Summary of the invention
The technical problem addressed by this invention is to provide a method and system for processing data messages, so that a network device can use security level information to process data messages differentially according to their class.
Existing IP messages have no field identifying the security level of the message. When a terminal user or service server receives a message, it therefore cannot tell which data messages are safe and reliable and which are not, and so cannot distinguish between them and process them accordingly. This leaves an untrusted node room to impersonate a trusted node and attack the user or service server, so the security of the network is not fundamentally improved. For this reason the present invention carries the security level in the IPv6 message, resolving the above security risk and fundamentally improving the security of the IP network.
To solve the above technical problem, the invention discloses a method for processing data messages, comprising:
a data message sending end sends a data message whose header contains a field indicating the security class of the data message, where the value of the field is set either by the sending end or by a network device that forwards the data message;
a data message receiving end receives the data message, reads the value of the field, and processes the data message according to the security class indicated by the value read.
Further, in the above method, when the value of the field is set by the sending end, the network device forwarding the data message also judges whether the security class indicated by the value of the field belongs to the permitted security class range, and if so forwards the data message to the receiving end.
If the network device forwarding the data message judges that the security class indicated by the value of the field does not belong to the permitted range, it updates the value of the field and forwards the updated data message to the receiving end, where the security class indicated by the updated value belongs to the permitted range.
Further, in the above method, setting the value of the field by the network device forwarding the data message means: during forwarding, the network device receives the data message and, if it judges that the field indicating the security class in the header of the received data message is invalid, sets the value of the field according to the security class of the received data message.
Here, the receiving end processing the data message according to the security level information indicated by the value read means:
if the receiving end judges that the security class indicated by the value of the field belongs to the permitted security class range, it processes the data message normally; if it judges that the security class does not belong to the permitted range, it discards the data message.
The network device comprises at least a network access server.
When the sending end and the receiving end are located in different networks, the network device comprises at least the first network access server of the first network where the sending end is located, the first border gateway of the first network, the second border gateway of the second network where the receiving end is located, and the access server of the second network;
when the second border gateway receives the data message sent by the first border gateway, it converts the security class of the data message according to the IP (Internet Protocol) of the first network and the second network, and sets the value of the field according to the converted security class.
The invention also discloses a system for processing data messages, comprising a data message sending end, a network device and a data message receiving end, where:
the sending end sends data messages whose header contains a field indicating the security class of the data message;
the network device forwards the data message sent by the sending end to the receiving end;
the receiving end receives the data message, reads the field indicating the security class in its header, and processes the data message according to the security class indicated by the field read.
Further, in the above system, the sending end also sets the value of the field indicating the security class in the header of the data message;
the network device, when forwarding the data message, also judges whether the security class indicated by the value of that field belongs to the permitted security class range; if so it forwards the data message to the receiving end, otherwise it updates the value of the field and forwards the updated data message to the receiving end, where the security class indicated by the updated value belongs to the permitted range.
Further, the network device, during forwarding, also judges whether the field indicating the security class in the header of the received data message is invalid; when the value of the field is invalid, it sets the value according to the security class of the received data message and sends the data message so set to the receiving end.
Further, when the sending end and the receiving end are located in different networks, the network device comprises at least the first network access server of the first network where the sending end is located, the first border gateway of the first network, the second border gateway of the second network where the receiving end is located, and the access server of the second network;
when the second border gateway receives the data message sent by the first border gateway, it also converts the security class of the data message according to the IP (Internet Protocol) of the first network and the second network, and sets the value of the field according to the converted security class.
The receiving end processes the data message normally when it judges that the security class indicated by the value of the field belongs to the permitted security class range, and discards the data message when it judges that the security class does not belong to the permitted range.
The technical solution of the present invention adds security information to the header of the data message, so that the receiving end can process the data message accordingly. This makes it easy for network nodes, servers or terminal users to screen and filter messages by their security information, and improves the ability of the whole network to distinguish and process messages of different security classes.
Embodiment
This embodiment provides a system for processing data messages, comprising at least a data message sending end, a network device and a data message receiving end.
The sending end sends data messages whose header contains a field indicating the security class of the data message;
the network device forwards the data message sent by the sending end to the receiving end;
the receiving end receives the data message, reads the field indicating the security class in its header, and processes the data message according to the security class indicated by the field read;
specifically, the receiving end processes the data message normally when it judges that the security class indicated by the value of the field belongs to the permitted security class range, and discards the data message when it judges that the security class does not belong to the permitted range.
In particular, the value of the field indicating the security class in the header of the data message may be set by the sending end;
in that case the network device, when forwarding the data message, also judges whether the security class indicated by the value of that field belongs to the permitted security class range; if so it forwards the received data message to the receiving end, otherwise it updates the value of the field and forwards the updated data message to the receiving end, where the security class indicated by the updated value belongs to the permitted range.
The value of the field may also be set by the network device: during forwarding, the network device judges whether the field indicating the security class in the header of the received data message is invalid; when the value is invalid (for example because the sending end did not set it), the network device sets the value according to the security class of the received data message and sends the data message so set to the receiving end; when the value is valid, it forwards the data message directly to the receiving end.
In some scenarios, where the sending end and the receiving end are located in different networks, the network device comprises at least the first network access server of the first network where the sending end is located, the first border gateway of the first network, the second border gateway of the second network where the receiving end is located, and the access server of the second network. When the second border gateway receives the data message sent by the first border gateway, it also converts the security class of the data message according to the IP (Internet Protocol) of the first network and the second network, sets the value of the field according to the converted security class, and then forwards the data message through the access server of the second network to the receiving end.
The process by which the above system forwards a data message carrying security class information is illustrated below using the network architecture shown in Fig. 4. The sending end (information sender A) and the receiving end (information receiver B) are located in different networks, referred to below as network one (the network of user A) and network two (the network of user B), which belong to different security domains, assumed to be security domain 1 and security domain 2 respectively. Users A and B access their networks through network access servers C1 and C2 respectively, and the two networks interconnect through interworking gateways D1 and D2. The process, shown in Fig. 5, comprises the following steps:
Step 501: information sender A sends a data message to information receiver B. In this embodiment the header of the data message contains a field indicating the security class of the data message, and the value of this field is set by sender A;
in this step, the value that sender A sets in the header field corresponds to the security class of the data message.
In some scenarios the security class indicated by the value of this field is configured by the system. Specifically, the security class of a data message may be related not only to the security class of the user but also to parameters such as the user type and the data message type; that is, the system configures the security class of each data message taking into account the security class of the user sending it, the user type, the data message type and similar parameters.
Step 502: when network access server C1 of network one, where user A is located, receives the data message sent by A, it checks whether the security class that user A set in the header field is reasonable; if so it forwards the data message directly to border gateway D1, otherwise it modifies the security class of the data message to a reasonable one and forwards the modified data message to border gateway D1;
in this step, checking whether the security class indicated in the header is reasonable means the following: each network configures in advance the range of security classes permitted for the data messages sent by each user, so the security class indicated by the header field of every data message a user sends must lie within that permitted range; if the security class indicated by the field lies within the range it is considered reasonable, otherwise it is considered unreasonable.
Network access server C1 modifying the security class to a reasonable one means that it updates the value of the header field according to information about the data message (such as the security class of the data message configured in advance by the system, which may be related to the security class of the user, the user type, the data message type and so on), and ensures that after the update the security class indicated by the field belongs to the permitted range.
In some embodiments, when network access server C1 finds the security class in the data message unreasonable, it may also discard the data message directly instead of modifying it.
Step 503: border gateway D1 of network one, where user A is located, receives the data message and sends it to border gateway D2 of network two, where user B is located;
Step 504: after border gateway D2 receives the data message, it converts its security class according to the IP (Internet Protocol) and sends the converted data message to network access server C2 of user B;
in this step, because the network of user A and the network of user B are not the same network, the security class definitions of the two networks are not identical, so the security class of the data message must be remapped. For example, a data message that is very safe and trustworthy in network A is not necessarily very safe and trustworthy in network B, so some adjustment of the security class is needed.
In this embodiment, border gateway D2 converting the security level information according to the IP (Internet Protocol) means that the security class of the data message is mapped to the corresponding security class of network two, and the value of the header field is set according to the mapped security class, so that the field now indicates the security class of the data message within network two;
for example, if the header of the data message that border gateway D2 of network two receives from border gateway D1 of network one carries security class 15 (supposing class 15 is the highest security class for data messages in network one), then when D2 converts the security class information according to the IP (Internet Protocol) it may convert security class 15 to class 3 (class 3 being the highest security class for data messages in network two).
Step 505: network access server C2 of user B receives the data message sent by border gateway D2 and judges whether the value of the header field indicating the security class allows the data message to be sent to user B; if so it sends the data message to user B, otherwise it discards the data message directly;
Step 506: user B receives the data message and reads the value of the header field indicating the security class; if the security class indicated by the value read is a security level that user B permits, the data message is passed to the corresponding upper-layer application of user B;
Step 507: the upper-layer application of user B checks whether the data message is one requesting content from user B; if so, the application of user B processes it according to the security class of the data message, otherwise it discards the data message;
in this step, user B decides according to the security class of the data message whether to return all information, including confidential information, to user A, to return limited or filtered information to user A, or to refuse to provide the corresponding information;
Step 508: when network access server C2 of user B receives the corresponding data message returned by user B, it checks whether the security class indicated by the header field lies within the security class range that user B is permitted; if so it sends the data message directly to D2, otherwise it modifies the value of the header field indicating the security class and then sends the data message to D2, where after modification the value of the field indicates a security class that user B is permitted;
Step 509: border gateway D2 of network two receives the data message returned by network access server C2 and sends it to border gateway D1 of network one;
Step 510: after border gateway D1 of network one receives the data message, it converts its security class according to the IP (Internet Protocol) and sends the converted data message to network access server C1 of network one, where user A is located;
in this step, converting the security class of the data message means that border gateway D1 modifies the value of the header field indicating the security class, so that the modified value indicates the security class of the data message within network one.
Step 511: when network access server C1 receives the data message, it judges whether the security class of the data message is allowed to be sent to user A; if so it sends the data message to A, otherwise it discards the data message directly;
Step 512: after user A receives the data message, it checks whether the security class of the data message is one that user A permits; if so the data message is passed to the corresponding application of user A, and the upper-layer application of user A processes it according to the security class, otherwise the data message is discarded;
in this step, checking the security class of the data message means reading the value of the header field indicating the security class and judging whether the security class indicated by the value read is one that user A permits;
when the security class of the data message is one that user A permits, user A decides according to the security class of the data message whether to return all information, including confidential information, to user B, to return limited or filtered information to user B, or to refuse to provide the corresponding information.
In the above flow, if the data message passes through an insecure network, its security class also changes accordingly. For example, if network one and network two are not directly connected but must relay through an insecure network three, the security class of every data message relayed through network three is remapped according to the security classes of network three. In particular, this updating of the security class of the data message is handled mainly by the intermediate nodes (such as the border gateways D).
In addition, each user may be allowed to send data messages of more than one security class; for example, user A may be allowed to send data messages with security classes 0, 1 and 4. That is, each user sending data messages has a corresponding permitted security level set, and the network access server, when checking a data message sent by the user, judges whether the security class carried in the data message is in the security level set permitted for that user.
In some embodiments, where the transmission of data messages between network one and network two passes through network three in encrypted form (for example through a VPN), network three can be considered safe for the data messages because it uses encryption, and the network elements in network three need not check or modify the security class of the data messages they receive: when network three receives a data message sent by network one it passes it through to network two unchanged, and when network two receives the data message forwarded by network three it converts the security class directly according to the IP (Internet Protocol) of the present network (network two) and network one.
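The forward direction of the flow above (steps 501 to 507), together with the variants just described (C1 discarding instead of rewriting, the sender leaving the field unset, a per-user permitted class set, and an encrypted transit network passed through unchanged), as an added simulation written for this page; it is not code from the patent. The node classes, the user names, the permitted sets, the default classes and the class mapping table between network one and network two are constructed assumptions, and the header field is modelled as a plain integer rather than as a specific IPv6 header option.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Packet:
    src: str                     # sending user, e.g. "A"
    dst: str                     # receiving user, e.g. "B"
    sec_class: Optional[int]     # header field; None models an unset (invalid) field
    trace: list = field(default_factory=list)   # nodes that forwarded the packet

class AccessServer:
    """Network access server (C1/C2). 'allowed' maps each local user to the set of
    classes it may send or receive; 'default' maps a user to the class the system
    configured for it, used when the field is unset or outside the permitted set."""
    def __init__(self, name, allowed, default, drop_bad=False):
        self.name, self.allowed, self.default, self.drop_bad = name, allowed, default, drop_bad

    def forward(self, pkt):
        if pkt.src in self.allowed:                       # uplink: from a local user
            if pkt.sec_class is None:                     # unset: the device sets it
                pkt.sec_class = self.default[pkt.src]
            elif pkt.sec_class not in self.allowed[pkt.src]:
                if self.drop_bad:                         # variant: discard instead of fixing
                    return None
                pkt.sec_class = self.default[pkt.src]     # rewrite to a permitted class
        elif pkt.sec_class not in self.allowed[pkt.dst]:  # downlink: may dst receive it?
            return None
        pkt.trace.append(self.name)
        return pkt

class BorderGateway:
    """Border/interworking gateway (D1/D2) or an encrypted transit node. 'remap' is the
    table converting the neighbour network's classes to this network's classes; None
    means the node only passes the packet on (the sending side, or VPN transit)."""
    def __init__(self, name, remap=None):
        self.name, self.remap = name, remap

    def forward(self, pkt):
        if self.remap is not None:
            pkt.sec_class = self.remap[pkt.sec_class]     # table must cover every class
        pkt.trace.append(self.name)
        return pkt

class Receiver:
    """Terminal user: accepts only the classes it permits, otherwise discards."""
    def __init__(self, name, allowed):
        self.name, self.allowed = name, allowed

    def forward(self, pkt):
        if pkt.sec_class not in self.allowed:
            return None
        pkt.trace.append(self.name)
        return pkt

# Constructed topology: network one uses classes 0..15 (15 highest), network two 0..3.
NET1_TO_NET2 = {0: 0, 1: 0, 4: 1, 15: 3}        # 15 in network one becomes 3 in network two
C1 = AccessServer("C1", allowed={"A": {0, 1, 4}}, default={"A": 4})
D1 = BorderGateway("D1")                        # sends out, no remap
D2 = BorderGateway("D2", remap=NET1_TO_NET2)    # remaps on entry to network two
C2 = AccessServer("C2", allowed={"B": {1, 2, 3}}, default={"B": 1})
B = Receiver("B", allowed={1, 2, 3})
PATH = [C1, D1, D2, C2, B]

def run(sec_class, hops=PATH):
    """Send one packet from A to B with the given header value through 'hops'.
    Returns (class delivered to B, trace) or ("dropped at <node>", trace)."""
    pkt = Packet("A", "B", sec_class)
    for node in hops:
        if node.forward(pkt) is None:
            return ("dropped at " + node.name, pkt.trace)
    return (pkt.sec_class, pkt.trace)

if __name__ == "__main__":
    print(run(4))       # (1, ['C1', 'D1', 'D2', 'C2', 'B'])
    print(run(15))      # C1 rewrites 15 -> 4, delivered to B as class 1
    print(run(0))       # legal for A, but class 0 is not permitted for B: dropped at C2
```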
Of course, the present invention may have various other embodiments. Without departing from the spirit and essence of the present invention, those of ordinary skill in the art may make various corresponding changes and modifications according to the present invention, and all such corresponding changes and modifications shall fall within the protection scope of the claims appended to the present invention.