CN102752220B - Method and apparatus for identifying the quality-of-service (QoS) service type of an SSL VPN data flow


Info

Publication number
CN102752220B
Authority
CN
China
Prior art keywords
sslvpn
data flow
service
qos type
iad
Prior art date
Legal status
Active
Application number
CN201210250261.XA
Other languages
Chinese (zh)
Other versions
CN102752220A (en)
Inventor
刘雄威
Current Assignee
New H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd

Abstract

This application discloses a method and apparatus for identifying the quality-of-service (QoS) service type of an SSL VPN data flow. The method comprises: after detecting that a received data flow is an SSL VPN data flow, an access gateway judges whether the SSL VPN data flow meets a preset QoS service type request condition; if the condition is met, the access gateway sends a request message to the SSL VPN gateway to which the SSL VPN data flow will be forwarded, the request message requesting the QoS service type of the SSL VPN data flow; the access gateway then obtains the QoS service type of the SSL VPN data flow from the response message returned by the SSL VPN gateway for the request message. The application enables the access gateway to identify the QoS service type of a received SSL VPN data flow.

Description

Method and apparatus for identifying the quality-of-service (QoS) service type of an SSL VPN data flow
Technical field
The application relates to the technical field of network security, and in particular to a method and apparatus for identifying the quality-of-service (QoS) service type of an SSL VPN data flow.
Background art
SSL (Secure Socket Layer) VPN (Virtual Private Network) is a VPN technology that uses the SSL protocol to provide remote access; it is based on HTTPS (Secure HTTP, that is, HTTP over SSL). SSL VPN encrypts packets in transit with the standard SSL protocol and thereby protects the security of data at the application layer. It is widely used for web-based secure remote access and provides security assurance for users who remotely access a company's internal network.
The typical network architecture of an SSL VPN network is shown in Figure 1. The SSL VPN gateway sits at the edge of the enterprise network, between the servers in the enterprise network and the remote access users, and controls the communication between the two. The administrator creates on the SSL VPN gateway the resources corresponding to the enterprise network servers. When a remote access user then accesses a server in the enterprise network, the user first establishes an HTTPS connection with the SSL VPN gateway and selects the resource to be accessed; the SSL VPN gateway forwards the access request to the server in the enterprise network, thereby protecting the servers in the enterprise network.
At present, as SSL VPN applications gain popularity, more and more enterprises adopt an SSL VPN network architecture to meet their remote access needs. As shown in Figure 2, the enterprise deploys an SSL VPN gateway at headquarters; an SSL client in the local area network (LAN) of each branch establishes an SSL VPN secure connection with the headquarters SSL VPN gateway through the access gateway, and then accesses the headquarters internal servers via the proxy of the SSL VPN gateway. Specifically, the SSL client first encrypts the message for accessing the internal server and sends it to the SSL VPN gateway; the SSL VPN gateway decrypts the encrypted message and sends it to the internal server. Messages sent by the internal server to the SSL client are handled in the same way.
In the above network, however, the access gateway can only forward the SSL VPN data flow between the SSL client and the SSL VPN gateway. Because the SSL VPN data flow is encrypted, the access gateway cannot identify the QoS (Quality of Service) service type of the SSL VPN data flow, and therefore cannot perform the corresponding QoS processing according to that QoS service type.
Summary of the invention
In view of this, the application provides a method and apparatus for identifying the QoS service type of an SSL VPN data flow, so that an access gateway can identify the QoS service type of a received SSL VPN data flow.
The technical scheme of the application comprises the following.
In one aspect, a method for identifying the QoS service type of an SSL VPN data flow is provided, for use in an SSL VPN network comprising an access gateway and an SSL VPN gateway. The method comprises: after detecting that a received data flow is an SSL VPN data flow, the access gateway judges whether the SSL VPN data flow meets a preset QoS service type request condition; if the QoS service type request condition is met, the access gateway sends a request message to the SSL VPN gateway to which the SSL VPN data flow will be forwarded, the request message requesting the QoS service type of the SSL VPN data flow; the access gateway obtains the QoS service type of the SSL VPN data flow from the response message returned by the SSL VPN gateway for the request message.
In another aspect, a method for identifying the QoS service type of an SSL VPN data flow is also provided, for use in an SSL VPN network comprising an access gateway and an SSL VPN gateway. The method comprises: the SSL VPN gateway receives a request message sent by the access gateway, the request message requesting the QoS service type of an SSL VPN data flow; the SSL VPN gateway determines the decrypted data flow corresponding to the SSL VPN data flow; the SSL VPN gateway identifies the QoS service type of the decrypted data flow and returns a response message to the access gateway, so that the access gateway obtains the identified QoS service type from the response message as the QoS service type of the SSL VPN data flow.
In a further aspect, a routing and forwarding device is provided, which is the access gateway in an SSL VPN network comprising an access gateway and an SSL VPN gateway. The device comprises: a monitoring module, for monitoring whether a received data flow is an SSL VPN data flow; a judging module, for judging, when the monitoring module detects that the received data flow is an SSL VPN data flow, whether the SSL VPN data flow meets a preset QoS service type request condition; a transceiver module, for sending a request message to the SSL VPN gateway to which the SSL VPN data flow will be forwarded when the judging module judges that the SSL VPN data flow meets the QoS service type request condition, and for receiving the response message returned by the SSL VPN gateway for the request message, the request message requesting the QoS service type of the SSL VPN data flow; and an acquisition module, for obtaining the QoS service type of the SSL VPN data flow from the response message.
In a further aspect, a routing and forwarding device is also provided, which is the SSL VPN gateway in an SSL VPN network comprising an access gateway and an SSL VPN gateway. The device comprises: a transceiver module, for receiving a request message sent by the access gateway, the request message requesting the QoS service type of an SSL VPN data flow, and for returning a response message to the access gateway so that the access gateway obtains the QoS service type identified by the identification module from the response message as the QoS service type of the SSL VPN data flow; a determination module, for determining the decrypted data flow corresponding to the SSL VPN data flow; and an identification module, for identifying the QoS service type of the decrypted data flow determined by the determination module.
In the application, after receiving an SSL VPN data flow, the access gateway can send a request message to the SSL VPN gateway to which the SSL VPN data flow will be forwarded, requesting the QoS service type of that SSL VPN data flow; after receiving the request message, the SSL VPN gateway can carry the QoS service type in a response message returned to the access gateway. The access gateway can thus identify and obtain the QoS service type of the SSL VPN data flow, and then perform the corresponding QoS processing on the SSL VPN data flow according to that QoS service type.
Brief description of the drawings
Figure 1 is a schematic diagram of the network architecture of an SSL VPN network in the prior art;
Figure 2 is a schematic diagram of a prior-art network architecture in which an enterprise headquarters and its branches are networked by SSL VPN;
Figure 3 is a flow chart of the method by which the access gateway identifies the QoS service type of an SSL VPN data flow in the SSL VPN network of embodiment one of the application;
Figure 4 is a flow chart of the method by which the SSL VPN gateway identifies the QoS service type of an SSL VPN data flow in the SSL VPN network of embodiment two of the application;
Figure 5 is a flow chart of the specific operation of the access gateway in embodiment three of the application;
Figure 6 is a flow chart of the specific operation of the SSL VPN gateway in embodiment three of the application;
Figure 7 is a schematic diagram of the message format of the request message and the response message in embodiment three of the application;
Figure 8 is a schematic diagram of the format of the Data part of the message format shown in Figure 7;
Figure 9 is a schematic structural diagram of the routing and forwarding device applied to the access gateway in embodiment four of the application;
Figure 10 is a schematic structural diagram of the routing and forwarding device applied to the SSL VPN gateway in embodiment four of the application.
Detailed description of the embodiments
To make the objectives, technical scheme and advantages of the application clearer, the application is further described below with reference to the accompanying drawings and embodiments.
In the prior art, the access gateway can only forward the SSL VPN data flow between the SSL client and the SSL VPN gateway; because the SSL VPN data flow is encrypted, the access gateway cannot identify the QoS service type of the SSL VPN data flow and cannot perform the corresponding QoS processing according to it. To address this problem, in the following embodiments of the application, after judging that a received SSL VPN data flow meets a pre-set QoS service type request condition, the access gateway requests the QoS service type of that SSL VPN data flow from the SSL VPN gateway to which the flow will be forwarded, and so obtains the QoS service type of the SSL VPN data flow. In this way the access gateway can identify the QoS service type of a received SSL VPN data flow and perform the corresponding QoS processing on it. In the application, the QoS service type of an SSL VPN data flow refers to the QoS service type determined according to the type of the encrypted data carried by the SSL VPN data flow.
Embodiment one
In the SSL VPN network shown in Figure 2, in order to enable the access gateway of each branch to identify the QoS service type of an SSL VPN data flow, the processing flow on the access gateway side, shown in Figure 3, comprises the following steps:
Step S302: the access gateway detects that a received data flow is an SSL VPN data flow.
The access gateway device monitors the information of the data flows it forwards and judges from that information whether a data flow is an SSL VPN data flow.
Step S304: the access gateway judges whether this SSL VPN data flow meets the preset QoS service type request condition; if so, proceed to step S306, otherwise proceed to step S308.
The QoS service type request condition can be pre-set according to actual requirements. For example, the condition can be that the duration of the SSL VPN data flow exceeds a preset time threshold, or that the volume of the SSL VPN data flow exceeds a preset volume threshold (or that the total number of messages in the SSL data flow exceeds a preset message count threshold), or a combination of these two conditions; other decision conditions are also possible, and the application does not limit this.
Step S306: the access gateway sends a request message to the SSL VPN gateway to which this SSL VPN data flow will be forwarded, requesting the QoS service type of this SSL VPN data flow.
Specifically, the request message is sent to the SSL VPN gateway device indicated by the destination address of this SSL VPN data flow, to request the QoS service type of the flow. QoS service types include video, voice, HTTP (HyperText Transfer Protocol), FTP (File Transfer Protocol), and so on.
Step S308: forward this SSL VPN data flow according to the prior-art process and exit this flow.
The prior-art process is generally as follows: the SSL VPN data flow is forwarded, and if QoS processing is needed during forwarding, the type of encrypted data carried by the SSL VPN data flow cannot be obtained and so the corresponding QoS service type cannot be obtained either; QoS classification and queue scheduling of the SSL VPN data flow can therefore only be done on the unencrypted fields of the IP (Internet Protocol) header or TCP (Transmission Control Protocol) header of the message, without deeper QoS identification.
Step S310: the access gateway obtains the QoS service type of this SSL VPN data flow from the response message returned by the SSL VPN gateway for the request message, so as to perform the corresponding QoS processing on this SSL VPN data flow according to that QoS service type.
In this embodiment of the application, after judging that a received SSL VPN data flow meets the pre-set QoS service type request condition, the access gateway requests the QoS service type of that SSL VPN data flow from the SSL VPN gateway to which the flow will be forwarded, and so obtains the QoS service type of the flow. In this way the access gateway can identify the QoS service type of a received SSL VPN data flow and perform the corresponding QoS processing on it.
Embodiment two
In the SSL VPN network shown in Figure 2, in order to enable the access gateway of each branch to identify the QoS service type of an SSL VPN data flow, the processing flow of the headquarters SSL VPN gateway, shown in Figure 4, comprises the following steps:
Step S402: the SSL VPN gateway receives the request message sent by the access gateway (that is, the request message described in embodiment one, requesting the QoS service type of an SSL VPN data flow).
The request message can carry the information of the SSL VPN data flow being asked about.
Step S404: the SSL VPN gateway determines the decrypted data flow corresponding to the SSL VPN data flow requested in the request message.
To determine the decrypted data flow corresponding to the requested SSL VPN data flow (the decrypted data flow being the requested SSL VPN data flow after decryption), the SSL VPN gateway can maintain a flow information correspondence table locally; this table can reuse an existing information table or be newly created. The flow information correspondence table records the correspondence between the information of an SSL VPN data flow and that of its decrypted data flow. By looking up, in this table, the decrypted flow information corresponding to the SSL VPN data flow information carried in the request message, the decrypted data flow corresponding to the SSL VPN data flow can be determined.
Step S406: the SSL VPN gateway identifies the QoS service type of the decrypted data flow determined in step S404, carries the identified QoS service type in a response message and sends it to the access gateway, so that the access gateway obtains the QoS service type of the requested SSL VPN data flow from the response message and performs the corresponding QoS processing on that SSL VPN data flow according to it.
The SSL VPN gateway can obtain the QoS service type of the decrypted data flow by analysing it with its own service modules, then carry the QoS service type in the response message replied to the access gateway; the access gateway can then perform the corresponding QoS processing on the SSL VPN data flow according to the QoS service type returned by the SSL VPN gateway.
Embodiment three
In practical applications, as shown in Figure 5, the access gateway can operate according to the following flow:
Step S502: receive a data flow.
Step S504: monitor the information of the received data flow in real time. A data flow can be defined by the five-tuple information of its messages (source IP, destination IP, source port, destination port and protocol number). Judge from the protocol type and destination port of the received data flow whether it is an SSL VPN data flow; if it is not, proceed to step S506; if it is, proceed to step S508.
Steps S502 to S504 above correspond to step S302 in embodiment one.
Step S506: forward the data flow according to the prior-art process and exit this flow.
This step S506 corresponds to step S308 in embodiment one.
Step S508: since QoS service type identification is needed only for SSL VPN data flows that will be forwarded to an SSL VPN gateway, the addresses of the SSL VPN gateways can be pre-defined locally on the access gateway, and whether this SSL VPN data flow needs QoS service type identification is decided by judging whether its destination address falls within the range of the locally pre-defined SSL VPN gateway addresses. If the destination address is not within the SSL VPN gateway address range, this SSL VPN data flow does not need QoS service type identification, and the flow proceeds to step S506; if it is within the range, the flow needs QoS service type identification, and the flow proceeds to step S510.
Step S510: accumulate the duration of this SSL VPN data flow, or accumulate its total volume.
Step S512: judge whether the duration or total volume of this SSL VPN data flow exceeds the preset threshold; if not, proceed to step S506; if so, proceed to step S514.
Steps S508 to S512 correspond to step S304 in embodiment one.
Step S514: send a request message requesting the QoS service type of this SSL VPN data flow to the SSL VPN gateway to which the data flow will be forwarded. The request message carries the original five-tuple information A of this SSL VPN data flow and its five-tuple information B after NAT (Network Address Translation) processing (if the access gateway does not have NAT enabled, then A = B). The address of the SSL VPN gateway to which the data flow will be forwarded can be obtained from the destination address of the data flow.
In this embodiment, the five-tuple information A and five-tuple information B are the information of this SSL VPN data flow. This step S514 corresponds to step S306 in embodiment one.
After receiving the response message replied by the SSL VPN gateway, the access gateway can first judge whether the response message includes a QoS service type. If it does, the access gateway takes the QoS service type from the response message and performs the corresponding QoS processing on this SSL VPN data flow according to it (corresponding to step S310 in embodiment one). If it does not, the access gateway still processes the data flow according to the handling process for ordinary SSL VPN data flows. Specifically, when the access gateway ultimately does not obtain an identified QoS service type for the SSL VPN data flow, or has sent a request message to the SSL VPN gateway but has not yet received a reply (that is, has not received the corresponding response message), the access gateway can place this SSL VPN data flow in a default queue or in a queue defined in advance for ordinary SSL VPN data flows, and then forward the SSL VPN data flow in that queue according to the prior-art process. The prior-art process here is as described in step S308 of embodiment one and is not repeated.
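The access-gateway decision flow of steps S504 to S514 and the response handling just described, as an added example that is not part of the patent or of any H3C implementation. The flow key is the five-tuple of step S504; the SSL VPN gateway address range, the thresholds and the use of the HTTPS port to recognise SSL VPN traffic are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed flow key (step S504): (src IP, dst IP, protocol number, src port, dst port).
TCP = 6


@dataclass
class FlowState:
    first_seen: float
    packets: int = 0
    requested: bool = False        # request message sent, response still outstanding
    unidentified: bool = False     # gateway replied that it could not identify the flow
    qos_id: Optional[int] = None   # numeric QoS type returned by the SSL VPN gateway


class AccessGatewayMonitor:
    """Access-gateway logic of Fig. 5 (S504-S514) plus response handling (S310).
    Gateway address range, thresholds and SSL VPN port list are deployment choices,
    assumed here for the example."""

    def __init__(self, gateway_networks, time_threshold_s: float,
                 packet_threshold: int, sslvpn_ports=(443,)):
        # S508: SSL VPN gateway addresses pre-defined locally on the access gateway
        self.gateway_networks = [ipaddress.ip_network(n) for n in gateway_networks]
        self.time_threshold_s = time_threshold_s
        self.packet_threshold = packet_threshold
        self.sslvpn_ports = set(sslvpn_ports)
        self.flows: dict = {}

    def is_sslvpn(self, ft) -> bool:
        """S504: classify by protocol type and destination port (HTTPS-based SSL VPN)."""
        _, _, proto, _, dport = ft
        return proto == TCP and dport in self.sslvpn_ports

    def to_sslvpn_gateway(self, ft) -> bool:
        """S508: only flows destined for one of our SSL VPN gateways are worth a request."""
        dst = ipaddress.ip_address(ft[1])
        return any(dst in net for net in self.gateway_networks)

    def observe(self, ft, now: float) -> str:
        """Called per packet; returns the action the access gateway takes for this packet."""
        if not self.is_sslvpn(ft) or not self.to_sslvpn_gateway(ft):
            return "forward"                      # S506: conventional forwarding
        st = self.flows.setdefault(ft, FlowState(first_seen=now))
        st.packets += 1                           # S510: account duration / volume
        if st.qos_id is not None:
            return f"qos:{st.qos_id}"             # S310: QoS processing by identified type
        if st.requested or st.unidentified:
            return "default-queue"                # reply outstanding, or not identifiable
        duration = now - st.first_seen
        if duration > self.time_threshold_s or st.packets > self.packet_threshold:  # S512
            st.requested = True
            return "request"                      # S514: send request message (A and B)
        return "forward"                          # S506: below threshold, forward as usual

    def on_response(self, ft, qos_id: int) -> None:
        """Response from the SSL VPN gateway; 0 (all-zero QoS field) means not identified."""
        st = self.flows.get(ft)
        if st is None or not st.requested:
            return                                # unsolicited response: ignore
        st.requested = False
        if qos_id:
            st.qos_id = qos_id
        else:
            st.unidentified = True
```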
Correspondingly, as shown in Figure 6, the SSL VPN gateway can operate according to the following flow in order to cooperate with the access gateway in identifying the QoS service type of an SSL VPN data flow:
Step S602: the SSL VPN gateway receives the request message sent by the access gateway. This step corresponds to step S402 in embodiment two.
Step S604: according to the five-tuple information B contained in the request message, look up in the local flow information correspondence table the information of the data flow, obtained after decryption by the SSL VPN gateway, that corresponds to five-tuple information B.
Step S606: judge whether the information of the decrypted data flow was found. If so, proceed to step S608; if the flow information correspondence table has no record of a decrypted data flow corresponding to five-tuple information B, so that no decrypted data flow information corresponding to B is found, proceed to step S614.
Step S608: denote the decrypted data flow whose information was found as decrypted data flow C; the decrypted data flow corresponding to this SSL VPN data flow is thus determined to be data flow C. The SSL VPN gateway identifies the QoS service type of decrypted data flow C using existing data flow recognition techniques, for example according to message information defined by ACLs, signature (feature code) information contained in messages, message length information, and so on.
Step S610: judge whether the QoS service type of decrypted data flow C has been identified. If so, proceed to step S612; if it cannot be identified, proceed to step S614.
Step S612: insert the identifier of the identified QoS service type into the response message, and proceed to step S616.
The QoS service type can be identified by a number, to avoid leaking information about the SSL VPN data flow. This requires the access gateway and the SSL VPN gateway to agree in advance on the various QoS service types and their corresponding numeric identifiers, so that the access gateway can correctly parse the QoS service type inserted by the SSL VPN gateway.
Step S614: fill the QoS service type in the response message with a null value or a particular value, to indicate that the QoS service type of this SSL VPN data flow cannot be identified.
Step S616: reply with the response message to the access gateway.
Steps S604 to S612 correspond to steps S404 to S406 in embodiment two.
In practical applications, the message format of the request message and the response message can take the form shown in Figure 7; obviously, it can also be adjusted according to the specific implementation.
In Figure 7, the meaning of each field is as follows:
OP: the type of operation; OP = 1 indicates a request message and OP = 2 indicates a response message. Length: 1 byte (octet).
ID: the message identifier, used to match a request with its response. The ID in a request message is randomly generated, and the ID in a response message must be identical to the ID in the corresponding request message. Length: 2 bytes.
Count: the number of Data elements in the request or response message. Length: 1 byte.
Data: the payload data, whose format is shown in Figure 8.
In Figure 8, the meaning of each field is as follows:
Index: the index of an SSL VPN data flow; the index of each SSL VPN data flow is unique. Length: 4 bytes.
A: the five-tuple information of the SSL VPN data flow before NAT translation, formed by concatenating the source IP, destination IP, protocol number, source port and destination port. Length: 13 bytes.
B: the five-tuple information of the SSL VPN data flow after NAT translation, formed by concatenating the source IP, destination IP, protocol number, source port and destination port. Length: 13 bytes.
QoS: the identifier of the QoS service type of the SSL VPN data flow. In a request message this value is all zeros; in a response message the SSL VPN gateway inserts the QoS service type of the SSL VPN data flow, or fills in all zeros or a particular value if the QoS service type cannot be identified. Length: 2 bytes.
When the request message and response message are transmitted, they can be protected by existing IPSec (IP Security) or SSL VPN technology; where no security information would be disclosed, the above messages can also be transmitted directly over TCP or UDP (User Datagram Protocol). The application does not limit this.
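The message format of Figures 7 and 8 together with the gateway-side flow of Figure 6 (embodiments two and three) and the access gateway's matching of the response to its request (step S310), as an added example that is not part of the patent or of any H3C implementation. The numeric QoS identifiers, the flow information correspondence table keyed by five-tuple B, and the classify() callback standing in for the gateway's existing recognition are assumptions of the example.

```python
import socket
import struct
from dataclasses import dataclass

# Header of Fig. 7: OP (1 octet), ID (2 octets), Count (1 octet), network byte order.
HEADER = struct.Struct("!BHB")
OP_REQUEST, OP_RESPONSE = 1, 2
QOS_UNKNOWN = 0  # all-zero QoS field: always in a request, and in a response when not identified
# Numeric IDs agreed in advance by both gateways; the values here are constructed for the example.
QOS_IDS = {"video": 1, "voice": 2, "http": 3, "ftp": 4}


@dataclass(frozen=True)
class FiveTuple:
    """Serialised as src IP(4) | dst IP(4) | protocol(1) | src port(2) | dst port(2) = 13 octets."""
    src_ip: str
    dst_ip: str
    proto: int
    sport: int
    dport: int

    def pack(self) -> bytes:
        return (socket.inet_aton(self.src_ip) + socket.inet_aton(self.dst_ip)
                + struct.pack("!BHH", self.proto, self.sport, self.dport))

    @classmethod
    def unpack(cls, raw: bytes) -> "FiveTuple":
        proto, sport, dport = struct.unpack("!BHH", raw[8:13])
        return cls(socket.inet_ntoa(raw[0:4]), socket.inet_ntoa(raw[4:8]), proto, sport, dport)


@dataclass(frozen=True)
class Entry:
    """One Data element of Fig. 8: Index(4) | A(13) | B(13) | QoS(2) = 32 octets."""
    index: int
    a: FiveTuple  # five-tuple before NAT
    b: FiveTuple  # five-tuple after NAT (equal to A when NAT is disabled)
    qos: int = QOS_UNKNOWN
    SIZE = 32

    def pack(self) -> bytes:
        return (struct.pack("!I", self.index) + self.a.pack() + self.b.pack()
                + struct.pack("!H", self.qos))

    @classmethod
    def unpack(cls, raw: bytes) -> "Entry":
        (index,) = struct.unpack("!I", raw[0:4])
        (qos,) = struct.unpack("!H", raw[30:32])
        return cls(index, FiveTuple.unpack(raw[4:17]), FiveTuple.unpack(raw[17:30]), qos)


def build_message(op: int, msg_id: int, entries: list) -> bytes:
    if not 0 <= len(entries) <= 255:
        raise ValueError("Count is a single octet")
    return HEADER.pack(op, msg_id, len(entries)) + b"".join(e.pack() for e in entries)


def parse_message(data: bytes):
    """Strict parser: rejects unknown OP and any Count/length mismatch before reading entries."""
    if len(data) < HEADER.size:
        raise ValueError("truncated header")
    op, msg_id, count = HEADER.unpack_from(data)
    if op not in (OP_REQUEST, OP_RESPONSE):
        raise ValueError(f"unknown OP {op}")
    body = data[HEADER.size:]
    if len(body) != count * Entry.SIZE:
        raise ValueError("Count does not match payload length")
    entries = [Entry.unpack(body[i * Entry.SIZE:(i + 1) * Entry.SIZE]) for i in range(count)]
    return op, msg_id, entries


def gateway_handle_request(data: bytes, flow_table: dict, classify) -> bytes:
    """SSL VPN gateway side (Fig. 6, S602-S616). flow_table is the flow information
    correspondence table keyed by post-NAT five-tuple B; classify() stands in for the
    gateway's existing recognition and returns a QoS type name or None."""
    op, msg_id, entries = parse_message(data)
    if op != OP_REQUEST:
        raise ValueError("expected a request message")
    out = []
    for e in entries:
        qos = QOS_UNKNOWN                        # S614: default when not identifiable
        decrypted = flow_table.get(e.b)          # S604: look up decrypted flow by B
        if decrypted is not None:                # S606: found?
            name = classify(decrypted)           # S608: identify decrypted flow C
            if name in QOS_IDS:                  # S610: identified?
                qos = QOS_IDS[name]              # S612: numeric ID only, no flow details
        out.append(Entry(e.index, e.a, e.b, qos))
    return build_message(OP_RESPONSE, msg_id, out)  # S616: response echoes the request ID


def access_gateway_handle_response(data: bytes, pending: dict) -> dict:
    """Access gateway side (S310): accept only a response whose ID matches an outstanding
    request, and return {Index: qos_id} for the flows the gateway could identify."""
    op, msg_id, entries = parse_message(data)
    if op != OP_RESPONSE or msg_id not in pending:
        return {}                                # unsolicited or stale response: ignore
    asked = pending.pop(msg_id)                  # set of Index values in our request
    return {e.index: e.qos for e in entries if e.index in asked and e.qos != QOS_UNKNOWN}
```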
Embodiment four
Corresponding to the method of embodiment one, this embodiment of the application provides a routing and forwarding device applied to the access gateway in an SSL VPN network that comprises an access gateway and an SSL VPN gateway; with the cooperation of the SSL VPN gateway, this access gateway can identify and obtain the QoS service type of an SSL VPN data flow. As shown in Figure 9, the routing and forwarding device 10 for the access gateway comprises a monitoring module 102, a judging module 104, a transceiver module 106 and an acquisition module 108, where:
the monitoring module 102 is for monitoring whether a data flow received by the transceiver module 106 is an SSL VPN data flow; the specific monitoring method is as in embodiment three and is not repeated here;
the judging module 104 is for judging, when the monitoring module 102 detects that the received data flow is an SSL VPN data flow, whether this SSL VPN data flow meets the preset QoS service type request condition, where the QoS service type request condition can be that the duration of the SSL VPN data flow exceeds a preset time threshold, or that the volume of the SSL VPN data flow exceeds a preset volume threshold, or a combination of both, or some other condition;
the transceiver module 106 is for sending a request message to the SSL VPN gateway to which this SSL VPN data flow will be forwarded (that is, the SSL VPN gateway indicated by the destination address of the data flow) when the judging module 104 judges that this SSL VPN data flow meets the QoS service type request condition, and for receiving the response message returned by this SSL VPN gateway for the request message, where the request message requests the QoS service type of the SSL VPN data flow;
the acquisition module 108 is for obtaining the QoS service type of this SSL VPN data flow from the response message received by the transceiver module 106, so that the routing and forwarding device 10 can perform the corresponding QoS processing on this SSL VPN data flow according to that QoS service type.
In practical applications, after the monitoring module 102 detects that the data flow received by the transceiver module 106 is an SSL VPN data flow and before judging whether this SSL VPN data flow meets the preset QoS service type request condition, the judging module 104 can first judge whether the destination address of this SSL VPN data flow is within the preset SSL VPN gateway address range, so as to determine whether the flow needs QoS service type identification. If it is within the range, the flow needs QoS service type identification and the step of judging whether it meets the QoS service type request condition is performed; if it is not, the flow does not need QoS service type identification and the routing and forwarding device can process the data flow according to the existing handling process.
This embodiment also provides a routing and forwarding device applied to the SSL VPN gateway in an SSL VPN network that comprises an access gateway and an SSL VPN gateway; this SSL VPN gateway can cooperate with the access gateway so that the access gateway can identify the QoS service type of an SSL VPN data flow. As shown in Figure 10, the routing and forwarding device 20 for the SSL VPN gateway comprises a transceiver module 202, a determination module 204 and an identification module 206, where:
the transceiver module 202 is for receiving the request message sent by the access gateway (as shown in Figure 9), where the request message requests the QoS service type of an SSL VPN data flow, and for returning a response message to the access gateway so that the access gateway obtains the QoS service type identified by the identification module 206 from the response message as the QoS service type of this SSL VPN data flow;
the determination module 204 is for determining the decrypted data flow corresponding to this SSL VPN data flow;
the identification module 206 is for identifying the QoS service type of the decrypted data flow determined by the determination module 204.
In practical applications, the request message sent by the access gateway can carry the information of the SSL VPN data flow being asked about; the determination module 204 then looks up, in the flow information correspondence table, the decrypted flow information corresponding to the SSL VPN data flow information and so determines the decrypted data flow corresponding to this SSL VPN data flow, where the flow information correspondence table records the correspondence between the information of SSL VPN data flows and that of their decrypted data flows.
In summary, the above embodiments of the application can achieve the following technical effect:
In the above embodiments of the application, after receiving an SSL VPN data flow (an encrypted data flow), the access gateway can send a request message to the SSL VPN gateway to which the SSL VPN data flow will be forwarded, requesting the QoS service type of that flow; after receiving the request message, the SSL VPN gateway can look up the decrypted data flow corresponding to the SSL VPN data flow, identify the QoS service type of the decrypted data flow, and carry that QoS service type in a response message returned to the access gateway. The access gateway can thus identify and obtain the QoS service type of the SSL VPN data flow, and then perform the corresponding QoS processing on the flow according to that QoS service type.
The foregoing are only preferred embodiments of the application and are not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the application shall be included within the scope protected by the application.

Claims (11)

1. A method for identifying the quality of service (QoS) type of service of a Secure Sockets Layer (SSL) Virtual Private Network (VPN) data flow, applied in an SSLVPN network comprising an IAD and an SSLVPN gateway, characterized in that it comprises:
after monitoring that a received data flow is an SSLVPN data flow, the IAD judges whether the SSLVPN data flow meets a preset QoS type of service request condition;
if the QoS type of service request condition is met, the IAD sends a request message to the SSLVPN gateway to which the SSLVPN data flow will be forwarded, wherein the request message is for requesting the QoS type of service of the SSLVPN data flow;
the IAD obtains the QoS type of service of the SSLVPN data flow from the response message returned by the SSLVPN gateway for the request message.
2. The method according to claim 1, characterized in that the QoS type of service request condition comprises at least one of the following: the duration of the SSLVPN data flow exceeds a preset time threshold, and the total amount of the SSLVPN data flow exceeds a preset amount threshold.
3. The method according to claim 1 or 2, characterized in that, after monitoring that the received data flow is an SSLVPN data flow and before judging whether the SSLVPN data flow meets the preset QoS type of service request condition, the method further comprises:
the IAD judging that the destination address of the SSLVPN data flow is within a preset SSLVPN gateway address range, so as to determine that the QoS type of service of the SSLVPN data flow needs to be identified.
4. The method according to claim 1, characterized in that the IAD has network address translation (NAT) enabled, and the request message includes the original five-tuple information of the SSLVPN data flow and the five-tuple information after NAT.
5. A method for identifying the quality of service (QoS) type of service of a Secure Sockets Layer (SSL) Virtual Private Network (VPN) data flow, applied in an SSLVPN network comprising an IAD and an SSLVPN gateway, characterized in that it comprises:
the SSLVPN gateway receives a request message sent by the IAD, wherein the request message is for requesting the QoS type of service of an SSLVPN data flow;
the SSLVPN gateway determines the decrypted data flow corresponding to the SSLVPN data flow;
the SSLVPN gateway identifies the QoS type of service of the decrypted data flow and returns a response message to the IAD, so that the IAD obtains the identified QoS type of service from the response message as the QoS type of service of the SSLVPN data flow.
6. The method according to claim 5, characterized in that the request message carries the information of the SSLVPN data flow, and the SSLVPN gateway determining the decrypted data flow corresponding to the SSLVPN data flow comprises:
the SSLVPN gateway looking up, in a traffic flow information correspondence table, the decrypted traffic flow information corresponding to the information of the SSLVPN data flow, wherein the traffic flow information correspondence table records the correspondence between the information of the SSLVPN data flow and the information of the decrypted data flow.
7. A routing and forwarding device, serving as the IAD in an SSLVPN network comprising the IAD and a Secure Sockets Layer (SSL) Virtual Private Network (VPN) gateway, characterized in that it comprises:
a monitoring module, for monitoring whether a received data flow is an SSLVPN data flow;
a judging module, for judging, when the monitoring module monitors that the received data flow is an SSLVPN data flow, whether the SSLVPN data flow meets a preset quality of service (QoS) type of service request condition;
a transceiver module, for sending a request message to the SSLVPN gateway to which the SSLVPN data flow will be forwarded when the judging module judges that the SSLVPN data flow meets the QoS type of service request condition, and for receiving the response message returned by the SSLVPN gateway for the request message, wherein the request message is for requesting the QoS type of service of the SSLVPN data flow;
an acquisition module, for obtaining the QoS type of service of the SSLVPN data flow from the response message.
8. The routing and forwarding device according to claim 7, characterized in that the QoS type of service request condition comprises at least one of the following: the duration of the SSLVPN data flow exceeds a preset time threshold, and the total amount of the SSLVPN data flow exceeds a preset amount threshold.
9. The routing and forwarding device according to claim 7 or 8, characterized in that the judging module is further for, when the monitoring module monitors that the received data flow is an SSLVPN data flow and before judging whether the SSLVPN data flow meets the preset QoS type of service request condition, first judging that the destination address of the SSLVPN data flow is within a preset SSLVPN gateway address range, so as to determine that the QoS type of service of the SSLVPN data flow needs to be identified.
10. A routing and forwarding device, serving as the SSLVPN gateway in an SSLVPN network comprising an IAD and the Secure Sockets Layer (SSL) Virtual Private Network (VPN) gateway, characterized in that it comprises:
a transceiver module, for receiving a request message sent by the IAD, wherein the request message is for requesting the quality of service (QoS) type of service of an SSLVPN data flow, and for returning a response message to the IAD, so that the IAD obtains the QoS type of service identified by an identification module from the response message as the QoS type of service of the SSLVPN data flow;
a determination module, for determining the decrypted data flow corresponding to the SSLVPN data flow;
the identification module, for identifying the QoS type of service of the decrypted data flow determined by the determination module.
11. The routing and forwarding device according to claim 10, characterized in that the request message carries the information of the SSLVPN data flow, and the determination module is for looking up, in a traffic flow information correspondence table, the decrypted traffic flow information corresponding to the information of the SSLVPN data flow, so as to determine the decrypted data flow corresponding to the SSLVPN data flow, wherein the traffic flow information correspondence table records the correspondence between the information of the SSLVPN data flow and the information of the decrypted data flow.
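The exchange described in the claims and in the summary above, as an added example that is not part of the patent: the IAD monitors flows towards a preset gateway address range, asks the SSLVPN gateway for the QoS type only once the duration or volume threshold is exceeded, and carries both the original and the post-NAT five-tuple so the gateway can look the flow up in its correspondence table. The address range, thresholds, inner ports and QoS labels are constructed assumptions; the patent names none of them.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed sample values: the patent names no concrete address range, thresholds,
# ports or QoS labels, so everything below is an assumption for illustration.
GATEWAY_PREFIX, PUBLIC_IP = "203.0.113.", "198.51.100.1"  # preset gateway range; IAD NAT address
TIME_THRESHOLD, AMOUNT_THRESHOLD = 5.0, 4000                 # seconds of duration; bytes of volume
def nat(tup):  # source NAT as applied by the IAD; 5-tuple is (src, sport, dst, dport, proto)
    return (PUBLIC_IP, tup[1] + 10000) + tup[2:]
@dataclass
class FlowState:
    first_seen: float
    total_bytes: int = 0
    requested: bool = False
    qos: Optional[str] = None

class SSLVPNGateway:
    def __init__(self, correspondence):
        # traffic flow information correspondence table: post-NAT 5-tuple -> (inner dst, inner dport)
        self.correspondence = correspondence
    def handle_request(self, request):
        inner = self.correspondence.get(request["nat_tuple"])  # the gateway sees the post-NAT tuple
        qos = None if inner is None else {5060: "voice", 80: "web"}.get(inner[1], "best-effort")
        return {"orig_tuple": request["orig_tuple"], "qos": qos}  # orig tuple lets the IAD correlate

class AccessGateway:
    def __init__(self, vpn_gateway):
        self.vpn_gateway, self.flows = vpn_gateway, {}

    def on_packet(self, tup, size, now):  # returns the QoS type known so far, None until answered
        if tup[3] != 443 or not tup[2].startswith(GATEWAY_PREFIX):
            return None                            # not an SSLVPN flow towards a preset gateway
        st = self.flows.setdefault(tup, FlowState(first_seen=now))
        st.total_bytes += size
        met = now - st.first_seen > TIME_THRESHOLD or st.total_bytes > AMOUNT_THRESHOLD
        if met and not st.requested:               # ask once, only after the condition holds
            st.requested = True
            st.qos = self.vpn_gateway.handle_request({"orig_tuple": tup, "nat_tuple": nat(tup)})["qos"]
        return st.qos

def run_demo():
    voice = ("192.168.1.10", 50001, "203.0.113.7", 443, "tcp")  # constructed client flows
    web = ("192.168.1.11", 50002, "203.0.113.7", 443, "tcp")
    table = {nat(voice): ("10.0.0.5", 5060), nat(web): ("10.0.0.8", 80)}
    iad = AccessGateway(SSLVPNGateway(table))
    first = iad.on_packet(voice, 1200, 0.0)        # below both thresholds: nothing asked yet
    by_volume = iad.on_packet(voice, 3000, 1.0)    # 4200 bytes > AMOUNT_THRESHOLD
    iad.on_packet(web, 100, 0.0)
    by_time = iad.on_packet(web, 100, 6.0)         # 6 s > TIME_THRESHOLD
    return first, by_volume, by_time
```

A flow whose post-NAT tuple is missing from the gateway's table gets a response with no QoS type, and the IAD keeps forwarding it without classification rather than asking again on every packet.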
CN201210250261.XA 2012-07-19 2012-07-19 Identify the method and apparatus of the service quality QoS type of service of SSL VPN data stream Active CN102752220B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210250261.XA CN102752220B (en) 2012-07-19 2012-07-19 Identify the method and apparatus of the service quality QoS type of service of SSL VPN data stream

Publications (2)

Publication Number Publication Date
CN102752220A CN102752220A (en) 2012-10-24
CN102752220B true CN102752220B (en) 2016-04-06

Family

ID=47032124

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210250261.XA Active CN102752220B (en) 2012-07-19 2012-07-19 Identify the method and apparatus of the service quality QoS type of service of SSL VPN data stream

Country Status (1)

Country Link
CN (1) CN102752220B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3089435B1 (en) * 2014-01-20 2023-08-30 Huawei Technologies Co., Ltd. Service processing method and network device
CN105610665B (en) * 2015-07-29 2019-06-18 哈尔滨工业大学(威海) A kind of VPN agreement suitable for mobile device
CN107154917B (en) * 2016-03-03 2020-06-02 华为技术有限公司 Data transmission method and server
CN105897512B (en) * 2016-05-10 2019-09-10 国网冀北电力有限公司信息通信分公司 A kind of monitoring method and system of Virtual Private Network VPN
CN107425995A (en) * 2016-05-24 2017-12-01 中兴通讯股份有限公司 Bidirectional measurement control method, send business device and receive business device
CN107786448B (en) * 2016-08-30 2021-11-19 华为技术有限公司 Method and device for establishing forwarding path of service flow
US10757161B2 (en) * 2017-01-09 2020-08-25 Citrix Systems, Inc. Learning technique for QoS based classification and prioritization of SAAS applications
CN108401262A (en) * 2018-02-06 2018-08-14 武汉斗鱼网络科技有限公司 A kind of method and device that terminal applies communication data is obtained and analyzed

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101267319A (en) * 2008-04-30 2008-09-17 中兴通讯股份有限公司 A method for distributing control rule of policy billing
CN101414940A (en) * 2007-10-16 2009-04-22 华为技术有限公司 Method for establishing Ethernet business, net element equipment and network system
CN101500277A (en) * 2008-02-03 2009-08-05 华为技术有限公司 Method, equipment and system for obtaining QoS information by access network
CN101730174A (en) * 2009-05-08 2010-06-09 中兴通讯股份有限公司 Method and system for realizing cross-system switching in evolved packet system
CN102143088A (en) * 2011-04-29 2011-08-03 杭州华三通信技术有限公司 Method and equipment for forwarding data based on security socket layer (SSL) virtual private network (VPN)

Also Published As

Publication number Publication date
CN102752220A (en) 2012-10-24

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Patentee after: New H3C Technologies Co., Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: Hangzhou H3C Technologies Co., Ltd.

CP03 Change of name, title or address