CN114338851B - Matching method and device based on tunnel message - Google Patents


Info

Publication number: CN114338851B
Authority: CN (China)
Prior art keywords: tunnel, message, layer, service data, matching
Legal status: Active
Application number: CN202111634158.0A
Other languages: Chinese (zh)
Other versions: CN114338851A (en)
Inventors: 陈维, 胡乐勇
Current assignee: Wuhan Greenet Information Service Co Ltd
Original assignee: Wuhan Greenet Information Service Co Ltd
Application filed by Wuhan Greenet Information Service Co Ltd
Priority to CN202111634158.0A (CN114338851B)
Priority to CN202210695134.4A (CN115103038B)
Publication of CN114338851A
Application granted
Publication of CN114338851B


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22: Parsing or analysis of headers
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00: Data switching networks
    • H04L12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46: Interconnection of networks
    • H04L12/4633: Interconnection of networks using encapsulation techniques, e.g. tunneling

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of tunnel messages and provides a matching method and device based on tunnel messages. The fields in the protocol header of the innermost and/or outermost layer of the tunnel are arranged in a preset order and converted into a hexadecimal character string; a corresponding mask is generated for the protocol header of the innermost and/or outermost layer of the tunnel as the basis for identifying the tunnel message; and the feature code of the tunnel is obtained by the logical AND of the mask and the character string. When the feature code of a tunnel message matches the feature code of the corresponding tunnel, the tunnel message is judged to be a hit; otherwise it is judged to be a miss. The invention adds a new matching mode so that data messages are detected more comprehensively, which better guarantees the analysis and security of data messages.

Description

Matching method and device based on tunnel message
[Technical field]
The present invention relates to the technical field of tunnel messages, and in particular to a matching method and apparatus based on a tunnel message.
[Background]
Tunneling is a method of establishing a virtual link between networks that uses the infrastructure of the Internet to transfer data. By establishing a tunnel it is possible to force data to a specific address, hide private network addresses, carry non-IP data packets over an IP network, and provide data security support. Current processing of tunnel messages matches either the outermost or the innermost layer of the tunnel: a switch selects whether the inner or the outer layer is matched, the two layers are never matched at the same time, and a data message counts as matched as soon as either the inner or the outer layer of the tunnel matches. As network security requirements become stricter, some special devices impose stricter requirements on message detection: some require that the inner and outer layers of a tunnel message match at the same time, while others require that the message be considered a hit when either the inner or the outer layer matches.
In view of this, overcoming the drawbacks of the prior art is a problem that the art urgently needs to solve.
[Summary of the invention]
The technical problem the invention aims to solve is the low efficiency of matching analysis when only the inner or the outer layer of a tunnel is used.
A further technical problem the invention solves is that, in the prior art, the inner and outer tunnels carried by a tunnel message, and any intermediate tunnels, are not used flexibly, which leads to low processing efficiency in complex service scenarios.
The invention adopts the following technical scheme:
In a first aspect, the invention provides a matching method based on a tunnel message, implemented by converting the matching condition into a feature code rule. The method includes:
arranging the fields in the protocol header of the innermost and/or outermost layer of the tunnel in a preset order and converting them into a hexadecimal character string;
generating a corresponding mask for the protocol header of the innermost and/or outermost layer of the tunnel as the basis for identifying the tunnel message;
and obtaining the feature code of the tunnel by the logical AND of the mask and the character string, where, when the feature code of a tunnel message matches the feature code of the corresponding tunnel, the tunnel message is judged to be a hit, and otherwise it is judged to be a miss.
Preferably, the basis for identifying the tunnel message is five-tuple information and/or triple information, specifically:
the five-tuple information comprises the source IP address SIP, source port Sport, destination IP address DIP, destination port Dport and protocol number; the triple information comprises the source IP address SIP, destination IP address DIP and protocol number.
Preferably, before the fields in the protocol headers of the innermost and outermost layers of the tunnel are arranged in the preset order and converted into hexadecimal character strings, the method further includes:
analyzing, according to the network state, the first tunnel of the innermost layer, which currently cannot be passed through, and obtaining an alternative second tunnel by analysis and calculation;
determining the service data originally set to be transmitted through the first tunnel of the innermost layer, which currently cannot be passed through, and, when subsequent data of that service data is packed into data packets, packing the second tunnel as the innermost tunnel and the first tunnel as the outermost tunnel;
formulating a hit policy under which a message that simultaneously matches the respective five-tuple and/or triple information of both the first tunnel and the second tunnel is regarded as a hit;
where the tunnel historically placed at the innermost layer is designated as the tunnel selected with the highest priority.
Preferably, the method further comprises:
sending the hit policy synchronously to the service data request end;
and the service data request end, according to the repackaged tunnel information, obtaining the service data from the destination address of the second tunnel after having partially obtained the service data from the destination address of the first tunnel.
Preferably, a hit tunnel message indicates that the service data request end needs to obtain the remaining content of the service data from the second tunnel in the innermost layer of the current tunnel message while obtaining the historically sent service data from the destination end of the first tunnel in the outermost layer; and only when the matching information jointly formed by the innermost tunnel and the outermost tunnel is the same does it correspond to the tunnel object from which the service data must be obtained by concatenation.
Preferably, the tunnel message further includes one or more intermediate-layer tunnels, each layer of tunnel is configured with a tunnel health indicator, and the tunnel health indicator is carried in a reserved field of the header; the method further includes:
monitoring each tunnel involved in the tunnel message and updating the tunnel health indicator value in the tunnel message according to the monitoring result;
and if the proportion of tunnels currently used by the tunnel message whose tunnel health indicator value does not reach the standard exceeds 7 percent of the total number of tunnels used by the tunnel message from the innermost to the outermost tunnel, triggering reassignment of the tunnels of the tunnel message from the innermost to the outermost.
Preferably, the tunnel health indicator is represented by 1 bit and has two states: normal and fault.
In a second aspect, the invention further provides a matching apparatus based on a tunnel message, used to implement the matching method of the first aspect. The apparatus includes:
at least one processor; and a memory communicatively coupled to the at least one processor; where the memory stores instructions executable by the at least one processor, and the instructions, when executed by the processor, perform the tunnel-message-based matching method of the first aspect.
In a third aspect, the invention further provides a non-volatile computer storage medium that stores computer-executable instructions which, when executed by one or more processors, carry out the tunnel-message-based matching method of the first aspect.
The invention can detect tunnel messages more flexibly and completely: it adds two modes, "inner and outer" matching (both layers must match) and "inner or outer" matching (either layer may match) of the tunnel message, so that data messages can be detected more comprehensively and the analysis and security of data messages are better guaranteed.
[Description of the drawings]
In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings used in the embodiments are briefly described below. Obviously, the drawings described below show only some embodiments of the invention, and a person skilled in the art can derive other drawings from them without inventive effort.
Fig. 1 is a schematic flowchart of a matching method based on a tunnel message according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of a matching method based on a tunnel message according to an embodiment of the present invention;
Fig. 3 is a schematic flowchart of a matching method based on a tunnel message according to an embodiment of the present invention;
Fig. 4 is a schematic flowchart of a matching method based on a tunnel message according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of program code and hexadecimal translation based on a tunnel message according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a matching device based on a tunnel message according to an embodiment of the present invention.
[Detailed description]
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
In the description of the present invention, the terms "inner", "outer", "longitudinal", "lateral", "upper", "lower", "top", "bottom", and the like indicate orientations or positional relationships based on those shown in the drawings, and are for convenience only to describe the present invention without requiring the present invention to be necessarily constructed and operated in a specific orientation, and thus should not be construed as limiting the present invention.
In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
Example 1:
Embodiment 1 of the present invention provides a matching method based on a tunnel message, implemented by converting the rule into a feature code. As shown in Fig. 1, the method includes:
In step 201, the fields in the header of the innermost and/or outermost layer of the tunnel are arranged in a preset order and then converted into a hexadecimal character string.
In step 202, a corresponding mask is generated for the content of the innermost and/or outermost protocol header of the tunnel as the basis for identifying the tunnel message.
In step 203, the feature code of the tunnel is obtained by the logical AND of the mask and the character string; when the feature code of a tunnel message matches the feature code of the corresponding tunnel, the tunnel message is determined to be a hit, otherwise it is determined to be a miss.
The embodiment of the invention can detect tunnel messages more flexibly and completely: it adds two modes, "inner and outer" matching and "inner or outer" matching of the tunnel message, so that data messages can be detected more comprehensively and the analysis and security of data messages are better guaranteed.
In this embodiment of the invention, the basis for identifying the tunnel message is five-tuple information and/or triple information, specifically:
the five-tuple information comprises the source IP address SIP, source port Sport, destination IP address DIP, destination port Dport and protocol number; the triple information comprises the source IP address SIP, destination IP address DIP and protocol number.
The basis for identifying the tunnel message can also be MAC address information.
Next, the data lengths contributed by the MAC layer and the VLAN layer in front of the five-tuple information are described for tunnel messages that contain different tunnels.
IP-in-IP example
First, a MAC layer may appear in a tunnel message in the first network and in the current network: a 1-layer MAC, or a 2-layer MAC (MAC-in-MAC), where a 1-layer MAC is 12 bytes and a 2-layer MAC is 12 + 4 (type and lower-layer protocol identifier, 4 bytes in total) + 12 = 28 bytes;
second, 2 bytes (next-layer protocol identification);
third, a VLAN layer, which may appear above the MAC layer in a tunnel message in the current network: 1 layer of VLAN, 2 layers of VLAN (QinQ), or a QinQ message encapsulated with a further VLAN layer to give 3 layers (no VLAN: +0 bytes; 1 VLAN layer: +4 bytes; 2 VLAN layers: +8 bytes; 3 VLAN layers: +12 bytes);
fourth, the possible tunnel IP combinations: ipv4inipv4, ipv4inipv6, ipv6inipv4, ipv6inipv6;
for a tunnel message whose outer IP is v4, the tunnel mark is in the 10th byte;
for a tunnel message whose outer IP is v6, the tunnel mark is in the 20th byte.
For a tunnel whose outer layer is v4, the possible tunnel identification positions are:
1-layer MAC, 0-layer VLAN: 12 bytes + 2 bytes + 10 bytes = tunnel identification position (i.e. the v4 or v6 mark referred to in the embodiments of the present invention);
1-layer MAC, 1-layer VLAN: 12 bytes + 2 bytes + 4 bytes + 10 bytes = tunnel identification position;
1-layer MAC, 2-layer VLAN: 12 bytes + 2 bytes + 4 bytes + 4 bytes + 10 bytes = tunnel identification position;
1-layer MAC, 3-layer VLAN: 12 bytes + 2 bytes + 4 bytes + 4 bytes + 10 bytes = tunnel identification position;
2-layer MAC, 0-layer VLAN: 28 bytes + 2 bytes + 10 bytes = tunnel identification position;
2-layer MAC, 1-layer VLAN: 28 bytes + 2 bytes + 4 bytes + 10 bytes = tunnel identification position;
2-layer MAC, 2-layer VLAN: 28 bytes + 2 bytes + 4 bytes + 4 bytes + 10 bytes = tunnel identification position;
2-layer MAC, 3-layer VLAN: 28 bytes + 2 bytes + 4 bytes + 4 bytes + 10 bytes = tunnel identification position.
For a tunnel whose outer layer is v6, the possible tunnel identification positions are:
1-layer MAC, 0-layer VLAN: 12 bytes + 2 bytes + 20 bytes = tunnel identification position;
1-layer MAC, 1-layer VLAN: 12 bytes + 2 bytes + 4 bytes + 20 bytes = tunnel identification position;
1-layer MAC, 2-layer VLAN: 12 bytes + 2 bytes + 4 bytes + 4 bytes + 20 bytes = tunnel identification position;
1-layer MAC, 3-layer VLAN: 12 bytes + 2 bytes + 4 bytes + 4 bytes + 4 bytes = tunnel identification position;
2-layer MAC, 0-layer VLAN: 28 bytes + 2 bytes + 20 bytes = tunnel identification position;
2-layer MAC, 1-layer VLAN: 28 bytes + 2 bytes + 4 bytes + 20 bytes = tunnel identification position;
2-layer MAC, 2-layer VLAN: 28 bytes + 2 bytes + 4 bytes + 4 bytes + 20 bytes = tunnel identification position;
2-layer MAC, 3-layer VLAN: 28 bytes + 2 bytes + 4 bytes + 4 bytes + 20 bytes = tunnel identification position.
If the tunnel identifier is 04, the lower-layer tunnel is v4;
if the tunnel identifier is 06, the lower-layer tunnel is v6.
When searching the data, the type of the tunnel message can be determined by examining only the positions where the tunnel mark may appear, without searching the whole message. Similarly, the other tunnel message identification positions define the tunnel positions according to the message characteristics: it is enough to look at the locations where the tunnel identification may occur.
In the prior art, the inner tunnel and the outer tunnel are in practice used as alternatives to each other. In a scenario where the network is relatively simple, a tunnel message carries only one layer of tunnel information as the basis for transmission, and if the tunnel is interrupted during transmission it is not easy for the service data request end to quickly locate and trace back the transfer from the tunnel message data. A preferred embodiment of the present invention therefore proposes, for such a simple network scenario, an improved scheme in which the inner and outer tunnels are used cooperatively. Before the fields in the innermost and outermost protocol headers of the tunnel are arranged in the preset order and converted into a hexadecimal character string, as shown in Fig. 2, the method further includes:
In step 301, the first tunnel of the innermost layer is analyzed according to the network state, and a candidate second tunnel is obtained by the analysis and calculation.
In step 302, the service data originally set to be transmitted through the first tunnel of the innermost layer, which currently cannot be passed through, is determined, and when subsequent data of that service data is packed into data packets, the second tunnel is packed as the innermost tunnel and the first tunnel as the outermost tunnel.
In step 303, a hit policy is formulated, under which a message that matches the five-tuple and/or triple information of both the first tunnel and the second tunnel is determined to be a hit.
Here the tunnel historically placed at the innermost layer is designated as the tunnel selected with the highest priority.
Through steps 301 to 303, the present invention addresses the problem that, in complex service scenarios, the inflexible use of the inner tunnel, the outer tunnel and any intermediate tunnels carried by the tunnel message leads to low processing efficiency.
As shown in Fig. 3, after step 303 the following method steps are typically also involved:
In step 304, the hit policy is sent synchronously to the service data request end.
In step 305, the service data request end, according to the repackaged tunnel information, obtains the service data from the destination address of the second tunnel after having partially obtained it from the destination address of the first tunnel.
At this point a hit tunnel message indicates that the service data request end needs to obtain the remaining content of the service data from the second tunnel in the innermost layer of the current tunnel message while obtaining the historically sent service data from the destination end of the first tunnel in the outermost layer; and only when the matching information jointly formed by the innermost tunnel and the outermost tunnel is the same does it correspond to the tunnel object from which the service data must be obtained by concatenation.
Besides extended schemes such as steps 301 to 303, which arise from special application scenarios, the embodiments of the present invention also propose another feasible implementation whose application scenario is the opposite of that of steps 301 to 303: the network link environment is relatively diversified and offers a variety of tunnel choices. That is, the tunnel message further includes one or more intermediate-layer tunnels, each layer of tunnel is configured with a tunnel health indicator, and the tunnel health indicator is carried in a reserved field of the header. As shown in Fig. 4, the method further includes:
In step 401, each tunnel involved in the tunnel message is monitored, and the tunnel health indicator value in the tunnel message is updated according to the monitoring result.
In step 402, if the proportion of tunnels currently used by the tunnel message whose tunnel health indicator value does not reach the standard exceeds 7 of the total number of tunnels from the innermost to the outermost tunnel, reassignment of the tunnels of the tunnel message from the innermost to the outermost is triggered.
The tunnel health indicator is represented by 1 bit and has two states: normal and fault.
This method maintains the security and effectiveness of the tunnel message currently being transmitted, and is particularly suitable for scenarios with very high requirements on transmission effectiveness.
Example 2:
This embodiment of the present invention continues the method of Embodiment 1 and explains the implementation of steps 201 to 203 above using the example tunnel message shown in Fig. 5.
As shown in Fig. 5, the frame corresponding to the outer SIP + DIP is: SIP 10.0.0.1 (hexadecimal 0a000001); DIP 172.0.0.1 (hexadecimal ac000001); and the next-layer protocol in the frame is IP protocol 4 (hexadecimal 04, shown as Internet Protocol Version 4 in the figure).
The frame corresponding to the inner SIP + DIP is: SIP 11.12.13.1 (hexadecimal 0b0c0d01); DIP 11.12.13.254 (hexadecimal 0b0c0dfe); the port numbers in the frame are Sport 1024 (hexadecimal 0400) and Dport 1024 (hexadecimal 0400); and the protocol number in the frame is UDP, 17 (hexadecimal 11).
First scheme, "inner and outer": the matching start position of the feature code rule is set to layer-3 matching (starting from the layer-3 header, i.e. from the outer "4500 xxxx"), and the message is converted into a feature code rule, that is, a hexadecimal feature code rule, which only needs to cover the information related to the inner and outer five-tuples. For example:
Rule content:
00000000000000000000000a000001ac00000140000000000000000118a7b0b0c0d010b0c0dfe 04000400
Mask field:
0000000000000000000000fffffffffffffffff0000000000000000ff0000ffffffffffffffffffffffff
Explanation of the rule: where the mask field is 0 the rule content is ignored whatever its value; f means "care", and such positions must match the hexadecimal character string exactly. The content of positions that are not cared about can be written as 0 or any other hexadecimal value, since it is not compared and has no meaning. The rule above cares about all of the inner and outer eight-tuple information (outer triple plus inner five-tuple); according to the rule requirements one can also care selectively, for example only about the outer SIP and the inner DIP, in which case the corresponding rule and mask are:
Rule content:
00000000000000000000000a000001ac00000140000000000000000118a7b0b0c0d010b0c0dfe 04000400
Mask field:
0000000000000000000000ffffffff0000000000000000000000000000000000000000fffffff00000000
When the rule is looked up, if the feature code rule matches both the inner and the outer layer, the tunnel message is a hit; otherwise it is a miss.
First scheme, "inner or outer": as with the inner-and-outer idea, the rules are converted into hexadecimal feature codes for matching, but two feature code rules are issued. Continuing with the message example above, with the matching start position at the layer-3 header:
Outer rule content: 00000000000000000000000a000001ac000001
Outer-layer care field: 00000000000000000000000 fffffffffffffffff
Inner rule content:
00000000000000000000000a000001ac00000140000000000000000118a7b0b0c0d010b0c0dfe 04000400
Inner-layer care field:
0000000000000000000000000000000000000000000000000000000ff000000000000ffffffffffffffff
When the rules are looked up with the "inner or outer" switch of the tunnel message turned on, the tunnel message is considered a hit as soon as either feature code rule matches; otherwise it is a miss.
Second scheme, "inner and outer": two five-tuple rules are issued, corresponding respectively to the inner and the outer five-tuple information of the tunnel message. Continuing with the message example above:
Outer rule: triple information with SIP 10.0.0.1, DIP 172.0.0.1, and lower-layer protocol IP protocol 4 (the field marked with a black border in the figure).
Inner rule: five-tuple information with SIP 11.12.13.1, DIP 11.12.13.254, Sport 1024, Dport 1024, protocol number UDP 17.
The two rules can be issued according to the rule requirements and are used respectively to match the inner and outer layers of the tunnel message. With the tunnel message's "inner and outer" switch and the secondary-lookup switch turned on, when the outer layer of the tunnel message hits, the rule corresponding to the inner-layer information is looked up next; only when both rules hit is the tunnel message considered a hit, otherwise it is a miss.
Second scheme, "inner or outer": when the tunnel message hits the outer-layer rule, no further lookup is performed and the message is directly considered a hit; when the outer-layer information of the tunnel message is not hit by any relevant rule, the inner-layer five-tuple rule is looked up next, and if it hits the tunnel message is considered a hit, otherwise it is a miss.
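The feature code rule matching of steps 201 to 203 and the two lookup modes of Example 2, as an added Python illustration that is not code from the patent: it lays out the outer triple and the inner five-tuple of the example message as hex rule content plus mask starting at the outer layer-3 header, computes the feature code by AND-ing packet bytes with the mask, and evaluates the "inner and outer" and "inner or outer" modes on a constructed hit packet and a constructed packet whose inner DIP differs. The byte offsets, the 44-byte rule length and the sample packet are assumptions made here (fixed 20-byte IPv4 headers, no IP options).

```python
"""Hex feature-code rule matching for an IP-in-IP tunnel message.

Added illustration of the mask-and-compare scheme described on this page; it is
not code from the patent. Offsets, the 44-byte rule length and the sample packet
are constructed here, following the Example 2 values on the page. Matching starts
at the outer layer-3 header (the "4500 xxxx" position) and assumes fixed 20-byte
IPv4 headers without options.
"""
import struct
import ipaddress


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum is left 0, the matcher ignores it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def sample_packet(inner_dst="11.12.13.254", outer_dst="172.0.0.1"):
    """Constructed outer IPv4 (proto 4) / inner IPv4 (proto 17) / UDP 1024->1024 packet."""
    payload = b"constructed"
    udp = struct.pack("!HHHH", 1024, 1024, 8 + len(payload), 0) + payload
    inner = ipv4_header("11.12.13.1", inner_dst, 17, len(udp)) + udp
    return ipv4_header("10.0.0.1", outer_dst, 4, len(inner)) + inner


def ip4(text):
    return ipaddress.IPv4Address(text).packed


# Field offsets relative to the outer IPv4 header (assumed, no IP options). The preset
# field order of the page: outer SIP, outer DIP, outer protocol; inner SIP, DIP, Sport,
# Dport, protocol. Values are the Example 2 values from the page.
RULE_LEN = 44  # outer IPv4 (20) + inner IPv4 (20) + UDP ports (4)
OUTER_FIELDS = [(12, ip4("10.0.0.1")), (16, ip4("172.0.0.1")), (9, b"\x04")]
INNER_FIELDS = [(32, ip4("11.12.13.1")), (36, ip4("11.12.13.254")),
                (40, (1024).to_bytes(2, "big")), (42, (1024).to_bytes(2, "big")),
                (29, b"\x11")]


def build_rule(fields, length=RULE_LEN):
    """Lay the cared-for fields out at their offsets and return (content_hex, mask_hex).

    Mask bytes are ff where the packet byte must match and 00 where it is ignored;
    don't-care bytes of the content are written as 0 because their value is irrelevant.
    """
    content, mask = bytearray(length), bytearray(length)
    for off, val in fields:
        content[off:off + len(val)] = val
        mask[off:off + len(val)] = b"\xff" * len(val)
    return content.hex(), mask.hex()


def match_rule(packet, content_hex, mask_hex):
    """Feature code = packet AND mask; hit when it equals content AND mask.

    A packet too short to cover the last cared-for byte is a miss, never a hit.
    """
    content, mask = bytes.fromhex(content_hex), bytes.fromhex(mask_hex)
    needed = len(mask.rstrip(b"\x00"))
    if len(packet) < needed:
        return False
    return all((p & m) == (c & m) for p, c, m in zip(packet, content, mask))


def hit_inner_and_outer(packet, rules):
    """'Inner and outer' mode: every issued rule must hit."""
    return all(match_rule(packet, *rule) for rule in rules)


def hit_inner_or_outer(packet, rules):
    """'Inner or outer' mode: any one issued rule hitting is enough."""
    return any(match_rule(packet, *rule) for rule in rules)


def demo():
    combined = build_rule(OUTER_FIELDS + INNER_FIELDS)  # one rule covering both layers
    outer, inner = build_rule(OUTER_FIELDS), build_rule(INNER_FIELDS)
    good = sample_packet()
    wrong_inner = sample_packet(inner_dst="11.12.13.9")  # inner DIP differs
    return {
        "combined_hit": match_rule(good, *combined),
        "combined_miss": match_rule(wrong_inner, *combined),
        "and_mode_on_wrong_inner": hit_inner_and_outer(wrong_inner, [outer, inner]),
        "or_mode_on_wrong_inner": hit_inner_or_outer(wrong_inner, [outer, inner]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```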
Example 3:
Fig. 6 is a schematic structural diagram of a matching apparatus based on a tunnel message according to an embodiment of the present invention. The matching apparatus of this embodiment includes one or more processors 21 and a memory 22. In Fig. 6, one processor 21 is taken as an example.
The processor 21 and the memory 22 may be connected by a bus or by other means; Fig. 6 illustrates connection by a bus as an example.
The memory 22, as a non-volatile computer-readable storage medium, may be used to store a non-volatile software program and non-volatile computer-executable instructions, such as the tunnel-message-based matching method of Embodiment 1. The processor 21 performs the tunnel-message-based matching method by executing the non-volatile software programs and instructions stored in the memory 22.
The memory 22 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. In some embodiments, the memory 22 may optionally include memory located remotely from the processor 21, and such remote memory may be connected to the processor 21 via a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The program instructions/modules are stored in the memory 22 and, when executed by the one or more processors 21, perform the tunnel-message-based matching method of Embodiment 1, for example the steps shown in Figs. 1 to 4 described above.
It should be noted that the information exchange, execution process and other details of the modules and units in the apparatus and system are based on the same concept as the method embodiment of the present invention; for the specifics, refer to the description of the method embodiment, which is not repeated here.
Those of ordinary skill in the art will appreciate that all or part of the steps of the various methods of the embodiments may be implemented by associated hardware as instructed by a program, which may be stored on a computer-readable storage medium, which may include: read Only Memory (ROM), Random Access Memory (RAM), magnetic or optical disks, and the like.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (5)

1. A matching method based on tunnel messages, characterized in that the matching is implemented by conversion into a feature-code rule, the method comprising the following steps:
arranging the fields of the protocol header content of the innermost layer and/or the outermost layer of the tunnel in a preset order and converting them into a hexadecimal character string;
generating a corresponding mask for the protocol header content of the innermost layer and/or the outermost layer of the tunnel, as the basis for identifying tunnel messages;
obtaining the feature code of the tunnel through a logical AND operation of the mask and the character string, wherein, when the feature code of a tunnel message matches the feature code of the corresponding tunnel, the tunnel message is judged to be a hit tunnel message; otherwise, the tunnel message is judged to be a missed tunnel message;
wherein, before the fields of the protocol header contents of the innermost and outermost layers of the tunnel are arranged in the preset order and converted into a hexadecimal character string, the method further comprises the following steps:
analysing, according to the network state, the first tunnel of the innermost layer, which cannot currently be passed through, and obtaining an alternative second tunnel by analysis and calculation;
determining the service data originally set to be transmitted through the first tunnel of the innermost layer, which cannot currently be communicated, and, when packing data packets for the subsequent data of that service data, packing the second tunnel as the innermost-layer tunnel and the first tunnel as the outermost-layer tunnel;
formulating a hit strategy, in which a match that simultaneously contains the respective quintuple information and/or triplet information of both the first tunnel and the second tunnel is judged to be a hit;
wherein the tunnel historically arranged at the innermost layer is designated for use as the highest-priority selected tunnel.
2. The matching method according to claim 1, wherein the tunnel message identification is based on quintuple information and/or triplet information, specifically:
the quintuple information comprises a source IP address SIP, a source port Sport, a destination IP address DIP, a destination port Dport and a protocol number; the triplet information comprises a source IP address SIP, a destination IP address DIP and a protocol number.
3. The matching method based on tunnel messages according to claim 1, wherein the method further comprises:
sending the hit strategy synchronously to the service data request end;
and, according to the repackaged tunnel information, the service data request end, after having partially acquired the service data from the destination address of the first tunnel, acquiring the service data from the destination address of the second tunnel.
4. The matching method based on tunnel messages according to claim 1, wherein a hit tunnel message indicates that the service data request end needs to obtain the remaining content of the service data from the second tunnel at the innermost layer of the current tunnel message while obtaining the historically sent service data from the destination end of the first tunnel at the outermost layer; and only when the matching information jointly constituted by the innermost-layer tunnel and the outermost-layer tunnel is simultaneously satisfied and identical does it correspond to the tunnel object from which the service data to be concatenated must be obtained.
5. A matching device based on tunnel messages, the device comprising:
at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to perform the tunnel message-based matching method of any one of claims 1 to 4.
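The feature-code rule of claim 1 and the joint-layer hit strategy of claim 4, as an added Python example (not code from the patent or its assignee): each layer's header fields are laid out in a preset order as a hex string, a mask keeps the quintuple or only the triplet of that layer, the AND of mask and string gives the feature code, and a packet is a hit only when the outermost and innermost layers match together. The 13-byte field layout, the sample addresses and all function names are assumptions.

```python
"""Added example, not the patent's own implementation. Field layout, sample
tunnel endpoints and function names are constructed assumptions."""
import ipaddress

# Assumed preset field order per header: SIP(4) Sport(2) DIP(4) Dport(2) proto(1)
FIELD_ORDER = (("sip", 4), ("sport", 2), ("dip", 4), ("dport", 2), ("proto", 1))

# Constructed sample: the first tunnel (historically innermost, now outermost)
# and the alternative second tunnel (now innermost).
FIRST_TUNNEL = {"sip": "10.0.0.1", "sport": 4789, "dip": "10.0.0.2", "dport": 4789, "proto": 17}
SECOND_TUNNEL = {"sip": "192.168.1.1", "sport": 40000, "dip": "192.168.1.2", "dport": 4789, "proto": 17}


def header_hex(hdr: dict) -> str:
    """Arrange the header fields in the preset order and emit them as one hex string."""
    out = bytearray()
    for name, size in FIELD_ORDER:
        if name in ("sip", "dip"):
            out += ipaddress.IPv4Address(hdr[name]).packed
        else:
            out += int(hdr[name]).to_bytes(size, "big")
    return out.hex()


def make_mask(use_ports: bool) -> str:
    """Mask for one layer: all-ones for the quintuple, ports zeroed for the triplet."""
    mask = bytearray()
    for name, size in FIELD_ORDER:
        keep = use_ports or name not in ("sport", "dport")
        mask += (b"\xff" if keep else b"\x00") * size
    return mask.hex()


def feature_code(hex_str: str, mask_hex: str) -> str:
    """Logical AND of the hex string with the mask, kept at the mask's fixed width."""
    width = len(mask_hex) // 2
    return (int(hex_str, 16) & int(mask_hex, 16)).to_bytes(width, "big").hex()


def build_rule(outer: dict, inner: dict, outer_ports: bool, inner_ports: bool) -> dict:
    """Rule over both layers: outer header hex followed by inner header hex, one joint mask."""
    mask = make_mask(outer_ports) + make_mask(inner_ports)
    return {"mask": mask, "code": feature_code(header_hex(outer) + header_hex(inner), mask)}


def is_hit(rule: dict, outer: dict, inner: dict) -> bool:
    """Hit only when the outer AND inner layers match the rule under its mask."""
    return feature_code(header_hex(outer) + header_hex(inner), rule["mask"]) == rule["code"]


if __name__ == "__main__":
    rule = build_rule(FIRST_TUNNEL, SECOND_TUNNEL, outer_ports=False, inner_ports=True)
    print("hit:", is_hit(rule, FIRST_TUNNEL, SECOND_TUNNEL))
```

Here the outer layer is matched on its triplet (ports wildcarded) and the inner layer on its full quintuple; a message carrying only one of the two tunnels is a miss.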
CN202111634158.0A 2021-12-29 2021-12-29 Matching method and device based on tunnel message Active CN114338851B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202111634158.0A CN114338851B (en) 2021-12-29 2021-12-29 Matching method and device based on tunnel message
CN202210695134.4A CN115103038B (en) 2021-12-29 2021-12-29 Matching method and device based on tunnel message

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111634158.0A CN114338851B (en) 2021-12-29 2021-12-29 Matching method and device based on tunnel message

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN202210695134.4A Division CN115103038B (en) 2021-12-29 2021-12-29 Matching method and device based on tunnel message

Publications (2)

Publication Number Publication Date
CN114338851A CN114338851A (en) 2022-04-12
CN114338851B true CN114338851B (en) 2022-08-19

Family

ID=81016815

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202210695134.4A Active CN115103038B (en) 2021-12-29 2021-12-29 Matching method and device based on tunnel message
CN202111634158.0A Active CN114338851B (en) 2021-12-29 2021-12-29 Matching method and device based on tunnel message

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN202210695134.4A Active CN115103038B (en) 2021-12-29 2021-12-29 Matching method and device based on tunnel message

Country Status (1)

Country Link
CN (2) CN115103038B (en)


Also Published As

Publication number Publication date
CN115103038B (en) 2023-02-03
CN114338851A (en) 2022-04-12
CN115103038A (en) 2022-09-23


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant