WO2011026345A1 - Deep packet inspection system and packet processing method - Google Patents


Info

Publication number: WO2011026345A1
Authority: WO, WIPO (PCT)
Prior art keywords: control, policy, module, control policy, detection result
Application number: PCT/CN2010/072882
Other languages: French (fr), Chinese (zh)
Inventors: 宋晓丽, 杨波
Original assignee: 中兴通讯股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2441 Traffic characterised by specific attributes, e.g. priority or QoS, relying on flow classification, e.g. using integrated services [IntServ]
    • H04L47/70 Admission control; Resource allocation
    • H04L47/78 Architectures of resource allocation
    • H04L47/781 Centralised allocation of resources
    • H04L47/80 Actions related to the user profile or the type of traffic
    • H04L47/805 QOS or priority aware

Definitions

  • the present invention relates to the field of data communication, and in particular to a deep packet inspection system and a packet processing method that can be applied simultaneously to an NGN (Next Generation Network) environment and a non-NGN environment.
  • NGN Next Generation Network
  • DPI Deep Packet Inspection
  • DPI equipment has service data flow identification and service data flow control capabilities, works from the transport layer to the application layer (layer 2 to layer 7) of the OSI (Open System Interconnect) model, has high data stream processing capability, can identify and perform traffic management for the services carried by the network, and can be deployed on network equipment in the backbone network, the metropolitan area network, and inside the enterprise network.
  • in the NGN environment, the Resource Access Control Facility (RACF) performs QoS (Quality of Service) control of the transmission resources in the NGN based on transport-layer authentication information, service level, network policy, and traffic priority.
  • QoS Quality of Service
  • specific strategies include bandwidth reservation, bandwidth allocation, packet filtering, traffic shaping, and priority service processing.
  • UE User equipment
  • the object of the present invention is to provide a deep packet inspection system and a packet processing method that can control all services in the NGN.
  • the present invention provides a deep packet detection system, including a management unit, a control unit, and an execution unit, where the execution unit includes a detection module and a policy control module, where:
  • the management unit is configured to save and manage system information, and is provided with a first interface for interacting with an entity in a next generation network;
  • the detecting module is configured to: perform a deep packet detection on the data packet according to the identification rule, and obtain a first detection result, where the identification rule is a rule that is sent by the entity in the next generation network through the first interface;
  • the control unit is configured to deliver a control policy, where the control policy is a policy generated according to the first detection result and system information;
  • a policy control module configured to control service traffic in a next generation network environment according to the control policy.
  • the deep packet detection system wherein the management unit is further provided with a second interface for interacting with an entity in a network other than the next generation network;
  • the detection module performs deep packet inspection on the data packet according to an identification rule statically configured by network management, and obtains a second detection result;
  • the control unit is further configured to generate a fourth control policy according to the second detection result and system information;
  • the policy control module is further configured to perform control of service traffic according to the fourth control policy.
  • the control policy includes: a first control policy generated by the control unit according to the first detection result and system information; and/or
  • a second control policy generated by the entity in the next generation network according to the first detection result and the system information.
  • when the control policy is the first control policy, the control unit specifically includes:
  • a first receiving module configured to receive the detection result;
  • a policy generating module configured to generate the first control policy according to the detection result and the system information;
  • a first sending module configured to send the first control policy to the policy control module.
  • in the above-mentioned deep packet inspection system, when the control policy is the second control policy, the control unit specifically includes:
  • a first receiving module configured to receive the detection result;
  • an uploading module configured to upload the detection result to the entity in the next generation network through the first interface;
  • a second receiving module configured to receive the second control policy sent by the entity in the next generation network through the first interface; and a second sending module configured to send the second control policy to the policy control module.
  • control policy further includes a third control policy
  • control unit further includes:
  • a third sending module configured to send a third control policy of the network management static configuration received from the management unit to the policy control module.
  • control unit further includes:
  • the information collection module is configured to collect and save the detection result obtained by the detection module for deep packet detection.
  • control unit further includes:
  • the associated stream processing module is configured to identify a service type used to generate the control policy according to the multiple detection results saved in the information collection module.
  • the embodiment of the present invention further provides a packet processing method, including: the deep packet inspection system performs deep packet inspection on the data packet according to the identification rule issued by the entity in the next generation network, and obtains a first detection result; a control policy is generated according to the first detection result and system information;
  • the deep packet inspection system controls service traffic according to the control policy.
  • in the next generation network environment, the control policy includes: a first control policy generated by the control unit according to the first detection result and system information; and/or
  • a second control policy generated by the entity in the next generation network according to the first detection result and the system information.
  • in a network environment other than the next generation network, the deep packet inspection system performing deep packet inspection on the data packet according to the identification rule further includes: the detection module performs deep packet inspection according to an identification rule statically configured by network management and obtains a second detection result;
  • the deep packet inspection system generates a fourth control policy according to the second detection result and system information;
  • the deep packet inspection system controls service traffic according to the fourth control policy.
  • in the foregoing packet processing method, the control policy further includes a third control policy statically configured by network management.
  • the detection module inspects the data packet according to the identification rule issued by the entity in the NGN.
  • the policy control module controls service traffic according to the control policy generated from the detection result and the system information, so that any service in the NGN can be controlled, which guarantees quality of service and meets the needs of users.
  • by providing interfaces that interact with an entity in the NGN and with an entity in a network other than the NGN, the deep packet inspection system and the packet processing method of the present invention can be applied both to the NGN and to non-NGN networks, and are therefore versatile.
  • FIG. 1 is a schematic structural diagram of a deep packet inspection system according to a first embodiment of the present invention.
  • FIG. 2 is a schematic diagram of a first structure of a control unit according to an embodiment of the present invention.
  • FIG. 3 is a schematic diagram of a second structure of a control unit according to an embodiment of the present invention.
  • FIG. 4 is a schematic flowchart of a method according to an embodiment of the present invention.
  • Detailed description
  • the deep packet inspection system identifies the packet according to the identification rule issued by the entity in the NGN, and uses the detection result to control the service data packet, so that all services in the NGN can be QoS-controlled.
  • the deep packet inspection system of the embodiment of the present invention includes a management unit, a control unit, and an execution unit, where the execution unit is provided with a detection module and a policy control module, where: the management unit is configured to save and manage system information, and is provided with a first interface for interacting with a first application domain in the NGN;
  • the detection module is configured to perform deep packet inspection on the data packet according to the identification rule, and obtain a first detection result, where the identification rule is a rule issued by an entity in the first application domain through the interface provided by the management unit;
  • the control unit is configured to deliver a control policy, where the control policy is a policy generated according to the first detection result and system information;
  • the policy control module is configured to control service traffic according to the control policy.
  • the control policy is a policy generated according to the detection result and the system information.
  • in the NGN environment, the control policy is:
  • a first control policy that the control unit generates according to the first detection result and system information and delivers to the policy control module; and/or
  • a second control policy that the entity in the first application domain generates according to the first detection result and the system information and delivers to the policy control module.
  • the entity in the first application domain may be an RACF, a NACF (Network Attachment Control Function) entity, or an SCF (Service Control Function) entity.
  • RACF Resource Access Control Facility
  • NACF Network Attachment Control Function
  • SCF Service Control Function
  • the RACF is taken as an example for detailed description.
  • although the management unit and the execution unit are connected through the control unit, it should be understood that the management unit may also be directly connected to the execution unit; therefore, the identification rule delivered by the RACF entity through the interface provided by the management unit can be delivered to the execution unit either by the management unit through the control unit, or directly from the management unit to the execution unit when the two are directly connected.
  • control of the service traffic includes shaping, rate limiting, packet modification, packet dropping, and the like.
  • the performing deep packet detection on the data packet according to the identification rule may include user identification, content identification, service identification, priority recognition, and the like.
  • the system information is preset by a network administrator, and the content includes but is not limited to: user information, service information, subscription policy information, and associated information.
  • multiple deep packet inspection systems are generally provided, and the associated information records the deep packet inspection systems that can back each other up or have an associated relationship. If some units in the current deep packet inspection system have a problem (such as abnormal system operation or heavy load), the associated information allows processing to be taken over by another deep packet inspection system, ensuring the stability of the system.
  • whether the RACF or the control unit generates the control policy, it needs to consider user information, service information, and subscription policy information, as illustrated below.
  • when the control policy is formulated, it is determined whether the service type of the identified data packet is a subscribed (customized) service type; if not, the control policy is to discard the data packet, otherwise the control policy is to forward the data packet.
  • if the subscription policy information is to discard data packets of the P2P service,
  • then when the control policy is formulated, it is determined whether the service type of the identified data packet is a P2P service; if yes, the control policy is to discard the data packet, otherwise the control policy is to forward the data packet.
  • the policy control module controls service traffic according to the control policy, where the control policy covers two situations: it may be a first control policy generated by the control unit according to the detection result and the system information, or a second control policy generated by the RACF according to the detection result and the system information. The structure of the control unit in each of the two cases is described below.
  • when the control policy is the first control policy, the control unit needs to generate the control policy by combining the detection result and the system information. As shown in FIG. 2, the control unit specifically includes: a first receiving module configured to receive the detection result;
  • a policy generating module configured to generate the first control policy according to the detection result and the system information;
  • a first sending module configured to send the first control policy to the policy control module.
  • when the control policy is the second control policy, the control unit specifically includes: a first receiving module configured to receive the detection result;
  • an uploading module configured to upload the detection result to the RACF through the management unit;
  • a second receiving module configured to receive the second control policy sent by the RACF through the management unit; and a second sending module configured to send the second control policy to the policy control module.
  • control unit further includes:
  • a third sending module configured to send a third control policy of the network management static configuration received from the management unit to the policy control module.
  • the control unit may also include all of the aforementioned modules (a first receiving module, a policy generating module, a first sending module, a second receiving module, and a second sending module).
  • control unit further includes:
  • the information collection module is configured to collect and save the detection result obtained by the detection module for deep packet detection, for charging, statistics, and query.
  • the control unit may further include an associated stream processing module, configured to identify a service type according to the packet detection results saved in the information collection module; the identified service type is used when the policy generating module generates the first control policy or when the RACF generates the second control policy.
  • when the service type identified by the associated stream processing module is used by the policy generating module to generate the first control policy, the associated stream processing module is connected to the information collection module and the policy generating module; when the service type identified by the associated stream processing module is used by the RACF to generate the second control policy, the associated stream processing module is connected to the information collection module and the uploading module, and the uploading module is further configured to upload the service type detection result to the RACF through the management unit.
  • the data packet can thus also be controlled by the RACF.
  • the management unit is further provided with a second interface for interacting with an entity in a second application domain, that is, in a network other than the NGN.
  • the detection module is further configured to perform deep packet inspection on the data packet according to the identification rule statically configured by network management, to obtain a second detection result; the control unit is further configured to generate a fourth control policy according to the second detection result and the system information;
  • the policy control module is further configured to control service traffic in a network environment other than the next generation network according to the fourth control policy.
  • the entities in the second application domain include an AAA server, a security management entity, a linkage management entity, and the like.
  • non-NGN network a network other than the NGN
  • compared with the NGN case, the difference lies only in the content of the interaction; in a non-NGN network,
  • the entity cannot control the data packet by itself, so its control policy must be generated by the control unit; the generation of this control policy is the same as that of the first control policy and is not described in detail here.
  • the packet processing method in the specific embodiment of the present invention is shown in FIG. 4 and includes:
  • Step 41: the management unit of the deep packet inspection system acquires the identification rule issued by the entity in the application domain of the NGN through the first interface.
  • Step 42: the detection module in the deep packet inspection system performs deep packet inspection on the data packet according to the identification rule to obtain the detection result;
  • Step 43: the policy control module in the deep packet inspection system controls service traffic according to the control policy, where the control policy is a policy generated according to the detection result and the system information.
  • in the NGN environment, the control policy includes:
  • between steps 42 and 43, the method further includes: the detection module in the deep packet inspection system uploading the detection result to the RACF through the management unit;
  • the management unit in the deep packet inspection system acquires the second control policy through the first interface, and sends the second control policy to the policy control module.
  • in a network environment other than the NGN, the control policy includes:
  • the control unit is further configured to generate a fourth control policy according to the second detection result and the system information, where the second detection result is obtained by the detection module performing deep packet inspection on the data packet according to the identification rule statically configured by network management.
  • in the prior art, in an NGN environment, certain services (such as games and network-critical services) do not have a resource request function, and therefore the network operator cannot guarantee the QoS of these high-quality services; the device and method of the embodiment of the present invention can solve this problem.
  • the RACF first formulates an identification rule and sends it to the management unit in the deep packet inspection system through the interface; after receiving the identification rule, the management unit sends it to the detection module directly or through the control unit;
  • after receiving the identification rule, the detection module performs deep packet inspection on the received data packet and obtains the detection result;
  • the control policy can then be formulated in either of two ways, described in turn below.
  • the detecting module sends the detection result to the control unit
  • the control unit uses the system information and the detection result in the management unit to formulate a control strategy; the control unit delivers the control policy to the policy control module;
  • the policy control module uses the control policy to process the data packet accordingly.
  • for example, the control unit finds from the detection result that the feature word of the current data packet is A;
  • the control unit determines the corresponding control policy according to the detection result and the information in the management unit; the policy is "forwarding with the highest priority".
  • the policy control module forwards the data packet with the highest priority according to the control policy to ensure the QoS of the service.
  • in this way the network operator can guarantee the QoS of these high-quality services.
  • the detection module reports the detection result to the NACF through the interface set in the management unit;
  • the NACF uses the system information in the management unit and the detection result to formulate the control policy;
  • the NACF sends the control policy to the management unit through the interface set in the management unit.
  • the management unit sends the control policy to the policy control module directly or through the control unit.
  • the policy control module uses the control policy to process the data packet accordingly.
  • for example, the NACF finds that the feature word of the current data packet is A;
  • the NACF determines the corresponding control policy according to the detection result and the information in the management unit; the policy is "forwarding with the highest priority".
  • the policy control module forwards the data packet with the highest priority according to the control policy to ensure the QoS of the service.
  • in this way the network operator can guarantee the QoS of these high-quality services.
  • the control policy above is merely an example; the specific control policy is not limited in the specific embodiment of the present invention.
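As an added example (not code from the patent or from its assignee), the following Python model walks the pipeline described above: the management unit holds system information and the identification rules it received, the detection module matches a feature word to obtain a detection result, the control unit either generates the first control policy itself from the detection result and the subscription policy information (the two subscription examples in the text) or, for a rule issued through the first interface, uploads the result to the NGN entity and receives the second control policy, and the policy control module forwards or discards. The `racf` callable standing in for the NGN entity, the feature words, the users and the subscription data are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

@dataclass
class Packet:
    user: str
    payload: bytes
    priority: int = 0          # set by the policy control module when forwarded

@dataclass
class IdentificationRule:
    service_type: str
    feature_word: bytes        # the feature word the detection module searches for
    source: str                # "ngn": issued by the RACF; "static": network management

@dataclass
class DetectionResult:
    user: str
    service_type: Optional[str]   # None when no identification rule matched
    rule_source: Optional[str]

@dataclass
class ControlPolicy:
    action: str                # "forward" or "discard" (shaping/rate limiting omitted)
    priority: int = 0          # forwarding priority; 7 models "highest priority"

@dataclass
class SystemInformation:
    """Preset by the network administrator: user, service and subscription info."""
    subscriptions: Dict[str, Set[str]]   # user -> subscribed service types
    discard_services: Set[str]           # subscription policy: always drop (e.g. P2P)
    priority_services: Dict[str, int]    # service type -> forwarding priority

class ManagementUnit:
    """Saves system information and holds the identification rules it received."""
    def __init__(self, info: SystemInformation) -> None:
        self.info = info
        self.rules: List[IdentificationRule] = []

    def receive_rule(self, rule: IdentificationRule) -> None:
        self.rules.append(rule)   # via the first interface (ngn) or static config

class DetectionModule:
    def __init__(self, mgmt: ManagementUnit) -> None:
        self.mgmt = mgmt

    def inspect(self, pkt: Packet) -> DetectionResult:
        for rule in self.mgmt.rules:
            if rule.feature_word in pkt.payload:
                return DetectionResult(pkt.user, rule.service_type, rule.source)
        return DetectionResult(pkt.user, None, None)

def generate_policy(result: DetectionResult, info: SystemInformation) -> ControlPolicy:
    """Policy generating module: combine the detection result with system
    information (the two subscription-policy examples given in the text)."""
    svc = result.service_type
    if svc is None:
        return ControlPolicy("forward", 0)            # unidentified: best effort
    if svc in info.discard_services:
        return ControlPolicy("discard")               # e.g. drop P2P service packets
    if svc not in info.subscriptions.get(result.user, set()):
        return ControlPolicy("discard")               # not a subscribed service type
    return ControlPolicy("forward", info.priority_services.get(svc, 0))

class ControlUnit:
    def __init__(self, mgmt: ManagementUnit, racf: Optional[Callable] = None) -> None:
        self.mgmt = mgmt
        self.racf = racf                 # assumed stand-in for the NGN entity (RACF)
        self.collected: List[DetectionResult] = []   # information collection module

    def control_policy(self, result: DetectionResult) -> ControlPolicy:
        self.collected.append(result)
        if self.racf is not None and result.rule_source == "ngn":
            # uploading module -> first interface -> RACF -> second receiving module
            return self.racf(result, self.mgmt.info)          # second control policy
        return generate_policy(result, self.mgmt.info)        # first control policy

class PolicyControlModule:
    def enforce(self, pkt: Packet, policy: ControlPolicy) -> str:
        if policy.action == "forward":
            pkt.priority = policy.priority   # forward with the policy's priority
        return policy.action

def build_sample_system(racf: Optional[Callable] = None):
    """Constructed sample data: alice subscribes to GAME and VOIP, bob to nothing;
    feature word FEATURE-A identifies the GAME service (rule issued by the RACF)."""
    info = SystemInformation({"alice": {"GAME", "VOIP"}, "bob": set()}, {"P2P"}, {"GAME": 7})
    mgmt = ManagementUnit(info)
    mgmt.receive_rule(IdentificationRule("GAME", b"FEATURE-A", "ngn"))
    mgmt.receive_rule(IdentificationRule("P2P", b"BitTorrent", "static"))
    return DetectionModule(mgmt), ControlUnit(mgmt, racf), PolicyControlModule()

def process(pkt: Packet, detect: DetectionModule, ctrl: ControlUnit,
            pcm: PolicyControlModule) -> str:
    """Steps 42 and 43: inspect, obtain the control policy, control the traffic."""
    return pcm.enforce(pkt, ctrl.control_policy(detect.inspect(pkt)))
```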

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A deep packet inspection system and a packet processing method are disclosed. The system comprises a management unit, a control unit and an enforcement unit, the enforcement unit comprises an inspection module and a policy control module, wherein the management unit is used for preserving and managing system information and is provided with the first interface for interaction with an entity in a next generation network; the inspection module performs deep packet inspection for data packets according to identification rules and obtains the first inspection result, the identification rules are issued through the first interface by the entity in the next generation network; the control unit is used for issuing a control policy, the control policy is generated according to the first inspection result and the system information; the policy control module is used for controlling the service flow according to the control policy in the next generation network environment. The technical solution is capable of controlling any service in the next generation network, therefore, the quality of service can be ensured and the needs of users can be met.

Description

Deep packet inspection system and packet processing method
Technical field
The present invention relates to the field of data communication, and in particular to a deep packet inspection system and a packet processing method that can be applied simultaneously to an NGN (Next Generation Network) environment and a non-NGN environment.
Background
As operators' demand for manageable and controllable network traffic grows, devices with DPI (Deep Packet Inspection) functionality are used more and more widely in networks. DPI equipment has service data flow identification and service data flow control capabilities, works from the transport layer to the application layer (layer 2 to layer 7) of the OSI (Open System Interconnect) model, has high data stream processing capability, can identify and perform traffic management for the services carried by the network, and can be deployed on network equipment in the backbone network, the metropolitan area network, and inside the enterprise network.
In the NGN environment, the RACF (Resource Access Control Facility) is a technology under research that performs QoS (Quality of Service) control of transmission resources in the NGN based on transport-layer authentication information, service level, network policy, traffic priority, and the like; specific policies include bandwidth reservation, bandwidth allocation, packet filtering, traffic shaping, and priority service processing. The current RACF supports two resource control modes: one is triggered from the service layer, and the other is triggered by the UE (User Equipment) using transport-layer signaling.
However, the above two resource control modes cannot be applied to all services in the NGN and are not universal; for example, for some services (such as games and network-critical services) neither of the two resource control modes can be applied.
Summary of the invention
The object of the present invention is to provide a deep packet inspection system and a packet processing method that can control all services in the NGN.
In order to achieve the above object, the present invention provides a deep packet inspection system, including a management unit, a control unit, and an execution unit, where the execution unit includes a detection module and a policy control module, where:
the management unit is configured to save and manage system information, and is provided with a first interface for interacting with an entity in a next generation network;
the detection module is configured to perform deep packet inspection on the data packet according to the identification rule and obtain a first detection result, where the identification rule is a rule issued by the entity in the next generation network through the first interface;
the control unit is configured to deliver a control policy, where the control policy is a policy generated according to the first detection result and system information;
the policy control module is configured to control service traffic in the next generation network environment according to the control policy.
In the above deep packet inspection system, the management unit is further provided with a second interface for interacting with an entity in a network other than the next generation network;
the detection module performs deep packet inspection on the data packet according to an identification rule statically configured by network management, and obtains a second detection result;
the control unit is further configured to generate a fourth control policy according to the second detection result and system information;
the policy control module is further configured to control service traffic according to the fourth control policy.
In the above deep packet inspection system, the control policy includes:
a first control policy generated by the control unit according to the first detection result and system information; and/or
a second control policy generated by the entity in the next generation network according to the first detection result and the system information.
In the above deep packet inspection system, when the control policy is the first control policy, the control unit specifically includes:
a first receiving module, configured to receive the detection result;
a policy generating module, configured to generate the first control policy according to the detection result and the system information;
a first sending module, configured to send the first control policy to the policy control module. In the above deep packet inspection system, when the control policy is the second control policy, the control unit specifically includes:
a first receiving module, configured to receive the detection result;
an uploading module, configured to upload the detection result to the entity in the next generation network through the first interface;
a second receiving module, configured to receive the second control policy sent by the entity in the next generation network through the first interface;
a second sending module, configured to send the second control policy to the policy control module. In the above deep packet inspection system, the control policy further includes a third control policy, and the control unit further includes:
a third sending module, configured to send the third control policy, statically configured by network management and received from the management unit, to the policy control module.
In the above deep packet inspection system, the control unit further includes:
an information collection module, configured to collect and save the detection results obtained by the detection module through deep packet inspection.
In the above deep packet inspection system, the control unit further includes: an associated stream processing module, configured to identify, according to the multiple detection results saved in the information collection module, the service type used to generate the control policy.
In order to achieve the above object, an embodiment of the present invention further provides a packet processing method, including: a deep packet inspection system performs deep packet inspection on data packets according to an identification rule delivered by an entity in the next-generation network, to obtain a first detection result;
a control policy is generated according to the first detection result and system information;
the deep packet inspection system controls service traffic according to the control policy.
In the above packet processing method, in a next-generation network environment, the control policy includes:
a first control policy generated by the control unit according to the first detection result and the system information; and/or
a second control policy generated by the entity in the next-generation network according to the first detection result and the system information.
In the above packet processing method, in a network environment outside the next-generation network, the step in which the deep packet inspection system performs deep packet inspection on data packets according to an identification rule further includes:
performing deep packet inspection on data packets according to an identification rule statically configured by network management, to obtain a second detection result;
the deep packet inspection system generates a fourth control policy according to the second detection result and the system information;
the deep packet inspection system controls service traffic according to the fourth control policy.
In the above packet processing method, the control policy further includes a third control policy statically configured by network management.
The present invention has the following beneficial effects:
In the present invention, the detection module performs deep packet inspection on data packets according to the identification rule delivered by an entity in the NGN and obtains a detection result; the policy control module then controls service traffic according to the control policy generated from that detection result and the system information. Any service in the NGN can therefore be controlled, so that quality of service is guaranteed and user requirements are met.
At the same time, in the present invention, by providing interfaces that interact with entities in the NGN and with entities in networks outside the NGN, the deep packet inspection system and packet processing method of the present invention can be applied both to the NGN and to networks outside the NGN, and are thus general-purpose.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a schematic structural diagram of a deep packet inspection system according to a first embodiment of the present invention; FIG. 2 is a schematic diagram of a first structure of the control unit in an embodiment of the present invention.
FIG. 3 is a schematic diagram of a second structure of the control unit in an embodiment of the present invention;
FIG. 4 is a schematic flowchart of the method in an embodiment of the present invention.
DETAILED DESCRIPTION OF THE EMBODIMENTS
In embodiments of the present invention, for an NGN network, the deep packet inspection system identifies packets according to identification rules delivered by an entity in the NGN network and uses the detection result to control service data packets, so that QoS control can be achieved for all services in the NGN network.
The deep packet inspection system of an embodiment of the present invention, as shown in FIG. 1, includes a management unit, a control unit, and an execution unit, where the execution unit is provided with a detection module and a policy control module, and where: the management unit is configured to store and manage system information, and is provided with a first interface for interacting with a first application domain in the NGN;
the detection module is configured to perform deep packet inspection on data packets according to an identification rule to obtain a first detection result, the identification rule being a rule delivered by an entity located in the first application domain through the first interface provided by the management unit;
the control unit is configured to deliver a control policy, the control policy being a policy generated according to the first detection result and the system information;
the policy control module is configured to control service traffic according to the control policy;
the control policy is a policy generated according to the detection result and the system information. In a specific embodiment of the present invention, in an NGN environment, the control policy is:
a first control policy generated by the control unit according to the first detection result and the system information and delivered to the policy control module; and/or
a second control policy generated by the entity in the first application domain according to the first detection result and the system information and delivered to the policy control module.
In a specific embodiment of the present invention, the entity in the first application domain is an RACF, a NACF (Network Attachment Control Function) entity, an SCF (Service Control Function) entity, or the like.
In the specific embodiments of the present invention, the RACF is taken as the example for detailed description.
Also, although in FIG. 1 the management unit and the execution unit are connected through the control unit, it should be understood that the management unit may also be connected directly to the execution unit. Therefore, the identification rule delivered by the RACF entity through the interface provided by the management unit may be delivered by the management unit to the execution unit via the control unit, or, where the management unit and the execution unit are directly connected, delivered by the management unit directly to the execution unit.
In specific embodiments of the present invention, the control of service traffic includes shaping, rate limiting, packet modification, packet dropping, and the like.
In specific embodiments of the present invention, performing deep packet inspection on data packets according to the identification rule may include user identification, content identification, service identification, priority identification, and the like.
In specific embodiments of the present invention, the system information is preset by a network administrator, and its content includes, but is not limited to, user information, service information, subscription policy information, and association information.
User information, service information, and subscription policy information are not described in detail here; association information is described in detail below. In general, for reasons of system stability and processing capacity, multiple deep packet inspection systems are deployed. The association information records the deep packet inspection systems that can act as backups for one another or that have an association relationship with one another. If some units of the current deep packet inspection system encounter problems (such as abnormal system operation or overload), processing can, according to the association information, be taken over by another deep packet inspection system, ensuring system stability.
Whether the control policy is generated by the RACF or by the control unit, user information, service information, subscription policy information and the like need to be taken into account, as the following examples illustrate.
Assume that the user information records the service types the user has subscribed to. When formulating the control policy, it is necessary to judge whether the service type identified for the packet is a service type the user has subscribed to; if not, the control policy is to drop the packet, otherwise it is to forward the packet.
As another example, if the subscription policy information specifies that packets of P2P services are to be dropped, then when formulating the control policy it is necessary to judge whether the service type identified for the packet is a P2P service; if so, the control policy is to drop the packet, otherwise it is to forward the packet.
Of course, other information may also be used; it is not enumerated one by one here.
At the same time, as seen above, the policy control module controls service traffic according to the control policy, and there are two cases for this control policy: it may be a first control policy generated by the control unit according to the detection result and the system information, or a second control policy generated by the RACF according to the detection result and the system information. The structure of the control unit in each of these two cases is described below.
When the control policy is the first control policy, the control unit needs to generate the control policy by combining the detection result and the system information. As shown in FIG. 2, the control unit specifically includes: a first receiving module, configured to receive the detection result;
a policy generation module, configured to generate the first control policy according to the detection result and the system information;
a first delivery module, configured to deliver the first control policy to the policy control module.
When the control policy is the second control policy, and the management unit and the execution unit are connected through the control unit, then as shown in FIG. 3 the control unit specifically includes: a first receiving module, configured to receive the detection result;
an upload module, configured to upload the detection result to the RACF through the management unit; a second receiving module, configured to receive the second control policy delivered by the RACF through the management unit;
a second delivery module, configured to deliver the second control policy to the policy control module.
Of course, in some cases the control unit further includes:
a third delivery module, configured to deliver to the policy control module a third control policy, statically configured by network management, that is received from the management unit.
Of course, for completeness of the system, the control unit may include all of the aforementioned modules (the first receiving module, the policy generation module, the first delivery module, the second receiving module, and the second delivery module).
It should also be understood that all of the aforementioned units may be provided separately or together.
At the same time, to facilitate charging, statistics, and queries, the control unit further includes:
an information collection module, configured to collect and store the detection results obtained by the detection module when performing deep packet inspection, for charging, statistics, and query purposes.
At the same time, for some services, such as FTP, the service type can only be confirmed from the detection results of multiple packets. In this case, in an embodiment of the present invention, the control unit is further provided with an associated-flow processing module, configured to identify the service type according to the packet detection results stored in the information collection module, for use by the policy generation module in generating the first control policy or by the RACF in generating the second control policy.
When the service type identified by the associated-flow processing module is used by the policy generation module to generate the first control policy, the associated-flow processing module is connected to the information collection module and the policy generation module; when the service type identified by the associated-flow processing module is used by the RACF to generate the second control policy, the associated-flow processing module is connected to the information collection module and the upload module, and the upload module is further configured to upload the service-type detection result to the RACF through the management unit.
Of course, given that the RACF itself already has the capability to control data packets, in embodiments of the present invention the control of data packets may also be performed by the RACF.
Of course, in consideration of the application environment, in embodiments of the present invention the management unit is further provided with a second interface to entities in a second application domain of a network outside the NGN.
When the deep packet inspection system is applied in a network environment outside the next-generation network, in addition to the management unit being provided with a second interface for interacting with entities in the network outside the next-generation network, the detection module is further configured to perform deep packet inspection on data packets according to an identification rule statically configured by network management, to obtain a second detection result; the control unit is further configured to generate a fourth control policy according to the second detection result and the system information; and the policy control module is further configured to control service traffic in the network environment outside the next-generation network according to the fourth control policy.
In a network outside the NGN, the entities in the second application domain include an AAA server, a security management entity, a linkage management entity, and the like.
When the apparatus of the embodiments of the present invention is applied to a non-NGN network (a network outside the NGN), compared with its application to an NGN network, the only differences, as can be seen from the above description, are the content exchanged and the fact that entities in a non-NGN network cannot control data packets themselves, so that the control policy must be generated by the control unit. Generation of the control policy is therefore the same as for the first control policy and is not described in detail here.
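As an added illustration of the associated-flow processing described above (example code written for this page, not part of the patent or of any ZTE implementation): an information collection module stores per-packet detection results, and an associated-flow module confirms the FTP service type only once the control connection has yielded enough evidence, then links the data connection announced in the PASV reply back to it. The flow keys, evidence tags, and the sample packets are constructed, and the example assumes the detection module attributes both directions of a connection to the same flow key.

```python
"""Associated-flow processing for multi-packet services such as FTP (constructed example)."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowKey:
    """Client-to-server identification of a connection (both directions share it)."""
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class PacketDetection:
    """Per-packet detection result produced by the detection module (constructed shape)."""
    flow: FlowKey
    evidence: str            # evidence tag matched by the identification rule
    payload: bytes = b""


# Evidence that must all be collected before a service type is confirmed.
# A single banner packet is not enough; the USER command must also be seen.
SERVICE_EVIDENCE = {
    "ftp_control": {"ftp_banner", "ftp_user"},
}

# RFC 959 passive-mode reply: 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(rb"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


class InformationCollectionModule:
    """Stores every detection result, keyed by flow, for later association."""

    def __init__(self) -> None:
        self.results = defaultdict(list)

    def collect(self, det: PacketDetection) -> None:
        self.results[det.flow].append(det)


class AssociatedFlowModule:
    """Confirms a service type from several stored results and links related flows."""

    def __init__(self, store: InformationCollectionModule) -> None:
        self.store = store
        # (server address, port) announced by a confirmed FTP control flow
        self.expected_data: dict[tuple[str, int], FlowKey] = {}

    def identify(self, flow: FlowKey) -> str | None:
        seen = {d.evidence for d in self.store.results.get(flow, [])}
        for service, required in SERVICE_EVIDENCE.items():
            if required <= seen:
                self._register_data_channels(flow)
                return service
        # A flow towards an address/port announced in a PASV reply is FTP data.
        if (flow.dst, flow.dport) in self.expected_data:
            return "ftp_data"
        return None

    def _register_data_channels(self, flow: FlowKey) -> None:
        for d in self.store.results[flow]:
            m = PASV_RE.search(d.payload)
            if m:
                h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
                self.expected_data[(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)] = flow


def demo() -> tuple:
    """Walk through a constructed FTP session; returns the four identification outcomes."""
    store = InformationCollectionModule()
    assoc = AssociatedFlowModule(store)
    ctl = FlowKey("10.0.0.5", 40001, "198.51.100.7", 21)
    store.collect(PacketDetection(ctl, "ftp_banner", b"220 FTP server ready\r\n"))
    first = assoc.identify(ctl)               # None: one packet is not enough
    store.collect(PacketDetection(ctl, "ftp_user", b"USER alice\r\n"))
    store.collect(PacketDetection(
        ctl, "ftp_pasv_reply", b"227 Entering Passive Mode (198,51,100,7,195,80)\r\n"))
    confirmed = assoc.identify(ctl)           # "ftp_control"
    data = FlowKey("10.0.0.5", 40002, "198.51.100.7", 195 * 256 + 80)
    linked = assoc.identify(data)             # "ftp_data", linked via the PASV reply
    unrelated = assoc.identify(FlowKey("10.0.0.5", 40003, "198.51.100.7", 443))
    return first, confirmed, linked, unrelated


if __name__ == "__main__":
    print(demo())
```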
The packet processing method of a specific embodiment of the present invention, as shown in FIG. 4, includes:
Step 41: the management unit of the deep packet inspection system acquires, through the first interface, the identification rule delivered by an entity located in the application domain of the NGN;
Step 42: the detection module in the deep packet inspection system performs deep packet inspection on data packets according to the identification rule, to obtain a detection result;
Step 43: the policy control module in the deep packet inspection system controls service traffic according to the control policy, the control policy being a policy generated according to the detection result and the system information.
In a specific embodiment of the present invention, for an NGN environment the control policy includes:
a first control policy generated by the control unit in the deep packet inspection system according to the detection result and the system information; and/or
a second control policy generated by the entity in the first application domain according to the detection result and the system information.
When the control policy is the second control policy, the method further includes, between steps 42 and 43: the detection module in the deep packet inspection system uploads the detection result to the RACF through the management unit;
the management unit in the deep packet inspection system acquires the second control policy through the first interface and delivers it to the policy control module.
In a specific embodiment of the present invention, for a network environment outside the NGN the control policy includes:
the control unit is further configured to generate a fourth control policy according to the second detection result and the system information, where the second detection result is the result obtained by the detection module performing deep packet inspection on data packets according to an identification rule statically configured by network management.
In the prior art, in an NGN environment, some services (such as games or network-critical services) have no resource request function, so the network operator cannot guarantee the QoS of these services with high quality requirements; the apparatus and method of the embodiments of the present invention can solve this problem.
Assume that QoS guarantees need to be provided for a game service. The RACF first formulates an identification rule and delivers it through the interface to the management unit in the deep packet inspection system;
after receiving the identification rule, the management unit delivers it to the detection module directly or through the control unit;
after receiving the identification rule, the detection module performs deep packet inspection on the received data packets and obtains a detection result;
after the detection result is obtained, the control policy can be formulated in two ways, each described below.
<Mode 1>
the detection module sends the detection result to the control unit;
the control unit formulates a control policy using the system information in the management unit and the detection result; the control unit delivers the control policy to the policy control module;
the policy control module processes the data packets accordingly using the control policy.
An example follows.
From the detection result, the control unit finds that the feature word of the current data packet is A;
the service corresponding to packets with feature word A is game service A, and the system information records that game service A has subscribed to a bandwidth value-added service, so the control unit determines from the detection result and the information in the management unit that the corresponding control policy is "forward with the highest priority".
The policy control module then forwards the data packets with the highest priority according to the control policy, guaranteeing the QoS of the service.
Through the above processing, in an NGN environment, even if some services (such as games or network-critical services) have no resource request function, the network operator can still guarantee the QoS of these services with high quality requirements.
<Mode 2>
the detection module reports the detection result to the NACF through the interface provided in the management unit;
the NACF formulates a control policy using the system information in the management unit and the detection result; the NACF delivers the control policy to the management unit through the interface provided in the management unit; the management unit delivers the control policy to the policy control module directly or through the control unit; the policy control module processes the data packets accordingly using the control policy.
An example follows.
From the detection result, the NACF finds that the feature word of the current data packet is A;
the service corresponding to packets with feature word A is game service A, and the system information records that game service A has subscribed to a bandwidth value-added service, so the NACF determines from the detection result and the information in the management unit that the corresponding control policy is "forward with the highest priority".
The policy control module then forwards the data packets with the highest priority according to the control policy, guaranteeing the QoS of the service.
Through the above processing, in an NGN environment, even if some services (such as games or network-critical services) have no resource request function, the network operator can still guarantee the QoS of these services with high quality requirements.
Of course, the above control policy is merely an example; the specific embodiments of the present invention do not limit the specific control policy.
The above is only a preferred embodiment of the present invention. It should be noted that those of ordinary skill in the art may make several improvements and refinements without departing from the principles of the present invention, and such improvements and refinements should also be regarded as falling within the scope of protection of the present invention.
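As an added illustration of how a control policy is derived from a detection result and system information (example code written for this page, not the patent's or any vendor's implementation): the policy generation module below applies the three rules the text gives, the subscribed-service check, the P2P drop from the subscription policy, and the "forward with the highest priority" outcome for game service A. The feature-word-to-service mapping, the users, and the order in which the rules are applied (operator drop first, then subscription, then value-added priority) are constructed assumptions.

```python
"""Policy generation from a DPI detection result plus system information (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    DROP = "drop"
    FORWARD = "forward"
    FORWARD_HIGHEST_PRIORITY = "forward_highest_priority"


@dataclass(frozen=True)
class DetectionResult:
    """What the detection module reports for one packet (constructed shape)."""
    user: str
    feature_word: str          # signature matched by the identification rule


@dataclass
class SystemInfo:
    """System information preset by the network administrator (constructed)."""
    # identification rule: feature word -> service type
    feature_to_service: dict[str, str]
    # user information: user -> service types the user has subscribed to
    user_subscriptions: dict[str, set[str]]
    # subscription policy information: service types to be dropped outright
    dropped_services: set[str] = field(default_factory=set)
    # service information: services that bought the bandwidth value-added service
    bandwidth_vas: set[str] = field(default_factory=set)


@dataclass(frozen=True)
class ControlPolicy:
    user: str
    service: str
    action: Action


def identify_service(result: DetectionResult, info: SystemInfo) -> str:
    """Map the matched feature word to a service type; unmatched traffic is 'unknown'."""
    return info.feature_to_service.get(result.feature_word, "unknown")


def generate_control_policy(result: DetectionResult, info: SystemInfo) -> ControlPolicy:
    """Policy generation module: combine the detection result with the system information."""
    service = identify_service(result, info)
    # Subscription policy: an operator-configured drop (e.g. P2P) is applied first.
    if service in info.dropped_services:
        return ControlPolicy(result.user, service, Action.DROP)
    # User information: only service types the user subscribed to are forwarded;
    # unidentified traffic counts as unsubscribed and is dropped (fail closed).
    if service not in info.user_subscriptions.get(result.user, set()):
        return ControlPolicy(result.user, service, Action.DROP)
    # Service information: a bandwidth value-added subscription gets top priority.
    if service in info.bandwidth_vas:
        return ControlPolicy(result.user, service, Action.FORWARD_HIGHEST_PRIORITY)
    return ControlPolicy(result.user, service, Action.FORWARD)


# Constructed sample system information, mirroring the examples in the text.
SAMPLE_INFO = SystemInfo(
    feature_to_service={"A": "game_service_A", "B": "p2p", "C": "video"},
    user_subscriptions={"alice": {"game_service_A", "video"}, "bob": {"video"}},
    dropped_services={"p2p"},
    bandwidth_vas={"game_service_A"},
)


def demo() -> list[Action]:
    """Run five constructed detection results through the policy generation module."""
    results = [
        DetectionResult("alice", "A"),   # game service A with value-added service
        DetectionResult("alice", "B"),   # P2P, dropped by subscription policy
        DetectionResult("bob", "A"),     # bob did not subscribe to game service A
        DetectionResult("bob", "C"),     # plain subscribed service
        DetectionResult("bob", "Z"),     # no identification rule matched
    ]
    return [generate_control_policy(r, SAMPLE_INFO).action for r in results]


if __name__ == "__main__":
    for action in demo():
        print(action.value)
```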

Claims

1. A deep packet inspection system, characterized by including a management unit, a control unit, and an execution unit, the execution unit including a detection module and a policy control module, where:
the management unit is configured to store and manage preset system information, and is provided with a first interface for interacting with an entity in a next-generation network;
the detection module is configured to perform deep packet inspection on data packets according to an identification rule to obtain a first detection result, the identification rule being a rule delivered by the entity in the next-generation network through the first interface;
the control unit is configured to deliver a control policy, the control policy being a policy generated according to the first detection result and the system information;
the policy control module is configured to control service traffic in the next-generation network environment according to the control policy.
2. The deep packet inspection system according to claim 1, characterized in that the management unit is further provided with a second interface for interacting with an entity in a network outside the next-generation network;
the detection module performs deep packet inspection on data packets according to an identification rule statically configured by network management, to obtain a second detection result;
the control unit is further configured to generate a fourth control policy according to the second detection result and the system information;
the policy control module is further configured to control service traffic according to the fourth control policy.
3. The deep packet inspection system according to claim 1, characterized in that the control policy includes:
a first control policy generated by the control unit according to the first detection result and the system information; and/or a second control policy generated by the entity in the next-generation network according to the first detection result and the system information.
4. The deep packet inspection system according to claim 3, characterized in that, when the control policy is the first control policy, the control unit specifically includes:
a first receiving module, configured to receive the detection result;
a policy generation module, configured to generate the first control policy according to the detection result and the system information;
a first delivery module, configured to deliver the first control policy to the policy control module.
5. The deep packet inspection system according to claim 3, characterized in that, when the control policy is the second control policy, the control unit specifically includes:
a first receiving module, configured to receive the detection result;
an upload module, configured to upload the detection result to the entity in the next-generation network through the first interface;
a second receiving module, configured to receive the second control policy delivered by the entity in the next-generation network through the first interface;
a second delivery module, configured to deliver the second control policy to the policy control module.
6. The deep packet inspection system according to any one of claims 1 to 5, characterized in that: the control policy further includes a third control policy;
the control unit further includes: a third delivery module, configured to deliver to the policy control module a third control policy, statically configured by network management, that is received from the management unit.
7. The deep packet inspection system according to any one of claims 1 to 5, characterized in that the control unit further includes:
an information collection module, configured to collect and store the detection results obtained by the detection module when performing deep packet inspection.
8. The deep packet inspection system according to claim 7, characterized in that the control unit further includes: an associated-flow processing module, configured to identify, according to the multiple detection results stored in the information collection module, the service type used for generating the control policy.
9、 一种 文处理方法, 其特征在于, 包括:  9. A text processing method, characterized in that:
深度报文检测系统根据下一代网络中实体下发的识别规则, 对数据报 文进行深度报文检测, 获取第一检测结果;  The deep packet inspection system performs deep packet inspection on the data packet according to the identification rule sent by the entity in the next generation network, and obtains the first detection result;
根据所述第一检测结果和预置的系统信息生成控制策略;  Generating a control strategy according to the first detection result and the preset system information;
所述深度报文检测系统根据所述控制策略进行业务流量的控制。  The deep packet inspection system controls the traffic according to the control policy.
10、 根据权利要求 9所述的报文处理方法, 其特征在于, 在下一代网 络环境下, 所述控制策略包括:  The packet processing method according to claim 9, wherein in the next generation network environment, the control policy comprises:
所述控制单元根据所述第一检测结果和系统信息生成的第一控制策 略; 和 /或  a first control policy generated by the control unit according to the first detection result and system information; and/or
所述下一代网络中的实体根据所述第一检测结果和所述系统信息生成 的第二控制策略。  An entity in the next generation network generates a second control policy based on the first detection result and the system information.
11、 根据权利要求 9 所述的报文处理方法, 其特征在于, 在所述下一 代网络之外的网络环境中, 所述深度报文检测系统根据识别规则对数据报 文进行深度 文检测, 该方法还包括:  The packet processing method according to claim 9, wherein in the network environment other than the next generation network, the deep packet detection system performs deep text detection on the data packet according to the identification rule. The method also includes:
根据网管静态配置的识别规则对数据报文进行深度报文检测, 获取第 二检测结果;  Performing deep packet inspection on the data packet according to the identification rule of the static configuration of the network management system, and obtaining the second detection result;
所述深度报文检测系统根据所述第二检测结果和系统信息生成第四控 制策略;  The depth message detection system generates a fourth control policy according to the second detection result and system information;
所述深度报文检测系统根据所述第四控制策略进行业务流量的控制。 The depth packet detection system performs control of service traffic according to the fourth control policy.
12、 根据权利要求 10所述的报文处理方法, 其特征在于, 所述控制策 略还包括: 网管静态配置的第三控制策略。 The packet processing method according to claim 10, wherein the control policy further comprises: a third control policy configured by the network management system.
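The pipeline claimed above (inspection against identification rules, a saved detection result, and a control policy generated from that result plus preset system information) as a small added model; this is example code, not the patent's or the applicant's implementation, and the rule patterns, flow key, link-load threshold, rate value and the precedence of the statically configured policy over the locally generated one are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Identification rules: constructed for this example; the patent specifies
# neither a rule format nor the concrete services it matches.
RULES = {
    "bittorrent": re.compile(rb"^\x13BitTorrent protocol"),
    "http": re.compile(rb"^(?:GET|POST) \S+ HTTP/1\.[01]\r\n"),
}

FlowKey = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port), constructed key


@dataclass(frozen=True)
class DetectionResult:
    flow: FlowKey
    service: str  # service type named by the rule that matched


# Information collection module (claim 7): detection results saved per flow.
collected: Dict[FlowKey, DetectionResult] = {}


def detect(flow: FlowKey, payload: bytes) -> Optional[DetectionResult]:
    """Deep packet inspection of one payload against the identification
    rules; the result is returned and saved for later policy generation."""
    for service, rx in RULES.items():
        if rx.search(payload):
            result = DetectionResult(flow, service)
            collected[flow] = result
            return result
    return None


def generate_policy(result: Optional[DetectionResult], system_info: dict,
                    static_policy: Optional[dict] = None) -> dict:
    """Control policy for a flow from the detection result and preset system
    information (claim 9). A statically configured policy (claims 6 and 12)
    wins when one exists for the service; that precedence over the locally
    generated first control policy is an assumption of this example."""
    if result is None:
        return {"action": "forward"}
    if static_policy and result.service in static_policy:
        return static_policy[result.service]
    # Locally generated first control policy: constructed rule that limits
    # bulk transfers when the link load supplied as system information is high.
    if result.service == "bittorrent" and system_info.get("link_load", 0.0) > 0.8:
        return {"action": "rate_limit", "kbps": 256}
    return {"action": "forward"}
```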
PCT/CN2010/072882 2009-09-02 2010-05-18 Deep packet inspection system and packet processing method WO2011026345A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200910168943.4A CN102006216B (en) 2009-09-02 2009-09-02 Deep packet inspection system and packet processing method
CN200910168943.4 2009-09-02

Publications (1)

Publication Number Publication Date
WO2011026345A1 true WO2011026345A1 (en) 2011-03-10

Family

ID=43648863

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2010/072882 WO2011026345A1 (en) 2009-09-02 2010-05-18 Deep packet inspection system and packet processing method

Country Status (2)

Country Link
CN (1) CN102006216B (en)
WO (1) WO2011026345A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011157137A2 (en) * 2011-05-31 2011-12-22 华为技术有限公司 Policy control method, apparatus and communication system
CN102868571B (en) 2012-08-07 2015-04-08 华为技术有限公司 Method and device for rule matching
CN104935478A (en) * 2015-06-19 2015-09-23 上海斐讯数据通信技术有限公司 Intelligent terminal depth perception method and system thereof
CN107645400B (en) * 2016-07-22 2019-09-03 中兴通讯股份有限公司 Tactful sending, receiving method, device and controller
CN115150338A (en) * 2021-03-29 2022-10-04 华为技术有限公司 Message flow control method, device, equipment and computer readable storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1937623A (en) * 2006-10-18 2007-03-28 华为技术有限公司 Method and system for controlling network business
US20080307081A1 (en) * 2007-06-05 2008-12-11 Dobbins Kurt A System and method for controlling non-compliant applications in an IP multimedia subsystem
CN101399749A (en) * 2007-09-27 2009-04-01 华为技术有限公司 Method, system and device for packet filtering

Also Published As

Publication number Publication date
CN102006216A (en) 2011-04-06
CN102006216B (en) 2015-04-01

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (ref document number: 10813267; country of ref document: EP; kind code of ref document: A1)
NENP Non-entry into the national phase (ref country code: DE)
122 Ep: pct application non-entry in european phase (ref document number: 10813267; country of ref document: EP; kind code of ref document: A1)