CN100589446C - Package transmitting method and system based on safety service - Google Patents


Publication number
CN100589446C
Authority
CN
China
Prior art keywords
fib
item
list item
table item
perception
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN200710119881A
Other languages
Chinese (zh)
Other versions
CN101110770A (en
Inventor
李明玉
王飓
邹旭东
常向青
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou H3C Technologies Co Ltd filed Critical Hangzhou H3C Technologies Co Ltd
Priority to CN200710119881A priority Critical patent/CN100589446C/en
Publication of CN101110770A publication Critical patent/CN101110770A/en
Priority to US12/529,907 priority patent/US8316432B2/en
Priority to PCT/CN2008/071676 priority patent/WO2009015578A1/en
Application granted granted Critical
Publication of CN100589446C publication Critical patent/CN100589446C/en

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention discloses a method and a system for packet forwarding based on the security service. A first association relation between an FIB table and an ARP table is established; the first packet of the service flow is received, the corresponding security service information and the FIB table of the first packet are obtained, and a second association relation between the attribute information of the service flow packet carried by the first packet and the security service information and the FIB table is established; the follow-up packet of the service flow is received, and according to the attribute information of the follow-up packet and the second association relation and the first association relation, the security service information and the ARP table information are searched, the follow-up packet is processed with the security service according to the security service information, and the follow-up packet is forwarded according to the ARP table information. The present invention does not need to search the security service table and the ARP table for each packet, thus greatly improving the packet forwarding efficiency based on the security service.

Description

Packet forwarding method and system based on security service
Technical field
The present invention relates to the technical field of security services, and in particular to a packet forwarding method and system based on security services.
Background
With the spread and development of networks, network devices are required not only to forward quickly but also to provide security services. This market demand has driven the development of security devices, which are required to still provide reasonable forwarding performance while applying security services, such as security inspection and filtering, to network data.
For a security device to meet this requirement, it depends on improved hardware performance and also on how the software organizes the relevant entries and optimizes the related processing flow. How to organize the main entries and use them to improve processing performance has become a problem that security products face.
Fig. 1 is a flowchart of existing packet forwarding based on security services. As shown in Fig. 1, the specific steps are as follows:
Step 101: Security service entries are configured on the security device.
Each security service entry comprises: a correspondence between one item, or any combination of items, of the five-tuple information and security service information; or a correspondence between forwarding information and security service information; or a correspondence among one item or any combination of items of the five-tuple information, forwarding information, and security service information.
The five-tuple information is: source IP address information, source port information, protocol number, destination IP address information, and destination port information.
The forwarding information is: the Layer 3 outgoing interface information in a forwarding information base (FIB) entry, the outgoing port information in an Address Resolution Protocol (ARP) entry, and so on.
The security service information indicates which security service processing should be performed, for example filtering.
Step 102: The security device receives a packet and looks up, in software, the security service entry corresponding to the packet's five-tuple.
Step 103: The security device performs the corresponding security service processing according to the security service information in the security service entry found and, when finished, goes to step 104.
The security service processing in this step is the security service processing at the ingress.
Step 104: The security device looks up, in software, the FIB entry corresponding to the packet's destination IP address.
Step 105: The security device looks up, in software, the ARP entry that best matches the FIB entry.
Step 106: The security device looks up, in software, the security service entry corresponding to the Layer 3 outgoing interface information in the FIB entry.
Step 107: The security device performs the corresponding security service processing according to the security service information in the security service entry found and, when finished, goes to step 108.
The security service processing in this step is the security service processing at the egress.
Step 108: The security device encapsulates the Layer 2 link-layer header from the ARP entry found onto the packet's Layer 2 header and forwards the packet.
The above process shows that, after receiving a packet, the security device first looks up a security service entry according to the packet's five-tuple information and performs the corresponding security service processing, then looks up the FIB entry and the ARP entry, then looks up a security service entry again according to the FIB entry and ARP entry found and performs the corresponding security service processing, and only then forwards the packet according to the ARP entry. The processing flow is clearly long, which greatly reduces packet forwarding efficiency.
Summary of the invention
The invention provides a packet forwarding method and system based on security services, to improve the efficiency of packet forwarding based on security services.
The technical solution of the present invention is realized as follows:
A packet forwarding method based on security services comprises:
Establishing a first association relation between FIB entries and ARP entries;
Receiving the first packet of a service flow, obtaining the security service information and the FIB entry corresponding to the first packet, and establishing a second association relation among the attribute information of the service flow packet carried by the first packet, the security service information, and the FIB entry;
Receiving a subsequent packet of the service flow, finding the security service information and the ARP entry information according to the attribute information of the subsequent packet, the second association relation and the first association relation, performing security service processing on the subsequent packet according to the security service information, and forwarding the subsequent packet according to the ARP entry information.
The first association relation and the second association relation are stored in a software unit.
Establishing the first association relation comprises: adding, to each FIB entry, the index of the ARP entry in the software unit that best matches that FIB entry;
Establishing the second association relation comprises: establishing, in the software unit, an association among the attribute information of the service flow packet, the security service information, and the index of the FIB entry found.
When a subsequent packet is received, the lookup comprises: searching all second association relations for the one corresponding to the attribute information of the service flow packet carried by the subsequent packet, obtaining the security service information from that second association relation, looking up the FIB entry pointed to by the FIB entry index in that second association relation, and finding the ARP entry according to the ARP entry index in that FIB entry.
Before the index of the ARP entry is added to each FIB entry, the method further comprises: setting a FIB sequence number for each FIB entry,
and establishing the second association relation further comprises: adding the FIB sequence number of the FIB entry to the second association relation; and, when a FIB entry is updated, its FIB sequence number is updated at the same time.
When a subsequent packet is received, looking up the FIB entry further comprises: determining whether the FIB sequence number in the FIB entry found is consistent with the FIB sequence number in the second association relation found; if so, finding the ARP entry according to the ARP entry index in that FIB entry; otherwise, looking up again in the software unit the FIB entry corresponding to the subsequent packet, updating the FIB sequence number and the FIB entry index in the second association relation found with the FIB sequence number in the FIB entry found and the index of that FIB entry, and then looking up in the software unit the ARP entry that best matches the FIB entry.
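An added sketch (not code from the patent or from any product) of the software-unit variant just described: each FIB entry stores the index of its ARP entry plus a sequence number, and each session entry stores the five-tuple, the security service, the FIB index and the sequence number it was bound to. The table sizes, service codes, global sequence counter, slot-0 eviction and all function names are assumptions; the addresses are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
enum { MAX_FIB = 8, MAX_SESSION = 16, SERVICE_NONE = 0, SERVICE_FILTER = 1 };

struct arp_entry { uint32_t ip; int out_port; };
/* FIB entry holding the first association (arp_index) and a sequence number. */
struct fib_entry { uint32_t prefix, mask; int arp_index; uint32_t seq; int used; };
struct five_tuple { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; uint8_t proto; };
/* Session entry = second association: five-tuple -> service, FIB index, FIB seq. */
struct session_entry { struct five_tuple key; int service, fib_index; uint32_t fib_seq; int used; };

/* Constructed ARP table: next hops 10.0.0.1 (index 0) and 10.0.0.2 (index 1). */
static const struct arp_entry arp_tbl[] = { { 0x0A000001, 1 }, { 0x0A000002, 2 } };
static struct fib_entry fib_tbl[MAX_FIB];
static struct session_entry sess_tbl[MAX_SESSION];
static uint32_t next_seq = 1;                  /* assumption: one global counter */
int slow_lookups, fast_hits, stale_refreshes;  /* counters for the demonstration */

static int arp_find(uint32_t ip)
{
    for (int i = 0; i < (int)(sizeof arp_tbl / sizeof arp_tbl[0]); i++)
        if (arp_tbl[i].ip == ip) return i;
    return -1;
}

/* Install or overwrite a FIB slot: resolve the ARP index now, assign a new seq. */
int fib_set(int slot, uint32_t prefix, uint32_t mask, uint32_t next_hop)
{
    if (slot < 0 || slot >= MAX_FIB) return -1;
    fib_tbl[slot] = (struct fib_entry){ prefix, mask, arp_find(next_hop), next_seq++, 1 };
    return fib_tbl[slot].arp_index;
}

/* Longest-prefix match over the FIB; returns the slot index or -1. */
static int fib_lookup(uint32_t dst)
{
    int best = -1;
    for (int i = 0; i < MAX_FIB; i++)
        if (fib_tbl[i].used && (dst & fib_tbl[i].mask) == fib_tbl[i].prefix &&
            (best < 0 || fib_tbl[i].mask > fib_tbl[best].mask))
            best = i;
    return best;
}

/* Stand-in for the security service table search (hypothetical policy). */
static int security_service_lookup(const struct five_tuple *p)
{
    slow_lookups++;
    return p->proto == 6 ? SERVICE_FILTER : SERVICE_NONE;
}

static int tuple_eq(const struct five_tuple *a, const struct five_tuple *b)
{
    return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip && a->proto == b->proto &&
           a->src_port == b->src_port && a->dst_port == b->dst_port;
}

/* (Re)bind a session to the FIB entry that currently matches its destination. */
static int session_bind(struct session_entry *s)
{
    int fi = fib_lookup(s->key.dst_ip);
    if (fi < 0) { s->used = 0; return -1; }     /* no route: drop the cached state */
    s->fib_index = fi; s->fib_seq = fib_tbl[fi].seq;
    return fib_tbl[fi].arp_index;
}

/* Returns the ARP entry index to forward with (-1 if no route); sets *service. */
int forward_packet(const struct five_tuple *pkt, int *service)
{
    struct session_entry *s = NULL, *free_slot = NULL;
    for (int i = 0; i < MAX_SESSION && !s; i++) {
        if (sess_tbl[i].used && tuple_eq(&sess_tbl[i].key, pkt)) s = &sess_tbl[i];
        else if (!sess_tbl[i].used && !free_slot) free_slot = &sess_tbl[i];
    }
    if (s) {                                        /* subsequent packet */
        *service = s->service;
        if (fib_tbl[s->fib_index].seq == s->fib_seq) {
            fast_hits++;                            /* no table searches at all */
            return fib_tbl[s->fib_index].arp_index;
        }
        stale_refreshes++;                          /* FIB entry changed since binding */
        return session_bind(s);
    }
    *service = security_service_lookup(pkt);        /* first packet: full lookups */
    if (!free_slot) free_slot = &sess_tbl[0];       /* table full: evict slot 0 */
    *free_slot = (struct session_entry){ .key = *pkt, .service = *service, .used = 1 };
    return session_bind(free_slot);
}

int main(void)
{
    struct five_tuple pkt = { 0xAC100005, 0xC0A80109, 40000, 443, 6 };  /* constructed flow */
    int svc;
    fib_set(0, 0xC0A80100, 0xFFFFFF00, 0x0A000001);   /* 192.168.1.0/24 via 10.0.0.1 */
    for (int i = 0; i < 2; i++) printf("ARP index %d\n", forward_packet(&pkt, &svc));
    fib_set(1, 0xC0A80100, 0xFFFFFF00, 0x0A000002);   /* route re-learned in slot 1 */
    fib_set(0, 0x0A090000, 0xFFFF0000, 0x0A000001);   /* slot 0 reused for 10.9.0.0/16 */
    printf("ARP index %d\n", forward_packet(&pkt, &svc));
    printf("slow=%d fast=%d stale=%d\n", slow_lookups, fast_hits, stale_refreshes);
    return 0;
}
```

In this sketch the sequence check only notices changes to the FIB slot a session already points at; a more specific route installed in a different slot would need its own invalidation step.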
Establishing the first association relation comprises: looking up in the software unit the ARP entry that best matches each FIB entry, establishing in the software unit a FIB perception entry containing the index of the ARP entry found, and adding the index of this FIB perception entry to the FIB entry;
Establishing the second association relation is: establishing, in the software unit, an association among the attribute information of the service flow packet, the security service information, and the FIB perception entry index of the FIB entry found.
When a subsequent packet is received, the lookup comprises:
Searching all second association relations for the one corresponding to the service flow packet attribute information carried by the subsequent packet, obtaining the security service information from that second association relation, looking up the FIB perception entry pointed to by the FIB perception entry index in that second association relation, and finding the ARP entry according to the ARP entry index in that FIB perception entry.
Before looking up in the software unit the ARP entry that best matches each FIB entry, the method further comprises: setting a FIB sequence number for each FIB entry,
and establishing the FIB perception entry further comprises: adding the FIB sequence number of the FIB entry to the FIB perception entry,
and establishing the second association relation further comprises: adding the FIB sequence number of the FIB entry to the second association relation,
and, when a FIB entry is updated, its FIB sequence number is updated at the same time, and the FIB sequence number in the FIB perception entry corresponding to that FIB entry is updated.
When a subsequent packet is received, looking up the FIB perception entry further comprises: determining whether the FIB sequence number in the FIB perception entry found is consistent with the FIB sequence number in the second association relation found; if so, finding the ARP entry according to the ARP entry index in that FIB perception entry; otherwise, looking up again in the software unit the FIB entry corresponding to the subsequent packet, updating the FIB perception entry index and the FIB sequence number in the second association relation found with the FIB perception entry index and the FIB sequence number in the FIB entry found, and then looking up the ARP entry that best matches the FIB entry.
The first association relation and the second association relation are stored in a hardware unit.
Before the first association relation is established, the method further comprises: learning ARP entries and FIB entries in the software unit;
Establishing the first association relation comprises: establishing, in the hardware unit, an ARP perception entry whose content is identical to each ARP entry in the software unit, and adding the index of this ARP perception entry to the ARP entry; looking up the ARP entry that best matches each FIB entry, establishing in the hardware unit a FIB perception entry containing the ARP perception entry index from the ARP entry found, and adding the index of this FIB perception entry to the FIB entry;
Establishing the second association relation is: establishing, in the software unit, an association among the attribute information of the service flow packet, the security service information, and the FIB perception entry index in the FIB entry found, and saving this association to the hardware unit.
When a subsequent packet is received, the lookup comprises:
Searching all second association relations in the hardware unit for the one corresponding to the service flow packet attribute information carried by the subsequent packet, obtaining the security service information from that second association relation, looking up the FIB perception entry pointed to by the FIB perception entry index in that second association relation, and finding the ARP perception entry according to the ARP perception entry index in that FIB perception entry, this ARP perception entry being the ARP entry information found.
Learning the FIB entry further comprises: setting a FIB sequence number for the FIB entry,
and establishing the FIB perception entry further comprises: adding the FIB sequence number of the FIB entry to the FIB perception entry,
and establishing the second association relation further comprises: adding the FIB sequence number of the FIB entry to the second association relation,
and, when a FIB entry is updated, its FIB sequence number is updated at the same time, and the FIB sequence number in the FIB perception entry corresponding to that FIB entry is updated.
When a subsequent packet is received, looking up the FIB perception entry further comprises: determining whether the FIB sequence number in the FIB perception entry found is consistent with the FIB sequence number in the second association relation found; if so, finding the ARP perception entry according to the ARP perception entry index in that FIB perception entry; otherwise, looking up again in the software unit the FIB entry corresponding to the subsequent packet, updating the FIB perception entry index and the FIB sequence number in the second association relation with the FIB perception entry index and the FIB sequence number in the FIB entry found, and then looking up the ARP entry that best matches the FIB entry.
The attribute information of the service flow packet is the five-tuple information.
A packet forwarding system based on security services comprises:
A service forwarding association module, which establishes a first association relation between FIB entries and ARP entries; receives the first packet of a service flow, obtains the security service information and the FIB entry corresponding to the first packet, and establishes a second association relation among the attribute information of the service flow packet, the security service information and the FIB entry; receives a subsequent packet of the service flow and finds the security service information and the ARP entry information according to the attribute information of the service flow packet carried by the subsequent packet, the second association relation and the first association relation; and sends the security service information found to the security service processing module and the ARP entry information found to the forwarding module;
A security service processing module, which performs security service processing on the received service flow packet according to the received security service information and, when finished, sends the service flow packet to the forwarding module;
A forwarding module, which forwards the received service flow packet according to the received ARP entry information.
The service forwarding association module comprises:
A FIB entry learning and storage module, which learns FIB entries and adds to each FIB entry the index of the ARP entry that best matches it;
A Session entry storage module, which stores each Session entry;
A Session entry lookup module, which receives a service flow packet and searches the Session entry storage module for the Session entry corresponding to the attribute information of the service flow packet; if one is found, it sends the security service information in the Session entry to the security service processing module, looks up in the FIB entry learning and storage module the FIB entry corresponding to the FIB entry index in the Session entry, and sends the ARP entry index in the FIB entry found to the forwarding module; if none is found, it sends the packet to the Session entry establishment and update module;
A Session entry establishment and update module, which receives a service flow packet, sends the security service information corresponding to the service flow packet to the security service processing module, and establishes in the Session entry storage module a Session entry containing the attribute information of the service flow packet and the security service information; it looks up in the FIB entry learning and storage module the FIB entry corresponding to the service flow packet, sends the ARP entry that best matches this FIB entry to the forwarding module, and adds the index of the FIB entry found to the Session entry established.
The system further comprises: a FIB entry update module, which, when a FIB entry in the FIB entry learning and storage module is updated, updates the FIB sequence number set for that FIB entry;
and the FIB entry learning and storage module, when learning a FIB entry, sets a FIB sequence number for that FIB entry;
and the Session entry establishment and update module further adds the FIB sequence number of the FIB entry to the Session entry established.
After finding the FIB entry in the FIB entry learning and storage module, the Session entry lookup module further determines whether the FIB sequence number in the FIB entry found is consistent with the FIB sequence number in the Session entry; if consistent, it sends the security service information in the Session entry to the security service processing module and sends the ARP entry index in the FIB entry to the forwarding module; if inconsistent, it sends the service flow packet, together with the index of the Session entry found, to the Session entry establishment and update module,
The Session entry establishment and update module receives the service flow packet and the Session entry index, finds the security service information in the security service entry storage module, sends the security service information corresponding to the service flow packet to the security service processing module, replaces with this security service information the security service information in the Session entry in the Session entry storage module that corresponds to the Session entry index, looks up in the FIB entry learning and storage module the FIB entry corresponding to the service flow packet, replaces the FIB sequence number and the FIB entry index in the Session entry with the FIB sequence number in the FIB entry found and the index of that FIB entry, and sends the ARP entry that best matches the FIB entry to the forwarding module.
The FIB entry learning and storage module and the Session entry storage module are located in the software unit.
The service forwarding association module comprises:
A FIB entry learning and storage module, which learns FIB entries, looks up the ARP entry that best matches each FIB entry, establishes in the FIB perception entry storage module a FIB perception entry containing the index of the ARP entry found, and adds the index of this FIB perception entry to the FIB entry;
A FIB perception entry storage module, which stores each FIB perception entry containing an ARP entry index;
A Session entry storage module, which stores each Session entry;
A Session entry lookup module, which receives a service flow packet and searches the Session entry storage module for the Session entry corresponding to the attribute information of the service flow packet; if one is found, it sends the security service information in the Session entry to the security service processing module, looks up in the FIB perception entry storage module the FIB perception entry corresponding to the FIB perception entry index in the Session entry, and sends the ARP entry index in the FIB perception entry to the forwarding module; if none is found, it sends the service flow packet to the Session entry establishment and update module;
A Session entry establishment and update module, which receives a service flow packet, sends the security service information corresponding to the service flow packet to the security service processing module, and establishes in the Session entry storage module a Session entry containing the attribute information of the service flow packet and the security service information; it looks up in the FIB entry learning and storage module the FIB entry corresponding to the service flow packet, sends the ARP entry that best matches this FIB entry to the forwarding module, and adds the FIB perception entry index in the FIB entry found to the Session entry established.
The system further comprises: a FIB entry update module, which, when a FIB entry in the FIB entry learning and storage module is updated, updates the FIB sequence number set for that FIB entry, and at the same time finds the FIB perception entry in the FIB perception entry storage module according to the FIB perception entry index in that FIB entry and replaces the FIB sequence number in the FIB perception entry with the updated FIB sequence number;
and the FIB entry learning and storage module, after learning a FIB entry, sets a FIB sequence number for that FIB entry and adds this FIB sequence number to the FIB perception entry established;
and the Session entry establishment and update module further adds the FIB sequence number of the FIB entry to the Session entry established.
After finding the FIB perception entry in the FIB perception entry storage module, the Session entry lookup module further determines whether the FIB sequence number in the FIB perception entry found is consistent with the FIB sequence number in the Session entry; if consistent, it sends the security service information in the Session entry to the security service processing module, finds the ARP entry according to the ARP entry index in the FIB perception entry, and sends this ARP entry to the forwarding module; if inconsistent, it sends the service flow packet, together with the index of the Session entry found, to the Session entry establishment and update module,
The Session entry establishment and update module receives the service flow packet and the Session entry index, sends the security service information corresponding to the service flow packet to the security service processing module, replaces with this security service information the security service information in the Session entry in the Session entry storage module that corresponds to the Session entry index, looks up in the FIB entry learning and storage module the FIB entry corresponding to the service flow packet, replaces the FIB perception entry index and the FIB sequence number in the Session entry with the FIB perception entry index and the FIB sequence number in the FIB entry found, looks up the ARP entry that best matches the FIB entry, and sends this ARP entry to the forwarding module.
The FIB entry learning and storage module, the FIB perception entry storage module and the Session entry storage module are located in the software unit.
The service forwarding association module comprises:
A FIB entry learning and storage module, which learns FIB entries, looks up the ARP entry that best matches each FIB entry, establishes in the FIB perception entry storage module a FIB perception entry containing the index of the ARP perception entry corresponding to the ARP entry found, and adds the index of this FIB perception entry to the FIB entry;
A FIB perception entry storage module, which stores each FIB perception entry;
An ARP perception entry storage module, which stores each ARP perception entry, whose content is identical to that of an ARP entry;
A Session entry storage module, which stores each Session entry;
A Session entry lookup module, which receives a service flow packet and searches the Session entry storage module for the Session entry corresponding to the attribute information of the service flow packet; if one is found, it sends the security service information in the Session entry to the security service processing module, looks up in the FIB perception entry storage module the FIB perception entry corresponding to the FIB perception entry index in the Session entry, and sends the ARP perception entry index in the FIB perception entry to the forwarding module; if none is found, it sends the service flow packet to the Session entry establishment and update module;
A Session entry establishment and update module, which receives a service flow packet, sends the security service information corresponding to the service flow packet to the security service processing module, and establishes a Session entry containing the attribute information of the service flow packet and the security service information; it looks up in the FIB entry learning and storage module the FIB entry corresponding to the service flow packet, sends the ARP entry that best matches this FIB entry to the forwarding module, adds the FIB perception entry index in the FIB entry found to the Session entry established, and saves this Session entry to the Session entry storage module.
The system further comprises: a FIB entry update module, which, when a FIB entry in the FIB entry learning and storage module is updated, updates the FIB sequence number set for that FIB entry, and at the same time finds the FIB perception entry in the FIB perception entry storage module according to the FIB perception entry index in that FIB entry and replaces the FIB sequence number in the FIB perception entry with the updated FIB sequence number;
and the FIB entry learning and storage module, after learning a FIB entry, sets a FIB sequence number for that FIB entry and adds this FIB sequence number to the FIB perception entry established;
and the Session entry establishment and update module further adds the FIB sequence number of the FIB entry to the Session entry established.
After finding the FIB perception entry in the FIB perception entry storage module, the Session entry lookup module further determines whether the FIB sequence number in the FIB perception entry found is consistent with the FIB sequence number in the Session entry; if consistent, it sends the security service information in the Session entry to the security service processing module and sends the ARP perception entry index in the FIB perception entry to the forwarding module; if inconsistent, it sends the service flow packet, together with the index of the Session entry found, to the Session entry establishment and update module,
The Session entry establishment and update module receives the service flow packet and the Session entry index, sends the security service information corresponding to the service flow packet to the security service processing module, replaces with this security service information the security service information in the Session entry in the Session entry storage module that corresponds to the Session entry index, looks up in the FIB entry learning and storage module the FIB entry corresponding to the service flow packet, replaces the FIB perception entry index and the FIB sequence number in the Session entry with the FIB perception entry index and the FIB sequence number in the FIB entry found, and sends the ARP entry that best matches the FIB entry to the forwarding module.
The FIB perception entry storage module, the ARP perception entry storage module and the Session entry storage module are located in the hardware unit.
Compared with the prior art, the present invention establishes a first association relation between FIB entries and ARP entries, uses the prior-art procedure to look up the security service entry, FIB entry and ARP entry for the first packet of a service flow, and, according to the lookup results, establishes a second association relation among the packet's attribute information, the security service information and the FIB entry. Subsequent packets of the service flow can then be given security service processing and forwarding processing directly according to the first and second association relations, without a lookup of the security service entry, FIB entry and ARP entry for every packet, which greatly improves the efficiency of packet forwarding based on security services.
Description of the drawings
Fig. 1 is a flowchart of existing packet forwarding based on security services;
Fig. 2 is a flowchart of packet forwarding based on security services provided by embodiment one of the present invention;
Fig. 3 is a flowchart of packet forwarding based on security services provided by embodiment two of the present invention;
Fig. 4 is a composition diagram of the packet forwarding system based on security services provided by embodiment one of the present invention;
Fig. 5 is a composition diagram of the packet forwarding system based on security services provided by embodiment two of the present invention.
Embodiments
Every packet in the same service flow has the same five-tuple. Security service entries are usually established on the basis of the packet five-tuple, and the forwarding entries (FIB entries and ARP entries) are likewise established on the basis of the packet five-tuple. It follows that the security service processing and the forwarding processing performed on every packet of the same service flow are identical. The core idea of the present invention is therefore as follows: when a FIB entry is learned, look up the ARP entry corresponding to this FIB entry and establish a first association between the FIB entry and the ARP entry; perform the security service entry lookup and the FIB entry and ARP entry lookups on the first packet of a service flow as in the prior art; and, according to the lookup results, establish a second association between the attribute information of the packet, the information on all security services that need to be performed on this first packet, and the FIB entry corresponding to this first packet. The subsequent packets of the service flow can then find the security service information and the ARP entry information directly from the second and first associations, so that security service processing and forwarding processing are performed on them directly, without repeating the security service entry, FIB entry and ARP entry lookups.
The present invention is described in further detail below with reference to the drawings and specific embodiments.
Fig. 2 is a flowchart of packet forwarding based on security services provided by embodiment one of the present invention. As shown in Fig. 2, the specific steps are as follows:
Step 201: The security device learns an ARP entry in software.
Step 202: The security device learns a FIB entry in software, sets a FIB sequence number for this FIB entry, looks up the ARP entry corresponding to this FIB entry, and adds the index of that ARP entry to the FIB entry.
When the forwarding information in a FIB entry, such as the Layer 3 outgoing interface information, is modified, the FIB sequence number in that FIB entry is incremented by 1; when a FIB entry is deleted, the FIB sequence number in that FIB entry is also incremented by 1. In this way, after a FIB entry is modified or deleted, the FIB sequence number in the FIB entry no longer matches the FIB sequence number in the Session entry established in the subsequent steps, which triggers an update of the FIB entry index and FIB sequence number in the Session entry.
Step 203: The security device receives a packet and looks up in software the Session entry corresponding to the five-tuple information of this packet.
Step 204: The security device determines whether a Session entry was found; if so, go to step 214; otherwise, go to step 205.
Step 205: The security device determines that this packet is the first packet of a service flow, and looks up in software the security service entry corresponding to the information carried by this first packet, such as its five-tuple information.
Step 206: The security device performs the corresponding security service processing on this first packet according to the security service information in the security service entry found, and establishes a Session entry in software. This Session entry comprises the five-tuple information of the first packet and the security service information.
The security service processing in this step is the security service processing at the ingress of the security device.
Step 207: The security device looks up in software the FIB entry corresponding to the destination IP address of this first packet.
Step 208: The security device finds the FIB entry and looks up in software the ARP entry that best matches this FIB entry.
Step 209: The security device adds the FIB sequence number in the FIB entry found and the index of that FIB entry to the Session entry established in step 206.
As can be seen, after this step the Session entry established by the security device comprises: five-tuple information, security service information, FIB entry index and FIB sequence number.
Step 210: The security device looks up in software the security service entry corresponding to the Layer 3 outgoing interface information in the FIB entry.
A FIB entry comprises information such as the destination IP address, destination mask, Layer 3 outgoing interface and next hop.
Step 211: The security device determines whether a security service entry was found; if so, go to step 212; otherwise, go to step 213.
Step 212: The security device performs the corresponding security service processing on this first packet according to the security service information in the security service entry found, and adds this security service information to the Session entry established in step 206. When security service processing is complete, go to step 213.
The security service processing in this step is the security service processing at the egress of the security device.
Step 213: The security device encapsulates the Layer 2 link-layer header from the ARP entry found onto the Layer 2 header of this first packet, forwards the first packet, and returns to step 203.
Step 214: The security device determines that this packet is a subsequent packet of a service flow, and finds the FIB entry according to the FIB entry index in the Session entry.
Step 215: The security device determines whether the FIB sequence number in the FIB entry found is consistent with the FIB sequence number in the Session entry; if so, go to step 216; otherwise, go to step 218.
Step 216: The security device determines that the FIB entry has not been modified or deleted, and performs the corresponding security service processing on this subsequent packet according to the security service information in the Session entry. When this is finished, go to step 217.
Step 217: The security device finds the ARP entry according to the ARP entry index in the FIB entry, encapsulates the Layer 2 link-layer header from the ARP entry found onto the Layer 2 header of this subsequent packet, forwards the subsequent packet, and returns to step 203.
Step 218: The security device determines that the FIB entry has been modified or deleted, and looks up the security service entry corresponding to the information carried by this subsequent packet, such as its five-tuple information.
Step 219: The security device performs the corresponding security service processing on this subsequent packet according to the security service information in the security service entry found, and updates the security service information in the Session entry that was found with this security service information.
Step 220: The security device looks up in software the FIB entry corresponding to the destination IP address of this subsequent packet.
Step 221: The security device finds the FIB entry and looks up in software the ARP entry that best matches this FIB entry.
Step 222: The security device updates the FIB sequence number and FIB entry index in the Session entry that was found with the FIB sequence number in the FIB entry found and the index of that FIB entry.
Step 223: The security device looks up the security service entry corresponding to the Layer 3 outgoing interface information in the FIB entry.
Step 224: The security device determines whether a security service entry was found; if so, go to step 225; otherwise, go to step 226.
Step 225: The security device performs the corresponding security service processing on this subsequent packet according to the security service information in the security service entry found, and adds this security service information to the Session entry that was found. When security service processing is complete, go to step 226.
Step 226: The security device encapsulates the Layer 2 link-layer header from the ARP entry found onto the Layer 2 header of this subsequent packet, forwards the subsequent packet, and returns to step 203.
As can be seen from the flow shown in Fig. 2, after a FIB entry is learned in software, the ARP entry that best matches this FIB entry is looked up and the index of this ARP entry is added to the FIB entry.
After the security service entry, FIB entry and ARP entry lookups have been performed in software for the first packet of a service flow, the structure of the Session entry established in software according to the lookup results is as follows:
Session entry: five-tuple information, security service information, FIB entry index, FIB sequence number.
In this way, after a subsequent packet of the service flow is received, the Session entry above can be found in software according to the five-tuple information of the subsequent packet. The corresponding security service processing is then performed according to the security service information in this Session entry, the FIB entry is found according to the FIB entry index in this Session entry, and the ARP entry is found according to the ARP entry index in this FIB entry, so that the subsequent packet is forwarded. As can be seen, all security service information is stored centrally in the Session entry, which improves the efficiency of security service processing. Moreover, when the ARP entry is looked up there is no need to search for the FIB entry by five-tuple information again, nor to match against FIB entries: the FIB entry is found directly from the FIB entry index in the Session entry, and the ARP entry is found directly from the ARP entry index in the FIB entry, which further improves forwarding efficiency.
In the embodiment shown in Fig. 2, the security service processing and forwarding processing of the subsequent packets of a service flow are all performed in software. An embodiment in which the security service processing and forwarding processing of the subsequent packets of a service flow are performed in hardware is given below.
Fig. 3 is a security service processing flowchart provided by embodiment two of the present invention. As shown in Fig. 3, the specific steps are as follows:
Step 301: The security device learns an ARP entry in software and establishes an ARP perception entry in hardware. The content of this ARP perception entry is identical to the content of the learned ARP entry, and the index of the ARP perception entry is added to the learned ARP entry.
Step 302: The security device learns a FIB entry in software, sets a FIB sequence number for this FIB entry, looks up the ARP entry corresponding to this FIB entry, and establishes the FIB perception entry corresponding to this FIB entry. This FIB perception entry comprises the FIB sequence number of the FIB entry and the ARP perception entry index in the ARP entry. The FIB perception entry is saved in hardware.
When the forwarding information in a FIB entry, such as the Layer 3 outgoing interface information, is modified, the FIB sequence number in that FIB entry is incremented by 1; at the same time the FIB perception entry is found according to the FIB perception entry index in the FIB entry, and the FIB sequence number in the FIB perception entry is incremented by 1. When a FIB entry is deleted, the FIB perception entry is likewise found according to the FIB perception entry index in the FIB entry, and the FIB sequence number in the FIB perception entry is incremented by 1. In this way, after a FIB entry is modified or deleted, the FIB sequence number in the FIB perception entry no longer matches the FIB sequence number in the Session entry established in the subsequent steps, which triggers an update of the FIB perception entry index and FIB sequence number in the Session entry.
Step 303: The security device receives a packet and looks up in hardware the Session entry corresponding to the five-tuple information of this packet.
Step 304: The security device determines whether a Session entry was found; if so, go to step 314; otherwise, go to step 305.
Step 305: The security device determines that this packet is the first packet of a service flow, and looks up in software the security service entry corresponding to the information carried by this first packet, such as its five-tuple information.
Step 306: The security device performs the corresponding security service processing on this first packet according to the security service information in the security service entry found, and establishes a Session entry in software. This Session entry comprises the five-tuple information of the first packet and the security service information.
Step 307: The security device looks up in software the FIB entry corresponding to the destination IP address of this first packet.
Step 308: The security device finds the FIB entry and looks up in software the ARP entry that best matches this FIB entry.
Step 309: The security device adds the FIB perception entry index and FIB sequence number in the FIB entry found to the Session entry established in step 306.
As can be seen, after this step the Session entry established by the security device comprises: five-tuple information, security service information, FIB perception entry index and FIB sequence number.
Step 310: The security device looks up in software the security service entry corresponding to the Layer 3 outgoing interface information in the FIB entry.
Step 311: The security device determines whether a security service entry was found; if so, go to step 312; otherwise, go to step 313.
Step 312: The security device performs the corresponding security service processing on this first packet according to the security service information in the security service entry found, adds this security service information to the Session entry established in step 306, and saves this Session entry in hardware. When security service processing is complete, go to step 313.
Step 313: The security device encapsulates the Layer 2 link-layer header from the ARP entry found onto the Layer 2 header of this first packet, forwards the packet, and returns to step 303.
Step 314: The security device determines that this packet is a subsequent packet of a service flow, and finds the FIB perception entry according to the FIB perception entry index in the Session entry.
Step 315: The security device determines whether the FIB sequence number in the FIB perception entry found is consistent with the FIB sequence number in the Session entry; if so, go to step 316; otherwise, go to step 318.
Step 316: The security device determines that the FIB entry has not been modified or deleted, and performs the corresponding security service processing on this subsequent packet according to the security service information in the Session entry. When this is finished, go to step 317.
Step 317: The security device finds the ARP perception entry according to the ARP perception entry index in the FIB perception entry, encapsulates the Layer 2 link-layer header from the ARP perception entry found onto the Layer 2 header of this subsequent packet, forwards the subsequent packet, and returns to step 303.
Step 318: The security device determines that the FIB entry has been modified or deleted, and looks up the security service entry corresponding to the information carried by this subsequent packet, such as its five-tuple information.
Step 319: The security device performs the corresponding security service processing on this subsequent packet according to the security service information in the security service entry found, and updates the security service information in the Session entry that was found with this security service information.
Step 320: The security device looks up in software the FIB entry corresponding to the destination IP address of this subsequent packet.
Step 321: The security device finds the FIB entry and looks up in software the ARP entry that best matches this FIB entry.
Step 322: The security device updates the FIB perception entry index and FIB sequence number in the Session entry that was found with the FIB perception entry index and FIB sequence number in the FIB entry found.
Step 323: The security device looks up the security service entry corresponding to the Layer 3 outgoing interface information in the FIB entry.
Step 324: The security device determines whether a security service entry was found; if so, go to step 325; otherwise, go to step 326.
Step 325: The security device performs the corresponding security service processing on this subsequent packet according to the security service information in the security service entry found, and adds this security service information to the Session entry that was found. When security service processing is complete, go to step 326.
Step 326: The security device encapsulates the Layer 2 link-layer header from the ARP entry found onto the Layer 2 header of this subsequent packet, forwards the packet, and returns to step 303.
As can be seen from the flow shown in Fig. 3, after an ARP entry is learned in software, the ARP perception entry corresponding to this ARP entry is saved in hardware, and the index of this ARP perception entry is saved in the learned ARP entry.
After a FIB entry is learned in software, the structure of the FIB perception entry established in hardware is:
FIB perception entry: FIB sequence number, ARP perception entry index.
After the security service entry, FIB entry and ARP entry lookups have been performed in software for the first packet of a service flow, the structure of the Session entry saved in hardware according to the lookup results is as follows:
Session entry: five-tuple information, security service information, FIB perception entry index, FIB sequence number.
In this way, after a subsequent packet of the service flow is received, the Session entry above can be found in hardware according to the five-tuple information of the subsequent packet. The corresponding security service processing is then performed according to the security service information in this Session entry, the FIB perception entry in hardware is found according to the FIB perception entry index in this Session entry, and the ARP perception entry in hardware is found according to the ARP perception entry index in this FIB perception entry, so that the subsequent packet is forwarded. As can be seen, the security service processing and forwarding processing of subsequent packets are all performed in hardware, which greatly improves the security service processing efficiency and forwarding efficiency for subsequent packets. At the same time, all security service information is stored centrally in the Session entry, which further improves the efficiency of security service processing. Moreover, when the ARP perception entry is looked up there is no need to search for the FIB entry by five-tuple information again, nor to match against FIB entries: the FIB perception entry is found directly from the FIB perception entry index in the Session entry, and the ARP perception entry is found directly from the ARP perception entry index in the FIB perception entry, which further improves forwarding efficiency.
At the same time, as can be seen from the embodiment shown in Fig. 3, the FIB entry in this embodiment differs from the FIB entry of the prior art in that the FIB perception entry index must also be saved in the FIB entry, so that when the FIB entry is modified or deleted the FIB sequence number in the FIB perception entry can be updated in time, and the FIB perception entry index and FIB sequence number in the Session entry are thereby updated in time.
In the embodiment shown in Fig. 3, to further speed up the forwarding of packets based on security services, the FIB perception entries and Session entries are saved in hardware, and ARP perception entries with the same content as the ARP entries are also saved in hardware. In practical applications, the FIB perception entries and Session entries may instead be saved in software, with no ARP perception entries saved in hardware. In that case the FIB perception entry contains the ARP entry index rather than the ARP perception entry index, and the security service processing and forwarding processing of the subsequent packets of a service flow are all performed in software. The detailed procedure is similar to the embodiment shown in Fig. 3 and is not repeated here.
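The flow of Fig. 2 reduced to a runnable sketch, added here as an illustration and not taken from the patent: a Session entry caches the security services together with a FIB entry index and FIB sequence number, and a sequence number mismatch sends the packet back through the table searches. In embodiment two the same comparison is made against the FIB perception entry. All class, method and field names and the sample data are constructed; treating the "best matching" ARP entry as the next hop's entry, keeping deleted FIB slots as tombstones and dropping packets with no route are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class FibEntry:
    prefix: object          # destination IP address + mask (ip_network)
    out_if: str             # Layer 3 outgoing interface
    next_hop: str
    arp_index: int          # first association: FIB entry -> ARP entry
    seq: int = 0            # FIB sequence number
    deleted: bool = False   # assumption: deleted slots stay as tombstones


@dataclass
class Session:
    services: list          # all security services for the flow
    fib_index: int          # second association: flow -> FIB entry
    fib_seq: int            # FIB sequence number copied when the entry was built


class SecurityDevice:
    def __init__(self, ingress_policy, egress_policy):
        self.ingress_policy = ingress_policy   # five-tuple -> services
        self.egress_policy = egress_policy     # outgoing interface -> services
        self.arp = []                          # (IP address, Layer 2 header)
        self.fib = []
        self.sessions = {}                     # five-tuple -> Session
        self.table_searches = 0                # full lookups performed

    def _match_arp(self, next_hop):
        # Assumption: the "best matching" ARP entry is the next hop's entry.
        return next(i for i, (ip, _) in enumerate(self.arp) if ip == next_hop)

    def learn_arp(self, ip, l2_header):              # step 201
        self.arp.append((ip, l2_header))

    def learn_fib(self, prefix, out_if, next_hop):   # step 202
        entry = FibEntry(ip_network(prefix), out_if, next_hop,
                         self._match_arp(next_hop))
        self.fib.append(entry)
        return len(self.fib) - 1

    def modify_fib(self, index, out_if, next_hop):
        entry = self.fib[index]
        entry.out_if, entry.next_hop = out_if, next_hop
        entry.arp_index = self._match_arp(next_hop)
        entry.seq += 1                         # invalidates cached sessions

    def delete_fib(self, index):
        self.fib[index].deleted = True
        self.fib[index].seq += 1               # deletion also bumps the number

    def _search_tables(self, flow):
        """Steps 205-212 (first packet) and 218-225 (stale Session entry)."""
        self.table_searches += 1
        services = list(self.ingress_policy.get(flow, []))
        dst = ip_address(flow[1])
        routes = [(i, e) for i, e in enumerate(self.fib)
                  if not e.deleted and dst in e.prefix]
        if not routes:                         # assumption: no route -> drop
            self.sessions.pop(flow, None)
            return None
        index, entry = max(routes, key=lambda r: r[1].prefix.prefixlen)
        services += self.egress_policy.get(entry.out_if, [])
        self.sessions[flow] = Session(services, index, entry.seq)
        return services, self.arp[entry.arp_index][1]

    def forward(self, flow):
        """Return (path, security services applied, Layer 2 header used)."""
        session = self.sessions.get(flow)                # steps 203-204
        path = "first"
        if session is not None:
            entry = self.fib[session.fib_index]          # step 214
            if entry.seq == session.fib_seq:             # step 215
                return "fast", session.services, self.arp[entry.arp_index][1]
            path = "refresh"
        found = self._search_tables(flow)
        return (path, *found) if found else ("drop", [], None)


def build_demo():
    """Constructed sample data: addresses, interfaces and services are made up."""
    flow = ("198.51.100.7", "192.0.2.10", 40000, 443, "tcp")
    dev = SecurityDevice({flow: ["acl-permit"]},
                         {"ge0/1": ["nat"], "ge0/2": ["ips"]})
    dev.learn_arp("10.0.0.1", "mac-A")
    dev.learn_arp("10.0.1.1", "mac-B")
    specific = dev.learn_fib("192.0.2.0/24", "ge0/1", "10.0.0.1")
    dev.learn_fib("0.0.0.0/0", "ge0/2", "10.0.1.1")
    return dev, flow, specific


if __name__ == "__main__":
    dev, flow, specific = build_demo()
    print(dev.forward(flow))                       # first packet
    print(dev.forward(flow))                       # subsequent packet
    dev.modify_fib(specific, "ge0/2", "10.0.1.1")
    print(dev.forward(flow))                       # sequence number mismatch
    dev.delete_fib(specific)
    print(dev.forward(flow))                       # falls back to default route
```

In the flow described on this page only a FIB modification or deletion changes the sequence number, so that is the only event in this sketch that sends an established Session entry back through the security service lookup.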
Fig. 4 is a composition diagram of the packet forwarding system based on security services provided by embodiment one of the present invention. As shown in Fig. 4, it mainly comprises: security service entry storage module 401, FIB entry learning and storage module 402, ARP entry learning and storage module 403, Session entry storage module 404, packet receiving module 405, Session entry lookup module 406, Session entry establishment and update module 407, security service processing module 408 and forwarding module 409, where:
Security service entry storage module 401: stores the security service entries, each composed of five-tuple information and/or forwarding entry information, and security service information.
FIB entry learning and storage module 402: learns FIB entries, stores each FIB entry and sets a FIB sequence number for it. Each FIB entry comprises destination IP address information, destination mask information, Layer 3 outgoing interface information, next-hop information, the FIB sequence number and so on. The module also looks up in ARP entry learning and storage module 403 the ARP entry that best matches the FIB entry, and adds the index of the ARP entry found to the FIB entry.
ARP entry learning and storage module 403: learns and stores ARP entries.
Session entry storage module 404: stores the Session entries, each composed of five-tuple information, security service information, a FIB entry index and a FIB sequence number.
Packet receiving module 405: receives packets and sends each packet to security service processing module 408 and Session entry lookup module 406.
Session entry lookup module 406: receives the packet sent by packet receiving module 405 and looks up in Session entry storage module 404 the Session entry corresponding to the five-tuple information of this packet. If one is found, it looks up in FIB entry learning and storage module 402 the FIB entry corresponding to the FIB entry index in this Session entry and determines whether the FIB sequence number in the FIB entry found is consistent with the FIB sequence number in the Session entry. If they are consistent, it sends the security service information in this Session entry to security service processing module 408, finds the ARP entry in ARP entry learning and storage module 403 according to the ARP entry index in the FIB entry, and sends this ARP entry to forwarding module 409. If they are inconsistent, it carries the packet and the index of the Session entry found in an update indication and sends it to Session entry establishment and update module 407. If no Session entry is found, it carries the packet in an establishment indication and sends it to Session entry establishment and update module 407.
Session entry establishment and update module 407: on receiving from Session entry lookup module 406 an establishment indication carrying a packet, it looks up in security service entry storage module 401 the security service information corresponding to the information carried by this packet, such as its five-tuple information, sends the security service information found to security service processing module 408, and establishes a new Session entry in Session entry storage module 404; this Session entry comprises the five-tuple information of the packet and the security service information found. It looks up in FIB entry learning and storage module 402 the FIB entry corresponding to the destination IP address of this packet, adds the FIB sequence number in this FIB entry and the index of this FIB entry to the Session entry established, looks up in ARP entry learning and storage module 403 the ARP entry that best matches this FIB entry, and sends this ARP entry to forwarding module 409. It also looks up in security service entry storage module 401 the security service information corresponding to the Layer 3 outgoing interface information in the FIB entry found; if this is found, it sends this security service information to security service processing module 408 and adds it to the newly established Session entry in Session entry storage module 404.
On receiving from Session entry lookup module 406 an update indication carrying a packet and a Session entry index, module 407 looks up in security service entry storage module 401 the security service information corresponding to the information carried by this packet, such as its five-tuple information, sends the security service information found to security service processing module 408, finds the Session entry in Session entry storage module 404 according to the Session entry index, and replaces the security service information in this Session entry with the security service information found. It looks up in FIB entry learning and storage module 402 the FIB entry corresponding to the destination IP address of this packet, replaces the FIB sequence number and FIB entry index in the Session entry with the FIB sequence number in this FIB entry and the index of this FIB entry, looks up in ARP entry learning and storage module 403 the ARP entry that best matches this FIB entry, and sends this ARP entry to forwarding module 409. It also looks up in security service entry storage module 401 the security service information corresponding to the Layer 3 outgoing interface information in the FIB entry found; if this is found, it sends this security service information to security service processing module 408 and adds it to the Session entry.
Security service processing module 408: receives the packet sent by packet receiving module 405, receives the security service information sent by Session entry lookup module 406 or Session entry establishment and update module 407, performs the corresponding security service processing on the packet according to this security service information and, when processing is complete, sends the packet to forwarding module 409.
Forwarding module 409: receives the packet that has undergone security service processing from security service processing module 408, receives the ARP entry sent by Session entry lookup module 406 or Session entry establishment and update module 407, and sends the packet out according to this ARP entry.
The system in this embodiment of the invention may further comprise a FIB entry update module, used to update the FIB entries in FIB entry learning and storage module 402 and, when a FIB entry is updated, to increment the FIB sequence number of that FIB entry by 1.
In practical applications, security service entry storage module 401, FIB entry learning and storage module 402, ARP entry learning and storage module 403, Session entry storage module 404, Session entry lookup module 406 and Session entry establishment and update module 407 may be collectively referred to as the service forwarding association module.
Fig. 5 is a composition diagram of the packet forwarding system based on security services provided by embodiment two of the present invention. As shown in Fig. 5, it mainly comprises: security service entry storage module 501, FIB entry learning and storage module 502, FIB perception entry storage module 503, ARP entry learning and storage module 504, ARP perception entry storage module 505, Session entry storage module 506, packet receiving module 507, Session entry lookup module 508, Session entry establishment and update module 509, security service processing module 510 and forwarding module 511, where:
Security service entry storage module 501: stores the security service entries, each composed of five-tuple information and/or forwarding entry information, and security service information.
FIB entry learning and storage module 502: learns FIB entries, stores each FIB entry and sets a FIB sequence number for it. Each FIB entry comprises destination IP address information, destination mask information, Layer 3 outgoing interface information, next-hop information, the FIB sequence number and so on. The module also looks up in ARP entry learning and storage module 504 the ARP entry that best matches the FIB entry and establishes a FIB perception entry in FIB perception entry storage module 503; this FIB perception entry comprises the ARP perception entry index in the ARP entry found and the FIB sequence number of the learned FIB entry. The index of this FIB perception entry is added to the learned FIB entry.
FIB perception entry storage module 503: stores FIB perception entries; each FIB perception entry comprises an ARP perception entry index and a FIB sequence number.
ARP entry learning and storage module 504: learns and stores ARP entries, and at the same time establishes an ARP perception entry in ARP perception entry storage module 505. The content of this ARP perception entry is identical to the content of the learned ARP entry, and the index of this ARP perception entry is added to the learned ARP entry.
ARP perception entry storage module 505: stores ARP perception entries.
Session entry storage module 506: stores the Session entries, each composed of five-tuple information, security service information, a FIB perception entry index and a FIB sequence number.
Packet receiving module 507: receives packets and sends each packet to security service processing module 510 and Session entry lookup module 508.
The Session list item is searched module 508: receive the bag that bag receiver module 507 is sent, in Session list item memory module 506, search the Session list item corresponding with the five-tuple information of this bag, if find, then in FIB perception list item memory module 503, search and the corresponding FIB perception list item of FIB perception table item index in this Session list item, whether the FIB sequence number in the FIB perception list item that judgement finds is consistent with the FIB sequence number in the Session list item, if it is consistent, then the safety service information in this Session list item is sent to safety service processing module 510, the ARP perception table item index in the FIB perception list item is sent to forwarding module 511; If inconsistent, then the Session table item index that will wrap and find is carried at renewal and sends to the Session list item in indicating and set up update module 509; If do not find, then this bag is carried to set up and sends to the Session list item in the indication and set up update module 509.
Session entry establishment and update module 509: on receiving an establishment indication carrying a packet from Session entry lookup module 508, it searches security service entry storage module 501 for the security service information corresponding to the five-tuple information carried by the packet, sends the security service information found to security service processing module 510, and establishes a new Session entry comprising the five-tuple information of the packet and the security service information found. It searches FIB entry learning and storage module 502 for the FIB entry corresponding to the destination IP address of the packet and adds the FIB perception entry index and the FIB sequence number in that FIB entry to the Session entry being established. It searches ARP entry learning and storage module 504 for the ARP entry that best matches the FIB entry and sends this ARP entry to forwarding module 511. It also searches security service entry storage module 501 for the security service information corresponding to the layer-3 outgoing interface information in the FIB entry found; if any is found, it sends this security service information to security service processing module 510 and adds it to the newly established Session entry. The Session entry is then saved to Session entry storage module 506.
On receiving an update indication carrying a packet and a Session entry index from Session entry lookup module 508, it searches security service entry storage module 501 for the security service information corresponding to the five-tuple information, sends the security service information found to security service processing module 510, finds the Session entry in Session entry storage module 506 according to the Session entry index, and replaces the security service information in that Session entry with the security service information found. It searches FIB entry learning and storage module 502 for the FIB entry corresponding to the destination IP address of the packet and replaces the FIB perception entry index and the FIB sequence number in the Session entry with the FIB perception entry index and the FIB sequence number in that FIB entry. It searches ARP entry learning and storage module 504 for the ARP entry that best matches the FIB entry and sends this ARP entry to forwarding module 511. It also searches security service entry storage module 501 for the security service information corresponding to the layer-3 outgoing interface information in the FIB entry found; if any is found, it sends this security service information to security service processing module 510 and adds it to the Session entry.
Security service processing module 510: receives the packet sent by packet receiving module 507, receives the security service information sent by Session entry lookup module 508 or Session entry establishment and update module 509, performs the corresponding security service processing on the packet according to this security service information and, when processing is complete, sends the packet to forwarding module 511.
Forwarding module 511: receives the packet that has undergone security service processing from security service processing module 510. On receiving an ARP perception entry index from Session entry lookup module 508, it looks up in ARP perception entry storage module 505 the ARP perception entry that the index points to and sends the packet out according to this ARP perception entry. On receiving an ARP entry from Session entry establishment and update module 509, it sends the packet out according to this ARP entry.
The system in the embodiment of the invention may further comprise a FIB entry update module, used to update the FIB entries in FIB entry learning and storage module 502. When a FIB entry is updated, the FIB sequence number of that FIB entry is incremented by 1 at the same time, the FIB perception entry is found in FIB perception entry storage module 503 according to the FIB perception entry index in the FIB entry, and the FIB sequence number in that FIB perception entry is incremented by 1.
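The sequence-number check carried out by modules 508 and 509 and the FIB entry update module can be modelled in a few lines; the Python sketch below is an added example, not part of the patent text. Class and method names, the sample addresses and the policy labels are constructed, and refreshing the ARP perception index when a route is updated is an assumption.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class ArpAware:      # module 505: copy of a learned ARP entry
    mac: str

@dataclass
class FibAware:      # module 503: ARP perception index + FIB sequence number
    arp_idx: int
    seq: int

@dataclass
class FibEntry:      # module 502: learned route, points at its FibAware entry
    next_hop: str
    out_if: str
    fib_aware_idx: int
    seq: int

@dataclass
class Session:       # module 506: keyed by five-tuple in Device.sessions
    policy: tuple
    fib_aware_idx: int
    seq: int

class Device:
    def __init__(self, flow_policy, if_policy):
        self.flow_policy = flow_policy  # five-tuple -> security services
        self.if_policy = if_policy      # L3 outgoing interface -> services
        self.arp_idx, self.arp_aware = {}, []
        self.fib, self.fib_aware = {}, []
        self.sessions = {}

    def learn_arp(self, ip, mac):
        self.arp_idx[ip] = len(self.arp_aware)
        self.arp_aware.append(ArpAware(mac))

    def learn_route(self, prefix, next_hop, out_if):
        self.fib_aware.append(FibAware(self.arp_idx[next_hop], 0))
        self.fib[ipaddress.ip_network(prefix)] = FibEntry(
            next_hop, out_if, len(self.fib_aware) - 1, 0)

    def update_route(self, prefix, next_hop, out_if):
        # FIB entry update module: bump the sequence number in both tables.
        e = self.fib[ipaddress.ip_network(prefix)]
        e.next_hop, e.out_if, e.seq = next_hop, out_if, e.seq + 1
        fa = self.fib_aware[e.fib_aware_idx]
        fa.seq += 1
        fa.arp_idx = self.arp_idx[next_hop]  # assumption: re-resolved here

    def _lookup_fib(self, dst):
        addr = ipaddress.ip_address(dst)
        hits = [n for n in self.fib if addr in n]
        if not hits:
            raise LookupError("no route to " + dst)
        return self.fib[max(hits, key=lambda n: n.prefixlen)]  # longest prefix

    def forward(self, ft):
        s = self.sessions.get(ft)
        if s is not None:                      # module 508: session hit
            fa = self.fib_aware[s.fib_aware_idx]
            if fa.seq == s.seq:                # route unchanged: fast path
                return ("fast", s.policy, self.arp_aware[fa.arp_idx].mac)
        # Module 509: no session, or the route changed under it. Re-evaluate
        # the security services against the current outgoing interface.
        e = self._lookup_fib(ft[1])
        policy = (tuple(self.flow_policy.get(ft, ()))
                  + tuple(self.if_policy.get(e.out_if, ())))
        self.sessions[ft] = Session(policy, e.fib_aware_idx, e.seq)
        return ("slow", policy, self.arp_aware[self.arp_idx[e.next_hop]].mac)

def demo():
    # Constructed sample: (src IP, dst IP, protocol, src port, dst port).
    flow = ("198.51.100.7", "192.0.2.10", "tcp", 40000, 443)
    dev = Device({flow: ["acl-permit"]}, {"ge1": ["ipsec"]})
    dev.learn_arp("10.0.1.1", "00:00:5e:00:53:01")
    dev.learn_arp("10.0.2.1", "00:00:5e:00:53:02")
    dev.learn_route("192.0.2.0/24", "10.0.1.1", "ge0")
    out = [dev.forward(flow), dev.forward(flow)]
    dev.update_route("192.0.2.0/24", "10.0.2.1", "ge1")
    out += [dev.forward(flow), dev.forward(flow)]
    return out

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third packet of the flow is the one to watch: without the sequence-number comparison it would be forwarded with the services cached for the old outgoing interface.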
In practical applications, security service entry storage module 501, FIB entry learning and storage module 502, FIB perception entry storage module 503, ARP entry learning and storage module 504, ARP perception entry storage module 505, Session entry storage module 506, Session entry lookup module 508 and Session entry establishment and update module 509 may be collectively referred to as the service forwarding association module.
It should be pointed out that security service entry storage module 501, FIB entry learning and storage module 502 and ARP entry learning and storage module 504 are modules of prior-art construction and are kept in software, whereas FIB perception entry storage module 503, ARP perception entry storage module 505 and Session entry storage module 506 are modules constructed by the embodiment of the invention and are kept in hardware, for example in a TCAM, to speed up the security device's access to Session entries, FIB perception entries and ARP perception entries and thereby improve the efficiency of packet forwarding based on security service.
In addition, in practical applications, FIB perception entry storage module 503 and Session entry storage module 506 may also be kept in software, in which case ARP perception entry storage module 505 no longer needs to be constructed in hardware, and the functions of FIB entry learning and storage module 502, ARP entry learning and storage module 504, Session entry lookup module 508 and forwarding module 511 need to change as follows:
The FIB perception entry that FIB entry learning and storage module 502 establishes in FIB perception entry storage module 503 comprises: the index of the ARP entry found and the FIB sequence number of the learned FIB entry.
The function of ARP entry learning and storage module 504 changes to: learning and saving ARP entries.
After judging that the FIB sequence number in the FIB perception entry found is consistent with the FIB sequence number in the Session entry, Session entry lookup module 508 needs to find the ARP entry in ARP entry learning and storage module 504 according to the ARP entry index in the FIB perception entry, and sends this ARP entry to forwarding module 511.
The function of forwarding module 511 changes to: receiving the packet that has undergone security service processing from security service processing module 510, receiving the ARP entries sent by Session entry lookup module 508 and Session entry establishment and update module 509, and sending the packet out according to the ARP entry.
The above is only the process and method embodiments of the present invention and is not intended to limit the present invention; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims (25)

1. A packet forwarding method based on security service, characterized in that it comprises:
Establishing a first association between forwarding information base (FIB) entries and ARP entries;
Receiving the first packet of a service flow, obtaining the security service information and the FIB entry corresponding to the first packet, and establishing a second association among the attribute information of the service flow packet carried by the first packet, the security service information and the FIB entry index;
Receiving a subsequent packet of the service flow, finding the security service information and the ARP entry information according to the attribute information of the subsequent packet, the second association and the first association, performing security service processing on the subsequent packet according to this security service information, and forwarding the subsequent packet according to this ARP entry information.
2. The method of claim 1, characterized in that the first association and the second association are kept in a software unit.
3. The method of claim 2, characterized in that establishing the first association between FIB entries and ARP entries comprises: adding to each FIB entry in the software unit the index of the ARP entry that best matches that FIB entry;
Establishing the second association among the attribute information of the service flow packet carried by the first packet, the security service information and the FIB entry index comprises: establishing, in the software unit, an association among the attribute information of the service flow packet, the security service information and the index of the FIB entry obtained.
4. The method of claim 3, characterized in that, when a subsequent packet is received, finding the security service information and the ARP entry information comprises: searching all second associations for the second association corresponding to the attribute information of the service flow packet carried by the subsequent packet, finding the security service information in this second association, looking up the FIB entry that the FIB entry index in this second association points to, and finding the ARP entry according to the ARP entry index in this FIB entry.
5. The method of claim 4, characterized in that, before adding to each FIB entry in the software unit the index of the ARP entry that best matches that FIB entry, the method further comprises: setting a FIB sequence number for each FIB entry,
And establishing the second association among the attribute information of the service flow packet carried by the first packet, the security service information and the FIB entry index further comprises: adding the FIB sequence number of the FIB entry to this second association, and, when the FIB entry is updated, updating the FIB sequence number of this FIB entry at the same time.
6. The method of claim 5, characterized in that, when a subsequent packet is received, looking up the FIB entry that the FIB entry index in this second association points to further comprises: judging whether the FIB sequence number in the FIB entry found is consistent with the FIB sequence number in the second association found; if so, finding the ARP entry according to the ARP entry index in this FIB entry; otherwise, searching the software unit again for the FIB entry corresponding to the subsequent packet, updating the FIB sequence number and the FIB entry index in the second association found with the FIB sequence number in the FIB entry found and the index of that FIB entry, and then searching the software unit for the ARP entry that best matches the FIB entry.
7. The method of claim 2, characterized in that establishing the first association between FIB entries and ARP entries comprises: searching the software unit for the ARP entry that best matches each FIB entry, establishing in the software unit a FIB perception entry containing the index of the ARP entry found, and adding the index of this FIB perception entry to the FIB entry;
Establishing the second association among the attribute information of the service flow packet carried by the first packet, the security service information and the FIB entry index is: establishing, in the software unit, an association among the attribute information of the service flow packet, the security service information and the FIB perception entry index of the FIB entry obtained.
8. The method of claim 7, characterized in that, when a subsequent packet is received, finding the security service information and the ARP entry information comprises:
Searching all second associations for the second association corresponding to the attribute information of the service flow packet carried by the subsequent packet, finding the security service information in this second association, looking up the FIB perception entry that the FIB perception entry index in this second association points to, and finding the ARP entry according to the ARP entry index in this FIB perception entry.
9. The method of claim 7, characterized in that, before searching the software unit for the ARP entry that best matches each FIB entry, the method further comprises: setting a FIB sequence number for each FIB entry,
And establishing in the software unit the FIB perception entry containing the index of the ARP entry found further comprises: adding the FIB sequence number of the FIB entry to this FIB perception entry,
And establishing the second association among the attribute information of the service flow packet carried by the first packet, the security service information and the FIB entry index further comprises: adding the FIB sequence number of the FIB entry to this second association,
And, when the FIB entry is updated, updating the FIB sequence number of this FIB entry at the same time, and updating the FIB sequence number in the FIB perception entry corresponding to this FIB entry.
10. The method of claim 9, characterized in that, when a subsequent packet is received, looking up the FIB perception entry that the FIB perception entry index in this second association points to further comprises: judging whether the FIB sequence number in the FIB perception entry found is consistent with the FIB sequence number in the second association found; if so, finding the ARP entry according to the ARP entry index in this FIB perception entry; otherwise, searching the software unit again for the FIB entry corresponding to the subsequent packet, updating the FIB perception entry index and the FIB sequence number in the second association found with the FIB perception entry index and the FIB sequence number in the FIB entry found, and then searching for the ARP entry that best matches the FIB entry.
11. The method of claim 1, characterized in that the first association and the second association are kept in a hardware unit.
12. The method of claim 11, characterized in that, before establishing the first association between FIB entries and ARP entries, the method further comprises: learning ARP entries and FIB entries in a software unit;
Establishing the first association between FIB entries and ARP entries comprises: establishing in the hardware unit an ARP perception entry whose content is identical to that of each ARP entry in the software unit, and adding the index of this ARP perception entry to the ARP entry; searching for the ARP entry that best matches each FIB entry, establishing in the hardware unit a FIB perception entry containing the ARP perception entry index in the ARP entry found, and adding the index of this FIB perception entry to the FIB entry;
Establishing the second association among the attribute information of the service flow packet carried by the first packet, the security service information and the FIB entry index is: establishing an association among the attribute information of the service flow packet, the security service information and the FIB perception entry index in the FIB entry found in the software unit, and saving this association to the hardware unit.
13. The method of claim 12, characterized in that, when a subsequent packet is received, finding the security service information and the ARP entry information comprises:
Searching all second associations in the hardware unit for the second association corresponding to the attribute information of the service flow packet carried by the subsequent packet, finding the security service information in this second association, looking up the FIB perception entry that the FIB perception entry index in the third association points to, and finding the ARP perception entry according to the ARP perception entry index in this FIB perception entry; this ARP perception entry is the ARP entry information found.
14. The method of claim 13, characterized in that learning ARP entries and FIB entries in the software unit further comprises: setting a FIB sequence number for the FIB entry,
And establishing in the hardware unit the FIB perception entry containing the ARP perception entry index in the ARP entry found further comprises: adding the FIB sequence number of the FIB entry to this FIB perception entry,
And establishing the second association among the attribute information of the service flow packet carried by the first packet, the security service information and the FIB entry index further comprises: adding the FIB sequence number of the FIB entry to the second association,
And, when the FIB entry is updated, updating the FIB sequence number of this FIB entry at the same time, and updating the FIB sequence number in the FIB perception entry corresponding to this FIB entry.
15. The method of claim 14, characterized in that, when a subsequent packet is received, looking up the FIB perception entry that the FIB perception entry index in this second association points to further comprises: judging whether the FIB sequence number in the FIB perception entry found is consistent with the FIB sequence number in the second association found; if so, finding the ARP perception entry according to the ARP perception entry index in this FIB perception entry; otherwise, searching the software unit again for the FIB entry corresponding to the subsequent packet, updating the FIB perception entry index and the FIB sequence number in the second association with the FIB perception entry index and the FIB sequence number in the FIB entry found, and then searching for the ARP entry that best matches the FIB entry.
16. The method of claim 1, characterized in that the attribute information of the service flow packet is five-tuple information.
17. A packet forwarding system based on security service, characterized in that it comprises:
A first module, which establishes a first association between FIB entries and ARP entries;
A second module, which receives the first packet of a service flow, obtains the security service information and the FIB entry corresponding to the first packet, and establishes a second association among the attribute information of the service flow packet, the security service information and the FIB entry index;
A third module, which receives a subsequent packet of the service flow, finds the security service information and the ARP entry information according to the attribute information of the service flow packet carried by the subsequent packet, the second association and the first association, performs security service processing on the subsequent packet according to the security service information, and forwards the subsequent packet according to the ARP entry information.
18. The system of claim 17, characterized in that the first module comprises:
A first submodule, which learns a FIB entry and adds to this FIB entry the index of the ARP entry that best matches it;
A second submodule, which, when a FIB entry in the first submodule is updated, updates the FIB sequence number set for this FIB entry;
And the first submodule, when learning a FIB entry, sets a FIB sequence number for this FIB entry;
The second module further adds the FIB sequence number of the FIB entry to the second association established among the attribute information of the service flow packet, the security service information and the FIB entry index.
19. The system of claim 17 or 18, characterized in that the first module is located in a software unit.
20. The system of claim 17, characterized in that the first module comprises:
A first submodule, which learns a FIB entry, searches for the ARP entry that best matches this FIB entry, establishes in the FIB perception entry storage module a FIB perception entry containing the index of the ARP entry found, and adds the index of this FIB perception entry to the FIB entry;
A second submodule, which saves each FIB perception entry containing an ARP entry index.
21. The system of claim 20, characterized in that the first module further comprises:
A third submodule, which, when a FIB entry is updated, updates the FIB sequence number set for this FIB entry, at the same time finds the FIB perception entry according to the FIB perception entry index in this FIB entry, and replaces the FIB sequence number in this FIB perception entry with the updated FIB sequence number;
And the first submodule, after learning a FIB entry, sets a FIB sequence number for this FIB entry and adds this FIB sequence number to the FIB perception entry established;
The second module further adds the FIB sequence number of the FIB entry to the second association established.
22. The system of claim 20 or 21, characterized in that the first module is located in a software unit.
23. The system of claim 17, characterized in that the first module comprises:
A first submodule, which learns a FIB entry, searches for the ARP entry that best matches the FIB entry, establishes in the FIB perception entry storage module a FIB perception entry containing the index of the ARP perception entry corresponding to the ARP entry found, and adds the index of this FIB perception entry to the FIB entry;
A second submodule, which saves each FIB perception entry;
A third submodule, which saves each ARP perception entry, whose content is identical to that of an ARP entry.
24. The system of claim 23, characterized in that the first module further comprises:
A fourth submodule, which, when a FIB entry is updated, updates the FIB sequence number set for this FIB entry, at the same time finds the FIB perception entry according to the FIB perception entry index in this FIB entry, and replaces the FIB sequence number in this FIB perception entry with the updated FIB sequence number;
And the first submodule, after learning a FIB entry, sets a FIB sequence number for this FIB entry and adds this FIB sequence number to the FIB perception entry established;
The second module further adds the FIB sequence number of the FIB entry to the second association established.
25. The system of claim 23 or 24, characterized in that the second submodule and the third submodule are located in a hardware unit.
CN200710119881A 2007-08-02 2007-08-02 Package transmitting method and system based on safety service Expired - Fee Related CN100589446C (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN200710119881A CN100589446C (en) 2007-08-02 2007-08-02 Package transmitting method and system based on safety service
US12/529,907 US8316432B2 (en) 2007-08-02 2008-07-17 Method for implementing security-related processing on packet and network security device
PCT/CN2008/071676 WO2009015578A1 (en) 2007-08-02 2008-07-17 Method and network security device for executing security processing to packets

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200710119881A CN100589446C (en) 2007-08-02 2007-08-02 Package transmitting method and system based on safety service

Publications (2)

Publication Number Publication Date
CN101110770A CN101110770A (en) 2008-01-23
CN100589446C true CN100589446C (en) 2010-02-10

Family

ID=39042668

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200710119881A Expired - Fee Related CN100589446C (en) 2007-08-02 2007-08-02 Package transmitting method and system based on safety service

Country Status (1)

Country Link
CN (1) CN100589446C (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8316432B2 (en) 2007-08-02 2012-11-20 Hangzhou H3C Technologies Co., Ltd. Method for implementing security-related processing on packet and network security device
CN109286570B (en) * 2018-11-15 2020-02-11 北京华三通信技术有限公司 Method and device for searching adjacent table items

Also Published As

Publication number Publication date
CN101110770A (en) 2008-01-23


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Patentee after: Xinhua three Technology Co., Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: Huasan Communication Technology Co., Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100210

Termination date: 20200802
