CN102394816A - User service quality control method and equipment for virtual private network - Google Patents


Info

Publication number: CN102394816A
Authority: CN (China)
Prior art keywords: message, user, stream, address information, quality
Status: Granted
Application number: CN2011103346826A
Other languages: Chinese (zh)
Other versions: CN102394816B (en)
Inventors: 鄂维, 陈伟
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201110334682.6A
Publication of CN102394816A
Application granted
Publication of CN102394816B
Legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of network communication and in particular provides a user quality of service control method and equipment for a virtual private network. The method comprises the following steps: a gateway receives a message and obtains the address information of the message; the gateway judges, according to the address information of the message, whether the message belongs to a known connection or stream; if so, it determines the user corresponding to the message, the correspondence between the known stream or connection and the user being recorded in the gateway; it determines the user's quality of service policy according to the correspondence between users and quality of service policies; and it performs quality of service control on the message according to that policy. The method provided by the invention can identify the user to whom traffic entering an SSLVPN (Secure Socket Layer Virtual Private Network) gateway belongs and apply different quality of service control to different users, so that important services run normally, bandwidth is used rationally and network resources are used effectively.

Description

Virtual private network user quality of service control method and equipment
Technical field
The present invention relates to the field of network communications technology, and in particular to a virtual private network user quality of service control method and equipment.
Background technology
A Virtual Private Network (VPN) is a dedicated network built on a public network: a proprietary remote secure access channel set up, using a specially encrypted communication protocol, between the intranets of two or more enterprise sites at different locations on the public network. An enterprise only needs to rent a local leased line, and a secure and reliable connection can be set up between the enterprise and the intranets of each of its branches, so that data is transmitted securely over the Internet through these local connections. Using a VPN has the advantages of saving cost, providing remote access, strong scalability and convenient management.
A Secure Socket Layer Virtual Private Network (SSLVPN) is a VPN technology that sets up a remote secure access channel based on the Secure Sockets Layer protocol. It is a VPN technology that has emerged in recent years, and its use has developed rapidly with the spread of the Internet and the rise of e-commerce and telecommuting.
In the prior art, a remote user can access the SSLVPN gateway through a web browser or an SSL tunnel. When a large number of remote users access the gateway at the same time, because wide area network bandwidth is limited, if no Quality of Service (QoS) control is performed, a single user may occupy most of the WAN-side bandwidth, or several users may compete for bandwidth. The length of the data queues on the network then grows and packet delay increases, with the result that some users' message transmission becomes unstable, TCP retransmissions become more frequent, and services become intermittent or are interrupted entirely. In addition, without QoS control, services with high real-time requirements (for example voice) may suffer packet loss and retransmission because of improper scheduling, making the service effect unacceptable (for example delayed voice calls or unintelligible speech) and wasting network resources. Therefore, to keep SSLVPN services free from the effects of network delay and congestion, an effective QoS control mechanism is needed to keep the network unobstructed and services running normally. When the network is overloaded or congested, a QoS policy can ensure that critical service data is neither delayed nor discarded, while keeping the network running efficiently and making full use of network resources.
The prior art includes a user QoS control method based on SSLVPN which guarantees the total bandwidth occupied by SSLVPN services at the WAN egress by means of bandwidth reservation. The SSLVPN gateway has a fixed open IP address and port on the WAN; a QoS policy can be set for this IP address and port which controls the bandwidth of the traffic accessing them and schedules the messages sent and received on them preferentially, thereby guaranteeing the overall quality of service of the SSLVPN service.
In the course of realizing the present invention, the inventors found at least the following problem in the prior art: the method of the prior art can only guarantee the overall quality of service of the SSLVPN service and cannot implement quality of service control per user. It therefore cannot solve the problems of bandwidth contention between users and of preferentially scheduling and forwarding high-priority data, cannot guarantee that important services run normally, and makes poor use of network resources.
Summary of the invention
To solve the above technical problems, embodiments of the invention provide a virtual private network user quality of service control method and equipment that can identify the user to whom traffic entering the SSLVPN gateway belongs, implement quality of service control per user, use bandwidth rationally and guarantee the normal operation of important services.
In one aspect, an embodiment of the invention provides a virtual private network user quality of service control method, the method comprising:
a gateway receives a message and obtains the address information of the message;
the gateway judges, according to the address information of the message, whether the message belongs to a known connection or stream, and if so determines the user corresponding to the message, the gateway having recorded the correspondence between known streams or connections and users;
the gateway determines the user's quality of service policy according to the correspondence between users and quality of service policies, and performs quality of service control on the message according to that policy.
In another aspect, an embodiment of the invention provides a VPN device, the device comprising:
a memory, for recording the correspondence between known streams or connections and users and the correspondence between users and quality of service policies;
an acquisition module, for receiving a message at the gateway and obtaining the address information of the message;
an identification module, for judging according to the address information of the message whether the message belongs to a known connection or stream and, if so, determining the user corresponding to the message according to the correspondence between known streams or connections and users recorded in the memory;
a first processing module, for determining the user's quality of service policy according to the correspondence between users and quality of service policies recorded in the memory, and performing quality of service control on the message according to that policy.
In the embodiments of the invention, after receiving a message the gateway obtains its address information and judges from it whether the message belongs to a known connection or stream; if so, the user corresponding to the message is determined from the recorded stream-to-user or socket-connection-to-user correspondence; the user's quality of service policy is then determined from the correspondence between users and quality of service policies, and quality of service control is performed on the message accordingly. The method provided by the embodiments of the invention can identify the user to whom traffic entering the SSLVPN gateway belongs and apply different quality of service control to different users, using bandwidth rationally and guaranteeing the normal operation of important services.
Description of drawings
To explain the embodiments of the invention and the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are introduced briefly below. Obviously, the drawings described below are only some of the embodiments recorded in the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a first embodiment of the virtual private network user quality of service control method provided by an embodiment of the invention;
Fig. 2 is a flow chart of a second embodiment of the virtual private network user quality of service control method provided by an embodiment of the invention;
Fig. 3 is a flow chart of a third embodiment of the virtual private network user quality of service control method provided by an embodiment of the invention;
Fig. 4 is a flow chart of a fourth embodiment of the virtual private network user quality of service control method provided by an embodiment of the invention;
Fig. 5 is a schematic diagram of a first embodiment of the VPN device provided by an embodiment of the invention;
Fig. 6 is a schematic diagram of a second embodiment of the VPN device provided by an embodiment of the invention.
Embodiments
Embodiments of the invention provide a virtual private network user quality of service control method and equipment that can identify the user to whom traffic entering the SSLVPN gateway belongs, implement quality of service control per user, use bandwidth rationally and guarantee the normal operation of important services.
To help those skilled in the art understand the technical solution of the present invention better, the technical solution in the embodiments of the invention is described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
In an SSLVPN network, the SSLVPN gateway is the device that provides the SSLVPN service function, referred to below simply as the gateway. The WAN (Wide Area Network) port is the interface through which the gateway connects to the wide area network; remote users access the gateway through the WAN port. The LAN (Local Area Network) port is the interface of the gateway facing the internal network. The embodiments provided by the invention identify the user to whom traffic entering the WAN port belongs and the user to whom traffic entering the LAN port belongs, and implement QoS control per user, guaranteeing the normal operation of important services, using bandwidth rationally and improving network resource utilization.
Referring to Fig. 1, a flow chart of the first embodiment of the virtual private network user quality of service control method provided by an embodiment of the invention. The method comprises:
S101: the gateway receives a message and obtains the address information of the message.
S102: the gateway judges, according to the address information of the message, whether the message belongs to a known connection or stream; if so, it determines the user corresponding to the message. The gateway records the correspondence between known streams or connections and users.
S103: the gateway determines the user's quality of service policy according to the correspondence between users and quality of service policies, and performs quality of service control on the message according to that policy.
Preferably, the method further comprises:
if the message does not belong to a known connection or stream, receiving the message at a limited rate.
The virtual private network user quality of service control method provided by this embodiment judges from the address information of a message whether the message belongs to a known connection or stream, identifies the user to whom traffic entering the SSLVPN gateway belongs from the recorded stream-to-user or connection-to-user correspondence, and applies different quality of service control to different users, using bandwidth rationally and guaranteeing the normal operation of important services.
As mentioned above, the SSLVPN gateway has an interface on both the wide area network and the local area network. Two embodiments that perform QoS control by identifying the user to whom traffic entering the WAN port belongs are described in detail below; both are refinements of the embodiment shown in Fig. 1.
Referring to Fig. 2, a flow chart of the second embodiment of the virtual private network user quality of service control method provided by an embodiment of the invention.
S201: on the WAN side of the gateway, a stream table is set up for the traffic accessing the gateway according to the address information of the messages.
In the embodiments provided by the invention, a message means an IP packet. A sequence of messages transmitted continuously between a source IP address and a destination IP address within a period of time is called a stream. Messages belonging to the same stream have the same source port number, destination port number, protocol number, source IP address and destination IP address.
In the embodiments provided by the invention, a stream table is set up for the traffic entering the gateway according to the address information of the messages. The address information of a message comprises the source IP address, destination IP address, source port and destination port. For traffic entering the gateway, the stream table is built with the source IP address, destination IP address, source port and destination port of the message as the key. The stream table is a set of data-forwarding entries keyed on several tuple fields of the message (IP addresses, port numbers, DSCP, protocol number), whose content is a concrete action. The action content of an entry can store the QoS policy to be executed, which may comprise bandwidth control and priority scheduling information. The stream table records the correspondence between users and QoS policies.
S202: after the gateway receives a message sent by a user, it obtains the address information of the message.
S203: the gateway searches the stream table according to the address information of the message for an entry corresponding to the message. If one exists, the message is judged to belong to a known stream and processing proceeds to step S204; otherwise it proceeds to step S207.
For an SSLVPN message entering the WAN port of the gateway, the gateway first searches the stream table according to the address information of the message, which may comprise the source and destination IP addresses and the source and destination port numbers of the message. If an entry corresponding to the message exists in the stream table, the message is judged to belong to a known stream; if not, it is judged to belong to an unknown stream.
S204: the gateway judges whether a user ID exists in the stream table entry. If it does, processing proceeds to step S205; if not, to step S208.
The user ID is used to distinguish different users; user IDs and users have a correspondence. The correspondence between users and QoS policies is kept in the stream table.
S205: the gateway determines the user corresponding to the message according to the user ID and proceeds to step S206.
S206: the gateway determines the quality of service policy corresponding to the user according to the correspondence between users and quality of service policies, and performs quality of service control on the message according to that policy.
In the embodiments of the invention, the QoS policy is mainly the set of information describing how different quality of service control is performed on traffic belonging to different users. Concretely, once a particular user has been identified, the QoS policy is mainly used to apply bandwidth limits and priority scheduling to the traffic entering the gateway. The QoS policy can set the bandwidth of each user: when the SSLVPN gateway receives traffic, data exceeding the set bandwidth can be dropped; when it sends traffic, data exceeding the bandwidth limit is generally dropped or shaped. When traffic from several users enters the gateway simultaneously and the users have different priorities, the traffic of the high-priority user is received preferentially and the traffic of the low-priority user is dropped; when traffic from several users is sent simultaneously, the traffic of the high-priority user can be sent preferentially and the traffic of the low-priority user sent later or dropped.
S207: if no corresponding entry is found in the stream table, a stream table entry corresponding to the message is created and processing proceeds to step S208.
The stream table entry comprises the address information of the message.
S208: for a message that does not belong to a known stream, the message is received at a limited rate.
Generally, when there is no entry corresponding to the message in the stream table, or the entry has no user ID, the message can be received at a lower limited rate (for example 20KB/s). This prevents the traffic of unidentified users from growing excessively and congesting the network, and improves the security of data reception.
Further, the method may also comprise:
when the gateway identifies the user corresponding to the message during the processing of a received message, judging whether the user is a new user; if so, recording the new user's user ID and the correspondence between the user and the quality of service policy in the stream table entry; if not, recording the user's user ID in the stream table entry corresponding to the message.
The gateway application layer can obtain the user ID present in the first line or the cookie of an HTTP request and identify the user from it. The user ID is generally a visible character string composed of digits and letters. When a user ID is present in the received message data, the user is not considered new. A new user may also be produced after the user's login authentication succeeds. When the gateway application layer finds that the user is new, it sends the new user's ID and the corresponding QoS policy to the data plane, and the stream table of the data plane records the correspondence between the user and the user ID and between the user ID and the QoS policy. When the gateway application layer identifies that the user is not new, it sends the user ID to the stream table of the data plane.
Concretely, the method provided by the embodiments of the invention may also comprise steps for maintaining the stream table:
when the TCP connection corresponding to the message is disconnected, deleting the stream table entry corresponding to the message. Because a stream table entry corresponds to a TCP/SSL connection, the gateway can delete the corresponding entry when it perceives that the TCP connection has ended. Concretely, a TCP FIN or RST indicates that the TCP connection is disconnected, and the stream table entry can then be deleted.
To cover abnormal conditions (for example a lost FIN or RST message), stream table entries can also be deleted by idle cut-off: if no message is processed on the TCP connection corresponding to the message within a set time, the stream table entry corresponding to the message is deleted. Generally a timer is used for detection: if a stream table entry (that is, its corresponding TCP connection) neither receives nor sends a message within a period of time, it is deleted.
In the second embodiment provided by the invention, a stream table is set up at the gateway and searched by the address information of the message to judge whether the message belongs to a known stream; the user corresponding to the message is identified from the stream-to-user correspondence, and QoS control is executed according to the user's QoS policy, so that different QoS control can be applied to different users, guaranteeing the normal operation of important services and using bandwidth rationally.
Depending on the SSLVPN device, the third embodiment provided by the invention can be used to identify the user to whom traffic belongs and execute different QoS policies for different users. It differs from the second embodiment in that the third embodiment controls the sending and receiving of data on the WAN side of the gateway through sockets in the TCP protocol stack.
Referring to Fig. 3, a flow chart of the third embodiment of the virtual private network user quality of service control method provided by the invention.
S301: the gateway receives a message and obtains the address information of the message.
S302: the gateway compares the address information of the message with the address information of known connections; when they are identical, the message is judged to belong to a known connection. If not, processing proceeds to step S305.
As mentioned above, a stream corresponds to a TCP connection. The gateway can therefore judge whether a message belongs to a known connection from the address information of the connection corresponding to the message. Generally, messages having the same source IP address and source port belong to the same connection. The connection here is a socket connection.
S303: the gateway determines the user to whom the connection belongs according to the recorded correspondence between connections and users.
If the message belongs to a known connection, the gateway can determine the user to whom the connection belongs according to the recorded correspondence between socket connections and users. A socket describes an IP address and a port; an application program usually sends network requests, or answers them, through a socket.
S304: if the user to whom the connection corresponding to the message belongs is identified, quality of service control is performed on the message according to the correspondence between users and quality of service policies.
Concretely, after identifying the user to whom the connection corresponding to the message belongs, the gateway can perform the corresponding quality of service control for that user, mainly bandwidth limiting and priority scheduling of the traffic. The concrete quality of service policy is the same as in the second embodiment.
Preferably, if several socket connections correspond to the same user, the several socket connections are set to share that user's bandwidth. This keeps the bandwidth of a single user under control and uses bandwidth rationally.
S305: for a message that does not belong to a known connection, the message is received at a limited rate.
When a connection has just been established, the gateway does not know the user corresponding to it; it only learns the user after further processing. For a connection that does not belong to a known user, reception on the TCP socket is controlled so that messages are received at a lower rate (for example 20KB/s). This prevents a burst of heavy traffic on the connection from congesting the network, and improves the security of data reception.
S306: after the gateway processes the received data and determines the user corresponding to the connection, it records the correspondence between this connection and the user and the user's quality of service policy.
Messages with the same source IP address and source port correspond to the same socket connection. Once the gateway application layer has identified the user corresponding to the connection through the user-defined field in the socket request, it can record the correspondence between this connection and the user and the user's quality of service policy. Traffic subsequently transmitted over this connection uses a unified QoS policy.
The third embodiment provided by the invention enables a VPN device that has no data plane to control the QoS of different users through control of the TCP socket. The method provided by the embodiment of the invention can distinguish different users and implement different QoS policies for different users, guaranteeing the normal operation of important services and using bandwidth rationally.
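The following is an added example written for this page, not code from the patent or from Huawei: a small Python model of the WAN-side data plane described in the second and third embodiments. A stream table keyed on the 5-tuple maps each flow to a user ID once the application layer has identified one; each user has a QoS policy (a bandwidth enforced by a token bucket, and a priority); flows with no user yet are received through a shared bucket at the page's 20KB/s example rate; entries are removed on TCP FIN/RST or after an idle timeout; and several connections bound to one user share that user's bucket. The link capacity, the 60-second idle timeout, the class and method names, and the sample addresses are assumptions of the example; time is passed in explicitly so the model is deterministic.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Stream-table key: (src ip, dst ip, src port, dst port, protocol number)
FlowKey = Tuple[str, str, int, int, int]

UNKNOWN_RATE_BPS = 20 * 1024   # limited rate for flows with no user yet (page: 20KB/s)
IDLE_TIMEOUT_S = 60.0          # assumed idle cut-off for stale stream-table entries


@dataclass
class QosPolicy:
    rate_bps: float   # bandwidth allowed to the user
    priority: int     # higher value is served first when traffic arrives together


@dataclass
class TokenBucket:
    rate: float
    burst: float
    tokens: float
    last: float = 0.0

    def refill(self, now: float) -> None:
        self.tokens = min(self.burst, self.tokens + max(0.0, now - self.last) * self.rate)
        self.last = now

    def take(self, nbytes: int) -> bool:
        if self.tokens < nbytes:
            return False
        self.tokens -= nbytes
        return True


@dataclass
class FlowEntry:
    user_id: Optional[str] = None   # filled in once the application layer knows the user
    last_seen: float = 0.0


class Gateway:
    def __init__(self, link_bps: float) -> None:
        self.flows: Dict[FlowKey, FlowEntry] = {}        # the stream table
        self.policies: Dict[str, QosPolicy] = {}
        self.buckets: Dict[str, TokenBucket] = {}        # one bucket per user, shared by all its flows
        self.unknown = TokenBucket(UNKNOWN_RATE_BPS, UNKNOWN_RATE_BPS, UNKNOWN_RATE_BPS)
        self.link = TokenBucket(link_bps, link_bps, link_bps)   # assumed total WAN-side capacity

    def set_policy(self, user_id: str, policy: QosPolicy) -> None:
        self.policies[user_id] = policy
        self.buckets[user_id] = TokenBucket(policy.rate_bps, policy.rate_bps, policy.rate_bps)

    def bind_user(self, key: FlowKey, user_id: str) -> None:
        """The application layer has identified the user of this flow (recorded in the entry)."""
        self.flows.setdefault(key, FlowEntry()).user_id = user_id

    def receive(self, key: FlowKey, nbytes: int, now: float, tcp_flags: Tuple[str, ...] = ()) -> str:
        """Steps S203-S208: look up the flow, pick the applicable bucket, accept or drop."""
        entry = self.flows.get(key)
        if entry is None:                        # S207: unknown stream, create the entry
            entry = self.flows[key] = FlowEntry()
        entry.last_seen = now
        if "FIN" in tcp_flags or "RST" in tcp_flags:   # connection torn down: delete the entry
            del self.flows[key]
            return "closed"
        # S208 for flows without a user ID, S206 for identified users
        bucket = self.unknown if entry.user_id is None else self.buckets[entry.user_id]
        bucket.refill(now)
        self.link.refill(now)
        if bucket.tokens >= nbytes and self.link.tokens >= nbytes:
            bucket.take(nbytes)
            self.link.take(nbytes)
            return "accept"
        return "drop"

    def receive_batch(self, batch: List[Tuple[FlowKey, int]], now: float) -> List[Tuple[FlowKey, str]]:
        """Messages arriving together are served highest user priority first; flows with
        no user yet go last, so under link contention the low-priority traffic is dropped."""
        def priority(item: Tuple[FlowKey, int]) -> int:
            entry = self.flows.get(item[0])
            if entry is None or entry.user_id is None:
                return -1
            return self.policies[entry.user_id].priority
        ordered = sorted(batch, key=priority, reverse=True)
        return [(key, self.receive(key, nbytes, now)) for key, nbytes in ordered]

    def expire_idle(self, now: float) -> int:
        """Idle cut-off: remove entries that saw no message within IDLE_TIMEOUT_S."""
        stale = [k for k, e in self.flows.items() if now - e.last_seen > IDLE_TIMEOUT_S]
        for k in stale:
            del self.flows[k]
        return len(stale)
```

The model drops rather than shapes on the receive path, as the page describes for received traffic; a sending path would replace the drop with queuing.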
As mentioned above, the SSLVPN gateway has an interface on both the wide area network and the local area network. An embodiment that performs QoS control by identifying the user to whom traffic entering the LAN port belongs is described in detail below.
Referring to Fig. 4, a flow chart of the fourth embodiment of the virtual private network user quality of service control method provided by an embodiment of the invention. The method comprises:
S401: an independent IP address is allocated to each user on the LAN side, and the correspondence between the IP address and the user is recorded.
In the prior art, for traffic of web-type applications entering the LAN port, the destination IP address of the message is the intranet IP address of the gateway; the destination IP address of the message is not in one-to-one correspondence with the user and cannot be used to distinguish users. In the embodiments of the invention, the SSLVPN device allocates an independent IP address to each user on the LAN side and, after the user comes online, records the correspondence between the IP address and the user. In this way, when a message enters the LAN port, the user can be distinguished by this IP address.
S402: user identification is performed on messages entering the LAN side according to the correspondence between IP addresses and users.
When the gateway receives a message on the LAN side, the user corresponding to the destination IP address of the message can be looked up through the correspondence between IP addresses and users.
For traffic of tunnel-type applications entering the LAN side, because the gateway has allocated an independent IP address to each user, users can be distinguished by the destination IP address. In this embodiment, for traffic of web-type applications entering the LAN side, the gateway has also allocated an independent IP address to the user on the LAN side, so that on the LAN side each user has two IP addresses. The gateway data plane can then perform user identification on messages entering either of these two IP addresses. Concretely, the user to whom traffic entering the LAN side belongs can usually be distinguished by looking up a user table that records the correspondence between IP addresses and users.
S403: after the user corresponding to the message is identified, the user's quality of service policy is determined according to the correspondence between users and quality of service policies, and quality of service control is performed on the message according to that policy.
In this way, traffic entering the LAN side can also be subjected to different QoS control per user by distinguishing users, using bandwidth rationally and making effective use of network resources.
Referring to Fig. 5, an embodiment of the invention provides a VPN device for implementing the above method. Said device comprises:
Memory 501, for recording the correspondence between known streams or connections and users, and the correspondence between users and quality of service policies.
Acquisition module 502, for receiving a message and obtaining the address information of said message.
Identification module 503, for judging according to the address information of said message whether said message belongs to a known connection or stream, and, if said message belongs to a known connection or stream, determining the user corresponding to said message according to the correspondence between known streams or connections and users recorded in the memory.
First processing module 504, for determining said user's quality of service policy according to the correspondence between users and quality of service policies recorded in the memory, and performing quality of service control on said message according to said quality of service policy.
Specifically, said device further comprises:
Second processing module, for receiving said message at a limited rate if said message does not belong to a known connection or stream.
In one specific embodiment provided by the invention, said identification module is:
First identification module, for querying a stream table according to the address information of said message to determine whether it contains an entry corresponding to said message; if it does, judging that said message belongs to a known stream; and, when said message belongs to a known stream, further determining the user corresponding to said message.
Preferably, when the identification module is the first identification module, said device further comprises:
Set-up module, for establishing a stream table entry corresponding to said message when it is judged that said stream table contains no entry corresponding to said message, said stream table entry comprising the address information of said message.
First recording module, for recording said new user's user ID and the correspondence between said user and the quality of service policy in said stream table entry when the gateway, during processing of the received message, identifies that the user corresponding to said message is a new user.
Second recording module, for recording said user's user ID in the stream table entry corresponding to said message when the gateway, during processing of the received message, identifies that the user corresponding to said message is not a new user.
First removing module, for deleting the stream table entry corresponding to said message when the TCP connection corresponding to said message is disconnected.
Second removing module, for deleting the stream table entry corresponding to said message when no message processing has taken place on the TCP connection corresponding to said message within a set time.
In another embodiment provided by the invention, said identification module is:
Second identification module, for comparing the address information of said message with the address information of known connections and, when the address information of said message is identical to that of a known connection, judging that said message belongs to a known connection; if so, determining the user corresponding to said message according to the correspondence between connections and users.
Preferably, when the identification module is the second identification module, said device further comprises:
Third recording module, for recording the correspondence between this connection and the user, together with the user's quality of service policy, after the gateway has processed the received message and identified the user corresponding to said connection.
Setting module, for setting said plurality of connections to share said user's bandwidth when a plurality of connections correspond to the same user.
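A software model of the Fig. 5 device and its modules as listed above (the same mechanism that claims 2 to 9 restate), added here as an example that is not the patent holder's code: a stream table keyed by the message's address information, one limited receive rate for messages of streams whose user is not yet known, recording of the user ID once the gateway's session processing has identified the user, a single bandwidth budget per user shared by all of that user's connections, and removal of entries on TCP teardown or after an idle period. The second identification module (comparing against known connections) reduces to the same keyed lookup in this model. Token buckets, the 100 ms burst allowance, and all addresses, users, rates and timestamps are constructed for the example; time is passed in explicitly so the run is deterministic.

```python
"""Stream table, rate-limited unknown streams and per-user QoS (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

StreamKey = Tuple[str, int, str, int, str]   # src ip, src port, dst ip, dst port, protocol


class TokenBucket:
    """Token bucket with an explicit clock: rate in bytes/s, burst in bytes."""

    def __init__(self, rate_bps: float, burst: int, now: float):
        self.rate, self.burst = rate_bps, burst
        self.tokens, self.last = float(burst), now

    def allow(self, nbytes: int, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes > self.tokens:
            return False
        self.tokens -= nbytes
        return True


@dataclass
class StreamEntry:
    key: StreamKey
    user: Optional[str] = None   # user ID, written by the recording modules
    last_seen: float = 0.0


class Gateway:
    def __init__(self, policies: dict, unknown_rate_bps: int, unknown_burst: int,
                 idle_timeout: float, now: float):
        self.policies = policies      # user -> permitted bytes/s (user/QoS correspondence)
        self.streams = {}             # the stream table held in memory 501
        self.user_buckets = {}        # one budget per user, shared by all its connections
        self.unknown = TokenBucket(unknown_rate_bps, unknown_burst, now)
        self.idle_timeout = idle_timeout

    def on_message(self, key: StreamKey, nbytes: int, now: float,
                   tcp_flags: frozenset = frozenset()) -> str:
        """Identification module plus first and second processing modules."""
        entry = self.streams.get(key)
        if entry is None:
            # Set-up module: create the entry now so the user ID can be recorded
            # once session processing identifies the user behind it.
            entry = self.streams[key] = StreamEntry(key)
        entry.last_seen = now
        if entry.user is None:
            # Second processing module: all traffic of no identified user shares
            # one limited rate, so it cannot starve identified users.
            verdict = "forward-unknown" if self.unknown.allow(nbytes, now) else "drop-unknown"
        else:
            bucket = self.user_buckets.get(entry.user)
            if bucket is None:
                rate = self.policies[entry.user]
                bucket = self.user_buckets[entry.user] = TokenBucket(rate, rate // 10, now)
            verdict = "forward" if bucket.allow(nbytes, now) else "drop"
        if tcp_flags & {"FIN", "RST"}:
            del self.streams[key]     # first removing module: TCP connection closed
        return verdict

    def record_user(self, key: StreamKey, user: str) -> None:
        """First/second recording modules: bind the user ID that the gateway's
        session processing authenticated, never a value taken from the message."""
        self.streams[key].user = user

    def expire_idle(self, now: float) -> int:
        """Second removing module: drop entries idle for longer than the set time."""
        stale = [k for k, e in self.streams.items() if now - e.last_seen > self.idle_timeout]
        for k in stale:
            del self.streams[k]
        return len(stale)


def demo() -> dict:
    """Constructed scenario; returns the observations worth checking."""
    gw = Gateway({"alice": 1_000_000, "bob": 100_000}, unknown_rate_bps=10_000,
                 unknown_burst=20_000, idle_timeout=30.0, now=0.0)
    k1 = ("198.51.100.10", 40001, "203.0.113.1", 443, "tcp")   # alice, first connection
    k2 = ("198.51.100.10", 40002, "203.0.113.1", 443, "tcp")   # alice, second connection
    k3 = ("198.51.100.20", 50001, "203.0.113.1", 443, "tcp")   # bob
    k4 = ("198.51.100.99", 60001, "203.0.113.1", 443, "tcp")   # never authenticates
    obs = {"first_alice": gw.on_message(k1, 1500, 0.0)}         # user not yet identified
    gw.record_user(k1, "alice")
    obs["alice_known"] = gw.on_message(k1, 1500, 0.1)
    gw.on_message(k2, 1500, 0.2)
    gw.record_user(k2, "alice")
    gw.on_message(k2, 1500, 0.3)                                # draws on alice's one budget
    obs["alice_tokens"] = gw.user_buckets["alice"].tokens
    gw.on_message(k3, 1500, 0.4)
    gw.record_user(k3, "bob")
    obs["bob_burst"] = [gw.on_message(k3, 9000, 0.5), gw.on_message(k3, 9000, 0.5)]
    flood = [gw.on_message(k4, 1500, 0.6) for _ in range(30)]
    obs["unknown_forwarded"] = flood.count("forward-unknown")
    gw.on_message(k1, 1500, 0.7, frozenset({"FIN"}))
    obs["k1_after_fin"] = k1 in gw.streams
    obs["expired"] = gw.expire_idle(100.0)
    obs["remaining"] = len(gw.streams)
    return obs
```

Two properties matter for a defender here. The user binding is written by record_user() only after the gateway's own session processing has identified the user, so the address information in a message selects an entry but never asserts an identity; and a sender that never completes that step stays on the shared limited rate (in the scenario, 13 of 30 back-to-back 1500-byte messages get through, the rest are dropped) while identified users keep their own budgets. Removing entries on FIN/RST and on idle timeout keeps the table bounded and prevents a later connection reusing the same address tuple from inheriting a stale user.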
Fig. 6 is a schematic diagram of a second embodiment of the VPN device provided by the invention.
The embodiment of the invention also provides a VPN device for implementing the method shown in Fig. 4. Said device comprises:
Distribution module 601, for allocating an independent IP address on the local area network (LAN) side to each user and recording the correspondence between said IP address and the user;
Third identification module 602, for performing user identification on messages entering the LAN side according to the correspondence between said IP addresses and users;
Third processing module 603, for determining, after the user corresponding to said message has been identified, said user's quality of service policy according to the correspondence between users and quality of service policies, and performing quality of service control on said message according to said quality of service policy.
It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "comprise", "comprising" or any other variant thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or device that comprises a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the statement "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or device that comprises said element.
The present invention may be described in the general context of computer-executable instructions executed by a computer, for example program modules. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. The invention may also be practiced in distributed computing environments, in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in local and remote computer storage media, including memory storage devices.
The above are only embodiments of the present invention. It should be pointed out that those skilled in the art may make improvements and modifications without departing from the principles of the invention, and such improvements and modifications shall also be regarded as falling within the scope of protection of the invention.

Claims (13)

1. A user quality of service control method for a virtual private network, characterized in that said method comprises:
a gateway receiving a message and obtaining the address information of said message;
judging according to the address information of said message whether said message belongs to a known connection or stream, and, if said message belongs to a known connection or stream, determining the user corresponding to said message; wherein said gateway records the correspondence between known streams or connections and users;
determining said user's quality of service policy according to the correspondence between users and quality of service policies, and performing quality of service control on said message according to said quality of service policy.
2. The method according to claim 1, characterized in that said method further comprises:
if said message does not belong to a known connection or stream, receiving said message at a limited rate.
3. The method according to claim 1 or 2, characterized in that said judging according to the address information of said message whether said message belongs to a known connection or stream is:
querying a stream table according to the address information of said message to determine whether it contains an entry corresponding to said message; if it does, judging that said message belongs to a known stream;
and said determining the user corresponding to said message is:
judging whether a user ID exists in said entry; if it does, determining the user corresponding to said message according to the correspondence between user IDs and users.
4. The method according to claim 3, characterized in that said method further comprises:
deleting the entry corresponding to said message when the TCP connection corresponding to said message is disconnected.
5. The method according to claim 3, characterized in that said method further comprises:
deleting the entry corresponding to said message when no message processing has taken place on the TCP connection corresponding to said message within a set time.
6. The method according to any one of claims 3 to 5, characterized in that the address information of said message, the correspondence between said user ID and the user, and the correspondence between said user and the quality of service policy are stored in the stream table.
7. The method according to claim 1, characterized in that said judging according to the address information of said message whether said message belongs to a known connection or stream is:
comparing the address information of said message with the address information of known connections, and, when the address information of said message is identical to that of a known connection, judging that said message belongs to a known connection;
and said determining the user corresponding to said message is:
determining the user corresponding to said message according to the correspondence between connections and users.
8. The method according to claim 7, characterized in that said determining the quality of service policy is:
if a plurality of connections correspond to the same user, determining that the quality of service policy is to set said plurality of connections to share said user's bandwidth.
9. The method according to claim 1, characterized in that, when it is judged that said message does not belong to a known connection or stream, said method further comprises:
after the gateway has processed said message and identified the user corresponding to said message, storing the correspondence between the connection or stream corresponding to said message and the user, together with said user's quality of service policy.
10. A VPN device, characterized in that said device comprises:
a memory, for recording the correspondence between known streams or connections and users, and the correspondence between users and quality of service policies;
an acquisition module, for receiving a message at the gateway and obtaining the address information of said message;
an identification module, for judging according to the address information of said message whether said message belongs to a known connection or stream, and, if said message belongs to a known connection or stream, determining the user corresponding to said message according to the correspondence between known streams or connections and users recorded in the memory;
a first processing module, for determining said user's quality of service policy according to the correspondence between users and quality of service policies recorded in said memory, and performing quality of service control on said message according to said quality of service policy.
11. The device according to claim 10, characterized in that said identification module is:
a first identification module, for querying a stream table according to the address information of said message to determine whether it contains an entry corresponding to said message; if it does, judging that said message belongs to a known stream; and, when said message belongs to a known stream, further determining the user corresponding to said message.
12. The device according to claim 10, characterized in that said identification module is:
a second identification module, for comparing the address information of said message with the address information of known connections and, when the address information of said message is identical to that of a known connection, judging that said message belongs to a known connection; if so, determining the user corresponding to said message according to the correspondence between connections and users.
13. The device according to claim 10, characterized in that said device further comprises:
a second processing module, for receiving said message at a limited rate if said message does not belong to a known connection or stream.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110334682.6A CN102394816B (en) 2011-10-28 2011-10-28 User service quality control method and equipment for virtual private network

Publications (2)

Publication Number Publication Date
CN102394816A true CN102394816A (en) 2012-03-28
CN102394816B CN102394816B (en) 2015-03-18

Family

ID=45862026

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103685008A (en) * 2012-08-31 2014-03-26 中国电信股份有限公司 Bidirectional message priority marking method and system
CN107124366A (en) * 2016-02-24 2017-09-01 中兴通讯股份有限公司 A kind of method for realizing service quality control, apparatus and system
CN112422396A (en) * 2020-11-04 2021-02-26 郑州信大捷安信息技术股份有限公司 TCP network transmission acceleration method and system based on SSLVPN channel
CN113645236A (en) * 2021-08-10 2021-11-12 北京天融信网络安全技术有限公司 Message processing method, device and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1859294A (en) * 2005-12-30 2006-11-08 华为技术有限公司 Method for providing QoS service for virtual special net user
CN101355516A (en) * 2008-09-09 2009-01-28 中兴通讯股份有限公司 Method and system for providing service quality tactics for various virtual special network
CN101488914A (en) * 2009-01-06 2009-07-22 杭州华三通信技术有限公司 Quality of service implementing method and provide edge equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant