CN114584376B - Traffic handling method, device, equipment and computer readable storage medium


Info

Publication number: CN114584376B
Authority: CN (China)
Application number: CN202210213203.3A
Other languages: Chinese (zh)
Other versions: CN114584376A
Inventor: 甘植旺
Current and original assignee: Cetc Cyberspace Security Research Institute Co ltd
Legal status: Active
Prior art keywords: network element, determining, security, initial, service
Prosecution events: application filed by Cetc Cyberspace Security Research Institute Co ltd with priority to CN202210213203.3A; published as CN114584376A; application granted and published as CN114584376B; legal status active

Classifications

    • H04L 63/1408: network architectures or network communication protocols for network security; detecting or protecting against malicious traffic by monitoring network traffic (H04 Electric communication technique > H04L Transmission of digital information > H04L 63/00 > H04L 63/14)
    • H04L 63/205: network architectures or network communication protocols for network security; managing network security and security policies in general, involving negotiation or determination of the network security mechanisms to be used, e.g. by negotiation between client and server or between peers, or by selection according to the capabilities of the entities involved (H04L 63/00 > H04L 63/20)
    • Y02D 30/50: reducing energy consumption in communication networks, in wire-line communication networks, e.g. low power modes or reduced link rate (Y02 Technologies for mitigation or adaptation against climate change > Y02D Climate change mitigation technologies in ICT > Y02D 30/00)


Abstract

The invention discloses a traffic handling method comprising the following steps: parsing a received initial traffic packet to obtain a target traffic type; determining an initial network element according to the target traffic type; performing a security handling operation on the initial traffic packet using the initial network element to obtain a security handling result and a current traffic packet; determining a next-hop network element corresponding to the target network element according to the security handling result; and performing a security handling operation on the current traffic packet using the next-hop network element. By applying the traffic handling method provided by the invention, unnecessary security network elements are avoided, security service resources are saved, and secure, efficient and automated handling is achieved. The invention also discloses a traffic handling apparatus, a device and a storage medium, which have the corresponding technical effects.

Description

Traffic handling method, device, equipment and computer readable storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a traffic handling method, apparatus, device, and computer readable storage medium.
Background
With the rapid development of new-generation information technologies such as 5G, cloud computing, the Internet of Things and big data, the service scenarios of network information services have diversified, and the traditional way of deploying computing, storage and network service resources on dedicated hardware faces problems such as complex deployment schemes, high migration cost and high later maintenance difficulty. In particular, network security devices based on dedicated hardware (e.g., firewalls, encryption/decryption devices, intrusion detection systems) face the following practical challenges in deployment: first, security capability is fixed and cannot be adjusted dynamically as the network environment changes; second, security functions are difficult to update, since proprietary security devices have long upgrade cycles, high maintenance costs and cumbersome replacement processes, so network attacks are hard to respond to in time; third, security functions overlap, since the functions of security devices offered by different vendors differ, and when devices from several vendors are deployed in the same network their security functions overlap and the redundant functions are wasted.
Network function virtualization (NFV) is a method of deploying network functions based on virtualization technology: it provides network services in virtualized form on general-purpose hardware, so that resources can be recombined and migrated quickly. Applying NFV improves the convenience of maintaining and upgrading network services and greatly reduces network operating costs. A service function chain (SFC) is one application of NFV: a virtual link is constructed to connect several virtual network function (VNF) network elements, and a fixed source node and destination node are set for the traffic, so as to provide sequential, serial network services. A network security service function chain (NS-SFC) deploys security services using SFC technology, with VNFs that are virtual security resources with specific functions. NS-SFC deployment is flexible: it can be deployed in a network as an independent security management and service module, or it can be merged with existing network orchestration by embedding the security network elements and security orchestration rules into the network orchestration system.
The general process of deploying an NS-SFC as an independent security service is as follows. First, for a specific service scenario, a set of security functions such as vFW (virtual firewall), vIDS (virtual intrusion detection system) and vIPS (virtual intrusion prevention system) is defined and instantiated, virtual links are constructed, the corresponding security service policies are configured for specific data packets or network traffic, and several SFCs are formed. When service traffic arrives, it is steered to an existing SFC according to the traffic classifier policy, which provides end-to-end security services for the existing network.
The existing NS-SFC deployment schemes have the following problems. First, the service chain cannot be adjusted dynamically and lacks configuration flexibility. Once the virtual functions have been instantiated and the security policy configured, the service chain does not change, and traffic of the same kind always passes through the same service chain after simple classification, so security services cannot be adjusted according to the actual security handling outcome of the traffic. If data packets are processed serially in a fixed order, they may pass through unnecessary security network elements, which wastes service resources. Second, the selection rules for security service functions are ambiguous. Network security service functions are not independent of one another, and many of them must be used in a strict order, so the sequencing of the security function service selection chain is complex and tedious.
In summary, how to effectively solve the problems that data packets may pass through unnecessary security network elements, wasting service resources, and that the sequencing of the security function service selection chain is complex and tedious is an urgent need for those skilled in the art.
Disclosure of Invention
The invention aims to provide a traffic handling method that avoids unnecessary security network elements, saves security service resources and achieves secure, efficient and automated handling; another object of the present invention is to provide a traffic handling apparatus, a device and a computer readable storage medium.
In order to solve the above technical problems, the invention provides the following technical scheme:
A traffic handling method, comprising:
parsing a received initial traffic packet to obtain a target traffic type;
determining an initial network element according to the target traffic type;
performing a security handling operation on the initial traffic packet using the initial network element to obtain a security handling result and a current traffic packet;
determining a next-hop network element corresponding to the target network element according to the security handling result;
and performing a security handling operation on the current traffic packet using the next-hop network element.
In a specific embodiment of the present invention, determining an initial network element according to the target traffic type includes:
determining a security service function list according to the target traffic type;
and determining the initial network element according to the security service function list.
In a specific embodiment of the present invention, determining, according to the security handling result, a next-hop network element corresponding to the target network element includes:
determining a security function server dependency relationship according to the security service function list;
and determining the next-hop network element corresponding to the target network element by combining the security handling result and the security function server dependency relationship.
In a specific embodiment of the present invention, determining the next-hop network element corresponding to the target network element by combining the security handling result and the security function server dependency relationship includes:
determining the selection weight corresponding to each network element in the security service function list according to the security handling result and the security function server dependency relationship;
and determining the next-hop network element corresponding to the target network element according to the selection weights respectively corresponding to the network elements.
In one embodiment of the present invention, after determining the security service function list according to the target traffic type, the method further includes:
encapsulating the security service function list into the header of the initial traffic packet to obtain a network service header;
and determining the initial network element according to the security service function list includes:
reading the security service function list from the network service header;
and determining the initial network element according to the security service function list.
In one embodiment of the present invention, after obtaining the security handling result and the current traffic packet, the method further includes:
storing the security handling result in the network service header;
and determining the next-hop network element corresponding to the target network element according to the security handling result includes:
reading the security handling result from the network service header;
and determining the next-hop network element corresponding to the target network element according to the security handling result.
In one embodiment of the present invention, the method further comprises:
reading a pre-stored destination port from the network service header when the security handling result is that handling of the traffic is complete, the network service header having pre-stored the source port, destination port, source IP address, destination IP address and transport layer protocol corresponding to the initial traffic packet;
and steering the current traffic packet to the destination port.
A traffic handling apparatus, comprising:
a traffic type obtaining module, configured to parse a received initial traffic packet to obtain a target traffic type;
an initial network element determining module, configured to determine an initial network element according to the target traffic type;
a first security handling module, configured to perform a security handling operation on the initial traffic packet using the initial network element to obtain a security handling result and a current traffic packet;
a next-hop network element determining module, configured to determine a next-hop network element corresponding to the target network element according to the security handling result;
and a second security handling module, configured to perform a security handling operation on the current traffic packet using the next-hop network element.
A traffic handling device, comprising:
a memory for storing a computer program;
and a processor for implementing the steps of the traffic handling method described above when executing the computer program.
A computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the traffic handling method described above.
The traffic handling method provided by the invention parses the received initial traffic packet to obtain the target traffic type; determines an initial network element according to the target traffic type; performs a security handling operation on the initial traffic packet using the initial network element to obtain a security handling result and a current traffic packet; determines a next-hop network element corresponding to the target network element according to the security handling result; and performs a security handling operation on the current traffic packet using the next-hop network element.
According to this technical scheme, the service function path is constructed dynamically according to the security service requirements and the security handling result, so the security service chain is no longer pre-arranged and fixed but is adjusted flexibly according to the current service and the security handling result, achieving dynamic and flexible orchestration of security services. Unnecessary security network elements are avoided and security service resources are saved. The next-hop security network element is determined according to the security service requirement of the current traffic packet, and the whole process is decided automatically by a pre-written program, which reduces the sequencing complexity and tedium of the security function service selection chain and achieves secure, efficient and automated handling.
Correspondingly, the invention further provides a traffic handling apparatus, a device and a computer readable storage medium corresponding to the traffic handling method, which have the same technical effects and are not described again here.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of an implementation of a traffic handling method in an embodiment of the present invention;
FIG. 2 is a block diagram of a security function service system according to an embodiment of the present invention;
FIG. 3 is a flowchart of another implementation of the traffic handling method in an embodiment of the present invention;
FIG. 4 is a schematic diagram of a security function service chain according to an embodiment of the present invention;
FIG. 5 is a block diagram of a traffic handling apparatus according to an embodiment of the present invention;
FIG. 6 is a block diagram of a traffic handling apparatus according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of a specific structure of a traffic handling apparatus according to this embodiment.
Detailed Description
In order to better understand the aspects of the present invention, the present invention will be described in further detail with reference to the accompanying drawings and detailed description. It will be apparent that the described embodiments are only some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to FIG. 1, which is a flowchart of an implementation of a traffic handling method in an embodiment of the present invention, the method may include the following steps:
S101: parse the received initial traffic packet to obtain the target traffic type.
When an initial traffic packet to be handled is received, it is parsed to obtain its target traffic type. Traffic types may include office traffic, access traffic and the like.
S102: determine an initial network element according to the target traffic type.
Referring to FIG. 2, which is a block diagram of a security function service system according to an embodiment of the present invention: virtual security services (VNFs) are instantiated on the virtualized infrastructure (VIM) according to the security function requirements of the service scenario and the constraints of computing resource capacity, a virtual link (VL) from each VNF to the service function forwarder is constructed, and a security resource pool $\{VNF_i\}_{0 \le i \le n}$ of n security function service network elements together with the virtual link set $\{VL_i\}_{0 \le i \le n}$ are formed, ensuring a logical connection between the security function service network elements and the service function forwarder. The initial traffic packet enters the traffic classifier from the traffic ingress, is forwarded by the service function forwarder to the corresponding network element for handling, and the current traffic packet obtained after handling is finally output through the traffic egress.
After the target traffic type of the initial traffic packet is obtained by parsing, the initial network element is determined according to that type. The classifier can be used for this: for example, when the target traffic type indicates that the traffic packet needs to be encrypted, the network element with the encryption function is determined to be the initial network element; when it indicates that the traffic packet needs to be blocked, the network element with the blocking function is determined to be the initial network element.
S103: perform a security handling operation on the initial traffic packet using the initial network element to obtain a security handling result and a current traffic packet.
After the initial network element is determined, it performs the security handling operation on the initial traffic packet, producing a security handling result and a current traffic packet. For example, if the initial network element is one with an encryption function, it encrypts the initial traffic packet, and the current traffic packet is obtained in ciphertext form.
S104: determine a next-hop network element corresponding to the target network element according to the security handling result.
After the security handling result and the current traffic packet are obtained, the security service function required by the current traffic packet is determined from the security handling result, and the next-hop network element corresponding to the target network element is determined according to that required security service function.
S105: perform a security handling operation on the current traffic packet using the next-hop network element.
After the next-hop network element corresponding to the target network element is determined according to the security handling result, it performs the security handling operation on the current traffic packet.
According to this technical scheme, the service function path is constructed dynamically according to the security service requirements and the security handling result, so the security service chain is no longer pre-arranged and fixed but is adjusted flexibly according to the current service and the security handling result, achieving dynamic and flexible orchestration of security services. Unnecessary security network elements are avoided and security service resources are saved. The next-hop security network element is determined according to the security service requirement of the current traffic packet, and the whole process is decided automatically by a pre-written program, which reduces the sequencing complexity and tedium of the security function service selection chain and achieves secure, efficient and automated handling.
It should be noted that, based on the above embodiment, the embodiments of the present invention further provide corresponding improvements. Steps in the following embodiments that are the same as, or correspond to, steps in the above embodiment may be referred to each other, as may the corresponding beneficial effects, and they are not described in detail again in the following modified embodiments.
Referring to FIG. 3, which is a flowchart of another implementation of a traffic handling method in an embodiment of the present invention, the method may include the following steps:
S301: parse the received initial traffic packet to obtain the target traffic type.
S302: determine a security service function list according to the target traffic type.
After the target traffic type of the initial traffic packet is obtained by parsing, a security service function list is determined according to it. The security service function list contains the information of each network element that may be required to handle the initial traffic packet.
S303: determine the initial network element according to the security service function list.
After the security service function list is determined according to the target traffic type, the initial network element is determined from the list. For example, the network elements in the security service function list are given a preliminary ranking according to the security function server dependency relationship summarized from experience in advance, and the network element ranked first in that preliminary ranking is determined to be the initial network element.
In a specific embodiment of the present invention, after step S302 the method may further include:
encapsulating the security service function list into the header of the initial traffic packet to obtain a network service header;
and accordingly, step S303 may include:
step one: reading the security service function list from the network service header;
step two: determining the initial network element according to the security service function list.
For convenience of description, the above steps are explained together.
After the security service function list is determined according to the target traffic type, it is encapsulated into the header of the initial traffic packet, producing a network service header (NSH). When the initial network element is to be determined, the security service function list is read from the network service header and the initial network element is determined from it.
S304: perform a security handling operation on the initial traffic packet using the initial network element to obtain a security handling result and a current traffic packet.
S305: store the security handling result in the network service header.
After the initial network element has performed the security handling operation on the initial traffic packet, the security handling result is stored in the network service header; for example, it may be stored in the network service header as metadata.
S306: determine the security function server dependency relationship according to the security service function list.
Each network element in the security service function list has a corresponding dependency relationship; after the security handling result is stored in the network service header, the security function server dependency relationship is determined according to the security service function list.
S307: read the security handling result from the network service header.
When the next-hop network element needs to be determined, the security handling result is read from the network service header.
S308: determine the next-hop network element corresponding to the target network element by combining the security handling result and the security function server dependency relationship.
After the security handling result is read, the next-hop network element corresponding to the target network element is determined by combining the security handling result and the security function server dependency relationship. Combining the two greatly improves the accuracy of the determined next-hop network element.
In one embodiment of the present invention, step S308 may include:
step one: determining the selection weight corresponding to each network element in the security service function list according to the security handling result and the security function server dependency relationship;
step two: determining the next-hop network element corresponding to the target network element according to the selection weights respectively corresponding to the network elements.
For convenience of description, the above two steps are explained together.
Referring to FIG. 4, which is a logic diagram of a security function service chain according to an embodiment of the present invention: between the source node and the destination node there are several service function chains (SFCs) made up of the network elements. After the security handling result and the security function server dependency relationship have been obtained, the selection weight of each network element in the security service function list is determined from them. Because different traffic packet ingresses may exist in the network, the selection weight of each network element can be determined according to the security handling result and the number of branches (bifurcations) of that network element, and the next-hop network element corresponding to the target network element is then determined according to the selection weights of the network elements. Network elements with multiple branches are advanced in order, the traffic is classified using the branching priority of the network elements, and the number of subsequent converging network elements is reduced.
The next-hop network element may be calculated as follows:
Step 1: calculate the dependency weight $\{D(VNF_j)\}_{0 \le j \le m}$ of each network element in $\{VNF_j\}_{0 \le j \le m}$.
The function $D(x)$ is calculated as follows:
(1) If …, then $D(x) = 1$ and the calculation stops;
(2) If …, then $D(x) = \sum_{y \in S(x)} D(y)$,
where $S(x)$ is the set of elements in $\{VNF_j\}_{0 \le j \le m}$ that have a lower-level dependency on network element $x$.
Step 2: select $VNF_k$ with the maximum value $D(VNF_k)$ among $\{D(VNF_j)\}_{0 \le j \le m}$.
Step 3: $VNF_k$ is determined to be the next-hop security function service network element.
S309: a security handling operation is performed on the current traffic packet by the next-hop network element.
S310: when the security handling result is that handling of the traffic is complete, the pre-stored destination port is read from the network service header.
The network service header pre-stores the source port, destination port, source IP address, destination IP address and transport layer protocol corresponding to the initial traffic packet. Because these fields are stored in the header in advance, the destination port can be read directly from the network service header once the security handling result indicates that handling of the traffic is complete.
S311: the current traffic packet is forwarded to the destination port.
After the pre-stored destination port has been read from the network service header, the current traffic packet is forwarded to that destination port, which completes the whole traffic handling process. When the security handling result is traffic blocking, a handling report is generated and the flow is terminated.
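The next-hop calculation of Steps 1 to 3 and the terminal handling of S309 to S311, as an added Python example that is not part of the patent or its applicant's code. The dependency graph, the header fields, the five network elements and their pass/block checks are all constructed for the example. The page leaves the condition of case (1) blank, so the example assumes $D(x) = 1$ exactly when $S(x)$ is empty, and it also assumes that the initial network element is chosen by the same maximum-weight rule as every later hop:

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List

# Added example, not the patent's own code. x -> S(x): the elements that have a
# lower-level dependency on x (they may only run after x). Graph is constructed.
Deps = Dict[str, FrozenSet[str]]
Handler = Callable[["NetworkServiceHeader", bytes], str]   # returns "pass"/"block"


@dataclass
class NetworkServiceHeader:
    """Network service header carried with the packet (field names constructed)."""
    service_list: List[str]           # security service function list
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int                     # read back at S310 once handling completes
    transport: str
    handling_result: str = "pending"  # "pending" | "pass" | "completed" | "blocked"


def dependency_weights(deps: Deps) -> Dict[str, int]:
    """Step 1: D(x) for every element. Assumed base case: D(x) = 1 when S(x) is
    empty; otherwise D(x) = sum of D(y) over y in S(x). Cycles are rejected."""
    memo: Dict[str, int] = {}

    def d(x: str, stack: FrozenSet[str]) -> int:
        if x in memo:
            return memo[x]
        if x in stack:
            raise ValueError(f"dependency cycle through {x}")
        lower = deps.get(x, frozenset())
        memo[x] = 1 if not lower else sum(d(y, stack | {x}) for y in lower)
        return memo[x]

    for x in list(deps):
        d(x, frozenset())
    return memo


def select_next_hop(candidates: List[str], weights: Dict[str, int]) -> str:
    """Steps 2-3: the candidate with the largest D(); ties keep service-list order."""
    return max(candidates, key=lambda x: (weights.get(x, 1), -candidates.index(x)))


def handle_traffic(nsh: NetworkServiceHeader, payload: bytes,
                   handlers: Dict[str, Handler], deps: Deps) -> dict:
    """Drive one packet along the dynamically built service function path."""
    weights = dependency_weights(deps)
    remaining = list(nsh.service_list)
    path: List[str] = []
    current = select_next_hop(remaining, weights)   # assumption: initial element
    remaining.remove(current)
    while True:
        path.append(current)
        nsh.handling_result = handlers[current](nsh, payload)  # stored in header
        if nsh.handling_result == "block":
            nsh.handling_result = "blocked"         # report, flow terminated
            return {"path": path, "dst_port": None,
                    "report": f"traffic blocked by {current}"}
        if not remaining:
            nsh.handling_result = "completed"       # S310/S311: forward to port
            return {"path": path, "dst_port": nsh.dst_port, "report": None}
        current = select_next_hop(remaining, weights)
        remaining.remove(current)


# Constructed network elements with deliberately simple checks.
ALLOWED_PORTS = {80, 443}
IDS_SIGNATURE = b"TEST-SIGNATURE"   # constructed marker standing in for a rule

def firewall(nsh, payload): return "pass" if nsh.dst_port in ALLOWED_PORTS else "block"
def ids(nsh, payload): return "block" if IDS_SIGNATURE in payload else "pass"
def waf(nsh, payload): return "block" if b"../" in payload else "pass"
def dpi(nsh, payload): return "pass" if nsh.transport == "tcp" else "block"
def logger(nsh, payload): return "pass"

HANDLERS: Dict[str, Handler] = {"firewall": firewall, "ids": ids, "waf": waf,
                                "dpi": dpi, "logger": logger}

# Constructed graph: ids and waf run after firewall; dpi and logger run after ids.
DEPS: Deps = {"firewall": frozenset({"ids", "waf"}), "ids": frozenset({"dpi", "logger"}),
              "waf": frozenset(), "dpi": frozenset(), "logger": frozenset()}


def make_header(dst_port: int = 443, transport: str = "tcp") -> NetworkServiceHeader:
    # Service list intentionally out of dependency order; the weights reorder it.
    return NetworkServiceHeader(["dpi", "waf", "logger", "ids", "firewall"],
                                "10.0.0.5", "10.0.0.9", 51000, dst_port, transport)


if __name__ == "__main__":
    print(dependency_weights(DEPS))
    print(handle_traffic(make_header(), b"GET /index.html HTTP/1.1", HANDLERS, DEPS))
    print(handle_traffic(make_header(dst_port=23), b"hello", HANDLERS, DEPS))
```

With this graph the weights are firewall 3, ids 2 and 1 for the rest, so the packet visits firewall, then ids, then the remaining elements in list order: the element that the most other elements depend on is pulled to the front of the path, which is how the weight rule encodes ordering constraints without a pre-arranged chain. Note that the rule alone does not guarantee a valid order when two elements tie on weight but one depends on the other; a deployment would need a tie-break that respects $S(x)$.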
Corresponding to the above method embodiments, the present invention also provides a traffic handling apparatus; the traffic handling apparatus described below and the traffic handling method described above may be referred to in correspondence with each other.
Referring to fig. 5, fig. 5 is a block diagram illustrating a traffic handling apparatus according to an embodiment of the present invention; the apparatus may include:
a traffic type obtaining module 51, configured to parse the received initial traffic packet to obtain a target traffic type;
an initial network element determining module 52, configured to determine an initial network element according to the target traffic type;
a first security handling module 53, configured to perform a security handling operation on the initial traffic packet by using the initial network element, so as to obtain a security handling result and a current traffic packet;
a next-hop network element determining module 54, configured to determine a next-hop network element corresponding to the target network element according to the security handling result;
a second security handling module 55, configured to perform a security handling operation on the current traffic packet by using the next-hop network element.
According to the technical scheme, by dynamically constructing the service function path according to the security service requirement and the security handling result, the security service chain is no longer pre-arranged and fixed but is adjusted flexibly according to the current service and the security handling result, so that dynamic and flexible arrangement of the security service is realized. Unnecessary security network elements are avoided and security service resources are saved. The next-hop security network element can be determined according to the security service requirement of the current traffic packet, and the whole process is decided automatically by a pre-written program, so that the sequencing complexity of the security function service selection chain is reduced and secure, efficient and automatic handling is realized.
In one embodiment of the present invention, the initial network element determining module 52 includes:
The service list determination submodule is used for determining a safety service function list according to the target flow type;
and the initial network element determining submodule is used for determining the initial network element according to the safety service function list.
In one embodiment of the present invention, the next hop network element determining module 54 includes:
The dependency relationship determination submodule is used for determining the dependency relationship of the safety function server according to the safety service function list;
And the next-hop network element determining submodule is used for determining the next-hop network element corresponding to the target network element by combining the security disposal result and the security function server dependency relationship.
In a specific embodiment of the present invention, the next hop network element determining submodule includes:
A selection weight determining unit, configured to determine selection weights corresponding to each network element in the security service function list according to the security handling result and the security function server dependency relationship;
and the next-hop network element determining unit is used for determining the next-hop network element corresponding to the target network element according to the selection weights respectively corresponding to the network elements.
In one embodiment of the present invention, the apparatus may further include:
the network service header obtaining module is used for packaging the safety service function list to the head of the initial flow packet after determining the safety service function list according to the target flow type to obtain a network service header;
The initial network element determination submodule includes:
a service list reading unit for reading the security service function list from the network service header;
and the initial network element determining unit is used for determining the initial network element according to the security service function list.
In one embodiment of the present invention, the apparatus may further include:
A handling result storage module for storing the security handling result to the network service header after obtaining the security handling result and the current traffic packet;
The next hop network element determination module 54 includes:
A security handling result reading sub-module for reading the security handling result from the network service header;
And the next-hop network element determining submodule is used for determining the next-hop network element corresponding to the target network element according to the safety disposal result.
In one embodiment of the present invention, the apparatus may further include:
a port reading module, used for reading a pre-stored destination port from the network service header when the security handling result is that handling of the traffic is complete; the network service header pre-stores a source port, a destination port, a source IP address, a destination IP address and a transport layer protocol corresponding to the initial traffic packet;
and a traffic packet forwarding module, used for forwarding the current traffic packet to the destination port.
Corresponding to the above method embodiment, referring to fig. 6, fig. 6 is a schematic diagram of a traffic handling device provided by the present invention, which may include:
a memory 332 for storing a computer program;
a processor 322 for implementing the steps of the traffic handling method of the above method embodiment when executing the computer program.
Specifically, referring to fig. 5, fig. 5 is a schematic diagram of a specific structure of a traffic handling device according to the present embodiment. The traffic handling device may differ considerably depending on its configuration or performance, and may include one or more processors (central processing unit, CPU) 322 and a memory 332, where the memory 332 stores one or more computer applications 342 or data 344. The memory 332 may be transient storage or persistent storage. The program stored in the memory 332 may include one or more modules (not shown), each of which may include a series of instruction operations for the data processing apparatus. Further, the processor 322 may be configured to communicate with the memory 332 so as to execute the series of instruction operations held in the memory 332 on the traffic handling device 301.
The traffic handling device 301 may also include one or more power supplies 326, one or more wired or wireless network interfaces 350, one or more input output interfaces 358, and/or one or more operating systems 341.
The steps in the traffic handling method described above may be implemented by the structure of the traffic handling device.
Corresponding to the above method embodiments, the present invention also provides a computer readable storage medium having a computer program stored thereon which, when executed by a processor, performs the steps of:
parsing the received initial traffic packet to obtain a target traffic type; determining an initial network element according to the target traffic type; performing a security handling operation on the initial traffic packet by using the initial network element to obtain a security handling result and a current traffic packet; determining a next-hop network element corresponding to the target network element according to the security handling result; and performing a security handling operation on the current traffic packet by using the next-hop network element.
The computer readable storage medium may include: a USB flash drive (U-disk), a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
For the description of the computer readable storage medium provided by the present invention, refer to the above method embodiments; the disclosure is not repeated here.
In this specification, each embodiment is described in a progressive manner, and each embodiment focuses on its differences from the other embodiments, so the same or similar parts between the embodiments may be referred to one another. The apparatus, device and computer readable storage medium of the embodiments are described more briefly because they correspond to the methods of the embodiments, and their description refers to the method section.
The principles and embodiments of the present invention have been described herein with reference to specific examples, but the description of the examples above is only for aiding in understanding the technical solution of the present invention and its core ideas. It should be noted that it will be apparent to those skilled in the art that various modifications and adaptations of the invention can be made without departing from the principles of the invention and these modifications and adaptations are intended to be within the scope of the invention as defined in the following claims.

Claims (7)

1. A method of traffic handling, comprising:
parsing the received initial traffic packet to obtain a target traffic type;
determining a security service function list according to the target traffic type;
determining an initial network element according to the security service function list;
performing a security handling operation on the initial traffic packet by using the initial network element to obtain a security handling result and a current traffic packet;
determining a security function server dependency relationship according to the security service function list;
determining the selection weights corresponding to the network elements in the security service function list according to the security handling result and the security function server dependency relationship;
determining a next-hop network element corresponding to the target network element according to the selection weights respectively corresponding to the network elements;
and performing a security handling operation on the current traffic packet by using the next-hop network element.
2. The traffic handling method according to claim 1, further comprising, after determining a list of security service functions from the target traffic type:
encapsulating the security service function list to the head of the initial flow packet to obtain a network service header;
Determining the initial network element according to the security service function list, including:
reading the list of security service functions from the network service header;
and determining the initial network element according to the security service function list.
3. The traffic handling method according to claim 2, further comprising, after obtaining the security handling result and the current traffic packet:
Storing the security disposition result to the network service header;
Determining a next-hop network element corresponding to the target network element according to the security treatment result, including:
reading the security handling result from the network service header;
and determining a next-hop network element corresponding to the target network element according to the safety treatment result.
4. The traffic handling method according to claim 3, further comprising:
reading a pre-stored destination port from the network service header when the security handling result is that handling of the traffic is complete; the network service header pre-stores a source port, a destination port, a source IP address, a destination IP address and a transport layer protocol corresponding to the initial traffic packet;
and forwarding the current traffic packet to the destination port.
5. A traffic handling apparatus, comprising:
a traffic type obtaining module, used for parsing the received initial traffic packet to obtain a target traffic type;
an initial network element determining module, comprising a service list determining sub-module and an initial network element determining sub-module, wherein the service list determining sub-module is used for determining a security service function list according to the target traffic type;
the initial network element determining sub-module is used for determining an initial network element according to the security service function list;
a first security handling module, used for performing a security handling operation on the initial traffic packet by using the initial network element to obtain a security handling result and a current traffic packet;
a next-hop network element determining module, comprising a dependency determining sub-module and a next-hop network element determining sub-module, wherein the dependency determining sub-module is used for determining a security function server dependency relationship according to the security service function list;
the next-hop network element determining sub-module comprises a selection weight determining unit and a next-hop network element determining unit, wherein the selection weight determining unit is used for determining the selection weight corresponding to each network element in the security service function list according to the security handling result and the security function server dependency relationship;
the next-hop network element determining unit is used for determining a next-hop network element corresponding to the target network element according to the selection weights respectively corresponding to the network elements;
and a second security handling module, used for performing a security handling operation on the current traffic packet by using the next-hop network element.
6. A traffic handling device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the traffic handling method according to any of claims 1 to 4 when executing said computer program.
7. A computer readable storage medium, characterized in that the computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the steps of the traffic handling method according to any of claims 1 to 4.
CN202210213203.3A 2022-03-04 2022-03-04 Traffic handling method, device, equipment and computer readable storage medium Active CN114584376B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210213203.3A CN114584376B (en) 2022-03-04 2022-03-04 Traffic handling method, device, equipment and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN114584376A CN114584376A (en) 2022-06-03
CN114584376B true CN114584376B (en) 2024-04-26

Family

ID=81774344

Country Status (1)

Country Link
CN (1) CN114584376B (en)

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106533966A (en) * 2016-05-27 2017-03-22 清华大学 Network service resource arranging method and apparatus
CN107548024A (en) * 2016-06-27 2018-01-05 中兴通讯股份有限公司 A kind of traffic management, acquisition methods, device and core net node
CN107911258A (en) * 2017-12-29 2018-04-13 深信服科技股份有限公司 A kind of realization method and system in the secure resources pond based on SDN network
CN108173761A (en) * 2017-12-22 2018-06-15 南京邮电大学 A kind of method for optimizing resources of SDN and NFV fusions
CN108173759A (en) * 2016-12-07 2018-06-15 中国电信股份有限公司 Selection method, device and the gateway in business function path
CN109922002A (en) * 2017-12-13 2019-06-21 中国电信股份有限公司 Business datum retransmission method and Overlay system based on SFC
US10333822B1 (en) * 2017-05-23 2019-06-25 Cisco Technology, Inc. Techniques for implementing loose hop service function chains price information
CN110086675A (en) * 2019-05-05 2019-08-02 广东技术师范大学 Construction method, equipment and the computer readable storage medium of service chaining
WO2019242715A1 (en) * 2018-06-22 2019-12-26 贵州白山云科技股份有限公司 Virtual cloud network control method and system, and network device
CN111343025A (en) * 2020-03-04 2020-06-26 中国科学技术大学苏州研究院 Extensible server deployment method in function virtualization network
CN111464443A (en) * 2020-03-10 2020-07-28 中移(杭州)信息技术有限公司 Message forwarding method, device, equipment and storage medium based on service function chain
CN111654386A (en) * 2020-01-15 2020-09-11 许继集团有限公司 Method and system for establishing service function chain
CN113708972A (en) * 2021-08-31 2021-11-26 广东工业大学 Service function chain deployment method and device, electronic equipment and storage medium
CN114024746A (en) * 2021-11-04 2022-02-08 北京天融信网络安全技术有限公司 Network message processing method, virtual switch and processing system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020010557A1 (en) * 2018-07-11 2020-01-16 上海诺基亚贝尔股份有限公司 Implementation of service function chain on basis of software-defined network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant