CN106878308A - A kind of icmp packet matching system and method - Google Patents

Publication number
CN106878308A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201710093520.5A
Other languages
Chinese (zh)
Other versions
CN106878308B (en)
Inventor
王子彤
姜凯
于治楼
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong Inspur Science Research Institute Co Ltd
Original Assignee
Jinan Inspur Hi Tech Investment and Development Co Ltd
Application filed by Jinan Inspur Hi Tech Investment and Development Co Ltd
Priority to CN201710093520.5A
Publication of CN106878308A
Application granted
Publication of CN106878308B
Legal status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/06: Notations for structuring of protocol data, e.g. abstract syntax notation one [ASN.1]
    • H04L69/08: Protocols for interworking; Protocol conversion
    • H04L69/22: Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention provides an ICMP message matching system and method, belonging to the field of network data exchange. The system comprises a strategy analysis module, a message analysis module, a hash operation module, a conflict processing module, a strategy storage module and a comparison and matching module. Part of the message parameters are hashed and part are stored, so that only the TYPE needs to be compared when an ICMP message is matched. While ensuring the accuracy of strategy matching, this reduces the storage cost of message protocol strategies, improves message matching efficiency, and leaves headroom for storing the strategies of other protocols.

Description

ICMP message matching system and method
Technical Field
The invention relates to the field of network data exchange, in particular to an ICMP message matching system and method.
Background
ICMP (Internet Control Message Protocol) is a subprotocol of the TCP/IP protocol family and is used to transmit control messages between IP hosts and routers. Control messages are messages about the network itself, such as network traffic, host reachability and routing availability. Although they do not carry user data, they play an important role in the transfer of user data.
Within a particular network topology, a switching device may maintain thousands of processing strategies for each protocol's packets. When a specific packet arrives, five-tuple matching is required to determine which strategy applies. In ICMP, the port number positions are occupied by the TYPE and CODE fields instead. If the same strategy matching method as for ordinary TCP or UDP is used, the number of stored strategies increases, which increases storage redundancy and reduces strategy matching efficiency.
Disclosure of Invention
In order to solve the above technical problems, the invention provides an ICMP message matching system that exploits the characteristics of ICMP strategies and of the TYPE field in ICMP messages.
The technical scheme adopted by the invention is as follows:
An ICMP message matching system is provided.
The system comprises a strategy analysis module, a message analysis module, a hash operation module, a conflict processing module, a strategy storage module and a comparison and matching module, wherein:
the strategy analysis module is used for receiving and analyzing an ICMP message processing strategy issued by a preceding-stage circuit and sending the analyzed strategy data to the hash operation module and the strategy storage module;
the message analysis module is used for receiving and analyzing ICMP messages from the network and sending the analyzed message data to the hash operation module and the comparison and matching module;
the hash operation module is used for receiving input strategy data or message data and mapping it to a hash result through a hash function; its output is connected to the high-order address inputs of the conflict processing module and the strategy storage module;
the conflict processing module is used for recording or querying the number of times the same hash output result has occurred and the corresponding low-order address of the strategy storage module;
the strategy storage module is used for storing the strategy data at the address jointly specified by the output of the hash operation module and the output of the conflict processing module;
and the comparison and matching module is used for matching and comparing the message data against the strategy data and outputting the result.
The analyzed strategy data comprises a legal ICMP message source IP address, a legal destination IP address, a legal ICMP message TYPE, a legal ICMP message direction and an ICMP message processing mode.
The legal ICMP message TYPE is represented as 11-bit data, in which each bit set to one indicates that the strategy contains the corresponding TYPE.
The analyzed message data comprises an ICMP message source IP address, an ICMP message destination IP address and an ICMP message TYPE.
The TYPE of the analyzed ICMP message is represented as 11-bit data, in which the bit set to one indicates that the message is of the corresponding TYPE.
The invention also discloses an ICMP message matching method, which comprises the following steps:
(1) the preceding-stage circuit issues a legal ICMP message processing strategy to the strategy analysis module;
(2) a hash operation is performed on the analyzed legal ICMP message source IP address, the legal destination IP address and an all-zero 11-bit ICMP message TYPE, and conflict processing is performed on the result;
(3) the legal ICMP message TYPE, the legal ICMP message direction and the ICMP message processing mode analyzed in step 2 are stored at the strategy storage module address formed by the hash result and the conflict processing result;
(4) when an ICMP message arrives, it is analyzed by the message analysis module;
(5) the analyzed source IP address, the analyzed destination IP address and an all-zero 11-bit ICMP message TYPE are subjected to the hash operation and conflict processing to obtain the strategy storage module address to be queried;
(6) a bitwise AND is performed on the TYPE of the arrived ICMP message and the TYPE read from storage; if the result is not 0, a legal strategy is matched and subsequent message processing is carried out; otherwise, no legal strategy is matched, and the message is not processed or is processed by default.
The invention has the advantages that
By hashing part of the message parameters and storing part of them, only the TYPE needs to be compared when ICMP messages are matched. While ensuring the accuracy of strategy matching, the storage cost of message protocol strategies is reduced, message matching efficiency is improved, and headroom is left for storing the strategies of other protocols.
Drawings
Fig. 1 is a schematic diagram of the circuit structure of the present invention.
Detailed Description
The invention is explained in more detail below:
As shown in Fig. 1, the ICMP message matching circuit of the present invention includes a strategy analysis module, a message analysis module, a hash operation module, a conflict processing module, a strategy storage module and a comparison and matching module.
The strategy analysis module is used for receiving and analyzing an ICMP message processing strategy issued by a preceding-stage circuit and sending the analyzed strategy data to the hash operation module and the strategy storage module. The message analysis module is used for receiving and analyzing ICMP messages from the network and sending the analyzed message data to the hash operation module and the comparison and matching module.
The hash operation module is used for receiving input strategy data or message data and mapping it to a hash result through a hash function; in this embodiment of the invention, the hash operation uses the CRC32 algorithm. Its output is connected to the high-order eleven-bit address inputs of the conflict processing module and the strategy storage module.
The conflict processing module is used for recording or querying the number of times the same hash output result has occurred and the corresponding low-order four-bit address of the strategy storage module. The strategy storage module is used for storing the strategy data at the address jointly specified by the output of the hash operation module and the output of the conflict processing module.
The comparison and matching module is used for matching and comparing the message data against the strategy data and outputting the result. If the strategy storage module address obtained after the incoming message has gone through the hash operation and conflict processing is valid, a bitwise AND is performed on the TYPE of the analyzed ICMP message and the TYPE read from the strategy storage module. If the strategy contains the corresponding TYPE, the corresponding bit is set to one; a non-zero result of the bitwise AND means that both values have a one in the same bit position, which indicates that a legal strategy is matched.
The analyzed strategy data comprises a legal ICMP message source IP address, a legal destination IP address, a legal ICMP message TYPE, a legal ICMP message direction, an ICMP message processing mode and the like; the analyzed message data comprises an ICMP message source IP address, an ICMP message destination IP address, an ICMP message TYPE and the like.
The legal ICMP message TYPE is represented as 11-bit data, in which each bit set to one indicates that the strategy contains the corresponding TYPE; the TYPE of the analyzed ICMP message is represented as 11-bit data, in which the bit set to one indicates that the message is of the corresponding TYPE.
The matching method proceeds as follows:
(1) the preceding-stage circuit issues a legal ICMP message processing strategy to the strategy analysis module;
(2) a hash operation is performed on the analyzed legal ICMP message source IP address, the legal destination IP address and an all-zero 11-bit ICMP message TYPE, and conflict processing is performed on the result;
(3) the legal ICMP message TYPE, the legal ICMP message direction, the ICMP message processing mode and the like analyzed in step 2 are stored at the strategy storage module address formed by the hash result and the conflict processing result;
(4) when an ICMP message arrives, it is analyzed by the message analysis module;
(5) the analyzed source IP address, the analyzed destination IP address and an all-zero 11-bit ICMP message TYPE are subjected to the hash operation and conflict processing to obtain the strategy storage module address to be queried;
(6) a bitwise AND is performed on the TYPE of the arrived ICMP message and the TYPE read from storage; if the result is not 0, a legal strategy is matched and subsequent message processing is carried out; otherwise, no legal strategy is matched, and the message is not processed or is processed by default.
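The six steps above, as an added software model in C; this is not code from the patent. Assumptions the page does not state: the 11 bits are the eleven RFC 792 ICMP types in ascending order, the top 11 bits of the CRC32 form the high-order address, and the conflict processing module keeps a (source, destination) tag per slot to resolve collisions.

```c
#include <stdint.h>
#include <string.h>

#define BUCKETS 2048   /* 11-bit high-order address from the hash */
#define SLOTS   16     /* 4-bit low-order address from conflict processing */
/* Assumption: bit i of the 11-bit TYPE mask is the i-th RFC 792 type. */
static const uint8_t TYPE_BITS[11] = {0, 3, 4, 5, 8, 11, 12, 13, 14, 15, 16};

struct policy { uint16_t type_mask; uint8_t direction; uint8_t action; };
struct tag    { uint32_t src, dst; };
static struct policy store[BUCKETS * SLOTS]; /* strategy storage module */
static struct tag    tags[BUCKETS * SLOTS];  /* conflict module: slot owners (assumed) */
static uint8_t       used[BUCKETS];          /* conflict module: entries per hash */

/* One-hot 11-bit encoding of an ICMP type; 0 for types outside the table. */
uint16_t type_to_mask(uint8_t icmp_type) {
    for (int i = 0; i < 11; i++)
        if (TYPE_BITS[i] == icmp_type) return (uint16_t)(1u << i);
    return 0;
}

/* Bitwise CRC-32 (reflected polynomial 0xEDB88320). */
static uint32_t crc32_bits(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    while (n--) {
        c ^= *p++;
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Hash source, destination and an all-zero TYPE field; keep 11 bits. */
uint32_t bucket_of(uint32_t src, uint32_t dst) {
    uint8_t key[10] = {0};               /* bytes 8-9: zeroed TYPE field */
    memcpy(key, &src, 4);
    memcpy(key + 4, &dst, 4);
    return crc32_bits(key, sizeof key) >> 21; /* top 11 bits (assumed choice) */
}

/* Conflict processing: slot owned by (src, dst) in bucket b, or -1. */
static int find_slot(uint32_t b, uint32_t src, uint32_t dst) {
    for (int s = 0; s < used[b]; s++)
        if (tags[b * SLOTS + s].src == src && tags[b * SLOTS + s].dst == dst)
            return s;
    return -1;
}

/* Steps 1-3: store a strategy; returns its 15-bit address, or -1 if the bucket is full. */
int add_policy(uint32_t src, uint32_t dst, uint16_t mask, uint8_t dir, uint8_t action) {
    uint32_t b = bucket_of(src, dst);
    int s = find_slot(b, src, dst);
    if (s < 0) {
        if (used[b] == SLOTS) return -1;
        s = used[b]++;
        tags[b * SLOTS + s] = (struct tag){src, dst};
    }
    store[b * SLOTS + s] = (struct policy){mask, dir, action};
    return (int)((b << 4) | (uint32_t)s);
}

/* Steps 4-6: returns the stored action on a match, -1 when nothing matches. */
int match_packet(uint32_t src, uint32_t dst, uint8_t icmp_type) {
    uint32_t b = bucket_of(src, dst);
    int s = find_slot(b, src, dst);
    if (s < 0) return -1;
    const struct policy *p = &store[b * SLOTS + s];
    return (p->type_mask & type_to_mask(icmp_type)) ? p->action : -1;
}
```

Because the TYPE field is zeroed before hashing, one stored entry covers every permitted TYPE for an address pair, and a TYPE outside the 11-bit table encodes to zero and can never match.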

Claims (6)

1. An ICMP message matching system, characterized in that
the system comprises a strategy analysis module, a message analysis module, a hash operation module, a conflict processing module, a strategy storage module and a comparison and matching module;
wherein,
the strategy analysis module is used for receiving and analyzing an ICMP message processing strategy issued by a preceding-stage circuit and sending the analyzed strategy data to the hash operation module and the strategy storage module;
the message analysis module is used for receiving and analyzing ICMP messages from the network and sending the analyzed message data to the hash operation module and the comparison and matching module;
the hash operation module is used for receiving input strategy data or message data and mapping it to a hash result through a hash function, its output being connected to the high-order address inputs of the conflict processing module and the strategy storage module;
the conflict processing module is used for recording or querying the number of times the same hash output result has occurred and the corresponding low-order address of the strategy storage module;
the strategy storage module is used for storing the strategy data at the address jointly specified by the output of the hash operation module and the output of the conflict processing module;
and the comparison and matching module is used for matching and comparing the message data against the strategy data and outputting the result.
2. The system of claim 1, wherein
the analyzed strategy data comprises a legal ICMP message source IP address, a legal destination IP address, a legal ICMP message TYPE, a legal ICMP message direction and an ICMP message processing mode.
3. The system of claim 2, wherein
the legal ICMP message TYPE is represented as 11-bit data, in which each bit set to one indicates that the strategy contains the corresponding TYPE.
4. The system of claim 1, wherein
the analyzed message data comprises an ICMP message source IP address, an ICMP message destination IP address and an ICMP message TYPE.
5. The system of claim 4, wherein
the TYPE of the analyzed ICMP message is represented as 11-bit data, in which the bit set to one indicates that the message is of the corresponding TYPE.
6. An ICMP message matching method, characterized in that the method comprises the following steps:
(1) the preceding-stage circuit issues a legal ICMP message processing strategy to the strategy analysis module;
(2) a hash operation is performed on the analyzed legal ICMP message source IP address, the legal destination IP address and an all-zero 11-bit ICMP message TYPE, and conflict processing is performed on the result;
(3) the legal ICMP message TYPE, the legal ICMP message direction and the ICMP message processing mode analyzed in step 2 are stored at the strategy storage module address formed by the hash result and the conflict processing result;
(4) when an ICMP message arrives, it is analyzed by the message analysis module;
(5) the analyzed source IP address, the analyzed destination IP address and an all-zero 11-bit ICMP message TYPE are subjected to the hash operation and conflict processing to obtain the strategy storage module address to be queried;
(6) a bitwise AND is performed on the TYPE of the arrived ICMP message and the TYPE read from storage; if the result is not 0, a legal strategy is matched and subsequent message processing is carried out; otherwise, no legal strategy is matched, and the message is not processed or is processed by default.
CN201710093520.5A 2017-02-21 2017-02-21 ICMP message matching system and method Active CN106878308B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710093520.5A CN106878308B (en) 2017-02-21 2017-02-21 ICMP message matching system and method

Publications (2)

Publication Number Publication Date
CN106878308A true CN106878308A (en) 2017-06-20
CN106878308B CN106878308B (en) 2020-06-19

Family

ID=59166332

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710093520.5A Active CN106878308B (en) 2017-02-21 2017-02-21 ICMP message matching system and method

Country Status (1)

Country Link
CN (1) CN106878308B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108650181A (en) * 2018-04-20 2018-10-12 济南浪潮高新科技投资发展有限公司 A kind of IP packet strategy matching circuit and method
CN109768966A (en) * 2018-12-17 2019-05-17 航天信息股份有限公司 Icmp packet processing method and processing device based on terminal
CN111464444A (en) * 2020-03-30 2020-07-28 中科九度(北京)空间信息技术有限责任公司 Sensitive information distribution method

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101267437A (en) * 2008-04-28 2008-09-17 杭州华三通信技术有限公司 Packet access control method and system for network devices
CN101707617A (en) * 2009-12-04 2010-05-12 福建星网锐捷网络有限公司 Message filtering method, device and network device
CN103181129A (en) * 2011-10-25 2013-06-26 华为技术有限公司 Data message processing method and system, message forwarding device

Also Published As

Publication number Publication date
CN106878308B (en) 2020-06-19

Similar Documents

Publication Publication Date Title
US11336574B2 (en) Segment routing extension headers
CN102104541B (en) Header processing engine
US7852774B2 (en) User datagram protocol traceroute probe extension
CN101707617B (en) Message filtering method, device and network device
US10237130B2 (en) Method for processing VxLAN data units
US9979648B1 (en) Increasing entropy across routing table segments
US10757230B2 (en) Efficient parsing of extended packet headers
CN106878308B (en) ICMP message matching system and method
US9590905B2 (en) Control apparatus and a communication method, apparatus, and system to perform path control of a network
US9525661B2 (en) Efficient method of NAT without reassemling IPV4 fragments
US8934489B2 (en) Routing device and method for processing network packet thereof
US20150264141A1 (en) Communication apparatus, information processor, communication method, and computer-readable storage medium
CN111131539B (en) Message forwarding method and device
US8365045B2 (en) Flow based data packet processing
US20030236913A1 (en) Network address translation for internet control message protocol packets
JP6678401B2 (en) Method and apparatus for dividing a packet into individual layers for change and joining the layers after change by information processing
JP6070863B2 (en) Packet processing method and forwarding element
TWI660609B (en) A method of identifying internal destinations of network packets and an apparatus thereof
CN116095197B (en) Data transmission method and related device
US20170250910A1 (en) Routing traffic between networks governed by different versions of the internet protocol
CN105450527B (en) The method and device for handling message, sending information, receiving information
CN114285907A (en) Data transmission method and device, electronic equipment and storage medium
US10250559B2 (en) Reversible mapping of network addresses in multiple network environments
WO2017184807A1 (en) Parallel multipath routing architecture
JP2021508212A (en) Network communication method and equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20200527

Address after: 250100 Ji'nan high tech Zone, Shandong, No. 1036 wave road

Applicant after: INSPUR GROUP Co.,Ltd.

Address before: 250100, Ji'nan province high tech Zone, Sun Village Branch Road, No. 2877, building, floor, building, on the first floor

Applicant before: JINAN INSPUR HIGH-TECH TECHNOLOGY DEVELOPMENT Co.,Ltd.

GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230316

Address after: 250000 building S02, No. 1036, Langchao Road, high tech Zone, Jinan City, Shandong Province

Patentee after: Shandong Inspur Scientific Research Institute Co.,Ltd.

Address before: No. 1036, Shandong high tech Zone wave road, Ji'nan, Shandong

Patentee before: INSPUR GROUP Co.,Ltd.
