CN106789282A - A method for low-latency processing of the IEC60870-5-104 protocol in an industrial firewall - Google Patents

It is a kind of to realize the method that the agreement low latencies of IEC60870 5 104 process industrial fireproof wall Download PDF

Info

Publication number
CN106789282A
Authority
CN
China
Prior art keywords
iec60870
rule
network interface
queue
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201611233795.6A
Other languages
Chinese (zh)
Inventor
彭亮
韩涛
李龙飞
王明军
郝庆贺
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qingdao Haitian Wei Industrial Process Control Technology Co., Ltd.
Original Assignee
Qingdao Haitian Wei Industrial Process Control Technology Co., Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2016-12-28
Filing date
2016-12-28
Publication date
2017-05-31
Application filed by Qingdao Haitian Wei Industrial Process Control Technology Co., Ltd.
Priority to CN201611233795.6A
Publication of CN106789282A
Legal status: Pending (as listed by Google Patents)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/08 Configuration management of networks or network elements
    • H04L 41/0803 Configuration setting
    • H04L 41/0823 Configuration setting characterised by the purposes of a change of settings, e.g. optimising configuration for enhancing reliability
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/10 Active monitoring, e.g. heartbeat, ping or trace-route

Abstract

The invention provides a method for low-latency processing of the IEC60870-5-104 protocol by an industrial firewall. The method has three main steps. The first step begins where the network card receives data: the network card enables its multi-queue function and the network card driver uses NAPI mode. The second step uses the network card's multiple queues together with a multi-core CPU and SMP core binding: each network card queue is assigned its own interrupt number and is bound through that interrupt to a different CPU core, so that all CPU cores can process network card data at the same time, giving concurrent processing and raising the network card data processing speed. The third step is the protocol protection processing: the policy rules issued by the user are optimized with tools such as IPSET to implement batch rule matching, which raises matching speed and reduces delay. The method solves the problem that an industrial firewall protecting the IEC60870-5-104 protocol increases the communication delay and causes communication faults.

Description

It is a kind of to realize the method that IEC60870-5-104 agreements low latency processes industrial fireproof wall
Technical field
The invention belongs to the technical field of industrial firewall defense-in-depth, and in particular relates to a method for low-latency processing of the IEC60870-5-104 protocol in an industrial firewall.
Background art
Current industrial firewalls, when protecting IEC60870-5-104, consume a relatively large amount of time over the whole process. The firewall receives an IEC60870-5-104 packet, hands it to the firewall system for processing, matches the basic rules, and then performs defense-in-depth and field matching. Existing schemes process IEC60870-5-104 as follows:
Step 1, the network card receives the IEC60870-5-104 packet: the network card works in ordinary mode, a single queue receives the packets, and the kernel is notified by hardware interrupt.
Step 2, a single CPU core processes the network card data: the data in the network card queue is loaded into the kernel for processing.
Step 3, rule matching: the packet is matched against the system rules, which may be hundreds or even thousands of configured rules.
Step 4, defense-in-depth: a custom module is developed; the packet contents are copied into that module, parsed, and matched against rules field by field;
Protection result feedback: according to the protection result the IEC60870-5-104 packet is passed or intercepted, and the result is reported to the firewall management client.
The prior art has obvious shortcomings. Because the firewall's network card uses a single queue when receiving packets, large volumes of protocol data cannot flow continuously into the network card for processing; packets are lost, the protocol communication retransmits, and the communication delay increases greatly. After a packet enters the network card the kernel is notified by interrupt; as packets arrive in large numbers they generate a large number of hardware interrupts, the CPU is busy responding to interrupts and cannot process data normally, packets pile up in the network card, and delay increases. The large number of user-configured rules is matched in the kernel, every packet goes through a large amount of matching, and delay grows linearly with the number of rules. During packet defense-in-depth, fields such as IP address, port and protocol are matched by simple string comparison, which greatly increases the time spent matching and increases delay.
The prior art is therefore deficient and needs improvement.
Summary of the invention
The technical problem to be solved by the invention, in view of the deficiencies of the prior art, is to provide a method for low-latency processing of the IEC60870-5-104 protocol in an industrial firewall, which reduces the processing delay while the firewall protects IEC60870-5-104 communication, so that the firewall's protection does not cause IEC60870-5-104 communication faults.
The invention provides a method for low-latency processing of the IEC60870-5-104 protocol in an industrial firewall, comprising the following steps:
Step 102: only one hardware interrupt is triggered when a packet arrives; the hardware interrupt is then disabled and subsequent packets are received and processed by polling until no packets remain;
Step 104: each queue is assigned its own interrupt number, and through the SMP architecture each queue is bound via its interrupt to a different core, so that all cores can process network card data at the same time;
Step 106: whether a packet is an IEC60870-5-104 packet is decided by whether the port is 2404 and whether the first two bytes of the data segment are 68H;
Step 108: batch rule matching is implemented; the policy rules are mainly the rules protecting the IP addresses of the upstream and downstream machines;
Step 110: the processing module is mounted directly on the HOOK points provided by the kernel;
Step 112: a HASH algorithm is used to raise the matching speed of four-tuple and five-tuple information.
In the method, step 102 includes: before a packet arrives, the network card driver uses NAPI mode and, with the driver so modified, only one hardware interrupt is triggered.
In the method, step 102 also includes re-enabling the hardware interrupt when the maximum polling time or the maximum polling data volume is reached.
In the method, step 104 includes: using a multi-queue network card and a multi-core CPU, each queue is assigned its own interrupt number.
In the method, step 106 includes: using an IEC60870-5-104 detection mechanism, whether a packet is an IEC60870-5-104 packet is decided by whether the port is 2404 and whether the first two bytes of the data segment are 68H.
In the method, step 108 includes: the policy rules issued by the user are optimized with the IPSET tool to implement batch rule matching; the policy rules are the rules protecting the IP addresses of the upstream and downstream machines, and a protection rule forbids or allows the data flow of a certain protocol type for a certain IP address.
In the method, step 108 includes: IPSET stores multiple protection rules in one address set.
In the method, step 110 includes: using the HOOK processing mechanism of the Linux kernel Netfilter framework, the processing module is mounted directly on the HOOK points provided by the kernel.
With the above scheme the IEC60870-5-104 protocol communication delay on the firewall is reduced. The invention optimizes from the point where data enters the network card, accelerates processing across CPU cores, and uses the most efficient optimized matching and algorithmic matching for general rule matching and deep inspection, reducing as far as possible the communication delay added when the IEC60870-5-104 protocol is inspected. With NAPI, multi-queue and SMP multi-core processing enabled, the firewall's small-packet line rate can rise 10 to 20 times. When NAPI is enabled, however, the maximum polling time and the maximum polling data volume need to be configured dynamically according to the working network environment of the industrial firewall, following the formula (packet size / 600 × packets per unit time / 400M) % 2 × (CPU load / 100): when the formula's result is 1 or greater the hardware interrupt is re-enabled immediately; when it is less than 1 the hardware interrupt is disabled and data is processed by polling.
Brief description of the drawings
Fig. 1 is a flow chart of an embodiment of the invention.
Detailed description
The invention is described in detail below with reference to the drawings and specific embodiments.
Embodiment 1
The IEC60870-5-104 protocol is widely used in the power industry as a telecontrol communication protocol between a dispatch station and a remote substation. The protocol's communication process has strict delay requirements. When an industrial firewall receives, processes and deep-inspects IEC60870-5-104 protocol data it significantly increases the IEC60870-5-104 communication delay, which easily causes the remote communication to time out abnormally, leading to communication faults that affect the normal communication of the power network. The IEC60870-5-104 low-latency technique proposed by the invention greatly reduces the industrial firewall's delay when processing IEC60870-5-104 protocol data and minimizes the impact of protection on normal IEC60870-5-104 communication.
The method has three main steps:
The first step begins where the network card receives data: the network card enables its multi-queue function and the driver uses NAPI mode. The driver is modified so that the network card switches continuously between hardware-interrupt processing and polling according to the traffic conditions of the industrial network, ensuring that under conditions such as large or small packets and high or low network traffic, packets are processed at the fastest possible speed. With NAPI, multi-queue and SMP multi-core processing enabled, the firewall's small-packet line rate can rise 10 to 20 times. When NAPI is enabled, however, the maximum polling time and the maximum polling data volume need to be configured dynamically according to the working network environment of the industrial firewall, following the formula (packet size / 600 × packets per unit time / 400M) % 2 × (CPU load / 100): when the formula's result is 1 or greater the hardware interrupt is re-enabled immediately; when it is less than 1 the hardware interrupt is disabled and data is processed by polling.
The second step uses the network card's multiple queues with a multi-core CPU and SMP core binding: each network card queue is assigned its own interrupt number and is bound through that interrupt to a different CPU core, so that all CPU cores can process network card data at the same moment, achieving concurrent processing and raising the network card data processing speed.
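On Linux the queue-to-core binding of the second step is done from user space: the driver is asked for the queues with ethtool, and one CPU mask per queue interrupt is written to /proc/irq/<irq>/smp_affinity. The script below is an added example, not code from the patent or its assignee. The interface name eth0, the queue count and the "eth0-TxRx-N" interrupt names in the constructed /proc/interrupts excerpt are assumptions (that naming is what the Intel igb/ixgbe drivers use; other drivers name their queue interrupts differently).

```shell
#!/bin/sh
# Added example (not from the patent): give each RX/TX queue of a multi-queue
# NIC its own interrupt and pin that interrupt to its own CPU core.
# Assumptions: interface eth0, queue interrupts named "eth0-TxRx-N" in
# /proc/interrupts (the naming used by the Intel igb/ixgbe drivers).
NIC="${NIC:-eth0}"
NQUEUES="${NQUEUES:-4}"

# Constructed /proc/interrupts excerpt, used when the running kernel shows no
# queue interrupts for $NIC (for instance in a sandbox). Column 1 is the IRQ
# number, the last column is the interrupt name.
SAMPLE_INTERRUPTS='
  40:   1023      0      0      0   PCI-MSI  eth0
  41:  55012      0      0      0   PCI-MSI  eth0-TxRx-0
  42:      0  48110      0      0   PCI-MSI  eth0-TxRx-1
  43:      0      0  47210      0   PCI-MSI  eth0-TxRx-2
  44:      0      0      0  50931   PCI-MSI  eth0-TxRx-3
'

# affinity_mask CPU -> hex bitmask with only bit CPU set, the format that
# /proc/irq/<irq>/smp_affinity expects (no 0x prefix).
affinity_mask() {
    printf '%x\n' $(( 1 << $1 ))
}

# queue_irqs IFACE [FILE] -> one "queue irq" pair per line for IFACE-TxRx-<queue>,
# read from FILE (default /proc/interrupts), or from the sample when FILE has none.
queue_irqs() {
    src="${2:-/proc/interrupts}"
    if [ -r "$src" ] && grep -q "$1-TxRx-" "$src" 2>/dev/null; then
        cat "$src"
    else
        printf '%s\n' "$SAMPLE_INTERRUPTS"
    fi | awk -v pat="^$1-TxRx-[0-9]+"'$' '
        $NF ~ pat { irq = $1; sub(/:$/, "", irq); q = $NF; sub(/.*-/, "", q); print q, irq }'
}

# pin_queues -> queue i goes to CPU (i mod online CPUs). The masks are written
# only when the real queue interrupts exist and are writable; otherwise the
# intended writes are printed as a dry run.
pin_queues() {
    ncpu=$(getconf _NPROCESSORS_ONLN 2>/dev/null || echo 1)
    if [ "$(id -u)" -eq 0 ] && [ -d "/sys/class/net/$NIC" ] && command -v ethtool >/dev/null 2>&1; then
        ethtool -L "$NIC" combined "$NQUEUES" 2>/dev/null || true   # ask the driver for NQUEUES queues
    fi
    queue_irqs "$NIC" | while read -r q irq; do
        cpu=$(( q % ncpu ))
        mask=$(affinity_mask "$cpu")
        if grep -q "$NIC-TxRx-" /proc/interrupts 2>/dev/null && [ -w "/proc/irq/$irq/smp_affinity" ]; then
            echo "$mask" > "/proc/irq/$irq/smp_affinity"
            echo "queue $q irq $irq -> cpu $cpu (mask $mask)"
        else
            echo "dry-run: queue $q irq $irq -> cpu $cpu (mask $mask)"
        fi
    done
}

pin_queues
```

Two checks belong with this: irqbalance, if running, rewrites smp_affinity and silently undoes the pinning, so either stop it or ban these IRQs in its configuration; and the result is visible in the per-CPU columns of /proc/interrupts, which should each grow for exactly one queue. On a NIC that offers only one queue, the same spreading can be approximated in software with RPS (/sys/class/net/<nic>/queues/rx-0/rps_cpus), at the cost of an inter-processor interrupt per packet batch.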
The third step is the protocol protection processing: the policy rules issued by the user are optimized with tools such as IPSET to implement batch rule matching, raising matching speed and reducing delay; using the HOOK processing mechanism of the Linux kernel Netfilter framework, the processing module is mounted directly on the HOOK points provided by the kernel, so that matching runs in a kernel module with fewer function calls and less context-switching overhead, raising processing efficiency; and a HASH algorithm raises the matching speed of four-tuple and five-tuple information.
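The set-based rule layout of the third step (and of step 108 below), as an added example that is not the patent's own code: the upstream addresses (controlling stations, which open the connection) and the downstream addresses (controlled stations, which listen on TCP 2404) go into two ipsets, and the IEC 104 policy becomes a fixed handful of iptables rules however many hosts are on either side. The set names, the sample addresses and the FORWARD-chain layout are assumptions; the output is in ipset restore and iptables-restore format so that it loads in one batch.

```shell
#!/bin/sh
# Added example (not the patent's code): upstream/downstream protection for
# IEC 60870-5-104 as two hash sets plus a constant number of iptables rules.
# Set names, addresses and the FORWARD-chain layout are assumptions.

# Constructed sample policy. Upstream = controlling stations (dispatch centre),
# downstream = controlled stations (substation RTUs). In IEC 104 the controlling
# station opens the TCP connection to port 2404 on the controlled station.
UPSTREAM="10.1.0.11 10.1.0.12"
DOWNSTREAM="192.168.104.0/24 10.2.7.5"
IEC104_PORT=2404

# gen_ipset -> text in `ipset restore` format creating both sets and their
# members. hash:net takes single hosts as well as CIDR prefixes.
gen_ipset() {
    printf 'create iec104_up hash:net family inet\n'
    printf 'create iec104_down hash:net family inet\n'
    for a in $UPSTREAM;   do printf 'add iec104_up %s\n' "$a"; done
    for a in $DOWNSTREAM; do printf 'add iec104_down %s\n' "$a"; done
}

# gen_iptables -> text in iptables-restore format for the filter table.
# The second rule covers every (upstream, downstream) pair, because the set
# lookups are hashed rather than walked.
gen_iptables() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp --dport $IEC104_PORT -m conntrack --ctstate NEW -m set --match-set iec104_up src -m set --match-set iec104_down dst -j ACCEPT
-A FORWARD -p tcp --dport $IEC104_PORT -j LOG --log-prefix "iec104-denied: "
COMMIT
EOF
}

# rule_count -> number of iptables rules, independent of the set sizes
rule_count() {
    gen_iptables | grep -c '^-A '
}

# pair_count -> rules a plain per-host iptables policy would need instead:
# one ACCEPT per (upstream, downstream) pair
pair_count() {
    set -- $UPSTREAM; up=$#
    set -- $DOWNSTREAM; down=$#
    echo $(( up * down ))
}

# load -> push both into the kernel (root only). `-exist` makes reruns
# idempotent; iptables-restore without --noflush replaces the whole filter table.
load() {
    gen_ipset | ipset -exist restore
    gen_iptables | iptables-restore
}

echo "# ipset restore input"; gen_ipset
echo "# iptables-restore input"; gen_iptables
echo "# $(rule_count) set-based rules instead of $(pair_count) per-host rules"
```

Adding a host later is `ipset add iec104_down 10.2.7.6` with no change to the iptables rules, which is the "match one rule, match many" effect the description refers to. Because `load` hands iptables-restore a complete `*filter` table, it wipes any INPUT/OUTPUT rules already on the box; merge the three rules into the existing policy before using it on a production firewall. The ESTABLISHED rule is what lets the controlled station's replies (source port 2404) back through without a second set lookup.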
The method solves the problem that an industrial firewall protecting the IEC60870-5-104 protocol increases the communication delay and causes communication faults.
On this basis, as shown in Fig. 1, the invention provides a method for low-latency processing of the IEC60870-5-104 protocol in an industrial firewall, comprising the following steps:
Step 102: only one hardware interrupt is triggered when a packet arrives; the hardware interrupt is then disabled and subsequent packets are received and processed by polling until no packets remain;
Step 104: each queue is assigned its own interrupt number, and through the SMP architecture each queue is bound via its interrupt to a different core, so that all cores can process network card data at the same time;
Step 106: whether a packet is an IEC60870-5-104 packet is decided by whether the port is 2404 and whether the first two bytes of the data segment are 68H;
Step 108: batch rule matching is implemented; the policy rules are mainly the rules protecting the IP addresses of the upstream and downstream machines;
Step 110: the processing module is mounted directly on the HOOK points provided by the kernel;
Step 112: a HASH algorithm is used to raise the matching speed of four-tuple and five-tuple information.
In the above method, step 102 includes: before a packet arrives, the network card driver uses NAPI mode and, with the driver so modified, only one hardware interrupt is triggered.
In the above method, step 102 also includes re-enabling the hardware interrupt when the maximum polling time or the maximum polling data volume is reached.
In the above method, step 104 includes: using a multi-queue network card and a multi-core CPU, each queue is assigned its own interrupt number.
In the above method, step 106 includes: using an IEC60870-5-104 detection mechanism, whether a packet is an IEC60870-5-104 packet is decided by whether the port is 2404 and whether the first two bytes of the data segment are 68H.
In the above method, step 108 includes: the policy rules issued by the user are optimized with the IPSET tool to implement batch rule matching; the policy rules are the rules protecting the IP addresses of the upstream and downstream machines, and a protection rule forbids or allows the data flow of a certain protocol type for a certain IP address. Batch rule matching is matching in bulk: IPSET can merge multiple compatible rules into one, and after merging, matching that one rule in effect matches many rules.
In the above method, step 108 includes: IPSET stores multiple protection rules in one address set. Unlike an ordinary iptables chain, which is stored and filtered linearly, an ipset is stored in an indexed data structure, so even a fairly large set can be searched efficiently. Another example: with IPSET one rule can be created that allows port 22 through the firewall, and multiple IP addresses can be added to that rule with ipset add, so that packets to port 22 from those IPs can pass the firewall.
In the above method, step 110 includes: using the HOOK processing mechanism of the Linux kernel Netfilter framework, the processing module is mounted directly on the HOOK points provided by the kernel.
The invention may use a modular, componentized design principle. The IEC60870-5-104 driver matching component enables the NAPI receive mode and modifies the network card driver, switching between hardware interrupt and polling according to packet size and count so that efficiency is maximized and delay is minimized. The IEC104 multi-core processing component binds each network card queue to a core and processes packets concurrently, raising processing speed and throughput, reducing the load of single-core processing, and reducing processing delay. The IEC60870-5-104 rule optimization component uses the IPSET tool to create one set from multiple user-configured rules, reducing the number of matches, improving performance and reducing delay. The IEC60870-5-104 efficient matching component uses algorithms such as HASH to raise the matching speed of four-tuple, five-tuple and string information.
With the above scheme the IEC60870-5-104 protocol communication delay on the firewall is reduced. The invention optimizes from the point where data enters the network card, accelerates processing across CPU cores, and uses the most efficient optimized matching and algorithmic matching for general rule matching and deep inspection, reducing as far as possible the communication delay added when the IEC60870-5-104 protocol is inspected. With NAPI, multi-queue and SMP multi-core processing enabled, the firewall's small-packet line rate can rise 10 to 20 times. When NAPI is enabled, however, the maximum polling time and the maximum polling data volume need to be configured dynamically according to the working network environment of the industrial firewall, following the formula (packet size / 600 × packets per unit time / 400M) % 2 × (CPU load / 100): when the formula's result is 1 or greater the hardware interrupt is re-enabled immediately; when it is less than 1 the hardware interrupt is disabled and data is processed by polling.
The invention optimizes and accelerates from the point where data enters the network card: driver mode matching and mode-switching acceleration, CPU multi-core multi-queue processing acceleration, general rule matching acceleration, and deep inspection accelerated with the most efficient optimized and algorithmic matching, reducing as far as possible the communication delay the industrial firewall adds when inspecting the IEC60870-5-104 protocol. Abnormal interference by the industrial firewall with IEC60870-5-104 protocol communication is avoided, achieving the goal that the industrial firewall protects the communication protocol without affecting the communication.
It should be understood that a person of ordinary skill in the art can make improvements or modifications according to the above description, and all such modifications and variations fall within the scope of protection of the appended claims.

Claims (8)

1. it is a kind of realize IEC60870-5-104 agreements low latency process industrial fireproof wall method, it is characterised in that including with Lower step:
Step 102:A hard break is only triggered when packet arrives, it is follow-up to close hard break and using polling mode receiving area Reason packet, until no packet;
Step 104:It is one interrupt number of each queue application, by SMP architecture, each queue is tied to not by interruption On same core, network card data can be processed in all of core of synchronization;
Step 106:According to port whether be 2404 and data segment in the first two byte whether be 68H determine whether for IEC60870-5-104 packets;
Step 108:Implementation rule matches batch processing, and policing rule is protected primarily directed to the IP address of upstream and downstream machine Rule;
Step 110:By the direct carry of processing module on the HOOK points that kernel is provided;
Step 112:Using HASH algorithms, four-tuple, the matching speed of five-tuple information are improved.
2. method according to claim 1, it is characterised in that the step 102 is included in before packet arrives, network interface card Driving only triggers a hard break using NAPI patterns and when changing trawl performance.
3. method according to claim 2, it is characterised in that the step 102 also include reaching poll maximum time or Hard break is reopened when reaching poll maximum amount of data.
4. method according to claim 1, it is characterised in that the step 104 includes:Using many queue network interface cards, multinuclear CPU, is one interrupt number of each queue application.
5. method according to claim 1, it is characterised in that the step 106 includes:Examined using IEC60870-5-104 Survey mechanism, according to port whether be 2404 and data segment in the first two byte whether be 68H determine whether for IEC60870-5-104 packets.
6. method according to claim 1, it is characterised in that the step 108 includes:The policing rule that user is issued Optimized using IPSET instruments, implementation rule matching batch processing, policing rule is carried out for the IP address of upstream and downstream machine The rule of protection, the rule of protection includes the data flow of a certain protocol type for forbidding or allowing a certain IP address.
7. method according to claim 1, it is characterised in that the step 108 includes:IPSET is by the rule of a plurality of protection Then deposit in an address set sets.
8. method according to claim 1, it is characterised in that the step 110 includes:Using based on linux kernel The HOOK treatment mechanisms of Netfilter frameworks, by the direct carry of processing module on the HOOK points that kernel is provided.
Application CN201611233795.6A, priority date 2016-12-28, filing date 2016-12-28: A method for low-latency processing of the IEC60870-5-104 protocol in an industrial firewall. Status: pending. Publication: CN106789282A (en).

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201611233795.6A (CN106789282A, en) | 2016-12-28 | 2016-12-28 | A method for low-latency processing of the IEC60870-5-104 protocol in an industrial firewall

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201611233795.6A (CN106789282A, en) | 2016-12-28 | 2016-12-28 | A method for low-latency processing of the IEC60870-5-104 protocol in an industrial firewall

Publications (1)

Publication Number | Publication Date
CN106789282A | 2017-05-31

Family

ID=58921439

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN201611233795.6A (pending, CN106789282A, en) | A method for low-latency processing of the IEC60870-5-104 protocol in an industrial firewall | 2016-12-28 | 2016-12-28

Country Status (1)

Country | Link
CN | CN106789282A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN109284192A * | 2018-09-29 | 2019-01-29 | 网宿科技股份有限公司 | Method for parameter configuration and electronic equipment
CN110460623A * | 2019-09-27 | 2019-11-15 | 杭州九略智能科技有限公司 | A processing system, method and terminal for general-purpose industrial control protocols
CN114006863A * | 2021-11-02 | 2022-02-01 | 北京科东电力控制系统有限责任公司 | Multi-core load balancing cooperative processing method and device and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN103139184A * | 2011-12-02 | 2013-06-05 | 中国电信股份有限公司 | Intelligent network firewall device and network attack protection method
CN103368263A * | 2013-07-18 | 2013-10-23 | 国家电网公司 | Detection method for communication states of IEC104 protocol of dispatching automation system
CN103701784A * | 2013-12-17 | 2014-04-02 | 迈普通信技术股份有限公司 | Host machine protection method
US20160285829A1 * | 2013-12-20 | 2016-09-29 | Abb Technology Ag | Security framework for transmitting communication messages between a substation LAN and packet-switched WAN



Legal Events

Date | Code | Title | Description
2017-05-31 | PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 2017-05-31