CN106789282A - Method for low-latency processing of the IEC 60870-5-104 protocol on an industrial firewall - Google Patents
Method for low-latency processing of the IEC 60870-5-104 protocol on an industrial firewall
- Publication number
- CN106789282A (application CN201611233795.6A)
- Authority
- CN
- China
- Prior art keywords
- iec60870
- rule
- network interface
- queue
- data
- Legal status
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/0803—Configuration setting
- H04L41/0823—Configuration setting characterised by the purposes of a change of settings, e.g. optimising configuration for enhancing reliability
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/10—Active monitoring, e.g. heartbeat, ping or trace-route
Abstract
The invention provides a method for low-latency processing of the IEC 60870-5-104 protocol on an industrial firewall. The method has three main steps. In the first step, from the moment the network card receives data, the card's multi-queue function is enabled and the network card driver runs in NAPI mode. In the second step, the card's multiple queues and the multi-core CPU are used together with SMP core binding: one interrupt number is requested for each network card queue and each queue is bound through its interrupt to a different CPU core, so that all CPU cores can process network card data at the same moment, giving concurrent processing and raising the network card data processing rate. The third step concerns protocol protection: the policy rules issued by the user are optimized with tools such as IPSET, rule matching is done in batches, the matching speed rises and the delay falls. The method solves the problem that an industrial firewall, when protecting the IEC 60870-5-104 protocol, increases communication delay and causes communication failures.
Description
Technical field
The invention belongs to the technical field of industrial firewall defense-in-depth, and more particularly relates to a method for low-latency processing of the IEC 60870-5-104 protocol on an industrial firewall.
Background technology
Current industrial firewalls protecting IEC 60870-5-104 consume a relatively large amount of time over the whole process. The firewall receives an IEC 60870-5-104 packet, hands it to the firewall system for processing, matches the basic rules, and then performs defense-in-depth with field matching. In the existing scheme, IEC 60870-5-104 is processed as follows:
Step one, the network card receives the IEC 60870-5-104 packet: the card works in ordinary mode, a single queue receives the packets, and the kernel is notified by hardware interrupt.
Step two, a single CPU core processes the network card data: the data in the network card queue are loaded into the kernel for processing.
Step three, rule matching: the packet is matched against the system rules, of which hundreds or even thousands may be configured.
Step four, defense-in-depth: a dedicated module is developed; the packet contents are copied into the module, parsed, and rule-matched field by field.
Protection result feedback: according to the protection result, the IEC 60870-5-104 packet is passed or intercepted, and the result is reported to the firewall management client.
The prior art has distinct disadvantages. Because the firewall's network card receives packets through a single queue, large volumes of protocol data cannot keep entering the card for processing; packets are lost, the protocol retransmits, and communication delay rises sharply. After a packet enters the card, the kernel is notified by interrupt; as packets arrive in volume they generate large numbers of hardware interrupts, the CPU is busy servicing interrupts and cannot process data normally, packets accumulate in the card, and delay grows. The large number of user-configured rules are matched in the kernel, each packet undergoes a large amount of data matching, and delay grows linearly with the number of rules. During packet defense-in-depth, IP addresses, ports, protocol and other fields are matched in a simple way by string matching, which greatly increases the matching time and adds delay.
The prior art is therefore deficient and needs to be improved.
The content of the invention
The technical problem to be solved by the invention, in view of the deficiencies of the prior art, is to provide a method for low-latency processing of the IEC 60870-5-104 protocol on an industrial firewall, which reduces the processing delay while the firewall protects IEC 60870-5-104 communication, so that the firewall's protection does not cause IEC 60870-5-104 communication failures.
The invention provides a method for low-latency processing of the IEC 60870-5-104 protocol on an industrial firewall, comprising the following steps:
Step 102: only one hardware interrupt is triggered when a packet arrives; the hardware interrupt is then closed and subsequent packets are received and processed in polling mode until no packet remains;
Step 104: one interrupt number is requested for each queue, and under the SMP architecture each queue is bound through its interrupt to a different core, so that all cores can process network card data at the same moment;
Step 106: whether a packet is an IEC 60870-5-104 packet is determined from whether the port is 2404 and whether the first two bytes of the data segment are 68H;
Step 108: rule matching is performed in batches, the policy rules being mainly rules that protect the IP addresses of the upstream and downstream machines;
Step 110: the processing module is mounted directly on the HOOK points provided by the kernel;
Step 112: a HASH algorithm is used to raise the matching speed for four-tuple and five-tuple information.
In the method described, step 102 includes that, before a packet arrives, the network card driver uses NAPI mode and, with the driver modified, only one hardware interrupt is triggered.
In the method described, step 102 also includes reopening the hardware interrupt when the maximum polling time or the maximum polling data volume is reached.
In the method described, step 104 includes: using a multi-queue network card and a multi-core CPU, one interrupt number is requested for each queue.
In the method described, step 106 includes: using the IEC 60870-5-104 detection mechanism, whether a packet is an IEC 60870-5-104 packet is determined from whether the port is 2404 and whether the first two bytes of the data segment are 68H.
In the method described, step 108 includes: the policy rules issued by the user are optimized with the IPSET tool and rule matching is performed in batches; the policy rules are rules protecting the IP addresses of the upstream and downstream machines, and a protection rule forbids or allows the data flow of a certain protocol type for a certain IP address.
In the method described, step 108 includes: IPSET stores multiple protection rules in one address set (sets).
In the method described, step 110 includes: using the HOOK processing mechanism of the Linux kernel Netfilter framework, the processing module is mounted directly on the HOOK points provided by the kernel.
With this scheme, the delay of IEC 60870-5-104 protocol communication through the firewall is reduced. The invention optimizes from the point where data enter the network card, with CPU-core accelerated processing, general rule matching, and depth detection using the most efficient optimized matching and algorithmic matching, reducing to the greatest extent the communication delay added when IEC 60870-5-104 is inspected. When NAPI, multi-queue and SMP multi-core processing are enabled, the small-packet line rate of the firewall device can be raised 10-20 times. However, when NAPI is enabled, the maximum polling time and the maximum polling data volume must be configured dynamically according to the working network environment of the industrial firewall, following the formula (packet size/600 * packets per unit time/400M) %2 * (CPU load/100): when the value of the formula is 1 or greater, the hardware interrupt is opened immediately; when it is less than 1, the hardware interrupt is closed and data are processed by polling.
Brief description of the drawings
Fig. 1 is a flow chart of an embodiment of the invention.
Specific embodiment
The invention is described in detail below with reference to the drawings and specific embodiments.
Embodiment 1
The IEC 60870-5-104 protocol is a telecontrol communication protocol between a dispatching station and remote substations that is widely used in the power industry. Its communication has stringent delay requirements, and an industrial firewall that receives, processes and deep-inspects IEC 60870-5-104 protocol data significantly increases the delay of IEC 60870-5-104 communication, easily causing remote communication timeouts and communication failures that disrupt the normal communication of the power network. The IEC 60870-5-104 low-latency technology proposed by the invention greatly reduces the delay of the industrial firewall when processing IEC 60870-5-104 protocol data and minimizes the effect of protection on normal IEC 60870-5-104 communication.
The method has three main steps:
In the first step, from the moment the network card receives data, the card's multi-queue function is enabled and the network card driver runs in NAPI mode. The driver is modified so that the card switches continuously between hardware-interrupt processing and polling processing according to the communication conditions of the industrial network, ensuring that packets are processed as fast as possible under all conditions, whether packets are large or small and network traffic is high or low. When NAPI, multi-queue and SMP multi-core processing are enabled, the small-packet line rate of the firewall device can be raised 10-20 times. However, when NAPI is enabled, the maximum polling time and the maximum polling data volume must be configured dynamically according to the working network environment of the industrial firewall, following the formula (packet size/600 * packets per unit time/400M) %2 * (CPU load/100): when the value of the formula is 1 or greater, the hardware interrupt is opened immediately; when it is less than 1, the hardware interrupt is closed and data are processed by polling.
In the second step, the card's multiple queues and the multi-core CPU are used together with SMP core binding: one interrupt number is requested for each network card queue and each queue is bound through its interrupt to a different CPU core, so that all CPU cores can process network card data at the same moment, giving concurrent processing and raising the network card data processing rate.
In the third step, protocol protection is handled: the policy rules issued by the user are optimized with tools such as IPSET, rule matching is done in batches, matching speed rises and delay falls. Using the HOOK processing mechanism of the Linux kernel Netfilter framework, the processing module is mounted directly on the HOOK points provided by the kernel; matching in a kernel module reduces function calls, cuts resource switching overhead and raises processing efficiency. A HASH algorithm raises the matching speed for four-tuple and five-tuple information.
The method of the invention solves the problem that an industrial firewall, when protecting the IEC 60870-5-104 protocol, increases communication delay and causes communication failures.
On this basis, as shown in Fig. 1, the invention provides a method for low-latency processing of the IEC 60870-5-104 protocol on an industrial firewall, comprising the following steps:
Step 102: only one hardware interrupt is triggered when a packet arrives; the hardware interrupt is then closed and subsequent packets are received and processed in polling mode until no packet remains;
Step 104: one interrupt number is requested for each queue, and under the SMP architecture each queue is bound through its interrupt to a different core, so that all cores can process network card data at the same moment;
Step 106: whether a packet is an IEC 60870-5-104 packet is determined from whether the port is 2404 and whether the first two bytes of the data segment are 68H;
Step 108: rule matching is performed in batches, the policy rules being mainly rules that protect the IP addresses of the upstream and downstream machines;
Step 110: the processing module is mounted directly on the HOOK points provided by the kernel;
Step 112: a HASH algorithm is used to raise the matching speed for four-tuple and five-tuple information.
In the above method, step 102 includes that, before a packet arrives, the network card driver uses NAPI mode and, with the driver modified, only one hardware interrupt is triggered.
In the above method, step 102 also includes reopening the hardware interrupt when the maximum polling time or the maximum polling data volume is reached.
In the above method, step 104 includes: using a multi-queue network card and a multi-core CPU, one interrupt number is requested for each queue.
In the above method, step 106 includes: using the IEC 60870-5-104 detection mechanism, whether a packet is an IEC 60870-5-104 packet is determined from whether the port is 2404 and whether the first two bytes of the data segment are 68H.
In the above method, step 108 includes: the policy rules issued by the user are optimized with the IPSET tool and rule matching is performed in batches; the policy rules are rules protecting the IP addresses of the upstream and downstream machines, and a protection rule forbids or allows the data flow of a certain protocol type for a certain IP address. Batch rule matching means matching in batches: IPSET can merge several compatible rules into one, and after merging, matching that one rule actually matches many.
In the above method, step 108 includes: IPSET stores multiple protection rules in one address set (sets). Unlike ordinary iptables chains, which are stored and filtered linearly, an ip set is stored in an indexed data structure, so even a fairly large set can be searched efficiently. As another example, IPSET can create a rule that allows port 22 through the firewall, and multiple IPs can be added to that rule with ipset add, so that packets to port 22 of those IPs pass the firewall.
In the above method, step 110 includes: using the HOOK processing mechanism of the Linux kernel Netfilter framework, the processing module is mounted directly on the HOOK points provided by the kernel.
The invention can follow a modular design principle. The IEC 60870-5-104 driver matching component enables the NAPI receive mode and modifies the network card driver, switching and coordinating between hardware interrupts and polling according to the size and number of packets so that efficiency is highest and delay is minimized. The IEC 104 multi-core processing component binds the network card queues to the corresponding cores and processes packets concurrently, raising processing speed and packet throughput, relieving the load on single-core processing and reducing processing delay. The IEC 60870-5-104 rule optimization component uses the IPSET tool to create one set from the multiple user-configured rules, reducing the number of matches, improving performance and reducing delay. The IEC 60870-5-104 efficient matching component uses HASH and similar algorithms to raise the matching speed for four-tuple, five-tuple and string information.
The invention optimizes and accelerates from the point where data enter the network card: driver-mode matching and mode-switching acceleration, multi-core multi-queue CPU acceleration, general rule matching acceleration, and depth detection accelerated with the most efficient optimized matching and algorithmic matching, reducing to the greatest extent the communication delay added when the industrial firewall inspects the IEC 60870-5-104 protocol. Abnormal interference of the industrial firewall with IEC 60870-5-104 protocol communication is avoided, achieving the goal that the industrial firewall protects the communication protocol without affecting the communication.
It should be understood that those of ordinary skill in the art can make improvements or changes based on the above description, and all such modifications and variations shall fall within the scope of protection of the appended claims of the invention.
Claims (8)
1. A method for low-latency processing of the IEC 60870-5-104 protocol on an industrial firewall, characterised in that it comprises the following steps:
Step 102: only one hardware interrupt is triggered when a packet arrives; the hardware interrupt is then closed and subsequent packets are received and processed in polling mode until no packet remains;
Step 104: one interrupt number is requested for each queue, and under the SMP architecture each queue is bound through its interrupt to a different core, so that all cores can process network card data at the same moment;
Step 106: whether a packet is an IEC 60870-5-104 packet is determined from whether the port is 2404 and whether the first two bytes of the data segment are 68H;
Step 108: rule matching is performed in batches, the policy rules being mainly rules that protect the IP addresses of the upstream and downstream machines;
Step 110: the processing module is mounted directly on the HOOK points provided by the kernel;
Step 112: a HASH algorithm is used to raise the matching speed for four-tuple and five-tuple information.
2. The method according to claim 1, characterised in that step 102 includes that, before a packet arrives, the network card driver uses NAPI mode and, with the driver modified, only one hardware interrupt is triggered.
3. The method according to claim 2, characterised in that step 102 also includes reopening the hardware interrupt when the maximum polling time or the maximum polling data volume is reached.
4. The method according to claim 1, characterised in that step 104 includes: using a multi-queue network card and a multi-core CPU, one interrupt number is requested for each queue.
5. The method according to claim 1, characterised in that step 106 includes: using the IEC 60870-5-104 detection mechanism, whether a packet is an IEC 60870-5-104 packet is determined from whether the port is 2404 and whether the first two bytes of the data segment are 68H.
6. The method according to claim 1, characterised in that step 108 includes: the policy rules issued by the user are optimized with the IPSET tool and rule matching is performed in batches; the policy rules are rules protecting the IP addresses of the upstream and downstream machines, and a protection rule forbids or allows the data flow of a certain protocol type for a certain IP address.
7. The method according to claim 1, characterised in that step 108 includes: IPSET stores multiple protection rules in one address set (sets).
8. The method according to claim 1, characterised in that step 110 includes: using the HOOK processing mechanism of the Linux kernel Netfilter framework, the processing module is mounted directly on the HOOK points provided by the kernel.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611233795.6A CN106789282A (en) | 2016-12-28 | 2016-12-28 | Method for low-latency processing of the IEC 60870-5-104 protocol on an industrial firewall |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611233795.6A CN106789282A (en) | 2016-12-28 | 2016-12-28 | Method for low-latency processing of the IEC 60870-5-104 protocol on an industrial firewall |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106789282A true CN106789282A (en) | 2017-05-31 |
Family
ID=58921439
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611233795.6A Pending CN106789282A (en) | 2016-12-28 | 2016-12-28 | Method for low-latency processing of the IEC 60870-5-104 protocol on an industrial firewall |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106789282A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109284192A (en) * | 2018-09-29 | 2019-01-29 | 网宿科技股份有限公司 | Method for parameter configuration and electronic equipment |
CN110460623A (en) * | 2019-09-27 | 2019-11-15 | 杭州九略智能科技有限公司 | Processing system, method and terminal for general industrial control protocols |
CN114006863A (en) * | 2021-11-02 | 2022-02-01 | 北京科东电力控制系统有限责任公司 | Multi-core load balancing cooperative processing method and device and storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103139184A (en) * | 2011-12-02 | 2013-06-05 | 中国电信股份有限公司 | Intelligent network firewall device and network attack protection method |
CN103368263A (en) * | 2013-07-18 | 2013-10-23 | 国家电网公司 | Detection method for communication states of IEC104 protocol of dispatching automation system |
CN103701784A (en) * | 2013-12-17 | 2014-04-02 | 迈普通信技术股份有限公司 | Host machine protection method |
US20160285829A1 (en) * | 2013-12-20 | 2016-09-29 | Abb Technology Ag | Security framework for transmitting communication messages between a substation lan and packet-switched wan |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20170531 |