CN112104621A - Traffic management method and equipment - Google Patents
- Publication number
- CN112104621A
- Authority
- CN
- China
- Prior art keywords
- http protocol
- protocol data
- data message
- application system
- user
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Abstract
The application provides a traffic management method and equipment. In the method, when an HTTP protocol data message received by a control channel is determined to have passed identity and access management (IAM) authentication, a plurality of associated traffic table entries are established in an associated traffic management table for the user that sent the data message; each associated traffic table entry comprises at least the network address of the user, the latest access time and a protocol identifier corresponding to a non-HTTP protocol type; and the user is then allowed, according to the associated traffic management table, to send a plurality of non-HTTP protocol data messages to the application system through a non-HTTP protocol data channel.
Description
Technical Field
The present application relates to communication technologies, and in particular, to a traffic management method and apparatus.
Background
In a traditional network security model, the network boundary is used as the protection boundary, and devices such as a firewall, anti-DDoS (Distributed Denial of Service) equipment and an IPS (intrusion prevention system) are generally deployed to monitor traffic at the enterprise entrance. However, since intranet defenses are often weak, once an attacker breaches the boundary, the intranet environment faces a risk of data leakage. On the other hand, with the rise of the microservice architecture, system composition has evolved from centralized to distributed, the services an enterprise provides externally are more targeted, and a more fine-grained protection mode is needed.
Against this background, zero trust network technology emerged. In a zero trust network, a user's traffic accessing the network must first be authenticated by a proxy device; the proxy device generates a token for the authenticated user, sends it to the user in the cookie field of an HTTP (Hypertext Transfer Protocol) packet, and the authenticated user stores the received token in a local cookie. When the proxy device subsequently receives a message destined for the application system, it forwards the message to the application system through the HTTP-based control channel if the message carries the token, and does not forward it otherwise.
However, when the application system has a plurality of interaction channels, such as a control channel based on the HTTP protocol and a data channel based on the TCP protocol, the proxy device can only perform IAM (Identity and Access Management) authentication on messages received by the HTTP-based control channel, and cannot perform IAM authentication on messages received by the other data channels.
Disclosure of Invention
The application aims to provide a traffic management method and traffic management equipment, which are used for managing non-HTTP protocol data messages received by a non-HTTP protocol data channel based on HTTP protocol data messages received by a control channel.
In order to achieve the above object, the present application provides a traffic management method in which, when it is determined that an HTTP protocol data packet received by a control channel passes identity and access management (IAM) authentication, a plurality of associated traffic table entries are established for the user sending the data packet in an associated traffic management table; each associated traffic table entry comprises at least the network address of the user, the latest access time and a protocol identifier corresponding to a non-HTTP protocol type; and the user is allowed, based on the associated traffic management table, to send multiple non-HTTP protocol data messages to an application system over a non-HTTP protocol data channel.
To achieve the above object, the present application also provides a traffic management device, which includes a processor and a memory; the memory is used for storing processor executable instructions; wherein the processor is configured to perform the following by executing the processor-executable instructions in the memory: determining that an HTTP protocol data message received by a control channel passes identity recognition and access management IAM authentication; establishing a plurality of associated flow table entries for users sending data messages in an associated flow management table; wherein each associated traffic table entry at least comprises: the network address, the latest access time and a protocol identifier corresponding to a non-HTTP protocol type of the user; and allowing the user to send a plurality of non-HTTP protocol data messages to the application system through the non-HTTP protocol data channel according to the associated traffic management table.
The advantage of this is that an application system whose login control channel uses HTTP can be deployed in a zero trust network even if it uses a non-HTTP protocol for data message transmission, which expands the range of application of the zero trust network.
Drawings
Fig. 1 is a flowchart of an embodiment of a traffic management method provided in the present application;
Fig. 2 is a flow chart illustrating the setting of an associated traffic management table;
Fig. 3 is a flow diagram illustrating the management of non-HTTP protocol data packets via an associated traffic management table;
Fig. 4 is a schematic diagram of an embodiment of a traffic management apparatus provided in the present application.
Detailed Description
A detailed description will be given of a number of examples shown in a number of figures. In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the present application. Well-known methods, procedures, components and circuits have not been described in detail so as not to obscure the examples.
The term "including" as that term is used is meant to include, but is not limited to; the term "comprising" means including but not limited to; the terms "above," "within," and "below" include the instant numbers; the terms "greater than" and "less than" mean that the number is not included. The term "based on" means based on at least a portion thereof.
Fig. 1 is a flowchart of an embodiment of a traffic management method provided in the present application; the method comprises the following steps:
Step 102, establishing a plurality of associated traffic table entries for the user sending the data message in an associated traffic management table.
Each associated traffic table entry comprises at least the network address of the user, the latest access time and a protocol identifier corresponding to a non-HTTP protocol type.
Step 103, allowing the user to send a plurality of non-HTTP protocol data messages to the application system through the non-HTTP protocol data channel according to the associated traffic management table.
The method shown in Fig. 1 has the beneficial effect that an application system whose login control channel uses the HTTP protocol can be deployed in a zero trust network even if it uses a non-HTTP protocol for data message transmission, thereby expanding the range of application of the zero trust network.
Fig. 2 is a flow chart illustrating the setting of an associated traffic management table. As shown in Fig. 2, the procedure includes the following:
For an application system using the HTTP protocol for a control channel, the control channel is identified and managed directly using an existing management scheme.
The user generates a data stream a, which passes through the proxy device. According to the existing management scheme, the proxy device performs IAM authentication using the user's authentication information and the application information.
After authentication passes, the proxy device carries the relevant token in the cookie field of the HTTP protocol. Once the user has received the token and stored it in the local cookie, all subsequently generated request messages carry the token field. The proxy device therefore releases request messages that carry the token and forwards them to the application system.
One or more data channels associated with the control channel are identified according to a protocol management module built into the IAM system or the proxy device. For a user who has passed authentication, the data channels that the user subsequently generates to access the application system are also considered allowed.
The embodiment shown in Fig. 2 improves the IAM authentication procedure of the existing HTTP protocol control channel by generating associated traffic management table entries for the user authenticated by the IAM. This addresses the following problems in the prior art: when the access traffic of the application system is not based on the HTTP protocol, it is difficult for the proxy device to insert the necessary authentication token into the traffic under the existing scheme. Application protocols are numerous, so the proxy device would have to parse each protocol separately; most protocols, especially binary-coded ones, have no field into which authentication information can be inserted; and for application systems whose protocol is not publicly defined, insertion of authentication information cannot be realized at all. With the present scheme, for an application system using a non-HTTP protocol, the HTTP protocol messages received by the control channel are used to manage the non-HTTP protocol messages received by the data channel, so that such a system can be deployed and effectively managed in the zero trust network.
Fig. 3 is a flow diagram illustrating the management of non-HTTP protocol data packets via an associated traffic management table. As shown in Fig. 3, the procedure includes the following:
For a data channel of a non-HTTP protocol, the judgment principle of the same user is the same source IP address. More strictly, if the source IP address is a NAT translated address of a local area network egress (using existing identification schemes), subsequent access by the user may be allowed or blocked depending on the control policy.
At step 302, application protocol features are identified.
Data stream a is associated with data stream b and other data streams; this association is handled by the protocol identification module. The data streams generated by each application are an objective fact whose analysis results come from the existing protocol identification process, and the identification here is likewise performed by the protocol management module using the content characteristics of the data stream.
However, the content characteristics of a data channel may not be recognizable from its first message.
Since the protocol type is determined per data stream or data channel, and the protocol type of a given control channel or data channel is fixed, the identification here also uses the content characteristics of the data stream as described above; it is therefore not based on per-packet identification.
As shown in step 302, because the content characteristics of the data channel may not be identifiable from the first messages, a threshold is set so that the data stream of the data channel can still be identified while preventing unrelated traffic from being wrongly passed. Unidentified data messages are forwarded to the application system only while their number does not exceed this threshold, which avoids the security hazard of a large volume of unidentified messages attacking the application system while still ensuring that the associated traffic is correctly identified.
The principle for identifying the same user is the source IP address: as shown in step 301, the associated traffic management table is looked up using the source IP address together with the protocol identifier of the identified protocol type.
In order to avoid the control risk caused by an associated traffic management table entry never aging out, the aging time of each associated traffic table entry is controlled through the latest message access time. When a matching associated traffic management table entry is found, its latest access time is updated, so that an entry in active use is not deleted when its aging time elapses.
Through the embodiment shown in Fig. 3, data streams other than the associated traffic generated by the user, and data streams of the same type generated by other users, are not allowed to pass through the proxy device to the application system in the zero trust network, achieving more comprehensive management and overcoming the defects of the prior art. Application systems using non-HTTP protocols (provided at least the login control channel uses the HTTP protocol) can thus also be deployed in the zero trust network, expanding its range of application.
Fig. 4 is a schematic diagram of an embodiment of a traffic management apparatus provided in the present application. This device 40 may be used as a device in a zero trust network that performs IAM authentication. The device includes a processor, a memory and a switching chip, which are connected through a bus. By executing processor-executable instructions in the memory, the processor performs the following:
determining that an HTTP protocol data message received by a control channel passes identity recognition and access management IAM authentication; establishing a plurality of associated flow table entries for users sending data messages in an associated flow management table; wherein each associated traffic table entry at least comprises: the network address, the latest access time and a protocol identifier corresponding to a non-HTTP protocol type of the user; and allowing the user to send a plurality of non-HTTP protocol data messages to the application system through the non-HTTP protocol data channel according to the associated traffic management table.
The processor, by executing the instructions in the memory, allows the user to send a plurality of non-HTTP protocol data messages to the application system via the non-HTTP protocol data channel according to the associated traffic management table as follows: judging whether the protocol type of each non-HTTP protocol data message is identified; if so, searching the associated traffic management table according to the protocol identifier corresponding to the identified protocol type and the non-HTTP protocol data message; allowing a non-HTTP protocol data message for which a matching associated traffic table entry is found to be sent to the application system through the non-HTTP protocol data channel; and not allowing a non-HTTP protocol data message for which no matching associated traffic table entry is found to be sent to the application system through the non-HTTP protocol data channel.
When the processor, by executing the instructions in the memory, finds a matching associated traffic table entry, it also performs the following: updating the latest access time in the matching associated traffic table entry that was found.
The processor, by executing the instructions in the memory, further performs the following: identifying and deleting, in the associated traffic management table, any associated traffic table entry whose latest access time has not been updated within the aging time.
When the processor, by executing the instructions in the memory, does not recognize the protocol type of a non-HTTP protocol data message, it also performs the following: judging whether the number of messages whose protocol type has not been identified exceeds a threshold value; if not, allowing the unrecognized non-HTTP protocol data message to be sent to the application system through the non-HTTP protocol data channel; and if so, not allowing the unrecognized non-HTTP protocol data message to be sent to the application system through the non-HTTP protocol data channel (consistent with claims 5 and 10).
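The decision logic of Figs. 2 to 4, written out as an added example that is not code from the patent: an associated traffic management table keyed by source IP and protocol identifier, entry aging driven by the latest access time, and the threshold for unidentified messages. The protocol signatures, the per-source-IP counting of unidentified messages and the injectable clock are assumptions made for illustration.

```python
from dataclasses import dataclass
import time

# Illustrative content-feature signatures for the protocol identification
# module (constructed; a real module would use far richer features).
SIGNATURES = {
    "ssh": b"SSH-",   # SSH version exchange banner
    "rfb": b"RFB ",   # VNC/RFB protocol version string
}


def identify_protocol(payload: bytes):
    """Return the protocol identifier for a payload, or None if unidentified."""
    for proto_id, prefix in SIGNATURES.items():
        if payload.startswith(prefix):
            return proto_id
    return None


@dataclass
class FlowEntry:
    src_ip: str        # network address of the authenticated user
    proto_id: str      # protocol identifier of an associated non-HTTP protocol
    last_access: float # latest access time, used for aging


class AssocTrafficTable:
    """Associated traffic management table kept by the proxy device."""

    def __init__(self, aging_seconds: float, unknown_threshold: int, now=time.time):
        self.aging_seconds = aging_seconds
        self.unknown_threshold = unknown_threshold
        self.now = now                 # injectable clock (assumption, for testing)
        self.entries = {}              # (src_ip, proto_id) -> FlowEntry
        self.unknown_count = {}        # src_ip -> unidentified messages seen (assumption)

    def on_http_authenticated(self, src_ip: str, assoc_protos):
        """Steps 101/102: after the HTTP control channel passes IAM authentication,
        create one associated entry per non-HTTP protocol the application uses."""
        for proto_id in assoc_protos:
            self.entries[(src_ip, proto_id)] = FlowEntry(src_ip, proto_id, self.now())

    def age_out(self) -> int:
        """Delete entries whose latest access time is older than the aging time."""
        now = self.now()
        expired = [k for k, e in self.entries.items()
                   if now - e.last_access >= self.aging_seconds]
        for k in expired:
            del self.entries[k]
        return len(expired)

    def handle_packet(self, src_ip: str, payload: bytes) -> str:
        """Step 103: decide whether a non-HTTP data-channel packet may be forwarded."""
        self.age_out()
        proto_id = identify_protocol(payload)
        if proto_id is None:
            # Protocol type not (yet) identified: forward only while the count of
            # unidentified messages from this source does not exceed the threshold.
            n = self.unknown_count.get(src_ip, 0) + 1
            self.unknown_count[src_ip] = n
            return "ALLOW" if n <= self.unknown_threshold else "DROP"
        entry = self.entries.get((src_ip, proto_id))   # step 301 lookup
        if entry is None:
            return "DROP"          # no associated entry: not allowed through
        entry.last_access = self.now()                 # refresh aging timer
        return "ALLOW"


class FakeClock:
    """Deterministic clock so the aging behaviour can be shown offline."""
    def __init__(self, t: float):
        self.t = t
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float):
        self.t += seconds


def run_scenario():
    """Constructed traffic sequence; returns the list of per-packet decisions."""
    clock = FakeClock(1000.0)
    table = AssocTrafficTable(aging_seconds=300, unknown_threshold=3, now=clock)
    table.on_http_authenticated("10.0.0.5", ["ssh", "rfb"])   # user passed IAM auth
    decisions = [
        table.handle_packet("10.0.0.5", b"SSH-2.0-OpenSSH_8.9\r\n"),  # ALLOW: entry exists
        table.handle_packet("10.0.0.9", b"SSH-2.0-OpenSSH_8.9\r\n"),  # DROP: other user
        table.handle_packet("10.0.0.5", b"\x00\x01\x02"),             # ALLOW: unknown #1
        table.handle_packet("10.0.0.5", b"\x00\x01\x02"),             # ALLOW: unknown #2
        table.handle_packet("10.0.0.5", b"\x00\x01\x02"),             # ALLOW: unknown #3
        table.handle_packet("10.0.0.5", b"\x00\x01\x02"),             # DROP: over threshold
    ]
    clock.advance(400)                                                # beyond aging time
    decisions.append(table.handle_packet("10.0.0.5", b"SSH-2.0-x\r\n"))  # DROP: aged out
    return decisions


if __name__ == "__main__":
    print(run_scenario())
```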
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.
Claims (10)
1. A method of traffic management, the method comprising:
determining that an HTTP protocol data message received by a control channel passes identity recognition and access management IAM authentication;
establishing a plurality of associated flow table entries for a user sending the data message in an associated flow management table; wherein each associated traffic table entry at least comprises: the network address, the latest access time and a protocol identifier corresponding to a non-HTTP protocol type of the user;
and allowing the user to send a plurality of non-HTTP protocol data messages to an application system through a non-HTTP protocol data channel according to the associated traffic management table.
2. The method of claim 1, wherein allowing the user to send a plurality of non-HTTP protocol data packets to an application system via a non-HTTP protocol data channel according to the associated traffic management table comprises:
judging whether the protocol type of each non-HTTP protocol data message is identified;
if yes, searching the associated traffic management table according to the identified protocol identification corresponding to the protocol type and each non-HTTP protocol data message;
allowing a non-HTTP protocol data message for searching the matched associated flow table entry to be sent to the application system through a non-HTTP protocol data channel;
and not allowing the non-HTTP protocol data message of which the matched associated flow table entry is not found to be sent to the application system through a non-HTTP protocol data channel.
3. The method of claim 2, wherein when a matching associated traffic table entry is found, the method further comprises:
and updating the latest access time in the searched matched associated flow table entry.
4. The method of claim 2, further comprising:
and identifying and deleting the associated flow table entry with the time which is not updated and reaches the aging time in the associated flow management table.
5. The method of claim 2, further comprising:
when the protocol type of each non-HTTP protocol data message is not identified, judging whether the number of the messages without the identified protocol type exceeds a threshold value;
if not, allowing the non-HTTP protocol data channel to send the non-identified non-HTTP protocol type data message to the application system;
and if so, not allowing the unrecognized non-HTTP protocol type data message to be sent to the application system through a non-HTTP protocol data channel.
6. A traffic management device, characterized in that the device comprises a processor and a memory; the memory is to store processor-executable instructions; wherein the processor, by executing the processor-executable instructions in the memory, is to perform operations comprising:
determining that an HTTP protocol data message received by a control channel passes identity recognition and access management IAM authentication;
establishing a plurality of associated flow table entries for a user sending the data message in an associated flow management table; wherein each associated traffic table entry at least comprises: the network address, the latest access time and a protocol identifier corresponding to a non-HTTP protocol type of the user;
and allowing the user to send a plurality of non-HTTP protocol data messages to an application system through a non-HTTP protocol data channel according to the associated traffic management table.
7. The apparatus of claim 6, wherein the processor, by executing the instructions in the memory, allows the user to send a plurality of non-HTTP protocol data packets to an application system via a non-HTTP protocol data channel according to the associated traffic management table by:
judging whether the protocol type of each non-HTTP protocol data message is identified;
if yes, searching the associated traffic management table according to the identified protocol identification corresponding to the protocol type and each non-HTTP protocol data message;
allowing a non-HTTP protocol data message for searching the matched associated flow table entry to be sent to the application system through a non-HTTP protocol data channel;
and not allowing the non-HTTP protocol data message of which the matched associated flow table entry is not found to be sent to the application system through a non-HTTP protocol data channel.
8. The apparatus of claim 7, wherein when the processor finds a matching associated traffic table entry by executing the instructions in the memory, the processor further performs the following:
and updating the latest access time in the searched matched associated flow table entry.
9. The apparatus of claim 7, wherein the processor, by executing the instructions in the memory, further performs the following:
and identifying and deleting the associated flow table entry with the time which is not updated and reaches the aging time in the associated flow management table.
10. The apparatus of claim 7, wherein when the processor, by executing the instructions in the memory, does not identify the protocol type of a non-HTTP protocol data message, the processor further performs the following:
judging whether the number of messages without identifying the protocol type exceeds a threshold value;
if not, allowing the non-HTTP protocol data channel to send the non-identified non-HTTP protocol type data message to the application system;
and if so, not allowing the unrecognized non-HTTP protocol type data message to be sent to the application system through a non-HTTP protocol data channel.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010892786.8A CN112104621B (en) | 2020-08-31 | 2020-08-31 | Traffic management method and equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112104621A (en) | 2020-12-18 |
CN112104621B (en) | 2022-04-01 |
Family
ID=73756843
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010892786.8A Active CN112104621B (en) | 2020-08-31 | 2020-08-31 | Traffic management method and equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112104621B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113505353A (en) * | 2021-07-09 | 2021-10-15 | 绿盟科技集团股份有限公司 | Authentication method, device, equipment and storage medium |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102695167A (en) * | 2012-05-18 | 2012-09-26 | 中国联合网络通信集团有限公司 | Mobile subscriber identity management method and apparatus thereof |
CN104468790A (en) * | 2014-12-09 | 2015-03-25 | 北京奇虎科技有限公司 | Method for processing cookie data and client side |
CN105051715A (en) * | 2013-03-15 | 2015-11-11 | 光明测量公司 | Systems and methods for establishing cloud-based instances with independent permissions |
CN105072129A (en) * | 2015-08-27 | 2015-11-18 | 北京星网锐捷网络技术有限公司 | Authentication method and system |
US20180083835A1 (en) * | 2016-09-16 | 2018-03-22 | Oracle International Corporation | Application management for a multi-tenant identity cloud service |
WO2018190983A1 (en) * | 2017-04-11 | 2018-10-18 | Xage Security, Inc. | Single authentication portal for diverse industrial network protocols across multiple osi layers |
CN110943827A (en) * | 2019-10-18 | 2020-03-31 | 天津幸福生命科技有限公司 | Data acquisition method and device based on network protocol |
Non-Patent Citations (2)
Title |
---|
Zhao Jie et al.: "IoT terminal security authentication protocol combining elliptic curve encryption with cookie information", 《电信科学》 * |
Lang Weimin et al.: "Research on identity and access management mechanisms for big data centers", 《电信快报》 * |
Also Published As
Publication number | Publication date |
---|---|
CN112104621B (en) | 2022-04-01 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||