CN113452809A

CN113452809A - Address segment analysis method and device, electronic equipment and medium

Info

Publication number: CN113452809A
Application number: CN202110731832.0A
Authority: CN
Inventors: 王苏洋
Original assignee: New H3C Security Technologies Co Ltd
Current assignee: New H3C Security Technologies Co Ltd
Priority date: 2021-06-29
Filing date: 2021-06-29
Publication date: 2021-09-28
Anticipated expiration: 2041-06-29
Also published as: CN113452809B

Abstract

The embodiment of the invention provides an address field analyzing method, an address field analyzing device, electronic equipment and a medium, relates to the technical field of communication, and can realize that the matching of message fields by using a TCAM chip is not limited by the length of the field. The technical scheme of the embodiment of the invention comprises the following steps: based on a preset division rule, dividing a start address and an end address in an address field to be analyzed into a preset number of fields respectively, wherein the length of each field is less than or equal to the preset length. The first-to-unequal fields included by the start address and the end address are then determined. And dividing the address segment to be analyzed into a plurality of rule segments based on the first pair of unequal fields included by the starting address and the ending address. And then analyzing the field to be analyzed included in each rule segment, and encapsulating the analysis result of the field to be analyzed and the rest fields included in the rule segment to which the field belongs to obtain the analysis result of each rule segment. And finally, taking the analysis results of all the rule segments included in the address segment to be analyzed as the analysis results of the address segment to be analyzed.

Description

Address segment analysis method and device, electronic equipment and medium

Technical Field

The present invention relates to the field of communications technologies, and in particular, to a method and an apparatus for address segment resolution, an electronic device, and a medium.

Background

At present, a network device may perform Access Control List (ACL) matching on a received message through a Ternary Content Addressable Memory (TCAM) chip, and for an address segment of each ACL, the TCAM stores data (data) and a mask (mask) obtained by analyzing the address segment. The third state of the TCAM is realized by a mask, and when a bit of the mask is 1, it indicates that data of the bit needs to be accurately matched; when a bit of the mask is 0, it indicates that the data of the bit is fuzzy matched, i.e. the matching can be successful no matter whether the data is 0 or 1. For example, if the key value of the field to be matched of the received message is 1011, a piece of data stored in the TCAM is 1010, and the corresponding mask is 1111, it indicates that each bit needs to be accurately matched, and the matching fails at this time. If the other piece of data is 1010 and the corresponding mask is 1100, it means that only the first two bits need to be matched exactly, and the matching between 1011 and 1010 is successful.

However, the current method for resolving the address field is only suitable for binary bit strings within 32 bits. For IP address segments exceeding 32bit, for example, 128bit Internet Protocol Version6 (IPv 6) address segments cannot be matched by TCAM chip.

Disclosure of Invention

Embodiments of the present invention provide an address segment parsing method, an address segment parsing device, an electronic device, and a medium, so as to implement that when a TCAM chip is used to match a message field, the matching is not limited by a length of the field. The specific technical scheme is as follows:

in a first aspect, an embodiment of the present invention provides an address segment parsing method, including:

dividing a starting address and an ending address in an address field to be analyzed into a preset number of fields respectively based on a preset division rule, wherein the length of each field is less than or equal to a preset length;

comparing the starting address with the ending address from the highest bit one by one, and determining first-to-unequal fields included by the starting address and the ending address;

dividing the address field to be resolved into a plurality of rule fields based on first-to-unequal fields included by the starting address and the ending address; the starting sub-address and the terminating sub-address of the rule segment comprise a field to be analyzed, the fields before the field to be analyzed are the same, and the mask of the field after the field to be analyzed is 0 or the field to be analyzed is the last field;

analyzing the field to be analyzed included in each rule segment, and encapsulating the analysis result of the field to be analyzed and other fields included in the rule segment to which the field belongs to obtain the analysis result of each rule segment;

and taking the analysis results of all the rule segments included in the address segment to be analyzed as the analysis results of the address segment to be analyzed.

Optionally, the dividing the address segment to be resolved into a plurality of rule segments based on first-to-unequal fields included in the start address and the end address includes:

determining a maximum range rule segment included between the starting address and the terminating address based on a head-to-tail field included by the starting address and the terminating address;

dividing the address before the maximum range rule segment in the address segment to be analyzed into a first address segment, and dividing the address after the maximum range rule segment into a second address segment;

based on first-to-unequal fields included by the starting sub-address and the terminating sub-address of the first address segment, the first address segment is divided step by step until the last-stage address segments obtained by division are regular segments;

and based on first-to-unequal fields included by the starting sub-address and the ending sub-address of the second address field, dividing the second address field step by step until the last-stage address field obtained by division is a regular field.

Optionally, in the address field to be resolved, after dividing the address before the maximum range rule field into a first address field and dividing the address after the maximum range rule field into a second address field, the method further includes:

judging whether the first address segment is a rule segment; if not, executing the step of dividing the first address segment step by step based on the first pair of unequal fields included by the starting subaddress and the terminating subaddress of the first address segment; if so, taking the first address segment as a rule segment included in the address segment to be analyzed;

judging whether the second address field is a rule field or not; if not, executing the step of dividing the second address segment step by step based on the first pair of unequal fields included by the starting subaddress and the ending subaddress of the second address segment; if so, taking the second address field as a rule field included in the address field to be analyzed.

Optionally, the step of dividing the first address segment step by step based on first pair of unequal fields included in the start subaddress and the stop subaddress of the first address segment until the last address segment obtained by the division is a regular segment includes:

taking the first address segment as a current address segment to be divided;

determining first-to-unequal fields included by a starting subaddress and a terminating subaddress of the current address segment to be divided;

dividing the current address segment to be divided into two sub-address segments, wherein the starting sub-address of one sub-address segment is the starting sub-address of the current address segment to be divided, and the terminating sub-address is: setting all fields behind unequal fields included in the starting sub-address of the current address segment to be divided as 1 to obtain an address;

respectively judging whether each sub-address segment included in the current address segment to be divided is a rule segment;

if yes, ending the division of the current address segment to be divided;

if not, taking the sub-address segment which is not the rule segment as the current address segment to be divided, and returning to the step of determining the first-to-unequal fields included by the starting sub-address and the ending sub-address of the current address segment to be divided;

the step-by-step division of the second address segment is performed on the first pair of unequal fields included by the start subaddress and the stop subaddress based on the second address segment until the last stage of address segment obtained by division is a regular segment, and the method comprises the following steps:

taking the second address field as a current address field to be divided;

dividing the current address segment to be divided into two sub-address segments, wherein the terminator address of one sub-address segment is the terminator address of the current address segment to be divided, and the starting sub-address is: setting all fields behind unequal fields included in the terminator address of the current address segment to be divided as 0 to obtain an address;

if yes, ending the division of the current address segment to be divided;

if not, the sub-address segment which is not the rule segment is taken as the current address segment to be divided, and the step of determining the first-to-unequal fields included by the starting sub-address and the ending sub-address of the current address segment to be divided is returned.

Optionally, the parsing result includes a data portion and a mask portion; the encapsulating the analysis result of the field to be analyzed and the rest fields included in the rule segment to which the field belongs to obtain the analysis result of each rule segment includes:

and each field to be analyzed is processed as follows:

splicing fields before the fields to be analyzed in the rule section to which the fields to be analyzed belong before the data part of each analysis result respectively, and splicing a first number of all-0 fields after the data part of each analysis result to obtain analysis data of the rule section to which the fields to be analyzed belong; the first number is the same as the number of fields behind the field to be analyzed in the rule section to which the field to be analyzed belongs;

splicing a second number of all-1 fields before the mask part of each analysis result of the field to be analyzed, and splicing the first number of all-0 fields after the mask part of each analysis result to obtain the mask part of the field to be analyzed; and the second number is the same as the number of fields before the field to be analyzed in the rule section to which the field to be analyzed belongs.

Optionally, before the dividing, based on the preset dividing rule, the starting address and the ending address in the address segment to be resolved into the preset number of fields, the method further includes:

judging whether each address length included in the address segment to be analyzed is larger than a preset length or not;

if yes, executing the step of dividing the initial address and the end address in the address field to be analyzed into a preset number of fields based on a preset division rule;

if not, judging whether the highest bit of the starting address and the highest bit of the ending address of the address segment to be analyzed are the same;

if so, analyzing the address segment to be analyzed;

if not, under the condition that the address range of the address segment to be analyzed is not the global range, splitting the address segment to be analyzed into two sub-address segments with the same highest bit, and respectively analyzing each sub-address segment.

In a second aspect, an embodiment of the present invention provides an address segment resolution apparatus, including:

the dividing module is used for dividing a starting address and an ending address in an address field to be analyzed into a preset number of fields respectively based on a preset dividing rule, and the length of each field is less than or equal to a preset length;

a determining module, configured to compare the start address and the end address partitioned by the partitioning module from the highest bit one by one, and determine a first-to-unequal field included in the start address and the end address;

the dividing module is further configured to divide the address field to be resolved into a plurality of rule fields based on first-to-unequal fields included in the starting address and the ending address determined by the determining module; the starting sub-address and the terminating sub-address of the rule segment comprise a field to be analyzed, the fields before the field to be analyzed are the same, and the mask of the field after the field to be analyzed is 0 or the field to be analyzed is the last field;

the analysis module is used for analyzing the fields to be analyzed contained in each rule segment divided by the division module, and packaging the analysis results of the fields to be analyzed and the rest fields contained in the rule segment to which the analysis results belong to obtain the analysis results of each rule segment;

the determining module is further configured to use the analysis results of all rule segments included in the address segment to be analyzed as the analysis results of the address segment to be analyzed.

Optionally, the dividing module is specifically configured to:

Optionally, the apparatus further comprises: a judgment module; the judging module is used for:

dividing an address before the maximum range rule segment in the address segment to be analyzed into a first address segment, dividing an address after the maximum range rule segment into a second address segment, and then judging whether the first address segment is a rule segment; if not, executing the step of dividing the first address segment step by step based on the first pair of unequal fields included by the starting subaddress and the terminating subaddress of the first address segment; if so, taking the first address segment as a rule segment included in the address segment to be analyzed;

Optionally, the dividing module is specifically configured to:

taking the first address segment as a current address segment to be divided;

if yes, ending the division of the current address segment to be divided;

the dividing module is specifically configured to:

taking the second address field as a current address field to be divided;

if yes, ending the division of the current address segment to be divided;

Optionally, the determining module is specifically configured to:

and each field to be analyzed is processed as follows:

Optionally, the apparatus further comprises: the device comprises a judging module and a calling module;

the judging module is used for judging whether the length of each address included in the address segment to be analyzed is greater than the preset length or not before the initial address and the end address in the address segment to be analyzed are respectively divided into the fields with the preset number based on the preset dividing rule;

the calling module is used for calling the dividing module to execute the step of dividing the initial address and the ending address in the address field to be analyzed into the fields with the preset number respectively based on the preset dividing rule if the judging module judges that the address field is the initial address field;

the judging module is further configured to judge whether the highest bit of the start address and the highest bit of the end address of the address segment to be resolved are the same if the judging module judges that the address segment to be resolved is not the same;

the analysis module is further used for analyzing the address field to be analyzed if the judgment module judges that the address field to be analyzed is positive;

the analyzing module is further configured to, if the determining module determines that the address range of the address segment to be analyzed is not the global range, split the address segment to be analyzed into two sub-address segments with the same highest bit and analyze each sub-address segment respectively.

In a third aspect, an embodiment of the present invention provides an electronic device, including a processor, a communication interface, a memory, and a communication bus, where the processor and the communication interface complete communication between the memory and the processor through the communication bus;

a memory for storing a computer program;

and the processor is used for realizing the steps of any address field analysis method when executing the program stored in the memory.

In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored in the computer-readable storage medium, and when the computer program is executed by a processor, the computer program implements the steps of any one of the address segment parsing methods described above.

In a fifth aspect, an embodiment of the present invention further provides a computer program product containing instructions, which when run on a computer, cause the computer to execute any one of the above address segment resolving methods.

By adopting the technical scheme, the address field to be analyzed can be divided into a plurality of rule segments, the field to be analyzed in each rule segment is analyzed, and because the fields before the field to be analyzed in the rule segment are the same and the mask of the field after the field is 0, the mask of the field before the field to be analyzed is 1 and the mask of the field after the field is 0, in the embodiment of the invention, after the field to be analyzed is analyzed, the analysis result and the rest of the fields are packaged, namely the whole rule segment is analyzed. Since the length of the field to be analyzed is less than or equal to the preset length, the field to be analyzed can be analyzed by using an address field analysis method aiming at the address fields within 32 bits. Therefore, the embodiment of the invention can analyze the address field exceeding 32bit, and further, the address field exceeding 32bit can be matched through the TCAM chip.

Of course, not all of the advantages described above need to be achieved at the same time in the practice of any one product or method of the invention.

Drawings

In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other embodiments can be obtained by using the drawings without creative efforts.

FIG. 1 is a diagram illustrating an address matching process in the related art;

FIG. 2 is a binary tree of address fragments obtained by an address resolution process in the related art;

fig. 3 is a flowchart of an address field parsing method according to an embodiment of the present invention;

fig. 4 is a flowchart of a method for dividing a field to be analyzed into rule segments according to an embodiment of the present invention;

fig. 5 is a flowchart of a method for partitioning a first address segment into rule segments according to an embodiment of the present invention;

FIG. 6 is a flowchart of a method for partitioning a regular segment into a second address segment according to an embodiment of the present invention;

FIG. 7 is an exemplary diagram of a parsing result of a rule segment according to an embodiment of the present invention;

FIG. 8 is a flowchart of another address field resolution method according to an embodiment of the present invention;

fig. 9 is an exemplary diagram of a process of dividing a field to be parsed into rule segments according to an embodiment of the present invention;

fig. 10 is an exemplary diagram of another process for dividing a field to be parsed into rule segments according to an embodiment of the present invention;

fig. 11 is a schematic structural diagram of an address segment resolution apparatus according to an embodiment of the present invention;

fig. 12 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.

Detailed Description

The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived from the embodiments given herein by one of ordinary skill in the art, are within the scope of the invention.

A process of performing ACL matching on a received message by a Ternary Content Addressable Memory (TCAM) chip in a high-end network device is shown in fig. 1.

As shown in fig. 1, Vcc represents a power supply voltage of a TCAM chip, Data to be searched is Key, an SRAM cell is a storage unit for storing Data (Data), and a MASK SRAM is a storage unit for storing a MASK (MASK). The data in the SRAM cell corresponds to the MASKs in the MASK SRAM one by one, and the length of the data is the same as that of the MASKs. The value of each bit of the Mask is used to indicate whether the values of the same bit in the data need to be matched exactly. When the value of the bit of the Mask is 0, the value of the bit is represented as "don't care", namely the value of the bit is 0 or 1 and can be matched; when the value of the bit of the Mask is 1, it indicates an exact match, i.e. the match can be achieved only if the value of the bit is equal to the value of the bit.

For a Key to be matched, the Key to be matched is matched (match) with each Data in the SRAM cell and the corresponding MASK of each Data in the MASK SRAM, then matching results are integrated through a matching line (Matchline), and the integrated matching results are fed back to the priority decoder. The priority decoder generates a binary match position location and a match hit signal, and when there are a plurality of Data matched with the Key, the Data with the highest priority is used as the Data matched with the Key. Wherein the smaller the address of Data, the higher the priority. The matching position location is used for representing the Data with the highest priority in the Data matched with the Key.

The relationship among Key, Mask, Data and Matchline can be expressed by the following logic expression: match ═ (Key ≠ Data) & Mask, Matchline! Match. Thus, truth tables of Key, Mask, Data and Matchline can be obtained, as shown in Table one:

watch 1

Key	Mask	Data	Matchline
					0	0	0	1
0	0	1	1
				0	1	0	1
0	1	1	0
				1	0	0	1
1	0	1	1
				1	1	0	0
1	1	1	1

Wherein Matchline of 1 indicates a match, and Matchline of 0 indicates a mismatch.

Before address matching, the address field of each ACL needs to be analyzed, and the analysis result, i.e., the correspondence between Data and Mask, is stored in the TCAM chip.

In the related art, the parsing process for the address field of the port within 32 bits is as follows:

1. converting the initial value of the address segment into a binary bit string and recording the binary bit string as start; the end value of the address field is converted into a binary bit string and is denoted as end, where start and end are the shortest bit string with the same highest order bits.

2. The closest bit strings of start and end are obtained. Where the most similar bit strings are: and according to the sequence from high order to low order, reserving the bit before the first unequal bit of start and end, and setting the first unequal bit and the later bit as bit strings with arbitrary values. For example, start is 00100, end is 00111, the first unequal bit is the fourth bit, the first to third bits are reserved, and the fourth and fifth bits are set to arbitrary values, resulting in 001 XX. Wherein, X can be 1 or 0.

If start and end cannot cover all the data of the closest bit string, i.e. the address field is not a complete binary tree, the next step is performed, otherwise the address field is represented by a field + mask (e.g. key:0, mask: 0) and the parsing is finished.

3. And determining the boundary point of the left subtree and the right subtree of the address field, and recording the boundary point as P. Where P is a bit string with the first unequal bit successor bit of start and end set to 0.

4. Respectively analyzing the left sub-tree and the right sub-tree of the address field by taking P as a demarcation point, and the process is as follows:

a) the current process value is initialized and recorded as Temp. When the left sub-tree is analyzed, initializing Temp as start; when the right sub-tree is resolved, Temp is initialized to end.

b) Acquiring a complete binary tree in the Temp, and starting from the lowest bit of the Temp and aiming at each bit of the Temp, judging whether the bit mask can be 0 or not; if yes, continuing to judge whether the last bit can be 0 or not, recording the index n of the bit until judging that a bit mask can not be 0, and taking key (temp) and mask (1< < n) -1) as an analysis value.

c) Update the value of Temp (when the left sub-tree is parsed, update Temp + ═ 1< < n; when the right sub-tree is analyzed, updating Temp-1 < < n), and then judging whether Temp reaches the boundary condition (when the left sub-tree is analyzed, the boundary condition is Temp < P; when the right sub-tree is analyzed, the boundary condition is Temp ≧ P), if not, the step b) is returned, and the analysis is finished until the boundary condition is reached.

The following describes a process of resolving a port address field within 32 bits in the related art by using a specific example:

assuming the address field is 1-10, the resolution process is as follows:

1. converting 1 into binary bit string to obtain 1; converting 10 into a binary bit string to obtain 1010; both need to be the shortest bit string with the same highest order, so start is 00001 and end is 01010. The only highest bit bits of start and end are the same, so the most similar bit string of start and end is 0XXXX, where X can be 0 or 1. Since 1-10 cannot cover all data of 0XXXX, i.e., address segments 1-10 are not complete binary trees, continued resolution is required.

2. And setting the first unequal bit subsequent bit in the start and the end to 0 to obtain the demarcation point P01000.

3. When the left sub-tree of the range segment is parsed, Temp is initialized to 00001.

For Temp ═ 00001, since the value of Temp may be 00000 when the mask of the last bit of 00001 is 0, and 00000 is not between 1-10, the last bit mask of 00001 cannot be 0, and the binary tree may be represented as 00001. Meanwhile, n is updated to be 0, Temp + is 1< <0, i.e., Temp is 00010 (i.e., decimal 2), Temp < P, and the analysis is continued.

For Temp ═ 00010, similarly, the last bit of 00010 can be 0 and the second to last bit cannot be 0, and the binary tree can be represented as 00010 and 00011. Meanwhile, n is updated to be 1, Temp + is 1< <1, i.e. Temp is 00100 (i.e. 4 in decimal), Temp is < P, and the analysis is continued.

For Temp 00100, the last two bits of 00100 can be 0 and the third last bit can not be 0, and the binary tree can be represented as 00100, 00101, 00110 and 00111. And simultaneously updating n-2, Temp + 1< <2, namely Temp-01000 (namely decimal 8), and Temp-P, wherein the boundary condition is not met, and the left sub-tree analysis is ended.

4. When the right sub-tree of the range segment is resolved, Temp is initialized to end.

For Temp ═ 01010, the last bit mask of 01010 can not be 0, and the binary tree can be represented as 01010, similarly. The analysis is continued by updating n-0, Temp-1 < <0, i.e., Temp 01001 (i.e., decimal 9) and Temp > P.

For Temp ═ 01001, similarly, the last bit mask of 01001 can be 0, the second to last bit mask cannot be 0, and the binary tree can be represented as 01000 and 01001. Updating n is 1, Temp-1 < <1, i.e., Temp 00111 (i.e., 7 in decimal), Temp < P, and the boundary condition is not satisfied, and right subtree parsing is finished.

The final analytical results obtained were:

Key:1(00001),mask:11111；

Key:2(00010),mask:11110；

Key:3(00100),mask:11100；

Key:4(01010),mask:11111；

Key:5(01001),mask:11110.

where, x represents bit-wise negation, < < represents left shift, and ═ represents equality.

For example, when Temp ═ 00001 and Temp + ═ 1< <0 are calculated, 1 is first shifted by 0 bits to the left to obtain 1, and then Temp ═ Temp +1 ═ 00001+1 ═ 00010 is calculated.

For example, when Temp ═ 00010 and Temp + ═ 1< <1 are calculated, 1 is shifted to the left by 1 bit to obtain 10, and then Temp ═ Temp +10 ═ 00010+10 ═ 00100 is calculated.

In the same way, the starting value 0.0.0.28 of the port range segment, i.e. 00011100 in binary, and the ending value 0.0.0.81, i.e. 01010001 in binary, are parsed to obtain a binary tree as shown in fig. 2, i.e. the parsing result is: 000111XX, 001 xxxxxx, 0100XXXX, 0101000X. Wherein, X represents that the bit can be 0 or 1. The triangles in fig. 2 indicate that the values of the subsequent bits are all X.

The analysis method of the address range segment can only analyze the address segment within 32 bits, however, there is an address segment (for example, an address segment of an IPv6 address) exceeding 32 bits at present, and the above method cannot be used to analyze the address segment, and accordingly, the TCAM chip cannot store the ACL including the IPv6 address segment, that is, the TCAM chip cannot be used to match the IPv6 message.

In order to solve the above problem, an embodiment of the present invention provides an address segment parsing method, where the method may be applied to a network device, for example, a device capable of forwarding a packet, such as a router or a switch. As shown in fig. 3, the method comprises the steps of:

s301, based on a preset division rule, dividing a start address and an end address in an address field to be analyzed into a preset number of fields respectively. Wherein the length of each field is less than or equal to a preset length.

Optionally, the preset length is 32 bits. The preset division rule is as follows: dividing the starting address and the ending address in the address field to be analyzed into fields with the same number (both the fields are preset numbers), wherein the fields obtained by dividing the starting address and the ending address correspond to each other one by one, the lengths of a pair of fields with the same position in the starting address and the ending address are the same, and the length of each field is smaller than or equal to the preset length.

For example, the start address is divided into S1, S2, S3, S4, and the end address is divided into E1, E2, E3, E4. Wherein, the lengths of S1 and E1 are the same, the lengths of S2 and E2 are the same, the lengths of S3 and E3 are the same, and the lengths of S4 and E4 are the same.

For example, for the IPv6 address segment, the start address and the end address are both 128 bits, the start address and the end address are respectively divided into 4 fields by S301, and each field is 32 bits in length.

S302, comparing the start address with the end address from the highest position one by one, and determining first-to-unequal fields included by the start address and the end address.

Wherein the unequal fields are two fields having different values of at least one bit.

In one embodiment, it may be determined whether the highest bit values of the start address and the end address are equal, if so, it is continuously determined whether the next bit values of the start address and the end address are equal until unequal bits are obtained, and fields to which unequal bits obtained at this time belong are used as first-to-unequal fields included in the start address and the end address.

In another embodiment, in the fields included in the start address and the end address, starting from the highest field, determining whether the highest field is equal, and if so, continuing to determine whether the next field of the highest field is equal until obtaining unequal fields, where the unequal fields obtained at this time are the first-to-unequal fields included in the start address and the end address.

For example, the start address in the address field to be resolved includes the following fields: 0000,0001,1100,0011. The termination address in the address field to be resolved comprises the following fields: 0000,0101,0011,0011. Wherein, for simplicity of illustration, 32 bits are represented by 4 bits. According to the sequence from high order to low order, the bit with different first numerical value of the start address and the end address is the 6 th bit and belongs to the second field, so that the start address and the end address comprise the unequal first-to-second fields of 0001 and 0101.

And S303, dividing the address field to be analyzed into a plurality of rule fields based on the first pair of unequal fields included by the starting address and the ending address. The start sub-address and the end sub-address of the rule segment comprise a field to be analyzed, the fields before the field to be analyzed are the same, and the mask of the field after the field to be analyzed is 0 or the field to be analyzed is the last field.

In the embodiment of the present invention, each pair of fields to be resolved is a field with the first unequal start sub-address and stop sub-address in the rule segment.

The mask of the field after the field to be resolved is 0, which indicates that each bit of the field after the field to be resolved can be 1 or 0.

S304, analyzing the field to be analyzed included in each rule segment, and packaging the analysis result of the field to be analyzed and the rest fields included in the rule segment to which the field belongs to obtain the analysis result of each rule segment.

Optionally, each pair of fields to be analyzed is a field with the first unequal start sub-address and the first unequal end sub-address in the rule segment, and each field is less than or equal to 32 bits, so that the fields to be analyzed can be analyzed by adopting the above-mentioned analysis manner for the fields in the range within 32 bits.

S305, taking the analysis result of all the rule segments included in the address segment to be analyzed as the analysis result of the address segment to be analyzed.

The address field parsing method provided by the embodiment of the present invention may divide the address field to be parsed into a plurality of rule fields, and parse the field to be parsed in each rule field, where the field before the field to be parsed in the rule field is the same, and the mask of the field after the field is 0, so that the mask of the field before the field to be parsed is 1, and the mask of the field after the field is 0, and therefore, in the embodiment of the present invention, after the field to be parsed is parsed, the parsing result is encapsulated with the remaining fields, which is equivalent to parsing the entire rule field. Since the length of the field to be analyzed is less than or equal to the preset length, the field to be analyzed can be analyzed by using an address field analysis method aiming at the address fields within 32 bits. Therefore, the embodiment of the invention can analyze the address field exceeding 32bit, and further, the address field exceeding 32bit can be matched through the TCAM chip.

In this embodiment of the present invention, referring to fig. 4, the above-mentioned S303, based on the first-to-unequal fields included in the start address and the end address, a manner of dividing the address field to be resolved into a plurality of rule fields may be implemented as the following steps:

s3031, determining a maximum range rule segment included between the start address and the end address based on the first pair of unequal fields included in the start address and the end address.

In one embodiment, each bit of the field belonging to the start address after the first pair of unequal fields in the start address and the end address is set to 0, and each bit of the field belonging to the end address after the first pair of unequal fields in the start address and the end address is set to 1, so as to obtain the maximum range rule segment.

S3032, dividing the address before the maximum range rule segment in the address segment to be analyzed into a first address segment, and dividing the address after the maximum range rule segment into a second address segment.

In this embodiment of the present invention, after S3032, it may further be determined whether the first address segment is a rule segment. If not, executing S3033; if yes, the first address segment is used as a rule segment included in the address segment to be analyzed.

And judging whether the second address field is a rule field or not. If not, executing S3034; if yes, the second address field is used as a rule field included in the address field to be analyzed.

S3033, the first address segment is divided step by step based on the first pair of unequal fields included by the start subaddress and the stop subaddress of the first address segment until the last stage of address segment obtained by division is a regular segment.

In one embodiment, referring to fig. 5, the rule segment of the first address segment may be partitioned by:

s30331, the first address segment is used as the current address segment to be divided.

S30332, determining the first-to-unequal fields included by the starting sub-address and the ending sub-address of the current address segment to be divided.

In one embodiment, whether the first field of the start sub-address is equal to the first field of the stop sub-address is judged according to the sequence from the high order to the low order, and if so, whether the second field of the start sub-address is equal to the second field of the stop sub-address is judged until the unequal fields of the start sub-address and the stop sub-address, namely the first pair of unequal fields, are obtained.

S30333, the current address segment to be divided is divided into two sub-address segments.

Wherein, the starting sub-address of one sub-address segment is the starting sub-address of the current address segment to be divided, and the terminating sub-address is: and setting all fields after the first unequal field included in the starting subaddress of the current address segment to be divided as 1 to obtain the address.

Correspondingly, the starting address of the other sub-address segment is: adding 1 to the first unequal field included in the initial sub-address of the current address segment to be divided, and setting the subsequent fields as 1 to obtain an address; the terminator address of the other subaddress field is: and the terminator address of the current address segment to be divided.

S30334, respectively determining whether each sub-address segment included in the current address segment to be partitioned is a rule segment. If yes, ending the division of the current address segment to be divided; if not, S30335 is executed.

S30335, the sub address segment which is not the rule segment is taken as the current address segment to be divided, and the S30332 is returned.

S3034, the second address segment is divided step by step based on the first pair of unequal fields included by the start sub-address and the end sub-address of the second address segment until the last stage of address segments obtained by division are regular segments.

In one embodiment, referring to FIG. 6, a regular segment of the second address segment may be divided by:

s30341, the second address field is used as the current address field to be divided.

S30342, determining the first-to-unequal fields included by the starting sub-address and the ending sub-address of the current address segment to be divided.

S30343, dividing the current address segment to be divided into two sub-address segments.

The terminator address of one sub-address segment is the terminator address of the current address segment to be divided, and the starting sub-address is: and setting all fields after the first unequal field included in the terminator address of the current address segment to be divided as 0 to obtain the address.

Correspondingly, the start address of the other sub-address segment is the start sub-address of the current address segment to be divided, and the stop sub-address is: and subtracting 1 from the first unequal field included in the terminator address of the current address segment to be divided, and setting the fields behind the first unequal field as the addresses obtained after 1.

S30344, respectively judging whether each sub-address segment included in the current address segment to be divided is a rule segment. If yes, ending the division of the current address segment to be divided; if not, S30345 is executed.

S30345, the sub address segment which is not the rule segment is taken as the current address segment to be divided, and the S30342 is returned.

The address field to be analyzed is divided into a plurality of rule segments by the method, and the field before the field to be analyzed in the rule segment is the same, namely the mask of the field before is 1, and the mask after the field to be analyzed in the rule segment is 0, so that the analysis of the field to be analyzed is equivalent to the analysis of the whole rule segment.

In this embodiment of the present invention, referring to fig. 7, in the above S304, the parsing result of the field to be parsed and the remaining fields included in the rule segment to which the field belongs are encapsulated, and a manner of obtaining the parsing result of each rule segment may be implemented as follows:

and each field to be analyzed is processed as follows:

splicing a second number of all-1 fields before the mask part of each analysis result of the field to be analyzed, and splicing a first number of all-0 fields after the mask part of each analysis result to obtain the mask part of the field to be analyzed; the second number is the same as the number of fields before the field to be analyzed in the rule segment to which the field to be analyzed belongs.

For example, with the rule segment as E₁,E₂,A0,A0-E₁,E₂,E ₃1, A1 as an example, suppose that pairs A0 and E₃Analyzing the field to be analyzed consisting of the-1 to obtain one or more analysis results. One of the analysis results is: k and m, an analysis result of the rule segment is: e is key ═ E₁,E₂,k,A0,mask＝A1_,A1_,m, A0. Where a0 denotes all 0 fields and a1 denotes all 1 fields.

In this embodiment of the present invention, referring to fig. 8, before the above S301, the method for determining the resolution of the address field may further include the following steps:

s801, judging whether each address length included in the address segment to be analyzed is larger than a preset length. If yes, the above S301-S305 are executed. If not, go to step S802. Wherein, the preset length may be 32 bits.

In the embodiment of the invention, the lengths of the addresses included in the resolved address field are the same.

S802, judging whether the highest bit of the starting address and the highest bit of the ending address of the address field to be analyzed are the same. If yes, go to S803; if not, go to S804.

S803, the address field to be analyzed is analyzed.

In one embodiment, the address segment to be resolved may be resolved by using the resolving method in the related art.

S804, it is determined whether the address range of the address field to be resolved is a global range. If yes, go to S805; if not, go to S806.

In one embodiment, when the preset length is 32 bits, the difference between the start address and the end address of the address segment to be resolved can be calculated, and if the difference is equal to 0xffffffff, the address segment to be resolved is the global range. If the difference is not equal to 0xffffffff, the address segment to be resolved is not the global range.

And S805, obtaining a preset analysis result.

Optionally, the preset analysis result is: key:0, mask: 0. Because the address segment to be analyzed is a global range, and the global range comprises all addresses, the received messages can be matched with the ACL rules.

S806, the address segment to be analyzed is divided into two sub-address segments with the same highest bit, and each sub-address segment is analyzed.

Because the highest bit of the start address and the highest bit of the end address of the address segment to be resolved are different, and the address segment to be resolved is not a global range, the highest bit of the start address of the address segment to be resolved is 0, and the highest bit of the end address of the address segment to be resolved is 1.

The start address of one of the sub-address segments may be set as the start address of the address segment to be resolved, and the end address may be set as 0x7 fffffff.

Correspondingly, the start address of another sub-address segment is set to 0x80000000, and the end address is set to the end address of the address segment to be resolved.

In the embodiment of the present invention, when the step S304 is executed to parse the field to be parsed, the steps S802 to S806 may be utilized to complete parsing.

The embodiment of the invention can resolve the address field with more than 32 bits after being split in the mode shown in figure 3; analyzing the address segment within 32 bits and with the same highest bit by using an analysis mode of a related technology; and splitting the address segment with different highest bits within 32 bits into two address segments with the same highest bits, and then analyzing by using an analysis mode of a related technology. Therefore, the embodiment of the invention can not only analyze the address field with more than 32 bits, but also analyze the address field with different highest bits.

Referring to fig. 9, the following explains an overall flow of the address field resolution method provided in the embodiment of the present invention, by taking the address field to be resolved as an IPV6 address field as an example:

dividing the start address and the end address of the IPV6 address field into 4 fields by one segment of 32 bits, and defining S_iIs the ith segment of the start address, E_iFor the i-th segment of the termination address, a0 indicates that the value of each bit included in the field is 0, and a1 indicates that the value of each bit included in the field is 1.

Assume a starting address segment of S₁,S₂,S₃,S₄The termination address field is E₁,E₂,E₃,E₄。

Step 1, assuming that the first pair of unequal field indexes of the starting address and the ending address of the address segment to be resolved is i, the maximum range rule segment included between the starting address and the ending address is S₁+1,A0,A0,A0—E ₁1, A1, A1, A1 (the field to be resolved is S)₁+1 and E₁-1 composed address field).

And if the starting address is the same as the ending address, acquiring a preset analysis result. And if i is 4, taking the field to be resolved as a rule segment.

Step 2, aiming at the first address segment S₁,S₂,S₃,S₄—S₁A1, a1, a1, assume that the first address segment start subaddress and stop subaddress comprise a first-to-unequal field index of d.

If S is₁～S₄Are all A0, d<i is less than or equal to 4, or the first pair of unequal fields included by the starting sub-address and the ending sub-address of the first address segment are not found, and the first address segment is taken as a rule segment.

Otherwise, assuming that d is 2, the first address segment is divided into two segments, which are:

irregular section: s₁,S₂,S₃,S₄—S₁,S₂,A1,A1

A rule section: s₁,S₂+1,A0,A0—S₁A1, A1, A1 (the field to be resolved is S)₂+1 and A1 address field)

Continuing to the irregular segment S by the same method₁,S₂,S₃,S₄—S₁,S₂A1 and a1 are divided to obtain two rule segments: s₁,S₂,S₃,S₄—S₁,S₂,S₃A1 (field to be resolved is S)₄And a 1); s₁,S₂,S₃+1,A0—S₁,S₂A1, A1 (field to be resolved is S)₃Address field of +1 and a 1).

Step 3. for the second address segment E₁,A0,A0,A0—E₁,E₂,E₃,E₄Let d be the first-to-unequal field index included in the start subaddress and the end subaddress of the second address fragment.

If E is₁～E₄Are all A1, d<i is less than or equal to 4, or the first pair of unequal fields included by the starting sub-address and the ending sub-address of the second address field is not found, the second address field is used as a rule field.

Otherwise, assuming that d is 2, the second address field is divided into two segments, which are:

a rule section: e₁,A0,A0,A0—E₁,E ₂1, A1, A1 (fields to be resolved are A0 and E)₂-1 address field of

Irregular section: e₁,E₂,A0,A0—E₁,E₂,E₃,E₄

Continuing to the irregular section E by the same method₁,E₂,A0,A0—E₁,E₂,E₃,E₄Dividing to obtain two rule segments: e₁,E₂,A0,A0—E₁,E₂,E ₃1, A1 (fields to be resolved are A0 and E)₃-1 composed address field); e₁,E₂,E₃,A0—E₁,E₂,E₃,E₄(fields to be resolved are A0 and E₄A composed address field).

And then analyzing the fields to be analyzed in all the rule segments, and encapsulating the analysis result of the fields to be analyzed and the rest fields included in the rule segment to which the fields belong to obtain the analysis result of each rule segment. And taking the analysis results of all the rule segments included in the address segment to be analyzed as the analysis results of the address segment to be analyzed.

Referring to fig. 10, the address field parsing process provided by the embodiment of the present invention is described below by way of an example (S in fig. 10 denotes a start address, and E denotes an end address):

assume that the IPV6 address field has a start address of 0000,0011,0001,0010 and an end address of 0000,0110,1010,0100. Wherein for simplicity of illustration, 4 bits are used to represent 32 bits.

Due to S₁＝E₁And S₂≠E₂The maximum range rule segment is 0000,0100,0000,0000-0000,0101,1111,1111 (address segment composed of 0100 and 0101 to be resolved).

For the first address segment 0000,0011,0001,0010-0000,0011,1111,1111, the head-to-unequal field index d is 3, and S₃And S₄Are not equal to a0, so the first address segment is divided into two segments: 0000,0011,0001,0010-0000,0011,0001,1111 (address field composed of 0010 and 1111 as fields to be resolved); 0000,0011,0010,0000-0000,0011,1111,1111 (address field composed of 0010 and 1111 as fields to be resolved).

For the second address fragment 0000,0110,0000,0000-0000,0110,1010,0100, the head-to-unequal-field index d is 3, and S₃And S₄None are equal to a1, so the second address fragment is divided into two fragments: 0000,0110,0000,0000-0000, 0110,1001,1111 (address field composed of 0000 and 1001 to be resolved); 0000,0110,1010,0000-0000,0110,1010,0100 (address field composed of 0000 and 0100 for field to be resolved).

Based on the same inventive concept, corresponding to the above method embodiment, an embodiment of the present invention provides an address fragment parsing apparatus, as shown in fig. 11, including: a dividing module 1101, a determining module 1102 and an analyzing module 1103;

a dividing module 1101, configured to divide a start address and an end address in an address segment to be resolved into a preset number of fields based on a preset dividing rule, where a length of each field is less than or equal to a preset length;

a determining module 1102, configured to compare the start address and the end address divided by the dividing module 1101 from the highest bit one by one, and determine first-to-unequal fields included in the start address and the end address;

the dividing module 1101 is further configured to divide the address segment to be resolved into a plurality of rule segments based on the first-to-unequal fields included in the start address and the end address determined by the determining module 1102; the starting sub-address and the terminating sub-address of the rule segment comprise a field to be analyzed, the fields before the field to be analyzed are the same, and the mask of the field after the field to be analyzed is 0 or the field to be analyzed is the last field;

the parsing module 1103 is configured to parse the field to be parsed included in each rule segment partitioned by the partitioning module 1101, and encapsulate the parsing result of the field to be parsed and the remaining fields included in the rule segment to which the field belongs, so as to obtain the parsing result of each rule segment;

the determining module 1102 is further configured to use the parsing results of all rule segments included in the address segment to be parsed as the parsing result of the address segment to be parsed.

Optionally, the dividing module 1101 is specifically configured to:

determining a maximum range rule segment included between the starting address and the ending address based on a first pair of unequal fields included by the starting address and the ending address;

dividing an address before a maximum range rule segment in an address segment to be analyzed into a first address segment, and dividing an address after the maximum range rule segment into a second address segment;

and based on first-to-unequal fields included by the starting sub-address and the ending sub-address of the second address field, the second address field is divided step by step until the last-stage address fields obtained by division are regular fields.

Optionally, the apparatus may further include: a judgment module; a determination module configured to:

dividing an address before a maximum range rule segment in an address segment to be analyzed into a first address segment, dividing an address after the maximum range rule segment into a second address segment, and judging whether the first address segment is a rule segment or not; if not, executing the step of dividing the first address segment step by step based on the first pair of unequal fields included by the starting subaddress and the terminating subaddress of the first address segment; if so, taking the first address segment as a rule segment included in the address segment to be analyzed;

judging whether the second address field is a rule field or not; if not, executing the step of dividing the second address segment step by step based on the first pair of unequal fields included by the starting subaddress and the ending subaddress of the second address segment; if yes, the second address field is used as a rule field included in the address field to be analyzed.

Optionally, the dividing module 1101 is specifically configured to:

taking the first address segment as a current address segment to be divided;

determining a first pair of unequal fields included by a starting subaddress and a terminating subaddress of a current address segment to be divided;

dividing the current address segment to be divided into two sub-address segments, wherein the starting sub-address of one sub-address segment is the starting sub-address of the current address segment to be divided, and the terminating sub-address is as follows: setting all fields behind unequal fields included in the initial sub-address of the current address segment to be divided as 1 to obtain an address;

if yes, ending the division of the current address segment to be divided;

the dividing module 1101 is specifically configured to:

taking the second address field as the current address field to be divided;

dividing the current address segment to be divided into two sub-address segments, wherein the terminator address of one sub-address segment is the terminator address of the current address segment to be divided, and the starting sub-address is as follows: setting all fields behind unequal fields included in a terminator address of the current address segment to be divided as 0 to obtain an address;

if yes, ending the division of the current address segment to be divided;

Optionally, the determining module 1102 is specifically configured to:

and each field to be analyzed is processed as follows:

the judging module is used for judging whether the length of each address included in the address segment to be analyzed is greater than the preset length or not before dividing the starting address and the ending address in the address segment to be analyzed into the preset number of fields respectively based on the preset dividing rule;

the judging module is also used for judging whether the highest bit of the starting address and the highest bit of the ending address of the address segment to be analyzed are the same or not if the judging module judges that the highest bit is not the same;

the analyzing module 1103 is further configured to, if the determining module determines that the address field to be analyzed is positive, analyze the address field to be analyzed;

the parsing module 1103 is further configured to, if the determining module determines that the address range of the address segment to be parsed is not the global range, split the address segment to be parsed into two sub-address segments with the same highest bits, and parse each sub-address segment respectively.

An embodiment of the present invention further provides an electronic device, as shown in fig. 12, including a processor 1201, a communication interface 1202, a memory 1203, and a communication bus 1204, where the processor 1201, the communication interface 1202, and the memory 1203 complete mutual communication through the communication bus 1204,

a memory 1203 for storing a computer program;

the processor 1201 is configured to implement the method steps in the above-described method embodiments when executing the program stored in the memory 1203.

The communication bus mentioned in the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.

The communication interface is used for communication between the electronic equipment and other equipment.

The Memory may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the processor.

The Processor may be a general-purpose Processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; but also Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other Programmable logic devices, discrete Gate or transistor logic devices, discrete hardware components.

In another embodiment of the present invention, a computer-readable storage medium is further provided, in which a computer program is stored, and the computer program, when executed by a processor, implements the steps of any of the above address segment parsing methods.

In yet another embodiment, a computer program product containing instructions is provided, which when run on a computer, causes the computer to perform any of the address fragment parsing methods of the embodiments described above.

In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When loaded and executed on a computer, cause the processes or functions described in accordance with the embodiments of the invention to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website site, computer, server, or data center to another website site, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy Disk, hard Disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.

It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.

The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims

1. A method for address segment resolution, comprising:

2. The method of claim 1, wherein the dividing the segment of addresses to be resolved into a plurality of rule segments based on a head-to-tail inequality field included in the start address and the end address comprises:

3. The method of claim 2, wherein after dividing the address before the maximum range rule segment into a first address segment and dividing the address after the maximum range rule segment into a second address segment in the address segment to be resolved, the method further comprises:

4. The method according to claim 2 or 3, wherein the step-by-step dividing the first address segment based on the first pair of unequal fields included in the start subaddress and the stop subaddress of the first address segment until all the divided last address segments are regular segments comprises:

taking the first address segment as a current address segment to be divided;

if yes, ending the division of the current address segment to be divided;

taking the second address field as a current address field to be divided;

if yes, ending the division of the current address segment to be divided;

5. The method of claim 1, wherein the parsing result comprises a data portion and a mask portion; the encapsulating the analysis result of the field to be analyzed and the rest fields included in the rule segment to which the field belongs to obtain the analysis result of each rule segment includes:

and each field to be analyzed is processed as follows:

6. The method according to claim 1, wherein before the dividing the start address and the end address in the address segment to be resolved into a preset number of fields based on a preset dividing rule, the method further comprises:

if so, analyzing the address segment to be analyzed;

7. An address fragment resolution apparatus, comprising:

8. The apparatus according to claim 7, wherein the partitioning module is specifically configured to:

9. An electronic device is characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor and the communication interface are used for realizing mutual communication by the memory through the communication bus;

a memory for storing a computer program;

a processor for implementing the method steps of any of claims 1-6 when executing a program stored in the memory.

10. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, which computer program, when being executed by a processor, carries out the method steps of any one of claims 1 to 6.