CN113329009A - Method, device and system for controlling forwarding of flow data

Info

Publication number
CN113329009A
Authority
CN
China
Prior art keywords
address
private network
message
forwarding
authentication
Prior art date
Legal status
Pending
Application number
CN202110585062.3A
Other languages
Chinese (zh)
Inventor
张瑞冬
Current Assignee
Hangzhou DPTech Technologies Co Ltd
Original Assignee
Hangzhou DPTech Technologies Co Ltd

Classifications

    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL (under H04L 63/02, separating internal from external traffic, e.g. firewalls, and H04L 63/0227, filtering policies)
    • H04L 63/0428 Confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 9/3247 Cryptographic mechanisms or network security protocols including means for verifying the identity or authority of a user or for message authentication, involving digital signatures
    • H04W 12/03 Security arrangements in wireless communication networks: protecting confidentiality, e.g. by encryption
    • H04W 12/088 Access security using filters or firewalls
    • H04W 12/10 Integrity

Abstract

The disclosure relates to a method, device, system, electronic device and computer-readable medium for controlling the forwarding of traffic data. The method comprises: acquiring an authentication message of a user from the traffic data; extracting the private network IP address of the user from the authentication message; generating a notification message based on the private network IP address; and sending the notification message to an egress gateway so that the egress gateway controls forwarding of the traffic data. The method, device, system, electronic device and computer-readable medium can automatically block the traffic corresponding to a user who has gone offline, effectively block redundant traffic sent from the external network to the internal network, and prevent traffic from being billed to the wrong user.

Description

Method, device and system for controlling forwarding of flow data
Technical Field
The present disclosure relates to the field of computer information processing, and in particular, to a method, an apparatus, a system, an electronic device, and a computer-readable medium for controlling forwarding of traffic data.
Background
In large network deployments, different functions are typically deployed on different devices. This reduces the coupling of the deployment as a whole and prevents a fault in one part from affecting the stability of the entire network. Fig. 1 shows one typical deployment scenario. When a user accesses the Internet, the user first reaches an access control system, and the access control system sends an authentication request to a RADIUS server. For an authenticated user, the access control system allocates a private network address, and the user accesses the external network through a NAT gateway using that private network address. While the user accesses the external network, the access control system counts the user's IP traffic and sends accounting (charging) messages to the RADIUS authentication platform; billing of the individual user is finally realized by the RADIUS accounting platform.
In the prior art, the user is generally controlled by the access control system, and usage statistics are collected on the basis of that control. The network authentication system and the network egress are therefore independent of each other. If, after a user goes offline, the external network is still sending traffic destined for that user's intranet address, then when the intranet IP is recycled and allocated to another user there is a risk that the other user is billed for traffic that is not theirs.
Therefore, a new method, apparatus, system, electronic device and computer-readable medium for controlling the forwarding of traffic data are needed.
The information disclosed in this background section is only for enhancement of understanding of the background of the disclosure and therefore may contain information that does not constitute prior art already known to a person of ordinary skill in the art.
Disclosure of Invention
In view of this, the present disclosure provides a method, apparatus, system, electronic device and computer-readable medium for controlling the forwarding of traffic data, which can automatically block the traffic corresponding to a user who has gone offline, effectively block redundant traffic sent from the external network to the internal network, and prevent traffic from being billed to the wrong user.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of the disclosure.
According to an aspect of the present disclosure, a method for controlling the forwarding of traffic data is provided. The method is applicable to an authentication and accounting monitoring platform and includes: acquiring an authentication message of a user from the traffic data; extracting the private network IP address of the user from the authentication message; generating a notification message based on the private network IP address; and sending the notification message to an egress gateway so that the egress gateway controls forwarding of the traffic data.
In an exemplary embodiment of the present disclosure, acquiring an authentication message of a user from the traffic data includes: listening to the traffic data exchanged between the access control system and the authentication and accounting server; parsing the traffic data to extract authentication messages; and extracting the user online and offline (accounting start and stop) messages from the authentication messages.
In an exemplary embodiment of the present disclosure, generating a notification message based on the private network IP address further includes: encrypting and signing the notification message.
In an exemplary embodiment of the present disclosure, sending the notification message to an egress gateway so that the egress gateway controls forwarding of the traffic data includes: at a preset time, sending the notification messages aggregated up to that time to the egress gateway in a batch, so that the egress gateway controls forwarding of the traffic data.
According to an aspect of the present disclosure, a method for controlling the forwarding of traffic data applicable to an egress gateway is provided, which includes: acquiring a notification message from the authentication and accounting monitoring platform; parsing the notification message to extract a private network IP address; updating a preset blocking node table based on the private network IP address; and matching the traffic data against the blocking node table to control forwarding of the traffic data.
In an exemplary embodiment of the present disclosure, the method further includes: generating the blocking node table from a plurality of private network IP addresses together with the node value and node time corresponding to each, where each private network IP address with its corresponding node value and node time forms one node of the blocking node table.
In an exemplary embodiment of the present disclosure, the method further includes: aging the nodes of the blocking node table periodically according to a preset period.
In an exemplary embodiment of the present disclosure, updating the blocking node table based on the private network IP address includes: performing a hash calculation on the private network IP address to generate a node value; matching the node value against the node values of the nodes already in the blocking node table; and, when a match is found (a hash collision with an existing node), chaining the private network IP address behind that node in the blocking node table.
In an exemplary embodiment of the present disclosure, chaining the private network IP address behind a node in the blocking node table includes: extracting the generation time of the private network IP address; generating a child node from the generation time and the private network IP address; and linking the child node behind the node in the blocking node table.
In an exemplary embodiment of the present disclosure, matching the traffic data against the blocking node table to control forwarding of the traffic data includes: acquiring the source IP address and destination IP address of a packet in the traffic data; matching the source IP address and the destination IP address respectively against the nodes of the blocking node table; and discarding the packet when either matches.
According to an aspect of the present disclosure, a forwarding control device for traffic data applicable to an authentication and accounting monitoring platform is provided, including: a message module for acquiring an authentication message of a user from the traffic data; an address module for extracting the private network IP address of the user from the authentication message; a notification module for generating a notification message based on the private network IP address; and a sending module for sending the notification message to an egress gateway so that the egress gateway controls forwarding of the traffic data.
According to an aspect of the present disclosure, a forwarding control apparatus for traffic data applicable to an egress gateway is provided, including: a message module for acquiring a notification message from the authentication and accounting monitoring platform; a parsing module for parsing the notification message to extract a private network IP address; an updating module for updating a preset blocking node table based on the private network IP address; and a control module for matching the traffic data against the blocking node table to control forwarding of the traffic data.
According to an aspect of the present disclosure, a forwarding control system for traffic data is provided, including: an authentication and accounting monitoring platform for acquiring an authentication message of a user from the traffic data, extracting the private network IP address of the user from the authentication message, generating a notification message based on the private network IP address, and sending the notification message to an egress gateway; and the egress gateway, for acquiring the notification message from the authentication and accounting monitoring platform, parsing the notification message to extract the private network IP address, updating a preset blocking node table based on the private network IP address, and matching the traffic data against the blocking node table to control forwarding of the traffic data.
According to an aspect of the present disclosure, an electronic device is provided, the electronic device including: one or more processors; storage means for storing one or more programs; when executed by one or more processors, cause the one or more processors to implement a method as above.
According to an aspect of the disclosure, a computer-readable medium is proposed, on which a computer program is stored, which program, when being executed by a processor, carries out the method as above.
According to the method, device, system, electronic device and computer-readable medium for controlling the forwarding of traffic data of the present disclosure, an authentication message of a user is acquired from the traffic data; the private network IP address of the user is extracted from the authentication message; a notification message is generated based on the private network IP address; and the notification message is sent to the egress gateway so that the egress gateway controls forwarding of the traffic data. In this way the traffic corresponding to a user who has gone offline is automatically blocked, redundant traffic sent from the external network to the internal network is effectively blocked, and traffic is prevented from being billed to the wrong user.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings. The drawings described below are merely some embodiments of the present disclosure, and other drawings may be derived from those drawings by those of ordinary skill in the art without inventive effort.
Fig. 1 is a block diagram of a forwarding control system for traffic data in the prior art.
Fig. 2 is a traffic forwarding diagram of a traffic data forwarding control system in the prior art.
Fig. 3 is a traffic forwarding diagram of another traffic data forwarding control system in the prior art.
Fig. 4 is a traffic forwarding diagram of a forwarding control system for traffic data in the prior art.
Fig. 5 is a block diagram illustrating a forwarding system for traffic data in accordance with an example embodiment.
Fig. 6 is a flowchart illustrating a method for controlling forwarding of traffic data according to an exemplary embodiment.
Fig. 7 is a flowchart illustrating a forwarding control method of traffic data according to another exemplary embodiment.
Fig. 8 is a block diagram illustrating a forwarding control apparatus for traffic data according to an example embodiment.
Fig. 9 is a block diagram illustrating a forwarding control apparatus for traffic data according to another exemplary embodiment.
FIG. 10 is a block diagram illustrating an electronic device in accordance with an example embodiment.
FIG. 11 is a block diagram illustrating a computer-readable medium in accordance with an example embodiment.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The same reference numerals denote the same or similar parts in the drawings, and thus, a repetitive description thereof will be omitted.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and so forth. In other instances, well-known methods, devices, systems, implementations, or operations have not been shown or described in detail to avoid obscuring aspects of the disclosure.
The block diagrams shown in the figures are functional entities only and do not necessarily correspond to physically separate entities. I.e. these functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor means and/or microcontroller means.
The flow charts shown in the drawings are merely illustrative and do not necessarily include all of the contents and operations/steps, nor do they necessarily have to be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.
It will be understood that, although the terms first, second, third, etc. may be used herein to describe various components, these components should not be limited by these terms. These terms are used to distinguish one element from another. Thus, a first component discussed below may be termed a second component without departing from the teachings of the disclosed concept. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
It is to be understood by those skilled in the art that the drawings are merely schematic representations of exemplary embodiments, and that the blocks or processes shown in the drawings are not necessarily required to practice the present disclosure and are, therefore, not intended to limit the scope of the present disclosure.
The technical abbreviations used in this disclosure are explained as follows:
NAT: network address translation, a technique for translating IP addresses.
NAT gateway: a device generally deployed at the egress of an internal network to perform NAT between internal network addresses and public network addresses.
RADIUS authentication: a third-party authentication method. Based on the RADIUS protocol, authentication, authorization and accounting for different users are realized through the cooperation of a client and a server.
As shown in Fig. 1, when a user accesses the Internet, the user first reaches the access control system through a wireless hotspot or a wired connection, and the access control system sends the user's data to the RADIUS authentication and accounting system for authentication. After authentication passes, the access control system allocates a private network IP address IP1 to the user; the user accesses the Internet with this private IP, which the NAT gateway translates to a public network address for access to the external network.
While the user is online, the access control system controls and counts traffic by private network IP: only allocated private network IP addresses are allowed through the access control system, and unallocated IP addresses are blocked. At the same time, the traffic of each allocated private network IP is counted and reported to the RADIUS authentication and accounting server, which finally realizes unified authentication and accounting for a plurality of users.
The access control system uses a cyclic private network IP address pool: a private network IP is allocated to a user when the user comes online, is placed in a resource recycling pool when the user goes offline, and is returned to the IP resource pool for reuse after it has cooled in the recycling pool for a period of time.
When a private network IP accesses the external network, the NAT gateway translates it to a mapped public network address and creates a session. When a reply packet from the public network passes through the NAT gateway, the gateway looks up the session and translates the public address back to the intranet user's private network IP, realizing a many-to-one mapping between private network IPs and the public IP.
As shown in Fig. 2, user A accesses the network through a wireless hotspot; after authentication, the access control system allocates private network address IP1 to user A and begins accounting for IP1 (sending accounting messages for IP1 to the RADIUS authentication system). When user A accesses the external network, the NAT gateway translates the address to public IP2 and creates a session. Consider the following case: after logging in successfully, user A starts a multi-segment download from the external network, and the external network sends a large volume of download packets to public address IP2; after NAT translation, this appears as a large volume of external traffic destined for user A's private network IP1. As shown in Fig. 3, if user A goes offline during the download, IP1 enters the resource recycling pool in the access control system, and the access control system drops packets addressed to IP1. However, the NAT gateway does not know that user A is offline, and because the external network keeps sending traffic to the NAT gateway, that traffic keeps refreshing the session, so the traffic corresponding to user A continues to be forwarded by the NAT gateway into the internal network.
The inventors of the present disclosure found that if user B comes online at this point and is authenticated, the access control system may allocate IP1 to user B again. As shown in Fig. 4, since IP1 is now a valid IP again, the external traffic forwarded into the internal network by the NAT gateway is delivered to user B through the access control system, and the access control system at the same time sends accounting messages to the RADIUS authentication and accounting server. But user B has not accessed the corresponding service, so user B is billed in error.
To solve the problem that, in a network where the authentication system and the network egress are independent of each other, traffic sent from the external network to the intranet may persist after a user goes offline and cause the user to whom the intranet IP is recycled to be billed in error, the present disclosure provides a method, apparatus and system for controlling the forwarding of traffic data. The disclosure is described in detail below with reference to specific embodiments.
Fig. 5 is a block diagram illustrating a forwarding system for traffic data in accordance with an example embodiment.
As shown in Fig. 5, the system architecture may include a mobile terminal, a wireless hotspot, other terminals, an access control system, an authentication and accounting server, an egress gateway, an authentication and accounting monitoring platform, other devices, an external network, and so on. Network links provide the communication medium between the mobile terminal, wireless hotspot, other terminals, access control system, authentication and accounting server, egress gateway, authentication and accounting monitoring platform, other devices and the external network. The links may be of various types, such as wired links, wireless links or optical fibre.
A user may use the mobile terminal, the wireless hotspot or other terminals to exchange data through the access control system, the egress gateway and the external network, for example to receive or send messages. Various communication client applications may be installed on the mobile terminal or other terminals, such as a web browser, a search application, an instant messaging tool, a mail client or social platform software.
The mobile terminal or other terminal may be any of various electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop computers and desktop computers.
The access control system sends the user's traffic data to the authentication and accounting system for authentication; when authentication passes, the access control system allocates a private network IP address IP1 to the user. When the user accesses the external network, the access control system only permits the allocated private network IP to pass, keeps online-time statistics per private network IP, and may report the user's online time to the authentication and accounting server.
The authentication and accounting monitoring platform acquires an authentication message of a user from the traffic data; extracts the private network IP address of the user from the authentication message; generates a notification message based on the private network IP address; and sends the notification message to the egress gateway.
The egress gateway translates the private IP address to a public IP address when the user accesses the Internet using the private IP address. More specifically, it is further configured to acquire the notification message from the authentication and accounting monitoring platform; parse the notification message to extract the private network IP address; update a preset blocking node table based on the private network IP address; and match the traffic data against the blocking node table to control forwarding of the traffic data.
Fig. 6 is a flowchart illustrating a method for controlling the forwarding of traffic data according to an exemplary embodiment. The forwarding control method 60 is applicable to an authentication and accounting monitoring platform and includes at least steps S602 to S608.
The authentication and accounting monitoring platform device can listen to the user online and offline messages exchanged between the access control system and the authentication and accounting server. The monitoring platform parses the user's private network IP address out of the authentication message, assembles a message based on that private network IP, encrypts and signs the message, and sends it to the egress gateway or to other devices that need to act in coordination. The egress gateway then generates a blocking entry for that IP and blocks its traffic. The specific steps are as follows:
As shown in Fig. 6, in S602, an authentication message of the user is acquired from the traffic data. For example, the traffic data between the access control system and the authentication and accounting server may be listened to and parsed to extract authentication messages, and the online and offline messages are then extracted from those authentication messages.
In S604, the private network IP address of the user is extracted from the authentication message.
In S606, a notification message is generated based on the private network IP address. The notification message may also be encrypted and signed.
In S608, the notification message is sent to the egress gateway so that the egress gateway controls forwarding of the traffic data. For example, at a preset time the aggregated notification messages are sent to the egress gateway in a batch. In scenarios with lower real-time requirements, the monitoring platform device may collect a certain amount of private network IP address data before sending it to the coordinated devices, which then parse the IP addresses together.
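As an added example that is not part of the patent, the monitoring-platform side of steps S602 to S608 in Python: it parses RADIUS Accounting-Request packets of the kind exchanged between the access control system and the accounting server, verifies each Request Authenticator with the RADIUS shared secret so that a forged Stop record injected onto the monitored link cannot be used to block a live user's address (a check the text does not mention but which any passive listener that drives blocking needs), keeps only Accounting Stop (user offline) records, extracts Framed-IP-Address, and batches the private IPs into one signed notification that the gateway verifies before use. RADIUS framing follows RFC 2865/2866; the JSON notification format, the HMAC-SHA256 signature, the key values and the sample packets are assumptions constructed for this example, and encryption of the notification is left to the transport.

```python
"""Monitoring-platform side (added example, not the patent's code): sniffed RADIUS
accounting -> authentic Stop records -> private IPs -> signed batch notification."""
import hashlib
import hmac
import json
import struct

ACCOUNTING_REQUEST = 4          # RADIUS Code for Accounting-Request (RFC 2866)
ATTR_FRAMED_IP_ADDRESS = 8      # attribute carrying the user's private network IP
ATTR_ACCT_STATUS_TYPE = 40      # 1 = Start (user online), 2 = Stop (user offline)
ACCT_STATUS_START, ACCT_STATUS_STOP = 1, 2


def parse_attributes(data):
    """Split the RADIUS attribute area into (type, value) pairs; reject bad lengths."""
    attrs, off = [], 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated attribute header")
        typ, length = data[off], data[off + 1]
        if length < 2 or off + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((typ, data[off + 2:off + length]))
        off += length
    return attrs


def accounting_authenticator_ok(packet, secret):
    """RFC 2866 s.3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret).
    Without this check anyone able to inject packets on the monitored link could forge a
    Stop record and have the egress gateway block a live user's private address."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length > len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def offline_private_ip(packet, secret):
    """Return the dotted Framed-IP-Address of an authentic Accounting Stop, else None."""
    if not accounting_authenticator_ok(packet, secret):
        return None
    length = struct.unpack("!H", packet[2:4])[0]
    try:
        attrs = dict(parse_attributes(packet[20:length]))
    except ValueError:
        return None
    status, ip = attrs.get(ATTR_ACCT_STATUS_TYPE), attrs.get(ATTR_FRAMED_IP_ADDRESS)
    if status is None or len(status) != 4 or ip is None or len(ip) != 4:
        return None
    if struct.unpack("!I", status)[0] != ACCT_STATUS_STOP:
        return None
    return ".".join(str(b) for b in ip)


def collect_offline_ips(packets, secret):
    """Aggregate the private IPs of all authentic Stop records in a batch of sniffed packets."""
    return {ip for ip in (offline_private_ip(p, secret) for p in packets) if ip}


def build_notification(private_ips, key, timestamp):
    """Assumed notification format: compact JSON body plus HMAC-SHA256 tag over the body."""
    body = json.dumps({"ips": sorted(private_ips), "ts": timestamp}, separators=(",", ":")).encode()
    return {"body": body, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_notification(note, key):
    """Gateway-side check before any IP from the notification is installed; None on failure."""
    expected = hmac.new(key, note["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, note["sig"]):
        return None
    return json.loads(note["body"])["ips"]


def build_accounting_request(ident, status, ip, secret):
    """Constructed test input: an Accounting-Request as the access control system would emit."""
    attrs = struct.pack("!BBI", ATTR_ACCT_STATUS_TYPE, 6, status)
    attrs += struct.pack("!BB", ATTR_FRAMED_IP_ADDRESS, 6) + bytes(int(o) for o in ip.split("."))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


if __name__ == "__main__":
    RADIUS_SECRET = b"radius-shared-secret"   # assumed access-control / RADIUS shared secret
    LINK_KEY = b"platform-gateway-key"        # assumed platform / gateway signing key
    sniffed = [                               # constructed sample traffic
        build_accounting_request(1, ACCT_STATUS_START, "10.0.0.5", RADIUS_SECRET),
        build_accounting_request(2, ACCT_STATUS_STOP, "10.0.0.5", RADIUS_SECRET),
        build_accounting_request(3, ACCT_STATUS_STOP, "10.0.0.9", b"wrong-secret"),  # forged
    ]
    note = build_notification(collect_offline_ips(sniffed, RADIUS_SECRET), LINK_KEY, 1700000000)
    print(verify_notification(note, LINK_KEY))  # ['10.0.0.5']; the forged Stop is ignored
```

The Start record and the forged Stop record both drop out, so only 10.0.0.5 reaches the notification; a tampered body or a wrong link key makes `verify_notification` return None, which is the gateway's cue to install nothing.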
According to the forwarding control method for traffic data, an authentication message of the user is acquired from the traffic data; the private network IP address of the user is extracted from the authentication message; a notification message is generated based on the private network IP address; and the notification message is sent to the egress gateway so that the egress gateway controls forwarding of the traffic data. In this way the traffic corresponding to a user who has gone offline is automatically blocked, redundant traffic sent from the external network to the internal network is effectively blocked, and traffic is prevented from being billed to the wrong user.
It should be clearly understood that this disclosure describes how to make and use particular examples, but the principles of this disclosure are not limited to any details of these examples. Rather, these principles can be applied to many other embodiments based on the teachings of the present disclosure.
Fig. 7 is a flowchart illustrating a forwarding control method for traffic data according to another exemplary embodiment. The forwarding control method 70 is applicable to an egress gateway and includes at least steps S702 to S708.
The egress gateway receives the message sent by the monitoring platform, verifies its validity (signature) and decrypts it. It then parses the IP addresses in the message and generates a corresponding IP node for each address.
On receiving a packet of normal traffic, the gateway first looks up the session; if a NAT mapping exists, it first performs the NAT reverse translation (restoring the private network address) and other services, and then parses the source IP and destination IP of the packet. The source IP and the destination IP are each matched against the IP blocking node table; if either IP matches, the packet is discarded directly; if neither matches, the packet is forwarded normally. The specific steps are as follows:
as shown in fig. 7, in S702, a notification message from the authenticated billing listening platform is acquired.
In S704, the notification message is parsed to extract a private network IP address.
In S706, a preset blocking node table is updated based on the private network IP address. A hash is computed over the private network IP address to generate a node value; the node value is matched against the node values of the nodes in the blocking node table; and when a match is found, the private network IP address is linked behind that node in the blocking node table.
Wherein linking the private network IP address to a node in the blocking node table comprises: extracting the generation time of the private network IP address; generating a child node based on the generation time and the private network IP address; and linking the child node behind the node in the blocking node table.
In one embodiment, the blocking node table may be further generated based on a plurality of private network IP addresses and their corresponding node values and node times, where each private network IP address and its corresponding node value and node time is one node in the blocking node table. And aging the nodes in the blocking node table at regular time according to a preset period.
An IP blocking node may include a user IP address, a hash value, a next-node pointer, a node generation time, and the like. The hash value is computed from the IP address sent by the authentication monitoring platform device; when a hash conflict occurs, the conflicting node is hung behind the existing node and the next-node pointer is assigned; the node generation time records the creation time of the node for subsequent aging. At the same time, a global variable records the survival time of a node and is used to decide when a node is aged out. The layout of the IP blocking node table is shown in a figure of the original filing.
After receiving the aggregated message, the egress gateway may perform validity verification and decryption on it. It parses the IP addresses in the message and computes a hash value from each IP address; it generates an IP blocking node from the hash value, the node generation time and other information, and hangs the node in the corresponding hash bucket; if the bucket already holds a node, the new node is hung directly behind the existing one.
While generating the nodes, the gateway also places them on a time queue in ascending order of generation time. A timer periodically traverses the time queue, and if the current time minus a node's generation time exceeds the node survival time, the node is aged out and removed directly.
In S708, the traffic data is matched with the blocking node table to control forwarding of the traffic data. For example, a source IP address and a destination IP address of a packet in the traffic data are obtained; matching the source IP address and the destination IP address with nodes in the blocking node table respectively; and when the matching is successful, discarding the message.
When the egress gateway receives a packet of normal service traffic and has performed operations such as NAT restoration, it parses the source IP and destination IP of the packet. It first matches the source IP against the IP blocking nodes and drops the packet directly if the match succeeds; otherwise it matches the destination IP against the IP blocking nodes, again discarding the packet if the destination IP matches a node, and forwarding the packet normally only when neither IP matches.
More specifically, when matching against the IP blocking nodes, a hash value is computed from the IP address and the nodes in the corresponding hash bucket are retrieved for comparison; if a node matches, the packet is dropped directly; if it does not, the next node in the chain is compared, and so on until a match succeeds or all nodes in the bucket have been checked.
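The blocking node table of S706 (hash bucket with a collision chain, plus a time queue for aging) and the source-then-destination match of S708, as an added example written for this page rather than the patent's own implementation. The bucket count, the FNV-1a hash and the field names are assumptions, since the filing specifies only "hash calculation" and the listed node fields.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define BUCKETS 256  /* assumed bucket count; the patent does not fix one */

/* One IP blocking node: the fields the patent lists (user IP, hash value,
 * next node, generation time) plus a link for the aging time queue. */
typedef struct block_node {
    uint32_t ip;              /* private network IPv4 address, host byte order */
    uint32_t hash;            /* node value computed from the IP */
    time_t gen_time;          /* node generation time, used for aging */
    struct block_node *next;  /* next node in the same hash bucket (collision chain) */
    struct block_node *tnext; /* next node in the time queue (ascending gen_time) */
} block_node;

typedef struct {
    block_node *bucket[BUCKETS]; /* hash buckets ("hash grid" in the translation) */
    block_node *thead, *ttail;   /* time queue, appended in generation order */
    time_t ttl;                  /* global survival time of a node, in seconds */
} block_table;

/* The patent only says "hash calculation"; this assumed hash is 32-bit FNV-1a
 * over the four address bytes. Any reasonable hash works the same way. */
static uint32_t ip_hash(uint32_t ip) {
    uint32_t h = 2166136261u;
    for (int i = 0; i < 4; i++) {
        h ^= (ip >> (8 * i)) & 0xffu;
        h *= 16777619u;
    }
    return h;
}

static void table_init(block_table *t, time_t ttl) {
    memset(t, 0, sizeof *t);
    t->ttl = ttl;
}

/* S706: hash the private network IP into a node value, hang the node behind
 * any node already in that bucket, and append it to the time queue. Appending
 * keeps the queue ascending as long as notifications arrive in generation order. */
static void table_add(block_table *t, uint32_t ip, time_t gen_time) {
    block_node *n = calloc(1, sizeof *n);
    if (!n) return;
    n->ip = ip;
    n->hash = ip_hash(ip);
    n->gen_time = gen_time;
    block_node **slot = &t->bucket[n->hash % BUCKETS];
    while (*slot) slot = &(*slot)->next;   /* hash conflict: chain behind existing node */
    *slot = n;
    if (t->ttail) t->ttail->tnext = n; else t->thead = n;
    t->ttail = n;
}

/* Walk the bucket chain until the IP matches or the chain is exhausted. */
static int table_has(const block_table *t, uint32_t ip) {
    uint32_t h = ip_hash(ip);
    for (const block_node *n = t->bucket[h % BUCKETS]; n; n = n->next)
        if (n->hash == h && n->ip == ip) return 1;
    return 0;
}

static void bucket_unlink(block_table *t, const block_node *victim) {
    block_node **slot = &t->bucket[victim->hash % BUCKETS];
    while (*slot && *slot != victim) slot = &(*slot)->next;
    if (*slot) *slot = victim->next;
}

/* Timer callback: remove every node whose age exceeds the survival time so the
 * IP forwards normally once it is reassigned. The queue is ascending, so the
 * scan stops at the first live node. Returns the number of nodes aged out. */
static int table_age(block_table *t, time_t now) {
    int removed = 0;
    while (t->thead && now - t->thead->gen_time > t->ttl) {
        block_node *n = t->thead;
        t->thead = n->tnext;
        if (!t->thead) t->ttail = NULL;
        bucket_unlink(t, n);
        free(n);
        removed++;
    }
    return removed;
}

/* S708: after session lookup and NAT restoration, match the source IP first
 * and then the destination IP. Returns 1 to drop the packet, 0 to forward it. */
static int should_drop(const block_table *t, uint32_t src_ip, uint32_t dst_ip) {
    return table_has(t, src_ip) || table_has(t, dst_ip);
}
```

The survival time passed to table_init plays the role of the global variable the text describes; the caller's timer invokes table_age with the current time.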
According to the flow data forwarding control method, the online and offline actions of the intranet user are monitored through the authentication charging monitoring platform device, the corresponding flow of the offline user is blocked through the linkage of the monitoring device and the exit gateway, the flow sent to the intranet by the external network can be effectively blocked, and the problem of flow error charging after the intranet IP is redistributed is solved.
In this scheme, an authentication monitoring platform device is added to the original networking environment; it monitors the going online and offline of the IP address corresponding to each user, and for a user that has gone offline it issues a blocking policy for that private network IP to the egress gateway. If the egress gateway performs NAT, then after NAT restoration of traffic entering the internal network from the external network, the matching IP blocking policy blocks the traffic and ages the session according to the private network IP. If the gateway only performs Layer-3 forwarding, the traffic of the offline user's IP is blocked directly and the session is aged.
After the blocking time corresponding to the IP address expires, the corresponding blocking policy is deleted so that traffic is forwarded normally after the IP is reassigned.
It is worth mentioning that in this scheme the online and offline authentication messages of the user are monitored by an independent device. An alternative scheme could have the egress gateway directly monitor the user's online and offline authentication messages and block the traffic itself; in that scheme the egress firewall would need to parse the authentication messages, which places a high load on the egress firewall.
Those skilled in the art will appreciate that all or part of the steps implementing the above embodiments are implemented as computer programs executed by a CPU. When executed by the CPU, the program performs the functions defined by the above-described methods provided by the present disclosure. The program may be stored in a computer readable storage medium, which may be a read-only memory, a magnetic or optical disk, or the like.
Furthermore, it should be noted that the above-mentioned figures are only schematic illustrations of the processes involved in the methods according to exemplary embodiments of the present disclosure, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
The following are embodiments of the disclosed apparatus that may be used to perform embodiments of the disclosed methods. For details not disclosed in the embodiments of the apparatus of the present disclosure, refer to the embodiments of the method of the present disclosure.
Fig. 8 is a block diagram illustrating a forwarding control apparatus for traffic data according to an example embodiment. As shown in fig. 8, the forwarding control device 80 for traffic data may be used in an authentication charging monitoring platform, and includes: a message module 802, an address module 804, a notification module 806, and a sending module 808.
The message module 802 is configured to obtain an authentication message of a user based on traffic data;
the address module 804 is configured to extract a private network IP address of the user based on the authentication packet;
the notification module 806 is configured to generate a notification message based on the private network IP address;
the sending module 808 is configured to send the notification message to an egress gateway so that the egress gateway controls the forwarding of the traffic data.
Fig. 9 is a block diagram illustrating a forwarding control apparatus for traffic data according to another exemplary embodiment. As shown in fig. 9, the forwarding control device 90 for traffic data may be used for an egress gateway, and includes: a message module 902, a parsing module 904, an updating module 906, and a control module 908.
The message module 902 is configured to obtain a notification message from the authentication charging monitoring platform;
the parsing module 904 is configured to parse the notification message to extract a private network IP address;
the updating module 906 is configured to update a preset blocking node table based on the private network IP address;
the control module 908 is configured to match traffic data with the blocking node table to control forwarding of the traffic data.
According to the forwarding control device of the flow data, the authentication message of the user is obtained based on the flow data; extracting the private network IP address of the user based on the authentication message; generating a notification message based on the private network IP address; the notification message is sent to the exit gateway so that the exit gateway can control the flow data forwarding mode, the corresponding flow of the offline user can be automatically blocked, the redundant flow sent to the internal network by the external network can be effectively blocked, and the problem of flow error charging can be prevented.
FIG. 10 is a block diagram illustrating an electronic device in accordance with an example embodiment.
An electronic device 1000 according to this embodiment of the disclosure is described below with reference to fig. 10. The electronic device 1000 shown in fig. 10 is only an example and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 10, the electronic device 1000 is embodied in the form of a general purpose computing device. The components of the electronic device 1000 may include, but are not limited to: at least one processing unit 1010, at least one memory unit 1020, a bus 1030 that couples various system components including the memory unit 1020 and the processing unit 1010, a display unit 1040, and the like.
Wherein the storage unit stores program code executable by the processing unit 1010 to cause the processing unit 1010 to perform steps according to various exemplary embodiments of the present disclosure described in this specification. For example, the processing unit 1010 may perform the steps shown in fig. 6 and 7.
The memory unit 1020 may include readable media in the form of volatile memory units, such as a random access memory unit (RAM)10201 and/or a cache memory unit 10202, and may further include a read only memory unit (ROM) 10203.
The memory unit 1020 may also include a program/utility 10204 having a set (at least one) of program modules 10205, such program modules 10205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Bus 1030 may be any one or more of several types of bus structures including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, and a local bus using any of a variety of bus architectures.
The electronic device 1000 may also communicate with one or more external devices 1000' (e.g., keyboard, pointing device, bluetooth device, etc.) such that a user can communicate with devices with which the electronic device 1000 interacts, and/or any devices (e.g., router, modem, etc.) with which the electronic device 1000 can communicate with one or more other computing devices. Such communication may occur through input/output (I/O) interfaces 1050. Also, the electronic device 1000 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the internet) via the network adapter 1060. A network adapter 1060 may communicate with other modules of the electronic device 1000 via the bus 1030. It should be appreciated that although not shown, other hardware and/or software modules may be used in conjunction with the electronic device 1000, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, as shown in fig. 11, the technical solution according to the embodiment of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, or a network device, etc.) to execute the above method according to the embodiment of the present disclosure.
The software product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable storage medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable storage medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a readable storage medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C + + or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The computer readable medium carries one or more programs which, when executed by a device, cause the computer readable medium to perform the functions of: acquiring an authentication message of a user based on the flow data; extracting the private network IP address of the user based on the authentication message; generating a notification message based on the private network IP address; sending the notification message to an egress gateway to cause the egress gateway to control the traffic data forwarding. The computer readable medium may also implement the following functions: acquiring a notification message from an authentication charging monitoring platform; analyzing the notification message to extract a private network IP address; updating a preset blocking node table based on the private network IP address; and matching the flow data with the blocking node table to control the forwarding of the flow data.
Those skilled in the art will appreciate that the modules described above may be distributed in the apparatus according to the description of the embodiments, or may be modified accordingly into one or more apparatuses different from those of the embodiments. The modules of the above embodiments may be combined into one module, or further split into multiple sub-modules.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a mobile terminal, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
Exemplary embodiments of the present disclosure are specifically illustrated and described above. It is to be understood that the present disclosure is not limited to the precise arrangements, instrumentalities, or instrumentalities described herein; on the contrary, the disclosure is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (13)

1. A control method for forwarding flow data, used in an authentication charging monitoring platform, characterized by comprising the following steps:
acquiring an authentication message of a user based on the flow data;
extracting the private network IP address of the user based on the authentication message;
generating a notification message based on the private network IP address;
sending the notification message to an egress gateway to cause the egress gateway to control the traffic data forwarding.
2. The method of claim 1, wherein obtaining the authentication message for the user based on the traffic data comprises:
monitoring flow data between an access control system and an authentication charging server;
analyzing the flow data to extract an authentication message;
and extracting the online and offline messages in the authentication message.
3. The method of claim 2, wherein generating a notification message based on the private network IP address further comprises:
the notification message is encrypted and signed.
4. The method of claim 1, wherein sending the notification message to an egress gateway to cause the egress gateway to control the traffic data forwarding comprises:
and at a preset time, sending the aggregated plurality of notification messages to an egress gateway so that the egress gateway controls the forwarding of the flow data.
5. A method for controlling forwarding of traffic data, which can be used for an egress gateway, is characterized by comprising:
acquiring a notification message from an authentication charging monitoring platform;
analyzing the notification message to extract a private network IP address;
updating a preset blocking node table based on the private network IP address;
and matching the flow data with the blocking node table to control the forwarding of the flow data.
6. The method of claim 5, further comprising:
and generating the blocking node table based on a plurality of private network IP addresses and node values and node time corresponding to the private network IP addresses, wherein each private network IP address and node value and node time corresponding to the private network IP address are used as one node in the blocking node table.
7. The method of claim 6, further comprising:
and aging the nodes in the blocking node table at regular time according to a preset period.
8. The method of claim 5, wherein updating a blocking node table based on the private network IP address comprises:
carrying out Hash calculation on the private network IP address to generate a node value;
matching the node value with node values of a plurality of nodes in the blocking node table;
and when the matching is consistent, linking the private network IP address behind the node in the blocking node table.
9. The method of claim 8, wherein linking the private network IP address behind a node in the blocking node table comprises:
extracting the generation time of the private network IP address;
generating a child node based on the generation time and the private network IP address;
and linking the child node behind the node in the blocking node table.
10. The method of claim 5, wherein matching traffic data with the blocking node table to control the traffic data forwarding comprises:
acquiring a source IP address and a destination IP address of a message in the flow data;
matching the source IP address and the destination IP address with nodes in the blocking node table respectively;
and when the matching is successful, discarding the message.
11. A forwarding control device for traffic data, usable in an authentication charging monitoring platform, characterized by comprising:
the message module is used for acquiring an authentication message of a user based on the flow data;
the address module is used for extracting the private network IP address of the user based on the authentication message;
the notification module is used for generating a notification message based on the private network IP address;
and the sending module is used for sending the notification message to an exit gateway so that the exit gateway controls the forwarding of the flow data.
12. An apparatus for controlling forwarding of traffic data, which is applicable to an egress gateway, comprising:
the message module is used for acquiring a notification message from the authentication charging monitoring platform;
the analysis module is used for analyzing the notification message to extract a private network IP address;
the updating module is used for updating a preset blocking node table based on the private network IP address;
and the control module is used for matching the flow data with the blocking node table so as to control the flow data forwarding.
13. A system for controlling forwarding of traffic data, comprising:
the authentication charging monitoring platform is used for acquiring an authentication message of a user based on the flow data; extracting the private network IP address of the user based on the authentication message; generating a notification message based on the private network IP address; sending the notification message to an egress gateway;
the exit gateway is used for acquiring the notification message from the authentication charging monitoring platform; analyzing the notification message to extract a private network IP address; updating a preset blocking node table based on the private network IP address; and matching the flow data with the blocking node table to control the forwarding of the flow data.
CN202110585062.3A 2021-05-27 2021-05-27 Method, device and system for controlling forwarding of flow data Pending CN113329009A (en)

Priority application: CN202110585062.3A, priority date 2021-05-27, filing date 2021-05-27.

Publication: CN113329009A (en), published 2021-08-31. Family ID 77421724. Country status: CN, CN113329009A (en).
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210831