CN114827044B - Message processing method, device and network equipment - Google Patents


Info

Publication number: CN114827044B
Authority: CN (China)
Application number: CN202210454424.XA
Other languages: Chinese (zh)
Other versions: CN114827044A
Inventor: 任丹丹
Current assignee: New H3C Security Technologies Co Ltd
Original assignee: New H3C Security Technologies Co Ltd
Legal status: Active
Events: application filed by New H3C Security Technologies Co Ltd; priority to CN202210454424.XA; publication of CN114827044A; application granted; publication of CN114827044B

Classifications

H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2483 Traffic characterised by specific attributes, e.g. priority or QoS, involving identification of individual flows
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Abstract

This application provides a message processing method, a message processing device and a network device, where the network device comprises a CPU and a forwarding chip. The CPU receives, from the forwarding chip, a network packet of a data flow; performs application identification on the data flow according to the data in the packet; if the data flow is identified as having a corresponding application based on the packet, generates a session table entry according to the packet characteristics of the packet; and issues the session table entry to the forwarding chip, so that after receiving a new packet of the flow the forwarding chip forwards it according to the session table entry. Once the application has been identified, the remaining packets of the flow therefore do not have to be sent to the CPU and are forwarded directly by the forwarding chip, which raises the forwarding rate of packets in the network device while still identifying the application effectively, and improves the processing performance of the network device.

Description

Message processing method, device and network equipment
Technical Field
The present invention relates to the field of communications technologies, and in particular to a method, an apparatus and a network device for processing messages. In this document "message" denotes a network packet; the two terms are used interchangeably below.
Background
With the continuing development of internet technology, new networks place new demands on network security, and traffic forwarding control is based on users and applications. To meet these demands, firewalls increasingly need the ability to identify users and applications so that flow control can be finer-grained and more visible. Traditionally a network application was equated with a port, so application-based flow control could be implemented simply by permitting or blocking ports. In today's networks most applications are concentrated on a few ports and are increasingly web-based, so a specific application cannot be identified from the port alone; identifying applications from traffic content is therefore becoming more and more urgent.
A gateway device forwards packets in one of two modes: software forwarding and hardware forwarding. In software forwarding a CPU (central processing unit) can process the traffic in detail and so implement richer functions. In hardware forwarding the packet is processed and forwarded by a hardware logic chip (also called a forwarding chip) such as an FPGA (field programmable gate array) or an ASIC (application specific integrated circuit), which is faster, but the hardware logic chip cannot inspect the packet any further. Consequently, to identify applications from traffic content, the packets of each data flow must be sent to the CPU, which identifies the content of the packets; but once a data flow has been sent to the CPU it is forwarded in software from then on, which significantly reduces the performance of the gateway device.
Therefore, how to raise the forwarding rate of packets in a network device while application identification is performed, identify applications effectively and improve the processing performance of the network device is a technical problem worth considering.
Disclosure of Invention
In view of this, the present application provides a method, an apparatus and a network device for processing packets, which are used to raise the forwarding rate of packets in a network device while application identification is performed, to identify applications effectively and to improve the processing performance of the network device.
Specifically, the application is realized by the following technical solutions:
According to a first aspect of the present application, a packet processing method is provided, which is applied to a CPU in a network device, where the network device further includes a forwarding chip. The method comprises the following steps:
receiving a network packet of a data flow sent by the forwarding chip;
performing application identification on the data flow according to the data in the packet;
if the data flow is identified as having a corresponding application based on the packet, generating a session table entry according to the packet characteristics of the packet;
and issuing the session table entry to the forwarding chip, so that after the forwarding chip receives a new packet of the flow it forwards the new packet according to the session table entry.
According to a second aspect of the present application, a packet processing method is provided, which is applied to a forwarding chip in a network device, where the network device further includes a CPU. The method comprises the following steps:
sending a received network packet of a data flow to the CPU;
receiving a session table entry issued by the CPU, where the session table entry is generated by the CPU according to the packet characteristics of the packet when the CPU identifies, based on the packet, that the data flow has a corresponding application;
receiving a new packet of the data flow;
and forwarding the new packet according to the session table entry.
According to a third aspect of the present application, a packet processing apparatus is provided, located in a central processing unit (CPU) of a network device, where the network device further includes a forwarding chip. The apparatus comprises:
a receiving module, used to receive a network packet of a data flow sent by the forwarding chip;
an identification module, used to perform application identification on the data flow according to the data in the packet;
a generation module, used to generate a session table entry according to the packet characteristics of the packet if the identification module identifies, based on the packet, that the data flow has a corresponding application;
and a sending module, used to issue the session table entry to the forwarding chip, so that after the forwarding chip receives a new packet of the flow it forwards the new packet according to the session table entry.
According to a fourth aspect of the present application, a packet processing apparatus is provided, located in a forwarding chip of a network device, where the network device further includes a central processing unit (CPU). The apparatus comprises:
a first receiving module, used to receive a network packet of a data flow;
a sending module, used to send the packet to the CPU;
a second receiving module, used to receive a session table entry issued by the CPU, where the session table entry is generated by the CPU according to the packet characteristics of the packet when the CPU identifies, based on the packet, that the data flow has a corresponding application;
the first receiving module being further used to receive a new packet of the data flow;
and a forwarding module, used to forward the new packet according to the session table entry.
According to a fifth aspect of the present application, a network device is provided, including a central processing unit (CPU) and a forwarding chip, where the CPU is configured to execute the packet processing method of the first aspect and the forwarding chip is configured to execute the packet processing method of the second aspect.
According to a sixth aspect of the present application, a machine-readable storage medium is provided, storing a computer program which, when invoked and executed by a central processing unit (CPU), causes the processor to perform the method of the first aspect of the embodiments of the present application.
The beneficial effects of the embodiments of the present application are as follows:
In the packet processing method, packet processing apparatus and network device provided by the embodiments of the present application, after receiving a network packet of a data flow sent by the forwarding chip, the CPU performs application identification on the data flow according to the data in the packet; when the data flow is identified as having a corresponding application based on the packet, a session table entry is generated according to the packet characteristics of the packet; and the session table entry is then issued to the forwarding chip, so that after receiving a new packet of the flow the forwarding chip can forward it according to the session table entry. The forwarding chip therefore does not need to send every packet of the data flow to the CPU one by one for application identification; once it has received the session table entry it forwards subsequently received packets directly on the basis of that entry. This greatly raises the forwarding rate of packets and improves the processing performance of the network device while still identifying the application.
Drawings
Fig. 1 is a flow chart of a packet processing method provided in an embodiment of the present application;
Fig. 2 is a flow chart of another packet processing method provided in an embodiment of the present application;
Fig. 3 is a schematic structural diagram of a packet processing apparatus provided in an embodiment of the present application;
Fig. 4 is a schematic structural diagram of another packet processing apparatus provided in an embodiment of the present application;
Fig. 5 is a schematic diagram of the hardware structure of a network device for implementing a packet processing method provided in an embodiment of the present application.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. Where the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present application; they are merely examples of apparatus and methods consistent with the aspects described herein.
The terminology used in the present application is for the purpose of describing particular embodiments only and is not intended to limit the present application. As used in this application, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the corresponding listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, this information should not be limited by these terms; they are only used to distinguish one type of information from another. For example, a first packet may also be referred to as a second packet, and similarly a second packet may also be referred to as a first packet, without departing from the scope of the present application. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
The packet processing method provided in the present application is described in detail below.
Referring to Fig. 1, Fig. 1 is a flow chart of a packet processing method provided in the present application. The method is applied to a CPU in a network device, where the network device further includes a forwarding chip. When the CPU in the network device implements the packet processing method, the method may comprise the following steps:
S101, receiving a network packet of a data flow sent by the forwarding chip.
In this step, since the forwarding chip itself has no application identification capability, in order to determine whether a received data flow has an application the forwarding chip must upload the received packets of each data flow to the CPU, so that the CPU performs application identification based on the received packets.
S102, performing application identification on the data flow according to the data in the packet.
In this step, to avoid the CPU coming under heavy processing pressure, and packet forwarding performance suffering, because every packet of a data flow is uploaded to the CPU and the CPU has to perform application identification on each one, this application proposes that after the forwarding chip receives a data flow from outside, it keeps uploading the packets of that flow to the CPU only until the CPU issues a session table entry; after receiving a packet, the CPU performs application identification according to the data in it. The matching itself may use any currently available application identification method. For example, the data in the packet may be, but is not limited to, a domain name: the CPU checks whether the domain name in the packet is the application domain name of a preconfigured application, and if so confirms that the application has been identified, that is, that the data flow to which the packet belongs has a corresponding application. For instance, in the packets exchanged between a client and a server, the first packet after the TCP three-way handshake is the ClientHello of the SSL/TLS negotiation, and it carries the domain name of the application to be accessed (in the server_name extension), for example www.baidu.com; when this packet is received and the domain name it carries is recognized as a Baidu domain name, the application corresponding to the data flow to which the packet belongs can be determined to be Baidu.
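As an added example (not code from the patent or from New H3C), the following Python parses the TLS ClientHello described above, extracts the server_name (SNI) extension and maps it to a preconfigured application table. The application table (APP_DOMAINS), the suffix-matching rule and the ClientHello bytes built by build_client_hello() are assumptions constructed for the illustration; the parser returns None for anything that is not a complete ClientHello (an empty TCP handshake segment, an HTTP request, or a truncated record), which is the "not identified yet" outcome that makes the CPU wait for the next packet of the flow.

```python
"""Application identification from the TLS ClientHello server_name (SNI).

Added example; this is not code from the patent or from New H3C. The
preconfigured application table and the ClientHello built by
build_client_hello() are constructed for this illustration.
"""
import struct

# Hypothetical preconfigured application table: domain suffix -> application name.
APP_DOMAINS = {"baidu.com": "baidu", "example.org": "example"}


def extract_sni(payload: bytes):
    """Return the server_name of a TLS ClientHello, or None if this packet is not a
    complete ClientHello (TCP handshake segments have no payload at all)."""
    # TLS record header: content_type(1) version(2) length(2); 0x16 = handshake.
    if len(payload) < 5 or payload[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", payload[3:5])[0]
    hs = payload[5:5 + rec_len]
    # Handshake header: msg_type(1) length(3); 0x01 = ClientHello.
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:            # truncated: cannot decide from this packet
        return None
    pos = 2 + 32                      # client_version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]              # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]              # compression_methods
    if len(body) < pos + 2:
        return None                   # no extensions block, hence no SNI
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end <= len(body):
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        ext = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == 0x0000 and len(ext) >= 5:          # server_name extension
            # ServerNameList: list_len(2) name_type(1) name_len(2) host_name
            name_type, name_len = ext[2], struct.unpack("!H", ext[3:5])[0]
            if name_type == 0 and len(ext) >= 5 + name_len:
                try:
                    return ext[5:5 + name_len].decode("ascii")
                except UnicodeDecodeError:
                    return None
    return None


def identify_application(payload: bytes):
    """Map the SNI to a preconfigured application; None means 'not identified from this packet'."""
    sni = extract_sni(payload)
    if sni is None:
        return None
    host = sni.lower().rstrip(".")
    for suffix, app in APP_DOMAINS.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return None


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello carrying only a server_name extension."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name         # name_type 0 = host_name
    sni_ext = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)                                   # client_version, random
            + b"\x00"                                                  # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"                       # one cipher suite
            + b"\x01\x00"                                              # null compression
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for p in (b"", build_client_hello("www.baidu.com"), b"GET / HTTP/1.1\r\n"):
        print(extract_sni(p), identify_application(p))
```

Running the block prints the SNI and the matched application for three constructed payloads. The suffix match is only one plausible rule; a production identifier would also have to reassemble a ClientHello split across several TCP segments, which this parser deliberately reports as "not identified" so that the CPU keeps waiting rather than installing an entry on incomplete data.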
S103, if the data flow is identified as having a corresponding application based on the packet, generating a session table entry according to the packet characteristics of the packet.
In this step, when the data flow is identified as having a corresponding application based on the packet received this time, the application has been identified, and the CPU therefore no longer needs to identify subsequent packets one by one, which would affect the forwarding rate. Specifically, the packet characteristics of the packet are written into the session table entry.
S104, issuing the session table entry to the forwarding chip, so that after the forwarding chip receives a new packet of the flow it forwards the new packet according to the session table entry.
In this step, to forward the packets of each data flow normally and improve forwarding performance, the CPU issues the generated session table entry to the forwarding chip. When the forwarding chip then receives a new packet of the flow, it can forward that packet according to the session table entry.
By implementing the packet processing method provided by the present application, after receiving a network packet of a data flow sent by the forwarding chip, the CPU performs application identification on the data flow according to the data in the packet; when the data flow is identified as having a corresponding application based on the packet, a session table entry is generated according to the packet characteristics of the packet; and the session table entry is then issued to the forwarding chip, so that after receiving a new packet of the flow the forwarding chip can forward it according to the session table entry. The forwarding chip therefore does not need to send every packet of the data flow to the CPU one by one for application identification; once it has received the session table entry it forwards subsequently received packets directly on the basis of that entry, which greatly raises the forwarding rate of packets and improves the processing performance of the network device while still identifying the application.
Optionally, before the session table entry is generated according to the packet characteristics of the packet, the method further includes: querying the application control policy of the corresponding application; and confirming that the application control policy allows the data flow corresponding to the application to pass.
On this basis, the packet processing method provided in this embodiment further includes: forwarding the packet when it is confirmed that the data flow corresponding to the application is allowed to pass.
Specifically, when an application has been identified in step S103, the application control policy corresponding to the identified application is queried, and it is confirmed whether that policy permits the data flow of the application to pass. When the action of the application control policy is "permit", the packet is forwarded out; when the action is "deny", the packet is discarded.
It should be noted that the network device may store the application control policy of each application in advance, and the application control policy of each application may be updated dynamically.
On this basis, the session table entry contains only the packet characteristics of the packet, and these characteristics are the same as those of the subsequent packets of the data flow. After the forwarding chip receives a new packet, it matches the packet characteristics in the new packet against the session table entry; when the match succeeds, the new packet hits the session table entry and the forwarding chip forwards it out directly, without reporting it to the CPU for application identification, which raises the packet forwarding speed. Note that the forwarding chip matches only these characteristics and does not inspect the payload again, so the decision the CPU made when it installed the entry applies to every later packet of the flow for as long as the entry exists.
Optionally, the packet processing method provided in this embodiment further includes: discarding the packets of the data flow if no application of the data flow is identified based on the packets, and the number of packets already used to identify the data flow has reached the set number corresponding to the packet protocol of the packets.
Specifically, when no application is identified based on the packet received this time, the CPU determines the accumulated number of packets of the data flow it has received, that is, the number of packets used so far in trying to identify the application of the data flow, and then determines whether that number has reached the set number corresponding to the protocol of the packets. When it has, the data flow is taken to have no corresponding application, and subsequent packets no longer need application identification; at this point the CPU may discard the packet. Further, taking as an example a client accessing a server through the security device: during the interaction the client normally learns that the peer received a packet by receiving an ACK, so when the CPU discards the packet the client receives no ACK and stops sending packets of that data flow on its own, the forwarding chip receives no further packets of the flow, and the forwarding speed is improved to some extent.
In addition, if no application of the data flow is identified based on the packet, and the number of packets used to identify the data flow has not reached the set number corresponding to the packet protocol, the CPU waits to receive the next packet of the data flow from the forwarding chip.
Specifically, when no application is identified based on the packet received this time, the CPU can determine whether the number of packets used for application identification on this data flow has reached the set number for the protocol; when it has not, relatively few packets have been used for identification so far, and the CPU can continue to wait for the next packet of the data flow from the forwarding chip. This improves the accuracy of application identification to some extent, and because only a few packets are being used for identification at this point, the forwarding speed is not affected for the time being.
It should be noted that the set number differs between packet protocols. For example, if the received packet belongs to HTTP or HTTPS, the set number may be, but is not limited to, 5: in general, if the CPU has not identified an application after 5 packets, the data flow can be characterized as having no upper-layer application and as pure HTTP or HTTPS traffic. When the packet belongs to TCP or UDP, the set number may be, but is not limited to, 48 to 50: if the CPU has not identified an application after 48 packets, it can determine that the data flow has no upper-layer application and is pure TCP or UDP traffic. Further, when the count exceeds the set number and the application of the data flow is still not recognized, it is confirmed that the packets no longer need deep inspection to identify an application and that subsequent packets need not be sent to the CPU for software processing; instead they can be forwarded directly by the forwarding chip in hardware logic (this is an alternative to discarding the flow as described above; in both cases the CPU stops inspecting the flow once the set number is reached). Similarly, once an application has been identified and it is confirmed that the application does not change, subsequent packets need not be sent to the CPU for software processing and can be forwarded directly by the forwarding chip in hardware logic. This is particularly suitable for scenarios with many video streams, whose packet forwarding performance can be greatly improved.
Optionally, on the basis of the foregoing embodiment, in this embodiment generating the session table entry according to the packet characteristics of the packet in step S103 may also be performed as follows: querying the application control policy of the corresponding application; and generating the session table entry according to the packet characteristics and the application control policy.
On this basis, the packet forwarding method provided in this embodiment further includes: forwarding the packet when the application control policy is confirmed to allow the data flow corresponding to the application to pass.
Specifically, when the action of the application control policy of the application identified by the network device is "permit", the CPU forwards the packet out directly; if the action of the identified application's control policy is "deny", the CPU discards the packet directly.
Specifically, after the corresponding application has been identified, its application control policy is looked up among the preconfigured application control policies of each application. When the session table entry is generated, it is generated from both the packet characteristics of the packet and the queried application control policy, that is, both are written into the session table entry, which is then issued to the forwarding chip. Having received the session table entry, the forwarding chip extracts the packet characteristics from each subsequently received new packet, matches them against the session table entry, and on a successful match extracts the application control policy from the entry and forwards the new packet according to it. For example, if the action contained in the application control policy is "permit", the forwarding chip forwards the new packet out directly without sending it to the CPU for application identification; if the action is "deny", the forwarding chip discards the new packet directly, with no processing or forwarding by the CPU, which saves processing and raises the forwarding speed.
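The slow-path / fast-path split of steps S101 to S104, the per-protocol packet limit for flows that remain unidentified, and the policy-carrying session table entry described just above can be modelled end to end. The following Python is an added example, not code from the patent or from New H3C: the HTTP Host-header identifier, the application control policies (APP_POLICY), the hosts table (APP_HOSTS), the port-based protocol classification and the three sample flows are assumptions constructed for the illustration. The two treatments the text gives to a flow still unidentified at the limit (discard it, or offload it to hardware as plain traffic) are selectable through unidentified_action.

```python
"""CPU slow path and forwarding-chip fast path sharing a session table.

Added example; this is not code from the patent or from New H3C. The
HTTP Host-header identifier, the application control policies, the
per-protocol packet limits (5 for HTTP/HTTPS, 48 for plain TCP/UDP) and the
three sample flows are constructed for this illustration.
"""
from collections import namedtuple

FiveTuple = namedtuple("FiveTuple", "src_ip dst_ip src_port dst_port proto")
Packet = namedtuple("Packet", "flow payload")

APP_HOSTS = {"www.baidu.com": "baidu", "ftp.example.org": "filetransfer"}  # hypothetical
APP_POLICY = {"baidu": "permit", "filetransfer": "deny"}                  # hypothetical
MAX_PACKETS = {"http": 5, "https": 5, "tcp": 48, "udp": 48}


def protocol_class(flow):
    """Assumption: well-known destination ports decide the protocol class used for the limit."""
    if flow.proto == "tcp" and flow.dst_port == 80:
        return "http"
    if flow.proto == "tcp" and flow.dst_port == 443:
        return "https"
    return flow.proto


def identify_by_host_header(payload: bytes):
    """Identify the application from an HTTP Host header; None if not decidable from this packet."""
    for line in payload.split(b"\r\n"):
        if line[:5].lower() == b"host:":
            host = line[5:].strip().lower().decode("ascii", "replace")
            return APP_HOSTS.get(host)
    return None


class ForwardingChip:
    """Hardware fast path: five-tuple lookup in the session table; misses are punted to the CPU."""

    def __init__(self, cpu):
        self.cpu = cpu
        self.session_table = {}     # FiveTuple -> action written by the CPU
        self.punted = 0

    def install_entry(self, flow, action):
        """Driver interface through which the CPU issues a session table entry."""
        self.session_table[flow] = action

    def receive(self, pkt):
        action = self.session_table.get(pkt.flow)
        if action is not None:
            return "hw-" + action   # no payload inspection: the entry decides for the flow's lifetime
        self.punted += 1
        return self.cpu.receive(pkt, self)


class CPU:
    """Software slow path: application identification and session-entry generation."""

    def __init__(self, unidentified_action="drop"):
        self.seen = {}              # FiveTuple -> packets used for identification so far
        self.unidentified_action = unidentified_action

    def receive(self, pkt, chip):
        app = identify_by_host_header(pkt.payload)
        if app is not None:
            action = APP_POLICY.get(app, "deny")
            chip.install_entry(pkt.flow, action)   # packet characteristics + policy -> entry
            return "sw-" + action                    # this packet is handled in software
        count = self.seen[pkt.flow] = self.seen.get(pkt.flow, 0) + 1
        if count < MAX_PACKETS[protocol_class(pkt.flow)]:
            return "sw-wait"        # forwarded in software; keep inspecting the next packet
        if self.unidentified_action == "drop":
            return "sw-drop"        # discard; the client stops sending when no ACK comes back
        chip.install_entry(pkt.flow, "permit")       # offload as plain traffic, no deeper inspection
        return "sw-permit"


def run_demo(unidentified_action="drop"):
    """Drive three constructed flows through the chip and return (per-packet results, punt count)."""
    cpu = CPU(unidentified_action)
    chip = ForwardingChip(cpu)
    web = FiveTuple("10.0.0.5", "203.0.113.10", 40001, 80, "tcp")
    ftp = FiveTuple("10.0.0.5", "203.0.113.20", 40002, 80, "tcp")
    opaque = FiveTuple("10.0.0.6", "203.0.113.30", 40003, 80, "tcp")
    packets = (
        [Packet(web, b""), Packet(web, b"GET / HTTP/1.1\r\nHost: www.baidu.com\r\n\r\n")]
        + [Packet(web, b"payload")] * 3
        + [Packet(ftp, b"GET / HTTP/1.1\r\nHost: ftp.example.org\r\n\r\n"), Packet(ftp, b"payload")]
        + [Packet(opaque, b"\x00\x01\x02")] * 6
    )
    return [chip.receive(p) for p in packets], chip.punted


if __name__ == "__main__":
    for mode in ("drop", "offload"):
        print(mode, *run_demo(mode))
```

run_demo("drop") shows the identified web flow being permitted in hardware after one punted packet, the identified file-transfer flow being denied in hardware from its second packet on, and the opaque flow being dropped by the CPU once five packets have been inspected without a match; run_demo("offload") instead installs a permit entry at that point, after which the chip forwards the flow and the CPU never sees it again. In both modes the punt counter is the number of packets that had to take the software path.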
Optionally, the packet characteristics may include five-tuple information, and on this basis the generation of the session table entry in step S103 may be performed as follows: generating the session table entry according to the five-tuple information.
Specifically, the five-tuple information is the same across all packets of one data flow, so after a session table entry generated from the five-tuple is issued to the forwarding chip, the forwarding chip can match more quickly and accurately whether a subsequently received new packet hits the session table entry, and forward it on that basis.
Optionally, the packet characteristics may include, but are not limited to, five-tuple information. The five-tuple information may include, but is not limited to, an ingress interface, an egress interface, a source IP address and a destination IP address. (In conventional usage a five-tuple is the source and destination IP addresses, the source and destination ports and the transport protocol.)
On the basis of any of the above embodiments, in this embodiment step S104 may be performed as follows: issuing the session table entry to the forwarding chip through a driver interface. Specifically, the forwarding chip and the CPU may communicate through a driver interface, so the CPU can use the driver interface when issuing the session table entry to the forwarding chip.
Based on the same inventive concept, the embodiment also provides a message processing method, which is applied to a forwarding chip in a network device, wherein the network device further comprises a CPU, and the forwarding chip can execute the message processing method according to the flow shown in fig. 2, and the method comprises the following steps:
S201, the received network message of the data stream is sent to the CPU.
In this step, since the forwarding chip itself does not have a software recognition function, it is necessary to forward the network packet of the received data stream to the CPU capable of application recognition, so that the CPU performs application recognition processing on the network packet received from the forwarding chip.
S202, receiving a session table entry issued by the CPU, wherein the session table entry is generated by the CPU according to the message characteristics of the network message when the CPU recognizes that the data flow has the corresponding application based on the network message.
In this step, when the CPU recognizes that the data flow has a corresponding application, a session table entry is generated according to the network packet and sent to the forwarding chip, so that the forwarding chip will receive the session table entry sent by the CPU.
It should be noted that, the process of identifying whether the data flow has an application and the process of generating the session table entry by the CPU based on the network packet may refer to the execution process corresponding to the CPU, which is not described in detail herein.
It is noted that the forwarding chip may receive, through the driver interface between the forwarding chip and the CPU, the session table entry issued by the CPU, where the session table entry includes the message feature of the network message that the forwarding chip sent to the CPU.
S203, receiving a new network message of the data flow.
S204, forwarding the new network message according to the session table item.
In this step, the forwarding chip continuously receives new network messages. When a new network message is received, the forwarding chip extracts the message feature from it, matches the session table entry using the extracted message feature, and, when the match succeeds, executes the forwarding operation for the new network message according to the session table entry.
By implementing the forwarding-chip-side message processing method, the forwarding chip sends the network message of the received data stream to the CPU; receives the session table entry issued by the CPU, where the session table entry is generated by the CPU according to the message characteristics of the network message when the CPU recognizes, based on the network message, that the data flow has a corresponding application; receives a new network message of the data stream; and forwards the new network message according to the session table entry. Therefore, the forwarding chip does not need to send every network message of each data stream to the CPU for application identification, and the CPU in the network device does not need to perform identification matching on every message of each data stream, so the message processing load on the CPU is greatly reduced and the forwarding rate of messages is improved.
It should be noted that the forwarding chip may receive multiple data streams simultaneously. In that case the forwarding chip sends network messages of each data stream to the CPU separately, and when the CPU recognizes that several data streams have corresponding applications, it issues a corresponding number of session table entries. The forwarding chip stores the received session table entries in a session table entry list; after receiving a network message, it matches the message characteristics of that message against the session table entry list and then forwards the message according to the matched session table entry.
It should be noted that the message processing method provided in this embodiment further includes: for each data stream, after the forwarding chip has processed the last network message of the data stream according to the flow shown in fig. 2, deleting the session table entry corresponding to that data stream. For example, the session table entry corresponding to the message feature of the data flow may be deleted from the session table entry list.
In one embodiment, the session table entry is generated by the CPU only when it confirms that the application control policy of the corresponding application allows the data flow corresponding to the application to be released; in that case step S204 may be performed as follows: if the new network message hits the session table entry, forwarding the new network message; and discarding the new network message if it does not hit the session table entry.
Specifically, when the CPU recognizes that the data flow to which the network message belongs has a corresponding application and confirms that the execution action of that application's control policy is to allow the data flow to be released, it generates a session table entry according to the message characteristics of the network message; if no application is recognized, no session table entry is generated. Therefore, after receiving the session table entry, when the forwarding chip subsequently receives a new network message, it matches the message characteristics of the new network message against the session table entry. When the match succeeds, the session table entry is hit, and the forwarding chip can forward the new network message directly without uploading it to the CPU for application identification, so the forwarding speed of network messages is improved.
If the new network message matches neither this session table entry nor any other session table entry, the forwarding chip may further determine the following: if the data stream is not a new data stream and its network messages have previously been sent to the CPU for processing, the network messages of the data stream continue to be sent to the CPU so that the flow shown in fig. 1 is executed; if the data stream is a new data stream, its network messages need to be sent to the CPU for processing, so that the flow shown in fig. 1 is executed.
In another embodiment, the session table entry includes an application control policy of the corresponding application; on this basis, step S204 may be performed according to the following procedure: if the new network message hits the session table entry, if the application control policy is to allow the data flow corresponding to the application to be released, forwarding the new network message; and if the application control policy is that the data flow corresponding to the application is not allowed to be released, discarding the new network message.
Specifically, after the network device receives a new network message, a message feature is extracted from the new network message, the session table entry is matched using that message feature, and when the match succeeds the forwarding operation for the new network message is executed based on the application control policy in the session table entry. For example, if the execution action of the application control policy in the session table entry is to allow passage, the network device may forward the new network message directly without uploading it to the CPU, thereby improving the forwarding speed of messages; if the execution action of the application control policy is to forbid passage, the network device may discard the new network message, so that the CPU's capacity for processing network messages is preserved.
Optionally, the message feature includes five-tuple information; on this basis, the session table entry can be confirmed by the following method: and if the five-tuple information of the new network message is consistent with the five-tuple information in the session table entry, confirming that the new network message hits the session table entry.
To better understand the message processing method provided in any embodiment of the present application, take an http data stream sent to the network device as an example. When the forwarding chip receives the 1st to 4th network messages of the http data stream, it sends them to the CPU; at this point the CPU may not yet be able to recognize the application from the received network messages. When the forwarding chip sends the 5th network message of the http data stream to the CPU, the CPU recognizes from the data in the 5th network message that the data stream belongs to http, generates a session table entry according to the message characteristics of the network message, and sends the session table entry to the forwarding chip. When the forwarding chip receives a new network message, it extracts the message characteristics from it; if the message characteristics hit the session table entry, the forwarding chip forwards the new network message directly, so the new network message does not need to be uploaded to the CPU for application identification, and the forwarding speed of messages is further improved.
Therefore, through cooperative processing between the forwarding chip (a hardware logic chip) and the CPU software, the message forwarding performance and the service processing performance of the network device are greatly improved, the performance of the network device during application identification is greatly improved, and the high-throughput, low-latency deployment requirements of a large-scale network egress are met.
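The http walk-through above, as an added simulation (example code, not the patent's or H3C's): a forwarding-chip class uploads messages to a CPU class on a session-table miss, the CPU identifies the application after a few messages, generates an entry that carries the application control policy (the second embodiment) and the chip then forwards or discards later messages of the flow in hardware and deletes the entry after the flow's last message. The five-tuple fields, the per-protocol set numbers, the toy signatures, releasing not-yet-identified messages and default-deny for unknown applications are assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

# Message feature used as the session key. The patent keys on five-tuple information;
# the concrete fields (src ip, dst ip, src port, dst port, protocol) are an assumption.
FiveTuple = Tuple[str, str, int, int, str]


class Action(Enum):
    ALLOW = "allow"   # application control policy: release the data flow
    DENY = "deny"     # application control policy: do not release the data flow


@dataclass(frozen=True)
class SessionEntry:
    key: FiveTuple
    app: str
    policy: Action    # second embodiment: the entry carries the control policy


@dataclass
class Packet:
    key: FiveTuple
    payload: bytes
    last: bool = False  # marks the last network message of the data flow


class Cpu:
    """CPU side (fig. 1): application identification and session-entry generation."""

    # Set number of messages per protocol after which an unidentified flow is discarded.
    # The patent makes this protocol-dependent; the values here are assumptions.
    MAX_UNIDENTIFIED = {"tcp": 8, "udp": 4}

    def __init__(self, policies: Dict[str, Action]):
        self.policies = policies               # application control policies
        self.seen: Dict[FiveTuple, int] = {}   # messages used so far per flow
        self.uploaded = 0                      # messages the chip sent up to the CPU

    @staticmethod
    def identify(payload: bytes) -> Optional[str]:
        """Constructed stand-in for the application recognition engine."""
        if payload.startswith((b"GET ", b"POST ")):
            return "http"
        if payload.startswith(b"\x16\x03"):
            return "tls"
        return None

    def handle(self, pkt: Packet) -> Tuple[str, Optional[SessionEntry]]:
        """Returns the verdict for this message and the session entry to issue, if any."""
        self.uploaded += 1
        count = self.seen.get(pkt.key, 0) + 1
        app = self.identify(pkt.payload)
        if app is None:
            if count >= self.MAX_UNIDENTIFIED[pkt.key[4]]:
                self.seen.pop(pkt.key, None)
                return "drop", None        # set number reached without identification
            self.seen[pkt.key] = count
            return "forward", None         # keep identifying; releasing meanwhile is assumed
        self.seen.pop(pkt.key, None)
        policy = self.policies.get(app, Action.DENY)   # default-deny is an assumption
        entry = SessionEntry(pkt.key, app, policy)
        return ("forward" if policy is Action.ALLOW else "drop"), entry


class ForwardingChip:
    """Forwarding-chip side (fig. 2): upload on miss, forward/discard from the table on hit."""

    def __init__(self, cpu: Cpu):
        self.cpu = cpu
        self.sessions: Dict[FiveTuple, SessionEntry] = {}   # session table entry list

    def receive(self, pkt: Packet) -> str:
        entry = self.sessions.get(pkt.key)          # match by five-tuple (S203/S204)
        if entry is None:
            verdict, issued = self.cpu.handle(pkt)   # S201 upload, S202 receive entry
            if issued is not None:
                self.sessions[issued.key] = issued   # installed via the driver interface
            where = "cpu"
        else:
            verdict = "forward" if entry.policy is Action.ALLOW else "drop"
            where = "chip"
        if pkt.last:
            self.sessions.pop(pkt.key, None)   # delete the entry after the flow's last message
        return f"{verdict}@{where}"


def run_streams() -> Dict[str, object]:
    """Replays three constructed flows and returns the per-message verdicts."""
    cpu = Cpu({"http": Action.ALLOW, "tls": Action.DENY})
    chip = ForwardingChip(cpu)
    http = ("10.0.0.5", "203.0.113.9", 40000, 80, "tcp")
    tls = ("10.0.0.5", "203.0.113.9", 40001, 443, "tcp")
    udp = ("10.0.0.5", "203.0.113.9", 50000, 9999, "udp")
    http_pkts = [Packet(http, b"") for _ in range(4)]                    # messages 1-4: unidentified
    http_pkts.append(Packet(http, b"GET / HTTP/1.1\r\nHost: a\r\n\r\n"))  # message 5: identified
    http_pkts += [Packet(http, b"data"), Packet(http, b"data"), Packet(http, b"fin", last=True)]
    tls_pkts = [Packet(tls, b"\x16\x03\x01\x00"), Packet(tls, b"\x16\x03\x03\x00")]
    udp_pkts = [Packet(udp, b"\x00") for _ in range(4)]                  # never identified
    return {
        "http": [chip.receive(p) for p in http_pkts],
        "tls": [chip.receive(p) for p in tls_pkts],
        "udp": [chip.receive(p) for p in udp_pkts],
        "uploaded": cpu.uploaded,
        "entries_left": len(chip.sessions),
    }
```

Of the eight http messages only the first five reach the CPU; the denied tls flow is dropped in hardware from its second message, and the udp flow is discarded once the set number is reached without identification.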
It should be noted that the network device may be, but not limited to, a network security device, and the like, and the network security device may be, but not limited to, a firewall, a security gateway, and the like.
Based on the same inventive concept, the application also provides a message processing device corresponding to the message processing method of the CPU side. The implementation of the message processing apparatus may refer to the description of the message processing method by the CPU, which is not discussed here.
Referring to fig. 3, fig. 3 is a schematic diagram of a message processing apparatus according to an exemplary embodiment of the present application, which is disposed in a central processing unit CPU in a network device, where the network device further includes a forwarding chip; the device comprises:
a receiving module 301, configured to receive a network packet of the data stream sent by the forwarding chip;
the identification module 302 is configured to perform application identification processing on the data stream according to the data in the network packet;
A generating module 303, configured to generate a session table entry according to a message feature of the network message if the identifying module identifies that the data flow has a corresponding application based on the network message;
and the sending module 304 is configured to send the session table entry to the forwarding chip, so that the forwarding chip forwards the new network packet according to the session table entry after receiving the new network packet.
Optionally, based on the foregoing embodiment, the message processing apparatus provided in this embodiment further includes:
and the discarding module (not shown in the figure) is used for discarding the network message of the data stream if the application of the data stream is not recognized based on the network message and the number of the network messages used for recognizing the data stream reaches the set number corresponding to the message protocol of the network message.
Optionally, based on any one of the foregoing embodiments, the message processing apparatus provided in this embodiment further includes:
a query module (not shown in the figure) configured to query the application control policy of the corresponding application before the generating module 303 generates a session table entry according to the message characteristics of the network message;
a determining module (not shown in the figure), configured to confirm that the application control policy allows the data flow corresponding to the application to be released;
on the basis, the message processing device provided in this embodiment further includes:
and the forwarding module (not shown in the figure) is used for forwarding the network message when the determining module confirms that the data flow corresponding to the application is allowed to be released.
Optionally, the generating module 303 is further configured to query an application control policy of the corresponding application; generating the session table item according to the message characteristics and the application control strategy;
on the basis, the message processing device provided in this embodiment further includes:
and a forwarding module (not shown in the figure), configured to forward the network message when the application control policy is confirmed to allow the data flow corresponding to the application to be released.
Optionally, the message feature includes five-tuple information; the generating module 303 is specifically configured to generate the session table entry according to the quintuple information.
Based on the same inventive concept, the application also provides a message processing device corresponding to the message processing method of the forwarding chip side. The implementation of the message processing device can refer to the description of the message processing method by the forwarding chip, and will not be discussed here.
Referring to fig. 4, fig. 4 is a message processing apparatus provided in an exemplary embodiment of the present application, where the message processing apparatus is disposed in a forwarding chip in a network device, and the network device further includes a central processing unit CPU, where the apparatus includes:
a first receiving module 401, configured to receive a network packet of a data stream;
a sending module 402, configured to send the network packet to the CPU;
a second receiving module 403, configured to receive a session table entry issued by the CPU, where the session table entry is generated by the CPU according to a message feature of the network message when the CPU recognizes that the data flow has a corresponding application based on the network message;
the first receiving module 401 is further configured to receive a new network packet of the data stream;
and a forwarding module 404, configured to forward the new network packet according to the session table entry.
Optionally, the session table entry is generated when the CPU confirms that the application control policy of the corresponding application is a policy that allows the data flow corresponding to the application to be released; the forwarding module 404 is specifically configured to forward the new network packet if the new network packet hits the session table entry; and discarding the new network message if the new network message does not hit the session table entry.
Optionally, the session table entry includes an application control policy of the corresponding application; the forwarding module 404 is specifically configured to forward the new network packet if the new network packet hits the session table entry, and if the application control policy is to allow the data flow corresponding to the application to be released; and if the application control policy is that the data flow corresponding to the application is not allowed to be released, discarding the new network message.
Optionally, the message feature includes five-tuple information; the forwarding module 404 is specifically configured to confirm that the new network packet hits the session table entry according to the following method: and if the five-tuple information of the new network message is consistent with the five-tuple information in the session table entry, confirming that the new network message hits the session table entry.
Based on the same inventive concept, the embodiment of the present application provides a network device, as shown in fig. 5, where the network device includes a Central Processing Unit (CPU) 500, a forwarding chip 501, and a machine-readable storage medium 502, where the machine-readable storage medium 502 stores a computer program capable of being executed by the CPU500, and the CPU500 is caused by the computer program to execute a packet processing method provided by any embodiment on the CPU side of the present application, and the forwarding chip 501 is configured to execute the packet processing method provided by any embodiment on the forwarding chip side of the present application. The network device further comprises a communication interface 503 and a communication bus 504, wherein the CPU500, the forwarding chip 501, the communication interface 503, and the machine readable storage medium 502 perform communication with each other via the communication bus 504.
The communication bus mentioned for the above network device may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc. The communication bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of illustration only one thick line is shown in the figure, but this does not mean there is only one bus or one type of bus.
The communication interface is used for communication between the network device and other devices.
The machine-readable storage medium 502 may be a memory, which may include Random Access Memory (RAM), DDR SDRAM (Double Data Rate Synchronous Dynamic Random Access Memory), or Non-Volatile Memory (NVM), such as at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
The forwarding chip may be a digital signal processor (Digital Signal Processor, DSP), application specific integrated circuit (Application Specific Integrated Circuit, ASIC), field programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware components.
For the network device and machine-readable storage medium embodiments, the description is relatively brief, since the method content involved is substantially the same as in the method embodiments described above; for the relevant points, refer to the description of the method embodiments.
It is noted that relational terms such as first and second are used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in the process, method, article, or apparatus that comprises the element.
The implementation process of the functions and roles of each unit/module in the above device is specifically shown in the implementation process of the corresponding steps in the above method, and will not be repeated here.
For the device embodiments, reference is made to the description of the method embodiments for the relevant points, since they essentially correspond to the method embodiments. The above described apparatus embodiments are merely illustrative, wherein the units/modules illustrated as separate components may or may not be physically separate, and the components shown as units/modules may or may not be physical units/modules, i.e. may be located in one place, or may be distributed over a plurality of network units/modules. Some or all of the units/modules may be selected according to actual needs to achieve the purposes of the present application. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
The foregoing description of the preferred embodiments of the present invention is not intended to limit the invention to the precise form disclosed, and any modifications, equivalents, improvements and alternatives falling within the spirit and principles of the present invention are intended to be included within the scope of the present invention.

Claims (12)

1. A message processing method, applied to a CPU in a network device, wherein the network device further comprises a forwarding chip; the method comprises the following steps:
receiving a network message of the data stream sent by the forwarding chip;
performing application identification processing on the data flow according to the data in the network message;
if the data flow is identified to have the corresponding application based on the network message, generating a session table item according to the message characteristics of the network message;
and transmitting the session table item to the forwarding chip so that the forwarding chip forwards the new network message according to the session table item after receiving the new network message.
2. The method of claim 1, wherein the method further comprises:
and discarding the network messages of the data stream if the application of the data stream is not recognized based on the network messages and the number of the network messages used for recognizing the data stream reaches the set number corresponding to the message protocol of the network messages.
3. The method of claim 1, further comprising, prior to generating a session table entry based on the message characteristics of the network message:
Inquiring the application control strategy of the corresponding application;
confirming the application control policy to allow the release of the data flow corresponding to the application;
the method further comprises the steps of:
and forwarding the network message when confirming that the data flow corresponding to the application is allowed to be released.
4. The method of claim 1, wherein generating a session table entry according to the message characteristics of the network message comprises:
inquiring the application control strategy of the corresponding application;
generating the session table item according to the message characteristics and the application control strategy;
the method further comprises the steps of:
and forwarding the network message when the application control policy is confirmed to allow the data flow corresponding to the application to be released.
5. The method of claim 1, wherein the message characteristics include five-tuple information;
generating a session table item according to the message characteristics of the network message, including:
and generating the session table item according to the quintuple information.
6. A message processing method, applied to a forwarding chip in a network device, wherein the network device further comprises a CPU; the method comprises the following steps:
the network message of the received data stream is sent to the CPU;
Receiving a session table entry issued by the CPU, wherein the session table entry is generated by the CPU according to the message characteristics of the network message when the CPU recognizes that the data flow has a corresponding application based on the network message;
receiving a new network message of the data stream;
and forwarding the new network message according to the session table entry.
7. The method of claim 6, wherein the session table entry is generated by the CPU upon confirming that the application control policy of the corresponding application allows the data flow corresponding to the application to be released;
forwarding the new network message according to the session table entry, including:
if the new network message hits the session table entry, forwarding the new network message;
and discarding the new network message if the new network message does not hit the session table entry.
8. The method of claim 6, wherein the session table entry includes an application control policy of the corresponding application;
forwarding the new network message according to the session table entry, including:
if the new network message hits the session table entry, if the application control policy is to allow the data flow corresponding to the application to be released, forwarding the new network message;
And if the application control policy is that the data flow corresponding to the application is not allowed to be released, discarding the new network message.
9. The method according to claim 7 or 8, wherein the message characteristics include five-tuple information;
the new network message is confirmed to hit the session table item according to the following method:
and if the five-tuple information of the new network message is consistent with the five-tuple information in the session table entry, confirming that the new network message hits the session table entry.
10. A message processing apparatus, disposed in a central processing unit (CPU) in a network device, wherein the network device further comprises a forwarding chip; the apparatus comprises:
the receiving module is used for receiving the network message of the data stream sent by the forwarding chip;
the identification module is used for carrying out application identification processing on the data flow according to the data in the network message;
the generation module is used for generating a session table item according to the message characteristics of the network message if the identification module identifies that the data flow has the corresponding application based on the network message;
and the sending module is used for sending the session table item to the forwarding chip so that the forwarding chip forwards the new network message according to the session table item after receiving the new network message.
11. A message processing apparatus, which is disposed in a forwarding chip in a network device, the network device further comprising a central processing unit CPU, the apparatus comprising:
the first receiving module is used for receiving the network message of the data stream;
the sending module is used for sending the network message to the CPU;
the second receiving module is used for receiving a session table item issued by the CPU, wherein the session table item is generated by the CPU according to the message characteristics of the network message when the CPU recognizes that the data flow has a corresponding application based on the network message;
the first receiving module is further configured to receive a new network packet of the data stream;
and the forwarding module is used for forwarding the new network message according to the session table item.
12. A network device, comprising a central processing unit (CPU) and a forwarding chip, wherein the CPU is configured to execute the message processing method according to any one of claims 1 to 5, and the forwarding chip is configured to execute the message processing method according to any one of claims 6 to 9.
CN202210454424.XA 2022-04-27 2022-04-27 Message processing method, device and network equipment Active CN114827044B (en)

Publications (2)

Publication Number Publication Date
CN114827044A CN114827044A (en) 2022-07-29
CN114827044B true CN114827044B (en) 2023-12-26