CN114244625A - Method and system for rapidly forwarding message of physical isolation equipment - Google Patents
- Publication number
- CN114244625A (application number CN202111667732.2A)
- Authority
- CN
- China
- Prior art keywords
- message
- hash value
- fast
- forwarded
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/08—Protocols for interworking; Protocol conversion
Abstract
The invention discloses a method and a system for rapidly forwarding messages through a physical isolation device. A message stream to be forwarded is acquired and divided into individual messages; in the forwarding stage, a fast table is established for the first message of a flow. For each non-first message to be forwarded, a hash value is calculated over all elements of the message. The hash value is used as the index into the table structure to locate an entry of the fast table; if an entry exists in the fast table for the hash value, the message undergoes protocol conversion according to the content of that entry and is then forwarded. Otherwise it is judged whether the hash value corresponds to data in an illegal data table, and then whether it corresponds to data in a legal data table; if so, the hash value is added to the fast table, and if not, the message is discarded. Gigabit line-rate forwarding of network messages is thereby achieved on embedded platforms with relatively limited resources and low clock frequencies.
Description
Technical Field
The present invention relates to the field of packet forwarding technology, and in particular to a method and a system for quickly forwarding packets of a physical isolation device.
Background
The statements in this section merely provide background information related to the present disclosure and may not constitute prior art.
In network communication, a physical isolation device acts as an information ferry: it provides conditional access between network segments that are otherwise completely isolated from each other, by re-encapsulating each IP packet in the device's own protocol before passing it across. Because every IP packet has to be re-encapsulated in this private protocol, more data is processed per packet and forwarding is slow.
Disclosure of Invention
To overcome the shortcomings of the prior art, the invention provides a method and a system for rapidly forwarding messages of a physical isolation device.
In a first aspect, the invention provides a method for fast forwarding of messages of a physical isolation device, comprising the following steps:
acquiring a message stream to be forwarded; dividing the stream into individual messages and classifying each message as the first message of its flow or a non-first message; in the forwarding stage, establishing a fast table for the first message;
calculating a hash value over all elements of each non-first message to be forwarded;
using the hash value as the index into the table structure and locating the entry of the fast table by that index; if an entry exists in the fast table for the hash value, performing protocol conversion on the message according to the content of that entry and then forwarding the message; otherwise, proceeding to the next step;
judging whether the hash value corresponds to data in an illegal data table; if it is illegal data, discarding the message directly; otherwise, proceeding to the next step;
judging whether the hash value corresponds to data in a legal data table; if so, adding the hash value to the fast table; if not, discarding the message.
In a second aspect, the invention provides a message fast-forwarding system of a physical isolation device, comprising:
an acquisition module configured to acquire a message stream to be forwarded, divide the stream into individual messages, classify each message as the first message of its flow or a non-first message, and, in the forwarding stage, establish a fast table for the first message;
a hash value calculation module configured to calculate a hash value over all elements of each non-first message to be forwarded;
a positioning module configured to use the hash value as the index into the table structure and locate the entry of the fast table by that index; if an entry exists in the fast table for the hash value, to perform protocol conversion on the message according to the content of that entry and then forward the message; otherwise, to pass the message to the first determination module;
a first determination module configured to judge whether the hash value corresponds to data in an illegal data table; if it is illegal data, to discard the message directly; otherwise, to pass the message to the second determination module;
a second determination module configured to judge whether the hash value corresponds to data in a legal data table; if so, to add the hash value to the fast table; if not, to discard the message.
Compared with the prior art, the invention has the following beneficial effects:
with this processing scheme, each flow is processed once and its subsequent messages are forwarded at line rate, so that gigabit line-rate forwarding of network messages can be achieved on embedded platforms with relatively limited resources and low clock frequencies.
Advantages of additional aspects of the invention will be set forth in part in the description which follows, or may be learned by practice of the invention.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, are included to provide a further understanding of the invention; they illustrate exemplary embodiments of the invention and, together with the description, serve to explain the invention without limiting it.
FIG. 1 is a flow chart of the method of the first embodiment.
Detailed Description
It is to be understood that the following detailed description is exemplary and is intended to provide further explanation of the invention as claimed. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs.
The embodiments and features of the embodiments of the present invention may be combined with each other without conflict.
All data in the embodiments were obtained and used lawfully, in compliance with laws and regulations and with user consent.
Interpretation of terms:
TCP: Transmission Control Protocol.
UDP: User Datagram Protocol, which provides a way for applications to send encapsulated IP datagrams without establishing a connection.
Five-tuple: the tuple formed from a message's source IP, source port, destination IP, destination port and transport protocol (TCP or UDP).
Policy: the legal data table, i.e. the rule set describing legal data, generated from the policy information configured in the device maintenance tool.
Drop: the rule set describing illegal data, i.e. data outside the rules for legal data.
Example one
This embodiment provides a method for fast forwarding of messages of a physical isolation device.
As shown in FIG. 1, the method comprises:
S101: acquiring a message stream to be forwarded; dividing the stream into individual messages and classifying each message as the first message of its flow or a non-first message; in the forwarding stage, establishing a fast table for the first message;
S102: calculating a hash value over all elements of each non-first message to be forwarded;
S103: using the hash value as the index into the table structure and locating the entry of the fast table by that index; if an entry exists in the fast table for the hash value, going to S104; otherwise, going to S105;
S104: performing protocol conversion on the message according to the content of the entry corresponding to the hash value, and then forwarding the message;
S105: judging whether the hash value corresponds to data in the illegal data table; if it is illegal data, discarding the message directly; otherwise, going to S106;
S106: judging whether the hash value corresponds to data in the legal data table; if so, adding the hash value to the fast table; if not, discarding the message.
Further, in S101 the message stream to be forwarded is divided into individual messages as follows: the stream is split according to the five-tuple of each message, consisting of its source IP, source port, destination IP, destination port and transport protocol.
Further, in S101 the fast table is established for the first message as follows: the fields of the five-tuple of the message to be forwarded are compared one by one while traversing the legal data table, to judge whether each field falls within the corresponding range of a legal data entry; if every field of the five-tuple falls within the ranges of an entry of the legal data table, a fast-table entry indexed by the hash value of that five-tuple is established.
Further, the legal data table is composed of a source IP address range, a source port range, a destination IP address range, a destination port range and a transport protocol (TCP or UDP); these five parts are also called a five-tuple.
Further, in S102 the hash value over all elements of the non-first message is calculated as the hash value of the five-tuple consisting of the source IP, source port, destination IP, destination port and transport protocol of the non-first message.
Further, the hash value is calculated with a cryptographic hash algorithm.
Further, the cryptographic hash algorithm is the SM3 algorithm.
Further, in S103 the fast-table entry is located by the index value as follows: the fast table is organised as a balanced binary tree, and the index value is searched for in the fast table using the properties of the balanced binary tree.
Further, in S104 the protocol conversion according to the content of the entry corresponding to the hash value comprises:
replacing the source IP in the five-tuple of the message to be forwarded with a virtual source IP; and
replacing the destination IP in the five-tuple of the message to be forwarded with a virtual destination IP.
Further, depending on whether a message is forwarded through the fast table or by first traversing the legal data table and then forming a fast-table entry, the forwarding process is divided into a fast path and a slow path: the first message of each flow goes through the slow path and the subsequent messages go through the fast path. Messages with the same five-tuple belong to the same flow.
Illustratively, the fast table is established for the first message as follows.
First the legal data table is searched. This table allows fuzzy definitions, i.e. IP address ranges and port ranges. A fuzzy definition cannot be compared through a hash; it can only be compared entry by entry in table order, and this process is slow.
When an entry that satisfies the message is found, the corresponding fields are replaced according to that entry, for example the source IP is replaced with the virtual source IP and the destination IP with the virtual destination IP, and the replacement values are stored in another data structure: the entry of the fast table.
Because a fast-table entry is a completely and explicitly defined five-tuple together with its replacement information, it can be indexed by a hash.
The fast table contains a set of hash buckets, in fact an array of 64K items. For each fast-table entry, a hash value is calculated over its five-tuple and 16 bits of it are taken (maximum value 65535); the hash bucket is found by that value and the entry is placed in the bucket. Each hash bucket is a linked list, and a binary tree search is used within the table.
When a message is received, the hash value is calculated from its five-tuple, the corresponding hash bucket is found from the 16-bit hash value, and the entries in the bucket are compared to find the specific entry. The fields are then replaced according to the entry's replacement information, and the message is forwarded or discarded according to the action the entry indicates.
Every flow goes through this process. If a flow is not within the legal data, an entry is still generated for it, but its action is drop, so on forwarding only the drop entry has to be looked up. The advantage is that only one packet per flow requires the complex processing; all other packets of the flow take the fast path. Forwarding is thus divided into a fast path and a slow path: the first message of each flow goes through the slow path and the subsequent messages go through the fast path, where messages with the same five-tuple belong to the same flow and are forwarded directly. In this way a message is processed once and the subsequent messages of its flow are forwarded at line rate.
Fast path call sequence:
fp_pkt_port_entry
hash16_calc_aux
fp_table_match_fast
fp_pkt_match
Slow path call sequence:
fp_pkt_port_entry
hash16_calc_aux
sp_pkt_no_match
Fast control block recovery:
fp_recycle_entry
An entry through which no message has been forwarded for 10 minutes is recycled.
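The slow path, fast table and recycling described in S101 to S106 and in the illustrative passage on hash buckets above, as one runnable Python model. This is an added example, not code from the patent or from any product: the rule layout, the names Rule, FastEntry, Forwarder, hash16 and run_demo, the sample policy and the sample packets are all constructed for illustration, and SHA-256 is used in place of the SM3 hash the text names because Python's standard hashlib does not portably provide SM3. The buckets here are chained lists scanned linearly rather than the balanced binary tree the text mentions; the point is the same, that the full five-tuple is compared inside the bucket because a 16-bit index collides.

```python
import hashlib
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

BUCKETS = 1 << 16     # 64K hash buckets, indexed by a 16-bit hash, as in the text
IDLE_TIMEOUT = 600.0  # an entry that forwards nothing for 10 minutes is recycled


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"


def hash16(ft: FiveTuple) -> int:
    raw = struct.pack("!4sH4sHB", IPv4Address(ft.src_ip).packed, ft.src_port,
                      IPv4Address(ft.dst_ip).packed, ft.dst_port,
                      6 if ft.proto == "tcp" else 17)
    # Assumption: SHA-256 stands in for the SM3 hash named in the text; keep 16 bits.
    return int.from_bytes(hashlib.sha256(raw).digest()[:2], "big") % BUCKETS


@dataclass
class Rule:
    """Legal-table (policy) or illegal-table (drop) rule: ranges, so it cannot be hashed."""
    src_net: IPv4Network
    src_ports: range
    dst_net: IPv4Network
    dst_ports: range
    proto: str
    virtual_src: Optional[str] = None  # replacement IPs carried by policy rules
    virtual_dst: Optional[str] = None

    def matches(self, ft: FiveTuple) -> bool:
        return (ft.proto == self.proto and ft.src_port in self.src_ports and ft.dst_port in self.dst_ports
                and IPv4Address(ft.src_ip) in self.src_net and IPv4Address(ft.dst_ip) in self.dst_net)


@dataclass
class FastEntry:
    key: FiveTuple        # fully specified five-tuple, so the flow can be hash-indexed
    action: str           # "forward" or "drop"
    virtual_src: Optional[str]
    virtual_dst: Optional[str]
    last_used: float


class Forwarder:
    def __init__(self, policy, drop):
        self.policy, self.drop = list(policy), list(drop)  # scanned in order on the slow path
        self.buckets, self.slow_path_hits = {}, 0          # hash16 -> chained list of FastEntry

    def _fast_lookup(self, ft):
        # Match the full five-tuple inside the bucket: the 16-bit index collides.
        return next((e for e in self.buckets.get(hash16(ft), ()) if e.key == ft), None)

    def _slow_path(self, ft, now):
        """First packet of a flow: illegal table first (S105), then the legal table (S106)."""
        self.slow_path_hits += 1
        entry = FastEntry(ft, "drop", None, None, now)
        if not any(r.matches(ft) for r in self.drop):
            for rule in self.policy:
                if rule.matches(ft):
                    entry = FastEntry(ft, "forward", rule.virtual_src, rule.virtual_dst, now)
                    break
        # A rejected flow gets an entry too, so its later packets drop on the fast path.
        self.buckets.setdefault(hash16(ft), []).append(entry)
        return entry

    def process(self, ft, now):
        """Return the converted five-tuple to forward, or None if the packet is dropped."""
        entry = self._fast_lookup(ft) or self._slow_path(ft, now)
        entry.last_used = now
        if entry.action == "drop":
            return None
        return FiveTuple(entry.virtual_src, ft.src_port, entry.virtual_dst, ft.dst_port, ft.proto)

    def recycle(self, now):
        # Remove entries idle for IDLE_TIMEOUT; return how many were removed.
        before = sum(len(b) for b in self.buckets.values())
        self.buckets = {h: live for h, b in self.buckets.items()
                        if (live := [e for e in b if now - e.last_used < IDLE_TIMEOUT])}
        return before - sum(len(b) for b in self.buckets.values())


def run_demo():
    """Constructed policy and packets: an allowed flow, a flow the drop table rejects, an uncovered flow."""
    policy = [Rule(IPv4Network("10.1.0.0/16"), range(1024, 65536), IPv4Network("192.168.5.0/24"),
                   range(443, 444), "tcp", virtual_src="172.16.0.1", virtual_dst="172.16.1.10")]
    drop = [Rule(IPv4Network("10.1.9.0/24"), range(65536), IPv4Network("0.0.0.0/0"), range(65536), "tcp")]
    fwd = Forwarder(policy, drop)
    allowed = FiveTuple("10.1.2.3", 40000, "192.168.5.7", 443, "tcp")
    blocked = FiveTuple("10.1.9.3", 40000, "192.168.5.7", 443, "tcp")  # also inside the policy range
    unknown = FiveTuple("10.2.2.3", 40000, "192.168.5.7", 443, "tcp")
    t0 = 1_000_000.0
    results = [fwd.process(allowed, t0), fwd.process(allowed, t0 + 1),
               fwd.process(blocked, t0 + 2), fwd.process(unknown, t0 + 3)]
    slow_hits = fwd.slow_path_hits                 # one slow-path pass per flow, not per packet
    recycled = fwd.recycle(t0 + 3 + IDLE_TIMEOUT)  # every flow has been idle for 10 minutes
    return results, slow_hits, recycled
```

Two properties of the design are visible in run_demo. The second packet of the allowed flow never touches the rule tables, and the flow from 10.1.9.3 is dropped even though it also falls inside the policy range, because the illegal table is consulted before the legal one. The scheme also records an entry for every new flow, rejected ones included, exactly as the text describes; any sender can therefore create fast-table state one entry per distinct five-tuple, and the idle recycling (plus, in a real device, a cap on entries per bucket) is what bounds that state.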
Example two
This embodiment provides a message fast-forwarding system of a physical isolation device, comprising:
an acquisition module configured to acquire a message stream to be forwarded, divide the stream into individual messages, classify each message as the first message of its flow or a non-first message, and, in the forwarding stage, establish a fast table for the first message;
a hash value calculation module configured to calculate a hash value over all elements of each non-first message to be forwarded;
a positioning module configured to use the hash value as the index into the table structure and locate the entry of the fast table by that index; if an entry exists in the fast table for the hash value, to perform protocol conversion on the message according to the content of that entry and then forward the message; otherwise, to pass the message to the first determination module;
a first determination module configured to judge whether the hash value corresponds to data in the illegal data table; if it is illegal data, to discard the message directly; otherwise, to pass the message to the second determination module;
a second determination module configured to judge whether the hash value corresponds to data in the legal data table; if so, to add the hash value to the fast table; if not, to discard the message.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (10)
1. A method for fast forwarding of messages of a physical isolation device, characterised by comprising the following steps:
acquiring a message stream to be forwarded; dividing the stream into individual messages and classifying each message as the first message of its flow or a non-first message; in the forwarding stage, establishing a fast table for the first message;
calculating a hash value over all elements of each non-first message to be forwarded;
using the hash value as the index into the table structure and locating the entry of the fast table by that index; if an entry exists in the fast table for the hash value, performing protocol conversion on the message according to the content of that entry and then forwarding the message; otherwise, proceeding to the next step;
judging whether the hash value corresponds to data in an illegal data table; if it is illegal data, discarding the message directly; otherwise, proceeding to the next step;
judging whether the hash value corresponds to data in a legal data table; if so, adding the hash value to the fast table; if not, discarding the message.
2. The method as claimed in claim 1, wherein dividing the message stream to be forwarded into individual messages specifically comprises:
dividing the message stream to be forwarded into individual messages according to a five-tuple consisting of the source IP, source port, destination IP, destination port and transport protocol of each message.
3. The method as claimed in claim 1, wherein the fast table is established for the first message by the following procedure:
comparing the fields of the five-tuple of the message to be forwarded one by one while traversing the legal data table, judging whether each field falls within the corresponding range of an entry of the legal data table, and, if every field of the five-tuple falls within the ranges of an entry of the legal data table, establishing a fast-table entry indexed by the hash value of the five-tuple of the message to be forwarded.
4. The method as claimed in claim 1, wherein the legal data table is composed of five parts, namely a source IP address range, a source port range, a destination IP address range, a destination port range and a transport protocol, also called a five-tuple.
5. The method as claimed in claim 1, wherein calculating the hash value over all elements of the non-first message to be forwarded specifically comprises:
calculating the hash value of a five-tuple consisting of the source IP, source port, destination IP, destination port and transport protocol of the non-first message.
6. The method as claimed in claim 5, wherein the hash value is calculated with a cryptographic hash algorithm.
7. The method as claimed in claim 6, wherein locating the entry of the fast table by the index value comprises:
organising the fast table as a balanced binary tree, and searching for the index value in the fast table using the properties of the balanced binary tree.
8. The method as claimed in claim 1, wherein performing protocol conversion on the message according to the content of the entry corresponding to the hash value comprises:
replacing the source IP in the five-tuple of the message to be forwarded with a virtual source IP; and
replacing the destination IP in the five-tuple of the message to be forwarded with a virtual destination IP.
9. The method as claimed in claim 1, wherein, depending on whether a message is forwarded through the fast table or by first traversing the legal data table and then forming a fast-table entry, the forwarding process is divided into a fast path and a slow path, the first message of each flow going through the slow path and the subsequent messages going through the fast path.
10. A message fast-forwarding system of a physical isolation device, characterised by comprising:
an acquisition module configured to acquire a message stream to be forwarded, divide the stream into individual messages, classify each message as the first message of its flow or a non-first message, and, in the forwarding stage, establish a fast table for the first message;
a hash value calculation module configured to calculate a hash value over all elements of each non-first message to be forwarded;
a positioning module configured to use the hash value as the index into the table structure and locate the entry of the fast table by that index; if an entry exists in the fast table for the hash value, to perform protocol conversion on the message according to the content of that entry and then forward the message; otherwise, to pass the message to the first determination module;
a first determination module configured to judge whether the hash value corresponds to data in an illegal data table; if it is illegal data, to discard the message directly; otherwise, to pass the message to the second determination module;
a second determination module configured to judge whether the hash value corresponds to data in a legal data table; if so, to add the hash value to the fast table; if not, to discard the message.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111667732.2A (published as CN114244625A) | 2021-12-30 | 2021-12-30 | Method and system for rapidly forwarding message of physical isolation equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114244625A (en) | 2022-03-25 |
Family
ID=80745163
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101707617A (en) * | 2009-12-04 | 2010-05-12 | 福建星网锐捷网络有限公司 | Message filtering method, device and network device |
CN102195887A (en) * | 2011-05-31 | 2011-09-21 | 北京星网锐捷网络技术有限公司 | Message processing method, device and network security equipment |
CN103281246A (en) * | 2013-05-20 | 2013-09-04 | 华为技术有限公司 | Message processing method and network equipment |
CN104468624A (en) * | 2014-12-22 | 2015-03-25 | 上海斐讯数据通信技术有限公司 | SDN controller, routing/switching device and network defending method |
CN104468381A (en) * | 2014-12-01 | 2015-03-25 | 国家计算机网络与信息安全管理中心 | Implementation method for multi-field rule matching |
CN107124402A (en) * | 2017-04-12 | 2017-09-01 | 杭州迪普科技股份有限公司 | A kind of method and apparatus of packet filtering |
CN109361609A (en) * | 2018-12-14 | 2019-02-19 | 东软集团股份有限公司 | Message forwarding method, device, equipment and the storage medium of firewall box |
CN113114574A (en) * | 2021-03-30 | 2021-07-13 | 杭州迪普科技股份有限公司 | Message forwarding method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |