CN108259504A - A method and device for implementing a group-based access control list - Google Patents


Info

Publication number
CN108259504A
Authority
CN
China
Prior art date
Legal status
Pending
Application number
CN201810089056.7A
Other languages
Chinese (zh)
Inventor
刘庆海
李晨
龚海东
Current Assignee
Centec Networks Suzhou Co Ltd
Original Assignee
Centec Networks Suzhou Co Ltd
Priority date
2018-01-30
Filing date
2018-01-30
Publication date
2018-07-06

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]


Abstract

The present invention discloses a method and device for implementing a group-based access control list. The method uses the flow tables already present in the switch chip to group flows into source groups and destination groups, and uses the two group IDs as matching fields in the ACEs, so that ACL policy can be configured on a per-group basis. Through multi-level flow table grouping, the present invention not only reduces the number of ACEs consumed exponentially and improves TCAM resource utilization, but also greatly reduces the administrator's ACE maintenance burden.

Description

A method and device for implementing a group-based access control list
Technical field
The present invention relates to access control list technology, and in particular to a method and device for implementing a group-based access control list.
Background
An ACL (Access Control List) is an access control technique that defines which data a user is permitted to access. An ACL is a set of permit/deny rules. By parsing the information in the layer 2, layer 3 and layer 4 headers of a packet and filtering the packet against pre-defined rules (keys), access control is achieved. Common ACL functions include: providing a basic security mechanism for network access; limiting network traffic and improving network performance; ACL counting, redirection, and so on. As networks grow larger and the variety of services increases sharply, the table entries that a switch uses to implement ACLs become increasingly scarce, and the rapid growth in the number of ACEs (Access Control Entries) poses a huge management challenge to network administrators.
A traditional ACL matches certain traffic by configuring a series of rule sets and then performs a certain action. The fields to be matched are typically the five-tuple parsed from the packet header. For example, if the IP address in the packet header is used as the matching field, then every time a new IP stream with a different IP address is added, a new ACE that is identical to an existing one except for the IP address has to be added to the TCAM (ternary content addressable memory, the tri-state CAM used to store ACL rules), as shown in Fig. 1. This approach has two drawbacks: on the one hand it quickly consumes TCAM resources, and on the other hand it increases the administrator's maintenance burden.
Summary of the invention
The object of the present invention is to overcome the defects of the prior art by providing a method and device for implementing a group-based access control list, so as to improve TCAM resource utilization.
To achieve the above object, the present invention proposes the following technical solution: a method for implementing a group-based access control list, including:
S1: grouping packets according to the information carried in their headers or obtained by a chip lookup, and using the ID of the group as a matching field in an access control list entry;
S2: adding a group matching field to each entry of the access control list;
S3: matching the group ID from S1 against the group matching field in the access control list and, if they match, performing the action corresponding to that group matching field.
Preferably, in S1, grouping packets according to the information carried in their headers or obtained by a chip lookup includes: placing a packet into a source group according to the source information carried in its header or obtained by a chip lookup, placing it into a destination group according to the destination information carried in its header or obtained by a chip lookup, and using the ID of the source group and the ID of the destination group as matching fields in the access control list entry.
Preferably, in S2, a source group matching field and a destination group matching field are added to each entry of the access control list.
Preferably, in S1, packets are grouped by a flow table in the switch chip according to the information carried in the packet header.
Preferably, the source information includes at least a source IP address or a source port, and the destination information includes at least a destination IP address or a destination port.
Preferably, the flow table includes at least an FDB table and a routing table.
Preferably, packets in a group share the ACL rules of the members of that group.
The present invention further discloses another technical solution: a device for implementing a group-based access control list, including:
a grouping module, for grouping packets according to the information carried in their headers or obtained by a chip lookup, and using the ID of the group as a matching field in an access control list entry;
an ACL matching field adding module, for adding a group matching field to each entry of the access control list;
a packet matching module, for matching the group ID assigned by the grouping module against the group matching field in the access control list and, if they match, performing the action corresponding to that group matching field.
Preferably, the grouping module is specifically used for: placing a packet into a source group according to the source information carried in its header or obtained by a chip lookup, placing it into a destination group according to the destination information carried in its header or obtained by a chip lookup, and using the ID of the source group and the ID of the destination group as matching fields in the access control list entry.
Preferably, the ACL matching field adding module is specifically used for: adding a source group matching field and a destination group matching field to each entry of the access control list.
The beneficial effects of the present invention are as follows: the present invention uses the flow tables already present in the switch chip to group flows into source groups and destination groups. The two group IDs are used as matching fields in the ACEs, so that ACL policy can be configured on a per-group basis. Through multi-level flow table grouping, the number of ACEs consumed is reduced exponentially, TCAM resource utilization is improved, and the administrator's ACE maintenance burden is greatly reduced.
Brief description of the drawings
Fig. 1 is a schematic diagram of an existing access control list implementation;
Fig. 2 is a flow chart of the method of the present invention;
Fig. 3 is a schematic diagram of the access control list of an embodiment of the present invention.
Detailed description
The technical solution of the embodiments of the present invention is described clearly and completely below with reference to the accompanying drawings.
Disclosed is a method and device for implementing a group-based access control list. Through multi-level flow table grouping, the number of ACEs consumed is reduced exponentially, TCAM resource utilization is improved, and the administrator's ACE maintenance burden is greatly reduced.
With reference to Fig. 2 and Fig. 3, an embodiment of the present invention discloses a method for implementing a group-based access control list, including:
Step 1: grouping packets according to the information carried in their headers or obtained by a chip lookup, and using the ID of the group as a matching field in an access control list entry.
Specifically, a switch chip already contains a variety of flow tables, such as the FDB (Forwarding DataBase, the MAC address forwarding table), the routing table and other service flow tables. When a packet enters the switch chip, these flow tables can preliminarily identify which group the packet belongs to. Specifically, the flow tables identify the packet according to information carried in the packet header or obtained by a chip lookup; the header carries at least the source IP address, source port, destination IP address, destination port and similar information. In Fig. 3, the flow table places packets S1 and S2 into group 1 because they carry the same source IP address. Of course, the flow table is not limited to identifying groups by source IP address; groups may also be identified by other information carried in the packet header.
In this embodiment, the flow tables place each packet into a source group and into a destination group, according to the information carried in the packet or obtained by a chip lookup. Specifically, the packet is placed into a source group according to the source information carried in its header or obtained by a chip lookup, and into a destination group according to the destination information carried in its header or obtained by a chip lookup. The source information carried in the header or obtained by a chip lookup is, for example, the source IP address or the source port; the destination information carried in the header or obtained by a chip lookup is, for example, the destination IP address or the destination port. In Fig. 3, the flow table places packets S1 and S2 into source group 1 because they carry the same source IP address, and into destination group 1 because they carry the same destination IP address. Likewise, the flow table is not limited to identifying groups by destination IP address; groups may also be identified by other information carried in the packet header. Packets S3 and S4 in Fig. 3 are grouped on the same principle as packets S1 and S2, and the same principle naturally generalizes to the grouping of any number of packets.
That is, after the above step, the source group ID and destination group ID of a packet are known. For packets S1 and S2 in the example above, their source group ID and destination group ID are both 1. These source group IDs and destination group IDs are then used as the matching fields in the access control list entries.
Step 2: adding a group matching field to each entry of the access control list.
Specifically, in this embodiment, the group matching fields added to each entry of the access control list are a source group matching field and a destination group matching field, which may specifically be a source group ID and a destination group ID, that is, the fields used to match the source group ID and destination group ID identified by the flow table.
Step 3: matching the group ID from step 1 against the group matching field in the access control list and, if they match, performing the action corresponding to that group matching field.
Specifically, in this embodiment, the source group ID and destination group ID of the packet are matched against the source group ID and destination group ID in the access control list respectively. If they match, the action configured in the access control list entry corresponding to that source group ID and destination group ID is performed, for example forwarding the packet to the destination port.
For example, the source group ID and destination group ID of packets S1 and S2 above are both 1, so they match the access control list entry whose source group ID and destination group ID are both 1, and according to that entry the packets are forwarded to destination device D1 or destination device D2.
In this way, when a new IP stream is added, the stream only needs to be placed into some already existing group, and it can then enjoy the ACL rules that the members of that group possess. For example, a newly added IP stream whose IP address differs from the existing entries but whose other information is the same only needs to be assigned to an existing group according to its information other than the IP address. In this way no new ACE needs to be added to the TCAM, and maintenance by the administrator is made easier.
In addition, the use of multi-level flow tables causes the number of ACEs consumed to be reduced exponentially. Multi-level flow table here refers to the flow tables in the switch chip together with the group-based access control list of the present invention: if the flow tables in the switch chip are the first level and the group-based access control list is the second level, then two-level flow table matching is achieved.
Comparing Fig. 2 and Fig. 3 also shows that with multi-level flow tables the number of ACEs is significantly reduced.
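The two-stage lookup described in steps 1 to 3 above (and in S1 to S3 of the summary), as an added Python simulation that is not part of the patent: stage 1 stands in for the switch's flow tables and maps a packet's addresses to a source group ID and a destination group ID, and stage 2 is an ACL keyed by the pair of group IDs instead of by a 5-tuple. The prefixes, group numbers, hosts, the group ID 0 for packets no flow table claims, and the default-deny fall-through are assumptions of the example; it also shows that admitting a new IP stream changes only the stage 1 table and consumes no new ACE.

```python
from ipaddress import ip_address, ip_network

# Stage 1: stand-ins for the switch's flow tables (FDB / routing table).
# Constructed sample data: each prefix maps to a group ID, mirroring Fig. 3,
# where packets sharing a source address land in source group 1.
SOURCE_GROUPS = {
    ip_network("10.1.0.0/24"): 1,   # hosts behind packets S1, S2
    ip_network("10.2.0.0/24"): 2,   # a second source group
}
DEST_GROUPS = {
    ip_network("192.168.1.0/24"): 1,   # destination devices D1, D2
    ip_network("192.168.9.0/24"): 2,
}
UNGROUPED = 0   # assumed ID for a packet that no flow table claims


def lookup_group(table, addr):
    """Longest-prefix match, the way a routing-table lookup yields a result."""
    best = None
    for net, gid in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gid)
    return best[1] if best else UNGROUPED


# Stage 2: the group-based ACL. Each ACE is keyed by the pair
# (source group ID, destination group ID) rather than by a 5-tuple,
# so one ACE covers every member-to-member pair of the two groups.
GROUP_ACL = [
    ((1, 1), "permit"),   # group 1 sources may reach group 1 destinations
    ((2, 1), "deny"),
]
DEFAULT_ACTION = "deny"   # assumed explicit fall-through for unmatched pairs


def classify(src_ip, dst_ip):
    """Return (action, src_gid, dst_gid) for one packet."""
    src_gid = lookup_group(SOURCE_GROUPS, ip_address(src_ip))
    dst_gid = lookup_group(DEST_GROUPS, ip_address(dst_ip))
    # A packet that no flow table grouped must not silently match an ACE;
    # it falls through to the default action instead.
    if UNGROUPED in (src_gid, dst_gid):
        return DEFAULT_ACTION, src_gid, dst_gid
    for key, action in GROUP_ACL:
        if key == (src_gid, dst_gid):
            return action, src_gid, dst_gid
    return DEFAULT_ACTION, src_gid, dst_gid


def add_member(table, prefix, gid):
    """Admit a new IP stream by placing it in an existing group.

    Only the stage 1 table changes; GROUP_ACL is untouched, which is the
    point of the patent: no new ACE is consumed in the TCAM.
    """
    table[ip_network(prefix)] = gid


def traditional_ace_count(n_sources, n_destinations):
    """A 5-tuple ACL needs one ACE per (source, destination) pair."""
    return n_sources * n_destinations


def group_ace_count():
    """The group-based ACL needs one ACE per (source group, destination group) pair."""
    return len(GROUP_ACL)


if __name__ == "__main__":
    for src, dst in [("10.1.0.7", "192.168.1.20"), ("10.2.0.7", "192.168.1.20"),
                     ("172.16.0.1", "192.168.1.20")]:
        print(src, "->", dst, classify(src, dst))
    add_member(SOURCE_GROUPS, "10.9.9.9/32", 1)   # new stream, no new ACE
    print("10.9.9.9 -> 192.168.1.20", classify("10.9.9.9", "192.168.1.20"))
    print("ACEs: 5-tuple", traditional_ace_count(3, 2), "vs group", group_ace_count())
```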
The embodiment of the present invention further discloses a device for implementing a group-based access control list, including:
a grouping module, for grouping packets according to the information carried in their headers or obtained by a chip lookup, and using the ID of the group as a matching field in an access control list entry;
an ACL matching field adding module, for adding a group matching field to each entry of the access control list;
a packet matching module, for matching the group ID assigned by the grouping module against the group matching field in the access control list and, if they match, performing the action corresponding to that group matching field.
The specific grouping principle of the grouping module, the specific adding principle of the ACL matching field adding module and the matching principle of the packet matching module may refer to the descriptions of step 1, step 2 and step 3 above respectively, and are not repeated here.
The technical content and technical features of the present invention have been disclosed above; however, those skilled in the art may still make various replacements and modifications based on the teachings and disclosure of the present invention without departing from its spirit. Therefore, the scope of the present invention should not be limited to the content disclosed by the embodiments, but should include the various replacements and modifications that do not depart from the present invention and that are covered by the claims of this patent application.

Claims (10)

  1. A method for implementing a group-based access control list, characterized in that it includes:
    S1: grouping packets according to the information carried in their headers or obtained by a chip lookup, and using the ID of the group as a matching field in an access control list entry;
    S2: adding a group matching field to each entry of the access control list;
    S3: matching the group ID from S1 against the group matching field in the access control list and, if they match, performing the action corresponding to that group matching field.
  2. The method for implementing a group-based access control list according to claim 1, characterized in that in S1, grouping packets according to the information carried in their headers or obtained by a chip lookup includes: placing a packet into a source group according to the source information carried in its header or obtained by a chip lookup, placing it into a destination group according to the destination information carried in its header or obtained by a chip lookup, and using the ID of the source group and the ID of the destination group as matching fields in the access control list entry.
  3. The method for implementing a group-based access control list according to claim 2, characterized in that in S2, a source group matching field and a destination group matching field are added to each entry of the access control list.
  4. The method for implementing a group-based access control list according to claim 1 or 2, characterized in that in S1, packets are grouped by a flow table in the switch chip according to the information carried in the packet header.
  5. The method for implementing a group-based access control list according to claim 2, characterized in that the source information includes at least a source IP address or a source port, and the destination information includes at least a destination IP address or a destination port.
  6. The method for implementing a group-based access control list according to claim 4, characterized in that the flow table includes at least an FDB table and a routing table.
  7. The method for implementing a group-based access control list according to claim 1, characterized in that packets in a group share the ACL rules of the members of that group.
  8. A device for implementing a group-based access control list, characterized in that it includes:
    a grouping module, for grouping packets according to the information carried in their headers or obtained by a chip lookup, and using the ID of the group as a matching field in an access control list entry;
    an ACL matching field adding module, for adding a group matching field to each entry of the access control list;
    a packet matching module, for matching the group ID assigned by the grouping module against the group matching field in the access control list and, if they match, performing the action corresponding to that group matching field.
  9. The device for implementing a group-based access control list according to claim 8, characterized in that the grouping module is specifically used for: placing a packet into a source group according to the source information carried in its header or obtained by a chip lookup, placing it into a destination group according to the destination information carried in its header or obtained by a chip lookup, and using the ID of the source group and the ID of the destination group as matching fields in the access control list entry.
  10. The device for implementing a group-based access control list according to claim 9, characterized in that the ACL matching field adding module is specifically used for: adding a source group matching field and a destination group matching field to each entry of the access control list.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810089056.7A CN108259504A (en) 2018-01-30 2018-01-30 A method and device for implementing a group-based access control list

Publications (1)

Publication Number Publication Date
CN108259504A true CN108259504A (en) 2018-07-06

Family

ID=62742223

Country Status (1)

Country Link
CN (1) CN108259504A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110971526A (en) * 2020-01-06 2020-04-07 盛科网络(苏州)有限公司 Flow table expansion method and device for FDB (fully drawn bus) resources of hybrid switch
CN112073357A (en) * 2019-06-10 2020-12-11 中兴通讯股份有限公司 Method and device for issuing access control list

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1738290A (en) * 2004-08-18 2006-02-22 华为技术有限公司 Network access control method based on access control listing
CN102916893A (en) * 2012-11-14 2013-02-06 迈普通信技术股份有限公司 Device and method for setting internet protocol (IP) multicast retransmission port in three-layer switchboard
CN105791107A (en) * 2014-12-22 2016-07-20 中兴通讯股份有限公司 ACL (Access Control List) rule configuration method, matching method and related device
CN106506468A (en) * 2016-10-31 2017-03-15 盛科网络(苏州)有限公司 A kind of method that minimizing ACE entries are consumed

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Address after: 215000 unit 13 / 16, 4th floor, building B, No.5 Xinghan street, Suzhou Industrial Park, Jiangsu Province
Applicant after: Suzhou Shengke Communication Co.,Ltd.
Address before: Unit 13 / 16, floor 4, building B, No. 5, Xinghan street, Suzhou Industrial Park, Suzhou, Jiangsu Province, 215000
Applicant before: CENTEC NETWORKS (SU ZHOU) Co.,Ltd.
RJ01 Rejection of invention patent application after publication
Application publication date: 20180706