CN102347932B - A kind of processing method of data message and system - Google Patents


Info

Publication number
CN102347932B
Authority
CN
China
Prior art keywords
data message
safe class
field
network
value
Prior art date
Legal status
Active
Application number
CN201010240679.3A
Other languages
Chinese (zh)
Other versions
CN102347932A (en
Inventor
张世伟
符涛
王晓明
Current Assignee
Kunshan Hongjia Solder Manufacturing Co ltd
Original Assignee
ZTE Corp
Priority date
Filing date
Publication date
Application filed by ZTE Corp
Priority to CN201010240679.3A
Priority to PCT/CN2010/080258 (WO2012013003A1)
Publication of CN102347932A
Application granted
Publication of CN102347932B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105: Multiple levels of security
    • H04L63/16: Implementing security features at a particular protocol layer
    • H04L63/166: Implementing security features at a particular protocol layer at the transport layer

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses a method and system for processing data packets in the field of data communication. In the method, the sending terminal sends a data packet whose header contains a field indicating the packet's security level; the value of that field is set either by the sending terminal or by a network device that forwards the packet. The receiving terminal receives the packet, reads the value of the field, and processes the packet according to the security level the value indicates. The technical solution improves the ability of the whole network to distinguish and process packets of different security levels.

Description

Processing method and system for data packets
Technical field
The present invention relates to the field of data communication, and in particular to a method by which access devices and border gateways process data packets of different security levels.
Background technology
The existing Internet is built on IP technology. The openness of IP networks has driven the Internet's growth but has also brought a large number of security problems: the nodes of the Internet are managed by many organizations in many countries, and some nodes are trustworthy while others are not. A user in the network may receive data packets from trusted nodes and also from untrusted nodes.
At the same time, an IP network is shared by multiple services: it may carry packets of services with high security requirements as well as packets of services with low security requirements. Because of service requirements, intermediate network nodes in many cases cannot simply discard packets they find insufficiently secure, since doing so would interrupt the service and degrade the user's experience.
Current IP networks provide no corresponding processing for packets of different security levels; packets of different security levels are simply transmitted mixed together. The final destination node therefore cannot tell whether a packet originated in a secure or an insecure network, cannot apply differentiated handling by security level, and the security of the Internet cannot be fundamentally improved.
Summary of the invention
The technical problem solved by the invention is to provide a method and system for processing data packets so that network devices can use security level information to classify and process packets.
Existing IP packets have no field that identifies the packet's security level, so an end user or service server receiving packets cannot tell which packets are secure and reliable and which are not, and cannot treat them differently. This leaves room for an untrusted node to impersonate a trusted node and attack users or service servers, so the security of the network cannot be fundamentally improved. For this reason the invention carries a security level in the IPv6 packet to resolve this hidden danger and fundamentally improve the security of IP networks.
To solve the above technical problem, the invention discloses a method for processing data packets, comprising:
The sending terminal sends a data packet whose header contains a field indicating the packet's security level, where the value of the field is set by the sending terminal or by a network device forwarding the packet;
The receiving terminal receives the packet, reads the value of the field, and processes the packet according to the security level the value indicates.
Further, in the above method, when the value of the field is set by the sending terminal, the network device forwarding the packet also judges whether the security level indicated by the value of the field lies within the permitted range of security levels and, if so, forwards the packet to the receiving terminal.
If the network device forwarding the packet judges that the security level indicated by the value of the field does not lie within the permitted range, it updates the value of the field and forwards the updated packet to the receiving terminal; the security level indicated by the updated field lies within the permitted range.
Further, in the above method, setting the value of the field by the network device forwarding the packet means: during transmission, the network device receives the packet and, if it judges that the security level field in the header of the received packet is invalid, sets the value of the field according to the security level of the received packet.
The receiving terminal's processing of the packet according to the security level information it reads means:
If the receiving terminal judges that the security level indicated by the value read from the field lies within the permitted range, it processes the packet normally; if it judges that the security level does not lie within the permitted range, it discards the packet.
The network device comprises at least a network access server.
When the sending terminal and the receiving terminal are located in different networks, the network devices comprise at least the network access server of the first network, where the sending terminal is located, the first border gateway of the first network, the second border gateway of the second network, where the receiving terminal is located, and the access server of the second network;
When the second border gateway receives a packet sent by the first border gateway, it converts the packet's security level according to the interconnection protocol between the first and second networks and sets the value of the field according to the converted security level.
The invention also discloses a system for processing data packets, comprising a sending terminal, network devices and a receiving terminal, wherein:
the sending terminal sends data packets whose headers contain a field indicating the packet's security level;
the network devices forward the packets sent by the sending terminal to the receiving terminal;
the receiving terminal receives the packets, reads the security level field in the packet header, and processes each packet according to the security level indicated by the field.
Further, in the above system, the sending terminal also sets the value of the security level field in the packet header;
the network device, when forwarding the packet, also judges whether the security level indicated by the value of the field lies within the permitted range and, if so, forwards the packet to the receiving terminal; otherwise it updates the value of the field and forwards the updated packet to the receiving terminal, the updated field indicating a security level within the permitted range.
Further, during transmission the network device also judges whether the security level field in the header of the received packet is invalid and, when it is, sets the value of the field according to the security level of the received packet and sends the packet on to the receiving terminal.
Further, when the sending terminal and the receiving terminal are located in different networks, the network devices comprise at least the network access server of the first network, where the sending terminal is located, the first border gateway of the first network, the second border gateway of the second network, where the receiving terminal is located, and the access server of the second network;
when the second border gateway receives a packet sent by the first border gateway, it also converts the packet's security level according to the interconnection protocol between the first and second networks and sets the value of the field according to the converted security level.
The receiving terminal, when it judges that the security level indicated by the value of the field lies within the permitted range, processes the packet normally; when it judges that the security level does not lie within the permitted range, it discards the packet.
The technical solution adds security information to the packet header so that the receiving terminal can process each packet accordingly. This makes it easier for network nodes, servers and end users to screen and filter packets by their security information, and improves the whole network's ability to distinguish and process packets of different security levels.
Brief description of the drawings
Fig. 1 is a schematic of the packet header of existing RFC 1883 (IPv6, first edition);
Fig. 2 is a schematic of the packet header of existing RFC 2460 (IPv6, second edition);
Fig. 3 is a schematic of the IP packet header provided by the present invention;
Fig. 4 is the network architecture for transmitting IP packets in this embodiment;
Fig. 5 is the flow chart for transmitting IP packets in this embodiment.
Embodiment
The technical solution of the invention is described in further detail below with reference to the drawings and specific embodiments.
At present there are two versions of the IPv6 header: RFC 1883 (IPv6, first edition) and RFC 2460 (IPv6, second edition). The two headers differ mainly in the QoS traffic-management part of the first 32 bits: in RFC 1883, QoS management consists of a 4-bit priority field and a 24-bit flow label field, as shown in Fig. 1; in RFC 2460, the priority and flow label are replaced by an 8-bit traffic class and a 20-bit flow label field, as shown in Fig. 2.
The invention adds to the IPv6 header a field that indicates the packet's security level. Specifically, 4 bits are taken from the traffic class and flow label space of the IPv6 packet and used to carry security level information, so that, for example, there can be 16 security levels, 0 to 15. The remaining 24 bits are still used by the traffic class and flow label; the other fields and meanings of the IP header are unchanged, the meaning of these two labels is unchanged, and only their numeric ranges are compressed, as shown in Fig. 3. That is, the traffic class and flow label of the original IPv6 header are reduced by 4 bits and a 4-bit security level field (hereinafter the SL field) is added to indicate the packet's security level. After this modification the header still keeps its 32-bit boundaries, so the speed at which routers process it in hardware is not affected.
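As an added example (not code from the patent), the following Python packs and parses the first 32-bit word of the modified IPv6 header described above. The patent does not fix how the remaining 24 bits are split between traffic class and flow label, so the 8-bit traffic class / 16-bit flow label layout is an assumption; the block also shows what an unmodified RFC 2460 parser reads from the same bytes.

```python
# Added example (not from the patent): pack and parse the first 32-bit word
# of the modified IPv6 header.  Assumed layout (the patent leaves the split
# of the remaining 24 bits open):
#   version(4) | SL(4) | traffic class(8) | flow label(16)
import struct

VERSION = 6
SL_MAX = 15  # 4-bit field: security levels 0..15


def pack_word0(sl: int, traffic_class: int, flow_label: int) -> bytes:
    """Build the first 4 header bytes with the 4-bit SL field inserted."""
    if not 0 <= sl <= SL_MAX:
        raise ValueError("SL must fit in 4 bits")
    if not 0 <= traffic_class <= 0xFF:
        raise ValueError("traffic class must fit in 8 bits")
    if not 0 <= flow_label <= 0xFFFF:
        raise ValueError("flow label must fit in 16 bits (assumed layout)")
    word = (VERSION << 28) | (sl << 24) | (traffic_class << 16) | flow_label
    return struct.pack("!I", word)


def unpack_word0(hdr: bytes) -> dict:
    """Parse the first 4 bytes with the SL-aware layout."""
    (word,) = struct.unpack("!I", hdr[:4])
    return {
        "version": word >> 28,
        "sl": (word >> 24) & 0xF,
        "traffic_class": (word >> 16) & 0xFF,
        "flow_label": word & 0xFFFF,
    }


def unpack_word0_rfc2460(hdr: bytes) -> dict:
    """Parse the same bytes the way an unmodified RFC 2460 node would:
    version(4) | traffic class(8) | flow label(20).  A legacy router sees
    the SL nibble as the high 4 bits of the traffic class, which is the
    interoperability caveat of compressing these fields."""
    (word,) = struct.unpack("!I", hdr[:4])
    return {
        "version": word >> 28,
        "traffic_class": (word >> 20) & 0xFF,
        "flow_label": word & 0xFFFFF,
    }


def set_sl(hdr: bytes, sl: int) -> bytes:
    """Rewrite only the SL nibble, as an access server or border gateway
    does when it updates the field; all other bits are left unchanged."""
    f = unpack_word0(hdr)
    return pack_word0(sl, f["traffic_class"], f["flow_label"]) + hdr[4:]


if __name__ == "__main__":
    h = pack_word0(sl=15, traffic_class=0x2E, flow_label=0xBEEF)
    print(h.hex())                      # 6f2ebeef
    print(unpack_word0(h))
    print(unpack_word0_rfc2460(h))      # traffic_class 0xF2: SL bits bleed in
    print(unpack_word0(set_sl(h, 3)))   # sl becomes 3, other fields unchanged
```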
Embodiment
This embodiment provides a system for processing data packets, comprising at least a sending terminal, network devices and a receiving terminal.
The sending terminal sends data packets whose headers contain a field indicating the packet's security level;
The network devices forward the packets sent by the sending terminal to the receiving terminal;
The receiving terminal receives packets, reads the security level field in the packet header, and processes each packet according to the security level indicated by the field;
When the receiving terminal judges that the security level indicated by the value of the field lies within the permitted range, it processes the packet normally; when it judges that the security level does not lie within the permitted range, it discards the packet.
Specifically, the value of the security level field in the packet header may be set by the sending terminal;
In that case the network device, when forwarding the packet, also judges whether the security level indicated by the value of the field lies within the permitted range; if so, it forwards the received packet to the receiving terminal; otherwise it updates the value of the field and forwards the updated packet to the receiving terminal, the updated field indicating a security level within the permitted range.
The value of the security level field may also be set by a network device: during transmission, the network device judges whether the security level field in the header of the received packet is invalid; when the value is invalid (for example because the sending terminal did not set it), the device sets the field according to the security level of the received packet and sends the packet on to the receiving terminal; when the value is valid, it forwards the packet directly to the receiving terminal.
In some scenarios, when the sending terminal and the receiving terminal are located in different networks, the network devices comprise at least the network access server of the first network, where the sending terminal is located, the first border gateway of the first network, the second border gateway of the second network, where the receiving terminal is located, and the access server of the second network. When the second border gateway receives a packet sent by the first border gateway, it converts the packet's security level according to the interconnection protocol between the first and second networks, sets the value of the field according to the converted security level, and the access server of the second network then forwards the packet to the receiving terminal.
Using the network architecture shown in Fig. 4 as an example, the process by which the above system transmits a packet carrying security level information is described below. The sending terminal (sender A) and the receiving terminal (receiver B) are located in different networks (hereafter network one, where user A is located, and network two, where user B is located), and the two networks belong to different security domains, say security domain 1 and security domain 2. User A and user B access their respective networks through network access servers C1 and C2, and the two networks interconnect through the interworking gateways D1 and D2. The process, shown in Fig. 5, comprises the following steps:
Step 501: Sender A sends a data packet to receiver B. In this embodiment the header of the packet contains a field indicating the packet's security level, and the value of this field is set by sender A;
In this step, the value sender A sets in the security level field of the packet header corresponds to the packet's security level.
In some scenarios the security level indicated by the value of this field is configured by the system. Specifically, a packet's security level is related not only to the user's security level but may also depend on parameters such as the user type and the packet type; that is, the system configures the security level of each packet by considering together the sender's security level, the user type, the packet type and similar parameters.
Step 502: When the network access server C1 of network one, where user A is located, receives the packet sent by A, it checks whether the security level user A set in the packet header is reasonable. If so, it forwards the packet directly to border gateway D1; otherwise it modifies the packet's security level to a reasonable one and then forwards the modified packet to border gateway D1;
In this step, checking whether the security level in the packet header is reasonable means: each network configures in advance the range of security levels allowed for the packets each user sends, so the security level indicated by the field in a packet a user sends must be within the allowed range. If the indicated security level is within that range, it is considered reasonable; otherwise it is considered unreasonable.
C1 modifying the packet's security level to a reasonable one means that C1 updates the value of the security level field in the packet header according to information about the packet (such as the security level the system configured in advance for this packet, which may be related to the user's security level, the user type, the packet type and so on), ensuring that after the update the security level indicated by the field lies within the allowed range.
In some embodiments, when C1 finds the security level in the packet unreasonable, it may also discard the packet directly instead of modifying it.
Step 503: Border gateway D1 of network one, where user A is located, receives the packet and sends it to border gateway D2 of network two, where user B is located;
Step 504: After D2 receives the packet, it converts the packet's security level according to the interconnection protocol and sends the converted packet to user B's network access server C2;
In this step, because user A's network and user B's network are different, the two networks' definitions of security levels are not identical, and the packet's security level needs to be remapped. For example, a packet that is very secure and trusted in network A is not necessarily very secure and trusted in network B, so some adjustment of security levels is required.
In this embodiment, D2 converting the security level information according to the interconnection protocol means mapping the packet's security level to the corresponding security level of network two and setting the security level field in the packet header according to the mapped security level, so that the field now indicates the packet's security level in network two;
For example, if the packet D2 receives from D1 carries security level 15 (supposing 15 is the highest packet security level in network one), then when D2 converts the security level according to the interconnection protocol it may convert level 15 to level 3 (3 being the highest packet security level in network two).
Step 505: User B's network access server C2 receives the packet sent by D2 and judges whether the value of the security level field in the packet header permits the packet to be sent to user B. If so, it sends the packet to user B; otherwise it discards the packet directly;
Step 506: User B receives the packet and reads the value of the security level field in its header. If the security level indicated by the value read is one user B allows, the packet is passed to the corresponding upper-layer application of user B;
Step 507: User B's upper-layer application checks whether the packet requests content from user B. If so, user B's application processes it according to the packet's security level; otherwise it discards the packet;
In this step, according to the packet's security level, user B decides whether to return all of the information, including confidential information, to user A, to return limited or filtered information to user A, or to refuse to provide the information;
Step 508: When user B's network access server C2 receives the response packet returned by user B, C2 checks whether the security level indicated by the value of the security level field in the packet header is within the range of security levels allowed for user B. If so, it sends the packet directly to D2; otherwise it modifies the value of the security level field in the packet header and then sends the packet to D2, the modified field indicating a security level allowed for user B;
Step 509: After border gateway D2 of network two receives the response packet returned by C2, it sends the packet to border gateway D1 of network one;
Step 510: After border gateway D1 of network one receives the packet, it converts the packet's security level according to the interconnection protocol and sends the converted packet to network access server C1 of network one, where user A is located;
In this step, converting the packet's security level means that D1 modifies the value of the security level field in the packet header so that the modified field indicates the packet's security level in network one.
Step 511: When C1 receives the packet, it judges whether the packet's security level permits it to be sent to user A. If so, it sends the packet to A; otherwise it discards the packet directly;
Step 512: After user A receives the packet, it checks whether the packet's security level is one user A allows. If so, the packet is passed to user A's corresponding application, and the upper-layer application of user A processes it according to the security level; otherwise the packet is discarded;
In this step, checking the packet's security level means reading the value of the security level field in the packet header and judging whether the security level indicated by the value read is one user A allows;
When the packet's security level is one user A allows, user A decides, according to the packet's security level, whether to return all information, including confidential information, to user B, to return limited or filtered information to user B, or to refuse to provide the information.
In the above flow, if the packet traverses an insecure network, its security level changes accordingly. For example, if network one and network two are not directly connected but traffic must transit an insecure network three, the security level of every packet relayed through network three is remapped according to the security levels of network three. The update of the packet's security level is handled mainly by intermediate nodes (such as border gateway D).
In addition, each user may be allowed to send packets of more than one security level; for example, user A may be allowed to send packets with security levels 0, 1 and 4. That is, each user has a set of permitted security levels for the packets it sends. The network access server, when checking a packet sent by a user, judges whether the security level carried in the packet is in the set of security levels permitted for that user.
In some embodiments, transmission between network one and network two passes through network three in encrypted form (for example through a VPN). Because network three uses encryption, the packet's passage through network three can be regarded as secure, and the network elements of network three need not check or modify the security level of the packets they receive: when network three receives a packet sent by network one it passes it through to network two unchanged, and when network two receives the packet forwarded by network three it converts the security level directly according to the interconnection protocol between the present network (network two) and network one.
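The following Python models the checks of steps 502 to 506 on the forward path A, C1, D2, C2, B, including the per-user permitted set described above and both alternatives for an unreasonable value (rewrite or drop). It is an added example, not the patent's code; the user names, permitted sets, default levels and the 16-to-4 remapping table are constructed assumptions.

```python
# Added example (not from the patent): a model of the step 502-506 checks
# on the forward path A -> C1 -> (D1) -> D2 -> C2 -> B.  D1 only forwards
# (step 503), so it is omitted.  Names, permitted sets, default levels and
# the remapping table are constructed assumptions, not the patent's config.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    sl: Optional[int]                   # 0..15, or None if the sender left it unset
    trace: List[str] = field(default_factory=list)
    delivered: bool = False


@dataclass
class AccessServer:
    """Network access server (C1 / C2): enforces each user's permitted SL set."""
    name: str
    permitted: Dict[str, FrozenSet[int]]  # user -> SLs that user may send/receive
    default_sl: Dict[str, int]            # system-configured SL per user (step 502)
    rewrite: bool = True                  # False: drop instead of correcting

    def ingress(self, pkt: Packet) -> Optional[Packet]:
        """Step 502: packet arriving from a local user."""
        if pkt.sl is not None and pkt.sl in self.permitted[pkt.src]:
            pkt.trace.append(f"{self.name}: SL {pkt.sl} ok")
            return pkt
        # Unset field: set it from system configuration.  Out-of-range field:
        # correct it if rewriting is enabled, otherwise discard (the two
        # alternatives the description gives).
        if pkt.sl is None or self.rewrite:
            pkt.sl = self.default_sl[pkt.src]
            pkt.trace.append(f"{self.name}: SL set to {pkt.sl}")
            return pkt
        pkt.trace.append(f"{self.name}: dropped")
        return None

    def egress(self, pkt: Packet) -> Optional[Packet]:
        """Step 505: packet about to be delivered to a local user."""
        if pkt.sl in self.permitted[pkt.dst]:
            pkt.trace.append(f"{self.name}: deliver SL {pkt.sl} to {pkt.dst}")
            return pkt
        pkt.trace.append(f"{self.name}: dropped SL {pkt.sl} for {pkt.dst}")
        return None


@dataclass
class BorderGateway:
    """Border gateway (D2): remaps the peer network's SL into this network's."""
    name: str
    remap: Dict[int, int]   # peer network's SL -> this network's SL

    def ingress(self, pkt: Packet) -> Packet:
        """Step 504.  An SL missing from the table maps to the lowest level
        rather than passing through, so an unknown value never gains trust."""
        new = self.remap.get(pkt.sl, 0)
        pkt.trace.append(f"{self.name}: SL {pkt.sl} -> {new}")
        pkt.sl = new
        return pkt


def send(pkt: Packet, c1: AccessServer, d2: BorderGateway,
         c2: AccessServer, b_permitted: FrozenSet[int]) -> Packet:
    """Run the packet along the forward path; the trace records each decision."""
    for hop in (c1.ingress, d2.ingress, c2.egress):
        if hop(pkt) is None:
            return pkt                      # dropped; the trace says where
    if pkt.sl in b_permitted:               # step 506: receiver B re-checks
        pkt.delivered = True
        pkt.trace.append("B: accepted")
    else:
        pkt.trace.append("B: dropped")
    return pkt


def build_topology():
    # Network one uses levels 0..15 (15 highest); network two uses 0..3
    # (3 highest).  User A may send 0, 1, 4 (as in the description) and 15.
    c1 = AccessServer("C1", {"A": frozenset({0, 1, 4, 15})}, {"A": 12})
    d2 = BorderGateway("D2", {s: s // 4 for s in range(16)})  # 15 -> 3, 0 -> 0
    c2 = AccessServer("C2", {"B": frozenset({1, 2, 3})}, {"B": 1})
    return c1, d2, c2


def run(sl: Optional[int], rewrite: bool = True) -> Packet:
    """Send one packet from A to B with the given SL and return it with its trace."""
    c1, d2, c2 = build_topology()
    c1.rewrite = rewrite
    return send(Packet("A", "B", sl), c1, d2, c2, frozenset({2, 3}))


if __name__ == "__main__":
    for case in (15, None, 9, 1):
        print(case, run(case).trace)
    print("9 without rewrite", run(9, rewrite=False).trace)
```

Level 1 is permitted for A in network one yet maps to 0 in network two, so C2 drops it; the remap at the border, not the sender's check, decides what B can receive.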
Of course, the invention may have various other embodiments. Without departing from the spirit and essence of the invention, those of ordinary skill in the art may make various corresponding changes and variations, all of which should fall within the protection scope of the claims appended to the invention.

Claims (12)

1. A method for processing a data message, characterized in that the method comprises:
a data message sending end sends a data message, the header of which comprises a field used to indicate the security class of the data message, wherein the value of the field is set by the data message sending end or by a network device that transmits the data message; the security class of the data message is used to indicate whether the source of the data message is a secure network;
a data message receiving end receives the data message, reads the value of the field, and processes the data message according to the security class of the data message indicated by the read value.
2. The method of claim 1, characterized in that, when the value of the field is set by the data message sending end, the network device transmitting the data message further judges whether the security class of the data message indicated by the value of the field belongs to the allowed security class range, and if so, transmits the data message to the data message receiving end.
3. The method of claim 2, characterized in that, if the network device transmitting the data message judges that the security class of the data message indicated by the value of the field does not belong to the allowed security class range, it updates the value of the field and transmits the updated data message to the data message receiving end, wherein the security class of the data message indicated by the value of the field updated by the network device belongs to the allowed security class range.
4. The method of claim 1, characterized in that setting the value of the field by the network device transmitting the data message refers to:
during transmission of the data message, the network device receives the data message, and if it judges that the field in the header of the received data message used to indicate the security class is invalid, it sets the value of the field according to the security class of the received data message.
5. The method of any one of claims 1 to 4, characterized in that
processing the data message by the data message receiving end according to the security class information of the data message indicated by the read value refers to:
if the data message receiving end judges that the security class of the data message indicated by the read value of the field belongs to the allowed security class range, it processes the data message normally; if the data message receiving end judges that the security class of the data message indicated by the read value of the field does not belong to the allowed security class range, it discards the data message.
6. The method of claim 5, characterized in that
the network device comprises at least a network access server.
7. The method of claim 5, characterized in that
when the data message sending end and the data message receiving end are located in different networks, the network device comprises at least the first network access server of the first network in which the data message sending end is located, the first border gateway of the first network, the second border gateway of the second network in which the data message receiving end is located, and the access server of the second network;
wherein, when the second border gateway receives the data message transmitted by the first border gateway, it converts the security class of the data message according to the IP (Internet Protocol) of the first network and the second network, and sets the value of the field according to the security class of the converted data message.
8. A system for processing a data message, characterized in that the system comprises a data message sending end, a network device and a data message receiving end, wherein the security class of the data message is used to indicate whether the source of the data message is a secure network;
the data message sending end is configured to send a data message, the header of which comprises a field used to indicate the security class of the data message;
the network device is configured to transmit the data message sent by the data message sending end to the data message receiving end;
the data message receiving end is configured to receive the data message, read the field in the header of the data message used to indicate the security class of the data message, and process the data message according to the security class of the data message indicated by the read field.
9. The system of claim 8, characterized in that the data message sending end is further configured to set the value of the field in the header of the data message used to indicate the security class of the data message;
the network device, when transmitting the data message, is further configured to judge whether the security class of the data message indicated by the value of the field in the header used to indicate the security class belongs to the allowed security class range; if so, it transmits the data message to the data message receiving end, otherwise it updates the value of the field and transmits the updated data message to the data message receiving end, wherein the security class of the data message indicated by the value of the field updated by the network device belongs to the allowed security class range.
10. The system of claim 8, characterized in that
the network device, during transmission of the data message, is further configured to judge whether the field in the header of the received data message used to indicate the security class is invalid and, when the value of the field is invalid, to set the value of the field according to the security class of the received data message and send the data message so set to the data message receiving end.
11. The system of claim 8, characterized in that
when the data message sending end and the data message receiving end are located in different networks, the network device comprises at least the first network access server of the first network in which the data message sending end is located, the first border gateway of the first network, the second border gateway of the second network in which the data message receiving end is located, and the access server of the second network;
wherein, when the second border gateway receives the data message transmitted by the first border gateway, the second border gateway is further configured to convert the security class of the data message according to the IP (Internet Protocol) of the first network and the second network, and to set the value of the field according to the security class of the converted data message.
12. The system of any one of claims 8 to 11, characterized in that
the data message receiving end, when judging that the security class of the data message indicated by the read value of the field belongs to the allowed security class range, processes the data message normally, and when judging that the security class of the data message indicated by the read value of the field does not belong to the allowed security class range, discards the data message.
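The header-field handling described above and in the claims (the per-user allowed set at the network access server, filling in an invalid field, remapping at a border gateway by the policy between two networks, stamping by an insecure transit network, pass-through for an encrypted transit, and the drop decision at the receiver), as an added Python simulation that is not part of the patent. The class values, the policy table and the topology are constructed, and rewriting a disallowed class to the entry network's own class is an assumption of this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

INVALID = None  # constructed: an unset or invalid header field is modelled as None

@dataclass
class DataMessage:
    user: str
    sec_class: Optional[int]  # header field carrying the security class

def access_server(allowed: Dict[str, Set[int]], network_class: int):
    """Network access server hop: each user has a set of allowed classes. An invalid
    field is filled in from the class of the network the message enters from (claim 4);
    a class outside the user's set is rewritten to that same class (claim 3; picking
    the entry network's class as the replacement is an assumption of this example)."""
    def hop(msg: DataMessage) -> DataMessage:
        if msg.sec_class is INVALID or msg.sec_class not in allowed.get(msg.user, set()):
            msg.sec_class = network_class
        return msg
    return hop

def border_gateway(remap: Dict[int, int], transit_class: Optional[int] = None):
    """Border gateway hop: with transit_class set it models an insecure transit network
    that stamps every message with its own class; otherwise it converts the class by
    the policy table agreed between the two networks (claim 7)."""
    def hop(msg: DataMessage) -> DataMessage:
        msg.sec_class = transit_class if transit_class is not None else remap.get(msg.sec_class, msg.sec_class)
        return msg
    return hop

def vpn_transit(msg: DataMessage) -> DataMessage:
    # Encrypted transit (e.g. VPN): the transit network neither checks nor modifies the field.
    return msg

def deliver(msg: DataMessage, hops, receiver_allowed: Set[int]) -> Tuple[bool, Optional[int]]:
    """Run msg through the hops; the receiver processes it only if the final class is
    allowed and drops it otherwise (claims 5 and 12). Returns (accepted, final class)."""
    for hop in hops:
        msg = hop(msg)
    return msg.sec_class in receiver_allowed, msg.sec_class

# Constructed topology: user A may send classes 0, 1 and 4 from network one (class 0); the
# network-one/network-two policy maps 0->0, 1->2, 4->5; insecure network three has class 5.
NAS1 = access_server({"A": {0, 1, 4}, "B": {0}}, network_class=0)
GW12 = border_gateway({0: 0, 1: 2, 4: 5})
GW3 = border_gateway({}, transit_class=5)
RX_ALLOWED = {0, 2}

if __name__ == "__main__":
    print(deliver(DataMessage("A", 1), [NAS1, GW3, GW12], RX_ALLOWED))  # (False, 5)
```

The same message that is accepted on the direct path is dropped when it transits the insecure network three, because that network stamps its own class onto the field before the second border gateway sees it.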
CN201010240679.3A 2010-07-27 2010-07-27 A kind of processing method of data message and system Active CN102347932B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201010240679.3A CN102347932B (en) 2010-07-27 2010-07-27 A kind of processing method of data message and system
PCT/CN2010/080258 WO2012013003A1 (en) 2010-07-27 2010-12-24 Method and system for processing data message

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201010240679.3A CN102347932B (en) 2010-07-27 2010-07-27 A kind of processing method of data message and system

Publications (2)

Publication Number Publication Date
CN102347932A CN102347932A (en) 2012-02-08
CN102347932B true CN102347932B (en) 2016-03-02

Family

ID=45529378

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010240679.3A Active CN102347932B (en) 2010-07-27 2010-07-27 A kind of processing method of data message and system

Country Status (2)

Country Link
CN (1) CN102347932B (en)
WO (1) WO2012013003A1 (en)

Also Published As

Publication number Publication date
CN102347932A (en) 2012-02-08
WO2012013003A1 (en) 2012-02-02

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20201216

Address after: Room 705, 7 / F, room 9, 1699, Zuchongzhi South Road, Kunshan City, Suzhou City, Jiangsu Province

Patentee after: Kunshan chuangzhihui Intellectual Property Operation Co.,Ltd.

Address before: 518057 Ministry of justice, Zhongxing building, South Science and technology road, Nanshan District hi tech Industrial Park, Shenzhen, Guangdong

Patentee before: ZTE Corp.

TR01 Transfer of patent right
CP02 Change in the address of a patent holder

Address after: 215300 rooms 107 and 108, area C, 55 Xiaxi street, Kunshan Development Zone, Suzhou City, Jiangsu Province

Patentee after: Kunshan chuangzhihui Intellectual Property Operation Co.,Ltd.

Address before: Room 705, 7 / F, room 9, 1699, Zuchongzhi South Road, Kunshan City, Suzhou City, Jiangsu Province

Patentee before: Kunshan chuangzhihui Intellectual Property Operation Co.,Ltd.

CP02 Change in the address of a patent holder
TR01 Transfer of patent right

Effective date of registration: 20231103

Address after: 215300 Penglang Honghu Road, Kunshan Development Zone, Suzhou City, Jiangsu Province

Patentee after: KUNSHAN HONGJIA SOLDER MANUFACTURING Co.,Ltd.

Address before: 215300 rooms 107 and 108, area C, 55 Xiaxi street, Kunshan Development Zone, Suzhou City, Jiangsu Province

Patentee before: Kunshan chuangzhihui Intellectual Property Operation Co.,Ltd.

TR01 Transfer of patent right