WO2011032456A1 - Method and device for detecting whether an access control list takes effect - Google Patents
Method and device for detecting whether an access control list takes effect
- Publication number: WO2011032456A1 (PCT/CN2010/076326)
- Authority: WIPO (PCT)
- Prior art keywords: counter, ACL rule, ACL, counting, rule
Classifications
All under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):
- H04L12/56: Packet switching systems (H04L12/00 Data switching networks > H04L12/54 Store-and-forward switching systems)
- H04L43/0811: Monitoring or testing data switching networks based on specific metrics, by checking availability, by checking connectivity (H04L43/00 > H04L43/08 > H04L43/0805)
- H04L47/70: Admission control; resource allocation (H04L47/00 Traffic control in data switching networks)
- H04L47/74: Admission control; resource allocation measures in reaction to resource unavailability (H04L47/00 > H04L47/70)
- H04L63/101: Access control lists [ACL] (H04L63/00 Network architectures or protocols for network security > H04L63/10 Controlling access to devices or network resources)
- H04L69/02: Protocol performance (H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for elsewhere in this subclass)
- H04L69/28: Timers or timing mechanisms used in protocols (H04L69/00)
Definitions
- The present invention relates to service access control management technology, and more particularly to a method and apparatus for detecting whether an access control list (ACL) takes effect.
Background
- The function of an ACL is to filter specific packets passing through a network device.
- An ACL classifies packets by a series of matching conditions, which may be the source address, destination address and port number of the packet.
- The switch checks each packet against the conditions specified in the ACL and thereby decides whether to forward or discard it.
- ACLs include port ACLs, global ACLs and VLAN ACLs.
- A port ACL configures different ACL actions on different ports of the device, so that each port is controlled differently.
- A global ACL gives the user an ACL configuration mechanism that takes effect on all ports of the device.
- A VLAN ACL (virtual local area network ACL) lets the user configure ACL actions on a VLAN to implement access control on all ports in that VLAN.
- Because an ACL acts as a "firewall" inside the network device, whether or not it is working correctly matters, and how to determine whether an ACL is in effect becomes a key issue.
- An ACL rule in a typical ACL has two important parts: the matching part (Qualify) and the action part (Action).
- The prior art has made some attempts at this, for example:
- One way is to modify the action of the ACL rule to a port-mirroring action that mirrors the matching data stream to a certain physical port. If that data stream can be captured on the mirror port, the rule is matched and therefore takes effect; if it cannot be captured, the rule is not matched, that is, it does not take effect.
- Another way is to change the action part of the ACL rule so that the matching data stream is copied to the device's own central processing unit (CPU), that is, to set the action to "copy to cpu". If the data stream matches normally, the CPU receives it and it can be seen in the CPU's own debugging mode, so the rule takes effect; if the stream is not seen on the CPU, the rule does not take effect.
- The main purpose of the present invention is to provide a method and apparatus for detecting whether an access control list takes effect, so that whether an ACL rule is in effect can be determined effectively.
- The invention provides a method for detecting whether an access control list takes effect. The method includes: each time the action part of an ACL rule is executed, starting, according to a hooking manner, the counter attached to the currently executed ACL rule;
- the counter counts according to a preset counting manner and stores the count value;
- the count value stored in the counter attached to the ACL rule is read. If there is a count value, the ACL rule currently read takes effect; otherwise, it does not take effect.
- The hooking manner is either: using "start the counter" as an action in the action part of the ACL rule; or starting the counter upon detecting the result of the action part of the ACL rule.
- The counting manner is either counting the number of packets or counting the number of packet bytes.
- In packet counting, the counter increments its count value by one each time it is started; in byte counting, each time it is started the counter adds to its count value the number of bytes of the packet that matched the currently executed ACL rule.
- The counter is applied for in advance from the device's own counter resource pool.
- The application is made either statically or dynamically:
- static application applies for a counter for every ACL rule in the device, including a counter for every empty ACL rule;
- dynamic application applies for a counter only for each ACL rule in the device that needs to be detected.
- The method further comprises clearing the count value of the counter to zero after it has been read.
- The invention also provides a device for detecting whether an access control list takes effect. The device includes a startup module, a counter and a reading module, wherein:
- the startup module is configured to start, according to the hooking manner, the counter attached to the currently executed ACL rule each time the action part of an ACL rule is executed;
- the counter is configured to count according to a preset counting manner and to store the count value;
- the reading module is configured to read the count value stored in the counter attached to an ACL rule and, if there is a count value, to determine that the ACL rule currently read takes effect; otherwise, it determines that the rule does not take effect.
- The reading module is further configured to clear the count value of the counter after reading it.
- In the method and device of the invention, a counter is applied for in advance from the device's own counter resource pool and attached to the ACL rule according to a certain hooking manner;
- each time the action part of the ACL rule is executed, the counter attached to that rule is started according to the hooking manner and counts according to a preset counting manner.
- By reading the count value stored in the counter, whether the ACL rule takes effect is judged from whether a count value is present.
- Determining in this way whether an ACL rule takes effect neither increases the network load nor impacts the device's CPU.
- Checking the count value to decide whether an ACL rule takes effect is simple, and it speeds up the localization of network faults.
- FIG. 1 is a schematic flowchart of the method for detecting whether an access control list takes effect according to the present invention;
- FIG. 2 is a schematic structural diagram of the device for detecting whether an access control list takes effect according to the present invention.
Detailed description
- The basic idea of the present invention is: apply for a counter in advance from the device's own counter resource pool and attach it to the ACL rule according to a certain hooking manner; each time the action part of the ACL rule is executed, start the counter attached to the currently executed ACL rule according to the hooking manner;
- the counter counts according to the preset counting manner, and by reading the count value stored in the counter, whether the ACL rule takes effect is determined from whether a count value is present.
- There are two ways to apply for the counter in the device's counter resource pool. The first is to apply for a counter for every ACL rule in the device, including every empty ACL rule. This is the static application mode: it occupies counter resources even for empty rules, but when a new ACL rule is set into an empty rule, no further counter application is needed.
- The second is to apply for a counter only for each ACL rule in the device that needs to be detected.
- This is the dynamic application mode. It occupies fewer device resources, but when a new ACL rule that needs to be detected is set, a counter must be applied for that new rule.
- The hooking manner is specifically: using "start the counter" as an action in the action part of the ACL rule; or starting the counter upon detecting the result of the action part of the ACL rule.
- The counting manner includes counting the number of packets and counting the number of packet bytes.
- The present invention implements a method for detecting whether an access control list takes effect: a counter is applied for from the device's own counter resource pool and attached to the ACL rule. As shown in FIG. 1, the method includes the following steps:
- Step 101: each time the action part of an ACL rule is executed, the counter attached to the currently executed ACL rule is started according to the hooking manner, counts according to the preset counting manner, and stores the count value;
- if the hooking manner by which the counter is attached to the ACL rule is to use "start the counter" as an action in the action part of the rule, then each time the action part of that ACL rule is executed the counter is started within that action part and counts according to the preset counting manner;
- if the hooking manner is to start the counter upon detecting the result of the action part of the ACL rule, then each time the action part is executed its result is checked: when a result is detected the counter is started, counts according to the preset counting manner and stores the count value; when no result is detected the counter is not started.
- When the preset counting manner is packet counting, the counter increments its count value by one each time it is started; when the preset counting manner is byte counting, each time it is started the counter adds the number of bytes of the packet matching this ACL rule to its count value.
- Step 102: read the count value stored in the counter, and determine whether the ACL rule takes effect from whether a count value is present;
- specifically, the count value stored in the counter attached to the ACL rule is read; if there is a count value the ACL rule is determined to take effect, and otherwise it is determined not to take effect.
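Steps 101 and 102 above, together with the two hooking manners, the two counting manners and the static versus dynamic counter application described earlier, as an added worked example in Python. This is not the applicant's code: every class, function and field name (Packet, AclRule, CounterPool, AclEngine, demo, the "action"/"result" and "packets"/"bytes" mode strings) is an assumption made for the illustration, and the rules and traffic in demo() are constructed sample input.

```python
# Per-rule counter hooking for checking whether ACL rules take effect.
# Added worked example of the counter method described in WO2011032456A1; it is
# not the applicant's code. Every name below is an assumption made for this
# illustration, and the traffic in demo() is constructed sample input.
from dataclasses import dataclass
from typing import Callable, Optional
# hooking manners: "action" makes starting the counter an action in the rule's
# action part; "result" starts the counter when the action part's result is seen.
# counting manners: "packets" adds 1 per start, "bytes" adds the packet length.


@dataclass
class Packet:
    src: str
    dport: int
    length: int


@dataclass
class AclRule:
    name: str
    qualify: Callable[[Packet], bool]  # matching part (Qualify)
    actions: list                      # action part (Action), e.g. ["deny"]
    counter_id: Optional[int] = None   # counter attached to this rule, if any


class CounterPool:
    """The device's counter resource pool: counters are applied for, not created ad hoc."""

    def __init__(self, size: int) -> None:
        self.values = [0] * size
        self.free = list(range(size))

    def apply(self) -> int:
        if not self.free:
            raise RuntimeError("counter resource pool exhausted")
        return self.free.pop(0)


class AclEngine:
    def __init__(self, pool: CounterPool, hook: str, mode: str) -> None:
        self.pool, self.hook, self.mode = pool, hook, mode
        self.slots = []  # ordered rule slots; None marks an empty ACL rule

    def install(self, slots: list, detect: Optional[set] = None) -> None:
        """Static mode (detect=None): a counter for every slot, empty ones included.
        Dynamic mode: counters only for the rules whose names are in detect."""
        self.slots = slots
        for rule in slots:
            if detect is None or (rule is not None and rule.name in detect):
                cid = self.pool.apply()
                if rule is not None:
                    rule.counter_id = cid
                    if self.hook == "action":
                        rule.actions = rule.actions + ["count"]

    def _start_counter(self, rule: AclRule, pkt: Packet) -> None:
        self.pool.values[rule.counter_id] += 1 if self.mode == "packets" else pkt.length

    def process(self, pkt: Packet) -> str:
        """Step 101: first-match lookup; the hook fires whenever an action part executes."""
        for rule in self.slots:
            if rule is None or not rule.qualify(pkt):
                continue
            result = None
            for act in rule.actions:
                if act in ("permit", "deny"):
                    result = act
                elif act == "count":  # "action" hook: counting is one of the actions
                    self._start_counter(rule, pkt)
            if self.hook == "result" and result and rule.counter_id is not None:
                self._start_counter(rule, pkt)  # "result" hook: a result was detected
            return result
        return "no-match"

    def read_and_clear(self, rule: AclRule) -> tuple:
        """Step 102: read the attached counter, judge, then clear it to zero."""
        value = self.pool.values[rule.counter_id]
        self.pool.values[rule.counter_id] = 0
        return value, value > 0


def demo(hook: str = "action", mode: str = "packets", dynamic: bool = False) -> dict:
    """Run constructed traffic through a four-slot ACL and report each rule's count."""
    eng = AclEngine(CounterPool(size=8), hook, mode)
    rules = [
        AclRule("deny-telnet", lambda p: p.dport == 23, ["deny"]),
        None,  # empty ACL rule slot
        AclRule("permit-web", lambda p: p.dport == 443, ["permit"]),
        # configured, but shadowed by permit-web above, so it never takes effect
        AclRule("deny-web-from-10", lambda p: p.dport == 443 and p.src.startswith("10."), ["deny"]),
    ]
    eng.install(rules, detect={"deny-telnet", "deny-web-from-10"} if dynamic else None)
    for pkt in (Packet("10.0.0.5", 23, 60), Packet("10.0.0.5", 443, 1500),
                Packet("198.51.100.7", 443, 200)):  # constructed sample flows
        eng.process(pkt)
    report = {r.name: eng.read_and_clear(r) for r in rules
              if r is not None and r.counter_id is not None}  # (count value, takes effect?)
    report["counters_in_use"] = len(eng.pool.values) - len(eng.pool.free)
    return report
```

The third rule is where the method earns its keep: it is configured and syntactically valid, yet its counter stays at zero because an earlier rule matches the same traffic first, so the device reports it as not in effect. Static installation consumes a counter for the empty slot as well (four counters for four slots), while dynamic installation consumes only two. As with the mirroring and copy-to-CPU checks in the background section, the judgment presupposes that traffic known to match the rule was offered during the measurement window; a zero read with no such traffic says nothing about the rule. Clearing on read also makes every read a fresh window, so a reader that wants history must keep the previous value itself.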
- The present invention also implements a device for detecting whether an access control list takes effect. As shown in FIG. 2, the device includes a startup module 21, a counter 22 and a reading module 23.
- The startup module 21 is configured to start, according to the hooking manner, the counter 22 attached to the currently executed ACL rule each time the action part of an ACL rule is executed.
- Specifically, if the hooking manner is to use "start the counter" as an action in the action part of the ACL rule, the startup module 21 is triggered within the action part of the rule and starts the counter 22; if the hooking manner is to start the counter upon detecting the result of the action part, then each time the action part of the ACL rule is executed the startup module 21 checks the result of that action part and starts the counter 22 when a result is detected; when the startup module 21 detects no result, the counter 22 is not started.
- The counter 22 is configured to count according to the preset counting manner and to store the count value. Specifically, when the preset counting manner is packet counting, the count value of the counter 22 increments by one each time it is started by the startup module 21; when the preset counting manner is byte counting, each time it is started by the startup module 21 the counter 22 adds the number of bytes of the packet matching the currently executed ACL rule to its count value.
- The reading module 23 is configured to read the count value stored in the counter 22 attached to an ACL rule; if there is a count value, it determines that the ACL rule currently read takes effect, and otherwise determines that the rule does not take effect.
- The reading module 23 is further configured to clear the count value of the counter 22 after reading it.
- Attaching a counter to the ACL rule makes it possible to determine effectively whether the rule takes effect, and doing so neither increases the network load nor impacts the device's CPU;
- checking the count value to determine whether the ACL rule takes effect is relatively simple and speeds up the localization of network faults.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
BR112012006123A BR112012006123A2 (pt) | 2009-09-17 | 2010-08-25 | Method and device for detecting validation of the access control list |
EP10816660.4A EP2466816B1 (en) | 2009-09-17 | 2010-08-25 | Method and device for detecting validation of an access control list |
US13/395,229 US20120174209A1 (en) | 2009-09-17 | 2010-08-25 | Method and Device for Detecting Validation of Access Control List |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2009100929619A CN101662425B (zh) | 2009-09-17 | 2009-09-17 | Method and device for detecting whether an access control list takes effect |
CN200910092961.9 | 2009-09-17 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2011032456A1 (zh) | 2011-03-24 |
Family
ID=41790225
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2010/076326 WO2011032456A1 (zh) | 2009-09-17 | 2010-08-25 | Method and device for detecting whether an access control list takes effect |
Country Status (5)
Country | Link |
---|---|
US (1) | US20120174209A1 (zh) |
EP (1) | EP2466816B1 (zh) |
CN (1) | CN101662425B (zh) |
BR (1) | BR112012006123A2 (zh) |
WO (1) | WO2011032456A1 (zh) |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101662425B (zh) * | 2009-09-17 | 2012-07-04 | ZTE Corporation | Method and device for detecting whether an access control list takes effect |
CN103001828A (zh) * | 2012-12-04 | 2013-03-27 | Beijing Star-Net Ruijie Networks Co., Ltd. | Data-flow-based packet statistics method and device, and network equipment |
CN106302306B (zh) * | 2015-05-11 | 2020-06-05 | ZTE Corporation | Traffic statistics method and device based on an access control list (ACL) |
CN107508836B (zh) * | 2017-09-27 | 2019-11-12 | Hangzhou DPtech Technologies Co., Ltd. | Method and device for delivering ACL rules |
CN113328973B (zh) * | 2020-02-28 | 2022-09-23 | Huawei Technologies Co., Ltd. | Method and device for detecting that an access control list (ACL) rule is invalid |
CN117353960A (zh) * | 2022-06-29 | 2024-01-05 | ZTE Corporation | ACL rule processing method, device and storage medium |
CN115529262A (zh) * | 2022-09-16 | 2022-12-27 | Hangzhou Yunhe Zhiwang Technology Co., Ltd. | Method, apparatus, device and medium for confirming ACL hits in SAI Thrift |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060294297A1 (en) * | 2005-06-22 | 2006-12-28 | Pankaj Gupta | Access control list processor |
CN101039271A (zh) * | 2007-03-20 | 2007-09-19 | Huawei Technologies Co., Ltd. | Method and device for making access control list rules take effect |
CN101247397A (zh) * | 2008-03-07 | 2008-08-20 | ZTE Corporation | Method for optimizing the order in which mirroring and access control list functions take effect |
CN101364947A (zh) * | 2008-09-08 | 2009-02-11 | ZTE Corporation | Access control list rule matching method and system |
CN101662425A (zh) * | 2009-09-17 | 2010-03-03 | ZTE Corporation | Method and device for detecting whether an access control list takes effect |
Family Cites Families (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6701432B1 (en) * | 1999-04-01 | 2004-03-02 | Netscreen Technologies, Inc. | Firewall including local bus |
US7324514B1 (en) * | 2000-01-14 | 2008-01-29 | Cisco Technology, Inc. | Implementing access control lists using a balanced hash table of access control list binary comparison trees |
FR2844415B1 (fr) * | 2002-09-05 | 2005-02-11 | At & T Corp | Firewall system for interconnecting two IP networks managed by two different administrative entities |
US7292531B1 (en) * | 2002-12-31 | 2007-11-06 | Packeteer, Inc. | Methods, apparatuses and systems facilitating analysis of the performance of network traffic classification configurations |
CN1333546C (zh) * | 2003-12-12 | 2007-08-22 | Huawei Technologies Co., Ltd. | Method for diagnosing forwarding faults in a network processor |
US7436770B2 (en) * | 2004-01-21 | 2008-10-14 | Alcatel Lucent | Metering packet flows for limiting effects of denial of service attacks |
EP1800439B1 (en) * | 2004-10-05 | 2008-03-05 | Telefonaktiebolaget LM Ericsson (publ) | Arrangement and method relating to service provisioning control |
CN100349445C (zh) * | 2005-03-08 | 2007-11-14 | Huawei Technologies Co., Ltd. | Method and system for implementing proxy-request-mode resource reservation in a next-generation network |
CN100466600C (zh) * | 2005-03-08 | 2009-03-04 | Huawei Technologies Co., Ltd. | Method for implementing access-configuration-mode resource reservation in a next-generation network |
US7665128B2 (en) * | 2005-04-08 | 2010-02-16 | At&T Corp. | Method and apparatus for reducing firewall rules |
US7668969B1 (en) * | 2005-04-27 | 2010-02-23 | Extreme Networks, Inc. | Rule structure for performing network switch functions |
CN100428688C (zh) * | 2005-06-09 | 2008-10-22 | Hangzhou H3C Technologies Co., Ltd. | Method for protecting against network attacks |
US9407662B2 (en) * | 2005-12-29 | 2016-08-02 | Nextlabs, Inc. | Analyzing activity data of an information management system |
CN101079798A (zh) * | 2006-05-26 | 2007-11-28 | Huawei Technologies Co., Ltd. | Network address translation method and method for implementing access control lists |
WO2008093320A1 (en) * | 2007-01-31 | 2008-08-07 | Tufin Software Technologies Ltd. | System and method for auditing a security policy |
US8140666B2 (en) * | 2007-03-29 | 2012-03-20 | International Business Machines Corporation | Method and apparatus for network distribution and provisioning of applications across multiple domains |
US20090125470A1 (en) * | 2007-11-09 | 2009-05-14 | Juniper Networks, Inc. | System and Method for Managing Access Control Lists |
CN101426014B (zh) * | 2008-12-02 | 2013-04-03 | ZTE Corporation | Method and system for preventing multicast source attacks |
GB2487466A (en) * | 2009-11-06 | 2012-07-25 | Ibm | Method and system for managing security objects |
2009
- 2009-09-17 CN CN2009100929619A patent/CN101662425B/zh: not active, expired (fee related)
2010
- 2010-08-25 WO PCT/CN2010/076326 patent/WO2011032456A1/zh: active, application filing
- 2010-08-25 BR BR112012006123A patent/BR112012006123A2/pt: not active, application discontinuation
- 2010-08-25 EP EP10816660.4A patent/EP2466816B1/en: not active, not in force
- 2010-08-25 US US13/395,229 patent/US20120174209A1/en: not active, abandoned
Non-Patent Citations (1)
Title |
---|
See also references of EP2466816A4 * |
Also Published As
Publication number | Publication date |
---|---|
CN101662425A (zh) | 2010-03-03 |
US20120174209A1 (en) | 2012-07-05 |
EP2466816A4 (en) | 2014-03-19 |
BR112012006123A2 (pt) | 2016-06-21 |
EP2466816B1 (en) | 2015-05-27 |
EP2466816A1 (en) | 2012-06-20 |
CN101662425B (zh) | 2012-07-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2011032456A1 (zh) | Method and device for detecting whether an access control list takes effect | |
US8958318B1 (en) | Event-based capture of packets from a network flow | |
Chen et al. | Slowing down internet worms | |
EP2950489B1 (en) | Method and device for generating cnm | |
US9819590B2 (en) | Method and apparatus for notifying network abnormality | |
US9929897B2 (en) | Performing a protocol, such as micro bidirectional forwarding detection, on member links of an aggregated link that uses an address of the aggregated link | |
CN102577240B (zh) | Method and apparatus for virus throttling using rate limiting | |
WO2011088686A1 (zh) | VPLS-based dual-homing protection switching method and system | |
US20050276228A1 (en) | Self-isolating and self-healing networked devices | |
US10505952B2 (en) | Attack detection device, attack detection method, and attack detection program | |
CN108353068B (zh) | SDN-controller-assisted intrusion prevention system | |
JP6518795B2 (ja) | Computer system and control method therefor | |
JP2002073433A (ja) | Intrusion detection device, unauthorized intrusion countermeasure management system and intrusion detection method | |
JP2004172871A (ja) | Concentrator (hub) that prevents virus spread, and program therefor | |
WO2008080324A1 (fr) | Method and apparatus for preventing IGMP message attacks | |
JP2011523242A (ja) | Method, system and computer-readable medium for dynamic rate-limited slow-path processing of exception packets | |
WO2014075485A1 (zh) | Processing method for network address translation technology, NAT device and BNG device | |
US7668969B1 (en) | Rule structure for performing network switch functions | |
JP4694578B2 (ja) | Method and system for protecting a computer network from packet floods | |
WO2019096104A1 (zh) | Attack prevention | |
CN106357652B (zh) | Method and device for protecting against VXLAN packet attacks | |
JP3643087B2 (ja) | Communication network, router, and method for detecting and defending against distributed denial-of-service attacks | |
EP3133790B1 (en) | Message sending method and apparatus | |
US9591025B2 (en) | IP-free end-point management appliance | |
WO2022057647A1 (zh) | Packet processing method, system and device | |
Legal Events
Code | Title | Description |
---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 10816660; Country of ref document: EP; Kind code of ref document: A1 |
WWE | Wipo information: entry into national phase | Ref document number: 13395229; Country of ref document: US |
WWE | Wipo information: entry into national phase | Ref document number: 2309/CHENP/2012; Country of ref document: IN |
WWE | Wipo information: entry into national phase | Ref document number: 2010816660; Country of ref document: EP |
NENP | Non-entry into the national phase | Ref country code: DE |
REG | Reference to national code | Ref country code: BR; Ref legal event code: B01A; Ref document number: 112012006123; Country of ref document: BR |
ENP | Entry into the national phase | Ref document number: 112012006123; Country of ref document: BR; Kind code of ref document: A2; Effective date: 20120319 |