CN102752220A - Method and equipment for identifying service type of quality of service (QoS) of SSL VPN (source socket layer) (virtual private network) data stream - Google Patents


Info

Publication number: CN102752220A
Authority: CN (China)
Prior art keywords: data flow, ssl vpn, service, ssl, qos type
Legal status: Granted
Application number: CN201210250261XA
Other languages: Chinese (zh)
Other versions: CN102752220B (en)
Inventor: 刘雄威
Current Assignee: New H3C Technologies Co Ltd
Original Assignee: Hangzhou H3C Technologies Co Ltd
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN201210250261.XA (granted as CN102752220B)
Publication of CN102752220A; application granted and published as CN102752220B
Current legal status: Active

Abstract

The invention discloses a method and equipment for identifying the quality-of-service (QoS) service type of an SSL VPN (Secure Socket Layer virtual private network) data flow, comprising the following steps: after detecting that a received data flow is an SSL VPN data flow, an access gateway judges whether the SSL VPN data flow satisfies a preset QoS service type request condition; if it does, the access gateway sends request information to the SSL VPN gateway to which the SSL VPN data flow is to be forwarded, the request information being used to request the QoS service type of the SSL VPN data flow; and the access gateway obtains the QoS service type of the SSL VPN data flow from the response information that the SSL VPN gateway returns for the request information. With this method and equipment, the access gateway can identify the QoS service type of the SSL VPN data flows it receives.

Description

Method and apparatus for identifying the quality-of-service (QoS) service type of an SSL VPN data flow
Technical field
The application relates to the field of network security, and in particular to a method and apparatus for identifying the QoS service type of an SSL VPN data flow.
Background
SSL (Secure Socket Layer) VPN (Virtual Private Network) is a newer VPN technology that uses the SSL protocol to provide remote access; it is based on HTTPS (Secure HTTP, i.e. HTTP carried over SSL). SSL VPN uses the standard SSL protocol to encrypt packets in transit, thereby protecting data at the application layer; it is widely used for Web-based secure remote access and provides security for users accessing a company's internal network remotely.
The typical network structure of an SSL VPN network is shown in Figure 1. The SSL VPN gateway sits at the edge of the enterprise network, between the servers in the enterprise network and the remote access users, and controls the communication between the two. The administrator creates on the SSL VPN gateway resources corresponding to the servers in the enterprise network. When a remote access user then accesses a server in the enterprise network, the user first establishes an HTTPS connection with the SSL VPN gateway and selects the resource to be accessed; the SSL VPN gateway forwards the access request to the server in the enterprise network, so that the servers in the enterprise network are protected.
At present, as SSL VPN gains popularity, more and more enterprises adopt an SSL VPN network architecture to meet their remote access needs. As shown in Figure 2, the enterprise deploys the SSL VPN gateway at its headquarters; the SSL clients in the local area network (LAN) of each branch establish an SSL VPN secure connection with the headquarters SSL VPN gateway through an access gateway, and then access the internal servers of the headquarters through the proxy function of the SSL VPN gateway. Specifically, the SSL client first encrypts the message destined for the internal server and sends it to the SSL VPN gateway; the SSL VPN gateway decrypts the encrypted message and sends it to the internal server. Messages sent by the internal server to the SSL client are handled in the same way.
However, in the above network the access gateway can only forward the SSL VPN data flow between the SSL client and the SSL VPN gateway. Because the SSL VPN data flow is encrypted, the access gateway cannot identify the QoS (Quality of Service) service type of the SSL VPN data flow, and therefore cannot apply the corresponding QoS processing according to that service type.
Summary of the invention
In view of this, the application provides a method and apparatus for identifying the QoS service type of an SSL VPN data flow, so that an access gateway can identify the QoS service type of the SSL VPN data flows it receives.
The technical scheme of the application comprises the following.
In one aspect, a method for identifying the QoS service type of an SSL VPN data flow is provided. The method is used in an SSL VPN network comprising an access gateway and an SSL VPN gateway, and comprises: after detecting that a received data flow is an SSL VPN data flow, the access gateway judges whether the SSL VPN data flow satisfies a preset QoS service type request condition; if the QoS service type request condition is satisfied, the access gateway sends a request message to the SSL VPN gateway to which the SSL VPN data flow will be forwarded, the request message being used to request the QoS service type of the SSL VPN data flow; and the access gateway obtains the QoS service type of the SSL VPN data flow from the response message that the SSL VPN gateway returns for the request message.
In another aspect, a further method for identifying the QoS service type of an SSL VPN data flow is provided. The method is used in an SSL VPN network comprising an access gateway and an SSL VPN gateway, and comprises: the SSL VPN gateway receives a request message sent by the access gateway, the request message being used to request the QoS service type of an SSL VPN data flow; the SSL VPN gateway determines the decrypted data flow corresponding to the SSL VPN data flow; and the SSL VPN gateway identifies the QoS service type of the decrypted data flow and returns a response message to the access gateway, so that the access gateway obtains the identified QoS service type from the response message as the QoS service type of the SSL VPN data flow.
In a further aspect, a routing and forwarding device is provided for use as the access gateway in an SSL VPN network comprising an access gateway and an SSL VPN gateway. The device comprises: a monitoring module, for monitoring whether a received data flow is an SSL VPN data flow; a judging module, for judging, when the monitoring module detects that the received data flow is an SSL VPN data flow, whether the SSL VPN data flow satisfies a preset QoS service type request condition; a transceiver module, for sending a request message to the SSL VPN gateway to which the SSL VPN data flow will be forwarded when the judging module judges that the SSL VPN data flow satisfies the QoS service type request condition, and for receiving the response message that the SSL VPN gateway returns for the request message, the request message being used to request the QoS service type of the SSL VPN data flow; and an acquisition module, for obtaining the QoS service type of the SSL VPN data flow from the response message.
In a further aspect, a routing and forwarding device is provided for use as the SSL VPN gateway in an SSL VPN network comprising an access gateway and an SSL VPN gateway. The device comprises: a transceiver module, for receiving the request message sent by the access gateway, the request message being used to request the QoS service type of an SSL VPN data flow, and for returning a response message to the access gateway so that the access gateway obtains from the response message the QoS service type identified by the identification module as the QoS service type of the SSL VPN data flow; a determination module, for determining the decrypted data flow corresponding to the SSL VPN data flow; and an identification module, for identifying the QoS service type of the decrypted data flow determined by the determination module.
In the application, after receiving an SSL VPN data flow, the access gateway can send a request message to the SSL VPN gateway to which the flow will be forwarded, requesting the QoS service type of the flow; after receiving the request message, the SSL VPN gateway can carry the QoS service type in a response message returned to the access gateway. The access gateway can thus identify the QoS service type of the SSL VPN data flow and apply the corresponding QoS processing to the flow according to that service type.
Description of the drawings
Fig. 1 is a schematic diagram of the network structure of an SSL VPN network in the prior art;
Fig. 2 is a schematic diagram of the network architecture in which an enterprise headquarters and its branches use SSL VPN networking in the prior art;
Fig. 3 is a flow chart of the method by which the access gateway identifies the QoS service type of an SSL VPN data flow in the SSL VPN network of embodiment one of the application;
Fig. 4 is a flow chart of the method by which the SSL VPN gateway identifies the QoS service type of an SSL VPN data flow in the SSL VPN network of embodiment two of the application;
Fig. 5 is a detailed operation flow chart of the access gateway in embodiment three of the application;
Fig. 6 is a detailed operation flow chart of the SSL VPN gateway in embodiment three of the application;
Fig. 7 is a schematic diagram of the message format of the request message and the response message in embodiment three of the application;
Fig. 8 is a schematic diagram of the format of the Data part of the message format shown in Figure 7;
Fig. 9 is a structural diagram of the routing and forwarding device applied to the access gateway in embodiment four of the application;
Figure 10 is a structural diagram of the routing and forwarding device applied to the SSL VPN gateway in embodiment four of the application.
Embodiments
To make the purpose, technical scheme and advantages of the application clearer, the application is further explained below with reference to the accompanying drawings and embodiments.
In the prior art, the access gateway can only forward the SSL VPN data flow between the SSL client and the SSL VPN gateway; because the SSL VPN data flow is encrypted, the access gateway cannot identify its QoS service type and cannot apply the corresponding QoS processing according to that service type. To address this problem, in the following embodiments of the application, after the access gateway judges that a received SSL VPN data flow satisfies a preset QoS service type request condition, it requests the QoS service type of that flow from the SSL VPN gateway to which the flow will be forwarded, and thereby obtains the QoS service type of the flow. In this way the access gateway can identify the QoS service type of the SSL VPN data flows it receives and apply the corresponding QoS processing to them. In the application, the QoS service type of an SSL VPN data flow means the QoS service type determined by the type of the encrypted data stream carried in the SSL VPN data flow.
Embodiment one
In the SSL VPN network shown in Figure 2, in order for the access gateway of each branch to identify the QoS service type of SSL VPN data flows, the processing flow on the access gateway side is as shown in Figure 3 and comprises the following steps:
Step S302: the access gateway detects that a received data flow is an SSL VPN data flow;
The access gateway device monitors the information of the data flows it forwards and judges from that information whether a data flow is an SSL VPN data flow.
Step S304: the access gateway judges whether this SSL VPN data flow satisfies a preset QoS service type request condition; if it does, proceed to step S306; if it does not, proceed to step S308;
The QoS service type request condition can be set in advance according to actual requirements. For example, the condition can be that the duration of the SSL VPN data flow exceeds a preset time threshold, or that the amount of SSL VPN data flow exceeds a preset amount threshold (or that the total number of messages in the SSL data flow exceeds a preset message count threshold), or a combination of these two conditions; other decision conditions are also possible, and the application does not limit this.
Step S306: the access gateway sends a request message to the SSL VPN gateway to which this SSL VPN data flow will be forwarded, requesting the QoS service type of the flow;
Specifically, the access gateway sends the request message to the SSL VPN gateway device indicated by the destination address of the SSL VPN data flow, requesting the QoS service type of the flow. QoS service types include video, voice, HTTP (HyperText Transfer Protocol), FTP (File Transfer Protocol) and so on.
Step S308: forward the SSL VPN data flow according to the prior-art process and exit this flow;
The prior-art process is generally as follows: the SSL VPN data flow is forwarded; if QoS processing of the flow is needed during forwarding, then, because the type of the encrypted data stream carried by the flow is not available and the corresponding QoS service type therefore cannot be obtained, QoS classification and queue scheduling of the flow can only be done on the basis of the unencrypted fields of the IP (Internet Protocol) header or TCP (Transmission Control Protocol) header of its messages; no deeper QoS identification and processing is performed.
Step S310: the access gateway obtains the QoS service type of this SSL VPN data flow from the response message that the SSL VPN gateway returns for the request message, so that it can apply the corresponding QoS processing to the flow according to that service type.
In this embodiment, after judging that a received SSL VPN data flow satisfies the preset QoS service type request condition, the access gateway requests the QoS service type of the flow from the SSL VPN gateway to which the flow will be forwarded, and thereby obtains it. In this way the access gateway can identify the QoS service type of the SSL VPN data flows it receives and apply the corresponding QoS processing to them according to that service type.
Embodiment two
In the SSL VPN network shown in Figure 2, in order for the access gateway of each branch to identify the QoS service type of SSL VPN data flows, the processing flow of the headquarters SSL VPN gateway is as shown in Figure 4 and comprises the following steps:
Step S402: the SSL VPN gateway receives a request message sent by the access gateway (namely the request message described in embodiment one, used to request the QoS service type of an SSL VPN data flow);
The request message can carry information about the SSL VPN data flow whose service type is requested.
Step S404: the SSL VPN gateway determines the decrypted data flow corresponding to the SSL VPN data flow requested in the request message;
To determine the decrypted data flow corresponding to the requested SSL VPN data flow (the decrypted data flow being the requested SSL VPN data flow after decryption), the SSL VPN gateway can maintain a local flow information mapping table; this can be an existing information table or a newly created one. The table records the correspondence between the information of each SSL VPN data flow and the information of its decrypted data flow. By looking up in this table the decrypted flow information corresponding to the SSL VPN flow information carried in the request message, the gateway can determine the decrypted data flow corresponding to the SSL VPN data flow.
Step S406: the SSL VPN gateway identifies the QoS service type of the decrypted data flow determined in step S404, carries the identified QoS service type in a response message and sends it to the access gateway, so that the access gateway obtains from the response message the requested QoS service type of the SSL VPN data flow and applies the corresponding QoS processing to the flow according to that service type.
The SSL VPN gateway can analyse the decrypted data flow with its own service module to derive the QoS service type of the decrypted flow, and then carry this QoS service type in the response message returned to the access gateway; the access gateway can then apply the corresponding QoS processing to the SSL VPN data flow according to the QoS service type returned by the SSL VPN gateway.
Embodiment three
In practical application, as shown in Figure 5, the access gateway can operate according to the following flow:
Step S502: receive a data flow;
Step S504: monitor in real time the information of the received data flow. A data flow can be defined by the five-tuple information of its messages (source IP, destination IP, source port, destination port and protocol number). From the protocol type and destination port of the received data flow, judge whether it is an SSL VPN data flow; if it is not an SSL VPN data flow, proceed to step S506; if it is, proceed to step S508;
Steps S502 to S504 above correspond to step S302 in embodiment one.
Step S506: forward the data flow according to the prior-art process and exit this flow;
Step S506 corresponds to step S308 in embodiment one.
Step S508: since QoS service type identification is only needed for SSL VPN data flows that will be forwarded to the SSL VPN gateway, the addresses of the SSL VPN gateways can be defined locally on the access gateway in advance. By judging whether the destination address of the SSL VPN data flow lies within the locally predefined range of SSL VPN gateway addresses, the access gateway judges whether this SSL VPN data flow needs QoS service type identification: if the destination address is not within the range of SSL VPN gateway addresses, the flow does not need QoS service type identification and the process proceeds to step S506; if the destination address is within the range, the flow needs QoS service type identification and the process proceeds to step S510;
Step S510: count the duration of this SSL VPN data flow, or count the total amount of this SSL VPN data flow;
Step S512: judge whether the duration or the total amount of this SSL VPN data flow exceeds the preset threshold; if not, proceed to step S506; if so, proceed to step S514;
Steps S508 to S512 correspond to step S304 in embodiment one.
Step S514: send the request message for the QoS service type of this SSL VPN data flow to the SSL VPN gateway to which the flow will be forwarded. The request message carries the original five-tuple information A of the SSL VPN data flow and the five-tuple information B after NAT (Network Address Translation) processing (if NAT is not enabled on the access gateway, then A = B). The address of the SSL VPN gateway to which the flow will be forwarded can be obtained from the destination address of the flow;
In this embodiment, five-tuple information A and five-tuple information B are the information of this SSL VPN data flow. Step S514 corresponds to step S306 in embodiment one.
After receiving the response message returned by the SSL VPN gateway, the access gateway can first judge whether the response message contains a QoS service type. If it does, the access gateway obtains the QoS service type from the response message and applies the corresponding QoS processing to the SSL VPN data flow according to that service type (corresponding to step S310 in embodiment one). If it does not, the access gateway continues to handle the flow according to the processing flow for ordinary SSL VPN data flows. Specifically, when the access gateway ultimately does not obtain an identified QoS service type for the SSL VPN data flow, or has sent the request message to the SSL VPN gateway but has not yet received a reply (that is, has not received the corresponding response message), the access gateway can place the SSL VPN data flow in a default queue or in a queue defined in advance for ordinary SSL VPN flows, and then forward the SSL VPN data flows in that queue according to the prior-art process. The prior-art process is described in step S308 of embodiment one and is not repeated here.
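The access-gateway flow of steps S502 to S514 (and steps S302 to S310 of embodiment one) as a small, self-contained model, added here as an illustration; this is not code from the patent or from the assignee. It assumes that an SSL VPN flow is recognised as TCP traffic to port 443 (the text only says "protocol type and destination port"), that NAT rewrites only the source IP so that B differs from A only there (and B = A when NAT is off), and that the queue names are constructed. The request condition is "duration exceeds a time threshold or message count exceeds a count threshold", as in step S512.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import ipaddress

# A flow is keyed by the five-tuple of its messages, as in step S504:
# (source IP, destination IP, protocol number, source port, destination port).
FiveTuple = Tuple[str, str, int, int, int]


@dataclass
class FlowState:
    first_seen: float               # time of the first message, for the duration test (S510)
    packets: int = 0                # message count, for the amount test (S510)
    requested: bool = False         # request message already sent for this flow (S514)
    qos_type: Optional[int] = None  # numeric QoS id from the gateway's response, if any


class AccessGateway:
    """Access-gateway side of the flow in Figure 5 (constructed model, not the patent's code)."""

    def __init__(self, gateway_ranges, time_threshold, packet_threshold,
                 ssl_vpn_port=443, nat_source_ip=None):
        # Locally predefined SSL VPN gateway address range (step S508).
        self.gateway_ranges = [ipaddress.ip_network(r) for r in gateway_ranges]
        self.time_threshold = time_threshold      # seconds (step S512)
        self.packet_threshold = packet_threshold  # messages (step S512)
        # Assumption: SSL VPN traffic is TCP to this destination port (step S504).
        self.ssl_vpn_port = ssl_vpn_port
        # Assumption: NAT rewrites only the source IP; B = A when NAT is off (step S514).
        self.nat_source_ip = nat_source_ip
        self.flows: Dict[FiveTuple, FlowState] = {}

    def is_ssl_vpn(self, ft: FiveTuple) -> bool:
        return ft[2] == 6 and ft[4] == self.ssl_vpn_port

    def to_ssl_vpn_gateway(self, ft: FiveTuple) -> bool:
        dst = ipaddress.ip_address(ft[1])
        return any(dst in r for r in self.gateway_ranges)

    def post_nat(self, ft: FiveTuple) -> FiveTuple:
        if self.nat_source_ip is None:
            return ft
        return (self.nat_source_ip, ft[1], ft[2], ft[3], ft[4])

    def handle_packet(self, ft: FiveTuple, now: float):
        """Returns "forward" (step S506) or ("request", A, B) when a request message
        for this flow's QoS service type must be sent to the gateway (step S514)."""
        if not self.is_ssl_vpn(ft) or not self.to_ssl_vpn_gateway(ft):
            return "forward"
        state = self.flows.setdefault(ft, FlowState(first_seen=now))
        state.packets += 1
        if state.requested:
            return "forward"  # at most one request per flow
        if (now - state.first_seen > self.time_threshold
                or state.packets > self.packet_threshold):
            state.requested = True
            return ("request", ft, self.post_nat(ft))
        return "forward"

    def handle_response(self, ft: FiveTuple, qos_type: Optional[int]) -> None:
        """Records the QoS id returned by the gateway; None or 0 means unidentified."""
        state = self.flows.get(ft)
        if state is not None and qos_type:
            state.qos_type = qos_type

    def queue_for(self, ft: FiveTuple) -> str:
        """Queue selection: a per-type queue once identified, otherwise the default
        queue for ordinary SSL VPN flows (queue names are constructed here)."""
        state = self.flows.get(ft)
        if state is None or state.qos_type is None:
            return "default"
        return "qos-%d" % state.qos_type
```

A flow that never gets an answer stays in the default queue and keeps being forwarded, which is the behaviour the text prescribes for an unanswered request; nothing is held back waiting for the gateway.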
Correspondingly, as shown in Figure 6, to cooperate with the access gateway in identifying the QoS service type of SSL VPN data flows, the SSL VPN gateway can operate according to the following flow:
Step S602: the SSL VPN gateway receives the request message sent by the access gateway; this step corresponds to step S402 in embodiment two;
Step S604: according to the five-tuple information B carried in the request message, look up in the local flow information mapping table the information of the data flow, decrypted by the SSL VPN gateway, that corresponds to five-tuple information B;
Step S606: judge whether the information of the decrypted data flow was found; if it was, proceed to step S608; if the flow information mapping table holds no record of a decrypted data flow corresponding to five-tuple information B, so that no such information is found, proceed to step S614;
Step S608: denote the decrypted data flow whose information was found as decrypted data flow C; the decrypted data flow corresponding to this SSL VPN data flow is thus determined to be data flow C. The SSL VPN gateway identifies the QoS service type of decrypted data flow C using existing flow recognition techniques, for example according to message information defined by ACLs, signature information contained in the messages, message length information and so on;
Step S610: judge whether the QoS service type of decrypted data flow C has been identified; if it has, proceed to step S612; if it cannot be identified, proceed to step S614;
Step S612: fill the identifier of the identified QoS service type into the response message, and proceed to step S616;
The QoS service type can be identified by a number, to avoid leaking information about the SSL VPN data flow. In that case the access gateway and the SSL VPN gateway need to agree in advance on the various QoS service types and their corresponding numeric identifiers, so that the access gateway can correctly parse the QoS service type filled in by the SSL VPN gateway.
Step S614: fill the QoS service type in the response message with a null value or a particular value, indicating that the QoS service type of this SSL VPN data flow cannot be identified;
Step S616: reply with the response message to the access gateway.
Steps S604 to S612 correspond to steps S404 to S406 in embodiment two.
In practical application, the request message and the response message can use the format shown in Figure 7; obviously, the format can also be adjusted according to the specific implementation.
In Fig. 7, the meaning of each field is as follows:
OP: the operation type; OP=1 denotes a request message and OP=2 a response message; length 1 byte (octet);
ID: the message identifier, used to match a request with its response; the ID in a request message is generated at random, and the ID in a response message must equal the ID of the corresponding request message; length 2 bytes;
Count: the number of Data entries in the request or response message; length 1 byte;
Data: the payload data, whose format is shown in Figure 8.
In Fig. 8, the meaning of each field is as follows:
Index: the index of the SSL VPN data flow; the index of each SSL VPN data flow is unique; length 4 bytes;
A: the five-tuple information of the SSL VPN data flow before NAT translation, formed by concatenating the source IP, destination IP, protocol number, source port and destination port; length 13 bytes;
B: the five-tuple information of the SSL VPN data flow after NAT translation, formed by concatenating the source IP, destination IP, protocol number, source port and destination port; length 13 bytes;
QoS: the identifier of the QoS service type of the SSL VPN data flow. In a request message this value is all zeros; in a response message the SSL VPN gateway fills in the QoS service type of the SSL VPN data flow, or all zeros or a particular value if the QoS service type of the flow cannot be identified; length 2 bytes;
When transmitted, the request message and the response message can be protected using existing IPSec (IP security) or SSL VPN technology; where no security-sensitive information is revealed, the above messages can also be transmitted directly over TCP or UDP (User Datagram Protocol); the application does not limit this.
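The Figure 7/8 message format and the gateway-side flow of steps S602 to S616 (and steps S402 to S406 of embodiment two), worked through as an added example; this is illustration code, not the patent's or the assignee's. It assumes network byte order and IPv4 (the 13-byte A/B length only fits 4-byte addresses), uses constructed numeric QoS identifiers (the text only requires that both gateways agree on them), and stands in for the gateway's own flow recognition with a port-based lookup over a constructed mapping table. The parser rejects an unknown OP or a length that disagrees with Count, and the access-gateway side accepts only a response whose ID matches the request it sent, which is the matching rule the ID field exists for.

```python
import ipaddress
import struct
from typing import Callable, Dict, List, Optional, Tuple

# Figure 7 header: OP (1 byte), ID (2 bytes), Count (1 byte), network byte order.
HEADER = struct.Struct("!BHB")
# Figure 8 entry: Index (4), A (13), B (13), QoS (2) = 32 bytes.
ENTRY = struct.Struct("!I13s13sH")
OP_REQUEST, OP_RESPONSE = 1, 2
QOS_UNKNOWN = 0  # all zeros in a request; "cannot identify" in a response (step S614)
# Constructed identifiers: the page only says both gateways must agree on them.
QOS_IDS = {"video": 1, "voice": 2, "http": 3, "ftp": 4}

Entry = Tuple[int, bytes, bytes, int]


def pack_five_tuple(src_ip: str, dst_ip: str, proto: int, sport: int, dport: int) -> bytes:
    """Concatenates source IP, destination IP, protocol, source port and destination
    port into the 13-byte A/B field (IPv4 only, as the 13-byte length implies)."""
    return (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
            + bytes([proto]) + struct.pack("!HH", sport, dport))


def unpack_five_tuple(b: bytes) -> Tuple[str, str, int, int, int]:
    if len(b) != 13:
        raise ValueError("five-tuple field must be 13 bytes")
    sport, dport = struct.unpack("!HH", b[9:13])
    return (str(ipaddress.IPv4Address(b[0:4])), str(ipaddress.IPv4Address(b[4:8])),
            b[8], sport, dport)


def build_message(op: int, msg_id: int, entries: List[Entry]) -> bytes:
    if not 0 <= len(entries) <= 0xFF:
        raise ValueError("Count is a single byte")
    body = b"".join(ENTRY.pack(idx, a, b, qos) for idx, a, b, qos in entries)
    return HEADER.pack(op, msg_id, len(entries)) + body


def parse_message(data: bytes) -> Tuple[int, int, List[Entry]]:
    """Decodes a message, rejecting unknown OP values and any total length that
    does not match Count, so a truncated or padded message is never half-parsed."""
    if len(data) < HEADER.size:
        raise ValueError("message shorter than header")
    op, msg_id, count = HEADER.unpack_from(data, 0)
    if op not in (OP_REQUEST, OP_RESPONSE):
        raise ValueError("unknown OP %d" % op)
    expected = HEADER.size + count * ENTRY.size
    if len(data) != expected:
        raise ValueError("length %d does not match Count=%d" % (len(data), count))
    entries = [ENTRY.unpack_from(data, HEADER.size + i * ENTRY.size) for i in range(count)]
    return op, msg_id, entries


def is_well_formed(data: bytes) -> bool:
    try:
        parse_message(data)
        return True
    except ValueError:
        return False


class SslVpnGateway:
    """SSL VPN gateway side of Figure 6 (constructed model, not the patent's code)."""

    def __init__(self, flow_table: Dict[bytes, dict], classify: Callable[[dict], Optional[int]]):
        self.flow_table = flow_table  # post-NAT tuple B -> decrypted flow record (step S604)
        self.classify = classify      # stand-in for the gateway's flow recognition (step S608)

    def handle_request(self, data: bytes) -> bytes:
        op, msg_id, entries = parse_message(data)  # step S602
        if op != OP_REQUEST:
            raise ValueError("expected a request message")
        out: List[Entry] = []
        for index, a, b, _ in entries:
            decrypted = self.flow_table.get(b)  # steps S604/S606
            qos = QOS_UNKNOWN                   # step S614 when not found or not identified
            if decrypted is not None:
                qos = self.classify(decrypted) or QOS_UNKNOWN  # steps S608/S610/S612
            out.append((index, a, b, qos))
        return build_message(OP_RESPONSE, msg_id, out)  # same ID as the request, step S616


def parse_response(data: bytes, expected_id: int) -> Dict[int, Optional[int]]:
    """Access-gateway side: accepts only the response whose ID matches the request
    it sent, and maps each flow Index to its QoS id (None if unidentified)."""
    op, msg_id, entries = parse_message(data)
    if op != OP_RESPONSE or msg_id != expected_id:
        raise ValueError("not the response to our request")
    return {index: (qos if qos != QOS_UNKNOWN else None) for index, _, _, qos in entries}


def demo() -> Dict[int, Optional[int]]:
    """Constructed exchange: one flow known to the gateway's mapping table, one not."""
    a = pack_five_tuple("10.1.1.20", "203.0.113.10", 6, 51000, 443)     # A, before NAT
    b = pack_five_tuple("198.51.100.7", "203.0.113.10", 6, 51000, 443)  # B, after NAT
    unknown_b = pack_five_tuple("198.51.100.7", "203.0.113.10", 6, 52000, 443)
    table = {b: {"inner_dst_port": 80}}  # constructed: decrypted flow of b goes to port 80
    by_port = {80: QOS_IDS["http"], 21: QOS_IDS["ftp"]}
    gw = SslVpnGateway(table, lambda f: by_port.get(f["inner_dst_port"]))
    request = build_message(OP_REQUEST, 0x1234,
                            [(1, a, b, QOS_UNKNOWN), (2, a, unknown_b, QOS_UNKNOWN)])
    response = gw.handle_request(request)
    return parse_response(response, 0x1234)  # {1: 3, 2: None}
```

The unknown flow comes back with QoS = 0, which the access gateway maps to "unidentified" and keeps in its default queue, exactly the fall-through of steps S606 and S614; the lookup is keyed on B because that is the tuple the gateway itself saw after NAT.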
Embodiment four
Corresponding to the method among the embodiment one; The application embodiment provides the routing forwarding equipment of the IAD in a kind of SSL of being applied to VPN network; Include IAD and SSLVPN gateway in the SSL VPN network; This IAD can be under the cooperation of SSL vpn gateway, and identification obtains the QoS type of service of SSL VPN data flow.As shown in Figure 9, this routing forwarding equipment 10 that is used for IAD comprises: monitoring modular 102, judge module 104, transceiver module 106 and acquisition module 108, wherein:
Monitoring modular 102 is used to monitor whether the data flow that transceiver module 106 receives is SSL VPN data flow; Concrete monitoring mode can repeat no more referring to embodiment three here.
Judge module 104; Be used for when the data flow that monitoring modular 102 monitors reception is SSL VPN data flow; Judge whether this SSL VPN data flow satisfies preset QoS type of service request condition; Wherein, the quantity that this QoS type of service request condition can surpass preset time threshold or SSL VPN data flow for the duration of SSL VPN data flow surpasses preset amount threshold or both combinations, also can be other condition.
Transceiver module 106; Be used for when judge module 104 is judged this SSL VPN data flow and satisfied QoS type of service request condition; The SSL vpn gateway (i.e. the indicated SSL VPN data flow of the destination address of this data flow) that will be forwarded to this SSL VPN data flow sends a request message, and, receive the response message that this SSL vpn gateway returns to this request message; Wherein, request message is used to ask the QoS type of service of SSL VPN data flow;
Acquisition module 108 is used for obtaining from this response message that transceiver module 106 receives the QoS type of service of this SSLVPN data flow, handles so that this routing forwarding equipment 10 can carry out corresponding QoS to this SSL VPN data flow according to this QoS type of service.
In practical application; Judge module 104 can also monitor after data flow that transceiver module 106 receives is SSL VPN data flow at monitoring modular 102; Before judging whether this SSL VPN data flow satisfies preset QoS type of service request condition; Whether whether the destination address of judging earlier this SSL VPN data flow in preset SSL vpn gateway address realm, need discern the QoS type of service to confirm this SSL VPN data flow, as if in scope; Then definite this SSL VPN data flow need be discerned the QoS type of service, carries out then and judges whether this SSL VPN data flow satisfies the step of QoS type of service request condition; If not in scope, then definite this SSL VPN data flow need not discerned the QoS type of service, and this routing forwarding equipment can be handled this data flow according to existing handling process.
Present embodiment also provides the routing forwarding equipment of the SSL vpn gateway in a kind of SSL of being applied to VPN network; Include IAD and SSL vpn gateway in this SSL VPN network; This SSL vpn gateway can cooperate IAD, makes IAD can identify the QoS type of service of SSL VPN data flow.Shown in figure 10, this routing forwarding equipment 20 that is used for the SSL vpn gateway comprises: transceiver module 202, determination module 204 and identification module 206, wherein:
Transceiver module 202; Be used to receive IAD (as shown in Figure 9) sent request message, wherein, request message is used to ask the QoS type of service of SSL VPN data flow; And; Return response message to IAD, so that IAD obtains the QoS type of service that identification module 206 identifies from this response message, as the QoS type of service of this SSL VPN data flow;
Determination module 204 is used for confirming data flow after the deciphering corresponding with this SSL VPN data flow;
Identification module 206 is used to discern the QoS type of service of data flow after the deciphering that determination module 204 determines.
In practical application; Can carry the information of the SSL VPN data flow of request to some extent in the IAD sent request message, then, determination module 204 is through in the traffic flow information correspondence table; Search traffic flow information after the deciphering corresponding with the information of SSLVPN data flow; Come to confirm data flow after the deciphering corresponding, wherein, write down SSL VPN data flow in the traffic flow information correspondence table and deciphered the corresponding relation between the information of back data flow with this SSL VPN data flow.
In summary, the above embodiments of the present application can achieve the following technical effects:
In the above embodiments of the present application, after receiving an SSL VPN data flow (an encrypted data flow), the access gateway can send a request message to the SSL VPN gateway to which this SSL VPN data flow is to be forwarded, to request the QoS service type of this SSL VPN data flow. After receiving this request message, the SSL VPN gateway can look up the decrypted data flow corresponding to this SSL VPN data flow, identify the QoS service type of that decrypted data flow, and carry this QoS service type in a response message returned to the access gateway. Thus, the access gateway can identify the QoS service type of this SSL VPN data flow, and can then perform the corresponding QoS processing on this SSL VPN data flow according to that QoS service type.
The above are merely preferred embodiments of the present application and are not intended to limit the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included within the scope of protection of the present application.

Claims (11)

1. A method for identifying a quality of service (QoS) service type of a Secure Sockets Layer (SSL) virtual private network (VPN) data flow, applied to an SSL VPN network comprising an access gateway and an SSL VPN gateway, characterized in that the method comprises:
after detecting that a received data flow is an SSL VPN data flow, the access gateway judges whether the SSL VPN data flow satisfies a preset QoS service type request condition;
if the QoS service type request condition is satisfied, the access gateway sends a request message to the SSL VPN gateway to which the SSL VPN data flow is to be forwarded, wherein the request message is used to request the QoS service type of the SSL VPN data flow; and
the access gateway obtains the QoS service type of the SSL VPN data flow from a received response message returned by the SSL VPN gateway for the request message.
2. The method according to claim 1, characterized in that the QoS service type request condition comprises at least one of the following: the duration of the SSL VPN data flow exceeds a preset time threshold, and the total amount of the SSL VPN data flow exceeds a preset amount threshold.
3. The method according to claim 1 or 2, characterized in that, after detecting that the received data flow is an SSL VPN data flow and before judging whether the SSL VPN data flow satisfies the preset QoS service type request condition, the method further comprises:
the access gateway judging that the destination address of the SSL VPN data flow lies within a preset SSL VPN gateway address range, so as to determine that the QoS service type of the SSL VPN data flow needs to be identified.
4. The method according to claim 1, characterized in that network address translation (NAT) is enabled on the access gateway, and the request message comprises: the original five-tuple information of the SSL VPN data flow and the five-tuple information after NAT.
5. A method for identifying a quality of service (QoS) service type of a Secure Sockets Layer (SSL) virtual private network (VPN) data flow, applied to an SSL VPN network comprising an access gateway and an SSL VPN gateway, characterized in that the method comprises:
the SSL VPN gateway receives a request message sent by the access gateway, wherein the request message is used to request the QoS service type of an SSL VPN data flow;
the SSL VPN gateway determines a decrypted data flow corresponding to the SSL VPN data flow; and
the SSL VPN gateway identifies the QoS service type of the decrypted data flow and returns a response message to the access gateway, so that the access gateway obtains the identified QoS service type from the response message as the QoS service type of the SSL VPN data flow.
6. The method according to claim 5, characterized in that the request message carries information about the SSL VPN data flow, and the SSL VPN gateway determining the decrypted data flow corresponding to the SSL VPN data flow comprises:
the SSL VPN gateway looking up, in a flow information correspondence table, the decrypted flow information corresponding to the information about the SSL VPN data flow, wherein the flow information correspondence table records the correspondence between the information of SSL VPN data flows and the information of the decrypted data flows.
7. A routing and forwarding device, applied to an access gateway in an SSL VPN network comprising the access gateway and a Secure Sockets Layer (SSL) virtual private network (VPN) gateway, characterized in that the device comprises:
a monitoring module, configured to monitor whether a received data flow is an SSL VPN data flow;
a judging module, configured to judge, when the monitoring module detects that the received data flow is an SSL VPN data flow, whether the SSL VPN data flow satisfies a preset quality of service (QoS) service type request condition;
a transceiver module, configured to, when the judging module judges that the SSL VPN data flow satisfies the QoS service type request condition, send a request message to the SSL VPN gateway to which the SSL VPN data flow is to be forwarded, and to receive a response message returned by the SSL VPN gateway for the request message, wherein the request message is used to request the QoS service type of the SSL VPN data flow; and
an acquisition module, configured to obtain the QoS service type of the SSL VPN data flow from the response message.
8. The routing and forwarding device according to claim 7, characterized in that the QoS service type request condition comprises at least one of the following: the duration of the SSL VPN data flow exceeds a preset time threshold, and the total amount of the SSL VPN data flow exceeds a preset amount threshold.
9. The routing and forwarding device according to claim 7 or 8, characterized in that the judging module is further configured to, when the monitoring module detects that the received data flow is an SSL VPN data flow and before judging whether the SSL VPN data flow satisfies the preset QoS service type request condition, first judge that the destination address of the SSL VPN data flow lies within a preset SSL VPN gateway address range, so as to determine that the QoS service type of the SSL VPN data flow needs to be identified.
10. A routing and forwarding device, applied to a Secure Sockets Layer (SSL) virtual private network (VPN) gateway in an SSL VPN network comprising an access gateway and the SSL VPN gateway, characterized in that the device comprises:
a transceiver module, configured to receive a request message sent by the access gateway, wherein the request message is used to request the quality of service (QoS) service type of an SSL VPN data flow, and to return a response message to the access gateway, so that the access gateway obtains the QoS service type identified by an identification module from the response message as the QoS service type of the SSL VPN data flow;
a determination module, configured to determine a decrypted data flow corresponding to the SSL VPN data flow; and
the identification module, configured to identify the QoS service type of the decrypted data flow determined by the determination module.
11. The routing and forwarding device according to claim 10, characterized in that the request message carries information about the SSL VPN data flow, and the determination module is configured to determine the decrypted data flow corresponding to the SSL VPN data flow by looking up, in a flow information correspondence table, the decrypted flow information corresponding to the information about the SSL VPN data flow, wherein the flow information correspondence table records the correspondence between the information of SSL VPN data flows and the information of the decrypted data flows.
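The access gateway / SSL VPN gateway exchange described in the embodiment above and in claims 1 to 11, as an added simulation that is not part of the patent: the address-range pre-check, the duration and byte-count request condition, the request carrying both the original and the post-NAT five-tuple, and the gateway's lookup in a flow information correspondence table. The message layout, the class and function names, the sample addresses and the port-based classifier are assumptions; the patent does not specify how the SSL VPN gateway classifies the decrypted flow.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class FiveTuple:  # hypothetical flow key: the "five-tuple information" of claim 4
    src: str; sport: int; dst: str; dport: int; proto: str = "tcp"

class AccessGateway:
    def __init__(self, ssl_vpn_gateway_nets, time_threshold_s, byte_threshold, nat_table=None):
        self.nets = [ipaddress.ip_network(n) for n in ssl_vpn_gateway_nets]  # preset address range
        self.time_threshold_s = time_threshold_s
        self.byte_threshold = byte_threshold
        self.nat_table = nat_table or {}  # original five-tuple -> post-NAT five-tuple (constructed)
        self.qos_cache = {}               # SSL VPN flow -> QoS type learned from the response

    def needs_qos_identification(self, flow):
        # Pre-check of claim 3: destination must lie in the preset SSL VPN gateway address range.
        return any(ipaddress.ip_address(flow.dst) in net for net in self.nets)

    def meets_request_condition(self, duration_s, total_bytes):
        # Claim 2: either the duration threshold or the byte-count threshold triggers a request.
        return duration_s > self.time_threshold_s or total_bytes > self.byte_threshold

    def build_request(self, flow):
        # Claim 4: with NAT enabled, carry both the original and the post-NAT five-tuple.
        return {"orig": flow, "nat": self.nat_table.get(flow, flow)}

    def handle_ssl_vpn_flow(self, flow, duration_s, total_bytes, ssl_vpn_gw):
        if not (self.needs_qos_identification(flow)
                and self.meets_request_condition(duration_s, total_bytes)):
            return None  # out of range, or still short and small: forward with the existing process
        response = ssl_vpn_gw.handle_request(self.build_request(flow))
        self.qos_cache[flow] = response["qos_type"]
        return response["qos_type"]

class SslVpnGateway:
    def __init__(self, correspondence_table, classify):
        self.table = correspondence_table  # encrypted five-tuple as seen here -> decrypted five-tuple
        self.classify = classify           # decrypted five-tuple -> QoS type (left open by the patent)

    def handle_request(self, request):
        # Assumption: the gateway sees the post-NAT tuple on the wire, so that is the lookup key.
        decrypted = self.table.get(request["nat"])
        return {"qos_type": self.classify(decrypted) if decrypted is not None else None}

def classify_by_port(decrypted):
    # Constructed classifier: QoS type from the inner (decrypted) destination port.
    return {5060: "voice", 3389: "remote-desktop"}.get(decrypted.dport, "best-effort")

def run_demo():
    # Constructed topology: client 10.0.0.5 behind NAT, SSL VPN gateway at 203.0.113.10.
    orig = FiveTuple("10.0.0.5", 40000, "203.0.113.10", 443)
    natted = FiveTuple("198.51.100.1", 61000, "203.0.113.10", 443)
    inner = FiveTuple("10.0.0.5", 40001, "172.16.0.20", 5060, "udp")
    ag = AccessGateway(["203.0.113.0/24"], 5.0, 100_000, {orig: natted})
    gw = SslVpnGateway({natted: inner}, classify_by_port)
    too_small = ag.handle_ssl_vpn_flow(orig, 1.0, 2_000, gw)    # below both thresholds
    learned = ag.handle_ssl_vpn_flow(orig, 1.0, 250_000, gw)    # byte threshold exceeded
    other = ag.handle_ssl_vpn_flow(FiveTuple("10.0.0.6", 40002, "192.0.2.7", 443), 60.0, 10**7, gw)
    return too_small, learned, other  # -> (None, "voice", None)
```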

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210250261.XA CN102752220B (en) 2012-07-19 2012-07-19 Identify the method and apparatus of the service quality QoS type of service of SSL VPN data stream


Publications (2)

Publication Number Publication Date
CN102752220A (en) 2012-10-24
CN102752220B (en) 2016-04-06




Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Patentee after: New H3C Technologies Co., Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: Hangzhou H3C Technologies Co., Ltd.

CP03 Change of name, title or address