CN101409677A - Access control method and apparatus - Google Patents

Publication number: CN101409677A
Authority: CN (China)
Prior art keywords: message, rule, keyword, field, unit
Legal status: Granted
Application number: CNA2008101815625A
Other languages: Chinese (zh)
Other versions: CN101409677B
Inventor: 肖文清
Current assignee: Fujian Star Net Communication Co Ltd
Original assignee: Fujian Star Net Communication Co Ltd
Application filed by Fujian Star Net Communication Co Ltd
Priority to CN2008101815625A
Publication of CN101409677A
Application granted
Publication of CN101409677B
Legal status: Expired - Fee Related

Abstract

The invention relates to the field of communication security. It addresses two deficiencies of the prior art: the memory used for the access policy table is expensive, and memory is wasted because different policy table entries are needed for different types of packet (termed "messages" in the source text). The invention provides an access control method and apparatus. In the method, a specific field relevant to access control is written into the custom field of a template, and a specific value is written into the custom field of the access policy table rule; the information of packets of different types is extracted according to the template and forms the packet's keyword, the value of the packet's specific field being written into the custom field of the keyword. The keyword is matched against the rule, and a predefined action is executed according to the matching result. The method and apparatus save memory effectively and lower the cost of access control.

Description

Access control method and apparatus
Technical field
The present invention relates to the field of communication technology, in particular to network security, and specifically to an access control method and apparatus.
Background technology
An access policy table entry specifies how packets of a given class are handled, that is, which action is applied to them. A policy entry has three parts: a rule, a mask and an action. Figure 1 is a schematic diagram of the rule and mask of a policy table entry in the prior art.
The rule defines a comparison object or range in advance; every object that needs to be compared is checked against it to see whether it equals or is contained in it. A rule is made up of a limited number of concrete features, such as a media access control (MAC) address or an IP address. Each feature is called a field, and each field consists of several consecutive bytes. Fields in a rule fall into two classes: fixed fields and custom fields. A fixed field can only represent one particular feature; for example, in a rule for the IPv4 protocol, bytes 1 to 6 can only represent the SMAC field (SMAC: source MAC; DMAC: destination MAC; SIP: source IP address; DIP: destination IP address). The content of a custom field is defined by the user, who can use it to represent any field in the packet header: a custom field in a rule may represent the protocol type, or the TCP source port. Because the user defines what a custom field represents, a custom field can also represent the same content as a fixed field; the fixed fields already include SMAC, but the user can equally represent SMAC with a custom field.
What a custom field represents is decided by a template. The template determines which field contents the custom field carries. Each class of packet has its own independent template, so the custom field can represent different contents for different packet classes.
Not every field in a rule takes part in the comparison. In some applications only the MAC address needs to be compared and the IP address is irrelevant; a mask is then used to indicate which fields matter in the comparison. The mask states, for a configured rule, which field contents are cared about and which are not: 1 means care, 0 means don't care. For every smallest unit of a field, that is every bit, it must be defined explicitly whether it is cared about. If only the MAC address field is to be compared and the IP address field ignored, the mask of the MAC address field is set to all ones (care) and the mask of the IP address field to all zeros (don't care). Within a field, the mask can also select only part of the field's content.
The action is what is done with an object that satisfies the configured rule and mask. The action in a policy is the processing applied to the matching packet, such as letting the packet through, dropping it, or modifying some of its content.
For each packet to be compared, the contents of the fields corresponding to the rule are extracted from the packet; the sequence formed from these contents is called the keyword. The keyword is then compared with the rule. When there are several rules, the keyword is compared with them in order, starting from the first. If the keyword does not match a rule it is compared with the next one; if it matches, the packet is processed with the action of that rule and no further rules are compared. In the comparison, where a mask bit is 1 the corresponding bits of the keyword and the rule must be identical for that bit to match; where a mask bit is 0 that bit matches whatever value the keyword has. Only when all bits match do the keyword and the rule match, and the matching packet is then processed with the corresponding action.
Internet Protocol version 4 (IPv4) and the Address Resolution Protocol (ARP) are the two most common kinds of packet in existing networks, and most attack packets are IPv4 or ARP. Setting different actions for different packets through policy entries is therefore an effective way to block attack packets: the action for packets the administrator trusts is set to pass, and the action for other, invalid packets is set to drop. Attack packets are invalid packets and are dropped. For IPv4 packets, whether a packet is trusted is generally identified by SMAC and SIP; for ARP packets, by SMAC and SENDER IP.
For IPv4 packets, suppose we want packets with SIP 192.168.2.10 and SMAC 0000.0000.0002 to pass and all other IP packets to be dropped.
First the rule part: write 0000.0000.0002 in the SMAC field and 192.168.2.10 in the SIP field. DMAC, DIP and the custom field are not needed, so DMAC, DIP and the custom field are filled with 0.
Then the mask part: SMAC and SIP are cared about, so their masks are set to all ones; DMAC, DIP and the custom field are not needed, so their masks are set to all zeros. The action is pass.
To drop all other IP packets, a second entry is indifferent to the SMAC, SIP, DMAC, DIP and custom field of incoming IP packets, so its rule part and its mask part are both all zeros.
When an IPv4 packet arrives, a keyword with the same field contents as the rule is extracted, the custom part being specified by the template. Figure 2 is the keyword of an IPv4 packet in the prior art: SMAC 0000.0000.0002, DMAC 0000.0000.0005, SIP 192.168.2.10, DIP 192.168.5.5. After the SMAC and SIP of the rule are matched against the keyword, the IP packet is found to match, and it is allowed to pass.
For ARP packets, whether a packet is trusted is generally identified by SMAC and sender IP (SENDER IP). The policy control engine of existing switch chips generally provides no fixed field for the SENDER IP of ARP, so a custom field is used to represent SENDER IP. Suppose an ARP packet with SENDER IP 192.168.2.10 and SMAC 0000.0000.0002 is a trusted ARP packet and is to be allowed through, while other ARP packets are invalid and are to be dropped. Figure 3 is a schematic diagram of policy control for ARP packets in the prior art.
When an ARP packet with SMAC 0000.0000.0002, DMAC 0000.0000.0008 and SENDER IP 192.168.2.10 is received, its keyword is extracted as shown in Figure 4 (the keyword extracted from an ARP packet in the prior art).
This keyword is compared with the rules above; it matches the first rule, so the first rule's action is applied and the packet is allowed through.
When a trusted user is connected to a port of the switch, both the user's IPv4 packets and the user's ARP packets are trusted. The user's IPv4 packets have a source IP equal to the IP address allocated to the user and a source MAC equal to the user's MAC address. The user's ARP packets have a SENDER IP equal to the allocated IP address and a source MAC equal to the user's MAC address. With the ARP CHECK function enabled, the switch must therefore generate one policy entry for the user's IPv4 packets (called the IPv4 entry) and one policy entry for the user's ARP packets (the ARP CHECK entry).
However, in switch chips the policy entries usually have to be stored in relatively expensive ternary content addressable memory (TCAM), so the policy table size of existing switch chips in the industry is limited. The prior art described above easily wastes policy entries and is relatively costly. In particular, with ARP-CHECK enabled, adding one trusted user requires two entries: one to match the user's IPv4 packets (the IPv4 entry) and one to match the user's ARP packets (the ARP-CHECK entry). The number of users that can be configured is thus at most half the number of policy entries, which limits the maximum number of trusted users.
Incorporated herein by reference.
Summary of the invention
The object of the present invention is to provide an access control method that overcomes the prior-art deficiency of needing different access policy entries for different types of packet, by letting different protocol types use the same access policy entry through the custom field.
A further object is to provide an access control apparatus that implements the method without large changes to conventional network equipment and at low implementation cost.
To solve the above problems, an embodiment of the invention provides an access control method comprising: writing the specific field relevant to access control into the custom field of the template, and writing a specific value into the custom field of the access policy table rule; extracting the information of packets of different types according to the template and forming the packet's keyword, the value of the packet's specific field being written into the custom field of the keyword; matching the keyword against the rule; and performing a predefined action according to the matching result.
In a further aspect of the access control method of the embodiment, in the step of extracting the information of packets of different types according to the template, the different types of packet include IPv4 packets and ARP packets.
In another aspect, in the step of writing the specific field relevant to access control into the custom field of the template, for the template of ARP packets the sender IP address field is written into the custom field, and for the template of IPv4 packets the source IP address field is written into the custom field.
In another aspect, in the step of writing a specific value into the custom field of the access policy table rule, the IP address permitted to access is written into the custom field of the rule.
In another aspect, in the step of writing the value of the packet's specific field into the custom field of the keyword, for an ARP packet the sender IP address is written into the custom field of the keyword, and for an IPv4 packet the source IP address is written into the custom field of the keyword.
In another aspect, in the step of matching the keyword against the rule, the matching comprises matching the value in the custom field of the keyword against the value in the custom field of the rule.
In another aspect, if the keyword matches the rule, performing the predefined action means allowing the packet to access.
In another aspect, if the keyword does not match the rule, the keyword is matched against the other rules, and if it matches one of them the action corresponding to that rule is performed.
To solve the above problems, an embodiment of the invention also provides an access control apparatus comprising a template modification unit, a template unit, an extraction unit, an access policy modification unit, an access policy table unit, a matching unit and an action unit.
The template modification unit writes the specific field relevant to access control into the custom field of the template unit; the access policy modification unit writes the specific value into the custom field of the rule in the access policy table unit; the extraction unit extracts the information of packets of different types according to the template in the template unit and forms the packet's keyword, writing the value of the packet's specific field into the custom field of the keyword; the matching unit matches the keyword output by the extraction unit against the rules in the access policy table unit and sends the matching result to the action unit for processing.
In a further aspect of the access control apparatus of the embodiment, the different types of packet include IPv4 packets and ARP packets.
The beneficial effect of the embodiment is that it solves the prior-art problem that, with ARP-CHECK enabled, an IPv4 entry and an ARP-CHECK entry are generated at the same time and consume too many policy entries. By adjusting the field settings in the entry and defining the templates differently, one shared entry controls both IPv4 packets and ARP packets, which greatly saves entries and improves entry utilization by nearly a factor of two. With ARP-CHECK disabled, a very small change lets the entry control only IP packets, so the memory is saved effectively and the cost of access control is reduced.
Description of drawings
The drawings described here provide further understanding of the invention and form part of the application; they do not limit the invention. In the drawings:
Figure 1 is a schematic diagram of the rule and mask of a policy table entry in the prior art;
Figure 2 is a schematic diagram of the keyword for an IPv4 packet in the prior art;
Figure 3 is a schematic diagram of policy control for ARP packets in the prior art;
Figure 4 is a schematic diagram of the keyword extracted from an ARP packet in the prior art;
Figure 5 is a flow chart of the first embodiment of the access control method of the invention;
Figure 6 is a schematic diagram of the template and mask in the second embodiment of the access control method;
Figure 7 is a schematic diagram of the keyword extracted from an IPv4 packet in the second embodiment;
Figure 8 is a schematic diagram of the keyword extracted from an ARP packet in the second embodiment;
Figure 9 is a schematic diagram of the rule and mask in the third embodiment of the access control method;
Figure 10 is a schematic diagram of the keyword for an IPv4 packet in the third embodiment;
Figure 11 is a schematic diagram of the keyword for an ARP packet in the third embodiment;
Figure 12 is a schematic diagram of the structure of the access control apparatus of the embodiment.
Embodiment
To make the purpose, technical solution and advantages of the invention clearer, the invention is described in further detail below with reference to the embodiments and drawings. The exemplary embodiments and their explanations serve to explain the invention and do not limit it.
The embodiment of the invention provides an access control method and apparatus, described in detail below with reference to the drawings.
Figure 5 is the flow chart of the first embodiment of the access control method.
Step 501: modify the rule, template and mask on the access control device in the network. Add to the custom field of the template the specific field relevant to access control, and add to the rule, in the field corresponding to the custom field of the template, the specific value to be controlled.
The specific field is information about the accessing party that the network device needs in order to perform access control, for example the SIP address or the SMAC address of the accessing packet.
The specific value added to the rule means that an accessing party whose field equals this value is subject to a certain action.
Modifying the mask means setting it, in the prior-art manner, so that the fields relevant to access control are marked as cared about.
Step 502: when a packet arrives, the network device extracts the keyword of the accessing packet of each protocol type according to the template.
Because the keyword is extracted according to the template above, its custom field holds the value of the corresponding specific field, for example the value of the SIP field or the value of the Sender IP field.
Step 503: match the keyword against the rule. If the fields cared about by the mask match, go to step 504; otherwise go to step 505.
Step 504: perform the action corresponding to the rule.
Step 505: perform the default action.
Taking IPv4 and ARP packets as the example, Figure 6 shows the template and mask of the second embodiment of the access control method, Figure 7 the keyword extracted from an IPv4 packet, and Figure 8 the keyword extracted from an ARP packet.
The custom field of the template is written with the IP field: the SIP of Figure 7 or the Sender IP of Figure 8. The mask cares only about the SMAC field, the packet type field and the IP content of the custom field. If the SMAC address, packet type and IP field of an accessing packet equal those defined in the rule, the corresponding action is performed, which may be to let the packet matching the rule through or to refuse it.
For the packet type field, since IPv4 and ARP are both to be matched, the packet type in the rule is set to 0x0800 and its mask to 0xFFF9. With this setting, packets whose type value is 0x0800 (IP packet), 0x0802 (currently unused), 0x0804 (currently unused) or 0x0806 (ARP packet) are all matched.
Because this setting also covers Ethernet type values 0x0802 and 0x0804, a packet of those types whose SMAC field equals the configured rule and whose bytes at the Sender IP position equal the configured value would also match. An implementation should therefore provide an interface through which network management can configure an access control list (ACL) so that these two packet types first match a higher-priority policy rule and are not affected by this policy rule.
The templates for IPv4 packets and ARP packets are set at the same time. For IPv4 packets, the template is set to obtain the SIP field, which is bytes 12 to 15 from the start of the IP header; these four bytes form the SIP field. When the keyword is extracted, the data of this SIP field is written into the IP field shown in Figure 7.
For ARP packets, the template is set to obtain the Sender IP field, which is bytes 14 to 17 from the start of the ARP header; these four bytes form the Sender IP field. When the keyword is extracted, the data of this Sender IP field is written into the IP field shown in Figure 8.
When an IPv4 packet arrives, its keyword is extracted according to the template and matched against the rule. Besides the SMAC address and the IP packet type required for access control of IPv4 packets, the IP field of the keyword is matched against the IP field of the rule; in the keyword this field is the SIP address, and in the rule it is likewise a SIP address. If all these field contents match, the action in the access control policy is performed, allowing or refusing access.
When an ARP packet arrives, its keyword is extracted according to the template and matched against the rule. Besides the SMAC address and the ARP packet type required for access control of ARP packets, the IP field of the keyword is matched against the IP field of the rule; in the keyword this field is the Sender IP address, and in the rule it is likewise a Sender IP address. If all these field contents match, the action in the access control policy is performed, allowing or refusing access.
If ARP-CHECK is not enabled, only the packet type needs to be changed so that the entry matches IPv4 packets alone. The rule and its mask can be set as follows (the other rule and mask settings for the SMAC address and SIP address need not change): rule 0x0800, mask 0xFFFF. Switching between enabling and disabling ARP-CHECK is therefore easy.
With the solution of the invention, when ARP-CHECK is enabled one entry matches both IPv4 packets and ARP packets and controls both, saving half of the entries; the number of trusted users the administrator can configure is doubled. When ARP-CHECK is disabled, a very small change makes the entry match only IPv4 packets.
Figure 9 shows the rule and mask of the third embodiment of the access control method, Figure 10 the keyword for an IPv4 packet in the third embodiment, and Figure 11 the keyword for an ARP packet in the third embodiment.
The network device modifies the templates in the access policy: the custom field of the IPv4 packet template is set to bytes 12 to 15 of the IP packet, and the custom field of the ARP template is set to bytes 14 to 17 of the ARP packet.
Rule 1 in Figure 9 has SMAC address 0000.0000.0002, protocol type 0800 (an IP packet) and custom field value 192.168.2.10 (that is, SIP address 192.168.2.10). In the corresponding mask 1, the mask of the SMAC field is FFFF.FFFF.FFFF, the mask of the protocol type field is FFF9 (so protocol types 0800, 0802, 0804 and 0806 all match the rule), and the mask of the custom field is 255.255.255.255. Thus only an accessing packet whose SMAC address is 0000.0000.0002, whose protocol type is 0800, 0802, 0804 or 0806, and whose custom field (SIP address) is 192.168.2.10 matches; the predetermined action is then performed, in this example allowing access.
Rule 2 in Figure 9 has SMAC address 0000.0000.0000, protocol type 0800 (an IP packet) and custom field value 0.0.0.0 (that is, SIP address 0.0.0.0). In the corresponding mask 2, the mask of the SMAC field is 0000.0000.0000 and the mask of the protocol type field is FFF9 (protocol types 0800, 0802, 0804 and 0806 all match), meaning that any SMAC value together with protocol type 0800, 0802, 0804 or 0806 matches rule 2; the mask of the custom field is 0.0.0.0, meaning that any custom field value matches rule 2. When an accessing packet matches rule 2 with mask 2, the predetermined action is performed, in this example refusing access.
If an accessing packet has been matched against all access policy entries (all rules and their corresponding masks) and matched none of them, it is ordinarily allowed to access.
When the accessing packet is an IPv4 packet with SMAC 0000.0000.0002, DMAC 0000.0000.0005, SIP 192.168.2.10 and DIP 192.168.5.5, the extracted keyword is as shown in Figure 10.
When the accessing packet is an ARP packet with SMAC 0000.0000.0002, DMAC 0000.0000.0008 and SENDER IP 192.168.2.10, the extracted keyword is as shown in Figure 11.
After a packet enters the network device, a switch for example, the device extracts data from the accessing packet according to the template to form the keyword and matches it against the rules of Figure 9. If it matches rule 1 the corresponding action is performed, in this example letting the data packet through the switch; if it does not match rule 1 it is matched against rule 2, and in this example every packet that fails to match rule 1 matches rule 2. That is, an IPv4 packet whose (SMAC, SIP) is not (0000.0000.0002, 192.168.2.10) fails rule 1 and matches rule 2, and an ARP packet whose (SMAC, SENDER IP) is not (0000.0000.0002, 192.168.2.10) likewise fails rule 1 and matches rule 2.
When ARP-CHECK is disabled, the mask of the Ethernet type field is simply set to the value corresponding to IPv4 alone, FFFF in this example; the ARP packets above then fail to match in the Ethernet type field and so match no rule at all.
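The following is an added example, not code from the patent or from the assignee: a software model of the ternary policy table (rule, mask, action) and of the per-type templates that fill the custom field, reproducing the two entries of Figure 9 and the sample packets of Figures 10 and 11. It also shows the two caveats the description raises: which Ethernet type values the 0x0800/0xFFF9 pair actually admits, and what happens to ARP packets once the type mask is changed to 0xFFFF with ARP-CHECK disabled. The function and constant names, the minimal IPv4 and ARP headers, and every sample frame are constructed here; the template offsets (IP header bytes 12 to 15, ARP header bytes 14 to 17) are the ones the patent gives, assuming an untagged Ethernet frame.

```python
"""Software model of the shared IPv4/ARP policy entry (added example, not the
patent's own code). Sample frames and names are constructed for illustration."""
import struct

IPV4, ARP = 0x0800, 0x0806          # Ethernet type values named in the patent
PERMIT, DENY = "permit", "deny"


def mac(text):
    """'0000.0000.0002' -> 48-bit integer."""
    return int(text.replace(".", ""), 16)


def ip(text):
    """'192.168.2.10' -> 32-bit integer."""
    return int.from_bytes(bytes(int(o) for o in text.split(".")), "big")


# Template per packet type: byte range of the payload (after the 14-byte
# Ethernet header) that is copied into the custom field of the key.
# IPv4: source IP at IP-header bytes 12..15; ARP: sender IP at ARP bytes 14..17.
TEMPLATES = {IPV4: (12, 16), ARP: (14, 18)}


def extract_key(frame):
    """Build the key (SMAC, packet type, custom field) from an Ethernet frame."""
    smac = int.from_bytes(frame[6:12], "big")
    etype = struct.unpack("!H", frame[12:14])[0]
    custom = 0                       # assumption: no template -> empty custom field
    if etype in TEMPLATES:
        start, end = TEMPLATES[etype]
        custom = int.from_bytes(frame[14 + start:14 + end], "big")
    return (smac, etype, custom)


class Rule:
    """One policy entry: field values, per-field masks (1 = care) and an action."""
    def __init__(self, values, masks, action):
        self.values, self.masks, self.action = values, masks, action

    def matches(self, key):
        # A field matches when every cared-about bit is identical.
        return all((k & m) == (v & m)
                   for k, v, m in zip(key, self.values, self.masks))


def lookup(key, rules, default=PERMIT):
    """First-match search; a packet matching no rule is allowed, as the patent states."""
    for rule in rules:
        if rule.matches(key):
            return rule.action
    return default


def classify(frame, rules):
    return lookup(extract_key(frame), rules)


def ethertypes_covered(value, mask):
    """All 16-bit type values admitted by a (value, mask) pair."""
    return [t for t in range(0x10000) if (t & mask) == (value & mask)]


def arp_check_off(rules):
    """Disabling ARP-CHECK: only the packet-type mask changes, to 0xFFFF."""
    return [Rule(r.values, (r.masks[0], 0xFFFF, r.masks[2]), r.action) for r in rules]


# The two entries of Figure 9 with ARP-CHECK enabled.
RULES = [
    Rule((mac("0000.0000.0002"), IPV4, ip("192.168.2.10")),
         (0xFFFFFFFFFFFF, 0xFFF9, 0xFFFFFFFF), PERMIT),      # rule 1 / mask 1
    Rule((0, IPV4, 0), (0, 0xFFF9, 0), DENY),               # rule 2 / mask 2
]


# Constructed sample frames: minimal headers, just enough for the template offsets.
def ethernet(dmac, smac, etype, payload):
    return dmac.to_bytes(6, "big") + smac.to_bytes(6, "big") + struct.pack("!H", etype) + payload


def ipv4_frame(smac, dmac, sip, dip):
    hdr = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 17, 0, 0])   # 12 bytes precede SIP
    return ethernet(dmac, smac, IPV4, hdr + sip.to_bytes(4, "big") + dip.to_bytes(4, "big"))


def arp_frame(smac, dmac, sender_ip):
    hdr = struct.pack("!HHBBH", 1, IPV4, 6, 4, 1)            # htype, ptype, hlen, plen, request
    return ethernet(dmac, smac, ARP, hdr + smac.to_bytes(6, "big") + sender_ip.to_bytes(4, "big"))


TRUSTED_IP = ipv4_frame(mac("0000.0000.0002"), mac("0000.0000.0005"),
                        ip("192.168.2.10"), ip("192.168.5.5"))                      # Figure 10
TRUSTED_ARP = arp_frame(mac("0000.0000.0002"), mac("0000.0000.0008"), ip("192.168.2.10"))  # Figure 11
MISMATCHED_ARP = arp_frame(mac("0000.0000.0002"), mac("0000.0000.0008"), ip("192.168.2.99"))
OTHER_IP = ipv4_frame(mac("0000.0000.0003"), mac("0000.0000.0005"),
                      ip("192.168.2.10"), ip("192.168.5.5"))

if __name__ == "__main__":
    for name, frame in [("trusted IPv4", TRUSTED_IP), ("trusted ARP", TRUSTED_ARP),
                        ("ARP, wrong sender IP", MISMATCHED_ARP), ("IPv4, other MAC", OTHER_IP)]:
        print(f"{name:22s} key={extract_key(frame)} -> {classify(frame, RULES)}")
    print("types admitted by 0x0800/0xFFF9:", [hex(t) for t in ethertypes_covered(IPV4, 0xFFF9)])
    print("trusted ARP with ARP-CHECK off ->", classify(TRUSTED_ARP, arp_check_off(RULES)))
```

Running the module shows the trusted IPv4 and ARP frames both landing on rule 1 (permit) while the ARP frame with a different sender IP and the IPv4 frame from a different MAC fall through to rule 2 (deny), all from a single entry. `ethertypes_covered(IPV4, 0xFFF9)` returns exactly 0x0800, 0x0802, 0x0804 and 0x0806, which is the reason the description asks for a higher-priority ACL entry for the two unused types. After `arp_check_off`, the trusted ARP frame matches neither rule and receives the default, as the description says; a frame of an unrelated type such as 0x86DD also receives the default under either mask, so the deny entry only ever covers the admitted types.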
Solved the network equipment such as switch and opened under the ARP-CHECK situation, the access strategy table need generate an IPv4 list item and an ARP-CHECK list item simultaneously, consumes the problem of too much tactful list item.Setting by adjusting field in the list item and to the different definition of template reaches and shares a list item and just can control IPv4 message and ARP message, thereby the use of greatly having saved list item has improved nearly one times with the utilance of list item.And do not opening under the ARP-CHECK situation, as long as do very little variation, just can only control the IP message.
Fig. 12 is a schematic structural diagram of an access control apparatus according to an embodiment of the invention.
It comprises a template modification unit 1201, a template unit 1202, an extraction unit 1203, an access policy modification unit 1204, an access policy table unit 1205, a matching unit 1206 and a behavior unit 1207.
The template modification unit 1201 is connected to the template unit 1202, the template unit 1202 is connected to the extraction unit 1203, the extraction unit 1203 is connected to the matching unit 1206, the access policy modification unit 1204 is connected to the access policy table unit 1205, the access policy table unit 1205 is connected to the matching unit 1206, and the matching unit 1206 is connected to the behavior unit 1207.
The access policy table unit 1205 generally uses TCAM as its memory, so its cost is very high. In the embodiment of the invention, the template modification unit 1201 modifies the template unit 1202, changing the custom field of a template in the template unit 1202 to a specific field: for example, for IPv4-type messages the custom field of the corresponding template is changed to SIP, and for ARP-type messages the custom field of the corresponding template is changed to Sender IP.
The extraction unit 1203 extracts data from a message according to the template for that protocol type in the template unit 1202 and forms the corresponding keyword.
The access policy modification unit 1204 is used to modify the rules and masks of the access policy table unit 1205. After a rule is modified, it controls whether messages carrying a particular value may access, or are refused access to, the network device (for example a switch) where the access control apparatus is located; modifying the mask controls the validity of the rule.
The matching unit 1206 matches the message keyword extracted by the extraction unit 1203 against the rules and masks of the access policy table unit 1205 and sends the matching result to the behavior unit 1207.
The behavior unit 1207 processes the message according to a predetermined behavior based on the matching result (success or failure), for example allowing it to access the switch or refusing it access.
The beneficial effects of the invention are that the memory space of the network device's access policy table is saved, the cost of that table is reduced, only a very small change is needed to apply the method on existing network devices, the implementation cost is low, and access can be effectively controlled.
The above embodiments further describe the purpose, technical solution and beneficial effects of the invention. It should be understood that the above are only specific embodiments of the invention and are not intended to limit its scope; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall be included within its scope of protection.

Claims (10)

1. An access control method, characterized in that the method comprises: writing a specific field relevant to access control into the custom field of the template, and writing a particular value into the custom field of an access policy table rule; extracting information from different types of messages according to the template and forming the keyword of the message, writing the value of the message's specific field into the custom field of the keyword; matching the keyword against the rule; and executing a predefined behavior operation according to the matching result.
2. The access control method according to claim 1, characterized in that, in the step of extracting information from different types of messages according to the template, the different types of messages comprise IPv4 messages and Address Resolution Protocol messages.
3. The access control method according to claim 2, characterized in that, in the step of writing a specific field relevant to access control into the custom field of the template, for the template of an Address Resolution Protocol message the sender IP address field information is written into the custom field, and for the template of an IPv4 message the source IP address field information is written into the custom field.
4. The access control method according to claim 3, characterized in that, in the step of writing a particular value into the custom field of an access policy table rule, the IP address information permitted to access is written into the custom field of the rule.
5. The access control method according to claim 4, characterized in that, in the step of writing the value of the message's specific field into the custom field of the keyword, for an Address Resolution Protocol message the sender IP address information is written into the custom field of the keyword, and for an IPv4 message the source IP address information is written into the custom field of the keyword.
6. The access control method according to claim 5, characterized in that, in the step of matching the keyword against the rule, the matching comprises matching the value in the custom field of the keyword with the value in the custom field of the rule.
7. The access control method according to claim 5, characterized in that, if the keyword matches the rule successfully, executing the predefined behavior operation means allowing the message to access.
8. The access control method according to claim 5, characterized in that, if the keyword does not match the rule, the keyword is matched against other rules, and if a match succeeds, the behavior operation corresponding to that other rule is executed.
9. An access control apparatus, characterized in that the apparatus comprises a template modification unit, a template unit, an extraction unit, an access policy modification unit, an access policy table unit, a matching unit and a behavior unit;
the template modification unit writes a specific field relevant to access control into the custom field of the template unit; the access policy modification unit writes a particular value into the custom field of a rule of the access policy table unit; the extraction unit extracts information from different types of messages according to the template in the template unit and forms the keyword of the message, writing the value of the message's specific field into the custom field of the keyword; the matching unit matches the keyword output by the extraction unit against the rules in the access policy table unit and sends the matching result to the behavior unit for processing.
10. The access control apparatus according to claim 9, characterized in that the different types of messages comprise IPv4 messages and Address Resolution Protocol messages.
CN2008101815625A 2008-11-27 2008-11-27 Access control method and apparatus Expired - Fee Related CN101409677B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008101815625A CN101409677B (en) 2008-11-27 2008-11-27 Access control method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2008101815625A CN101409677B (en) 2008-11-27 2008-11-27 Access control method and apparatus

Publications (2)

Publication Number Publication Date
CN101409677A true CN101409677A (en) 2009-04-15
CN101409677B CN101409677B (en) 2010-12-08

Family

ID=40572471

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008101815625A Expired - Fee Related CN101409677B (en) 2008-11-27 2008-11-27 Access control method and apparatus

Country Status (1)

Country Link
CN (1) CN101409677B (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20101208

Termination date: 20141127

EXPY Termination of patent right or utility model