WO2008131665A1 - Lawful interception method, communication system, router and interception gateway - Google Patents


Info

Publication number
WO2008131665A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
interception
label switching
monitoring
gateway
Prior art date
Application number
PCT/CN2008/070539
Other languages
French (fr)
Chinese (zh)
Inventor
Zhuoming Li
Original Assignee
Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2008131665A1

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/30: Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L 63/306: Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information; intercepting packet switched data communications, e.g. Web, Internet or IMS communications

Definitions

  • the present invention relates to the field of communication technologies, and in particular, to a lawful interception method, a communication system, a router, and an interception gateway.
  • Lawful interception refers to the activities of a law enforcement agency in monitoring the communication services of a specific target user within the scope of legal authorization. According to national laws and regulations, all operating communication networks must enable national security agencies, judicial investigation agencies, police and other law enforcement agencies to conduct lawful interception of specific target users, so the carrier's communication network equipment needs to provide an interface for lawful interception.
  • the interception gateway is a function that must be provided, when required, according to national laws and regulations. In some countries, these functions are integrated into the law enforcement agency domain where the monitoring center is located.
  • FIG. 1 is a network structure diagram of an existing lawful interception system.
  • the interception access point (IAP) function is integrated in the ingress router LER1 through which the user accesses the backbone network, and the interception gateway 11 can set the interception target parameters in the IAP of the ingress router LER1, for example the login user name, IP address, protocol type and port number of the monitored target 12.
  • the ingress router LER1 filters all traffic flowing through it. For some specific services, it needs to inspect deep inside the packet. If the filtered data matches the interception target parameters, the ingress router LER1 copies the IP packet, delivers the original IP packet normally, and re-encapsulates the copied IP packet in a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) packet.
  • TCP: Transmission Control Protocol
  • the IP address of the interception gateway 11 is used as the destination address of the re-encapsulated packet. If the traffic is carried on an MPLS network, the ingress router maps the interception data, based on the destination IP address of the re-encapsulated packet, to the forwarding equivalence class whose destination address is the interception gateway 11, and forwards it through the corresponding label switching path to the access router LER2 connected to the interception gateway 11. After receiving the interception data, the access router LER2 sends it to the interception gateway 11 according to its destination address. After receiving the interception data, the interception gateway 11 performs the necessary processing and then transmits the interception data to the interception center 10.
  • UDP: User Datagram Protocol
  • FIG. 2 is a structural diagram of a unit of a conventional label switching router for processing a lawful intercepting portion.
  • the part of the existing label switching router that processes lawful interception data includes a monitoring target management unit 21, a monitoring trigger unit 22, a monitoring copy unit 23, a monitoring processing unit 24 and a sending unit 25.
  • the monitoring target management unit 21 is configured to receive the interception command and set the monitoring target parameters in the monitoring trigger unit 22; the monitoring trigger unit 22 is configured to filter the received data and send the filtered monitoring data to the monitoring copy unit 23;
  • the monitoring copy unit 23 is configured to copy the monitoring data, forward the original monitoring data according to the normal process, and send the copied monitoring data to the monitoring processing unit 24; the monitoring processing unit 24 is configured to encapsulate the monitoring data in a TCP or UDP message with the IP address of the interception gateway as the destination IP address, and send the encapsulated monitoring data to the sending unit 25;
  • the sending unit 25 maps the monitoring data, according to the destination address encapsulated by the monitoring processing unit 24, to the forwarding equivalence class whose destination is the address of the interception gateway, and sends it to the transport network through the label switching path corresponding to that forwarding equivalence class.
  • the ingress router often serves many users, and its data traffic is very large.
  • the filtered interception data needs to be re-encapsulated with the IP address of the interception gateway as its destination address, which is complicated and consumes additional ingress router resources.
  • Embodiments of the present invention provide a lawful interception method, a communication system, a router, and an interception gateway, which can reduce the complexity of the ingress router performing the lawful interception function.
  • An embodiment of the present invention provides a method for lawful interception, including:
  • the border label switching router as the interception access point receives the interception data and obtains a monitor flag corresponding to the interception data;
  • Embodiments of the present invention provide a communication system, the system comprising:
  • a border label switching router serving as an interception access point, configured to receive the monitoring data, obtain a monitoring flag corresponding to the monitoring data, determine the corresponding forwarding equivalence class according to the monitoring flag, and send the monitoring data to the interception gateway through the label switching path corresponding to that forwarding equivalence class; the destination address of the forwarding equivalence class is the interception gateway;
  • the interception gateway is configured to receive the interception data from the label switching path, where the interception data includes the label encapsulated by the last hop label switching router for the interception data.
  • An embodiment of the present invention provides a label switching router, including:
  • a receiving unit configured to receive the interception data;
  • an obtaining unit configured to acquire an interception flag corresponding to the interception data and the forwarding equivalence class corresponding to the interception flag;
  • a sending unit configured to send the interception data through the label switching path corresponding to the forwarding equivalence class determined by the obtaining unit.
  • An embodiment of the present invention provides a monitoring gateway, including:
  • a label switching unit configured to establish a label switching path with the border label switching router;
  • a monitoring data receiving unit configured to receive the monitoring data through the label switching path;
  • a data processing unit configured to process the monitoring data received by the monitoring data receiving unit.
  • Figure 1 is a network architecture diagram of an existing lawful interception system.
  • FIG. 2 is a structural diagram of a unit of a conventional border label switching router processing a lawful interception portion.
  • FIG. 3 is a schematic diagram of networking of a lawful interception system in an embodiment of the present invention.
  • FIG. 4 is a schematic flow chart of a lawful interception method in an embodiment of the present invention.
  • FIG. 5 is a schematic flow chart of a lawful interception method according to another embodiment of the present invention.
  • Figure 6 is a block diagram showing the structure of a router in the embodiment of the present invention.
  • FIG. 7 is a structural diagram of a unit of another router in the embodiment of the present invention.
  • FIG. 8 is a structural diagram of a unit of a monitoring gateway in an embodiment of the present invention.
  • FIG. 9 is a structural diagram of a unit of a listening gateway according to another embodiment of the present invention.
  • MPLS: Multi-Protocol Label Switching
  • the fundamental idea of MPLS is to move routing to the edge of the network and place fast, simple switching devices in the network core, integrating label switching and forwarding with network layer routing so that a packet is routed once and then switched many times.
  • the label switching router groups data flows according to certain policies; such a subset of packets is called a Forwarding Equivalence Class (FEC).
  • FEC: Forwarding Equivalence Class
  • the existing criteria for dividing FECs are generally based on the network layer destination address of the data, and each forwarding equivalence class is assigned a unique label value. This process is called label allocation.
  • the router performs the same processing on packets of the same forwarding equivalence class, for example sending them to the same next hop router; the label switching router distributes the binding between the label value and the forwarding equivalence class to the upstream and downstream label switching routers. This process is called label distribution. Through label distribution, the entire MPLS network establishes interconnected label switched paths.
  • each label switching router maintains two tables: a mapping table between forwarding equivalence classes and labels, and the forwarding table.
  • the simplified format of the forwarding table is:
  • the label switching router retrieves the forwarding table according to the label information carried in the packet header, that is, it looks up the entry in the forwarding table whose incoming label equals the label carried by the packet; after the lookup, the label originally carried in the packet header is popped, the outgoing label corresponding to the incoming label in the forwarding table is pushed into the packet as the new label, and the packet is forwarded to the corresponding output port and sent to the next hop address.
  • the process of popping the original label and pushing in the new label is called label switching. Through this process, every packet is switched to the corresponding output port according to the label it carries.
  • the embodiment of the present invention provides a lawful interception method, communication system, router and interception gateway based on the basic principles of MPLS technology, to reduce the complexity of the ingress router performing lawful interception.
  • FIG. 3 is a schematic diagram of networking of a lawful interception system according to an embodiment of the present invention, where user T is a monitoring target, user C is a communication peer of user T, and LER1 and LER2 are border label switching routers, wherein LER1 is a listening access point.
  • the LIG is a monitoring gateway located at the boundary of the core network (ie, MPLS network), and has a label switching path with LER1 and LER2.
  • LSR1, LSR2 and LSR3 are label switching routers carrying the MPLS network.
  • FIG. 4 is a schematic flowchart of a lawful interception method according to an embodiment of the present invention, which is described in conjunction with FIG. 3.
  • the embodiment of the present invention requires that all the communication traffic of the user T be monitored.
  • the steps of the lawful interception method in this embodiment include:
  • LER1 establishes a forwarding equivalence class whose destination address is LIG, allocates a label for the forwarding equivalence class, and establishes a label switching path corresponding to the forwarding equivalence class by using a label allocation and a label distribution process;
  • LER1 uses a data structure to establish a mapping relationship between the interception flag and the forwarding equivalence class whose destination address is LIG;
  • the interception flag may be a special identifier, and its mapping to the forwarding equivalence class is established by using a two-dimensional or multi-dimensional table;
  • the LIG sends an interception command to the border router LER1, requesting interception of all communication traffic of user T;
  • LER1 receives the interception command and adds the following filtering parameters to the access control list: source IP address equal to the IP address of T with any destination IP address, and destination IP address equal to the IP address of T with any source IP address; it also sets the interception flag in the access control list;
  • LER1 receives the uplink and downlink data, filters the traffic through the access control list to obtain the interception data, and either reads the interception flag corresponding to the interception data directly from the access control list or sends a command message to the unit that manages the access control list, which returns the interception flag; LER1 then copies the interception data: one copy is forwarded according to the normal process, and for the other copy the corresponding forwarding equivalence class is read from the two-dimensional or multi-dimensional table according to the interception flag, or a command message is sent to the unit managing that table, which returns the corresponding forwarding equivalence class;
  • LER1 sends the interception data to the LIG through the label switching path corresponding to the forwarding equivalence class whose destination address is LIG;
  • the LIG receives the interception data, processes it, and distributes it to the monitoring center.
  • the interception flag may also be a pointer to the forwarding equivalence class whose destination address is LIG, so that the forwarding equivalence class pointed to by the pointer can be obtained directly from the interception flag.
  • the ingress router (i.e. the border label switching router) sends the interception data to the lawful interception gateway through the label switching path corresponding to the forwarding equivalence class.
  • This solution simplifies the process of processing the interception data by the ingress router, reduces the burden on the network device for legitimate interception processing, and reduces the complexity of the system.
  • the network device only adds the interception processing flow to the original forwarding processing flow, and the interception processing flow and the standard forwarding processing flow are consistent in their processing actions, so it is no longer necessary to design a special interception triggering and processing part for the network device, and in particular special hardware for the interception function is avoided.
  • FIG. 5 is a schematic flow chart of a lawful interception method according to another embodiment of the present invention, which is described in conjunction with FIG. 3.
  • the embodiment of the present invention requires that all communication traffic of the user T be monitored.
  • the processing of the uplink traffic and the downlink traffic in the embodiment of the present invention is separately described.
  • LER1 establishes a forwarding equivalence class whose destination address is LIG, allocates a label for the forwarding equivalence class, and establishes a label switching path corresponding to the forwarding equivalence class by using a label allocation and a label distribution process;
  • the interception flag may be a special identifier, and its mapping to the forwarding equivalence class is established by using a two-dimensional or multi-dimensional table;
  • the LIG sends an interception command to the border router LER1, requesting interception of all communication traffic of user T;
  • LER1 receives the interception command and, as shown in FIG. 5, adds the following filtering parameters to the access control list: source IP address equal to the IP address of T with any destination IP address, and destination IP address equal to the IP address of T with any source IP address; it also sets the interception flag in the access control list;
  • LER1 receives the uplink data, filters it through the access control list, obtains the interception flag, and, according to the mapping relationship between the interception flag and the forwarding equivalence class whose destination address is LIG, maps the corresponding interception data to the forwarding equivalence class whose destination address is LIG;
  • LER1 sends the interception data to the LIG through the label switching path corresponding to the forwarding equivalence class whose destination address is LIG;
  • the LIG copies the interception data; one copy is sent to LER2 over the label switching path between the LIG and LER2, selected according to the destination address of the interception data, i.e. the IP address of user C, and the other copy is analyzed, processed and distributed to each monitoring center;
  • after receiving the interception data, LER2 sends it to user C according to the destination IP address of the interception data.
  • LER1 establishes a forwarding equivalence class whose destination address is LIG, allocates a label for the forwarding equivalence class, and establishes a label switching path corresponding to the forwarding equivalence class by using a label allocation and label distribution process;
  • LER1 establishes a mapping relationship between the interception flag and the forwarding equivalence class whose destination address is LIG;
  • the LIG sends an interception command to the border router LER1, requesting interception of all communication traffic of user T;
  • LER1 receives the interception command and, as shown in FIG. 5, adds the following filtering parameters to the access control list: source IP address equal to the IP address of T with any destination IP address, and destination IP address equal to the IP address of T with any source IP address; it also sets the interception flag in the access control list;
  • LER1 receives the downlink data, filters it through the access control list, obtains the interception flag, and, according to the mapping relationship between the interception flag and the forwarding equivalence class whose destination address is LIG, maps the corresponding interception data to the forwarding equivalence class whose destination address is LIG;
  • LER1 sends the interception data to the LIG through the label switching path corresponding to the forwarding equivalence class whose destination address is LIG;
  • after receiving the interception data, the LIG copies it and selects the label switching path between the LIG and LER1 according to the destination address of the interception data, i.e. the IP address of user T; the LIG adds a special tag to the interception data sent to LER1 and sends it to LER1, while the other copy is analyzed and distributed to each monitoring center;
  • after receiving the data sent by the LIG, LER1 first detects whether the data carries the special tag. If the special tag is detected, the interception data is sent directly to user T according to its destination IP address.
  • a multi-protocol label switching virtual private network technology can be used to establish a virtual private network between LER1 and the LIG.
  • a multi-protocol label switching virtual private network uses a label stack: the innermost layer of the label stack (i.e. the bottom of the stack) is a label distributed within the scope of the virtual private network, called the bottom label, and the outer layer is a label distributed throughout the network, used for forwarding along the label switching path in the network.
  • the identification information of the virtual private network is carried in the bottom-of-stack label.
  • the special tag added by the LIG to the interception data may be the bottom label of the virtual private network between the LIG and LER1.
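The FIG. 4 and FIG. 5 flows above (ACL entry with interception flag, flag-to-FEC mapping, label push onto the LSP to the LIG, and the special tag that lets LER1 recognise traffic returned by the LIG instead of intercepting it again), together with the label pop/push step of the forwarding table described earlier, as an added Python simulation that is not part of the patent; the router names, user addresses, ACL flag and label values are constructed.

```python
# Added example (not from the patent): the FIG. 5 interception path on a tiny MPLS network.
# Names, addresses, the ACL flag and label values are constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    labels: list = field(default_factory=list)  # MPLS label stack, top of stack last


@dataclass
class AclEntry:
    src: Optional[str]           # None matches any source address
    dst: Optional[str]           # None matches any destination address
    flag: Optional[str] = None   # interception flag stored in the ACL entry


def label_switch(fwd_table: dict, pkt: Packet) -> tuple:
    """One core LSR hop: pop the incoming label, push the outgoing label, choose the port."""
    out_label, port = fwd_table[pkt.labels.pop()]
    pkt.labels.append(out_label)
    return port, pkt


class BorderRouter:
    """LER1, the interception access point: ACL flag -> FEC -> LSP label, no re-encapsulation."""
    def __init__(self, fec_labels: dict, vpn_bottom_label: int):
        self.fec_labels = fec_labels          # FEC name -> label distributed for its LSP
        self.flag_to_fec = {}                 # the patent's interception-flag -> FEC table
        self.acl = []
        self.vpn_bottom_label = vpn_bottom_label
        self.delivered = []                   # packets forwarded on the normal path
        self.sent = []                        # packets pushed onto the LSP to the LIG

    def intercept_command(self, target: str, flag: str, fec: str):
        # Command from the LIG: match both directions of the target and set the flag.
        self.acl.append(AclEntry(target, None, flag))
        self.acl.append(AclEntry(None, target, flag))
        self.flag_to_fec[flag] = fec

    def acl_flag(self, pkt: Packet) -> Optional[str]:
        for e in self.acl:
            if e.src in (None, pkt.src) and e.dst in (None, pkt.dst):
                return e.flag
        return None

    def receive(self, pkt: Packet):
        # Traffic returned by the LIG carries the VPN bottom label: forward it normally
        # without re-filtering, otherwise it would be sent to the LIG again in a loop.
        if pkt.labels and pkt.labels[-1] == self.vpn_bottom_label:
            pkt.labels.pop()
            self.delivered.append(pkt)
            return
        flag = self.acl_flag(pkt)
        if flag is None:
            self.delivered.append(pkt)
            return
        pkt.labels.append(self.fec_labels[self.flag_to_fec[flag]])  # FEC -> LSP label
        self.sent.append(pkt)


class InterceptGateway:
    """LIG: keeps a copy for the monitoring centre and re-injects the traffic."""
    def __init__(self, bottom_label: int, egress_of: dict, lsp_labels: dict):
        self.bottom_label = bottom_label
        self.egress_of = egress_of            # user address -> border router serving it
        self.lsp_labels = lsp_labels          # border router -> label of the LSP towards it
        self.to_center = []
        self.sent = []                        # (egress router, packet)

    def receive(self, pkt: Packet):
        pkt.labels.pop()                      # label of the LSP that delivered it to us
        self.to_center.append(Packet(pkt.src, pkt.dst, pkt.payload))
        egress = self.egress_of[pkt.dst]
        if egress == "LER1":                  # back to the access point: add the special tag
            pkt.labels.append(self.bottom_label)
        pkt.labels.append(self.lsp_labels[egress])
        self.sent.append((egress, pkt))


def run_scenario() -> dict:
    """Uplink T->C, downlink C->T and an unrelated flow through LER1, an LSR, the LIG and LER2."""
    t, c = "10.0.0.7", "192.0.2.9"            # constructed: target user T and its peer C
    ler1 = BorderRouter({"FEC-LIG": 1001}, vpn_bottom_label=7)
    lig = InterceptGateway(7, {t: "LER1", c: "LER2"}, {"LER1": 2001, "LER2": 2002})
    lsr = {1001: (1002, "to-LIG"), 2001: (2003, "to-LER1"), 2002: (2004, "to-LER2")}
    ler2_delivered = []
    ler1.intercept_command(t, "LI-FLAG-1", "FEC-LIG")
    for pkt in (Packet(t, c, b"uplink"), Packet(c, t, b"downlink"), Packet("10.0.0.8", c, b"other")):
        ler1.receive(pkt)
    for pkt in list(ler1.sent):               # LSP LER1 -> LSR -> LIG
        lig.receive(label_switch(lsr, pkt)[1])
    for egress, pkt in lig.sent:              # LSP LIG -> LSR -> egress border router
        pkt = label_switch(lsr, pkt)[1]
        pkt.labels.pop()                      # the egress router pops the LSP label
        (ler1.receive if egress == "LER1" else ler2_delivered.append)(pkt)
    return {"to_center": [p.payload for p in lig.to_center],
            "to_peer": [p.payload for p in ler2_delivered],
            "ler1_normal": [p.payload for p in ler1.delivered],
            "ler1_to_lig": len(ler1.sent)}
```

The returned downlink packet reaches LER1 with only the bottom label left on the stack, which is what stops it from matching the ACL a second time.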
  • the manner of obtaining the monitoring flag and determining the corresponding forwarding equivalence class according to the monitoring flag may refer to the previous embodiment.
  • the interception gateway completes the replication of the target traffic, which further simplifies the interception access point function of the network device.
  • the process of performing lawful interception on the router is basically the same as the process of forwarding normal data traffic and can be integrated into the normal traffic processing process, so that the high-performance dedicated hardware of the router can be used for high-speed processing, eliminating the need to implement complex interception traffic replication and packet delivery processing. This greatly reduces the processing burden of network devices such as routers performing lawful interception and preserves service processing performance.
  • because the border label switching router pre-establishes a label forwarding path to the interception gateway through label distribution, determines a forwarding equivalence class that uses this label forwarding path, and maps the interception flag to that forwarding equivalence class, the interception target traffic is sent onto the label forwarding path and must pass through the interception gateway while being forwarded in the MPLS network. The border router therefore no longer needs a special mechanism to ensure that the interception traffic is reliably delivered to the monitoring center, which further simplifies the lawful interception processing mechanism of the network device and improves the reliability of interception data transmission.
  • the method may be implemented by a program instructing related hardware, and the program may be stored in a computer readable storage medium such as a ROM/RAM, a magnetic disk, an optical disk, or the like.
  • An embodiment of the present invention provides a communication system, including a border label switching router and a monitoring gateway as a listening access point, where
  • a border label switching router serving as an interception access point, configured to receive the monitoring data, obtain a monitoring flag corresponding to the monitoring data, copy the monitoring data, determine the corresponding forwarding equivalence class according to the monitoring flag, where the destination address of the forwarding equivalence class is the interception gateway, send the copied monitoring data to the interception gateway through the label switching path corresponding to the forwarding equivalence class, and forward the original monitoring data according to the normal process; and
  • the interception gateway, configured to receive the monitoring data from the label switching path, where the monitoring data includes the label encapsulated by the last hop label switching router for the intercepted packet, process the monitoring data, and transmit the processed monitoring result to the monitoring center.
  • the border label switching router serving as the interception access point is further configured to establish a forwarding equivalence class whose destination address is the interception gateway, allocate a label for the forwarding equivalence class, establish the label switching path corresponding to the forwarding equivalence class through the label distribution process, and establish a mapping relationship between the interception flag and the forwarding equivalence class whose destination address is the interception gateway.
  • An embodiment of the present invention provides another communication system including a border label switching router and a listening gateway as a listening access point, wherein
  • a border label switching router serving as an interception access point, configured to receive the monitoring data, obtain a monitoring flag corresponding to the monitoring data, determine the corresponding forwarding equivalence class according to the monitoring flag, and send the monitoring data to the interception gateway through the label switching path corresponding to the forwarding equivalence class;
  • an interception gateway, configured to establish a label switching path with the border label switching router and receive the monitoring data from the label switching path, where the monitoring data includes the label encapsulated by the last hop label switching router for the interception data, copy the monitoring data, send one copy of the interception data through the label switching path to the border label switching router corresponding to the destination address of the monitoring data, and process the other copy and send it to the monitoring center; if that border label switching router is the border label switching router serving as the interception access point, the interception gateway is further configured to add a special tag to the interception data it sends.
  • the border label switching router serving as the interception access point is further configured to establish a forwarding equivalence class whose destination address is the interception gateway, assign a label to the forwarding equivalence class, establish the label switching path corresponding to the forwarding equivalence class through the label distribution process, and establish a mapping relationship between the interception flag and the forwarding equivalence class whose destination address is the interception gateway.
  • the border label switching router serving as the interception access point is further configured to detect whether the interception data sent by the interception gateway carries the special tag, and if so, to forward the interception data according to the normal process.
  • the specific implementation of obtaining the interception flag and determining the corresponding forwarding equivalence class according to the interception flag may refer to the above method embodiment.
  • the system of the embodiment of the present invention only needs to include an interception processing flow in the forwarding processing flow of the original network device; the interception processing flow and the standard forwarding processing flow are consistent in their processing actions, so there is no need to design a special interception triggering and processing part for the network device, and in particular no need to design special hardware for the interception function, which reduces the complexity of performing the lawful interception function on the network device.
  • FIG. 6 is a structural diagram of the lawful-interception-related units of a router according to an embodiment of the present invention. As shown in FIG. 6, the router has a label switching function, including:
  • the path establishing unit 61 is configured to establish a forwarding equivalence class whose destination address is a lawful interception gateway, allocate a label for the forwarding equivalence class, and establish a label switching path corresponding to the forwarding equivalence class by using label distribution;
  • the mapping unit 62 is configured to establish a mapping relationship between the interception flag and the forwarding equivalence class whose destination address is a lawful interception gateway;
  • the receiving unit 63 is configured to receive the monitoring data, and send the monitoring data to the copying unit 64;
  • the copying unit 64 is configured to copy the monitoring data, one of which is forwarded according to a normal process, and the other is sent to the sending unit 65;
  • the obtaining unit 66 is configured to obtain a monitoring flag corresponding to the monitoring data, and obtain the forwarding equivalence class corresponding to the monitoring flag according to the monitoring flag and the mapping relationship established by the mapping unit 62, where the destination address of the forwarding equivalence class is the lawful interception gateway;
  • the sending unit 65 is configured to send the interception data according to the label switching path corresponding to the forwarding equivalence class determined by the obtaining unit 66.
  • the specific implementation manners of the obtaining unit 66 and the mapping unit 62 in this embodiment may refer to the description in the method embodiment.
  • the router in the embodiment of the present invention establishes a forwarding equivalence class whose destination address is the lawful interception gateway, the label switching path corresponding to that forwarding equivalence class, and a mapping relationship between the interception flag and the forwarding equivalence class; it sets the interception flag in the access control list and filters the traffic through the access control list, so that the forwarding equivalence class corresponding to the interception flag can be obtained from the interception flag in the access control list, and the interception data is sent to the lawful interception gateway through the label switching path corresponding to that forwarding equivalence class.
  • the overhead of re-encapsulating TCP or UDP packets for the interception data in the prior art is avoided, and the overhead of performing fragmentation on the border label switching router and performing fragment reassembly on the interception gateway is avoided.
  • FIG. 7 is a structural diagram of the lawful-interception-related units of another router in the embodiment of the present invention. As shown in FIG. 6, the router has a label switching function, including:
  • the path establishing unit 71 is configured to establish a forwarding equivalence class whose destination address is a lawful interception gateway, allocate a label for the forwarding equivalence class, and establish a label switching path corresponding to the forwarding equivalence class by using label distribution;
  • the mapping unit 72 is configured to establish a mapping relationship between the interception flag and the forwarding equivalence class whose destination address is a lawful interception gateway;
  • the receiving unit 73 is configured to receive the monitoring data, and send the monitoring data to the sending unit 75.
  • the acquiring unit 76 is configured to acquire the monitoring flag corresponding to the monitoring data, and obtain the monitoring flag according to the monitoring flag and the mapping relationship established by the mapping unit 72.
  • Forwarding equivalence class, the destination address of the forwarding equivalence class is a lawful interception gateway;
  • the sending unit 75 is configured to send the monitoring data according to the label switching path corresponding to the forwarding equivalence class determined by the obtaining unit 76.
  • the receiving unit 73 may further include a special tag detecting module 731 and a forwarding unit 732, and the special tag detecting module 731 is configured to detect whether the intercepting data sent by the legal intercepting gateway has a special tag added by the legal intercepting gateway for the monitoring data, if the monitoring The data detection has the special flag, and the forwarding unit 732 forwards the data according to the normal flow.
  • the special tag detecting module 731 is configured to detect whether the intercepting data sent by the legal intercepting gateway has a special tag added by the legal intercepting gateway for the monitoring data, if the monitoring The data detection has the special flag, and the forwarding unit 732 forwards the data according to the normal flow.
  • FIG. 8 is a structural diagram of the units of an interception gateway according to an embodiment of the present invention. As shown in FIG. 8, the interception gateway includes:
  • a label switching unit 81, configured to establish a forwarding equivalence class to the border label switching router and the label switching path corresponding to that forwarding equivalence class;
  • an interception data receiving unit 82, configured to receive the interception data over the label switching path and send it to the data processing unit 83;
  • a data processing unit 83, configured to process the interception data received by the interception data receiving unit 82.
  • FIG. 9 is a structural diagram of the units of an interception gateway according to another embodiment of the present invention. As shown in FIG. 9, the interception gateway includes:
  • a label switching unit 91, configured to establish a forwarding equivalence class to the border label switching router and the label switching path corresponding to that forwarding equivalence class;
  • an interception data receiving unit 92, configured to receive the interception data over the label switching path;
  • an interception data copying unit 94, configured to copy the interception data received by the interception data receiving unit 92, send one copy to the data processing unit 93 and the other copy to the interception data sending unit 95;
  • a data processing unit 93, configured to process the interception data;
  • an interception data sending unit 95, configured to send the interception data to the border label switching router over the label switching path corresponding to the destination address of the interception data.
  • The interception data sending unit 95 may further include a special tag adding module 951 and a forwarding unit 952. The special tag adding module 951 adds a special tag to the interception data sent to the border label switching router that acts as the interception access point, and the forwarding unit 952 sends the interception data to that border label switching router over the label switching path corresponding to the destination address of the interception data.
  • The interception gateway of this embodiment establishes a label switching path to the border label switching router and receives the interception data over that path, which avoids the prior-art overhead of re-encapsulating the interception data in TCP or UDP packets and of reassembling fragments on the interception gateway.


Abstract

A lawful interception method and communication system thereof, a Label Switching Router and an interception gateway are provided. The lawful interception method includes steps: a boundary Label Switching Router receiving interception data as an interception access point, and obtaining an interception identification corresponding to the interception data; determining the corresponding Forwarding Equivalence Class according to the interception identification, in which the destination address of Forwarding Equivalence Class is the interception gateway; sending the interception data to the interception gateway through label switching path corresponding to the Forwarding Equivalence Class.

Description

Lawful interception method, communication system, router and interception gateway. This application claims priority to Chinese Patent Application No. 200710074168.7, filed with the Chinese Patent Office on April 28, 2007 and entitled "Lawful interception method, communication system, router and interception gateway", the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to the field of communication technologies, and in particular to a lawful interception method, a communication system, a router and an interception gateway.
Background
Lawful interception refers to a law enforcement agency monitoring the communication services of a specific target user within the scope of its legal authorization. National laws and regulations require every operating communication network to allow the monitoring centres of state-authorized law enforcement agencies (national security agencies, judicial investigation agencies, police departments and so on) to lawfully intercept specific target users. The operator's network equipment therefore needs to provide an interface for lawful interception. The interception gateway is a function that must be provided when required by national laws and regulations; in some countries these functions are integrated into the law enforcement agency domain in which the monitoring centre is located.
With the development of data communication networks such as the Internet, and in particular the spread of VoIP (Voice over IP), people communicate in more and more ways that are no longer limited to the traditional circuit-switched network. Besides lawful interception on fixed and mobile telephone networks, national law enforcement agencies increasingly need to perform lawful interception on packet-switched networks such as the Internet.
FIG. 1 shows the network structure of an existing lawful interception system. The interception access point (IAP) function is integrated into the ingress router LER1 through which users access the backbone network. The interception gateway 11 can set interception target parameters in the IAP of the ingress router LER1, for example the login user name, IP address, protocol type and port number of the interception target 12. The ingress router LER1 filters all traffic flowing through it; for some specific services it has to look deep inside the packets to filter them. If the filtered data matches the interception target parameters, the ingress router LER1 makes a copy of the IP packet: the original IP packet is delivered as normal, while the copy is encapsulated in a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) packet whose destination address is the IP address of the interception gateway 11. If the network is carried over an MPLS network, the ingress router maps the interception data, according to the destination IP address of the re-encapsulated packet, to the forwarding equivalence class corresponding to the destination address of the interception gateway 11, and forwards it over the label switching path to the access router LER2 connected to the interception gateway 11. After receiving the interception data, the access router LER2 sends it to the interception gateway 11 according to its destination address. After receiving the interception data, the interception gateway 11 performs the necessary processing and then sends it to the monitoring centre 10.
FIG. 2 is a structural diagram of the units of an existing label switching router that handle lawful interception. The part of an existing label switching router that processes lawful interception data includes an interception target management unit 21, an interception triggering unit 22, an interception copying unit 23, an interception processing unit 24 and a sending unit 25. The interception target management unit 21 receives interception commands and sets the interception target parameters in the interception triggering unit 22. The interception triggering unit 22 filters the received data and sends the filtered interception data to the interception copying unit 23. The interception copying unit 23 copies the interception data, forwards the original according to the normal flow and sends the copy to the interception processing unit 24. The interception processing unit 24 encapsulates the interception data in a TCP or UDP packet with the IP address of the interception gateway as the destination IP address and sends the encapsulated interception data to the sending unit 25. The sending unit 25 maps the interception data, according to the destination address with which the interception processing unit 24 encapsulated it, to the forwarding equivalence class corresponding to the address of the interception gateway, and sends it to the transport network over the label switching path corresponding to that forwarding equivalence class.
In the course of their work the inventors found that this lawful interception method has at least the following problem: an ingress router often serves many users and carries a large volume of traffic, and to perform the lawful interception function it must re-encapsulate the filtered interception data in IP packets addressed to the interception gateway. The processing is complex and consumes considerable ingress router resources.
Summary of the invention
Embodiments of the present invention provide a lawful interception method, a communication system, a router and an interception gateway that reduce the complexity of performing the lawful interception function on the ingress router.
An embodiment of the present invention provides a lawful interception method, comprising:
a border label switching router acting as the interception access point receiving interception data and obtaining the interception flag corresponding to the interception data;
determining the corresponding forwarding equivalence class according to the interception flag, where the destination address of the forwarding equivalence class is the interception gateway;
sending the interception data to the interception gateway over the label switching path corresponding to the forwarding equivalence class.
An embodiment of the present invention provides a communication system, comprising:
a border label switching router acting as the interception access point, configured to receive interception data, obtain the interception flag corresponding to the interception data, determine the corresponding forwarding equivalence class according to the interception flag, and send the interception data over the label switching path corresponding to the forwarding equivalence class to the interception gateway, where the destination address of the forwarding equivalence class is the interception gateway; and
an interception gateway, configured to receive the interception data from the label switching path, the interception data carrying the label that the previous-hop label switching router pushed onto it.
An embodiment of the present invention provides a label switching router, comprising:
a receiving unit, configured to receive interception data;
an obtaining unit, configured to obtain the interception flag corresponding to the interception data and the forwarding equivalence class corresponding to the interception flag; and
a sending unit, configured to send the interception data over the label switching path corresponding to the forwarding equivalence class determined by the obtaining unit.
An embodiment of the present invention provides an interception gateway, comprising:
a label switching unit, configured to establish a label switching path with the border label switching router; an interception data receiving unit, configured to receive interception data over the label switching path; and a data processing unit, configured to process the interception data received by the interception data receiving unit.
Brief description of the drawings
FIG. 1 is a network architecture diagram of an existing lawful interception system.
FIG. 2 is a structural diagram of the units of an existing border label switching router that handle lawful interception. FIG. 3 is a schematic diagram of the networking of the lawful interception system in an embodiment of the present invention.
FIG. 4 is a schematic flow chart of the lawful interception method in an embodiment of the present invention.
FIG. 5 is a schematic flow chart of the lawful interception method in another embodiment of the present invention.
FIG. 6 is a structural diagram of the units of a router in an embodiment of the present invention.
FIG. 7 is a structural diagram of the units of another router in an embodiment of the present invention.
FIG. 8 is a structural diagram of the units of an interception gateway in an embodiment of the present invention.
FIG. 9 is a structural diagram of the units of an interception gateway in another embodiment of the present invention.
Detailed description
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings and specific embodiments.
Multi-Protocol Label Switching (MPLS) is a data communication technology that has developed rapidly in recent years. MPLS provides broadband high-speed switching for the network layer and greatly improves the transmission performance and bandwidth of the network. The fundamental idea of MPLS is to move routing to the edge of the network and place fast, simple switching devices in the network core, integrating the basic technique of forwarding data by label switching with network layer routing, so that a connection request is routed once and switched many times.
The basic principles of MPLS are as follows:
A Label Switching Router (LSR) groups data flows according to certain policies; such a subset of packets is called a Forwarding Equivalence Class (FEC). The existing criterion for dividing FECs is generally the network layer destination address of the data. Each forwarding equivalence class is assigned a unique label value; this process is called label allocation. The router processes packets of the same forwarding equivalence class in the same way, for example by forwarding them to the same next-hop router. A label switching router distributes the binding between the label value and the forwarding equivalence class to the upstream and downstream label switching routers; this process is called label distribution. Through label distribution the whole MPLS network builds interconnected label switching paths.
Each label switching router maintains two tables: one maps forwarding equivalence classes to labels, and the other is the forwarding table. The simplified format of the forwarding table is:
[Figure imgf000006_0001: simplified forwarding table, one row per label, with columns for the ingress label, the egress label, the output port and the next-hop address]
When a labelled packet enters a label switching router, the router looks up the forwarding table using the label carried in the packet header, that is, it finds the entry whose ingress label equals the label carried by the packet. It then pops the label the packet carried, pushes the egress label of that entry onto the packet as the new label, and forwards the packet out of the corresponding output port to the next-hop address. Popping the original label and pushing the new one is called label swapping; through this process the whole packet is switched to the corresponding output port according to its label.
Based on these basic principles of MPLS, embodiments of the present invention provide a lawful interception method, a communication system, a router and an interception gateway that reduce the complexity of performing the lawful interception function on the ingress router.
FIG. 3 is a schematic diagram of the networking of the lawful interception system in an embodiment of the present invention. User T is the interception target and user C is the communication peer of user T. LER1 and LER2 are border label switching routers, LER1 acting as the interception access point. LIG is the interception gateway; it sits at the edge of the core network (the MPLS network) and has label switching paths established with LER1 and LER2. LSR1, LSR2 and LSR3 are the label switching routers carrying the MPLS network.
FIG. 4 is a schematic flow chart of the lawful interception method in an embodiment of the present invention, described with reference to FIG. 3. The embodiment requires all communication traffic of user T to be intercepted. The steps of the lawful interception method in this embodiment are:
S11. LER1 establishes a forwarding equivalence class whose destination address is the LIG, allocates a label for the forwarding equivalence class, and establishes the label switching path corresponding to the forwarding equivalence class through the label allocation and label distribution processes;
S12. LER1 uses a data structure to establish a mapping between the interception flag and the forwarding equivalence class whose destination address is the LIG; the interception flag may be a special identifier that is mapped to the forwarding equivalence class through a two-dimensional or multi-dimensional table;
S13. The LIG sends an interception command to the border router LER1 requesting interception of all communication traffic of user T;
S14. On receiving the interception command, LER1 adds to the access control list filter parameters matching source IP address = T's IP address with any destination IP address, and destination IP address = T's IP address with any source IP address, and sets the interception flag in the access control list;
S15. LER1 receives uplink and downlink data and filters the traffic passing through it with the access control list. When interception data is filtered out, LER1 reads the interception flag corresponding to the interception data directly from the access control list, or sends a command message to the unit managing the access control list, which returns the interception flag. LER1 copies the interception data: one copy is forwarded according to the normal flow, and for the other the corresponding forwarding equivalence class is read from the two-dimensional or multi-dimensional table according to the interception flag, or a command is sent to the unit managing that table, which returns the corresponding forwarding equivalence class;
S16. LER1 sends the interception data to the LIG over the label switching path corresponding to the forwarding equivalence class whose destination address is the LIG;
S17. The LIG receives the interception data, processes it and distributes it to the monitoring centre. In the above steps the interception flag may also be a pointer to the forwarding equivalence class whose destination address is the LIG, so that the forwarding equivalence class whose destination address is the LIG is obtained directly from the pointer.
In the technical solution of this embodiment, the ingress router (the border label switching router) establishes a forwarding equivalence class whose destination address is the lawful interception gateway, the label switching path corresponding to that forwarding equivalence class, and the mapping between the interception flag and the forwarding equivalence class; it sets the interception flag in the access control list and filters the traffic passing through it with the access control list. It can therefore obtain the forwarding equivalence class corresponding to the interception flag from the flag in the access control list and send the interception data to the lawful interception gateway over the label switching path corresponding to that forwarding equivalence class. This simplifies the processing of interception data on the ingress router, reduces the burden that lawful interception places on the network device and lowers system complexity. The network device only adds an interception processing flow to its original forwarding flow, and since the interception processing flow performs the same actions as the standard forwarding flow, no dedicated interception triggering and processing parts need to be designed for the network device; in particular, no dedicated hardware needs to be designed for the interception function.
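The following simulation is an added illustration of steps S11 to S17 and of the FIG. 6 router units above; it is not code from the patent or from Huawei. It models LER1 as an ingress LSR whose access control list carries the interception flag, whose two-dimensional table maps that flag to the FEC whose destination is the LIG, and whose label allocation maps each FEC to a label. The original packet follows its ordinary destination FEC, the copy is simply pushed onto the LIG's LSP with no TCP/UDP re-encapsulation, and a transit LSR then performs the label swap described in the MPLS background. All addresses, labels, port names and the flag name "LI-T" are constructed assumptions for the example.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Tuple

# Constructed values for the simulation (assumptions, not values from the patent).
T_ADDR, C_ADDR, LIG_ADDR = "10.0.0.1", "10.0.0.2", "192.0.2.1"
LIG_LABEL, C_LABEL = 1001, 2002   # labels LER1 allocated for the FEC to the LIG and the FEC to C


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    labels: List[int] = field(default_factory=list)   # label stack, labels[0] is the top label


@dataclass
class AclEntry:
    src: Optional[str]              # None matches any source address
    dst: Optional[str]              # None matches any destination address
    intercept_flag: Optional[str]   # flag set by the interception command (step S14); None = plain entry

    def matches(self, pkt: Packet) -> bool:
        return self.src in (None, pkt.src) and self.dst in (None, pkt.dst)


class BorderLsr:
    """LER1 of FIG. 3: ingress LSR acting as the interception access point."""

    def __init__(self) -> None:
        self.acl: List[AclEntry] = []
        self.fec_to_label: Dict[str, int] = {}   # label allocation (step S11)
        self.flag_to_fec: Dict[str, str] = {}    # interception flag -> FEC table (step S12)
        self.dst_to_fec: Dict[str, str] = {}     # ordinary destination-based FEC classification

    def provision_li_path(self, flag: str) -> None:
        """Steps S11/S12: FEC + label for the LSP to the LIG, and the flag -> FEC mapping."""
        self.fec_to_label["FEC:LIG"] = LIG_LABEL
        self.flag_to_fec[flag] = "FEC:LIG"

    def apply_intercept_command(self, target: str, flag: str) -> None:
        """Steps S13/S14: the LIG's command becomes two ACL entries carrying the flag."""
        self.acl.append(AclEntry(src=target, dst=None, intercept_flag=flag))
        self.acl.append(AclEntry(src=None, dst=target, intercept_flag=flag))

    def forward(self, pkt: Packet) -> List[Packet]:
        """Steps S15/S16: filter, read the flag, map flag -> FEC -> label, push the copy."""
        out = [replace(pkt, labels=[self.fec_to_label[self.dst_to_fec[pkt.dst]]] + pkt.labels)]
        flag = next((e.intercept_flag for e in self.acl if e.matches(pkt) and e.intercept_flag), None)
        if flag is not None:
            li_label = self.fec_to_label[self.flag_to_fec[flag]]   # two table lookups, no re-encapsulation
            out.append(replace(pkt, labels=[li_label] + pkt.labels))   # IP header of the copy is untouched
        return out


class CoreLsr:
    """A transit LSR: pop the incoming label, push the egress label from its forwarding table."""

    def __init__(self, table: Dict[int, Tuple[int, str, str]]) -> None:
        self.table = table   # ingress label -> (egress label, output port, next hop)

    def swap(self, pkt: Packet) -> Tuple[Packet, str, str]:
        out_label, port, next_hop = self.table[pkt.labels[0]]
        return replace(pkt, labels=[out_label] + pkt.labels[1:]), port, next_hop


def build_ler1() -> BorderLsr:
    ler1 = BorderLsr()
    ler1.dst_to_fec[C_ADDR] = "FEC:C"
    ler1.fec_to_label["FEC:C"] = C_LABEL
    ler1.provision_li_path(flag="LI-T")
    ler1.apply_intercept_command(target=T_ADDR, flag="LI-T")
    return ler1


def run_demo() -> List[Tuple[Packet, str, str]]:
    """Uplink packet from T to C: LER1 emits the original plus the labelled copy, LSR1 swaps both."""
    ler1 = build_ler1()
    lsr1 = CoreLsr({LIG_LABEL: (3001, "ge0/1", "LSR3"), C_LABEL: (3002, "ge0/2", "LSR2")})
    return [lsr1.swap(p) for p in ler1.forward(Packet(src=T_ADDR, dst=C_ADDR, payload=b"hello"))]


if __name__ == "__main__":
    for pkt, port, hop in run_demo():
        print(pkt.labels, port, hop, pkt.src, "->", pkt.dst)
```

The point a practitioner should take from it is how little work the ingress does per intercepted packet: an ACL hit yields a flag, the flag indexes the FEC table, and the FEC indexes the label; the copy's IP header is never rewritten, so there is nothing for the LIG to de-encapsulate or reassemble.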
FIG. 5 is a schematic flow chart of the lawful interception method in another embodiment of the present invention, described with reference to FIG. 3. This embodiment requires all communication traffic of user T to be intercepted; the processing of uplink traffic and of downlink traffic is described separately.
The specific steps of the lawful interception method of this embodiment for uplink traffic are:
S21. LER1 establishes a forwarding equivalence class whose destination address is the LIG, allocates a label for the forwarding equivalence class, and establishes the label switching path corresponding to the forwarding equivalence class through the label allocation and label distribution processes;
S22. A data structure is used to establish a mapping between the interception flag and the forwarding equivalence class whose destination address is the LIG; the interception flag may be a special identifier that is mapped to the forwarding equivalence class through a two-dimensional or multi-dimensional table;
S23. The LIG sends an interception command to the border router LER1 requesting interception of all communication traffic of user T;
S24. On receiving the interception command, as shown in FIG. 5, LER1 adds to the access control list filter parameters matching source IP address = T's IP address with any destination IP address, and destination IP address = T's IP address with any source IP address, and sets the interception flag in the access control list;
S25. LER1 receives uplink data and filters it with the access control list to obtain the interception flag. Using the mapping between the interception flag and the forwarding equivalence class whose destination address is the LIG, it maps the filtered interception data corresponding to the flag into the forwarding equivalence class whose destination address is the LIG;
S26. LER1 sends the interception data to the LIG over the label switching path corresponding to the forwarding equivalence class whose destination address is the LIG;
S27. After receiving the interception data, the LIG copies it. One copy is sent to LER2 over the label switching path between the LIG and LER2, selected according to the destination address of the interception data, i.e. the IP address of user C; the other copy is analysed and processed and distributed to the monitoring centres.
After receiving the interception data, LER2 sends it to user C according to its destination IP address.
The steps of the lawful interception method of this embodiment for handling downlink traffic are:
1. LER1 establishes a forwarding equivalence class whose destination address is the LIG, allocates a label to that forwarding equivalence class, and establishes the label switched path corresponding to the forwarding equivalence class through the label allocation and label distribution process;
2. LER1 establishes a mapping between the interception flag and the forwarding equivalence class whose destination address is the LIG;
3. The LIG sends an interception command to the edge router LER1, requesting interception of all communication traffic of user T;
4. On receiving the interception command, LER1, as shown in FIG. 5, adds two filter entries to the access control list, one matching source IP address = T's IP address with any destination IP address and one matching destination IP address = T's IP address with any source IP address, and sets the interception flag on those access control list entries;
5. LER1 receives downlink data, filters it through the access control list and obtains the interception flag; using the mapping between the interception flag and the forwarding equivalence class whose destination address is the LIG, it maps the filtered interception data corresponding to that flag into the forwarding equivalence class whose destination address is the LIG;
6. LER1 sends the interception data to the LIG over the label switched path corresponding to the forwarding equivalence class whose destination address is the LIG;
7. After receiving the interception data, the LIG copies it: for one copy it selects the label switched path between the LIG and LER1 according to the destination address of the interception data, i.e. the IP address of user T, adds a special label to the interception data to be sent to LER1, and sends it to LER1; the other copy is analysed and processed and then distributed to the monitoring centres;
8. After LER1 receives data from the LIG, it first checks whether the data carries the special label; if the special label is detected, it sends the interception data directly to user T according to the destination IP address of the interception data.
More specifically, multiprotocol label switching virtual private network (MPLS VPN) technology can be used to establish a virtual private network between LER1 and the LIG. An MPLS VPN uses a label stack: the innermost label (the bottom of the stack) is a label distributed within the scope of the virtual private network and is called the bottom-of-stack label; the outer label is distributed network-wide and is used to forward the packet along the label switched path through the network. The bottom-of-stack label carries the identification information of the virtual private network. In step 7 above, the special label that the LIG adds to the interception data can therefore be the bottom-of-stack label of the virtual private network between the LIG and LER1.
In this embodiment, obtaining the interception flag and determining the corresponding forwarding equivalence class from the interception flag can be implemented as in the previous embodiment.
In this embodiment, the intercepted target traffic is diverted to the interception gateway, and the interception gateway performs the copying of the target traffic, which further simplifies the interception-access-point function of the network device. Although this adds interaction between the router serving as the interception access point and the interception gateway, the processing the router performs for lawful interception is essentially the same as that for forwarding ordinary data traffic and can be fully integrated into ordinary traffic processing. The router can therefore exploit its high-performance dedicated hardware for high-speed processing and no longer needs a dedicated implementation of the complex copying, encapsulation and delivery of intercepted traffic. This greatly reduces the processing burden that lawful interception places on routers and other network devices and preserves service processing performance.
The label edge router establishes the label forwarding path to the interception gateway in advance through label distribution and determines the forwarding equivalence class that uses that label forwarding path. Because the label edge router maps the interception flag to that forwarding equivalence class, the target traffic is sent onto that label forwarding path and necessarily passes through the interception gateway while being forwarded within the MPLS network. The edge router therefore no longer needs a dedicated mechanism to guarantee reliable delivery of the intercepted traffic to the monitoring centre, which further simplifies the lawful interception processing of the network device and improves the reliability of interception data transmission.
Those of ordinary skill in the art will understand that all or part of the steps of the methods in the above embodiments can be performed by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc.
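The downlink procedure (steps 1 to 8 above) and the router and gateway units described later in this document all implement one pipeline: an access control list match yields the interception flag, the flag maps to a forwarding equivalence class whose destination is the LIG, that class maps to an LSP label, and the LIG returns its copy with the VPN bottom-of-stack label so that the access point forwards it normally instead of diverting it again. The following Python simulation is an added example, not code from the patent or from its assignee; every address, label value, class and function name in it is constructed for illustration, and the shim-header layout follows RFC 3032. It also runs the return path without the special label to show why step 8 matters: without it, the returned copy matches the access control list again and is diverted a second time, a forwarding loop between LER1 and the LIG.

```python
import struct
from dataclasses import dataclass, field

# All addresses and label values below are constructed for this example.
LIG_ADDR = "10.0.0.100"     # interception gateway (LIG)
LABEL_TO_LIG = 1001         # outer label LER1 pushes on the LSP toward the LIG
LABEL_TO_LER1 = 2001        # outer label the LIG pushes on the LSP toward LER1
VPN_BOS_LABEL = 3001        # bottom-of-stack label of the LER1<->LIG VPN: the "special label"
TARGET_IP = "192.0.2.7"     # intercept target T, attached to LER1
INTERCEPT_FLAG = 1          # interception flag set on the ACL entries for T


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    labels: list = field(default_factory=list)  # MPLS label stack, outermost first


def encode_label_stack(labels, ttl=64):
    """RFC 3032 shim entries: 20-bit label, 3-bit TC, S bit (bottom of stack), 8-bit TTL."""
    out = []
    for i, label in enumerate(labels):
        bos = 1 if i == len(labels) - 1 else 0
        out.append(struct.pack("!I", ((label & 0xFFFFF) << 12) | (bos << 8) | (ttl & 0xFF)))
    return b"".join(out)


def decode_label_stack(wire):
    """Read shim entries until the S bit is set; return (labels, remaining bytes)."""
    labels, off = [], 0
    while True:
        (entry,) = struct.unpack_from("!I", wire, off)
        off += 4
        labels.append(entry >> 12)
        if (entry >> 8) & 1:
            return labels, wire[off:]


class LER:
    """Label edge router acting as the interception access point (LER1 in the text)."""

    def __init__(self):
        self.acl = []                                    # (src or None, dst or None, flag)
        self.flag_to_fec = {INTERCEPT_FLAG: LIG_ADDR}    # step 2: flag -> FEC (destination LIG)
        self.fec_to_label = {LIG_ADDR: LABEL_TO_LIG}     # step 1: FEC -> LSP label
        self.delivered = []     # packets forwarded on the normal path to the attached user
        self.diverted = []      # labelled packets pushed onto the LSP toward the LIG

    def install_intercept(self, target_ip, flag):
        # step 4: filter entries for both directions of the target's traffic carry the flag
        self.acl.append((target_ip, None, flag))
        self.acl.append((None, target_ip, flag))

    def classify(self, pkt):
        for src, dst, flag in self.acl:
            if (src is None or src == pkt.src) and (dst is None or dst == pkt.dst):
                return flag
        return None

    def receive(self, pkt):
        if pkt.labels and pkt.labels[0] == LABEL_TO_LER1:
            pkt.labels = pkt.labels[1:]          # LSP egress from the LIG: pop the outer label
        # step 8: the VPN bottom-of-stack label marks a copy the LIG has already handled;
        # forward it normally instead of running it through the ACL a second time
        if pkt.labels and pkt.labels[-1] == VPN_BOS_LABEL:
            self.delivered.append(Packet(pkt.src, pkt.dst, pkt.payload))
            return "forwarded-from-lig"
        flag = self.classify(pkt)                # step 5: the ACL lookup yields the flag
        if flag is None:
            self.delivered.append(pkt)
            return "forwarded"
        label = self.fec_to_label[self.flag_to_fec[flag]]   # flag -> FEC -> LSP label
        self.diverted.append(Packet(pkt.src, pkt.dst, pkt.payload, [label]))  # step 6
        return "diverted"


class LIG:
    """Interception gateway: one copy to the monitoring centre, one back toward
    the real destination, marked with the VPN bottom-of-stack label (step 7)."""

    def __init__(self):
        self.monitoring_center = []
        self.returned = []

    def receive(self, pkt, add_special_label):
        labels, _ = decode_label_stack(encode_label_stack(pkt.labels))  # as seen on the wire
        if labels[0] != LABEL_TO_LIG:
            raise ValueError("packet did not arrive on the LSP toward the LIG")
        self.monitoring_center.append(Packet(pkt.src, pkt.dst, pkt.payload))
        stack = [LABEL_TO_LER1] + ([VPN_BOS_LABEL] if add_special_label else [])
        self.returned.append(Packet(pkt.src, pkt.dst, pkt.payload, stack))


def run_downlink(add_special_label=True):
    """A downlink packet for T reaches LER1; returns LER1's decisions and the copy counts."""
    ler1, lig = LER(), LIG()
    ler1.install_intercept(TARGET_IP, INTERCEPT_FLAG)       # steps 3 and 4
    pkt = Packet("198.51.100.9", TARGET_IP, b"constructed payload")
    decisions = [ler1.receive(pkt)]
    for p in list(ler1.diverted):
        lig.receive(p, add_special_label)
    for p in lig.returned:
        decisions.append(ler1.receive(p))
    return decisions, len(ler1.delivered), len(lig.monitoring_center)


if __name__ == "__main__":
    print(run_downlink(True))    # (['diverted', 'forwarded-from-lig'], 1, 1)
    print(run_downlink(False))   # (['diverted', 'diverted'], 0, 1): the loop step 8 prevents
```

With the special label present, the returned copy is delivered to T and the monitoring centre holds exactly one copy; without it, LER1 classifies the returned packet as target traffic again and pushes it back toward the LIG, which is the loop the bottom-of-stack check exists to break.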
An embodiment of the present invention provides a communication system comprising a label edge router serving as the interception access point and an interception gateway, wherein:
the label edge router serving as the interception access point is configured to receive interception data, obtain the interception flag corresponding to the interception data and copy the interception data; determine the corresponding forwarding equivalence class from the interception flag, the destination address of the forwarding equivalence class being the interception gateway; send the copied interception data to the interception gateway over the label switched path corresponding to the forwarding equivalence class, and forward the original interception data according to the normal process;
the interception gateway is configured to receive the interception data from the label switched path, the interception data carrying the label that the previous-hop label switching router encapsulated onto it, process the interception data, and send the processed interception result to the monitoring centre.
The label edge router serving as the interception access point is further configured to establish a forwarding equivalence class whose destination address is the interception gateway, allocate a label to the forwarding equivalence class, establish the corresponding label switched path through the label distribution process, and establish the mapping between the interception flag and the forwarding equivalence class whose destination address is the interception gateway.
An embodiment of the present invention provides another communication system comprising a label edge router serving as the interception access point and an interception gateway, wherein:
the label edge router serving as the interception access point is configured to receive interception data, obtain the interception flag corresponding to the interception data, determine the corresponding forwarding equivalence class from the interception flag, and send the interception data to the interception gateway over the label switched path corresponding to the forwarding equivalence class;
the interception gateway is configured to establish the label switched path to the label edge router and receive the interception data from it, the interception data carrying the label that the previous-hop label switching router encapsulated onto it; copy the interception data; send one copy to the label edge router over the label switched path corresponding to the destination address of the interception data, and send the other copy, after processing, to the monitoring centre; if that label edge router is the one serving as the interception access point, the interception gateway is further configured to add a special label to the interception data it sends.
The label edge router serving as the interception access point is further configured to establish a forwarding equivalence class whose destination address is the interception gateway, allocate a label to the forwarding equivalence class, establish the corresponding label switched path through the label distribution process, and establish the mapping between the interception flag and the forwarding equivalence class whose destination address is the interception gateway.
The label edge router serving as the interception access point is further configured to detect whether the interception data sent by the interception gateway carries the special label and, if it does, forward the interception data according to the normal process.
In the above two embodiments, the specific implementation of obtaining the interception flag and determining the corresponding forwarding equivalence class from it can be as in the method embodiments above.
With the system of the embodiments of the present invention, only an interception processing flow needs to be added to the forwarding processing flow of the existing network device, and the interception processing flow and the standard forwarding processing flow are identical in their processing actions. No dedicated interception trigger and processing part needs to be designed for the network device, and in particular no dedicated hardware part for the interception function, which reduces the complexity of performing lawful interception on the network device.
FIG. 6 is a unit structure diagram of the lawful-interception-related parts of a router according to an embodiment of the present invention. As shown in FIG. 6, the router has a label switching function and comprises:
a path establishing unit 61, configured to establish a forwarding equivalence class whose destination address is the lawful interception gateway, allocate a label to the forwarding equivalence class, and establish the corresponding label switched path through label distribution;
a mapping unit 62, configured to establish the mapping between the interception flag and the forwarding equivalence class whose destination address is the lawful interception gateway;
a receiving unit 63, configured to receive interception data and pass it to the copying unit 64;
a copying unit 64, configured to copy the interception data, forwarding one copy according to the normal process and passing the other to the sending unit 65;
an obtaining unit 66, configured to obtain the interception flag corresponding to the interception data and, from the interception flag and the mapping established by the mapping unit, obtain the forwarding equivalence class corresponding to the interception flag, the destination address of the forwarding equivalence class being the lawful interception gateway;
a sending unit 65, configured to send the interception data over the label switched path corresponding to the forwarding equivalence class determined by the obtaining unit 66.
In this embodiment, the specific implementation of the obtaining unit 66 and the mapping unit 62 can be as described in the method embodiments.
The router of the embodiment of the present invention establishes a forwarding equivalence class whose destination address is the lawful interception gateway, the label switched path corresponding to that forwarding equivalence class, and the mapping between the interception flag and the forwarding equivalence class; it sets the interception flag in the access control list and filters the traffic passing through it with the access control list, so that the forwarding equivalence class corresponding to the interception flag can be obtained from the interception flag in the access control list and the interception data can be sent to the lawful interception gateway over the label switched path corresponding to that forwarding equivalence class. This avoids the overhead of re-encapsulating the interception data in TCP or UDP packets in the prior art, and avoids the overhead of fragmenting on the label edge router and reassembling the fragments on the interception gateway.
FIG. 7 is a unit structure diagram of the lawful-interception-related parts of another router according to an embodiment of the present invention. As shown in FIG. 6, the router has a label switching function and comprises:
a path establishing unit 71, configured to establish a forwarding equivalence class whose destination address is the lawful interception gateway, allocate a label to the forwarding equivalence class, and establish the corresponding label switched path through label distribution;
a mapping unit 72, configured to establish the mapping between the interception flag and the forwarding equivalence class whose destination address is the lawful interception gateway;
a receiving unit 73, configured to receive interception data and pass it to the sending unit 75;
an obtaining unit 76, configured to obtain the interception flag corresponding to the interception data and, from the interception flag and the mapping established by the mapping unit 72, obtain the forwarding equivalence class corresponding to the interception flag, the destination address of the forwarding equivalence class being the lawful interception gateway;
a sending unit 75, configured to send the interception data over the label switched path corresponding to the forwarding equivalence class determined by the obtaining unit 76.
The receiving unit 73 may further comprise a special label detecting module 731 and a forwarding unit 732. The special label detecting module 731 is configured to detect whether the interception data sent by the lawful interception gateway carries the special label that the lawful interception gateway adds to the interception data; if the special label is detected on the interception data, the forwarding unit 732 forwards the data according to the normal process. … the description in the method embodiments.
FIG. 8 is a unit structure diagram of an interception gateway according to an embodiment of the present invention. As shown in FIG. 8, the interception gateway comprises:
a label switching unit 81, configured to establish the forwarding equivalence class to the label edge router and the label switched path corresponding to that forwarding equivalence class;
an interception data receiving unit 82, configured to receive interception data over the label switched path and pass it to the data processing unit 83;
a data processing unit 83, configured to process the interception data received by the interception data receiving unit 82.
FIG. 9 is a unit structure diagram of an interception gateway according to another embodiment of the present invention. As shown in FIG. 9, the interception gateway comprises:
a label switching unit 91, configured to establish the forwarding equivalence class to the label edge router and the label switched path corresponding to that forwarding equivalence class;
an interception data receiving unit 92, configured to receive interception data over the label switched path;
an interception data copying unit 94, configured to copy the interception data received by the interception data receiving unit 92, passing one copy to the data processing unit 93 and the other to the interception data sending unit 95;
a data processing unit 93, configured to process the interception data;
an interception data sending unit 95, configured to send the interception data to the label edge router over the label switched path corresponding to the destination address of the interception data.
The interception data sending unit 95 may further comprise a special label adding module 951 and a forwarding unit 952. The special label adding module 951 is configured to add the special label to interception data sent to the label edge router serving as the interception access point, and the forwarding unit 952 is configured to send the interception data to the label edge router over the label switched path corresponding to the destination address of the interception data.
The interception gateway of the embodiment of the present invention establishes the label switched path to the label edge router and receives the interception data from that label switched path, which avoids the overhead of re-encapsulating the interception data in TCP or UDP packets in the prior art and the overhead of reassembling fragments on the interception gateway.
In summary, the above are only preferred embodiments of the technical solution of the present invention and are not intended to limit the scope of protection of the present invention. Any modification, equivalent replacement, improvement and so on made within the spirit and principles of the present invention shall be included in the scope of protection of the present invention.

Claims

Claims
1. A lawful interception method, characterised in that it comprises:
a label edge router serving as an interception access point receiving interception data and obtaining an interception flag corresponding to the interception data;
determining a corresponding forwarding equivalence class from the interception flag, the destination address of the forwarding equivalence class being an interception gateway;
sending the interception data to the interception gateway over a label switched path corresponding to the forwarding equivalence class.
2. The lawful interception method according to claim 1, characterised in that the method further comprises:
establishing in advance the forwarding equivalence class whose destination address is the interception gateway and the label switched path corresponding to the forwarding equivalence class.
3. The lawful interception method according to claim 1 or 2, characterised in that the method further comprises:
establishing in advance the mapping between the interception flag and the forwarding equivalence class.
4. The lawful interception method according to claim 1, characterised in that the interception flag corresponding to the interception data is obtained through an access control list.
5. The lawful interception method according to claim 1, characterised in that the method further comprises:
the interception gateway, after receiving the interception data, copying the interception data;
sending one copy of the interception data to a label edge router over the label switched path corresponding to the destination address of the interception data, and sending the other copy, after processing, to a monitoring centre.
6. The lawful interception method according to claim 5, characterised in that the label edge router is the label edge router serving as the interception access point, and the method further comprises:
the interception gateway adding a special label to the copy of the interception data before sending it to the label edge router serving as the interception access point;
the label edge router serving as the interception access point, after receiving the interception data carrying the special label, forwarding the interception data according to the normal process.
7. The lawful interception method according to claim 6, characterised in that the special label is the bottom-of-stack label of a virtual private network between the interception gateway and the label edge router serving as the interception access point.
8. A communication system, characterised in that the system comprises:
a label edge router serving as an interception access point, configured to receive interception data and send the interception data to an interception gateway over a label switched path, the label edge router comprising:
a receiving unit, configured to receive the interception data;
an obtaining unit, configured to obtain the interception flag corresponding to the interception data and the forwarding equivalence class corresponding to the interception flag;
a sending unit, configured to send the interception data over the label switched path corresponding to the forwarding equivalence class determined by the obtaining unit;
and an interception gateway, configured to receive the interception data from the label switched path.
9. The communication system according to claim 10, characterised in that the label edge router further comprises:
a path establishing unit, configured to establish the forwarding equivalence class whose destination address is the interception gateway and the label switched path corresponding to the forwarding equivalence class;
a mapping unit, configured to establish the mapping between the interception flag and the forwarding equivalence class whose destination address is the interception gateway.
10. The communication system according to claim 8 or 9, characterised in that the interception gateway comprises:
a label switching unit, configured to establish a label switched path with the label edge router;
an interception data receiving unit, configured to receive interception data over the label switched path;
a data processing unit, configured to process the interception data received by the interception data receiving unit.
11. A label switching router, characterised in that it comprises:
a receiving unit, configured to receive interception data;
an obtaining unit, configured to obtain the interception flag corresponding to the interception data and the forwarding equivalence class corresponding to the interception flag;
a sending unit, configured to send the interception data over the label switched path corresponding to the forwarding equivalence class determined by the obtaining unit.
12. The label switching router according to claim 11, characterised in that it further comprises:
a path establishing unit, configured to establish the forwarding equivalence class whose destination address is the interception gateway and the label switched path corresponding to the forwarding equivalence class.
13. The label switching router according to claim 12, characterised in that it further comprises:
a mapping unit, configured to establish the mapping between the interception flag and the forwarding equivalence class whose destination address is the interception gateway.
14. The label switching router according to claim 11, characterised in that the receiving unit comprises:
a special label detecting module, configured to detect whether the interception data received by the receiving unit carries a special label;
a forwarding unit, configured to forward the interception data according to the normal process when the special label detecting module detects that the interception data carries the special label.
15. An interception gateway, characterised in that it comprises:
a label switching unit, configured to establish a label switched path with the label edge router;
an interception data receiving unit, configured to receive interception data over the label switched path;
a data processing unit, configured to process the interception data received by the interception data receiving unit.
16. The interception gateway according to claim 15, characterised in that it further comprises:
an interception data sending unit, configured to send the interception data over the label switched path corresponding to the destination address of the interception data.
17. The interception gateway according to claim 16, characterised in that it further comprises:
an interception data copying unit, configured to copy the interception data received by the interception data receiving unit, send one copy to the interception data sending unit and send the other copy to the data processing unit.
18. The interception gateway according to claim 17, characterised in that the interception data sending unit comprises:
a special label adding module, configured to add a special label to interception data sent to a label edge router serving as an interception access point;
a forwarding unit, configured to send the interception data to which the special label has been added to the label edge router over the label switched path corresponding to the destination address of the interception data.
PCT/CN2008/070539 2007-04-28 2008-03-20 Lawful interception method, communication system, router and interception gateway WO2008131665A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200710074168.7 2007-04-28
CN2007100741687A CN101296270B (en) 2007-04-28 2007-04-28 Legal monitoring method, communication system, router and monitoring gateway

Publications (1)

Publication Number Publication Date
WO2008131665A1 true WO2008131665A1 (en) 2008-11-06

Family

ID=39925202

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/070539 WO2008131665A1 (en) 2007-04-28 2008-03-20 Lawful interception method, communication system, router and interception gateway

Country Status (2)

Country Link
CN (1) CN101296270B (en)
WO (1) WO2008131665A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102333101A (en) * 2011-10-31 2012-01-25 杭州华三通信技术有限公司 Lawful interception method and equipment
CN106375266A (en) * 2015-07-22 2017-02-01 中兴通讯股份有限公司 Service monitoring control method and apparatus

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1440166A (en) * 2002-02-04 2003-09-03 松下电器产业株式会社 Method and body for identifying lost packets
US20060018255A1 (en) * 2004-07-26 2006-01-26 Avaya Technology Corp. Defining a static path through a communications network to provide wiretap law compliance
CN1953406A (en) * 2005-10-19 2007-04-25 株式会社Ntt都科摩 A method to access hybrid network and gateway equipment, wireless terminal and communication system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1719788A (en) * 2004-07-07 2006-01-11 中兴通讯股份有限公司 Method for call controlling and service monitoring of soft exchange monitoring

Also Published As

Publication number Publication date
CN101296270B (en) 2010-10-20
CN101296270A (en) 2008-10-29

Similar Documents

Publication Publication Date Title
WO2021207922A1 (en) Packet transmission method, device, and system
EP3400691B1 (en) Efficient packet capture for cyber threat analysis
EP1715628B1 (en) A method for realizing the multicast service
EP3080973B1 (en) Proxy interception
EP2378720B1 (en) Extranet networking method, system and device for multicast virtual private network
EP1942617B1 (en) Method, device and system for Ethernet-supported Source Specific Multicast forwarding
KR100894074B1 (en) Providing access bearer related information in a packet data network
WO2019033920A1 (en) Method and device enabling network side to identify and control remote user equipment
US12022327B2 (en) User data traffic handling
WO2015010307A1 (en) Service path allocation method, router and service execution entity
WO2009043258A1 (en) Method, system and device for message filtering
WO2012106869A1 (en) Message processing method and related device thereof
RU2660635C2 (en) Method and apparatus for controlling service chain of service flow
WO2011147371A1 (en) Method and system for implementing data transmission between virtual machines
WO2016107379A1 (en) Packet sending method and apparatus
WO2010063242A1 (en) Clock synchronization method, device and network system
WO2020259420A1 (en) Method for generating multicast forwarding table entry, and access gateway
WO2011044808A1 (en) Method and system for tracing anonymous communication
WO2015165249A1 (en) Method and device for establishing service path
JP2005295457A (en) P2p traffic dealing router and p2p traffic information sharing system using same
WO2013013567A1 (en) Method and apparatus for sending packet
WO2014201600A1 (en) Session management method, address management method and relevant device
US11405478B2 (en) System and method for providing redirections
WO2008131665A1 (en) Lawful interception method, communication system, router and interception gateway
WO2008141516A1 (en) Message transmitting method, transmitting device and transmitting system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 08715275; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 08715275; Country of ref document: EP; Kind code of ref document: A1)