WO2012142868A1 - Method, system and device for monitoring network information - Google Patents
- Publication number
- WO2012142868A1 (PCT/CN2012/071314)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- monitor
- policy
- supervisory
- channel
- lsp
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0805—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability
- H04L43/0811—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability by checking connectivity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/50—Routing or path finding of packets in data switching networks using label swapping, e.g. multi-protocol label switch [MPLS]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/70—Routing based on monitoring results
Abstract
Disclosed are a method, system and device for monitoring network information. The method includes: establishing a monitoring LSP channel between a PE and a Monitor and configuring a policy route at an incoming interface thereof; the PE forwarding a suspicious message to the Monitor for detection via the monitoring LSP channel according to the configured policy route, and acting correspondingly according to the detection result fed back by the Monitor: switching to a normal LSP channel to forward the message when the detection result is that the detection is passed, otherwise, processing the message correspondingly according to a preset forwarding policy. In the present invention, the message forwarding is controlled by way of increasing monitoring channels and switching among different channels using the policy routing technology, realizing complete control and processing of harmful information during propagation.
Description
Method, system and apparatus for implementing network information supervision
Technical field
The present invention relates to the field of communications technologies, and in particular to a method, system and apparatus for implementing network information supervision.
Background
With the rapid development of Internet services, harmful information of all kinds is increasingly rampant on the network, and operators are required to take on responsibility for supervising network information. For example, following the recent online anti-pornography campaign, domestic websites of all kinds are now required to use real-name registration and management. This kind of supervision is after-the-fact supervision: it cannot intervene in the process of information dissemination, and it cannot effectively supervise the practice of renting overseas servers to distribute harmful information, so its overall effect is very limited. How to use network technology to detect and filter harmful information while it is being propagated has become a problem in urgent need of a solution.
Summary of the invention
In view of the above analysis, the present invention aims to provide a method, system and apparatus for implementing network information supervision, to solve the prior-art problem that harmful information is not effectively detected and filtered during propagation.
The object of the present invention is mainly achieved by the following technical solutions:
The present invention provides a method for implementing network information supervision, including:
an operator edge router (PE) establishes a supervisory label switched path (LSP) channel between itself and a supervisory router (Monitor), and configures policy routing on its own inbound interface;
according to the configured policy route, the PE forwards suspicious packets through the supervisory LSP channel to the Monitor for detection, and acts on the detection result fed back by the Monitor: when the result is that detection passed, the PE switches to the normal LSP channel to forward the packet; otherwise it processes the packet according to a predetermined forwarding policy.
Further, after the supervisory LSP channel is established, the method also includes:
the PE sends a supervisory instance registration request to the Monitor through the supervisory LSP channel, and after the instance registration response fed back by the Monitor is received, a supervisory path is established between the PE and the Monitor.
Further, forwarding the suspicious packet through the supervisory LSP channel to the Monitor for detection is:
a supervisory label is assigned to the supervisory path established between the PE and the Monitor; the PE marks the outer forwarding label of the received suspicious packet with the supervisory label and then forwards the packet over the supervisory path to the Monitor for detection.
Further, the method also includes: after the policy route configured on the PE inbound interface is deleted, the PE sends a supervisory instance revocation request and, after receiving the instance revocation response fed back by the Monitor, revokes the supervisory path established between the PE and the Monitor.
The policy route includes at least a Match rule and a Set forwarding entry.
The present invention also provides a system for implementing network information supervision, including an operator edge router (PE) and a supervisory router (Monitor), where:
the PE is configured to establish a supervisory LSP channel with the Monitor and to configure policy routing on its own inbound interface; to forward suspicious packets through the supervisory LSP channel to the Monitor for detection according to the configured policy route; and to act on the detection result fed back by the Monitor: when the result is that detection passed, switch to the normal LSP channel to forward the packet, otherwise process the packet according to a predetermined forwarding policy;
the Monitor is configured to detect the suspicious packets sent by the PE and to feed the detection result back to the PE.
The present invention further provides an apparatus for implementing network information supervision, including:
a channel establishment and management module, configured to establish a supervisory LSP channel between the PE and the Monitor;
a policy configuration module, configured to configure policy routing on the inbound interface of the PE;
a forwarding processing module, configured to forward suspicious packets through the supervisory LSP channel to the Monitor for detection according to the configured policy route, and to act on the detection result fed back by the Monitor: when the result is that detection passed, switch to the normal LSP channel to forward the packet, otherwise process the packet according to a predetermined forwarding policy.
Further, the apparatus also includes:
an instance management module, configured to send a supervisory instance registration request to the Monitor through the supervisory LSP channel and, after receiving the instance registration response fed back by the Monitor, to establish a supervisory path between the PE and the Monitor.
Further, the apparatus also includes:
a label processing module, configured to assign a supervisory label to the supervisory path established between the PE and the Monitor and to mark the outer forwarding label of suspicious packets received by the PE with the supervisory label, after which the forwarding processing module forwards them over the supervisory path to the Monitor for detection.
Further, the instance management module is also configured to send a supervisory instance revocation request to the Monitor through the supervisory LSP channel after the policy route configured on the PE inbound interface is deleted and, after receiving the instance revocation response fed back by the Monitor, to revoke the supervisory path established between the PE and the Monitor.
The beneficial effects of the present invention are as follows:
By adding a supervisory channel and using policy routing to switch between different channels, the invention controls packet forwarding and fully achieves control and processing of harmful information during propagation.
Brief description of the drawings
FIG. 1 is a schematic structural diagram of a networking example according to an embodiment of the present invention;
FIG. 2 is a schematic flowchart of the method according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of the system according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of the apparatus according to an embodiment of the present invention.
Detailed description
The preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings, which form part of this application and, together with the embodiments of the invention, serve to explain the principles of the invention.
The method according to the embodiment of the present invention is first described in detail with reference to FIG. 1 and FIG. 2. For ease of description, the networking shown in FIG. 1 is used as the example.
As shown in FIG. 1, CE1 (customer edge device 1) and CE2 are in the same private network, and a normal Label Switching Path (LSP) channel exists between PE1 (operator edge router 1) and PE2. A Monitor (supervisory router) is placed in this network. If packets passing through PE1 need to be supervised, a supervisory LSP channel must be established between the Monitor and PE1; likewise, if packets passing through PE2 need to be supervised, a supervisory LSP channel must also be established between the Monitor and PE2.
FIG. 2 is a schematic flowchart of the method according to an embodiment of the present invention. Assuming that packets passing through PE1 need to be supervised, the method may include the following steps:
Step 201: A supervisory LSP channel is established between PE1 and the Monitor by running the supervision enable command;
Step 202: A policy route is configured on the inbound interface of PE1. The policy route includes at least a Match rule and a Set forwarding entry, where the Match rule is used to filter the packets passing through PE1 and determine the suspicious packets that need to be detected, and the Set forwarding entry is used to configure the supervisory path;
Step 203: The PE sends a supervisory instance registration request to the Monitor through the supervisory LSP channel. After the instance registration response fed back by the Monitor is received, a supervisory path is established between the PE and the Monitor, and a supervisory label is assigned to that path;
Step 204: When a packet from CE1 passes through PE1 and is determined to be suspicious according to the policy route, PE1 switches the forwarding path of the suspicious packet from the normal forwarding LSP channel to the supervisory LSP channel, uses policy label forwarding to mark the outer forwarding label of the suspicious packet with the supervisory label, and sends the packet over the supervisory path to the Monitor for detection;
Step 205: When the Monitor receives the suspicious packet, it detects it and sends a response message to PE1 reporting the detection result. The detection result may be that detection passed or that detection failed;
Step 206: PE1 acts on the received detection result: if detection passed, PE1 switches the forwarding path of the suspicious packet back to the normal forwarding LSP channel; otherwise, according to the forwarding policy preconfigured by the user, it discards the packet or handles it in another way. Which handling is used depends on the operator's requirements.
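The following Python model is an added illustration of steps 201 to 206 and of the revocation on policy deletion; it is not code from the patent. The class names, label values, the 192.0.2.0/24 match prefix, the `FORBIDDEN` payload marker and the synchronous verdict are assumptions made for the example, and the supervisory label is modelled as a label pushed on top of the outer forwarding label, since the patent does not specify message or label formats.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

NORMAL_LSP_LABEL = 100     # constructed: outer label of the normal PE1-PE2 LSP
SUPERVISORY_LABEL = 9000   # constructed: label the PE assigns to the supervisory path


@dataclass
class Packet:
    dst: str
    payload: bytes
    labels: List[int] = field(default_factory=list)   # labels[0] is outermost


@dataclass
class PolicyRoute:
    match: Callable[[Packet], bool]   # Match rule: selects suspicious packets
    set_path: str                     # Set forwarding entry: supervisory path name


class Monitor:
    """Supervisory router: tracks registered instances and inspects packets."""

    def __init__(self, detector: Callable[[Packet], bool]):
        self.detector = detector
        self.registered = set()
        self.seen: List[Tuple[int, ...]] = []   # label stacks of inspected packets

    def register(self, pe: str) -> bool:        # instance registration response
        self.registered.add(pe)
        return True

    def revoke(self, pe: str) -> bool:          # instance revocation response
        self.registered.discard(pe)
        return True

    def inspect(self, pe: str, pkt: Packet) -> bool:
        if pe not in self.registered:
            raise PermissionError(f"{pe} has no supervisory instance")
        self.seen.append(tuple(pkt.labels))
        return self.detector(pkt)               # True = detection passed


class PE:
    def __init__(self, name: str, monitor: Monitor, on_fail: str = "drop"):
        self.name, self.monitor, self.on_fail = name, monitor, on_fail
        self.channel_up = False
        self.policy: Optional[PolicyRoute] = None
        self.sup_label: Optional[int] = None

    def enable_supervision(self) -> None:                     # step 201
        self.channel_up = True

    def configure_policy(self, policy: PolicyRoute) -> None:  # steps 202-203
        if not self.channel_up:
            raise RuntimeError("supervisory LSP channel not established")
        if not self.monitor.register(self.name):
            raise RuntimeError("Monitor rejected instance registration")
        self.policy, self.sup_label = policy, SUPERVISORY_LABEL

    def delete_policy(self) -> None:            # revocation after policy deletion
        self.policy = None
        if self.monitor.revoke(self.name):
            self.sup_label = None

    def forward(self, pkt: Packet) -> str:                    # steps 204-206
        pkt.labels = [NORMAL_LSP_LABEL]
        if self.policy is None or not self.policy.match(pkt):
            return "normal-lsp"                 # packet never leaves the normal LSP
        pkt.labels.insert(0, self.sup_label)    # assumption: push supervisory label
        passed = self.monitor.inspect(self.name, pkt)         # step 205 verdict
        pkt.labels.pop(0)                       # restore the normal label stack
        return "normal-lsp" if passed else self.on_fail


def demo() -> dict:
    watched = ip_network("192.0.2.0/24")        # constructed Match prefix
    monitor = Monitor(lambda p: b"FORBIDDEN" not in p.payload)
    pe1 = PE("PE1", monitor, on_fail="drop")
    pe1.enable_supervision()
    pe1.configure_policy(PolicyRoute(
        match=lambda p: ip_address(p.dst) in watched, set_path="PE1->Monitor"))
    out = {
        "unmatched": pe1.forward(Packet("198.51.100.7", b"hello")),
        "clean": pe1.forward(Packet("192.0.2.10", b"hello")),
        "harmful": pe1.forward(Packet("192.0.2.10", b"xx FORBIDDEN xx")),
    }
    pe1.delete_policy()
    out["after_delete"] = pe1.forward(Packet("192.0.2.10", b"xx FORBIDDEN xx"))
    out["monitor_saw"] = list(monitor.seen)
    out["still_registered"] = "PE1" in monitor.registered
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

In this model only packets selected by the Match rule reach the Monitor, and once the policy route is deleted the same packet that was dropped before is forwarded on the normal LSP without inspection.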
Next, the system according to the embodiment of the present invention is described in detail.
FIG. 3 is a schematic structural diagram of the system according to an embodiment of the present invention, which may include a supervisory router (Monitor) and a PE, where:
when packets passing through a PE need to be supervised, a supervisory LSP channel is established between that PE and the Monitor and a policy route is configured on the inbound interface of the PE; according to the configured policy route, suspicious packets are forwarded through the supervisory LSP channel to the Monitor for detection, and the PE acts on the detection result fed back by the Monitor: if detection passed, it switches to the normal LSP channel to forward the packet, otherwise it processes the packet according to the predetermined forwarding policy. The Monitor detects the suspicious packets sent by the PE and feeds the detection result back to the corresponding PE.
Finally, the apparatus according to the embodiment of the present invention is described in detail.
FIG. 4 is a schematic structural diagram of the apparatus according to an embodiment of the present invention. The apparatus may be placed in a PE and may include a channel establishment and management module, a policy configuration module, a forwarding processing module, an instance management module and a label processing module, where:
the channel management module establishes a supervisory LSP channel between the PE and the Monitor;
the policy configuration module configures a policy route on the inbound interface of the PE. The policy route includes at least a Match rule and a Set forwarding entry, where the Match rule is used to filter the packets passing through PE1 and determine the suspicious packets that need to be detected, and the Set forwarding entry is used to configure the supervisory path;
the forwarding processing module forwards suspicious packets through the supervisory LSP channel to the Monitor for detection according to the configured policy route, and acts on the detection result fed back by the Monitor: if detection passed, it switches to the normal LSP channel to forward the packet, otherwise it processes the packet according to the predetermined forwarding policy;
the instance management module sends a supervisory instance registration request to the Monitor through the supervisory LSP channel and, after receiving the instance registration response fed back by the Monitor, establishes a supervisory path between the PE and the Monitor;
the label processing module assigns a supervisory label to the supervisory path established between the PE and the Monitor and marks the outer forwarding label of suspicious packets received by the PE with the supervisory label, after which the forwarding processing module forwards them over the supervisory path to the Monitor for detection.
After the policy route configured on the PE inbound interface is deleted, the instance management module sends a supervisory instance revocation request to the Monitor through the supervisory LSP channel and, after receiving the instance revocation response fed back by the Monitor, revokes the supervisory path established between the PE and the Monitor.
It should be noted that the specific implementation of the system and the apparatus has already been described in detail in the method above and is therefore not repeated here.
In summary, the embodiments of the present invention provide a method, system and apparatus for implementing network information supervision. By adding a supervisory LSP channel and using policy routing to switch between the supervisory LSP channel and the normal LSP channel, the invention controls packet forwarding and fully achieves control and handling of harmful information while it is being propagated. It is more effective than existing after-the-fact supervision methods and technologies, is simpler to implement, and can meet the needs of large-scale deployment in current networks.
The above is only a preferred specific embodiment of the present invention, but the scope of protection of the invention is not limited to it. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the invention shall fall within the scope of protection of the invention. Therefore, the scope of protection of the invention shall be determined by the scope of the claims.
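An added illustration, not part of the patent text: a Python model of the PE forwarding decision described above (policy-routing match, supervisory label, Monitor verdict, switch back to the normal LSP channel, and revocation when the policy routing is deleted). The class and method names, the label value 1000, the byte-signature check, the "drop" policy and the fail-closed branch are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable

NORMAL_LSP = "normal-lsp"

@dataclass
class Packet:
    dst_port: int
    payload: bytes
    labels: list = field(default_factory=list)  # label stack, outermost last

class Monitor:
    """Supervisory router: tracks registered instances and inspects packets."""
    def __init__(self, signatures):
        self.signatures, self.instances, self.seen = signatures, set(), []
    def register(self, pe_id):            # instance registration request/response
        self.instances.add(pe_id)
        return True
    def revoke(self, pe_id):              # instance revocation request/response
        self.instances.discard(pe_id)
        return True
    def inspect(self, pe_id, pkt):
        self.seen.append(list(pkt.labels))
        if pe_id not in self.instances:
            return False                  # no supervisory path: never report a pass
        return not any(s in pkt.payload for s in self.signatures)

class PE:
    def __init__(self, pe_id, monitor, on_fail="drop"):
        self.pe_id, self.monitor, self.on_fail = pe_id, monitor, on_fail
        self.routes, self.sup_label = [], None
    def establish_supervision(self, label=1000):   # label value is constructed
        if self.monitor.register(self.pe_id):
            self.sup_label = label        # supervisory label for the supervisory path
    def add_policy_route(self, match: Callable[[Packet], bool]):
        self.routes.append(match)         # match-item rule; set-item = supervisory LSP
    def delete_policy_routes(self):
        self.routes.clear()
        if self.monitor.revoke(self.pe_id):
            self.sup_label = None         # supervisory path revoked
    def forward(self, pkt):
        if not any(match(pkt) for match in self.routes):
            return NORMAL_LSP             # not selected by policy routing
        if self.sup_label is None:
            return self.on_fail           # assumption: fail closed without a path
        pkt.labels.append(self.sup_label) # mark outer label, send over supervisory path
        passed = self.monitor.inspect(self.pe_id, pkt)
        pkt.labels.pop()                  # back to the normal label stack
        return NORMAL_LSP if passed else self.on_fail
```

Once the policy routing is deleted, matching traffic goes straight to the normal LSP channel without inspection, so a change to that configuration is worth auditing as a change to the inspection boundary.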
Claims
1. A method for implementing network information supervision, characterized in that the method comprises:
a provider edge router (PE) establishing a supervisory label switched path (LSP) channel between itself and a supervisory router (Monitor), and configuring policy routing on its own inbound interface;
the PE forwarding suspicious packets, according to the configured policy routing, to the Monitor through the supervisory LSP channel for inspection, and acting on the inspection result returned by the Monitor: when the result is that the inspection passed, switching to the normal LSP channel to forward the packet; otherwise, processing the packet according to a predetermined forwarding policy.
2. The method according to claim 1, characterized in that, after the supervisory LSP channel is established, the method further comprises:
the PE sending a supervisory instance registration request to the Monitor through the supervisory LSP channel and, after the instance registration response returned by the Monitor is received, a supervisory path being established between the PE and the Monitor.
3. The method according to claim 2, characterized in that forwarding the suspicious packets to the Monitor through the supervisory LSP channel for inspection comprises:
allocating a supervisory label to the supervisory path established between the PE and the Monitor; the PE marking the outer forwarding label of a received suspicious packet with the supervisory label and then forwarding the packet to the Monitor over the supervisory path for inspection.
4. The method according to claim 2 or 3, characterized in that the method further comprises:
after the policy routing configured on the inbound interface of the PE is deleted, the PE sending a supervisory instance revocation request and, after receiving the instance revocation response returned by the Monitor, revoking the supervisory path established between the PE and the Monitor.
5. The method according to claim 1, characterized in that the policy routing comprises at least: matching-item rules and setting-item forwarding entries.
6. A system for implementing network information supervision, characterized by comprising a provider edge router (PE) and a supervisory router (Monitor), wherein:
the PE is configured to establish a supervisory label switched path (LSP) channel with the Monitor and to configure policy routing on its own inbound interface; to forward suspicious packets, according to the configured policy routing, to the Monitor through the supervisory LSP channel for inspection; and to act on the inspection result returned by the Monitor: when the result is that the inspection passed, switching to the normal LSP channel to forward the packet; otherwise, processing the packet according to a predetermined forwarding policy;
the Monitor is configured to inspect the suspicious packets sent by the PE and to return the inspection result to the PE.
7. An apparatus for implementing network information supervision, characterized by comprising:
a channel establishment and management module, configured to establish a supervisory LSP channel between a provider edge router (PE) and a supervisory router (Monitor);
a policy configuration module, configured to configure policy routing on the inbound interface of the PE;
a forwarding processing module, configured to forward suspicious packets, according to the configured policy routing, to the Monitor through the supervisory LSP channel for inspection, and to act on the inspection result returned by the Monitor: when the result is that the inspection passed, switching to the normal LSP channel to forward the packet; otherwise, processing the packet according to a predetermined forwarding policy.
8. The apparatus according to claim 7, characterized in that the apparatus further comprises:
an instance management module, configured to send a supervisory instance registration request to the Monitor through the supervisory LSP channel and, after receiving the instance registration response returned by the Monitor, to establish a supervisory path between the PE and the Monitor.
9. The apparatus according to claim 8, characterized in that the apparatus further comprises:
a label processing module, configured to allocate a supervisory label to the supervisory path established between the PE and the Monitor and to mark the outer forwarding label of each suspicious packet received by the PE with the supervisory label, the forwarding processing module then forwarding the packet to the Monitor over the supervisory path for inspection.
10. The apparatus according to claim 8 or 9, characterized in that the instance management module is further configured, after the policy routing configured on the inbound interface of the PE is deleted, to send a supervisory instance revocation request to the Monitor through the supervisory LSP channel and, after receiving the instance revocation response returned by the Monitor, to revoke the supervisory path established between the PE and the Monitor.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201110096488.9 | 2011-04-18 | ||
CN201110096488.9A CN102158362B (en) | 2011-04-18 | 2011-04-18 | Network information monitoring realization method, system and device |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2012142868A1 (en) | 2012-10-26 |
Family
ID=44439563
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2012/071314 WO2012142868A1 (en) | 2011-04-18 | 2012-02-20 | Method, system and device for monitoring network information |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN102158362B (en) |
WO (1) | WO2012142868A1 (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102158362B (en) * | 2011-04-18 | 2015-05-06 | 中兴通讯股份有限公司 | Network information monitoring realization method, system and device |
CN102377603B (en) * | 2011-10-26 | 2014-10-29 | 国家广播电影电视总局广播科学研究院 | Policy processing method and policy processing devices |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050220030A1 (en) * | 2004-03-30 | 2005-10-06 | Intec Netcore, Inc. | System and method for monitoring label switched path in network |
CN1983955A (en) * | 2006-05-09 | 2007-06-20 | 华为技术有限公司 | Method and system for monitoring illegal message |
CN101355567A (en) * | 2008-09-03 | 2009-01-28 | 中兴通讯股份有限公司 | Method for protecting safety of route-exchanging device central processing unit |
CN101399749A (en) * | 2007-09-27 | 2009-04-01 | 华为技术有限公司 | Method, system and device for packet filtering |
CN101399835A (en) * | 2007-09-17 | 2009-04-01 | 英特尔公司 | Method and apparatus for dynamic switching and real time security control on virtualized systems |
CN102158362A (en) * | 2011-04-18 | 2011-08-17 | 中兴通讯股份有限公司 | Network information monitoring realization method, system and device |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1719829A (en) * | 2004-07-09 | 2006-01-11 | 北京航空航天大学 | Implementing flow control and defensing DOS attack by using MPLS display route |
CN101820391A (en) * | 2010-03-17 | 2010-09-01 | 中兴通讯股份有限公司 | Route forwarding method used for IP network and network equipment |
CN101848222B (en) * | 2010-05-28 | 2013-05-01 | 武汉烽火网络有限责任公司 | Inspection method and device of Internet deep packet |
-
2011
- 2011-04-18 CN CN201110096488.9A patent/CN102158362B/en active Active
-
2012
- 2012-02-20 WO PCT/CN2012/071314 patent/WO2012142868A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN102158362A (en) | 2011-08-17 |
CN102158362B (en) | 2015-05-06 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
KR101900154B1 (en) | SDN capable of detection DDoS attacks and switch including the same | |
US10091167B2 (en) | Network traffic analysis to enhance rule-based network security | |
EP3366020B1 (en) | Sdn controller assisted intrusion prevention systems | |
KR101488648B1 (en) | Bootstrapping fault detection sessions over a p2mp tunnel | |
CN101399749B (en) | Method, system and device for packet filtering | |
Nam et al. | A Study on SDN security enhancement using open source IDS/IPS Suricata | |
EP2991292B1 (en) | Network collaborative defense method, device and system | |
JP2006339933A (en) | Network access control method and system thereof | |
CN103609070A (en) | Network traffic detection method, system, equipment and controller | |
CN104541483B (en) | When for connectivity fault the method and system re-routed is enabled for home network | |
WO2015062295A1 (en) | Traffic cleaning method and device, and computer storage medium | |
Aldrin et al. | Seamless Bidirectional Forwarding Detection (S-BFD) Use Cases | |
CN112822103B (en) | Information reporting method, information processing method and equipment | |
WO2016177131A1 (en) | Method, apparatus, and system for preventing dos attacks | |
US8925084B2 (en) | Denial-of-service attack protection | |
Tran et al. | FlowTracker: A SDN stateful firewall solution with adaptive connection tracking and minimized controller processing | |
WO2012142888A1 (en) | Tunnel group protection method and device based on multi-protocol label switching network | |
WO2012142868A1 (en) | Method, system and device for monitoring network information | |
CN103036781A (en) | Method and device for processing main path link failures | |
CN107682342A (en) | A kind of method and system of the DDoS flow leads based on openflow | |
JP4244356B2 (en) | Traffic analysis and control system | |
JP4279324B2 (en) | Network control method | |
WO2012071933A1 (en) | Method and system for service processing | |
JP4260848B2 (en) | Network control method | |
WO2016095750A1 (en) | Communication method and device in virtual switching cluster |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 12774612 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 12774612 Country of ref document: EP Kind code of ref document: A1 |