WO2016180020A1 - Message processing method, device and system - Google Patents


Info

Publication number
WO2016180020A1
Authority
WO
WIPO (PCT)
Prior art keywords
gre
packet
tunnel
user
access device
Prior art date
Application number
PCT/CN2015/097553
Other languages
French (fr)
Chinese (zh)
Inventor
唐亮
蒋维廉
韩涛
王滨
Original Assignee
华为技术有限公司

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 12/00: Data switching networks
    • H04L 12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46: Interconnection of networks
    • H04L 12/4633: Interconnection of networks using encapsulation techniques, e.g. tunneling

Definitions

  • The present invention relates to the field of network technologies, and in particular to a packet processing method, device, and system.
  • Tunneling is a way to pass data between networks by using the infrastructure of the Internet.
  • CPE: customer premises equipment
  • DHCP: dynamic host configuration protocol
  • UPnP: Universal Plug and Play (UPnP server)
  • TR069 protocol: Technical Report 069
  • user management functions
  • NAT: network address translation
  • The integration of many functions into the CPE also increases the operation, maintenance and management costs of the existing network.
  • The different functions of the CPE can be decomposed onto different devices; for example, the control plane functions can be moved to a Broadband Remote Access Server (BRAS).
  • BRAS: Broadband Remote Access Server
  • The Layer 2 customer-side device (L2-CPE) then needs only the basic Layer 2 forwarding function.
  • The BRAS device encapsulates the traffic of each L2-CPE user into a different Generic Routing Encapsulation (GRE) tunnel and sends it through that tunnel to the carrier-grade network address translation (CGN) device.
  • GRE: Generic Routing Encapsulation
  • The foregoing prior-art method needs to configure an independent GRE tunnel for each user end, which has at least the following problems: (1) for a large number of users, a large number of GRE tunnels must be set up, which increases the overhead of tunnel resources; (2) statically configuring a GRE tunnel for each of a large number of clients greatly increases the configuration work per client; (3) keepalive detection is enabled on the massive number of GRE tunnels, which increases system overhead and occupies a large amount of network resources.
  • The embodiments of the present invention provide a packet processing method, device, and system so as to reduce the overhead of tunnel resources when a large number of users access the network.
  • In a first aspect, a packet processing method includes:
  • the access device establishes at least one tunnel with the CGN device;
  • the access device GRE-encapsulates the first data packet sent by the first user end to obtain a first GRE packet, where the first GRE packet carries the first user identifier;
  • the access device sends the first GRE packet to the CGN device through the at least one tunnel.
  • The method further includes:
  • the access device receives a second GRE packet sent by the CGN device through the at least one tunnel, where the second GRE packet is obtained by the CGN device GRE-encapsulating a second data packet sent by the server to the second user end;
  • the second GRE packet carries the second user identifier corresponding to the second user end;
  • the access device decapsulates the second GRE packet and sends the second data packet to the second user end.
  • The GRE header of the first GRE packet carries the first user identifier.
  • Before the first GRE packet is sent through the at least one tunnel, the method further includes performing Internet Protocol Security (IPsec) encapsulation on the first GRE packet.
  • IPsec: Internet Protocol Security
  • A second aspect is a packet processing method applied to a CGN device, where at least one tunnel has been established between the CGN device and the access device by the access device, and the method includes:
  • the CGN device receives a first GRE packet sent by the access device through the at least one tunnel, where the first GRE packet is obtained by the access device GRE-encapsulating a first data packet from the first user end;
  • the first GRE packet carries the first user identifier corresponding to the first user end;
  • the CGN device decapsulates the first GRE packet, obtains the first data packet, and sends the first data packet to a server.
  • The method further includes:
  • the CGN device sends a second GRE packet to the access device through the at least one tunnel.
  • The GRE header of the first GRE packet carries the first user identifier.
  • Before the second GRE packet is sent through the at least one tunnel, the method further includes performing IPsec encapsulation on the second GRE packet.
  • In a third aspect, an access device is provided, where at least one tunnel exists between the access device and the CGN device; the access device includes:
  • a first receiving unit configured to receive a first data packet sent by the first user end;
  • a processing unit configured to acquire the address of the first user end from the first data packet, acquire a first user identifier corresponding to the first user end according to a mapping relationship between user-end addresses and user identifiers, and GRE-encapsulate the first data packet to obtain a first GRE packet, where the first GRE packet carries the first user identifier;
  • a first sending unit configured to send the first GRE packet to the CGN device through the at least one tunnel.
  • The access device further includes a second receiving unit and a second sending unit, where:
  • the second receiving unit is configured to receive a second GRE packet sent by the CGN device through the at least one tunnel, where the second GRE packet is obtained by the CGN device GRE-encapsulating a second data packet sent by the server to the second user end;
  • the second GRE packet carries the second user identifier corresponding to the second user end;
  • the processing unit is further configured to decapsulate the second GRE packet, extract the second user identifier, and obtain the second data packet;
  • the second sending unit is configured to send the second data packet to the second user end.
  • The GRE header of the first GRE packet carries the first user identifier.
  • The processing unit is further configured to perform IPsec encapsulation on the first GRE packet before the first GRE packet is sent through the at least one tunnel.
  • In a fourth aspect, a CGN device is provided, where at least one tunnel has been established between the CGN device and the access device by the access device; the CGN device includes:
  • a first receiving unit configured to receive a first Generic Routing Encapsulation (GRE) packet sent by the access device through the at least one tunnel, where the first GRE packet is obtained by the access device GRE-encapsulating a first data packet from the first user end;
  • the first GRE packet carries the first user identifier corresponding to the first user end;
  • a processing unit configured to decapsulate the first GRE packet and obtain the first data packet;
  • a first sending unit configured to send the first data packet to the server.
  • The CGN device further includes a second receiving unit and a second sending unit, where:
  • the second receiving unit is configured to receive a second data packet sent by the server to the second user end;
  • the processing unit is further configured to obtain the second user identifier corresponding to the second user end according to the mapping relationship between user-end addresses and user identifiers, and to GRE-encapsulate the second data packet to obtain a second GRE packet;
  • the second GRE packet carries the second user identifier;
  • the second sending unit is configured to send the second GRE packet to the access device through the at least one tunnel.
  • The GRE header of the first GRE packet carries the first user identifier.
  • The processing unit is further configured to perform IPsec encapsulation on the second GRE packet before the second GRE packet is sent through the at least one tunnel.
  • In a fifth aspect, a packet processing system includes:
  • the access device provided by the third aspect or any possible implementation of the third aspect, and the CGN device provided by the fourth aspect or any possible implementation of the fourth aspect.
  • In the packet processing method, device, and system provided by the embodiments of the present invention, the access device establishes at least one tunnel with the CGN device and receives the first data packet sent by the first user end;
  • the first data packet sent by the user end is GRE-encapsulated to obtain the first GRE packet, where the first GRE packet carries the first user identifier, and the access device sends the first GRE packet to the CGN device through the at least one tunnel;
  • correspondingly, the CGN device receives and decapsulates the first GRE packet, acquires the first data packet, and then sends the first data packet to the server.
  • When the method, device, and system of the embodiments of the present invention are applied and a large number of users access the network, the overhead of the
  • FIG. 1 is a flowchart of a message processing method according to a first embodiment of the present invention
  • FIG. 2 is a schematic diagram of a format of a GRE packet header in the prior art
  • FIG. 3 is a first schematic diagram of a format of a GRE packet header according to an embodiment of the present invention.
  • FIG. 4 is a second schematic diagram of a format of a GRE packet header according to an embodiment of the present invention.
  • FIG. 5 is a schematic diagram of IPsec encapsulation of a GRE packet according to an embodiment of the present invention.
  • FIG. 6 is a flowchart of a packet processing method according to a second embodiment of the present invention.
  • FIG. 7 is a flowchart of an application scenario of an embodiment of the present invention.
  • FIG. 8 is a schematic structural diagram of an access device according to an embodiment of the present invention.
  • FIG. 9 is a schematic structural diagram of hardware of an access device according to an embodiment of the present invention.
  • FIG. 10 is a schematic structural diagram of a CGN device according to an embodiment of the present invention.
  • FIG. 11 is a schematic structural diagram of hardware of a CGN device according to an embodiment of the present invention.
  • FIG. 12 is a schematic structural diagram of a system according to an embodiment of the present invention.
  • The embodiments of the invention provide a packet processing method, device, and system that can reduce the overhead of tunnel resources, simplify the configuration process, and save system overhead and network resources in the service scenario of users accessing the network.
  • FIG. 1 is a flowchart of a packet processing method according to a first embodiment of the present invention. As shown in FIG. 1, the method may include the following steps.
  • The access device establishes at least one tunnel with the CGN device.
  • The access device is the bridge between the broadband access network and the backbone network: it provides the basic access means and management functions of the broadband access network, is located at the edge of the network to provide broadband access services, and implements the aggregation and forwarding of multiple services, so that it can meet the requirements of different users for transmission capacity and bandwidth utilization.
  • The access device may be a BRAS device. The basic function of the CGN device is to translate an internal private Internet Protocol (IP) address into a public-network IP address. A tunnel may be established between the access device and the CGN device.
  • IP: Internet Protocol
  • The access device can establish at least one tunnel with the carrier-grade network address translation (CGN) device, where each tunnel can carry the data packets of multiple users.
  • A single tunnel can be established between the access device and the CGN device to support a large number of users.
  • More than one tunnel can also be established between the access device and the CGN device.
  • For example, two tunnels can be built. In this case, one tunnel can serve as the primary tunnel and the other as the standby tunnel, forming a hot-standby redundancy mechanism.
  • Alternatively, all the tunnels are primary tunnels, and the large number of users is load-shared across them.
  • The access device receives the first data packet sent by the first user end.
  • The access device provides an access function for the user end and a management function for the broadband access network, so one side of the access device connects to multiple clients, and the access device can receive the first data packet sent by the first user end.
  • The type of the first data packet is not limited; the first data packet may be a service request or a data stream sent by the user end to the server.
  • For example, the first data packet may be a network access request message, a request message for accessing a certain web address or piece of data, an upload data message, or the like.
  • The access device acquires the first user-end address carried in the first data packet and obtains the first user identifier corresponding to the first user-end address according to the mapping relationship between user-end addresses and user identifiers.
  • The first data packet sent by the first user end is encapsulated with the Generic Routing Encapsulation (GRE) protocol to obtain a first GRE packet, where the first GRE packet carries the first user identifier.
  • GRE: Generic Routing Encapsulation protocol
  • The user identifier identifies the user end, so that different user ends can be distinguished by their user identifiers.
  • The user identifier may be allocated directly by the operator to the client when the user opens an account.
  • A mapping relationship between client addresses and user identifiers is established on the access device.
  • The client address may include the IP address of the client.
  • The mapping relationship may be updated by the operator periodically or in real time. For example, when a user end is added and the user opens an account, the operator assigns a unique client identifier to the client and at the same time adds that user identifier to the mapping relationship on the access device.
  • After receiving the first data packet sent by the first user end, the access device acquires the first client address carried in the first data packet and, according to the mapping relationship between client addresses and user identifiers, obtains the first user identifier corresponding to the first client address. The access device then GRE-encapsulates the first data packet sent by the first user end to obtain the first GRE packet.
  • The GRE protocol is applicable to the encapsulation of IP datagrams tunneled through the Internet. GRE can be used as a Layer 3 tunneling protocol to provide a transparent transmission channel for data of any protocol.
  • The first GRE packet carries the first user identifier.
  • That is, the first data packet is GRE-encapsulated, and the first GRE packet carries the first user identifier obtained from the first user-end address.
  • The specific location of the first user identifier in the first GRE packet is not limited.
  • The first user identifier may be located in the GRE header, in the payload of the GRE packet, or elsewhere in the GRE packet, as long as the first GRE packet carries the first user identifier.
  • The access device sends the first GRE packet to the CGN device through the at least one tunnel.
  • The access device may send the first GRE packet to the CGN device through any one of the at least one tunnel.
  • The first user identifier identifies a unique user end, and one tunnel can be shared by multiple GRE packets. That is, one tunnel allows the GRE packets of multiple users to be transmitted, simultaneously or not. Because each GRE packet carries a user identifier, the GRE packets of different users are not confused when one tunnel is used to transmit them. Because the identifier is derived from the client's source address, the receiving side should verify the decapsulated packet against its own copy of the mapping (the verification steps described later for the access device and the CGN device) rather than trusting the identifier alone.
  • In summary, the access device establishes at least one tunnel with the CGN device and, when it receives a user end's data packet and GRE-encapsulates it, makes the GRE packet carry the user identifier of that data packet, so that the data packets of different users are distinguished by user identifier and multiple GRE packets are allowed to share the same tunnel. Therefore, when a large number of users access the network, the overhead of tunnel resources is reduced, the configuration process is simplified, and system overhead and network resources are saved.
  • The access device receives a second GRE packet sent by the CGN device through the at least one tunnel, where the second GRE packet is obtained by the CGN device GRE-encapsulating a second data packet sent by the server to the second user end, and the second GRE packet carries the second user identifier corresponding to the second user end.
  • If the direction in which the access device receives the first data packet from the first user end, processes it, and sends it to the CGN device is called the uplink direction, then the direction in which the access device receives the second data packet, sent by the server, from the CGN device can be called the downlink direction.
  • The type of the second data packet is not limited; the second data packet may be a service request response or a data stream sent by the server to the client.
  • For example, the second data packet may be a network access request response message, a response message to a request for a certain web address or piece of data, a download data message, or the like.
  • The access device receives the second GRE packet sent by the CGN device through the at least one tunnel.
  • The second GRE packet is obtained by the CGN device GRE-encapsulating the second data packet from the server.
  • The second GRE packet carries the second user identifier corresponding to the second data packet.
  • The same method as in S106 of the first embodiment may be used, so that the GRE packet carries the user identifier corresponding to the user end and packets can be distinguished by user identifier.
  • The access device decapsulates the second GRE packet, obtains the second data packet, and sends the second data packet to the user end corresponding to the second data packet.
  • A verification step may be added: the decapsulated second GRE packet is verified against the mapping relationship between client addresses and user identifiers established on the access device.
  • The specific process is: the second GRE packet carries the second user identifier, and the access device uses the second user identifier to obtain the corresponding second client address from the mapping relationship between client addresses and user identifiers established on the access device.
  • The "first data packet" and "second data packet" in this embodiment are only used to distinguish the direction of the data stream: the "first data packet" represents the data stream flowing from the client to the server, and the "second data packet" represents the data stream flowing from the server to the client.
  • The GRE header of the first GRE packet carries the first user identifier.
  • The GRE header of the second GRE packet carries the second user identifier.
  • As described above, the user identifier may be located in the GRE header, in the payload of the GRE packet, or elsewhere in the GRE packet. More specifically, the user identifier may be located in a reserved field of the GRE header or in an optional field of the GRE header.
  • FIG. 2 shows the GRE header format of the prior art;
  • FIG. 3 schematically shows a GRE header format of an embodiment of the present invention;
  • FIG. 4 schematically shows the GRE header format of another embodiment of the present invention.
  • The prior-art GRE header includes a key field (Key Field) with a length of 32 bits.
  • The key field is used to perform end-to-end verification of the encapsulated packets.
  • Key: the channel identification keyword, also called the keyword.
  • The key field provides only a weak authentication mechanism: the key is carried in cleartext and is not cryptographically bound to the packet, so it distinguishes flows rather than authenticating them; the IPsec encapsulation described below is what provides authentication and confidentiality.
  • The GRE header further includes a recursion control field and a flags field; these two fields may be treated as a reserved field, and so, by way of example, the reserved field may be used to carry the user identifier.
  • The user identifier may also be located in an optional field of the GRE header.
  • For example, the key field may be used to carry the user identifier. As shown in FIG. 3, all bits of the key field may be used to carry the user identifier, forming a user identification field.
  • The length of the user identification field is then 32 bits, and the user identification field can be used to identify 2^32 - 1 users.
  • That is, one tunnel can accommodate the first data packets of 2^32 - 1 clients: the user identification field of the GRE header carries a different user identifier for each, allowing 2^32 - 1 users to use the same tunnel simultaneously, so one tunnel can meet the requirements of a large number of users and tunnel resources are saved.
  • Part of the key field may also be used to carry the user identifier, forming a user identification field.
  • For example, as shown in FIG. 4, the lower 16 bits of the key field may carry the user identifier, so that the user identification field is 16 bits long and can identify 2^16 - 1 users.
  • This means that one tunnel can accommodate the first data packets of 2^16 - 1 clients: the user identification field of the GRE header carries a different user identifier for each, allowing 2^16 - 1 users to use the same tunnel simultaneously, so one tunnel can meet the requirements of a large number of users and tunnel resources are saved. Because the user identification field occupies only part of the key field, the upper 16 bits of the key field can still retain the weak authentication feature.
  • The implementation shown in FIG. 4 is only one way of using part of the key field to carry the user identifier. It should be understood that the position occupied by the user identification field within the key field is not limited; for example, the user identification field may be located in the upper 16 bits. Likewise, the length occupied by the user identification field within the key field is not limited; for example, the user identification field may occupy 24 bits or 8 bits.
  • Carrying the user identifier in the key field allows at most 2^32 - 1 clients to share one tunnel. Therefore, establishing a single tunnel can meet the needs of a large number of users.
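As an added example (not code from the patent or from Huawei), the following Python builds and parses a GRE header in the RFC 2784/2890 layout with the Key field carrying the user identifier in the two layouts the page describes: the whole 32-bit key as the identifier (FIG. 3) and the lower 16 bits as the identifier with the upper 16 bits kept as a per-tunnel key (FIG. 4). The function names, the assumption that identifier 0 is reserved (which is why a 32-bit field yields 2^32 - 1 usable identifiers), and the sample packets are this example's own.

```python
"""GRE header with the Key field carrying a subscriber identifier.

Added example, not the patent's or Huawei's code. Header layout follows
RFC 2784 (base header) and RFC 2890 (Key and Sequence Number fields);
the split between identifier bits and tunnel-key bits follows the page's
FIG. 3 / FIG. 4 descriptions. Identifier 0 is treated as reserved here
(an assumption), so a 32-bit field yields 2^32 - 1 usable identifiers.
"""
import struct
from typing import Optional, Tuple

GRE_FLAG_C = 0x8000          # Checksum Present
GRE_FLAG_K = 0x2000          # Key Present
GRE_FLAG_S = 0x1000          # Sequence Number Present
GRE_VERSION_MASK = 0x0007    # Version; must be 0 for RFC 2784 GRE
ETHERTYPE_IPV4 = 0x0800


def user_key_full(user_id: int) -> int:
    """FIG. 3 layout: the whole 32-bit Key is the user identification field."""
    if not 1 <= user_id <= 0xFFFFFFFF:
        raise ValueError("user id must be in 1..2^32-1")
    return user_id


def user_key_split(user_id: int, tunnel_key: int) -> int:
    """FIG. 4 layout: low 16 bits carry the user identifier, high 16 bits keep
    a per-tunnel key so the 'weak authentication' use of the field survives."""
    if not 1 <= user_id <= 0xFFFF:
        raise ValueError("user id must be in 1..2^16-1")
    if not 0 <= tunnel_key <= 0xFFFF:
        raise ValueError("tunnel key must fit in 16 bits")
    return (tunnel_key << 16) | user_id


def split_key(key: int) -> Tuple[int, int]:
    """Inverse of user_key_split: returns (tunnel_key, user_id)."""
    return key >> 16, key & 0xFFFF


def build_gre(payload: bytes, key: int, proto: int = ETHERTYPE_IPV4,
              seq: Optional[int] = None) -> bytes:
    """Encapsulate payload: 4-byte base header, 4-byte Key, optional Sequence Number."""
    flags = GRE_FLAG_K | (GRE_FLAG_S if seq is not None else 0)
    hdr = struct.pack("!HHI", flags, proto, key & 0xFFFFFFFF)
    if seq is not None:
        hdr += struct.pack("!I", seq & 0xFFFFFFFF)
    return hdr + payload


def parse_gre(pkt: bytes) -> dict:
    """Parse a GRE packet into its fields. Raises ValueError on a truncated
    header or a non-zero Version; Key/Sequence are None when their flag is clear."""
    if len(pkt) < 4:
        raise ValueError("truncated GRE base header")
    flags, proto = struct.unpack("!HH", pkt[:4])
    if flags & GRE_VERSION_MASK:
        raise ValueError("unsupported GRE version")
    # Optional fields appear in fixed order: Checksum(+Reserved1), Key, Sequence Number.
    need = 4 + 4 * bool(flags & GRE_FLAG_C) + 4 * bool(flags & GRE_FLAG_K) \
        + 4 * bool(flags & GRE_FLAG_S)
    if len(pkt) < need:
        raise ValueError("truncated GRE optional fields")
    off = 4
    checksum = key = seq = None
    if flags & GRE_FLAG_C:
        checksum = struct.unpack("!H", pkt[off:off + 2])[0]
        off += 4
    if flags & GRE_FLAG_K:
        key = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if flags & GRE_FLAG_S:
        seq = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    return {"proto": proto, "checksum": checksum, "key": key, "seq": seq,
            "payload": pkt[off:]}


def user_id_of(pkt: bytes, split: bool = False) -> Optional[int]:
    """Return the user identifier carried in the packet's Key, or None if the
    packet carries no Key (a receiver using this scheme drops such packets)."""
    key = parse_gre(pkt)["key"]
    if key is None:
        return None
    return split_key(key)[1] if split else key


if __name__ == "__main__":
    inner = b"\x45" + bytes(19)          # constructed placeholder inner IPv4 header
    pkt = build_gre(inner, user_key_split(0x0123, 0xBEEF), seq=7)
    print(pkt[:12].hex(), user_id_of(pkt, split=True), parse_gre(pkt)["seq"])
```

The parser rejects a non-zero Version and truncated optional fields before touching the Key, which is the order a receiver on the CGN side should check in: anything that is not a well-formed RFC 2784 header should never reach the user-identifier lookup.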
  • More than one tunnel may be established between the access device and the CGN device.
  • Taking the construction of two tunnels as an example, one tunnel can be used as the primary tunnel and the other as the standby tunnel to form a hot-standby redundancy mechanism.
  • The specific method of sharing the users among a plurality of tunnels is not limited.
  • Sharing a large number of users among multiple tunnels can be understood as follows: when one tunnel is fully loaded (for example, 2^32 - 1 users are carried), a second tunnel is used to carry the surplus users; or the users can be shared among multiple tunnels even when no tunnel is full; or there are multiple CGN devices, and at least one tunnel is established to each CGN device.
  • In the last case, the tunnel (and thus the CGN device) that the first data packet enters can be determined by parsing the source address and destination address of the first data packet.
  • IPsec encapsulation authenticates and encrypts each IP packet in a data stream and thereby provides high-quality, interoperable, cryptography-based security for IP datagrams, so data streams that need to be encrypted can be encapsulated with IPsec to ensure data security. As shown in FIG. 5, the GRE packet is encapsulated by IPsec: the data stream to be protected is encrypted by performing IPsec encapsulation on the outer layer of the GRE-encapsulated packet, which ensures data security. Note that the GRE header, and with it the user identifier, is protected against modification only when IPsec integrity protection is used (ESP with an integrity algorithm, or AH); encryption-only ESP would hide the identifier without preventing its modification.
  • In summary, the access device establishes at least one tunnel with the CGN device and, when receiving the first data packet of a user end and GRE-encapsulating it, makes the GRE packet carry the user identifier corresponding to that user end's first data packet, so that the first data packets of different user ends are distinguished by user identifier and the GRE packets of multiple users are allowed to share the same tunnel. Thus a large number of users can access the network while
  • the overhead of tunnel resources is reduced, the configuration process is simplified, and system overhead and network resources are saved.
  • FIG. 6 is a flowchart of a packet processing method according to a second embodiment of the present invention.
  • The second embodiment of the present invention describes the packet processing method from the perspective of the CGN device. As shown in FIG. 6, the method is applied to a CGN device, where at least one tunnel has been established between the CGN device and the access device by the access device; the method may include the following steps.
  • The CGN device receives a first GRE packet sent by the access device through the at least one tunnel, where the first GRE packet is obtained by the access device GRE-encapsulating the first data packet from the first user end, and the first GRE packet carries the first user identifier corresponding to the first user end.
  • The function of the CGN device is to translate internal private IP addresses into public-network IP addresses. The CGN device receives the first GRE packet sent by the access device through the at least one tunnel, where the first GRE packet is obtained by the access device GRE-encapsulating the first data packet from the first user end and carries the first user identifier.
  • For the process of encapsulating the first GRE packet and carrying the first user identifier, refer to the corresponding description in the first embodiment.
  • The CGN device decapsulates the first GRE packet and acquires the first data packet.
  • The CGN device may add a verification step according to the mapping relationship between client addresses and user identifiers established on the CGN device.
  • Specifically: the first GRE packet carries the first user identifier; the CGN device obtains, from the mapping relationship, the first client address corresponding to the first user identifier; it then compares the first client address obtained from the mapping relationship with the client address carried in the first data packet decapsulated from the first GRE packet, thereby verifying that the
  • data packet is indeed the first data packet sent by the first user end.
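The uplink and downlink handling, including the mapping-based verification described just above for the CGN device and in the first embodiment for the access device, as an added example (not the patent's or Huawei's code). The mapping table, client and server addresses, and packets are constructed for illustration; the GRE header is written with only the Key flag set and the whole Key used as the user identifier (the FIG. 3 layout), and the downlink check compares the mapped client address with the inner destination, the mirror image of the uplink source check the page describes.

```python
"""Access-device / CGN packet handling with the client-address <-> user-id
mapping and the verification step the page describes.

Added example, not code from the patent or from Huawei. The mapping table,
addresses and packets below are constructed; the GRE header carries the
user identifier in the full 32-bit Key (FIG. 3 layout).
"""
import ipaddress
import struct

GRE_FLAG_K = 0x2000
ETHERTYPE_IPV4 = 0x0800

# Operator-provisioned mapping installed on both devices (constructed sample).
CLIENT_TO_UID = {"10.0.0.11": 1001, "10.0.0.12": 1002, "10.0.0.13": 1003}
UID_TO_CLIENT = {uid: addr for addr, uid in CLIENT_TO_UID.items()}


def ipv4_packet(src, dst, proto=17, payload=b""):
    """Minimal 20-byte IPv4 header (no options, checksum left zero) plus payload.
    Constructed test traffic only."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def ipv4_addrs(pkt):
    """(source, destination) of an IPv4 packet as dotted strings."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20]))


def encapsulate(data_pkt, uid):
    """GRE header with Key Present; the Key is the user identifier."""
    return struct.pack("!HHI", GRE_FLAG_K, ETHERTYPE_IPV4, uid) + data_pkt


def decapsulate_and_verify(gre_pkt, check_destination):
    """Strip the GRE header and verify the user id against the mapping.

    Uplink (CGN side): the inner *source* must be the client the id maps to.
    Downlink (access side): the inner *destination* must be that client.
    Returns (uid, inner_packet), or None when the packet must be dropped."""
    if len(gre_pkt) < 8:
        return None
    flags, proto, uid = struct.unpack("!HHI", gre_pkt[:8])
    if not flags & GRE_FLAG_K or proto != ETHERTYPE_IPV4:
        return None
    inner = gre_pkt[8:]
    try:
        src, dst = ipv4_addrs(inner)
    except ValueError:
        return None
    expected = UID_TO_CLIENT.get(uid)
    actual = dst if check_destination else src
    if expected is None or expected != actual:
        return None                      # unknown id, or id/address mismatch: drop
    return uid, inner


def access_uplink(data_pkt):
    """Access device: look up the user id from the inner source and encapsulate;
    traffic from an unprovisioned client is dropped (None)."""
    src, _ = ipv4_addrs(data_pkt)
    uid = CLIENT_TO_UID.get(src)
    return None if uid is None else encapsulate(data_pkt, uid)


def cgn_uplink(gre_pkt):
    """CGN: decapsulate and check the inner source against the mapping."""
    return decapsulate_and_verify(gre_pkt, check_destination=False)


def cgn_downlink(data_pkt):
    """CGN: look up the user id from the (already un-NATed) inner destination and encapsulate."""
    _, dst = ipv4_addrs(data_pkt)
    uid = CLIENT_TO_UID.get(dst)
    return None if uid is None else encapsulate(data_pkt, uid)


def access_downlink(gre_pkt):
    """Access device: decapsulate and check the inner destination against the mapping."""
    return decapsulate_and_verify(gre_pkt, check_destination=True)


if __name__ == "__main__":
    up = ipv4_packet("10.0.0.11", "203.0.113.5", payload=b"GET /")
    print(cgn_uplink(access_uplink(up)))
    # A packet carrying another subscriber's id is caught by the mapping check.
    print(cgn_uplink(encapsulate(up, 1002)))
```

The check costs one dictionary lookup per packet and catches the case the page's verification step is there for: a GRE packet whose user identifier and inner address disagree, whether because the identifier was forged or because the mapping on the two devices drifted apart.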
  • The CGN device sends the first data packet to a server.
  • After acquiring the first data packet, the CGN device translates the internal private IP address into a public-network IP address and sends the first data packet to the server, and the server performs the corresponding processing according to the request in the first data packet.
  • Specifically, the CGN searches the NAT forward session table using the five-tuple (source IP address, destination IP address, source port number, destination port number, protocol number) and translates the private-network IP address into a public-network IP address.
  • In summary, the access device establishes at least one tunnel with the CGN device, and the GRE packets received by the CGN carry user identifiers, so the GRE packets of multiple users can share the same tunnel.
  • The CGN device receives a second data packet sent by the server to the second user end; the CGN device acquires the address of the second user end and, according to the mapping relationship between user-end addresses and user identifiers, obtains the second user identifier corresponding to the second user end; the second data packet is GRE-encapsulated to obtain a second GRE packet, and the second GRE packet carries the second user identifier;
  • the CGN device sends the second GRE packet to the access device through the at least one tunnel.
  • The CGN device receives the second data packet sent by the server.
  • The second data packet is in the downlink direction relative to the first data packet. The CGN uses the five-tuple (source IP address, destination IP address, source port number, destination port number, protocol number) to search the NAT reverse session table and translates the public-network IP address back into the private-network IP address.
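The forward and reverse five-tuple session-table lookups the page assigns to the CGN, as an added example (not the patent's or Huawei's code). It models a single public address with a small port pool; the class name, pool size, addresses and flows are constructed, and session timeouts, per-protocol port spaces and multi-address pools, which a production CGN needs, are left out.

```python
"""NAT44 session table keyed by five-tuple, as the page describes for the CGN.

Added example, not the patent's or Huawei's code. One public address and a
tiny port pool are assumed for illustration; timeouts, per-protocol port
spaces and address pools are omitted.
"""


class CgnSessionTable:
    def __init__(self, public_ip, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        # Stored descending so that pop() hands out the lowest free port first.
        self.free_ports = list(range(last_port, first_port - 1, -1))
        self.forward = {}   # (priv_src, sport, dst, dport, proto) -> (pub_ip, pub_port)
        self.reverse = {}   # (dst, dport, pub_ip, pub_port, proto) -> (priv_src, sport)

    def forward_lookup(self, priv_src, sport, dst, dport, proto):
        """Uplink: translate the private source. Creates a session on first use
        and returns the translated five-tuple, or None if the port pool is exhausted."""
        key = (priv_src, sport, dst, dport, proto)
        mapped = self.forward.get(key)
        if mapped is None:
            if not self.free_ports:
                return None
            mapped = (self.public_ip, self.free_ports.pop())
            self.forward[key] = mapped
            self.reverse[(dst, dport, mapped[0], mapped[1], proto)] = (priv_src, sport)
        return (mapped[0], mapped[1], dst, dport, proto)

    def reverse_lookup(self, src, sport, pub_dst, dport, proto):
        """Downlink: translate the public destination back to the private client.
        Returns None (drop) for traffic matching no session, i.e. unsolicited inbound."""
        priv = self.reverse.get((src, sport, pub_dst, dport, proto))
        if priv is None:
            return None
        return (src, sport, priv[0], priv[1], proto)

    def close(self, priv_src, sport, dst, dport, proto):
        """Tear down a session and return its public port to the pool."""
        mapped = self.forward.pop((priv_src, sport, dst, dport, proto), None)
        if mapped is not None:
            del self.reverse[(dst, dport, mapped[0], mapped[1], proto)]
            self.free_ports.append(mapped[1])


if __name__ == "__main__":
    table = CgnSessionTable("198.51.100.7", 40000, 40001)
    print(table.forward_lookup("10.0.0.11", 5555, "203.0.113.5", 443, 6))
    print(table.reverse_lookup("203.0.113.5", 443, "198.51.100.7", 40000, 6))
    print(table.reverse_lookup("203.0.113.5", 443, "198.51.100.7", 40001, 6))  # no session
```

Because the reverse table is keyed on the full five-tuple rather than only the public port, a downlink packet from a different server or port than the one the session was opened to does not match and is dropped, which is the endpoint-dependent filtering behaviour that keeps unsolicited inbound traffic away from subscribers behind the CGN.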
  • The mapping relationship between user-end addresses and user identifiers is also established on the CGN device.
  • The client address may include an IP address, and the information in the mapping relationship may be updated by the operator periodically or in real time.
  • The CGN device acquires the second user identifier corresponding to the second user end and GRE-encapsulates the second data packet to obtain a second GRE packet, where the second GRE packet carries the second user identifier; the CGN device then sends the second GRE packet to the access device through the at least one tunnel.
  • For the process of making the second GRE packet carry the second user identifier and transmitting data through the tunnel, refer to the corresponding description in the first embodiment.
  • The specific location of the second user identifier in the GRE packet is not limited; for example, it may be located in the GRE header, in the packet payload, or elsewhere. This embodiment can be implemented as long as the GRE packet is guaranteed to carry the user identifier.
  • The GRE header of the first GRE packet carries the first user identifier.
  • The GRE header of the second GRE packet carries the second user identifier.
  • FIG. 7 is a flowchart of an application scenario according to an embodiment of the present invention.
  • the application scenario may perform the packet processing method of the foregoing first embodiment and/or the second embodiment, as shown in FIG. 7.
  • the scenario includes: a service device, a Layer 2 customer-side device L2-CPE, an access device, a CGN device, and a server.
  • the access device may be a BRAS device.
  • the server may be an Internet network server.
  • the L2-CPE provides a basic Layer 2 forwarding function.
  • the L2-CPE as the user end is connected to multiple specific service devices.
  • the service device can be, but is not limited to, a personal computer, an intelligent mobile terminal, an IPTV, or an intelligent security device.
  • the upstream side of the L2-CPE is connected to the BRAS device through a communication network (for example, a metro network); the BRAS device takes over the control-plane functions of the traditional integrated CPE (such as user management and data forwarding), so that the L2-CPE is attached to the network through the BRAS.
  • the BRAS device is connected to the CGN device through a communication network (for example, the core network Core Network), the BRAS device establishes at least one tunnel with the CGN device, and the CGN device connects to the Internet network.
  • the L2-CPE shown in FIG. 7 is not limiting; a conventional CPE may also be used in practical applications.
  • the flow direction of the data can be divided into an uplink process and a downlink process.
  • the following describes the different data flow directions. It should be noted that in this embodiment, unless otherwise specified, the Tunnel-1 and Tunnel-2 that appear below are equivalent to the user identifiers of the present invention.
  • the BRAS device receives the first data packet sent by the user 1.
  • the BRAS device acquires the Tunnel-1 corresponding to the user 1, and performs the GRE encapsulation on the first data packet to obtain the first GRE packet, where the first GRE packet carries the Tunnel-1;
  • the mapping between the client address and the tunnel is established on the BRAS device.
  • the BRAS device sends the first GRE message by using the GRE tunnel.
  • the CGN device receives the first GRE message by using the GRE tunnel.
  • the CGN device decapsulates the first GRE packet, and obtains the first data packet.
  • the CGN device sends the first data packet to the Internet.
  • S720 The CGN device receives the second data packet sent by the Internet.
  • the CGN device acquires the Tunnel-2 corresponding to the user 2, and performs the GRE encapsulation on the second data packet to obtain the second GRE packet, where the second GRE packet carries the Tunnel-2;
  • the mapping between the client address and the tunnel is established on the CGN device.
  • the CGN device sends a second GRE message by using a GRE tunnel.
  • the BRAS device receives the second GRE message by using the GRE tunnel.
  • the BRAS device decapsulates the second GRE packet, and obtains the second data packet.
  • the BRAS device sends a second data packet to the user 2.
  • the BRAS device and the CGN device shown in FIG. 7 can be used to perform the respective steps performed by the access device and the CGN device in the method of the previous embodiment.
  • the access device establishes at least one tunnel with the CGN device, so that the GRE packets of multiple users share the same tunnel, thereby reducing the overhead of tunnel resources, simplifying the configuration process, and saving system overhead and network resources when a large number of users access the network.
  • FIG. 8 is a schematic structural diagram of an access device according to an embodiment of the present invention. As shown in FIG. 8, at least one tunnel exists between the access device and the CGN device; the access device includes a first receiving unit 802, a processing unit 804, and a first sending unit 806:
  • the first receiving unit 802 is configured to receive a first data packet sent by the first user end.
  • the processing unit 804 is configured to obtain the address of the first user end from the first data packet, obtain a first user identifier corresponding to the first user end according to a mapping relationship between the user end address and the user identifier, and GRE-encapsulate the first data packet to obtain a first GRE packet, where the first GRE packet carries the first user identifier;
  • the first sending unit 806 is configured to send the first GRE message to the CGN device by using the at least one tunnel.
  • the access device further includes a second receiving unit 808 and a second sending unit 810.
  • the second receiving unit 808 is configured to receive a second GRE packet that is sent by the CGN device by using the at least one tunnel, where the second GRE packet is obtained by the CGN device GRE-encapsulating a second data packet sent by the server to the second user end, and the second GRE packet carries the second user identifier corresponding to the second user end.
  • the processing unit 804 is further configured to decapsulate the second GRE packet and the second user identifier to obtain the second data packet, and the second sending unit 810 is configured to send the second data packet to the second user end.
  • the GRE header of the first GRE packet carries the first user identifier.
  • the GRE header of the second GRE message carries the second user identifier.
  • the processing unit 804 is further configured to perform IPsec encapsulation on the first GRE packet before sending the first GRE packet by using the at least one tunnel.
  • the access device shown in Figure 8 can be used to perform the respective steps performed by the access device in the method of the previous embodiment.
  • the at least one tunnel allows the GRE packets of multiple users to share the same tunnel; therefore, when a large number of users access the network, the overhead of tunnel resources is reduced, the configuration process is simplified, and system overhead and network resources are saved.
  • FIG. 9 is a schematic structural diagram of a hardware structure of an access device according to an embodiment of the present invention.
  • the access device includes a processor 901, a memory 902, an interface 903, and a bus 904.
  • the interface 903 can be implemented by using a wireless or wired manner. Specifically, it may be an element such as a network interface card (NIC), and the processor 901, the memory 902, and the interface 903 are connected by a bus 904.
  • the memory 902 is configured to store program code.
  • the program code may include an operating system program and an application.
  • the interface 903 is configured to receive a first data packet sent by the first user end.
  • the processor 901 is configured to obtain an address of the first user end from the first data packet, and obtain a first user identifier corresponding to the first user end according to a mapping relationship between the user end address and the user identifier,
  • the first data packet is GRE-encapsulated to obtain a first GRE packet, where the first GRE packet carries the first user identifier;
  • the interface 903 is further configured to send the first GRE message to the CGN device by using the at least one tunnel.
  • the interface 903 is further configured to receive a second GRE packet sent by the CGN device by using the at least one tunnel, where the second GRE packet is obtained by the CGN device GRE-encapsulating a second data packet sent by the server to the second user end, and the second GRE packet carries the second user identifier corresponding to the second user end.
  • the processor 901 is further configured to decapsulate the second GRE packet and the second user identifier to obtain the second data packet; the interface 903 is further configured to send the second data packet to the second user end.
  • the GRE header of the first GRE packet carries the first user identifier.
  • the GRE header of the second GRE message carries the second user identifier.
  • the processor 901 is further configured to perform IPsec encapsulation on the first GRE packet before sending the first GRE packet by using the at least one tunnel.
  • the access device shown in Figure 9 can be used to perform the corresponding steps performed by the access device in the method of the previous embodiment.
  • the at least one tunnel allows the GRE packets of multiple users to share the same tunnel; therefore, when a large number of users access the network, the overhead of tunnel resources is reduced, the configuration process is simplified, and system overhead and network resources are saved.
  • as shown in FIG. 10, the CGN device includes a first receiving unit 1002, a processing unit 1004, and a first sending unit 1006:
  • the first receiving unit 1002 is configured to receive a first GRE packet sent by the access device by using the at least one tunnel, where the first GRE packet is obtained by the access device GRE-encapsulating a first data packet from a first user end, and the first GRE packet carries the first user identifier corresponding to the first user end;
  • the processing unit 1004 is configured to decapsulate the first GRE packet, and obtain the first data packet.
  • the first sending unit 1006 is configured to send the first data packet to a server.
  • the CGN device further includes a second receiving unit 1008 and a second sending unit 1010.
  • the second receiving unit 1008 is configured to receive a second data packet sent by the server to the second user end; the processing unit 1004 is further configured to acquire, according to a mapping relationship between the user end address and the user identifier, a second user identifier corresponding to the second user end, and to GRE-encapsulate the second data packet to obtain a second GRE packet, where the second GRE packet carries the second user identifier; the second sending unit 1010 is configured to send the second GRE packet to the access device by using the at least one tunnel.
  • the GRE header of the first GRE packet carries the first user identifier.
  • the GRE header of the second GRE message carries the second user identifier.
  • the processing unit 1004 is further configured to perform IPsec encapsulation on the second GRE packet before sending the second GRE packet by using the at least one tunnel.
  • the CGN device shown in Figure 10 can be used to perform the respective steps performed by the CGN device in the method of the previous embodiment.
  • the at least one tunnel allows the GRE packets of multiple users to share the same tunnel; therefore, when a large number of users access the network, the overhead of tunnel resources is reduced, the configuration process is simplified, and system overhead and network resources are saved.
  • FIG. 11 is a schematic structural diagram of a hardware of a CGN device according to an embodiment of the present invention.
  • the CGN device includes a processor 1101, a memory 1102, an interface 1103, and a bus 1104.
  • the interface 1103 can be implemented in a wireless or wired manner. Specifically, it may be an element such as a network interface card (NIC), and the processor 1101, the memory 1102, and the interface 1103 are connected by the bus 1104.
  • the memory 1102 is configured to store program code.
  • the program code may include an operating system program and an application.
  • the interface 1103 is configured to receive a first GRE packet sent by the access device by using the at least one tunnel, where the first GRE packet is obtained by the access device GRE-encapsulating a first data packet from the first user end, and the first GRE packet carries the first user identifier corresponding to the first user end.
  • the processor 1101 is configured to decapsulate the first GRE packet, and obtain the first data packet.
  • the interface 1103 is further configured to send the first data packet to a server.
  • the interface 1103 is further configured to receive a second data packet that is sent by the server to the second user end; the processor 1101 is further configured to obtain, according to a mapping relationship between the user end address and the user identifier, a second user identifier corresponding to the second user end, and to GRE-encapsulate the second data packet to obtain a second GRE packet, where the second GRE packet carries the second user identifier; the interface 1103 is further configured to send the second GRE packet to the access device by using the at least one tunnel.
  • the GRE header of the first GRE packet carries the first user identifier.
  • the GRE header of the second GRE message carries the second user identifier.
  • the processor 1101 is further configured to perform IPsec encapsulation on the second GRE packet before sending the second GRE packet by using the at least one tunnel.
  • the CGN device shown in Figure 11 can be used to perform the respective steps performed by the CGN device in the method of the previous embodiment.
  • the at least one tunnel allows the GRE packets of multiple users to share the same tunnel; therefore, when a large number of users access the network, the overhead of tunnel resources is reduced, the configuration process is simplified, and system overhead and network resources are saved.
  • FIG. 12 is a schematic structural diagram of a system according to an embodiment of the present invention. As shown in FIG. 12, the system includes an access device and a CGN device. The system can implement the technical solutions of the first embodiment and the second embodiment, and the implementation principles and technical effects are similar, and details are not described herein again.
  • aspects of the present invention, or possible implementations of various aspects may be embodied as a system, method, or computer program product.
  • aspects of the invention, or possible implementations of various aspects, may be implemented as an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, etc.), or a combination of software and hardware aspects, collectively referred to herein as "circuits," "modules," or "systems."
  • aspects of the invention, or possible implementations of various aspects may take the form of a computer program product, which is a computer readable program code stored in a computer readable medium.
  • the computer readable medium can be a computer readable signal medium or a computer readable storage medium.
  • the computer readable storage medium includes, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing, such as a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM) or flash memory, an optical fiber, or a portable compact disc read-only memory (CD-ROM).
  • the processor in the computer reads the computer readable program code stored in the computer readable medium, so that the processor is able to perform the functional steps specified in each step of the flowchart, or in a combination of steps, and to produce an apparatus that implements the functions specified in each block, or combination of blocks, of the block diagrams.
  • the computer readable program code can execute entirely on the user's local computer, partly on the user's local computer as a separate software package, partly on the user's local computer and partly on a remote computer, or entirely on the remote computer or server. It should also be noted that in some alternative implementations, the functions noted in the steps of the flowcharts or in the blocks of the block diagrams may occur out of the order noted. For example, two steps, or two blocks, shown in succession may in fact be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order.
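The CGN downlink handling described in the second embodiment above (search the NAT reverse session table by five-tuple, translate the public address back to the private address, then look up the user identifier for that address) as an added Python example; this is not the patent's or Huawei's code. It goes slightly beyond the text by also showing the uplink side creating the session that the downlink lookup depends on, so that the drop decisions are visible end to end. The single public address, the sequential port allocator, the class and field names and all sample addresses are constructed assumptions for illustration.

```python
"""Added example, not the patent's own code: a CGN with one public address that
creates a NAT session on the uplink and, on the downlink, finds the session by
five-tuple in the reverse table, restores the private address and looks up the
user identifier for that address. Names and sample addresses are constructed."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

PROTO_TCP = 6
PROTO_UDP = 17

# (protocol, source IP, source port, destination IP, destination port)
FiveTuple = Tuple[int, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    proto: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


@dataclass(frozen=True)
class ReverseEntry:
    private_ip: str
    private_port: int


class CgnNat:
    """Stateful NAT plus the private-address -> user-identifier mapping."""

    def __init__(self, public_ip: str, user_map: Dict[str, int], first_port: int = 50000):
        self.public_ip = public_ip
        self.user_map = dict(user_map)          # constructed mapping: private address -> user id
        self.next_port = first_port             # simplistic sequential port allocator (assumption)
        self.forward: Dict[FiveTuple, int] = {}             # private five-tuple -> public port
        self.reverse: Dict[FiveTuple, ReverseEntry] = {}    # downlink five-tuple -> private endpoint

    def uplink(self, pkt: Packet) -> Packet:
        """Translate the private source to the public address, creating the
        session (and its reverse entry) the first time the flow is seen."""
        if pkt.src_ip not in self.user_map:
            raise LookupError(f"{pkt.src_ip} is not a provisioned user address: dropped")
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        public_port = self.forward.get(key)
        if public_port is None:
            if self.next_port > 65535:
                raise RuntimeError("public port pool exhausted")
            public_port, self.next_port = self.next_port, self.next_port + 1
            self.forward[key] = public_port
            reverse_key = (pkt.proto, pkt.dst_ip, pkt.dst_port, self.public_ip, public_port)
            self.reverse[reverse_key] = ReverseEntry(pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=public_port)

    def downlink(self, pkt: Packet) -> Optional[Tuple[int, Packet]]:
        """Return (user_id, packet translated back to the private address), or
        None when no session matches: unsolicited inbound traffic is not forwarded."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        entry = self.reverse.get(key)
        if entry is None:
            return None
        user_id = self.user_map.get(entry.private_ip)
        if user_id is None:
            return None                         # session outlived the user's provisioning
        return user_id, replace(pkt, dst_ip=entry.private_ip, dst_port=entry.private_port)


def build_sample_cgn() -> CgnNat:
    """Constructed scenario: two subscribers behind the public address 203.0.113.10."""
    return CgnNat("203.0.113.10", {"10.0.0.2": 1001, "10.0.0.3": 1002})
```

The user identifier returned by `downlink` is what the CGN would then place in the second GRE packet; a downlink packet that matches no session, or whose session points at a private address that no longer maps to a user, never reaches the tunnel.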

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Disclosed are a message processing method, device and system. The method comprises: an access device establishing at least one tunnel between itself and a CGN device; the access device receiving a first data message sent by a first user terminal; the access device acquiring, according to the mapping relationship between a user terminal address and a user identifier, a first user identifier corresponding to the first user terminal, and performing GRE encapsulation on the first data message, so as to obtain a first GRE message, wherein the first GRE message carries the first user identifier; and the access device sending the first GRE message to the CGN device through the at least one tunnel. By means of the embodiment, when a large number of users access a network, the overhead of tunnel resources can be reduced, the configuration process can be simplified, and the system overhead and network resources can be saved.

Description

Message processing method, device and system
This application claims priority to Chinese Patent Application No. 201510243026.3, entitled "A Message Processing Method, Device and System", filed with the Chinese Patent Office on May 13, 2015, the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to the field of network technologies, and in particular to a packet processing method, device, and system.
Background
Tunneling is a way of passing data between networks by using the infrastructure of an internetwork. For example, in the home user access scenario, traditional customer premises equipment (CPE) integrates control-plane functions such as the Dynamic Host Configuration Protocol (DHCP), a Universal Plug and Play server (UPnP server), the TR069 protocol (Technical Report 069) and user management, together with forwarding-plane functions such as Network Address Translation (NAT) and routing and forwarding; the integration of these functions relies on CPE hardware support. When an operator wants to deploy a new service, for example upgrading to Internet Protocol version 6 (IPv6), the massive number of CPEs distributed across individual homes must be upgraded in software and hardware, which increases equipment investment cost; at the same time, the multi-function integration of the CPE also increases the operation, maintenance and management cost of the live network. To solve this problem, the different functions of the CPE can be split across different devices: for example, the control-plane functions are moved to a Broadband Remote Access Server (BRAS), so that the Layer 2 customer-side device (L2-CPE) only needs to provide basic Layer 2 forwarding, and the BRAS device encapsulates the user traffic of each L2-CPE into a different Generic Routing Encapsulation (GRE) tunnel and sends it through the tunnel to the Carrier Grade NAT (CGN) device.
However, the above prior-art method needs to configure an independent GRE tunnel for each user end, which has at least the following problems: (1) for a massive number of user ends, a massive number of GRE tunnels must be set up to support them, which increases the overhead of tunnel resources; (2) GRE tunnels are statically configured, which for a massive number of user ends greatly increases the customer's configuration work; (3) enabling keep-alive detection on a massive number of GRE tunnels increases system overhead and occupies a large amount of network resources.
Summary of the invention
In view of this, the embodiments of the present invention provide a packet processing method, device and system, so as to reduce the overhead of tunnel resources when a massive number of users access the network.
The technical solution provided by the embodiments of the present invention is as follows:
In a first aspect, a packet processing method includes:
an access device establishes at least one tunnel with a CGN device;
the access device receives a first data packet sent by a first user end;
the access device obtains a first user end address carried in the first data packet, obtains a first user identifier corresponding to the first user end address according to a mapping relationship between user end addresses and user identifiers, and GRE-encapsulates the first data packet sent by the first user end to obtain a first GRE packet, where the first GRE packet carries the first user identifier;
the access device sends the first GRE packet to the CGN device through the at least one tunnel.
In a first possible implementation of the first aspect, the method further includes:
the access device receives a second GRE packet sent by the CGN device through the at least one tunnel, where the second GRE packet is obtained by the CGN device GRE-encapsulating a second data packet sent by a server to a second user end, and the second GRE packet carries a second user identifier corresponding to the second user end;
the access device decapsulates the second GRE packet to obtain the second data packet;
the access device sends the second data packet to the second user end.
With reference to the first aspect or the first possible implementation of the first aspect, in a second possible implementation of the first aspect, the GRE header of the first GRE packet carries the first user identifier.
With reference to the first aspect or any possible implementation of the first aspect, in a third possible implementation of the first aspect, before the first GRE packet is sent through the at least one tunnel, the method further includes: performing Internet Protocol Security (IPsec) encapsulation on the first GRE packet.
In a second aspect, a packet processing method is applied to a CGN device, where at least one tunnel established by an access device exists between the CGN device and the access device, and the method includes:
the CGN device receives a first GRE packet sent by the access device through the at least one tunnel, where the first GRE packet is obtained by the access device GRE-encapsulating a first data packet from a first user end, and the first GRE packet carries a first user identifier corresponding to the first user end;
the CGN device decapsulates the first GRE packet to obtain the first data packet;
the CGN device sends the first data packet to a server.
In a first possible implementation of the second aspect, the method further includes:
the CGN device receives a second data packet sent by the server to a second user end;
the CGN device obtains the address of the second user end, obtains a second user identifier corresponding to the second user end according to the mapping relationship between user end addresses and user identifiers, and GRE-encapsulates the second data packet to obtain a second GRE packet, where the second GRE packet carries the second user identifier;
the CGN device sends the second GRE packet to the access device through the at least one tunnel.
With reference to the second aspect or the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the GRE header of the first GRE packet carries the first user identifier.
With reference to the first or second possible implementation of the second aspect, in a third possible implementation of the second aspect, before the second GRE packet is sent through the at least one tunnel, the method further includes: performing IPsec encapsulation on the second GRE packet.
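The first and second aspects above (uplink encapsulation on the access device, decapsulation on the CGN, and the reverse on the downlink) as an added Python example; this is not the patent's or Huawei's code. It realises the "GRE header carries the user identifier" implementation by placing the identifier in the 32-bit Key field of the GRE header (RFC 2890), one of the header placements the page leaves open; the Key-field choice, the optional GRE checksum handling, the class names and the sample addresses are assumptions made for this example.

```python
"""Added example, not the patent's or Huawei's code: one GRE tunnel shared by all
users, the user identifier carried in the GRE Key field (RFC 2890). The Key-field
placement, class names and sample addresses are assumptions."""
import struct
from typing import Dict, Tuple

GRE_C = 0x8000            # Checksum Present flag
GRE_K = 0x2000            # Key Present flag
GRE_S = 0x1000            # Sequence Number Present flag
GRE_VER_MASK = 0x0007
PROTO_TEB = 0x6558        # transparent Ethernet bridging: the L2-CPE forwards frames


def gre_checksum(data: bytes) -> int:
    """One's-complement checksum over GRE header plus payload (RFC 2784)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload: bytes, user_id: int, proto: int = PROTO_TEB,
                    with_checksum: bool = False) -> bytes:
    """Build a GRE packet whose 32-bit Key field carries the user identifier."""
    if not 0 <= user_id <= 0xFFFFFFFF:
        raise ValueError("user identifier must fit the 32-bit Key field")
    if not with_checksum:
        return struct.pack("!HHI", GRE_K, proto, user_id) + payload
    pkt = struct.pack("!HHHHI", GRE_C | GRE_K, proto, 0, 0, user_id) + payload
    return pkt[:4] + struct.pack("!H", gre_checksum(pkt)) + pkt[6:]


def gre_decapsulate(packet: bytes) -> Tuple[int, int, bytes]:
    """Return (user_id, protocol, payload). Truncated packets, unknown GRE
    versions, bad checksums and packets without a Key are rejected: a packet
    that cannot be attributed to a user must not be forwarded."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", packet, 0)
    if flags & GRE_VER_MASK:
        raise ValueError("unsupported GRE version")
    if not flags & GRE_K:
        raise ValueError("GRE packet without Key field")
    offset = 4
    if flags & GRE_C:
        if len(packet) < 8 or gre_checksum(packet) != 0:
            raise ValueError("bad GRE checksum")
        offset += 4                       # Checksum + Reserved1
    if len(packet) < offset + 4:
        raise ValueError("truncated GRE Key")
    (user_id,) = struct.unpack_from("!I", packet, offset)
    offset += 4
    if flags & GRE_S:
        offset += 4                       # Sequence Number, unused here
    if len(packet) < offset:
        raise ValueError("truncated GRE header")
    return user_id, proto, packet[offset:]


class TunnelEndpoint:
    """Address <-> user identifier mapping kept on both ends of the tunnel."""

    def __init__(self, user_map: Dict[str, int]):
        self.id_by_addr = dict(user_map)
        self.addr_by_id = {uid: addr for addr, uid in user_map.items()}

    def id_for(self, addr: str) -> int:
        if addr not in self.id_by_addr:
            raise LookupError(f"unprovisioned client address {addr}: dropped")
        return self.id_by_addr[addr]

    def addr_for(self, user_id: int) -> str:
        if user_id not in self.addr_by_id:
            raise LookupError(f"unknown user identifier {user_id}: dropped")
        return self.addr_by_id[user_id]


class AccessDevice(TunnelEndpoint):
    """BRAS: GRE-encapsulates uplink frames, decapsulates downlink packets."""

    def uplink(self, client_addr: str, frame: bytes) -> bytes:
        return gre_encapsulate(frame, self.id_for(client_addr))

    def downlink(self, gre_packet: bytes) -> Tuple[str, bytes]:
        user_id, _proto, frame = gre_decapsulate(gre_packet)
        return self.addr_for(user_id), frame


class CgnDevice(TunnelEndpoint):
    """CGN: decapsulates uplink packets, GRE-encapsulates downlink frames."""

    def uplink(self, gre_packet: bytes) -> Tuple[int, bytes]:
        user_id, _proto, frame = gre_decapsulate(gre_packet)
        self.addr_for(user_id)            # drop identifiers no user maps to
        return user_id, frame

    def downlink(self, client_addr: str, frame: bytes) -> bytes:
        return gre_encapsulate(frame, self.id_for(client_addr), with_checksum=True)


SAMPLE_USERS = {"10.0.0.2": 1001, "10.0.0.3": 1002}   # constructed mapping
```

Both endpoints refuse a packet that carries no Key or a Key that maps to no provisioned user, since such a packet cannot be attributed to anyone and must not be forwarded in either direction. The Key travels in cleartext inside the GRE header, so on a shared transport network it is the IPsec encapsulation named in the third implementation that keeps the identifier from being read or altered in transit.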
In a third aspect, an access device has at least one tunnel between itself and a CGN device, and the access device includes:
a first receiving unit, configured to receive a first data packet sent by a first user end;
a processing unit, configured to obtain the address of the first user end from the first data packet, obtain a first user identifier corresponding to the first user end according to a mapping relationship between user end addresses and user identifiers, and encapsulate the first data packet with the Generic Routing Encapsulation protocol (GRE) to obtain a first GRE packet, where the first GRE packet carries the first user identifier;
a first sending unit, configured to send the first GRE packet to the CGN device through the at least one tunnel.
In a first possible implementation of the third aspect, the access device further includes a second receiving unit and a second sending unit, where:
the second receiving unit is configured to receive a second GRE packet sent by the CGN device through the at least one tunnel, where the second GRE packet is obtained by the CGN device GRE-encapsulating a second data packet sent by a server to a second user end, and the second GRE packet carries a second user identifier corresponding to the second user end;
the processing unit is configured to decapsulate the second GRE packet and the second user identifier to obtain the second data packet;
the second sending unit is configured to send the second data packet to the second user end.
With reference to the third aspect or the first possible implementation of the third aspect, in a second possible implementation of the third aspect, the GRE header of the first GRE packet carries the first user identifier.
With reference to the third aspect or any possible implementation of the third aspect, in a third possible implementation of the third aspect, the processing unit is further configured to perform IPsec encapsulation on the first GRE packet before the first GRE packet is sent through the at least one tunnel.
第四方面,一种CGN设备,所述CGN设备与接入设备之间包括至少一 条由所述接入设备建立的隧道;所述CGN设备包括:A fourth aspect, a CGN device, where the CGN device and the access device include at least one a tunnel established by the access device; the CGN device includes:
第一接收单元,用于接收所述接入设备通过所述至少一条隧道发送的第一通用路由封装协议GRE报文,所述第一GRE报文是由所述接入设备对来自第一用户端的第一数据报文进行GRE封装得到的,所述第一GRE报文携带有所述第一用户端对应的第一用户标识;a first receiving unit, configured to receive a first universal routing encapsulation protocol GRE packet sent by the access device by using the at least one tunnel, where the first GRE packet is sent by the access device from the first user The first data packet is obtained by the GRE encapsulation, and the first GRE packet carries the first user identifier corresponding to the first user end.
处理单元,用于解封所述第一GRE报文,获取所述第一数据报文;a processing unit, configured to decapsulate the first GRE packet, and obtain the first data packet;
第一发送单元,用于向服务器发送所述第一数据报文。The first sending unit is configured to send the first data packet to the server.
在第四方面的第一种可能的实现方式中,该CGN设备还包括第二接收单元和第二发送单元,其中:In a first possible implementation manner of the fourth aspect, the CGN device further includes a second receiving unit and a second sending unit, where:
所述第二接收单元,用于接收所述服务器发往第二用户端的第二数据报文;The second receiving unit is configured to receive a second data packet sent by the server to the second user end;
所述处理单元,用于根据用户端地址与用户标识的映射关系,获取与所述第二用户端对应的第二用户标识,将所述第二数据报文进行GRE封装,得到第二GRE报文,所述第二GRE报文携带所述第二用户标识;The processing unit is configured to obtain a second user identifier corresponding to the second user end according to the mapping relationship between the user address and the user identifier, and perform the GRE encapsulation on the second data packet to obtain the second GRE report. The second GRE packet carries the second user identifier;
所述第二发送单元,用于通过所述至少一条隧道向所述接入设备发送所述第二GRE报文。The second sending unit is configured to send the second GRE message to the access device by using the at least one tunnel.
结合上述第四方面,或第四方面的第一种可能的实现方式,第四方面的第二种可能的实现方式中,所述第一GRE报文的GRE头承载所述第一用户标识。With reference to the foregoing fourth aspect, or the first possible implementation manner of the fourth aspect, in a second possible implementation manner of the fourth aspect, the GRE header of the first GRE packet carries the first user identifier.
结合上述第四方面的第一种可能的实现方式,或第四方面的第二种可能的实现方式,第四方面的第三种可能的实现方式中,所述处理单元,还用于在通过所述至少一条隧道发送所述第二GRE报文之前,对所述第二GRE报文进行IPsec封装。In conjunction with the first possible implementation of the foregoing fourth aspect, or the second possible implementation of the fourth aspect, in a third possible implementation manner of the fourth aspect, the processing unit is further configured to pass Before the at least one tunnel sends the second GRE packet, performing IPsec encapsulation on the second GRE packet.
According to a fifth aspect, a packet processing system includes:
the access device provided by the third aspect or any possible implementation of the third aspect, and the CGN device provided by the fourth aspect or any possible implementation of the fourth aspect.
With the foregoing solution, in the packet processing method, device and system provided by the embodiments of the present invention, the access device establishes at least one tunnel to the CGN device. The access device receives a first data packet sent by a first client, obtains the address of the first client from the first data packet, obtains, according to the mapping relationship between client addresses and user identifiers, a first user identifier corresponding to the first client address, performs GRE encapsulation on the first data packet sent by the first client to obtain a first GRE packet carrying the first user identifier, and sends the first GRE packet to the CGN device through the at least one tunnel. Correspondingly, the CGN device receives and decapsulates the first GRE packet to obtain the first data packet, and then sends the first data packet to the server. By applying the method, device and system of the embodiments of the present invention, when a large number of users access the network, the overhead of tunnel resources can be reduced, the configuration process simplified, and system overhead and network resources saved.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a flowchart of a packet processing method according to a first embodiment of the present invention;
FIG. 2 is a schematic diagram of the GRE header format in the prior art;
FIG. 3 is a first schematic diagram of a GRE header format according to an embodiment of the present invention;
FIG. 4 is a second schematic diagram of a GRE header format according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of IPsec encapsulation of a GRE packet according to an embodiment of the present invention;
FIG. 6 is a flowchart of a packet processing method according to a second embodiment of the present invention;
FIG. 7 is a flowchart of an application scenario according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of an access device according to an embodiment of the present invention;
FIG. 9 is a schematic diagram of the hardware structure of an access device according to an embodiment of the present invention;
FIG. 10 is a schematic structural diagram of a CGN device according to an embodiment of the present invention;
FIG. 11 is a schematic diagram of the hardware structure of a CGN device according to an embodiment of the present invention;
FIG. 12 is a schematic structural diagram of a system according to an embodiment of the present invention.
DETAILED DESCRIPTION
The embodiments of the present invention provide a packet processing method, device and system which, in the service scenario of users accessing a network, reduce the overhead of tunnel resources, simplify the configuration process, and save system overhead and network resources for a large number of users.
Detailed descriptions are given below by way of specific embodiments.
To make the objectives, features and advantages of the present invention more apparent and comprehensible, the technical solutions in the embodiments of the present invention are described clearly below with reference to the accompanying drawings. Evidently, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The terms "first", "second", "third", "fourth" and the like in the specification, claims and drawings of this application are used to distinguish different objects, not to describe a particular order. Furthermore, the terms "include" and "have" are not exclusive: a process, method, system, product or device that comprises a series of steps or units is not limited to the listed steps or units and may include steps or units that are not listed.
FIG. 1 is a flowchart of a packet processing method according to a first embodiment of the present invention. As shown in FIG. 1, the method may include:
S102. The access device establishes at least one tunnel to the CGN device.
For example, the access device is the bridge between the broadband access network and the backbone network, providing basic access means and the management functions of the broadband access network. Located at the edge of the network, it provides broadband access services and aggregates and forwards multiple services, meeting the transmission capacity and bandwidth utilization requirements of different users. For example, the access device may be a BRAS device. The basic function of the CGN device is to translate internal private Internet Protocol (IP) addresses into public IP addresses, and traffic between the access device and the CGN device may be carried in tunnels. The access device can therefore establish at least one tunnel to the carrier-grade network address translation (CGN) device, where each tunnel can carry the data packets of multiple users. It should be noted that a single tunnel between the access device and the CGN device is enough to support a large number of users. Optionally, more than one tunnel may be established between the access device and the CGN device. Taking two tunnels as an example, one tunnel may serve as the primary tunnel and the other as the backup tunnel, forming a hot-standby redundancy mechanism; alternatively, both tunnels may be primary tunnels that share the load of the large number of users.
S104. The access device receives a first data packet sent by a first client.
For example, the access device provides clients with access functions and the management functions of the broadband access network. One side of the access device therefore connects to multiple clients, so the access device can receive the first data packet sent by the first client. The first data packet is not limited; it may be a service request or a data stream sent by the client to the server, for example an access-network request, a request to access a web address or data, or an upload data packet.
S106. The access device obtains a first client address carried in the first data packet, obtains, according to the mapping relationship between client addresses and user identifiers, a first user identifier corresponding to the first client address, and performs Generic Routing Encapsulation (GRE) on the first data packet sent by the first client to obtain a first GRE packet, where the first GRE packet carries the first user identifier.
For example, each client has a unique user identifier that identifies it, so different clients can be distinguished by their user identifiers. Optionally, the user identifier may be assigned directly to the client by the operator when the user's account is opened. Correspondingly, a mapping relationship between client addresses and user identifiers is established on the access device; optionally, the client address may include the client's IP address. The mapping relationship may be updated by the operator periodically or in real time. For example, when a new client is added and its account is opened, the operator assigns the client a unique user identifier and at the same time pushes that identifier into the mapping relationship on the access device. Therefore, after receiving the first data packet sent by the first client, the access device obtains the first client address carried in the first data packet and, according to the mapping relationship between client addresses and user identifiers, obtains the first user identifier corresponding to the first client address. It then performs GRE encapsulation on the first data packet sent by the first client to obtain the first GRE packet. The GRE protocol is suited to encapsulating IP datagrams tunneled across the Internet; GRE can act as a Layer 3 tunneling protocol that provides a transparent transmission channel for data of any protocol. The first GRE packet carries the first user identifier: GRE encapsulation is performed on the first data packet in such a way that the first GRE packet carries the obtained first user identifier corresponding to the first client address. In this embodiment, the specific position of the first user identifier within the first GRE packet is not limited. For example, the first user identifier may be located in the GRE header, in the payload of the GRE packet, or elsewhere in the GRE packet, as long as the first GRE packet carries the first user identifier.
S108. The access device sends the first GRE packet to the CGN device through the at least one tunnel.
For example, after completing the encapsulation of the first GRE packet, the access device may send the first GRE packet to the CGN device through at least one tunnel. Because the first GRE packet carries the first user identifier, which identifies a unique client, one tunnel can be shared by multiple GRE packets. That is, one tunnel may carry the GRE packets of multiple clients, simultaneously or not; because each GRE packet carries a user identifier, the GRE packets of different clients are not confused when they share a tunnel.
In the packet processing method provided by this embodiment, the access device establishes at least one tunnel to the CGN device; when the access device receives a client's data packet and performs GRE encapsulation, it makes the GRE packet carry the user identifier corresponding to that client's data packet. Data packets from different users are distinguished by user identifier, allowing multiple GRE packets to share the same tunnel, so that when a large number of users access the network the overhead of tunnel resources is reduced, the configuration process is simplified, and system overhead and network resources are saved.
Optionally, the access device receives a second GRE packet sent by the CGN device through the at least one tunnel, where the second GRE packet is obtained by the CGN device performing GRE encapsulation on a second data packet sent by the server to a second client, and the second GRE packet carries a second user identifier corresponding to the second client.
For example, the access device receives the first data packet from the first client, processes it and sends it to the CGN device; call this data flow the uplink direction. Correspondingly, the access device can also receive from the CGN device a second data packet that originates from the server; this data flow may be called the downlink direction. The second data packet is not limited; it may be a service request response or a data stream sent by the server to the client, for example an access-network request response, a response to a request for a web address or data, or a download data packet. The access device receives the second GRE packet sent by the CGN device through the at least one tunnel. The second GRE packet is obtained by the CGN device performing GRE encapsulation on the second data packet from the server and, correspondingly, carries the second user identifier corresponding to the second data packet. In the downlink direction, to allow one tunnel to carry the GRE packets of multiple users, the same method as in S106 of the first embodiment may be used, so that each GRE packet carries the user identifier corresponding to its client and data packets destined for different clients are distinguished by user identifier. The access device decapsulates the second GRE packet to obtain the second data packet and sends the second data packet to the client to which it corresponds.
In addition, optionally, a verification step may be added when the access device decapsulates the second GRE packet to obtain the second data packet. That is, the decapsulated second GRE packet may be verified against the mapping relationship between client addresses and user identifiers established on the access device. Specifically, the second GRE packet carries the second user identifier, and the access device uses the second user identifier to look up the corresponding second client address in the mapping relationship established on the access device.
It should be noted that "first data packet" and "second data packet" in the embodiments serve only to distinguish the direction of the data flow: "first data packet" denotes data flowing from the client to the server, and "second data packet" denotes data flowing from the server to the client.
Optionally, the GRE header of the first GRE packet carries the first user identifier. Similarly, the GRE header of the second GRE packet carries the second user identifier.
Optionally, in the first embodiment above, the user identifier may be located in the GRE header, in the payload of the GRE packet, or elsewhere in the GRE packet. Further optionally, the user identifier may be located in a reserved field or an optional field of the GRE header. FIG. 2 shows the GRE header format of the prior art, FIG. 3 schematically shows one GRE header format according to an embodiment of the present invention, and FIG. 4 schematically shows another GRE header format according to an embodiment of the present invention.
As shown in FIG. 2, the prior-art GRE header includes a 32-bit Key field used for end-to-end verification of tunnel-encapsulated packets. When the "K" flag in the GRE header is set to 1, both ends of the tunnel verify the channel identification key (the Key, also called the keyword): a packet passes verification only if the keys configured at the two tunnel ends are identical, otherwise it is discarded. The Key field thus provides a weak verification mechanism. The GRE header also includes a recursion control field and a flags field, which may be treated as reserved fields; for example, these reserved fields may be used to carry the user identifier.
For example, the user identifier may be located in an optional field of the GRE header; further optionally, the Key field may be used to carry the user identifier. As shown in FIG. 3, the whole Key field may carry the user identifier, forming a user identifier field. The user identifier field is then 32 bits long and can identify 2^32 - 1 users. This means that one tunnel can accommodate the first data packets of 2^32 - 1 clients: because the user identifier field of the GRE header carries a different user identifier for each client, 2^32 - 1 users may use the same tunnel at the same time, so a single tunnel meets the requirements of a large number of users and tunnel resources are saved.
For example, as shown in FIG. 4, part of the Key field may instead carry the user identifier, forming a user identifier field. For instance, 16 bits of the Key field may carry the user identifier; the user identifier field is then 16 bits long and can identify 2^16 - 1 users. This means that one tunnel can accommodate the first data packets of 2^16 - 1 clients: because the user identifier field of the GRE header carries a different user identifier for each client, 2^16 - 1 users may use the same tunnel at the same time, so a single tunnel meets the requirements of a large number of users and tunnel resources are saved. Moreover, because the user identifier field occupies only part of the Key field, the upper 16 bits of the Key field retain the original weak verification function.
It should be noted that the implementation shown in FIG. 4 is only one way of carrying the user identifier in part of the Key field. The position the user identifier field occupies within the Key field is not limited (for example, it may occupy the upper 16 bits), and neither is its length (for example, it may occupy 24 bits or 8 bits).
For example, carrying the user identifier in the Key field as described above lets up to 2^32 - 1 clients share one tunnel, so a single tunnel already meets the needs of a large number of users. Optionally, more than one tunnel may nevertheless be established between the access device and the CGN device. Taking two tunnels as an example, one may serve as the primary tunnel and the other as the backup tunnel, forming a hot-standby redundancy mechanism; alternatively, both may be primary tunnels that share the load of the large number of users. The specific way in which multiple tunnels share the users is not limited. For example, a second tunnel may carry the additional users once one tunnel is full (for example, when it carries 2^32 - 1 users); multiple tunnels may share the users even when no tunnel is full; or there may be multiple CGN devices, with at least one tunnel established to each CGN device. As for which tunnel a given first data packet enters: the source and destination addresses of the first data packet may be parsed to determine which tunnel, leading to which CGN device, the first data packet enters.
Optionally, before the first GRE packet is sent through the at least one tunnel, IPsec encapsulation is performed on the first GRE packet.
For example, although the Key field in the GRE header provides a weak verification mechanism, by the nature of that mechanism it cannot be regarded as a reliable encryption measure. In practice, some data streams exchanged between the client and the server, such as video and audio, may require encryption for security. IPsec encapsulation authenticates and encrypts each IP packet in the data stream, providing high-quality, interoperable, cryptography-based security for IP datagrams, so data streams that require encryption can be encapsulated with IPsec to protect them. As shown in FIG. 5, IPsec encapsulation is performed on the GRE packet before it is sent through the tunnel: the data stream that requires encryption is encrypted by applying IPsec encapsulation outside the GRE encapsulation, ensuring data security.
In a typical implementation that does not use the solution of the embodiments of the present invention, an independent GRE tunnel must be configured for each client that interacts with the server. As network devices become more integrated and user numbers keep growing, supporting a large number of clients in this way requires a correspondingly large number of GRE tunnels, which clearly increases the overhead of tunnel resources. Moreover, GRE tunnels are statically configured, so a large number of them greatly increases the configuration workload; and GRE tunnels normally use keepalive detection, which for a large number of tunnels inevitably increases system overhead and network resource usage. This implementation therefore can no longer meet the demands of a continually growing user base.
In the technical solution provided by the embodiments of the present invention, the access device establishes at least one tunnel to the CGN device; when the access device receives a client's first data packet and performs GRE encapsulation, it makes the GRE packet carry the user identifier corresponding to that first data packet. First data packets from different clients are distinguished by user identifier, allowing the GRE packets of multiple users to share the same tunnel, so that when a large number of users access the network the overhead of tunnel resources is reduced, the configuration process is simplified, and system overhead and network resources are saved.
FIG. 6 is a flowchart of a packet processing method according to a second embodiment of the present invention, which describes the packet processing method from the perspective of the CGN device. As shown in FIG. 6, the method is applied to a CGN device, and at least one tunnel established by the access device exists between the CGN device and the access device; the method may include:
S602. The CGN device receives a first GRE packet sent by the access device through the at least one tunnel, where the first GRE packet is obtained by the access device performing GRE encapsulation on a first data packet from a first client, and the first GRE packet carries a first user identifier corresponding to the first client.
For example, the function of the CGN device is to translate internal private IP addresses into public IP addresses. The CGN device receives the first GRE packet sent by the access device through the at least one tunnel, where the first GRE packet is obtained by the access device performing GRE encapsulation on the first data packet from the first client and carries the first user identifier. For the encapsulation of the first GRE packet and how it carries the first user identifier, see the corresponding description in the first embodiment.
S604. The CGN device decapsulates the first GRE packet to obtain the first data packet.
For example, the CGN device decapsulates the first GRE packet to obtain the first data packet. In addition, optionally, a verification step may be added during this decapsulation: the decapsulated first GRE packet may be verified against the mapping relationship between client addresses and user identifiers established on the CGN device. Specifically, the first GRE packet carries the first user identifier; the CGN device uses the first user identifier to look up the corresponding first client address in the mapping relationship, and compares the first client address obtained in this way with the client address of the first data packet in the decapsulated first GRE packet, thereby verifying that the first data packet is indeed the first data packet sent by the first client.
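The following is an added example, not code from the patent: it models the S106 encapsulation on the access device, both Key-field layouts of FIG. 3 (whole 32-bit Key as user identifier) and FIG. 4 (user identifier in the low 16 bits, tunnel key kept in the high 16 bits), and the S604 check on the CGN device that the address the carried user identifier maps to equals the inner source address. The client addresses, user identifiers and the 16-bit tunnel key value are constructed for the example.

```python
import ipaddress
import struct

# GRE base header: 16 bits of flags/version, 16-bit protocol type; when the K bit
# is set a 32-bit Key field follows (the layout the page's FIG. 2 refers to).
GRE_FLAG_K = 0x2000
GRE_PROTO_IPV4 = 0x0800
TUNNEL_KEY16 = 0xA5C3  # constructed tunnel key for the split (FIG. 4) layout

# Constructed client address -> user identifier mapping, as held by both the
# access device and the CGN device; the reverse view serves the S604 check.
ADDR_TO_UID = {"10.0.0.2": 1, "10.0.0.3": 2}
UID_TO_ADDR = {uid: addr for addr, uid in ADDR_TO_UID.items()}


def build_ipv4(src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 packet (no options, checksum left zero) used as the inner data packet."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def ipv4_source(pkt: bytes) -> str:
    """Source address of an IPv4 packet (bytes 12..15 of the header)."""
    return str(ipaddress.IPv4Address(pkt[12:16]))


def build_key_field(user_id: int, split: bool) -> int:
    """FIG. 3 (split=False): the whole Key field is the user identifier.
    FIG. 4 (split=True): tunnel key in the high 16 bits, user identifier in the low 16."""
    if split:
        if not 0 < user_id <= 0xFFFF:
            raise ValueError("user identifier does not fit in 16 bits")
        return (TUNNEL_KEY16 << 16) | user_id
    if not 0 < user_id <= 0xFFFFFFFF:
        raise ValueError("user identifier does not fit in 32 bits")
    return user_id


def gre_encapsulate(inner: bytes, user_id: int, split: bool) -> bytes:
    """GRE header with K set and the user identifier carried in the Key field."""
    key = build_key_field(user_id, split)
    return struct.pack("!HHI", GRE_FLAG_K, GRE_PROTO_IPV4, key) + inner


def gre_decapsulate(pkt: bytes, split: bool) -> tuple:
    """Return (user_id, inner packet). With the split layout the high 16 bits must
    equal the configured tunnel key, which is GRE's own weak end-to-end check."""
    flags, proto, key = struct.unpack("!HHI", pkt[:8])
    if not flags & GRE_FLAG_K or proto != GRE_PROTO_IPV4:
        raise ValueError("not a keyed GRE/IPv4 packet")
    if split:
        if key >> 16 != TUNNEL_KEY16:
            raise ValueError("tunnel key mismatch")
        return key & 0xFFFF, pkt[8:]
    return key, pkt[8:]


def access_device_uplink(inner: bytes, split: bool) -> bytes:
    """S106: look up the client's source address in the mapping, tag the GRE packet."""
    user_id = ADDR_TO_UID[ipv4_source(inner)]  # KeyError for an unknown client
    return gre_encapsulate(inner, user_id, split)


def cgn_receive(gre_pkt: bytes, split: bool) -> bytes:
    """S604: decapsulate, then verify that the address the user identifier maps to
    is the inner source address; a mismatch means tag and payload disagree."""
    user_id, inner = gre_decapsulate(gre_pkt, split)
    expected = UID_TO_ADDR.get(user_id)
    src = ipv4_source(inner)
    if expected is None or expected != src:
        raise ValueError(f"user identifier {user_id} does not match inner source {src}")
    return inner


if __name__ == "__main__":
    data = build_ipv4("10.0.0.2", "203.0.113.10", b"GET /")
    tagged = access_device_uplink(data, split=True)
    print(hex(struct.unpack("!I", tagged[4:8])[0]), cgn_receive(tagged, True) == data)
```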
S606. The CGN device sends the first data packet to the server.
For example, after obtaining the first data packet, the CGN device translates the internal private IP address into a public IP address and sends the first data packet to the server, which is accessed according to the request in the first data packet. The CGN looks up the NAT forward session table using the five-tuple (source IP address, destination IP address, source port number, destination port number, protocol number) and translates the private network IP address into a public IP address.
In the packet processing method provided by this embodiment, the access device establishes at least one tunnel to the CGN device, and the GRE packets received by the CGN carry user identifiers, allowing the GRE packets of multiple users to share the same tunnel. With this implementation, when a large number of users access the network, the overhead of tunnel resources is reduced, the configuration process is simplified, and system overhead and network resources are saved.
Optionally, the CGN device receives a second data packet sent by the server to a second client; the CGN device obtains the address of the second client, obtains, according to the mapping relationship between client addresses and user identifiers, the second user identifier corresponding to the second client, and performs GRE encapsulation on the second data packet to obtain a second GRE packet carrying the second user identifier; the CGN device then sends the second GRE packet to the access device through the at least one tunnel.
举例来说,CGN设备接收所述服务器发送的第二数据报文,根据前述,第二数据报文相对于第一数据报文是下行数据流方向,CGN通过五元组(源IP地址,目的IP地址,源端口号,目的端口号,协议号)信息查找NAT反向会话表,将公网IP地址翻译成私有网络的IP地址,CGN设备上建立有用户端地址与用户标识的映射关系,其中,可选的,用户端地址可以包括IP地址,所述映射关系的信息可以由运营商周期或实时更新。根据映射关系,CGN设备获取与所述第一用户端对应的所述第一用户标识,将所述第二数据报文进行GRE封装,得到第二GRE报文,所述第二GRE报文携带所述第二用户标识;所述CGN设备通过所述至少一条隧道向所述接入设备发送所述第二GRE报文。其中,对第二GRE报文的封装、第二GRE报文携带第二用户标识、及通过隧道发送数据的具体过程请参见第一实施例中的相应描述。同样的,对于第二用户标识在GRE报文中的具体位置不做限定,示例性的,例如其可以位于GRE报文头中,或位于报文有效载荷中、或其他位置,只要保证GRE报文携带用户标识,均可实现本实施例。For example, the CGN device receives the second data packet sent by the server. According to the foregoing, the second data packet is in the downlink data flow direction with respect to the first data packet, and the CGN passes the quintuple (source IP address, destination). The IP address, the source port number, the destination port number, and the protocol number are used to search the NAT reverse session table, and the public network IP address is translated into the IP address of the private network. The mapping relationship between the user address and the user identifier is established on the CGN device. Optionally, the client address may include an IP address, and the information of the mapping relationship may be updated by an operator cycle or in real time. According to the mapping relationship, the CGN device acquires the first user identifier corresponding to the first user end, and performs the GRE encapsulation on the second data packet to obtain a second GRE packet, where the second GRE packet carries The second user identifier is sent by the CGN device to the access device by using the at least one tunnel. For the specific process of encapsulating the second GRE packet, the second GRE packet carrying the second user identifier, and transmitting the data through the tunnel, refer to the corresponding description in the first embodiment. 
Similarly, the specific location of the second user identifier in the GRE packet is not limited, for example, it may be located in the GRE packet header, or in the packet payload, or other location, as long as the GRE report is guaranteed. This embodiment can be implemented by carrying a user identifier.
可选的,所述第一GRE报文的GRE头承载所述第一用户标识。类似地,所述第二GRE报文的GRE头承载所述第二用户标识。Optionally, the GRE header of the first GRE packet carries the first user identifier. Similarly, the GRE header of the second GRE message carries the second user identifier.
举例来说,GRE报文通过GRE头承载用户标识的具体实现方式请参见第一实施例中的相应描述,其具有相同的原理和技术效果,此处不再进行 赘述。For the specific implementation of the GRE packet carrying the user identifier through the GRE header, refer to the corresponding description in the first embodiment, which has the same principle and technical effect, and is not performed here. Narration.
可选的,在通过所述至少一条隧道发送所述第二GRE报文之前,对所述第二GRE报文进行IPsec封装。Optionally, before the sending the second GRE packet by using the at least one tunnel, performing IPsec encapsulation on the second GRE packet.
举例来说,对GRE报文进行IPsec封装的原理和实现方式请参见第一实施例中的相应描述,其具有相同的原理和技术效果,此处不再进行赘述。For example, the principles and implementations of the IPsec encapsulation of the GRE packets are described in the corresponding description in the first embodiment, which have the same principles and technical effects, and are not described herein again.
FIG. 7 is a flowchart of an application scenario according to an embodiment of the present invention. The application scenario can execute the packet processing method of the first embodiment and/or the second embodiment described above. As shown in FIG. 7, the devices in the application scenario include a service device, a layer-2 customer premises equipment (L2-CPE), an access device, a CGN device and a server; optionally, the access device may be a BRAS device, and the server may be an Internet server. Specifically, the L2-CPE provides basic layer-2 forwarding. As the user end, the L2-CPE connects downstream to multiple service devices, which may be, but are not limited to, personal computers, smart mobile terminals, IPTV and smart security equipment. Upstream, the L2-CPE connects to the BRAS device through a communication network (for example, a metro network). The BRAS device takes over the control-plane functions of a traditional integrated CPE (for example, user management and data forwarding), so that user-end management is completed by attaching L2-CPEs beneath the BRAS. The BRAS device connects to the CGN device through a communication network (for example, a core network), the BRAS device establishes at least one tunnel with the CGN device, and the CGN device connects to the Internet. It should be noted that the L2-CPE shown in FIG. 7 is not limiting; a traditional CPE may also be used in practical applications.
As shown in FIG. 7, the process can be divided according to the direction of data flow into an upstream process and a downstream process, which are described separately below. It should be noted that, unless otherwise stated, the Tunnel- appearing in this embodiment is equivalent to the user identifier of the present invention.
For the upstream process:
S700. The BRAS device receives the first data packet sent by user 1;
S702. The BRAS device obtains Tunnel-1 corresponding to user 1 and performs GRE encapsulation on the first data packet to obtain a first GRE packet, where the first GRE packet carries Tunnel-1;
A mapping relationship between user-end addresses and Tunnel- is established on the BRAS device.
S704. The BRAS device sends the first GRE packet through the GRE tunnel;
S706. The CGN device receives the first GRE packet through the GRE tunnel;
S708. The CGN device decapsulates the first GRE packet and obtains the first data packet;
S710. The CGN device sends the first data packet to the Internet.
For the downstream process:
S720. The CGN device receives the second data packet sent from the Internet;
S722. The CGN device obtains Tunnel-2 corresponding to user 2 and performs GRE encapsulation on the second data packet to obtain a second GRE packet, where the second GRE packet carries Tunnel-2;
A mapping relationship between user-end addresses and Tunnel- is established on the CGN device.
S724. The CGN device sends the second GRE packet through the GRE tunnel;
S726. The BRAS device receives the second GRE packet through the GRE tunnel;
S728. The BRAS device decapsulates the second GRE packet and obtains the second data packet;
S730. The BRAS device sends the second data packet to user 2.
The BRAS device and the CGN device shown in FIG. 7 may be used to perform the corresponding steps performed by the access device and the CGN device in the method of the foregoing embodiments. Because the access device establishes at least one tunnel with the CGN device, the GRE packets of multiple users can share the same tunnel; thus, when a massive number of users access the network, the overhead of tunnel resources is reduced, the configuration process is simplified, and system overhead and network resources are saved.
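The upstream and downstream processes above, written out as an added example that is not part of the patent: the per-user identifier (Tunnel-1, Tunnel-2) is carried in the RFC 2890 GRE Key field, which is one of the header locations the text allows but does not prescribe, and the outer IP and IPsec layers are omitted. The mapping tables, addresses and the check that the identifier in a received packet agrees with the inner address are constructed here and are not specified by the patent.

```python
"""Shared BRAS<->CGN GRE tunnel with a per-user identifier in the Key field.

Added example, not code from the patent. Assumed: the user identifier
(Tunnel-1/Tunnel-2) rides in the 32-bit Key field (RFC 2890); the outer
IP/IPsec encapsulation and the CGN's NAT session tables are out of scope."""
import ipaddress
import struct

GRE_FLAG_CHECKSUM = 0x8000  # C bit
GRE_FLAG_KEY = 0x2000       # K bit: a 4-byte Key field follows the base header
GRE_FLAG_SEQUENCE = 0x1000  # S bit
GRE_VERSION_MASK = 0x0007
ETHERTYPE_IPV4 = 0x0800     # GRE protocol type of an IPv4 payload
GRE_HDR_LEN_WITH_KEY = 8    # 4-byte base header + 4-byte Key field

# Constructed sample mapping (client address -> user identifier), as held on
# both the BRAS and the CGN in the patent: user 1 -> Tunnel-1, user 2 -> Tunnel-2.
MAPPING = {"10.0.0.1": 1, "10.0.0.2": 2}


class TunnelError(ValueError):
    """Raised when a packet fails a check at a tunnel endpoint."""


def make_ipv4(src: str, dst: str, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 packet as constructed test input (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


def ipv4_addresses(inner: bytes) -> tuple[str, str]:
    """Return (source, destination) addresses of a raw IPv4 packet."""
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise TunnelError("inner packet is not IPv4")
    return (str(ipaddress.IPv4Address(inner[12:16])),
            str(ipaddress.IPv4Address(inner[16:20])))


def gre_encapsulate(inner: bytes, user_id: int) -> bytes:
    """Prepend a GRE header whose Key field carries user_id (K bit set)."""
    if not 0 <= user_id <= 0xFFFFFFFF:
        raise TunnelError("user identifier must fit the 32-bit Key field")
    return struct.pack("!HHI", GRE_FLAG_KEY, ETHERTYPE_IPV4, user_id) + inner


def gre_decapsulate(gre_packet: bytes) -> tuple[int, bytes]:
    """Strip the GRE header and return (user_id, inner packet).

    A packet without the K bit carries no user identifier and cannot be
    attributed to a user, so it is rejected rather than forwarded."""
    if len(gre_packet) < GRE_HDR_LEN_WITH_KEY:
        raise TunnelError("truncated GRE header")
    flags, proto, key = struct.unpack("!HHI", gre_packet[:GRE_HDR_LEN_WITH_KEY])
    if flags & GRE_VERSION_MASK:
        raise TunnelError("unsupported GRE version")
    if not flags & GRE_FLAG_KEY:
        raise TunnelError("GRE packet carries no Key field, hence no user identifier")
    if flags & (GRE_FLAG_CHECKSUM | GRE_FLAG_SEQUENCE):
        # Checksum and sequence words would shift the Key offset; not handled here.
        raise TunnelError("checksum/sequence options not supported in this example")
    if proto != ETHERTYPE_IPV4:
        raise TunnelError("unexpected GRE protocol type 0x%04x" % proto)
    return key, gre_packet[GRE_HDR_LEN_WITH_KEY:]


def bras_upstream(inner: bytes, mapping: dict) -> bytes:
    """S700-S704: look up the client source address, encapsulate with its identifier."""
    src, _ = ipv4_addresses(inner)
    if src not in mapping:
        raise TunnelError("no user identifier mapped for client %s" % src)
    return gre_encapsulate(inner, mapping[src])


def cgn_upstream(gre_packet: bytes, mapping: dict) -> bytes:
    """S706-S708: decapsulate; added check that the key matches the inner source."""
    user_id, inner = gre_decapsulate(gre_packet)
    src, _ = ipv4_addresses(inner)
    if mapping.get(src) != user_id:
        raise TunnelError("identifier %d does not match client %s" % (user_id, src))
    return inner  # S710: forwarded to the Internet after NAT (not shown)


def cgn_downstream(inner: bytes, mapping: dict) -> bytes:
    """S720-S724: the inner destination (after reverse NAT) selects the identifier."""
    _, dst = ipv4_addresses(inner)
    if dst not in mapping:
        raise TunnelError("no user identifier mapped for client %s" % dst)
    return gre_encapsulate(inner, mapping[dst])


def bras_downstream(gre_packet: bytes, mapping: dict) -> tuple[int, bytes]:
    """S726-S728: decapsulate; added check that the key matches the inner destination."""
    user_id, inner = gre_decapsulate(gre_packet)
    _, dst = ipv4_addresses(inner)
    if mapping.get(dst) != user_id:
        raise TunnelError("identifier %d does not match client %s" % (user_id, dst))
    return user_id, inner  # S730: delivered to the user identified by user_id


if __name__ == "__main__":
    up = bras_upstream(make_ipv4("10.0.0.1", "203.0.113.5", b"req"), MAPPING)
    print("upstream GRE header:", up[:8].hex())  # key 00000001 = Tunnel-1
    print("CGN recovered inner packet:", cgn_upstream(up, MAPPING).hex())
    down = cgn_downstream(make_ipv4("203.0.113.5", "10.0.0.2", b"rsp"), MAPPING)
    print("BRAS delivers to user", bras_downstream(down, MAPPING)[0])
```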
FIG. 8 is a schematic structural diagram of an access device according to an embodiment of the present invention. As shown in FIG. 8, at least one tunnel exists between the access device and the CGN device; the access device includes a first receiving unit 802, a processing unit 804 and a first sending unit 806:
The first receiving unit 802 is configured to receive a first data packet sent by a first user end;
The processing unit 804 is configured to obtain the address of the first user end from the first data packet, obtain the first user identifier corresponding to the first user end according to the mapping relationship between user-end addresses and user identifiers, and perform GRE encapsulation on the first data packet to obtain a first GRE packet, where the first GRE packet carries the first user identifier;
The first sending unit 806 is configured to send the first GRE packet to the CGN device through the at least one tunnel.
Optionally, the access device further includes a second receiving unit 808 and a second sending unit 810. The second receiving unit 808 is configured to receive a second GRE packet sent by the CGN device through the at least one tunnel, where the second GRE packet is obtained by the CGN device performing GRE encapsulation on a second data packet sent by the server to a second user end, and the second GRE packet carries the second user identifier corresponding to the second user end; the processing unit 804 is further configured to decapsulate the second GRE packet and the second user identifier to obtain the second data packet; the second sending unit 810 is configured to send the second data packet to the second user end.
Optionally, the GRE header of the first GRE packet carries the first user identifier. Similarly, the GRE header of the second GRE packet carries the second user identifier.
Optionally, the processing unit 804 is further configured to perform IPsec encapsulation on the first GRE packet before the first GRE packet is sent through the at least one tunnel.
The access device shown in FIG. 8 may be used to perform the corresponding steps performed by the access device in the method of the foregoing embodiments. Because at least one tunnel exists between the access device and the CGN device, the GRE packets of multiple users can share the same tunnel; thus, when a massive number of users access the network, the overhead of tunnel resources is reduced, the configuration process is simplified, and system overhead and network resources are saved.
FIG. 9 is a schematic diagram of the hardware structure of an access device according to an embodiment of the present invention. As shown in FIG. 9, the access device includes a processor 901, a memory 902, an interface 903 and a bus 904. The interface 903 may be implemented in a wireless or wired manner and may specifically be a component such as a network interface card (NIC). The processor 901, the memory 902 and the interface 903 are connected through the bus 904.
The memory 902 is configured to store program code; optionally, the program code may include an operating system program and an application program.
The interface 903 is configured to receive a first data packet sent by a first user end;
The processor 901 is configured to obtain the address of the first user end from the first data packet, obtain the first user identifier corresponding to the first user end according to the mapping relationship between user-end addresses and user identifiers, and perform GRE encapsulation on the first data packet to obtain a first GRE packet, where the first GRE packet carries the first user identifier;
The interface 903 is further configured to send the first GRE packet to the CGN device through the at least one tunnel.
Optionally, the interface 903 is further configured to receive a second GRE packet sent by the CGN device through the at least one tunnel, where the second GRE packet is obtained by the CGN device performing GRE encapsulation on a second data packet sent by the server to a second user end, and the second GRE packet carries the second user identifier corresponding to the second user end; the processor 901 is further configured to decapsulate the second GRE packet and the second user identifier to obtain the second data packet; the interface 903 is further configured to send the second data packet to the second user end.
Optionally, the GRE header of the first GRE packet carries the first user identifier. Similarly, the GRE header of the second GRE packet carries the second user identifier.
Optionally, the processor 901 is further configured to perform IPsec encapsulation on the first GRE packet before the first GRE packet is sent through the at least one tunnel.
The access device shown in FIG. 9 may be used to perform the corresponding steps performed by the access device in the method of the foregoing embodiments. Because at least one tunnel exists between the access device and the CGN device, the GRE packets of multiple users can share the same tunnel; thus, when a massive number of users access the network, the overhead of tunnel resources is reduced, the configuration process is simplified, and system overhead and network resources are saved.
FIG. 10 is a schematic structural diagram of a CGN device according to an embodiment of the present invention. As shown in FIG. 10, at least one tunnel exists between the access device and the CGN device; the CGN device includes a first receiving unit 1002, a processing unit 1004 and a first sending unit 1006:
The first receiving unit 1002 is configured to receive a first GRE packet sent by the access device through the at least one tunnel, where the first GRE packet is obtained by the access device performing GRE encapsulation on a first data packet from a first user end, and the first GRE packet carries the first user identifier corresponding to the first user end;
The processing unit 1004 is configured to decapsulate the first GRE packet and obtain the first data packet;
The first sending unit 1006 is configured to send the first data packet to a server.
Optionally, the CGN device further includes a second receiving unit 1008 and a second sending unit 1010. The second receiving unit 1008 is configured to receive a second data packet sent by the server to a second user end; the processing unit 1004 is further configured to obtain the second user identifier corresponding to the second user end according to the mapping relationship between user-end addresses and user identifiers, and perform GRE encapsulation on the second data packet to obtain a second GRE packet, where the second GRE packet carries the second user identifier; the second sending unit 1010 is configured to send the second GRE packet to the access device through the at least one tunnel.
Optionally, the GRE header of the first GRE packet carries the first user identifier. Similarly, the GRE header of the second GRE packet carries the second user identifier.
Optionally, the processing unit 1004 is further configured to perform IPsec encapsulation on the second GRE packet before the second GRE packet is sent through the at least one tunnel.
The CGN device shown in FIG. 10 may be used to perform the corresponding steps performed by the CGN device in the method of the foregoing embodiments. Because at least one tunnel exists between the access device and the CGN device, the GRE packets of multiple users can share the same tunnel; thus, when a massive number of users access the network, the overhead of tunnel resources is reduced, the configuration process is simplified, and system overhead and network resources are saved.
FIG. 11 is a schematic diagram of the hardware structure of a CGN device according to an embodiment of the present invention. As shown in FIG. 11, the CGN device includes a processor 1101, a memory 1102, an interface 1103 and a bus 1104. The interface 1103 may be implemented in a wireless or wired manner and may specifically be a component such as a network interface card (NIC). The processor 1101, the memory 1102 and the interface 1103 are connected through the bus 1104.
The memory 1102 is configured to store program code; optionally, the program code may include an operating system program and an application program.
The interface 1103 is configured to receive a first GRE packet sent by the access device through the at least one tunnel, where the first GRE packet is obtained by the access device performing GRE encapsulation on a first data packet from a first user end, and the first GRE packet carries the first user identifier corresponding to the first user end;
The processor 1101 is configured to decapsulate the first GRE packet and obtain the first data packet;
The interface 1103 is further configured to send the first data packet to a server.
Optionally, the interface 1103 is further configured to receive a second data packet sent by the server to a second user end; the processor 1101 is further configured to obtain the second user identifier corresponding to the second user end according to the mapping relationship between user-end addresses and user identifiers, and perform GRE encapsulation on the second data packet to obtain a second GRE packet, where the second GRE packet carries the second user identifier; the interface 1103 is further configured to send the second GRE packet to the access device through the at least one tunnel.
Optionally, the GRE header of the first GRE packet carries the first user identifier. Similarly, the GRE header of the second GRE packet carries the second user identifier.
Optionally, the processor 1101 is further configured to perform IPsec encapsulation on the second GRE packet before the second GRE packet is sent through the at least one tunnel.
The CGN device shown in FIG. 11 may be used to perform the corresponding steps performed by the CGN device in the method of the foregoing embodiments. Because at least one tunnel exists between the access device and the CGN device, the GRE packets of multiple users can share the same tunnel; thus, when a massive number of users access the network, the overhead of tunnel resources is reduced, the configuration process is simplified, and system overhead and network resources are saved.
FIG. 12 is a schematic structural diagram of a system according to an embodiment of the present invention. As shown in FIG. 12, the system includes an access device and a CGN device. The system can carry out the technical solutions of the first embodiment and the second embodiment; the implementation principle and technical effect are similar and are not repeated here.
Those of ordinary skill in the art will understand that aspects of the present invention, or possible implementations of those aspects, may be embodied as a system, a method or a computer program product. Accordingly, aspects of the present invention, or possible implementations thereof, may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software and the like), or an embodiment combining software and hardware aspects, all of which are collectively referred to herein as a "circuit", "module" or "system". Furthermore, aspects of the present invention, or possible implementations thereof, may take the form of a computer program product, which refers to computer-readable program code stored in a computer-readable medium.
The computer-readable medium may be a computer-readable signal medium or a computer-readable storage medium. A computer-readable storage medium includes, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, device or apparatus, or any suitable combination of the foregoing, such as random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM) or flash memory, optical fiber, or compact disc read-only memory (CD-ROM).
A processor in a computer reads the computer-readable program code stored in the computer-readable medium, so that the processor can perform the functional actions specified in each step of the flowchart, or in combinations of steps, and produce the apparatus that implements the functional actions specified in each block of the block diagram, or in combinations of blocks.
The computer-readable program code may execute entirely on the user's local computer, partly on the user's local computer, as a stand-alone software package, partly on the user's local computer and partly on a remote computer, or entirely on a remote computer or server. It should also be noted that, in some alternative implementations, the functions noted in the steps of the flowchart or in the blocks of the block diagram may occur out of the order noted in the figures. For example, depending on the functionality involved, two steps or two blocks shown in succession may in fact be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order.
It is apparent that those skilled in the art can make various modifications and variations to the present invention without departing from the spirit and scope of the present invention. Thus, provided that these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to encompass these modifications and variations.

Claims (17)

  1. A packet processing method, characterized in that the method comprises:
    an access device establishing at least one tunnel with a carrier-grade network address translation (CGN) device;
    the access device receiving a first data packet sent by a first user end;
    the access device obtaining a first user-end address carried in the first data packet, obtaining a first user identifier corresponding to the first user-end address according to a mapping relationship between user-end addresses and user identifiers, and performing Generic Routing Encapsulation (GRE) on the first data packet sent by the first user end to obtain a first GRE packet, where the first GRE packet carries the first user identifier;
    the access device sending the first GRE packet to the CGN device through the at least one tunnel.
  2. The method according to claim 1, characterized in that it further comprises:
    the access device receiving a second GRE packet sent by the CGN device through the at least one tunnel, where the second GRE packet is obtained by the CGN device performing GRE encapsulation on a second data packet sent by a server to a second user end, and the second GRE packet carries a second user identifier corresponding to the second user end;
    the access device decapsulating the second GRE packet to obtain the second data packet;
    the access device sending the second data packet to the second user end.
  3. The method according to claim 1 or 2, characterized in that the GRE header of the first GRE packet carries the first user identifier.
  4. The method according to any one of claims 1-3, characterized in that, before the first GRE packet is sent through the at least one tunnel, the method further comprises: performing Internet Protocol Security (IPsec) encapsulation on the first GRE packet.
  5. A packet processing method, characterized in that the method is applied to a carrier-grade network address translation (CGN) device, at least one tunnel established by an access device exists between the CGN device and the access device, and the method comprises:
    the CGN device receiving a first Generic Routing Encapsulation (GRE) packet sent by the access device through the at least one tunnel, where the first GRE packet is obtained by the access device performing GRE encapsulation on a first data packet from a first user end, and the first GRE packet carries a first user identifier corresponding to the first user end;
    the CGN device decapsulating the first GRE packet to obtain the first data packet;
    the CGN device sending the first data packet to a server.
  6. The method according to claim 5, characterized in that it further comprises:
    the CGN device receiving a second data packet sent by the server to a second user end;
    the CGN device obtaining the address of the second user end, obtaining a second user identifier corresponding to the second user end according to a mapping relationship between user-end addresses and user identifiers, and performing GRE encapsulation on the second data packet to obtain a second GRE packet, where the second GRE packet carries the second user identifier;
    the CGN device sending the second GRE packet to the access device through the at least one tunnel.
  7. The method according to claim 5 or 6, characterized in that the GRE header of the first GRE packet carries the first user identifier.
  8. The method according to claim 6 or 7, characterized in that, before the second GRE packet is sent through the at least one tunnel, the method further comprises: performing Internet Protocol Security (IPsec) encapsulation on the second GRE packet.
  9. An access device, characterized in that at least one tunnel exists between the access device and a carrier-grade network address translation (CGN) device, and the access device comprises:
    a first receiving unit, configured to receive a first data packet sent by a first user end;
    a processing unit, configured to obtain the address of the first user end from the first data packet, obtain a first user identifier corresponding to the first user end according to a mapping relationship between user-end addresses and user identifiers, and perform Generic Routing Encapsulation (GRE) on the first data packet to obtain a first GRE packet, where the first GRE packet carries the first user identifier;
    a first sending unit, configured to send the first GRE packet to the CGN device through the at least one tunnel.
  10. The access device according to claim 9, characterized in that it further comprises a second receiving unit and a second sending unit, wherein:
    the second receiving unit is configured to receive a second GRE packet sent by the CGN device through the at least one tunnel, where the second GRE packet is obtained by the CGN device performing GRE encapsulation on a second data packet sent by a server to a second user end, and the second GRE packet carries a second user identifier corresponding to the second user end;
    the processing unit is further configured to decapsulate the second GRE packet and the second user identifier to obtain the second data packet;
    the second sending unit is configured to send the second data packet to the second user end.
  11. The access device according to claim 9 or 10, characterized in that the GRE header of the first GRE packet carries the first user identifier.
  12. The access device according to any one of claims 9-11, characterized in that the processing unit is further configured to perform Internet Protocol Security (IPsec) encapsulation on the first GRE packet before the first GRE packet is sent through the at least one tunnel.
  13. A carrier-grade network address translation (CGN) device, characterized in that at least one tunnel established by an access device exists between the CGN device and the access device, and the CGN device comprises:
    a first receiving unit, configured to receive a first Generic Routing Encapsulation (GRE) packet sent by the access device through the at least one tunnel, where the first GRE packet is obtained by the access device performing GRE encapsulation on a first data packet from a first user end, and the first GRE packet carries a first user identifier corresponding to the first user end;
    a processing unit, configured to decapsulate the first GRE packet to obtain the first data packet;
    a first sending unit, configured to send the first data packet to a server.
  14. The CGN device according to claim 13, characterized in that it further comprises a second receiving unit and a second sending unit, wherein
    所述第二接收单元,用于接收所述服务器发往第二用户端的第二数据报文;The second receiving unit is configured to receive a second data packet sent by the server to the second user end;
    所述处理单元,还用于根据用户端地址与用户标识的映射关系,获取与所述第二用户端对应的第二用户标识,将所述第二数据报文进行GRE封装,得到第二GRE报文,所述第二GRE报文携带所述第二用户标识;The processing unit is further configured to: obtain a second user identifier corresponding to the second user end according to the mapping relationship between the user address and the user identifier, and perform GRE encapsulation on the second data packet to obtain a second GRE. a packet, the second GRE packet carrying the second user identifier;
    所述第二发送单元,用于通过所述至少一条隧道向所述接入设备发送所述第二GRE报文。The second sending unit is configured to send the second GRE message to the access device by using the at least one tunnel.
  15. 根据权利要求13或14所述的CGN设备,其特征在于,所述第一GRE报文的GRE头承载所述第一用户标识。The CGN device according to claim 13 or 14, wherein the GRE header of the first GRE message carries the first user identifier.
  16. 根据权利要求14或15所述的CGN设备,其特征在于,所述处理单元,还用于在通过所述至少一条隧道发送所述第二GRE报文之前,对所述第二GRE报文进行因特网协议安全IPsec协议封装。The CGN device according to claim 14 or 15, wherein the processing unit is further configured to perform the second GRE message before sending the second GRE message through the at least one tunnel Internet Protocol Secure IPsec Protocol Encapsulation.
  17. 一种报文处理系统,其特征在于,包括权利要求9-12中任一项所述的接入设备和权利要求13-16中任一项所述的CGN设备。 A message processing system, comprising the access device according to any one of claims 9-12 and the CGN device according to any one of claims 13-16.
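The uplink and downlink processing the claims describe, as an added example written for this page and not code from the patent or its assignee. It assumes the user identifier is carried in the GRE Key field (RFC 2890); the claims only say the GRE header carries it. The client-address-to-user-identifier mapping and the IPv4 packets are constructed, the IPsec step of claims 8, 12 and 16 is left out, and the CGN-side consistency check (rejecting a packet whose carried identifier does not match the inner client address) is an added defensive measure, not a claim element.

```python
"""GRE tunnel carrying a per-client user identifier between an access device and a CGN."""
import struct
from ipaddress import IPv4Address

# GRE header (RFC 2784/2890): flags+version, protocol type, then a 4-byte Key when
# the K bit is set. Carrying the user identifier in the Key is this example's assumption.
GRE_K_BIT = 0x2000
ETHERTYPE_IPV4 = 0x0800

# Constructed mapping table shared by the access device and the CGN device.
USER_MAP = {"10.0.0.5": 1001, "10.0.0.6": 1002}


def gre_encap(user_id, data_packet):
    """Wrap an IPv4 data packet in a keyed GRE header carrying user_id."""
    return struct.pack("!HHI", GRE_K_BIT, ETHERTYPE_IPV4, user_id) + data_packet


def gre_decap(gre_packet):
    """Strip the GRE header; reject anything that is not a keyed IPv4-in-GRE packet."""
    if len(gre_packet) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, user_id = struct.unpack("!HHI", gre_packet[:8])
    if flags != GRE_K_BIT or proto != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE flags/version or protocol type")
    return user_id, gre_packet[8:]


def ipv4_packet(src, dst, payload):
    """Constructed minimal IPv4 header (no options, checksum left zero) for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed) + payload


def access_uplink(user_map, data_packet):
    """Access device: map the client (inner source) address to its identifier, then encapsulate."""
    src = str(IPv4Address(data_packet[12:16]))
    return gre_encap(user_map[src], data_packet)


def cgn_uplink(user_map, gre_packet):
    """CGN device: decapsulate; added check that the carried identifier owns the inner source."""
    user_id, data_packet = gre_decap(gre_packet)
    src = str(IPv4Address(data_packet[12:16]))
    if user_map.get(src) != user_id:
        raise ValueError(f"user id {user_id} does not match client {src}")
    return data_packet


def cgn_downlink(user_map, data_packet):
    """CGN device: server-to-client packet, identifier looked up from the inner destination."""
    dst = str(IPv4Address(data_packet[16:20]))
    return gre_encap(user_map[dst], data_packet)
```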
PCT/CN2015/097553 2015-05-13 2015-12-16 Message processing method, device and system WO2016180020A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510243026.3A CN104993993B (en) 2015-05-13 2015-05-13 A kind of message processing method, equipment and system
CN201510243026.3 2015-05-13

Publications (1)

Publication Number Publication Date
WO2016180020A1 true WO2016180020A1 (en) 2016-11-17

Family

ID=54305749

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/097553 WO2016180020A1 (en) 2015-05-13 2015-12-16 Message processing method, device and system

Country Status (2)

Country Link
CN (1) CN104993993B (en)
WO (1) WO2016180020A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112188301A (en) * 2019-07-04 2021-01-05 中国电信股份有限公司 Communication method, device, system, terminal and computer readable storage medium
CN112217909A (en) * 2019-07-11 2021-01-12 奇安信科技集团股份有限公司 Data forwarding method and data forwarding device based on session
CN113965910A (en) * 2021-11-17 2022-01-21 交控科技股份有限公司 Vehicle-ground communication redundant networking architecture

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104993993B (en) * 2015-05-13 2018-06-15 华为技术有限公司 A kind of message processing method, equipment and system
CN111490923B (en) * 2017-06-16 2021-10-01 华为技术有限公司 Message encapsulation method, device and system based on BRAS (broadband remote Access Server) system
CN108667695B (en) * 2017-09-06 2020-12-29 新华三技术有限公司 Backup method and device for BRAS transfer control separation
CN112887211B (en) * 2021-01-26 2021-11-16 北京树米网络科技有限公司 Internet protocol message data forwarding system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101128013A (en) * 2006-08-14 2008-02-20 华为技术有限公司 A switching method for access gateway in mobile communication system
CN102546362A (en) * 2010-12-20 2012-07-04 中兴通讯股份有限公司 Message processing method, message processing system and customer premises equipment
US20130083691A1 (en) * 2011-10-04 2013-04-04 Juniper Networks, Inc. Methods and apparatus for a self-organized layer-2 enterprise network architecture
CN104993993A (en) * 2015-05-13 2015-10-21 华为技术有限公司 Message processing method, device, and system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101325557A (en) * 2008-07-25 2008-12-17 华为技术有限公司 Method, system and apparatus for sharing tunnel load
CN102624935A (en) * 2011-01-26 2012-08-01 华为技术有限公司 Method, device and system for forwarding packet
CN102546407B (en) * 2011-12-29 2018-01-23 江苏悦达数梦技术有限公司 File transmitting method and device

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112188301A (en) * 2019-07-04 2021-01-05 中国电信股份有限公司 Communication method, device, system, terminal and computer readable storage medium
CN112188301B (en) * 2019-07-04 2022-07-22 中国电信股份有限公司 Communication method, apparatus, system, terminal, and computer-readable storage medium
CN112217909A (en) * 2019-07-11 2021-01-12 奇安信科技集团股份有限公司 Data forwarding method and data forwarding device based on session
CN113965910A (en) * 2021-11-17 2022-01-21 交控科技股份有限公司 Vehicle-ground communication redundant networking architecture
CN113965910B (en) * 2021-11-17 2024-03-15 交控科技股份有限公司 Redundant networking architecture for vehicle-ground communication

Also Published As

Publication number Publication date
CN104993993B (en) 2018-06-15
CN104993993A (en) 2015-10-21

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15891714

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15891714

Country of ref document: EP

Kind code of ref document: A1