WO2008017275A1 - A packet classification method and system, encryption node, classification node thereof - Google Patents


Info

Publication number
WO2008017275A1
Authority
WO
WIPO (PCT)
Prior art keywords
classification
node
encrypted
data packet
encryption
Prior art date
Application number
PCT/CN2007/070412
Other languages
French (fr)
Chinese (zh)
Inventor
Yong Xie
Jianjun Wu
Liang Gu
Wenliang Liang
Original Assignee
Huawei Technologies Co., Ltd.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/164 Implementing security features at a particular protocol layer at the network layer
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W12/033 Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W28/00 Network traffic management; Network resource management
    • H04W28/16 Central resource management; Negotiation of resources or communication parameters, e.g. negotiating bandwidth or QoS [Quality of Service]
    • H04W28/18 Negotiating wireless communication parameters
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W80/00 Wireless network protocols or protocol adaptations to wireless operation
    • H04W80/04 Network layer protocols, e.g. mobile IP [Internet Protocol]

Definitions

  • the present invention relates to the field of wireless communication technologies, and in particular to a packet classification technique.
  • WiMAX Worldwide Interoperability for Microwave Access
  • BS base station
  • ASN-GW access service network gateway
  • CSN including logical entities such as Policy Server (PF), Authentication and Accounting Server (AAA Server), Application Server (AF), etc.
  • PF Policy Server
  • AAA Server Authentication and Accounting Server
  • AF Application Server
  • the wireless side of the WiMAX network uses wireless metropolitan area network access technology based on the IEEE 802.16d/e standard; R1, R2, R3, etc. in Fig. 1 represent reference points, that is, interfaces.
  • the ASN is a network function set that provides wireless access services for terminals, including the network element BS and the ASN-GW.
  • the CSN provides an IP connection service for the terminal.
  • the terminal is a mobile user equipment, and the user uses the terminal to access the WiMAX network.
  • a classifier is used to classify various services carried by the network into specific service flows of the bearer network.
  • the classifier of the uplink service is implemented on the terminal, and the classifier of the downlink service is implemented on the BS or ASN-GW.
  • the service flow is the minimum operational object guaranteed by the WiMAX bearer network quality of service (QoS). Different service flows can have different QoS guarantees.
  • the classifier can allocate it to the corresponding service flow according to the different QoS requirements of the upper layer service.
  • the classifier consists of a series of classification rules.
  • the specific classification parameters are listed in the IEEE related standards. If IP traffic is carried, one of the main classification parameters is the IP address. For example, an IPv4 packet can be classified into a specific service flow based on the source/destination IP address, protocol type, and source/destination Transmission Control Protocol/User Datagram Protocol (TCP/UDP) port number.
  • TCP/UDP Transmission Control Protocol/User Datagram Protocol
  • the terminal and the home agent (HA) located at the CSN transmit data through the tunnel.
  • different QoS data needs to be classified into different data channels for transmission, and corresponding to the WiMAX network, the IP data packets are classified into different service flows for transmission.
  • although the existing IEEE standard defines a series of classifier rules, there is one situation that cannot be handled after MIPv6 is applied to a WiMAX network.
  • IP security/Encapsulating Security Payload (IPSec/ESP)
  • when the data between the terminal and the HA is encrypted with IPSec/ESP, the IP packets between the terminal and the HA use tunnel mode, so the HA, when encrypting, protects the entire IP packet it has received.
  • the entire IP packet is encrypted and a tunnel IP header is added in front of the encrypted IP packet. Therefore, a classifier that relies on information in the inner IP packet to distinguish different service flows cannot work.
  • the IP packet can only be decrypted on the terminal or the HA, but the classifier needs to classify the data packets on classification nodes such as the ASN-GW, access router (AR) or BS located on the transmission path between those two entities. Summary of the invention
  • the embodiment of the present invention provides a data packet classification method, a system for data packet classification, an encryption node and a classification node, which are used to classify encrypted data packets.
  • An embodiment of the present invention provides a data packet classification method, where the method includes:
  • the encryption node adds or configures a classification parameter in the non-encrypted portion of the encrypted IP data packet, and sends the encrypted IP data packet to the classification node;
  • the classification node classifies the encrypted IP data packet according to the classification parameter.
  • An embodiment of the present invention further provides a system for data packet classification, where the system includes: an encryption node, configured to add or configure a classification parameter in an unencrypted portion of an encrypted IP data packet, and to send the encrypted IP data packet to the classification node;
  • a classifying node including a classifier, wherein the classifier is configured to classify the encrypted IP data packet according to the classification parameter in the encrypted IP data packet.
  • An embodiment of the present invention further provides an encryption node, including:
  • a sending unit configured to send the encrypted IP data packet to the classification node.
  • the embodiment of the present invention further provides a classification node, including: a receiving unit, configured to receive an encrypted IP data packet carrying a classification parameter in a non-encrypted portion;
  • a classifier configured to classify the encrypted IP data packet according to the classification parameter in the encrypted IP data packet.
  • in the embodiment of the present invention, the encryption node adds the classification parameter used for classification in the non-encrypted part of the encrypted IP data packet
  • the classifier can directly read the classification parameter from the non-encrypted part, so that the data packet can be classified according to the classification parameter.
  • the classification node can acquire the classification parameter without decrypting the data packet, and classify according to the classification parameter.
  • embodiments of the present invention provide multiple methods of acquiring classification parameters, which improves the flexibility of classification. BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a schematic diagram of a WiMAX network architecture in the prior art
  • FIG. 2 is a schematic flow chart of a first embodiment of the present invention
  • FIG. 3 is a schematic flow chart of a second embodiment of the present invention.
  • FIG. 4 is a schematic flow chart of a third embodiment of the present invention.
  • FIG. 5 is a schematic flowchart of a fourth embodiment of the present invention.
  • FIG. 6 is a schematic structural diagram of a system according to a first embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of a system according to a second embodiment and a third embodiment of the present invention.
  • FIG. 8 is a schematic structural diagram of a system according to a fourth embodiment of the present invention. Mode for carrying out the invention
  • the encryption node adds or configures a classification parameter in the non-encrypted part of the encrypted IP data packet, so that the encrypted IP data packet subsequently carries the classification parameter, and the classification node classifies the encrypted IP data packet according to the classification parameter.
  • adding the classification parameter means adding a new parameter to the non-encrypted part of the encrypted IP data packet and using the new parameter as the classification parameter; configuring the classification parameter means configuring a parameter that already exists in the non-encrypted part of the encrypted IP data packet and using the configured parameter as the classification parameter.
  • the IP packets before encryption include: tunnel IP header, tunnel IP extension header, original IP header, original IP extension header, upper layer protocol header, and data.
  • when the IP data packet is encrypted for transmission, for example by IPSec/ESP, the encrypted IP data packet includes: a tunnel IP header, a tunnel IP extension header, an ESP header, encrypted data, and an ESP authentication field (ESP AUTH).
  • the encrypted part includes encrypted data
  • the non-encrypted part includes a tunnel IP header, a tunnel IP extension header, an ESP header, and the like.
  • the encrypted data is formed by encrypting the original IP header, the original IP extension header, the upper layer protocol header, and the data part of the IP packet before encryption; the tunnel IP header must be constructed according to the actual situation: except for the destination address and the source address, the contents of the other fields may be constructed by the encryption node or copied from the corresponding fields of the original IP header; the tunnel IP extension header is constructed by the encryption node itself, and the original IP extension header in the IP packet before encryption need not be copied.
  • the classification parameters described in the embodiments of the present invention are as shown in Table 3, but are not limited thereto.
  • the classification node can be classified according to any one of these parameters or any combination thereof.
  • Step 101 to step 102 the encryption node extracts the classification information that may be used for classification before encrypting the IP data packet, and adds the classification parameters to the non-encrypted portion of the encrypted IP data packet.
  • the tunnel IP extension header of this embodiment can be defined as follows: The name is a Filter Header; the Type can be determined; the structure can be as shown in Table 4. Referring to Table 4, the first 8 bits of the new tunnel IP extension header are the Next Header field, indicating the start of the Filter Header; the second 8 bits are the extended header length (Hdr Ext Len) field, indicating the length of the Filter Header. The following bits are the Options section, which is used to indicate the specific classification parameters.
  • the definitions of the Next Header and Hdr Ext Len fields can be the same as those of the usual IPv6 extension headers, and are not mentioned here.
  • the format of the Options section can be as shown in Table 5. It is arranged in the order of Filter type and Filter value.
  • the Filter type is the type in Table 3.
  • the Filter value is the value of the packet filter attribute in Table 3.
  • the classification parameter is the destination port.
  • the Filter type is 4, the Filter value is 8E.
  • the padding bit can be padded at the end to be an integer multiple of 8 bytes.
  • the encryption node may select which classification information to add to the tunnel IP extension header of the encrypted IP data packet; if the encryption node does not know which classification information the classification node needs, it can add all of the classification information in Table 3 to the tunnel IP extension header of the encrypted IP data packet.
  • classification parameters such as SPI can be added to the ESP header.
  • Step 103 The encryption node sends the encrypted IP data packet with the classification parameter to the classifier in the classification node.
  • Step 104 The classifier in the classification node receives the foregoing IP data packet from the encryption node, classifies it according to the classification parameter in the tunnel IP extension header, allocates it to the corresponding service flow, and transmits it through the corresponding data channel to the decryption node.
  • some or all of the classification parameters that are no longer needed may be deleted.
  • Step 105 The classification node sends the classified IP data packet to the decryption node through the corresponding data channel. If the decryption node receives a packet with a Filter Header extension header, it can ignore the tunnel IP extension header without any processing.
  • this step includes querying which content of the classification parameter overlaps with the tunnel IP header of the encrypted IP data packet; in step 101, the non-overlapping content of the classification parameter is formed into a tunnel IP extension header and filled into the tunnel IP extension header of the encrypted IP data packet.
  • in step 101 the classification parameter is formed into a tunnel IP extension header and filled into the tunnel IP extension header of the encrypted IP packet.
  • the classification node classifies according to the classification parameters in the tunnel IP header and the tunnel IP extension header.
  • the above method of the embodiment can be realized by the system shown in Fig. 6.
  • the system includes an encryption node and a classification node, and may further include a decryption node.
  • the encryption node adds a classification parameter to the non-encrypted portion of the encrypted IP data packet, and sends the encrypted IP data packet.
  • the encryption node includes at least an adding configuration unit and a sending unit, wherein the adding configuration unit adds or configures a classification parameter in the non-encrypted portion of the encrypted IP data packet, and the sending unit sends the encrypted IP data packet to the classification node.
  • the classification node includes a receiving unit and a classifier, and the receiving unit receives the encrypted IP data packet that is sent by the encryption node and carries the classification parameter in the non-encrypted portion, and the classifier classifies the encrypted IP data packet according to the classification parameter, and The classified packet is sent to the decryption node.
  • the decryption node decrypts and processes the received encrypted IP packet.
  • the encryption node may further include an extracting unit and/or a query unit.
  • the extracting unit is configured to extract the classification parameter from the pre-encrypted IP data packet;
  • the query unit is configured to obtain the content of the classification parameter that does not overlap with the tunnel IP header of the encrypted IP data packet, so as to fill it into the tunnel IP extension header of the encrypted IP data packet.
  • the classification node shown in Fig. 6 may further include a deletion unit for deleting some or all of the classification parameters of the encrypted IP packet.
  • the encryption node in this embodiment may be an HA in a WiMAX system, the classification node may be a base station, ASN-GW or AR in a WiMAX system, and the decryption node may be a terminal in a WiMAX system.
  • the present invention is not limited to this.
  • the encryption node assigns different classification parameters to different traffic flows in advance through interaction with the decryption node or the classification node.
  • the present embodiment is described by taking a flow label as an example.
  • Flow Label: in the basic header of IPv6 there is a Flow Label field, which is used to uniquely identify a service flow from the source address to the destination address. This value is generally assigned by the source, that is, it is allocated at the encryption node.
  • Step 201 The encryption node and the decryption node exchange the classifier information of the classification node before the encryption, and assign different Flow Labels to different service flows. This process can be performed when the encryption node and the decryption node generate a security association (SA), or at other times.
  • SA security association
  • the decryption node has obtained the classifier information before the encryption of the classification node, for example, the decryption node acquires the classifier information by interacting with the classification node.
  • Step 202 The encryption node notifies the classification node of the service flow classifier information and the corresponding Flow Label before encryption. Since the decryption node also has the traffic classifier information before encryption and the corresponding Flow Label, in this step, the decryption node may also notify the classification node of the traffic classifier information before encryption and the corresponding Flow Label.
  • Step 203 The encryption node configures a Flow Label in the tunnel IP extension header of the encrypted IP data packet, and configures the flow label to be newly allocated in step 201 corresponding to the service flow to which the data packet belongs. In this way, the encryption node does not have to extract the original Flow Label from the pre-encrypted IP packet.
  • Step 204 The encryption node sends out the encrypted IP data packet configured with the Flow Label.
  • Step 205 The classifier in the classification node receives the foregoing IP data packet from the encryption node, performs classification according to the Flow Label and other classification parameters in the tunnel IP extension header, and allocates it to the corresponding service flow, so that it is transmitted through different data channels to the decryption node.
  • Step 206 The classification node sends the classified IP data packet to the decryption node through the corresponding data channel.
  • the encryption node and the classification node directly allocate different Flow Labels for different service flows by interaction.
  • the third embodiment includes the following steps:
  • Step 301 The encryption node and the decryption node generate an SA, and exchange the pre-encryption classifier information.
  • Step 302 The encryption node and the classification node allocate different Flow Labels for different service flows by interaction.
  • Step 303 The encryption node configures a Flow Label in the tunnel IP extension header of the encrypted IP data packet, and configures the Flow Label in step 302 corresponding to the service flow to which the data packet belongs. In this way, the encryption node does not have to extract the original Flow Label from the pre-encrypted IP packet.
  • Step 304 The encryption node sends the encrypted IP data packet configured with the Flow Label allocated in step 302.
  • Step 305 The classifier in the classification node receives the foregoing IP data packet from the encryption node, performs classification according to the Flow Label and other classification parameters in the tunnel IP extension header, and allocates it to the corresponding service flow, so that it is transmitted through different data channels to the decryption node.
  • Step 306 The classification node sends the classified IP data packet to the decryption node through the corresponding data channel. After the decryption node receives the IP packet, the tunnel IP extension header can be ignored without any processing.
  • the methods of the second embodiment and the third embodiment of the present invention can be realized by the system shown in Fig. 7.
  • the system includes an encryption node and a classification node, and may further include a decryption node.
  • the encryption node configures the classification parameter in the non-encrypted portion of the encrypted IP data packet, and sends the classification parameter to the classification node.
  • the encryption node includes at least an adding configuration unit and a sending unit, wherein the adding configuration unit adds or configures a classification parameter in the non-encrypted portion of the encrypted IP data packet, and the sending unit sends the encrypted IP data packet to the classification node.
  • the classification node includes a receiving unit and a classifier, and the receiving unit receives the encrypted IP data packet that is sent by the encryption node and carries the classification parameter in the non-encrypted portion, and the classifier classifies the encrypted IP data packet according to the classification parameter, and The classified packet is sent to the decryption node.
  • the decryption node decrypts and processes the received encrypted IP packet.
  • the encryption node further includes a first interaction unit
  • the classification node further includes a second interaction unit
  • the decryption node further includes a third interaction unit.
  • the first interaction unit and the second interaction unit allocate different encrypted classification parameters for different service flows by interaction; corresponding to the second embodiment, the first interaction unit and the third interaction unit allocate different encrypted classification parameters for different service flows by interaction, and notify the classification node of the service flows and the corresponding encrypted classification parameters.
  • the encryption nodes in the second embodiment and the third embodiment may be HAs in the WiMAX system
  • the classification nodes may be base stations in the WiMAX system or ASN-GWs or ARs
  • the decryption nodes may be terminals in the WiMAX system.
  • the invention is not limited thereto. Fourth embodiment:
  • a fourth embodiment of the present invention directly sets different classification parameters for different service flows in the encryption node and the classification node.
  • a fourth embodiment of the present invention includes the following steps:
  • Step 401 Set different encrypted classification parameters, such as manual setting or automatic setting, for the different service flows in the encryption node and the classification node.
  • Step 402 The encryption node adds or configures an encrypted classification parameter corresponding to the service flow to which the data packet belongs in the non-encrypted portion of the encrypted IP data packet.
  • Step 403 The encryption node sends the encrypted IP data packet with the encrypted classification parameter added or configured.
  • Step 404 The classification node receives the foregoing IP data packet from the encryption node, classifies it according to the classification parameter in the non-encrypted part and the service flow information corresponding to it, and allocates it to the corresponding service flow, so that it is transmitted through different data channels to the decryption node.
  • Step 405 The classification node sends the classified encrypted IP data packet to the decryption node through the corresponding data channel.
  • the decryption node receives the IP packet, it can ignore the classification parameters of the non-encrypted part without any processing.
  • the above method of the embodiment can be realized by the system shown in Fig. 8.
  • the system includes an encryption node and a classification node, and may further include a decryption node.
  • the encryption node adds or configures a classification parameter in the non-encrypted portion of the encrypted IP data packet, and sends the encrypted IP data packet.
  • the encryption node includes at least an adding configuration unit and a sending unit, wherein the adding configuration unit adds or configures a classification parameter in the non-encrypted portion of the encrypted IP data packet, and the sending unit sends the encrypted IP data packet to the classification node.
  • the classification node includes a receiving unit and a classifier, and the receiving unit receives the encrypted IP data packet that is sent by the encryption node and carries the classification parameter in the non-encrypted portion, and the classifier classifies the encrypted IP data packet according to the classification parameter, and The classified packet is sent to the decryption node.
  • the decryption node decrypts and processes the received encrypted IP data packet.
  • the encryption node further includes a first configuration unit
  • the classification node further includes a second configuration unit.
  • the first configuration unit and the second configuration unit are configured to set different encrypted classification parameters for different service flows.
  • the encryption node in the fourth embodiment may be HA in the WiMAX system
  • the classification node may be a base station in the WiMAX system or an ASN-GW or an AR
  • the decryption node may be a terminal in the WiMAX system.
  • the invention is not limited thereto.
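The Filter Header of the first embodiment, as an added example that is not part of the patent: the encryption node (HA) builds the tunnel IPv6 header plus a Filter Header whose Options carry Filter type / Filter value pairs padded to a multiple of 8 bytes, the classification node reads only that unencrypted part to pick a service flow, and the decryption node steps over it without processing. The Filter Header's protocol number (253, an IANA experimental value), the Table 3 filter types other than type 4, the 2-byte encoding of the page's value 8E, and zero bytes as padding are all assumptions, because the page leaves them open.

```python
import struct

PROTO_ESP = 50          # IANA protocol number for ESP
PROTO_FILTER_HDR = 253  # assumption: the page leaves the Filter Header's Type open;
                        # 253 is an IANA experimental number used as a placeholder

# Filter types and value lengths. Only "type 4 = destination port" is stated on the
# page; the other rows are constructed stand-ins for Table 3, which is not reproduced.
FILTER_LEN = {
    1: 16,  # source IPv6 address (assumed)
    2: 16,  # destination IPv6 address (assumed)
    3: 2,   # source port (assumed)
    4: 2,   # destination port (from the page)
    5: 1,   # upper-layer protocol number (assumed)
}


def build_filter_header(next_header, filters):
    """Encode Options as consecutive Filter type / Filter value pairs.

    Hdr Ext Len follows the normal IPv6 rule (8-octet units, first 8 octets not
    counted). The tail is zero-padded to a multiple of 8 bytes; zero is not a
    Filter type, so the parser treats it as padding (an assumption).
    """
    opts = bytearray()
    for ftype, value in filters:
        if ftype not in FILTER_LEN or len(value) != FILTER_LEN[ftype]:
            raise ValueError(f"bad filter type {ftype} or value length")
        opts.append(ftype)
        opts += value
    body = bytes([next_header, 0]) + bytes(opts)
    body += b"\x00" * ((-len(body)) % 8)
    return bytes([next_header, len(body) // 8 - 1]) + body[2:]


def parse_filter_header(buf):
    """Return (next_header, total_length, {filter_type: value}); raise on malformed input."""
    if len(buf) < 8:
        raise ValueError("truncated Filter Header")
    next_header, total = buf[0], (buf[1] + 1) * 8
    if len(buf) < total:
        raise ValueError("Hdr Ext Len runs past the packet")
    opts, filters, i = buf[2:total], {}, 0
    while i < len(opts) and opts[i] != 0:          # zero byte = padding
        ftype = opts[i]
        if ftype not in FILTER_LEN:
            raise ValueError(f"unknown filter type {ftype}")
        value = opts[i + 1:i + 1 + FILTER_LEN[ftype]]
        if len(value) != FILTER_LEN[ftype]:
            raise ValueError("filter value runs past the header")
        filters[ftype] = bytes(value)
        i += 1 + FILTER_LEN[ftype]
    return next_header, total, filters


def build_tunnel_packet(src, dst, filters, esp_part_bytes):
    """Encryption node (HA): tunnel IPv6 header, Filter Header, then the ESP part."""
    payload = build_filter_header(PROTO_ESP, filters) + esp_part_bytes
    # Fixed IPv6 header: version 6, traffic class 0, flow label 0, hop limit 64.
    fixed = struct.pack("!IHBB16s16s", 6 << 28, len(payload), PROTO_FILTER_HDR, 64, src, dst)
    return fixed + payload


def classify(packet, rules, default_flow="best-effort"):
    """Classification node (BS/ASN-GW/AR): picks a service flow from the tunnel header
    and Filter Header only; the ESP part is never inspected. A malformed Filter
    Header yields no parameters, so the packet lands in the default flow, not dropped."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return default_flow
    filters = {}
    if packet[6] == PROTO_FILTER_HDR:
        try:
            _, _, filters = parse_filter_header(packet[40:])
        except ValueError:
            filters = {}
    for service_flow, required in rules:
        if all(filters.get(t) == v for t, v in required.items()):
            return service_flow
    return default_flow


def esp_part(packet):
    """Decryption node (terminal): step over the Filter Header without acting on it."""
    next_header, offset = packet[6], 40
    if next_header == PROTO_FILTER_HDR:
        next_header, ext_len, _ = parse_filter_header(packet[40:])
        offset += ext_len
    if next_header != PROTO_ESP:
        raise ValueError("expected ESP after the tunnel header")
    return packet[offset:]


# Constructed sample: HA 2001:db8::1 tunnels to terminal 2001:db8::2. The ESP part
# is opaque stand-in bytes (SPI, sequence number, ciphertext).
HA_ADDR = bytes.fromhex("20010db8000000000000000000000001")
MS_ADDR = bytes.fromhex("20010db8000000000000000000000002")
SAMPLE_ESP = struct.pack("!II", 0x1234, 7) + b"\xaa" * 24

# Constructed rules for the classification node. The first uses the page's own
# example (Filter type 4, Filter value 8E); encoding 8E as the 16-bit port 0x008E
# is an assumption, since the page does not give the value width.
RULES = [
    ("sf-dst-port-8e", {4: b"\x00\x8e"}),
    ("sf-udp", {5: bytes([17])}),
]
```

Packets with an unknown filter type or an Hdr Ext Len that overruns the buffer fall into the default flow rather than crashing the classification node, which is the failure mode a node in the forwarding path has to survive.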

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A packet classification method includes: an encryption node adds or configures classification parameters in the unencrypted portion of encrypted IP packets; a classification node classifies the encrypted IP packets according to the classification parameters. A system, an encryption node and a classification node for packet classification are also provided. The classification node is able to read the classification parameters from the unencrypted portion after receiving the encrypted IP packets. Multiple methods for obtaining the classification parameters are also provided, so that the classification flexibility is improved.

Description

数据包分类方法及其系统、 加密节点、 分类节点  Packet classification method and system thereof, encryption node, classification node
相关申请的交叉引用 Cross-reference to related applications
本申请要求于 2006 年 8 月 4 日提交中国专利局、 申请号为 200610103862.2、 发明名称为 "一种数据包分类方法及其系统"的中国专 利申请的优先权, 其全部内容通过引用合并于此。 技术领域  The present application claims priority to Chinese Patent Application No. 200610103862.2, entitled "A Packet Classification Method and System", filed on August 4, 2006, the entire contents of . Technical field
本发明涉及无线通信技术领域, 特别是一种数据包分类技术。 发明背景  The present invention relates to the field of wireless communication technologies, and in particular, to a packet classification technique. Background of the invention
Worldwide Interoperability for Microwave Access (WiMAX) is a wireless metropolitan area network technology based on the Institute of Electrical and Electronics Engineers (IEEE) 802.16 standard. Figure 1 shows the WiMAX network architecture of the prior art. Referring to Figure 1, a WiMAX network consists of three main parts: the terminal; the access service network (ASN), which includes the base station (BS) and the access service network gateway (ASN-GW); and the connectivity service network (CSN), which includes logical entities such as the policy server (PF), the authentication, authorization and accounting server (AAA server) and the application server (AF). The radio side of the WiMAX network uses the wireless metropolitan area network access technology of the IEEE 802.16d/e standards. R1, R2, R3 and so on in Figure 1 denote reference points, that is, interfaces.

In a WiMAX system, the ASN is the set of network functions that provides radio access services to terminals; it includes the network elements BS and ASN-GW. The CSN provides IP connectivity services to terminals. The terminal is the mobile user equipment with which the user accesses the WiMAX network.

In a WiMAX network, a classifier maps the various services carried by the network onto specific service flows of the bearer network. The classifier for uplink traffic is implemented on the terminal; the classifier for downlink traffic is implemented on the BS or the ASN-GW. The service flow is the smallest object on which the WiMAX bearer network guarantees quality of service (QoS); different service flows may have different QoS guarantees, and the classifier assigns upper-layer traffic to the corresponding service flow according to its QoS requirements. A classifier consists of a series of classification rules; the specific classification parameters are given in the relevant IEEE standards. When IP traffic is carried, one of the main classification parameters is the IP address. For example, an IPv4 packet can be classified into a particular service flow according to its source/destination IP address, protocol type and source/destination Transmission Control Protocol/User Datagram Protocol (TCP/UDP) port numbers.

Once Mobile IPv6 (MIPv6) is applied to a WiMAX network, data between the terminal and the home agent (HA) located in the CSN is transmitted through a tunnel. In a wireless network, however, data of different QoS classes must be classified into different data channels to make better use of air-interface resources; in a WiMAX network this means classifying IP packets into different service flows for transmission.

Although the existing IEEE standards define a series of classifier rules, one case cannot be handled once MIPv6 is applied to a WiMAX network. When the data between the terminal and the HA is encrypted with IP Security/Encapsulating Security Payload (IPsec/ESP), the IP packets between the terminal and the HA use tunnel mode: when the HA encrypts, it encrypts and protects the entire received IP packet and prepends a tunnel IP header to the encrypted packet. A classifier that relies on information in the inner IP packet to distinguish service flows therefore cannot work, because the inner packet can only be decrypted at the terminal or the HA, while the classifier must classify packets at a classification node on the transmission path between these two entities, such as the ASN-GW, an access router (AR) or the BS.

Summary of the invention
In view of this, embodiments of the present invention provide a data packet classification method, a system for data packet classification, an encryption node and a classification node, so that encrypted data packets can be classified.

An embodiment of the present invention provides a data packet classification method, which includes:

an encryption node adds or configures classification parameters in the non-encrypted part of an encrypted IP data packet and sends the encrypted IP data packet to a classification node;

the classification node classifies the encrypted IP data packet according to the classification parameters.

An embodiment of the present invention further provides a system for data packet classification, which includes: an encryption node, configured to add or configure classification parameters in the non-encrypted part of an encrypted IP data packet and to send the encrypted IP data packet to a classification node;

a classification node including a classifier, the classifier being configured to classify the encrypted IP data packet according to the classification parameters in the encrypted IP data packet.

An embodiment of the present invention further provides an encryption node, including:

an adding/configuring unit, configured to add or configure classification parameters in the non-encrypted part of an encrypted IP data packet;

a sending unit, configured to send the encrypted IP data packet to a classification node.

An embodiment of the present invention further provides a classification node, including: a receiving unit, configured to receive an encrypted IP data packet that carries classification parameters in its non-encrypted part;

a classifier, configured to classify the encrypted IP data packet according to the classification parameters in the encrypted IP data packet.

It can be seen from the above solutions that, because the encryption node in the embodiments of the present invention adds classification parameters to the non-encrypted part of the encrypted IP data packet, the classifier of the classification node can read the classification parameters directly from the non-encrypted part when the packet arrives and classify the packet accordingly. Thus, even though the encrypted IP data packet can only be decrypted at the decryption node, the classification node obtains the classification parameters and classifies the packet without decrypting it. The embodiments of the present invention provide several ways of obtaining the classification parameters, which increases the flexibility of classification.

Brief description of the drawings
Figure 1 is a schematic diagram of a WiMAX network architecture in the prior art;

Figure 2 is a flow diagram of the first embodiment of the present invention;

Figure 3 is a flow diagram of the second embodiment of the present invention;

Figure 4 is a flow diagram of the third embodiment of the present invention;

Figure 5 is a flow diagram of the fourth embodiment of the present invention;

Figure 6 is a schematic diagram of the system structure of the first embodiment of the present invention;

Figure 7 is a schematic diagram of the system structure of the second and third embodiments of the present invention; Figure 8 is a schematic diagram of the system structure of the fourth embodiment of the present invention.

Mode for carrying out the invention
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below by way of embodiments.

In the embodiments of the present invention, the encryption node adds or configures classification parameters in the non-encrypted part of the encrypted IP data packet, every subsequent encrypted IP data packet carries classification parameters, and the classification node classifies the encrypted IP data packet according to those classification parameters. Here, adding classification parameters means adding new parameters to the non-encrypted part of the encrypted IP data packet, the newly added parameters serving as classification parameters; configuring classification parameters means setting parameters that already exist in the non-encrypted part of the encrypted IP data packet, the configured parameters serving as classification parameters.
The structure of the IP data packet before and after encryption in tunnel-mode transmission is described first. Referring to Table 1, the IP data packet before encryption consists of: tunnel IP header, tunnel IP extension header, original IP header, original IP extension header, upper-layer protocol header and data.

Table 1

| Tunnel IP header | Tunnel IP extension header | Original IP header | Original IP extension header | Upper-layer protocol header | Data |

Table 2

| Tunnel IP header | Tunnel IP extension header | ESP header | Encrypted data | ESP authentication (ESP AUTH) |

Referring to Table 2, when the IP data packet is transmitted encrypted, for example with IPsec/ESP, the encrypted IP data packet consists of: tunnel IP header, tunnel IP extension header, ESP header, encrypted data and ESP authentication (ESP AUTH). The encrypted part is the encrypted data; the non-encrypted part comprises the tunnel IP header, the tunnel IP extension header, the ESP header and so on. The encrypted data is formed by encrypting the original IP header, original IP extension header, upper-layer protocol header and data of the pre-encryption IP data packet. In the tunnel IP header, the destination and source addresses must be built according to the actual situation; the other fields may, as appropriate, be built by the encryption node or copied from the corresponding fields of the original IP header. The tunnel IP extension header is built by the encryption node itself and normally cannot be copied from the original IP extension header of the pre-encryption packet. It can be seen from the structures shown in Table 1 and Table 2 that if a classification node between the encryption node and the decryption node needs to classify by information in the pre-encryption IP data packet, the classifier on the classification node cannot classify the existing encrypted IP data packet directly, because the information it relies on is encrypted.
The classification parameters described in the embodiments of the present invention are shown in Table 3, but are not limited to these. The classification node may classify according to any one of these parameters or any combination of them.

Table 3

Type   Packet filter attribute           Size (bits)
1      Source address                    128
2      Destination address               128
3      Upper-layer protocol              8
4      Destination port                  16
5      Source port                       16
6      Traffic class                     8
7      Flow label                        20
8      Security parameter index (SPI)    8

First embodiment:
Referring to Figure 2, the flow of the first embodiment of the present invention is as follows.

Steps 101 to 102: before encrypting the IP data packet, the encryption node extracts the classification information that may be used for classification and adds these classification parameters to the non-encrypted part of the encrypted IP data packet.

The case where the non-encrypted part is the tunnel IP extension header is taken as an example here. The tunnel IP extension header of this embodiment may be defined as follows: its name is Filter Header; its Type may be determined later; its structure may be as shown in Table 4. Referring to Table 4, the first 8 bits of the new tunnel IP extension header are the Next Header field, which marks the start of the Filter Header; the second 8 bits are the header extension length (Hdr Ext Len) field, which gives the length of the Filter Header; the following bits are the Options part, which carries the specific classification parameters. The Next Header and Hdr Ext Len fields may be defined in the same way as in ordinary IPv6 extension headers and are not described further here. The Options part may take the form shown in Table 5, arranged in the order Filter type, Filter value, where the Filter type is the type in Table 3 and the Filter value is the value of the packet filter attribute in Table 3; for example, when the classification parameter is the destination port, the Filter type is 4 and the Filter value is 8E. When the total length of the extension header is not an integer multiple of 8 bytes, padding bits may be appended at the end to bring it to an integer multiple of 8 bytes.

Table 4

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Next Header  |  Hdr Ext Len  |            Options            ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Table 5

| Filter type | Filter value | Filter type | Filter value | ... |

The tunnel IP extension header described above is merely an example of an embodiment of the present invention; the present invention is obviously not limited to it.

Further, if the encryption node knows in advance which classification information the classification node needs in order to classify and transmit the packets, the encryption node may select that classification information and add it to the tunnel IP extension header of the encrypted IP data packet; if the encryption node does not know which information the classification node needs, it may add all the classification information of Table 3 to the tunnel IP extension header of the encrypted IP data packet.

Besides adding classification parameters to the tunnel IP extension header, classification parameters such as the SPI may also be added to the ESP header.

Step 103: the encryption node sends the encrypted IP data packet with the added classification parameters to the classifier of the classification node.

Step 104: the classifier of the classification node receives the above IP data packet from the encryption node, classifies it according to the classification parameters in the tunnel IP extension header and assigns it to the corresponding service flow, so that it is transmitted to the decryption node over the corresponding data channel.

Further, if the classification node knows that subsequent nodes no longer need some or all of the classification parameters in the Filter Header, it may delete the unneeded classification parameters, in part or in whole.

Step 105: the classification node sends the classified IP data packet to the decryption node over the corresponding data channel. When the decryption node receives a packet carrying the Filter Header extension header, it may ignore this tunnel IP extension header without any processing.

In addition, since the tunnel IP header also contains the Traffic Class and Flow Label fields, if these two fields of the tunnel IP header are identical to those of the original IP header, they need not be carried in the tunnel IP extension header. Therefore, step 101 may be preceded by a query that finds that the classification parameters overlap with the content of the tunnel IP header of the encrypted IP data packet, in which case in step 101 the non-overlapping part of the classification parameters is assembled into the tunnel IP extension header and written into the tunnel IP extension header part of the encrypted IP data packet; or step 101 may be preceded by a query that finds that the classification parameters do not overlap with the tunnel IP header of the encrypted IP data packet, in which case in step 101 all the classification parameters are assembled into the tunnel IP extension header and written into the tunnel IP extension header part of the encrypted IP data packet. Correspondingly, in step 104 the classification node classifies according to the classification parameters in the tunnel IP header and in the tunnel IP extension header.
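The first embodiment (steps 101 to 105 together with the Filter Header of Tables 4 and 5) in working form, as an added example that is not part of the patent: the encryption node reads the classification parameters from the inner IPv6/TCP packet, copies Traffic Class and Flow Label into the tunnel header (the query step), places the remaining parameters in a Filter Header as (Filter type, Filter value) options padded to a multiple of 8 octets, and ESP-encapsulates the inner packet; the classification node classifies from the tunnel header, the Filter Header and the SPI of the ESP header without decrypting anything; the decryption node skips the Filter Header and recovers the inner packet after checking the integrity check value (ICV). Assumptions, marked in the code: the Filter Header's own protocol number (253, an experimental value from RFC 3692, since the patent leaves the Type undetermined), option values carried right-aligned in whole bytes with a type byte of 0 as padding, and a keyed-hash keystream standing in for a real ESP cipher because the IPsec transform is not the point. The last function shows the caveat a practitioner should keep in mind: the ESP ICV (RFC 4303) covers only the ESP header, payload and trailer, not the tunnel IP header or its extension headers, so a classification parameter can be rewritten on the path without the decryption node noticing, and the classification node must treat these parameters as unauthenticated QoS hints rather than as a security decision.

```python
import hashlib
import hmac
import socket
import struct

NH_TCP, NH_IPV6, NH_ESP = 6, 41, 50   # IANA protocol numbers
NH_FILTER, AF6 = 253, socket.AF_INET6   # 253: ASSUMPTION, an experimental value (RFC 3692); the patent leaves the type TBD
# Table 3 types -> (name, value size in bytes). ASSUMPTION: values right-aligned in whole bytes; type byte 0 = padding.
FILTER_TYPES = {1: ("src_addr", 16), 2: ("dst_addr", 16), 3: ("upper_proto", 1), 4: ("dst_port", 2),
                5: ("src_port", 2), 6: ("traffic_class", 1), 7: ("flow_label", 3)}
TYPE_BY_NAME = {name: t for t, (name, _) in FILTER_TYPES.items()}

def ipv6_header(src, dst, next_header, payload_len, traffic_class=0, flow_label=0):   # RFC 8200 fixed header
    word0 = (6 << 28) | (traffic_class << 20) | flow_label
    return struct.pack("!IHBB", word0, payload_len, next_header, 64) + socket.inet_pton(AF6, src) + socket.inet_pton(AF6, dst)

def parse_ipv6_header(buf):
    word0, _plen, nh, _hop = struct.unpack("!IHBB", buf[:8])
    return {"traffic_class": (word0 >> 20) & 0xFF, "flow_label": word0 & 0xFFFFF, "next_header": nh,
            "src_addr": socket.inet_ntop(AF6, buf[8:24]), "dst_addr": socket.inet_ntop(AF6, buf[24:40])}

def build_filter_header(params, next_header):   # Tables 4/5: Next Header | Hdr Ext Len | (type, value)... | padding
    opts = b""
    for name, value in params.items():
        t = TYPE_BY_NAME[name]
        opts += bytes([t]) + (socket.inet_pton(AF6, value) if name.endswith("_addr")
                              else value.to_bytes(FILTER_TYPES[t][1], "big"))
    opts += b"\x00" * ((-(2 + len(opts))) % 8)   # pad to a multiple of 8 octets
    return struct.pack("!BB", next_header, (2 + len(opts)) // 8 - 1) + opts   # Hdr Ext Len as in RFC 8200

def parse_filter_header(buf):   # -> (next header, total length, parameters); reads nothing that is encrypted
    next_header, hdr_ext_len = struct.unpack("!BB", buf[:2])
    end, i, params = (hdr_ext_len + 1) * 8, 2, {}
    while i < end and buf[i] != 0:   # type 0 = padding, nothing meaningful follows
        name, size = FILTER_TYPES[buf[i]]
        raw = buf[i + 1:i + 1 + size]
        params[name] = socket.inet_ntop(AF6, raw) if name.endswith("_addr") else int.from_bytes(raw, "big")
        i += 1 + size
    return next_header, end, params

def keystream_xor(key, spi, seq, data):   # stand-in for the ESP cipher (HMAC-SHA256 counter mode), not an IPsec transform
    out = b"".join(hmac.new(key, struct.pack("!IIQ", spi, seq, b), hashlib.sha256).digest()
                   for b in range((len(data) + 31) // 32))
    return bytes(x ^ y for x, y in zip(data, out))

def esp_encapsulate(key, spi, seq, inner):   # tunnel-mode ESP: SPI | Seq | ciphertext | 128-bit truncated HMAC ICV
    padlen = (-(len(inner) + 2)) % 4
    plain = inner + bytes(range(1, padlen + 1)) + bytes([padlen, NH_IPV6])   # payload, padding, pad len, next hdr
    body = struct.pack("!II", spi, seq) + keystream_xor(key, spi, seq, plain)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:16]   # the ICV covers the ESP body only

def encryption_node(inner, tunnel_src, tunnel_dst, key, spi, seq):   # steps 101-103 at the HA
    params = parse_ipv6_header(inner)   # step 101: read the inner packet before it is encrypted
    params["upper_proto"] = params.pop("next_header")
    params["src_port"], params["dst_port"] = struct.unpack("!HH", inner[40:44])   # TCP/UDP ports
    tc, fl = params.pop("traffic_class"), params.pop("flow_label")   # query step: these ride in the tunnel header
    esp = esp_encapsulate(key, spi, seq, inner)
    fh = build_filter_header(params, NH_ESP)
    return ipv6_header(tunnel_src, tunnel_dst, NH_FILTER, len(fh) + len(esp), tc, fl) + fh + esp

def cleartext_view(pkt):   # -> (next header after the tunnel headers, offset of ESP, cleartext parameters)
    outer = parse_ipv6_header(pkt)
    params = {"traffic_class": outer["traffic_class"], "flow_label": outer["flow_label"]}
    nh, off = outer["next_header"], 40
    if nh == NH_FILTER:
        nh, length, fh_params = parse_filter_header(pkt[40:])
        params.update(fh_params)
        off += length
    return nh, off, params

def classification_node(pkt, rules):   # step 104 at the BS/ASN-GW: the ESP payload stays opaque
    nh, off, params = cleartext_view(pkt)
    if nh == NH_ESP:
        params["spi"] = struct.unpack("!I", pkt[off:off + 4])[0]   # the ESP header's 32-bit SPI (RFC 4303)
    for service_flow, match in rules:
        if all(params.get(k) == v for k, v in match.items()):
            return service_flow, params
    return "best-effort", params

def decryption_node(pkt, key):   # step 105 at the terminal: Filter Header skipped, ICV verified, then decrypt
    _nh, off, _ = cleartext_view(pkt)
    body, icv = pkt[off:-16], pkt[-16:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest()[:16], icv):
        raise ValueError("ESP ICV mismatch")
    spi, seq = struct.unpack("!II", body[:8])
    plain = keystream_xor(key, spi, seq, body[8:])
    return plain[:-(plain[-2] + 2)]   # drop padding, pad length and next header

def rewrite_filter_value(pkt, name, value):   # on-path change of one parameter; the ICV does not cover it
    nh, length, params = parse_filter_header(pkt[40:])
    params[name] = value
    return pkt[:40] + build_filter_header(params, nh) + pkt[40 + length:]

INNER = (ipv6_header("2001:db8::10", "2001:db8::20", NH_TCP, 25, traffic_class=0xB8, flow_label=0x12345)   # constructed
         + struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + b"hello")
RULES = [("sf-voice", {"upper_proto": 17, "dst_port": 5060}),
         ("sf-https", {"upper_proto": NH_TCP, "dst_port": 443, "dst_addr": "2001:db8::20"})]
KEY = b"\x11" * 32   # constructed SA key
PACKET = encryption_node(INNER, "2001:db8:ffff::1", "2001:db8:ffff::2", KEY, spi=0x1001, seq=1)
```

With the constructed sample, the classification node assigns the packet to "sf-https" from the Filter Header alone, and the decryption node recovers the inner packet. Rewriting the destination port option on the path moves the same packet to best-effort while the decryption node still accepts it, which is why a deployment should treat the Filter Header as a hint that the encryption node is trusted to fill in, or protect it separately (for example with AH or a link-layer integrity mechanism) if misclassification has a cost.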
The above method of this embodiment may be implemented by the system shown in Figure 6. The system includes an encryption node and a classification node, and may further include a decryption node.

The encryption node adds classification parameters to the non-encrypted part of the encrypted IP data packet and sends the encrypted IP data packet. The encryption node includes at least an adding/configuring unit and a sending unit: the adding/configuring unit adds or configures classification parameters in the non-encrypted part of the encrypted IP data packet, and the sending unit sends the encrypted IP data packet to the classification node.

The classification node includes a receiving unit and a classifier. The receiving unit receives the encrypted IP data packet sent by the encryption node, which carries classification parameters in its non-encrypted part; the classifier classifies the encrypted IP data packet according to the classification parameters and sends the classified packet to the decryption node.

The decryption node decrypts and processes the received encrypted IP data packet.

As shown in Figure 6, the encryption node may further include an extracting unit and/or a query unit. The extracting unit extracts classification parameters from the pre-encryption IP data packet; the query unit obtains the part of the classification parameters that does not overlap with the tunnel IP header of the encrypted IP data packet, so that it can be written into the tunnel IP extension header part of the encrypted IP data packet.

The classification node shown in Figure 6 may further include a deleting unit for deleting some or all of the classification parameters of the encrypted IP data packet.

In this embodiment the encryption node may be the HA of a WiMAX system, the classification node may be the base station, the ASN-GW or the AR of a WiMAX system, and the decryption node may be the terminal of a WiMAX system. The present invention is, however, not limited to this.

Second embodiment:
In the second embodiment, the encryption node assigns different classification parameters to different service flows in advance, through interaction with the decryption node or the classification node. For simplicity, this embodiment takes the assignment of the flow label (Flow Label) as an example. Briefly, the IPv6 basic header contains a Flow Label field that uniquely identifies a service flow from the source address to the destination address; its value is generally assigned by the source, that is, at the encryption node.

Step 201: the encryption node and the decryption node interact to exchange the pre-encryption classifier information of the classification node and assign different Flow Labels to different service flows. This may be done when the encryption node and the decryption node establish a security association (SA), or at some other time.

It is assumed here that the decryption node has already learned the pre-encryption classifier information of the classification node, for example by interacting with the classification node.

Step 202: the encryption node notifies the classification node of the pre-encryption service flow classifier information and the corresponding Flow Labels. Since the decryption node also holds the pre-encryption service flow classifier information and the corresponding Flow Labels, in this step the decryption node may instead notify the classification node of them.

Step 203: the encryption node configures the Flow Label in the tunnel IP extension header of the encrypted IP data packet, setting it to the Flow Label newly assigned in step 201 to the service flow to which the packet belongs. The encryption node therefore does not need to extract the original Flow Label from the pre-encryption IP data packet.

Step 204: the encryption node sends out the encrypted IP data packet with the configured Flow Label.

Step 205: the classifier of the classification node receives the above IP data packet from the encryption node, classifies it according to the Flow Label and the other classification parameters in the tunnel IP extension header and assigns it to the corresponding service flow, so that it is transmitted to the decryption node over a different data channel.

Step 206: the classification node sends the classified IP data packet to the decryption node over the corresponding data channel.

Third embodiment:
Unlike the second embodiment, in the third embodiment the encryption node and the classification node assign different Flow Labels to different service flows directly through interaction with each other. Referring to Figure 4, the third embodiment includes the following steps.

Step 301: the encryption node and the decryption node establish an SA and exchange the pre-encryption classifier information.

Step 302: the encryption node and the classification node assign different Flow Labels to different service flows through interaction.

Step 303: the encryption node configures the Flow Label in the tunnel IP extension header of the encrypted IP data packet, setting it to the Flow Label assigned in step 302 to the service flow to which the packet belongs. The encryption node therefore does not need to extract the original Flow Label from the pre-encryption IP data packet.

Step 304: the encryption node sends out the encrypted IP data packet configured with the Flow Label assigned in step 302.

Step 305: the classifier of the classification node receives the above IP data packet from the encryption node, classifies it according to the Flow Label and the other classification parameters in the tunnel IP extension header and assigns it to the corresponding service flow, so that it is transmitted to the decryption node over a different data channel.

Step 306: the classification node sends the classified IP data packet to the decryption node over the corresponding data channel. After receiving the IP data packet, the decryption node may ignore this tunnel IP extension header without any processing.
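The Flow Label assignment of the second and third embodiments (steps 201 to 206 and 301 to 306) in working form, as an added example that is not part of the patent: the encryption node allocates one distinct, non-zero 20-bit Flow Label per service flow for each tunnel (source, destination) address pair; the resulting mapping is the notification of step 202 or 302; each outgoing packet's tunnel header is labelled by matching the inner packet against the pre-encryption classifier, so the inner packet's own Flow Label is never needed; and the classification node classifies on the tunnel header's Flow Label keyed by the tunnel address pair, because a flow label identifies a flow only together with the source and destination addresses (RFC 6437). The rule format, the service-flow names and the notification being a plain mapping are assumptions, and the exchange over the SA is represented by passing that mapping around. The tunnel-header label is just as unauthenticated as a Filter Header option, so the classification node should treat it as a QoS hint from a trusted encryption node, not as a security property.

```python
import secrets
import socket
import struct

FLOW_LABEL_MAX = 0xFFFFF   # the Flow Label is a 20-bit field; 0 means "no label" (RFC 6437)
NH_ESP, AF6 = 50, socket.AF_INET6

# Constructed pre-encryption classifier: (service flow, match on inner-packet fields). ASSUMPTION: this is what
# the encryption and decryption nodes exchange at SA setup (step 201/301) and what the classification node holds.
PRE_ENCRYPTION_CLASSIFIER = [("sf-voice", {"upper_proto": 17, "dst_port": 5060}),
                             ("sf-video", {"upper_proto": 17, "dst_port": 8000}),
                             ("sf-web", {"upper_proto": 6, "dst_port": 443})]

class FlowLabelAllocator:   # encryption-node side of step 201/302
    def __init__(self, rng=secrets.randbelow):
        self._rng = rng          # injectable so an allocation can be replayed
        self._labels = {}        # (tunnel_src, tunnel_dst, service_flow) -> label

    def allocate(self, tunnel_src, tunnel_dst, classifier):
        """One distinct non-zero label per service flow, unique within the tunnel (src, dst) pair."""
        used = {lab for (s, d, _), lab in self._labels.items() if (s, d) == (tunnel_src, tunnel_dst)}
        for service_flow, _match in classifier:
            key = (tunnel_src, tunnel_dst, service_flow)
            if key not in self._labels:
                label = 0
                while label == 0 or label in used:   # never 0, never reused within the pair
                    label = self._rng(FLOW_LABEL_MAX + 1)
                used.add(label)
                self._labels[key] = label
        # The notification of step 202/302: service flow -> Flow Label for this tunnel pair.
        return {sf: self._labels[(tunnel_src, tunnel_dst, sf)] for sf, _ in classifier}

def select_service_flow(inner_params, classifier):   # the encryption node's own classifier, run before encryption
    for service_flow, match in classifier:
        if all(inner_params.get(k) == v for k, v in match.items()):
            return service_flow
    return None

def tunnel_header(tunnel_src, tunnel_dst, payload_len, flow_label, traffic_class=0):   # RFC 8200 fixed header
    word0 = (6 << 28) | (traffic_class << 20) | flow_label
    return (struct.pack("!IHBB", word0, payload_len, NH_ESP, 64)
            + socket.inet_pton(AF6, tunnel_src) + socket.inet_pton(AF6, tunnel_dst))

def label_outgoing(inner_params, tunnel_src, tunnel_dst, mapping, classifier, esp_len):   # step 203/303
    """The tunnel header carries the allocated label; the inner packet's own Flow Label is never read."""
    return tunnel_header(tunnel_src, tunnel_dst, esp_len, mapping.get(select_service_flow(inner_params, classifier), 0))

class LabelClassifier:   # classification-node side of steps 202/205 and 302/305
    def __init__(self):
        self._table = {}   # (tunnel_src, tunnel_dst, label) -> service flow

    def install(self, tunnel_src, tunnel_dst, mapping):
        for service_flow, label in mapping.items():
            self._table[(tunnel_src, tunnel_dst, label)] = service_flow

    def classify(self, outer):
        """Looks at the first 40 bytes only; a label is meaningful only together with the address pair."""
        word0, = struct.unpack("!I", outer[:4])
        src, dst = socket.inet_ntop(AF6, outer[8:24]), socket.inet_ntop(AF6, outer[24:40])
        return self._table.get((src, dst, word0 & FLOW_LABEL_MAX), "best-effort")

# Constructed run: the HA allocates and notifies, the BS installs the table, inner packets are labelled.
HA, MN = "2001:db8:ffff::1", "2001:db8:ffff::2"
allocator = FlowLabelAllocator()
MAPPING = allocator.allocate(HA, MN, PRE_ENCRYPTION_CLASSIFIER)
bs = LabelClassifier()
bs.install(HA, MN, MAPPING)

def classify_samples(samples, src=HA, dst=MN):
    """Service flow chosen by the BS for each constructed inner 5-tuple, without seeing the inner packet."""
    return [bs.classify(label_outgoing(p, src, dst, MAPPING, PRE_ENCRYPTION_CLASSIFIER, esp_len=120)) for p in samples]

SAMPLES = [{"upper_proto": 17, "dst_port": 5060}, {"upper_proto": 6, "dst_port": 443}, {"upper_proto": 6, "dst_port": 8080}]
```

Traffic that matches no pre-encryption rule leaves the encryption node with Flow Label 0 and lands in the best-effort flow, and a label seen from a tunnel address pair for which no mapping was installed is ignored rather than trusted, which is the behaviour a classification node needs when several HAs share the same BS.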
The methods of the second and third embodiments of the present invention may be implemented by the system shown in Figure 7. The system includes an encryption node and a classification node, and may further include a decryption node.

The encryption node configures classification parameters in the non-encrypted part of the encrypted IP data packet and sends it to the classification node. The encryption node includes at least an adding/configuring unit and a sending unit: the adding/configuring unit adds or configures classification parameters in the non-encrypted part of the encrypted IP data packet, and the sending unit sends the encrypted IP data packet to the classification node.

The classification node includes a receiving unit and a classifier. The receiving unit receives the encrypted IP data packet sent by the encryption node, which carries classification parameters in its non-encrypted part; the classifier classifies the encrypted IP data packet according to the classification parameters and sends the classified packet to the decryption node.

The decryption node decrypts and processes the received encrypted IP data packet.

As shown in Figure 7, the encryption node further includes a first interaction unit, the classification node further includes a second interaction unit, and the decryption node further includes a third interaction unit. Corresponding to the third embodiment, the first interaction unit and the second interaction unit assign different post-encryption classification parameters to different service flows through interaction; corresponding to the second embodiment, the first interaction unit and the third interaction unit assign different post-encryption classification parameters to different service flows through interaction and notify the classification node of the service flows and the corresponding post-encryption classification parameters.

Likewise, in the second and third embodiments the encryption node may be the HA of a WiMAX system, the classification node may be the base station, the ASN-GW or the AR of a WiMAX system, and the decryption node may be the terminal of a WiMAX system. The present invention is, however, not limited to this.

Fourth embodiment:
Unlike the preceding embodiments, in the fourth embodiment of the present invention different classification parameters for different service flows are set directly at the encryption node and the classification node. Referring to Figure 5, the fourth embodiment of the present invention includes the following steps.

Step 401: different post-encryption classification parameters are set for different service flows at the encryption node and the classification node, for example manually or automatically.

Step 402: the encryption node adds or configures, in the non-encrypted part of the encrypted IP data packet, the post-encryption classification parameters corresponding to the service flow to which the packet belongs.

Step 403: the encryption node sends out the encrypted IP data packet in which the post-encryption classification parameters have been added or configured.

Step 404: the classification node receives the above IP data packet from the encryption node, classifies it according to the classification parameters in the non-encrypted part and the service flow information corresponding to them, and assigns it to the corresponding service flow, so that it is transmitted to the decryption node over a different data channel.

Step 405: the classification node sends the classified encrypted IP data packet to the decryption node over the corresponding data channel. When the decryption node receives the IP data packet, it may ignore the classification parameters in the non-encrypted part without any processing.

The above method of this embodiment may be implemented by the system shown in Figure 8. The system includes an encryption node and a classification node, and may further include a decryption node.

The encryption node adds or configures classification parameters in the non-encrypted part of the encrypted IP data packet and sends the encrypted IP data packet. The encryption node includes at least an adding/configuring unit and a sending unit: the adding/configuring unit adds or configures classification parameters in the non-encrypted part of the encrypted IP data packet, and the sending unit sends the encrypted IP data packet to the classification node.

The classification node includes a receiving unit and a classifier. The receiving unit receives the encrypted IP data packet sent by the encryption node, which carries classification parameters in its non-encrypted part; the classifier classifies the encrypted IP data packet according to the classification parameters and sends the classified packet to the decryption node.

The decryption node decrypts and processes the received encrypted IP data packet. As shown in Figure 8, the encryption node further includes a first configuration unit and the classification node further includes a second configuration unit. The first configuration unit and the second configuration unit set different post-encryption classification parameters for different service flows.

Likewise, in the fourth embodiment the encryption node may be the HA of a WiMAX system, the classification node may be the base station, the ASN-GW or the AR of a WiMAX system, and the decryption node may be the terminal of a WiMAX system. The present invention is, however, not limited to this.

The foregoing are merely preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement and so on made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims

1. A packet classification method, characterized in that the method comprises:
an encryption node adding or configuring classification parameters in the non-encrypted part of an encrypted IP packet and sending the encrypted IP packet to a classification node; and
the classification node classifying the encrypted IP packet according to the classification parameters.
2. The method of claim 1, characterized in that the classification parameters comprise one, or any combination, of: source address, destination address, upper-layer protocol, destination port, source port, traffic class, flow label and security parameter index (SPI).
3. The method of claim 1, characterized in that the non-encrypted part comprises one, or any combination, of: the tunnel IP header, a tunnel IP extension header and the Encapsulating Security Payload (ESP) header.
4. The method of claim 1, characterized in that the method further comprises: the encryption node extracting the classification parameters from the IP packet before encryption.
5. The method of claim 4, characterized in that the step of adding classification parameters in the non-encrypted part of the encrypted IP packet comprises:
forming the classification parameters into a tunnel IP extension header and writing it into the tunnel IP extension header part of the encrypted IP packet.
6. The method of claim 4, characterized in that the step of adding classification parameters in the non-encrypted part of the encrypted IP packet comprises:
if the classification parameters are found to overlap with content of the tunnel IP header of the encrypted IP packet, forming the non-overlapping part of the classification parameters into a tunnel IP extension header and writing it into the tunnel IP extension header part of the encrypted IP packet; or,
if the classification parameters are found not to overlap with the tunnel IP header of the encrypted IP packet, forming the classification parameters into a tunnel IP extension header and writing it into the tunnel IP extension header part of the encrypted IP packet.
7. The method of claim 1, characterized in that the method further comprises: the encryption node and a decryption node allocating, by interaction, different classification parameters to different service flows; and the encryption node or the decryption node notifying the classification node of the service flows and their corresponding classification parameters.
8. The method of claim 7, characterized in that the method further comprises: the encryption node and the decryption node exchanging classifier information.
9. The method of claim 1, characterized in that the method further comprises: the encryption node and the classification node allocating, by interaction, different classification parameters to different service flows.
10. The method of claim 7, 8 or 9, characterized in that the classification parameters comprise a flow label.
11. The method of claim 1, characterized in that the method further comprises: setting, at the encryption node, different classification parameters for different service flows;
wherein the encryption node adding or configuring classification parameters in the non-encrypted part of the encrypted IP packet is: the encryption node adding or configuring, in the encrypted IP packet, the classification parameters set for the service flow to which that packet belongs.
12. The method of claim 1, characterized in that the method further comprises: the classification node deleting some or all of the classification parameters from the encrypted IP packet.
13. A system for packet classification, characterized in that the system comprises: an encryption node, configured to add or configure classification parameters in the non-encrypted part of an encrypted IP packet and to send the encrypted IP packet to a classification node; and
a classification node comprising a classifier, the classifier being configured to classify the encrypted IP packet according to the classification parameters in the encrypted IP packet.
14. The system of claim 13, characterized in that the encryption node further comprises an extraction unit and/or a query unit,
wherein the extraction unit is configured to extract the classification parameters from the IP packet before encryption, and the query unit is configured to obtain, as the classification parameters to be added, the content of the classification parameters that does not overlap with the tunnel IP header of the encrypted IP packet.
15. The system of claim 13, characterized in that the classification node further comprises a deletion unit, configured to delete some or all of the classification parameters from the encrypted IP packet.
16. The system of claim 13, characterized in that the encryption node further comprises a first interaction unit and the classification node further comprises a second interaction unit; the first and second interaction units are configured to allocate, by interaction, different classification parameters to different service flows.
17. The system of claim 13, characterized in that the encryption node further comprises a first configuration unit and the classification node further comprises a second configuration unit; the first and second configuration units are configured to set different classification parameters for different service flows.
18. The system of any one of claims 13 to 17, characterized in that the encryption node is a Home Agent in a Worldwide Interoperability for Microwave Access (WiMAX) system;
and the classification node is a base station or an access service network gateway in the WiMAX system.
19. The system of claim 13, characterized in that the encryption node further comprises a first interaction unit; the system further comprises a decryption node, which comprises a third interaction unit;
the first and third interaction units are configured to allocate, by interaction, different classification parameters to different service flows, and to notify the classification node of the service flows and their corresponding classification parameters.
20. The system of claim 19, characterized in that the encryption node is a Home Agent in a Worldwide Interoperability for Microwave Access (WiMAX) system;
the classification node is a base station, an access service network gateway or an access router in the WiMAX system; and the decryption node is a terminal in the WiMAX system.
21. An encryption node, characterized in that the encryption node comprises:
an adding/configuring unit, configured to add or configure classification parameters in the non-encrypted part of an encrypted IP packet; and
a sending unit, configured to send the encrypted IP packet to a classification node.
22. The encryption node of claim 21, characterized in that the encryption node further comprises an extraction unit and/or a query unit,
wherein the extraction unit is configured to extract the classification parameters from the IP packet before encryption, and the query unit is configured to obtain, as the classification parameters to be added, the content of the classification parameters that does not overlap with the tunnel IP header of the encrypted IP packet, and to provide it to the adding/configuring unit.
23. The encryption node of claim 21, characterized in that the encryption node further comprises a first interaction unit, configured to allocate different classification parameters to different service flows by interacting with the classification node, or
to allocate different classification parameters to different service flows by interacting with a decryption node and to notify the classification node of the service flows and their corresponding classification parameters.
24. The encryption node of claim 21, characterized in that the encryption node further comprises a first configuration unit, configured to set, together with the classification node, different classification parameters for different service flows.
25. The encryption node of any one of claims 21 to 24, characterized in that the encryption node is a Home Agent in a WiMAX system.
26. A classification node, characterized in that the classification node comprises:
a receiving unit, configured to receive an encrypted IP packet carrying classification parameters in its non-encrypted part; and
a classifier, configured to classify the encrypted IP packet according to the classification parameters in the encrypted IP packet.
27. The classification node of claim 26, characterized in that the classification node further comprises a deletion unit, configured to delete some or all of the classification parameters from the encrypted IP packet.
28. The classification node of claim 26, characterized in that the classification node further comprises a second interaction unit, configured to allocate different classification parameters to different service flows by interacting with the encryption node.
29. The classification node of claim 26, further comprising a second configuration unit, configured to set, together with the encryption node, different classification parameters for different service flows.
30. The classification node of any one of claims 26 to 29, characterized in that the classification node is a base station, an access service network gateway or an access router in a WiMAX system.
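A worked implementation of the mechanism of step 405 / Fig. 8 and of claims 1 to 6 and 12 above, added here as an example; it is not code from the patent or from Huawei. It assumes an IPv6 tunnel in which the encryption node writes the parameters it extracted from the plaintext packet into a Destination Options header placed in front of the ESP header, leaving out fields the tunnel header already carries (claim 6), and in which the classification node matches rules against those cleartext fields, or against the ESP SPI, without decrypting anything, then strips the extension header before forwarding (claim 12). The option type 0x1E, the field layout inside the option, the addresses, the rule table and the sample packet are all constructed for the example, and toy_encrypt() is a stand-in for the ESP cipher, not IPsec.

```python
"""Classification parameters in the cleartext part of an ESP tunnel-mode IPv6 packet.
Added example, not code from the patent. Assumed (not in the patent): parameters ride in one
Destination Options option of type 0x1E, its layout is ours, toy_encrypt() is not IPsec."""
import hashlib
import struct
from ipaddress import IPv6Address

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_DSTOPTS = 17, 50, 60
OPT_CLASSIFY = 0x1E  # assumed option type; leading bits 000 = skip if unknown, immutable en route

def ipv6_header(src, dst, nxt, plen, tclass=0, flabel=0):
    vtf = (6 << 28) | (tclass << 20) | flabel
    return struct.pack("!IHBB16s16s", vtf, plen, nxt, 64, src, dst)

def parse_ipv6(pkt):
    vtf, plen, nxt, _, src, dst = struct.unpack("!IHBB16s16s", pkt[:40])
    return dict(tclass=(vtf >> 20) & 0xFF, flabel=vtf & 0xFFFFF, plen=plen, nxt=nxt, src=src, dst=dst)

def extract_params(inner):
    """Claim 4: the claim-2 selectors, read from the plaintext packet before encryption."""
    p = parse_ipv6(inner)
    p["proto"] = p.pop("nxt")
    p["sport"], p["dport"] = struct.unpack("!HH", inner[40:44]) if p["proto"] in (6, 17) else (0, 0)
    return p

def build_dstopts(p, outer_src, outer_dst, nxt):
    """Claims 5/6: write only the fields the tunnel header does not already carry."""
    flags = int(p["src"] != outer_src) | (int(p["dst"] != outer_dst) << 1)
    body = bytes([flags]) + (p["src"] if flags & 1 else b"") + (p["dst"] if flags & 2 else b"")
    body += struct.pack("!BHH", p["proto"], p["sport"], p["dport"])
    opt = bytes([OPT_CLASSIFY, len(body)]) + body
    pad = (-(2 + len(opt))) % 8  # an extension header must end on an 8-octet boundary
    padding = b"\x01" + bytes([pad - 2]) + bytes(pad - 2) if pad > 1 else b"\x00" * pad  # PadN / Pad1
    return bytes([nxt, (2 + len(opt) + pad) // 8 - 1]) + opt + padding

def toy_encrypt(key, data):
    """Stand-in for the ESP cipher: XOR with a SHA-256 keystream. Not IPsec-grade."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def encryption_node(inner, outer_src, outer_dst, spi, seq, key):
    """The HA in the WiMAX mapping: encrypt, then expose the parameters in cleartext."""
    p = extract_params(inner)
    esp = struct.pack("!II", spi, seq) + toy_encrypt(key, inner)  # SPI and sequence stay cleartext
    ext = build_dstopts(p, outer_src, outer_dst, IPPROTO_ESP)
    # traffic class and flow label overlap with tunnel-header fields, so they go there (claim 6)
    outer = ipv6_header(outer_src, outer_dst, IPPROTO_DSTOPTS, len(ext) + len(esp), p["tclass"], p["flabel"])
    return outer + ext + esp

def read_params(pkt):
    """Classification node: recover the parameters from cleartext alone; no key involved."""
    h = parse_ipv6(pkt)
    out = dict(src=h["src"], dst=h["dst"], tclass=h["tclass"], flabel=h["flabel"], proto=None, sport=None, dport=None, spi=None)
    off, nxt = 40, h["nxt"]
    if nxt == IPPROTO_DSTOPTS:
        nxt, off, i = pkt[40], 40 + (pkt[41] + 1) * 8, 42
        while i < off:
            t = pkt[i]
            ln = 0 if t == 0 else pkt[i + 1]  # Pad1 carries no length octet
            if t == OPT_CLASSIFY:
                body, j = pkt[i + 2:i + 2 + ln], 1
                if body[0] & 1:
                    out["src"], j = body[j:j + 16], j + 16
                if body[0] & 2:
                    out["dst"], j = body[j:j + 16], j + 16
                out["proto"], out["sport"], out["dport"] = struct.unpack("!BHH", body[j:j + 5])
            i += 1 if t == 0 else 2 + ln
    if nxt == IPPROTO_ESP:  # claim 3: the SPI in the ESP header is a parameter as well
        out["spi"] = struct.unpack("!I", pkt[off:off + 4])[0]
    return out

def classify(pkt, rules, default="BE"):
    """First rule whose every field equals the packet's parameters selects the channel."""
    params = read_params(pkt)
    for match, channel in rules:
        if all(params.get(k) == v for k, v in match.items()):
            return channel
    return default

def strip_params(pkt):
    """Claim 12: remove the extension header before forwarding to the decryption node."""
    h = parse_ipv6(pkt)
    if h["nxt"] != IPPROTO_DSTOPTS:
        return pkt
    hlen = (pkt[41] + 1) * 8
    hdr = ipv6_header(h["src"], h["dst"], pkt[40], h["plen"] - hlen, h["tclass"], h["flabel"])
    return hdr + pkt[40 + hlen:]

# Constructed sample: SIP over UDP from a correspondent node (CN) to a WiMAX terminal (MS),
# tunnelled by the HA to the terminal's own address, so inner and outer destination coincide.
KEY = b"\x11" * 16
HA, MS, CN = (IPv6Address(a).packed for a in ("2001:db8:ff::1", "2001:db8:2::20", "2001:db8:1::10"))
INNER = (ipv6_header(CN, MS, IPPROTO_UDP, 12, tclass=0xB8, flabel=0x12345)
         + struct.pack("!HHHH", 4000, 5060, 12, 0) + b"SIP!")
RULES = [({"proto": IPPROTO_UDP, "dport": 5060}, "UGS"),  # signalling for a voice flow
         ({"tclass": 0xB8}, "rtPS")]                       # anything EF-marked
```

On the constructed sample, classify(encryption_node(INNER, HA, MS, 0x1001, 1, KEY), RULES) returns "UGS" because the option exposes UDP port 5060 while the destination address, traffic class and flow label are read from the tunnel header; strip_params() then hands the terminal a plain ESP packet whose SPI remains usable for classification. Two points the patent text leaves implicit: the ESP integrity check (RFC 4303) covers only the ESP header and payload, so neither the tunnel header nor an extension header in front of ESP is authenticated, and the classification node should treat these parameters as QoS hints rather than as input to any access decision (stripping the header before decryption is harmless for the same reason); and repeating the inner selectors in cleartext gives up the traffic-flow confidentiality that tunnel mode otherwise provides, which is the case for the per-flow SPI or the negotiated flow label of claims 7 to 10 where that matters.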
PCT/CN2007/070412 2006-08-04 2007-08-03 A packet classification method and system, encryption node, classification node thereof WO2008017275A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CNA2006101038622A CN101119289A (en) 2006-08-04 2006-08-04 Data packet classification method and system
CN200610103862.2 2006-08-04

Publications (1)

Publication Number Publication Date
WO2008017275A1 true WO2008017275A1 (en) 2008-02-14

Family

ID=39032651

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/070412 WO2008017275A1 (en) 2006-08-04 2007-08-03 A packet classification method and system, encryption node, classification node thereof

Country Status (2)

Country Link
CN (1) CN101119289A (en)
WO (1) WO2008017275A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109561046A * 2017-09-26 2019-04-02 ZTE Corporation Method and device for encrypting the content of a converged-communication public account
CN109819528A * 2019-02-27 2019-05-28 Nubia Technology Co., Ltd. Communication method without network connectivity, mobile terminal and computer-readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004274666A (en) * 2003-03-12 2004-09-30 Mitsubishi Electric Information Systems Corp Data encryption equipment, console terminal, and management device and program
JP2004274493A (en) * 2003-03-10 2004-09-30 Toshiba Corp Communication apparatus, relaying apparatus, communication control method, and communication control program
CN1668026A * 2004-03-13 2005-09-14 Hon Hai Precision Industry (Shenzhen) Co., Ltd. Network quality of service system and method
US20050220091A1 (en) * 2004-03-31 2005-10-06 Lavigne Bruce E Secure remote mirroring


Also Published As

Publication number Publication date
CN101119289A (en) 2008-02-06

Similar Documents

Publication Publication Date Title
US11743767B2 (en) Compression of ethernet packet header
CA2814479C (en) Service data flow detection in a conforming 3gpp access network having a packet modification function
JP4918617B2 (en) Subheader for dummy padding in the MAC protocol data unit
CN101494538B (en) Data transmission control method and communication system and encipher control network element
US11558879B2 (en) Handling network traffic via a fixed access
WO2019033920A1 (en) Method and device enabling network side to identify and control remote user equipment
CN101442428B (en) Application method, system and equipment for end-to-end QoS
CN107006022A (en) LWA PDU method for routing and device
KR20050048684A (en) Method and apparatus for the use of micro-tunnels in a communications system
JP2004266310A (en) Service and address management method in wlan interconnetion
EP2625827B1 (en) Uplink traffic separation in an edge node of a communication network
WO2018126692A1 (en) Method and apparatus for controlling data transmission
WO2011044808A1 (en) Method and system for tracing anonymous communication
CN101374100B (en) Method, apparatus and system for sorting WiMAX business data stream packet
JP2023531312A (en) Data transmission method and device
WO2017035745A1 (en) Data packet processing method and equipment
WO2020135011A1 (en) Transmission method and device and message transmitting terminal and receiving terminal
KR102109704B1 (en) Method and apparatus for forwarding of data traffic
WO2008031362A1 (en) Bearing network, system, device and method for multicast broadcast service
WO2008017275A1 (en) A packet classification method and system, encryption node, classification node thereof
CN101227417B (en) Apparatus and method for data package classification
WO2017210811A1 (en) Security strategy execution method and apparatus
WO2009039797A1 (en) A method, system and apparatus for dynamically updating classifier information
WO2011109992A1 (en) Method, device and system for obtaining information
Wang et al. Research and Design of Next Generation Internet (IPV9) Datagram

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07785408

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

NENP Non-entry into the national phase

Ref country code: RU

122 Ep: pct application non-entry in european phase

Ref document number: 07785408

Country of ref document: EP

Kind code of ref document: A1