CN107547343B - Message operation control method and device - Google Patents

Publication number: CN107547343B (application CN201710508327.3A; other version: CN107547343A)
Authority: CN (China)
Prior art keywords: port number, encapsulated, message, header, vxlan
Legal status: Active
Other languages: Chinese (zh)
Inventor: 施鸿殊
Current assignee / original assignee: Hangzhou H3C Technologies Co Ltd


Abstract

The disclosure relates to a message operation control method and device. The method comprises the following steps: identifying source port number information in the outer UDP header of a VXLAN message encapsulated with an outer UDP header; determining the operation type matched with the source port number information according to the correspondence between source port number information and operation type; and performing operation control on the VXLAN message encapsulated with the outer UDP header according to the operation type. The method and device can distinguish VXLAN messages according to the source port number information in their outer UDP header, determine the operation type corresponding to each VXLAN message and perform the corresponding operation control on it, thereby realizing multi-path differentiated control over VXLAN messages encapsulated for the same VXLAN tunnel.

Description

Message operation control method and device
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a method and an apparatus for controlling packet operations.
Background
VXLAN (Virtual Extensible Local Area Network) is a Layer 2 VPN (Virtual Private Network) technology that runs over an IP (Internet Protocol) network and uses a MAC-in-UDP (Media Access Control in User Datagram Protocol) encapsulation. After a VTEP (VXLAN Tunnel End Point) encapsulates an original packet with a VXLAN header, an outer UDP header and an outer IP header, the resulting VXLAN packet is forwarded through a VXLAN tunnel to a remote VTEP, which decapsulates it.
In the related art, when VXLAN packets pass through a VXLAN tunnel, a network node on the tunnel may need to apply multi-path differentiated control to the VXLAN packets encapsulated for the same tunnel. Currently, when the VTEP encapsulates an original packet, it may set the ToS (Type of Service) field of the outer IP header, and a network node on the VXLAN tunnel may perform control processing according to that field, for example QoS (Quality of Service) processing that identifies the ToS field and assigns different QoS levels. But the ToS field of the outer IP header is only 3 bits, binary 000 to 111, corresponding to 8 QoS priorities. By identifying the ToS field alone it is difficult to implement other control operations, such as IPSec encryption, and even more difficult to implement multi-path differentiated control over VXLAN packets encapsulated for the same VXLAN tunnel.
Disclosure of Invention
In view of this, the present disclosure provides a message operation control method and device to solve the problem in the related art that VXLAN messages encapsulated for the same VXLAN tunnel cannot be controlled differently on multiple paths.
According to an aspect of the present disclosure, a method for controlling a packet operation is provided, including:
identifying source port number information in an outer UDP header of the VXLAN message encapsulated with the outer UDP header;
determining an operation type matched with the source port number information according to the corresponding relation between the source port number information and the operation type;
and according to the operation type, carrying out operation control on the VXLAN message encapsulated with the outer layer UDP header.
According to another aspect of the present disclosure, there is provided a packet operation control apparatus, including:
the information identification module is used for identifying the source port number information in the outer UDP header of the VXLAN message encapsulated with the outer UDP header;
the type determining module is used for determining the operation type matched with the source port number information according to the corresponding relation between the source port number information and the operation type;
and the operation control module is used for carrying out operation control on the VXLAN message encapsulated with the outer layer UDP header according to the operation type.
According to another aspect of the present disclosure, there is provided a packet operation control apparatus, including: a processor; a memory for storing processor-executable instructions; wherein the processor is configured to perform the above method.
According to another aspect of the present disclosure, there is provided a non-transitory computer readable storage medium having computer program instructions stored thereon, wherein the computer program instructions, when executed by a processor, implement the above-described method.
By identifying the source port number information in the outer UDP header of a VXLAN message encapsulated with an outer UDP header, the message operation control method and device determine the operation type matched with that information according to the correspondence between source port number information and operation type, and perform operation control on the VXLAN message according to the operation type. VXLAN messages can thus be distinguished by the source port number information in their outer UDP header, the operation type corresponding to each message determined, and the corresponding operation control applied, thereby realizing multi-path differentiated control over VXLAN messages encapsulated for the same VXLAN tunnel.
Other features and aspects of the present disclosure will become apparent from the following detailed description of exemplary embodiments, which proceeds with reference to the accompanying drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate exemplary embodiments, features, and aspects of the disclosure and, together with the description, serve to explain the principles of the disclosure.
Fig. 1 shows a flowchart of a message operation control method according to an embodiment of the present disclosure.
Fig. 2 is a schematic diagram showing an encapsulation format of a VXLAN packet in the related art.
Fig. 3 shows an exemplary flowchart of a message operation control method according to an embodiment of the disclosure.
Fig. 4 is a block diagram illustrating a VTEP in a message operation control method according to an embodiment of the present disclosure.
Fig. 5 shows an exemplary flowchart of a message operation control method according to an embodiment of the disclosure.
Fig. 6 is a block diagram illustrating a message operation control apparatus according to an example embodiment.
Fig. 7 is a schematic block diagram of a message operation control apparatus according to an example embodiment.
Fig. 8 is a block diagram illustrating an apparatus 900 for message handling control in accordance with an example embodiment.
Detailed Description
Various exemplary embodiments, features and aspects of the present disclosure will be described in detail below with reference to the accompanying drawings. In the drawings, like reference numbers can indicate functionally identical or similar elements. While the various aspects of the embodiments are presented in drawings, the drawings are not necessarily drawn to scale unless specifically indicated.
The word "exemplary" is used exclusively herein to mean "serving as an example, embodiment, or illustration." Any embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.
Furthermore, in the following detailed description, numerous specific details are set forth in order to provide a better understanding of the present disclosure. It will be understood by those skilled in the art that the present disclosure may be practiced without some of these specific details. In some instances, methods, means, elements and circuits that are well known to those skilled in the art have not been described in detail so as not to obscure the present disclosure.
Example 1
Fig. 1 shows a flowchart of a message operation control method according to an embodiment of the present disclosure. The method may be used in VTEP. As shown in fig. 1, the method includes steps S11 to S13.
In step S11, the source port number information in the outer UDP header of the VXLAN message encapsulated with the outer UDP header is identified.
Fig. 2 is a schematic diagram showing an encapsulation format of a VXLAN packet in the related art. As shown in fig. 2, the VXLAN message is formed by adding an 8-byte VXLAN header, an 8-byte outer UDP header and a 20-byte outer IP header to the original message. The outer UDP header includes UDP source port number information and UDP destination port number information. The UDP source port number information may be any information associated with the UDP source port number, such as the UDP source port number itself, or a combination of the UDP source port number and an operation type identifier; this is not limited by the present disclosure.
In step S12, an operation type matching the source port number information is determined from the correspondence between the source port number information and the operation type.
As one example of this implementation, the correspondence between source port number information and operation type may be set in advance. For example, it may be preset that the operation type corresponding to source port number information A is IPSec (Internet Protocol Security) encryption, the operation type corresponding to source port number information B is a PBR (Policy-Based Routing) operation, and the operation type corresponding to source port number information C is QoS (Quality of Service) rate limiting. It should be noted that, although the operation types and their correspondence with source port number information are described above by taking IPSec encryption, PBR operation and QoS rate limiting as examples, those skilled in the art will understand that the present disclosure is not limited thereto. Those skilled in the art can flexibly set the operation types and the correspondence between source port number information and operation type according to the actual application scenario.
It should be further noted that, as can be understood by those skilled in the art, the present disclosure does not limit the number of the preset corresponding relationships between the source port number information and the operation type, and may be, for example, one or more. Under the condition that the number of the preset corresponding relations between the source port number information and the operation types is multiple, the VXLAN messages can be distinguished according to the source port number information in the outer layer UDP header, and therefore the VXLAN messages obtained by packaging the same VXLAN tunnel are subjected to multi-path distinguishing control.
In step S13, operation control is performed on the VXLAN packet encapsulated with the outer UDP header according to the operation type.
As an example of this embodiment, after a VXLAN message is obtained, its source port number information, for example source port number information B, may be read from the outer UDP header of the VXLAN message. According to the correspondence between source port number information and operation type, the operation type matching source port number information B is determined to be a PBR operation, and the PBR operation is then performed on the VXLAN message.
As another example of this embodiment, after a plurality of VXLAN messages are obtained, the source port number information of each VXLAN message may be read from its outer UDP header, for example source port number information B for VXLAN message 1, source port number information A for VXLAN message 2, and source port number information B for VXLAN message 3. According to the correspondence between source port number information and operation type, the operation type matching source port number information B is determined to be a PBR operation, so the PBR operation is performed on VXLAN message 1 and VXLAN message 3; the operation type matching source port number information A is determined to be IPSec encryption, so IPSec encryption is performed on VXLAN message 2.
On the basis of the above embodiment, after step S13 is completed, the method further includes: transmitting the message on which the operation control has been completed through the port corresponding to the operation type.
The message operation control method can distinguish the VXLAN message according to the source port number information in the UDP header of the outer layer of the VXLAN message, determine the operation type corresponding to the VXLAN message and carry out operation control corresponding to the operation type on the VXLAN message, thereby realizing multi-path distinguishing control on the VXLAN message obtained by encapsulating the same VXLAN tunnel. Because the source port number field in the outer UDP header may be 16 bits, and the ToS field in the related art is only 3 bits, compared with the ToS field, the source port number information in the source port number field can implement more types of operation control on the VXLAN packet.
In addition, in the related art, after a VXLAN message is generated by encapsulation, the network nodes that the Layer 2 VXLAN tunnel passes through can generally recognize only the outer IP header or the outer UDP header of the VXLAN message, and rarely recognize its VXLAN header. In the present disclosure, a network node on the Layer 2 VXLAN tunnel only needs to identify the source port number information in the outer UDP header; no deeper inspection of the VXLAN message is required, and subsequent encapsulation or decapsulation of the VXLAN message is facilitated.
It should be further noted that the above operation refers to encapsulation or decapsulation of a message. Correspondingly, the operation type refers to an encapsulation type and a decapsulation type, and different functions, such as IPSec encryption, PBR, and the like, can be implemented by performing different types of encapsulation or decapsulation on the packet.
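As an added illustration of steps S11 to S13 (example code written for this page, not the patent's own implementation), the following Python parses the outer IPv4, UDP and VXLAN headers of a VXLAN packet, reads the outer UDP source port and maps it to an operation type through a constructed correspondence table using the port values 100, 200 and 300 from the description. It also decodes the variant described later on this page in which a reserved part of the source port field carries an operation type identifier (4 high bits here, an assumption of this example); the sample packets are constructed inline.

```python
import struct

# Operation types named in the description; the string names are constructed.
OP_IPSEC = "ipsec_encrypt"
OP_PBR = "pbr"
OP_QOS = "qos_rate_limit"
OP_FORWARD = "plain_forward"   # no matching entry: ordinary forwarding only

# Constructed correspondence table: outer UDP source port -> operation type,
# using the example port numbers 100/200/300 from the description.
PORT_TO_OP = {100: OP_IPSEC, 200: OP_PBR, 300: OP_QOS}

VXLAN_PORT = 4789              # IANA-assigned VXLAN UDP destination port
IP_HDR_LEN, UDP_HDR_LEN, VXLAN_HDR_LEN = 20, 8, 8


def parse_outer(pkt: bytes):
    """Step S11: identify the outer UDP source port of a VXLAN packet.

    The packet is expected to start at the outer IPv4 header (no outer
    Ethernet header). Only the fields the method needs are decoded, and
    the packet is rejected if the outer headers are not IPv4/UDP/VXLAN.
    """
    if len(pkt) < IP_HDR_LEN + UDP_HDR_LEN + VXLAN_HDR_LEN:
        raise ValueError("too short for outer IP + UDP + VXLAN headers")
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4 or pkt[9] != 17:          # IP protocol 17 = UDP
        raise ValueError("outer header is not IPv4/UDP")
    sport, dport, ulen, _csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if dport != VXLAN_PORT or ulen < UDP_HDR_LEN + VXLAN_HDR_LEN:
        raise ValueError("outer UDP header does not carry VXLAN")
    vx = pkt[ihl + 8:ihl + 16]
    if not vx[0] & 0x08:                      # I flag: VNI field is valid
        raise ValueError("VXLAN I flag not set")
    vni = int.from_bytes(vx[4:7], "big")
    return sport, vni


def classify(pkt: bytes, table=PORT_TO_OP):
    """Steps S12/S13: map the outer source port to the operation to apply."""
    sport, _vni = parse_outer(pkt)
    return table.get(sport, OP_FORWARD)


# Variant: a reserved part of the 16-bit source port field carries an
# operation type identifier; this example reserves the top 4 bits.
OP_ID_BITS = 4
OP_ID_TO_OP = {1: OP_IPSEC, 2: OP_PBR, 3: OP_QOS}


def classify_by_op_id(pkt: bytes, table=OP_ID_TO_OP):
    sport, _vni = parse_outer(pkt)
    op_id = sport >> (16 - OP_ID_BITS)
    return table.get(op_id, OP_FORWARD)


def sample_vxlan(sport: int, vni: int = 10, inner: bytes = b"\x00" * 42):
    """Constructed test input: outer IPv4 + UDP + VXLAN header + inner frame.
    Checksums are left zero, which UDP over IPv4 permits."""
    udp_len = UDP_HDR_LEN + VXLAN_HDR_LEN + len(inner)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + udp_len, 0, 0,
                     64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", sport, VXLAN_PORT, udp_len, 0)
    vxlan = struct.pack("!B3s3sB", 0x08, b"\x00\x00\x00",
                        vni.to_bytes(3, "big"), 0)
    return ip + udp + vxlan + inner


if __name__ == "__main__":
    for port in (100, 200, 300, 49152):
        print(port, classify(sample_vxlan(port)))
    # top 4 bits = 2 -> PBR in the identifier variant
    print(classify_by_op_id(sample_vxlan((2 << 12) | 0x0ABC)))
```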
Fig. 3 shows an exemplary flowchart of a message operation control method according to an embodiment of the disclosure. The embodiment shown in fig. 3 shows an implementation manner of how to encapsulate the outer UDP header in the original packet, so as to generate the "VXLAN packet encapsulated with the outer UDP header" in step S11. It should be noted that, in an embodiment, the source port information in the source port number field only includes the source port number, and the source port number information is the source port number; alternatively, the source port information in the source port number field includes the source port number and the operation type identification.
In the following embodiment, the case in which the source port number information consists only of the UDP source port number is taken as an example. As shown in fig. 3, the method includes steps S31 to S35.
In step S31, the original packet to be encapsulated is matched with the control policy, and a reserved port number matching the feature identifier carried in the original packet to be encapsulated is determined.
The control policy is a set of rules by which the original packet to be encapsulated is matched, so as to determine a reserved port number that matches the feature identifier carried in that packet. The present disclosure does not limit the form of the control policy; for example, it may be an Access Control List (ACL). One or more matching rules, each with a corresponding reserved port number, can be set in the control policy. When a plurality of matching rules is set, the VTEP matches the original packet to be encapsulated against each of them.
In one possible implementation, the feature identifier includes an inner Ethernet header, an inner IP header, an inner UDP header or an inner TCP header. Matching the original packet to be encapsulated against the control policy and determining the reserved port number that matches its feature identifier then comprises: matching the original packet against the control policy and determining the matching reserved port number according to one or more of the inner Ethernet header, inner IP header, inner UDP header or inner TCP header of the original packet.
It should be noted that, although the feature identifier carried by the original packet to be encapsulated is described above by taking the inner Ethernet header, inner IP header, inner UDP header or inner TCP header as examples, those skilled in the art can understand that the disclosure is not limited thereto. Those skilled in the art can flexibly set the feature identifier carried by the original packet to be encapsulated according to the actual application scenario.
In step S32, the original packet to be encapsulated is encapsulated by using the matched reserved port number as the source port number of the outer UDP header.
As an example of this embodiment, the control policy is an access control list in which matching rules and reserved port numbers for original packets to be encapsulated are set. For example, the access control list may specify that the reserved port number for packets from source IP port number a to destination IP port number b is port number 100, the reserved port number for packets from source MAC port number c to destination MAC port number d is port number 200, and the reserved port number for packets from source IP port number e to destination IP port number f is port number 300.
If the first original message to be encapsulated is a message from source IP port number a to destination IP port number b, the reserved port number matching the feature identifier carried by the first original message is determined to be port number 100. The first original message is then encapsulated with port number 100 as the source port number of the outer UDP header, giving a first VXLAN message.
If the second original message to be encapsulated is a message from source MAC port number c to destination MAC port number d, the reserved port number matching the feature identifier carried by the second original message is determined to be port number 200. The second original message is then encapsulated with port number 200 as the source port number of the outer UDP header, giving a second VXLAN message.
If the third original message to be encapsulated is a message from source IP port number e to destination IP port number f, the reserved port number matching the feature identifier carried by the third original message is determined to be port number 300. The third original message is then encapsulated with port number 300 as the source port number of the outer UDP header, giving a third VXLAN message.
It should be noted that, as reserved port numbers, port numbers 100, 200 and 300 may only be used as the outer UDP source port number when encapsulating an original packet that matches a rule; an original packet that matches no rule must not be encapsulated with a reserved port number as the source port number of its outer UDP header.
In step S33, the source port number in the outer UDP header of the VXLAN message encapsulating the outer UDP header is identified.
See step S11 for a description of this step.
In step S34, an operation type matching the source port number is determined from the correspondence between the source port number and the operation type.
See step S12 for a description of this step.
In step S35, operation control is performed on the VXLAN packet encapsulated with the outer UDP header according to the operation type.
See step S13 for a description of this step.
As an example of this embodiment, the control policy is an access control list in which the correspondence between source port number and operation type is also set. For example, the access control list may specify that IPSec encryption is performed on VXLAN messages with source port number 100, a PBR operation on VXLAN messages with source port number 200, and QoS rate limiting on VXLAN messages with source port number 300.
If the first VXLAN message is obtained, the source port number may be obtained from the outer UDP header of the first VXLAN message as port number 100. And according to the corresponding relation between the source port number and the operation type, determining that the operation type matched with the source port number 100 is IPSec encryption, and then performing IPSec encryption on the first VXLAN message, thereby realizing uniform distinguishing control on the original messages from the source IP port number a to the destination IP port number b.
If the second VXLAN message is obtained, the source port number may be obtained from the outer UDP header of the second VXLAN message as port number 200. And according to the corresponding relation between the source port number and the operation type, determining that the operation type matched with the source port number 200 is PBR operation, and performing PBR operation on the second VXLAN message, thereby realizing uniform differentiated control on the original messages from the source MAC port number c to the destination MAC port number d.
If the third VXLAN message is obtained, the source port number may be obtained from the outer UDP header of the third VXLAN message as port number 300. And according to the corresponding relation between the source port number and the operation type, determining that the operation type matched with the source port number 300 is QoS speed limiting, and performing QoS speed limiting on the third VXLAN message, thereby realizing uniform differential control on the original message from the source IP port number e to the destination IP port number f.
In a possible implementation, since not every message needs differentiated control, the method further includes: when no reserved port number matches the feature identifier carried by the original message to be encapsulated, generating a new port number from the original message. Because the generated port number must not conflict with a reserved port number, it is checked against the port numbers reserved in the control policy, and only when the new port number differs from every reserved port number is the original message encapsulated with the new port number as the source port number of the outer UDP header.
A new port number differing from the reserved port numbers in the control policy means that it differs from each reserved port number in the control policy. If the new port number is the same as one of the reserved port numbers, another new port number is generated from the original message to be encapsulated, and this is repeated until the newly generated port number differs from all reserved port numbers in the control policy.
In a possible implementation manner, generating a new port number according to the original packet to be encapsulated may include: and generating a new port number according to the inner-layer Ethernet header of the original message to be encapsulated.
As an example of this implementation, generating a new port number from the inner Ethernet header of the original packet to be encapsulated may include: obtaining first content from the inner Ethernet header of the original packet, performing a first hash operation on the first content, and using the resulting hash value as the new port number. The first content may be the source MAC value or the destination MAC value in the inner Ethernet header; this is not limited by the present disclosure.
It should be noted that, although the method of generating a new port number is described above by taking the hash operation on the inner-layer ethernet header as an example, those skilled in the art will understand that the present disclosure is not limited thereto. Those skilled in the art can flexibly set the method for generating the new port number according to the actual application scenario. For example, the new port number is generated according to one of an inner IP header, an inner TCP header, or an inner UDP header of the original packet to be encapsulated.
Of course, in another embodiment of the present disclosure, the source port information in the source port number field includes both the source port number and an operation type identifier, and the subsequent operation control on the message can be determined by identifying the operation type identifier within the source port number field.
Specifically, any bits of the source port field may be reserved for carrying the operation type identifier, with the remaining bits carrying the source port number.
In that case, step S11 identifies the operation type identifier in the reserved part of the source port information, and step S12 determines the operation type matching that identifier according to a pre-stored correspondence between operation type identifier and operation type.
In addition, the source port number in this embodiment may be generated in the same way as in the above embodiment, that is: obtaining first content from the inner Ethernet header of the original packet to be encapsulated, performing a first hash operation on the first content, and using the resulting hash value as the source port number. The first content may be the source MAC value or the destination MAC value in the inner Ethernet header.
As an example of this embodiment, a process flow of an original packet to be encapsulated is described by taking VXLAN encapsulation and IPSec encryption as examples. Part of original messages to be encapsulated need to be subjected to IPSec encryption after VXLAN encapsulation is completed, and the other part of original messages to be encapsulated only need to be subjected to VXLAN encapsulation. Fig. 4 is a block diagram illustrating a VTEP in a message operation control method according to an embodiment of the present disclosure. As shown in fig. 4, the VTEP may include a VXLAN module and an IPSec module. The VXLAN module is used for packaging the original message to be packaged, and the IPSec module is used for encrypting the VXLAN message.
It should be noted that, as those skilled in the art can understand, VXLAN encapsulation on the original message may refer to encapsulating a VXLAN header, an outer UDP header, an outer IP header, and an outer ethernet header on the original message. The message generated after the original message completes encapsulation of the VXLAN header, the outer UDP header, the outer IP header, and the outer ethernet header may be referred to as a VXLAN message. The present disclosure does not limit the encapsulation method of the VXLAN header, outer IP header, and outer ethernet header.
A configuration module is added to the VXLAN module to configure the source port number of the outer UDP header according to the original message to be encapsulated. Its configuration rule is as follows: for an original message that matches a rule in the control policy, the port number corresponding to the matched rule is used as the source port number of the outer UDP header when encapsulating the message. The port number corresponding to a rule is a reserved port number and may only be configured for original messages that match that rule; it must not be configured for original messages that match no rule.
The configuration module matches the original message to be encapsulated against the rules in the control policy. If the original message matches a rule, the configuration module encapsulates it with the port number corresponding to that rule as the source port number of the outer UDP header. If the original message matches no rule, the configuration module determines the outer UDP source port number by the method described above (for example, by hashing the inner Ethernet header) and checks whether it is the same as a reserved port number. If it is, the configuration module re-determines the outer UDP source port number by the same method until the determined port number differs from every reserved port number.
As shown in fig. 4, VTEP1 includes VXLAN module 11 and IPSec module 12. In VTEP1, VXLAN module 11 performs VXLAN encapsulation on the original message to be encapsulated, generates a VXLAN message and sends it to IPSec module 12. IPSec module 12 matches the VXLAN message against an IPSec security policy. If the VXLAN message matches the IPSec security policy, IPSec module 12 performs IPSec encryption on it to generate an IPSec packet, and VTEP1 sends the IPSec packet to VTEP2. If the VXLAN message does not match the IPSec security policy, VTEP1 sends the VXLAN message directly to VTEP2.
As shown in fig. 4, VTEP2 includes VXLAN module 21 and IPSec module 22. In VTEP2, VTEP2 determines the type of a packet by IPSec module 22 after each reception of the packet. If the packet is an IPSec packet, the IPSec module 22 decrypts the IPSec packet to obtain a VXLAN packet, and sends the VXLAN packet to the VXLAN module 21. If the message is a common VXLAN message, IPSec module 22 matches the VXLAN message with an IPSec security policy. If the VXLAN message is a message that needs to be encrypted by IPSec, the IPSec module 22 directly discards the VXLAN message, otherwise, the VXLAN message is sent to the VXLAN module 21. The VXLAN module 21 decapsulates the VXLAN message and forwards the decapsulated message.
It should be noted that, in the related art, the IPSec module may determine whether the VXLAN packet matches the IPSec security policy according to conditions such as a protocol type, a source IP address, a destination IP address, a source TCP or UDP port number, and a destination TCP or UDP port number, as will be understood by those skilled in the art.
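The VTEP2 receive path of fig. 4, together with the security-policy selectors listed above, as an added example in Python (illustration written for this page, not code from the patent or from H3C): the policy is a first-match list of selectors on the outer protocol, source and destination IP address and source and destination port; an IPSec packet is integrity-checked and its VXLAN packet handed to the VXLAN module, a plain VXLAN packet whose outer header matches a "protect" policy is discarded, and any other VXLAN packet is passed through. The packet model, the HMAC-only stand-in for ESP, the pre-shared key and the sample packets are assumptions.

```python
"""Receive-side IPSec handling at VTEP2 (fig. 4).

Added example; not code from the patent or from H3C. The packet model, the
integrity-only stand-in for ESP, the pre-shared key and the sample packets
are assumptions. The selector fields are the ones the text lists: protocol,
source/destination IP address, source/destination TCP or UDP port.
"""
import hashlib
import hmac
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PROTO_UDP, PROTO_ESP = 17, 50
VXLAN_PORT = 4789
TAG_LEN = 32                                  # HMAC-SHA256 tag length


@dataclass(frozen=True)
class OuterPacket:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: Optional[int] = None            # ESP carries no ports
    dst_port: Optional[int] = None
    payload: bytes = b""                      # VXLAN header + inner frame, or ESP body


@dataclass(frozen=True)
class Selector:
    """One IPSec security-policy selector; None or 0.0.0.0/0 means wildcard."""
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    proto: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, p: OuterPacket) -> bool:
        return (ip_address(p.src_ip) in ip_network(self.src_net)
                and ip_address(p.dst_ip) in ip_network(self.dst_net)
                and self.proto in (None, p.proto)
                and self.src_port in (None, p.src_port)
                and self.dst_port in (None, p.dst_port))


SPD = List[Tuple[Selector, str]]              # ordered (selector, "protect" | "bypass")


def spd_action(spd: SPD, p: OuterPacket) -> str:
    """First-match lookup of the security policy; the default is bypass."""
    for sel, action in spd:
        if sel.matches(p):
            return action
    return "bypass"


def _serialize(p: OuterPacket) -> bytes:
    head = f"{p.src_ip},{p.dst_ip},{p.proto},{p.src_port},{p.dst_port}\n".encode()
    return head + p.payload


def _deserialize(b: bytes) -> OuterPacket:
    head, payload = b.split(b"\n", 1)
    s, d, pr, sp, dp = head.decode().split(",")
    return OuterPacket(s, d, int(pr), int(sp), int(dp), payload)


def protect(sa_key: bytes, tunnel_src: str, tunnel_dst: str, vxlan: OuterPacket) -> OuterPacket:
    """VTEP1's IPSec module: wrap a VXLAN/UDP packet in a tunnel-mode ESP stand-in.
    Real ESP encrypts and authenticates; here the body is tag || plaintext, which is
    enough to show the integrity check the receiver performs (assumption)."""
    body = _serialize(vxlan)
    tag = hmac.new(sa_key, body, hashlib.sha256).digest()
    return OuterPacket(tunnel_src, tunnel_dst, PROTO_ESP, payload=tag + body)


def unprotect(sa_key: bytes, esp: OuterPacket) -> Optional[OuterPacket]:
    """Verify the tag in constant time; None means the packet must be dropped."""
    tag, body = esp.payload[:TAG_LEN], esp.payload[TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(sa_key, body, hashlib.sha256).digest()):
        return None
    return _deserialize(body)


def receive(spd: SPD, sa_key: bytes, p: OuterPacket) -> Tuple[str, Optional[OuterPacket]]:
    """VTEP2's IPSec module. Returns (verdict, VXLAN packet for the VXLAN module)."""
    if p.proto == PROTO_ESP:
        inner = unprotect(sa_key, p)
        if inner is None:
            return "drop:integrity-failure", None
        return "decapsulate", inner            # decrypted VXLAN packet goes to VXLAN module
    if p.proto == PROTO_UDP and p.dst_port == VXLAN_PORT:
        # A cleartext VXLAN packet whose outer header matches a 'protect' policy should
        # never have arrived in the clear: treat it as injected or downgraded and drop it.
        if spd_action(spd, p) == "protect":
            return "drop:cleartext-for-protected-flow", None
        return "decapsulate", p
    return "drop:not-vxlan", None
```

The drop of cleartext VXLAN for a protected flow is the step that matters: without it, anything on the underlay path could bypass IPSec by sending plain VXLAN with the same outer headers and have its frames forwarded into the overlay. The stand-in only verifies a MAC; a real deployment uses an ESP security association with encryption and replay protection.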
Fig. 5 shows an exemplary flowchart of a packet encapsulation method according to an embodiment of the disclosure. As shown in fig. 5, the method includes steps S51 to S58.
In step S51, it is determined whether the control policy contains a reserved port number matching the feature identifier carried in the original packet to be encapsulated; if so, step S52 is executed, otherwise step S53 is executed.
In step S52, the original packet to be encapsulated is encapsulated by using the matched reserved port number as the source port number of the outer UDP header.
In step S53, a new port number is generated according to the original packet to be encapsulated.
In step S54, it is determined whether the new port number is the same as a reserved port number in the control policy; if so, the process returns to step S53, otherwise step S55 is performed.
In step S55, the original packet to be encapsulated is encapsulated by using the new port number as the source port number of the outer UDP header.
In step S56, the source port number in the outer UDP header of the VXLAN packet encapsulated with the outer UDP header is identified.
In step S57, an operation type matching the source port number is determined from the correspondence between the source port number and the operation type.
In step S58, operation control is performed on the VXLAN packet encapsulated with the outer UDP header according to the operation type.
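The configuration rule of the VXLAN module and steps S51 to S58 carried through in Python, as an added example (illustration written for this page, not the patent's or H3C's code): a control policy binds inner-header rules to reserved outer UDP source ports and to the operation type each port stands for; a packet that matches no rule gets a port generated from its inner 5-tuple, re-generated until it avoids every reserved port; and the lookup on the other side maps the outer source port back to an operation type. The hash function, the port range, the class names and the sample packets are assumptions.

```python
"""Outer UDP source-port assignment and lookup for VXLAN packets (steps S51 to S58).

Added example; not code from the patent or from H3C. The class names, the
hash used to generate a port number, the port range and the sample packets
are assumptions.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

VXLAN_DST_PORT = 4789                          # IANA-assigned VXLAN UDP port
GEN_LOW, GEN_HIGH = 49152, 65535               # range for generated source ports (assumption)


@dataclass(frozen=True)
class InnerPacket:
    """Feature identifiers of the original packet to be encapsulated (inner headers)."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: int                                 # 6 = TCP, 17 = UDP
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """One control-policy rule: inner-header match (None = wildcard) bound to a
    reserved outer UDP source port and the operation type that port stands for."""
    reserved_port: int
    operation: str
    dst_ip: Optional[str] = None
    proto: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, p: InnerPacket) -> bool:
        return (self.dst_ip in (None, p.dst_ip)
                and self.proto in (None, p.proto)
                and self.dst_port in (None, p.dst_port))


class ControlPolicy:
    def __init__(self, rules: Iterable[Rule]):
        self.rules: List[Rule] = list(rules)
        self.reserved = {r.reserved_port for r in self.rules}
        if len(self.reserved) != len(self.rules):
            raise ValueError("each rule needs its own reserved port number")
        # Correspondence used in S57; a port absent from it means plain forwarding.
        self.op_by_port: Dict[int, str] = {r.reserved_port: r.operation for r in self.rules}

    def reserved_port_for(self, p: InnerPacket) -> Optional[int]:
        """S51: reserved port of the first rule whose feature identifiers match."""
        for r in self.rules:
            if r.matches(p):
                return r.reserved_port
        return None


def generate_port(p: InnerPacket, salt: int = 0) -> int:
    """S53: derive a port from the inner 5-tuple so one flow keeps one port (stable ECMP).
    SHA-256 over the tuple plus a salt is an assumption; the patent does not fix the
    function. Bumping the salt is how the S54 -> S53 loop re-generates after a collision."""
    key = f"{p.src_ip}|{p.dst_ip}|{p.proto}|{p.src_port}|{p.dst_port}|{salt}".encode()
    h = struct.unpack(">H", hashlib.sha256(key).digest()[:2])[0]
    return GEN_LOW + h % (GEN_HIGH - GEN_LOW + 1)


def choose_source_port(policy: ControlPolicy, p: InnerPacket) -> int:
    """S51 to S55: reserved port for a matching packet; otherwise a generated port
    that is never equal to a reserved one, so it cannot be mistaken for a policy hit."""
    reserved = policy.reserved_port_for(p)
    if reserved is not None:
        return reserved                        # S52
    salt, port = 0, generate_port(p)           # S53
    while port in policy.reserved:             # S54: collides with a reserved port
        salt += 1
        port = generate_port(p, salt)          # back to S53
    return port                                # S55


def encapsulate(policy: ControlPolicy, p: InnerPacket, vni: int) -> dict:
    """Outer UDP header fields of the VXLAN packet built for p (inner frame omitted)."""
    return {"outer_udp_src": choose_source_port(policy, p),
            "outer_udp_dst": VXLAN_DST_PORT, "vni": vni, "inner": p}


def operation_for(policy: ControlPolicy, vxlan_pkt: dict) -> str:
    """S56 and S57: read the outer UDP source port and map it to an operation type.
    S58, applying the operation (IPSec, mirroring, QoS, ...), is left to the caller."""
    src_port = vxlan_pkt["outer_udp_src"]      # S56
    return policy.op_by_port.get(src_port, "forward")   # S57
```

Keeping generated ports out of the reserved set (S54) is what makes the port-to-operation correspondence trustworthy: a flow that matches no rule can never land on a reserved port and be handled as if it had. Because a reserved port is fixed per rule, every packet of a matching flow carries the same outer source port and stays on one ECMP path, while the hash keeps all other flows spread across paths as before.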
Example 2
Fig. 6 is a block diagram illustrating a message operation control apparatus according to an example embodiment. As shown in fig. 6, the message operation control apparatus includes: an information identification module 61, a type determination module 62 and an operation control module 63.
An information identifying module 61, configured to identify source port number information in an outer UDP header of the VXLAN message in which the outer UDP header is encapsulated;
a type determining module 62, configured to determine, according to a correspondence between the source port number information and the operation type, an operation type that matches the source port number information;
and an operation control module 63, configured to perform operation control on the VXLAN packet encapsulated with the outer UDP header according to the operation type.
Fig. 7 is a schematic block diagram of a message operation control apparatus according to an example embodiment. As shown in fig. 7:
in one possible implementation, the apparatus further includes: a reserved port number determination module 64 and a first encapsulation module 65.
The reserved port number determining module 64 is configured to match the original packet to be encapsulated with a control policy, and determine a reserved port number that matches a feature identifier carried in the original packet to be encapsulated; a first encapsulating module 65, configured to encapsulate the original packet to be encapsulated by using the matched reserved port number as a source port number of the outer UDP header.
In one possible implementation, the feature identifier includes an inner Ethernet header, an inner IP header, an inner UDP header or an inner TCP header, and the reserved port number determining module 64 is configured to match the original packet to be encapsulated against the control policy and determine the matched reserved port number according to one or more of the inner Ethernet header, inner IP header, inner UDP header or inner TCP header of the original packet to be encapsulated.
In one possible implementation, the apparatus further includes: a first generation module 66 and a second encapsulation module 67.
The first generating module 66 is configured to generate a new port number according to the original packet to be encapsulated, when there is no reserved port number that matches the feature identifier carried in the original packet to be encapsulated; a second encapsulating module 67, configured to encapsulate the original packet to be encapsulated by using the new port number as a source port number of an outer UDP header when the new port number is different from the reserved port number in the control policy.
In one possible implementation, the apparatus further includes: a second generating module 68, configured to, under the condition that the new port number is the same as the reserved port number in the control policy, re-generate a new port number according to the original packet to be encapsulated until the re-generated new port number is different from the reserved port number in the control policy.
The message operation control apparatus distinguishes VXLAN packets by the source port number information in their outer UDP header, determines the operation type corresponding to each VXLAN packet and performs the operation control corresponding to that type, so that VXLAN packets encapsulated over the same VXLAN tunnel can be controlled differently along multiple paths.
Fig. 8 is a block diagram of an apparatus 900 for message operation control according to an example embodiment. Referring to fig. 8, the apparatus 900 may include a processor 901 and a machine-readable storage medium 902 storing machine-executable instructions. The processor 901 and the machine-readable storage medium 902 may communicate via a system bus 903. The processor 901 executes the message operation control method described above by reading, from the machine-readable storage medium 902, the machine-executable instructions corresponding to the message operation control logic.
The machine-readable storage medium 902 referred to herein may be any electronic, magnetic, optical or other physical storage device that can contain or store information such as executable instructions and data. For example, the machine-readable storage medium may be a RAM (random access memory), a volatile memory, a non-volatile memory, a flash memory, a storage drive (e.g., a hard drive), a solid-state drive, any type of storage disk (e.g., an optical disk, a DVD, etc.), a similar storage medium, or a combination thereof.
Having described embodiments of the present disclosure, the foregoing description is intended to be exemplary, not exhaustive, and not limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terms used herein were chosen in order to best explain the principles of the embodiments, the practical application, or technical improvements to the techniques in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims (10)

1. A message operation control method is characterized by comprising the following steps:
identifying source port number information in an outer UDP header of the VXLAN message encapsulated with the outer UDP header;
determining an operation type matched with the source port number information according to the corresponding relation between the source port number information and the operation type;
and according to the operation type, carrying out operation control on the VXLAN message encapsulated with the outer layer UDP header.
2. The method of claim 1, wherein prior to identifying the source port number information in an outer UDP header of the VXLAN message encapsulating the outer UDP header, the method further comprises:
matching an original message to be encapsulated with a control policy, and determining a reserved port number matched with a feature identifier carried by the original message to be encapsulated;
and encapsulating the original message to be encapsulated by using the matched reserved port number as the source port number of the outer UDP header.
3. The method of claim 2, wherein the feature identification comprises: an inner Ethernet header, an inner IP header, an inner UDP header or an inner TCP header;
wherein matching the original message to be encapsulated with a control policy, and determining a reserved port number matched with the feature identifier carried by the original message to be encapsulated, comprises:
matching the original message to be encapsulated with a control policy, and determining a matched reserved port number according to one or more of an inner Ethernet header, an inner IP header, an inner UDP header or an inner TCP header of the original message to be encapsulated.
4. The method of claim 2, further comprising:
in a case where no reserved port number matched with the feature identifier carried by the original message to be encapsulated exists, generating a new port number according to the original message to be encapsulated;
and in a case where the new port number is different from the reserved port number in the control policy, encapsulating the original message to be encapsulated by using the new port number as the source port number of the outer UDP header.
5. The method of claim 4, further comprising:
in a case where the new port number is the same as the reserved port number in the control policy, re-generating a new port number according to the original message to be encapsulated until the re-generated new port number is different from the reserved port number in the control policy.
6. A message operation control apparatus, comprising:
the information identification module is used for identifying the source port number information in the outer UDP header of the VXLAN message encapsulated with the outer UDP header;
the type determining module is used for determining the operation type matched with the source port number information according to the corresponding relation between the source port number information and the operation type;
and the operation control module is used for carrying out operation control on the VXLAN message encapsulated with the outer layer UDP header according to the operation type.
7. The apparatus of claim 6, further comprising:
a reserved port number determining module, configured to match the original message to be encapsulated with a control policy and determine a reserved port number matched with the feature identifier carried by the original message to be encapsulated;
and a first encapsulating module, configured to encapsulate the original message to be encapsulated by using the matched reserved port number as the source port number of the outer UDP header.
8. The apparatus of claim 7, wherein the feature identifier comprises: an inner Ethernet header, an inner IP header, an inner UDP header or an inner TCP header;
the reserved port number determining module is configured to:
match the original message to be encapsulated with a control policy, and determine a matched reserved port number according to one or more of an inner Ethernet header, an inner IP header, an inner UDP header or an inner TCP header of the original message to be encapsulated.
9. The apparatus of claim 7, further comprising:
a first generating module, configured to generate a new port number according to the original packet to be encapsulated when there is no reserved port number matching the feature identifier carried in the original packet to be encapsulated;
and a second encapsulating module, configured to encapsulate the original message to be encapsulated by using the new port number as the source port number of the outer UDP header in a case where the new port number is different from the reserved port number in the control policy.
10. The apparatus of claim 9, further comprising:
a second generating module, configured to re-generate a new port number according to the original message to be encapsulated, in a case where the new port number is the same as the reserved port number in the control policy, until the re-generated new port number is different from the reserved port number in the control policy.
CN201710508327.3A 2017-06-28 2017-06-28 Message operation control method and device Active CN107547343B (en)

Publications (2)

Publication Number Publication Date
CN107547343A (en) 2018-01-05
CN107547343B (en) 2020-06-05


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant