WO2014154040A1 - Access control method, device and system - Google Patents

Access control method, device and system

Info

Publication number: WO2014154040A1
Authority: WO, WIPO (PCT)
Prior art keywords: network data, network, data flow, data stream, security domain
Application number: PCT/CN2014/070715
Other languages: English (en), Chinese (zh)
Inventor: 王雨晨
Original Assignee: 华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2014154040A1: patent/WO2014154040A1/fr

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Definitions

  • The present invention relates to the field of computer and communication technologies, and in particular to an access control method, device, and system.
  • The "multi-instance" of a security device means that in a security application scenario such as cloud computing, multiple tenants share one security device, and each tenant can set its own security policy according to its own needs without worrying that its security policy conflicts with those of other tenants.
  • To achieve this, a physical security device needs to be divided into multiple logical security devices. Each logical security device can be configured with a separate security policy.
  • The network traffic of different logical security devices is isolated by default.
  • The system uses the virtual local area network ID (VLAN ID), the Multi-Protocol Label Switching Virtual Private Network (MPLS VPN) label, or the virtual ingress interface to determine the virtual firewall to which a data flow belongs (i.e. which tenant the traffic belongs to).
  • VLAN ID: virtual local area network ID
  • MPLS VPN: Multi-Protocol Label Switching Virtual Private Network
  • Current security devices achieve the above functions by supporting a network isolation technology (such as virtual local area network/virtual private network, VLAN/VPN) in the security device itself.
  • Network isolation technology: for example virtual local area network/virtual private network, VLAN/VPN
  • Firewall devices mostly implement "multi-instance" on the basis of VLANs or VPNs: the firewall ports need to be configured with virtual ports for the different VLANs or VPNs, and a corresponding security policy is then set for each virtual port (the security policy includes data flow attributes bound to the virtual port). Therefore, when the firewall receives a network data flow, it finds the corresponding security policy according to the data flow attributes, and the virtual port processes the data stream.
  • The embodiments of the present invention provide an access control method, device, and system, so that when multiple tenants share a security device the device does not depend on the virtual ports of the network isolation technology it supports (such as VLAN virtual ports) or on a network isolation technology (such as VLAN/VPN technology).
  • The present application provides an access control method, device, and system that map conventional network data flow attributes to the security policies of different tenants, and aims to let multiple tenants share one security device without affecting each other and without relying on specific technologies such as VLAN/VPN.
  • The first aspect provides an access control method, including: after receiving a network data flow, the network traffic processing device requests, from the policy management device, the control behavior corresponding to the network data flow, where the control behavior includes allowing the network data flow to pass or blocking the network data flow; the network traffic processing device then processes the network data flow according to the control behavior.
  • Requesting the control behavior corresponding to the network data flow from the policy management device specifically means: the network traffic processing device sends the network data flow to the policy management device and receives the control behavior returned by the policy management device; or the network traffic processing device extracts attribute values of the network data flow from the flow, sends the attribute values to the policy management device, and receives the control behavior returned by the policy management device, where the attribute values include at least one of the source physical port, virtual local area network identifier, source network hardware address, destination network hardware address, source IP address, destination IP address, source transmission control protocol port, and destination transmission control protocol port.
  • The second aspect provides an access control method, including: the policy management device receives a network data flow control behavior request from a network traffic processing device and obtains the attribute values of the network data flow from the request, where the attribute values include at least one of the source physical port, virtual local area network identifier, source network hardware address, destination network hardware address, source IP address, destination IP address, source transmission control protocol port, and destination transmission control protocol port;
  • the policy management device determines, according to the attribute values, the security domain to which the network data flow belongs, where a security domain is a network in which the same tenant adopts the same security policy; it searches for the control policy of that security domain, determines the control behavior from the control policy and the attribute values, and sends the control behavior to the network traffic processing device, which processes the network data stream accordingly.
  • Before the step in which the policy management device receives the network data flow control behavior request and obtains the attribute values of the network data flow from it, the method further includes: the policy management device generates, according to the security policy information of each tenant, the control policy of each security domain based on the network data flow attributes.
  • The security policy information of each tenant includes at least a security domain identifier, the correspondence between the security domain and the network data flow attributes, and the security policy within the security domain.
  • Determining the security domain to which the network data flow belongs according to its attribute values specifically means: according to the correspondence between the security domain and the network data flow attributes, the attribute values corresponding to the security domain are extracted from the attribute values of the network data stream; the extracted attribute values are matched against the attribute values corresponding to each security domain, and the security domain to which the network data flow belongs is thereby determined.
  • The correspondence between the security domain and the network data stream attributes includes the correspondence between a security domain and a virtual local area network identifier, a set of network hardware addresses, a set of virtual private network tunnels, a set of source physical ports, or a combination of two or more network data flow attributes.
  • the network traffic processing device is a switch
  • the policy management device is a controller
  • The third aspect provides a network traffic processing device including a requesting module and a processing module, where: the requesting module is configured to request, after a network data flow is received, the control behavior corresponding to the network data flow from a policy management device, where the control behavior includes allowing the network data flow to pass or blocking the network data flow; the processing module is configured to process the network data stream using the control behavior returned by the policy management device.
  • The requesting module is configured to send the network data stream, or the attribute values extracted from the network data stream, to the policy management device in order to request the control behavior corresponding to the network data flow, where the attribute values include at least one of the source physical port, virtual local area network identifier, source network hardware address, destination network hardware address, source IP address, destination IP address, source transmission control protocol port, and destination transmission control protocol port.
  • The fourth aspect provides a policy management device including a receiving module, a first determining module, a searching module, a second determining module, and a sending module, where: the receiving module is configured to receive a network data flow control behavior request from a network traffic processing device, obtain the attribute values of the network data stream from the request, and send the attribute values to the first determining module, where the attribute values include at least one of the source physical port, virtual local area network identifier, source network hardware address, destination network hardware address, source IP address, destination IP address, source transmission control protocol port, and destination transmission control protocol port; the first determining module is configured to determine, according to the attribute values of the network data stream, the security domain to which the network data flow belongs, where a security domain is a set of networks or systems in which the same tenant adopts the same security policy, and the network data flows belonging to the same security domain share the same set of control policies; the searching module is configured to search, according to the security domain determined by the first determining module, for the corresponding control policy based on network data flow attributes; the second determining module is configured to determine, according to that control policy and the attribute values of the network data flow, the control behavior adopted for the network data flow; and the sending module is configured to send the control behavior to the network traffic processing device.
  • The device further includes a policy generating module, configured to generate, according to the security policy information of each tenant, the control policy of each security domain based on the network data flow attributes.
  • The security policy information of each tenant includes at least a security domain identifier, the correspondence between the security domain and the network data flow attributes, and the security policy within the security domain.
  • The correspondence between the security domain and the network data stream attributes includes the correspondence between a security domain and a virtual local area network identifier, a set of network hardware addresses, a set of virtual private network tunnels, a set of source physical ports, or a combination of two or more network data flow attributes.
  • The fifth aspect provides a network system including the network traffic processing device of the third aspect or any possible implementation of the third aspect, and the policy management device of the fourth aspect or any possible implementation of the fourth aspect.
  • The policy management device of the present application determines the security domain to which a network data flow belongs according to the attributes of the network data flow passing through the network traffic processing device, then determines the control behavior adopted for the network data flow according to the control policy of that security domain (based on network data flow attributes and held in the policy management device) and the attribute values of the network data flow; the network traffic processing device processes the network data stream according to the control behavior. Because a security domain is defined by the scope of each tenant's security policy, the number of virtual instances of a security device is no longer limited by the number of protocol-related virtual devices (such as "virtual ports") that the professional security device itself supports, but only by the security device itself.
  • FIG. 1 is a schematic diagram of an embodiment of a network system to which the access control method of the present application is applied.
  • FIG. 2 is a flowchart of an embodiment of the access control method of the present application.
  • FIG. 3 is a flowchart of another embodiment of the access control method of the present application.
  • FIG. 4 is a schematic structural diagram of an embodiment of the network traffic processing device of the present application.
  • FIG. 5 is a schematic structural diagram of an embodiment of the policy management device of the present application.
  • FIG. 6 is a schematic structural diagram of another embodiment of the network traffic processing device of the present application.
  • FIG. 7 is a schematic structural diagram of another embodiment of the policy management device of the present application.
  • Detailed description
  • FIG. 1 is a schematic diagram of an embodiment of a network system to which the access control method of the present application is applied.
  • The network system includes a network traffic processing device 100, a policy management device 200, and a plurality of virtual machines 300, where the same tenant may have several virtual machines 300. For example, tenant 1 has three virtual machines A, B, and C, and tenant 2 has three virtual machines 1, 2, and 3. Virtual machine A, virtual machine B, and virtual machine 1 are located in host 1; virtual machine 2, virtual machine 3, and virtual machine C are located in host 2.
  • The network traffic processing device can be a virtual switch, a physical switch, or a firewall. The virtual machines of one tenant belong to the same security domain.
  • When the virtual machines communicate, corresponding network data flows are generated.
  • The network traffic processing device 100 requests from the policy management device 200 the control behavior for the network data flow it receives; the policy management device 200 finds the security domain to which the network data flow belongs according to the attribute values of the data stream, finds the control policy based on network data flow attributes that corresponds to that security domain, and determines the control behavior corresponding to the data flow according to the found control policy and the attribute values of the network data flow, so that the network traffic processing device 100 processes the received network data stream according to the control behavior returned by the policy management device 200.
  • The network traffic processing device 100 and the policy management device 200 may be physical devices deployed separately in the network, or may be integrated into existing network devices as functional modules.
  • For example, the network traffic processing device 100 may be a virtual switch in a host, an ordinary physical switch, or a firewall device, and the policy management device 200 may be integrated into a DNS server or a mail server in the local area network.
  • In the following description the network traffic processing device 100 is a switch (Switch, SW) and the policy management device 200 is a controller.
  • FIG. 2 is a flowchart of an embodiment of the access control method of the present application.
  • The access control method of this embodiment is described from the side of the network traffic processing device.
  • The access control method of this embodiment includes:
  • Step S101: After receiving a network data flow, the network traffic processing device requests from the policy management device the control behavior corresponding to the network data flow.
  • When a virtual machine of a tenant accesses the network, a corresponding network data stream is generated and received by the network traffic processing device.
  • The network traffic processing device sends a request to the policy management device to obtain the control behavior corresponding to the network data flow.
  • When the network traffic processing device sends the request, it may send the network data stream directly to the policy management device, and the policy management device extracts the attribute values of the network data stream from it, where the attribute values include at least one of the source physical port, VLAN ID, source network hardware address (Media Access Control, MAC, address), destination MAC address, source IP address, destination IP address, source transmission control protocol (TCP) port, and destination TCP port.
  • TCP: transmission control protocol
  • For example, the IP address of tenant 1 is 10.0.0.1.
  • The attributes of the corresponding network data stream that is generated are as shown in Table 1 (XX represents a specific value).
  • The policy management device determines, according to the attribute values of the data flow, which security domain the data flow belongs to, and determines the control behavior adopted for the network data flow according to the control policy based on network data flow attributes for that security domain (held in the policy management device) and the attribute values of the network data flow.
  • The control policy based on network data flow attributes includes the control behavior adopted for network data flows belonging to the security domain that meet a preset condition; the preset condition includes a value range for at least one attribute, and the control behavior includes allowing the network data stream to pass or blocking the network data stream.
  • The control behavior can also include other processing methods such as address replacement and address translation, which are not enumerated one by one here.
  • The control policy based on network data stream attributes may also include one or more attribute values of the network data stream.
  • The control policy includes a flow table matching domain (i.e. the preset condition described above) and a flow table control behavior.
  • The flow table matching domain refers to the match between the attribute values of the network data stream and the data stream attributes in the control policy.
  • The flow table control behavior is the specific processing applied to a network data stream, such as, but not limited to, allowing the network data stream to pass ("Accept") or blocking the network data stream ("Drop").
  • The policy management device sends the control behavior to the network traffic processing device.
  • Alternatively, the network traffic processing device may itself extract the attribute values of the data stream from the network data stream and send the extracted attribute values to the policy management device to obtain the control behavior corresponding to the data stream.
  • In that case the policy management device directly finds the security domain to which the data flow belongs according to the received attribute values, determines the control behavior adopted for the network data flow according to the control policy based on network data flow attributes for that security domain and the attribute values of the network data flow, and sends the control behavior to the network traffic processing device.
  • Step S102: The network traffic processing device processes the network data flow according to the control behavior. The network traffic processing device receives the control behavior returned by the policy management device and processes the network data flow accordingly.
  • FIG. 3 is a flowchart of another embodiment of the access control method of the present application.
  • The access control method of this embodiment is described from the side of the policy management device.
  • The access control method of this embodiment includes:
  • Step S201: The policy management device receives a network data flow control behavior request from the network traffic processing device and obtains the attribute values of the network data flow from the request.
  • After receiving a network data flow, the network traffic processing device requests the control behavior for the network data flow from the policy management device.
  • The policy management device receives the request, which carries either the network data stream or the attribute values of the network data stream; the policy management device extracts the attribute values from the network data stream or obtains them directly from the request.
  • The attribute values of the network data stream include one or more of the source physical port, VLAN ID, source MAC address, destination MAC address, source IP address, destination IP address, source TCP port, and destination TCP port. Other attribute values can also be included.
  • Step S202: Determine the security domain to which the network data flow belongs according to the attribute values of the network data flow.
  • The policy management device determines the security domain to which the network data flow belongs according to the attribute values of the network data flow.
  • A security domain is a collection of networks or systems in which the same tenant uses the same security policy. Data flows of the same security domain share the same control policy. For example, "tenant 1" rents three computers A, B, and C, and "tenant 2" rents computers 1, 2, and 3; one can define that tenant 1's computers belong to "Security Domain 1" and tenant 2's computers belong to "Security Domain 2". Different tenants can be distinguished by each tenant's VLAN ID, MAC addresses, VPN tunnel, and so on.
  • "Security Domain 1" can include the following MAC address combination: MacA, MacB, MacC; "Security Domain 2" may include the following MAC address combination: Mac1, Mac2, Mac3; and so on.
  • The policy management device generates, according to the security policy information of each tenant, the control policy of each security domain based on the network data flow attributes.
  • The security policy information of each tenant includes at least the security domain identifier, the correspondence between the security domain and the network data flow attributes, and the security policy within the security domain.
  • The correspondence between the security domain and the network data flow attributes describes which attributes of a network data flow are used to determine the security domain to which the data flow belongs.
  • For example, "Security Domain 1" consists of three virtual machines A, B, and C distributed on different hosts.
  • Their MAC addresses are MacA, MacB, and MacC, and their IP addresses are 10.0.0.1, 10.0.0.2, and 10.0.0.3.
  • "Security Domain 2" consists of three virtual machines 1, 2, and 3 distributed on different hosts.
  • Their MAC addresses are Mac1, Mac2, and Mac3, and their IP addresses are 10.0.0.1, 10.0.0.2, and 10.0.0.3.
  • "Security Domain 1" corresponds to "Tenant 1", which sets the following security policy: any to 10.0.0.2 -dport 80 -j Accept (that is, the tenant requires the firewall to allow all hosts to send, from any port, to port 80 of the IP address 10.0.0.2).
  • "Security Domain 2" corresponds to "Tenant 2", which sets the following security policy: any to 10.0.0.3 -dport 80 -j Drop (that is, the tenant requires the firewall to prohibit any host from sending, from any port, packets to port 80 of the IP address 10.0.0.3).
  • The "correspondence between the security domain and the network data stream attributes" is not limited to the four types mentioned; it may be any single network data flow attribute or a combination of several.
  • The above embodiment uses only one correspondence relationship as an example. Similar correspondences include, but are not limited to, a VLAN ID corresponding to a "security domain", an MPLS VPN label corresponding to a "security domain", a combination of source physical ports corresponding to a "security domain", and so on.
  • According to the "correspondence between the security domain and the network data flow attributes", it can be determined by which network data flow attributes the security domain is described, and the attribute values corresponding to the security domain (that is, the values of the attributes describing the security domain) are extracted from the attribute values of the network data flow; the extracted attribute values are matched against the attribute values corresponding to each security domain, thereby determining the security domain to which the network data flow belongs.
  • For example, if the security domain is described by a combination of MAC addresses, the source MAC address and destination MAC address of the data stream are extracted from the network data stream, and the combination of MAC addresses determines which security domain the data stream belongs to. If the security domain is described by VLAN ID, the VLAN ID of the data stream is extracted from the network data stream, and the VLAN ID is used to determine which security domain the data stream belongs to.
  • Step S203: Search for the corresponding control policy based on network data flow attributes according to the security domain.
  • Having determined which security domain a data flow belongs to, the policy management device searches for the control policy based on network data flow attributes in that security domain.
  • The control policy includes the control behavior applied to network data flows belonging to the security domain that meet the preset conditions.
  • The preset condition includes a value range for at least one attribute.
  • The control policy includes a flow table matching domain and a flow table control behavior.
  • The flow table matching domain refers to the match between the network data flow attributes and the data flow attributes in the control policy (i.e. the preset condition described above).
  • The flow table control behavior is the specific processing applied to a network data stream, for example allowing the network data stream to pass ("Accept") or blocking the network data stream ("Drop").
  • The control behavior can also be any other way of processing the network data stream, such as address exchange.
  • "Security Domain 1" corresponds to MAC Group 1: MacA, MacB, MacC; that is, a system consisting of three network devices with MAC addresses MacA, MacB, and MacC is called "Security Domain 1".
  • "Security Domain 2" corresponds to MAC Group 2: Mac1, Mac2, Mac3; that is, a system consisting of three network devices with MAC addresses Mac1, Mac2, and Mac3 is called "Security Domain 2".
  • Table 7: Control behavior based on network data flow attributes in Security Domain 2 (column headers: source, VLAN ID, source, target, source IP, destination IP, protocol, source ...).
  • Each security domain corresponds to a control policy based on network data flow attributes.
  • According to the security domain to which the network data flow belongs, the policy management device finds the corresponding control policy based on network data flow attributes, and matches the attribute values of the network data flow against the network data flow attribute values in the control policy to determine the control behavior adopted for the network data flow, which guides the network traffic processing device in processing the network data stream.
  • For the above Flow1, its attribute values are obtained as shown in Table 1; looking up the combination of the source MAC address MacA and the destination MAC address MacB of Flow1 in the table shows that Flow1 belongs to MAC Group 1, that is, to "Security Domain 1", so Flow1 is processed by the control policy of "Security Domain 1".
  • The control policy based on network data flow attributes of "Security Domain 1" is as shown in Table 6 above, from which it can be seen that the control behavior adopted for the network data flow Flow1 in this security domain is "Accept"; this control behavior is sent to the network traffic processing device.
  • The processing of other data streams is similar to the above.
  • Each data stream's security domain is determined according to its flow table attributes, and the control behavior for the network data stream is found according to that security domain. For data flows that do not match the rules of any preset security domain, the policy management device needs to set other control policies to guide the network traffic processing device, which are not illustrated here.
  • Step S205: Send the control behavior to the network traffic processing device, so that the network traffic processing device processes the network data flow according to the control behavior.
  • The policy management device sends the control behavior for the network data flow to the network traffic processing device, and the network traffic processing device processes the network data flow according to the returned control behavior. For example, from the returned flow table control behavior it is known that the control behavior for Flow1 is "Accept", so an "Accept" operation is performed on Flow1 to allow normal access of the data flow.
  • the network traffic processing device mentioned above is a switch, and the policy management device is a controller.
  • the network traffic processing device can also be a firewall.
  • Example 1: virtual machine A of tenant 1, with IP address 10.0.0.1, accesses port 80 of virtual machine B with IP address 10.0.0.2.
  • The switch receives a data flow Flow1, that is, virtual machine A of tenant 1 with IP address 10.0.0.1 accesses port 80 of virtual machine B with IP address 10.0.0.2, and obtains the data stream attributes (XX denotes a specific value) as listed in Table 1 above.
  • The switch sends the attributes of Flow1 to the Controller to ask how this flow should be handled; alternatively, the switch forwards the data stream Flow1 itself to the Controller and lets the Controller extract the attributes.
  • After receiving the attributes of the data stream (or the data stream itself), the Controller determines which security domain the data stream belongs to from those attributes. Specifically, the Controller learns from the "correspondence between the security domain and the network data stream attribute" that the security domain in this embodiment is described by a MAC group; it then takes the combination of Flow1's source MAC address and destination MAC address (MACB) and looks it up in the table, which shows that Flow1 belongs to MAC Group 1, i.e. to "Security Domain 1".
  • The Controller obtains the "flow table control behavior" for this data flow under the "control policy" of the network data flow's "security domain"; that is, the Controller matches the attributes of Flow1 against the "control policy" under MAC Group 1.
  • Table 8 shows the result of matching the attributes in Table 1 above against the control policy in Table 6 above:
  • The "flow table control behavior" corresponding to Flow1 is "Accept".
  • According to the "flow table control behavior" returned by the Controller for Flow1, the switch SW performs an "Accept" operation on Flow1, allowing normal access for the data stream.
  • Example 2: virtual machine 2 of tenant 2, with IP address 10.0.0.2, accesses port 80 of virtual machine 3 with IP address 10.0.0.3. Note that this address is also used by tenant 1's virtual machine B in Example 1: the tenants' IP address spaces overlap, and the security domain is resolved from the MAC group, not from the IP address.
  • The switch receives a data flow Flow2, that is, virtual machine 2 of tenant 2 with IP address 10.0.0.2 accesses port 80 of virtual machine 3 with IP address 10.0.0.3, and obtains the following data stream attribute values (XX denotes a specific value):
  • The switch sends the attribute values of Flow2 to the Controller to ask how this flow should be handled.
  • After receiving the attribute values of the data stream (or the data stream itself), the Controller determines which security domain the data stream belongs to from those attribute values. Specifically, the Controller learns from the "correspondence between the security domain and the network data stream attribute" that the security domain in this embodiment is described by a MAC group; it then takes the combination of Flow2's source MAC address and destination MAC address (MAC3) and looks it up in the table, which shows that Flow2 belongs to MAC Group 2, i.e. to "Security Domain 2".
  • The Controller obtains the "flow table control behavior" for this data flow under the "control policy" of the network data flow's "security domain"; that is, the Controller matches the attributes of Flow2 against the "control policy" under MAC Group 2.
  • Table 10 shows the attributes of Flow2 matched against the control policy of its security domain:
  • According to the "flow table control behavior" returned by the Controller for Flow2, the switch SW performs a "Drop" operation on Flow2, prohibiting normal access for the data stream.
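  Examples 1 and 2 carried through in code, as an added illustration that is not code from the patent: the controller first resolves the flow's security domain from the (source MAC, destination MAC) combination, then matches the flow against that domain's attribute-based control policy to obtain "Accept" or "Drop". The MAC placeholders follow the embodiment (tenant 1: MACA, MACB, MACC; tenant 2: MAC1, MAC2, MAC3). Tables 6 and 10 are not reproduced on this page, so the rule contents, the VLAN IDs and source ports, first-hit matching and the fail-closed defaults are all assumptions.

```python
"""Controller-side decision for Examples 1 and 2: resolve the flow's security
domain from the (source MAC, destination MAC) combination, then match the
flow against that domain's control policy to obtain "Accept" or "Drop".

Added illustration; not code from the patent. Rule contents, VLAN IDs,
source ports and the fail-closed defaults are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

ACCEPT = "Accept"
DROP = "Drop"


@dataclass(frozen=True)
class FlowAttrs:
    """The flow attribute values the switch reports to the controller."""
    in_port: int
    vlan_id: Optional[int]
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_tcp: Optional[int]
    dst_tcp: Optional[int]


@dataclass(frozen=True)
class Rule:
    """One flow-table entry: match field (attribute -> required value; an
    absent attribute is a wildcard) and the control behavior on a hit."""
    match: dict
    action: str


# Correspondence "security domain <-> flow attribute": in this embodiment a
# domain is described by a MAC group (membership as in the embodiment).
SECURITY_DOMAINS = {
    "Security Domain 1": frozenset({"MACA", "MACB", "MACC"}),  # tenant 1
    "Security Domain 2": frozenset({"MAC1", "MAC2", "MAC3"}),  # tenant 2
}

# Per-domain control policy based on flow attributes (assumed contents,
# chosen so that Flow1 is accepted and Flow2 is dropped as in the examples).
CONTROL_POLICY = {
    "Security Domain 1": [Rule({"dst_ip": "10.0.0.2", "dst_tcp": 80}, ACCEPT)],
    "Security Domain 2": [Rule({"dst_ip": "10.0.0.3", "dst_tcp": 80}, DROP)],
}


def resolve_domain(flow: FlowAttrs) -> Optional[str]:
    """Look up the (src MAC, dst MAC) combination in the domain table.
    A pair that spans two groups, or touches no group, maps to no domain."""
    for domain, macs in SECURITY_DOMAINS.items():
        if flow.src_mac in macs and flow.dst_mac in macs:
            return domain
    return None


def rule_hits(rule: Rule, flow: FlowAttrs) -> bool:
    """All match-field attributes must equal the flow's values."""
    return all(getattr(flow, attr) == value for attr, value in rule.match.items())


def control_behavior(flow: FlowAttrs) -> str:
    """Domain first, then that domain's policy; first hit wins.
    An unresolved domain or no matching rule fails closed (assumption)."""
    domain = resolve_domain(flow)
    if domain is None:
        return DROP
    for rule in CONTROL_POLICY.get(domain, ()):
        if rule_hits(rule, flow):
            return rule.action
    return DROP


# Flow1: tenant 1, VM A (10.0.0.1) -> VM B (10.0.0.2), port 80
FLOW1 = FlowAttrs(1, 100, "MACA", "MACB", "10.0.0.1", "10.0.0.2", 40001, 80)
# Flow2: tenant 2, VM 2 (10.0.0.2) -> VM 3 (10.0.0.3), port 80
FLOW2 = FlowAttrs(2, 200, "MAC2", "MAC3", "10.0.0.2", "10.0.0.3", 40002, 80)
# Constructed: tenant 1's VM A addressing tenant 2's VM 3 (no shared domain)
CROSS_TENANT = FlowAttrs(1, 100, "MACA", "MAC3", "10.0.0.1", "10.0.0.3", 40003, 80)

if __name__ == "__main__":
    for name, flow in (("Flow1", FLOW1), ("Flow2", FLOW2), ("cross", CROSS_TENANT)):
        print(name, resolve_domain(flow), control_behavior(flow))
```

Two points the walk-through leaves implicit are visible here. The address 10.0.0.2 belongs to a different machine in each tenant, so a policy keyed on IP alone would be ambiguous; resolving the domain from the MAC group first is what makes the per-tenant rule unambiguous. And the constructed CROSS_TENANT flow shows why both endpoints go into the domain lookup: a lookup on the source MAC alone would place that flow in Security Domain 1 and evaluate it under tenant 1's policy, whereas requiring both MACs in the same group leaves it without a domain, which this example drops.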
  • In the embodiment of the present application, the policy management device determines the security domain to which a network data flow belongs from the attributes of the flow passing through the network traffic processing device, and then determines the control behavior for that flow from the attribute-based control policy it holds for that security domain and the flow's attribute values; the network traffic processing device then processes the flow according to that control behavior. Because a security domain is defined by the scope of each tenant's security policy, the number of virtual security instances is no longer limited by the number of protocol-related virtual constructs, such as "virtual ports", that the dedicated security device supports, but only by the security device itself.
  • FIG. 4 is a schematic structural diagram of an embodiment of a network traffic processing device according to the present application.
  • the network traffic processing device 100 includes a requesting module 11 and a processing module 12, where:
  • The requesting module 11 is configured to request, after receiving a network data flow, the control behavior corresponding to that flow from the policy management device, where the control behavior includes allowing the flow to pass or blocking it. When a virtual machine performs data access, it generates the corresponding network data flow; after receiving the flow, the requesting module 11 sends a request to the policy management device to obtain the control behavior for it.
  • When the requesting module 11 sends the request, it can forward the network data flow itself to the policy management device, which then extracts the flow's attribute values from it. The attribute values include at least one of: the source physical port, the VLAN ID, the source MAC address, the destination MAC address, the source IP address, the destination IP address, the source TCP port and the destination TCP port. Other data flow attribute values can of course also be included.
  • Alternatively, the requesting module 11 may extract the attribute values from the network data flow itself and send the extracted values to the policy management device to obtain the control behavior for the flow.
  • The policy management device finds the security domain to which the flow belongs directly from the attribute values, finds the attribute-based control policy for that security domain, determines the flow's control behavior from the found control policy and the flow's attributes, and sends the control behavior to the processing module 12.
  • the processing module 12 is configured to receive the control behavior returned by the policy management device, and process the network data flow according to the control behavior.
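  The attribute extraction described above, whichever side performs it, carried through on a raw frame as an added illustration (not code from the patent): the eight attribute values the embodiment names are read from the Ethernet header, an optional IEEE 802.1Q tag, the IPv4 header and the TCP header. The sample frame is constructed here; the source physical port is assumed to arrive as switch metadata alongside the frame rather than inside it, and fields a frame does not carry (a non-IPv4 or non-TCP flow) are reported as None.

```python
"""Extract the flow attribute values named in the embodiment (source physical
port, VLAN ID, source/destination MAC, source/destination IP, source/
destination TCP port) from a raw Ethernet frame.

Added illustration, not code from the patent; the sample frame is
constructed below and the source physical port is assumed to be supplied
by the switch as metadata.
"""
import socket
import struct
from typing import Optional

ETHERTYPE_VLAN = 0x8100   # IEEE 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def extract_attributes(in_port: int, frame: bytes) -> dict:
    """Return the attribute dict; fields the frame does not carry are None.
    Raises ValueError on a truncated or malformed frame instead of guessing."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset = 14
    vlan_id: Optional[int] = None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF            # VLAN ID is the low 12 bits of the TCI
        offset = 18
    attrs = {
        "src_phys_port": in_port, "vlan_id": vlan_id,
        "src_mac": _mac(src_mac), "dst_mac": _mac(dst_mac),
        "src_ip": None, "dst_ip": None, "src_tcp": None, "dst_tcp": None,
    }
    if ethertype != ETHERTYPE_IPV4:
        return attrs                       # only L2 attributes for non-IPv4
    if len(frame) < offset + 20:
        raise ValueError("truncated IPv4 header")
    version_ihl = frame[offset]
    ihl = (version_ihl & 0x0F) * 4
    if version_ihl >> 4 != 4 or ihl < 20 or len(frame) < offset + ihl:
        raise ValueError("malformed IPv4 header")
    attrs["src_ip"] = socket.inet_ntoa(frame[offset + 12:offset + 16])
    attrs["dst_ip"] = socket.inet_ntoa(frame[offset + 16:offset + 20])
    if frame[offset + 9] == IPPROTO_TCP:   # protocol field of the IPv4 header
        l4 = offset + ihl
        if len(frame) < l4 + 4:
            raise ValueError("truncated TCP header")
        attrs["src_tcp"], attrs["dst_tcp"] = struct.unpack("!HH", frame[l4:l4 + 4])
    return attrs


def build_frame(src_mac: str, dst_mac: str, vlan_id: Optional[int],
                src_ip: str, dst_ip: str, src_tcp: int, dst_tcp: int) -> bytes:
    """Construct a minimal (optionally tagged) Ethernet/IPv4/TCP frame.
    Checksums are left zero; they are not needed for attribute extraction."""
    tcp = struct.pack("!HHIIBBHHH", src_tcp, dst_tcp, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP,
                     0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan_id is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


# Constructed sample: a SYN from VM A (10.0.0.1) to port 80 of VM B (10.0.0.2)
# on VLAN 100, received by the switch on physical port 3.
SAMPLE_FRAME = build_frame("02:00:00:00:0a:01", "02:00:00:00:0a:02", 100,
                           "10.0.0.1", "10.0.0.2", 40001, 80)

if __name__ == "__main__":
    print(extract_attributes(3, SAMPLE_FRAME))
```

One caveat a practitioner will want: apart from the source physical port, every value above is read from the tenant's own packet, and a host can forge its source MAC or VLAN tag. Whichever device extracts the attributes, the domain lookup is only as trustworthy as the switch's binding of each physical port to the MAC addresses and VLANs it is allowed to source; without that binding a tenant could present attributes that place its traffic in another tenant's security domain.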
  • FIG. 5 is a schematic structural diagram of an embodiment of a policy management device according to the present application.
  • The policy management device 200 includes a receiving module 21, a first determining module 22, a searching module 23, a second determining module 24 and a sending module 25, where:
  • the receiving module 21 is configured to receive a network data flow control behavior request from the network traffic processing device, obtain the attribute value of the network data flow from the request, and pass it to the first determining module 22, where the attribute value includes at least one of: the source physical port, the virtual local area network identifier, the source network hardware address, the destination network hardware address, the source IP address, the destination IP address, the source transmission control protocol port and the destination transmission control protocol port;
  • the network traffic processing device After receiving the network data flow, the network traffic processing device requests the policy management device for the control behavior of the network data flow.
  • The receiving module 21 receives the request, which carries either the attribute values of the network data flow or the flow itself; the receiving module 21 takes the attribute values directly from the request or extracts them from the flow, and sends them to the first determining module 22.
  • the first determining module 22 is configured to determine, from the network data flow attribute values, the security domain to which the flow belongs, where a security domain is a set of networks or systems of the same tenant that adopt the same security policy, and network data flows belonging to the same security domain share the same set of control policies;
  • the first determining module 22 determines, according to the network data stream attribute value, which security domain the network data stream belongs to.
  • the searching module 23 is configured to search for the corresponding attribute-based control policy according to the security domain determined by the first determining module 22;
  • the second determining module 24 is configured to determine, from the control policy found by the searching module 23 and the attribute values of the network data flow, the control behavior corresponding to the flow, and to output the control behavior to the sending module 25, where the control policy includes the control behavior for network data flows in the security domain that meet preset conditions.
  • The searching module 23 looks up the attribute-based control policy corresponding to the security domain that the first determining module 22 has assigned to the flow, and the control behavior is then determined from the found control policy and the flow's attribute values.
  • Each security domain corresponds to one attribute-based control policy, so once the security domain of a data flow is known, the corresponding control policy is found from that security domain.
  • the second determining module 24 determines the control behavior corresponding to the network data flow according to the found control policy and the network data flow attribute, so as to guide the network traffic processing device to perform corresponding processing on the network data flow.
  • the sending module 25 is configured to send the control behavior to the network traffic processing device, so that the network traffic processing device processes the network data stream according to the control behavior.
  • The sending module 25 sends the control behavior for the network data flow to the network traffic processing device, which processes the flow according to the returned control behavior. The policy management device is further used to generate, from the security policy information of each tenant, an attribute-based control policy for each security domain.
  • The security policy information of each tenant includes at least the security domain identifier, the correspondence between the security domain and the network data flow attributes, and the security policy within the security domain. The correspondence between the security domain and the network data flow attributes describes which attributes of a network data flow are used to determine the security domain to which the flow belongs.
  • The "correspondence between the security domain and the network data flow attribute" may take more than four forms: any single network data flow attribute value, or a combination of several, may be used.
  • The above embodiment uses only one such correspondence as an example. Similar correspondences include, but are not limited to, a VLAN-ID corresponding to a "security domain", an MPLS VPN label corresponding to a "security domain", and a combination of source physical ports corresponding to a "security domain".
  • When extracting the attribute values of a network data flow, the receiving module 21 obtains those attribute values that the correspondence relationship uses; they are matched against the correspondence relationship, and the first determining module 22 thereby determines the security domain to which the flow belongs.
  • If the security domain is described by a combination of MAC addresses, the source MAC address and destination MAC address are extracted from the network data flow, and the combination of the two determines which security domain the flow belongs to. If the security domain is described by a VLAN-ID, the VLAN-ID is extracted from the flow and used to find the security domain the flow belongs to.
  • The second determining module 24 determines, from the found control policy and the attributes of the network data flow, the control behavior corresponding to the flow.
  • The control policy includes the control behavior for network data flows in the security domain that meet preset conditions.
  • The control policy consists of a flow table match field (that is, the preset condition described above) and a flow table control behavior.
  • The flow table match field specifies the data flow attributes against which a network data flow's attributes are matched in the control policy, and the flow table control behavior is the specific control behavior applied to a network data flow, such as, but not limited to, "Accept" or "Drop".
  • the network traffic processing device of the foregoing embodiment is a switch, and the policy management device is a controller.
  • The network traffic processing device can also be a firewall.
  • FIG. 6 is a schematic structural diagram of another embodiment of a network traffic processing device according to the present application.
  • The network traffic processing device 100 of the present embodiment includes a processor 31, a receiver 32, a transmitter 33, a random access memory 34, a read-only memory 35, a bus 36 and a network interface unit 37.
  • The processor 31 is coupled to the receiver 32, the transmitter 33 and the random access memory 34 via the bus 36.
  • The receiver 32 receives the network data flow that needs to be processed.
  • The processor 31 is configured to extract the attribute values of the data flow from the network data flow, where the attribute values include at least one of: the source physical port, the VLAN ID, the source MAC address, the destination MAC address, the source IP address, the destination IP address, the source TCP port and the destination TCP port. Other data flow attribute values can of course also be included.
  • the transmitter 33 is configured to send the attribute value of the data stream or the data stream extracted by the processor 31 to the policy management device to obtain a control behavior corresponding to the network data stream.
  • the processor 31 further processes the network data stream according to the control behavior corresponding to the network data stream returned by the policy management device.
  • the control behavior includes various specific processing methods for the network data stream. For example, allowing network data streams to pass or block network data streams, and other processing methods, such as address exchange, address translation, and the like.
  • the processor 31 may be a central processing unit CPU, or an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present application.
  • FIG. 7 is a schematic structural diagram of another embodiment of a policy management device according to the present application.
  • The policy management device 200 of the present embodiment includes a processor 41, a receiver 42, a transmitter 43, a random access memory 44, a read-only memory 45 and a bus 46.
  • the processor 41 is coupled to the receiver 42, the transmitter 43, the random access memory 44, and the read only memory 45 via a bus 46, respectively.
  • The device boots through the basic input/output system or the bootloader of the embedded system stored in the read-only memory 45 and enters the normal running state; once running, it executes the operating system and application from the random access memory 44, so that:
  • the receiver 42 receives a control behavior request for the network data stream from the network traffic processing device, the request including the attribute value of the network data stream or the network data stream.
  • the processor 41 obtains the attribute value of the network data stream from the control behavior request, and determines the security domain to which the network data flow belongs according to the attribute value of the network data flow.
  • A security domain is a set of networks or systems of the same tenant that adopt the same security policy, and network data flows belonging to the same security domain share the same set of control policies. For example, "tenant 1" rents three computers A, B and C, and "tenant 2" rents three computers 1, 2 and 3; one can then define that tenant 1's computers belong to "Security Domain 1" and tenant 2's computers belong to "Security Domain 2".
  • Different tenants can be identified by each tenant's VLAN-ID, MAC addresses, VPN tunnel, and so on.
  • "Security Domain 1" may then comprise the MAC address combination MACA, MACB, MACC, and "Security Domain 2" the combination MAC1, MAC2, MAC3, and so on.
  • The processor 41 further finds, according to the security domain to which the network data flow belongs, the corresponding attribute-based control policy, determines the control behavior for the flow from the found control policy and the flow's attributes, and outputs the control behavior to the transmitter 43.
  • the processor 41 is further configured to generate, according to the security policy information of each tenant, a control policy of each security domain based on the network data flow attribute.
  • the security policy information of each tenant includes at least the security domain identifier, the correspondence between the security domain and the network data flow attribute, and the security policy in the security domain.
  • the corresponding relationship between the security domain and the network data flow attribute is used to describe which attributes of the network data flow are used to determine the security domain to which the data flow belongs.
  • The "correspondence between the security domain and the network data flow attribute" may take more than four forms: any single network data flow attribute value, or a combination of several, may be used. For example:
  • a VLAN-ID corresponds to the "security domain";
  • an MPLS VPN label corresponds to the "security domain";
  • a combination of source physical ports corresponds to the "security domain".
  • The processor 41 can determine which network data flow attribute values the security domain is defined by, obtain those values when extracting the flow's attribute values, and match them against the correspondence relationship to determine the security domain to which the flow belongs.
  • If the security domain is described by a combination of MAC addresses, the source MAC address and destination MAC address are extracted from the network data flow, and the combination of the two determines which security domain the flow belongs to. If the security domain is described by a VLAN-ID, the VLAN-ID is extracted from the flow and used to find the security domain the flow belongs to.
  • the control policy includes the control behavior of the network data flow in the security domain that meets the preset conditions.
  • The control policy consists of a flow table match field (that is, the preset condition described above) and a flow table control behavior.
  • The flow table match field specifies the data flow attributes against which a network data flow's attributes are matched in the control policy, and the flow table control behavior is the specific control behavior applied to a network data flow, such as, but not limited to, "Accept" or "Drop".
  • the processor 41 may be a central processing unit CPU, or an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present application.
  • the transmitter 43 sends the control behavior of the corresponding network data stream obtained by the processor 41 to the network traffic processing device, so that the network traffic processing device performs corresponding processing on the network data stream according to the control behavior.
  • The present application further provides a network system that includes a network traffic processing device 100 and a policy management device 200, which communicate with each other.
  • the network traffic processing device mentioned in the foregoing implementation manner is a switch, and the policy management device is a controller. If applied in a scenario other than SDN, the network traffic processing device can also be a firewall.
  • The policy management device determines, from the attributes of the network data flow passing through the network traffic processing device, the security domain to which the flow belongs, and then determines the flow's control behavior from the attribute-based control policy it holds for that security domain and the flow's attribute values; the network traffic processing device processes the flow according to that control behavior. Because a security domain is defined by the scope of each tenant's security policy, the number of virtual security instances is no longer limited by the number of protocol-related virtual constructs, such as "virtual ports", that the dedicated security device supports, but only by the security device itself; security device virtualization no longer has to be built on a specific technology such as VLAN or VPN; and once the security device is virtualized, multiple tenants can share one security device without affecting each other, each applying its own security policy within the SDN system.
  • the disclosed systems, devices, and methods may be implemented in other ways.
  • the device implementations described above are merely illustrative.
  • the division of the modules or units is only a logical function division.
  • There may be other division manners; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the present embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software function unit.
  • the integrated unit if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium.
  • The computer-readable storage medium includes a number of instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) or a processor to execute all or part of the steps of the methods of the embodiments of the present application.
  • The foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Access control method, device and system. The access control method comprises the following steps: a policy management device receives a network data flow control behavior request from a network traffic processing device and obtains an attribute value of the network data flow from the request; the device determines the security domain of the network data flow according to the attribute value of the network data flow; the device searches, according to the security domain, for the corresponding control policy based on a network data flow attribute, and determines the control behavior for the network data flow according to the found control policy and the attribute value of the network data flow; and it sends the control behavior to the network traffic processing device, so that the network traffic processing device processes the network data flow according to the control behavior. By means of the above procedure, the present invention is independent of the virtual ports of a network isolation technology or of the network isolation technology supported by a security device, so that multiple users can share one security device and apply their security policies separately without affecting each other.
PCT/CN2014/070715 2013-03-26 2014-01-16 Procédé, dispositif et système de contrôle d'accès WO2014154040A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310101301.9 2013-03-26
CN201310101301.9A CN103152361B (zh) 2013-03-26 2013-03-26 访问控制方法及设备、系统

Publications (1)

Publication Number Publication Date
WO2014154040A1 true WO2014154040A1 (fr) 2014-10-02

Family

ID=48550223

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/070715 WO2014154040A1 (fr) 2013-03-26 2014-01-16 Procédé, dispositif et système de contrôle d'accès

Country Status (2)

Country Link
CN (1) CN103152361B (fr)
WO (1) WO2014154040A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113452722A (zh) * 2021-08-30 2021-09-28 统信软件技术有限公司 一种用户隔离方法、数据传输方法、计算设备及存储介质

Families Citing this family (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103152361B (zh) * 2013-03-26 2015-12-02 华为技术有限公司 访问控制方法及设备、系统
WO2015066878A1 (fr) * 2013-11-07 2015-05-14 华为技术有限公司 Dispositif de commande et procédé de commande dans un réseau défini par logiciel (sdn)
CN103581325B (zh) * 2013-11-11 2017-11-03 中国联合网络通信集团有限公司 一种云计算资源池系统及其实现方法
US10009287B2 (en) * 2013-12-26 2018-06-26 Huawei Technologies Co., Ltd. Hierarchical software-defined network traffic engineering controller
CN103701824B (zh) * 2013-12-31 2017-06-06 大连环宇移动科技有限公司 一种安全隔离管控系统
CN103763309B (zh) * 2013-12-31 2018-03-30 曙光云计算集团有限公司 基于虚拟网络的安全域控制方法和系统
WO2015113279A1 (fr) * 2014-01-29 2015-08-06 华为技术有限公司 Réseau de communication, dispositif, et procédé de commande
CN104023034B (zh) * 2014-06-25 2017-05-10 武汉大学 一种基于软件定义网络的安全防御系统及防御方法
CN104092684B (zh) * 2014-07-07 2017-10-03 新华三技术有限公司 一种OpenFlow协议支持VPN的方法及设备
CN105450603A (zh) * 2014-08-22 2016-03-30 杭州迪普科技有限公司 一种报文处理方法和装置
CN105656841B (zh) * 2014-11-11 2018-12-11 新华三技术有限公司 一种软件定义网络中实现虚拟防火墙的方法和装置
CN104394080A (zh) * 2014-11-28 2015-03-04 杭州华三通信技术有限公司 实现安全组功能的方法及装置
CN104506511A (zh) * 2014-12-15 2015-04-08 蓝盾信息安全技术股份有限公司 一种sdn网络动态目标防御系统及方法
CN105763512B (zh) * 2014-12-17 2019-03-15 新华三技术有限公司 Sdn虚拟化网络的通信方法和装置
CN104580168B (zh) * 2014-12-22 2019-02-26 华为技术有限公司 一种攻击数据包的处理方法、装置及系统
WO2016145629A1 (fr) 2015-03-18 2016-09-22 华为技术有限公司 Procédé et appareil pour établir une communication dans un réseau social défini par logiciel et système de communication
CN105591953B (zh) * 2015-09-18 2019-09-06 新华三技术有限公司 一种OpenFlow实例的实现方法和装置
CN108156117B (zh) * 2016-12-05 2021-04-27 中国移动通信有限公司研究院 一种进行安全控制的方法、交换机以及过滤设备
CN107563224B (zh) * 2017-09-04 2020-07-28 浪潮集团有限公司 一种多用户物理隔离方法及装置
CN107819683B (zh) * 2017-10-25 2021-01-26 杭州安恒信息技术股份有限公司 安全资源池实现租户业务流量编排的方法、装置及电子设备
CN107864126A (zh) * 2017-10-30 2018-03-30 国云科技股份有限公司 一种云平台虚拟网络行为检测方法
CN108228318B (zh) * 2017-12-29 2021-08-06 优刻得科技股份有限公司 云容器与管理装置通信的方法、宿主机、系统和存储介质
CN110351394B (zh) * 2018-04-02 2022-11-22 深信服科技股份有限公司 网络数据的处理方法及装置、计算机装置及可读存储介质
CN109088886B (zh) * 2018-09-29 2021-10-01 郑州云海信息技术有限公司 在防火墙上监控策略的管理方法和装置
CN112532405A (zh) * 2019-09-17 2021-03-19 中兴通讯股份有限公司 软件定义网络sdn网络构建方法及装置
CN112769879A (zh) * 2019-11-01 2021-05-07 上汽通用汽车有限公司 用于保护车载通信系统安全的方法和装置
KR20220126736A (ko) * 2020-01-17 2022-09-16 광동 오포 모바일 텔레커뮤니케이션즈 코포레이션 리미티드 보안 정보 발견 방법, 보안 정보 구성 방법 및 기기
CN113114640B (zh) * 2021-03-29 2022-05-27 新华三大数据技术有限公司 一种认证方法及装置
CN115086017A (zh) * 2022-06-14 2022-09-20 杭州安恒信息安全技术有限公司 基于安全域的网络数据处理方法、装置、系统和电子设备

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1412996A (zh) * 2002-04-15 2003-04-23 华为技术有限公司 网络设备中基于接口的网络访问控制方法
CN101115018A (zh) * 2007-09-17 2008-01-30 中兴通讯股份有限公司 控制设备访问的方法
CN102404325A (zh) * 2011-11-23 2012-04-04 华为技术有限公司 报文访问控制方法及交换机
CN103152361A (zh) * 2013-03-26 2013-06-12 华为技术有限公司 访问控制方法及设备、系统

Also Published As

Publication number Publication date
CN103152361A (zh) 2013-06-12
CN103152361B (zh) 2015-12-02

Similar Documents

Publication Publication Date Title
WO2014154040A1 (fr) Procédé, dispositif et système de contrôle d'accès
US11656900B2 (en) Frameworks and interfaces for offload device-based packet processing
JP6487979B2 (ja) オフロードデバイスベースのパケット処理のためのフレームワークおよびインターフェース
US9698995B2 (en) Systems and methods for providing multicast routing in an overlay network
US10320838B2 (en) Technologies for preventing man-in-the-middle attacks in software defined networks
US9729578B2 (en) Method and system for implementing a network policy using a VXLAN network identifier
US8880771B2 (en) Method and apparatus for securing and segregating host to host messaging on PCIe fabric
US9042403B1 (en) Offload device for stateless packet processing
EP2779531B1 (fr) Système et procédé d'abstraction de politique de réseau à partir d'interfaces physiques et de création de politique de réseau portable
US8837476B2 (en) Overlay network capable of supporting storage area network (SAN) traffic
Kreeger et al. Network Virtualization Overlay Control Protocol Requirements
US20110090911A1 (en) Method and apparatus for transparent cloud computing with a virtualized network infrastructure
US20180006969A1 (en) Technique for gleaning mac and ip address bindings
US11019025B2 (en) Support for optimized microsegmentation of end points using layer 2 isolation and proxy-ARP within data center
WO2015014187A1 (fr) Procédé de transmission de données et appareil qui prend en charge de multiples locataires
US10432628B2 (en) Method for improving access control for TCP connections while optimizing hardware resources
WO2014134919A1 (fr) Procédé pour une communication entre serveurs dans un même preneur, et dispositif de réseau
US10423434B2 (en) Logical port authentication for virtual machines
US20170237691A1 (en) Apparatus and method for supporting multiple virtual switch instances on a network switch
US9485219B1 (en) VPN for containers and virtual machines in local area networks
US20230069306A1 (en) Policy enforcement on multi-destination packets in a distributed tunnel fabric

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14772877

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14772877

Country of ref document: EP

Kind code of ref document: A1