WO2009030172A1 - A method and system for controlling network service - Google Patents


Info

Publication number
WO2009030172A1
Authority
WO
WIPO (PCT)
Prior art keywords
policy
service
information
deep packet
identifier
Prior art date
Application number
PCT/CN2008/072220
Other languages
French (fr)
Chinese (zh)
Inventor
Zhenzhu Lv
Chuntao Wang
Original Assignee
Huawei Technologies Co., Ltd.
Priority date
Filing date
Publication date
Priority claimed from CN2007101456280A
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2009030172A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/20 Traffic policing
    • H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2441 Traffic characterised by specific attributes, e.g. priority or QoS relying on flow classification, e.g. using integrated services [IntServ]

Definitions

  • The present invention relates to the field of communications, and in particular to a method and system for controlling network services.
  • With the continuing development of IP technology, IP-based broadband bearer networks will become the next-generation telecommunications network.
  • QoS: quality of service.
  • Quality of service and security of telecommunications services are key issues that must be addressed in IP-based next-generation telecommunications networks.
  • In the next-generation telecommunications network, in order to guarantee service delivery, the use of the entire bearer network must be controlled effectively, especially for the voice and multimedia services delivered in P2P mode that keep appearing on the network.
  • In the 3GPP PCC architecture, when a data flow passes through the gateway, the gateway enforces control functions according to dynamic policies issued by the PCRF (Policy and Charging Rules Function, the functional entity for policy control and flow-based charging control) to ensure the legitimacy of the data flow, and also performs traffic policing and shaping and queue scheduling.
  • PCRF: Policy and Charging Rules Function, the functional entity for policy control and flow-based charging control.
  • TISPAN: Telecommunications and Internet Protocol Harmonization Over Networks.
  • The current method of network control is mainly to place a firewall in front of the edge node at the core network boundary and to control P2P services by statically configuring P2P service policies on the firewall.
  • In that approach the policy for P2P services is statically configured, control cannot be refined to specific users, and the policy cannot be flexibly applied to different service operation modes (for example, allowing users who pay an extra charge to use P2P services while other users are not allowed to).
  • New P2P services appear and develop quickly, so when a P2P service changes, the service policy configuration rules can only be added or modified by frequent manual operations, which is unfavourable for network operation and maintenance.
  • Embodiments of the present invention provide a method for controlling network services, which solves the defect that the control strategy for P2P services in the above-mentioned next-generation telecommunications network is too simple and not flexible enough.
  • Embodiments of the present invention further provide a system for controlling network services, which solves the same defect.
  • A method for controlling network services, where the network services are transmitted between terminals via a policy enforcement point, includes the following steps:
  • (a) the policy enforcement point obtains a dynamic deep packet inspection service control policy from the policy decision point;
  • (b) the policy enforcement point identifies the service identifier of the data stream from the terminal by deep packet inspection, selects the dynamic deep packet inspection service control policy that matches the service type of the data stream, and processes the data stream according to that policy.
  • A system for controlling network services, where the network services are transmitted between terminals via a policy enforcement point, includes a policy enforcement point, a policy decision point, a user subscription database and an operator policy database connected to the network.
  • The policy decision point includes:
  • a policy generation module, which obtains user subscription information and service policy information locally, or obtains the user subscription information from the user subscription database and the service policy information from the operator policy database, and generates a dynamic deep packet inspection service control policy according to the user subscription information and the service policy information.
  • The policy enforcement point includes:
  • a deep packet inspection module, configured to detect and identify the user identifier and the service identifier of a data stream from the terminal by deep packet inspection; and
  • a policy execution module, configured to process the data flow from the terminal according to the dynamic deep packet inspection service control policy obtained from the policy decision point.
  • In the technical solution provided by the embodiments of the present invention, for network services forwarded between terminals through the policy enforcement point, the policy enforcement point processes the data flow using the dynamic deep packet inspection service control policy obtained from the policy decision point, and so implements dynamic control of such services. This solves the shortcoming of the existing next-generation telecommunications network that the control strategy for such services is too simple and inflexible, and gives network operators control over such services, which reduces the cost of network operation.
  • The embodiments of the present invention can also provide differentiated service quality assurance when different users use a network service.
  • FIG. 1 is a schematic structural diagram of a system for controlling network services according to an embodiment of the present invention;
  • FIG. 2 is a flowchart of a method for controlling network services in an embodiment of the present invention;
  • FIG. 3 is a schematic diagram of the first embodiment of the method of FIG. 2;
  • FIG. 4 is a schematic diagram of the second embodiment of the method of FIG. 2.
  • FIG. 1 is a schematic structural diagram of a system for controlling network services in an embodiment of the present invention.
  • The system includes a Policy Enforcement Point (PEP) 12 connected to a network, a Policy Decision Point (PDP) 15, a Subscription Profile Repository (SPR) 13 and a Policy Provision Repository (PPR) 14. The policy enforcement point 12 is connected to a plurality of terminals 11, so that the terminals 11 can exchange data via the policy enforcement point 12.
  • A user is a virtual entity that enters and uses the system with a user identifier on a terminal 11; the user's operations in the system are carried out by the terminal 11.
  • The operator policy database 14 holds service policy information, which includes the SLA (Service Level Agreement) policy for a user group, a service or a third-party operator, and service feature pattern information; the service feature pattern information includes P2P service feature pattern information.
  • The user subscription database 13 holds user subscription information, that is, the information the user has signed with the network operator. It is user-level quality of service (QoS) policy information and includes user group information, user service quality subscription information and service subscription relationships.
  • The policy decision point 15 retrieves policies from the operator policy database 14 and the user subscription database 13, interprets them and sends them to the policy enforcement point 12 for execution.
  • The policy decision point 15 must translate the policies retrieved from the operator policy database 14 and the user subscription database 13 into a format that the corresponding policy enforcement point 12 can understand.
  • The policy decision point 15 also receives policy request messages from the policy enforcement point 12 and returns the corresponding policy.
  • The policy decision point 15 includes a policy generation module 151.
  • The policy generation module 151 obtains service policy information from the operator policy database 14 and user subscription information from the user subscription database 13, and then generates a dynamic deep packet inspection service control policy from the service policy information and the user subscription information.
  • The dynamic deep packet inspection service control policy includes a user identifier, a service identifier and at least one of the following three: a quality of service level, a rate limit value, and uplink and downlink bandwidth. It may also include other information.
  • The policy enforcement point 12 includes a deep packet inspection module 121 and a policy execution module 122.
  • The deep packet inspection module 121 is configured to detect and identify, by Deep Packet Inspection (DPI), the user identifier of a data packet from the terminal 11 and the service identifier that marks its service type.
  • The policy execution module 122 is configured to obtain a specific policy from the policy decision point 15 and to process the data flow passing through the policy enforcement point 12 according to that policy.
  • The data flow is transmitted from one terminal to another terminal, and the policy enforcement point 12 is an intermediate node on the data path.
  • The policy enforcement point 12 may be a gateway, a firewall, a router, a security operating system, or the like.
  • The policy execution module 122 processes the data flow of the terminal 11 according to the dynamic deep packet inspection service control policy from the policy decision point 15, for example by CAR (Committed Access Rate), traffic limiting, priority marking, congestion avoidance, packet dropping, and so on.
  • CAR: Committed Access Rate.
  • A first trigger module may be included, which triggers the policy generation module 151 to generate the corresponding dynamic deep packet inspection service control policy when a policy request message is received from the policy enforcement point 12.
  • The policy request message carries the user identifier and the service identifier obtained by the deep packet inspection module 121.
  • A second trigger module may be included, which triggers the policy generation module 151 to generate the corresponding dynamic deep packet inspection service control policy when an online message of the terminal 11 is received; the online message carries the user identifier of the terminal 11 or a similar login tag.
  • In that case the policy generation module 151 obtains the service policy information of all service types from the operator policy database 14 and generates a plurality of dynamic deep packet inspection service control policies, which are sent to the policy enforcement point 12.
  • The policy enforcement point then selects the dynamic deep packet inspection service control policy matching the service type of the data stream to process the data stream.
  • FIG. 2 is a flowchart of a method for controlling network services according to an embodiment of the present invention.
  • The network service is transmitted between terminals 11 via the policy enforcement point 12, and the method includes the following steps:
  • Step S21: The policy enforcement point 12 obtains the dynamic deep packet inspection service control policy of the corresponding user from the policy decision point 15.
  • The dynamic deep packet inspection service control policy is generated by the policy decision point 15 from the user subscription information in the user subscription database and the service policy information in the operator policy database.
  • The dynamic deep packet inspection service control policy can also be set directly as needed.
  • The dynamic deep packet inspection service control policy includes a user identifier, a service identifier and at least one of the following three: a quality of service level, a rate limit value, and uplink and downlink bandwidth.
  • The policy decision point 15 generates the dynamic deep packet inspection service control policy on receiving a policy request message from the policy enforcement point 12, or on receiving the online message of the terminal 11.
  • Step S22: The policy enforcement point processes the data flow from the terminal according to the dynamic deep packet inspection service control policy, for example by CAR, traffic limiting, priority marking, congestion avoidance, packet dropping, and so on.
  • FIG. 3 is a data flow diagram of the first embodiment of the method of FIG. 2.
  • This interaction process belongs to the prior art and therefore does not appear in the figure.
  • Only the result of the interaction is shown: the service feature pattern information and the corresponding service identifiers are sent to the policy enforcement point 12 for record keeping.
  • The policy enforcement point 12 can also obtain the service feature pattern information and the corresponding service identifiers by static configuration.
  • The service feature pattern information includes P2P service feature pattern information; for example, the service feature pattern of BT download is "
  • Service feature pattern information may also be included for a specific application.
  • The service identifier may be five-tuple information (source and destination IP addresses, source and destination port numbers, and protocol number), a service name string, a service identifier index, or the port number used to identify the service.
  • The policy decision point 15 obtains the user subscription information from the user subscription database 13 and saves it in its local records.
  • The policy decision point 15 obtains the service policy information from the operator policy database 14 and saves it in its local records.
  • The service policy information includes the service identifier and the corresponding operator policy rule.
  • The terminal 11 initiates a service, generates a data stream and sends it to the policy enforcement point 12.
  • When the policy enforcement point 12 receives the data stream, it performs deep packet inspection on it, identifies the service identifier corresponding to the data stream, obtains the user identifier corresponding to the data stream, and then, according to the service identifier and the user identifier, sends a policy request message to the policy decision point 15 to obtain a data flow processing policy; the policy request message carries the user identifier and the service identifier. During this process, unrecognized traffic can be dropped or scheduled and forwarded in BF (best effort forwarding) mode.
  • BF: best effort forwarding.
  • DPI technology: as a flexible and effective service identification technology, DPI has developed rapidly in recent years in firewalls, service control gateways and policy control systems. The "depth" is relative to the level of ordinary packet analysis.
  • Ordinary packet analysis only analyses the content of the IP packet at and below the transport layer: source address, destination address, source port, destination port and protocol type.
  • DPI adds application-layer analysis.
  • When the DPI method is used to identify the service identifier of a data stream, the transport-layer content may be analysed first.
  • For example, the data stream may be determined to be File Transfer Protocol (FTP) traffic.
  • FTP: File Transfer Protocol.
  • For a data flow whose service type is determined in this way, the service identifier is obtained from the stored correspondence between service types and service identifiers. If the service type cannot be determined by analysing the transport-layer content, a further in-depth analysis is performed to match the service feature pattern information and obtain the service identifier of the data stream. For example, if DPI is performed on the data stream and "
  • The policy decision point 15 determines and associates the policy information according to the user identifier and the service identifier in the policy request. When the policy decision point 15 determines from the service identifier that the data flow belongs to a P2P service, it generates a dynamic deep packet inspection service control policy. If the policy decision point 15 has the user subscription information locally, it obtains it directly from local storage; if it has the service policy information locally, it likewise obtains that directly from local storage. If the user data and service information data are not held locally, it queries the user subscription database 13 for the user subscription information according to the user identifier and queries the operator policy database 14 for the service policy information according to the service identifier, and then generates the dynamic deep packet inspection service control policy from the user subscription information and the service policy information.
  • The dynamic deep packet inspection service control policy includes a user identifier, a service identifier, a quality of service level, a rate limit value, and uplink and downlink bandwidth.
  • Subsequent events, such as the end user terminating or subscribing to a service relationship, or changes to the information in the operator policy database 14, may also trigger the policy decision point 15 to actively update the dynamic deep packet inspection service control policy. Because the dynamic deep packet inspection service control policy is generated when the terminal accesses the system, if the user subscription database or the operator policy database changes while the terminal is accessing the system, a new dynamic deep packet inspection service control policy is generated according to the changed information, so that the policy is updated automatically.
  • The policy enforcement point 12 implements the corresponding policy scheduling on the data flow according to the obtained dynamic deep packet inspection service control policy, such as priority marking, traffic policing/shaping or congestion processing.
  • FIG. 4 is a schematic diagram of the second embodiment of the method of FIG. 2.
  • The policy decision point 15 obtains user subscription information by interacting with the user subscription database 13; the user subscription information includes user group information, user service quality level and service subscription relationships. At the same time, the policy decision point 15 obtains the service policy information of all service types by interacting with the operator policy database 14; each item of service policy information includes an SLA policy for a user group, a service or a third-party operator, as well as the P2P service feature pattern information and the corresponding service identifiers.
  • When receiving a user online message, the policy decision point 15 makes a comprehensive decision according to the user subscription information and the service policy information of all service types and forms a plurality of dynamic deep packet inspection service control policies. The user online message includes the user identifier, and each dynamic deep packet inspection service control policy includes a user identifier, a service identifier and at least one of a QoS level, a rate limit value and uplink and downlink bandwidth. The dynamic deep packet inspection service control policies are sent to the policy enforcement point 12.
  • The policy decision point 15 is also triggered to update the dynamic deep packet inspection service control policy.
  • The policy decision point 15 can learn whether a terminal 11 is online or offline in two ways: the online/offline status of the terminal 11 is reported directly to the policy decision point 15 through the policy enforcement point 12, or the NASS notifies the policy decision point 15 that the terminal 11 has gone online or offline.
  • If the policy decision point 15 has the user subscription information locally, it obtains it directly from local storage; if not, it actively obtains it from the user subscription database 13. Similarly, if the policy decision point 15 has the service policy information locally, it obtains it directly from local storage; otherwise it actively obtains it from the operator policy database 14.
  • After the dynamic deep packet inspection service control policies are generated, the policy decision point 15 sends all of them, together with all the service feature pattern information and the corresponding service identifiers, to the policy enforcement point 12.
  • The policy enforcement point 12 matches the service feature pattern information by deep packet inspection to identify the service type of the data flow and the corresponding service identifier, selects from the plurality of dynamic deep packet inspection service control policies the one matching the identified service identifier, and implements the corresponding policy scheduling on the data flow, such as priority marking, traffic policing/shaping or congestion processing;
  • for an unrecognized data stream, it drops the packets or schedules and forwards them in BF mode.
  • In the embodiments above, the policy enforcement point requests a dynamic deep packet inspection service control policy from the policy decision point and applies the corresponding deep packet inspection service control policy to the data flow of the network service.
  • The policy decision point can generate the dynamic deep packet inspection service control policy, which solves the defect that the control strategy for P2P services in the existing next-generation telecommunications network is too simple and not flexible enough.
  • The service control policy can be generated dynamically according to the user's subscription information, which makes it easier for the service operator to control the service for different users; for example, users who pay an extra fee are allowed to use P2P services. This makes network operation and maintenance easier for operators.
  • Network service control implemented with the technical solution of the embodiments of the present invention does not require the prior-art approach in which a firewall is used for service control and service policy configuration rules are frequently added and modified by manual operation, thereby saving human resources and simplifying the service control process.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method for controlling a network service transferred among terminals via a policy enforcement point includes: (a) the policy enforcement point obtains a dynamic deep packet inspection service control policy from a policy decision point; (b) the policy enforcement point detects the service identifier of the data stream from the terminals by deep packet inspection, selects the dynamic deep packet inspection service control policy matching the service type of the data stream, and processes the data stream according to that policy. A corresponding system for controlling network services is also provided. Processing the data stream by a dynamic deep packet inspection service control policy provides differentiated service quality guarantees when different users use a network service. At the same time, network services are controlled through dynamic policy control, which reduces the cost of network operation.

Description

一种控制网络业务的方法及系统  Method and system for controlling network service
本申请要求于 2007 年 09 月 06 日提交中国专利局、 申请号为 200710145628.0、 发明名称为"一种控制网络业务的方法及系统"的中国专利申 请的优先权, 其全部内容通过引用结合在本申请中。  This application claims priority to Chinese Patent Application No. 200710145628.0, entitled "A Method and System for Controlling Network Services", filed on September 06, 2007, the entire contents of which is incorporated herein by reference. In the application.
技术领域 Technical field
本发明涉及通信领域, 具体涉及一种控制网络业务的方法及系统。  The present invention relates to the field of communications, and in particular, to a method and system for controlling network services.
背景技术 Background technique
随着 IP技术的不断发展, 基于 IP的宽带承载网络将成为下一代电信网。 电信业务的服务质量(QoS )及安全问题是基于 IP 的下一代电信网的必须解 决的关键问题。 在下一代电信网中, 为了保证业务传输, 需有效控制整个承载 网络的使用 ,特别是对于目前在网络上不断出现的基于 P2P方式提供语音或多 媒体业务。  With the continuous development of IP technology, IP-based broadband bearer networks will become the next generation telecommunications network. The quality of service (QoS) and security issues of telecommunications services are key issues that must be addressed in IP-based next-generation telecommunications networks. In the next generation telecommunication network, in order to ensure service transmission, it is necessary to effectively control the use of the entire bearer network, especially for the voice or multimedia service based on the P2P method that is constantly appearing on the network.
目前业界相关标准组织都提出类似的基于承载控制层来实现 QoS保证。 例如在 3GPP ( The Third Generation Partnership Project, 第三代合作方案) 的 PCC ( Policy and Charging Control architecture, 策略和计费控制架构) 中, 通 过基于业务和用户签约信息的策略控制机制, 当数据流经过网关(GW ) 时, 网关根据 PCRF ( Policy and Charging Rules Function, 用于策略控制和基于流 的计费控制的功能实体) 下发的动态策略实施控制功能以确保数据流的合法 性, 同时还执行流量监管及整形, 以及队列调度等功能。  At present, relevant standards organizations in the industry have proposed similar bearer control layers to achieve QoS guarantee. For example, in the PCC (Policy and Charging Control Architecture) of 3GPP (The Third Generation Partnership Project), the data flow is passed through a policy control mechanism based on service and user subscription information. At the gateway (GW), the gateway implements control functions based on dynamic policies issued by the Policy and Charging Rules Function (Factors for Policy Control and Flow-based Accounting Control) to ensure the legitimacy of data flows. Traffic policing and shaping, and queue scheduling.
而在 ETSI (欧洲电信标准化协会 ) 的 TISPAN ( Telecommunications and And at ETSI (European Telecommunications Standardization Institute) TISPAN (Telecommunications and
Internet Protocol Harmonization Over Networks , 基于网络的通信和网络十办议十办 调)中, 也提出类似的 RACS ( Resource and Admission Control Sub-system, 资 源和接纳控制子系统 )架构, 其中 SPDF的功能类似于 3GPP的 PCRF的部分 功能, 当然这两个标准在制定时由于其重点考虑的接入网类型不一致,导致两 者的实现细节等方面稍有些差异。 In the Internet Protocol Harmonization Over Networks, a similar RACS (Resource and Admission Control Sub-system) architecture, the functionality of SPDF is similar. Part of the functions of the PCRF of 3GPP. Of course, the two standards are slightly different in terms of the implementation details of the access network due to their inconsistency.
然而,无论是目前的 3GPP的 PCC还是 ETSI TISPAN的 RACS提出的 QoS 控制流程及相关策略主要是针对会话型业务, 即 PDF (策略控制功能)是通过 与 AF (适配模块 )交互获得动态业务信息。 然而此类 QoS控制机制无法适用 于当前 P2P ( Peer to Peer, 点对点)业务如 Skype、 BT、 MSN等。 此类 P2P 业务的最大特点是: 由第三方内容商提供和控制业务, 网络运营商的设备不参 与业务建立的信令交互过程。因此网络运营商无法确保用户在请求业务前第三 方 AF会主动与 PDF交互,从而使得网络运营商无法保证可以实施此类业务的 动态策略控制, 不利于网络的运营维护。 However, both the current 3GPP PCC and ETSI TISPAN RACS proposed QoS control procedures and related strategies are mainly for session-based services, that is, PDF (Policy Control Function) is to obtain dynamic service information by interacting with AF (adaptive module). . However, such QoS control mechanisms cannot be applied to current P2P (Peer-to-Peer) services such as Skype, BT, MSN, and the like. Such P2P The biggest feature of the service is: The third-party content provider provides and controls the service, and the network operator's device does not participate in the signaling interaction process of the service establishment. Therefore, the network operator cannot ensure that the third-party AF will actively interact with the PDF before requesting the service, so that the network operator cannot guarantee the dynamic policy control that can implement such a service, which is not conducive to the operation and maintenance of the network.
目前实现网络控制的方法主要是在核心网边界的边缘节点前放置一防火 墙, 通过在防火墙上静态配置对 P2P业务的策略来实现对 P2P业务的控制。 然而在该方案中,对 P2P业务的策略是通过静态配置实现的且控制不能细化到 特定用户 , 不能够灵活适用于各种业务运营模式(如对于支付额外费用用户允 许其使用 P2P业务, 而其他用户则不允许使用)。 同时由于新的 P2P业务具有 出现和发展速度快的特点, 因此在 P2P业务产生变化时,只能通过频繁地手工 操作来增加或修改业务策略配置规则 , 不利于网络的运营维护。  At present, the method of implementing the network control is mainly to place a firewall in front of the edge node of the core network boundary, and to implement the control of the P2P service by statically configuring the policy of the P2P service on the firewall. However, in this solution, the policy for P2P services is implemented through static configuration and the control cannot be refined to specific users, and cannot be flexibly applied to various service operation modes (for example, users are allowed to use P2P services for paying extra charges). Other users are not allowed to use it). At the same time, the new P2P service has the characteristics of rapid emergence and development. Therefore, when the P2P service changes, the service policy configuration rule can be added or modified through frequent manual operations, which is not conducive to network operation and maintenance.
Summary of the Invention
Embodiments of the present invention provide a method for controlling network services, which overcomes the above defect of the next-generation telecommunication network that its control policy for P2P services is too simple and not flexible enough.
Embodiments of the present invention also provide a system for controlling network services, which overcomes the same defect of the next-generation telecommunication network that its control policy for P2P services is too simple and not flexible enough.
To achieve the above objective, the technical solution of the embodiments of the present invention is implemented as follows:
A method for controlling network services, where the network services are transferred between terminals via a policy enforcement point, comprising the following steps:
(a) the policy enforcement point obtains a dynamic deep packet inspection service control policy from a policy decision point;
(b) the policy enforcement point uses a deep packet inspection method to identify the service identifier of a data flow from a terminal, selects the dynamic deep packet inspection service control policy that matches the service type of the data flow, and processes the data flow according to that policy.
A system for controlling network services, where the network services are transferred between terminals via a policy enforcement point, comprising a policy enforcement point, a policy decision point, a user subscription database and an operator policy database connected to the network,
where the policy decision point comprises:
a policy generation module, which obtains user subscription information and service policy information locally, or obtains the user subscription information from the user subscription database and the service policy information from the operator policy database, and generates a dynamic deep packet inspection service control policy according to the user subscription information and the service policy information;
and the policy enforcement point comprises:
a deep packet inspection module, configured to detect and identify, using a deep packet inspection method, the user identifier and service identifier of a data flow from a terminal;
a policy execution module, configured to process the data flow from the terminal according to the dynamic deep packet inspection service control policy obtained from the policy decision point.
Compared with the prior art, in the technical solution provided by the embodiments of the present invention, for network services forwarded between terminals through a policy enforcement point, the policy enforcement point processes the data flows using the dynamic deep packet inspection service control policy obtained from the policy decision point. This achieves dynamic control of such services, which overcomes the defect of the existing next-generation telecommunication network that its control policy for such services is too simple and not flexible enough, and gives the network operator control over such services, which lowers the cost of network operation. At the same time, the embodiments of the present invention can provide differentiated service quality guarantees to different users of a network service.
Brief Description of the Drawings
FIG. 1 is a schematic structural diagram of a system for controlling network services according to an embodiment of the present invention;
FIG. 2 is a flowchart of a method for controlling network services according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a first embodiment of the method of FIG. 2;
FIG. 4 is a schematic diagram of a second embodiment of the method of FIG. 2.
Detailed Description
The present invention is described in detail below with reference to the accompanying drawings and specific embodiments.
FIG. 1 is a schematic structural diagram of a system for controlling network services according to an embodiment of the present invention. The system comprises a Policy Enforcement Point (PEP) 12, a Policy Decision Point (PDP) 15, a Subscription Profile Repository (SPR) 13 and a Policy Provision Repository (PPR) 14, all connected to the network. The policy enforcement point 12 is connected to a plurality of terminals 11, so that the terminals 11 can exchange data via the policy enforcement point 12. A user is the virtual entity that enters the system with a user identifier on a terminal 11 and uses the system; the user's operations in the system are carried out through the terminal 11.
The operator policy database 14 holds service policy information, which includes SLA (Service Level Agreement) policies based on user groups, services or third-party operators, together with service feature pattern information, the latter including P2P service feature pattern information. The user subscription database 13 holds user subscription information, i.e. the information agreed in the user's contract with the network operator; this is user-level quality of service (QoS) policy information and includes user group information, user QoS subscription information and service subscription relationships.
The policy decision point 15 retrieves policies from the operator policy database 14 and the user subscription database 13, interprets them and sends them to the policy enforcement point 12 for execution. The policy decision point 15 has to translate the policies retrieved from the operator policy database 14 and the user subscription database 13 into a format the corresponding policy enforcement point 12 can understand. The policy decision point 15 also receives policy request messages from the policy enforcement point 12 and returns the corresponding policies.
In this embodiment the policy decision point 15 comprises a policy generation module 151, which obtains service policy information from the operator policy database 14 and user subscription information from the user subscription database 13, and then generates a dynamic deep packet inspection service control policy according to the service policy information and the user subscription information. The dynamic deep packet inspection service control policy comprises a user identifier, a service identifier and at least one of the following three items: a quality of service level, a rate-limit count, and uplink and downlink bandwidth; it may also include other information.
The policy enforcement point 12 comprises a deep packet inspection module 121 and a policy execution module 122. The deep packet inspection module 121 uses a dynamic Deep Packet Inspection (DPI) method to detect and identify the user identifier of packets from a terminal 11 and the service identifier marking their service type. The policy execution module 122 obtains the specific policy from the policy decision point 15 and processes the data flows passing through the policy enforcement point 12 according to that policy. A data flow travels from one terminal to another, and the policy enforcement point 12 is an intermediate node on that data path; in practice the policy enforcement point 12 may be a gateway, a firewall, a router, a security operating system and the like. In this embodiment, after the deep packet inspection module 121 has identified the packet type, the policy execution module 122 processes the data flow of the terminal 11 according to the dynamic deep packet inspection service control policy received from the policy decision point 15, applying for example CAR (Committed Access Rate), rate limiting, priority marking, congestion avoidance, packet dropping and the like.
This embodiment also includes a first trigger module, which triggers the policy generation module 151 to generate the corresponding dynamic deep packet inspection service control policy when a policy request message is received from the policy enforcement point 12; the policy request message contains the user identifier and service identifier obtained by the deep packet inspection module 121.
Another embodiment of the present invention includes a second trigger module, which triggers the policy generation module 151 to generate the corresponding dynamic deep packet inspection service control policies when an on-line message of a terminal 11 is received; the on-line message contains the user identifier or similar information marking the terminal 11 that has logged in. In this case the policy generation module 151 obtains the service policy information for all service types from the operator policy database 14, generates a plurality of dynamic deep packet inspection service control policies and delivers them to the policy enforcement point 12. After the policy enforcement point 12 has identified a data flow using the deep packet inspection method, it selects the dynamic deep packet inspection service control policy that matches the service type of the data flow and processes the flow accordingly.
FIG. 2 is a flowchart of a method for controlling network services according to an embodiment of the present invention, where the network services are transferred between terminals 11 via the policy enforcement point 12. The method comprises the following steps:
Step S21: the policy enforcement point 12 obtains the dynamic deep packet inspection service control policy for the user concerned from the policy decision point 15. This policy is generated by the policy decision point 15 according to the user subscription information in the user subscription database and the service policy information in the operator policy database; it may of course also be set directly as required. The dynamic deep packet inspection service control policy comprises a user identifier, a service identifier and at least one of the following three items: a quality of service level, a rate-limit count, and uplink and downlink bandwidth.
The policy decision point 15 generates the dynamic deep packet inspection service control policy either when it receives a policy request message from the policy enforcement point 12 or when it receives an on-line message of a terminal 11.
Step S22: the policy enforcement point processes the data flow from the terminal according to the dynamic deep packet inspection service control policy, for example by applying CAR, rate limiting, priority marking, congestion avoidance, packet dropping and the like.
FIG. 3 is a data flow diagram of the first embodiment of the method of FIG. 2.
First, after the policy enforcement point 12 starts up or while it is running, it interacts with the network management system, the supplier policy database 14 or another third-party database; this interaction is prior art and is therefore not shown in the figure, which shows only its result: the service feature pattern information and the corresponding service identifiers are delivered to the policy enforcement point 12, which records and stores them. The policy enforcement point 12 may also obtain the service feature pattern information and the corresponding service identifiers by static configuration.
In this embodiment the service feature pattern information includes P2P service feature pattern information; for example, the service feature pattern of BT downloads is "|13|BitTorrent protocol". Other types of service feature pattern information may of course be included in a specific application.
The service identifier may be five-tuple information (source and destination IP addresses, source and destination port numbers and protocol number), a service name string, a service identifier index, a port number or other information that identifies the service.
In addition, after the policy decision point 15 starts up it obtains the user subscription information from the user subscription database 13 and saves it in its local records. Likewise, after starting up it obtains the service policy information from the supplier policy database 14 and saves it in its local records; the service policy information includes service identifiers and the corresponding operator policy rules.
A terminal 11 starts a service, producing a data flow, and sends the data flow to the policy enforcement point 12. On receiving the data flow, the policy enforcement point 12 performs deep packet inspection on it, identifies the service identifier corresponding to the data flow and obtains the user identifier corresponding to the data flow, and then sends a policy request message carrying the user identifier and service identifier to the policy decision point 15 to obtain a processing policy for the data flow. During this process, flows whose service cannot be identified may be dropped or scheduled and forwarded using BF (Best effort forwarding).
DPI, a flexible and effective service identification technique, has developed rapidly in recent years in firewalls, service control gateways and policy control systems. The word "deep" contrasts with ordinary packet analysis, which examines only the contents of an IP packet at and below the transport layer: source address, destination address, source port, destination port and protocol type. DPI adds application-layer analysis on top of the analysis of those layers.
In this embodiment, when the DPI method is used to identify the service identifier of a data flow, the transport-layer contents may be examined first; for example, if the port number used by the fixed FTP service is recognized, the data flow can be determined to belong to the File Transfer Protocol (FTP) service, and the service identifier corresponding to the data flow is obtained from the stored correspondence between service types and service identifiers. If the service type cannot be determined from the transport-layer contents, deeper analysis is performed, matching against the service feature pattern information to obtain the service identifier of the data flow. For example, if DPI of the data flow detects "|13|BitTorrent protocol", the policy enforcement point 12 obtains the service identifier of the BT service by matching against the locally stored service feature pattern information.
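The two-stage identification just described, as an added example in Python that is not code from the patent: a port lookup at the transport layer first, then a scan of the payload for service feature patterns written in the page's "|13|BitTorrent protocol" notation. The port table, service identifiers and sample flows are constructed for illustration.

```python
"""Added example (not code from the patent): two-stage DPI service
identification.  Stage 1 looks only at transport-layer fields; stage 2
scans the application payload for service feature patterns.  The port
table, service identifiers and sample flows below are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional


def parse_feature_pattern(text: str) -> bytes:
    """Turn the "|13|BitTorrent protocol" notation into raw bytes.

    Hex digits between a pair of '|' bars are literal bytes; everything
    else is ASCII.  "|13|" is the length byte 19 that opens a BitTorrent
    handshake, followed by the string "BitTorrent protocol".
    """
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "|":
            end = text.index("|", i + 1)
            out += bytes.fromhex(text[i + 1:end])
            i = end + 1
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


@dataclass(frozen=True)
class Flow:
    """Five-tuple of a flow plus the first payload bytes the PEP has seen."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int            # 6 = TCP, 17 = UDP
    payload: bytes = b""


# Stage 1 table: fixed-port services (constructed; a real PEP would load it
# from the operator policy database or static configuration).
PORT_SERVICE_IDS: Dict[int, str] = {21: "ftp", 25: "smtp"}

# Stage 2 table: service feature pattern information keyed by service id.
FEATURE_PATTERNS: Dict[str, bytes] = {
    "bt": parse_feature_pattern("|13|BitTorrent protocol"),
}


def identify_service(flow: Flow,
                     port_table: Dict[int, str] = PORT_SERVICE_IDS,
                     patterns: Dict[str, bytes] = FEATURE_PATTERNS) -> Optional[str]:
    """Return the service identifier of a flow, or None if it is unrecognised.

    Unrecognised flows are the ones the description says may be dropped
    or forwarded best-effort; that decision is left to the caller.
    """
    # Stage 1: transport layer only (ordinary packet analysis).
    if flow.proto == 6 and flow.dst_port in port_table:
        return port_table[flow.dst_port]
    # Stage 2: deep analysis of the application payload.
    for service_id, pattern in patterns.items():
        if pattern in flow.payload:
            return service_id
    return None


if __name__ == "__main__":
    # Constructed sample flows: an FTP control connection, a BitTorrent
    # handshake on a non-standard port, and an unknown UDP flow.
    samples = [
        Flow("10.0.0.5", "10.0.0.9", 40001, 21, 6),
        Flow("10.0.0.5", "198.51.100.7", 51413, 6881, 6,
             b"\x13BitTorrent protocol" + bytes(8 + 20 + 20)),
        Flow("10.0.0.5", "203.0.113.2", 50000, 9999, 17, b"hello"),
    ]
    for f in samples:
        print(f.dst_port, identify_service(f))
```

Stage 2 here matches a plain-text handshake only; a flow that carries the same service under obfuscation or encryption yields None and falls into the page's drop-or-best-effort path, which is the usual limit of signature-based DPI.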
The policy decision point 15 determines and associates policy information according to the user identifier and service identifier in the policy request. When the policy decision point 15 determines from the service identifier that the data flow belongs to a P2P service, it generates a dynamic deep packet inspection service control policy. If the user subscription information already exists locally at the policy decision point 15, it is obtained directly from the local records; if the service policy information already exists locally, it is likewise obtained directly from the local records; if the policy decision point 15 has neither user data nor service information locally, it queries the user subscription database 13 by user identifier to obtain the user subscription information and queries the supplier policy database 14 by service identifier to obtain the service policy information. It then makes a combined decision based on the user subscription information and the service policy information, generates the dynamic deep packet inspection service control policy and returns it to the policy enforcement point 12. This policy comprises the user identifier, the service identifier, the quality of service level, the rate-limit count, the uplink and downlink bandwidth and so on.
Subsequent events, such as the end user cancelling or subscribing to a service relationship, or a change of information in the supplier policy database 14, likewise trigger the policy decision point 15 to update the dynamic deep packet inspection service control policy of its own accord. Because the dynamic deep packet inspection service control policy is generated only when a terminal accesses the system, if the user subscription database or the supplier policy database has changed by the time the terminal accesses the system, a new dynamic deep packet inspection service control policy is generated from the changed information, so the policy is updated automatically.
Finally, the policy enforcement point 12 applies the corresponding policy scheduling to the data flow according to the obtained deep packet inspection service control policy, such as priority marking, traffic policing/shaping or congestion handling actions.
FIG. 4 is a schematic diagram of the second embodiment of the method of FIG. 2.
First, the policy decision point 15 obtains the user subscription information by interacting with the user subscription database 13; the user subscription information includes user group information, the user's quality of service level, service subscription relationships and so on. At the same time the policy decision point 15 obtains the service policy information for all service types by interacting with the operator policy database 14; each item of service policy information includes SLA policies based on user groups, services or third-party operators, and also the feature pattern information of P2P services and the corresponding service identifiers.
On receiving a user on-line message, which contains the user identifier, the policy decision point 15 makes a combined decision based on the user subscription information and the service policy information for all service types and forms a plurality of dynamic deep packet inspection service control policies, each comprising a user identifier, a service identifier and at least one of a quality of service level, a rate-limit count and uplink and downlink bandwidth, and delivers these policies to the policy enforcement point 12.
Subsequent events, such as the end user cancelling or subscribing to a service relationship, or a change of information in the supplier policy database 14, likewise trigger the policy decision point 15 to update the dynamic deep packet inspection service control policies. In this embodiment the policy decision point 15 can learn the on-line/off-line status of a terminal 11 in two ways: either the policy enforcement point 12 reports the on-line/off-line status of the terminal 11 directly to the policy decision point 15, or another device, such as the NASS, notifies the policy decision point 15 of it.
If user subscription information exists locally at the policy decision point 15 when the terminal on-line message is received, it is obtained directly from the local records; if not, the policy decision point 15 fetches it from the user subscription database 13. Likewise, if service policy information exists locally at the policy decision point 15, it is obtained directly from the local records; if not, the policy decision point 15 fetches it from the supplier policy database 14.
After generating the dynamic deep packet inspection service control policies, the policy decision point 15 delivers all of them, together with all the service feature pattern information and the corresponding service identifiers, to the policy enforcement point 12. When a data flow reaches the policy enforcement point 12, the policy enforcement point 12 uses the deep packet inspection method to match the service feature pattern information and identify the service type of the flow and its corresponding service identifier, selects from the plurality of dynamic deep packet inspection service control policies the one whose service identifier matches, and applies the corresponding policy scheduling to the flow, such as priority marking, traffic policing/shaping or congestion handling actions; flows that match no policy are dropped or scheduled and forwarded in BF mode.
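The policy decision side of both embodiments (the first embodiment's per-flow policy request and this second embodiment's push of all policies at log-on), together with the PEP's selection of the matching policy, as an added Python example that is not code from the patent. The subscription and operator records, the identifiers, the bandwidth values and the action names are all constructed; the zero-bandwidth-means-drop convention is an assumption of the example.

```python
"""Added example (not code from the patent): a toy policy decision point
(PDP) that builds dynamic DPI service control policies from subscription
and operator policy records for both triggers (PEP policy request, or a
terminal on-line message), plus the PEP-side policy selection.  All
records, identifiers, bandwidth values and action names are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DpiPolicy:
    """User id, service id, and at least one of QoS level / rate-limit count / bandwidth."""
    user_id: str
    service_id: str
    qos_level: Optional[int] = None
    rate_limit_count: Optional[int] = None
    up_kbps: Optional[int] = None
    down_kbps: Optional[int] = None


# Constructed stand-ins for the user subscription database (SPR) and the
# operator policy database (PPR); operator rules are keyed by service, then user group.
SPR: Dict[str, dict] = {
    "alice": {"group": "premium", "qos_level": 1, "subscribed": {"bt", "ftp"}},
    "bob":   {"group": "basic",   "qos_level": 3, "subscribed": {"ftp"}},
}
PPR: Dict[str, Dict[str, dict]] = {
    "bt":  {"premium": {"up_kbps": 2000, "down_kbps": 8000},
            "basic":   {"up_kbps": 0, "down_kbps": 0, "rate_limit_count": 0}},
    "ftp": {"premium": {"up_kbps": 5000, "down_kbps": 5000},
            "basic":   {"up_kbps": 1000, "down_kbps": 1000}},
}


class PolicyDecisionPoint:
    def __init__(self, spr: Dict[str, dict], ppr: Dict[str, Dict[str, dict]]):
        self._spr, self._ppr = spr, ppr
        self._local_subs: Dict[str, dict] = {}    # local copy of SPR records
        self._local_rules: Dict[str, dict] = {}   # local copy of PPR records
        self.db_queries = 0                        # trips to a database so far

    def _subscription(self, user_id: str) -> dict:
        if user_id not in self._local_subs:       # not local: query the SPR
            self._local_subs[user_id] = self._spr[user_id]
            self.db_queries += 1
        return self._local_subs[user_id]

    def _service_rules(self, service_id: str) -> dict:
        if service_id not in self._local_rules:   # not local: query the PPR
            self._local_rules[service_id] = self._ppr[service_id]
            self.db_queries += 1
        return self._local_rules[service_id]

    def decide(self, user_id: str, service_id: str) -> DpiPolicy:
        """Combined decision from subscription info and operator rules."""
        sub = self._subscription(user_id)
        rule = dict(self._service_rules(service_id).get(sub["group"], {}))
        if service_id not in sub["subscribed"]:
            # Constructed convention: an unsubscribed service gets zero
            # bandwidth, which enforce() below treats as "drop".
            rule.update(up_kbps=0, down_kbps=0)
        return DpiPolicy(user_id, service_id, qos_level=sub["qos_level"], **rule)

    def on_policy_request(self, user_id: str, service_id: str) -> DpiPolicy:
        """First embodiment: the PEP identified a flow and asks for one policy."""
        return self.decide(user_id, service_id)

    def on_user_online(self, user_id: str) -> List[DpiPolicy]:
        """Second embodiment: one policy per known service type at log-on."""
        return [self.decide(user_id, s) for s in self._ppr]


def select_policy(policies: List[DpiPolicy], user_id: str,
                  service_id: str) -> Optional[DpiPolicy]:
    """PEP side: pick the policy whose user id and service id both match."""
    for p in policies:
        if p.user_id == user_id and p.service_id == service_id:
            return p
    return None


def enforce(policies: List[DpiPolicy], user_id: str,
            service_id: Optional[str]) -> str:
    """Scheduling decision for a flow after DPI (service_id None = unrecognised).
    Constructed actions: best_effort, drop, or shape:<up>/<down>:qos<level>."""
    pol = select_policy(policies, user_id, service_id) if service_id else None
    if pol is None:                      # unrecognised or no matching policy
        return "best_effort"
    if pol.up_kbps == 0 and pol.down_kbps == 0:
        return "drop"
    return f"shape:{pol.up_kbps}/{pol.down_kbps}:qos{pol.qos_level}"


if __name__ == "__main__":
    pdp = PolicyDecisionPoint(SPR, PPR)
    pushed = pdp.on_user_online("bob")                # second embodiment
    print(enforce(pushed, "bob", "bt"), enforce(pushed, "bob", "ftp"))
    one = pdp.on_policy_request("alice", "bt")        # first embodiment
    print(enforce([one], "alice", "bt"), enforce(pushed, "bob", None))
```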
As can be seen from the above, in the technical solution provided by the embodiments of the present invention, for network services such as P2P services that are forwarded between terminals through a policy enforcement point, the policy enforcement point requests a dynamic deep packet inspection service control policy from the policy decision point and applies that policy to the data flows of the network service. With this solution the policy decision point can generate dynamic deep packet inspection service control policies, which overcomes the defect of existing next-generation telecommunication networks that the control policy for P2P services is too simple and not flexible enough.
Furthermore, because in the technical solution of the embodiments the dynamic deep packet inspection service control policy can be generated dynamically from the user's subscription information, the service operator can conveniently control services flexibly for different users, for example allowing users who pay an extra fee to use P2P services, which makes network operation and maintenance easier for the operator.
In addition, implementing network service control with the technical solution of the embodiments does not require the frequent manual operations needed to add and modify service policy configuration rules when, as in the prior art, a firewall is used for service control, which saves human resources and simplifies the service control process.
The above are only preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims

1. A method for controlling a network service, the network service being transferred between terminals via a policy enforcement point, characterised in that the method comprises the following steps:
(a) the policy enforcement point obtains a dynamic deep packet inspection service control policy from a policy decision point;
(b) the policy enforcement point identifies, by deep packet inspection, the service identifier of a data flow coming from a terminal, selects the dynamic deep packet inspection service control policy that matches the service type of the data flow, and processes the data flow according to that policy.

2. The method for controlling a network service according to claim 1, characterised in that, before step (a), the method further comprises:
(a1) the policy decision point dynamically generating a dynamic deep packet inspection service control policy according to user subscription information and service policy information.

3. The method for controlling a network service according to claim 1, characterised in that, before step (a), the method further comprises:
(a1) the policy decision point, on receiving a user on-line message, dynamically generating a dynamic deep packet inspection service control policy according to user subscription information and service policy information.

4. The method for controlling a network service according to claim 3, characterised in that step (a1) specifically comprises:
(a11') the policy decision point detects that a user has come on-line;
(a12') the policy decision point obtains the user subscription information and the service policy information for all service types directly from local storage, or obtains the user subscription information from a user subscription database and the service policy information for all service types from an operator policy database;
(a13') the policy decision point dynamically generates a plurality of dynamic deep packet inspection service control policies according to the user subscription information and the service policy information.

5. The method for controlling a network service according to claim 1, characterised in that, before step (a), the method further comprises:
the policy enforcement point, after start-up or during operation, obtaining service feature pattern information and the corresponding service identifiers from a network management system, an operator policy database or another third-party database, or obtaining the service feature pattern information and the corresponding service identifiers by static configuration;
the policy enforcement point, on receiving a data flow from a terminal, matching the service feature patterns by deep packet inspection and identifying the service identifier and the user identifier corresponding to the data flow;
the policy enforcement point generating a policy request message according to the service identifier and sending the policy request message to the policy decision point.

6. The method for controlling a network service according to claim 5, characterised in that it further comprises:
(a1) the policy decision point, on receiving the policy request message from the policy enforcement point, generating a dynamic deep packet inspection service control policy according to user subscription information and service policy information, the policy request message comprising a user identifier and a service identifier.

7. The method for controlling a network service according to claim 6, characterised in that step (a1) specifically comprises:
(a11) the policy decision point receiving the policy request message sent by the policy enforcement point, the policy request message comprising a user identifier and a service identifier;
(a12) the policy decision point obtaining user subscription information from local storage according to the user identifier and obtaining service policy information from local storage according to the service identifier, or obtaining the user subscription information from a user subscription database according to the user identifier and obtaining the service policy information from an operator policy database according to the service identifier;
(a13) the policy decision point generating a dynamic deep packet inspection service control policy according to the user subscription information and the service policy information.

8. The method for controlling a network service according to any one of claims 1 to 7, characterised in that the dynamic deep packet inspection service control policy comprises a user identifier, a service identifier, and at least one of a quality of service level, a traffic-limiting count (限流次数) and an uplink and downlink bandwidth.

9. A system for controlling a network service, the network service being transferred between terminals via a policy enforcement point, the system comprising a policy enforcement point, a policy decision point, a user subscription database and an operator policy database connected to the network, characterised in that:
the policy decision point comprises:
a policy generation module, which obtains user subscription information and service policy information from local storage, or obtains user subscription information from the user subscription database and service policy information from the operator policy database, and generates a dynamic deep packet inspection service control policy according to the user subscription information and the service policy information;
the policy enforcement point comprises:
a deep packet inspection module, configured to detect and identify, by deep packet inspection, the user identifier and the service identifier of a data flow coming from a terminal;
a policy execution module, configured to process the data flow from the terminal according to the dynamic deep packet inspection service control policy obtained from the policy decision point.

10. The system for controlling a network service according to claim 9, characterised in that it further comprises a first trigger module which, on receiving a policy request message from the policy enforcement point, triggers the policy generation module to generate a dynamic deep packet inspection service control policy for the corresponding user, the policy request message comprising a user identifier and a service identifier.

11. The system for controlling a network service according to claim 9, characterised in that it further comprises a second trigger module which, on receiving an on-line message from a terminal, triggers the policy generation module;
the policy generation module obtains the service policy information for all service types from local storage or from the operator policy database, generates a plurality of dynamic deep packet inspection service control policies and transfers them to the policy execution module in the policy enforcement point;
the policy execution module selects, according to the service identifier of the data flow identified by the deep packet inspection module, the dynamic deep packet inspection service control policy matching the service type of the data flow, and processes the data flow with it.
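The exchange described by claims 1 to 11, modelled end to end as an added Python example. This is not code from the patent or from Huawei; the service signatures, the subscriber and operator databases, the source-address-to-user mapping that stands in for the DPI module's user identification, the in-memory policy cache, and the fail-closed drop of flows for which no policy can be selected are all assumptions of this example. The first trigger module of claim 10 is represented by the PEP calling `generate_policy` directly; the second trigger module of claim 11 by `on_user_online`.

```python
"""PEP / PDP exchange from the claims, modelled end to end (constructed example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Service feature patterns with their service identifiers (claim 5). Constructed
# signatures, anchored at the start of the flow's first payload.
SERVICE_PATTERNS = {
    "http": re.compile(rb"\A(?:GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n"),
    "bittorrent": re.compile(rb"\A\x13BitTorrent protocol"),
}

# Constructed user subscription database (user -> tier) and operator policy
# database (service -> tier -> (qos_level, limit_count, uplink_kbps, downlink_kbps)).
USER_SUBSCRIPTION_DB: Dict[str, str] = {"user-alice": "gold", "user-bob": "bronze"}
OPERATOR_POLICY_DB: Dict[str, Dict[str, Tuple[int, int, int, int]]] = {
    "http": {"gold": (1, 0, 2000, 8000), "bronze": (3, 0, 512, 2048)},
    "bittorrent": {"gold": (4, 10, 256, 512), "bronze": (5, 3, 64, 128)},
}


@dataclass(frozen=True)
class DpiPolicy:
    """Dynamic DPI service control policy with the fields of claim 8; limit_count
    stands for the claim's traffic-limiting count and is only carried here."""
    user_id: str
    service_id: str
    qos_level: int
    limit_count: int
    uplink_kbps: int
    downlink_kbps: int


class PolicyDecisionPoint:
    def __init__(self, subscription_db, operator_policy_db):
        self.subscription_db = subscription_db
        self.operator_policy_db = operator_policy_db

    def generate_policy(self, user_id: str, service_id: str) -> DpiPolicy:
        """Steps (a11)-(a13): look up subscription and service policy, emit one policy."""
        tier = self.subscription_db[user_id]
        qos, limit, up, down = self.operator_policy_db[service_id][tier]
        return DpiPolicy(user_id, service_id, qos, limit, up, down)

    def on_user_online(self, user_id: str) -> List[DpiPolicy]:
        """Second trigger (claims 3, 4, 11): one policy per known service type."""
        return [self.generate_policy(user_id, s) for s in self.operator_policy_db]


class PolicyEnforcementPoint:
    def __init__(self, pdp, patterns, addr_to_user):
        self.pdp = pdp
        self.patterns = patterns
        # Assumption: the user identifier the DPI module recovers is the subscriber
        # bound to the flow's source address; the patent does not say how it is derived.
        self.addr_to_user = addr_to_user
        self.policies: Dict[Tuple[str, str], DpiPolicy] = {}

    def install(self, policies: List[DpiPolicy]) -> None:
        for p in policies:  # policies pushed by the PDP after an on-line message (claim 11)
            self.policies[(p.user_id, p.service_id)] = p

    def classify(self, payload: bytes) -> Optional[str]:
        """Step (b): DPI feature-pattern match; returns the service identifier or None."""
        for service_id, pattern in self.patterns.items():
            if pattern.match(payload):
                return service_id
        return None

    def handle_flow(self, src_addr: str, payload: bytes) -> Tuple[str, Optional[DpiPolicy]]:
        user_id = self.addr_to_user.get(src_addr)
        service_id = self.classify(payload)
        if user_id is None or service_id is None:
            # Assumption: with no user or no recognised service there is no policy to
            # select, so the flow is dropped (fail closed) rather than forwarded unshaped.
            return ("drop", None)
        key = (user_id, service_id)
        if key not in self.policies:
            # No matching policy yet: policy request to the PDP, first trigger (claims 5-7, 10).
            self.policies[key] = self.pdp.generate_policy(user_id, service_id)
        policy = self.policies[key]
        action = (f"forward qos={policy.qos_level} up={policy.uplink_kbps}kbps "
                  f"down={policy.downlink_kbps}kbps")
        return (action, policy)


def demo() -> List[Tuple[str, Optional[DpiPolicy]]]:
    pdp = PolicyDecisionPoint(USER_SUBSCRIPTION_DB, OPERATOR_POLICY_DB)
    pep = PolicyEnforcementPoint(pdp, SERVICE_PATTERNS,
                                 {"10.0.0.1": "user-alice", "10.0.0.2": "user-bob"})
    pep.install(pdp.on_user_online("user-alice"))  # alice comes on-line (claims 3, 11)
    return [
        pep.handle_flow("10.0.0.1", b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
        pep.handle_flow("10.0.0.2", b"\x13BitTorrent protocol" + bytes(8) + b"X" * 40),
        pep.handle_flow("10.0.0.3", b"GET / HTTP/1.1\r\n"),  # unknown subscriber
        pep.handle_flow("10.0.0.2", b"\x00\x01\x02 no known signature"),  # no pattern match
    ]
```

Two points a practitioner would check that the claims leave open: the DPI classification runs on payload the sender controls, so the signatures here are anchored at the start of the flow rather than searched anywhere in the stream, and a flow for which no service identifier or no user identifier is found is handled explicitly (dropped in this example) instead of silently falling through to an unshaped forward.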
PCT/CN2008/072220 2007-09-06 2008-09-01 A method and system for controlling network service WO2009030172A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200710145628.0 2007-09-06
CN2007101456280A CN101166153B (en) 2006-10-18 2007-09-06 A method for controlling network service

Publications (1)

Publication Number Publication Date
WO2009030172A1 true WO2009030172A1 (en) 2009-03-12

Family

ID=40428470

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/072220 WO2009030172A1 (en) 2007-09-06 2008-09-01 A method and system for controlling network service

Country Status (1)

Country Link
WO (1) WO2009030172A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110191160A (en) * 2019-05-10 2019-08-30 深圳前海微众银行股份有限公司 A kind of concurrency control method and device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050088977A1 (en) * 2000-12-14 2005-04-28 Nortel Networks Limited Dynamic virtual private network (VPN) tunnel quality of service (QoS) treatment
US20060048142A1 (en) * 2004-09-02 2006-03-02 Roese John J System and method for rapid response network policy implementation
CN1768518A (en) * 2003-03-31 2006-05-03 英特尔公司 Methods and systems for managing security policies
CN1905555A (en) * 2005-07-30 2007-01-31 华为技术有限公司 Fire wall controlling system and method based on NGN service
CN1937623A (en) * 2006-10-18 2007-03-28 华为技术有限公司 Method and system for controlling network business
CN101166153A (en) * 2006-10-18 2008-04-23 华为技术有限公司 A method and system for controlling network service

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 08800732; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 08800732; Country of ref document: EP; Kind code of ref document: A1)