CN101079799A - A dynamic port control device based on hardware acceleration - Google Patents


Info

Publication number: CN101079799A
Authority: CN (China)
Prior art keywords: data message; information; rule; addressable memory; content addressable
Legal status: Pending
Application number: CNA2006100607630A
Other languages: Chinese (zh)
Inventors: 邓子星, 李浩, 冯国军
Current assignee: SEMPTIAN TECHNOLOGIES Ltd
Original assignee: Individual
Priority date: 2006-05-25
Filing date: 2006-05-25
Publication date: 2007-11-28
Application filed by: Individual
Priority to: CNA2006100607630A
Publication of: CN101079799A


Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a dynamic port control device based on hardware acceleration in the field of network communication. The device comprises a content addressable memory (CAM), a rule management module and a table look-up module. The invention improves the rule look-up performance and the packet processing rate of network equipment while ensuring network security.

Description

A dynamic port control device based on hardware acceleration
Technical field
The invention belongs to the field of network communication, and in particular relates to network protocols that involve dynamic port control.
Background technology
Hosts that communicate over an interconnected network encapsulate all of their communication content in data packets (messages). At present most operating systems support running several programs (processes) at the same time, so when a destination host receives a packet it must identify which process the packet's data belongs to and hand the data over to that process. In TCP/IP-based networks this function is implemented by ports: for example, the Hypertext Transfer Protocol (HTTP) uses port 80 and the File Transfer Protocol (FTP) uses port 21. If a host acts both as an HTTP server and as an FTP server, then when it receives a packet it can pass packets whose port is 80 to the HTTP process and packets whose port is 21 to the FTP process.
For a network device whose handling of a packet depends on the type of data the packet carries, the device must at least identify the packet's port and act accordingly. For example, when a firewall deployed at the egress of a local area network (LAN) allows external hosts to access only the HTTP server inside the LAN while forbidding access to the FTP server, the firewall must extract the destination port from each packet to identify the packet's type and handle it accordingly.
To transmit data, the sending and receiving sides must keep their ports consistent: if the receiver's receiving port is A, the sender must set the port of the packets it sends to A. Most programs communicate on ports agreed in advance; for example, web browsing uses HTTP, whose port is generally 80 or 8080. This way of assigning ports is called static port configuration. For programs or network protocols based on static port configuration, a network device can likewise use a static port configuration to associate ports with programs or protocols for identification and forwarding.
With the rapid development and wide application of computer networking technology, network applications have become increasingly complex and dynamic port allocation has appeared. Here the ports used by the two communicating parties are no longer agreed in advance but are allocated dynamically through negotiation. For example, in an FTP download the client and the server first establish a control connection on a pre-agreed port (usually port 21), negotiate a new port over this channel, then use the new port to establish a data connection, and the data to be downloaded is transmitted over that data connection. After the transfer is complete the port is released and can be used by other programs; the next time data is transferred, the client and server must negotiate a port again. Because network devices such as routers or firewalls cannot predict the newly negotiated port, they must monitor the negotiation process between the two parties to obtain the necessary information.
Existing network devices support protocols that involve dynamic ports mainly in the following two ways:
(1) Open all possible ports
In this mode, to guarantee normal communication, every port that might be used is opened in the configuration of the network device. Because there is no need to monitor the communication process and open and close ports dynamically, its advantage is high performance, but it runs counter to the minimum-security principle and leaves holes that can be used for malicious attacks, so this mode is gradually being phased out.
(2) Dynamic rule control
In this mode the network device monitors the communication process, captures the negotiated port information, and together with related information such as source IP address, destination IP address, source media access control (MAC) address, destination MAC address, source port number, destination port number and protocol type generates a corresponding dynamic rule, which is added to the dynamic rule table. When a packet is received, the central processing unit (CPU) of the network device uses a software look-up algorithm to extract the source IP address, destination IP address, source MAC address, destination MAC address, source port number, destination port number and protocol type from the packet, compares them first with the dynamic rules in the dynamic rule table, performs the corresponding handling if there is a match, and otherwise checks the statically configured rules. In this case the bit width of the looked-up entry is generally 100 to 200 bits. If an entry of that width were used as a direct index into random access memory (RAM), the RAM consumed would be enormous, up to 2^200 entry slots. Therefore a series of compressing (hash) mapping algorithms is generally used to map the entry rule to an entry address of about 20 bits. But because the CPU has to run the mapping algorithm, the time needed to obtain the rule-matching result is long, generally milliseconds or even seconds, and is strongly affected by the size and complexity of the table contents, so the look-up time is unstable, look-up performance is very low, and the delay jitter of packets is increased.
Summary of the invention
The object of the present invention is to provide a dynamic port control device based on hardware acceleration, intended to solve the problem in the prior art that, when port control is implemented dynamically, either security is low or rule look-up performance is low and the delay jitter of packets is increased.
The present invention is realized as follows: a dynamic port control device based on hardware acceleration, the device comprising:
a content addressable memory, used to store the table entries of the static rules and the dynamic rules for packets, and to look up the processing result of a packet according to the packet's rule look-up information;
a rule management module, used to receive user-configured static rules, and to establish or update dynamic rules according to the packet and the packet's processing result; and
a table look-up module, used to receive packets, extract the rule look-up information from the packet, send the rule look-up information to the content addressable memory, forward or discard the packet according to the processing result found by the content addressable memory, and, when the content of the packet includes dynamic port information, send the packet and its rule look-up information to the rule management module, receive the dynamic rule that the rule management module needs to establish or update, and configure and store it in the content addressable memory.
The table entries of the static rules and the dynamic rules are stored in two independent logical spaces of the content addressable memory respectively.
Alternatively, the table entries of the static rules and the dynamic rules are stored together in one logical space of the content addressable memory;
the table entries of the dynamic rules are stored at the low addresses of the content addressable memory with high priority;
the table entries of the static rules are stored at the high addresses of the content addressable memory with low priority.
The rule look-up information comprises the source IP address, destination IP address, source MAC address, destination MAC address, source port number, destination port number and protocol type of the packet.
The rule look-up information may further comprise the connection control information or the application layer information of the packet.
When the present invention is used to implement port control dynamically, rule look-up performance can be significantly improved while network security is guaranteed, the look-up time is stable, and the packet processing efficiency of the network device is improved.
Description of drawings
Fig. 1 is a structural diagram of the dynamic port control device provided by the invention;
Fig. 2 is a schematic diagram of the rule table stored in the CAM in the present invention.
Embodiment
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is further described below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are only intended to explain the present invention and are not intended to limit it.
In the present invention, ports are still opened and closed dynamically by means of dynamic rules, while hardware acceleration is used to guarantee look-up performance.
Fig. 1 shows the structure of the dynamic port control device provided by the invention. The content addressable memory (CAM) 101 is a special kind of memory device that can match the keys of all stored entries against the input in parallel. It is widely used in high-speed search processing and has the advantages of high speed (up to millions of searches per second), constant look-up time (parallel processing, independent of the number of entries) and priority support (when several entries match the key, the address of the first matching entry is returned). The CAM 101 stores the table entries of the packet rules.
In the present invention, static rules are configured by the user and do not change while the system is running. Dynamic rules are temporarily effective rules generated automatically while the system is running, according to the user-configured static rules and the packet look-up results; after the packet has been processed, the dynamic rule is deleted. Compared with static rules, a dynamic rule serves the communication between two determined hosts, so its rule information is definite: the look-up is an exact match, with no range matching. At the same time, dynamic rules have higher priority than static rules and are updated frequently.
In one embodiment of the invention, two tables, a static rule table and a dynamic rule table, are stored in the CAM 101, holding the table entries of the static rules and of the dynamic rules respectively. When looking up the result for a packet, the dynamic rule table is searched first; if the look-up in the dynamic rule table fails, the static rule table is searched. Thus, when looking up the result for a packet, the CAM 101 may have to search two tables.
In another embodiment of the invention, the table entries of the static rules and the dynamic rules are stored together in one rule table in the CAM 101, where the dynamic rule entries are stored at the low addresses of the CAM 101 with high priority and the static rule entries are stored at the high addresses of the CAM 101 with low priority, as shown in Fig. 2. When looking up the result for a packet, the dynamic rules are matched preferentially; if the dynamic rule look-up fails, the static rules are searched next. In this way the CAM 101 needs only a single search in one rule table, which further improves look-up efficiency.
The rule management module 102 establishes or updates dynamic rules according to the packets reported by the table look-up module 103 and their look-up results. The rule management module 102 analyses the received packet, obtains the dynamic port information from it and establishes or changes the corresponding dynamic rule; the dynamic rules established or changed by the rule management module 102 are configured and stored in the CAM 101 through the table look-up module 103. When a dynamic rule times out or is no longer used, the rule management module 102 deletes the corresponding dynamic rule: it issues a delete instruction to the table look-up module 103, which deletes the dynamic rule from the CAM 101. At the same time, the rule management module 102 receives the user-configured static rules and sends them to the table look-up module 103, which stores the static rules in the CAM 101.
The table look-up module 103 receives packets on the packet interface, first extracts the rule look-up information of the packet, for example the source IP address, destination IP address, source MAC address, destination MAC address, source port number, destination port number and protocol type, may further extract the packet's connection control information or application layer information, forms the search key and sends it to the CAM 101. The CAM 101 searches the stored rule table, obtains the result for the packet and returns it to the table look-up module 103. The table look-up module 103 forwards or discards the packet according to the result found by the CAM 101. If the content of the packet includes dynamic port information, the table look-up module 103 delivers the packet and its result to the rule management module 102 together. The rule management module 102 establishes or changes the dynamic rule state of the packet according to the information in the packet and its look-up result, and sends the dynamic rule state information that needs to be established or changed to the table look-up module 103, which updates the corresponding dynamic rule state in the CAM 101 and forwards the packet out.
The above are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims (5)

1. A dynamic port control device based on hardware acceleration, characterized in that the device comprises:
a content addressable memory, used to store the table entries of the static rules and the dynamic rules for packets, and to look up the processing result of a packet according to the packet's rule look-up information;
a rule management module, used to receive user-configured static rules, and to establish or update dynamic rules according to the packet and the packet's processing result; and
a table look-up module, used to receive packets, extract the rule look-up information from the packet, send the rule look-up information to the content addressable memory, forward or discard the packet according to the processing result found by the content addressable memory, and, when the content of the packet includes dynamic port information, send the packet and its rule look-up information to the rule management module, receive the dynamic rule that the rule management module needs to establish or update, and configure and store it in the content addressable memory.
2. The dynamic port control device based on hardware acceleration as claimed in claim 1, characterized in that the table entries of the static rules and the dynamic rules are stored in two independent logical spaces of the content addressable memory respectively.
3. The dynamic port control device based on hardware acceleration as claimed in claim 1, characterized in that the table entries of the static rules and the dynamic rules are stored together in one logical space of the content addressable memory;
the table entries of the dynamic rules are stored at the low addresses of the content addressable memory with high priority;
the table entries of the static rules are stored at the high addresses of the content addressable memory with low priority.
4. The dynamic port control device based on hardware acceleration as claimed in claim 1, characterized in that the rule look-up information comprises the source IP address, destination IP address, source MAC address, destination MAC address, source port number, destination port number and protocol type of the packet.
5. The dynamic port control device based on hardware acceleration as claimed in claim 4, characterized in that the rule look-up information further comprises the connection control information or the application layer information of the packet.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2006100607630A CN101079799A (en) 2006-05-25 2006-05-25 A dynamic port control device based on hardware acceleration

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2006100607630A CN101079799A (en) 2006-05-25 2006-05-25 A dynamic port control device based on hardware acceleration

Publications (1)

Publication Number Publication Date
CN101079799A true CN101079799A (en) 2007-11-28

Family

ID=38907040

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2006100607630A Pending CN101079799A (en) 2006-05-25 2006-05-25 A dynamic port control device based on hardware acceleration

Country Status (1)

Country Link
CN (1) CN101079799A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102006285A (en) * 2010-11-02 2011-04-06 北京天融信科技有限公司 Message processing method and device for network security equipment
CN102006285B (en) * 2010-11-02 2016-07-06 北京天融信科技股份有限公司 A kind of message processing method for Network Security Device and device
CN103051636A (en) * 2012-12-31 2013-04-17 华为技术有限公司 Method and equipment for transmitting data messages
CN103051636B (en) * 2012-12-31 2017-06-06 华为技术有限公司 The transmission method and equipment of a kind of data message
CN103744722A (en) * 2014-01-10 2014-04-23 上海斐讯数据通信技术有限公司 Method for determining priority of rule
CN108206828A (en) * 2017-12-28 2018-06-26 浙江宇视科技有限公司 A kind of double monitoring method of controlling security and system
CN108206828B (en) * 2017-12-28 2021-03-09 浙江宇视科技有限公司 Dual-monitoring safety control method and system
CN109905387A (en) * 2019-02-20 2019-06-18 网宿科技股份有限公司 A kind of data processing method and device
CN113660276A (en) * 2021-08-18 2021-11-16 宜宾电子科技大学研究院 Remote task scheduling method based on privacy data protection

Similar Documents

Publication Publication Date Title
US7966655B2 (en) Method and apparatus for optimizing a firewall
US7222150B1 (en) Network server card and method for handling requests received via a network interface
JP4317522B2 (en) Network traffic control in a peer-to-peer environment
US6928478B1 (en) Method and apparatus for implementing a MAC address pool for assignment to a virtual interface aggregate
CN102223365B (en) User access method and device based on SSL (Secure Socket Layer) VPN (Virtual Private Network) gateway cluster
US10079894B2 (en) Method and apparatus for dynamic destination address control in a computer network
US20070245417A1 (en) Malicious Attack Detection System and An Associated Method of Use
US20030050974A1 (en) Accelerating responses to requests mabe by users to an internet
CN101079799A (en) A dynamic port control device based on hardware acceleration
CN101009660B (en) Universal method and device for processing the match of the segmented message mode
CN106161335A (en) A kind for the treatment of method and apparatus of network packet
CN102483702A (en) Network traffic processing pipeline for virtual machines in a network device
US20090119745A1 (en) System and method for preventing private information from leaking out through access context analysis in personal mobile terminal
US8566444B1 (en) Methods and system for simultaneous multiple rules checking
KR20080021677A (en) Data processing system
KR101200906B1 (en) High Performance System and Method for Blocking Harmful Sites Access on the basis of Network
CN101325553B (en) Method for ISCSI data to traverse NAT and inner network memory system
US9218356B2 (en) Systems and methods for accelerating networking functionality
US6725218B1 (en) Computerized database system and method
CN1863193B (en) Method for implementing safety tactics of network safety apparatus
CN107135242A (en) Mongodb clusters access method, apparatus and system
WO2023019876A1 (en) Intelligent decision-based data transmission method, apparatus, and device, and storage medium
CN104509059A (en) Use of primary and secondary connection tables
CN101989946B (en) Compression method of communication equipment route forwarding table
KR20020051599A (en) Security Policy System and Method in Distributed Computing Environment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Owner name: SHENZHEN CITY HENGYANG SCIENCE CO., LTD.

Free format text: FORMER OWNER: LI HAO

Effective date: 20080314

C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20080314

Address after: Room 605, Tsinghua information harbor complex, North Zone, Nanshan District science and Technology Park, Guangdong, Shenzhen Province, China: 518057

Applicant after: Semptian Technologies Ltd.

Address before: Room 605, Tsinghua information harbor complex, North Zone, Nanshan District science and Technology Park, Guangdong, Shenzhen Province, China: 518057

Applicant before: Li Hao

C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Open date: 20071128