WO2009030172A1 - Method and system for controlling a network service - Google Patents

Method and system for controlling a network service

Info

Publication number
WO2009030172A1
Authority
WO
WIPO (PCT)
Prior art keywords
policy
service
information
deep packet
identifier
Application number
PCT/CN2008/072220
Other languages
English (en)
Chinese (zh)
Inventor
Zhenzhu Lv
Chuntao Wang
Original Assignee
Huawei Technologies Co., Ltd.
Priority date
2007-09-06
Filing date
2008-09-01
Publication date
2009-03-12
Priority claimed from CN2007101456280A (CN101166153B)
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2009030172A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/20 Traffic policing
    • H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2441 Traffic characterised by specific attributes, e.g. priority or QoS, relying on flow classification, e.g. using integrated services [IntServ]

Definitions

  • The present invention relates to the field of communications, and in particular to a method and system for controlling network services.
  • IP-based broadband bearer networks will become the next-generation telecommunications network.
  • Quality of service (QoS) and the security of telecommunications services are key issues that must be addressed in IP-based next-generation telecommunications networks.
  • In the next-generation telecommunications network, in order to guarantee service transmission, the use of the entire bearer network must be controlled effectively, especially for the P2P-based voice and multimedia services that keep appearing on the network.
  • The gateway implements control functions based on dynamic policies issued by the Policy and Charging Rules Function (PCRF) to ensure the legitimacy of data flows, and performs traffic policing and shaping and queue scheduling.
  • TISPAN: Telecommunications and Internet converged Services and Protocols for Advanced Networking.
  • The existing method of implementing network control is mainly to place a firewall in front of the edge node at the core network boundary, and to control P2P services by statically configuring the P2P service policy on the firewall.
  • Because the policy for P2P services is implemented through static configuration, control cannot be refined to specific users and cannot be applied flexibly to the various service operation modes (for example, allowing users who pay an extra charge to use P2P services while other users are not allowed to use them).
  • New P2P services emerge and develop rapidly, so whenever a P2P service changes, service policy configuration rules have to be added or modified through frequent manual operations, which is not conducive to network operation and maintenance.
  • Embodiments of the present invention provide a method for controlling network services, which solves the above problem in the next-generation telecommunications network.
  • Embodiments of the invention further provide a system for controlling network services, which solves the defect that the control strategy for P2P services in the next-generation telecommunications network is too simple and not flexible enough.
  • A method for controlling network services, where the network services are transmitted between terminals via a policy enforcement point, includes the following steps:
  • the policy enforcement point obtains a dynamic deep packet inspection service control policy from the policy decision point;
  • the policy enforcement point identifies the service identifier of the data stream from the terminal using a deep packet inspection method, selects the dynamic deep packet inspection service control policy that matches the service type of the data stream, and processes the data stream according to that policy.
  • A system for controlling network services, the network services being transmitted between terminals via a policy enforcement point, includes a policy enforcement point, a policy decision point, a user subscription database and an operator policy database connected to the network.
  • The policy decision point includes:
  • a policy generation module, which obtains user subscription information and service policy information locally, or obtains the user subscription information from the user subscription database and the service policy information from the operator policy database, and generates a dynamic deep packet inspection service control policy according to the user subscription information and the service policy information.
  • The policy enforcement point includes:
  • a deep packet inspection module, configured to detect and identify the user identifier and the service identifier of a data stream from the terminal using a deep packet inspection method;
  • a policy execution module, configured to process the data flow from the terminal according to the dynamic deep packet inspection service control policy obtained from the policy decision point.
  • In the technical solution provided by the embodiment of the present invention, for a network service forwarded between terminals through the policy enforcement point, the policy enforcement point processes the data flow using the dynamic deep packet inspection service control policy obtained from the policy decision point, and so implements dynamic control of such services. This overcomes the shortcoming of the existing next-generation telecommunications network that the control strategy for such services is too simple and inflexible, gives network operators control over such services, and reduces the cost of network operation.
  • The embodiment of the present invention can also implement differentiated service quality assurance when different users use the network service.
  • FIG. 1 is a schematic structural diagram of a system for controlling a network service according to an embodiment of the present invention;
  • FIG. 2 is a flowchart of a method for controlling a network service in an embodiment of the present invention;
  • FIG. 3 is a schematic diagram of the first embodiment of the method of FIG. 2;
  • FIG. 4 is a schematic diagram of the second embodiment of the method of FIG. 2.
  • FIG. 1 is a schematic structural diagram of a system for controlling network services in an embodiment of the present invention.
  • The system for controlling network services includes a Policy Enforcement Point (PEP) 12 connected to the network, a Policy Decision Point (PDP) 15, a Subscription Profile Repository (SPR) 13 and a Policy Provision Repository (PPR) 14. The policy enforcement point 12 is connected to a plurality of terminals 11, so that the terminals 11 can transmit data via the policy enforcement point 12.
  • A user is the virtual entity that enters and uses the system with a user ID on a terminal 11; the user's operations in the system are carried out by the terminal 11.
  • The operator policy database 14 contains service policy information, which includes the SLA (Service Level Agreement) policies of user groups, services or third-party operators, and service feature pattern information; the service feature pattern information includes P2P service feature pattern information.
  • The user subscription database 13 contains user subscription information, i.e. the information agreed between the user and the network operator. It is user-level quality of service (QoS) policy information and includes user group information, user quality of service subscription information, service subscription relationships, and so on.
  • The policy decision point 15 retrieves policies from the operator policy database 14 and the user subscription database 13, interprets them and sends them to the policy enforcement point 12 for execution.
  • The policy decision point 15 needs to translate the policies retrieved from the operator policy database 14 and the user subscription database 13 into a format that the corresponding policy enforcement point 12 can understand.
  • The policy decision point 15 also receives policy request messages from the policy enforcement point 12 and returns the corresponding policies.
  • The policy decision point 15 includes a policy generation module 151.
  • The policy generation module 151 obtains service policy information from the operator policy database 14 and user subscription information from the user subscription database 13, and then generates a dynamic deep packet inspection service control policy according to the service policy information and the user subscription information.
  • The dynamic deep packet inspection service control policy includes a user identifier, a service identifier, and at least one of the following three: a quality of service level, a traffic limit value, and an uplink and downlink bandwidth; it may further include other information.
  • The policy enforcement point 12 includes a deep packet inspection module 121 and a policy execution module 122.
  • The deep packet inspection module 121 is configured to detect and identify, using a Deep Packet Inspection (DPI) method, the user identifier of the data packets from the terminal 11 and the service identifier that marks their service type.
  • The policy execution module 122 is configured to obtain a specific policy from the policy decision point 15 and to process the data flow passing through the policy enforcement point 12 according to that policy.
  • The data flow is transmitted from one terminal to another, and the policy enforcement point 12 is an intermediate node in the data channel.
  • The policy enforcement point 12 includes devices such as a gateway, a firewall, a router or a security operating system.
  • The policy execution module 122 processes the data flow of the terminal 11 according to the dynamic deep packet inspection service control policy from the policy decision point 15, for example by CAR (Committed Access Rate), traffic limiting, priority marking, congestion avoidance, packet dropping, and so on.
  • The policy decision point 15 further includes a first trigger module, which triggers the policy generation module 151 to generate the corresponding dynamic deep packet inspection service control policy when a policy request message is received from the policy enforcement point 12.
  • The policy request message carries the user identifier and the service identifier obtained by the deep packet inspection module 121.
  • A second trigger module is configured to trigger the policy generation module 151 to generate the corresponding dynamic deep packet inspection service control policy when the online message of the terminal 11 is received; the online message contains the user identifier or a similar tag identifying the terminal 11 that has logged in.
  • In that case the policy generation module 151 acquires the service policy information of all service types from the operator policy database 14 and generates a plurality of dynamic deep packet inspection service control policies, which are sent to the policy enforcement point 12.
  • The policy enforcement point 12 then selects the dynamic deep packet inspection service control policy matching the service type of the data stream to process the data stream.
  • FIG. 2 is a flowchart of a method for controlling network services according to an embodiment of the present invention.
  • The network service is transmitted between the terminals 11 via the policy enforcement point 12, and the method includes the following steps:
  • Step S21: The policy enforcement point 12 acquires the dynamic deep packet inspection service control policy of the corresponding user from the policy decision point 15.
  • The dynamic deep packet inspection service control policy is generated by the policy decision point 15 according to the user subscription information in the user subscription database and the service policy information in the operator policy database.
  • The dynamic deep packet inspection service control policy can also be set directly as needed.
  • The dynamic deep packet inspection service control policy includes a user identifier, a service identifier, and at least one of the following three: a quality of service level, a traffic limit value, and an uplink and downlink bandwidth.
  • The policy decision point 15 generates the dynamic deep packet inspection service control policy either upon receiving a policy request message from the policy enforcement point 12 or upon receiving the online message of the terminal 11.
  • Step S22: The policy enforcement point processes the data flow from the terminal according to the dynamic deep packet inspection service control policy, for example by CAR, traffic limiting, priority marking, congestion avoidance, packet dropping, and so on.
  • FIG. 3 is a data flow diagram of the first embodiment of the method of FIG. 2.
  • The interaction process belongs to the prior art and therefore does not appear in the figure; only its result is shown: the service feature pattern information and the corresponding service identifiers are sent to the policy enforcement point 12 and recorded there.
  • The policy enforcement point 12 can also obtain the service feature pattern information and the corresponding service identifiers through static configuration.
  • The service feature pattern information includes P2P service feature pattern information; for example, the service feature pattern of BT download is "...".
  • Service feature pattern information for specific applications may also be included.
  • The service identifier may be the five-tuple information (source and destination IP addresses, source and destination port numbers, and protocol number), a service name string, a service identifier index, or the port number used to identify the service.
  • The policy decision point 15 obtains the user subscription information from the user subscription database 13 and saves it to its local record.
  • The policy decision point 15 obtains the service policy information from the operator policy database 14 and saves it to its local record.
  • The service policy information includes the service identifier and the corresponding operator policy rule.
  • The terminal 11 initiates a service, generates a data stream and sends the data stream to the policy enforcement point 12.
  • When the policy enforcement point 12 receives the data stream, it performs deep packet inspection on it, identifies the service identifier corresponding to the data stream, obtains the user identifier corresponding to the data stream, and then sends a policy request message carrying the user identifier and the service identifier to the policy decision point 15 to obtain a processing policy for the data flow. During this process, unrecognised traffic may be dropped or scheduled and forwarded as BF (best-effort forwarding).
  • DPI technology: as a flexible and effective service identification technology, DPI has developed rapidly in recent years in firewalls, service control gateways and policy control systems. The "depth" is relative to the normal packet analysis level.
  • Normal packet analysis only analyses the content of the IP packet at the transport layer and below, including the source address, destination address, source port, destination port and protocol type.
  • DPI adds application-layer analysis.
  • When the DPI method is used to identify the service identifier of a data stream, the transport-layer content may be analysed first.
  • For example, the data stream may be determined to be a File Transfer Protocol (FTP) service, and the service identifier corresponding to the data flow is then obtained from the stored correspondence between service types and service identifiers. If the service type cannot be determined by analysing the transport-layer content, a further in-depth analysis is performed to match the service feature pattern information and obtain the service identifier of the data stream. For example, if DPI detection is performed on the data stream and "...
  • The policy decision point 15 determines and associates the policy information according to the user identifier and the service identifier in the policy request. When the policy decision point 15 determines from the service identifier that the data flow belongs to a P2P service, it generates a dynamic deep packet inspection service control policy: if the user subscription information is available locally, it is obtained directly; if the service policy information is available locally, it is likewise obtained directly; if neither the user data nor the service information data is available locally, the policy decision point 15 queries the user subscription database 13 for the user subscription information according to the user identifier and the operator policy database 14 for the service policy information according to the service identifier, and then generates the policy according to the user subscription information and the service policy information.
  • The dynamic deep packet inspection service control policy includes a user identifier, a service identifier, a quality of service level, a traffic limit value, and an uplink and downlink bandwidth.
  • Subsequent events, such as the end user terminating or subscribing to a service relationship, or changes to the information in the operator policy database 14, may also trigger the policy decision point 15 to actively update the dynamic deep packet inspection service control policy. Because the policy is generated when the terminal accesses the system, if the user subscription database or the operator policy database changes while the terminal is accessing the system, a new dynamic deep packet inspection service control policy is generated according to the changed information, so the policy is updated automatically.
  • The policy enforcement point 12 implements the corresponding policy scheduling on the data flow according to the obtained dynamic deep packet inspection service control policy, such as priority marking, traffic policing/shaping or congestion processing.
  • FIG. 4 is a schematic diagram of the second embodiment of the method of FIG. 2.
  • The policy decision point 15 obtains user subscription information by interacting with the user subscription database 13; the user subscription information includes user group information, the user's quality of service level and the service subscription relationship. At the same time, the policy decision point 15 obtains the service policy information of all service types by interacting with the operator policy database 14; each item of service policy information includes an SLA policy based on the user group, the service or the third-party operator, together with P2P service feature pattern information and the corresponding service identifiers.
  • When the policy decision point 15 receives the user online message, which contains the user identifier, it makes a comprehensive decision according to the user subscription information and the service policy information of all service types and forms a plurality of dynamic deep packet inspection service control policies. Each such policy includes a user identifier, a service identifier and at least one of a QoS level, a traffic limit value and an uplink and downlink bandwidth. The dynamic deep packet inspection service control policies are sent to the policy enforcement point 12.
  • The policy decision point 15 is also triggered to update the dynamic deep packet inspection service control policies, for which it needs to know the online and offline status of the terminal 11.
  • The policy decision point 15 can learn the online and offline status of the terminal 11 in two ways: either the status is reported directly to the policy decision point 15 through the policy enforcement point 12, or the NASS (Network Attachment Subsystem) notifies the policy decision point 15 that the terminal 11 has gone online or offline.
  • If the policy decision point 15 has the user subscription information locally, it obtains it directly; if not, it actively obtains it from the user subscription database 13. Similarly, if the policy decision point 15 has the service policy information locally, it obtains it directly; if not, it actively obtains it from the operator policy database 14.
  • After generating the dynamic deep packet inspection service control policies, the policy decision point 15 sends all of them, together with all the service feature pattern information and the corresponding service identifiers, to the policy enforcement point 12.
  • The policy enforcement point 12 uses the deep packet inspection method to match the service feature pattern information, identifies the service type of the data flow and the corresponding service identifier, selects from the plurality of dynamic deep packet inspection service control policies the one matching the identified service identifier, and implements the corresponding policy scheduling on the data flow, such as priority marking, traffic policing/shaping or congestion processing.
  • Unrecognised data streams are dropped or scheduled and forwarded in BF mode.
  • In the embodiments described above, the policy enforcement point requests a dynamic deep packet inspection service control policy from the policy decision point and applies the corresponding deep packet inspection service control policy to the data flow of the network service.
  • The policy decision point can generate the dynamic deep packet inspection service control policy dynamically, which solves the defect that the control strategy for P2P services in the existing next-generation telecommunications network is too simple and not flexible enough.
  • The service control policy can be generated dynamically according to the user's subscription information, which makes it easy for the service operator to control the service flexibly for different users; for example, users who pay an extra fee are allowed to use P2P services. This makes it easier for operators to operate and maintain the network.
  • With the technical solution of the embodiment of the present invention, network service control no longer requires the prior-art approach of using a firewall for service control and frequently adding and modifying service policy configuration rules by manual operation, which saves human resources and simplifies the service control process.
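The PEP/PDP exchange described in the two embodiments above, as an added Python model that is not the patent's own code: the PEP identifies a flow by transport-layer port first and by an application-layer feature pattern second, asks the PDP for a policy on a cache miss (first trigger), receives a full set of policies when a user comes online or a database entry changes (second trigger), and applies the policy's traffic limit with a simplified CAR-style limiter. All class names, the BitTorrent handshake used as the sample feature pattern, and the contents of the two databases are constructed assumptions.

```python
# Added example (not the patent's code): toy model of the PEP/PDP exchange.
import re
from dataclasses import dataclass

# Constructed stand-in for the user subscription database (element 13).
SUBSCRIPTION_DB = {
    "alice": {"group": "premium", "services": {"bt", "ftp"}},
    "bob":   {"group": "basic",   "services": {"ftp"}},
}
# Constructed stand-in for the operator policy database (element 14): per
# service and user group, the QoS level, traffic limit and up/down bandwidth.
OPERATOR_POLICY_DB = {
    "bt":  {"premium": dict(qos=2, limit_kbps=2000, up=500, down=2000)},
    "ftp": {"premium": dict(qos=3, limit_kbps=5000, up=1000, down=5000),
            "basic":   dict(qos=1, limit_kbps=1000, up=200, down=1000)},
}
# Service feature pattern information: application-layer signatures used when
# the transport layer does not identify the service (BitTorrent handshake here).
FEATURE_PATTERNS = {"bt": re.compile(rb"^\x13BitTorrent protocol")}
WELL_KNOWN_PORTS = {21: "ftp"}   # transport-layer identification, tried first


@dataclass(frozen=True)
class Policy:
    user_id: str
    service_id: str
    action: str          # "forward" or "drop"
    qos: int = 0
    limit_kbps: int = 0
    up: int = 0
    down: int = 0


@dataclass
class Packet:
    user_id: str         # known to the PEP from the user's access session
    dst_port: int
    payload: bytes
    size_kbit: int = 8


class Pdp:
    """Policy decision point: generates policies from the two databases."""
    def decide(self, user_id, service_id):
        """First trigger: answer a policy request for one identified flow."""
        sub = SUBSCRIPTION_DB.get(user_id)
        rules = OPERATOR_POLICY_DB.get(service_id, {})
        if sub is None or service_id not in sub["services"] \
                or sub["group"] not in rules:
            return Policy(user_id, service_id, "drop")
        return Policy(user_id, service_id, "forward", **rules[sub["group"]])

    def on_user_online(self, user_id):
        """Second trigger: policies for every service type, pushed to the PEP."""
        return [self.decide(user_id, s) for s in OPERATOR_POLICY_DB]


class Pep:
    """Policy enforcement point: DPI, policy cache and enforcement."""
    def __init__(self, pdp):
        self.pdp = pdp
        self.policies = {}   # (user_id, service_id) -> Policy
        self.sent_kbit = {}  # per-flow volume for the toy rate limiter

    def install(self, policies):
        for p in policies:
            self.policies[(p.user_id, p.service_id)] = p

    @staticmethod
    def identify(pkt):
        """DPI: transport layer first, then application-layer patterns."""
        if pkt.dst_port in WELL_KNOWN_PORTS:
            return WELL_KNOWN_PORTS[pkt.dst_port]
        for service_id, pattern in FEATURE_PATTERNS.items():
            if pattern.search(pkt.payload):
                return service_id
        return None

    def handle(self, pkt):
        service_id = self.identify(pkt)
        if service_id is None:
            return "best-effort"     # unrecognised traffic: BF scheduling
        key = (pkt.user_id, service_id)
        if key not in self.policies:  # cache miss: policy request to the PDP
            self.install([self.pdp.decide(*key)])
        pol = self.policies[key]
        if pol.action == "drop":
            return "drop"
        # CAR-style limiting simplified to one fixed window: once the flow's
        # volume exceeds its traffic limit, further packets are dropped.
        used = self.sent_kbit.get(key, 0) + pkt.size_kbit
        self.sent_kbit[key] = used
        return "drop" if used > pol.limit_kbps else f"forward:qos{pol.qos}"
```

Calling `pep.install(pdp.on_user_online("bob"))` after changing bob's entry in `SUBSCRIPTION_DB` replaces the cached policies, which is the automatic update the patent describes for database changes.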

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method for controlling a network service that is transferred between terminals through a policy server client. The method comprises: (a) a policy server client obtains dynamic deep packet inspection service control rules from a policy server; (b) the policy server client detects, by a deep packet inspection method, a service identifier of a data flow coming from terminals; the policy server client selects the dynamic deep packet inspection service control rules corresponding to the service type of the data flow and processes the data flow according to those dynamic deep packet inspection service control rules. The invention also relates to a corresponding system for controlling a network service. Processing a data flow by dynamic deep packet inspection service control rules guarantees the quality of the different services when different users use a network service. At the same time, network service control is achieved by providing control through dynamic rules, which reduces the network operating cost.
PCT/CN2008/072220, priority date 2007-09-06, filing date 2008-09-01: Method and system for controlling a network service, WO2009030172A1 (fr)

Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
CN200710145628.0 | 2007-09-06 | |
CN2007101456280A (CN101166153B, zh) | 2006-10-18 | 2007-09-06 | A method for controlling network services

Publications (1)

Publication Number Publication Date
WO2009030172A1 (fr) 2009-03-12

Family

ID=40428470

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/072220 WO2009030172A1 (fr) 2007-09-06 2008-09-01 Method and system for controlling a network service

Country Status (1)

Country Link
WO (1) WO2009030172A1 (fr)


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08800732

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08800732

Country of ref document: EP

Kind code of ref document: A1