CN114024746A - Network message processing method, virtual switch and processing system - Google Patents
- Publication number: CN114024746A (application number CN202111301079.8A)
- Authority: CN (China)
- Prior art keywords: security, network element, data, data message, message
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
Abstract
The application discloses a network message processing method, a virtual switch and a processing system. The method comprises the following steps: acquiring a data message and message information of the data message; determining a security service chain corresponding to the data message in a virtual security resource pool based on the message information, wherein the security resource pool comprises at least one security service chain, and the security service chain comprises at least one virtual security network element; adding flag information into the data message, wherein the flag information corresponds to the security network element and is used for indicating the security network element to process the data message; and processing the data message by using the security network element in the determined security service chain based on the flag information. The processing method ensures that data messages are detected in order, without disorder in the detection steps; under the safe condition, the detection actions on the data message can be reduced, which effectively improves the forwarding efficiency of the data message and the user experience.
Description
Technical Field
The present application relates to the field of network information processing, and in particular, to a method, a virtual switch, and a system for processing a network packet.
Background
With the development of virtualization technology, cloud computing technology and SDN technology, the form of security protection is changed from the form of traditional physical security equipment into the form of virtualization more suitable for a cloud environment, a security resource pool is established by applying the security function virtualization technology and the SDN technology, the pooling of security capacity is realized, and the on-demand and elastic security cloud service capacity is better provided for a multi-tenant scene of the cloud environment. The security resource pool virtualizes a plurality of security devices by using a security function virtualization technology, and provides differentiated and on-demand security protection capabilities for different services. However, since the devices in the security resource pool are virtual, and the behavior of the hardware is calculated and simulated by software on the CPU, performance loss will undoubtedly result in the process of performing one or more different security detections on a large number of data packets, so that the security resource pool and the entire network system have low operating efficiency.
Disclosure of Invention
The embodiment of the application aims to provide a network message processing method, a virtual switch and a processing system. The method can reduce the detection action of the data message under the safe condition and effectively improve the forwarding efficiency of the data message.
In order to solve the foregoing technical problem, an embodiment of the present application provides a method for processing a network packet, including:
acquiring a data message and message information of the data message;
determining a security service chain corresponding to the data message in a virtual security resource pool based on the message information, wherein the security resource pool comprises at least one security service chain, and the security service chain comprises at least one virtual security network element;
adding mark information into the data message, wherein the mark information corresponds to the safety network element and is used for indicating the safety network element to process the data message;
and processing the data message by using the determined safety network element in the safety service chain based on the mark information.
Optionally, the processing the data packet by using the determined security network element in the security service chain based on the flag information includes:
according to the mark information, sequentially using a plurality of safety network elements in the safety service chain to carry out safety detection on the data message;
and under the condition that the security network element detects that the data message meets the security condition, modifying the information bit corresponding to the security network element in the flag information, so that the security network element no longer performs security detection on other data messages in the same session as the data message.
Optionally, the method further comprises:
acquiring a path instruction sent by the security network element, wherein the path instruction has a first data structure, and at least instruction data and an instruction identifier for identifying the path instruction are configured in the first data structure;
and determining whether the data message meets the safety condition or not based on the instruction data.
Optionally, the adding flag information to the data packet includes:
and adding initial mark information to the data message, wherein the initial mark information is used for indicating that all the determined safety network elements in the safety service chain perform safety detection on the data message.
Optionally, the method further comprises:
and under the condition of receiving message data in another session, adding the initial mark information to the message data in the other session again.
Optionally, determining, in the security resource pool, a security service chain corresponding to the data packet includes:
and determining the security service chain based on the source address, the destination address and the identification number of the data message.
Optionally, when there are a plurality of security network elements connected in series in the security service chain, the processing the data packet by using the determined security network element in the security service chain based on the flag information includes:
and driving each safety network element to use the respective safety detection strategy to carry out safety detection on the data message.
Optionally, the method further comprises:
acquiring the data message processed by the safety network element;
and sending the acquired data message to corresponding target equipment based on the message information.
An embodiment of the present application further provides a virtual switch, including:
the device comprises an acquisition module, a processing module and a processing module, wherein the acquisition module is configured to acquire a data message and message information of the data message;
a determining module configured to determine, based on the message information, a security service chain corresponding to the data message in a virtual security resource pool, where the security resource pool includes at least one security service chain, and the security service chain includes at least one virtual security network element;
an adding module, configured to add flag information to the data packet, where the flag information corresponds to the security network element and is used to instruct the security network element to process the data packet;
a processing module configured to process the data packet by using the determined security network element in the security service chain based on the flag information.
The embodiment of the present application further provides a system for processing a network packet, which includes the virtual switch and the secure resource pool.
The processing method of the embodiment of the application can ensure the orderly detection of the data message without causing disorder in the detection step; and detection actions on the data message can be reduced under the safe condition, the forwarding efficiency of the data message is effectively improved, and the use experience of a user is improved.
Drawings
Fig. 1 is a flowchart of a network message processing method according to an embodiment of the present application;
Fig. 2 is a flowchart of one embodiment of step S400 of Fig. 1 according to an embodiment of the present application;
Fig. 3 is a flowchart of one embodiment of a processing method according to an embodiment of the present application;
Fig. 4 is a flowchart of another embodiment of a processing method according to an embodiment of the present application;
Fig. 5 is a schematic diagram of the connection structure between a virtual switch and a security resource pool according to an embodiment of the present application;
Fig. 6 is a schematic diagram illustrating an embodiment of the flow process of a data packet according to an embodiment of the present application;
Fig. 7 is a schematic diagram illustrating another embodiment of a data packet forwarding process according to an embodiment of the present application;
Fig. 8 is a block diagram of a virtual switch according to an embodiment of the present application.
Detailed Description
Various aspects and features of the present application are described herein with reference to the drawings.
It will be understood that various modifications may be made to the embodiments of the present application. Accordingly, the foregoing description should not be construed as limiting, but merely as exemplifications of embodiments. Those skilled in the art will envision other modifications within the scope and spirit of the application.
The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate embodiments of the application and, together with a general description of the application given above and the detailed description of the embodiments given below, serve to explain the principles of the application.
These and other characteristics of the present application will become apparent from the following description of preferred forms of embodiment, given as non-limiting examples, with reference to the attached drawings.
It should also be understood that, although the present application has been described with reference to some specific examples, a person of skill in the art shall certainly be able to achieve many other equivalent forms of application, having the characteristics as set forth in the claims and hence all coming within the field of protection defined thereby.
The above and other aspects, features and advantages of the present application will become more apparent in view of the following detailed description when taken in conjunction with the accompanying drawings.
Specific embodiments of the present application are described hereinafter with reference to the accompanying drawings; however, it is to be understood that the disclosed embodiments are merely exemplary of the application, which can be embodied in various forms. Well-known and/or repeated functions and constructions are not described in detail, to avoid obscuring the application with unnecessary detail. Therefore, specific structural and functional details disclosed herein are not to be interpreted as limiting, but merely as a basis for the claims and as a representative basis for teaching one skilled in the art to variously employ the present application in virtually any appropriately detailed structure.
The specification may use the phrases "in one embodiment," "in another embodiment," "in yet another embodiment," or "in other embodiments," which may each refer to one or more of the same or different embodiments in accordance with the application.
The embodiment of the application provides a method for processing a network message, which can be applied to a virtual switch, and in one embodiment, the method can be applied to an acceleration engine in the virtual switch, receives and processes a data message, including reasonably utilizing a security network element in a virtual security resource pool to perform security detection on the data message, reducing the flow of the data message in the security resource pool, and improving the operating efficiency of the security resource pool.
The processing method is described in detail below with reference to the accompanying drawings, and fig. 1 is a flowchart of a processing method of a network packet according to an embodiment of the present application, as shown in fig. 1 and with reference to fig. 5 to 7, the processing method includes the following steps:
S100, acquiring a data message and message information of the data message.
The data message may be a message in a session (connection) established by the user during access to the target device. In the access process, the data message needs to be processed, especially security detection is carried out, so that the data message is ensured to be secure for the whole system. For example, a user can establish a session (connection) when accessing a resource in a server, which may include one or more data packets. Before being transferred to the target device, the data message needs to be sent to the virtual switch in advance, so that the virtual switch can perform security detection on the data message by using the security resource pool.
The virtual switch acquires the data message and message information of the data message through a data message inlet. The message information is related information of the data message, and may include a source address, a destination address, and an identification number of the data message, and the related information may be used to indicate a security service chain required by the data message.
S200, determining a security service chain corresponding to the data message in a virtual security resource pool based on the message information, wherein the security resource pool comprises at least one security service chain, and the security service chain comprises at least one virtual security network element.
The secure resource pool may be configured to perform secure processing on the data packet, where the secure resource pool includes one or more secure service chains, each secure service chain has a security function and/or a service function, and can serve different service objects (data packets).
One security service chain (SFC) includes one or more virtual security network elements, each with its own security detection function; for example, the security network elements may be of types such as vFW, vIPS, vWAF and vAV, each performing a different type of security detection on the data packet. The security network elements in the security service chain may be connected in series, so that the data packets are detected by them in sequence.
In this embodiment, the security service chain corresponding to the data packet may be determined according to the packet information, for example, the corresponding security service chain is determined according to the specific content in the packet information, so that the security service chain may be found in the security resource pool, and the security service chain is further used to perform a service, especially a security detection, on the data packet.
S300, adding mark information into the data message, wherein the mark information corresponds to the safety network element and is used for indicating the safety network element to process the data message.
Specifically, the flag information is used to instruct the security network element to process the data packet, and in particular to indicate whether all security network elements in the determined security service chain need to process the data message.
The flag information corresponds to the security network element in the sense that specific content in the flag information corresponds to a security network element. For example, the flag information may be a character string in which each character corresponds to a security network element, the character indicating how that element should treat the packet; or the flag information may be a byte made up of several bits, each bit corresponding to a security network element. For example, the byte may be the 8-bit value "11111111", where each "1" is one bit corresponding to one security network element: "1" may indicate that the security network element performs security detection on the data packet, and "0" that the security network element does not need to perform security detection on the data packet.
The flag information may be added to the data packet as follows: after the data packet enters the acceleration engine, the acceleration engine adds the flag information (the SFC_mask flag bits) to the data packet. The acceleration engine may also modify the flag information as the situation requires.
S400, based on the mark information, the data message is processed by the security network element in the determined security service chain.
In particular, the security network elements in each security service chain may differ; for example, the first security service chain includes a first security network element, a second security network element and a third security network element connected in series, while the second security service chain includes a first security network element, a third security network element and a fourth security network element connected in series.
The security service roles of different security network elements are also different. The flag information may indicate that the determined security network elements in the security service chain serve the data packet, which includes indicating that all the security network elements perform sequential security services on the data packet, and also includes indicating that some of the security network elements perform security services on the data packet. Therefore, whether the data message is completely detected or not or whether partial safety network elements are used for detecting the safety of the data message can be determined according to the specific situation of the data message. On one hand, the data message can be orderly detected according to the application service chain rule, and the increase of the mark information can not cause disorder in the detection step; on the other hand, if only part of the security network elements can be used for detecting the data message, the accuracy and the effectiveness of the detection can still be ensured, so that the security detection mode can effectively reduce the detection action of the data message and improve the detection efficiency.
In addition, in this embodiment, with reference to fig. 6 and fig. 7, if the security network element performs security detection on the first data packet in the session and then determines that the first data packet is in the security state, the flag information may be modified, for example, from "11111111" to "01111111", where the first bit is changed from "1" to "0", the security detection policy of the security network element corresponding to the first bit is changed, and the original security detection on the data packet is changed to not perform security detection on subsequent data packets in the same session (connection), so that the detection time can be saved, and the detection efficiency is also improved.
The processing method of the embodiment of the application can ensure the orderly detection of the data message without causing disorder in the detection step; and detection actions on the data message can be reduced under the safe condition, the forwarding efficiency of the data message is effectively improved, and the use experience of a user is improved.
In an embodiment of the present application, the method further includes forwarding the data packet stream to the corresponding security service chain. Specifically, the data packet flows into the virtual switch from the data packet inlet, and the acceleration engine in the virtual switch can acquire the data packet. And determining a security service chain corresponding to the data message according to the message information of the data message, and further transferring the data message flow to the corresponding security service chain so that the security service chain can process the data message.
In an embodiment of the present application, the processing the data packet by using the determined security network element in the security service chain based on the flag information, as shown in fig. 2, includes the following steps:
S410, according to the flag information, sequentially using a plurality of the security network elements in the security service chain to carry out security detection on the data message.
The security service chain may include a plurality of security network elements connected in series, and the security network elements may perform security detection on the data packets in sequence according to the sequence of the series connection.
Specifically, security detection is performed on the data message according to the flag bit corresponding to each security network element in the flag information; this includes performing security detection sequentially with all the security network elements in the security service chain, or sequentially with only some of them. Each security network element has a different role and carries out its own security detection action.
For example, when the content of the flag information is specifically "11111111," it may indicate that all the security network elements in the security service chain need to be invoked in sequence to perform security detection on the data packet. If the content of the flag information is specifically "00000000", it may indicate that all the security network elements in the security service chain do not need to perform security detection on the data packet, and so on.
S420, when the security network element detects that the data packet meets the security condition, modifying the information bit corresponding to the security network element in the flag information, so that the security network element does not perform security detection on other data packets in the same session as the data packet.
Specifically, the security condition may be that the security network element finds that the data packet meets the security detection condition the element itself specifies. The security condition may differ for each security network element. If the first security network element detects that the data message meets the security condition, the data message meets the condition specified by the first security network element, which indicates that the other data packets in the same session also meet that condition. In this case, the acceleration engine modifies the information bit corresponding to the first security network element in the flag information, for example from "1" to "0", so that when other data packets of the same session enter the security service chain again, the first security network element no longer performs security detection on them, while the other security network elements still do. This saves detection time and improves detection efficiency.
In one embodiment of the present application, as shown in fig. 3, the method further comprises the steps of:
S500, obtaining a path instruction sent by the security network element, where the path instruction has a first data structure, and the first data structure is configured with at least instruction data and an instruction identifier for identifying the path instruction.
S600, determining whether the data message meets the safety condition or not based on the instruction data.
With reference to Fig. 6 and Fig. 7, the security network element may send a path instruction to the acceleration engine. The path instruction reports the security network element's detection of the data packet: for example, it carries the detection result formed by detecting the data packet to the acceleration engine, and in that case the result is a "secure" result. When the next data packet arrives, the acceleration engine can set the flag bit corresponding to that security network element in the SFC_mask (flag information) of the previous data packet to "0", so that security detection is no longer performed on the next data packet.
The path instruction has a first data structure including instruction data and an instruction identification for identifying the path instruction.
In a particular embodiment, the path instruction may use a private protocol, where h_proto in the data link layer header carries the custom protocol number VGRD_ETH_P_HVCH (0x8888). The first data structure of the path instruction has the following format:
ethhdr | hvchdr | fsphdr | instruction data
where ethhdr carries the instruction identifier, hvchdr is the start address pointing to the layer-3 protocol header, and fsphdr is the start address pointing to the layer-4 protocol header.
Based on the instruction data, it may be determined that the data packet meets the security condition; the instruction data may equally indicate that the data message has not reached the security condition. For example, the instruction data content may be FW_Fastpath_Accept, which determines that the data message meets the security condition. After receiving the path instruction, the acceleration engine module looks up the corresponding session according to the content of the path instruction and sets the flag bit at the position of that security network element in the session's SFC_mask to 0; from then on, as described above, subsequent data messages in the same session no longer enter that security network element.
When all network elements on the security service chain have sent their path instructions, the SFC_mask (flag information) of the session is cleared to 0, and all subsequent data packets of the session (connection) are forwarded directly over the resulting fast path, improving forwarding efficiency.
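As an added illustration (not code from the patent or its applicant), the following Python decoder shows one way an acceleration engine could validate a path instruction frame before acting on it. The patent gives only the column order ethhdr | hvchdr | fsphdr | instruction data and the protocol number 0x8888; everything else here is an assumption: a standard 14-byte Ethernet header, hvchdr and fsphdr as 16-bit byte offsets into the frame, the instruction data as a NUL-terminated ASCII name followed by copies of the original packet's IPv4 and TCP headers (which the engine needs to find the session), and the element being identified by the instruction name's prefix. The sample frame is constructed in the block.

```python
# Added example, not the patent's own code. Decodes a path instruction frame in
# the assumed layout: ethhdr | hvchdr | fsphdr | instruction data, where the
# instruction data is "<ASCII name>\0" + copied IPv4 header + copied TCP header.
import struct
from typing import NamedTuple

VGRD_ETH_P_HVCH = 0x8888   # custom protocol number named in the patent text
ETH_HDR_LEN = 14           # dst MAC (6) + src MAC (6) + h_proto (2)
PTR_LEN = 2                # assumption: hvchdr and fsphdr are 16-bit byte offsets

# Constructed instruction vocabulary: name -> (element it belongs to, "session safe").
KNOWN_INSTRUCTIONS = {"FW_Fastpath_Accept": ("vFW", True)}


class PathInstruction(NamedTuple):
    element: str
    session_key: tuple   # (src ip, dst ip, src port, dst port)
    safe: bool


class MalformedInstruction(ValueError):
    pass


def parse_path_instruction(frame: bytes) -> PathInstruction:
    """Validate every field before the caller touches any session state."""
    data_start = ETH_HDR_LEN + 2 * PTR_LEN
    if len(frame) < data_start:
        raise MalformedInstruction("frame too short")
    h_proto = struct.unpack_from("!H", frame, 12)[0]
    if h_proto != VGRD_ETH_P_HVCH:
        raise MalformedInstruction(f"unexpected h_proto 0x{h_proto:04x}")
    l3_off = struct.unpack_from("!H", frame, ETH_HDR_LEN)[0]          # hvchdr
    l4_off = struct.unpack_from("!H", frame, ETH_HDR_LEN + PTR_LEN)[0]  # fsphdr
    # Both pointers must land inside the frame and in order; an element (or
    # anything impersonating one) must not be able to steer the parser.
    if not (data_start <= l3_off < l4_off and l4_off + 4 <= len(frame)):
        raise MalformedInstruction("header pointers out of range")
    ihl = (frame[l3_off] & 0x0F) * 4
    if frame[l3_off] >> 4 != 4 or ihl < 20 or l3_off + ihl > l4_off:
        raise MalformedInstruction("embedded L3 header is not a valid IPv4 header")
    src_ip = ".".join(map(str, frame[l3_off + 12:l3_off + 16]))
    dst_ip = ".".join(map(str, frame[l3_off + 16:l3_off + 20]))
    sport, dport = struct.unpack_from("!HH", frame, l4_off)
    try:
        name = frame[data_start:l3_off].split(b"\x00", 1)[0].decode("ascii")
    except UnicodeDecodeError as exc:
        raise MalformedInstruction("instruction name is not ASCII") from exc
    if name not in KNOWN_INSTRUCTIONS:
        raise MalformedInstruction(f"unknown instruction {name!r}")
    element, safe = KNOWN_INSTRUCTIONS[name]
    return PathInstruction(element, (src_ip, dst_ip, sport, dport), safe)


def rejects(frame: bytes) -> bool:
    """True when the decoder refuses the frame (used to show the checks firing)."""
    try:
        parse_path_instruction(frame)
        return False
    except MalformedInstruction:
        return True


def build_path_instruction(src_ip, dst_ip, sport, dport, name) -> bytes:
    """Construct a sample frame in the assumed layout (test data, not a real capture)."""
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", VGRD_ETH_P_HVCH)
    body = name.encode("ascii") + b"\x00"
    l3_off = ETH_HDR_LEN + 2 * PTR_LEN + len(body)
    l4_off = l3_off + 20
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                       bytes(map(int, src_ip.split("."))),
                       bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HH", sport, dport) + b"\x00" * 16   # minimal 20-byte TCP header
    return eth + struct.pack("!HH", l3_off, l4_off) + body + ipv4 + tcp


if __name__ == "__main__":
    good = build_path_instruction("10.0.0.5", "10.0.0.9", 40000, 443, "FW_Fastpath_Accept")
    print(parse_path_instruction(good))
    print("truncated frame rejected:", rejects(good[:30]))
```

The decoder only establishes that a frame is well formed. The patent does not say how the acceleration engine confirms that a path instruction really came from the security network element whose bit it clears, so a deployment would additionally need to restrict which switch ports may deliver h_proto 0x8888 frames, since a single accepted instruction removes an element from the inspection path for the rest of the session.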
In an embodiment of the application, the adding flag information to the data packet includes:
and adding initial mark information to the data message, wherein the initial mark information is used for indicating that all the determined safety network elements in the safety service chain perform safety detection on the data message.
When a new connection with another device reaches the virtual switch, the acceleration engine in the virtual switch marks the data message by adding the initial flag information to the session. Since the session is entering the virtual switch for the first time and no security detection has yet been performed on it, the initial flag information indicates that all security network elements in the determined security service chain of the security resource pool must perform security detection on the first data message of the session, which prevents security problems.
For example, the initial flag information is "11111111". Each type of security network element has a corresponding bit (for example FW: 0x80, IPS: 0x60, WAF: 0x40), and the value of the corresponding bit determines whether subsequent data packets continue to enter that security network element, as follows:
a) When the corresponding bit in the SFC_mask is 1, the security service chain continues: subsequent data packets enter the corresponding network element directly for security policy matching. For example, after the data packet flows from the virtual firewall's exit back into the OVS virtual switch, if the acceleration engine has not received a path instruction from the virtual firewall, the flag of the virtual firewall is still 1, indicating that the next data packet must still be sent to it for security detection.
b) When the corresponding bit in the SFC_mask is 0, subsequent data messages do not enter the corresponding security network element; matching continues with the following bits of the flag information until the next bit set to 1 is found, and subsequent data messages then enter the security network element corresponding to that bit. For example, after the data message leaves a virtual firewall (a security network element) and the acceleration engine receives a path instruction (a fast-forwarding instruction) from it, the identifier of that virtual firewall is set to 0, subsequent data messages no longer enter the virtual firewall, the SFC_mask is queried further in sequence, the security network element corresponding to the next 1 bit in the SFC_mask is found, and subsequent data messages are sent to that security network element;
c) Once all SFC_mask bits are 0, fast-path forwarding is performed directly by the acceleration engine: every security network element on the security service chain has judged the session (connection) to be secure, and subsequent data packets can be transmitted directly.
In one embodiment of the present application, the method further comprises: when message data in another session is received, adding the initial flag information again to the message data of that other session.
Specifically, the security resource pool performs security detection independently for each session. For example, after security detection has been performed on a first session (first connection), if a second session (second connection) is received, security detection is performed again for the second session, and the initial flag information is added again to the message data of the second session. In this way every session is detected, and the security of the whole network message processing system is ensured.
In an embodiment of the present application, the message information includes at least one of: the source address, the destination address and the identification number of the data message;
correspondingly, determining the security service chain corresponding to the data message in the virtual security resource pool based on the message information includes:
determining the security service chain based on the source address, the destination address and the identification number.
Specifically, the data message and the security service chain have a corresponding relationship, which can be determined from the source address, the destination address and the identification number of the data message; the security service chain corresponding to the data message is then located in the security resource pool based on that relationship. Because the security service chain is matched to the data message, a security service better suited to that data message is provided.
In an embodiment of the present application, in the case that the security service chain has a plurality of security network elements connected in series, processing the data message by using the determined security network elements in the security service chain based on the flag information includes:
driving each security network element to perform security detection on the data message using its own security detection policy.
In particular, each security network element has its own independent security detection policy, which implements detection operations unique to that security network element. The security detection policies differ in what they emphasise and in when they are applied.
For example, the security detection policies used by the security network elements vFW, vIPS, vWAF and vAV when processing the data message are different, and the plurality of security network elements may process the data message one after another. For instance, when the security network elements vFW, vIPS, vWAF and vAV are connected in series in that order (as shown in fig. 5 to 7), the data message is first detected by vFW; after that detection is completed vIPS performs its detection, then vWAF, and finally vAV. The security detection policy of each security network element is different. Therefore, even if some security network elements in the security service chain do not perform the corresponding first security detection on the data message, other security network elements may still perform other security detections on it, such as the second security detection, the third security detection, and so on.
In one embodiment of the present application, as shown in fig. 4, the method further comprises:
S700, acquiring the data message processed by the security network element;
and S800, sending the acquired data message to the corresponding target device based on the message information.
Specifically, after the security resource pool has performed security detection on the data message, the detected data message may be sent back to the virtual switch; once the acceleration engine in the virtual switch obtains it, the acceleration engine sends the data message to the corresponding target device based on the message information. A data path is thereby established between the device used by the user (such as a client) and the target device (such as a server), so that the user can access the network, for example the client logs in to the server and exchanges data with it.
An embodiment of the present application further provides a virtual switch, as shown in fig. 8 in combination with fig. 5 to 7, including:
an acquisition module configured to acquire a data message and message information of the data message.
The data message may be a message in a session (connection) established by the user while accessing the target device. During that access the data message needs to be processed, and in particular security detection must be carried out on it, so that the whole system is kept secure. For example, a user accessing a resource on a server establishes a session (connection) that may contain one or more data messages. Before being transferred to the target device, the data message is first sent to the virtual switch, so that the virtual switch can perform security detection on it by using the security resource pool.
The acquisition module of the virtual switch acquires the data message and the message information of the data message through the data message inlet. The message information is information related to the data message and may include the source address, the destination address and the identification number of the data message; this information can be used to indicate the security service chain required by the data message.
A determining module configured to determine, based on the message information, a security service chain corresponding to the data message in a virtual security resource pool, where the security resource pool includes at least one security service chain, and the security service chain includes at least one virtual security network element.
Specifically, the secure resource pool may be configured to perform secure processing on the data packet, where the secure resource pool includes one or more secure service chains, and each secure service chain has a respective secure function and/or service function, and can serve different service objects (data packets).
One security service chain (SFC) includes one or more virtual security network elements, each with its own security detection function. For example, a security network element may be of a type such as vFW, vIPS, vWAF or vAV, each with its own security detection function, so that different types of security detection can be performed on the data message. The security network elements in the security service chain may be connected in series, so that the data message is detected by them in sequence.
In this embodiment, the determining module may determine the security service chain corresponding to the data packet according to the packet information, for example, the corresponding security service chain is determined according to the specific content in the packet information, so that the security service chain may be found in the security resource pool, and then the security service chain is used to perform service, especially security detection, on the data packet.
And an adding module configured to add flag information to the data packet, where the flag information corresponds to the security network element and is used to instruct the security network element to process the data packet.
Specifically, the flag information is used to instruct the security network element to process the data message; in particular, it indicates whether all security network elements in the security service chain that has been determined for use need to process the data message.
The flag information corresponds to the security network elements, meaning that specific content in the flag information corresponds to a security network element. For example, the flag information may be a character string in which each character corresponds to a security network element, the character being used to indicate that security network element. The flag information may also be a byte consisting of a plurality of bits, each bit corresponding to a security network element; for example, the byte may be the 8-bit value "11111111", where each "1" is a bit corresponding to its own security network element, a "1" indicating that the security network element performs security detection on the data message and a "0" indicating that the security network element does not need to perform security detection on the data message.
The adding module may add the flag information (the SFC_mask flag bits) to the data message through the acceleration engine after the data message enters the acceleration engine. The adding module can also modify the flag information through the acceleration engine as the situation requires.
A processing module configured to process the data packet by using the determined security network element in the security service chain based on the flag information.
Specifically, when the processing module drives the security service chains to detect the data message, the security network elements in each security service chain may differ. For example, a first security service chain includes a first security network element, a second security network element and a third security network element connected in series, while a second security service chain includes a first security network element, a third security network element and a fourth security network element connected in series in that order.
The security service roles of the different security network elements also differ. The flag information may indicate that the determined security network elements in the security service chain serve the data message; this includes indicating that all the security network elements perform security services on the data message in sequence, and also indicating that only some of the security network elements do so. Whether the data message is fully detected, or only some security network elements are used to detect it, can therefore be decided according to the specific situation of the data message. On the one hand, the data message is detected in order according to the service chain rules, and adding the flag information does not disorder the detection steps; on the other hand, when only some of the security network elements are used to detect the data message, the accuracy and effectiveness of the detection are still ensured, so this security detection mode effectively reduces the detection actions applied to the data message and improves detection efficiency.
In addition, in this embodiment, if a security network element performs security detection on the first data message of a session and determines that it is in a secure state, the flag information may be modified, for example from "11111111" to "01111111". The first bit changes from "1" to "0", which changes the security detection policy of the security network element corresponding to that bit: the security detection originally applied to the data message is no longer applied to subsequent data messages of the same session (connection), which saves detection time and improves detection efficiency.
In one embodiment of the present application, the processing module is further configured to:
according to the flag information, sequentially using a plurality of security network elements in the security service chain to perform security detection on the data message;
and, when a security network element detects that the data message meets the security condition, modifying the information bit corresponding to that security network element in the flag information, so that the security network element no longer performs security detection on other data messages in the same session as the data message.
In one embodiment of the present application, the obtaining module is further configured to:
acquiring a path instruction sent by the security network element, wherein the path instruction has a first data structure, and at least instruction data and an instruction identifier for identifying the path instruction are configured in the first data structure;
and determining whether the data message meets the safety condition or not based on the instruction data.
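The SFC_mask bookkeeping described in a) to c) above and in the module embodiments just given (clearing a bit on a secure verdict, the path instruction carrying instruction data and an instruction identifier, and re-initialising the flag for a new session), as an added Python illustration. This is not code from the patent or from any product implementing it: the element-to-bit mapping beyond FW = 0x80 and WAF = 0x40, the chain contents, the destination-to-chain lookup, the session key and the field names of the path instruction are all assumptions made for the example.

```python
"""Added illustration of per-session SFC_mask handling (not code from the patent)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed single-bit positions per virtual security network element type.
# The patent's listing gives FW = 0x80 and WAF = 0x40; the other values are
# constructed so that every element owns exactly one bit.
ELEMENT_BITS: Dict[str, int] = {"vFW": 0x80, "vIPS": 0x40, "vWAF": 0x20, "vAV": 0x10}

# Constructed security resource pool: chain name -> elements in series order.
SERVICE_CHAINS: Dict[str, List[str]] = {
    "web": ["vFW", "vIPS", "vWAF", "vAV"],
    "generic": ["vFW", "vIPS", "vAV"],
}

# Constructed lookup from destination address to chain; anything else falls
# back to the generic chain.
DESTINATION_CHAIN: Dict[str, str] = {"10.0.1.20": "web"}

# Message information used both to pick the chain and to key the session
# table: (source address, destination address, session identification number).
SessionKey = Tuple[str, str, int]


def chain_bits(chain: List[str]) -> int:
    """OR of the bits of every element in the chain. A chain holding all
    eight element types would give the patent's initial "11111111"."""
    mask = 0
    for element in chain:
        mask |= ELEMENT_BITS[element]
    return mask


@dataclass
class PathInstruction:
    """Path (fast-forward) instruction returned by a network element. Field
    names are assumed; the patent only says the structure carries
    instruction data and an instruction identifier."""
    instruction_id: int
    element: str   # which network element sent the instruction
    secure: bool   # instruction data: the element judged the session secure


@dataclass
class Session:
    chain: List[str]
    sfc_mask: int


class AccelerationEngine:
    """Per-session SFC_mask state of the virtual switch's fast path."""

    def __init__(self) -> None:
        self._sessions: Dict[SessionKey, Session] = {}

    def session(self, key: SessionKey) -> Session:
        sess = self._sessions.get(key)
        if sess is None:
            # First packet of a new session: initial flag, so every element
            # of the determined chain must inspect it. A new connection
            # never inherits another session's cleared bits.
            chain = SERVICE_CHAINS[DESTINATION_CHAIN.get(key[1], "generic")]
            sess = Session(chain=chain, sfc_mask=chain_bits(chain))
            self._sessions[key] = sess
        return sess

    def next_hop(self, key: SessionKey, came_from: Optional[str] = None) -> Optional[str]:
        """Scan the chain in order after `came_from` (None = the packet just
        entered the switch) and return the first element whose bit is still
        1; None means the packet takes the fast path."""
        sess = self.session(key)
        start = 0 if came_from is None else sess.chain.index(came_from) + 1
        for element in sess.chain[start:]:
            if sess.sfc_mask & ELEMENT_BITS[element]:
                return element
        return None

    def apply_instruction(self, key: SessionKey, instr: PathInstruction) -> int:
        """Clear the sender's bit only on an explicit secure verdict. With no
        instruction, or a negative one, the bit stays 1 and later packets of
        the session keep visiting that element."""
        sess = self.session(key)
        if instr.secure and instr.element in sess.chain:
            sess.sfc_mask &= ~ELEMENT_BITS[instr.element] & 0xFF
        return sess.sfc_mask

    def packet_path(self, key: SessionKey) -> List[str]:
        """Elements a packet of this session visits right now, in order; an
        empty list means pure fast-path forwarding."""
        path: List[str] = []
        hop = self.next_hop(key)
        while hop is not None:
            path.append(hop)
            hop = self.next_hop(key, came_from=hop)
        return path


if __name__ == "__main__":
    engine = AccelerationEngine()
    key = ("192.0.2.10", "10.0.1.20", 1)  # constructed session
    print(engine.packet_path(key), hex(engine.session(key).sfc_mask))
    engine.apply_instruction(key, PathInstruction(1, "vFW", True))
    print(engine.packet_path(key), hex(engine.session(key).sfc_mask))
```

Two properties of this model matter for a reviewer of such a fast path: a bit is cleared only on an explicit secure verdict from the element that owns it, so a lost or negative path instruction leaves the element in the path rather than silently bypassing it, and the session table is keyed on the full message information, so a new connection always starts from the initial flag instead of inheriting a mask that an earlier session had already reduced to zero.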
In one embodiment of the present application, the adding module is further configured to:
and adding initial flag information to the data message, wherein the initial flag information is used to indicate that all the determined security network elements in the security service chain perform security detection on the data message.
In one embodiment of the present application, the adding module is further configured to:
and, when message data in another session is received, adding the initial flag information again to the message data of that other session.
In an embodiment of the present application, the message information includes at least one of: the source address, the destination address and the identification number of the data message;
accordingly, the determining module is further configured to:
determine the security service chain based on the source address, the destination address and the identification number.
In an embodiment of the application, in case there are a plurality of said security network elements connected in series in said security service chain, the processing module is further configured to:
and driving each safety network element to use the respective safety detection strategy to carry out safety detection on the data message.
In one embodiment of the present application, the processing module is further configured to:
acquiring the data message processed by the safety network element;
and sending the acquired data message to corresponding target equipment based on the message information.
The embodiment of the present application further provides a system for processing a network packet, which includes the virtual switch and the secure resource pool.
The above embodiments are only exemplary embodiments of the present application, and are not intended to limit the present application, and the protection scope of the present application is defined by the claims. Various modifications and equivalents may be made by those skilled in the art within the spirit and scope of the present application and such modifications and equivalents should also be considered to be within the scope of the present application.
Claims (10)
1. A method for processing a network message is characterized by comprising the following steps:
acquiring a data message and message information of the data message;
determining a security service chain corresponding to the data message in a virtual security resource pool based on the message information, wherein the security resource pool comprises at least one security service chain, and the security service chain comprises at least one virtual security network element;
adding flag information to the data message, wherein the flag information corresponds to the security network element and is used to instruct the security network element to process the data message;
and processing the data message by using the determined security network element in the security service chain based on the flag information.
2. The method of claim 1, wherein the processing the data packet using the determined security network element in the security service chain based on the flag information comprises:
according to the flag information, sequentially using a plurality of security network elements in the security service chain to perform security detection on the data message;
and, when a security network element detects that the data message meets the security condition, modifying the information bit corresponding to that security network element in the flag information, so that the security network element no longer performs security detection on other data messages in the same session as the data message.
3. The method of claim 2, further comprising:
acquiring a path instruction sent by the security network element, wherein the path instruction has a first data structure, and at least instruction data and an instruction identifier for identifying the path instruction are configured in the first data structure;
and determining whether the data message meets the safety condition or not based on the instruction data.
4. The method of claim 1, wherein adding flag information to the data packet comprises:
adding initial flag information to the data message, wherein the initial flag information is used to indicate that all the determined security network elements in the security service chain perform security detection on the data message.
5. The method of claim 4, further comprising:
and under the condition of receiving message data in another session, adding the initial mark information to the message data in the other session again.
6. The method of claim 1, wherein the message information comprises at least one of: the source address, the destination address and the identification number of the data message;
correspondingly, determining the security service chain corresponding to the data message in the virtual security resource pool based on the message information comprises:
determining the security service chain based on the source address, the destination address and the identification number.
7. The method of claim 1, wherein, in the case that there are a plurality of security network elements connected in series in the security service chain, the processing the data packet by using the determined security network element in the security service chain based on the flag information comprises:
and driving each safety network element to use the respective safety detection strategy to carry out safety detection on the data message.
8. The method of claim 1, further comprising:
acquiring the data message processed by the safety network element;
and sending the acquired data message to corresponding target equipment based on the message information.
9. A virtual switch, comprising:
an acquisition module configured to acquire a data message and message information of the data message;
a determining module configured to determine, based on the message information, a security service chain corresponding to the data message in a virtual security resource pool, where the security resource pool includes at least one security service chain, and the security service chain includes at least one virtual security network element;
an adding module, configured to add flag information to the data packet, where the flag information corresponds to the security network element and is used to instruct the security network element to process the data packet;
a processing module configured to process the data packet by using the determined security network element in the security service chain based on the flag information.
10. A system for processing network messages, comprising the virtual switch of claim 9 and the secure resource pool.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111301079.8A CN114024746B (en) | 2021-11-04 | 2021-11-04 | Processing method, virtual switch and processing system of network message |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114024746A true CN114024746A (en) | 2022-02-08 |
CN114024746B CN114024746B (en) | 2023-11-28 |
Family
ID=80060804
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111301079.8A Active CN114024746B (en) | 2021-11-04 | 2021-11-04 | Processing method, virtual switch and processing system of network message |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114024746B (en) |
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107409096A (en) * | 2015-04-23 | 2017-11-28 | 思科技术公司 | Self-adapting load balances |
CN108092934A (en) * | 2016-11-21 | 2018-05-29 | 中国移动通信有限公司研究院 | Safety service system and method |
US20190028347A1 (en) * | 2017-07-21 | 2019-01-24 | Cisco Technology, Inc. | Service function chain optimization using live testing |
CN110959270A (en) * | 2017-07-21 | 2020-04-03 | 思科技术公司 | Service function chain optimization using real-time testing |
CN107896191A (en) * | 2017-11-27 | 2018-04-10 | 深信服科技股份有限公司 | A kind of virtual secure component based on container is across cloud system and method |
CN109495391A (en) * | 2018-12-18 | 2019-03-19 | 天津城建大学 | A kind of security service catenary system and data packet matched retransmission method based on SDN |
CN112437023A (en) * | 2020-10-12 | 2021-03-02 | 北京天融信网络安全技术有限公司 | Virtualized security network element data processing method, system, medium and cloud platform |
CN112910705A (en) * | 2021-02-02 | 2021-06-04 | 杭州安恒信息技术股份有限公司 | Method, device and storage medium for arranging network flow |
Non-Patent Citations (1)
Title |
---|
徐俭 (Xu Jian): "Research on security technology for cloud platform data centres based on SDN service chains", 电视工程 (Television Engineering), no. 04 * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114629853A (en) * | 2022-02-28 | 2022-06-14 | 天翼安全科技有限公司 | Traffic classification control method based on security service chain analysis in security resource pool |
CN114584376A (en) * | 2022-03-04 | 2022-06-03 | 中电科网络空间安全研究院有限公司 | Traffic handling method, device, equipment and computer readable storage medium |
CN114584376B (en) * | 2022-03-04 | 2024-04-26 | 中电科网络空间安全研究院有限公司 | Traffic handling method, device, equipment and computer readable storage medium |
CN115296842A (en) * | 2022-06-27 | 2022-11-04 | 深信服科技股份有限公司 | Method and device for arranging service flow, application delivery equipment and medium |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |