CN106713260B - Method for dynamic data injection in virtual private dial-up network - Google Patents


Info
Publication number: CN106713260B
Authority: CN (China)
Prior art keywords: data packet, port, unit, data, forwarding
Legal status: Expired - Fee Related
Application number: CN201610699552.5A
Other languages: Chinese (zh)
Other versions: CN106713260A (en)
Inventors: 李明捷, 杨贵桂
Current assignee: Embedway Technologies Shanghai Corp
Original assignee: Embedway Technologies Shanghai Corp
Events: application filed by Embedway Technologies Shanghai Corp; priority to CN201610699552.5A; publication of CN106713260A; application granted; publication of CN106713260B; status Expired - Fee Related.

Abstract

The invention relates to a method for dynamic data injection, in particular to a method for dynamic data injection in a virtual private dial-up network (VPDN). The dynamic data injection device is connected in series in the original link and is connected to an external server. The external server generates different data packets according to different rules and sends them back to the device through a return port; the device queries, through a classification matching unit, whether the flow to which a packet belongs exists, sets the packet's forwarding port to the queried port, and finally sends the dynamically generated packet onto the original link through that forwarding port, thereby realizing dynamic data injection for a virtual private dial-up network.

Description

Method for dynamic data injection in virtual private dial-up network
This application is a divisional application of the application for a device and method for dynamic data injection in a virtual private dial-up network, application number 201310731323.3, filed on 27 December 2013.
Technical Field
The invention relates to a device and a method for dynamic data injection, in particular to a device and a method for dynamic data injection in a virtual private dial-up network.
Background
A VPDN (Virtual Private Dial-up Network) is a virtual private network service for dial-up users: the user accesses the Internet by dial-up, and the network data are packetized and encrypted when transmitted over the public switched telephone network, so that private data can be carried in the VPDN with the security of a private network. Such a secure virtual private network is built by combining the bearer capability of an IP network with a corresponding authentication and authorization mechanism, and it is a technology that has developed rapidly in recent years together with Internet technology.
VPDN service is commonly used today: business personnel and enterprises working across regions can connect remotely over the public network to the enterprise's internal network through a virtual encrypted channel, while other users on the public network cannot reach the internal network through that channel. VPDN also has other typical applications, such as wireless loss assessment in the insurance industry and wireless mobile meter reading in the power industry. The forwarding and traffic-splitting equipment currently applied to VPDN service can filter and forward data streams through various efficient query methods and meets the requirements of monitoring and counting VPDN traffic well. However, if the same device must both monitor the behavior of an Internet user and push customized data to that user, that is, intercept the user's Internet request and return it to the user after intervention, for example when illegal requests or requests specified by the enterprise must be monitored without discarding the user's requests, conventional VPDN-based traffic-splitting equipment cannot meet the requirement.
The structure of a conventional traffic-splitting apparatus is shown in fig. 1. Network data from network I reach the classification matching module through the serial interface and can then only be output one way to the monitoring equipment through the service port.
Chinese patent application No. 0213628508 discloses a forwarding method for virtual private dial-up network service data packets that uses session numbers to look up the corresponding session quickly and locate the corresponding VPDN data area. The user's data are forwarded after the lookup, but the request target of the user cannot be changed, the Internet access behavior of the user cannot be returned to the user, and user-defined data cannot be dynamically injected towards the user.
Disclosure of Invention
The invention aims to solve the problem that, in conventional VPDN service, the Internet access behavior of a user cannot be intervened on and then returned to the user.
In order to solve this technical problem, the invention provides the following technical scheme: an apparatus for dynamic data injection in a virtual private dial-up network, comprising a serial interface unit 1, a global control unit 2, a classification matching unit 3, a service unit 4 and a return unit 5;
the serial interface unit 1 is at least one pair of forwarding ports connected in series between the network server and the switch and used for the in-line traffic;
the global control unit 2 configures a service port and a return port through a configuration interface, configures the rules and behaviors for data packets that need to be redirected to the return port, and initializes a flow table;
the classification matching unit 3 receives data packets from the serial interface unit 1 and, after querying the rules, forwards each packet according to the result to the service unit 4, the serial interface unit 1 or the return unit 5; it also receives data packets from the return unit 5, queries the flow table, analyzes the uplink or downlink direction of the packet, looks up the original port, sets the forwarding port of the packet to the looked-up port and then sends the packet to the serial interface unit 1;
the service unit 4 receives data packets from the classification matching unit 3 and forwards them to a specific device or to other networks according to the result label;
the return unit 5 receives data from the classification matching unit 3 and sends them to an external server, and receives data packets from the external server and sends them to the classification matching unit 3.
The serial interface units 1 are paired; the device may have multiple pairs of serial ports so that multiple links can be placed in series.
The serial interface unit 1 comprises a serial interface A and a serial interface B. It receives the data packets output by the classification matching unit and forwards them onto the original link from serial interface B or serial interface A according to the uplink or downlink direction.
The global control unit 2 runs on the CPU of the apparatus and controls the other units through a data bus.
The global control unit 2 sets the attribute of an interface as a service port or a return port through the management interface and initializes the space of the flow table. Among the visible physical interfaces of the device, all interfaces other than the serial interfaces, the management serial port and the management network port can be service ports or return ports. The user must define which are service ports and which are return ports; one interface cannot be both a return port and a service port.
The classification matching unit 3 receives the data packets input by the serial interface unit 1 and looks up the behavior in the flow table: if there is no hit, it creates a new flow in the flow table and queries the rules; if there is a hit, it sets the behavior of the packet to the behavior of the flow. The classification matching unit 3 also receives the data packets input by the return unit 5 and queries whether the flow exists in the flow table; if it does, the uplink or downlink direction of the packet is analyzed, the port is looked up according to that direction, and the forwarding port of the packet is set to the looked-up port.
The return unit 5 receives the data packets that come from the classification matching unit 3 and hit the specific rule, and sends them to an external server; it also receives the data packets sent by the external server and passes them to the classification matching unit 3.
The device is connected in series in the original link and can be connected to the external server. The external server generates different data packets according to different rules and sends them back to the device through the return port; the device matches the original port of each packet through the flow table in the classification matching unit, marks the packet with the result label of that original port, and finally sends the dynamic packet onto the original link according to the result label, thereby realizing dynamic data injection for a virtual private dial-up network.
The invention also provides a method for dynamic data injection in a virtual private dial-up network, which comprises the following steps:
step S1: the serial interface unit 1 receives the Internet access request of the user and extracts the flow characteristics of the request packet;
step S2: the classification matching unit 3 matches the data packets that need to be transmitted to the return port;
it judges from the flow characteristics whether the packet's flow exists in the flow table; if so, it checks the packet against the hit threshold of the flow; if not, it dynamically creates a flow in the flow table from the flow characteristics, updates the flow table with the new flow, and queries the rules;
the number of hits of the packet is checked: if the number of hits is larger than the hit threshold of the flow, the behavior of the packet is set to the behavior of the flow that was looked up; if the number of hits is smaller than the hit threshold of the flow, the rules are queried;
for packets whose number of hits is below the hit threshold, or whose flow does not exist in the flow table, three types of rules in the rule set are queried: target rules, L4 rules and L7 rules;
a behavior tag is marked on the packet according to the result of the rule query;
step S3: the return port receives the data packet dynamically generated by the external server and queries the flow table;
the flow table is the flow table dynamically updated in step S2;
querying the flow table means checking, from the flow characteristics of the packet, whether a flow with those characteristics exists in the flow table; if so, the uplink or downlink direction of the packet is analyzed; if not, the packet is discarded;
step S4: the uplink or downlink direction is analyzed and the port number is looked up;
analyzing the direction means that if the packet direction is uplink, the destination port is looked up in the flow table, and if the direction is downlink, the source port is looked up in the flow table; the forwarding port of the packet is then set to the destination port or source port that was looked up;
step S5: the packet is sent onto the original link according to the flow behavior and the forwarding port.
The technical effects are as follows:
As shown in fig. 2, when traveling personnel of an enterprise access the internal network of the enterprise through the public network, the internal network can monitor and intervene on the VPDN network data; when illegal requests or requests specified by the enterprise must be monitored without discarding the user's requests, the dynamic data injection device and method of the present invention can be used.
Compared with the prior art, the invention adds the return unit and thereby meets the requirement that the user's Internet request be returned to the user after it has been intercepted. The service ports of the device can provide both the known data filtering and forwarding service and the dynamic data injection service, and the definition of service ports and return ports can be configured flexibly in the global control unit, so that the device's flexibility and extensibility can meet increasingly complex service requirements.
Drawings
Fig. 1 is a block diagram of a conventional filtering and forwarding apparatus.
Fig. 2 is a diagram of network access locations for the device of the present invention.
FIG. 3 is a block diagram of the VPDN oriented dynamic data injection apparatus of the present invention.
FIG. 4 is a block diagram of the structure of the apparatus and method for VPDN oriented dynamic data injection of the present invention.
FIG. 5 is a basic flow diagram of the VPDN oriented dynamic data injection apparatus and method of the present invention.
FIG. 6 is a detailed data flow diagram of the VPDN oriented dynamic data injection apparatus and method of the present invention.
Detailed Description
The invention is further described with reference to the following figures and implementations. For brevity, some details of the prior art, including structure and function, are not repeated.
As shown in fig. 2, the device of the present invention is connected in series between the network server (abbreviated LNS) and the switch; fig. 2 is the network access location diagram of the VPDN-oriented dynamic data injection device and method of the invention.
The structure of the apparatus is shown in FIG. 3. Internet data from network I reach the classification matching module through the serial interface. The classification matching module can perform traditional forwarding and filtering, forward data to the monitoring equipment, output data to an external server through the return port, and receive data generated by the external server and return them to the original network.
FIG. 4 is a block diagram of the structure of the apparatus and method for VPDN oriented dynamic data injection of the present invention.
The system comprises serial port A and serial port B in the serial interface unit 1, the global control unit 2, the classification matching unit 3, the service unit 4 and the return unit 5.
Serial interface A: one of a pair of external ports, connected to one of the two network element devices placed in series, and serving as one of the in-line traffic forwarding ports.
Port A is a visible physical interface, which may be optical or electrical, with single or multiple rate capability. Port A and port B form a pair of serial interfaces, which is well known and not described further here.
Serial interface B: the other of the pair of external ports, connected to the other of the two network element devices placed in series, and serving as the other in-line traffic forwarding port.
Port B is a visible physical interface, either optical or electrical, with single or multiple rate capability. Port B and port A form a pair of serial interfaces, which is well known and not described further here.
Global control unit 2: provides a configuration interface that designates which interfaces on the device are service ports and which are return ports; any number of non-serial ports on the device can be designated as return ports.
Classification matching unit 3: receives data from the serial interface unit 1 and looks up in the flow table the characteristic flow to which the packet belongs; if the lookup succeeds, the matching result is obtained directly, otherwise the rules are queried to obtain the matching result.
Specifically, a packet input from the serial interface unit 1 is received, its flow characteristics are extracted, and the flow table is queried for the presence of the flow. Depending on the result, a new flow is created or the rules are queried. A packet whose flow lookup succeeds obtains its forwarding result directly; otherwise the forwarding result is obtained by querying the rules.
A data packet from the return port is received and the flow table is queried for the flow to which it belongs; if the flow exists, the uplink or downlink direction of the packet is analyzed, the port number is looked up, and finally the original packet is forwarded according to the looked-up forwarding port number. This is well known and is not described in detail here.
Service unit 4: receives the data packets from the classification matching unit 3 and forwards them according to the forwarding behavior; this is common practice and is not described in detail here.
Return unit 5: receives the specific data packets matched by the classification matching unit 3 and forwards them to an external server; it also receives the data packets generated by the external server and forwards them to the classification matching unit 3 for behavior lookup and uplink/downlink analysis. The return port is a physically visible port and may be an electrical port or an optical port.
FIG. 5 is the basic flow chart of the method for dynamic data injection for VPDN according to the present invention.
Step S1: the serial interface unit 1 receives the Internet access request of the user and extracts the flow characteristics of the request packet;
step S2: the classification matching unit 3 matches the data packets that need to be transmitted to the return port;
it judges from the flow characteristics whether the packet's flow exists in the flow table; if so, it checks the packet against the hit threshold of the flow; if not, it dynamically creates a flow in the flow table from the flow characteristics, updates the flow table with the new flow, and queries the rules;
the number of hits of the packet is checked: if the number of hits is larger than the hit threshold of the flow, the behavior of the packet is set to the behavior of the flow that was looked up; if the number of hits is smaller than the hit threshold of the flow, the rules are queried;
for packets whose number of hits is below the hit threshold, or whose flow does not exist in the flow table, three types of rules in the rule set are queried: target rules, L4 rules and L7 rules;
a behavior tag is marked on the packet according to the result of the rule query;
step S3: the return port receives the data packet dynamically generated by the external server and queries the flow table;
the flow table is the flow table dynamically updated in step S2;
querying the flow table means checking, from the flow characteristics of the packet, whether a flow with those characteristics exists in the flow table; if so, the uplink or downlink direction of the packet is analyzed; if not, the packet is discarded;
step S4: the uplink or downlink direction is analyzed and the port number is looked up;
analyzing the direction means that if the packet direction is uplink, the destination port is looked up in the flow table, and if the direction is downlink, the source port is looked up in the flow table; the forwarding port of the packet is then set to the looked-up port;
step S5: the packet is sent onto the original link according to the behavior of the flow and the serial interface.
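As an added example (not the patent's own code), the following Python model implements steps S1 to S5 above: a bidirectional flow table keyed on protocol and IP pair, the matchCounter hit threshold, and the return-port lookup that decides uplink versus downlink and picks the forwarding port. The port fields, the direction test by comparing sip/dip with the stored flow, and the rule lookup callback are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

DEFAULT_MATCH_COUNTER = 10  # hit threshold (matchCounter); the text says it defaults to 10


@dataclass
class Packet:
    sip: str
    dip: str
    sport: str   # serial interface the packet arrived on (e.g. "A"); "C" for the return port
    dport: str   # serial interface it would leave on (e.g. "B")
    proto: str


@dataclass
class Flow:
    sip: str
    dip: str
    sport: str
    dport: str
    proto: str
    hits: int = 0
    behavior: str = "drop"   # a fresh entry is pre-filled with drop, as in Table 1


FlowKey = Tuple[str, str, str]


def flow_key(pkt: Packet) -> FlowKey:
    """Bidirectional key: both directions of one connection map to the same flow.
    Assumption: the key is the protocol plus the unordered IP pair, so that a
    response arriving on the return port finds the requester's flow."""
    low, high = sorted((pkt.sip, pkt.dip))
    return (pkt.proto, low, high)


class FlowTable:
    def __init__(self, match_counter: int = DEFAULT_MATCH_COUNTER) -> None:
        self.flows: Dict[FlowKey, Flow] = {}
        self.match_counter = match_counter

    def classify(self, pkt: Packet, rule_lookup: Callable[[Packet], str]) -> str:
        """Step S2: a packet from a serial port.  Returns its behavior label."""
        key = flow_key(pkt)
        flow = self.flows.get(key)
        if flow is None:
            # Miss (step 6a05): create the flow dynamically, then query the rules.
            flow = Flow(pkt.sip, pkt.dip, pkt.sport, pkt.dport, pkt.proto)
            self.flows[key] = flow
        flow.hits += 1
        if flow.hits > self.match_counter:
            # Step 6a06: past the threshold the flow's own behavior decides.
            return flow.behavior
        # Steps 6a04/6a07: the first matchCounter packets still query the
        # rule set, and the flow records the behavior the rules return.
        flow.behavior = rule_lookup(pkt)
        return flow.behavior

    def return_port_lookup(self, pkt: Packet) -> Optional[Tuple[str, str]]:
        """Steps S3-S4: a packet coming back from the external server.
        Returns (direction, forwarding port), or None when no flow matches,
        in which case the packet is discarded."""
        flow = self.flows.get(flow_key(pkt))
        if flow is None:
            return None
        if pkt.sip == flow.sip and pkt.dip == flow.dip:
            # Uplink: the original request is re-entering; forward it on via dport.
            return ("uplink", flow.dport)
        # Downlink: a response generated for the requester; send it back via sport.
        return ("downlink", flow.sport)


def wiki_scenario() -> Tuple[str, Optional[Tuple[str, str]], Optional[Tuple[str, str]]]:
    """Constructed run of the example in the text: terminal 1 (192.168.8.111)
    asks for www.wiki.com via gateway 192.168.8.1 and the rule redirects it
    to return port 9; server 1 then either re-sends the request or answers it."""
    table = FlowTable()
    request = Packet("192.168.8.111", "192.168.8.1", "A", "B", "http")
    behavior = table.classify(request, lambda p: "redirect hash s 9")
    re_sent = Packet("192.168.8.111", "192.168.8.1", "C", "C", "http")   # uplink
    answer = Packet("192.168.8.1", "192.168.8.111", "C", "C", "http")    # downlink
    return behavior, table.return_port_lookup(re_sent), table.return_port_lookup(answer)


if __name__ == "__main__":
    print(wiki_scenario())
```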
The apparatus for VPDN-oriented dynamic data injection according to the present invention is illustrated below, in conjunction with FIG. 6, by a specific requirement of a company.
As shown in fig. 6, a data request with user name terminal 1, domain name "www.wiki.com" and keyword "VPDN" arrives at the apparatus from serial port A. The device redirects the HTTP request for "www.wiki.com" to the company's internal wiki server, which is searched first; if the keyword is not found on the internal wiki, the request is sent on to www.wiki.com. The device completes this function through the following steps:
In the initial state, serial port A is connected to the router of the company's internal LAN, serial port B is connected to the router of the company's external network, and interface C is connected to server 1, whose IP address is assumed to be "192.168.8.100" and which runs the company's internal wiki website.
The user logs in to the management interface of the device through SSH, configures interface C as a return port, configures a rule domain = "www.wiki.com", and sets the forwarding behavior of the rule to "forward from interface C".
In step 6a01, terminal 1 initiates an HTTP request to "www.wiki.com" with the keyword "VPDN". Assume that the IP address of terminal 1 is 192.168.8.111 and the gateway of the LAN is 192.168.8.1.
Step 6a02: after serial port A receives the request message, it first extracts the flow characteristics from the packet, i.e. sip = "192.168.8.111", dip = "192.168.8.1", sport = "A", dport = "B", protocol = "http"; then step 6a03 is entered.
As shown in table 1 below, a flow table entry is normally uniquely defined by a five-tuple: protocol type (protocol), source IP (sip), destination IP (dip), source port (sport) and destination port (dport). Packets with the same five-tuple belong to the same flow. Such a flow is unidirectional, because the five-tuple distinguishes source from destination, so the packets of one complete interaction belong to two different flows. In many applications the object of interest is the connection, i.e. the complete interaction, which comprises the two flows whose source IP, source port, destination IP and destination port are the same with source and destination exchanged. For ease of description, the term flow is used herein for a connection, or bidirectional flow; such a flow is uniquely defined by a protocol type and a pair of IP and port groups. In the initial state the flow table is empty: the source port number, destination port number and protocol type are temporarily filled with 0, the source IP and destination IP are temporarily filled with 0.0.0.0, and the behavior of the flow is temporarily filled with drop. Table 1:
[Table 1 image not reproduced: the initial, empty flow table described above.]
Step 6a03: the extracted flow characteristics are used to search the flow table; if a flow matching them is found, go to step 6a04, otherwise go to step 6a05.
Step 6a04: if the flow to which the packet belongs exists in the flow table, the first threshold (matchCounter) packets of this flow still query the rule table (go to step 6a07), until no matching rule is found or the threshold (matchCounter) is exceeded, after which the behavior of the user-defined static flow determines the forwarding of subsequent packets. The threshold (matchCounter) defaults to 10 and can be customized by the user on the command line.
Step 6a05: if the flow table contains no flow with source port A, destination port B, source IP 192.168.8.111, destination IP 192.168.8.1 and protocol type http, the flow is newly created in the flow table, the flow table is updated, and the second-layer rule query is entered. The updated flow table contents are shown in table 2 below:
[Table 2 image not reproduced: the flow table after the new flow is created.]
Step 6a06: if the flow exists and the number of hits is greater than the hit threshold of the flow, the behavior of the looked-up flow is set as the final behavior of the packet.
Step 6a07: packets that miss in the flow table, and packets whose hit count is below the threshold, are subjected to second-layer rule matching.
Rule matching is realized through a rule table. The rule table comprises 4 rule sets and 3 classes of rules: specific-object (target) rules, L4 rules and L7 rules. A target rule can be combined with an L4 rule or an L7 rule, meaning that the classification entry of the target rule and the classification entry of the L4 or L7 rule are hit at the same time.
Each rule class is divided into 4 priorities according to different matching, processing and forwarding modes, and each priority can be given its own data processing and forwarding behavior. Up to 20K rule classification entries (class-entries) with the same processing behavior can be added to each priority level.
A packet that misses every rule automatically hits the default entry and is processed according to the behavior defined for default.
A packet first queries the target rule table; whether it then queries the L4 or the L7 table is decided by the behavior configured for the default priority of the target rule table.
The target rule contains two classification entries: ip and name. The IP is the Internet IP used after the user's connection authentication succeeds; name is the RADIUS and PPP user name.
The target rule has priorities 1-4 and default, with 1 the highest priority, 4 the lowest, and default the default priority. The capacity of each priority can be 20K; different priorities are not allowed to store the same rule, and the default priority does not allow rules to be configured.
The default behavior of the default priority is loop; the default behaviors of the other priorities are not set (UNSET). The behavior of each priority can be configured, and the behavior of target rules can be configured as loop, drop, fwhash, redirect, to l4 or to l7, i.e. normal forwarding, discarding, hash forwarding (normal forwarding with a copy to a return port or output port), redirecting (to an output port or return port), forwarding to the L4 rule query, and forwarding to the L7 rule query.
The L4 rule table entry is shown in table 3 below and includes several types of classification entries: ip, protocol + port, and domain. Here ip is the IP in the inner layer of the L2TP packet, protocol is the inner-layer protocol, protocol + port is {UDP | TCP} + port number, and domain is the domain name requested through DNS together with the IPs corresponding to the matched domain name; these IPs are learned automatically by the device from the DNS response packets. By default the rule table entry is empty, so no data are filled in table 3:
[Table 3 image not reproduced: the L4 rule table entry, empty by default.]
L4 rules have priorities 1-4 and default, with 1 the highest priority, 4 the lowest, and default the default priority. Each priority can hold 20K classification entries, the default priority does not allow rules to be configured, and different priorities are not allowed to store the same rule.
The default behavior of the default priority is loop; the default behaviors of the other priorities are not set (UNSET). The behavior of each priority can be configured, and the behavior of L4 rules can be configured as loop, drop, fwhash, redirect hash or tol7, i.e. normal forwarding, discarding, hash forwarding, hash redirection, and forwarding to the L7 rule query.
The behavior of the default priority can also be set to to l7, in which case the query is switched to the L7 rules. If different priorities are hit at the same time, the forwarding behavior of the rule with the highest priority is selected. The IPs corresponding to a DNS domain name are maintained dynamically from the DNS packets received by the device; each domain name stores at most 256 IPs, and IPs acquired beyond that number automatically overwrite the IPs stored first.
L7 rules contain ud, host, uri and host + uri classification entries; active control and passive monitoring support up to 128 ud classification entries, with 4 ud fields each and four bytes per ud.
L7 rules have priorities 1-4 and default, with 1 the highest priority, 4 the lowest, and default the default priority. Each priority can hold 20K classification entries, the default priority does not allow rules to be configured, and different priorities are not allowed to store the same rule.
The default behavior of the default priority is loop; the default behaviors of the other priorities are not set (UNSET). The behavior of each priority can be configured, and the behavior of L7 rules can be configured as loop, drop, fwhash, redirect hash or tol4, i.e. normal forwarding, discarding, hash forwarding, hash redirection, and forwarding to the L4 rule query.
The behavior of the default priority can also be set to to l4, in which case the query goes to the L4 rules; if different priorities are hit at the same time, the forwarding behavior of the rule with the highest priority is taken.
Terminal 1 is matched first against the target rule according to the static rules set by the user. Since the entries of the target rule do not match on domain name (domain) while the L4 rule does, the user sets the default behavior of the target rule to switch to L4; the specific rule configuration is as follows:
add ruleset 1 control l4: 1 domain= "www.wiki.com"
Since the company needs to redirect "www.wiki.com" requests to the internal wiki, a behavior must be configured in the static rule to forward rule set 1 from return port C; the behavior is configured as follows (assuming that the physical interface number of return port C on the device is 9):
set ruleset 1 control target: default to l4
set ruleset 1 control l4: 1 redirect hash s 9
The correspondence between the behavior forwarding table and the rule set is well-known content and is not described in detail here.
In step 6a08, if the data request packet from terminal 1 matches a rule entry in the rule set, the behavior of the packet is set to the behavior of that rule.
In step 6a09, if the data request packet from terminal 1 matches nothing in the rule set, the behavior of the packet is set to discard.
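The rule resolution described above (L7 priorities 1 to 4 plus default, the highest priority winning when several hit, the default priority handing the packet over to the L4 domain rules, and a discard when nothing matches) can be modelled in a few dozen lines. The following is an added Python illustration, not code from the patent or from the device vendor. The field names host, uri and domain, the Action type and the helper names are assumptions made for the example; the configuration reproduced in build_page_example follows the three rule lines quoted above.

```python
# Added illustration of the two-level rule lookup described on the page (L7
# priorities 1-4 plus "default", with the default priority able to hand the
# packet to the L4 domain table).  This is not the device's own code.  The
# rule syntax mirrors the configuration quoted on the page; the field names
# (host, uri, domain), the Action type and the "drop on L4 miss" choice
# (the page's step 6a09) are assumptions made for the example.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple, Union

Priority = Union[int, str]      # 1..4, or "default"
L7_PRIORITIES = (1, 2, 3, 4)    # 1 is the highest priority, 4 the lowest


@dataclass
class Action:
    behaviour: str                # loop / drop / fwhash / redirect / tol4 / UNSET
    port: Optional[int] = None    # egress port for redirect (page: return port C = 9)


@dataclass
class RuleSet:
    """One named ruleset: L7 rules (host, uri, host+uri) and L4 rules (domain)."""

    # Behaviour per L7 priority.  As the page states, the default priority
    # starts as loop and the other priorities start UNSET.
    l7_behaviour: Dict[Priority, Action] = field(default_factory=lambda: {
        1: Action("UNSET"), 2: Action("UNSET"), 3: Action("UNSET"), 4: Action("UNSET"),
        "default": Action("loop"),
    })
    # (field, value) -> priority.  A rule may be stored at one priority only.
    l7_rules: Dict[Tuple[str, str], int] = field(default_factory=dict)
    # domain -> Action: the L4 table the page's 'l4: 1 domain=...' rule lives in.
    l4_rules: Dict[str, Action] = field(default_factory=dict)

    def set_l7_behaviour(self, priority: Priority, action: Action) -> None:
        if priority not in self.l7_behaviour:
            raise ValueError(f"unknown priority {priority!r}")
        self.l7_behaviour[priority] = action

    def add_l7_rule(self, priority: int, fld: str, value: str) -> None:
        # Page constraints: no rules at the default priority, and the same
        # rule may not be stored at two different priorities.
        if priority not in L7_PRIORITIES:
            raise ValueError("L7 rules must be placed at priority 1-4")
        if fld not in ("host", "uri", "host+uri"):
            raise ValueError(f"unsupported L7 classification field {fld!r}")
        key = (fld, value)
        if key in self.l7_rules and self.l7_rules[key] != priority:
            raise ValueError("rule already stored at another priority")
        self.l7_rules[key] = priority

    def add_l4_rule(self, domain: str, action: Action) -> None:
        self.l4_rules[domain] = action

    @staticmethod
    def _l7_hit(fld: str, value: str, pkt: dict) -> bool:
        if fld == "host+uri":
            return value == pkt.get("host", "") + pkt.get("uri", "")
        return pkt.get(fld) == value

    def classify(self, pkt: dict) -> Action:
        """Resolve one parsed request to a forwarding action."""
        hits = [p for (fld, val), p in self.l7_rules.items()
                if self._l7_hit(fld, val, pkt)]
        # Several priorities may hit at once; the page says the rule with the
        # highest priority (lowest number) wins.  No hit -> default priority.
        chosen: Priority = min(hits) if hits else "default"
        action = self.l7_behaviour[chosen]
        if action.behaviour == "tol4":
            # Hand the lookup to the L4 table.  A miss there is the page's
            # step 6a09: no rule matched, so the packet is discarded.
            return self.l4_rules.get(pkt.get("domain", ""), Action("drop"))
        return action


def build_page_example() -> RuleSet:
    """The configuration quoted on the page:
         add ruleset 1 control l4: 1 domain="www.wiki.com"
         set ruleset 1 control target: default to l4
         set ruleset 1 control l4: 1 redirect hash s 9
    """
    rs = RuleSet()
    rs.add_l4_rule("www.wiki.com", Action("redirect", port=9))
    rs.set_l7_behaviour("default", Action("tol4"))
    return rs


if __name__ == "__main__":
    rs = build_page_example()
    # Constructed sample requests, not taken from the page.
    wiki = {"domain": "www.wiki.com", "host": "www.wiki.com", "uri": "/search?q=VPDN"}
    other = {"domain": "example.invalid", "host": "example.invalid", "uri": "/"}
    print(rs.classify(wiki))    # redirect to return port 9
    print(rs.classify(other))   # drop: no rule matched (step 6a09)
```

The L7 and L4 tables are kept separate on purpose: a "tol4" behaviour at the default priority is the only path from one to the other, which is exactly how the page's "default to l4" configuration chains the two lookups, and the one-priority-per-rule check in add_l7_rule enforces the constraint the page states on stored rules.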
In step 6b01, the data request from terminal 1 is sent via return port C to server 1, whose IP address is 192.168.6.100. Server 1 searches its database for data with the keyword "VPDN" and sends the query result back to port C.
In step 6b02, after the return port receives the data, the flow characteristics of the packet are extracted first and the flow is looked up in the flow table described in table 1. If a flow matching those characteristics is found, go to step 6b03; otherwise go to step 6b04.
In step 6b03, if the flow table contains a flow matching the characteristics of the packet, the uplink or downlink direction of the packet is analyzed first. In this example, the data returned after server 1 has processed the request from terminal 1 may be either uplink or downlink: if information with the keyword "VPDN" is found in the database of server 1, the packet is a response packet and therefore a downlink packet; if no information with the keyword "VPDN" is found, the request from terminal 1 must be returned to the link, and the packet received at return port C is then the request packet, i.e. uplink. The packet information is shown in table 4 below:
(Table 4 is an image in the original and is not reproduced here.)
In step 6b04, if the packet sent back by server 1 does not match any entry in the flow table, the action of the packet is set to discard.
In step 6b05, the contents of table 4 are updated according to the uplink/downlink analysis of steps 5 and 6b03. If the packet sent back by server 1 is uplink data (no information with the keyword "VPDN" was found), the original destination port of the packet is looked up in the flow table shown in table 2, where destination port B is found. If the packet sent back by server 1 is downlink data (information with the keyword "VPDN" was found), the original input port of the packet is looked up in the flow table shown in table 2, where the original port is found to be A. After the update, table 4 has two possible forms, shown in tables 5 and 6 below.
Table 5:
(Table 5 is an image in the original and is not reproduced here.)
Table 6:
(Table 6 is an image in the original and is not reproduced here.)
In step 610, the packet is forwarded out of the specified port according to its forwarding behavior, or discarded. The forwarding behavior here may forward to the return port or to the serial port.
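Steps 6b02 to 6b05 and 610 together form the return path: a packet arriving from the return port is either tied to a known flow and put back on the serial link in the right direction, or discarded. The following is an added Python illustration of that logic, not code from the patent or the device vendor. It assumes that the flow key is the 5-tuple of the original request and that the direction is decided by whether the returned packet carries that 5-tuple (uplink, the request being put back) or its reverse (downlink, the server's answer); the page itself ties the direction to whether the keyword was found, which the device cannot see directly. The port names A and B follow the page; the addresses are constructed.

```python
# Added illustration of the return-port handling in steps 6b02-6b05 and 610
# of the page: look the returned packet up in the flow table, decide uplink
# versus downlink, and pick the forwarding port.  Not the device's own code.
# Assumptions: the flow key is the 5-tuple of the original request, and the
# direction is decided by whether the returned packet carries that 5-tuple
# (uplink, the request put back on the link) or its reverse (downlink, the
# server's answer); the page itself ties the direction to whether the
# keyword was found.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FlowKey = Tuple[str, int, str, int, str]   # src_ip, src_port, dst_ip, dst_port, proto


@dataclass(frozen=True)
class FlowEntry:
    in_port: str    # serial port the request entered on (page: port A)
    out_port: str   # serial port it would have left on (page: port B)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str

    def key(self) -> FlowKey:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)

    def reverse_key(self) -> FlowKey:
        return (self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


class FlowTable:
    """The flow table the serial path fills (page: table 1 / table 2)."""

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, FlowEntry] = {}

    def learn(self, request: Packet, in_port: str, out_port: str) -> None:
        # Called when a request is redirected to the return port, so that the
        # server's answer (or the returned request) can be placed back later.
        self.flows[request.key()] = FlowEntry(in_port, out_port)

    def lookup(self, pkt: Packet) -> Optional[Tuple[str, FlowEntry]]:
        # Step 6b02: same 5-tuple as the request -> uplink; reversed -> downlink.
        if pkt.key() in self.flows:
            return "uplink", self.flows[pkt.key()]
        if pkt.reverse_key() in self.flows:
            return "downlink", self.flows[pkt.reverse_key()]
        return None


def handle_return_packet(table: FlowTable, pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return ("forward", port) or ("drop", None) for a packet from the return port."""
    found = table.lookup(pkt)
    if found is None:
        return "drop", None                      # step 6b04: unknown flow is discarded
    direction, entry = found
    # Step 6b05: uplink -> original destination port (B), downlink -> original
    # input port (A).  Step 610 then emits the packet on that serial port.
    port = entry.out_port if direction == "uplink" else entry.in_port
    return "forward", port


if __name__ == "__main__":
    table = FlowTable()
    # Constructed sample traffic (RFC 5737 documentation addresses), not from the page.
    request = Packet("192.0.2.10", 40000, "203.0.113.20", 80, "tcp")
    table.learn(request, in_port="A", out_port="B")
    answer = Packet("203.0.113.20", 80, "192.0.2.10", 40000, "tcp")
    stray = Packet("192.0.2.99", 5555, "203.0.113.20", 80, "tcp")
    print(handle_return_packet(table, request))  # ('forward', 'B'): request continues as uplink
    print(handle_return_packet(table, answer))   # ('forward', 'A'): answer goes back downlink
    print(handle_return_packet(table, stray))    # ('drop', None): no flow, discarded
```

The discard on a flow-table miss (step 6b04) is the property a reviewer of such a design would check first: only traffic that the serial path itself redirected can come back through the return port and be placed on the link, so the return port cannot be used to emit packets for flows the device never saw.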
In summary, the result is as follows: if VPDN content is found on the company's server, the company's internal wiki page is pushed back to the client; if no VPDN data is found within the company, the request to search www.wiki.com for VPDN is sent out and passes to the website with the domain name www.wiki.com.
Overall, in this embodiment the user's request to access the internet through the VPDN is intercepted by the network device inside the company, but the request is not discarded. An internet request initiated by the user is first matched against internal data, that is, data from the internal database is injected toward the internet user, which meets the requirement for dynamic data injection toward the VPDN.

Claims (1)

1. A method for dynamic data injection in a virtual private dial-up network, characterized in that a device for dynamic data injection in the virtual private dial-up network is connected in series in the original link and a server is connected externally; the external server generates different data packets according to different rules and sends the data packets back to the device through a return port; the device inquires, through a classification matching unit, whether the flow to which a data packet belongs exists and, if it does not exist, discards the data packet; if it exists, the uplink or downlink direction of the data packet is analyzed, the port is inquired according to the result of the direction analysis, the forwarding port of the data packet is set to the inquired port, and finally the dynamic data packet is sent to the original link according to the forwarding port, realizing dynamic data injection toward the virtual private dial-up network; the device for dynamic data injection in the virtual private dial-up network comprises a serial port unit (1), a global control unit (2), a classification matching unit (3), a service unit (4) and a return unit (5), wherein: the serial port unit (1) is at least one pair of forwarding ports connected in series between the network server and the switch and used for the serial traffic; the global control unit (2) configures a service port and a return port through a configuration interface, configures the rules and behaviors of data packets that need to be redirected to the return port, and initializes the flow table; the classification matching unit (3) is used for receiving data packets from the serial port unit (1) and forwarding them to the service unit (4), the serial port unit (1) or the return unit (5) according to the result of the rule inquiry, and for receiving data packets from the return unit (5), inquiring the flow table, analyzing the uplink or downlink direction of the data packet and inquiring the source port, where analyzing the uplink or downlink direction of the data packet means that if the direction of the data packet is uplink, the destination port is inquired in the flow table, and if the direction of the data packet is downlink, the source port number is inquired in the flow table; the forwarding port of the data packet is set to the inquired destination port or source port, and the data packet is then sent to the serial port unit (1); the service unit (4) is used for receiving data packets from the classification matching unit (3) and forwarding them to external equipment according to the result label; and the return unit (5) is used for receiving data from the classification matching unit (3), sending it to the external server, receiving data packets from the external server and sending them to the classification matching unit (3).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610699552.5A CN106713260B (en) 2013-12-27 2013-12-27 Method for dynamic data injection in virtual private dial-up network

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610699552.5A CN106713260B (en) 2013-12-27 2013-12-27 Method for dynamic data injection in virtual private dial-up network
CN201310731323.3A CN103685310B (en) 2013-12-27 2013-12-27 A kind of devices and methods therefor that dynamic data injects in Virtual Private Dialup Network

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN201310731323.3A Division CN103685310B (en) 2013-12-27 2013-12-27 A kind of devices and methods therefor that dynamic data injects in Virtual Private Dialup Network

Publications (2)

Publication Number Publication Date
CN106713260A CN106713260A (en) 2017-05-24
CN106713260B true CN106713260B (en) 2020-07-10

Family

ID=50321624

Country Status (1)

Country Link
CN (2) CN103685310B (en)

Also Published As

Publication number Publication date
CN103685310A (en) 2014-03-26
CN103685310B (en) 2017-01-04
CN106713260A (en) 2017-05-24

Legal Events

Code Title Description
DD01 Delivery of document by public notice
Addressee: Constant technology (Shanghai) Limited by Share Ltd
Document name: Notice of non patent agent (person)
DD01 Delivery of document by public notice
Addressee: Constant technology (Shanghai) Limited by Share Ltd
Document name: Notification to Make Rectification
DD01 Delivery of document by public notice
Addressee: Constant technology (Shanghai) Limited by Share Ltd
Document name: Notification of Passing Examination on Formalities
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
Granted publication date: 20200710
Termination date: 20201227