CN114024746A - Network message processing method, virtual switch and processing system

Publication number: CN114024746A
Authority: CN (China)
Prior art keywords: security, network element, data, data message, message
Legal status: Granted
Application number: CN202111301079.8A
Other languages: Chinese (zh)
Other versions: CN114024746B (en)
Inventors: 李玮, 王林
Current assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Original assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Events: application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd; priority to CN202111301079.8A; publication of CN114024746A; application granted; publication of CN114024746B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Abstract

The application discloses a network packet processing method, a virtual switch and a processing system. The method comprises the following steps: acquiring a data packet and packet information of the data packet; determining, based on the packet information, a security service chain corresponding to the data packet in a virtual security resource pool, wherein the security resource pool comprises at least one security service chain and the security service chain comprises at least one virtual security network element; adding flag information to the data packet, wherein the flag information corresponds to the security network element and is used to instruct the security network element to process the data packet; and processing the data packet with the security network elements of the determined security service chain based on the flag information. The processing method ensures that data packets are detected in order, without the detection steps becoming disordered; and once a packet has been found to be secure, the detection actions on the data packet can be reduced, which effectively improves the forwarding efficiency of data packets and improves the user experience.

Description

Network message processing method, virtual switch and processing system
Technical Field
The present application relates to the field of network information processing, and in particular, to a method, a virtual switch, and a system for processing a network packet.
Background
With the development of virtualization, cloud computing and SDN technology, security protection has changed from traditional physical security equipment to virtualized forms better suited to a cloud environment. A security resource pool is built by applying security function virtualization and SDN technology, so that security capabilities are pooled and on-demand, elastic security cloud services can be provided for the multi-tenant scenarios of a cloud environment. The security resource pool virtualizes a plurality of security devices by means of security function virtualization technology and provides differentiated, on-demand security protection capabilities for different services. However, since the devices in the security resource pool are virtual and the behaviour of the hardware is computed and simulated by software on the CPU, performing one or more different security detections on a large number of data packets inevitably causes a performance loss, so that the security resource pool and the network system as a whole operate with low efficiency.
Disclosure of Invention
The embodiments of the present application aim to provide a network packet processing method, a virtual switch and a processing system. The method can reduce the detection actions performed on a data packet once the packet has been found to be secure, and effectively improve the forwarding efficiency of data packets.
In order to solve the foregoing technical problem, an embodiment of the present application provides a method for processing a network packet, including:
acquiring a data packet and packet information of the data packet;
determining, based on the packet information, a security service chain corresponding to the data packet in a virtual security resource pool, wherein the security resource pool comprises at least one security service chain, and the security service chain comprises at least one virtual security network element;
adding flag information to the data packet, wherein the flag information corresponds to the security network element and is used to instruct the security network element to process the data packet;
and processing the data packet by using the security network elements in the determined security service chain based on the flag information.
Optionally, processing the data packet by using the security network elements in the determined security service chain based on the flag information includes:
according to the flag information, sequentially using a plurality of security network elements in the security service chain to perform security detection on the data packet;
and, when a security network element detects that the data packet meets the security condition, modifying the information bit corresponding to that security network element in the flag information, so that the security network element no longer performs security detection on other data packets in the same session as the data packet.
Optionally, the method further comprises:
acquiring a path instruction sent by the security network element, wherein the path instruction has a first data structure in which at least instruction data and an instruction identifier identifying the path instruction are configured;
and determining, based on the instruction data, whether the data packet meets the security condition.
Optionally, adding flag information to the data packet includes:
adding initial flag information to the data packet, wherein the initial flag information indicates that all security network elements in the determined security service chain perform security detection on the data packet.
Optionally, the method further comprises:
when packet data in another session is received, adding the initial flag information to the packet data in that other session again.
Optionally, determining the security service chain corresponding to the data packet in the security resource pool includes:
determining the security service chain based on the source address, the destination address and the identification number.
Optionally, when a plurality of security network elements are connected in series in the security service chain, processing the data packet by using the security network elements in the determined security service chain based on the flag information includes:
driving each security network element to perform security detection on the data packet using its own security detection policy.
Optionally, the method further comprises:
acquiring the data packet processed by the security network element;
and sending the acquired data packet to the corresponding target device based on the packet information.
An embodiment of the present application further provides a virtual switch, including:
an acquisition module configured to acquire a data packet and packet information of the data packet;
a determining module configured to determine, based on the packet information, a security service chain corresponding to the data packet in a virtual security resource pool, where the security resource pool includes at least one security service chain, and the security service chain includes at least one virtual security network element;
an adding module configured to add flag information to the data packet, where the flag information corresponds to the security network element and is used to instruct the security network element to process the data packet;
and a processing module configured to process the data packet by using the security network elements in the determined security service chain based on the flag information.
An embodiment of the present application further provides a system for processing a network packet, which includes the virtual switch and the security resource pool.
The processing method of the embodiments of the present application ensures that data packets are detected in order, without the detection steps becoming disordered; and once a packet has been found to be secure, the detection actions on the data packet can be reduced, which effectively improves the forwarding efficiency of data packets and improves the user experience.
Drawings
Fig. 1 is a flowchart of a network packet processing method according to an embodiment of the present application;
Fig. 2 is a flowchart of one embodiment of step S400 of Fig. 1 according to an embodiment of the present application;
Fig. 3 is a flowchart of one embodiment of a processing method according to an embodiment of the present application;
Fig. 4 is a flowchart of another embodiment of a processing method according to an embodiment of the present application;
Fig. 5 is a schematic diagram of the connection structure between a virtual switch and a security resource pool according to an embodiment of the present application;
Fig. 6 is a schematic diagram illustrating one embodiment of the flow of a data packet according to an embodiment of the present application;
Fig. 7 is a schematic diagram illustrating another embodiment of a data packet forwarding process according to an embodiment of the present application;
Fig. 8 is a block diagram of a virtual switch according to an embodiment of the present application.
Detailed Description
Various aspects and features of the present application are described herein with reference to the drawings.
It will be understood that various modifications may be made to the embodiments of the present application. Accordingly, the foregoing description should not be construed as limiting, but merely as exemplifications of embodiments. Those skilled in the art will envision other modifications within the scope and spirit of the application.
The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate embodiments of the application and, together with a general description of the application given above and the detailed description of the embodiments given below, serve to explain the principles of the application.
These and other characteristics of the present application will become apparent from the following description of preferred forms of embodiment, given as non-limiting examples, with reference to the attached drawings.
It should also be understood that, although the present application has been described with reference to some specific examples, a person of skill in the art shall certainly be able to achieve many other equivalent forms of application, having the characteristics as set forth in the claims and hence all coming within the field of protection defined thereby.
The above and other aspects, features and advantages of the present application will become more apparent in view of the following detailed description when taken in conjunction with the accompanying drawings.
Specific embodiments of the present application are described hereinafter with reference to the accompanying drawings; however, it is to be understood that the disclosed embodiments are merely exemplary of the application, which can be embodied in various forms. Well-known and/or repeated functions and constructions are not described in detail, to avoid obscuring the application with unnecessary detail. Therefore, the specific structural and functional details disclosed herein are not to be interpreted as limiting, but merely as a basis for the claims and as a representative basis for teaching one skilled in the art to variously employ the present application in virtually any appropriately detailed structure.
The specification may use the phrases "in one embodiment," "in another embodiment," "in yet another embodiment," or "in other embodiments," which may each refer to one or more of the same or different embodiments in accordance with the application.
The embodiments of the present application provide a method for processing a network packet, which can be applied to a virtual switch. In one embodiment the method is applied to an acceleration engine in the virtual switch, which receives and processes data packets. This includes making sensible use of the security network elements in a virtual security resource pool to perform security detection on the data packets, reducing the flow of data packets through the security resource pool and improving the operating efficiency of the security resource pool.
The processing method is described in detail below with reference to the accompanying drawings. Fig. 1 is a flowchart of a network packet processing method according to an embodiment of the present application. As shown in Fig. 1, and with reference to Figs. 5 to 7, the processing method includes the following steps:
S100, acquiring a data packet and packet information of the data packet.
The data packet may be a packet in a session (connection) established by the user while accessing the target device. During access, the data packet needs to be processed, and in particular subjected to security detection, so that the data packet is guaranteed to be secure for the system as a whole. For example, a user establishes a session (connection) when accessing a resource on a server, and the session may include one or more data packets. Before being forwarded to the target device, the data packet is first sent to the virtual switch, so that the virtual switch can perform security detection on it using the security resource pool.
The virtual switch acquires the data packet and its packet information through a data packet inlet. The packet information is information related to the data packet, which may include the source address, the destination address and the identification number of the data packet; this information can be used to indicate the security service chain required by the data packet.
S200, determining, based on the packet information, a security service chain corresponding to the data packet in a virtual security resource pool, wherein the security resource pool comprises at least one security service chain, and the security service chain comprises at least one virtual security network element.
The security resource pool may be configured to perform security processing on the data packet. The security resource pool includes one or more security service chains; each security service chain has a security function and/or a service function and can serve different service objects (data packets).
A security service chain (SFC) includes one or more virtual security network elements, each with its own security detection function. For example, the security network elements may be of types such as vFW, vIPS, vWAF and vAV, each with its own detection function, and may perform different types of security detection on the data packet. The security network elements in a security service chain may be connected in series, so that data packets are detected by them in sequence.
In this embodiment, the security service chain corresponding to the data packet may be determined from the packet information, for example from specific content in the packet information, so that the security service chain can be found in the security resource pool and then used to perform a service, in particular security detection, on the data packet.
S300, adding flag information to the data packet, wherein the flag information corresponds to the security network element and is used to instruct the security network element to process the data packet.
Specifically, the flag information is used to instruct the security network elements to process the data packet, and in particular to indicate whether each of the security network elements in the determined security service chain needs to process the data packet.
The flag information corresponds to the security network elements in the sense that specific content in the flag information corresponds to a security network element. For example, the flag information may be a character string in which each character corresponds to a security network element and indicates that element; or the flag information may be a byte consisting of a plurality of bits, each bit corresponding to a security network element. For example, the byte may be the 8-bit value "11111111", where each "1" is one bit corresponding to one security network element: "1" may indicate that the security network element performs security detection on the data packet, and "0" indicates that the security network element does not need to perform security detection on the data packet.
The flag information may be added to the data packet by the acceleration engine after the data packet enters the acceleration engine (as the SFC_mask flag bits). The acceleration engine may of course modify the flag information as the situation requires.
S400, processing the data packet with the security network elements in the determined security service chain based on the flag information.
In particular, the security network elements in each security service chain may differ: for example, a first security service chain includes a first, a second and a third security network element connected in series, while a second security service chain includes a first, a third and a fourth security network element connected indirectly in series.
The security service roles of the different security network elements also differ. The flag information may indicate that the security network elements in the determined security service chain serve the data packet; this includes indicating that all of the security network elements perform their security services on the data packet in sequence, and also indicating that only some of the security network elements perform security services on the data packet. Whether the data packet is detected completely, or only some of the security network elements are used to detect it, can therefore be decided according to the specific situation of the data packet. On the one hand, the data packet is detected in order according to the service chain rule, and adding the flag information does not make the detection steps disordered; on the other hand, if only some of the security network elements are used to detect the data packet, the accuracy and effectiveness of the detection are still guaranteed, so this detection mode effectively reduces the detection actions on the data packet and improves detection efficiency.
In addition, in this embodiment, with reference to Figs. 6 and 7, if a security network element performs security detection on the first data packet of a session and determines that the first data packet is secure, the flag information may be modified, for example from "11111111" to "01111111". The first bit changes from "1" to "0", the security detection policy for the security network element corresponding to that bit changes, and the security detection originally performed on the data packet is no longer performed on subsequent data packets in the same session (connection), which saves detection time and improves detection efficiency.
The processing method of the embodiments of the present application ensures that data packets are detected in order, without the detection steps becoming disordered; and once a packet has been found to be secure, the detection actions on the data packet can be reduced, which effectively improves the forwarding efficiency of data packets and improves the user experience.
In an embodiment of the present application, the method further includes forwarding the data packet stream to the corresponding security service chain. Specifically, the data packet flows into the virtual switch from the data packet inlet, where the acceleration engine in the virtual switch acquires it. The security service chain corresponding to the data packet is determined from the packet information, and the data packet stream is then forwarded to that security service chain so that it can process the data packet.
In an embodiment of the present application, processing the data packet with the security network elements in the determined security service chain based on the flag information includes the following steps, as shown in Fig. 2:
S410, according to the flag information, sequentially using a plurality of the security network elements in the security service chain to perform security detection on the data packet.
The security service chain may include a plurality of security network elements connected in series, and the security network elements may perform security detection on the data packets in turn, in the order of the series connection.
Specifically, security detection is performed on the data packet according to the flag bit corresponding to each security network element in the flag information. This covers both performing security detection on the data packet with all of the security network elements in the security service chain in sequence, and performing it with only some of the security network elements in the chain in sequence. Each security network element has a different role, and each can carry out its own security detection actions.
For example, when the content of the flag information is "11111111", it may indicate that all of the security network elements in the security service chain need to be invoked in sequence to perform security detection on the data packet. If the content of the flag information is "00000000", it may indicate that none of the security network elements in the security service chain need to perform security detection on the data packet, and so on.
S420, when a security network element detects that the data packet meets the security condition, modifying the information bit corresponding to that security network element in the flag information, so that the security network element no longer performs security detection on other data packets in the same session as the data packet.
Specifically, the security condition may be that the data packet meets the security detection condition specified by the security network element itself; the security condition may differ for each security network element. If the first security network element detects that the data packet meets the security condition, the data packet meets the security condition specified by the first security network element, which indicates that the other data packets in the same session also meet that security condition. In this case, the acceleration engine modifies the information bit corresponding to the first security network element in the flag information, for example from "1" to "0", so that when other data packets of the same session enter the security service chain again, the first security network element does not perform security detection on them, while the other security network elements still do. This undoubtedly saves detection time and improves detection efficiency.
In one embodiment of the present application, as shown in Fig. 3, the method further comprises the following steps:
S500, acquiring a path instruction sent by the security network element, where the path instruction has a first data structure in which at least instruction data and an instruction identifier identifying the path instruction are configured.
S600, determining, based on the instruction data, whether the data packet meets the security condition.
With reference to Figs. 6 and 7, the security network element may send a path instruction to the acceleration engine. The path instruction carries the result of the security network element's detection of the data packet to the acceleration engine, for example a result indicating that the packet is secure. When the next data packet arrives, the acceleration engine can set the flag bit corresponding to that security network element in the SFC_mask (flag information) of the previous data packet to "0", so that security detection is no longer performed on the next data packet by that element.
The path instruction has a first data structure including instruction data and an instruction identifier identifying the path instruction.
In a particular embodiment, the path instruction may use a private protocol, in which h_proto of the data link layer is identified by the custom protocol number VGRD_ETH_P_HVCH (0x8888). The format of the first data structure of the path instruction is shown in the following table:
ethhdr | hvchdr | fsphdr | instruction data
Here ethhdr is the instruction identifier, hvchdr is the start address pointing to the layer-3 protocol header, and fsphdr is the start address pointing to the layer-4 protocol header.
Based on the instruction data it may be determined that the data packet meets the security condition; the instruction data may of course also indicate that the data packet has not met the security condition. For example, the instruction data may be FW_Fastpath_Accept, which determines that the data packet meets the security condition. After receiving the path instruction, the acceleration engine module looks up the corresponding session according to the content of the path instruction and sets the flag bit at the position of that security network element in the session's SFC_mask to 0; from then on, as described above, subsequent data packets of the same session no longer enter that security network element.
When all network elements on the security service chain have sent their path instructions, the SFC_mask (flag information) on the session is cleared to 0, and all subsequent data packets of the session (connection) are forwarded directly through the fast path that has been formed, thereby improving forwarding efficiency.
In an embodiment of the application, adding flag information to the data packet includes:
adding initial flag information to the data packet, wherein the initial flag information indicates that all security network elements in the determined security service chain perform security detection on the data packet.
When the virtual switch accepts a new connection from another device, the acceleration engine in the virtual switch marks the data packet by adding the initial flag information to the session. Because the session is entering the virtual switch for the first time and no security detection has yet been performed on it, the initial flag information indicates that all security network elements in the determined security service chain of the security resource pool need to perform security detection on the first data packet of the session, thereby preventing security problems.
For example, the initial flag information is "11111111". Each type of security network element has a corresponding bit (for example, security network element FW: 0x80; security network element IPS: 0x60; security network element WAF: 0x40; and so on), and the value of the corresponding bit determines whether subsequent data packets continue to enter that security network element, as follows:
a) When the corresponding bit in the SFC_mask is 1, the security service chain process continues and subsequent data packets enter the corresponding network element directly for security policy matching. For example, after a data packet flows from the virtual firewall exit into the OVS virtual switch, if the acceleration engine has not received a path instruction from the virtual firewall, the flag of the virtual firewall is still 1, indicating that the next data packet still needs to be sent to it for security detection.
b) When the corresponding bit in the SFC_mask is 0, subsequent data packets do not enter the corresponding security network element; matching continues with the following bits of the flag information until the next bit equal to 1 is found, and subsequent data packets then enter the security network element corresponding to that bit. For example, after a data packet comes out of a virtual firewall (a security network element), the acceleration engine receives a path instruction (a fast-forwarding instruction) and marks the identifier of the virtual firewall as 0. Subsequent data packets no longer enter the virtual firewall; instead the SFC_mask is queried in order, the security network element corresponding to the next bit equal to 1 in the SFC_mask is found, and subsequent data packets are sent up to that security network element.
c) Once all SFC_mask values are 0, fast-path forwarding is performed directly by the acceleration engine; that is, all security network elements on the security service chain have judged the session (connection) to be secure, and subsequent data packets can be transmitted directly.
In an embodiment of the present application, the method further includes: when packet data of another session is received, adding the initial flag information to the packet data of that other session again.
Specifically, the security resource pool performs security detection independently for each session. For example, after security detection has been performed on a first session (first connection), if a second session (second connection) is received, security detection is performed again for the second session: the initial flag information is added to the packet data of the second session anew, so that every session is subjected to security detection and the security of the whole network packet processing system is maintained.
In an embodiment of the present application, the packet information includes at least one of: the source address, the destination address and the identification number of the data packet;
correspondingly, the determining, in the virtual security resource pool, the security service chain corresponding to the data packet based on the packet information includes:
determining the security service chain based on the source address, the destination address and the identification number.
Specifically, there is a correspondence between the data packet and the security service chain, and this correspondence can be determined from the source address, the destination address and the identification number of the data packet; the security service chain corresponding to the data packet is then located in the security resource pool on the basis of that correspondence. The security service chain is thus adapted to the data packet, so that a better-matched security service is provided for it.
In an embodiment of the present application, where the security service chain has a plurality of security network elements connected in series, the processing the data packet by using the determined security network elements in the security service chain based on the flag information includes:
driving each security network element to perform security detection on the data packet using its own security detection policy.
Specifically, each security network element has its own independent security detection policy, which implements the detection operations particular to that security network element. The security detection policies of different elements may differ both in emphasis and in the time they take.
For example, the security detection policies used by the security network elements vFW, vIPS, vWAF and vAV when processing a data packet differ, and the plurality of security network elements may process the data packet in turn. For instance, when the security network elements vFW, vIPS, vWAF and vAV are connected in series in that order (as shown in FIGS. 5 to 7), the data packet may first be detected by vFW; when that detection is complete, vIPS performs detection; then vWAF; and finally vAV. The security detection policy used by each security network element differs from the others. Therefore, even if some security network elements in the security service chain do not perform their first security detection on the data packet, other security network elements may still perform other security detections on it, such as the second security detection, the third security detection, and so on.
In an embodiment of the present application, as shown in FIG. 4, the method further includes:
S700, acquiring the data packet processed by the security network element;
S800, sending the acquired data packet to the corresponding target device based on the packet information.
Specifically, after the security resource pool has performed security detection on the data packet, the detected data packet may be sent back to the virtual switch; once the acceleration engine in the virtual switch has obtained it, the data packet may be sent to the corresponding target device based on the packet information. A data path is thereby established between the device used by the user (such as a client) and the target device (such as a server), so that the user can access the network, for example by logging in to the server from the client to exchange data.
An embodiment of the present application further provides a virtual switch, as shown in FIG. 8 in combination with FIGS. 5 to 7, including:
an acquisition module configured to acquire a data packet and packet information of the data packet.
The data packet may be a packet in a session (connection) established by a user while accessing a target device. During that access the data packet needs to be processed, and in particular subjected to security detection, so that it is safe for the system as a whole. For example, a user accessing a resource on a server establishes a session (connection) that may carry one or more data packets. Before being forwarded to the target device, the data packet is first sent to the virtual switch, so that the virtual switch can have the security resource pool perform security detection on it.
The acquisition module of the virtual switch acquires the data packet and its packet information through the data packet inlet. The packet information is information related to the data packet and may include the source address, the destination address and the identification number of the data packet; this information may be used to indicate the security service chain the data packet requires.
A determining module configured to determine, based on the packet information, the security service chain corresponding to the data packet in a virtual security resource pool, where the security resource pool includes at least one security service chain and the security service chain includes at least one virtual security network element.
Specifically, the security resource pool may be configured to perform security processing on the data packet. It includes one or more security service chains, each of which has its own security function and/or service function and can serve different service objects (data packets).
A security service chain (SFC) includes one or more virtual security network elements, each with its own security detection function; for example, the security network elements may be of types such as vFW, vIPS, vWAF and vAV and may perform different kinds of security detection on the data packet. The security network elements in a security service chain may be connected in series so that the data packet is detected by each in turn.
In this embodiment the determining module determines the security service chain corresponding to the data packet from the packet information, for example from specific content in the packet information, so that the security service chain can be found in the security resource pool and then used to serve the data packet, in particular to perform security detection on it.
An adding module configured to add flag information to the data packet, where the flag information corresponds to the security network elements and is used to instruct the security network elements to process the data packet.
Specifically, the flag information instructs the security network elements to process the data packet, in particular by indicating whether all of the security network elements in the security service chain that has been determined are required to process it.
The flag information corresponds to the security network elements in that specific content within it corresponds to a security network element. For example, the flag information may be a character string in which each character corresponds to a security network element and can be used to indicate that element; or the flag information may be a byte of several bits in which each bit corresponds to a security network element, for example the 8-bit byte "11111111", where each "1" is a bit corresponding to one security network element, "1" indicating that the element performs security detection on the data packet and "0" indicating that it need not.
The adding module may add the flag information (the SFC_mask flag bits) to the data packet through the acceleration engine after the data packet enters the acceleration engine, and the adding module may likewise modify the flag information through the acceleration engine as circumstances require.
A processing module configured to process the data packet by using the determined security network elements in the security service chain based on the flag information.
Specifically, when the processing module drives the security service chains to detect the data packet, the security network elements in each security service chain may differ. For example, a first security service chain includes a first, a second and a third security network element connected in series, while a second security service chain includes a first, a third and a fourth security network element connected in series (skipping the second).
Different security network elements also play different security service roles. The flag information may indicate that the determined security network elements of the security service chain serve the data packet, which covers both instructing all of the security network elements to perform their security services on the data packet in sequence and instructing only some of them to do so. Whether the data packet is detected completely, or only by part of the security network elements, can therefore be decided according to the particular situation of the data packet. On the one hand, the data packet is detected in order according to the service chain rules, and adding the flag information does not disorder the detection steps; on the other hand, where only part of the security network elements need to detect the data packet, detection remains accurate and effective, so this mode of security detection effectively reduces the number of detection actions on data packets and improves detection efficiency.
In addition, in this embodiment, if a security network element performs security detection on the first data packet of a session and finds it to be in a secure state, the flag information may be modified, for example from "11111111" to "01111111": the first bit changes from "1" to "0", the treatment by the security network element corresponding to the first bit changes accordingly, and the security detection originally applied to the data packet is no longer applied to subsequent data packets of the same session (connection), which saves detection time and improves detection efficiency.
In an embodiment of the present application, the processing module is further configured to:
perform security detection on the data packet by using a plurality of security network elements in the security service chain in sequence according to the flag information;
and, when a security network element detects that the data packet satisfies the security condition, modify the information bit corresponding to that security network element in the flag information, so that the security network element no longer performs security detection on other data packets belonging to the same session as the data packet.
In an embodiment of the present application, the acquisition module is further configured to:
acquire a path instruction sent by the security network element, where the path instruction has a first data structure in which at least instruction data and an instruction identifier identifying the path instruction are configured;
and determine, based on the instruction data, whether the data packet satisfies the security condition.
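The SFC_mask walk described under items a) to c) above, the per-session reset of the initial flag, and the path instruction carrying an instruction identifier and instruction data, written out as a small Python simulation of the acceleration engine. This is an added example, not code from the patent or from the applicant: the single-bit element values (the description's 0x60 for IPS spans two bits, so distinct single bits are used here), the chain table keyed on the identification number, the 3-byte path instruction layout, the constructed payloads and the toy element policies are all assumptions made for illustration. The initial mask is built from the elements actually in the chain rather than the literal "11111111", so that a chain with fewer elements can still reach zero.

```python
"""Added example (not the patent's code): a per-session SFC_mask walk.

One SFC_mask per session with one bit per security network element, walked
from the most significant bit down; a bit is cleared when that element's path
instruction reports the session safe, and once the mask is zero packets take
the fast path. Bit values, chain table, path instruction layout and element
policies are assumptions for illustration.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Assumed one bit per element type, MSB first (the description lists FW 0x80,
# IPS 0x60, WAF 0x40; 0x60 spans two bits, so single bits are used here).
ELEMENT_BITS: Dict[str, int] = {"vFW": 0x80, "vIPS": 0x40, "vWAF": 0x20, "vAV": 0x10}
BIT_TO_ELEMENT: Dict[int, str] = {bit: name for name, bit in ELEMENT_BITS.items()}

# Hypothetical path instruction: [instruction identifier, element bit, verdict].
PATH_INSTRUCTION_ID = 0x5A
VERDICT_SAFE, VERDICT_UNSAFE = 0x01, 0x00

# Session key: (source address, destination address, identification number).
SessionKey = Tuple[str, str, int]

# Constructed table: identification number -> ordered security service chain.
CHAINS: Dict[int, List[str]] = {
    1: ["vFW", "vIPS", "vWAF", "vAV"],  # full chain
    2: ["vFW", "vWAF", "vAV"],          # chain without vIPS
}


def initial_mask(chain: List[str]) -> int:
    """Initial flag: every element of the chain must inspect the first packet."""
    return sum(ELEMENT_BITS[name] for name in chain)


def encode_path_instruction(element: str, safe: bool) -> bytes:
    return bytes([PATH_INSTRUCTION_ID, ELEMENT_BITS[element],
                  VERDICT_SAFE if safe else VERDICT_UNSAFE])


def parse_path_instruction(raw: bytes) -> Tuple[str, bool]:
    """Check the instruction identifier, then return (element, is_safe)."""
    if len(raw) != 3 or raw[0] != PATH_INSTRUCTION_ID:
        raise ValueError("not a path instruction")
    if raw[1] not in BIT_TO_ELEMENT:
        raise ValueError("unknown element bit %#x" % raw[1])
    return BIT_TO_ELEMENT[raw[1]], raw[2] == VERDICT_SAFE


def next_element(mask: int, below: int) -> Optional[str]:
    """First bit equal to 1 strictly below `below` (0x100 = start at the top)."""
    bit = below >> 1
    while bit:
        if mask & bit:
            return BIT_TO_ELEMENT[bit]
        bit >>= 1
    return None  # remaining bits are all 0: fast path


class AccelerationEngine:
    def __init__(self, policies: Dict[str, Callable[[bytes], bool]]):
        self.policies = policies  # element name -> "is this packet safe?"
        self.masks: Dict[SessionKey, int] = {}  # SFC_mask per session

    def mask_for(self, key: SessionKey) -> int:
        # A session seen for the first time starts from the initial flag again.
        if key not in self.masks:
            self.masks[key] = initial_mask(CHAINS[key[2]])
        return self.masks[key]

    def on_path_instruction(self, key: SessionKey, raw: bytes) -> int:
        element, safe = parse_path_instruction(raw)
        mask = self.mask_for(key)
        if safe:
            mask &= ~ELEMENT_BITS[element]  # 1 -> 0: stop sending packets here
        self.masks[key] = mask
        return mask

    def forward(self, key: SessionKey, payload: bytes) -> List[str]:
        """Route one packet; returns the elements visited ([] = fast path)."""
        visited: List[str] = []
        position = 0x100
        while True:
            element = next_element(self.mask_for(key), position)
            if element is None:
                return visited
            visited.append(element)
            position = ELEMENT_BITS[element]
            # The element inspects the packet and answers with a path instruction;
            # the engine only decides whether that element's bit may be cleared.
            verdict = self.policies[element](payload)
            self.on_path_instruction(key, encode_path_instruction(element, verdict))


def make_engine() -> AccelerationEngine:
    # Constructed toy policies standing in for the vFW/vIPS/vWAF/vAV rule sets.
    return AccelerationEngine({
        "vFW": lambda p: True,
        "vIPS": lambda p: b"/etc/passwd" not in p,
        "vWAF": lambda p: b"<script" not in p,
        "vAV": lambda p: b"X5O!P%@AP" not in p,  # EICAR test-file prefix
    })


def simulate(engine: AccelerationEngine, key: SessionKey,
             payloads: List[bytes]) -> List[List[str]]:
    return [engine.forward(key, p) for p in payloads]
```

Running forward() on the first packet of a session visits every element of its chain; an element whose policy rejects the packet leaves its bit at 1, so the next packet revisits only that element, and once the mask reaches zero later packets are routed to no element at all. That last point is the trade-off of the design: after the first packets have been judged safe, the rest of the session bypasses inspection, so how long a session's fast path stays valid (idle timeouts, re-arming the initial flag on each new connection) matters as much as the bit logic itself.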
In an embodiment of the present application, the adding module is further configured to:
add initial flag information to the data packet, where the initial flag information indicates that all of the determined security network elements in the security service chain are to perform security detection on the data packet.
In an embodiment of the present application, the adding module is further configured to:
when packet data of another session is received, add the initial flag information to the packet data of that other session again.
In an embodiment of the present application, the packet information includes at least one of: the source address, the destination address and the identification number of the data packet;
correspondingly, the determining module is further configured to:
determine the security service chain based on the source address, the destination address and the identification number.
In an embodiment of the present application, where the security service chain has a plurality of security network elements connected in series, the processing module is further configured to:
drive each security network element to perform security detection on the data packet using its own security detection policy.
In an embodiment of the present application, the processing module is further configured to:
acquire the data packet processed by the security network element;
and send the acquired data packet to the corresponding target device based on the packet information.
An embodiment of the present application further provides a system for processing network packets, which includes the virtual switch and the security resource pool described above.
The above embodiments are only exemplary embodiments of the present application, and are not intended to limit the present application, and the protection scope of the present application is defined by the claims. Various modifications and equivalents may be made by those skilled in the art within the spirit and scope of the present application and such modifications and equivalents should also be considered to be within the scope of the present application.

Claims (10)

1. A method for processing a network packet, comprising:
acquiring a data packet and packet information of the data packet;
determining, based on the packet information, a security service chain corresponding to the data packet in a virtual security resource pool, wherein the security resource pool comprises at least one security service chain and the security service chain comprises at least one virtual security network element;
adding flag information to the data packet, wherein the flag information corresponds to the security network element and is used to instruct the security network element to process the data packet;
and processing the data packet by using the determined security network element in the security service chain based on the flag information.
2. The method of claim 1, wherein the processing the data packet by using the determined security network element in the security service chain based on the flag information comprises:
performing security detection on the data packet by using a plurality of security network elements in the security service chain in sequence according to the flag information;
and, when a security network element detects that the data packet satisfies a security condition, modifying the information bit corresponding to that security network element in the flag information, so that the security network element no longer performs security detection on other data packets belonging to the same session as the data packet.
3. The method of claim 2, further comprising:
acquiring a path instruction sent by the security network element, wherein the path instruction has a first data structure in which at least instruction data and an instruction identifier identifying the path instruction are configured;
and determining, based on the instruction data, whether the data packet satisfies the security condition.
4. The method of claim 1, wherein adding flag information to the data packet comprises:
adding initial flag information to the data packet, wherein the initial flag information indicates that all of the determined security network elements in the security service chain perform security detection on the data packet.
5. The method of claim 4, further comprising:
when packet data of another session is received, adding the initial flag information to the packet data of the other session again.
6. The method of claim 1, wherein the packet information comprises at least one of: the source address, the destination address and the identification number of the data packet;
and correspondingly, the determining, in the virtual security resource pool, the security service chain corresponding to the data packet based on the packet information comprises:
determining the security service chain based on the source address, the destination address and the identification number.
7. The method of claim 1, wherein, when there are a plurality of security network elements connected in series in the security service chain, the processing the data packet by using the determined security network elements in the security service chain based on the flag information comprises:
driving each security network element to perform security detection on the data packet using its own security detection policy.
8. The method of claim 1, further comprising:
acquiring the data packet processed by the security network element;
and sending the acquired data packet to the corresponding target device based on the packet information.
9. A virtual switch, comprising:
an acquisition module configured to acquire a data packet and packet information of the data packet;
a determining module configured to determine, based on the packet information, a security service chain corresponding to the data packet in a virtual security resource pool, wherein the security resource pool comprises at least one security service chain and the security service chain comprises at least one virtual security network element;
an adding module configured to add flag information to the data packet, wherein the flag information corresponds to the security network element and is used to instruct the security network element to process the data packet;
and a processing module configured to process the data packet by using the determined security network element in the security service chain based on the flag information.
10. A system for processing network packets, comprising the virtual switch of claim 9 and the security resource pool.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111301079.8A CN114024746B (en) 2021-11-04 2021-11-04 Processing method, virtual switch and processing system of network message

Publications (2)

Publication Number Publication Date
CN114024746A true CN114024746A (en) 2022-02-08
CN114024746B CN114024746B (en) 2023-11-28

Family

ID=80060804

Country Status (1)

Country Link
CN (1) CN114024746B (en)

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107409096A * 2015-04-23 2017-11-28 Cisco Technology, Inc. Adaptive load balancing
CN108092934A * 2016-11-21 2018-05-29 China Mobile Communications Co., Ltd. Research Institute (中国移动通信有限公司研究院) Security service system and method
US20190028347A1 * 2017-07-21 2019-01-24 Cisco Technology, Inc. Service function chain optimization using live testing
CN110959270A * 2017-07-21 2020-04-03 Cisco Technology, Inc. Service function chain optimization using live testing
CN107896191A * 2017-11-27 2018-04-10 Sangfor Technologies Inc. (深信服科技股份有限公司) Container-based virtual security component cross-cloud system and method
CN109495391A * 2018-12-18 2019-03-19 Tianjin Chengjian University (天津城建大学) SDN-based security service chain system and packet matching and forwarding method
CN112437023A * 2020-10-12 2021-03-02 Beijing Topsec Network Security Technology Co., Ltd. Virtualized security network element data processing method, system, medium and cloud platform
CN112910705A * 2021-02-02 2021-06-04 Hangzhou DBAPPSecurity Co., Ltd. (杭州安恒信息技术股份有限公司) Method, device and storage medium for orchestrating network traffic

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Xu Jian (徐俭): "Research on cloud platform data center security technology based on SDN service chains" (基于SDN服务链的云平台数据中心安全技术探究), 电视工程 (Television Engineering), no. 04 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114629853A * 2022-02-28 2022-06-14 Tianyi Security Technology Co., Ltd. (天翼安全科技有限公司) Traffic classification control method based on security service chain analysis in a security resource pool
CN114584376A * 2022-03-04 2022-06-03 China Electronics Technology Cyberspace Security Research Institute Co., Ltd. (中电科网络空间安全研究院有限公司) Traffic handling method, device, equipment and computer readable storage medium
CN114584376B * 2022-03-04 2024-04-26 China Electronics Technology Cyberspace Security Research Institute Co., Ltd. Traffic handling method, device, equipment and computer readable storage medium
CN115296842A * 2022-06-27 2022-11-04 Sangfor Technologies Inc. (深信服科技股份有限公司) Method and device for orchestrating service traffic, application delivery device and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant