WO2017063578A1 - Data packet processing method and apparatus - Google Patents

Data packet processing method and apparatus

Info

Publication number
WO2017063578A1
Authority
WO
WIPO (PCT)
Prior art keywords
mac
entry
learned
data packet
mac address
Prior art date
Application number
PCT/CN2016/102045
Other languages
English (en)
Chinese (zh)
Inventor
龙裕
Original Assignee
中兴通讯股份有限公司
Priority date
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2017063578A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]

Definitions

  • MAC: Media Access Control or Medium Access Control
  • IP whitelist/blacklist: IP binding
  • TCP connection limit
  • MAC binding/IP binding requires a dedicated binding table. After the service receives a data stream on a specific port and obtains the MAC/IP address used by that port, it writes the MAC/IP address into the binding table, and then blocks subsequent data forwarding for MAC/IP addresses according to whether they appear in the binding table (whitelist or blacklist mode).
  • The MAC learning limit function can be based on a port or a VLAN. After the number of MAC entries learned from the specified port or VLAN reaches the limit, no new MAC address is learned, and data streams carrying a new source MAC address are discarded.
  • The TCP connection limit technique counts the TCP connections established by a user; after the limit is reached, packets for new connections are discarded.
  • Some of these techniques consume more resources and may reduce system performance (MAC/IP binding); some require more involvement from upper-layer protocols (MAC/IP binding and TCP connection limiting); and with the MAC learning limit function enabled, once the MAC address entries of a specific port have aged out, a malicious user, an illegal user, or a new device of the user can still be learned on that port and gain access through it.
  • The embodiment of the invention provides a data forwarding method and device, which can solve at least the problem that the MAC learning function in the related art cannot restrict user access after the MAC address entries of a specific port have aged.
  • A data packet processing method includes: configuring a non-aging function for a dynamic media access control (MAC) entry of a predetermined port, where the non-aging function means that no aging processing is performed on the MAC entry; and processing the data packet according to the configuration of the port.
  • If the MAC entry corresponding to the source MAC address is learned, the data packet is forwarded; if the MAC entry corresponding to the source MAC address is not learned, the data packet is discarded.
  • The method further includes: configuring, for the dynamic MAC addresses of the predetermined port, the number of MAC entries the port is allowed to learn.
  • Learning the MAC address of the data packet according to the configuration of the port includes: if the number of learned MAC entries is less than the number of MAC entries allowed to be learned, determining whether the MAC entry already exists; if it does not, the MAC entry corresponding to the source MAC address is learned; if it does, the data packet is forwarded directly. If the number of learned MAC entries is greater than the number of MAC entries allowed to be learned, the MAC entry corresponding to the source MAC address is not learned.
  • The non-aging function is configured for the dynamic MAC entry of the predetermined port by setting all bits of the MAC entry's aging time field to 1, and/or by setting the dynamic non-aging field to 1.
  • A data packet processing apparatus includes: a configuration module, configured to configure a non-aging function for a dynamic media access control (MAC) entry of a predetermined port, where the non-aging function means that the MAC entry is not aged; and a processing module, configured to process the data packet according to the configuration of the port.
  • The learning unit includes: a determining subunit, configured to determine, when the number of learned MAC entries is less than the number of MAC entries allowed to be learned, whether the MAC entry already exists; if it does not, it determines that the MAC entry corresponding to the source MAC address is learned, and if it does, the data packet is forwarded directly; and a further determining subunit, configured to determine that the MAC entry corresponding to the source MAC address is not learned when the number of learned MAC entries is greater than the number allowed to be learned.
  • A storage medium is also provided, arranged to store program code for performing the following steps: configuring a non-aging function for the dynamic media access control (MAC) entry of the predetermined port, where the non-aging function performs no aging processing on the MAC entry; and processing the data packet according to the configuration of the port.
  • This solves the problem that the MAC learning function in the related art cannot limit user access after the MAC address entries of a specific port have aged, and effectively limits user access after the MAC entry has aged.
  • FIG. 2 is a block diagram of a data packet processing apparatus according to an embodiment of the present invention.
  • FIG. 3 is a first block diagram of a data packet processing apparatus according to a preferred embodiment of the present invention.
  • FIG. 4 is a second block diagram of a data packet processing apparatus according to a preferred embodiment of the present invention.
  • FIG. 1 is a flowchart of a data packet processing method according to an embodiment of the present invention.
  • Step S102: configure a non-aging function for the dynamic media access control (MAC) address entry of the predetermined port, where the non-aging function performs no aging processing on the MAC entry.
  • Step S104: process the data packet according to the configuration of the port.
  • Because the dynamic MAC address entry of the predetermined port is not aged and the data packet is processed according to the port configuration, the problem that the MAC learning function in the related art cannot limit user access after the MAC address entries of a specific port have aged is solved, and user access after the MAC entry has aged is effectively limited.
  • Processing the data packet according to the configuration of the port may include: learning the source MAC address of the data packet according to the port configuration; forwarding the data packet if the MAC entry corresponding to the source MAC address is learned; or discarding the data packet if the MAC entry corresponding to the source MAC address is not learned.
  • The number of MAC entries allowed to be learned is configured for the dynamic MAC addresses of the predetermined port, in preparation for MAC address learning.
  • Learning the MAC address of the data packet according to the configuration of the port may include: if the number of learned MAC entries is less than the number of MAC entries allowed to be learned, determining whether the MAC entry already exists; if it does not, the MAC entry corresponding to the source MAC address is learned; if it does, the data packet is forwarded directly. If the number of learned MAC entries is greater than the number of MAC entries allowed to be learned, the MAC entry corresponding to the source MAC address is not learned.
  • The non-aging function is configured for the dynamic MAC entry of the predetermined port by setting all bits of the MAC entry's aging time field to 1, and/or by setting the dynamic non-aging field to 1.
  • FIG. 2 is a block diagram of a data packet processing apparatus according to an embodiment of the present invention. As shown in FIG. 2, the apparatus includes:
  • the configuration module 22, configured to configure a non-aging function for the dynamic media access control (MAC) entry of the predetermined port, where the non-aging function performs no aging processing on MAC entries;
  • the processing module 24, configured to process the data packet according to the configuration of the port.
  • FIG. 3 is a block diagram of a data packet processing apparatus according to a preferred embodiment of the present invention. As shown in FIG. 3, the processing module 24 includes:
  • the forwarding unit 34 is configured to forward the data packet if the MAC entry corresponding to the source MAC address is learned; or
  • FIG. 4 is a second block diagram of a data packet processing apparatus according to a preferred embodiment of the present invention. As shown in FIG. 4, the apparatus further includes:
  • FIG. 5 is a third block diagram of a data packet processing apparatus according to a preferred embodiment of the present invention.
  • The learning unit 32 includes:
  • the determining sub-unit 52, configured to determine, when the number of learned MAC entries is less than the number of MAC entries allowed to be learned, whether the MAC entry already exists; if it does not, it determines that the MAC entry corresponding to the source MAC address is learned, and if it does, the data packet is forwarded directly;
  • FIG. 6 is a fourth block diagram of a data packet processing apparatus according to a preferred embodiment of the present invention. As shown in FIG. 6, the apparatus further includes:
  • A user port attribute table is set up, which describes the various attributes of the user port, and a dynamic MAC address non-aging function switch field is added to this attribute table.
  • The MAC address table is used as the basis for data packet switching.
  • A dynamic non-aging field is added to the MAC address table, or the maximum value of the aging time field is used for this purpose (the maximum aging time value indicates that the entry is not aged; this value is not used for ordinary entries).
  • The MAC entry processing module, the MAC entry restriction module, and the MAC address entry aging module work together to complete MAC address entry processing, MAC entry restriction, and aging.
  • Limiting user access in the present invention specifically includes: configuring the dynamic MAC address non-aging function switch of a specific user port, and the number of MAC entries that the port is allowed to learn.
  • The MAC processing module determines, according to the port configuration, whether to learn the MAC address of the packet and whether the MAC entry is dynamically aged, and forwards or discards the data packet according to the result.
  • When the MAC address entry aging module polls the MAC entries, it determines whether each entry is aged according to the entry's aging time field and/or dynamic non-aging field.
  • Step S704: if the MAC entry is a static MAC entry, the entry is not modified and the packet is forwarded; if the MAC entry is a dynamic MAC address entry, the entry's aging time is updated and the packet is forwarded.
  • Step S802: determine whether the MAC entry is a dynamic entry; if yes, perform step S804; if no, perform step S808.
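The following is an added illustration, written for this page and not code from the patent or from its assignee, of the port-level mechanism the definitions above describe: a per-port learning limit, a dynamic-MAC non-aging switch, the learn/forward/discard decision of the MAC processing module, and the aging module's poll. It assumes a 16-bit aging-time field whose all-ones value marks "never aged" (the page only says all bits are set to 1), treats a learned count equal to the limit as "limit reached" (the page specifies only the less-than and greater-than cases), and uses constructed MAC addresses. The `scenario` function contrasts the two configurations on the case the patent targets: an authorised device's entry ages out and a different MAC then appears on the same limited port.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed encoding: a 16-bit aging-time field with every bit set marks a
# dynamic entry as "never aged" (the page's "all bit positions 1").
AGING_FIELD_BITS = 16
NO_AGE_VALUE = (1 << AGING_FIELD_BITS) - 1


@dataclass
class MacEntry:
    port: int
    static: bool = False
    aging_time: int = 0     # remaining lifetime in polling ticks
    no_age: bool = False    # dynamic non-aging field (1 = never aged)


@dataclass
class PortConfig:
    max_dynamic: int        # number of MAC entries this port may learn
    no_aging: bool          # dynamic-MAC non-aging switch (user port attribute)


@dataclass
class Switch:
    default_aging: int = 300
    ports: Dict[int, PortConfig] = field(default_factory=dict)
    mac_table: Dict[str, MacEntry] = field(default_factory=dict)

    def configure_port(self, port: int, max_dynamic: int, no_aging: bool) -> None:
        self.ports[port] = PortConfig(max_dynamic, no_aging)

    def learned_count(self, port: int) -> int:
        """Dynamic entries currently learned on this port."""
        return sum(1 for e in self.mac_table.values()
                   if e.port == port and not e.static)

    def process_packet(self, port: int, src_mac: str) -> str:
        """MAC processing module: returns 'forward' or 'discard'."""
        cfg = self.ports[port]
        key = src_mac.lower()
        entry = self.mac_table.get(key)
        if entry is not None:
            # Entry already exists: forward directly. Static entries are left
            # untouched; dynamic entries get their aging time refreshed unless
            # flagged non-aging (step S704).
            if not entry.static and not entry.no_age:
                entry.aging_time = self.default_aging
            return "forward"
        # Learn only while the port is below its limit; equality is treated
        # as "limit reached" (this example's choice, see lead-in).
        if self.learned_count(port) < cfg.max_dynamic:
            self.mac_table[key] = MacEntry(
                port=port,
                aging_time=NO_AGE_VALUE if cfg.no_aging else self.default_aging,
                no_age=cfg.no_aging,
            )
            return "forward"
        return "discard"

    def age(self, elapsed: int) -> List[str]:
        """Aging module: poll every entry and remove expired dynamic ones."""
        expired: List[str] = []
        for mac, e in list(self.mac_table.items()):
            if e.static or e.no_age or e.aging_time == NO_AGE_VALUE:
                continue  # static or non-aging entries are never removed
            e.aging_time -= elapsed
            if e.aging_time <= 0:
                expired.append(mac)
                del self.mac_table[mac]
        return expired


def scenario(no_aging: bool) -> Tuple[List[str], str]:
    """Port 1 may learn one MAC. A device is learned, the aging interval
    elapses, then a second (constructed) MAC shows up on the same port."""
    sw = Switch()
    sw.configure_port(1, max_dynamic=1, no_aging=no_aging)
    assert sw.process_packet(1, "00:11:22:33:44:55") == "forward"  # constructed MAC
    expired = sw.age(sw.default_aging)
    verdict = sw.process_packet(1, "00:11:22:33:44:66")  # constructed MAC
    return expired, verdict


if __name__ == "__main__":
    print("aging enabled:", scenario(False))  # entry expires, new MAC gets learned
    print("non-aging    :", scenario(True))   # entry kept, new MAC is discarded
```

With aging enabled the limit is silently reopened once the first entry expires, which is the gap the patent describes; with the non-aging switch on, the learned entry keeps the port's single slot and the later MAC is discarded, so the limit stays enforced until an operator clears the entry.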

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a data packet processing method and apparatus. The method comprises: configuring an aging-skip function for a dynamic media access control (MAC) entry of a predetermined port, the aging-skip function consisting in skipping aging processing for the MAC entry; and processing a data packet according to the configuration of the port. The invention thus solves the problem in the prior art that a MAC learning function cannot limit user access after a MAC entry of a specified port has aged. According to the invention, user access is effectively limited after a MAC entry of a specified port has aged.
PCT/CN2016/102045 2015-10-15 2016-10-13 Data packet processing method and apparatus WO2017063578A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510669960.1 2015-10-15
CN201510669960.1A CN106603468A (zh) 2015-10-15 2015-10-15 Data packet processing method and apparatus

Publications (1)

Publication Number Publication Date
WO2017063578A1 true WO2017063578A1 (fr) 2017-04-20

Family

ID=58517084

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/102045 WO2017063578A1 (fr) 2015-10-15 2016-10-13 Data packet processing method and apparatus

Country Status (2)

Country Link
CN (1) CN106603468A (fr)
WO (1) WO2017063578A1 (fr)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108418759B (zh) * 2018-05-31 2020-09-08 新华三技术有限公司 MAC address entry processing method and apparatus
CN114390023A (zh) * 2021-12-27 2022-04-22 锐捷网络股份有限公司 Dynamic address non-aging method, apparatus, electronic device and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1571349A (zh) * 2003-07-25 2005-01-26 华为技术有限公司 Network access control method based on media access control address
CN102594704A (zh) * 2012-03-20 2012-07-18 神州数码网络(北京)有限公司 Control method for accessing a network based on a secure port address
CN103019858A (zh) * 2012-12-03 2013-04-03 中兴通讯股份有限公司 Media access control aging method and network processor

Also Published As

Publication number Publication date
CN106603468A (zh) 2017-04-26

Similar Documents

Publication Publication Date Title
EP3192230B1 (fr) System and method for providing an integrated firewall for secure network communications in a multi-tenant environment
JP5111618B2 (ja) Facilitating protection against MAC table overflow attacks
EP3151506A1 (fr) Improved assignment and distribution of network configuration parameters to devices
US8576866B2 (en) Hierarchical rate limiting of control packets
US10701582B2 (en) Dynamic application QoS profile provisioning
US10397047B2 (en) Apparatus, system, and method for secure remote configuration of network devices
WO2017063458A1 (fr) Physical address bypass authentication method and apparatus based on software-defined networking
CN105635084A (zh) Terminal authentication apparatus and method
US7826447B1 (en) Preventing denial-of-service attacks employing broadcast packets
CN107707435A (zh) Packet processing method and apparatus
US20230198939A1 (en) System And Method For Remotely Filtering Network Traffic Of A Customer Premise Device
WO2016086544A1 (fr) Network interface configuration method and apparatus for a network device, and storage medium
WO2017063578A1 (fr) Data packet processing method and apparatus
US11201781B2 (en) Systems and methods for automatically configuring network isolation
WO2014169812A1 (fr) Message forwarding processing method and device
CN110224932B (zh) Fast data forwarding method and system
US20160352637A1 (en) Client-based port filter table
US10341259B1 (en) Packet forwarding using programmable feature prioritization
KR101629089B1 (ko) OpenFlow operation method in which legacy network protocol functions and SDN functions operate in a hybrid manner
US20150085666A1 (en) Communication Apparatus, Control Apparatus, Communication System, Communication Method, Method for Controlling Communication Apparatus, and Program
US9712541B1 (en) Host-to-host communication in a multilevel secure network
EP3160080A1 (fr) Method, apparatus and system for configuring quality of service (QoS) parameters
US9118555B1 (en) Secure unauthenticated virtual local area network
US10574596B2 (en) Software defined networking FCoE initialization protocol snooping bridge system
EP3687131A1 (fr) Method, apparatus and system for rapidly restoring a service during path switching

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16854954

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16854954

Country of ref document: EP

Kind code of ref document: A1