WO2017063578A1 - Data packet processing method and apparatus - Google Patents
Data packet processing method and apparatus
- Publication number
- WO2017063578A1 (PCT/CN2016/102045)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- mac
- entry
- learned
- data packet
- mac address
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
Definitions
- MAC: Media Access Control (or Medium Access Control)
- IP whitelist/blacklist: IP binding
- TCP connection limit
- MAC binding/IP binding requires a dedicated binding table. After the service receives a data stream on a specific port and obtains the MAC/IP address used by that port, it writes the MAC/IP address into the relevant binding table, and subsequently restricts data forwarding depending on whether the MAC/IP address is present in the binding table (whitelist) or absent from it (blacklist).
- The MAC learning restriction function can be applied per port or per VLAN. After the number of MAC entries learned on a specified port or VLAN reaches the limit, new MAC addresses are no longer learned, and data streams carrying a new source MAC address are discarded.
- The TCP connection limit technology counts the TCP connections established by a user. After the connection limit is reached, packets of new connections are discarded.
- Some of the above technologies require more resources to implement and may reduce system performance, such as MAC/IP binding; some require greater participation of upper-layer protocols, such as MAC/IP binding and TCP connection limiting; and with the MAC learning limit function enabled, once the MAC address entry of a specific port has aged, a malicious user, an illegal user, or a new device of the user can still gain access through the MAC address entry of that port.
- the embodiment of the invention provides a data forwarding method and device, which can solve at least the problem that the MAC learning function in the related art cannot restrict user access after the MAC address entry of a specific port is aged.
- a data packet processing method including: configuring a non-aging function for a dynamic media access control (MAC) entry of a predetermined port, where the non-aging function means that the MAC entry is not aged; and processing the data packet according to the configuration of the port.
- if the MAC entry corresponding to the source MAC address is learned, the data packet is forwarded; if the MAC entry corresponding to the source MAC address is not learned, the data packet is discarded.
- the method further includes: configuring, for the dynamic MAC address of the predetermined port, the number of MAC entries that the port is allowed to learn.
- learning the MAC address of the data packet according to the configuration of the port includes: if the number of learned MAC entries is less than the number of MAC entries allowed to be learned, determining whether the MAC entry already exists; if it does not exist, learning the MAC entry corresponding to the source MAC address; if it already exists, directly forwarding the data packet; and if the number of learned MAC entries is greater than the number of MAC entries allowed to be learned, not learning the MAC entry corresponding to the source MAC address.
- the non-aging function is configured for the dynamic MAC entry of the predetermined port by: setting all bits of the aging time field of the MAC entry to 1; and/or setting the non-aging field to 1.
- a data packet processing apparatus including: a configuration module, configured to configure a non-aging function for a dynamic media access control (MAC) entry of a predetermined port, where the non-aging function means that the MAC entry is not aged; and a processing module, configured to process the data packet according to the configuration of the port.
- the learning unit includes: a determining subunit, configured to determine, if the number of learned MAC entries is less than the number of MAC entries allowed to be learned, whether the MAC entry already exists; if it does not exist, to determine that the MAC entry corresponding to the source MAC address is learned; and if it already exists, to directly forward the data packet; and a second determining subunit, configured to determine, if the number of learned MAC entries is greater than the number of MAC entries allowed to be learned, that the MAC entry corresponding to the source MAC address is not learned.
- a storage medium is also provided.
- the storage medium is arranged to store program code for performing the following steps:
- configuring a non-aging function for the dynamic media access control (MAC) entry of the predetermined port, where the non-aging function does not perform aging processing on the MAC entry; and processing the data packet according to the configuration of the port.
- this solves the problem that the MAC learning function in the related art cannot limit user access after the MAC address entry of a specific port has aged, and effectively limits user access after the MAC entry has aged.
- FIG. 2 is a block diagram of a data message processing apparatus according to an embodiment of the present invention.
- FIG. 3 is a block diagram 1 of a data message processing apparatus in accordance with a preferred embodiment of the present invention.
- FIG. 4 is a block diagram 2 of a data message processing apparatus in accordance with a preferred embodiment of the present invention.
- FIG. 1 is a flowchart of a data packet processing method according to an embodiment of the present invention.
- Step S102: configure a non-aging function for the dynamic media access control (MAC) address entry of the predetermined port, where the non-aging function does not perform aging processing on the MAC entry.
- Step S104: process the data packet according to the configuration of the port.
- by these steps, the dynamic MAC address entry of the predetermined port is not aged and the data packet is processed according to the configuration of the port, which solves the problem that the MAC learning function in the related art cannot limit user access after the MAC address entry of a specific port has aged, and effectively limits user access after the MAC entry has aged.
- processing the data packet according to the configuration of the port may include: learning the source MAC address of the data packet according to the configuration of the port; forwarding the data packet if the MAC entry corresponding to the source MAC address is learned; or discarding the data packet if the MAC entry corresponding to the source MAC address is not learned.
- the number of MAC entries allowed to be learned is configured for the dynamic MAC address of the predetermined port, in preparation for learning MAC addresses.
- learning the MAC address of the data packet according to the configuration of the port may include: if the number of learned MAC entries is less than the number of MAC entries allowed to be learned, determining whether the MAC entry already exists; if it does not exist, learning the MAC entry corresponding to the source MAC address; if it already exists, directly forwarding the data packet; and if the number of learned MAC entries is greater than the number of MAC entries allowed to be learned, not learning the MAC entry corresponding to the source MAC address.
- the non-aging function is configured for the dynamic MAC entry of the predetermined port by: setting all bits of the aging time field of the MAC entry to 1; and/or setting the dynamic non-aging field to 1.
- FIG. 2 is a block diagram of a data packet processing apparatus according to an embodiment of the present invention. As shown in FIG. 2, the apparatus includes:
- the configuration module 22, configured to configure a non-aging function for the dynamic media access control (MAC) entry of the predetermined port, where the non-aging function does not perform aging processing on the MAC entry.
- the processing module 24, configured to process the data packet according to the configuration of the port.
- FIG. 3 is a block diagram of a data message processing apparatus according to a preferred embodiment of the present invention. As shown in FIG. 3, the processing module 24 includes:
- the forwarding unit 34 is configured to forward the data packet if the MAC entry corresponding to the source MAC address is learned; or
- FIG. 4 is a block diagram 2 of a data message processing apparatus according to a preferred embodiment of the present invention. As shown in FIG. 4, the apparatus further includes:
- FIG. 5 is a block diagram 3 of a data message processing apparatus according to a preferred embodiment of the present invention. As shown in FIG. 5, the learning unit 32 includes:
- the determining sub-unit 52, configured to determine, if the number of learned MAC entries is less than the number of MAC entries allowed to be learned, whether the MAC entry already exists; if it does not exist, to determine that the MAC entry corresponding to the source MAC address is learned; and if it already exists, to directly forward the data packet;
- FIG. 6 is a block diagram 4 of a data message processing apparatus according to a preferred embodiment of the present invention. As shown in FIG. 6, the apparatus further includes:
- a user port attribute table is set, where the user port attribute table describes the various attributes of the user port, and a dynamic MAC address non-aging function switch field is added to the attribute table.
- the MAC address table is used as the basis for data packet switching.
- a dynamic non-aging field, or the maximum value of the aging time field, is added to the MAC address table (the maximum aging time value indicates that the entry is not aged; this value is not used for ordinary entries).
- the MAC entry processing module, the MAC entry restriction function module, and the MAC address entry aging module work together to complete MAC address entry processing, MAC entry restriction, and aging.
- the specific limitation of user access in the present invention includes: configuring the dynamic MAC address non-aging function switch of a specific user port, and the number of MAC entries that the port is allowed to learn.
- the MAC processing module determines, according to the port configuration, whether to learn the MAC address of the packet and whether the MAC entry is dynamically aged, and forwards or discards the data packet according to the result.
- when the MAC address entry aging module polls the MAC entries, it determines whether a MAC entry is aged according to the aging time field of the MAC entry and/or the dynamic non-aging field.
- Step S704: if the MAC entry is a static MAC entry, the entry is not modified and the packet is forwarded. If the MAC entry is a dynamic MAC address entry, the aging time of the entry is updated and the packet is forwarded.
- Step S802: it is determined whether the MAC entry is a dynamic entry; if the determination result is yes, step S804 is performed, and if the determination result is negative, step S808 is performed.
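The following Python simulation is an added example, not code from the patent or its applicant. It models the two mechanisms the description combines: a per-port limit on learned dynamic MAC entries (packets from an unknown source beyond the limit are discarded) and a per-port non-aging switch that marks learned entries so that the aging poll skips them. The field names, the 8-bit width of the aging time field, the default aging time, the treatment of the boundary case where the learned count equals the limit, and the sample MAC addresses are all assumptions or constructed values.

```python
"""Simulation of per-port MAC learning limit plus a non-aging flag.
Added example; not the patent's own code. Field names, the aging field
width, the default aging time and the sample packets are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

AGING_FIELD_BITS = 8                      # assumed width of the aging time field
NO_AGING = (1 << AGING_FIELD_BITS) - 1    # all bits set to 1: entry is never aged
DEFAULT_AGING_TIME = 300                  # assumed default aging time, in seconds


@dataclass
class MacEntry:
    mac: str
    port: str
    static: bool = False
    aging_time: int = DEFAULT_AGING_TIME   # remaining time before the entry ages out
    no_aging: bool = False                 # dynamic non-aging switch field


@dataclass
class PortConfig:
    no_aging: bool = False                 # dynamic MAC non-aging function switch
    max_learn: Optional[int] = None        # entries the port may learn (None = unlimited)


@dataclass
class Switch:
    ports: Dict[str, PortConfig] = field(default_factory=dict)
    mac_table: Dict[str, MacEntry] = field(default_factory=dict)

    def learned_count(self, port: str) -> int:
        """Number of dynamic entries currently learned on `port`."""
        return sum(1 for e in self.mac_table.values()
                   if e.port == port and not e.static)

    def ingress(self, port: str, src_mac: str) -> str:
        """Process a packet arriving on `port`; returns 'forward' or 'discard'."""
        cfg = self.ports.get(port, PortConfig())
        entry = self.mac_table.get(src_mac)
        if entry is not None:
            # Known source: static entries are left untouched; dynamic entries
            # get their aging time refreshed unless they are marked non-aging.
            if not entry.static and not entry.no_aging:
                entry.aging_time = DEFAULT_AGING_TIME
            return "forward"
        # Unknown source: the learning limit decides whether it may be learned.
        # Assumption: reaching the limit (count == max_learn) already blocks learning.
        if cfg.max_learn is not None and self.learned_count(port) >= cfg.max_learn:
            return "discard"              # not learned, so the packet is discarded
        self.mac_table[src_mac] = MacEntry(
            mac=src_mac, port=port,
            aging_time=NO_AGING if cfg.no_aging else DEFAULT_AGING_TIME,
            no_aging=cfg.no_aging)
        return "forward"

    def age(self, elapsed: int) -> List[str]:
        """Aging poll: count down dynamic entries and drop the ones that expire.
        Entries with the non-aging flag or an all-ones aging time are skipped."""
        expired = []
        for mac, e in list(self.mac_table.items()):
            if e.static or e.no_aging or e.aging_time == NO_AGING:
                continue
            e.aging_time -= elapsed
            if e.aging_time <= 0:
                expired.append(mac)
                del self.mac_table[mac]
        return expired


def demo() -> Dict[str, object]:
    """Constructed scenario: p1 has limit 1 with non-aging on, p2 has limit 1 with it off."""
    sw = Switch(ports={"p1": PortConfig(no_aging=True, max_learn=1),
                       "p2": PortConfig(no_aging=False, max_learn=1)})
    r: Dict[str, object] = {}
    r["p1_first"] = sw.ingress("p1", "00:11:22:33:44:01")    # learned and forwarded
    r["p1_second"] = sw.ingress("p1", "00:11:22:33:44:02")   # limit reached: discarded
    r["p2_first"] = sw.ingress("p2", "00:11:22:33:44:11")
    r["p2_second"] = sw.ingress("p2", "00:11:22:33:44:12")   # limit reached: discarded
    r["expired"] = sw.age(DEFAULT_AGING_TIME)                # only p2's entry ages out
    r["p1_after"] = sw.ingress("p1", "00:11:22:33:44:02")    # still discarded: slot never freed
    r["p2_after"] = sw.ingress("p2", "00:11:22:33:44:12")    # learned: slot freed by aging
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The scenario makes the patent's point visible: on port p2 the first device's entry ages out and a second device then occupies the single learning slot, while on port p1 the non-aging entry keeps the slot, so the second device is still discarded after the same elapsed time.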
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Small-Scale Networks (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention relates to a data packet processing method and apparatus. The method includes the steps of: configuring an aging-processing skip function for a dynamic media access control (MAC) entry of a predetermined port, the aging-processing skip function consisting in skipping aging processing for the MAC entry; and processing a data packet according to the configuration of the port. The invention thus solves the problem, in the prior art, that a MAC learning function cannot limit user access after a MAC entry of a specified port has aged. According to the invention, user access is effectively limited after a MAC entry of a specified port has aged.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510669960.1 | 2015-10-15 | ||
CN201510669960.1A CN106603468A (zh) | 2015-10-15 | 2015-10-15 | Data packet processing method and apparatus |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2017063578A1 true WO2017063578A1 (fr) | 2017-04-20 |
Family
ID=58517084
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2016/102045 WO2017063578A1 (fr) | 2015-10-15 | 2016-10-13 | Data packet processing method and apparatus |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN106603468A (fr) |
WO (1) | WO2017063578A1 (fr) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108418759B (zh) * | 2018-05-31 | 2020-09-08 | 新华三技术有限公司 | MAC address entry processing method and apparatus |
CN114390023A (zh) * | 2021-12-27 | 2022-04-22 | 锐捷网络股份有限公司 | Dynamic address non-aging method, apparatus, electronic device and storage medium |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1571349A (zh) * | 2003-07-25 | 2005-01-26 | 华为技术有限公司 | Network access control method based on media access control address |
CN102594704A (zh) * | 2012-03-20 | 2012-07-18 | 神州数码网络(北京)有限公司 | Control method for network access based on secure port address |
CN103019858A (zh) * | 2012-12-03 | 2013-04-03 | 中兴通讯股份有限公司 | Media access control aging method and network processor |
2015
- 2015-10-15 CN CN201510669960.1A patent/CN106603468A/zh active Pending
2016
- 2016-10-13 WO PCT/CN2016/102045 patent/WO2017063578A1/fr active Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN106603468A (zh) | 2017-04-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP3192230B1 (fr) | System and method for providing an integrated firewall for secure network communications in a multi-tenant environment | |
JP5111618B2 (ja) | Facilitating protection against MAC table overflow attacks | |
EP3151506A1 (fr) | Improved assignment and distribution of network configuration parameters to devices | |
US8576866B2 (en) | Hierarchical rate limiting of control packets | |
US10701582B2 (en) | Dynamic application QoS profile provisioning | |
US10397047B2 (en) | Apparatus, system, and method for secure remote configuration of network devices | |
WO2017063458A1 (fr) | Physical address bypass authentication method and apparatus based on software-defined networking | |
CN105635084A (zh) | Terminal authentication apparatus and method | |
US7826447B1 (en) | Preventing denial-of-service attacks employing broadcast packets | |
CN107707435A (zh) | Packet processing method and apparatus | |
US20230198939A1 (en) | System And Method For Remotely Filtering Network Traffic Of A Customer Premise Device | |
WO2016086544A1 (fr) | Network interface configuration method and apparatus for a network device, and storage medium | |
WO2017063578A1 (fr) | Data packet processing method and apparatus | |
US11201781B2 (en) | Systems and methods for automatically configuring network isolation | |
WO2014169812A1 (fr) | Message forwarding processing method and device | |
CN110224932B (zh) | Method and system for fast data forwarding | |
US20160352637A1 (en) | Client-based port filter table | |
US10341259B1 (en) | Packet forwarding using programmable feature prioritization | |
KR101629089B1 (ko) | OpenFlow operation method in which legacy network protocol functions and SDN functions operate in a hybrid manner | |
US20150085666A1 (en) | Communication Apparatus, Control Apparatus, Communication System, Communication Method, Method for Controlling Communication Apparatus, and Program | |
US9712541B1 (en) | Host-to-host communication in a multilevel secure network | |
EP3160080A1 (fr) | Method, apparatus and system for configuring quality of service (QoS) parameters | |
US9118555B1 (en) | Secure unauthenticated virtual local area network | |
US10574596B2 (en) | Software defined networking FCoE initialization protocol snooping bridge system | |
EP3687131A1 (fr) | Method, apparatus and system for quickly restoring a service during path switching | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 16854954; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 16854954; Country of ref document: EP; Kind code of ref document: A1 |