CN112333097A - Message forwarding method and device and gateway equipment - Google Patents

Info

Publication number: CN112333097A
Authority: CN (China)
Prior art keywords: data flow, session table, message, logic chip, table item
Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Application number: CN202011051595.5A
Other languages: Chinese (zh)
Other versions: CN112333097B (en)
Inventor: 桂定旭
Current assignee: New H3C Security Technologies Co Ltd
Original assignee: New H3C Security Technologies Co Ltd
Application filed by New H3C Security Technologies Co Ltd; priority to CN202011051595.5A
Publication of CN112333097A; application granted and published as CN112333097B
Current legal status: Active

Classifications

    • H ELECTRICITY → H04 ELECTRIC COMMUNICATION TECHNIQUE → H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 45/00 Routing or path finding of packets in data switching networks → H04L 45/74 Address processing for routing → H04L 45/745 Address table lookup; address filtering
    • H04L 12/00 Data switching networks → H04L 12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L 47/00 Traffic control in data switching networks → H04L 47/10 Flow control; congestion control → H04L 47/31 Flow control or congestion control by tagging of packets, e.g. using discard eligibility [DE] bits
    • H04L 63/00 Network architectures or network communication protocols for network security → H04L 63/02 Separating internal from external traffic, e.g. firewalls → H04L 63/0227 Filtering policies → H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP address or URL
    • H04L 63/00 Network architectures or network communication protocols for network security → H04L 63/14 Detecting or protecting against malicious traffic → H04L 63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/00 Network architectures or network communication protocols for network security → H04L 63/16 Implementing security features at a particular protocol layer → H04L 63/168 Implementing security features at a protocol layer above the transport layer

Abstract

The specification provides a message forwarding method, a message forwarding device and gateway equipment, and relates to the field of communication equipment. A message forwarding method comprises the following steps: receiving a data flow message sent by a logic chip; when the data flow message is determined to be the first message, generating a session table item aiming at the data flow, and sending the session table item to the logic chip; and when the data flow message is determined not to be the first message, performing Deep Packet Inspection (DPI) processing on the data flow message, setting the first identifier as a matching state after determining that the operation corresponding to the matched application layer security policy is released, and setting a second identifier in the issued session table entry as a valid state so that the logic chip forwards the data flow message according to the issued session table entry. By the method, the data flow forwarding speed of the gateway equipment can be increased under the condition that the application layer security policy control is started.

Description

Message forwarding method and device and gateway equipment
Technical Field
The present specification relates to the field of communications technologies, and in particular, to a method and an apparatus for forwarding a packet, and a gateway device.
Background
A gateway device can forward packets in two modes: software forwarding and hardware forwarding. In software forwarding, the processor runs a software algorithm to process and forward the packet; in hardware forwarding, the packet is processed and forwarded by a logic chip such as an FPGA (Field Programmable Gate Array) or an ASIC (Application Specific Integrated Circuit). Software forwarding supports richer functions, while hardware forwarding achieves a higher forwarding rate.
Because users require network security, it is not enough to identify the five-tuple of a packet and apply a security policy to it; the application layer information carried in the packet payload must also be identified. The packet therefore has to be sent up to the processor for DPI (Deep Packet Inspection) so that the processor can apply the application layer security policy. However, if the gateway device applies the application layer security policy to a data flow, every packet of that flow must be sent up to the processor for DPI and then forwarded in software. As a result, the gateway device's handling of the flow is bounded by the processing capacity of the processor, and the forwarding rate of the data flow decreases.
Disclosure of Invention
In order to overcome the problems in the related art, the present specification provides a message forwarding method, a message forwarding apparatus, and a gateway device.
According to a first aspect of embodiments of the present specification, there is provided a packet forwarding method, including:
receiving a data flow packet sent by the logic chip, where the data flow packet is one for which the logic chip has not matched a valid session table entry;
when the data flow packet is determined to be the first packet, generating a session table entry for the data flow and delivering it to the logic chip, where the generated session table entry includes a first identifier indicating whether the entry has been matched to an application layer security policy, and the delivered session table entry includes a second identifier indicating whether the delivered entry is valid;
and when the data flow packet is determined not to be the first packet, performing Deep Packet Inspection (DPI) on the packet, and after determining that the operation corresponding to the matched application layer security policy is release, setting the first identifier to the matching state and setting the second identifier in the delivered session table entry to the valid state, so that the logic chip forwards the data flow packet according to the delivered session table entry.
Optionally, the DPI processing is performed on the data flow packet, including:
and after determining that the operation corresponding to the matched application layer security policy is blocked, deleting the generated session table item, and informing the logic chip to delete the issued session table item.
Further, after the DPI processing is performed on the data flow packet, the method further includes:
when the number of the data flow messages processed by the DPI does not exceed the preset number, forwarding the data flow messages;
and when the number of the data flow messages processed by the DPI exceeds the preset number, setting the data flow as other types of data flow.
According to a second aspect of embodiments of the present specification, there is provided a packet forwarding apparatus, including:
the receiving unit is used for receiving a data flow packet sent by the logic chip, where the data flow packet is one for which the logic chip has not matched a valid session table entry;
the identification unit is used for generating a session table item aiming at the data stream and sending the session table item to the logic chip when the data stream message is determined to be the first message, wherein the generated session table item comprises a first identifier used for indicating whether the session table item is matched with the application layer security policy, and the sent session table item comprises a second identifier used for indicating whether the sent session table item is effective;
the identification unit is further configured to, when it is determined that the data flow packet is not the first packet, perform DPI processing on the data flow packet, set the first identifier to a matching state after determining that the operation corresponding to the matched application layer security policy is released, and set the second identifier in the delivered session entry to an effective state, so that the logic chip forwards the data flow packet according to the delivered session entry.
Optionally, the identifying unit is further configured to delete the generated session entry and notify the logic chip to delete the issued session entry after determining that the operation corresponding to the matched application layer security policy is blocking.
Further, the device further comprises a processing unit, configured to forward the data flow packet when the number of data flow packets processed by the DPI does not exceed a preset number; and when the number of the data flow messages processed by the DPI exceeds the preset number, setting the data flow as other types of data flow.
According to a third aspect of the embodiments of the present specification, there is also provided a gateway device including a processor and a logic chip;
the processor receives a data flow packet sent by the logic chip, where the data flow packet is one for which the logic chip has not matched a valid session table entry;
when the processor determines that the data flow message is a first message, a session table item aiming at the data flow is generated, and the session table item is issued to the logic chip, wherein the generated session table item comprises a first identifier used for indicating whether the session table item is matched with the application layer security policy, and the issued session table item comprises a second identifier used for indicating whether the issued session table item is effective;
when the processor determines that the data flow message is not the first message, the DPI processing is carried out on the data flow message, after the operation corresponding to the matched application layer security policy is determined to be released, the first identifier is set to be in a matching state, and the second identifier in the issued session table entry is set to be in an effective state;
when receiving the session table item issued by the processor, the logic chip stores the session table item and marks the issued session table item as not valid;
when the logic chip receives the effective notification sent by the processor, the sent session table entry is marked as effective;
and when the issued session table entry is effective, the logic chip forwards the data stream message based on the effective session table entry.
Optionally, after the processor determines that the operation corresponding to the matched application layer security policy is blocked, deleting the generated session entry;
the processor issues a deletion notification to the logic chip;
and the logic chip deletes the session table entry corresponding to the deletion notification according to the deletion notification.
Further, when the processor determines that the number of the data flow messages processed by the DPI does not exceed the preset number, the data flow messages are forwarded; and when the processor determines that the number of the data flow messages subjected to the DPI processing exceeds the preset number, setting the data flow as other types of data flow.
Optionally, the gateway device is a security gateway device.
The technical scheme provided by the implementation mode of the specification can have the following beneficial effects:
in the embodiment of the present specification, when the gateway device receives a data flow packet, an identifier is carried in a delivered session entry, and after the processor determines that an operation corresponding to an application layer security policy is released, the released data flow is directly forwarded by the logic chip without being sent to the processor for processing and forwarding, so that a problem that all data flow packets in the data flow need to be sent to the processor after the gateway device starts application layer security policy control is solved, and a data flow forwarding speed of the gateway device is increased.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the specification.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present specification and together with the description, serve to explain the principles of the specification.
Fig. 1 is a flowchart of a message forwarding method according to the present application;
fig. 2 is a schematic structural diagram of a gateway device to which the present application relates;
fig. 3 is a schematic structural diagram of a message forwarding apparatus according to the present application;
fig. 4 is a schematic structural diagram of another message forwarding apparatus according to the present application;
fig. 5 is a flowchart of a message forwarding method according to an embodiment of the present application;
fig. 6 is a schematic diagram illustrating a data flow packet flowing in a gateway device according to the embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present specification.
The present application provides a packet forwarding method, as shown in fig. 1, including:
s100, receiving a data flow message sent by the logic chip.
In the gateway apparatus shown in fig. 2, at least a processor and a logic chip are included. The processor is used for realizing functions of routing calculation, session establishment, DPI processing of messages, software forwarding and the like, and the logic chip is used for performing table lookup forwarding on the messages. The processor and the logic chip are connected through a system bus to transmit data.
The forwarding table and the session table stored in the logic chip are issued by the processor. The gateway device may be a security gateway device such as a firewall device, or a router, a switch, or the like having a network security function. The gateway device may further include a memory for storing a forwarding table and a session table generated by the processor, and the logic chip includes a memory space for storing the forwarding table and the session table transmitted by the processor. In the gateway device, a data stream session table entry may be associated with a corresponding forwarding table entry, or information required for forwarding a packet is directly recorded in the session table entry, thereby implementing forwarding of a data stream packet in a data stream.
The system bus can be subdivided into a control bus and a data bus, wherein the control bus is used for issuing a session table and a routing table, and the data bus is used for transmitting data such as messages. Since the system bus is a relatively common mode of device connection and data transmission, the functions of the system bus are not split subsequently, and the whole system bus is taken as an example for description.
When the logic chip forwards a packet, it looks up its session table: if a matching valid session table entry is stored in the logic chip, the logic chip forwards the packet directly by table lookup; if no matching valid session table entry is stored, the logic chip sends the packet up to the processor for processing such as routing calculation and/or session establishment.
Generally, a data flow consists of a large number of packets, which can be divided into a first packet and non-first packets: the first packet is the first packet of the data flow, and the non-first packets are all packets of the flow after it.
In step S100, the data flow packet received by the processor is one for which the logic chip has not matched a valid session table entry. A session table entry includes at least the five-tuple, the ingress interface and a session identifier, so that packets can be forwarded on a per-session basis.
When the data flow message is matched with a session table entry, whether the processor has finished DPI processing on the data flow can be confirmed according to the first identifier. If completed, the first identifier is marked as a matching state, and if not completed, the first identifier is marked as an unmatched state.
The session table stored in the logic chip may further include a second identifier, where the second identifier is used to indicate whether a session table entry is in a valid state. When the session table entry matched with the data flow message is marked as valid, the logic chip can directly forward the data flow message according to the session table entry, and when the session table entry matched with the data flow message is marked as not valid, the logic chip can send the data flow message to the processor for processing.
S101, when the data flow message is determined to be the first message, generating a session table item aiming at the data flow, and sending the session table item to the logic chip.
S102, when the data flow message is determined not to be the first message, carrying out DPI processing on the data flow message.
And S103, after the operation corresponding to the matched application layer security policy is determined to be released, setting the first identifier as a matching state, and setting the second identifier in the issued session table entry as an effective state, so that the logic chip forwards the data stream message according to the issued session table entry.
When the processor receives a data flow packet sent by the logic chip, it can make this determination from the five-tuple, the ingress interface and other information carried in the packet.
When the processor determines that the uploaded packet is the first packet of the data flow, it generates a session table entry for the flow from the header information carried in that packet and delivers the entry to the logic chip for storage, so that the logic chip can later forward packets of the flow according to it. The processor also performs routing calculation, which may produce a forwarding table entry; that forwarding table entry is likewise delivered to the logic chip for storage.
Because the first packet is generally a protocol packet used to establish the session, the processor forwards it directly to the destination device in software after generating the session table entry and performing the routing calculation.
At this time, since the gateway device starts the application layer security policy control, the data flow packet of the data flow needs to be uploaded to the processor before determining the application layer security policy. In the process of performing DPI processing, the processor needs to analyze the load of the data flow packet, that is, obtain the content carried in the application layer of the data flow packet, such as a URL (Uniform Resource Locator), application information, and the like, so as to implement deep analysis on the data flow packet and application layer security policy control.
When the processor performs DPI processing, matching is performed according to an application layer security policy preset by the gateway device, and operations set based on the application layer security policy can be divided into releasing and blocking of data streams. Since the DPI process needs to analyze a plurality of data flow packets, the data flow packets are still forwarded by the processor through the software during the DPI process.
When the data flow is to be released, the processor sets the first identifier of its stored session table entry to the matching state and sets the second identifier of the session table entry stored in the logic chip to the valid state, i.e. the entry stored in the logic chip takes effect. From then on the logic chip forwards subsequent packets of the flow according to the valid session table entry without uploading them to the processor.
When the data flow is to be blocked, subsequent packets of the flow are not forwarded: the processor deletes its stored session table entry and notifies the logic chip to delete the session table entry delivered for that flow, so that an entry that never became valid does not occupy storage space in the logic chip. The processor may also attach an aging time when delivering the session table entry to the logic chip; when the aging time arrives and the entry is still not valid, the logic chip deletes it.
When the processor applies application layer security policy control by performing DPI on a data flow, only a small number of packets need to be analyzed to determine the matching application layer security policy. If no policy can be matched after a certain number of packets, the application is treated as unidentifiable, and the application corresponding to the data flow is regarded as an "other type" that is not configured in the application layer security policy.
In that case the data flow is matched against the default policy among the application layer security policies: the flow is classified as an application of another type (which can be understood as an unknown type) and is controlled by the application layer security policy configured for that other type. Accordingly, the number of packets that need DPI processing can be set, for example to 10. The processor forwards these 10 packets in software; the packets after them are matched against the application layer security policy for the other type, which specifies either release or block, and the handling is the same as above: if the operation is release, the processor updates the first identifier of its stored session table entry to the matching state and updates the second identifier in the logic chip to the valid state; if the operation is block, the session table entries stored in the processor and in the logic chip are both deleted.
In the embodiment of the present specification, when the gateway device receives a data flow packet, an identifier is carried in a delivered session entry, and after the processor determines that an operation corresponding to an application layer security policy is released, the released data flow is directly forwarded by the logic chip without being sent to the processor for processing and forwarding, so that a problem that all data flow packets in the data flow need to be sent to the processor after the gateway device starts application layer security policy control is solved, and a data flow forwarding speed of the gateway device is increased.
It should also be noted that the gateway device may enable the application layer security policy on only some of its interfaces and enable non-application-layer security policies on the others. For those other interfaces, the processor can determine the session table entry, routing entry and so on for the data flow from the first packet alone, without performing DPI on the flow's packets, and the non-first packets can then be forwarded.
Certainly, a plurality of logic chips may be further included in one gateway device to perform forwarding processing on the packet, but a specific processing manner is consistent with the above-described manner, and a description thereof is not repeated here.
Correspondingly, the present application also provides a packet forwarding apparatus, as shown in fig. 3, including:
the receiving unit is used for receiving a data flow packet sent by the logic chip, where the data flow packet is one for which the logic chip has not matched a valid session table entry;
the identification unit is used for generating a session table item aiming at the data stream and sending the session table item to the logic chip when the data stream message is determined to be the first message, wherein the generated session table item comprises a first identifier used for indicating whether the session table item is matched with the application layer security policy, and the sent session table item comprises a second identifier used for indicating whether the sent session table item is effective;
the identification unit is further configured to, when it is determined that the data flow packet is not the first packet, perform DPI processing on the data flow packet, set the first identifier to a matching state after determining that the operation corresponding to the matched application layer security policy is released, and set the second identifier in the delivered session entry to an effective state, so that the logic chip forwards the data flow packet according to the delivered session entry.
Further, the identification unit is further configured to delete the generated session entry and notify the logic chip to delete the issued session entry after determining that the operation corresponding to the matched application layer security policy is blocking.
Further, as shown in fig. 4, the packet forwarding apparatus further includes a processing unit, configured to forward the data flow packet when the number of data flow packets subjected to the DPI processing does not exceed a preset number; and when the number of the data flow messages processed by the DPI exceeds the preset number, setting the data flow as other types of data flow.
A message forwarding method according to the present application is described below with reference to a specific structure of a gateway device by taking an embodiment as an example.
The gateway device, as shown in fig. 2, includes a processor, a logic chip, a memory, and a system bus, and the processor, the logic chip, and the memory are connected by the system bus. Application layer security policy control is enabled at an ingress interface 1 of the gateway device, the ingress interface 1 indicating the interface at which data flows into the gateway device. For the gateway device, it may contain a plurality of ingress interfaces 1 and egress interfaces 2, and only one ingress interface 1 and egress interface 2 is shown in the figure for convenience of description.
In the process of forwarding a data flow packet in a data flow, as shown in fig. 5, a method for forwarding a packet includes:
and S1, the logic chip receives the data flow message.
As shown in fig. 6, the data flow message goes from the ingress interface 1 to the gateway device and enters the logic chip along the connection line between the ingress interface 1 and the logic chip.
S2, the logic chip obtains the quintuple and the input interface carried in the data flow message, and inquires the session table in the storage space according to the quintuple and the input interface, if the effective session table entry is not matched, the step goes to S3, and if the effective session table entry is matched, the step goes to S10.
And S3, when the logic chip does not find the effective session table item, sending the data flow message to the processor through the system bus.
If the logic chip does not find a matching session table entry in its storage space, the received packet can be regarded as the first packet of the data flow, and it is sent to the processor along the solid-line path in fig. 6.
S4, the processor obtains the five-tuple and the ingress interface from the data flow packet and looks up the session table in the memory; if no session table entry is found, go to S5, and if one is found, go to S7.
When no session table entry is found, the packet is regarded as the first packet, and routing calculation must be performed according to the protocol.
S5, the processor performs routing calculation according to the five-tuple and the ingress interface, generates a session table entry and stores it in the memory.
After the processor performs the routing calculation, a session table entry for the data flow is generated, and the session table entry may include contents such as forwarding information and a session identifier for forwarding a data flow packet.
Since the gateway device enables the application layer security policy, DPI processing is required for the data flow packets. To be able to determine whether control of the application layer security policy has been completed for a data flow, the session table entries stored in the memory are marked by matching identifiers, as shown in table 1 below:
Session identifier | Source IP address | ... | Input interface | Output interface | Matching identifier
1                  | 165.143.1.62      | ... | 1               | 2                | 0
TABLE 1
Here the matching identifier (the first identifier) is "0", meaning that no application layer security policy has been matched yet, because the processor has not been able to complete control of the application layer security policy for this data flow. DPI processing is therefore still required for the subsequent packets of the flow.
At this point the first packet may not carry any application-layer payload, so it cannot be subjected to DPI processing; its matching identifier is "0", and the processor forwards it directly according to the generated session table entry, that is, along the solid-line path in fig. 6.
S6, the processor issues the generated session table entry to the logic chip.
When the processor issues the session table entry to the logic chip, it may carry a "not in effect" field that tells the logic chip that the issued entry has not yet been matched to an application layer security policy and does not take effect. On receiving the entry, the logic chip records it in its own storage space and adds a validity identifier (the second identifier) to the recorded entry, as shown in table 2:
Session identifier | Source IP address | ... | Input interface | Output interface | Validity identifier
1                  | 165.143.1.62      | ... | 1               | 2                | 0
TABLE 2
While the validity identifier is "0", the session table entry is treated as not in effect, and the logic chip does not yet forward data flow packets according to it.
S7, the processor determines from the matching identifier that the data flow packet must undergo DPI processing, and searches for the application layer security policy that matches the data flow.
In this application, a matching identifier of "1" denotes the matched state, in which the flow's packets are forwarded by the logic chip and are no longer sent up to the processor. Consequently, if a data flow packet is still being sent up to the processor, its matching identifier is "0", that is, the entry is in the unmatched state and the flow has not yet been matched to an application layer security policy.
During DPI processing, the processor parses the payload of a data flow packet (a packet other than the first) to obtain application layer information, such as a URL.
The application layer information is then matched against the application layer security policies configured in advance on the gateway device. If a policy matches and its action is permit, go to S8; if a policy matches and its action is block, go to S11.
While the data flow has not yet been matched to an application layer security policy, the processor forwards each packet directly according to the session table entry, that is, along the solid-line path.
DPI processing sometimes cannot complete the matching of an application layer security policy from a single packet, so during DPI processing the packets continue to be forwarded by the processor according to the session table entry in memory. To avoid inspecting a flow indefinitely, a preset number may be configured in advance: as long as the number of packets that have undergone DPI processing has not reached the preset number, the following packets are also inspected; once the preset number is reached, it is assumed that no application layer security policy has been configured for this kind of application layer information, and the flow is treated as a data flow of the default type (that is, the unknown type) for the purpose of application layer security policy control. DPI processing is then also considered complete, with the flow matched to that policy. Note that every packet inspected before the verdict is reached has already been forwarded; a block decision takes effect from the packet on which the policy is matched and is not retroactive.
S8, the processor sets the corresponding session table entry in memory to the matched state.
After the application layer security policy has been matched, the processor updates the session table entry stored in memory and sets the matching identifier to "1", that is, the data flow has been matched to its application layer security policy.
The session table entry in memory is then as shown in table 3:
Session identifier | Source IP address | ... | Input interface | Output interface | Matching identifier
1                  | 165.143.1.62      | ... | 1               | 2                | 1
TABLE 3
S9, the processor issues the session table entry to the logic chip again, and the validity identifier of the entry in the storage space is updated to the in-effect state.
At this point DPI processing has determined that the application layer security policy permits the data flow to be forwarded, that is, the result is permit. To accelerate forwarding, the subsequent packets of the flow need not be sent to the processor for DPI processing, so the processor issues the session table entry for the flow again. This time the issued entry may carry an "in effect" field; when the logic chip receives it, it overwrites the original entry and sets the validity identifier to "1".
The session table entry stored in the storage space is then as shown in table 4:
Session identifier | Source IP address | ... | Input interface | Output interface | Validity identifier
1                  | 165.143.1.62      | ... | 1               | 2                | 1
TABLE 4
S10, the logic chip forwards the data flow packet according to the valid session table entry in its storage space.
Because the data flow has already undergone DPI processing and satisfies the application layer security policy, the logic chip can forward it directly on the accelerated path without sending it up to the processor, that is, along the dashed path in fig. 6.
S11, the processor deletes the session table entry for the data flow from memory and notifies the logic chip.
DPI processing has determined that, under the application layer security policy, the data flow must not be forwarded; the processor therefore deletes the session table entry stored in memory (table 1) and notifies the logic chip to do the same.
S12, the logic chip deletes the corresponding session table entry from its storage space according to the notification issued by the processor.
Because forwarding of the flow's packets must be blocked, the session table entry previously issued by the processor (table 2) is deleted.
With this processing flow, the packets of a data flow are sent to the processor until an application layer security policy has been matched. If the action of the matched policy is permit, the subsequent packets of the flow are forwarded on the accelerated path by the logic chip, which raises the forwarding rate; if the action is block, the session table entries in both the logic chip and the memory are deleted, so that the subsequent packets of the flow are not forwarded.
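The following is an added example, not code from the patent or from New H3C: a Python model of the two session tables and of steps S2 to S12 above, so that the state of the matching identifier (processor memory) and the validity identifier (logic chip storage) can be followed packet by packet. The class and field names, the toy DPI that reads an HTTP Host header, the routing rule, the policy table and the sample packets are assumptions made for illustration; the page specifies none of them.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Flow key used by both lookups (S2, S4): five-tuple plus input interface.
FlowKey = Tuple[str, str, int, int, str, int]

@dataclass
class Packet:
    key: FlowKey          # (src ip, dst ip, src port, dst port, proto, input interface)
    payload: bytes = b""

@dataclass
class SessionEntry:
    session_id: int
    out_if: int
    matched: bool = False  # first identifier, kept in processor memory (tables 1 and 3)
    valid: bool = False    # second identifier, kept in logic chip storage (tables 2 and 4)
    dpi_count: int = 0     # packets inspected so far, compared against the preset number

class LogicChip:
    """Fast path: forwards only on a valid entry, otherwise punts to the processor (S2, S3, S10, S12)."""
    def __init__(self, processor: "Processor") -> None:
        self.table: Dict[FlowKey, SessionEntry] = {}
        self.processor = processor

    def receive(self, pkt: Packet) -> str:
        entry = self.table.get(pkt.key)
        if entry is not None and entry.valid:
            return f"fast:{entry.out_if}"           # S10, dashed path in fig. 6
        return self.processor.receive(pkt, self)    # S3, solid path in fig. 6

    def install(self, key: FlowKey, entry: SessionEntry, valid: bool) -> None:
        # S6 issues the entry with valid=0; S9 re-issues it with valid=1, overwriting the old one.
        self.table[key] = SessionEntry(entry.session_id, entry.out_if, valid=valid)

    def delete(self, key: FlowKey) -> None:
        self.table.pop(key, None)                   # S12

class Processor:
    """Slow path: session creation, DPI and policy decision (S4 to S9, S11)."""
    def __init__(self, policy: Dict[str, str], dpi_limit: int = 3) -> None:
        self.table: Dict[FlowKey, SessionEntry] = {}
        self.policy = policy        # app-layer info -> "allow" | "block"; "default" is the unknown type
        self.dpi_limit = dpi_limit  # the preset number of packets to inspect before giving up
        self.next_id = 1

    @staticmethod
    def route(pkt: Packet) -> int:
        # Routing calculation is not specified on the page; assume interfaces 1 and 2 face each other.
        return 2 if pkt.key[5] == 1 else 1

    @staticmethod
    def dpi(payload: bytes) -> Optional[str]:
        # Toy DPI (an assumption): the application-layer information is the HTTP Host header.
        for line in payload.split(b"\r\n"):
            if line.lower().startswith(b"host:"):
                return line.split(b":", 1)[1].strip().decode()
        return None

    def receive(self, pkt: Packet, chip: LogicChip) -> str:
        entry = self.table.get(pkt.key)
        if entry is None:                           # S4: nothing in memory, so this is the first packet
            entry = SessionEntry(self.next_id, self.route(pkt))
            self.next_id += 1
            self.table[pkt.key] = entry             # S5
            chip.install(pkt.key, entry, valid=False)  # S6: issued as not in effect
            return f"slow:{entry.out_if}"           # first packet forwarded by the processor
        entry.dpi_count += 1                        # S7: matched is 0, so inspect this packet
        info = self.dpi(pkt.payload)
        if info is None and entry.dpi_count < self.dpi_limit:
            return f"slow:{entry.out_if}"           # no verdict yet; still forwarded while inspecting
        if info is None:
            info = "default"                        # preset number reached: treat as unknown type
        verdict = self.policy.get(info, self.policy["default"])
        if verdict == "block":                      # S11 and S12: drop the entry on both sides
            del self.table[pkt.key]
            chip.delete(pkt.key)
            return "drop"
        entry.matched = True                        # S8
        chip.install(pkt.key, entry, valid=True)    # S9: re-issued as in effect
        return f"slow:{entry.out_if}"

def run_flow(packets: List[Packet], policy: Dict[str, str], dpi_limit: int = 3) -> List[str]:
    """Push one flow's packets through the chip and report how each was handled."""
    proc = Processor(policy, dpi_limit)
    chip = LogicChip(proc)
    return [chip.receive(p) for p in packets]

# Constructed sample input (not from the page): one HTTP flow from the source address in table 1.
POLICY = {"allowed.example": "allow", "blocked.example": "block", "default": "allow"}
GET_ALLOWED = b"GET / HTTP/1.1\r\nHost: allowed.example\r\n\r\n"
GET_BLOCKED = b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n"

def pkt(payload: bytes = b"") -> Packet:
    return Packet(("165.143.1.62", "198.51.100.10", 40000, 80, "tcp", 1), payload)

if __name__ == "__main__":
    print(run_flow([pkt(), pkt(GET_ALLOWED), pkt(b"x"), pkt(b"y")], POLICY))  # slow, slow, fast, fast
    print(run_flow([pkt(), pkt(GET_BLOCKED), pkt(b"x")], POLICY))             # slow, drop, slow
    print(run_flow([pkt()] * 5, POLICY, dpi_limit=3))                         # four slow, then fast
```

Three things the model makes visible. For a permitted flow, the packet that carries the matchable payload is itself still forwarded by the processor (S8, S9), and only the packets after it take the fast path. For a blocked flow, the first packet was forwarded before the verdict existed, exactly as S5 and S6 describe. And after S11 and S12 delete both entries, the next packet of the same flow matches nothing, so S4 treats it as a first packet and a new session is created; the page does not say how the block verdict is retained, so the model does not retain it either, and a deployment would need to add that on top of this flow.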
It should also be noted that the gateway device may comprise several boards, for example an interface board connected to the input and output interfaces, a switch board that switches the data received by the interface board, and a service board that implements the network security function; the logic chip and the processor may be located on the service board. In a router or switch that has only an interface board and a switch board, the logic chip and the processor may be placed on the interface board or on the switch board to implement the functions above. The gateway device may also be a box-type device as shown in fig. 2, which implements the functions above directly on the single board it contains.
It will be understood that the present description is not limited to the precise arrangements described above and shown in the drawings, and that various modifications and changes may be made without departing from the scope thereof.
The above description is only for the purpose of illustrating the preferred embodiments of the present disclosure and is not to be construed as limiting the present disclosure, and any modifications, equivalents, improvements, etc. made within the spirit and principle of the present disclosure are intended to be included within the scope of the present disclosure.

Claims (10)

1. A message forwarding method, characterized by comprising the following steps:
receiving a data flow packet sent by a logic chip, the data flow packet being one for which the logic chip has not matched a valid session table entry;
when the data flow packet is determined to be a first packet, generating a session table entry for the data flow and issuing the session table entry to the logic chip, wherein the generated session table entry comprises a first identifier indicating whether the session table entry has been matched to an application layer security policy, and the issued session table entry comprises a second identifier indicating whether the issued session table entry is in effect;
and when the data flow packet is determined not to be a first packet, performing Deep Packet Inspection (DPI) processing on the data flow packet and, after determining that the action of the matched application layer security policy is permit, setting the first identifier to the matched state and setting the second identifier in the issued session table entry to the in-effect state, so that the logic chip forwards the data flow packet according to the issued session table entry.
2. The method of claim 1, wherein performing DPI processing on the data flow packet comprises:
after determining that the action of the matched application layer security policy is block, deleting the generated session table entry and notifying the logic chip to delete the issued session table entry.
3. The method of claim 1, further comprising, after performing DPI processing on the data flow packet:
when the number of data flow packets that have undergone DPI processing does not exceed a preset number, forwarding the data flow packet;
and when the number of data flow packets that have undergone DPI processing exceeds the preset number, setting the data flow to be a data flow of another type.
4. A message forwarding apparatus, comprising:
a receiving unit, configured to receive a data flow packet sent by a logic chip, the data flow packet being one for which the logic chip has not matched a valid session table entry;
an identification unit, configured to, when the data flow packet is determined to be a first packet, generate a session table entry for the data flow and issue the session table entry to the logic chip, wherein the generated session table entry comprises a first identifier indicating whether the session table entry has been matched to an application layer security policy, and the issued session table entry comprises a second identifier indicating whether the issued session table entry is in effect;
the identification unit being further configured to, when the data flow packet is determined not to be a first packet, perform DPI processing on the data flow packet and, after determining that the action of the matched application layer security policy is permit, set the first identifier to the matched state and set the second identifier in the issued session table entry to the in-effect state, so that the logic chip forwards the data flow packet according to the issued session table entry.
5. The apparatus of claim 4, wherein the identification unit is further configured to delete the generated session table entry and notify the logic chip to delete the issued session table entry after determining that the action of the matched application layer security policy is block.
6. The apparatus of claim 4, further comprising a processing unit configured to forward the data flow packet when the number of data flow packets that have undergone DPI processing does not exceed a preset number, and to set the data flow to be a data flow of another type when the number of data flow packets that have undergone DPI processing exceeds the preset number.
7. A gateway device comprising a processor and a logic chip, wherein:
the processor receives a data flow packet sent by the logic chip, the data flow packet being one for which the logic chip has not matched a valid session table entry;
when the processor determines that the data flow packet is a first packet, it generates a session table entry for the data flow and issues the session table entry to the logic chip, wherein the generated session table entry comprises a first identifier indicating whether the session table entry has been matched to an application layer security policy, and the issued session table entry comprises a second identifier indicating whether the issued session table entry is in effect;
when the processor determines that the data flow packet is not a first packet, it performs DPI processing on the data flow packet and, after determining that the action of the matched application layer security policy is permit, sets the first identifier to the matched state and sets the second identifier in the issued session table entry to the in-effect state;
when the logic chip receives the session table entry issued by the processor, it stores the session table entry and marks the issued session table entry as not in effect;
when the logic chip receives the in-effect notification sent by the processor, it marks the issued session table entry as in effect;
and the logic chip sends a received data flow packet up to the processor while the issued session table entry is not in effect, and forwards the data flow packet based on the session table entry once it is in effect.
8. The gateway device of claim 7, wherein:
the processor deletes the generated session table entry after determining that the action of the matched application layer security policy is block;
the processor issues a deletion notification to the logic chip;
and the logic chip deletes the session table entry corresponding to the deletion notification according to the deletion notification.
9. The gateway device of claim 7, wherein:
the processor forwards the data flow packet when it determines that the number of data flow packets that have undergone DPI processing does not exceed a preset number, and sets the data flow to be a data flow of another type when it determines that the number of data flow packets that have undergone DPI processing exceeds the preset number.
10. The gateway device of any one of claims 7 to 9, wherein the gateway device is a security gateway device.
CN202011051595.5A 2020-09-29 2020-09-29 Message forwarding method and device and gateway equipment Active CN112333097B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011051595.5A CN112333097B (en) 2020-09-29 2020-09-29 Message forwarding method and device and gateway equipment

Publications (2)

Publication Number Publication Date
CN112333097A true CN112333097A (en) 2021-02-05
CN112333097B CN112333097B (en) 2022-05-24

Family

ID=74314184

Country Status (1)

Country Link
CN (1) CN112333097B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114024887A (en) * 2021-11-10 2022-02-08 北京天融信网络安全技术有限公司 Method, device and equipment for processing forwarding table item and storage medium
CN114374569A (en) * 2022-03-22 2022-04-19 北京指掌易科技有限公司 Message detection method and device, electronic equipment and storage medium
CN114793199A (en) * 2022-03-30 2022-07-26 新华三信息安全技术有限公司 Message processing method, device and network equipment
CN114827044A (en) * 2022-04-27 2022-07-29 新华三信息安全技术有限公司 Message processing method, device and network equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8510551B1 (en) * 2008-11-10 2013-08-13 Juniper Networks, Inc. Policy handling for multicast transmissions
CN103368777A (en) * 2013-07-11 2013-10-23 曙光信息产业股份有限公司 Data packet processing board and processing method
CN107124402A (en) * 2017-04-12 2017-09-01 杭州迪普科技股份有限公司 A kind of method and apparatus of packet filtering
CN108259644A (en) * 2018-01-18 2018-07-06 新华三技术有限公司 A kind of communication equipment and its ARP entry generation method
CN110311866A (en) * 2019-06-28 2019-10-08 杭州迪普科技股份有限公司 A kind of method and device of fast-forwarding message
CN110691045A (en) * 2019-10-25 2020-01-14 新华三信息安全技术有限公司 Protocol message forwarding method, line card board, network equipment and storage medium

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant