the VNF service chain configuration module 760, the destination address translation system 810, the virtual network function service chain 820, and the source address translation system 830 may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or any other reasonable manner in which circuitry is integrated or packaged, or in hardware or firmware, or in any one of or a suitable combination of any of the three implementations of software, hardware, and firmware. 
Alternatively, at least one of the access receiving module 710, the destination address translation module 720, the policy configuration module 730, the source address translation module 740, the access forwarding module 750, the VNF service chain configuration module 760, the destination address translation system 810, the virtual network function service chain 820, and the source address translation system 830 may be at least partially implemented as a computer program module, which when executed, may perform the corresponding functions.
Fig. 9 schematically illustrates a block diagram of a computer system 900 adapted to implement a data processing method according to an embodiment of the present disclosure. The computer system illustrated in fig. 9 is merely an example, and should not be construed as limiting the functionality and scope of use of the embodiments of the present disclosure.
As shown in fig. 9, a computer system 900 according to an embodiment of the present disclosure includes a processor 901, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 902 or a program loaded from a storage portion 908 into a Random Access Memory (RAM) 903. The processor 901 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. Processor 901 may also include on-board memory for caching purposes. Processor 901 may include a single processing unit or multiple processing units for performing the different actions of the method flows according to embodiments of the present disclosure.
In the RAM 903, various programs and data necessary for the operation of the computer system 900 are stored. The processor 901, the ROM 902, and the RAM 903 are connected to each other by a bus 904. The processor 901 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 902 and/or the RAM 903. Note that the program may be stored in one or more memories other than the ROM 902 and the RAM 903. The processor 901 may also perform various operations of the method flow according to embodiments of the present disclosure by executing programs stored in one or more memories.
According to an embodiment of the disclosure, computer system 900 may also include an input/output (I/O) interface 905, with input/output (I/O) interface 905 also being connected to bus 904. Computer system 900 may also include one or more of the following components connected to I/O interface 905: an input section 906 including a keyboard, a mouse, and the like; an output portion 907 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage portion 908 including a hard disk or the like; and a communication section 909 including a network interface card such as a LAN card, a modem, or the like. The communication section 909 performs communication processing via a network such as the internet. The drive 910 is also connected to the I/O interface 905 as needed. A removable medium 911 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed as needed on the drive 910 so that a computer program read out therefrom is installed into the storage section 908 as needed.
According to embodiments of the present disclosure, the method flow according to embodiments of the present disclosure may be implemented as a computer software program. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program comprising program code for performing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from the network via the communication portion 909 and/or installed from the removable medium 911. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 901. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
The present disclosure also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM 902 and/or RAM 903 and/or one or more memories other than ROM 902 and RAM 903 described above.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be combined and/or integrated in a variety of ways, even if such combinations or integrations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be combined and/or integrated in various ways without departing from the spirit and teachings of the present disclosure. All such combinations and/or integrations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (10)

1. A data processing method, applied to universal user terminal equipment, wherein the method comprises the following steps:
receiving first access data;
performing destination address conversion on the first access data to obtain second access data, so that the destination address of the second access data is the IP address of the real service end to be accessed by the first access data, and the source address of the second access data is kept as the IP address of the real service end for transmitting the first access data;
transferring the second access data to a virtual network function service chain running on the universal user terminal equipment, and performing strategy configuration on the second access data by the virtual network function service chain to obtain third access data;
performing source address conversion on the third access data to obtain fourth access data; and
forwarding the fourth access data based on the destination access address of the fourth access data;
the step of performing destination address conversion on the first access data to obtain second access data includes:
performing destination address conversion on the first access data to obtain first intermediate data;
modifying the MAC address header of the first intermediate data according to a preset modification strategy to obtain the second access data, wherein the MAC address header of the second access data comprises information of a source address conversion strategy;
the step of performing source address conversion on the third access data to obtain fourth access data includes:
reading information of a source address conversion strategy carried in a MAC address header of the second access data;
performing source address conversion on the third access data based on the information of the source address conversion strategy to obtain second intermediate data; and
restoring the MAC address header of the second intermediate data based on the preset modification strategy to obtain the fourth access data.
2. The method of claim 1, wherein the method further comprises:
configuring the virtual network function service chain on the universal user terminal equipment.
3. The method of claim 2, wherein the virtual network function service chain comprises at least one virtual network function node, the configuring the virtual network function service chain on the generic user side device comprising:
configuring two interfaces for each virtual network function node of the at least one virtual network function node;
configuring two interfaces of each virtual network function node as two-layer bridging in each virtual network function node;
configuring a corresponding platform interconnection interface for each of two interfaces of each virtual network function node, wherein the platform interconnection interface is used for being connected with the universal user terminal equipment; and
connecting different virtual network function nodes in the at least one virtual network function node in series sequentially through platform interconnection interfaces corresponding to the two interfaces respectively.
4. The method of claim 1, wherein the modifying the MAC address header of the first intermediate data according to a preset modification policy comprises:
modifying the first two bytes in the MAC address header of the first intermediate data to 0, modifying the last four bytes to the session identifier corresponding to the first access data in network byte order, and modifying the source MAC address bytes to a fixed value.
5. A data processing apparatus, provided in a general-purpose user terminal device, wherein the apparatus includes:
the access receiving module is used for receiving the first access data;
the destination address conversion module is used for carrying out destination address conversion on the first access data to obtain second access data, so that the destination address of the second access data is the IP address of the real service end to be accessed by the first access data, and the source address of the second access data is kept as the IP address of the real service end for sending the first access data;
the policy configuration module is used for transferring the second access data to a virtual network function service chain running on the universal user terminal equipment, and the virtual network function service chain performs policy configuration on the second access data to obtain third access data;
the source address conversion module is used for carrying out source address conversion on the third access data to obtain fourth access data; and
the access forwarding module is used for forwarding the fourth access data based on the destination access address of the fourth access data;
the step of performing destination address conversion on the first access data to obtain second access data includes:
performing destination address conversion on the first access data to obtain first intermediate data;
modifying the MAC address header of the first intermediate data according to a preset modification strategy to obtain the second access data, wherein the MAC address header of the second access data comprises information of a source address conversion strategy;
the step of performing source address conversion on the third access data to obtain fourth access data includes:
reading information of a source address conversion strategy carried in a MAC address header of the second access data;
performing source address conversion on the third access data based on the information of the source address conversion strategy to obtain second intermediate data; and
restoring the MAC address header of the second intermediate data based on the preset modification strategy to obtain the fourth access data.
6. A data processing system, disposed in a general purpose client device, comprising:
a destination address translation system configured to run on the generic user side device;
a source address translation system configured to run on the generic user side device; and
a virtual network function service chain configured to run on the universal user terminal device;
the destination address conversion system, the virtual network function service chain and the source address conversion system are sequentially connected in series;
wherein,
the destination address translation system is configured to:
receiving first access data;
performing destination address conversion on the first access data to obtain second access data, so that the destination address of the second access data is the IP address of the real service end to be accessed by the first access data, and the source address of the second access data is kept as the IP address of the real service end for transmitting the first access data; and
forwarding the second access data to the virtual network function service chain;
the virtual network function service chain is used for carrying out strategy configuration on the second access data to obtain third access data, and transferring the third access data to the source address conversion system; and
the source address conversion system is used for carrying out source address conversion on the third access data to obtain fourth access data, and forwarding the fourth access data based on a destination access address of the fourth access data;
the destination address conversion system is configured to perform destination address conversion on the first access data, and obtaining second access data includes:
performing destination address conversion on the first access data to obtain first intermediate data;
modifying the MAC address header of the first intermediate data according to a preset modification strategy to obtain the second access data, wherein the MAC address header of the second access data comprises information of a source address conversion strategy;
the source address conversion system is further configured to perform source address conversion on the third access data to obtain fourth access data, and includes:
reading information of a source address conversion strategy carried in a MAC address header of the second access data;
performing source address conversion on the third access data based on the information of the source address conversion strategy to obtain second intermediate data; and
restoring the MAC address header of the second intermediate data based on the preset modification strategy to obtain the fourth access data.
7. The system of claim 6, wherein the virtual network function service chain comprises at least one virtual network function node:
each virtual network function node in the at least one virtual network function node is configured with two interfaces;
the two interfaces of each virtual network function node are configured into two-layer bridging inside the virtual network function node;
each of the two interfaces of each virtual network function node is configured with a corresponding platform interconnection interface, and the platform interconnection interface is used for being connected with the universal user terminal equipment; and
different virtual network function nodes in the at least one virtual network function node are configured to be serially connected in sequence through platform interconnection interfaces corresponding to the respective two interfaces.
8. The system of claim 7, wherein the modifying the MAC address header of the first intermediate data according to a preset modification policy comprises:
modifying the first two bytes in the MAC address header of the first intermediate data to 0, modifying the last four bytes to the session identifier corresponding to the first access data in network byte order, and modifying the source MAC address bytes to a fixed value.
9. A data processing system, comprising:
one or more memories storing executable instructions; and
one or more processors executing the executable instructions to implement the method of any of claims 1-4.
10. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method according to any of claims 1-4.
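As an added example that is not part of the patent text, the following Python shows the MAC-header tagging of claims 1 and 4 together with the validation a source address conversion stage would want before trusting a tag that has passed through the virtual network function service chain. It assumes that the "first two bytes" and "last four bytes" of claim 4 refer to the 6-byte destination MAC field and that a session table holds the source address conversion policy and the original MAC addresses; `FIXED_SRC_MAC`, the function names and the sample frame are constructed for illustration.

```python
import struct

# Assumed layout (an interpretation of claim 4): the 6-byte destination MAC
# becomes 00 00 + 4-byte session ID in network byte order; the source MAC
# becomes a fixed marker value. FIXED_SRC_MAC is a constructed value.
# The session table storing the original MACs is also an assumption.
FIXED_SRC_MAC = bytes.fromhex("02aabbccddee")
ETH_HLEN = 14


class TagError(ValueError):
    """Frame does not carry a valid session tag."""


def tag_frame(frame: bytes, session_id: int, sessions: dict) -> bytes:
    """DNAT side: save the original MACs, then overwrite them with the tag."""
    if len(frame) < ETH_HLEN:
        raise TagError("short frame")
    sessions[session_id]["orig_macs"] = frame[:12]
    tag = b"\x00\x00" + struct.pack("!I", session_id) + FIXED_SRC_MAC
    return tag + frame[12:]


def untag_frame(frame: bytes, sessions: dict):
    """SNAT side: validate the tag, look up the SNAT policy, restore MACs."""
    if len(frame) < ETH_HLEN:
        raise TagError("short frame")
    if frame[:2] != b"\x00\x00" or frame[6:12] != FIXED_SRC_MAC:
        raise TagError("not a tagged frame")
    (session_id,) = struct.unpack("!I", frame[2:6])
    entry = sessions.get(session_id)
    if entry is None or "orig_macs" not in entry:
        raise TagError("unknown session")
    return entry["snat"], entry["orig_macs"] + frame[12:]


def demo():
    # Constructed sample: Ethernet header (dst, src, EtherType) + payload.
    frame = bytes.fromhex("001122334455" "66778899aabb" "0800") + b"data"
    sessions = {0x01020304: {"snat": "198.51.100.7"}}
    tagged = tag_frame(frame, 0x01020304, sessions)
    policy, restored = untag_frame(tagged, sessions)
    return tagged[:12].hex(), policy, restored == frame
```

Rejecting frames whose tag fails these checks keeps a frame that was altered or injected inside the service chain from selecting another session's source address conversion policy.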
CN201911424631.5A 2019-12-31 2019-12-31 Data processing method, device, system, medium, and program Active CN111158864B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911424631.5A CN111158864B (en) 2019-12-31 2019-12-31 Data processing method, device, system, medium, and program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911424631.5A CN111158864B (en) 2019-12-31 2019-12-31 Data processing method, device, system, medium, and program

Publications (2)

Publication Number Publication Date
CN111158864A CN111158864A (en) 2020-05-15
CN111158864B true CN111158864B (en) 2023-05-30

Family

ID=70560696

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911424631.5A Active CN111158864B (en) 2019-12-31 2019-12-31 Data processing method, device, system, medium, and program

Country Status (1)

Country Link
CN (1) CN111158864B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114157632B (en) * 2021-10-12 2023-11-21 北京华耀科技有限公司 Network isolation method, device, equipment and storage medium
CN114422469B (en) * 2022-01-25 2023-10-24 北京天维信通科技有限公司 IPv4/IPv6 flow intelligent scheduling method, device and scheduling system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106878194A (en) * 2016-12-30 2017-06-20 新华三技术有限公司 A kind of message processing method and device
CN109451084A (en) * 2018-09-14 2019-03-08 华为技术有限公司 A kind of service access method and device
CN109525684A (en) * 2018-12-11 2019-03-26 杭州数梦工场科技有限公司 Message forwarding method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9930008B2 (en) * 2014-03-25 2018-03-27 Cisco Technology, Inc. Dynamic service chain with network address translation detection

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Jiang Hua; Yan Yifan; Ju Lei. Research on trusted service chain security architecture. Application Research of Computers. 2017, (04), full text. *

Also Published As

Publication number Publication date
CN111158864A (en) 2020-05-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant after: Qianxin Technology Group Co.,Ltd.

Applicant after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.

Address before: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant before: Qianxin Technology Group Co.,Ltd.

Applicant before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.

GR01 Patent grant