WO2022001735A1 - Packet processing method, UP device and CP device - Google Patents
Packet processing method, UP device and CP device
- Publication number: WO2022001735A1 (PCT/CN2021/101332)
- Authority: WO, WIPO (PCT)
Classifications (H04L, transmission of digital information)
- H04L63/1416: Network security; detecting malicious traffic by monitoring network traffic; event detection, e.g. attack signature detection
- H04L45/42: Routing or path finding of packets in data switching networks; centralised routing
- H04L45/566: Routing software; routing instructions carried by the data packet, e.g. active networks
- H04L45/74: Address processing for routing
- H04L63/0876: Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/0892: Authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
- H04L63/1441: Countermeasures against malicious traffic
- H04L63/20: Managing network security; network security policies in general
- H04L67/141: Session management; setup of application sessions
Definitions
- the present application relates to the field of communication technologies, and in particular, to a message processing method, a UP device, and a CP device.
- a Broadband Network Gateway is an access gateway for broadband networks.
- the BNG is responsible for authentication and Internet Protocol (Internet Protocol, IP) address allocation so as to connect the terminal to the broadband network.
- the functions of BNG are divided into control plane and forwarding plane.
- the control plane is used to provide services such as access management, session management, authentication, authorization and accounting (Authentication, Authorization, Accounting, AAA), address allocation, and service policy control.
- the forwarding plane is used to implement the final forwarding processing, including sending access protocol packets to the control plane, forwarding the control packets that the control plane sends to the terminal, and so on.
- the BNG can adopt a control plane and user plane separation (Control Plane and User Plane Disaggregated, CU separation) architecture.
- the control plane and forwarding plane of the BNG are separated and deployed on different devices.
- the BNG separated by the CU includes a control plane (Control Plane, CP) device and a user plane (User Plane, UP) device.
- the CP device is mainly responsible for the control plane function.
- the UP device is mainly responsible for the forwarding plane function.
- the UP device receives the packet and sends it to the CP device.
- when the CP device receives the packet, it matches the information in the packet against the pre-stored user information; if the match succeeds, the CP device authenticates the packet.
- because every such packet reaches the CP device, the CP device is at great risk of attack by malicious IP packet flows, which affects the network security of the CP device.
- the embodiments of the present application provide a packet processing method, a UP device, and a CP device, which can improve the network security of the CP device.
- the technical solution is as follows:
- a first aspect provides a message processing method, which is applied to a UP device included in a communication system in which the control plane CP and the user plane UP are separated.
- the UP device receives a message;
- the UP device matches the first information included in the message with the information of the first type of user;
- the first type of user has a fixed Internet Protocol (IP) address; if the first information and the information of the first type of user satisfy the first matching condition, the UP device sends the message to the CP device included in the communication system.
- the above provides a method for preventing the CP device from being attacked in the scenario where a CU-separated BNG performs access authentication.
- when the UP device receives the packet, it matches the information in the packet against the information of users with fixed IP addresses. If the match succeeds, the UP device sends the packet to the CP device. Since the task of checking whether a packet comes from a user with a fixed IP address is offloaded from the CP device to the UP device, the resource overhead of the CP device checking such packets is avoided, and the load on the CP device is reduced.
- the CP device does not need to check whether a malicious IP packet flow comes from a user with a fixed IP address, which reduces the risk of the CP device being attacked by such a flow and improves the network security of the CP device.
- the first type of users includes static users.
- when the UP device receives a packet, it matches the information in the packet with the static user information. If the match succeeds, the UP device sends the packet to the CP device. Since the task of checking whether packets come from static users is offloaded from the CP device to the UP device, the resource overhead of the CP device checking such packets is avoided, and the load on the CP device is reduced. In particular, if a malicious IP packet flow launches a network attack, the CP device does not need to check whether that flow comes from a static user, so the risk of the CP device being attacked by the malicious IP packet flow is reduced and the network security of the CP device is improved.
- the first type of users includes abnormal offline users.
- when the UP device receives a packet, it matches the information in the packet with the information of abnormally offline users. If the match succeeds, the UP device sends the packet to the CP device. Since the task of checking whether packets come from abnormally offline users is offloaded from the CP device to the UP device, the resource overhead of the CP device checking such packets is avoided, and the load on the CP device is reduced. In particular, if a malicious IP packet flow launches a network attack, the CP device does not need to check whether that flow comes from an abnormally offline user, so the risk of the CP device being attacked by the malicious IP packet flow is reduced and the network security of the CP device is improved.
- the method further includes: the UP device matches the second information included in the packet with the information of the second type of user, where the second type of user has passed authentication; the UP device determines that the second information and the information of the second type of user do not satisfy the second matching condition.
- the UP device sending the message to the CP device included in the communication system includes: if the first information and the information of the first type of user in the packet detection information (PDI) satisfy the first matching condition, the UP device sends the message to the CP device included in the communication system according to the packet action (PA) corresponding to the PDI, where the PA is used to indicate redirection to the CP device.
- the CP reuses the mechanism for processing PFCP sessions in PFCP: the information of the first type of user is used as the matching field in the PDI, and the redirection action is used as the PA executed when the PDI is hit, so that the scheme for implementing the security policy on the UPF is more smoothly integrated with the PFCP architecture, which facilitates the implementation of the communication mechanism in PFCP and thereby reduces the complexity of solution implementation and configuration.
- the method further includes: the UP device receives a first policy from the CP device, where the first policy is used to indicate that the packet is redirected to the CP device if the first information included in the message and the information of the first type of user satisfy the first matching condition.
- the UP device receiving the first policy from the CP device includes: the UP device receives a first packet forwarding control protocol (PFCP) message from the CP device, where the packet detection rule (PDR) carried in the first PFCP message is the first policy, and the first PFCP message is a PFCP session establishment request.
- the CP reuses a PFCP session message such as the PFCP session establishment request, and reuses the PFCP mechanism of delivering a PDR through a PFCP session, so that the information of users with fixed IP addresses and the redirection action are sent to the UP; the scheme for implementing the security policy on the UPF is thereby more smoothly integrated with the PFCP architecture, which facilitates the implementation of the communication mechanism in PFCP and reduces the complexity of implementing and configuring the scheme.
- the UP device receiving the first policy from the CP device includes: the UP device receives a first packet forwarding control protocol (PFCP) message from the CP device, where the packet detection rule (PDR) carried in the first PFCP message is the first policy.
- the first PFCP message is a PFCP session message including a first message type, where the first message type is used to instruct to create a PFCP session for the first type of user.
- the CP uses a PFCP message of the new message type to deliver the information of the user with a fixed IP address and the redirection action to the UP, so that after authentication passes, the CP can uniformly use the PFCP session establishment request to deliver sessions, which reduces the complexity of the CP's processing of normal terminal access.
- the first PFCP message includes an interface index, where the interface index is used to identify an access interface on the UP device, where the access interface is an interface accessed by a terminal of the first type of user.
- the CP notifies the UP of the access interface of the user with a fixed IP address in the form of an interface index, so that the UP can use the interface accessed by the terminal to match the interface index pre-delivered by the CP.
- the process of access authentication takes the location factor into consideration, thus helping to improve the security of the authentication.
- the interface index is carried in an IE having a first information element IE type, and the first IE type is used to identify that the IE includes the interface index.
- a new type of IE is extended to carry the interface index, so that the IE format of the PFCP message is reused to deliver the interface index to the UP; the scheme for implementing the security policy on the UPF is thereby more smoothly integrated with the PFCP architecture, reducing the complexity of solution implementation and configuration.
- the UP device sending the message to the CP device included in the communication system includes: the UP device adds a General Packet Radio Service Tunnelling Protocol user plane (GTP-U) header to the message and sends the message with the GTP-U header added; or, the UP device adds a Virtual Extensible LAN (Vxlan) header to the message and sends the message with the Vxlan header added.
- the UP uses the GTP-U tunnel or the Vxlan tunnel to carry the packets that need to be redirected to the CP.
- the overhead of the tunnel header is small and the scalability is good.
- when the Vxlan-GPE tunnel is used to carry the packets that need to be redirected to the CP, the overhead of the Vxlan header and the CU extension header is only 14 bytes, and the packet encapsulation format is simple, which reduces the bandwidth and performance overhead of transmitting packets between the CP and UP.
- the method further includes: the UP device receives a redirection parameter from the CP device, where the redirection parameter includes at least one of GTP-U tunnel information or Vxlan tunnel information.
- the CP sends the redirection parameters to the UP, so that the UP can encapsulate the tunnel header according to the redirection parameters sent by the CP and redirect the packets to the CP, which avoids the tedious operation of manually configuring the redirection parameters and reduces the complexity of solution implementation and configuration.
- the redirection parameter is carried in an IE having a second IE type, and the second IE type is used to identify that the IE includes the redirection parameter.
- a new type of IE is extended to carry redirection parameters, thereby multiplexing the format of the IE in the PFCP message to deliver redirection parameters to the UP, reducing the complexity of solution implementation and configuration.
- the Vxlan tunnel information is carried in an IE having a third IE type, and the third IE type is used to identify that the IE includes the Vxlan tunnel information.
- a new type of IE is extended to carry the Vxlan tunnel information, thereby multiplexing the format of the IE in the PFCP message to deliver the Vxlan tunnel information to the UP, reducing the complexity of solution implementation and configuration.
- the method further includes: the UP device receives a deletion request from the CP device; in response to the deletion request, the UP device deletes the information of the first type of user.
- the deletion request is a second PFCP message; in scenarios such as the configuration of a static user being deleted or the lease of an abnormally offline user expiring, the CP instructs the UP to clear the information of the user with a fixed IP address, so that invalid user information is removed and the storage space it occupies on the UP is released in a timely manner.
- the second PFCP message is a PFCP session deletion request.
- the CP can clear the information of users with fixed IP addresses on the UP, so that the scheme for implementing the security policy on the UPF is more smoothly integrated with the PFCP architecture, which facilitates the implementation of the communication mechanism in PFCP and thereby reduces the complexity of implementation and configuration.
- the second PFCP message includes a PFCP session message of a second message type, where the second message type is used to instruct to delete the PFCP session of the first type of user.
- the CP uses a PFCP message of the new message type to instruct the UP to delete the user information, which reduces the complexity of the CP's processing of normal terminal access.
- the method further includes: if the first information and the information of the first type of user do not satisfy the first matching condition, the UP device discards the packet.
- the UP discards the packet when the information in the packet fails to match the information of a user with a fixed IP address, so that a packet that fails matching is not transmitted to the CP, which saves the CP the performance overhead and processing resources it would spend on such packets.
- the UP discards the malicious message, so its transmission is blocked at the UP and it does not reach the CP through the UP. The CP is therefore prevented from performing access processing on malicious packets, which reduces the risk of the CP being attacked over the network.
- a packet processing method is provided, which is applied to a CP device included in a communication system in which the control plane CP and the user plane UP are separated.
- the CP device sends a first policy to the user plane UP device included in the communication system, where the first policy is used to indicate that the packet is redirected to the CP device when the first information included in the packet and the information of the first type of user satisfy the first matching condition, and the first type of user has a fixed Internet Protocol (IP) address; the CP device receives the message from the UP device; the CP device performs access processing according to the message.
- the first type of user includes at least one of a static user or an abnormally offline user.
- the static user refers to a user with a fixed IP address.
- the abnormally offline user refers to a user who was assigned an IP address in the communication system and went offline abnormally, due to a failure of the communication system, during the lease period of that address.
- the sending the first policy includes: sending a first packet forwarding control protocol PFCP message, where the first PFCP message carries the first policy;
- the first PFCP message is a PFCP session establishment request; or, the first PFCP message is a PFCP session message including a first message type, where the first message type is used to instruct to create a PFCP session for the first type of user.
- the message carries a General Packet Radio Service Tunnelling Protocol user plane (GTP-U) header or a Virtual Extensible LAN (Vxlan) header; before the CP device receives the message from the UP device, the method further includes:
- the CP device sends a redirection parameter to the UP device, where the redirection parameter includes at least one item of GTP-U tunnel information or Vxlan tunnel information.
- the method includes: the CP device detects that the configuration information of the first type of user is deleted or that the lease of the first type of user times out; the CP device sends a deletion request to the UP device, where the deletion request is used to instruct deletion of the information of the first type of user.
- the deletion request is a second PFCP message; the second PFCP message is a PFCP session deletion request; or, the second PFCP message is a PFCP session message of a second message type, where the second message type is used to indicate deletion of the PFCP session of the first type of user.
- the first PFCP message includes an interface index, where the interface index is used to identify an access interface on the UP device, and the access interface is the interface accessed by the terminal of the static user or by the terminal of the abnormally offline user.
- the interface index is carried in a grouped IE having a first information element IE type, where the first IE type is used to identify that the IE includes the interface index.
- the redirection parameter is carried in a grouped IE having a second IE type, and the second IE type is used to identify that the IE includes the redirection parameter.
- the Vxlan tunnel information is carried in an embedded IE having a third IE type, where the third IE type is used to identify that the IE includes the Vxlan tunnel information.
- a UP device is provided, the UP device is located in a communication system where the UP and the CP are separated, and the UP device includes:
- a receiving module configured to receive the message;
- a matching module configured to match the first information included in the message with the information of a first type of user, and the first type of user has a fixed Internet Protocol IP address;
- a sending module configured to send the message to the control plane CP device if the first information and the information of the first type of user satisfy a first matching condition.
- the first type of users includes at least one of static users or abnormal offline users.
- the matching module is further configured to match the second information included in the message with the information of a second type of user, and the second type of user has passed authentication;
- the UP device further includes: a determination module configured to determine that the second information and the information of the second type of user do not satisfy a second matching condition.
- the sending module is configured to send the message to the CP device according to the packet action PA corresponding to the PDI if the first information and the information of the first type of user in the packet detection information PDI satisfy the first matching condition.
- the PA is used to indicate redirection to the CP device.
- the receiving module is further configured to receive a first policy from the CP device, where the first policy is used to indicate that the packet is redirected to the CP device when the first information included in the message and the information of the first type of user satisfy the first matching condition.
- the receiving module is configured to receive a first packet forwarding control protocol PFCP message from the CP device, where the packet detection rule PDR carried in the first PFCP message is the first policy; wherein the first PFCP message is a PFCP session establishment request; or, the first PFCP message is a PFCP session message including a first message type, where the first message type is used to instruct to create a PFCP session for the first type of user.
- the first PFCP message includes an interface index, where the interface index is used to identify an access interface on the UP device, where the access interface is an interface accessed by a terminal of the first type of user.
- the interface index is carried in an IE having a first information element IE type, and the first IE type is used to identify that the IE includes the interface index.
- the sending module is configured to add a General Packet Radio Service Tunnelling Protocol user plane (GTP-U) header to the message and send the message with the GTP-U header added; or, to add a Virtual Extensible LAN (Vxlan) header to the message and send the message with the Vxlan header added.
- the receiving module is further configured to receive redirection parameters from the CP device, where the redirection parameters include at least one item of GTP-U tunnel information or Vxlan tunnel information.
- the redirection parameter is carried in an IE having a second IE type, and the second IE type is used to identify that the IE includes the redirection parameter.
- the Vxlan tunnel information is carried in an IE having a third IE type, and the third IE type is used to identify that the IE includes the Vxlan tunnel information.
- the receiving module is further configured to receive a deletion request from the CP device; the UP device further includes: a deletion module, configured to delete the information of the first type of user in response to the deletion request.
- the deletion request is a second PFCP message
- the second PFCP message is a PFCP session deletion request, or the second PFCP message includes a PFCP session message of a second message type, where the second message type is used to instruct deletion of the PFCP session of the first type of user.
- the UP device further includes: a discarding module, configured to discard the packet if the first information and the information of the first type of user do not satisfy the first matching condition.
- a CP device is provided, the CP device is located in a communication system in which the CP and the UP are separated, and the CP device includes:
- a sending module configured to send a first policy to the user plane UP device, where the first policy is used to indicate that the packet is redirected to the CP device when the first information included in the packet and the information of the first type of user satisfy the first matching condition, and the first type of user has a fixed Internet Protocol (IP) address;
- a receiving module configured to receive the message from the UP device;
- the processing module is configured to perform access processing according to the message.
- the first type of user includes at least one of a static user or an abnormally offline user
- the static user refers to a user with a fixed IP address
- the abnormally offline user refers to an IP address assigned in the communication system. Users who go offline abnormally due to the failure of the communication system during the lease period of the address.
- the sending module is configured to send a first packet forwarding control protocol PFCP message, where the first PFCP message carries the first policy; wherein the first PFCP message is a PFCP session establishment request, or the first PFCP message is a PFCP session message including a first message type, where the first message type is used to instruct the creation of a PFCP session for the first type of user.
- the packet is sent with a general packet radio service tunneling protocol user plane part GTP-U header or a virtual extensible local area network Vxlan header added to it;
- the sending module is further configured to send redirection parameters to the UP device, the redirection parameters including at least one of GTP-U tunnel information or Vxlan tunnel information.
- the CP device further includes a detection module, configured to detect that the configuration information of the first type of user has been deleted or that the lease of the first type of user has expired;
- the sending module is further configured to send a deletion request to the UP device, where the deletion request is used to instruct deletion of the information of the first type of user.
- the deletion request is a second PFCP message
- the second PFCP message is a PFCP session deletion request
- the second PFCP message includes a PFCP session message of a second message type, where the second message type is used to instruct to delete the PFCP session of the first type of user.
- the first PFCP message includes an interface index, where the interface index is used to identify an access interface on the UP device, and the access interface is the interface accessed by the terminal of the static user or by the terminal of the abnormally offline user.
- the interface index is carried in a grouped IE having a first information element IE type, where the first IE type is used to identify that the IE includes the interface index.
- the redirection parameter is carried in a grouped IE having a second IE type, and the second IE type is used to identify that the IE includes the redirection parameter.
- the Vxlan tunnel information is carried in an embedded IE having a third IE type, where the third IE type is used to identify that the IE includes the Vxlan tunnel information.
- in a fifth aspect, a UP device is provided, including a processor and a communication interface, where the processor is configured to execute instructions so that the UP device performs the packet processing method of the above-mentioned first aspect or any optional manner of the first aspect, and the communication interface is used to receive or send packets.
- in a sixth aspect, a CP device is provided, including a processor and a communication interface, where the processor is configured to execute instructions so that the CP device performs the packet processing method of the above-mentioned second aspect or any optional manner of the second aspect, and the communication interface is used to receive or send packets.
- a computer-readable storage medium is provided, where at least one instruction is stored in the storage medium, and the instruction is read by a processor to cause the UP device to perform the packet processing method provided in the above-mentioned first aspect or any optional manner of the first aspect.
- a computer-readable storage medium is provided, where at least one instruction is stored in the storage medium, and the instruction is read by a processor to cause the CP device to perform the packet processing method provided in the second aspect or any optional manner of the second aspect.
- a computer program comprising computer instructions stored in a computer-readable storage medium.
- the processor of the UP device reads the computer instruction from the computer-readable storage medium, and the processor executes the computer instruction, so that the UP device executes the packet processing method provided in the first aspect or any optional manner of the first aspect.
- a computer program comprising computer instructions stored in a computer-readable storage medium.
- the processor of the CP device reads the computer instruction from the computer-readable storage medium, and the processor executes the computer instruction, so that the CP device executes the packet processing method provided in the second aspect or any optional manner of the second aspect.
- An eleventh aspect provides a chip that, when the chip runs on a UP device, enables the UP device to execute the packet processing method provided in the first aspect or any optional manner of the first aspect.
- a twelfth aspect provides a chip that, when the chip runs on a CP device, enables the CP device to execute the packet processing method provided in the second aspect or any optional manner of the second aspect.
- a thirteenth aspect provides a communication system, the communication system including a UP device and a CP device, where the UP device is the UP device provided in the third aspect, any optional manner of the third aspect, or the fifth aspect, and the CP device is the CP device provided in the fourth aspect, any optional manner of the fourth aspect, or the sixth aspect.
- the present application provides a UP device, where the UP device includes: a main control board and an interface board.
- a switch fabric board is also included.
- the main control board includes: a first processor and a first memory.
- the interface board includes: a second processor, a second memory and an interface card. The main control board and the interface board are coupled.
- the first memory may be used to store program code, and the first processor is used to call the program code in the first memory to perform the following operation: match the first information included in the packet with the information of the first type of user, where the first type of user has a fixed IP address.
- the second memory may be used for storing program codes
- the second processor is used to call the program code in the second memory and to trigger the interface card to perform the following operations: receive a packet; and, if the first information and the information of the first type of user satisfy the first matching condition, send the packet to the CP device.
- an inter-process communication (inter-process communication, IPC) channel is established between the main control board and the interface board, and the main control board and the interface board communicate through the IPC channel.
- FIG. 1 is a schematic diagram of the location of a BNG in a network provided by an embodiment of the present application
- FIG. 2 is a schematic diagram of a protocol stack for BNG processing provided by an embodiment of the present application
- Fig. 3 is a kind of system architecture diagram including BNG provided by the embodiment of the present application.
- FIG. 4 is a schematic diagram of a BNG access AN device provided by an embodiment of the present application.
- FIG. 5 is an architecture diagram of functional modules in a BNG provided by an embodiment of the present application.
- FIG. 6 is an architecture diagram of a functional module in a BNG with CU separation provided by an embodiment of the present application
- FIG. 7 is an architecture diagram of functional modules in a BNG with CU separation provided by an embodiment of the present application.
- FIG. 8 is a schematic diagram of a control packet redirection interface provided by an embodiment of the present application.
- FIG. 9 is a schematic diagram of a state control interface provided by an embodiment of the present application.
- FIG. 10 is a schematic diagram of a scenario of static user access provided by an embodiment of the present application.
- FIG. 11 is a flowchart of a method 100 for a static user accessing BNG provided by an embodiment of the present application.
- FIG. 12 is a schematic diagram of a scenario of an abnormally offline IPoE user access provided by an embodiment of the present application.
- FIG. 13 is a flowchart of an IPoE terminal accessing and renewing a lease through a DHCP protocol provided by an embodiment of the present application;
- FIG. 14 is a flowchart of a method 200 for an abnormally offline IPoE terminal to access a BNG provided by an embodiment of the present application;
- FIG. 15 is a schematic diagram of the location of PFCP in a protocol stack provided by an embodiment of the present application.
- FIG. 16 is a schematic diagram of establishing multiple PFCP associations between a CPF and a UPF according to an embodiment of the present application.
- FIG. 17 is a schematic diagram of a PFCP association and a PFCP session provided by an embodiment of the present application.
- FIG. 18 is a schematic diagram of a flow of a UPF processing message provided by an embodiment of the present application.
- FIG. 19 is a schematic diagram of a PFCP session provided by an embodiment of the present application.
- FIG. 20 is a schematic diagram of a PDR provided by an embodiment of the present application.
- FIG. 21 is a schematic diagram of a UPF performing session processing based on PFCP according to an embodiment of the present application.
- FIG. 22 is an architecture diagram of a network system 300 provided by an embodiment of the present application.
- FIG. 24 is a flowchart of a packet processing method 400 provided by an embodiment of the present application.
- FIG. 25 is a flowchart of a packet processing method 500 provided by an embodiment of the present application.
- FIG. 26 is a flowchart of a packet processing method 600 provided by an embodiment of the present application.
- FIG. 27 is a flowchart of a packet processing method 700 provided by an embodiment of the present application.
- FIG. 28 is a schematic structural diagram of a UP device 800 provided by an embodiment of the present application.
- FIG. 29 is a schematic structural diagram of a CP device 810 provided by an embodiment of the present application.
- FIG. 30 is a schematic structural diagram of a device 900 provided by an embodiment of the present application.
- FIG. 31 is a schematic structural diagram of a device 1000 provided by an embodiment of the present application.
- FIG. 32 is a schematic structural diagram of a communication system 1100 provided by an embodiment of the present application.
- the term "BNG separated by CU” generally refers to a BNG in which the control plane and the forwarding plane are located on different devices.
- the devices where the control plane is located and the devices where the forwarding plane is located are distributed in different locations.
- the quantitative relationship between the device where the control plane is located and the device where the forwarding plane is located is, for example, one-to-one or one-to-many; that is, a device where a control plane is located can control one device where a forwarding plane is located, or can control multiple devices where forwarding planes are located.
- CU separation may have different names.
- different standards, different versions of the same standard, different manufacturers, and different application scenarios may have different names for "CU separation”.
- CU separation may also sometimes be referred to as “control and forwarding separation”, “forwarding control separation”, “control plane and user plane separation”, “control and user separation”, and the like.
- the "CU-separated BNG” may have different names.
- different standards, different versions of the same standard, different manufacturers, and different application scenarios may have different names for the "CU-separated BNG”.
- the term "CU-separated BNG" may sometimes be referred to as a "disaggregated BNG system (Disaggregated BNG, DBNG)", and accordingly, the CP device in the CU-separated BNG may be called a DBNG-CP, and the UP device in the CU-separated BNG may be referred to as a DBNG-UP.
- CU-separated BNG may also sometimes be referred to as "Virtual Broadband Network Gateway (Virtual BNG, vBNG) control plane and user plane separation system (Control Plane and User Plane Disaggregated System, CU system)", that is "vBNG CU system"; correspondingly, the CP device in the CU-separated BNG may be referred to as vBNG-CP, and the UP device in the CU-separated BNG may be referred to as vBNG-UP.
- BNG separated by CU may also sometimes be referred to as a "virtual Broadband Remote Access Server (vBRAS) CU system", that is, "vBRAS CU system"; correspondingly, the CP device in the CU-separated BNG may be referred to as vBRAS-CP, and the UP device in the CU-separated BNG may be referred to as vBRAS-UP.
- "DBNG", "vBNG CU system" and "vBRAS CU system" are used interchangeably herein.
- CP may have different names.
- different standards, different versions of the same standard, different manufacturers, and different application scenarios may have different names for "CP”.
- CP may also sometimes be referred to as "CP Function (CPF)" or "CP plane".
- "CP", "CPF" and "CP plane" are used interchangeably herein.
- CP device refers to any device that implements CP functionality.
- UP may have different names.
- different standards, different versions of the same standard, different manufacturers, and different application scenarios may have different names for "UP”.
- UP may also sometimes be referred to as "UP Function (UPF)" or "UP plane".
- "UP", "UPF" and "UP plane" are used interchangeably herein.
- UP device refers to any device that implements UP functionality.
- the BNG is introduced below.
- the BNG is used to undertake the function of connecting the user equipment to the broadband network, and is a key device in the network.
- FIG. 1 is an example of the location of the BNG in the network
- the Broadband Network Gateway in FIG. 1 is an example of the BNG.
- the protocol stack processed by the BNG includes, but is not limited to, IP over Ethernet (Internet Protocol over Ethernet, IPoE), Point-to-Point Protocol over Ethernet (PPPoE), the 802.1ad protocol, the Ethernet protocol and some 802.3 PHY protocols.
- FIG. 2 is an illustration of an access-side protocol stack for BNG processing.
- a, b and c in FIG. 2 represent three parallel forms.
- the BNG can encapsulate the message in the form corresponding to the protocol stack shown in any of a, b, and c.
- BNG is mainly responsible for authentication and Internet Protocol (Internet Protocol, IP) address allocation.
- the authentication process is implemented based on the Remote Authentication Dial In User Service (Radius).
- the broadband remote access server (Broadband Remote Access Server, BARS) in FIG. 3 is an example of a BNG.
- the function of BARS is basically the same as that of BNG.
- the terminal of Internet Protocol version 4 (IPv4) user 1, the terminal of IPv4 user 2 and the terminal of IPv4 user 3 are connected to a digital subscriber line access multiplexer (Digital Subscriber Line Access Multiplexer, DSLAM) or an optical line terminal (OLT).
- the DSLAM/OLT is connected to the BARS.
- the BARS is networked with an NGN server, a Radius server, a Dynamic Host Configuration Protocol (DHCP) server and an IPTV server.
- BARS is used to assign IP addresses to the terminal of IPv4 user 1, the terminal of IPv4 user 2 and the terminal of IPv4 user 3 respectively, and to authenticate the terminal of IPv4 user 1, the terminal of IPv4 user 2 and the terminal of IPv4 user 3 respectively.
- the BNG includes multiple physical ports, and different physical ports can be connected to different access node (AN) devices.
- the manner in which the AN device accesses the BNG includes, but is not limited to, the direct connection between the AN device and the BNG, and the connection between the AN device and the BNG through an aggregation device, and the like.
- FIG. 4 is an illustration of a BNG providing multiple physical ports to access different AN devices.
- each terminal is marked with a unique virtual local area network (Virtual LAN, VLAN) tag (VLAN Tag), and the terminal accesses from a fixed physical port of the BNG.
- the physical port information and VLAN tag of the terminal accessing the BNG are equivalent to the location of the terminal.
- FIG. 5 is an example of the functional modules inside the BNG.
- the upper dashed box in Figure 5 is the control surface of the BNG.
- the control plane of the BNG provides functions such as access management, session management, authentication, authorization, accounting (Authentication, Authorization, Accounting, AAA), address allocation, and service policy control.
- the lower dashed box in FIG. 5 is the forwarding plane of the BNG.
- the forwarding plane of the BNG implements the forwarding processing for the terminal, including: sending access protocol packets up to the control plane; forwarding the control packets sent by the control plane to the terminal; performing a binding check on the terminal's uplink data packets (after authentication passes, the corresponding binding table is generated on the forwarding plane); and performing IP forwarding, quality of service (Quality of Service, QoS) processing, statistics, and so on.
- FIG. 6 shows the BNG of the CU split architecture defined in BBF TR-384.
- the control plane (CPF) is deconstructed from the physical BNG and deployed to the data center.
- the physical BNG retains the forwarding plane function and is still deployed in the original location.
- the BNG separated by the CU includes multiple UPFs.
- the BNG separated by the CU shown in FIG. 6 includes three UPFs, UPF1 , UPF2 and UPF3 .
- multiple UPFs in the BNG of the CU split architecture are distributed in different locations.
- multiple UPFs in the BNG of the CU-separated architecture cooperate to share forwarding tasks based on a distributed architecture.
- FIG. 7 shows the three interfaces between the control plane (Control Plane, CP for short, also called the control plane) and the user plane (User Plane, UP for short, also called the forwarding plane) in the vBNG CU system defined in BBF TR-459.
- the three interfaces between CPF and UPF include management interface (Mi), control packet redirection interface (CPRi), and state control interface (SCi).
- the management interface uses the XML-based Network Configuration Protocol (Netconf)/yang (a data modeling language) protocol to communicate.
- the control packet redirection interface is used to complete the forwarding of protocol packets between the Customer Premise Equipment (CPE) and the CPF.
- the control packet redirection interface uses a GPRS tunneling protocol (GTP) user plane (GTP-U) tunnel.
- FIG. 8 is an example illustrating the function of the control message redirection interface.
- the state control interface adopts the Packet Forwarding Control Protocol (PFCP) defined in 3GPP TS 29.244 to communicate.
- PFCP Packet Forwarding Control Protocol
- the state control interface mainly implements the following functions: the UPF reports node information to the CPF; after the CPF completes terminal access, it delivers the forwarding control behaviour to the UPF for execution; and the UPF completes statistics and reports them to the CPF.
- FIG. 9 is an illustration of the function of the state control interface.
- the BNG separated by the CU has been introduced above, and the packet processing method provided by the embodiment of the present application can be applied to the scenario where the BNG separated by the CU performs access authentication for static users or abnormally offline users.
- the following two scenarios are illustrated by way of scenario A and scenario B.
- Scenario A: scenario of static user access.
- Static users are users with fixed IP addresses. Static users are also called private line users. A fixed IP address is also called a static IP address. Specifically, the IP address of the static user is preconfigured on the BNG.
- FIG. 10 shows a scenario of static user access.
- Four static user entries are preconfigured on the BNG, and each entry stores a static user's IP address and static user access location information.
- the location information is represented by the slot ID, card ID and port ID (the port is also called an optical port or physical port) through which the IPoE terminal accesses the BNG.
- the content of the static user entry is represented in the format of "IP address/interface type/slot/card/port".
- the four entries shown in Figure 10 respectively contain 125.1.3.2 g1/0/0, 2012:1234::01 g1/0/0, 123.1.1.2 g2/0/0 and 2003::01 g2/0/0.
- 125.1.3.2 indicates that the IPv4 address of static user 1 is 125.1.3.2.
- g indicates that the interface type accessed by static user 1 is GigaEthernet (GE).
- 1/0/0 indicates that the slot ID accessed by static user 1 is 1, the card ID is 0, and the port ID is 0.
- 2012:1234::01 indicates that the IPv6 address of static user 1 is 2012:1234::01.
- g indicates that the interface type accessed by static user 1 is GE.
- 1/0/0 indicates that the slot ID accessed by static user 1 is 1, the card ID is 0, and the port ID is 0.
- Both the VOD server and the enterprise gateway in FIG. 5 are examples of IPoE terminals of static users.
- the VOD server has fixed IP addresses 125.1.3.2/30 and 2012:1234::1.
- the VOD server can trigger access through any IP address of 125.1.3.2/30 and 2012:1234::1.
- the enterprise gateway has fixed IP addresses 123.1.1.2/30 and 2003::01.
- the enterprise gateway can trigger access through either IP address 123.1.1.2/30 and 2003::01.
- FIG. 11 shows a flowchart of a method 100 for static user access to the BNG. Since there is no authentication-protocol interaction when the IPoE terminal of a static user accesses, the following S101 to S150 are usually used for access authentication.
- the IPoE terminal of the static user sends an ARP packet, an IPv4 data packet, an ND packet or an IPv6 data packet.
- the BNG receives an ARP packet, an IPv4 data packet, an ND packet or an IPv6 data packet from the inbound interface and extracts the source IP address from the packet. The BNG judges, according to the source IP address, whether authentication has already passed. If it has not, execute the following S120; if it has, execute the following S150.
- the BNG matches the packet against the local static user list. If the match succeeds, execute the following S130 and enter authentication; if the match fails, execute the following S140.
- the BNG performs access processing. Specifically, the authentication of static users uses binding authentication, that is, the location information of the terminal access is used (the BNG identifies the location of the terminal by IP + port + VLAN tag): the BNG fills the location information into the Radius authentication request message, and the backend Radius server recognises the location information and performs authentication and authorization.
- the BNG discards the ARP packet, the IPv4 data packet, the ND packet, or the IPv6 data packet.
- the BNG forwards the IPv4 data message or the IPv6 data message, or the BNG processes the ARP message or the ND message based on the protocol.
- Scenario B: a scenario in which an abnormally offline IPoE user accesses.
- An abnormally offline user refers to a user whose IP address was dynamically obtained through IPoE. When a link failure or a hardware failure of the BNG occurs, the BNG interrupts the service of the affected IPoE user; at this time the user does not perceive the failure and continues to hold the IP address during the address lease period.
- FIG. 12 shows a scenario in which an abnormally offline IPoE user accesses.
- the IPTV set-top box in FIG. 12 is an example of an IPoE terminal.
- the IPTV set-top box accesses the BNG in IPoE mode (i.e., the mode based on the DHCP protocol). Because the DHCP protocol has no authentication process, this type of terminal also uses binding authentication for access. The specific process is the same as the static user access process in Scenario A.
- when the BNG cannot detect the terminal or an interface failure occurs, the BNG records the online IPoE terminals in an abnormal offline list.
- when the BNG subsequently receives the IP stream of the IPoE terminal, it matches the abnormal offline list of IPoE terminals and starts the fast recovery process, avoiding the delay that would be caused by the IPoE terminal waiting for the lease to time out before accessing again.
- FIG. 13 shows a flow chart of the access and lease renewal of the IPoE terminal through the DHCP protocol.
- the IPoE terminal obtains the IP address and lease period through the DHCP protocol.
- the lease period is three days by default, and the lease period can be configured to be smaller in deployment, for example, the lease period can be 2 hours.
- the terminal determines that it can continue to hold the IP address through DHCP lease renewal.
- the DHCP lease renewal process can be triggered when the lease time reaches 1/2 of the lease period.
- FIG. 14 shows a flowchart of a method 200 for accessing a BNG by an abnormally offline IPoE terminal.
- the method 200 includes the following S201 to S250.
- the access process of an abnormally offline IPoE terminal is the same as the static user access process; the difference lies in the table that is queried.
- the table queried in S120 above is the static user list.
- the table queried in S220 below is the list of abnormally offline IPoE terminals.
- the BNG receives the ARP packet, the IPv4 data packet, the ND packet or the IPv6 data packet from the ingress interface and extracts the source IP address from the packet. The BNG judges, according to the source IP address, whether authentication has already passed. If it has not, execute the following S220; if it has, execute the following S250.
- the BNG matches the packet against the local list of abnormally offline IPoE terminals. If the match succeeds, execute the following S230 and enter authentication; if the match fails, execute the following S240.
- the BNG performs access processing. Specifically, the authentication of the abnormally offline IPoE terminal uses binding authentication, that is, the location information of the terminal access is used (the BNG identifies the location of the terminal by IP + port + VLAN tag): the BNG fills the location information into the Radius authentication request message, and the backend Radius server recognises the location information and performs authentication and authorization.
- the BNG discards ARP packets, IPv4 data packets, ND packets, or IPv6 data packets.
- the BNG forwards the IPv4 data message or the IPv6 data message, or the BNG processes the ARP message or the ND message based on the protocol.
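Scenarios A and B above run the same decision flow (S110 to S150, S210 to S250) over two different tables. The Python model below is an added example and is not code from the application: it implements that flow for both tables, the binding check against the access location, the RADIUS request the BNG would fill in, and the step in Scenario B where an interface failure moves online IPoE users into the abnormal offline list. The `Bng`, `Location` and `Packet` classes, the RADIUS attribute names and the `NAS-Port-Id` text layout are assumptions of this example; the addresses and slot/card/port values used in the test are constructed from the FIG. 10 description.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Location:
    """Where a terminal is attached: slot/card/port of the BNG plus its VLAN tag."""
    slot: int
    card: int
    port: int
    vlan: int


@dataclass(frozen=True)
class Packet:
    kind: str            # "ARP", "ND", "IPv4" or "IPv6"
    src_ip: str          # source IP address extracted from the packet
    location: Location   # ingress slot/card/port and VLAN tag observed by the BNG


def norm(ip):
    """Canonical text form so that 2012:1234::01 and 2012:1234::1 compare equal."""
    return str(ip_address(ip))


class Bng:
    def __init__(self, static_users, abnormal_offline=None):
        # Scenario A: preconfigured static user entries, IP -> access location.
        self.static_users = {norm(k): v for k, v in static_users.items()}
        # Scenario B: abnormal offline list, recorded when a link or interface fails.
        self.abnormal_offline = {norm(k): v for k, v in (abnormal_offline or {}).items()}
        # Binding table generated on the forwarding plane once authentication passes.
        self.bound = {}

    def handle(self, pkt):
        """Decide what the BNG does with one ARP/ND/IPv4/IPv6 packet from a terminal."""
        ip = norm(pkt.src_ip)
        # S110/S210: already authenticated -> forward data, or process ARP/ND locally (S150/S250).
        if ip in self.bound:
            return "forward" if pkt.kind in ("IPv4", "IPv6") else "protocol"
        # S120/S220: look the source IP up in the static user list, then in the abnormal offline list.
        entry = self.static_users.get(ip) or self.abnormal_offline.get(ip)
        # The entry must also agree with the observed access location (binding check).
        if entry is None or entry != pkt.location:
            return "discard"        # S140/S240
        return "authenticate"       # S130/S230: go to binding authentication via RADIUS

    def radius_request(self, pkt):
        """Attributes the BNG fills into the RADIUS Access-Request for binding authentication.
        The attribute set and the NAS-Port-Id text layout are assumptions of this example."""
        loc = pkt.location
        ip = norm(pkt.src_ip)
        addr_attr = "Framed-IPv6-Address" if ip_address(ip).version == 6 else "Framed-IP-Address"
        return {
            addr_attr: ip,
            "NAS-Port-Id": f"slot{loc.slot}/card{loc.card}/port{loc.port}:vlan{loc.vlan}",
        }

    def auth_result(self, pkt, accepted):
        """Apply the RADIUS verdict: an Access-Accept installs the binding entry."""
        if accepted:
            self.bound[norm(pkt.src_ip)] = pkt.location
        return accepted

    def interface_failure(self, slot, card, port):
        """Scenario B: an interface fails. Online users on it lose their binding and are
        recorded in the abnormal offline list so they can re-access without waiting
        for the DHCP lease to expire. Returns the affected addresses."""
        lost = [ip for ip, loc in self.bound.items()
                if (loc.slot, loc.card, loc.port) == (slot, card, port)]
        for ip in lost:
            self.abnormal_offline[ip] = self.bound.pop(ip)
        return lost
```

A packet from a configured static address arriving on the wrong port is discarded rather than authenticated, which is the point of binding the IP to the access location: the address alone is not the credential.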
- PFCP is a communication protocol between the control plane and the user plane.
- FIG. 15 is an illustration of the position of PFCP in the protocol stack.
- PFCP is carried over the User Datagram Protocol (UDP), and the IP layer can be IPv4 or IPv6.
- in PFCP, the UP is called the UPF and the CP is called the CPF.
- PFCP is defined in the 3rd Generation Partnership Project (3rd Generation Partnership Project, 3GPP) TS 29.244 specification.
- the UDP destination port number of a Request message in PFCP is 8805, and the UDP source port number is allocated locally by the sender of the PFCP message.
- the UDP destination port number in the Response message in PFCP is the source port number in the request message.
- the UDP source port number of the response message in PFCP is the destination port number of the corresponding request message.
- FIG. 16 is an illustration of establishing multiple PFCP associations between a CPF and UPFs.
- the CPF and the two UPFs have established three PFCP associations.
- the CPF and UPF(A) have established two PFCP associations, PFCP Association 1 and PFCP Association 2.
- the CPF and UPF(B) have established one PFCP association, PFCP Association 3.
- each PFCP association corresponds to a part of the control information of the PFCP sessions.
- since each PFCP association corresponds to the control information of a part of the sub-sessions (Sub-Session), when the response message of a PFCP session is sent it is necessary to find the IP header (IP Header) of the request message of the corresponding PFCP session and swap its destination IP and source IP to build the IP header of the response message.
- the data is in network byte order.
- a PFCP message includes two parts: a PFCP message header (PFCP message header) and information elements (Information Element, IE).
- one PFCP message includes at least one PFCP message header, and optionally also includes IEs.
- the number of IEs in a PFCP message can be one or more.
- when several PFCP messages are bundled in one UDP packet, the FO (Follow On) flag in each preceding PFCP message header is 1, and the FO flag of the last PFCP message header is 0.
- the message header is a variable-length structure, and the first 4 bytes are in a fixed format.
- the Flag field identifies whether additional information is carried. As shown in Table 3, the message header is required to be in a 4-byte-aligned format, and its members are in network byte order.
- the optional part of the PFCP message header starts from the 5th byte; its content is determined by the Flag bits in the 1st byte, which are examined in the order bit1 to bit8, and each field is filled in when the corresponding bit is 1. See Table 5 below, which is an example of the message header format of a PFCP node message (Node message).
- the SEID starts from the 5th byte.
- the SEID in the message header is the SEID of the remote peer node (the remote peer's SEID), that is, it indicates the SEID of the receiver.
- IE can be understood as a property.
- IE has a TLV encapsulation format.
- IE is divided into grouped IE (grouped IE) and embedded IE (embedded IE).
- Embedded IE is a property of the smallest unit.
- a grouped IE can contain multiple embedded IEs. See Table 8 and Table 9 below, where Table 8 shows the format of the IE and Table 9 shows the meaning of each field in the IE.
- a UDP packet can carry multiple PFCP messages, and the SN (sequence number) of each message header is independent. If such a bundled packet is lost during transmission and needs to be retransmitted, the retransmission does not necessarily have to follow the above bundling order.
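The header and IE layout described above can be exercised with a small decoder. The Python parser below is an added example and is not code from the application or from 3GPP: it reads the fixed 4-byte header, takes the SEID from the 5th byte only when the S flag is set, walks the TLV-encoded IEs, recurses into grouped IEs, handles the Enterprise ID of vendor-specific IEs, and splits one UDP payload into the messages bundled with the FO flag, rejecting a payload whose length fields disagree with the bytes actually present. The flag bit positions (S = bit 1, MP = bit 2, FO = bit 3, version = bits 6 to 8) follow TS 29.244 clause 7.2.2. The message and IE type numbers in `sample_datagram` (Heartbeat Request, Session Establishment Request, Create PDR, PDI, PDR ID, Precedence, Source Interface) are used only to build a constructed sample; the vendor IE, its Enterprise ID and every value in the sample are invented.

```python
import struct

PFCP_UDP_PORT = 8805  # destination port of every PFCP Request message

# IE types treated as grouped (containers of embedded IEs) in this example:
# 1 = Create PDR and 2 = PDI in TS 29.244. The parser itself is generic.
GROUPED_IE_TYPES = frozenset({1, 2})


def parse_header(buf):
    """Decode one PFCP message header at the start of buf.

    Returns (hdr, first_ie_offset, message_end). The first 4 bytes are fixed;
    what follows depends on the Flag bits of byte 1: the SEID occupies bytes
    5-12 only when S=1, then come a 3-byte sequence number and one byte that
    carries the message priority (high nibble) when MP=1 and is spare otherwise.
    """
    if len(buf) < 4:
        raise ValueError("truncated fixed header")
    flags, msg_type, length = struct.unpack_from("!BBH", buf, 0)
    hdr = {
        "version": flags >> 5,
        "fo": bool(flags & 0x04),  # Follow On: another PFCP message follows in this UDP payload
        "mp": bool(flags & 0x02),  # Message Priority byte is meaningful
        "s": bool(flags & 0x01),   # session message: SEID present
        "type": msg_type,
        "length": length,          # number of bytes following the first 4
    }
    need = 12 if hdr["s"] else 4   # minimum length of the optional part
    if length < need or len(buf) < 4 + length:
        raise ValueError("PFCP length field inconsistent with buffer")
    off = 4
    if hdr["s"]:
        hdr["seid"] = struct.unpack_from("!Q", buf, off)[0]  # remote peer's SEID
        off += 8
    hdr["seq"] = int.from_bytes(buf[off:off + 3], "big")
    off += 3
    hdr["priority"] = (buf[off] >> 4) if hdr["mp"] else None
    off += 1
    return hdr, off, 4 + length


def parse_ies(buf, start, end, grouped=GROUPED_IE_TYPES):
    """Walk the TLV-encoded IEs in buf[start:end]; recurse into grouped IEs."""
    ies, off = [], start
    while off < end:
        if end - off < 4:
            raise ValueError("truncated IE header")
        raw_type, ie_len = struct.unpack_from("!HH", buf, off)
        off += 4
        val_end = off + ie_len
        if val_end > end:
            raise ValueError("IE length runs past the end of the message")
        ie = {"type": raw_type & 0x7FFF, "vendor": bool(raw_type & 0x8000)}
        vstart = off
        if ie["vendor"]:
            # Vendor-specific IE: a 2-byte Enterprise ID precedes the value (counted in the length).
            if ie_len < 2:
                raise ValueError("vendor IE shorter than its Enterprise ID")
            ie["enterprise_id"] = struct.unpack_from("!H", buf, vstart)[0]
            ie["value"] = bytes(buf[vstart + 2:val_end])
        elif ie["type"] in grouped:
            ie["ies"] = parse_ies(buf, vstart, val_end, grouped)  # grouped IE
        else:
            ie["value"] = bytes(buf[vstart:val_end])              # embedded IE
        ies.append(ie)
        off = val_end
    return ies


def parse_datagram(payload, grouped=GROUPED_IE_TYPES):
    """Split a UDP payload into the PFCP messages bundled in it (FO flag) and parse each."""
    msgs, off = [], 0
    while off < len(payload):
        hdr, ie_start, msg_end = parse_header(payload[off:])
        hdr["ies"] = parse_ies(payload[off:], ie_start, msg_end, grouped)
        msgs.append(hdr)
        off += msg_end
        if not hdr["fo"] and off < len(payload):
            raise ValueError("FO=0 but bytes remain after the message")
    return msgs


# Encoders used only to build the constructed sample below.
def build_ie(ie_type, value):
    return struct.pack("!HH", ie_type, len(value)) + value


def build_message(msg_type, seq, ies, seid=None, fo=False):
    flags = (1 << 5) | (0x04 if fo else 0) | (0x01 if seid is not None else 0)
    opt = (struct.pack("!Q", seid) if seid is not None else b"") + seq.to_bytes(3, "big") + b"\x00"
    body = b"".join(ies)
    return struct.pack("!BBH", flags, msg_type, len(opt) + len(body)) + opt + body


def sample_datagram():
    """Constructed sample: a node Heartbeat Request (type 1, FO=1) bundled with a
    Session Establishment Request (type 50, S=1) carrying one Create PDR and one
    invented vendor-specific IE."""
    heartbeat = build_message(1, 7, [], fo=True)
    pdi = build_ie(2, build_ie(20, b"\x00"))                          # PDI with a Source Interface
    create_pdr = build_ie(1, build_ie(56, b"\x00\x01")                # PDR ID
                          + build_ie(29, (100).to_bytes(4, "big"))    # Precedence
                          + pdi)
    vendor = build_ie(0x8000 | 0x0101, struct.pack("!H", 0x2A) + b"xyz")
    return heartbeat + build_message(50, 8, [create_pdr, vendor], seid=0x1234)
```

The two length checks (header length versus buffer, IE length versus message end) are what keep a malformed datagram from being read past its end; a parser that trusts the length fields is the usual source of over-reads in TLV decoders.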
- PFCP defines a set of abstract UPF models based on 5th generation mobile network (5th generation mobile networks or 5th generation wireless systems, 5G) services, and on the basis of this model defines the node messages and session messages between C and U, and a series of IEs. For example, FIG. 18 illustrates the flow of a UPF processing a packet. The UPF forwards packets by flow matching, which is similar in principle to an access control list (Access Control List, ACL). Referring to FIG. 18, after a packet enters the system it is matched against the rule table of packet detection rules (Packet Detection Rule, PDR), and after a hit it is processed according to a fixed action.
- FIG. 19 is an example of a PFCP session (PFCP Session).
- the SMF issues a flow processing policy (Packet Detection Rule, also known as the Packet Detection Rule PDR) through the PFCP session of the N4 interface, and the UPF executes the PDR to implement the function of processing packets.
- PDR is used to define how to match packets.
- Each PDR contains a set of "MAR+FAR+QER+URR".
- the MAR in FIG. 18 represents a multi-access rule (Multi-Access Rule, a kind of packet matching rule), and the MAR is similar to the process of checking the forwarding information base (Forward Information dataBase, FIB) and ACL.
- the information in the PDR includes the incoming interface (Incoming Interface), the local fully qualified tunnel endpoint identifier (Local Full Qualified TEID, Local-F-TEID, an access form corresponding to the tunnel termination mode, i.e. the tunnel ID), the network instance (Network Instance, namely a VRF instance), the user equipment (User Equipment, UE) IP (terminal IP address), and the terminal media access control (Media Access Control, Client MAC) address.
- PDR is a combination of flow detection information (Packet Detection Information, PDI) and packet action (Packet Action, PA, also known as flow action).
- FIG. 21 is an example of session processing by the UPF based on PFCP. After a downlink packet on the user plane enters the UPF, the UPF finds the PFCP session to which the packet belongs according to the matching PDR, selects the successfully matched PDR with the highest priority in that PFCP session, and executes the flow action of that PDR to complete the processing of the message.
- the PA is used to instruct the UPF to perform the processing action on the message.
- the PA includes Forwarding Action Rule (FAR), QoS Enforcement Rule (QER), and Usage Reporting Rule (URR).
- FAR corresponds to an action performed by the UPF.
- Actions include, but are not limited to, discard, forward, cache, notify CPF (Notify the CPF, NOCP), DUPL (Duplication), and IPMA (IP Multicast Accept).
- the forwarding action is GTP encapsulation and decapsulation.
- NOCP marks the arrival of the first downstream flow and buffers it.
- DUPL stands for duplication of packets, and is used in scenarios such as legal interception and mirroring.
- IPMA means joining or leaving a multicast group.
- FAR is a forwarding action, including encapsulation. FAR is similar to the behavior definition after the Forwarding Information Base (FIB) and ACL.
- the Usage Reporting Rule is used to perform statistical reporting actions, such as offline charging reporting.
- URR corresponds to a session.
- the URR reports to the CPF when a trigger condition is met, such as a traffic quota being reached, a certain period being completed, or a certain event occurring.
- QER represents the quality of service (Quality of Service, QoS) processing rule, which is used for bandwidth guarantee and priority scheduling.
- Other listed actions: Committed Access Rate (CAR), Queue, Mirror, and Lawful Interception (LW).
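The PDR/PDI/FAR/URR model described above, as an added example that is not the patent's code: a minimal UPF session that tries its PDRs in precedence order, applies the FAR of the first matching PDR, and meters it with a URR that reports once its volume quota is reached. The assumption that a lower precedence value means higher priority follows TS 29.244; the interface names, addresses, TEID and quota in `sample_session()` are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    in_iface: str                 # "access" = uplink from the terminal, "core" = downlink
    teid: Optional[int] = None    # TEID of the GTP-U tunnel the packet arrived in, if any
    size: int = 0                 # payload bytes, counted by the URR


@dataclass
class PDI:
    """Packet Detection Information: every field that is set must match."""
    in_iface: Optional[str] = None
    ue_ip: Optional[str] = None          # source on uplink, destination on downlink
    local_f_teid: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        if self.local_f_teid is not None and pkt.teid != self.local_f_teid:
            return False
        if self.ue_ip is not None:
            ue_ip = pkt.src_ip if pkt.in_iface == "access" else pkt.dst_ip
            if ue_ip != self.ue_ip:
                return False
        return True


@dataclass
class FAR:
    action: str                   # "forward", "drop", "buffer" or "nocp"
    dest_iface: Optional[str] = None


@dataclass
class URR:
    volume_quota: int             # report to the CPF once this many bytes were seen
    counted: int = 0
    reports: List[int] = field(default_factory=list)


@dataclass
class PDR:
    precedence: int               # assumption: lower value = higher priority (TS 29.244)
    pdi: PDI
    far: FAR
    urr: Optional[URR] = None


class Session:
    """PFCP session: the PDRs of one user, tried in precedence order."""

    def __init__(self, pdrs: List[PDR]):
        self.pdrs = sorted(pdrs, key=lambda p: p.precedence)

    def process(self, pkt: Packet) -> str:
        for pdr in self.pdrs:
            if not pdr.pdi.matches(pkt):
                continue
            if pdr.urr is not None:                 # usage reporting rule
                pdr.urr.counted += pkt.size
                if pdr.urr.counted >= pdr.urr.volume_quota:
                    pdr.urr.reports.append(pdr.urr.counted)
                    pdr.urr.counted = 0
            return pdr.far.action                   # forwarding action rule
        return "drop"                                # no rule for this flow


def sample_session() -> Session:
    # Constructed sample for one UE at 10.1.1.2 reached through TEID 0x1234.
    return Session([
        # uplink: only traffic whose source is the UE's own address is forwarded
        PDR(100, PDI("access", "10.1.1.2", 0x1234), FAR("forward", "core")),
        # uplink catch-all with lower priority: anything else in that tunnel is dropped
        PDR(200, PDI("access", None, 0x1234), FAR("drop")),
        # downlink towards the UE, metered by a URR with a 1500-byte quota
        PDR(100, PDI("core", "10.1.1.2"), FAR("forward", "access"), URR(1500)),
    ])
```

The two uplink PDRs show why precedence matters: a packet arriving in the UE's tunnel with a forged source address misses the precedence-100 rule and falls through to the precedence-200 drop, so the session itself enforces source-address binding.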
- an embodiment of the present application provides a network system 300.
- the network system 300 includes: UPF 301, CPF 302, core network 303, RG 304 and AN 305.
- the UPF 301 is an example of the UP device in the following method embodiments
- the CPF 302 is an example of the CP device in the following method embodiments.
- Different network elements in the UPF 301, the CPF 302, the core network 303, the RG 304 and the AN 305 are connected through a wireless network or a wired network.
- the CPF sends the configured static user table and the IPoE abnormal offline user table to the UPF.
- the static user management module 3021 in the CPF 302 obtains the configured static user table
- the IPoE abnormal terminal management module 3022 records the IPoE abnormal offline user table
- the CPF 302 sends the static user table and the IPoE abnormal offline user table to the state control interface.
- IP flow filtering module 3011 in UPF is
- the UPF checks the static user table and the abnormal IPoE offline user table. Specifically, the UPF deploys an IP flow filtering module 3011. When the UPF receives an ARP packet, IPv4 data packet, ND packet or IPv6 data packet and the lookup in the local authentication binding table fails, the UPF first matches the packet in the IP flow filtering module 3011 and sends it to the CPF only after the match succeeds. In addition, the IP flow filtering module 3011 provides rate limit control for the upload to the CPF.
- the UPF includes an IP flow filtering module 3011, a PFCP module 3012 and a PFCP session management module 3013.
- the IP flow filtering module 3011 is used to filter IP data flows.
- the PFCP module 3012 is configured to receive the PFCP data delivered by the CPF, parse out the session content and distribute it to the PFCP session management module 3013.
- the PFCP session management module 3013 is used to parse the message, and notify the IP flow filtering module to add a session, delete a session, and update a session.
- the CPF includes a static user management module 3021, an IPoE abnormal terminal management module 3022, a PFCP session management module 3023, a PFCP module 3024, an access management module 3024, a UPF node management module 3025, and an AAA module 3026.
- the static user management module 3021 is used to process static user configuration.
- the IPoE abnormal terminal management module 3022 is used to process the abnormal offline of the IPoE terminal, generate a record, and notify the PFCP session management module 3023 to deliver it to the UPF.
- the PFCP session management module 3023 is configured to receive a notification from the service layer module, and deliver a list of static sessions and abnormal sessions to the UPF.
- the PFCP module 3024 is configured to encapsulate the session information into a PFCP format and send it to the opposite party.
- Method 400, method 500, method 600, and method 700 are described below as examples to introduce the method flow of the CU-separated communication system introduced above; the communication system can implement the functions of the above-mentioned BNG.
- the BNG in method 400, method 500, method 600, or method 700 is an illustration of a communication system.
- alternatively, the method 400, the method 500, the method 600 or the method 700 is not applied to the BNG but to another communication system with a CU-separated architecture, for example a CU-separated Serving Gateway (S-GW), a CU-separated packet data network gateway (PDN GateWay, PGW), or a network element including the access and mobility management function (Access and Mobility Management Function, AMF) and the session management function (Session Management Function, SMF)
- the AMF or CPF is equivalent to the CPF in the BNG
- the UPF is equivalent to the UPF in the BNG.
- AGF access gateway function
- method 400 focuses on introducing the process of UPF implementing security policies
- method 500 focuses on introducing the overall process including multiple stages of packet triggering access, data forwarding, offline processing, and clearing processing
- methods 600 and 700 focus on introducing how method 500 is implemented using PFCP.
- FIG. 24 is a flowchart of a packet processing method 400 provided by an embodiment of the present application.
- the method 400 is performed, for example, by an IP flow filtering module in the UPF.
- the method 400 includes S410 to S460.
- S410 extract information such as the source IP address, MAC address, VLAN tag, and interface (ie, the port on the UP device that receives the packet).
- S420 Determine whether the authentication is passed. If the authentication is not passed, execute the following S430. If the authentication is passed, the following S460 is performed.
- S430 Determine whether the match to the static user table or the abnormal offline user table is successful. If the match is successful, execute the following S440. If the matching fails, the following S450 is performed.
- the UP device sends the packet to the CPF only after the match in S430 succeeds, which reduces the burden on the CPF and reduces the risk of the CPF being attacked.
- FIG. 25 is a flowchart of a packet processing method 500 provided by an embodiment of the present application.
- the method 500 includes S501 to S522.
- the method 500 is performed by the BNG in the system architecture shown in The CU-separated BNG shown in any one of 23 is executed, or executed by the BNG in the static user access scenario shown in FIG. 10 , or executed by the BNG in the abnormally offline user access scenario shown in FIG. 12 .
- the method 500 may be processed by a general-purpose central processing unit (CPU), or jointly by the CPU and/or a network processor (NP); alternatively, neither the CPU nor the NP is used and other suitable components are used instead.
- method 500 is not limited.
- the CP device sends the first policy to the UP device included in the BNG.
- the term "policy" refers to information containing rules and action identifiers.
- the policy can specify that the device executes the action corresponding to the action flag on the message when the information in the message satisfies the rule. Actions include, but are not limited to, redirection, forwarding, discarding, QoS control, statistical reporting, and the like. For example, when PFCP is adopted, the policy is PDR, the rule is PDI, and the action identifier is PA.
- the CP device delivers a policy to the UP device. When the UP device receives a packet, it will perform corresponding actions on the packet according to the policy pre-delivered by the CP device.
- the first policy is used to instruct to redirect the packet to the CP device under the condition that the first information included in the packet and the information of the first type of user satisfy the first matching condition.
- the matching rules in the first policy include information of the first type of users.
- the action identifier in the first policy is used to identify the redirected action.
- the action identifier in the first policy includes the identifier of the CP device.
- the first category of users refers to users with fixed Internet Protocol IP addresses.
- the information of the first type of user includes, but is not limited to, at least one item of an IP address, a MAC address, a VLAN tag, an interface index, and a port number.
- the information of the first type of users is stored and transmitted in the form of a table.
- the first policy includes a user table.
- the user table includes information on the first type of users.
- each entry of the user table includes the information of one first-type user.
- the first type of users includes at least one of static users or abnormally offline users.
- the user table includes at least one of a static user table or an abnormal user table.
- the static user table is also called the static user list.
- the static user table includes information on static users. For example, each entry in the static user table includes information about one static user.
- the abnormal user table is also called the abnormal user list or the abnormal offline user list.
- the abnormal user table includes information of abnormal offline users. For example, each entry in the abnormal user table includes information about an abnormal offline user.
- static users and abnormal offline users please refer to the introduction above.
- the static user table and the abnormal user table are separated into different tables or merged into the same table.
- the static user table and the exception user table are two separate tables.
- the static user table and the exception user table belong to the same table.
- the user table includes two attributes, which correspond to static users and abnormal offline users, respectively.
- the user table includes correspondence between user information and actions, and whether the user has been authenticated is identified by the action corresponding to the user information. For example, if the action corresponding to the user information is "To CPF", it indicates that the user has not been authenticated; if the action corresponding to the user information is an action other than "To CPF", it indicates that the user has been authenticated. In other embodiments, whether the user is authenticated or not is identified by other attributes in the user table.
- the static user corresponds to the first attribute of the user table
- the attribute value of the first attribute is the information of the static user
- the abnormally offline user corresponds to the second attribute of the user table, and the attribute value of the second attribute is the information of the abnormally offline user.
- the first policy is pre-configured on the CP device by the controller or the network administrator.
- the CP device combines the information of the first type of user with the redirection information to obtain the first policy.
- a static user table is configured on the CP device, and the static user table and redirection information are combined to obtain the first policy.
- the CP device generates an abnormal user table, and combines the abnormal user table with redirection information to obtain the first policy.
- the CP device generates the abnormal user table please refer to the corresponding introduction in FIG. 12 and FIG. 13 .
- the CP device sends the first policy to the UP device, so that the UP device obtains the policy through communication with the CP device. Therefore, during packet access, if the packet matches the information of a user with a fixed IP address, the UP device performs the action of redirecting the packet.
- the UP device receives the first policy from the CP device, and saves the first policy.
- since the CP device sends the information of the first type of user to the UP device and instructs the UP device to match the information in the packet with the information of the first type of user, the task of checking whether the packet comes from a user with a fixed IP address is offloaded from the CP device to the UP device, thereby reducing the risk of the CP device being attacked.
- the CP device also sends redirection parameters to the UP device.
- the redirection parameter includes at least one item of GTP-U tunnel information or Virtual Extensible Local Area Network (Vxlan) tunnel information.
- the Vxlan tunnel information is used to identify that the Vxlan tunnel is carried over the IPv4 protocol.
- the Vxlan tunnel information includes the IPv4 address of the CP device.
- the Vxlan tunnel information is used to identify that the Vxlan tunnel is carried by the IPv6 protocol.
- the Vxlan tunnel information includes the IPv6 address of the CP device.
- the CP device encapsulates the redirection parameters and the first policy in the same control packet, and sends the control packet to the UP device; the UP device receives the control packet and obtains the redirection parameters from the control packet and first strategy.
- the CP device encapsulates the redirection parameter and the first policy in two control packets, one control packet including the first policy and the other including the redirection parameter; the CP device sends the two control packets to the UP device; the UP device receives the two control packets, obtains the redirection parameter from the control packet carrying it, and obtains the first policy from the control packet carrying the first policy.
- the timing for sending the redirection parameter and the first policy is not limited. For example, the CP device sends the redirection parameter first and then sends the first policy; for another example, the CP device sends the first policy first and then sends the redirection parameter.
- by delivering the redirection parameters to the UP device, the CP device enables the UP device to encapsulate the tunnel header according to the redirection parameters delivered by the CP device and so redirect packets to the CP device, avoiding the tedious manual configuration of redirection parameters and reducing the complexity of implementing and configuring the solution.
- the CP device also sends the interface index to the UP device.
- the CP device notifies the UP device of the access interface of the user with a fixed IP address in the form of an interface index, so that the UP device can perform access authentication based on whether the interface accessed by the terminal matches the interface index pre-delivered by the CP device.
- the process of access authentication takes the location factor into consideration, thus helping to improve the security of authentication.
- the UP device receives the packet.
- the message is a data message.
- the message includes, but is not limited to, at least one of an IPv4 data message, an IPv6 data message, an ARP message, or an ND message. Packets are also called IP packets.
- the UP device matches the second information included in the packet with the information of the second type of user.
- the second information is the information obtained according to the message when the UP device detects whether the authentication has passed.
- the second information includes, but is not limited to, at least one of an IP address, a MAC address, a VLAN tag, and an interface index (ie, the port number of the port on the UP device that receives the packet).
- the IP address included in the second information is the source IP address.
- the source IP address included in the second information includes at least one of a source IPv6 address or a source IPv4 address.
- the source IPv6 address included in the second information is the address borne by the SA field in the IPv6 basic header.
- the second type of users refers to users who have passed authentication, for example, users who have passed binding authentication.
- the CP device sends the information of the second type of user to the UP device.
- the UP device receives the information of the second type of user, and locally saves the information of the second type of user.
- the UP device queries the stored information of the second type of user.
- the information of the second type of users is stored and transmitted in the form of a table.
- the CP device sends an authentication binding table to the UP device, and the authentication binding table includes the information of the second type of user.
- each entry of the authentication binding table includes the information of one second-type user.
- the UP device receives and saves the authentication binding table.
- the UP device queries the authentication binding table, and matches the second information included in the message with the entry in the authentication binding table. If the second information included in the packet and the information in each entry in the authentication binding table do not satisfy the second matching condition, the following S505 is performed.
- the UP device determines that the second information and the information of the second type of user do not satisfy the second matching condition.
- the second matching condition is used to detect whether the packet comes from the terminal of an authenticated user.
- the UP device determines whether the second information included in the packet matches the information of the second type of user. The actions performed by the UP device differ with the result of this judgment; case a and case b below illustrate this.
- the second matching condition includes that the source IP address in the packet is the same as the IP address of the first type of user, the port number of the port receiving the packet on the UP device is the same as the port number corresponding to the first type of user, and the VLAN tag in the packet is the same as the VLAN tag corresponding to the first type of user.
- Case b: if the second information included in the packet and the information of the second type of user satisfy the second matching condition, the packet is from the terminal of a user that has passed authentication. Then, if the packet is a data packet, the UP device forwards it; if the packet is an ARP packet, the UP device processes it according to the ARP protocol; if the packet is an ND packet, the UP device processes it according to the ND protocol.
- not satisfying the second matching condition includes various situations.
- not satisfying the second matching condition includes, but is not limited to, the following case (A), case (B), or case (C).
- Case (A): the source IP address in the packet is different from the IP address of the first type of user.
- the UP device matches the first information included in the packet with the information of the first type of user according to the first policy.
- since the CP device issues the first policy to the UP device in advance, the UP device executes S506 and S507 according to the first policy. Specifically, the UP device matches the first information included in the packet with the information of the first type of user carried in the first policy. If the first information and the information of the first type of user satisfy the first matching condition, the UP device sends the packet to the CP device included in the BNG.
- the first information is information extracted from the packet by the UP device when detecting whether the packet comes from a user with a fixed IP address.
- the first information includes, but is not limited to, at least one of an IP address, a MAC address, a VLAN tag, and an interface index (i.e., the port number of the port on the UP device that receives the packet).
- the IP address included in the first information is the source IP address.
- the source IP address included in the first information includes at least one of a source IPv6 address or a source IPv4 address.
- the source IPv6 address included in the first information is the address borne by the SA field in the IPv6 basic header.
- the interface index is used to identify the access interface (Access Interface) on the UP device.
- the access interface is an interface accessed by the terminal of the first type of user.
- the VLAN tags are, for example, single-layer VLAN tags (eg, outer VLAN tags or inner VLAN tags) or inner and outer double-layer VLAN tags.
- this embodiment does not limit whether the first information and the second information are the same.
- the second information is the same as the first information.
- the second information and the first information are different.
- the second information and the first information are partially identical.
- the CP device sends the information of the first type of user to the UP device.
- the UP device receives the information of the first type of user, and locally saves the information of the first type of user.
- the UP device queries the stored information of the first type of user.
- the user table and the authentication binding table are two separate tables.
- the user table and the authentication binding table belong to the same table.
- the user table includes two attributes corresponding to users with fixed IP addresses and authenticated users, respectively.
- a user with a fixed IP address corresponds to the first attribute of the user table, and the attribute value of the first attribute is the information of the user with the fixed IP address.
- the authenticated user corresponds to the second attribute of the user table, and the attribute value of the second attribute is the information of the authenticated user.
- the UP device sends a packet to the CP device included in the BNG.
- Sending a packet from the UP device to the CP device may also be referred to as the UP device redirecting the packet to the CP device.
- the first matching condition is used to detect whether the packet comes from the terminal of the first type of user.
- the first matching condition is used to detect whether the packet comes from the terminal of a static user.
- the first matching condition is used to detect whether the packet comes from the terminal of the abnormally offline user. It should be understood that this embodiment does not limit whether the first matching condition and the second matching condition are the same.
- the second matching condition is the same as the first matching condition.
- the second matching condition is different from the first matching condition.
- the second matching condition and the first matching condition are partially identical.
- the second matching condition is that all three of the IP address, port number and VLAN tag must match.
- the first matching condition is that the IP addresses must match, and whether the port number of the port receiving the packet on the UP device matches the VLAN tag is not limited.
- the UP device determines whether the first information included in the packet and the information of the first type of user satisfy the first matching condition. The actions performed by the UP device differ with the result of this judgment; case a and case b below illustrate this.
- satisfying the first matching condition refers to at least matching the IP address, and optionally also matching the port number or VLAN tag of the port on the UP device that receives the packet.
- the first matching condition includes, without limitation, any one of the following conditions (1) to (4).
- the matching method using the conditions (1) to (3) is called the fuzzy matching method.
- a method of matching using the following condition (4) is called a strict matching method.
- (1) the source IP address in the packet is the same as the IP address of the first type of user.
- (2) the source IP address in the packet is the same as the IP address of the first type of user, and the port number of the port on the UP device receiving the packet is the same as the port number corresponding to the first type of user.
- (3) the source IP address in the packet is the same as the IP address of the first type of user, and the VLAN tag in the packet is the same as the VLAN tag corresponding to the first type of user.
- (4) the source IP address in the packet is the same as the IP address of the first type of user, the port number of the port receiving the packet on the UP device is the same as the port number corresponding to the first type of user, and the VLAN tag in the packet is the same as the VLAN tag corresponding to the first type of user.
- the first matching condition is determined from a configuration operation. In other words, which information in the used packet is matched with which information of the first type of user is determined by the configuration operation of the controller or the network administrator. For example, if it is preconfigured to enable port number or VLAN tag matching, the UP device uses port number or VLAN tag matching; if it is preconfigured to disable port number or VLAN tag matching, the UP device does not use port number or VLAN tag matching.
- the first matching conditions satisfied in different scenarios are different.
- satisfying the first matching condition is any one of the above-mentioned conditions (1) to (3).
- the first matching condition is satisfied as the above-mentioned condition (4).
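The two-stage check of method 400 with the matching conditions (1) to (4), as an added example that is not the patent's or any vendor's code: the authentication binding table is consulted with the strict second matching condition, then the static/abnormal offline user table with a first matching condition selected by the `match_port` / `match_vlan` configuration flags, and only a matched packet is redirected to the CP device. The table contents in `sample_filter()` are constructed; dropping the packet at S450 is this example's assumption, since the page does not spell out that step, and ARP/ND handling is left out.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class PacketInfo:
    """Fields extracted from the received packet (S410)."""
    src_ip: str
    src_mac: str
    vlan: Optional[int]      # None when the packet carries no VLAN tag
    port: int                # interface index of the UP port that received the packet


@dataclass(frozen=True)
class UserEntry:
    ip: str
    port: Optional[int] = None
    vlan: Optional[int] = None
    kind: str = "static"     # "static" / "abnormal_offline" (user table), "authenticated" (binding table)


class UpFilter:
    """Two-stage check on the UP device: binding table first (S420), user table second (S430)."""

    def __init__(self, binding_table: Iterable[UserEntry], user_table: Iterable[UserEntry],
                 match_port: bool = False, match_vlan: bool = False):
        self.binding_table = list(binding_table)   # second type of user (authenticated)
        self.user_table = list(user_table)         # first type of user (fixed IP address)
        # Configuration operation selecting the first matching condition: both False is (1),
        # only port is (2), only VLAN is (3), both True is the strict condition (4).
        self.match_port = match_port
        self.match_vlan = match_vlan

    @staticmethod
    def second_matching_condition(info: PacketInfo, entry: UserEntry) -> bool:
        # strict: IP address, port number and VLAN tag must all match
        return (info.src_ip == entry.ip and info.port == entry.port
                and info.vlan == entry.vlan)

    def first_matching_condition(self, info: PacketInfo, entry: UserEntry) -> bool:
        # the IP address must match; port and VLAN only when enabled by configuration
        if info.src_ip != entry.ip:
            return False
        if self.match_port and info.port != entry.port:
            return False
        if self.match_vlan and info.vlan != entry.vlan:
            return False
        return True

    def handle(self, info: PacketInfo) -> str:
        """Returns the action the UP device takes for a data packet."""
        # S420: packet from an authenticated user -> normal forwarding (S460)
        if any(self.second_matching_condition(info, e) for e in self.binding_table):
            return "forward"
        # S430: packet from a static or abnormally offline user -> redirect to the CP (S440)
        if any(self.first_matching_condition(info, e) for e in self.user_table):
            return "to_cp"
        # S450: neither table matched, so the packet never reaches the CP device.
        # Dropping here is this example's assumption; the page does not detail S450.
        return "drop"


def sample_filter(match_port: bool = False, match_vlan: bool = False) -> UpFilter:
    # Constructed sample tables, as the CP device would deliver them to the UP device.
    binding = [UserEntry("192.0.2.10", port=1, vlan=100, kind="authenticated")]
    users = [UserEntry("192.0.2.20", port=5, vlan=200, kind="static"),
             UserEntry("192.0.2.30", port=7, kind="abnormal_offline")]
    return UpFilter(binding, users, match_port, match_vlan)
```

The point for the CP's exposure is the last branch: a flood of packets from addresses in neither table is discarded on the UP device, and only traffic that already matches a configured fixed-IP user is ever tunnelled to the CP, where the rate limit of S507 bounds it further.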
- the UP device matches the information in the packet with the static user information when receiving the packet. If the matching is successful, the UP device sends the packet to the CP device. Since the task of checking whether the packets come from static users is offloaded from the CP device to the UP device, the resource overhead caused by the CP device checking such packets is avoided, and the load on the CP device is reduced. In particular, if a malicious IP packet flow initiates a network attack, since the CP device does not need to check whether the malicious IP packet flow comes from a static user, the risk of the CP device being attacked by the malicious IP packet flow is reduced, improving the network security of the CP device.
- the UP device matches the information in the packet with the information of the abnormally offline user when receiving the packet. If the matching is successful, the UP device sends the packet to the CP device. Since the task of checking whether the packets come from abnormally offline users is offloaded from the CP device to the UP device, the resource overhead caused by the CP device checking such packets is avoided, and the load on the CP device is reduced. In particular, if a malicious IP packet flow initiates a network attack, since the CP device does not need to check whether the malicious IP packet flow comes from an abnormally offline user, the risk of the CP device being attacked by the malicious IP packet flow is reduced, improving the network security of the CP device.
- the UP device and the CP device establish a tunnel.
- the starting point of the tunnel is the UP device
- the end point of the tunnel is the CP device.
- the UP device encapsulates the packet into the format corresponding to the tunnel, and sends the encapsulated packet to the CP device, so that the packet is transmitted to the CP device through the tunnel.
- the UP device adds a tunnel header to the packet to obtain the encapsulated packet.
- the encapsulated packet includes a tunnel header and a packet received by the UP device from the terminal.
- the tunnel header is in the outer layer, and the packets received by the UP device from the terminal are in the inner layer.
- the source address field in the tunnel header carries the IP address of the UP device, and the destination address field in the tunnel header carries the IP address of the CP device. Since the outer layer of the packet encapsulates the tunnel header with the destination address of the CP device, the packet will be forwarded to the CP device by the intermediate nodes along the route.
- the packet can be redirected from the original destination node to the CP device.
- the UP device adds not only the tunnel header but also the extension header.
- the encapsulated packet includes the tunnel header, the extension header, and the packet received by the UP device from the terminal.
- there are various types of tunnel that the UP device can use to redirect packets to the CP device. For example, the UP device redirects packets to the CP device through a GTP-U tunnel or a Vxlan tunnel.
- mode I is used to illustrate how to send packets through the GTP-U tunnel
- mode II is used to illustrate how to send packets through the Vxlan tunnel.
- the UP device adds a GTP-U header to the packet, and sends the packet with the GTP-U header added.
- the GTP-U header is an example of the tunnel header when the tunnel type is a GTP-U tunnel.
- the UP device not only adds a GTP-U header, but also adds a network service header (NSH), and sends a packet with the GTP-U header and NSH added.
- Mode I is implemented by using redirection parameters pre-delivered by the CP device.
- the redirection parameter delivered by the CP device to the UP device includes GTP-U tunnel information, and the UP device generates a GTP-U header according to the GTP-U tunnel information, and adds the GTP-U header to the packet.
- the GTP-U tunnel information used by the UP device is not issued by the CP device, but pre-configured on the UP device in advance. This embodiment does not limit how the UP device obtains the GTP-U tunnel information.
- the UP device adds a Vxlan header to the packet, and sends the packet with the Vxlan header added.
- the Vxlan header is an example of the tunnel header when the tunnel type is a Vxlan tunnel.
- the UP device not only adds the Vxlan header, but also adds the CU extension header, and sends the message to which the Vxlan header and the CU extension header are added.
- the Vxlan header includes, but is not limited to, a standard Vxlan header, an overlay (Overlay) header extended based on the Vxlan protocol, and the like.
- the Vxlan header refers to a Vxlan Generic Protocol Encapsulation (Vxlan-GPE) header, a Generic Network Virtualization Encapsulation (GENEVE) header, and the like.
- Vxlan-GPE Vxlan Generic Protocol Encapsulation
- GENEVE Generic Network Virtualization Encapsulation
- the CP device adds the Vxlan header and the CU extension header to the packet, and the header overhead is relatively small, thus saving the network resources occupied by the packet transmission and the performance overhead of the device.
- Mode 1 is implemented by using redirection parameters pre-delivered by the CP device.
- the redirection parameter delivered by the CP device to the UP device includes Vxlan tunnel information, and the UP device generates a Vxlan header according to the Vxlan tunnel information, and adds the Vxlan header to the packet.
- the Vxlan tunnel information used by the UP device is not issued by the CP device, but pre-configured on the UP device. This embodiment does not limit how the UP device obtains the Vxlan tunnel information.
- the UP device performs rate limit control when redirecting packets to the CP device.
- the rate threshold for sending packets is preset on the UP device, and it is monitored whether the rate of sending packets is greater than the threshold. The rate of sending packets is controlled to be less than or equal to the rate threshold.
- the CP device receives the packet from the UP device.
- the CP device performs access processing according to the message.
- the CP device generates an authentication request, and the authentication request includes user information, for example, user name and password, and may also include first information or second information.
- the CP device sends an authentication request to the authentication server.
- the authentication server receives the authentication request, and authenticates the user information carried in the authentication request; the authentication server generates an authentication response according to the authentication result, and sends the authentication response to the CP device.
- the CP device receives an authentication response from the authentication server.
- the authentication response sent by the authentication server indicates that the authentication is passed.
- the CP device allows the user to access the network according to the authentication response, and executes the following S510, thereby instructing the UP device to forward packets for the user.
- the CP device will save the second information as the information of the second type of user. For example, the CP device saves the second information in the authentication binding table.
- the authentication response sent by the authentication server indicates that the authentication has not passed.
- the CP device will deny the user access to the network according to the authentication response.
- the CP device sends the second policy to the UP device.
- the second policy is used to indicate that the packet is forwarded under the condition that the first information included in the packet and the information of the first type of user satisfy the first matching condition.
- the second policy is used to indicate that the packet is forwarded under the condition that the second information included in the packet and the information of the second type of user satisfy the second matching condition.
- the matching rules in the second policy include information of users of the first type or information of users of the second type.
- the UP device receives the second policy from the CP device, and saves the second policy.
- the UP device receives the packet.
- the UP device forwards the packet according to the second policy.
- the CP device detects that the terminal of the first type of user is in an offline state.
- when the CP device detects an interface failure or board failure of the UP device, the CP device performs offline processing on the terminal connected through the interface or the board.
- the CP device sends the third policy to the UP device.
- the third policy is used to instruct to redirect the packet to the CP device under the condition that the first information included in the packet and the information of the first type of user satisfy the first matching condition.
- the third policy is used to instruct to redirect the packet to the CP device under the condition that the second information included in the packet and the information of the second type of user satisfy the second matching condition.
- the matching rule in the third policy includes the information of the first type of user or the information of the second type of user.
- the action identifier in the third policy is used to identify the redirected action.
- the UP device receives the third policy from the CP device, and saves the third policy.
- the UP device receives the packet.
- the UP device sends a packet to the CP device according to the third policy.
- the CP device detects that the configuration information of the first type of user is deleted or the lease of the first type of user expires.
- the CP device sends a deletion request to the UP device, where the deletion request is used to indicate deletion of the information of the first type of user.
- the deletion request sent by the CP device includes various scenarios.
- the CP device detects that the configuration information of the first type of user is deleted. Triggered by the deletion of the configuration information, the CP device generates a deletion request, and sends the deletion request to the UP device, where the deletion request is used to instruct to clear the information of the user whose configuration information was deleted. For example, the controller or the network administrator deletes the configuration information of the static user on the CP device, and the CP device generates a deletion request for the static user.
- the CP device starts a timer to determine whether the recorded duration exceeds the lease period of the first type of user. If the CP device detects that the lease period of the first type of user has expired, then, triggered by the lease timeout, the CP device generates a deletion request and sends the deletion request to the UP device, where the deletion request is used to instruct to clear the information of the user whose lease has expired.
- lease timeout is also called aging.
- the UP device receives a deletion request from the CP device
- the UP device deletes the information of the first type of user in response to the deletion request.
- the UP device deletes the static user table, thereby completing the action of clearing the static user.
- the UP device deletes the abnormal user table, thereby completing the action of clearing the abnormal IPoE offline users.
- the CPF instructs the UPF to clear the user information with a fixed IP address, thereby releasing the storage space occupied by the user information on the UPF in time when the user information is invalid.
- This embodiment provides a method for preventing a CP device from being attacked in a scenario where the BNG separated by the CU performs access authentication.
- the UP device receives a packet
- the information in the packet is compared with the information of the user with a fixed IP address.
- the information is matched, and if the matching is successful, the UP device sends the packet to the CP device. Since the task of checking whether a packet comes from a user with a fixed IP address is downgraded from the CP device to the UP device, the resource overhead caused by the CP device checking such packets is avoided, and the load on the CP device is reduced.
- the CP device does not need to perform the task of checking whether the malicious IP packet flow comes from a user with a fixed IP address, thus reducing the risk of the CP device being attacked by the malicious IP packet flow and improving the network security of the CP device.
- the method 600 and the method 700 are exemplified below for implementing the method 500 by using PFCP.
- the method flow described in the method 600 and the method 700 is about how to prepend the security policy on the UP device based on PFCP and execute it.
- the steps of the method 600 and the method 700 are similar to the method 500, please refer to the method 500, and the details in the method 600 and the method 700 will not be repeated.
- for the implementation details of PFCP in the method 600 and the method 700, refer to the above introduction to PFCP.
- PFCP Packet Forwarding Control Protocol
- PDA policy-based policy
- PA the action identified in the policy
- the messages in the PFCP protocol are multiplexed to transmit the information of the interaction between the CP device and the UP device.
- the multiplexed message is, for example, a node message or a session message (Session message) in PFCP.
- the static user table or the IPoE abnormal offline user table is delivered to the UPF by multiplexing the session messages shown in Table 11 below.
- FIG. 26 is a flowchart of a packet processing method 600 provided by an embodiment of the present application.
- the method shown in FIG. 26 is about how to multiplex the session messages in the PFCP to deliver the static user list or the IPoE abnormal offline user list to the UPF.
- each PFCP session corresponds to a static user or an IPoE abnormally offline user.
- the method 600 includes S600 to S690.
- Method 600 involves four stages.
- the first stage is the process before the authentication is passed, and the first stage includes S610 to S630.
- the second stage is the process of passing the certification.
- Stage two includes S640 to S650.
- the third stage is the offline process of the terminal.
- Stage three includes S660 to S670.
- Stage 4 is the process of deleting static user configuration or abnormal IPoE user aging (not going online within the lease period).
- Stage four includes S680 to S690.
- the signaling involved in the method 600 is transmitted by extending the state control interface and the control packet redirection interface in the PFCP. Specifically, in the method 600, various packets exchanged between the CPF and the UPF are transmitted through the state control interface and the control packet redirection interface.
- the PFCP session establishment request is sent from the CPF to the UPF through the state control interface
- the PFCP session establishment response is sent from the UPF to the CPF through the state control interface
- the packet is sent from the UPF to the CPF through the control packet redirection interface
- the PFCP session editing request in S640 is sent from the CPF to the UPF through the state control interface
- the PFCP session editing response in S650 is sent from the UPF to the CPF through the state control interface
- the PFCP session editing request in S660 is sent from the CPF to the UPF through the state control interface, and the PFCP session editing response in S670 is sent from the UPF to the CPF through the state control interface
- the PFCP session deletion request in S680 is sent from the CPF to the UPF through the state control interface, and the PFCP session deletion response in S690 is sent from the UPF to the CPF through the state control interface.
- the CPF sends a PFCP session establishment request to the UPF.
- the CPF will generate a PFCP session establishment request, and send the PFCP session establishment request to the UPF, thereby informing the UPF to create a session message, so that the UPF redirects the message to the CPF after matching the IP flow of the session message.
- the PFCP session establishment request carries the PDR, and the PDR is the first policy involved in the above method 500 .
- the PDR in the PFCP session establishment request includes PDI and PA.
- PDI includes static user table and abnormal user table.
- CPF multiplexes the PFCP session message such as PFCP session establishment request, and multiplexes the mechanism of PFCP delivering PDR through PFCP session, so as to deliver the information of users with fixed IP addresses and redirection actions to UPF, so that the solution for implementing the security policy on the UPF is more smoothly integrated with the PFCP architecture, which facilitates the implementation of the communication mechanism in PFCP, thereby reducing the complexity of solution implementation and configuration.
- the UPF receives the PFCP session establishment request, generates a PFCP session establishment response, and sends the PFCP session establishment response to the CPF.
- the UPF creates at least one PFCP session. Specifically, the UPF holds a session table. After receiving the information of the first type of users from the CPF, the UPF saves the information of each user in the information of the first type of users into the PFCP session corresponding to the user. For example, the UPF saves the information of each static user in the static user table into the PFCP session corresponding to the static user in the session table. For example, UPF saves the information of each abnormal offline user in the abnormal offline user table to the PFCP session corresponding to the abnormal offline user in the session table.
- the UP device receives the message, and matches the first information included in the message with the information of the first type of user according to the PDR. If the first information and the information of the first type of user in the PDI satisfy the first matching condition, the UP device executes the PA corresponding to the PDI on the packet, and sends the packet to the CP device included in the BNG.
- in the forwarding phase, when the UPF receives a message, the UPF extracts parameters from the message, and uses the parameters of the message to match the static user table and abnormal user table saved in the session message table. When the match is successful, the UPF redirects the packet to the CPF through the GTP-U or Vxlan tunnel.
- the parameters of the message used by the UPF include an IPv4 address or an IPv6 address, and optionally a VLAN tag or an interface index corresponding to the access interface. PA is used to indicate redirection to the CP device.
- CPF uses the information of the first type of users as the matching field in the PDI, and uses the redirection action as the PA executed when the PDI is hit.
- the smoother integration facilitates the implementation of the communication mechanism in PFCP, thereby reducing the complexity of implementation and configuration.
- the CPF completes the authentication of the terminal, and the CPF sends a PFCP session editing request to the UPF.
- after the CPF receives the packet, it performs access processing on the packet. For example, the CPF sends an authentication request to the AAA server, and the AAA server receives the authentication request, performs authentication, and returns an authentication permit (Accept) message to the CPF. After the CPF receives the authentication Accept and determines that the authentication is passed, the CPF generates a PFCP session edit request and sends the PFCP session edit request to the UPF.
- the PFCP session editing request carries a PDR, and the PDR is the second policy involved in the above method 500 . Specifically, the PDR in the PFCP session edit request includes PDI and PA.
- the PDI carried in the PFCP session edit request includes a static user table and an abnormal user table.
- UPF extracts parameters from packets, and uses the parameters of packets to match the static user table and abnormal user table in PDI.
- the parameters of the packets used by UPF include the IPv4 address, IPv6 address, VLAN tag, and the interface index corresponding to the access interface. PA is used to instruct forwarding packets.
- the CPF sends the PFCP session edit request to the UPF, thereby delivering the static user table and the abnormal user table to the UPF.
- the CPF edits the session through the PFCP session edit request, instructs the UPF to match the IP flow of the session and forwards the session.
- the UPF receives the PFCP session editing request, generates a PFCP session editing response, and sends the PFCP session editing response to the CPF. Additionally, UPF updates the sessions in the session table.
- when detecting the interface failure or the single board failure of the UPF, the CPF performs offline processing on the terminal. The CPF generates a PFCP session edit request and sends the PFCP session edit request to the UPF.
- the PFCP session editing request carries a PDR, and the PDR is the third policy involved in the above method 500 .
- a PFCP session edit request includes a static user table and an exception user table.
- the UPF receives the PFCP session editing request, generates a PFCP session editing response, and sends the PFCP session editing response to the CPF.
- the CPF edits the session through the PFCP session edit message, and instructs the UPF to forward the packet to the CPF after matching the IP flow of the session.
- the CPF detects that the static user configuration is deleted or the IPoE abnormal user aging (not going online within the lease period), the CPF generates a PFCP session deletion request, and sends a PFCP session deletion request to the UPF.
- the UPF receives the PFCP session deletion request, generates a PFCP session deletion response, and sends the PFCP session deletion response to the CPF. And, UPF updates the session.
- the PFCP session deletion request is an example of the deletion request in the above method 500 .
- CPF multiplexes the PFCP session message such as PFCP session deletion request, and reuses the mechanism of PFCP session deletion in PFCP to clear the information of users with fixed IP addresses on the UPF, so that the implementation of the security policy on the UPF is more smoothly integrated with the PFCP architecture, which facilitates the implementation of the communication mechanism in PFCP, thereby reducing the complexity of implementation and configuration.
- the CPF edits the session through the PFCP session deletion request message, instructs the UPF to forward and redirect the packet to the CPF after matching the IP flow of the session.
- Table 19 is an example of the IE carried in the PFCP session edit request.
- Modify PDR IE is the same as Create PDR IE.
- Modify FAR IE is the same as Create FAR IE.
- the PFCP session deletion request does not carry a special IE, and multiplexes the session ID in the message header to instruct the UPF to delete the corresponding session.
- the interface index is carried by extending the new type of IE.
- an IE carrying an interface index is called an interface index (interface index, If-index) IE.
- the IE type of the interface index IE is an extended new IE type. Taking the IE type of the interface index IE as the first IE type as an example, the CPF carries the interface index in the IE with the first IE type, and the CPF sends the IE with the first IE type to the UPF, thereby delivering the interface index.
- the IE with the first IE type is an Embedded IE.
- the Interface Index IE may be transmitted through a PFCP message.
- the CPF carries the IE with the first IE type in the first PFCP message, and the first PFCP message sent by the CPF includes the IE with the first IE type.
- the first PFCP message is a PFCP session establishment request; or the first PFCP message is a PFCP static session establishment request.
- the first IE type is used to identify that the IE includes an interface index. In some embodiments, the value of the first IE type is greater than 32768.
- PFCP stipulates that the value of the IE type from 32768 to 65535 is used as the manufacturer extension part, and a value from 32768 to 65535 can be selected as the value of the first IE type.
- the interface index IE is shown in Table 20 below.
- the NN decimal in the 1st to 2nd bytes in Table 20 is a value greater than 32768.
- 2100 in the 5th to 6th bytes in Table 20 is an example of the manufacturer number in decimal format.
- the interface index (interface index) in the 7th to 10th bytes in Table 20 will be encoded as a 32-bit unsigned integer (Unsigned32 binary integer value).
- the format of the IE in the PFCP message is reused to deliver the interface index to the UPF, so that the security policy implementation scheme on the UPF and the PFCP architecture are more smoothly integrated, reducing the implementation complexity and configuration complexity of the scheme.
- redirection parameters are carried by extending a new type of IE.
- an IE carrying redirection parameters is called a redirection parameter IE (Redirect Parameters IE).
- the IE type of the redirection parameter IE is an extended new IE type. Taking the IE type of the redirection parameter IE as the second IE type as an example, the CPF carries the redirection parameter in the IE with the second IE type, and the CPF sends the IE with the second IE type to the UPF, thereby delivering the redirection parameter.
- the IE with the second IE type is a grouped IE.
- a new type of IE is extended to carry redirection parameters, thereby multiplexing the format of the IE in the PFCP message to deliver redirection parameters to the UPF, reducing the complexity of solution implementation and configuration.
- the Redirection Parameters IE may be transported through a PFCP message.
- the CPF carries the IE with the second IE type in the first PFCP message, and the first PFCP message sent by the CPF includes the IE with the second IE type.
- the first PFCP message carrying the redirection parameter IE is, for example, a PFCP session establishment request; for another example, the first PFCP message carrying the redirection parameter IE is a PFCP static session establishment request.
- the second IE type is used to identify that the IE includes redirection parameters. In some embodiments, the value of the second IE type is greater than 32768.
- the redirect parameter IE includes at least one IE. Different IEs included in the redirection parameter IE have different IE types. Each IE included in the redirection parameter IE is used to carry information of a tunnel type. For example, one IE included in the redirection parameter IE is used to carry the Vxlan tunnel information, and another IE included in the redirection parameter IE is used to carry the GTP-U tunnel information. Exemplarily, the redirection parameter IE is shown in Table 21. Among them, the NN decimal in the 1st to 2nd bytes in Table 21 is a value greater than 32768. 2100 in the 5th to 6th bytes in Table 21 is an example of the manufacturer number in decimal format.
- Vxlan tunnel information is carried by extending a new type of IE.
- an IE carrying Vxlan tunnel information is called a Vxlan Information IE (Vxlan Info IE).
- the IE type of the Vxlan Information IE is an extended new IE type. Taking the IE type of the Vxlan information IE as the third IE type as an example, the CPF carries the Vxlan tunnel information in the IE with the third IE type, and the CPF sends the IE with the third IE type to the UPF, thereby delivering the Vxlan tunnel information.
- the IE with the third IE type is an Embedded IE.
- the third IE type is used to identify that the IE includes Vxlan tunnel information.
- the Vxlan Information IE is shown in Table 22 below.
- when the value of BitV4 in the 5th byte of the Vxlan information IE is 1, it indicates that the Vxlan tunnel is over IPv4, and the mth to (m+3)th bytes carry the IPv4 address of the CPF-terminated Vxlan tunnel.
- when the value of BitV6 in the 5th byte of the Vxlan information IE is 1, it indicates that the Vxlan tunnel is over IPv6, and the pth to (p+15)th bytes carry the IPv6 address of the CPF-terminated Vxlan tunnel.
- the 5th to 8th bits in the 5th byte of the Vxlan information IE are the alignment fields, which are set to 0. Only one of the two bits BitV4 and BitV6 is set to 1.
- a new type of IE is extended to carry the Vxlan tunnel information, thereby multiplexing the format of the IE in the PFCP message to deliver the Vxlan tunnel information to the UPF, reducing the complexity of solution implementation and configuration.
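As an added example (not code from the patent), the following Python encodes and validates the three vendor-extended IEs described above: the Interface Index IE (Table 20), the grouped Redirect Parameters IE (Table 21) and the embedded Vxlan Info IE (Table 22). Assumptions: the concrete IE type values are placeholders, bytes 3-4 are the standard PFCP Length field, and the Vxlan Info IE carries no Enterprise ID and places the address directly after its flags byte, since the page puts the flags in its 5th byte.

```python
import ipaddress
import struct

# Placeholder type values (assumption): the page only says the first and second
# IE types are manufacturer-extension values in 32768..65535; these are made up.
IE_TYPE_INTERFACE_INDEX = 0x8010  # "first IE type", Table 20
IE_TYPE_REDIRECT_PARAMS = 0x8011  # "second IE type", grouped IE, Table 21
IE_TYPE_VXLAN_INFO = 0x8012       # "third IE type", embedded IE, Table 22
ENTERPRISE_ID = 2100              # example manufacturer number from the page
# Assumption: only these two IEs carry the Enterprise ID in bytes 5-6; the page
# puts the Vxlan Info IE's flags in its 5th byte, so it is encoded without one.
ENTERPRISE_IES = {IE_TYPE_INTERFACE_INDEX, IE_TYPE_REDIRECT_PARAMS}

BIT_V4 = 0x01      # tunnel over IPv4: a 4-byte CPF address follows the flags
BIT_V6 = 0x02      # tunnel over IPv6: a 16-byte CPF address follows the flags
ALIGN_MASK = 0xF0  # bits 5..8 of the flags byte are alignment and must be 0


def encode_ie(ie_type, value):
    """PFCP TLV: Type(2) Length(2) [Enterprise ID(2)] Value. Length counts
    every byte after the Length field, the Enterprise ID included."""
    body = value
    if ie_type in ENTERPRISE_IES:
        body = struct.pack("!H", ENTERPRISE_ID) + value
    return struct.pack("!HH", ie_type, len(body)) + body


def encode_interface_index(if_index):
    """Table 20: the interface index is an Unsigned32 in bytes 7-10."""
    return encode_ie(IE_TYPE_INTERFACE_INDEX, struct.pack("!I", if_index))


def encode_vxlan_info(tunnel_ip):
    """Table 22: flags byte (BitV4 or BitV6) followed by the address of the
    CPF-terminated tunnel. Assumption: the address starts at byte 6 (m = 6)."""
    ip = ipaddress.ip_address(tunnel_ip)
    flags = BIT_V4 if ip.version == 4 else BIT_V6
    return encode_ie(IE_TYPE_VXLAN_INFO, bytes([flags]) + ip.packed)


def encode_redirect_params(tunnel_ips):
    """Table 21: a grouped IE whose value is the concatenated per-tunnel IEs."""
    inner = b"".join(encode_vxlan_info(ip) for ip in tunnel_ips)
    return encode_ie(IE_TYPE_REDIRECT_PARAMS, inner)


def parse_ies(buf):
    """Split a buffer into (type, value) pairs. Every Length field is checked
    against the bytes actually present, so a truncated or overlong IE from the
    peer raises instead of being read past the end."""
    ies, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated IE header")
        ie_type, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if length > len(buf) - off:
            raise ValueError("IE length exceeds remaining buffer")
        value = buf[off:off + length]
        off += length
        if ie_type in ENTERPRISE_IES:
            if length < 2:
                raise ValueError("vendor IE without Enterprise ID")
            (eid,) = struct.unpack_from("!H", value)
            if eid != ENTERPRISE_ID:
                raise ValueError("unexpected Enterprise ID %d" % eid)
            value = value[2:]
        ies.append((ie_type, value))
    return ies


def decode_interface_index(value):
    if len(value) != 4:
        raise ValueError("interface index must be an Unsigned32")
    return struct.unpack("!I", value)[0]


def decode_vxlan_info(value):
    """Enforce the flag rules the page states: alignment bits zero, exactly one
    of BitV4/BitV6 set, and an address of the length that bit announces."""
    if not value:
        raise ValueError("empty Vxlan Info IE")
    flags, addr = value[0], value[1:]
    if flags & ALIGN_MASK:
        raise ValueError("alignment bits 5..8 must be 0")
    v4, v6 = bool(flags & BIT_V4), bool(flags & BIT_V6)
    if v4 == v6:
        raise ValueError("exactly one of BitV4/BitV6 must be set")
    if len(addr) != (4 if v4 else 16):
        raise ValueError("address length does not match BitV4/BitV6")
    return ipaddress.ip_address(addr)


def decode_redirect_params(ie_bytes):
    """Return the tunnel endpoint addresses carried in a Redirect Parameters IE."""
    outer = parse_ies(ie_bytes)
    if len(outer) != 1 or outer[0][0] != IE_TYPE_REDIRECT_PARAMS:
        raise ValueError("expected a single Redirect Parameters IE")
    return [decode_vxlan_info(v) for t, v in parse_ies(outer[0][1])
            if t == IE_TYPE_VXLAN_INFO]
```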
- This embodiment provides a method for avoiding attacks on a CP device based on PFCP in the scenario where the BNG is separated from the CU for access authentication.
- the session message in PFCP is multiplexed to deliver the information of static users and abnormal offline users, and the session processing model and the PDR mechanism are reused to implement the redirection strategy, so as to follow the various communication mechanisms provided by PFCP to implement the security strategy on the UPF.
- the solution for implementing the security policy is more smoothly integrated with the PFCP architecture, and the complexity of solution implementation and configuration is reduced.
- the CPF needs to check whether it is a static user or a user who goes offline abnormally when delivering a session to the UPF. If it is a static user or a user who goes offline abnormally through IPoE, the message code is PFCP session edit. If it is not a static user or a user who goes offline abnormally through IPoE, the message code is PFCP session establishment. On the other hand, when the offline process is performed, the CPF also needs to distinguish the message code when delivering the session to the UPF.
- a new message is extended using the PFCP protocol to convey the information of the interaction between the CPF and the UPF.
- Extended messages are, for example, node messages or session messages in PFCP.
- for example, see Table 23 below: in the type value range of session-level messages reserved in PFCP (such as 58-99), a new message type value is applied for, and the CPF uses the PFCP message of the new message type to deliver the static user table or the IPoE abnormal offline user table to the UPF.
- FIG. 27 is a flowchart of a packet processing method 700 provided by an embodiment of the present application.
- the method shown in FIG. 27 is about how to extend the new session message of the PFCP to deliver the static user list or the IPoE abnormal offline user list to the UPF.
- each PFCP static session (PFCP Static-Session) corresponds to a configured static user.
- Each PFCP session corresponds to a static user after going online.
- the two sessions of the PFCP static session and the PFCP session are identified by the same session ID. For example, the session ID of both the PFCP static session and the PFCP session is 1.
- the priority (Precedence) value carried in the PFCP static session establishment request is smaller than the priority value carried in the PFCP session establishment. In this way, when matching the same flow, the UPF will preferentially execute the action indicated by the PFCP session establishment according to the priority value.
- the method 700 includes S700 to S790.
- Method 700 involves four stages. Stage 1 is the process before the authentication is passed, and stage 1 includes S710 to S730. The second stage is the process of passing the certification. Stage two includes S740 to S750. The third stage is the offline process of the terminal. Stage three includes S760 to S770. Stage 4 is the process of deleting static user configuration or abnormal IPoE user aging (not going online within the lease period). Stage four includes S780 to S790.
- the method 700 focuses on the difference from the method 600.
- for the steps of the method 700 that are similar to the method 600, refer to the method 600; details are not described in the method 700.
- the signaling involved in the method 500 is transmitted by extending the state control interface and the control packet redirection interface in the PFCP.
- various packets that the CPF and UPF interact with are transmitted through the state control interface and the control packet redirection interface.
- the PFCP static session establishment request in S710 is sent from the CPF to the UPF through the state control interface, and the PFCP static session establishment response in S720 is sent from the UPF to the CPF through the state control interface;
- the packet is sent from UPF to CPF through the control packet redirection interface;
- the PFCP session establishment request in S740 is sent from CPF to UPF through the state control interface, and the PFCP session establishment response in S750 is sent from UPF to CPF through the state control interface;
- the PFCP session deletion request is sent from the CPF to the UPF through the state control interface, and the PFCP session deletion response in S770 is sent from the UPF to the CPF through the state control interface;
- the PFCP static session deletion request is sent from the CPF to the UPF through the state control interface, and the PFCP static session deletion response in S790 is sent from the UPF to the CPF through the state control interface.
- the CPF sends a PFCP static session establishment request to the UPF.
- the CPF generates a PFCP static session establishment request, and sends a PFCP static session establishment request to the UPF, thereby informing the UPF to create a session, so that the UPF redirects packets to the CPF after matching the IP flow of the session.
- the PFCP static session establishment request is a PFCP session message.
- the message type of the PFCP static session establishment request is used to indicate the creation of a PFCP session for the first type of user.
- the type value of the message type of the PFCP static session establishment request is 58
- 58 is the session-level message type value reserved in PFCP
- the 58 identifier can be used to create a PFCP session for a static user.
- the PFCP static session establishment request carries the PDR
- the PDR is the first policy involved in the above method 500 .
- the PDR in the PFCP static session establishment request includes PDI and PA.
- the PDI includes the information of the first type of user, so that the UPF uses the information of the first type of user as a parameter for identifying the packet flow, and executes the first policy according to the information of the first type of user.
- PDI includes IPv4 addresses or IPv6 addresses.
- the PDI further includes a VLAN tag or an interface index corresponding to the access interface. PA is used to indicate redirection to CPF.
- the CPF uses the PFCP message of the new message type to deliver the information of the user with the fixed IP address and the redirection action to the UPF, so that after the authentication is passed, the CPF can uniformly use the PFCP session establishment request to deliver sessions for users with fixed IP addresses and other users, thus reducing the complexity of the CPF for normal terminal access processing.
- the CPF carries the session ID of the session of the first type of user and the priority of the first type of user in the PFCP static session establishment request, and sends it to the UPF.
- the PFCP static session establishment request includes the session ID and priority of the session of the first type of user.
- the UPF receives the PFCP static session establishment request, generates a PFCP static session establishment response, and sends the PFCP static session establishment response to the CPF.
- the UPF creates at least one PFCP session.
- the UP device receives the packet and matches the first information included in the packet with the information of the first type of user according to the PDI. If the first information and the information of the first type of user in the PDI satisfy the first matching condition, the UP device executes the PA corresponding to the PDI on the packet and sends the packet to the CP device included in the BNG.
- the CPF completes the authentication of the terminal, the CPF generates a PFCP session establishment request, and sends the PFCP session establishment request to the UPF.
- the PFCP session establishment request carries the PDR, and the PDR is the second policy involved in the above method 500 .
- the PDR in the PFCP session establishment request includes PDI and PA.
- PDI includes static user table and abnormal user table.
- UPF extracts parameters from packets, and uses the parameters of packets to match the static user table and abnormal user table in PDI.
- the parameters of the packets used by UPF include the IPv4 address, IPv6 address, VLAN tag, and the interface index corresponding to the access interface.
- PA is used to instruct that the packet be forwarded.
- the CPF sends the PFCP session establishment request to the UPF, thereby delivering the static user table and the abnormal user table to the UPF.
- the CPF carries the session ID of the session of the first type of user and the priority of the first type of user in the PFCP session establishment request, and sends it to the UPF.
- the PFCP session establishment request includes the session ID and priority of the session of the first type of user.
- the priority in the PFCP session establishment request is higher than that in the PFCP static session establishment request.
- the session ID in the PFCP session establishment request is the same as the session ID in the PFCP static session establishment request.
- the UPF receives the PFCP session establishment request, generates a PFCP session establishment response, and sends the PFCP session establishment response to the CPF. In addition, the UPF adds the session to its session table.
- when the CPF detects an interface failure or a single-board failure on the UPF, the CPF performs offline processing for the terminal: the CPF generates a PFCP session deletion request and sends the PFCP session deletion request to the UPF.
- the UPF receives the PFCP session deletion request, generates a PFCP session deletion response, and sends the PFCP session deletion response to the CPF.
- the PFCP session deletion request includes a session ID, thereby instructing the UPF to delete the PFCP session corresponding to the session ID.
- the CPF detects that the static user configuration has been deleted, or that an IPoE abnormally offline user has aged out (has not come back online within the lease period).
- the CPF generates a PFCP static session deletion request, and sends the PFCP static session deletion request to the UPF.
- the PFCP static session deletion request is a PFCP session message.
- the message type of the PFCP static session deletion request is used to indicate the deletion of the PFCP session of the first type of user.
- the type value of the message type of the PFCP static session deletion request is 60
- 60 is a session-level message type value that is reserved (not assigned) in PFCP
- message type 60 can therefore be used to identify that the PFCP session of a static user is to be deleted.
- the UPF receives the PFCP static session deletion request, generates a PFCP static session deletion response, and sends the PFCP static session deletion response to the CPF. In addition, the UPF deletes the static session.
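The UPF-side matching described in the steps above (a static session PDR that redirects to the CP, a post-authentication PDR on the same session ID with higher priority that forwards, and deletion of the session by its session ID), as an added example written for this page rather than code from the patent or from any BNG implementation. It models the PDI match on the IP address plus optional VLAN tag and interface index, picks between several matching PDRs by PFCP precedence (the page's "higher priority" corresponds to the lower value of the PFCP Precedence IE, where the lowest value wins), discards packets that match no PDR, and shows why a packet carrying a static user's IP address from the wrong access interface is dropped rather than redirected to the CP. The class and field names are assumptions, the sample traffic is constructed, and merging the post-authentication PDR into the existing session with the same session ID is this example's reading of "the UPF adds the session to its session table".

```python
"""UPF-side packet detection for the static/abnormal-user redirection policy
on this page (example code written for this page, not the patent's code).
Models PDR selection by PFCP precedence; IE encoding is not modelled."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

REDIRECT_TO_CP = "REDIRECT_TO_CP"   # PA of the first policy (static session)
FORWARD = "FORWARD"                 # PA of the second policy (after authentication)
DISCARD = "DISCARD"                 # no PDR matched


@dataclass(frozen=True)
class PDI:
    """Packet detection information: the user's fixed IP, optionally pinned
    to a VLAN tag and/or the access interface index the terminal attaches to."""
    ip: str
    vlan: Optional[int] = None
    ifindex: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if ip_address(pkt["src_ip"]) != ip_address(self.ip):
            return False
        if self.vlan is not None and pkt.get("vlan") != self.vlan:
            return False
        if self.ifindex is not None and pkt.get("ifindex") != self.ifindex:
            return False
        return True


@dataclass(frozen=True)
class PDR:
    pdr_id: int
    precedence: int     # PFCP Precedence IE semantics: lower value wins
    pdi: PDI
    action: str         # packet action (PA)


class UPF:
    """Session table keyed by SEID; each session holds the PDRs delivered for it."""

    def __init__(self) -> None:
        self.sessions: dict[int, list[PDR]] = {}

    def establish(self, seid: int, pdrs: list[PDR]) -> None:
        # A session establishment for an already known SEID (the post-auth session
        # of a static user) adds its PDRs to that session: assumption of this example.
        self.sessions.setdefault(seid, []).extend(pdrs)

    def delete(self, seid: int) -> bool:
        """Session deletion request: the SEID in the header selects the session."""
        return self.sessions.pop(seid, None) is not None

    def handle_packet(self, pkt: dict) -> str:
        matched = [p for pdrs in self.sessions.values() for p in pdrs if p.pdi.matches(pkt)]
        if not matched:
            return DISCARD
        best = min(matched, key=lambda p: (p.precedence, p.pdr_id))
        return best.action


def static_user_lifecycle() -> list[str]:
    """Walks the lifecycle on the page for one static user and returns the UPF's
    decision for the user's packets at each stage (constructed sample traffic)."""
    upf = UPF()
    seid = 0x1001                    # session ID shared by both establishment requests
    user_pkt = {"src_ip": "10.0.0.5", "vlan": 100, "ifindex": 3}
    spoofed = {"src_ip": "10.0.0.5", "vlan": 100, "ifindex": 9}   # same IP, wrong access interface
    decisions = []

    # 1. Nothing installed: unauthenticated traffic never reaches the CP.
    decisions.append(upf.handle_packet(user_pkt))

    # 2. PFCP static session establishment request (type 58): PDI = static user
    #    info, PA = redirect to the CP device, low priority (high precedence value).
    upf.establish(seid, [PDR(1, precedence=200, pdi=PDI("10.0.0.5", vlan=100, ifindex=3),
                             action=REDIRECT_TO_CP)])
    decisions.append(upf.handle_packet(user_pkt))
    decisions.append(upf.handle_packet(spoofed))

    # 3. The CP authenticates the terminal and sends a PFCP session establishment
    #    request with the same SEID and a higher priority (lower precedence value);
    #    the forwarding PDR now wins over the redirect PDR for the same flow.
    upf.establish(seid, [PDR(2, precedence=100, pdi=PDI("10.0.0.5", vlan=100, ifindex=3),
                             action=FORWARD)])
    decisions.append(upf.handle_packet(user_pkt))

    # 4. Static configuration removed: the PFCP static session deletion request
    #    (type 60) carries the SEID in its header and removes the session.
    upf.delete(seid)
    decisions.append(upf.handle_packet(user_pkt))
    return decisions


if __name__ == "__main__":
    print(static_user_lifecycle())
```

Because the redirect PDR keeps a high precedence value, it stays installed after authentication without ever overriding the forwarding PDR; if the post-authentication session is later deleted, the redirect rule would again apply only if it is re-delivered, since deletion by SEID removes everything under that session ID.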
- Table 26 illustrates several types of IEs involved in the PFCP static session establishment response.
- the PFCP static session deletion request multiplexes the session ID in the message header to instruct the UPF to delete the corresponding session.
- the IEs carried in the PFCP static session deletion response message are shown in Table 27, for example.
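The PFCP header that carries these message types, as an added example written for this page (not code from the patent or from any PFCP implementation): it encodes and decodes the 3GPP TS 29.244 header for session-level messages, classifies the reserved range 58 to 99 from which the page takes types 58 and 60, and shows the same SEID reused across the static session establishment request (58), the post-authentication session establishment request (50) and the static session deletion request (60), which is the "session ID in the message header" reuse described above. Message bodies are left empty; the IE encoding of Tables 26 and 27 is not modelled, and the constant and function names are assumptions.

```python
"""PFCP message header handling for the extended session message types
described on this page (example code written for this page, not taken from
the patent or from any PFCP implementation). Header layout follows
3GPP TS 29.244 clause 7.2.2; IE bodies are not modelled."""
from __future__ import annotations
import struct
from typing import Optional

PFCP_VERSION = 1

# Session-level message types: 50..57 are defined by TS 29.244 table 7.3-1,
# 58..99 are reserved for future session messages, which is where the page
# takes its two extended types from.
MSG_SESSION_ESTABLISHMENT_REQ = 50
MSG_SESSION_DELETION_REQ = 54
MSG_STATIC_SESSION_ESTABLISHMENT_REQ = 58   # extended: create session for a static/abnormal user
MSG_STATIC_SESSION_DELETION_REQ = 60        # extended: delete it; the SEID is reused in the header
DEFINED_SESSION_TYPES = range(50, 58)
RESERVED_SESSION_TYPES = range(58, 100)

S_FLAG = 0x01   # SEID present (set on every session-level message)


def classify(msg_type: int) -> str:
    """Node-level (1..49), defined session-level, reserved session-level or unknown."""
    if 1 <= msg_type < 50:
        return "node"
    if msg_type in DEFINED_SESSION_TYPES:
        return "session"
    if msg_type in RESERVED_SESSION_TYPES:
        return "session-reserved"
    return "unknown"


def encode_pfcp(msg_type: int, seq: int, seid: Optional[int] = None, payload: bytes = b"") -> bytes:
    """Build a PFCP datagram. seid=None gives the 8-octet node header (S=0);
    an int gives the 16-octet session header (S=1) with the SEID in octets 5..12."""
    if not 0 <= msg_type <= 0xFF:
        raise ValueError("message type must fit in one octet")
    if not 0 <= seq < (1 << 24):
        raise ValueError("sequence number is 24 bits")
    if classify(msg_type) != "node" and seid is None:
        raise ValueError("session-level messages must carry a SEID")
    flags = PFCP_VERSION << 5
    if seid is None:
        body = seq.to_bytes(3, "big") + b"\x00"                         # seq + spare
    else:
        flags |= S_FLAG
        body = struct.pack(">Q", seid) + seq.to_bytes(3, "big") + b"\x00"
    body += payload
    # The length field counts everything after the first 4 octets.
    return struct.pack(">BBH", flags, msg_type, len(body)) + body


def decode_pfcp(data: bytes) -> tuple[dict, bytes]:
    """Parse the header, validating version, length and the S flag; returns (header, payload)."""
    if len(data) < 8:
        raise ValueError("truncated PFCP header")
    flags, msg_type, length = struct.unpack(">BBH", data[:4])
    if flags >> 5 != PFCP_VERSION:
        raise ValueError(f"unsupported PFCP version {flags >> 5}")
    if length != len(data) - 4:
        raise ValueError("length field does not match datagram size")
    kind = classify(msg_type)
    if flags & S_FLAG:
        if len(data) < 16:
            raise ValueError("truncated session header")
        seid = struct.unpack(">Q", data[4:12])[0]
        seq = int.from_bytes(data[12:15], "big")
        hdr_len = 16
    else:
        if kind != "node":
            raise ValueError(f"message type {msg_type} is session-level but the S flag is clear")
        seid, seq, hdr_len = None, int.from_bytes(data[4:7], "big"), 8
    return {"type": msg_type, "kind": kind, "seid": seid, "seq": seq}, data[hdr_len:]


def static_user_lifecycle(seid: int) -> list[dict]:
    """The three CP->UP requests of the lifecycle on this page, all sharing one SEID:
    static session establishment (58), session establishment after authentication (50),
    static session deletion (60). Returns the decoded headers."""
    wire = [
        encode_pfcp(MSG_STATIC_SESSION_ESTABLISHMENT_REQ, seq=1, seid=seid),
        encode_pfcp(MSG_SESSION_ESTABLISHMENT_REQ, seq=2, seid=seid),
        encode_pfcp(MSG_STATIC_SESSION_DELETION_REQ, seq=3, seid=seid),
    ]
    return [decode_pfcp(d)[0] for d in wire]


if __name__ == "__main__":
    for hdr in static_user_lifecycle(0x1122334455667788):
        print(hdr)
```

A UP implementation that accepts the extended types should still reject a type 58 or 60 datagram whose S flag is clear or whose length field disagrees with the datagram, exactly as it would for the standard session messages; the decoder above does both checks before the type is acted on.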
- the extended grouped IE and Embedded IE in the method 700 are the same as the method 600, please refer to the above-mentioned method 600.
- This embodiment provides a PFCP-based method for avoiding attacks on the CP device in the scenario where access authentication is performed by a BNG with separated CU. On the basis of reducing the load on the CPF and the risk of the CPF being attacked, new session message types are added as a PFCP extension to deliver the information of static users and abnormally offline users, and the session processing model and the PDR mechanism are reused to implement the redirection policy. This not only lets the security policy implemented on the UPF integrate more smoothly with the PFCP architecture, it also avoids the complication that the CPF would otherwise have to distinguish users with fixed IP addresses from other users when it delivers a session to the UPF after authentication passes and when it performs offline processing, so the normal service processing flow of the CPF is simplified.
- the PFCP session establishment request or the PFCP static session establishment request involved in the method 600 and the method 700 is an example of the PFCP message used when the CPF issues the first policy.
- the CPF carries the first policy in other PFCP messages other than the PFCP session establishment request or the PFCP static session establishment request, and delivers the first policy by sending other PFCP messages to the UPF.
- the type of the PFCP message used when delivering the first policy is not limited.
- the PFCP session deletion request or the PFCP static session deletion request involved in the method 600 and the method 700 is an example of the PFCP message used when the CPF instructs the UPF to delete the information of the user with the fixed IP address.
- the CPF can also carry the deletion instruction in PFCP messages other than the PFCP session deletion request or the PFCP static session deletion request, and send those PFCP messages to the UPF to instruct the UPF to delete the information of the user with the fixed IP address.
- This embodiment does not limit the type of the PFCP message used when deleting the information of the user with the fixed IP address.
- the method 600 and the method 700 describe using PFCP to implement the method 500 is an optional way.
- the method 500 is implemented using a communication protocol between C/Us other than PFCP.
- the communication protocol between C/U may be called the Control User Plane Separation (CUPS) interface protocol or the SCi protocol.
- the method 400 , the method 500 , the method 600 , and the method 700 in the embodiments of the present application are described above, and the UP device and the CP device in the embodiments of the present application are described below.
- the UP device and the CP device described below have any of the functions of the UPF or CPF in the above-mentioned methods 400 , 500 , 600 , and 700 , respectively.
- the UP device described below corresponds to the UPF
- the CP device described below corresponds to the CPF.
- FIG. 28 is a schematic structural diagram of a UP device 800 provided by an embodiment of the present application.
- the UP device 800 is located in a communication system in which the UP and the CP are separated.
- the UP device 800 includes: a receiving module 801, configured to receive a packet;
- a matching module 802 configured to match the first information included in the message with the information of a first type of user, and the first type of user has a fixed Internet Protocol IP address;
- the sending module 803 is configured to send the packet to the control plane CP device if the first information and the information of the first type of user satisfy the first matching condition.
- the first type of users includes at least one of static users or abnormal offline users.
- the matching module 802 is further configured to match the second information included in the packet with the information of a second type of user, and the second type of user has passed authentication;
- the UP device further includes: a determination module configured to determine that the second information and the information of the second type of user do not satisfy a second matching condition.
- the sending module 803 is configured to, if the first information and the information of the first type of user in the packet detection information PDI satisfy the first matching condition, send the information to the CP device according to the packet action PA corresponding to the PDI.
- the PA is used to indicate redirection to the CP device.
- the receiving module 801 is further configured to receive a first policy from the CP device, where the first policy is used to indicate that the packet is to be redirected to the CP device if the first information included in the packet and the information of the first type of user satisfy the first matching condition.
- the receiving module 801 is configured to receive a first packet forwarding control protocol PFCP message from the CP device, where the packet detection rule PDR carried in the first PFCP message is the first policy; the first PFCP message is a PFCP session establishment request, or the first PFCP message is a PFCP session message including a first message type, where the first message type is used to instruct creation of a PFCP session for the first type of user.
- the first PFCP message includes an interface index, where the interface index is used to identify an access interface on the UP device, where the access interface is an interface accessed by a terminal of the first type of user.
- the interface index is carried in an IE having a first information element IE type, and the first IE type is used to identify that the IE includes the interface index.
- the sending module 803 is configured to add a general packet radio service tunnelling protocol user plane part GTP-U header to the packet and send the packet with the GTP-U header added; or to add a virtual extensible local area network Vxlan header to the packet and send the packet with the Vxlan header added.
- the receiving module 801 is further configured to receive a redirection parameter from the CP device, where the redirection parameter includes at least one item of GTP-U tunnel information or Vxlan tunnel information.
- the redirection parameter is carried in an IE having a second IE type, and the second IE type is used to identify that the IE includes the redirection parameter.
- the Vxlan tunnel information is carried in an IE having a third IE type, and the third IE type is used to identify that the IE includes the Vxlan tunnel information.
- the receiving module 801 is further configured to receive a deletion request from the CP device; the UP device further includes: a deletion module, configured to delete the information of the first type of user in response to the deletion request.
- the deletion request is a second PFCP message
- the second PFCP message is a PFCP session deletion request
- the second PFCP message includes a PFCP session message of a second message type, where the second message type is used to instruct to delete the PFCP session of the first type of user.
- the UP device further includes: a discarding module, configured to discard the packet if the first information and the information of the first type of user do not satisfy the first matching condition.
- the UP device 800 corresponds to the UPF (UP device) in the above method embodiments, and the modules in the UP device 800 and the other operations and/or functions described above are for implementing the steps performed by the UPF (UP device) in the methods 400, 500, 600 and 700 respectively. For details, refer to the above-mentioned method 400, method 500, method 600 and method 700, which are not repeated here for brevity.
- when the UP device 800 processes a packet, the division into the above-mentioned functional modules is used only for illustration. In practical applications, the above-mentioned functions can be allocated to different functional modules as needed, that is, the internal structure of the UP device 800 is divided into different functional modules to complete all or part of the functions described above.
- the UP device 800 provided in the above-mentioned embodiment belongs to the same concept as the above-mentioned method 400, method 500, method 600 and method 700. For the specific implementation process, please refer to method 400, method 500, method 600 and method 700, which will not be repeated here.
- FIG. 29 is a schematic structural diagram of a CP device 810 provided by an embodiment of the present application.
- the CP device 810 is located in a communication system in which the CP and UP are separated.
- the CP device 810 includes: a sending module 811, configured to send a first policy to the user plane UP device, where the first policy is used to indicate that the packet is to be redirected to the CP device when the first information included in the packet and the information of the first type of user satisfy the first matching condition, and the first type of user has a fixed Internet Protocol IP address;
- a receiving module 812 configured to receive the message from the UP device
- the processing module 813 is configured to perform access processing according to the message.
- the first type of user includes at least one of a static user or an abnormally offline user
- the static user refers to a user with a fixed IP address
- the abnormally offline user refers to a user who is assigned an IP address in the communication system and goes offline abnormally, because of a failure of the communication system, during the lease period of that address.
- the sending module 811 is configured to send a first packet forwarding control protocol PFCP message, where the first PFCP message carries the first policy; wherein, the first PFCP message is a PFCP session establishment request; or, the first PFCP message A PFCP message is a PFCP session message including a first message type, where the first message type is used to instruct to create a PFCP session for the first type of user.
- the packet is sent with a general packet radio service tunnelling protocol user plane part GTP-U header or a virtual extensible local area network Vxlan header added
- the sending module 811 is further configured to send a redirection parameter to the UP device, where the redirection parameter includes at least one item of GTP-U tunnel information or Vxlan tunnel information.
- the CP device includes: a detection module configured to detect that the configuration information of the first type of user is deleted or the lease of the first type of user times out;
- the sending module 811 is further configured to send a deletion request to the UP device, where the deletion request is used to indicate deletion of the information of the first type of user.
- the deletion request is a second PFCP message
- the second PFCP message is a PFCP session deletion request
- the second PFCP message includes a PFCP session message of a second message type, where the second message type is used to instruct to delete the PFCP session of the first type of user.
- the first PFCP message includes an interface index, where the interface index is used to identify an access interface on the UP device, and the access interface is the interface accessed by the terminal of the static user or the interface accessed by the terminal of the abnormally offline user.
- the interface index is carried in a grouped IE having a first information element IE type, where the first IE type is used to identify that the IE includes the interface index.
- the redirection parameter is carried in a grouped IE having a second IE type, and the second IE type is used to identify that the IE includes the redirection parameter.
- the Vxlan tunnel information is carried in an embedded IE having a third IE type, where the third IE type is used to identify that the IE includes the Vxlan tunnel information.
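The redirection step performed by the UP device's sending module with the redirection parameter that the CP device's sending module delivers (both described above), as an added example written for this page and not code from the patent or any BNG implementation: it builds and validates the minimal GTP-U G-PDU header (3GPP TS 29.281, UDP port 2152) and the Vxlan header (RFC 7348, UDP port 4789), and selects the tunnel from a redirection parameter represented as a plain dictionary rather than as the grouped and embedded IEs the page describes. The dictionary keys, the function names and the sample packet are assumptions constructed for the example.

```python
"""Encapsulating a redirected packet towards the CP device over GTP-U or Vxlan
(example code written for this page, not taken from the patent). Header
formats: GTP-U per 3GPP TS 29.281 (minimal G-PDU header), Vxlan per RFC 7348."""
from __future__ import annotations
import struct

GTPU_UDP_PORT = 2152
VXLAN_UDP_PORT = 4789
GTPU_FLAGS = 0x30          # version 1, PT=1 (GTP), E/S/PN clear
GTPU_TYPE_GPDU = 0xFF      # G-PDU: the encapsulated user packet follows
VXLAN_FLAG_I = 0x08        # "VNI present" bit in the Vxlan flags octet


def gtpu_encap(packet: bytes, teid: int) -> bytes:
    """8-octet GTP-U header: flags, type, length of what follows the header, TEID."""
    if not 0 <= teid <= 0xFFFFFFFF or len(packet) > 0xFFFF:
        raise ValueError("TEID is 32 bits and the payload length must fit in 16 bits")
    return struct.pack(">BBHI", GTPU_FLAGS, GTPU_TYPE_GPDU, len(packet), teid) + packet


def gtpu_decap(data: bytes) -> tuple[int, bytes]:
    """Validate and strip the GTP-U header; returns (teid, packet)."""
    if len(data) < 8:
        raise ValueError("truncated GTP-U header")
    flags, msg_type, length, teid = struct.unpack(">BBHI", data[:8])
    if flags >> 5 != 1 or not flags & 0x10:
        raise ValueError("not a GTP-U version 1 packet")
    if flags & 0x07:
        raise ValueError("extension header/sequence/N-PDU flags not supported here")
    if msg_type != GTPU_TYPE_GPDU:
        raise ValueError(f"unexpected GTP-U message type {msg_type}")
    if length != len(data) - 8:
        raise ValueError("GTP-U length does not match datagram size")
    return teid, data[8:]


def vxlan_encap(frame: bytes, vni: int) -> bytes:
    """8-octet Vxlan header: flags (I bit), 3 reserved octets, 24-bit VNI, 1 reserved octet."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is 24 bits")
    return bytes([VXLAN_FLAG_I, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00" + frame


def vxlan_decap(data: bytes) -> tuple[int, bytes]:
    """Validate and strip the Vxlan header; returns (vni, frame)."""
    if len(data) < 8:
        raise ValueError("truncated Vxlan header")
    if not data[0] & VXLAN_FLAG_I:
        raise ValueError("Vxlan I flag not set, VNI is not valid")
    return int.from_bytes(data[4:7], "big"), data[8:]


def redirect_to_cp(packet: bytes, redirect_param: dict) -> tuple[str, int, bytes]:
    """Apply the redirection parameter delivered by the CP device. The parameter is
    modelled as {'gtpu': {'peer': ip, 'teid': n}} or {'vxlan': {'peer': ip, 'vni': n}}
    (assumed shape; the page carries it in grouped/embedded IEs). Returns
    (peer address, UDP destination port, encapsulated packet)."""
    if "gtpu" in redirect_param:
        info = redirect_param["gtpu"]
        return info["peer"], GTPU_UDP_PORT, gtpu_encap(packet, info["teid"])
    if "vxlan" in redirect_param:
        info = redirect_param["vxlan"]
        return info["peer"], VXLAN_UDP_PORT, vxlan_encap(packet, info["vni"])
    raise ValueError("redirection parameter carries neither GTP-U nor Vxlan tunnel information")


if __name__ == "__main__":
    sample = b"\x45\x00\x00\x14" + b"\x00" * 16          # constructed 20-octet IPv4 header
    print(redirect_to_cp(sample, {"gtpu": {"peer": "192.0.2.10", "teid": 0x1001}}))
```

On the CP side the same two decapsulation routines recover the original packet for access processing; a Vxlan inner payload is normally a full Ethernet frame, so a CP that receives the Vxlan form should expect the access VLAN tag to still be present in the inner frame.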
- the CP device 810 corresponds to the CPF (CP device) in the above method embodiments, and each module in the CP device 810 and the other operations and/or functions described above are for implementing the methods 400 , 500 , 600 and 700 respectively.
- when the CP device 810 processes a packet, the division into the above-mentioned functional modules is used only for illustration. In practical applications, the internal structure of the CP device 810 can be divided into different functional modules to complete all or part of the functions described above.
- the CP device 810 provided in the above-mentioned embodiment belongs to the same concept as the above-mentioned method 400, method 500, method 600 and method 700.
- the specific implementation process please refer to method 400, method 500, method 600 and method 700, which will not be repeated here.
- the hardware structure of the UP device or the CP device is described below.
- the device 900 or the device 1000 introduced below corresponds to the UPF (UP device) or CPF (CP device) in the above-mentioned methods 400 , 500 , 600 and 700 .
- the hardware, modules, and other operations and/or functions in the device 900 or the device 1000 are used to implement the steps and methods performed by the UPF (UP device) or CPF (CP device) in the method embodiments.
- each step of the method 400 , the method 500 , the method 600 and the method 700 is completed by an integrated logic circuit of hardware in the processor of the device 900 or the device 1000 or instructions in the form of software.
- the steps of the methods disclosed in conjunction with the embodiments of the present application may be directly embodied as executed by a hardware processor, or executed by a combination of hardware and software modules in the processor.
- the software modules may be located in random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, registers and other storage media mature in the art.
- the storage medium is located in the memory, and the processor reads the information in the memory, and completes the steps of the above method in combination with its hardware, which will not be described in detail here to avoid repetition.
- the device 900 corresponds to the above-mentioned UP device 800 or the CP device 810 , and each functional module in the UP device 800 or the CP device 810 is implemented by the software of the device 900 .
- the functional modules included in the UP device 800 or the CP device 810 are generated after the processor of the device 900 reads the program codes stored in the memory.
- the device 1000 corresponds to the above-mentioned UP device 800 , and each functional module in the UP device 800 is implemented by the software of the device 1000 .
- the functional modules included in the UP device 800 are generated after the processor of the device 1000 reads the program code stored in the memory.
- FIG. 30 shows a schematic structural diagram of a device 900 provided by an exemplary embodiment of the present application.
- the device 900 is configured as a UPF (UP device) or a CPF (CP device).
- the UPF (UP device) or CPF (CP device) in the above method 400 , method 500 , method 600 and method 700 is optionally implemented by the device 900 .
- the device 900 is, for example, a network device, for example, the device 900 is a switch, a router, or the like.
- the device 900 is, for example, a computing device, eg, the device 900 is a host, a server, a personal computer, or the like.
- the device 900 may be implemented by a general bus architecture.
- Device 900 includes at least one processor 901 , communication bus 902 , memory 903 , and at least one communication interface 904 .
- the processor 901 is, for example, a general-purpose central processing unit (CPU), a network processor (NP), a graphics processing unit (GPU), a neural-network processing unit (NPU), a data processing unit (DPU), a microprocessor, or one or more integrated circuits for implementing the solution of the present application.
- the processor 901 includes an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof.
- the PLD is, for example, a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL), or any combination thereof.
- a communication bus 902 is used to transfer information between the aforementioned components.
- the communication bus 902 can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in FIG. 30, but it does not mean that there is only one bus or one type of bus.
- the memory 903 is, for example, a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage (including compact discs, laser discs, digital versatile discs, Blu-ray discs, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can carry or store the desired program code in the form of instructions or data structures and can be accessed by a computer, without limitation.
- the memory 903 exists independently, for example, and is connected to the processor 901 through the communication bus 902 .
- the memory 903 may also be integrated with the processor 901 .
- the communication interface 904 uses any transceiver-like device for communicating with other devices or a communication network.
- the communication interface 904 includes a wired communication interface, and may also include a wireless communication interface.
- the wired communication interface may be, for example, an Ethernet interface.
- the Ethernet interface can be an optical interface, an electrical interface or a combination thereof.
- the wireless communication interface may be a wireless local area network (wireless local area networks, WLAN) interface, a cellular network communication interface or a combination thereof, and the like.
- the processor 901 may include one or more CPUs, such as CPU0 and CPU1 shown in FIG. 30 .
- the device 900 may include multiple processors, such as the processor 901 and the processor 905 shown in FIG. 30 .
- these processors can be single-core processors (single-CPU) or multi-core processors (multi-CPU).
- a processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (eg, computer program instructions).
- the device 900 may further include an output device and an input device.
- the output device communicates with the processor 901 and can display information in a variety of ways.
- the output device may be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device, a projector, or the like.
- the input device communicates with the processor 901 and can receive user input in a variety of ways.
- the input device may be a mouse, a keyboard, a touch screen device, or a sensor device, or the like.
- the memory 903 is used to store the program code 910 for executing the solutions of the present application, and the processor 901 can execute the program code 910 stored in the memory 903 . That is, the device 900 may implement the packet processing method provided by the method embodiment through the processor 901 and the program code 910 in the memory 903 .
- the device 900 in this embodiment of the present application may correspond to the UPF (UP device) or the CPF (CP device) in the foregoing method embodiments, and the processor 901 and the communication interface 904 in the device 900 may implement the foregoing methods.
- the receiving module 801 and the sending module 803 in the UP device 800 shown in FIG. 28 are equivalent to the communication interface 904 in the device 900;
- the matching module 802 in 800 may be equivalent to the processor 901 in the device 900 .
- the sending module 811 and the receiving module 812 in the CP device 810 shown in FIG. 29 are equivalent to the communication interface 904 in the device 900; the CP device The processing module 813 in 810 may be equivalent to the processor 901 in the device 900 .
- FIG. 31 shows a schematic structural diagram of a device 1000 provided by an exemplary embodiment of the present application.
- the device 1000 is configured as a UPF (UP device).
- the UPF (UP device) in the above method 400 , method 500 , method 600 and method 700 is optionally implemented by the device 1000 .
- the device 1000 is, for example, a network device, for example, the device 1000 is a switch, a router, or the like.
- the device 1000 includes: a main control board 1010 and an interface board 1030 .
- the main control board is also called the main processing unit (MPU) or the route processor card (route processor card).
- the main control board 1010 is used to control and manage the components in the device 1000, including route calculation, device maintenance and protocol processing functions.
- the main control board 1010 includes: a central processing unit 1011 and a memory 1012 .
- the interface board 1030 is also called a line processing unit (LPU), a line card (line card) or a service board.
- the interface board 1030 is used to provide various service interfaces and realize data packet forwarding.
- the service interface includes, but is not limited to, an Ethernet interface, a POS (Packet over SONET/SDH) interface, etc.
- the Ethernet interface is, for example, a flexible Ethernet service interface (Flexible Ethernet Clients, FlexE Clients).
- the interface board 1030 includes: a central processing unit 1031, a network processor 1032, a forwarding table entry memory 1034 and a physical interface card (PIC) 1033.
- the central processing unit 1031 on the interface board 1030 is used to control and manage the interface board 1030 and communicate with the central processing unit 1011 on the main control board 1010 .
- the network processor 1032 is used to implement packet forwarding processing.
- the form of the network processor 1032 may be a forwarding chip.
- the network processor 1032 is configured to forward the received packet based on the forwarding table stored in the forwarding table entry memory 1034. If the destination address of the packet is the address of the device 1000, the packet is sent to a CPU (for example the central processing unit 1011) for processing; if the destination address of the packet is not the address of the device 1000, the next hop and outbound interface corresponding to the destination address are looked up in the forwarding table, and the packet is forwarded to the outbound interface corresponding to the destination address.
- processing of an uplink packet includes processing of the inbound interface of the packet and lookup of the forwarding table; processing of a downlink packet includes lookup of the forwarding table, and so on.
- the physical interface card 1033 is used to realize the interconnection function of the physical layer, the original traffic enters the interface board 1030 through this, and the processed packets are sent from the physical interface card 1033 .
- the physical interface card 1033 is also called a daughter card, which can be installed on the interface board 1030 and is responsible for converting the optoelectronic signal into a message and forwarding the message to the network processor 1032 for processing after checking the validity of the message.
- the central processing unit may also perform the functions of the network processor 1032, for example software forwarding based on a general-purpose CPU, so that the network processor 1032 is not required.
- the device 1000 may include multiple interface boards; for example, the device 1000 further includes an interface board 1040, and the interface board 1040 includes a central processing unit 1041, a network processor 1042, a forwarding table entry memory 1044 and a physical interface card 1043.
- the device 1000 further includes a switch fabric board 1020 .
- the switch fabric board 1020 may also be referred to as a switch fabric unit (SFU).
- the switching network board 1020 is used to complete data exchange between the interface boards.
- the interface board 1030 and the interface board 1040 may communicate through the switch fabric board 1020 .
- the main control board 1010 and the interface board 1030 are coupled.
- the main control board 1010 , the interface board 1030 , the interface board 1040 , and the switch fabric board 1020 are connected to the system backplane through a system bus to implement intercommunication.
- an inter-process communication (inter-process communication, IPC) channel is established between the main control board 1010 and the interface board 1030, and the main control board 1010 and the interface board 1030 communicate through the IPC channel.
- the device 1000 includes a control plane and a forwarding plane
- the control plane includes the main control board 1010 and the central processing unit 1031
- the forwarding plane includes various components that perform forwarding, such as the forwarding entry memory 1034, the physical interface card 1033 and the network processor 1032.
- the control plane performs functions such as routing, generating forwarding tables, processing signaling and protocol packets, and configuring and maintaining device status.
- the control plane delivers the generated forwarding tables to the forwarding plane.
- the network processor 1032 forwards the packets received by the physical interface card 1033 by looking up the forwarding table delivered by the control plane.
- the forwarding table issued by the control plane may be stored in the forwarding table entry storage 1034 .
- the control plane and forwarding plane may be completely separate and not on the same device.
- the method 400 , the method 500 , the method 600 and the method 700 are briefly described below in conjunction with the device 1000 .
- the UP device receives the packet through the physical interface card 1033, determines that the destination IP address of the packet is the address of the device 1000, and sends the packet to the central processing unit 1031 for processing.
- the central processing unit 1031 accesses the forwarding table entry storage 1034 to obtain the information of the first type of users stored in the forwarding table entry storage 1034 .
- the central processing unit 1031 matches the first information included in the packet with the information of the first type of user.
- the central processing unit 1031 determines that the first information and the information of the first type of user satisfy the first matching condition, and the physical interface card 1033 sends the message to the CP device.
- the receiving module 801 and the sending module 803 in the UP device 800 shown in FIG. 28 are equivalent to the physical interface card 1033 in the device 1000;
- the matching module 802 in the device 800 is equivalent to the network processor 1032, the central processing unit 1031 or the central processing unit 1011.
- the operations on the interface board 1040 in this embodiment of the present application are the same as the operations on the interface board 1030, and for brevity, details are not repeated here.
- the device 1000 in this embodiment may correspond to the UP device (UPF) in the above method embodiments, and the main control board 1010 and the interface board 1030 and/or 1040 in the device 1000 may implement the functions and/or steps performed by the UP device (UPF) in the above method embodiments, which are not repeated here.
- there may be one or more main control boards; when there are multiple main control boards, they may include an active main control board and a standby main control board.
- a network device may have at least one switching network board, and the switching network board realizes data exchange between multiple interface boards, providing large-capacity data exchange and processing capabilities. Therefore, the data access and processing capabilities of network devices in a distributed architecture are greater than those in a centralized architecture.
- the form of the network device can also be that there is only one board, that is, there is no switching network board, and the functions of the interface board and the main control board are integrated on this board.
- the central processing units of the interface board and the main control board can be combined into one central processing unit on this board to perform the functions of both; the data exchange and processing capacity of this form of device is low (for example, low-end switches, routers and other network equipment).
- the specific architecture used depends on the specific networking deployment scenario, and there is no restriction here.
- an embodiment of the present application provides a communication system 1100, where the communication system 1100 includes a UP device 1101 and a CP device 1102.
- the UP device 1101 is the UP device 800 shown in FIG. 28, the device 900 shown in FIG. 30, or the device 1000 shown in FIG. 31;
- the CP device 1102 is the CP device 810 shown in FIG. 29 or the device 900 shown in FIG. 30.
- the disclosed systems, devices and methods may be implemented in other manners.
- the device embodiments described above are only illustrative.
- the division of the modules is only a logical function division. In actual implementation, there may be other division methods.
- multiple modules or components may be combined or integrated into another system, or some features may be ignored or not implemented.
- the shown or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or modules, and may also be electrical, mechanical or other forms of connection.
- modules described as separate components may or may not be physically separated, and the components shown as modules may or may not be physical modules, that is, may be located in one place, or may be distributed to multiple network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solutions of the embodiments of the present application.
- each functional module in each embodiment of the present application may be integrated into one processing module, or each module may exist physically alone, or two or more modules may be integrated into one module.
- the above-mentioned integrated modules can be implemented in the form of hardware, and can also be implemented in the form of software function modules.
- if the integrated modules are implemented in the form of software functional modules and sold or used as independent products, they may be stored in a computer-readable storage medium.
- the technical solutions of the present application, in essence, or the part that contributes to the prior art, or all or part of the technical solutions, may be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods in the various embodiments of the present application.
- the aforementioned storage medium includes: a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disk, or other media that can store program code.
- "first" and "second" are used to distinguish identical or similar items with essentially the same function and purpose. It should be understood that there is no logical or sequential dependency between "first" and "second", and no restriction on number or execution order. It will also be understood that, although the following description uses the terms first, second, etc. to describe various elements, these elements should not be limited by the terms. These terms are only used to distinguish one element from another. For example, first information may be referred to as second information, and, similarly, second information may be referred to as first information, without departing from the scope of the various described examples. Both the first information and the second information may be information, and in some cases may be separate and distinct information.
- the term “if” may be interpreted to mean “when” or “upon” or “in response to determining” or “in response to detecting.”
- the phrases “if it is determined" or “if the [stated condition or event] is detected” can be interpreted to mean “when determining" or “in response to determining... ” or “on detection of [recited condition or event]” or “in response to detection of [recited condition or event]”.
- the above-mentioned embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof.
- when implemented by software, they may be implemented in whole or in part in the form of a computer program product.
- the computer program product includes one or more computer program instructions.
- when the computer program instructions are loaded and executed on a computer, the procedures or functions according to the embodiments of the present application are produced in whole or in part.
- the computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable device.
- the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer program instructions may be transmitted from a website, computer, server or data center via wired or wireless transmission to another website, computer, server or data center.
- the computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device such as a server, data center, etc. that includes one or more available media integrated.
- the available media may be magnetic media (e.g., floppy disks, hard disks, magnetic tapes), optical media (e.g., digital video discs (DVDs)), or semiconductor media (e.g., solid state drives), among others.
Abstract
This application provides a packet processing method, a UP device and a CP device, belonging to the field of communication technology, for preventing the CP device from being attacked in the scenario where a CU-separated BNG performs access authentication. In the method, when the UP device receives a packet, it matches the information in the packet against the information of users having fixed IP addresses; if the match succeeds, the UP device sends the packet up to the CP device. Because the task of checking whether a packet comes from a user with a fixed IP address is moved down from the CP device to the UP device, the resource overhead the CP device would incur checking such packets is avoided and the load on the CP device is reduced. In particular, if a malicious IP packet flow launches a network attack, the CP device no longer needs to check whether the malicious flow comes from a user with a fixed IP address, which lowers the risk of the CP device being attacked by malicious IP packet flows.
Description
This application claims priority to Chinese patent application No. 202010598522.1, filed on June 28, 2020 and entitled "Packet processing method, UP device and CP device", the entire contents of which are incorporated herein by reference.
This application relates to the field of communication technology, and in particular to a packet processing method, a UP device and a CP device.
A Broadband Network Gateway (BNG) is an access gateway for broadband networks. When a terminal accesses the network, the BNG is responsible for authentication and Internet Protocol (IP) address allocation so that the terminal can be connected to the broadband network. The functions of a BNG are divided into a control plane and a forwarding plane. The control plane provides services such as access management, session management, Authentication, Authorization and Accounting (AAA), address allocation and service policy control. The forwarding plane implements forwarding processing for terminals, including sending access protocol packets up to the control plane and forwarding the control packets sent by the control plane to the terminals.
A BNG may adopt a Control Plane and User Plane Disaggregated (CU-separated) architecture. In a CU-separated architecture, the control plane and the forwarding plane of the BNG are separated and deployed on different devices. Specifically, a CU-separated BNG includes a Control Plane (CP) device and a User Plane (UP) device. The CP device mainly carries the control plane functions, and the UP device mainly carries the forwarding plane functions.
In the scenario where users with fixed IP addresses access the network, the information of such users is preconfigured and stored on the CP device. When an IP packet flow triggers access, the UP device receives the packet and sends it up to the CP device. On receiving the packet, the CP device matches the information in the packet against the prestored user information; if the match succeeds, the CP device performs authentication processing for the packet.
When a CU-separated BNG performs access authentication in the above way, the CP device runs a high risk of being attacked by malicious IP packet flows, which compromises the network security of the CP device.
Summary of the invention
Embodiments of this application provide a packet processing method, a UP device and a CP device that can improve the network security of the CP device. The technical solutions are as follows:
In a first aspect, a packet processing method is provided, applied to a UP device included in a communication system in which the control plane (CP) and the user plane (UP) are separated. In the method, the UP device receives a packet; the UP device matches first information included in the packet against information of a first type of user, where the first type of user has a fixed Internet Protocol (IP) address; and if the first information and the information of the first type of user satisfy a first matching condition, the UP device sends the packet to a CP device included in the communication system.
The above provides a method for preventing the CP device from being attacked in the scenario where a CU-separated BNG performs access authentication: when the UP device receives a packet, it matches the information in the packet against the information of users having fixed IP addresses, and only if the match succeeds does the UP device send the packet up to the CP device. Because the task of checking whether a packet comes from a user with a fixed IP address is moved down from the CP device to the UP device, the resource overhead the CP device would incur checking such packets is avoided and the load on the CP device is reduced. In particular, if a malicious IP packet flow launches a network attack, the CP device no longer needs to perform this check for the malicious flow, which lowers the risk of the CP device being attacked by malicious IP packet flows and improves its network security.
Optionally, the first type of user includes static users.
With this option, in the static user access scenario, the UP device matches the information in a received packet against the static user information and sends the packet up to the CP device only if the match succeeds. Because the task of checking whether a packet comes from a static user is moved down from the CP device to the UP device, the resource overhead the CP device would incur checking such packets is avoided and the load on the CP device is reduced. In particular, if a malicious IP packet flow launches a network attack, the CP device no longer needs to check whether the malicious flow comes from a static user, which lowers the risk of the CP device being attacked by malicious IP packet flows and improves its network security.
Optionally, the first type of user includes abnormally offline users.
With this option, in the abnormally offline user access scenario, the UP device matches the information in a received packet against the abnormally offline user information and sends the packet up to the CP device only if the match succeeds. Because the task of checking whether a packet comes from an abnormally offline user is moved down from the CP device to the UP device, the resource overhead the CP device would incur checking such packets is avoided and the load on the CP device is reduced. In particular, if a malicious IP packet flow launches a network attack, the CP device no longer needs to check whether the malicious flow comes from an abnormally offline user, which lowers the risk of the CP device being attacked by malicious IP packet flows and improves its network security.
Optionally, before the UP device matches the first information included in the packet against the information of the first type of user, the method further includes: the UP device matches second information included in the packet against information of a second type of user, where the second type of user has passed authentication; and the UP device determines that the second information and the information of the second type of user do not satisfy a second matching condition.
Optionally, sending the packet to the CP device included in the communication system if the first information and the information of the first type of user satisfy the first matching condition includes: if the first information and the information of the first type of user in packet detection information (PDI) satisfy the first matching condition, the UP device sends the packet to the CP device included in the communication system according to the packet action (PA) corresponding to the PDI, where the PA indicates redirection to the CP device.
With this option, the CP reuses the PFCP mechanism for handling PFCP sessions, using the information of the first type of user as the match fields in the PDI and redirection as the PA executed when the PDI is hit, so that the scheme of enforcing a security policy on the UPF blends more smoothly into the PFCP architecture and can be implemented with the existing PFCP communication mechanisms, which reduces implementation and configuration complexity.
Optionally, before the UP device receives the packet, the method further includes: the UP device receives a first policy from the CP device, where the first policy indicates that the packet is to be redirected to the CP device if the first information included in the packet and the information of the first type of user satisfy the first matching condition.
Optionally, receiving the first policy from the CP device includes: the UP device receives a first Packet Forwarding Control Protocol (PFCP) message from the CP device, where the packet detection rule (PDR) carried in the first PFCP message is the first policy, and the first PFCP message is a PFCP session establishment request.
With this option, the CP reuses the PFCP session establishment request, a PFCP session message, and the PFCP mechanism of delivering PDRs through a PFCP session, to deliver the information of users with fixed IP addresses and the redirection action to the UP, so that the scheme of enforcing a security policy on the UPF blends more smoothly into the PFCP architecture and can be implemented with the existing PFCP communication mechanisms, which reduces implementation and configuration complexity.
Optionally, receiving the first policy from the CP device includes: the UP device receives a first PFCP message from the CP device, where the PDR carried in the first PFCP message is the first policy, and the first PFCP message is a PFCP session message of a first message type, the first message type indicating that a PFCP session is to be created for the first type of user.
With this option, a PFCP message of a new message type is defined, and the CP uses it to deliver the information of users with fixed IP addresses and the redirection action to the UP, so that after authentication succeeds the CP can uniformly use the PFCP session establishment request to deliver sessions for users with fixed IP addresses and for other users alike, which reduces the complexity of the CP's handling of normal terminal access.
Optionally, the first PFCP message includes an interface index that identifies an access interface on the UP device, the access interface being the interface through which the terminal of the first type of user accesses.
With this option, the CP notifies the UP of the access interface of the user with a fixed IP address in the form of an interface index, so that the UP can perform access authentication by checking whether the interface through which the terminal accesses matches the interface index delivered in advance by the CP. Since the access interface represents the terminal's location, the access authentication process takes location into account, which helps improve the security of authentication.
Optionally, the interface index is carried in an IE having a first information element (IE) type, the first IE type identifying that the IE includes the interface index.
With this option, a new IE type is defined to carry the interface index, so the IE format of PFCP messages is reused to deliver the interface index to the UP; the scheme of enforcing a security policy on the UPF blends more smoothly into the PFCP architecture, which reduces implementation and configuration complexity.
Optionally, the UP device sending the packet to the CP device included in the communication system includes: the UP device adds a General Packet Radio Service Tunnelling Protocol User Plane (GTP-U) header to the packet and sends the packet with the GTP-U header added; or the UP device adds a Virtual Extensible LAN (Vxlan) header to the packet and sends the packet with the Vxlan header added.
With this option, the UP uses a GTP-U tunnel or a Vxlan tunnel to carry the packets that need to be redirected to the CP; the tunnel header overhead is small and extensibility is good. In particular, when a Vxlan-GPE tunnel carries the packets to be redirected to the CP, the Vxlan header and the CU extension header together cost only 14 bytes, giving a compact encapsulation format that reduces the bandwidth and performance overhead of transmitting packets between the CU.
Optionally, before the UP device receives the packet, the method further includes: the UP device receives redirection parameters from the CP device, the redirection parameters including at least one of GTP-U tunnel information or Vxlan tunnel information.
With this option, the CP delivers the redirection parameters to the UP, so that the UP can encapsulate the tunnel header according to the redirection parameters delivered by the CP in order to redirect the packet to the CP, which avoids the tedious manual configuration of redirection parameters and reduces implementation and configuration complexity.
Optionally, the redirection parameters are carried in an IE having a second IE type, the second IE type identifying that the IE includes the redirection parameters.
A new IE type is defined to carry the redirection parameters, so the IE format of PFCP messages is reused to deliver the redirection parameters to the UP, which reduces implementation and configuration complexity.
Optionally, the Vxlan tunnel information is carried in an IE having a third IE type, the third IE type identifying that the IE includes the Vxlan tunnel information.
A new IE type is defined to carry the Vxlan tunnel information, so the IE format of PFCP messages is reused to deliver the Vxlan tunnel information to the UP, which reduces implementation and configuration complexity.
Optionally, after the UP device sends the packet to the CP device included in the communication system, the method further includes: the UP device receives a deletion request from the CP device; and in response to the deletion request, the UP device deletes the information of the first type of user.
Optionally, the deletion request is a second PFCP message. In scenarios such as a static user's configuration being deleted or an abnormally offline user's lease expiring, the CP instructs the UP to clear the information of the user with a fixed IP address, so that the storage space occupied by the user information on the UP is released promptly once the information becomes invalid.
Optionally, the second PFCP message is a PFCP session deletion request.
The CP reuses the PFCP session deletion request, a PFCP session message, and the PFCP mechanism for deleting PFCP sessions, to clear the information of users with fixed IP addresses from the UP, so that the scheme of enforcing a security policy on the UPF blends more smoothly into the PFCP architecture and can be implemented with the existing PFCP communication mechanisms, which reduces implementation and configuration complexity.
Optionally, the second PFCP message is a PFCP session message of a second message type, the second message type indicating that the PFCP session of the first type of user is to be deleted.
A PFCP message of a new message type is defined, and the CP uses it to instruct the UP to delete the user information, which reduces the complexity of the CP's handling of normal terminal access.
Optionally, after the UP device matches the first information included in the packet against the information of the first type of user, the method further includes: if the first information and the information of the first type of user do not satisfy the first matching condition, the UP device discards the packet.
By discarding the packet when the information in it fails to match the information of users with fixed IP addresses, the UP ensures that packets that fail the match are not transmitted to the CP, avoiding the performance overhead and wasted processing resources of the CP performing access processing on such packets. In particular, when the packet is a malicious packet used for a network attack, it does not match the information of users with fixed IP addresses, so the UP discards it; the malicious packet is blocked at the UP and does not reach the CP through the UP, so the CP is spared from performing access processing on malicious packets, which lowers the risk of the CP being attacked.
In a second aspect, a packet processing method is provided, applied to a CP device included in a communication system in which the control plane (CP) and the user plane (UP) are separated. In the method, the CP device sends a first policy to the UP device included in the communication system, where the first policy indicates that a packet is to be redirected to the CP device if first information included in the packet and information of a first type of user satisfy a first matching condition, the first type of user having a fixed IP address; the CP device receives the packet from the UP device; and the CP device performs access processing according to the packet.
Optionally, the first type of user includes at least one of a static user or an abnormally offline user, where a static user is a user with a fixed IP address, and an abnormally offline user is a user who went offline abnormally, within the lease of the IP address allocated by the communication system, because of a fault in the communication system.
Optionally, sending the first policy includes: sending a first PFCP message carrying the first policy;
where the first PFCP message is a PFCP session establishment request, or the first PFCP message is a PFCP session message of a first message type, the first message type indicating that a PFCP session is to be created for the first type of user.
Optionally, the packet has a GTP-U header or a Vxlan header added, and before the CP device receives the packet from the UP device, the method further includes:
the CP device sends redirection parameters to the UP device, the redirection parameters including at least one of GTP-U tunnel information or Vxlan tunnel information.
Optionally, after the CP device performs access processing according to the packet, the method includes: the CP device detects that the configuration information of the first type of user has been deleted or that the lease of the first type of user has expired; and the CP device sends a deletion request to the UP device, the deletion request indicating that the information of the first type of user is to be deleted.
Optionally, the deletion request is a second PFCP message; the second PFCP message is a PFCP session deletion request, or the second PFCP message is a PFCP session message of a second message type, the second message type indicating that the PFCP session of the first type of user is to be deleted.
Optionally, the first PFCP message includes an interface index that identifies an access interface on the UP device, the access interface being the interface through which the terminal of the static user of the first type, or of the abnormally offline user, accesses.
Optionally, the interface index is carried in a grouped IE having a first information element (IE) type, the first IE type identifying that the IE includes the interface index.
Optionally, the redirection parameters are carried in a grouped IE having a second IE type, the second IE type identifying that the IE includes the redirection parameters.
Optionally, the Vxlan tunnel information is carried in an embedded IE having a third IE type, the third IE type identifying that the IE includes the Vxlan tunnel information.
In a third aspect, a UP device is provided, located in a communication system in which the UP and the CP are separated. The UP device includes:
a receiving module, configured to receive a packet;
a matching module, configured to match first information included in the packet against information of a first type of user, the first type of user having a fixed IP address;
a sending module, configured to send the packet to a control plane (CP) device if the first information and the information of the first type of user satisfy a first matching condition.
Optionally, the first type of user includes at least one of a static user or an abnormally offline user.
Optionally, the matching module is further configured to match second information included in the packet against information of a second type of user, the second type of user having passed authentication;
and the UP device further includes a determining module, configured to determine that the second information and the information of the second type of user do not satisfy a second matching condition.
Optionally, the sending module is configured to send the packet to the CP device according to the packet action (PA) corresponding to the packet detection information (PDI) if the first information and the information of the first type of user in the PDI satisfy the first matching condition, the PA indicating redirection to the CP device.
Optionally, the receiving module is further configured to receive a first policy from the CP device, the first policy indicating that the packet is to be redirected to the CP device if the first information included in the packet and the information of the first type of user satisfy the first matching condition.
Optionally, the receiving module is configured to receive a first PFCP message from the CP device, where the PDR carried in the first PFCP message is the first policy; the first PFCP message is a PFCP session establishment request, or the first PFCP message is a PFCP session message of a first message type, the first message type indicating that a PFCP session is to be created for the first type of user.
Optionally, the first PFCP message includes an interface index that identifies an access interface on the UP device, the access interface being the interface through which the terminal of the first type of user accesses.
Optionally, the interface index is carried in an IE having a first information element (IE) type, the first IE type identifying that the IE includes the interface index.
Optionally, the sending module is configured to add a GTP-U header to the packet and send the packet with the GTP-U header added, or to add a Vxlan header to the packet and send the packet with the Vxlan header added.
Optionally, the receiving module is further configured to receive redirection parameters from the CP device, the redirection parameters including at least one of GTP-U tunnel information or Vxlan tunnel information.
Optionally, the redirection parameters are carried in an IE having a second IE type, the second IE type identifying that the IE includes the redirection parameters.
Optionally, the Vxlan tunnel information is carried in an IE having a third IE type, the third IE type identifying that the IE includes the Vxlan tunnel information.
Optionally, the receiving module is further configured to receive a deletion request from the CP device, and the UP device further includes a deletion module, configured to delete the information of the first type of user in response to the deletion request.
Optionally, the deletion request is a second PFCP message;
the second PFCP message is a PFCP session deletion request, or the second PFCP message is a PFCP session message of a second message type, the second message type indicating that the PFCP session of the first type of user is to be deleted.
Optionally, the UP device further includes a discarding module, configured to discard the packet if the first information and the information of the first type of user do not satisfy the first matching condition.
In a fourth aspect, a CP device is provided, located in a communication system in which the CP and the UP are separated. The CP device includes:
a sending module, configured to send a first policy to a user plane (UP) device, the first policy indicating that a packet is to be redirected to the CP device if first information included in the packet and information of a first type of user satisfy a first matching condition, the first type of user having a fixed IP address;
a receiving module, configured to receive the packet from the UP device;
a processing module, configured to perform access processing according to the packet.
Optionally, the first type of user includes at least one of a static user or an abnormally offline user, where a static user is a user with a fixed IP address, and an abnormally offline user is a user who went offline abnormally, within the lease of the IP address allocated by the communication system, because of a fault in the communication system.
Optionally, the sending module is configured to send a first PFCP message carrying the first policy; the first PFCP message is a PFCP session establishment request, or the first PFCP message is a PFCP session message of a first message type, the first message type indicating that a PFCP session is to be created for the first type of user.
Optionally, the packet has a GTP-U header or a Vxlan header added, and the sending module is further configured to send redirection parameters to the UP device, the redirection parameters including at least one of GTP-U tunnel information or Vxlan tunnel information.
Optionally, the CP device includes a detection module, configured to detect that the configuration information of the first type of user has been deleted or that the lease of the first type of user has expired;
and the sending module is further configured to send a deletion request to the UP device, the deletion request indicating that the information of the first type of user is to be deleted.
Optionally, the deletion request is a second PFCP message;
the second PFCP message is a PFCP session deletion request; or
the second PFCP message is a PFCP session message of a second message type, the second message type indicating that the PFCP session of the first type of user is to be deleted.
Optionally, the first PFCP message includes an interface index that identifies an access interface on the UP device, the access interface being the interface through which the terminal of the static user of the first type, or of the abnormally offline user, accesses.
Optionally, the interface index is carried in a grouped IE having a first information element (IE) type, the first IE type identifying that the IE includes the interface index.
Optionally, the redirection parameters are carried in a grouped IE having a second IE type, the second IE type identifying that the IE includes the redirection parameters.
Optionally, the Vxlan tunnel information is carried in an embedded IE having a third IE type, the third IE type identifying that the IE includes the Vxlan tunnel information.
In a fifth aspect, a UP device is provided. The UP device includes a processor and a communication interface; the processor is configured to execute instructions so that the UP device performs the packet processing method provided by the first aspect or any optional manner of the first aspect, and the communication interface is configured to receive or send packets. For details of the UP device provided by the fifth aspect, see the first aspect or any optional manner of the first aspect; they are not repeated here.
In a sixth aspect, a CP device is provided. The CP device includes a processor and a communication interface; the processor is configured to execute instructions so that the CP device performs the packet processing method provided by the second aspect or any optional manner of the second aspect, and the communication interface is configured to receive or send packets. For details of the CP device provided by the sixth aspect, see the second aspect or any optional manner of the second aspect; they are not repeated here.
In a seventh aspect, a computer-readable storage medium is provided. The storage medium stores at least one instruction, which is read by a processor to cause a UP device to perform the packet processing method provided by the first aspect or any optional manner of the first aspect.
In an eighth aspect, a computer-readable storage medium is provided. The storage medium stores at least one instruction, which is read by a processor to cause a CP device to perform the packet processing method provided by the second aspect or any optional manner of the second aspect.
In a ninth aspect, a computer program is provided. The computer program includes computer instructions stored in a computer-readable storage medium. A processor of a UP device reads the computer instructions from the computer-readable storage medium and executes them, causing the UP device to perform the packet processing method provided by the first aspect or any optional manner of the first aspect.
In a tenth aspect, a computer program is provided. The computer program includes computer instructions stored in a computer-readable storage medium. A processor of a CP device reads the computer instructions from the computer-readable storage medium and executes them, causing the CP device to perform the packet processing method provided by the second aspect or any optional manner of the second aspect.
In an eleventh aspect, a chip is provided which, when running on a UP device, causes the UP device to perform the packet processing method provided by the first aspect or any optional manner of the first aspect.
In a twelfth aspect, a chip is provided which, when running on a CP device, causes the CP device to perform the packet processing method provided by the second aspect or any optional manner of the second aspect.
In a thirteenth aspect, a communication system is provided. The communication system includes a UP device and a CP device, where the UP device is the UP device provided by the third aspect, any optional manner of the third aspect or the fifth aspect, and the CP device is the CP device provided by the fourth aspect, any optional manner of the fourth aspect or the sixth aspect.
In a fourteenth aspect, this application provides a UP device including a main control board and an interface board, and optionally also a switching network board. The main control board includes a first processor and a first memory. The interface board includes a second processor, a second memory and an interface card. The main control board and the interface board are coupled.
The first memory may be configured to store program code, and the first processor is configured to call the program code in the first memory to perform the following operation: matching first information included in the packet against information of a first type of user, the first type of user having a fixed IP address.
The second memory may be configured to store program code, and the second processor is configured to call the program code in the second memory to trigger the interface card to perform the following operations: receiving the packet; and, if the first information and the information of the first type of user satisfy a first matching condition, sending the packet to the CP device.
In one possible implementation, an inter-process communication (IPC) channel is established between the main control board and the interface board, and the main control board and the interface board communicate through the IPC channel.
FIG. 1 is a schematic diagram of the position of a BNG in a network, according to an embodiment of this application;
FIG. 2 is a schematic diagram of the protocol stack handled by a BNG, according to an embodiment of this application;
FIG. 3 is an architecture diagram of a system including a BNG, according to an embodiment of this application;
FIG. 4 is a schematic diagram of a BNG connecting AN devices, according to an embodiment of this application;
FIG. 5 is an architecture diagram of the functional modules in a BNG, according to an embodiment of this application;
FIG. 6 is an architecture diagram of the functional modules in a CU-separated BNG, according to an embodiment of this application;
FIG. 7 is an architecture diagram of the functional modules in a CU-separated BNG, according to an embodiment of this application;
FIG. 8 is a schematic diagram of a control packet redirection interface, according to an embodiment of this application;
FIG. 9 is a schematic diagram of a state control interface, according to an embodiment of this application;
FIG. 10 is a schematic diagram of a static user access scenario, according to an embodiment of this application;
FIG. 11 is a flowchart of a method 100 for static user access to a BNG, according to an embodiment of this application;
FIG. 12 is a schematic diagram of an IPoE abnormally offline user access scenario, according to an embodiment of this application;
FIG. 13 is a flowchart of an IPoE terminal accessing and renewing its lease through DHCP, according to an embodiment of this application;
FIG. 14 is a flowchart of a method 200 for an IPoE abnormally offline terminal accessing a BNG, according to an embodiment of this application;
FIG. 15 is a schematic diagram of the position of PFCP in the protocol stack, according to an embodiment of this application;
FIG. 16 is a schematic diagram of multiple PFCP associations established between a CPF and UPFs, according to an embodiment of this application;
FIG. 17 is a schematic diagram of PFCP associations and PFCP sessions, according to an embodiment of this application;
FIG. 18 is a schematic diagram of the packet processing flow of a UPF, according to an embodiment of this application;
FIG. 19 is a schematic diagram of a PFCP session, according to an embodiment of this application;
FIG. 20 is a schematic diagram of a PDR, according to an embodiment of this application;
FIG. 21 is a schematic diagram of a UPF performing session processing based on PFCP, according to an embodiment of this application;
FIG. 22 is an architecture diagram of a network system 300, according to an embodiment of this application;
FIG. 23 is an architecture diagram of the functional modules of a UPF and a CPF, according to an embodiment of this application;
FIG. 24 is a flowchart of a packet processing method 400, according to an embodiment of this application;
FIG. 25 is a flowchart of a packet processing method 500, according to an embodiment of this application;
FIG. 26 is a flowchart of a packet processing method 600, according to an embodiment of this application;
FIG. 27 is a flowchart of a packet processing method 700, according to an embodiment of this application;
FIG. 28 is a schematic structural diagram of a UP device 800, according to an embodiment of this application;
FIG. 29 is a schematic structural diagram of a CP device 810, according to an embodiment of this application;
FIG. 30 is a schematic structural diagram of a device 900, according to an embodiment of this application;
FIG. 31 is a schematic structural diagram of a device 1000, according to an embodiment of this application;
FIG. 32 is a schematic structural diagram of a communication system 1100, according to an embodiment of this application.
To make the objectives, technical solutions and advantages of this application clearer, the implementations of this application are described in further detail below with reference to the accompanying drawings.
In the embodiments of this application, the term "CU-separated BNG" generally refers to a BNG whose control plane and forwarding plane are located on different devices. Optionally, the device hosting the control plane and the device hosting the forwarding plane are deployed at different sites. The numerical relationship between control-plane devices and forwarding-plane devices is, for example, one-to-one or one-to-many; that is, one control-plane device may control one forwarding-plane device or several forwarding-plane devices at the same time.
In the embodiments of this application, "CU separation" may have different names. For example, different standards, different versions of the same standard, different vendors and different application scenarios may refer to "CU separation" differently. For instance, the term "CU separation" is sometimes also called "control and forwarding separation", "forwarding-control separation", "control plane and user plane separation" or "control and user separation".
In the embodiments of this application, "CU-separated BNG" may have different names. For example, different standards, different versions of the same standard, different vendors and different application scenarios may refer to a "CU-separated BNG" differently. For instance, the term "CU-separated BNG" is sometimes also called a "Disaggregated BNG (DBNG) system"; correspondingly, the CP device of the CU-separated BNG may be called the DBNG-CP and the UP device the DBNG-UP. As another example, the term "CU-separated BNG" is sometimes also called a "Virtual BNG (vBNG) Control Plane and User Plane Disaggregated System (CU system)", that is, a "vBNG CU system"; correspondingly, the CP device may be called the vBNG-CP and the UP device the vBNG-UP. As yet another example, the term "CU-separated BNG" is sometimes also called a "virtual Broadband Remote Access Server (vBRAS) CU system", that is, a "vBRAS CU system"; correspondingly, the CP device may be called the vBRAS-CP and the UP device the vBRAS-UP. In this document, "DBNG", "vBNG CU system" and "vBRAS CU system" are used interchangeably.
In the embodiments of this application, "CP" may have different names. For example, different standards, different versions of the same standard, different vendors and different application scenarios may refer to the "CP" differently. For instance, the term "CP" is sometimes also called "CP Function (CPF)" or "CP plane". In this document, "CP", "CPF" and "CP plane" are used interchangeably. The term "CP device" refers to any device that implements the CP function.
In the embodiments of this application, "UP" may have different names. For example, different standards, different versions of the same standard, different vendors and different application scenarios may refer to the "UP" differently. For instance, the term "UP" is sometimes also called "UP Function (UPF)" or "UP plane". In this document, "UP", "UPF" and "UP plane" are used interchangeably. The term "UP device" refers to any device that implements the UP function.
The BNG is introduced below.
A BNG is responsible for connecting user equipment to the broadband network and is a key device in the network. FIG. 1 illustrates the position of a BNG in a network; the Broadband Network Gateway in FIG. 1 is an example of a BNG.
The protocol stack handled by a BNG includes, without limitation, Internet Protocol over Ethernet (IPoE), Point-to-Point Protocol over Ethernet (PPPoE), the 802.1ad protocol, the Ethernet protocol and some 802.3 physical-layer (some 802.3 Phy) protocols. For example, FIG. 2 illustrates the access-side protocol stack handled by a BNG, where a, b and c in FIG. 2 denote three parallel forms; in other words, the BNG may encapsulate packets in the form corresponding to any one of the protocol stacks shown in a, b and c.
A BNG is mainly responsible for authentication and Internet Protocol (IP) address allocation. The authentication process is implemented based on Remote Authentication Dial In User Service (Radius). Specifically, the BNG acts as a Radius client and interacts with a Radius server to complete terminal authentication. For example, in FIG. 3 the Broadband Remote Access Server (BRAS) is an example of a BNG; the functions of a BRAS are essentially the same as those of a BNG. In FIG. 3, the terminals of Internet Protocol version 4 (IPv4) user 1, IPv4 user 2 and IPv4 user 3 are connected to a Digital Subscriber Line Access Multiplexer (DSLAM) or optical line terminal (OLT) network. The DSLAM/OLT is connected to the BRAS. The BRAS is connected to an NGN server, a Radius server, a Dynamic Host Configuration Protocol (DHCP) server and an Internet Protocol television (IPTV) server network. The BRAS allocates IP addresses to, and authenticates, the terminals of IPv4 user 1, IPv4 user 2 and IPv4 user 3 respectively.
A BNG includes multiple physical ports, and different physical ports may connect different access node (AN) devices. The ways an AN device connects to a BNG include, without limitation, direct connection to the BNG and connection through an aggregation device. For example, FIG. 4 illustrates a BNG providing multiple physical ports to connect different AN devices. Each terminal is tagged with a unique Virtual LAN (VLAN) tag and accesses through a fixed physical port of the BNG. The information on the physical port through which the terminal accesses the BNG, together with its VLAN tag, is equivalent to the terminal's location.
FIG. 5 illustrates the internal functional modules of a BNG. The upper dashed box in FIG. 5 is the control plane of the BNG, which provides functions such as access management, session management, Authentication, Authorization and Accounting (AAA), address allocation and service policy control. The lower dashed box in FIG. 5 is the forwarding plane of the BNG, which implements forwarding processing for terminals, including: sending access protocol packets up to the control plane, forwarding the control packets sent by the control plane to the terminals, performing a binding check on the terminals' upstream data packets (after authentication succeeds, a corresponding binding table is generated on the forwarding plane) and IP forwarding, Quality of Service (QoS) processing, statistics and so on.
In 2019, the Broadband Forum (BBF) began work on defining the architecture and protocols of the virtual Broadband Network Gateway (vBNG) CU system. FIG. 6 shows the CU-separated BNG architecture defined in BBF TR-384. In a CU-separated BNG, the control plane (CPF) is decoupled from the physical BNG and deployed in a data center, while the physical BNG retains the forwarding plane function and remains deployed at its original location. Optionally, the CU-separated BNG includes multiple UPFs; for example, the CU-separated BNG shown in FIG. 6 includes three UPFs: UPF1, UPF2 and UPF3. Optionally, the multiple UPFs in the CU-separated BNG are distributed at different sites. Optionally, the multiple UPFs share the forwarding tasks cooperatively based on a distributed architecture.
FIG. 7 shows the three interfaces between the control plane (CP, also called the control plane) and the user plane (UP, also called the forwarding plane or user plane) in the vBNG CU system defined in BBF TR-459. The three interfaces between the CPF and the UPF are the Management interface (Mi), the Control Packet Redirection interface (CPRi) and the State Control interface (SCi).
The management interface communicates using the XML-based Network Configuration Protocol (Netconf) with YANG (a data modeling language).
The control packet redirection interface is used to forward protocol packets between the Customer Premise Equipment (CPE) and the CPF. It uses GPRS Tunnelling Protocol user plane (GTP-U) tunnels. FIG. 8 illustrates the function of the control packet redirection interface.
The state control interface communicates using the Packet Forwarding Control Protocol (PFCP) defined in 3GPP TS 29.244. It mainly implements the following functions: the UPF reports node information to the CPF; after the CPF completes terminal access, it delivers the forwarding control behaviour to the UPF for execution; and the UPF collects statistics and reports them to the CPF. FIG. 9 illustrates the function of the state control interface.
Having introduced the CU-separated BNG, the packet processing method provided by the embodiments of this application can be applied in the scenario where a CU-separated BNG performs access authentication for static users or abnormally offline users. These two scenarios are illustrated below as scenario A and scenario B.
Scenario A: static user access.
A static user is a user with a fixed IP address. Static users are also called leased-line users, and fixed IP addresses are also called static IP addresses. Specifically, the IP addresses of static users are preconfigured on the BNG. When a static user's IPoE terminal wants to access the network, it uses its preconfigured IP address to send an Address Resolution Protocol (ARP) packet, an IPv4 data packet, a Neighbor Discovery (ND) packet or an Internet Protocol version 6 (IPv6) data packet to the BNG; on receiving the packet, the BNG authenticates and admits the terminal based on the source IP address in the packet.
For example, FIG. 10 shows the static user access scenario. Four static user entries are preconfigured on the BNG, each holding one static user's IP address and access location information. The location information is expressed by the slot ID, card ID and port (also called optical port or physical port) ID through which the IPoE terminal accesses the BNG. The content of a static user entry is expressed in the format "IP address/interface type/slot/card/port". For example, the four entries shown in FIG. 10 contain 125.1.3.2 g1/0/0, 2012:1234::01 g1/0/0, 123.1.1.2 g2/0/0 and 2003::01 g2/0/0. In the string 125.1.3.2 g1/0/0, 125.1.3.2 means that the IPv4 address of static user 1 is 125.1.3.2, g means that the interface type through which static user 1 accesses is GigabitEthernet (GE), and 1/0/0 means that static user 1 accesses through slot ID 1, card ID 0 and port ID 0. In the string 2012:1234::01 g1/0/0, 2012:1234::01 means that the IPv6 address of static user 1 is 2012:1234::01, g means that the interface type is GE, and 1/0/0 means slot ID 1, card ID 0 and port ID 0. 123.1.1.2 g2/0/0 and 2003::01 g2/0/0 are interpreted in the same way. The video-on-demand server and the enterprise gateway in FIG. 10 are both examples of static users' IPoE terminals. The video-on-demand server has the fixed IP addresses 125.1.3.2/30 and 2012:1234::1 and may trigger access with either of them. The enterprise gateway has the fixed IP addresses 123.1.1.2/30 and 2003::01 and may trigger access with either of them.
FIG. 11 shows a flowchart of a method 100 for static user access to a BNG. Since the access of a static user's IPoE terminal involves no authentication protocol exchange, access authentication usually follows S101 to S150 below.
S101: the static user's IPoE terminal sends an ARP packet, IPv4 data packet, ND packet or IPv6 data packet.
S110: the BNG receives the ARP packet, IPv4 data packet, ND packet or IPv6 data packet on an ingress interface and extracts the source IP address from it. Based on the source IP address, the BNG determines whether authentication has already passed. If not, S120 is performed; if so, S150 is performed.
S120: the BNG matches the packet against the local static user list. If the match succeeds, S130 is performed and authentication begins; if it fails, S140 is performed.
S130: the BNG performs access processing. Specifically, static users are authenticated by binding authentication, that is, by the location information of the terminal's access (the BNG identifies the terminal's location by IP + port + VLAN tag): the BNG fills the location information into the Radius authentication request, and the backend Radius server recognizes the location information and performs authentication and authorization.
S140: the BNG discards the ARP packet, IPv4 data packet, ND packet or IPv6 data packet.
S150: the BNG forwards the IPv4 or IPv6 data packet, or processes the ARP or ND packet according to the protocol.
It can be seen from the above flow that if a spoofed attack flow enters the BNG, the BNG has to perform the static user list matching.
Scenario B: IPoE abnormally offline user access.
An abnormally offline user (terminal) is a user who obtained an IP address dynamically through IPoE; because of a link fault or hardware fault on the BNG, the BNG interrupts the service of the affected IPoE users, while the users are unaware of the fault and continue to hold their IP addresses within the lease.
Scenario B is also called the fast re-access of long-lease users. For example, FIG. 12 shows the IPoE abnormally offline user access scenario. The IPTV set-top box in FIG. 12 is an example of an IPoE terminal; specifically, it accesses the BNG via IPoE (that is, via DHCP). Since DHCP has no authentication procedure, such terminals also access by binding authentication, with the same flow as the static user access in scenario A. When the BNG can no longer detect the terminal or an interface fault occurs, the BNG records the online IPoE terminals in an abnormally offline list. After the fault is recovered, the BNG receives the IPoE terminal's IP flow, matches it against the IPoE terminal abnormally offline list and starts the fast recovery process, avoiding the delay of the IPoE terminal having to wait for lease expiry before it can access again.
FIG. 13 shows a flowchart of an IPoE terminal accessing and renewing its lease through DHCP. The IPoE terminal obtains an IP address and a lease through DHCP. The default lease is three days, and it can be configured shorter at deployment, for example 2 hours. Through DHCP renewal the terminal confirms that it may continue to hold the IP address; the DHCP renewal flow may be triggered when half of the lease time has elapsed.
FIG. 14 shows a flowchart of a method 200 for an IPoE abnormally offline terminal accessing a BNG. Method 200 includes S201 to S250 below. The access process of an IPoE abnormally offline terminal is the same as that of a static user, except for the table that is looked up: in S120 above the table looked up is the static user list, whereas in S220 below it is the IPoE abnormally offline terminal list.
S201: the IPoE terminal of the abnormally offline user sends an ARP packet, IPv4 data packet, ND packet or IPv6 data packet.
S210: the BNG receives the ARP packet, IPv4 data packet, ND packet or IPv6 data packet on an ingress interface and extracts the source IP address from it. Based on the source IP address, the BNG determines whether authentication has already passed. If not, S220 is performed; if so, S250 is performed.
S220: the BNG matches the packet against the local IPoE abnormally offline terminal list. If the match succeeds, S230 is performed and authentication begins; if it fails, S240 is performed.
S230: the BNG performs access processing. Specifically, IPoE abnormally offline terminals are authenticated by binding authentication, that is, by the location information of the terminal's access (the BNG identifies the terminal's location by IP + port + VLAN tag): the BNG fills the location information into the Radius authentication request, and the backend Radius server recognizes the location information and performs authentication and authorization.
S240: the BNG discards the ARP packet, IPv4 data packet, ND packet or IPv6 data packet.
S250: the BNG forwards the IPv4 or IPv6 data packet, or processes the ARP or ND packet according to the protocol.
Since the embodiments of this application involve the application of PFCP, the PFCP terms and concepts involved are introduced first for ease of understanding.
(1) PFCP
PFCP is a communication protocol between the control plane and the user plane. FIG. 15 illustrates the position of PFCP in the protocol stack. PFCP is carried over the User Datagram Protocol (UDP), and the IP layer may be IPv4 or IPv6. In PFCP, the UP is called the UPF and the CP is called the CPF. PFCP is defined in the 3rd Generation Partnership Project (3GPP) specification TS 29.244.
(2) UDP port numbers in PFCP messages
In a PFCP Request message, the UDP Destination port is 8805 and the UDP Source port is allocated locally by the sender of the PFCP message. In a PFCP Response message, the UDP destination port is the source port of the request message, and the UDP source port is the destination port of the corresponding request message.
(3) PFCP Association
When a connection (expressed by a pair of destination IP and source IP) is established between a CPF and a UPF, that connection is called a PFCP association (distinguished internally by node). In theory, multiple PFCP associations can be established between one CPF/UPF pair, and the control information carried by each association is independent. FIG. 16 illustrates multiple PFCP associations established between a CPF and UPFs: in FIG. 16 the CPF has established three PFCP associations with two UPFs, namely PFCP Association 1 and PFCP Association 2 with UPF(A), and PFCP Association 3 with UPF(B).
(4) PFCP session
After a terminal comes online, the CPF delivers control data to the UPF; the information for each terminal is called a PFCP session. Referring to FIG. 17, each PFCP association corresponds to part of the PFCP session control information. In FIG. 17 each PFCP association corresponds to the control information of a subset of Sub-Sessions, so when the response message for a PFCP session is sent, the IP header of the corresponding PFCP session request message must be found and its destination IP and source IP swapped to build the IP header of the response message. The data is in network byte order.
(5) PFCP messages
Table 1 below illustrates the PFCP Message Format. A PFCP message consists of two parts, the PFCP message header and the Information Elements (IEs). A PFCP message includes at least one PFCP message header and optionally IEs; the number of IEs in a PFCP message may be one or more.
Table 1
Table 2 below illustrates a UDP datagram carrying multiple PFCP messages. The FO (Follow On) flag in the header of each preceding PFCP message in the UDP datagram is 1, and the FO flag in the last PFCP message header is 0.
Table 2
(6) PFCP message header
Table 3 below illustrates the general format of the PFCP message header. The header is a variable-length structure whose first 4 bytes have a fixed format; the Flags field indicates whether additional information is carried. As shown in Table 3, the header is required to be 4-byte aligned, and its members are in network byte order.
Table 3
Table 4 below illustrates the meaning of each field in the PFCP message header.
Table 4
From the 5th byte on, the content of the PFCP message header depends on the order of the Flags in the 1st byte: the fields appear in the order bit 1 → bit 8 and are present when the corresponding bit is 1. Table 5 below illustrates the header format of a PFCP Node message.
Table 5
Table 6 below illustrates the header format of a PFCP session message, where Flag S = 1 and the SEID starts at the 5th byte. The SEID in the header is the remote peer's SEID, that is, it indicates the receiver's SEID.
Table 6
(7) IEs in PFCP messages
An IE can be understood as an attribute. IEs are encapsulated in TLV format, and IEs may be nested within one another. Whether an IE is mandatory is agreed in each context; for example, IEs are classified as shown in Table 7.
Table 7
Whether the IE appears in this procedure | Explanation |
Mandatory (M) | Must be present |
Conditional (C) | Must be carried when a certain condition is met |
Conditional-Optional (CO) | May be carried when a certain condition is met |
Optional (O) | May optionally be carried |
Depending on nesting, IEs are divided into grouped IEs and embedded IEs. An embedded IE is the smallest unit of attribute; a grouped IE can contain multiple embedded IEs. Table 8 below shows the IE format, and Table 9 shows the meaning of each field in an IE.
Table 8
Table 9
Message types are defined as shown in Table 10 below.
Table 10
In PFCP, multiple PFCP messages can be bundled (PFCP messages bundling). Specifically, one UDP datagram may carry multiple PFCP messages, each with an independent SN in its header; if such a bundled datagram is dropped in transit and must be retransmitted, the messages need not be retransmitted in the previous bundling order.
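As an added example (not part of the patent or of any product it describes), the following Python decodes the PFCP message header of sections (6) and (7), parses the TLV IEs with bounds checks, splits a bundled UDP payload using the length fields and the FO flag, and pulls the UE IP match field out of each Create PDR/PDI. The byte layout and the type codes (Create PDR = 1, PDI = 2, Source Interface = 20, PDR ID = 56, UE IP Address = 93, Session Establishment Request = 50) follow 3GPP TS 29.244, since the page's tables are not reproduced; the sample bundle is constructed here from the static user addresses in FIG. 10.

```python
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# IE and message type codes from 3GPP TS 29.244 (the patent's new IE/message types are not standardised)
IE_CREATE_PDR, IE_PDI, IE_SOURCE_INTERFACE, IE_PDR_ID, IE_UE_IP_ADDRESS = 1, 2, 20, 56, 93
GROUPED_IES = {IE_CREATE_PDR, IE_PDI}        # grouped IEs: the value is itself a sequence of IEs
MSG_SESSION_ESTABLISHMENT_REQUEST = 50

@dataclass
class PfcpIE:
    ie_type: int
    value: bytes
    enterprise_id: Optional[int] = None      # present when bit 16 of the type is set (vendor IE)
    children: List["PfcpIE"] = field(default_factory=list)

@dataclass
class PfcpHeader:
    fo: bool                # Follow On: another PFCP message follows in this UDP payload (Table 2)
    s: bool                 # S=1: session message, 8-byte SEID follows the fixed 4 octets (Table 6)
    message_type: int
    length: int             # octets after the first 4 header octets
    seid: Optional[int]
    seq: int
    header_len: int         # 8 for node messages, 16 for session messages (4-byte aligned, Table 3)

def parse_header(buf: bytes) -> PfcpHeader:
    if len(buf) < 4:
        raise ValueError("truncated PFCP header")
    flags, mtype, length = struct.unpack_from("!BBH", buf, 0)
    if flags >> 5 != 1:
        raise ValueError(f"unsupported PFCP version {flags >> 5}")
    s, fo = bool(flags & 0x01), bool(flags & 0x04)
    hlen = 16 if s else 8       # fixed 4 + optional SEID 8 + sequence number 3 + spare/priority 1
    if len(buf) < hlen or length + 4 < hlen or length + 4 > len(buf):
        raise ValueError("PFCP length field inconsistent with buffer")
    seid = struct.unpack_from("!Q", buf, 4)[0] if s else None
    seq = int.from_bytes(buf[hlen - 4:hlen - 1], "big")
    return PfcpHeader(fo, s, mtype, length, seid, seq, hlen)

def parse_ies(buf: bytes) -> List[PfcpIE]:
    """Decode a TLV sequence (Table 8) with bounds checks, recursing into grouped IEs."""
    ies, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated IE header")
        ie_type, ie_len = struct.unpack_from("!HH", buf, off)
        off, enterprise = off + 4, None
        if ie_type & 0x8000:                 # vendor-specific IE: 2-byte Enterprise ID precedes the value
            if ie_len < 2:
                raise ValueError("vendor IE shorter than its Enterprise ID")
            enterprise = struct.unpack_from("!H", buf, off)[0]
            off, ie_len = off + 2, ie_len - 2
        if off + ie_len > len(buf):
            raise ValueError("IE length exceeds enclosing message")
        ie = PfcpIE(ie_type, buf[off:off + ie_len], enterprise)
        off += ie_len
        if enterprise is None and ie_type in GROUPED_IES:
            ie.children = parse_ies(ie.value)
        ies.append(ie)
    return ies

def parse_udp_payload(payload: bytes) -> List[Tuple[PfcpHeader, List[PfcpIE]]]:
    """Split bundled PFCP messages by their length fields, stopping after the one whose FO is 0."""
    msgs, off = [], 0
    while off < len(payload):
        hdr = parse_header(payload[off:])
        body = payload[off + hdr.header_len:off + 4 + hdr.length]
        msgs.append((hdr, parse_ies(body)))
        off += 4 + hdr.length
        if not hdr.fo:
            break
    return msgs

def pdi_ue_ipv4(ies: List[PfcpIE]) -> List[str]:
    """Return the IPv4 match field (UE IP Address IE with the V4 flag) of every Create PDR's PDI."""
    found = []
    for pdr in (i for i in ies if i.ie_type == IE_CREATE_PDR):
        for pdi in (c for c in pdr.children if c.ie_type == IE_PDI):
            for leaf in pdi.children:
                if leaf.ie_type == IE_UE_IP_ADDRESS and len(leaf.value) >= 5 and leaf.value[0] & 0x02:
                    found.append(str(ipaddress.IPv4Address(leaf.value[1:5])))
    return found

def ie(ie_type: int, value: bytes) -> bytes:
    return struct.pack("!HH", ie_type, len(value)) + value

def session_message(mtype: int, seid: int, seq: int, ies: bytes, follow_on: bool = False) -> bytes:
    flags = 0x20 | 0x01 | (0x04 if follow_on else 0)         # version 1, S=1, optional FO
    body = struct.pack("!Q", seid) + seq.to_bytes(3, "big") + b"\x00" + ies
    return struct.pack("!BBH", flags, mtype, len(body)) + body

def sample_bundle() -> bytes:
    """Constructed sample: two bundled Session Establishment Requests, each with a Create PDR for one FIG. 10 address."""
    msgs = []
    for seq, ip in ((1, "125.1.3.2"), (2, "123.1.1.2")):
        ue_ip = b"\x02" + ipaddress.IPv4Address(ip).packed   # flags octet with the V4 bit set
        pdi = ie(IE_SOURCE_INTERFACE, b"\x00") + ie(IE_UE_IP_ADDRESS, ue_ip)
        pdr = ie(IE_CREATE_PDR, ie(IE_PDR_ID, struct.pack("!H", seq)) + ie(IE_PDI, pdi))
        msgs.append(session_message(MSG_SESSION_ESTABLISHMENT_REQUEST, 0, seq, pdr, follow_on=seq == 1))
    return b"".join(msgs)
```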
(8) PFCP forwarding model
PFCP defines an abstract UPF model based on fifth-generation mobile network (5G) services, and on this model defines the node messages, session messages and a series of IEs exchanged between the C and U planes. For example, FIG. 18 illustrates the flow of packet processing by a UPF. The UPF forwards packets by flow matching, similar in principle to Access Control Lists (ACLs). Referring to FIG. 18, after a packet enters the system it is matched against the Packet Detection Rule (PDR) table, and on a hit the fixed action is executed. Packet processing on the UPF mainly involves two concepts, the PFCP session and the PDR. FIG. 19 illustrates a PFCP session: the SMF delivers flow processing policies (Packet Detection Rules, PDRs) through the PFCP session over the N4 interface, and the UPF executes the PDRs to process packets.
(9) PDR
A PDR defines how packets are matched. Each PDR contains a set of "MAR + FAR + QER + URR". The MAR in FIG. 18 denotes a Multi-Access Rule (a packet matching rule); a MAR is similar to a Forwarding Information Base (FIB) or ACL lookup. The information in a PDR includes the Incoming Interface, the Local Fully Qualified TEID (Local F-TEID, which corresponds to a tunnel-terminated form of access, that is, a tunnel ID), the Network Instance (that is, the VRF instance), the User Equipment (UE) IP (the terminal's IP address) and the terminal Media Access Control (Client MAC) address.
FIG. 20 illustrates a PDR. A PDR is the combination of Packet Detection Information (PDI) and a Packet Action (PA, also called flow action). When a user packet matches the match fields in the PDI (such as the UE IP address), the PDR is hit and the UPF executes the PA in the PDR.
FIG. 21 illustrates a UPF performing session processing based on PFCP. After an upstream or downstream user-plane packet enters the UPF, the UPF finds the PFCP session the packet belongs to from the matched PDR, selects the highest-priority matching PDR within that PFCP session, and executes the flow action of that PDR to complete the processing of the packet.
The PA indicates the processing action the UPF performs on the packet. The PA includes the Forwarding Action Rule (FAR), the QoS Enforcement Rule (QER) and the Usage Reporting Rule (URR).
The FAR corresponds to the action executed by the UPF. Actions include, without limitation, drop, forward, buffer, Notify the CPF (NOCP), DUPL (Duplication) and IPMA (IP Multicast Accept). For example, the forwarding action is GTP encapsulation and decapsulation.
NOCP marks the arrival of the first downstream flow, which is buffered. DUPL means duplicating the packet, used in scenarios such as lawful interception and mirroring. IPMA means joining or leaving a multicast group. The FAR is a forwarding action that includes the encapsulation method; it resembles the behaviour defined after a Forwarding Information Base (FIB) or ACL lookup.
The Usage Reporting Rule (URR) performs statistics reporting actions, such as offline charging reports. A URR is attached to a session. When the UPF's resource usage reaches a threshold, it can report to the CPF, for example when a traffic quota is reached, a period ends or a certain event occurs.
The QER is the Quality of Service (QoS) processing rule, used for bandwidth guarantee and priority scheduling, for example Committed Access Rate (CAR, commonly called "rate limiting") or Queue processing, mirroring, and lawful interception (LW).
The system architecture provided by the embodiments of this application is introduced below with reference to FIG. 22 and FIG. 23.
Referring to FIG. 22, an embodiment of this application provides a network system 300. The network system 300 includes a UPF 301, a CPF 302, a core network 303, an RG 304 and an AN 305. The UPF 301 is an example of the UP device in the method embodiments below, and the CPF 302 is an example of the CP device in the method embodiments below. The different network elements among the UPF 301, CPF 302, core network 303, RG 304 and AN 305 are connected via wireless or wired networks.
The meanings of (1), (2) and (3) in FIG. 22 are as follows.
(1) means that the CPF delivers the configured static user table and the IPoE abnormally offline user table to the UPF. For example, the static user management module 3021 in the CPF 302 obtains the configured static user table, the IPoE abnormal terminal management module 3022 records the IPoE abnormally offline user table, and the CPF 302 delivers the static user table and the IPoE abnormally offline user table to the IP flow filtering module 3011 in the UPF through the state control interface.
(2) means that when an IP data flow triggers the access process, the UPF checks the static user table and the IPoE abnormally offline user table. Specifically, the UPF deploys an IP flow filtering module 3011. When the UPF receives an ARP packet, IPv4 data packet, ND packet or IPv6 data packet and the lookup of the local authentication binding table fails, the packet is first matched in the IP flow filtering module 3011, and only if the match succeeds is it sent up to the CPF. In addition, the IP flow filtering module 3011 provides rate limiting of the traffic sent up to the CPF.
(3) means that the CPF processes the access triggered by the IP flow.
Specifically, referring to FIG. 23, the UPF includes an IP flow filtering module 3011, a PFCP module 3012 and a PFCP session management module 3013.
The IP flow filtering module 3011 performs filtering of IP data flows.
The PFCP module 3012 receives the PFCP data delivered by the CPF, parses out the session content and distributes it to the PFCP session management module 3013.
The PFCP session management module 3013 parses the messages and notifies the IP flow filtering module to add, delete or update sessions.
The CPF includes a static user management module 3021, an IPoE abnormal terminal management module 3022, a PFCP session management module 3023, a PFCP module 3024, an access management module 3024, a UPF node management module 3025 and an AAA module 3026.
The static user management module 3021 processes static user configuration.
The IPoE abnormal terminal management module 3022 handles abnormal offline events of IPoE terminals, generates records and notifies the PFCP session management module 3023 to deliver them to the UPF.
The PFCP session management module 3023 receives notifications from the service-layer modules and delivers the static session list and the abnormal session list to the UPF.
The PFCP module 3024 encapsulates the session information in PFCP format and sends it to the peer.
Method 400, method 500, method 600 and method 700 below illustrate the method flows processed by the CU-separated communication system introduced above, which can implement the functions of the BNG described above.
The BNG in method 400, 500, 600 or 700 is an example of the communication system. Optionally, method 400, 500, 600 or 700 is applied not to a BNG but to another communication system with a CU-separated architecture, for example a CU-separated Serving Gateway (S-GW), a CU-separated PDN Gateway (PGW), or a communication system including an Access and Mobility Management Function (AMF) network element, a Session Management Function (SMF) network element and an AN network element, where the AMF or CPF corresponds to the CPF in the BNG and the UPF corresponds to the UPF in the BNG; or to the Access Gateway Function (AGF) network element in the WT-456 fixed-mobile convergence communication system.
Methods 400, 500, 600 and 700 below are inventions based on the same concept, all concerning how to move the security policy forward from the CPF to the UPF for execution. Method 400 focuses on the flow of the UPF executing the security policy; method 500 focuses on the overall flow including packet-triggered access, data forwarding, offline processing and clearing; methods 600 and 700 focus on how to implement method 500 using PFCP.
FIG. 24 is a flowchart of a packet processing method 400 provided by an embodiment of this application. Method 400 is performed, for example, by the IP flow filtering module in the UPF, and includes S410 to S460.
S410: extract information such as the source IP address, MAC address, VLAN tag and interface (that is, the port on the UP device that received the packet).
S420: determine whether authentication has passed. If not, perform S430; if so, perform S460.
S430: determine whether the match against the static user table or the abnormally offline user table succeeds. If it succeeds, perform S440; if it fails, perform S450.
S440: redirect the packet to the CPF through a tunnel.
S450: discard the packet.
S460: forward the IP data packet, or process it according to a protocol such as ARP or ND.
It can be seen from the above flow that the packet is sent to the CPF only after the match in S430 succeeds, which lightens the load on the CPF and lowers the risk of it being attacked.
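As an added example (not the patent's or any vendor's code), the following Python models the UP-side IP flow filtering module running method 400, which is also the monolithic flow of methods 100 and 200: PDRs hold a PDI built from FIG. 10 style entries such as "125.1.3.2 g1/0/0" with the action "to CPF"; a packet is checked first against the authenticated binding table (S420), then against the static/abnormally offline user PDRs (S430), and is redirected, forwarded or dropped. The per-interval redirect budget stands in for the CPF-bound rate limit attributed to module 3011; class and method names are illustrative.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


def canon_ip(ip: str) -> str:
    """Canonical text form so '2012:1234::01' and '2012:1234::1' compare equal."""
    return str(ipaddress.ip_address(ip))


@dataclass
class Packet:
    src_ip: str
    src_mac: str
    vlan: int
    interface: str                     # ingress port on the UP device as "slot/card/port"

    def __post_init__(self):
        self.src_ip = canon_ip(self.src_ip)


@dataclass(frozen=True)
class PDI:
    """Packet Detection Information: the match fields of one first-type user."""
    src_ip: str
    interface: Optional[str] = None    # UP access interface; None means the field is not part of the key
    mac: Optional[str] = None
    vlan: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (self.src_ip == pkt.src_ip
                and (self.interface is None or self.interface == pkt.interface)
                and (self.mac is None or self.mac.lower() == pkt.src_mac.lower())
                and (self.vlan is None or self.vlan == pkt.vlan))


@dataclass
class PDR:
    """Packet Detection Rule = PDI + Packet Action; the lowest precedence value wins, as in PFCP."""
    precedence: int
    pdi: PDI
    action: str                        # "TO_CPF" (redirect over the tunnel), "FORWARD" or "DROP"


ENTRY_RE = re.compile(r"^(\S+)\s+([a-z]+)(\d+)/(\d+)/(\d+)$")


def parse_static_entry(entry: str) -> PDI:
    """Parse a FIG. 10 style entry 'IP interface-type slot/card/port', e.g. '125.1.3.2 g1/0/0'."""
    m = ENTRY_RE.match(entry.strip())
    if not m:
        raise ValueError(f"malformed static user entry: {entry!r}")
    ip, _iftype, slot, card, port = m.groups()
    return PDI(src_ip=canon_ip(ip), interface=f"{slot}/{card}/{port}")


class IpFlowFilter:
    """UP-side IP flow filtering module executing S410-S460 of method 400."""

    def __init__(self, redirect_budget: int):
        self.binding_table: Dict[str, PDI] = {}   # second type of user: already authenticated
        self.pdrs: List[PDR] = []                 # first policy: static / abnormally offline users
        self.redirect_budget = redirect_budget    # cap on packets sent up to the CPF per interval
        self.redirected = 0

    def install_policy(self, entries: List[str], precedence: int = 100) -> None:
        """S501/S502: first policy from the CP, 'Key = IP + interface, action = to CPF'."""
        for e in entries:
            self.pdrs.append(PDR(precedence, parse_static_entry(e), "TO_CPF"))

    def delete_policy(self, src_ip: str) -> int:
        """Deletion request from the CP (config removed or lease expired); returns rules removed."""
        before = len(self.pdrs)
        self.pdrs = [p for p in self.pdrs if p.pdi.src_ip != canon_ip(src_ip)]
        return before - len(self.pdrs)

    def mark_authenticated(self, pkt: Packet) -> None:
        """CP reported authentication success: bind IP + MAC + VLAN + interface."""
        self.binding_table[pkt.src_ip] = PDI(pkt.src_ip, pkt.interface, pkt.src_mac, pkt.vlan)

    def new_interval(self) -> None:
        self.redirected = 0

    def process(self, pkt: Packet) -> str:
        # S420: second matching condition against the authenticated binding table
        bound = self.binding_table.get(pkt.src_ip)
        if bound is not None and bound.matches(pkt):
            return "FORWARD"                                   # S460
        # S430: first matching condition against static / abnormally offline user PDRs
        hits = [p for p in self.pdrs if p.pdi.matches(pkt)]
        if not hits:
            return "DROP"                                      # S450: blocked at the UP, never reaches the CP
        best = min(hits, key=lambda p: p.precedence)
        if best.action == "TO_CPF":
            if self.redirected >= self.redirect_budget:
                return "DROP"                                  # CPF-bound rate limit exceeded
            self.redirected += 1
            return "TO_CPF"                                    # S440: tunnel (GTP-U / Vxlan) to the CPF
        return best.action
```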
FIG. 25 is a flowchart of a packet processing method 500 provided by an embodiment of this application. Method 500 includes S501 to S522.
In some embodiments, method 500 is performed by the BNG in the system architecture shown in FIG. 1, by a CU-separated BNG as shown in any of FIG. 3, FIG. 6, FIG. 7, FIG. 8, FIG. 9, FIG. 22 or FIG. 23, by the BNG in the static user access scenario shown in FIG. 10, or by the BNG in the abnormally offline user access scenario shown in FIG. 12.
Optionally, method 500 is processed by a general-purpose central processing unit (CPU), jointly by a CPU and a network processor (NP), or, without a CPU or NP, by another processor suitable for packet forwarding; method 500 imposes no restriction on this.
S501: the CP device sends a first policy to the UP device included in the BNG.
The term "policy" refers to information containing a rule and an action identifier. A policy specifies that, when the information in a packet satisfies the rule, the device performs on the packet the action corresponding to the action identifier. Actions include, without limitation, redirection, forwarding, discarding, QoS control and statistics reporting. For example, when implemented with PFCP, the policy is a PDR, the rule is the PDI and the action identifier is the PA. The CP device delivers policies to the UP device, and when the UP device receives a packet it performs the corresponding action on it according to the policies delivered in advance by the CP device.
The first policy indicates that the packet is to be redirected to the CP device when the first information included in the packet and the information of the first type of user satisfy the first matching condition. The match rule in the first policy includes the information of the first type of user, and the action identifier in the first policy identifies the redirection action. Optionally, the action identifier in the first policy includes the identifier of the CP device. For example, the first policy includes "Key = IP + MAC + VLAN + interface, action = to CPF".
The first type of user is a user with a fixed Internet Protocol (IP) address. The information of the first type of user includes, without limitation, at least one of an IP address, a MAC address, a VLAN tag, an interface index or a port number. In some embodiments, the information of the first type of user is stored and transmitted in the form of a table; for example, the first policy includes a user table containing the information of the first type of user, where each entry (or record) of the user table includes the information of one first-type user.
In some embodiments, the first type of user includes at least one of a static user or an abnormally offline user, and the user table includes at least one of a static user table or an abnormal user table. The static user table, also called the static user list, contains the information of static users, for example one static user per entry. The abnormal user table, also called the abnormal user list or abnormally offline user list, contains the information of abnormally offline users, for example one abnormally offline user per entry. For the explanation of static users and abnormally offline users, see the introduction above.
It should be understood that this embodiment does not limit whether the static user table and the abnormal user table are separate tables or merged into one. In some embodiments they are two separate tables. In other embodiments they belong to the same table; for example, the user table has two attributes corresponding to static users and abnormally offline users respectively. In some embodiments, the user table contains a correspondence between user information and actions, and the action corresponding to the user information identifies whether the user has passed authentication: for example, if the action is "To CPF", the user has not yet passed authentication; if it is any action other than "To CPF", the user has passed authentication. In other embodiments, other attributes in the user table identify whether the user has passed authentication.
For example, static users correspond to a first attribute of the user table whose value is the static user information, and abnormally offline users correspond to a second attribute of the user table whose value is the abnormally offline user information.
The CP device may obtain the first policy in several ways. For example, a controller or network administrator preconfigures the first policy on the CP device. Alternatively, the CP device combines the information of the first type of user with the redirection information to obtain the first policy: for example, the static user table configured on the CP device is combined with the redirection information, or the abnormal user table generated by the CP device is combined with the redirection information. For how the CP device generates the abnormal user table, see the description of FIG. 12 and FIG. 13.
By delivering the redirection policy to the UP device, the CP device enables the UP device to obtain the policy through communication with the CP device, so that during packet access the UP device redirects a packet as soon as it matches the information of a user with a fixed IP address, which dispenses with the tedious manual configuration of policies and reduces configuration complexity.
S502、UP设备从CP设备接收第一策略,保存第一策略。
由于CP设备将第一类用户的信息下发至UP设备,并指示UP设备对报文中的信息与第 一类用户的信息进行匹配,从而将检查报文是否来自于IP地址固定的用户的任务从CP设备下沉至UP设备,从而降低了CP设备受到攻击的风险。
在一些实施例中,CP设备还向UP设备发送重定向参数。重定向参数包括GTP-U隧道信息或虚拟扩展局域网(Virtual Extensible Local Area Network,Vxlan)隧道信息中的至少一项。在一些实施例中,Vxlan隧道信息用于标识Vxlan隧道通过IPv4协议承载。Vxlan隧道信息包括CP设备的IPv4地址。在另一些实施例中,Vxlan隧道信息用于标识Vxlan隧道通过IPv6协议承载。Vxlan隧道信息包括CP设备的IPv6地址。
应理解,本实施例并不限定重定向参数和第一策略是一起发送还是分开发送。在一些实施例中,CP设备将重定向参数和第一策略封装在同一个控制报文中,向UP设备发送该控制报文;UP设备接收控制报文,从该控制报文获得重定向参数和第一策略。在另一些实施例中,CP设备将重定向参数和第一策略分别封装在两个控制报文中,一个控制报文包括第一策略,另一个控制报文包括重定向参数;CP设备向UP设备发送两个控制报文;UP设备接收两个控制报文,从携带重定向参数的控制报文获得重定向参数,从携带第一策略的控制报文获得第一策略。此外,在重定向参数和第一策略分开发送的情况下,对发送重定向参数和第一策略的时序不做限定。例如,CP设备先发送重定向参数再发送第一策略;又如,CP设备先发送第一策略再发送重定向参数。
CP设备通过将重定向参数下发给UP设备,使得UP设备能够依据CP设备下发的重定向参数封装隧道头以将报文重定向至CP设备,从而避免人工配置重定向参数的繁琐操作,降低方案实施的复杂度和配置的复杂度。
在一些实施例中,CP设备还向UP设备发送接口索引。CP设备通过将具有固定IP地址的用户的接入接口以接口索引的形式通知给UP设备,使得UP设备能够利用终端接入的接口与CP设备预先下发的接口索引是否匹配来进行接入认证,由于终端接入的接口代表着终端的位置,使得接入认证的过程考虑了位置的因素,因此有助于提高认证的安全性。
S503、UP设备接收报文。
例如,报文是数据报文。例如,报文包括而不限于IPv4数据报文、IPv6数据报文、ARP报文或ND报文中的至少一项。报文也称IP数据包。
S504、UP设备对报文包括的第二信息与第二类用户的信息进行匹配。
第二信息是UP设备检测是否已通过认证时根据报文获得的信息。例如,第二信息包括而不限于IP地址、MAC地址、VLAN标签、接口索引(即UP设备上接收报文的端口的端口号)中的至少一项。例如,第二信息包括的IP地址是源IP地址。例如,第二信息包括的源IP地址包括源IPv6地址或源IPv4地址中的至少一项。例如,第二信息包括的源IPv6地址是IPv6基本头中SA字段承载的地址。
第二类用户是指已通过认证的用户,例如是已通过绑定认证的用户。
UP设备如何获得第二类用户的信息包括多种方式。在一些实施例中,CP设备向UP设备发送第二类用户的信息。UP设备接收第二类用户的信息,在本地保存第二类用户的信息。当接收到报文时,UP设备查询保存的第二类用户的信息。
在一些实施例中,第二类用户的信息以表的形式保存和传输。例如,CP设备向UP设备发送认证绑定表,认证绑定表包括第二类用户的信息。例如,认证绑定表的每个表项(或称每个条目)包括一个第二类用户的信息。UP设备接收并保存认证绑定表。当接收到报文时, UP设备查询认证绑定表,对报文包括的第二信息与认证绑定表中的表项进行匹配。若报文包括的第二信息与认证绑定表中每个表项中的信息均不满足第二匹配条件,则执行以下S505。
S505、UP设备确定第二信息与第二类用户的信息不满足第二匹配条件。
第二匹配条件用于检测报文是否来自于已通过认证的用户的终端。UP设备判断报文包括的第二信息与第二类用户的信息进行匹配。在不同的判断结果下,UP设备执行的动作会有所差异,以下通过情况a至情况b举例说明。
情况a、若报文包括的第二信息与第二类用户的信息不满足第二匹配条件,指示报文并非来自于已通过认证的用户的终端,这种情况可称为检查认证绑定表失败,则UP设备执行以下S506。
可选地,第二匹配条件包括报文中的源IP地址与第一类用户的IP地址相同,且UP设备上接收报文的端口的端口号与第一类用户对应的端口号相同,且报文中的VLAN标签与第一类用户对应的VLAN标签相同。
情况b、若报文包括的第二信息与第二类用户的信息满足第二匹配条件,指示报文来自于已通过认证的用户的终端,这种情况可称为检查认证绑定表成功,那么,在报文是数据报文的情况下,UP设备会转发数据报文;在报文是ARP报文的情况下,UP设备会基于ARP协议对ARP报文进行处理;在报文是ND报文的情况下,UP设备会基于ND协议对ND报文进行处理。
不满足第二匹配条件包括多种情况。在一些实施例中,不满足第二匹配条件包括而不限于以下情况(A)、情况(B)或者情况(C)。
情况(A)报文中的源IP地址与第一类用户的IP地址不同。
情况(B)UP设备上接收报文的端口的端口号与第一类用户对应的端口号不同。
情况(C)报文中的VLAN标签与第一类用户对应的VLAN标签不同。
S506、UP设备根据第一策略,对报文包括的第一信息与第一类用户的信息进行匹配。
由于CP设备预先向UP设备下发了第一策略,UP设备会根据第一策略执行S506和S507。具体地,UP设备根据第一策略携带的第一类用户信息,执行对报文包括的第一信息与第一类用户的信息进行匹配的步骤。在第一信息与第一类用户的信息满足第一匹配条件的情况下,UP设备会执行向BNG包括的CP设备发送报文的步骤。
第一信息是UP设备在检测报文是否来自具有固定IP地址的用户时从报文中提取的信息。例如,第一信息包括而不限于IP地址、MAC地址、VLAN标签、UP设备上接收报文的接口索引(即端口的端口号)中的至少一项。例如,第一信息包括的IP地址是源IP地址。例如,第一信息包括的源IP地址包括源IPv6地址或源IPv4地址中的至少一项。例如,第一信息包括的源IPv6地址是IPv6基本头中SA字段承载的地址。
其中,接口索引用于标识UP设备上的接入接口(Access Interface)。接入接口为第一类用户的终端接入的接口。VLAN标签例如是单层VLAN标签(例如外层VLAN标签或者内层VLAN标签)或者内、外双层VLAN标签。
应理解,本实施例对第一信息和第二信息是否相同并不限定。在一些实施例中,第二信息和第一信息相同。在另一些实施例中,第二信息和第一信息不同。在另一些实施例中,第二信息和第一信息部分相同部分不同。
UP设备如何获得第一类用户的信息包括多种方式。在一些实施例中,CP设备向UP设 备发送第一类用户的信息。UP设备接收第一类用户的信息,在本地保存第一类用户的信息。当接收到报文时,UP设备查询保存的第一类用户的信息。
应理解,本实施例对用户表和认证绑定表是分离为不同的表还是合并为同一个表不做限定。在一些实施例中,用户表和认证绑定表是两个单独的表。在一些实施例中,用户表和认证绑定表属于同一个表。例如,用户表包括两个属性,两个属性分别对应于具有固定IP地址的用户和已通过认证用户。例如,具有固定IP地址的用户对应于用户表的第一属性,该第一属性的属性值是具有固定IP地址的用户的信息。已通过认证用户对应于用户表的第二属性,第二属性的属性值是已通过认证用户的信息。
S507、若第一信息与第一类用户的信息满足第一匹配条件,UP设备向BNG包括的CP设备发送报文。
UP设备向CP设备发送报文也可以称为UP设备将报文重定向至CP设备。
第一匹配条件用于检测报文是否来自于第一类用户的终端。例如,第一匹配条件用于检测报文是否来自于静态用户的终端。又如,第一匹配条件用于检测报文是否来自于异常下线用户的终端。应理解,本实施例对第一匹配条件和第二匹配条件是否相同并不限定。在一些实施例中,第二匹配条件和第一匹配条件相同。在另一些实施例中,第二匹配条件和第一匹配条件不同。在另一些实施例中,第二匹配条件和第一匹配条件部分相同部分不同。例如,第二匹配条件是IP地址、端口号和VLAN标签这三者均要匹配。第一匹配条件是IP地址要匹配,不限定UP设备上接收报文的端口的端口号和VLAN标签是否匹配。
UP设备判断报文包括的第一信息与第一类用户的信息是否满足第一匹配条件。在不同的判断结果下,UP设备执行的动作会有所差异,以下通过情况a至情况b举例说明。
情况a、若报文包括的第一信息与第一类用户的信息满足第一匹配条件,指示报文来自于第一类用户的终端,这种情况可称为匹配成功,UP设备会执行S507,从而将报文上送至CP设备。
满足第一匹配条件包括多种情况。在一些实施例中,满足第一匹配条件是指至少匹配IP地址,可选地还匹配UP设备上接收报文的端口的端口号或VLAN标签。例如,第一匹配条件包括而不限于以下条件(1)至条件(4)中的任一项。可选地,使用条件(1)至条件(3)进行匹配的方式称为模糊匹配的方式。使用以下条件(4)进行匹配的方式称为严格匹配的方式。
条件(1)报文中的源IP地址与第一类用户的IP地址相同。
条件(2)报文中的源IP地址与第一类用户的IP地址相同,且UP设备上接收报文的端口号与第一类用户对应的端口号相同。
条件(3)报文中的源IP地址与第一类用户的IP地址相同,且报文中的VLAN标签与第一类用户对应的VLAN标签相同。
条件(4)报文中的源IP地址与第一类用户的IP地址相同,且UP设备上接收报文的端口的端口号与第一类用户对应的端口号相同,且报文中的VLAN标签与第一类用户对应的VLAN标签相同。
在一些实施例中,第一匹配条件根据配置操作确定。换句话说,使用报文中的哪些信息与第一类用户的哪些信息进行匹配由控制器或网管人员的配置操作确定。例如,若预先配置了启用端口号或VLAN标签匹配,则UP设备使用端口号或VLAN标签匹配;若预先配置了 不启用端口号或VLAN标签匹配,则UP设备不使用端口号或VLAN标签匹配。
在一些实施例中,在不同的场景下满足的第一匹配条件有所区别。例如,在静态用户的场景下,满足第一匹配条件是上述条件(1)至条件(3)中的任一项。例如,在异常下线用户的场景下,满足第一匹配条件是上述条件(4)。
在静态用户接入的场景下,UP设备通过在接收到报文时,对报文中的信息与静态用户的信息进行匹配,在匹配成功的情况下,UP设备将报文上送至CP设备。由于将检查报文是否来自于静态用户的任务从CP设备下沉至UP设备,避免了CP设备检查这类报文带来的资源开销,减轻了CP设备的负载。尤其是,如果恶意IP报文流发起网络攻击,由于CP设备无需为恶意IP报文流执行检查是否来自于静态用户的任务,因此降低了CP设备受到恶意IP报文流攻击的风险,提高了CP设备的网络安全。
在异常下线用户接入的场景下,UP设备通过在接收到报文时,对报文中的信息与异常下线用户的信息进行匹配,在匹配成功的情况下,UP设备将报文上送至CP设备。由于将检查报文是否来自于异常下线用户的任务从CP设备下沉至UP设备,避免了CP设备检查这类报文带来的资源开销,减轻了CP设备的负载。尤其是,如果恶意IP报文流发起网络攻击,由于CP设备无需为恶意IP报文流执行检查是否来自于异常下线用户的任务,因此降低了CP设备受到恶意IP报文流攻击的风险,提高了CP设备的网络安全。
情况b、若报文包括的第一信息与第一类用户的信息不满足第一匹配条件,指示报文并非来自于第一类用户的终端,这种情况可称为匹配失败,UP设备会丢弃报文,而不会将报文发送至CP设备,从而避免CP设备对这类报文进行接入处理造成的性能开销以及处理资源浪费。尤其是,在报文是用于进行网络攻击的恶意报文的情况下,由于恶意报文包括的信息与第一类用户的信息不匹配,UP设备会丢弃恶意报文,使得恶意报文的传输在UP设备处被阻断,而不会经过UP设备到达CP设备,因此避免CP设备对恶意报文执行接入处理的动作,从而降低了CP设备受到网络攻击的风险。
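The UP-side decision sequence of method 400 (S410 to S460) and of S504 to S507 above, as an added example that is not part of the patent: the authentication binding table is checked strictly, then the static user table under configurable fuzzy matching (conditions (1) to (3)) and the abnormal-offline user table under strict matching (condition (4)), yielding forward, redirect or discard. Table entries, packets and the `UpClassifier` class are constructed for this illustration; the MAC address is omitted from the match key because the page's conditions (1) to (4) use only IP, port and VLAN.

```python
"""UP-side packet classification for methods 400/500 (added example, not patent code)."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Action(Enum):
    FORWARD = "forward"   # S460 / case b of S505: packet of an authenticated user
    TO_CPF = "to CPF"     # S440 / S507: redirect to the CP device for access processing
    DROP = "drop"         # S450 / case b of S507: no table matched, drop at the UP device


@dataclass(frozen=True)
class UserEntry:
    """One row of a user table (authentication binding, static user or abnormal-offline user).

    Constructed sample values; conditions (1)-(4) on the page use IP, port and VLAN tag."""
    ip: str
    ifindex: Optional[int] = None   # port on the UP device the user is expected on
    vlan: Optional[int] = None      # VLAN tag the user is expected to carry


@dataclass(frozen=True)
class Packet:
    """Fields extracted in S410: source IP, VLAN tag and ingress port (MAC omitted here)."""
    src_ip: str
    vlan: Optional[int]
    ifindex: int


def strict_match(pkt: Packet, entry: UserEntry) -> bool:
    """Condition (4), also the second match condition: IP, port and VLAN must all agree."""
    return (pkt.src_ip == entry.ip
            and pkt.ifindex == entry.ifindex
            and pkt.vlan == entry.vlan)


def fuzzy_match(pkt: Packet, entry: UserEntry, check_port: bool, check_vlan: bool) -> bool:
    """Conditions (1)-(3): IP always; port and VLAN only when enabled by configuration."""
    if pkt.src_ip != entry.ip:
        return False
    if check_port and pkt.ifindex != entry.ifindex:
        return False
    if check_vlan and pkt.vlan != entry.vlan:
        return False
    return True


class UpClassifier:
    """Holds the tables the CP device delivered (S501/S502) and applies them per packet."""

    def __init__(self, auth_binding: List[UserEntry], static_users: List[UserEntry],
                 abnormal_users: List[UserEntry],
                 check_port: bool = False, check_vlan: bool = False) -> None:
        self.auth_binding = list(auth_binding)
        self.static_users = list(static_users)
        self.abnormal_users = list(abnormal_users)
        self.check_port = check_port      # the "configuration operation" of the page
        self.check_vlan = check_vlan

    def classify(self, pkt: Packet) -> Action:
        # S420 / S504: authenticated users are matched strictly against the binding table
        if any(strict_match(pkt, e) for e in self.auth_binding):
            return Action.FORWARD
        # S430 / S506: static users use fuzzy matching as configured
        if any(fuzzy_match(pkt, e, self.check_port, self.check_vlan)
               for e in self.static_users):
            return Action.TO_CPF
        # abnormal-offline users are matched strictly (condition (4))
        if any(strict_match(pkt, e) for e in self.abnormal_users):
            return Action.TO_CPF
        return Action.DROP

    def on_auth_accept(self, entry: UserEntry) -> None:
        """S510/S511: after authentication the CP device installs the forward policy."""
        self.auth_binding.append(entry)

    def on_offline(self, ip: str) -> None:
        """S515/S516: the terminal went offline, the redirect policy applies again."""
        self.auth_binding = [e for e in self.auth_binding if e.ip != ip]

    def on_delete_request(self, ip: str) -> None:
        """S521/S522: clear the fixed-IP user's information on the UP device."""
        self.static_users = [e for e in self.static_users if e.ip != ip]
        self.abnormal_users = [e for e in self.abnormal_users if e.ip != ip]
```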
The UP device can redirect the packet to the CP device in several ways. In some embodiments, a tunnel is established between the UP device and the CP device, the UP device being the start point and the CP device the end point. The UP device encapsulates the packet in the format of that tunnel and sends the encapsulated packet to the CP device, so that the packet travels through the tunnel to the CP device.
When a tunnel is used, the UP device can encapsulate the packet in several ways. For example, the UP device adds a tunnel header to the packet; the encapsulated packet then consists of the tunnel header in the outer layer and the packet received from the terminal in the inner layer. The source address field of the tunnel header carries the IP address of the UP device and the destination address field carries the IP address of the CP device. Because the outer tunnel header is addressed to the CP device, the intermediate nodes along the path route the packet to the CP device, so the packet is redirected from its original destination node to the CP device. Optionally, the UP device adds not only a tunnel header but also an extension header, in which case the encapsulated packet consists of the tunnel header, the extension header and the packet received from the terminal.
Several tunnel types can carry the redirected packet; for example, the UP device redirects the packet to the CP device through a GTP-U tunnel or a Vxlan tunnel. Mode I below describes sending the packet through a GTP-U tunnel and Mode II sending it through a Vxlan tunnel.
Mode I. The UP device adds a GTP-U header to the packet and sends the packet with the GTP-U header.
The GTP-U header is an example of the tunnel header when the tunnel type is a GTP-U tunnel. In some embodiments, the UP device adds not only the GTP-U header but also a network service header (NSH), and sends the packet carrying both the GTP-U header and the NSH.
In some embodiments, Mode I uses the redirect parameters delivered in advance by the CP device. Specifically, the redirect parameters delivered to the UP device include GTP-U tunnel information, from which the UP device generates the GTP-U header and adds it to the packet. In other embodiments, the GTP-U tunnel information used by the UP device is preconfigured on the UP device rather than delivered by the CP device; this embodiment does not limit how the UP device obtains the GTP-U tunnel information.
Mode II. The UP device adds a Vxlan header to the packet and sends the packet with the Vxlan header.
The Vxlan header is an example of the tunnel header when the tunnel type is a Vxlan tunnel. In some embodiments, the UP device adds not only the Vxlan header but also a CU extension header, and sends the packet carrying both the Vxlan header and the CU extension header.
The Vxlan header includes, without limitation, a standard Vxlan header or an overlay header extended from the Vxlan protocol, for example a Vxlan Generic Protocol Encapsulation (Vxlan-GPE) header or a Generic Network Virtualization Encapsulation (GENEVE) header. When Vxlan-GPE is used, the UP device adds the Vxlan header and the CU extension header to the packet with relatively small header overhead, saving the network resources used by packet transmission and the performance cost on the device.
In some embodiments, Mode II uses the redirect parameters delivered in advance by the CP device. Specifically, the redirect parameters delivered to the UP device include Vxlan tunnel information, from which the UP device generates the Vxlan header and adds it to the packet. In other embodiments, the Vxlan tunnel information used by the UP device is preconfigured on the UP device rather than delivered by the CP device; this embodiment does not limit how the UP device obtains the Vxlan tunnel information.
In some embodiments, the UP device applies rate limiting when redirecting packets to the CP device. For example, a rate threshold for sending packets is preset on the UP device, which monitors whether the sending rate exceeds the threshold; if it does, the UP device buffers the pending packets in a queue or similar, keeping the sending rate at or below the threshold.
S508. The CP device receives the packet from the UP device.
S509. The CP device performs access processing according to the packet.
For example, the CP device generates an authentication request that includes the user's information, such as a user name and password, and may also include the first information or the second information, and sends the authentication request to the authentication server. The authentication server receives the request, authenticates the user information it carries, generates an authentication response according to the result and sends it to the CP device, which receives the authentication response.
If the authentication result is a pass, the authentication response sent by the authentication server indicates that authentication passed. Based on the response, the CP device allows the user to access the network and performs S510 below, thereby instructing the UP device to forward packets for the user. In addition, the CP device stores the second information as information of the second type of user, for example in the authentication binding table.
If the authentication result is a failure, the authentication response sent by the authentication server indicates that authentication failed, and based on the response the CP device denies the user access to the network.
S510. The CP device sends a second policy to the UP device.
The second policy instructs that the packet be forwarded when the first information in the packet and the information of the first type of user satisfy the first match condition, or, alternatively, when the second information in the packet and the information of the second type of user satisfy the second match condition. The match rule of the second policy includes the information of the first type of user or of the second type of user, and its action identifier identifies the forward action. For example, the second policy includes "Key=IP+MAC+VLAN+interface, action=forward".
S511. The UP device receives the second policy from the CP device and stores it.
S512. The UP device receives a packet.
S513. The UP device forwards the packet according to the second policy.
S514. The CP device detects that the terminal of the first-type user is offline.
For example, the CP device detects an interface fault or a board fault on the UP device and performs offline processing for the terminals that access through that interface or board.
S515. The CP device sends a third policy to the UP device.
The third policy instructs that the packet be redirected to the CP device when the first information in the packet and the information of the first type of user satisfy the first match condition, or, alternatively, when the second information in the packet and the information of the second type of user satisfy the second match condition. The match rule of the third policy includes the information of the first type of user or of the second type of user, and its action identifier identifies the redirect action. For example, the third policy includes "Key=IP+MAC+VLAN+interface, action=to CPF".
S516. The UP device receives the third policy from the CP device and stores it.
S517. The UP device receives a packet.
S518. The UP device sends the packet to the CP device according to the third policy.
S519. The CP device detects that the configuration information of the first-type user has been deleted or that the lease of the first-type user has expired.
S520. The CP device sends a deletion request to the UP device, the deletion request instructing the UP device to delete the information of the first-type user.
The CP device sends the deletion request in several scenarios. In some embodiments, the CP device detects that the configuration information of the first-type user has been deleted and, triggered by that deletion, generates a deletion request and sends it to the UP device, the deletion request instructing that the information of the user whose configuration was deleted be cleared; for example, a controller or network administrator deletes the configuration information of a static user on the CP device, and the CP device generates a deletion request for that static user. In other embodiments, the CP device starts a timer and checks whether the recorded duration exceeds the lease of the first-type user; if the CP device detects that the lease has expired, then, triggered by the expiry, it generates a deletion request and sends it to the UP device, the deletion request instructing that the information of the user whose lease expired be cleared. Lease expiry is also called aging.
S521. The UP device receives the deletion request from the CP device.
S522. In response to the deletion request, the UP device deletes the information of the first-type user.
For example, the UP device deletes the static user table, completing the cleanup of static users, or deletes the abnormal user table, completing the cleanup of IPoE abnormal-offline users. In scenarios such as the deletion of a static user's configuration or the lease expiry of an abnormal-offline user, the CPF instructs the UPF to clear the information of users with fixed IP addresses, so that the storage occupied by that user information on the UPF is released promptly once the information is invalid.
This embodiment provides a method for preventing attacks on the CP device in the scenario of access authentication by a CU-separated BNG: when the UP device receives a packet, it matches the information in the packet against the information of users with fixed IP addresses and, on a successful match, sends the packet up to the CP device. Because the task of checking whether a packet comes from a user with a fixed IP address is moved down from the CP device to the UP device, the resource cost of the CP device checking such packets is avoided and the load on the CP device is reduced. In particular, if a malicious IP packet flow launches a network attack, the CP device no longer has to check that flow against the users with fixed IP addresses, so the risk of the CP device being attacked by the malicious flow is lowered and the network security of the CP device is improved.
Method 600 and method 700 below illustrate implementing method 500 with PFCP. In other words, the flows of method 600 and method 700 describe how to move the security policy forward to the UP device for enforcement based on PFCP. It should be understood that steps of method 600 and method 700 that are the same as in method 500 are described in method 500 and are not repeated here; for PFCP implementation details in method 600 and method 700, refer to the introduction of PFCP above.
Method 600 and method 700 below use some PFCP terminology. For example, the CP device is called the CPF, the UP device the UPF, the policy the PDR, the rule in the policy the PDI and the action identified in the policy the PA.
In method 600, messages of the PFCP protocol are reused to convey the information exchanged between the CP device and the UP device. The reused messages are, for example, PFCP node messages or session messages. Specifically, method 600 reuses the session messages shown in Table 11 below to deliver the static user table or the IPoE abnormal-offline user table to the UPF.
Table 11
Referring to Figure 26, Figure 26 is a flowchart of a packet processing method 600 provided by an embodiment of this application. The method shown in Figure 26 concerns how to reuse PFCP session messages to deliver the static user table or the IPoE abnormal-offline user table to the UPF. Optionally, each PFCP session corresponds to one static user or one IPoE abnormal-offline user.
By way of example, method 600 includes S600 to S690 and involves four stages. Stage one is the flow before authentication passes and includes S610 to S630. Stage two is the flow when authentication passes and includes S640 to S650. Stage three is the terminal offline flow and includes S660 to S670. Stage four is the flow for deleting a static user configuration or aging an IPoE abnormal user (not coming online within the lease) and includes S680 to S690.
In some embodiments, the state control interface and the control packet redirect interface of PFCP are extended to carry the signalling of method 600. Specifically, the messages exchanged between the CPF and the UPF in method 600 are carried over the state control interface and the control packet redirect interface: in S610 the PFCP Session Establishment Request is delivered from the CPF to the UPF over the state control interface, and in S620 the PFCP Session Establishment Response is sent from the UPF to the CPF over the state control interface; in S630 the access-triggering packet is sent from the UPF to the CPF over the control packet redirect interface; in S640 the PFCP Session Modification Request is delivered from the CPF to the UPF over the state control interface, and in S650 the PFCP Session Modification Response is sent from the UPF to the CPF over the state control interface; in S660 the PFCP Session Modification Request is delivered from the CPF to the UPF over the state control interface, and in S670 the PFCP Session Modification Response is sent from the UPF to the CPF over the state control interface; in S680 the PFCP Session Deletion Request is delivered from the CPF to the UPF over the state control interface, and in S690 the PFCP Session Deletion Response is sent from the UPF to the CPF over the state control interface.
S600. Configure the static user table on the CPF, or have the CPF generate the IPoE abnormal-offline user table.
S610. The CPF sends a PFCP Session Establishment Request to the UPF.
Specifically, the CPF generates the PFCP Session Establishment Request and sends it to the UPF, notifying the UPF to create the session so that, after matching the IP flow of that session, the UPF redirects the packets to the CPF. The PFCP Session Establishment Request carries a PDR, which is the first policy of method 500. The PDR in the request includes a PDI and a PA, and the PDI includes the static user table and the abnormal user table. The content of the PFCP Session Establishment Request includes "Key=IP+MAC+VLAN+interface, action=to CPF", where "Key=IP+MAC+VLAN+interface" means the match key consists of the packet's source IP address, source MAC address, VLAN tag (single or double) and the interface (or port) that received the packet, and "action=to CPF" means the action is to send the packet up to the CPF. "action=to CPF" is one of the forwarding actions defined in PFCP.
By reusing the PFCP Session Establishment Request, a PFCP session message, and the PFCP mechanism of delivering PDRs through a PFCP session, the CPF delivers the information of users with fixed IP addresses and the redirect action to the UPF, so that the scheme of enforcing security policies on the UPF blends more smoothly with the PFCP architecture and can reuse PFCP's communication mechanisms, reducing the complexity of implementation and configuration.
S620. The UPF receives the PFCP Session Establishment Request, generates a PFCP Session Establishment Response and sends it to the CPF.
In addition, the UPF creates at least one PFCP session. Specifically, the UPF maintains a session table. After receiving the information of the first type of user from the CPF, the UPF stores each user's information in the PFCP session corresponding to that user: for example, it stores each static user's information from the static user table in that static user's PFCP session in the session table, and each abnormal-offline user's information from the abnormal-offline user table in that user's PFCP session in the session table.
S630. The UP device receives a packet and, according to the PDR, matches the first information in the packet against the information of the first type of user. If the first information and the first-type user information in the PDI satisfy the first match condition, the UP device sends the packet to the CP device included in the BNG according to the packet action PA corresponding to the PDI.
In the forwarding stage, when the UPF receives a packet it extracts parameters from the packet and matches them against the static user table and abnormal user table stored in the session table; on a successful match, the UPF redirects the packet to the CPF through a GTP-U or Vxlan tunnel. The packet parameters the UPF uses include the IPv4 address or IPv6 address and optionally the VLAN tag or the interface index of the access interface. The PA indicates redirection to the CP device.
By reusing the PFCP mechanism for processing PFCP sessions, with the information of the first type of user as the match fields of the PDI and the redirect action as the PA executed when the PDI is hit, the CPF makes the scheme of enforcing security policies on the UPF blend more smoothly with the PFCP architecture and reuse PFCP's communication mechanisms, reducing the complexity of implementation and configuration.
S640. The CPF completes authentication of the terminal and sends a PFCP Session Modification Request to the UPF.
After receiving the packet, the CPF performs access processing on it. For example, the CPF sends an authentication request to the AAA server, which receives it, performs authentication and returns an Accept message to the CPF. On receiving the Accept, the CPF determines that authentication passed, generates a PFCP Session Modification Request and sends it to the UPF. The request carries a PDR, which is the second policy of method 500; specifically, the PDR in the request includes a PDI and a PA.
The PDI carried in the PFCP Session Modification Request includes the static user table and the abnormal user table. In the forwarding stage, the UPF extracts parameters from the packet and matches them against the static user table and abnormal user table in the PDI; the parameters include the IPv4 address, IPv6 address, VLAN tag and the interface index of the access interface. The PA indicates forwarding. By sending the PFCP Session Modification Request, the CPF delivers the static user table and the abnormal user table to the UPF. The request includes "Key=IP+MAC+VLAN+interface, action=forward"; through it the CPF modifies the session and instructs the UPF to forward the packets after matching the session's IP flow.
Here, "Key=IP+MAC+VLAN+interface" means the match key consists of the packet's source IP address, source MAC address, VLAN tag (single or double) and the interface (or port) that received the packet, and "action=forward" means the action is forwarding. "action=forward" is one of the forwarding actions defined in PFCP.
S650. The UPF receives the PFCP Session Modification Request, generates a PFCP Session Modification Response and sends it to the CPF. In addition, the UPF updates the session in the session table.
S660. On detecting an interface fault or board fault on the UPF, the CPF performs offline processing for the terminal, generates a PFCP Session Modification Request and sends it to the UPF.
The PFCP Session Modification Request carries a PDR, which is the third policy of method 500. For example, the request includes the static user table and the abnormal user table, and includes "Key=IP+MAC+VLAN+interface, action=to CPF".
S670. The UPF receives the PFCP Session Modification Request, generates a PFCP Session Modification Response and sends it to the CPF.
Through S660 and S670, the CPF modifies the session with the PFCP Session Modification message, instructing the UPF to redirect the packets to the CPF after matching the session's IP flow.
S680. The CPF detects that the static user configuration has been deleted or that an IPoE abnormal user has aged (not come online within the lease), generates a PFCP Session Deletion Request and sends it to the UPF.
S690. The UPF receives the PFCP Session Deletion Request, generates a PFCP Session Deletion Response and sends it to the CPF. In addition, the UPF updates the session.
The PFCP Session Deletion Request is an example of the deletion request in method 500. By reusing the PFCP Session Deletion Request, a PFCP session message, and the PFCP mechanism for deleting PFCP sessions to clear the information of users with fixed IP addresses on the UPF, the CPF makes the scheme of enforcing security policies on the UPF blend more smoothly with the PFCP architecture and reuse PFCP's communication mechanisms, reducing the complexity of implementation and configuration.
By performing S680 and S690, the CPF edits the session with the PFCP Session Deletion Request message, instructing the UPF how to handle the packets of the session's IP flow after matching it, that is, whether to forward them or redirect them to the CPF.
The following describes the IEs carried in the PFCP Session Establishment Request of method 600.
Referring to Table 12 below, Table 12 shows the meaning of the identifiers used in the IE tables of method 600.
Table 12
Presence category of the IE in method 600 | Meaning |
Mandatory (M) | Must be carried |
Conditional (C) | Must be carried when a certain condition is met |
Conditional-Optional (CO) | May be carried when a certain condition is met |
Optional (O) | May be carried |
Referring to Table 13 below, Table 13 gives examples of the several types of IE involved in method 600.
Table 13
Referring to Table 14 below, Table 14 gives an example of the Create PDR IE.
Table 14
Referring to Table 15 below, Table 15 gives an example of the PDI IE.
Table 15
Referring to Table 16 below, Table 16 gives an example of the Create Traffic Endpoint IE.
Table 16
Referring to Table 17 below, Table 17 gives an example of the content of the Create FAR IE.
Table 17
Referring to Table 18 below, Table 18 gives an example of the IEs carried in the PFCP Session Establishment Response.
Table 18
IE | P | Condition/Note | IE type |
Node ID | M | Device number of the UPF | Node ID |
Cause | M | Result of the processing | Cause |
Referring to Table 19 below, Table 19 gives an example of the IEs carried in the PFCP Session Modification Request.
Table 19
In addition, the content of the Modify PDR IE is the same as that of the Create PDR IE, and the content of the Modify FAR IE is the same as that of the Create FAR IE. The PFCP Session Deletion Request carries no special IE; it reuses the session ID in the message header to instruct the UPF to delete the corresponding session.
In some embodiments, a new IE type is extended to carry the interface index. For example, the IE carrying the interface index is called the interface index (If-index) IE, whose IE type is a newly extended IE type. Taking the IE type of the interface index IE as the first IE type, the CPF carries the interface index in an IE of the first IE type and sends that IE to the UPF, thereby delivering the interface index. In some embodiments, the IE of the first IE type is an Embedded IE.
The interface index IE can be transmitted in a PFCP message. For example, the CPF carries the IE of the first IE type in a first PFCP message, so that the first PFCP message sent by the CPF includes that IE. The first PFCP message is a PFCP Session Establishment Request or a PFCP Static Session Establishment Request. The first IE type identifies that the IE includes the interface index. In some embodiments, the value of the first IE type is greater than 32768. Specifically, PFCP reserves IE type values 32768 to 65535 as the vendor extension range, and one value from 32768 to 65535 can be chosen as the value of the first IE type. By way of example, the interface index IE is as shown in Table 20 below, where NN in bytes 1 to 2 is a decimal value greater than 32768, 2100 in bytes 5 to 6 is an example of a vendor number in decimal format, and the interface index in bytes 7 to 10 is encoded as a 32-bit unsigned integer (Unsigned32 binary integer value).
Table 20
By extending a new IE type to carry the interface index, the IE format of PFCP messages is reused to deliver the interface index to the UPF, so that the scheme of enforcing security policies on the UPF blends more smoothly with the PFCP architecture, reducing the complexity of implementation and configuration.
In some embodiments, a new IE type is extended to carry the redirect parameters. For example, the IE carrying the redirect parameters is called the Redirect Parameters IE, whose IE type is a newly extended IE type. Taking the IE type of the Redirect Parameters IE as the second IE type, the CPF carries the redirect parameters in an IE of the second IE type and sends that IE to the UPF, thereby delivering the redirect parameters. In some embodiments, the IE of the second IE type is a grouped IE.
By extending a new IE type to carry the redirect parameters, the IE format of PFCP messages is reused to deliver the redirect parameters to the UPF, reducing the complexity of implementation and configuration.
The Redirect Parameters IE can be transmitted in a PFCP message. For example, the CPF carries the IE of the second IE type in a first PFCP message, so that the first PFCP message sent by the CPF includes that IE. The first PFCP message carrying the Redirect Parameters IE is, for example, a PFCP Session Establishment Request or a PFCP Static Session Establishment Request. The second IE type identifies that the IE includes the redirect parameters. In some embodiments, the value of the second IE type is greater than 32768.
In some embodiments, the Redirect Parameters IE includes at least one IE. The IEs included in the Redirect Parameters IE have different IE types, and each of them carries the information of one tunnel type: for example, one IE in the Redirect Parameters IE carries the Vxlan tunnel information and another carries the GTP-U tunnel information. By way of example, the Redirect Parameters IE is as shown in Table 21, where NN in bytes 1 to 2 is a decimal value greater than 32768 and 2100 in bytes 5 to 6 is an example of a vendor number in decimal format.
Table 21
In some embodiments, a new IE type is extended to carry the Vxlan tunnel information. For example, the IE carrying the Vxlan tunnel information is called the Vxlan Info IE, whose IE type is a newly extended IE type. Taking the IE type of the Vxlan Info IE as the third IE type, the CPF carries the Vxlan tunnel information in an IE of the third IE type and sends that IE to the UPF, thereby delivering the Vxlan tunnel information. In some embodiments, the IE of the third IE type is an Embedded IE. The third IE type identifies that the IE includes the Vxlan tunnel information. For example, the Vxlan Info IE is as shown in Table 22 below.
Table 22
In the 5th byte of the Vxlan Info IE, when BitV4 is 1 the Vxlan tunnel runs over IPv4, and bytes m to (m+3) carry the IPv4 address at which the CPF terminates the Vxlan tunnel; when BitV6 is 1 the Vxlan tunnel runs over IPv6, and bytes p to (p+15) carry the IPv6 address at which the CPF terminates the Vxlan tunnel. Bits 5 to 8 of the 5th byte are alignment bits and are set to 0. Exactly one of the two bits BitV4 and BitV6 is set to 1.
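An encoder and a validating decoder for the two vendor-specific IEs described above (the interface index IE of Table 20 and the Vxlan Info IE of Table 22), added here as an example and not code from the patent. Assumptions: the IE type values are placeholders above 32768 (the page gives them only as "NN"); bytes 3 to 4 are the standard PFCP IE Length field; BitV4 and BitV6 are taken as bit 1 and bit 2 of the flags byte, and the address is assumed to start directly after the flags byte (m = p = 6), since the page does not fix those positions.

```python
"""Vendor-specific PFCP IEs: If-index IE and Vxlan Info IE (added example, not patent code)."""
import ipaddress
import struct

ENTERPRISE_ID = 2100          # decimal vendor number used as the example on the page
IFINDEX_IE_TYPE = 32769       # placeholder "NN": any value above 32768 is vendor-specific
VXLAN_INFO_IE_TYPE = 32770    # placeholder for the third IE type of the page

FLAG_V4 = 0x01    # assumed position of BitV4 in the 5th byte
FLAG_V6 = 0x02    # assumed position of BitV6 in the 5th byte
PAD_MASK = 0xF0   # bits 5-8 of the 5th byte are alignment bits and must be 0


def encode_ifindex_ie(ifindex: int) -> bytes:
    """Bytes 1-2 type, 3-4 length, 5-6 enterprise ID, 7-10 Unsigned32 interface index."""
    if not 0 <= ifindex <= 0xFFFFFFFF:
        raise ValueError("interface index must fit in an Unsigned32")
    value = struct.pack("!HI", ENTERPRISE_ID, ifindex)
    return struct.pack("!HH", IFINDEX_IE_TYPE, len(value)) + value


def decode_ifindex_ie(buf: bytes) -> int:
    """Parse and validate an If-index IE; raises ValueError on any layout violation."""
    if len(buf) < 4:
        raise ValueError("truncated IE header")
    ie_type, length = struct.unpack_from("!HH", buf, 0)
    if ie_type != IFINDEX_IE_TYPE:
        raise ValueError(f"unexpected IE type {ie_type}")
    if length != 6 or len(buf) < 4 + length:
        raise ValueError("If-index IE must carry exactly 6 value bytes")
    enterprise, ifindex = struct.unpack_from("!HI", buf, 4)
    if enterprise != ENTERPRISE_ID:
        raise ValueError(f"unexpected enterprise ID {enterprise}")
    return ifindex


def encode_vxlan_info_ie(cpf_addr: str) -> bytes:
    """Bytes 1-2 type, 3-4 length, 5 flags (V4 or V6), then the 4- or 16-byte CPF address."""
    addr = ipaddress.ip_address(cpf_addr)
    flags = FLAG_V4 if addr.version == 4 else FLAG_V6
    value = bytes([flags]) + addr.packed
    return struct.pack("!HH", VXLAN_INFO_IE_TYPE, len(value)) + value


def decode_vxlan_info_ie(buf: bytes) -> str:
    """Return the CPF tunnel endpoint address; enforces 'exactly one of V4/V6' and zero padding."""
    if len(buf) < 5:
        raise ValueError("truncated Vxlan Info IE")
    ie_type, length = struct.unpack_from("!HH", buf, 0)
    if ie_type != VXLAN_INFO_IE_TYPE:
        raise ValueError(f"unexpected IE type {ie_type}")
    if len(buf) < 4 + length:
        raise ValueError("length field exceeds buffer")
    flags = buf[4]
    if flags & PAD_MASK:
        raise ValueError("alignment bits 5-8 must be zero")
    if flags & (FLAG_V4 | FLAG_V6) not in (FLAG_V4, FLAG_V6):
        raise ValueError("exactly one of BitV4 and BitV6 must be set")
    addr_len = 4 if flags & FLAG_V4 else 16
    if length != 1 + addr_len:
        raise ValueError("length does not match the address family flag")
    return str(ipaddress.ip_address(buf[5:5 + addr_len]))
```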
By extending a new IE type to carry the Vxlan tunnel information, the IE format of PFCP messages is reused to deliver the Vxlan tunnel information to the UPF, reducing the complexity of implementation and configuration.
This embodiment provides a PFCP-based method for preventing attacks on the CP device in the scenario of access authentication by a CU-separated BNG. On top of lightening the load on the CPF and lowering the risk of the CPF being attacked, it reuses PFCP session messages to deliver the information of static users and abnormal-offline users, and reuses the session processing model and the PDR mechanism to enforce the redirect policy, so that the scheme of enforcing security policies on the UPF is implemented with the communication mechanisms PFCP already provides, blends more smoothly with the PFCP architecture and reduces the complexity of implementation and configuration.
In method 600 above, reusing the existing PFCP session messages adds complexity to the processing of normal terminal access. On the one hand, after authentication passes, when the CPF delivers a session to the UPF it must check whether the user is a static user or an IPoE abnormal-offline user: if so, the message code is PFCP Session Modification; if the user is neither a static user nor an IPoE abnormal-offline user, the message code is PFCP Session Establishment. On the other hand, during offline processing the CPF must likewise distinguish message codes when delivering the session to the UPF.
In view of this, a separate Static-Session message can be added to simplify normal service processing; see method 700 below.
In method 700, new messages are extended from the PFCP protocol to convey the information exchanged between the CPF and the UPF. The extended messages are, for example, PFCP node messages or session messages. For example, referring to Table 23 below, new message type values are requested from the session-level message type range reserved in PFCP (such as 58-99), and the CPF uses PFCP messages of the new message types to deliver the static user table or the IPoE abnormal-offline user table to the UPF.
Table 23
In Table 23 above, 58, 59, 60 and 61 are examples of the newly extended message types.
Referring to Figure 27, Figure 27 is a flowchart of a packet processing method 700 provided by an embodiment of this application. The method shown in Figure 27 concerns how to extend PFCP with new session messages to deliver the static user table or the IPoE abnormal-offline user table to the UPF. Optionally, each PFCP static session (PFCP Static-Session) corresponds to one configured static user, and each PFCP session corresponds to one static user that has come online. The PFCP static session and the PFCP session are identified by the same session ID; for example, both have session ID 1. For example, the Precedence value carried in the PFCP Static Session Establishment Request is smaller than the precedence value carried in the PFCP Session Establishment. Thus, when the UPF matches the same flow, it preferentially performs, according to the precedence values, the action indicated by the PFCP Session Establishment.
By way of example, method 700 includes S700 to S790 and involves four stages. Stage one is the flow before authentication passes and includes S710 to S730. Stage two is the flow when authentication passes and includes S740 to S750. Stage three is the terminal offline flow and includes S760 to S770. Stage four is the flow for deleting a static user configuration or aging an IPoE abnormal user (not coming online within the lease) and includes S780 to S790.
It should be understood that method 700 focuses on its differences from method 600; steps of method 700 that are the same as in method 600 are described in method 600 and are not repeated here.
The state control interface and the control packet redirect interface of PFCP are extended to carry the signalling of method 500. In other words, the messages exchanged between the CPF and the UPF in method 500 are carried over the state control interface and the control packet redirect interface. For example, in method 700 below: in S710 the PFCP Static Session Establishment Request is delivered from the CPF to the UPF over the state control interface, and in S720 the PFCP Static Session Establishment Response is sent from the UPF to the CPF over the state control interface; in S730 the access-triggering packet is sent from the UPF to the CPF over the control packet redirect interface; in S740 the PFCP Session Establishment Request is delivered from the CPF to the UPF over the state control interface, and in S750 the PFCP Session Establishment Response is sent from the UPF to the CPF over the state control interface; in S760 the PFCP Session Deletion Request is delivered from the CPF to the UPF over the state control interface, and in S770 the PFCP Session Deletion Response is sent from the UPF to the CPF over the state control interface; in S780 the PFCP Static Session Deletion Request is delivered from the CPF to the UPF over the state control interface, and in S790 the PFCP Static Session Deletion Response is sent from the UPF to the CPF over the state control interface.
S700. Configure the static user table on the CPF, or have the CPF generate the IPoE abnormal-offline user table.
S710. The CPF sends a PFCP Static Session Establishment Request to the UPF.
Specifically, the CPF generates the PFCP Static Session Establishment Request and sends it to the UPF, notifying the UPF to create the session so that, after matching the IP flow of that session, the UPF redirects the packets to the CPF.
The PFCP Static Session Establishment Request is a PFCP session message whose message type indicates the creation of a PFCP session for the first type of user. For example, referring to Table 23 above, the message type value of the PFCP Static Session Establishment Request is 58; 58 is a session-level message type value reserved in PFCP and can be used to identify the creation of a PFCP session for a static user. The PFCP Static Session Establishment Request carries a PDR, which is the first policy of method 500. The PDR in the request includes a PDI and a PA. The PDI includes the information of the first type of user, so that the UPF uses that information as the parameters identifying the packet flow and enforces the first policy accordingly; the PDI includes an IPv4 address or IPv6 address and optionally the VLAN tag or the interface index of the access interface. The PA indicates redirection to the CPF.
By extending a PFCP message of a new message type, the CPF uses that message to deliver the information of users with fixed IP addresses and the redirect action to the UPF, so that after authentication passes the CPF can uniformly use the PFCP Session Establishment Request to deliver sessions for users with fixed IP addresses and for other users alike, reducing the complexity of the CPF's processing of normal terminal access.
In some embodiments, the CPF carries the session ID of the first-type user's session and the precedence of the first-type user in the PFCP Static Session Establishment Request sent to the UPF. The PFCP Static Session Establishment Request includes the session ID and the precedence of the first-type user's session. The UPF obtains the session ID and the precedence from the request and creates a session with that session ID and that precedence. For example, if the PFCP Static Session Establishment Request includes ID=1 and precedence=1, the UPF creates a session with ID 1 and precedence 1.
S720. The UPF receives the PFCP Static Session Establishment Request, generates a PFCP Static Session Establishment Response and sends it to the CPF.
In addition, the UPF creates at least one PFCP session.
S730. The UP device receives a packet and, according to the PDR, matches the first information in the packet against the information of the first type of user. If the first information and the first-type user information in the PDI satisfy the first match condition, the UP device sends the packet to the CP device included in the BNG according to the packet action PA corresponding to the PDI.
Specifically, when the UPF receives a packet, it matches the Session (ID=1, precedence=1) table using the source IP, interface and other information; if the PDR matches, it redirects the packet to the CPF through a GTP-U or Vxlan tunnel.
S740. The CPF completes authentication of the terminal, generates a PFCP Session Establishment Request and sends it to the UPF.
The PFCP Session Establishment Request carries a PDR, which is the second policy of method 500. Specifically, the PDR in the request includes a PDI and a PA. The PDI includes the static user table and the abnormal user table. In the forwarding stage, the UPF extracts parameters from the packet and matches them against the static user table and abnormal user table in the PDI; the parameters include the IPv4 address, IPv6 address, VLAN tag and the interface index of the access interface. The PA indicates forwarding. By sending the PFCP Session Establishment Request, the CPF delivers the static user table and the abnormal user table to the UPF. The request includes "Key=IP+MAC+VLAN+interface, action=forward"; through it the CPF instructs the UPF to forward the packets after matching the session's IP flow.
In some embodiments, the CPF carries the session ID of the first-type user's session and the precedence of the first-type user in the PFCP Session Establishment Request sent to the UPF. The PFCP Session Establishment Request includes the session ID and the precedence of the first-type user's session. The precedence in the PFCP Session Establishment Request is greater than the precedence in the PFCP Static Session Establishment Request, and the session ID in the PFCP Session Establishment Request is the same as the session ID in the PFCP Static Session Establishment Request. The UPF obtains the session ID and the precedence from the request and creates a session with that session ID and that precedence. For example, if the PFCP Session Establishment Request includes ID=1 and precedence=2, the UPF creates a Session with ID 1 and precedence 2.
S750. The UPF receives the PFCP Session Establishment Request, generates a PFCP Session Establishment Response and sends it to the CPF. In addition, the UPF adds the session to the session table.
S760. On detecting an interface fault or board fault on the UPF, the CPF performs offline processing for the terminal, generates a PFCP Session Deletion Request and sends it to the UPF.
S770. The UPF receives the PFCP Session Deletion Request, generates a PFCP Session Deletion Response and sends it to the CPF.
In some embodiments, the PFCP Session Deletion Request includes a session ID, instructing the UPF to delete the PFCP session corresponding to that session ID. For example, if the PFCP Session Deletion Request includes ID=1, the UPF deletes the PFCP session with session ID 1 according to the request.
S780. The CPF detects that the static user configuration has been deleted or that an IPoE abnormal user has aged (not come online within the lease), generates a PFCP Static Session Deletion Request and sends it to the UPF.
The PFCP Static Session Deletion Request is a PFCP session message whose message type indicates the deletion of the PFCP session of the first type of user. For example, referring to Table 23 above, the message type value of the PFCP Static Session Deletion Request is 60; 60 is a session-level message type value reserved in PFCP and can be used to identify the deletion of a static user's PFCP session.
S790. The UPF receives the PFCP Static Session Deletion Request, generates a PFCP Static Session Deletion Response and sends it to the CPF. In addition, the UPF deletes the static session.
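The S710 to S790 exchange of method 700 as a model of the UPF session table, added here as an example and not code from the patent: a static session and an online session share session ID 1, the PDR with the higher precedence value decides the action as the page states, and deleting each session in turn reverts the flow to redirect and then to drop. The `Upf` class, the PDR fields and the sample user are constructed; 58 and 60 are the message type values of Table 23, and 50, 54 and the Cause values 1 and 65 are the standard values of 3GPP TS 29.244.

```python
"""UPF session table driven by the method 700 message flow (added example, not patent code)."""
from dataclasses import dataclass
from typing import List, Optional

# Message types: 50/54 are the standard PFCP Session Establishment/Deletion Request types
# of TS 29.244; 58/60 are the static-session types listed in Table 23 on the page.
PFCP_SESSION_ESTABLISHMENT_REQUEST = 50
PFCP_SESSION_DELETION_REQUEST = 54
PFCP_STATIC_SESSION_ESTABLISHMENT_REQUEST = 58
PFCP_STATIC_SESSION_DELETION_REQUEST = 60

# Cause values of TS 29.244: 1 = request accepted, 65 = session context not found
CAUSE_ACCEPTED = 1
CAUSE_SESSION_NOT_FOUND = 65


@dataclass(frozen=True)
class Pdr:
    precedence: int
    src_ip: str                 # PDI: IPv4/IPv6 address of the fixed-IP user
    ifindex: Optional[int]      # PDI: access interface index, None = not part of the PDI
    action: str                 # PA: "to CPF" or "forward"

    def matches(self, src_ip: str, ifindex: int) -> bool:
        return self.src_ip == src_ip and (self.ifindex is None or self.ifindex == ifindex)


@dataclass
class Session:
    session_id: int
    static: bool                # True for a Static-Session (S710), False for a session (S740)
    pdrs: List[Pdr]


class Upf:
    def __init__(self) -> None:
        self.sessions: List[Session] = []

    def handle(self, msg_type: int, session_id: int,
               pdrs: Optional[List[Pdr]] = None) -> int:
        """Apply one request and return the Cause value the response would carry."""
        if msg_type == PFCP_STATIC_SESSION_ESTABLISHMENT_REQUEST:
            self.sessions.append(Session(session_id, True, list(pdrs or [])))
            return CAUSE_ACCEPTED
        if msg_type == PFCP_SESSION_ESTABLISHMENT_REQUEST:
            # the same session ID as the static session is allowed (the page uses ID 1 for both)
            self.sessions.append(Session(session_id, False, list(pdrs or [])))
            return CAUSE_ACCEPTED
        if msg_type in (PFCP_SESSION_DELETION_REQUEST, PFCP_STATIC_SESSION_DELETION_REQUEST):
            static = msg_type == PFCP_STATIC_SESSION_DELETION_REQUEST
            before = len(self.sessions)
            self.sessions = [s for s in self.sessions
                             if not (s.session_id == session_id and s.static == static)]
            return CAUSE_ACCEPTED if len(self.sessions) < before else CAUSE_SESSION_NOT_FOUND
        raise ValueError(f"unsupported message type {msg_type}")

    def classify(self, src_ip: str, ifindex: int) -> str:
        """Return the PA of the winning PDR, or "drop" when no session matches the flow."""
        hits = [p for s in self.sessions for p in s.pdrs if p.matches(src_ip, ifindex)]
        if not hits:
            return "drop"
        # The page gives the static session precedence 1 and the online session precedence 2
        # and says the online session's action wins, so the highest value is chosen here.
        # TS 29.244 evaluates the PDR with the lowest Precedence value first; a deployment
        # that follows the standard ordering must invert this comparison.
        return max(hits, key=lambda p: p.precedence).action


def run_method_700_flow() -> List[str]:
    """S710 -> S730 -> S740 -> S760 -> S780 for one constructed static user."""
    upf = Upf()
    user = ("192.0.2.10", 3)      # constructed: fixed IP and access interface index 3
    actions = []
    upf.handle(PFCP_STATIC_SESSION_ESTABLISHMENT_REQUEST, 1,
               [Pdr(1, user[0], user[1], "to CPF")])
    actions.append(upf.classify(*user))    # S730: redirect to the CPF
    upf.handle(PFCP_SESSION_ESTABLISHMENT_REQUEST, 1,
               [Pdr(2, user[0], user[1], "forward")])
    actions.append(upf.classify(*user))    # after S740/S750: forward
    upf.handle(PFCP_SESSION_DELETION_REQUEST, 1)
    actions.append(upf.classify(*user))    # after S760/S770: static session applies again
    upf.handle(PFCP_STATIC_SESSION_DELETION_REQUEST, 1)
    actions.append(upf.classify(*user))    # after S780/S790: nothing matches, drop
    return actions
```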
The following describes the IEs carried in the PFCP Static Session Establishment Request of method 700.
Referring to Table 24 below, Table 24 shows the meaning of the identifiers used in the IE tables of method 700.
Table 24
Presence category of the IE in method 700 | Meaning |
Mandatory (M) | Must be carried |
Conditional (C) | Must be carried when a certain condition is met |
Conditional-Optional (CO) | May be carried when a certain condition is met |
Optional (O) | May be carried |
Referring to Table 25 below, Table 25 gives examples of the several types of IE involved in method 700.
Table 25
Referring to Table 26 below, Table 26 gives examples of the several types of IE involved in the PFCP Static Session Establishment Response.
Table 26
IE | P | Condition/Note | IE type |
Node ID | M | Device number of the UPF | Node ID |
Cause | M | Result of the processing | Cause |
In addition, the PFCP Static Session Deletion Request reuses the session ID in the message header to instruct the UPF to delete the corresponding session. The IEs carried in the PFCP Static Session Deletion Response message are, for example, as shown in Table 27 below.
Table 27
IE | P | Condition/Note | IE type |
Node ID | M | Device number of the UPF | Node ID |
Cause | M | Result of the processing | Cause |
In addition, the grouped IE and Embedded IE extended in method 700 are the same as in method 600; refer to method 600 above.
This embodiment provides a PFCP-based method for preventing attacks on the CP device in the scenario of access authentication by a CU-separated BNG. On top of lightening the load on the CPF and lowering the risk of the CPF being attacked, it extends PFCP with session messages of a new type to deliver the information of static users and abnormal-offline users, and reuses the session processing model and the PDR mechanism to enforce the redirect policy. This not only makes the scheme of enforcing security policies on the UPF blend more smoothly with the PFCP architecture, but also avoids the processing complexity that arises when the CPF has to distinguish users with fixed IP addresses from other users while delivering sessions to the UPF after authentication and while performing offline processing, thus simplifying the CPF's normal service processing.
The PFCP Session Establishment Request or PFCP Static Session Establishment Request involved in method 600 and method 700 is an example of the PFCP message the CPF uses to deliver the first policy. In other embodiments, the CPF carries the first policy in a PFCP message other than the PFCP Session Establishment Request or PFCP Static Session Establishment Request and delivers the first policy by sending that other PFCP message to the UPF; this embodiment does not limit the type of PFCP message used to deliver the first policy.
The PFCP Session Deletion Request or PFCP Static Session Deletion Request involved in method 600 and method 700 is an example of the PFCP message the CPF uses to instruct the UPF to delete the information of users with fixed IP addresses. In other embodiments, the CPF carries the first policy in a PFCP message other than the PFCP Session Deletion Request or PFCP Static Session Deletion Request and, by sending that other PFCP message to the UPF, instructs the UPF to delete the information of users with fixed IP addresses; this embodiment does not limit the type of PFCP message used for deleting the information of users with fixed IP addresses.
Implementing method 500 with PFCP, as described in method 600 and method 700, is one optional approach. In other embodiments, a C/U communication protocol other than PFCP is used to implement method 500. The C/U communication protocol may be called a Control User Plane Separation (CUPS) interface protocol or the SCi protocol.
The foregoing has introduced method 400, method 500, method 600 and method 700 of the embodiments of this application; the following introduces the UP device and the CP device of the embodiments of this application.
The UP device and CP device introduced below have any of the functions of the UPF or CPF in method 400, method 500, method 600 and method 700 above. The UP device introduced below corresponds to the UPF, and the CP device introduced below corresponds to the CPF.
Figure 28 is a schematic structural diagram of a UP device 800 provided by an embodiment of this application. The UP device 800 is located in a communication system with UP and CP separation. As shown in Figure 28, the UP device 800 includes: a receiving module 801, configured to receive a packet;
a matching module 802, configured to match first information included in the packet against information of a first type of user, the first type of user having a fixed Internet Protocol (IP) address;
a sending module 803, configured to send the packet to a control plane (CP) device if the first information and the information of the first type of user satisfy a first match condition.
Optionally, the first type of user includes at least one of a static user and an abnormal-offline user.
Optionally, the matching module 802 is further configured to match second information included in the packet against information of a second type of user, the second type of user having passed authentication;
and the UP device further includes a determining module, configured to determine that the second information and the information of the second type of user do not satisfy a second match condition.
Optionally, the sending module 803 is configured to send the packet to the CP device according to the packet action (PA) corresponding to packet detection information (PDI) if the first information and the information of the first type of user in the PDI satisfy the first match condition, the PA indicating redirection to the CP device.
Optionally, the receiving module 801 is further configured to receive a first policy from the CP device, the first policy instructing that the packet be redirected to the CP device when the first information included in the packet and the information of the first type of user satisfy the first match condition.
Optionally, the receiving module 801 is configured to receive a first Packet Forwarding Control Protocol (PFCP) message from the CP device, the packet detection rule (PDR) carried in the first PFCP message being the first policy; the first PFCP message is a PFCP Session Establishment Request, or the first PFCP message is a PFCP session message including a first message type, the first message type indicating the creation of a PFCP session for the first type of user.
Optionally, the first PFCP message includes an interface index, the interface index identifying an access interface on the UP device, the access interface being the interface through which the terminal of the first type of user accesses.
Optionally, the interface index is carried in an IE having a first information element (IE) type, the first IE type identifying that the IE includes the interface index.
Optionally, the sending module 803 is configured to add a General Packet Radio Service Tunnelling Protocol user plane (GTP-U) header to the packet and send the packet with the GTP-U header; or to add a Virtual Extensible Local Area Network (Vxlan) header to the packet and send the packet with the Vxlan header.
Optionally, the receiving module 801 is further configured to receive redirect parameters from the CP device, the redirect parameters including at least one of GTP-U tunnel information and Vxlan tunnel information.
Optionally, the redirect parameters are carried in an IE having a second IE type, the second IE type identifying that the IE includes the redirect parameters.
Optionally, the Vxlan tunnel information is carried in an IE having a third IE type, the third IE type identifying that the IE includes the Vxlan tunnel information.
Optionally, the receiving module 801 is further configured to receive a deletion request from the CP device; and the UP device further includes a deletion module, configured to delete the information of the first type of user in response to the deletion request.
Optionally, the deletion request is a second PFCP message;
the second PFCP message is a PFCP Session Deletion Request; or,
the second PFCP message is a PFCP session message including a second message type, the second message type indicating the deletion of the PFCP session of the first type of user.
Optionally, the UP device further includes a discarding module, configured to discard the packet if the first information and the information of the first type of user do not satisfy the first match condition.
It should be understood that the UP device 800 corresponds to the UPF (UP device) in the method embodiments above, and that the modules of the UP device 800 and the other operations and/or functions above serve to implement the steps and methods performed by the UPF (UP device) in method 400, method 500, method 600 and method 700; for details, refer to method 400, method 500, method 600 and method 700 above, which for brevity are not repeated here.
It should be understood that the division of the UP device 800 into the functional modules above is only an example for its packet processing; in practice, the functions may be assigned to different functional modules as required, that is, the internal structure of the UP device 800 may be divided into different functional modules to perform all or part of the functions described above. In addition, the UP device 800 provided by the embodiment above and method 400, method 500, method 600 and method 700 stem from the same concept; for its specific implementation, see method 400, method 500, method 600 and method 700, not repeated here.
Figure 29 is a schematic structural diagram of a CP device 810 provided by an embodiment of this application. The CP device 810 is located in a communication system with CP and UP separation. As shown in Figure 29, the CP device 810 includes: a sending module 811, configured to send a first policy to a user plane (UP) device, the first policy instructing that a packet be redirected to the CP device when first information included in the packet and information of a first type of user satisfy a first match condition, the first type of user having a fixed Internet Protocol (IP) address;
a receiving module 812, configured to receive the packet from the UP device;
a processing module 813, configured to perform access processing according to the packet.
Optionally, the first type of user includes at least one of a static user and an abnormal-offline user, the static user being a user with a fixed IP address and the abnormal-offline user being a user who went offline abnormally because of a fault in the communication system within the lease of the IP address assigned by the communication system.
Optionally, the sending module 811 is configured to send a first Packet Forwarding Control Protocol (PFCP) message carrying the first policy; the first PFCP message is a PFCP Session Establishment Request, or the first PFCP message is a PFCP session message including a first message type, the first message type indicating the creation of a PFCP session for the first type of user.
Optionally, the packet carries a General Packet Radio Service Tunnelling Protocol user plane (GTP-U) header or a Virtual Extensible Local Area Network (Vxlan) header, and the sending module 811 is further configured to send redirect parameters to the UP device, the redirect parameters including at least one of GTP-U tunnel information and Vxlan tunnel information.
Optionally, the CP device includes a detecting module, configured to detect that the configuration information of the first type of user has been deleted or that the lease of the first type of user has expired;
and the sending module 811 is further configured to send a deletion request to the UP device, the deletion request instructing the deletion of the information of the first type of user.
Optionally, the deletion request is a second PFCP message;
the second PFCP message is a PFCP Session Deletion Request; or,
the second PFCP message is a PFCP session message including a second message type, the second message type indicating the deletion of the PFCP session of the first type of user.
Optionally, the first PFCP message includes an interface index, the interface index identifying an access interface on the UP device, the access interface being the interface through which the terminal of the first-type static user accesses or the interface through which the terminal of the abnormal-offline user accesses.
Optionally, the interface index is carried in a grouped IE having a first information element (IE) type, the first IE type identifying that the IE includes the interface index.
Optionally, the redirect parameters are carried in a grouped IE having a second IE type, the second IE type identifying that the IE includes the redirect parameters.
Optionally, the Vxlan tunnel information is carried in an embedded IE having a third IE type, the third IE type identifying that the IE includes the Vxlan tunnel information.
It should be understood that the CP device 810 corresponds to the CPF (CP device) in the method embodiments above, and that the modules of the CP device 810 and the other operations and/or functions above serve to implement the steps and methods performed by the CPF (CP device) in method 400, method 500, method 600 and method 700; for details, refer to method 400, method 500, method 600 and method 700 above, which for brevity are not repeated here.
It should be understood that the division of the CP device 810 into the functional modules above is only an example for its packet processing; in practice, the functions may be assigned to different functional modules as required, that is, the internal structure of the CP device 810 may be divided into different functional modules to perform all or part of the functions described above. In addition, the CP device 810 provided by the embodiment above and method 400, method 500, method 600 and method 700 stem from the same concept; for its specific implementation, see method 400, method 500, method 600 and method 700, not repeated here.
The hardware structure of the UP device or the CP device is introduced below.
The device 900 or device 1000 introduced below corresponds to the UPF (UP device) or CPF (CP device) in method 400, method 500, method 600 and method 700 above. The hardware and modules of device 900 or device 1000 and the other operations and/or functions above serve to implement the steps and methods performed by the UPF (UP device) or CPF (CP device) in the method embodiments; for the detailed flow of how device 900 or device 1000 processes packets, refer to method 400, method 500, method 600 and method 700 above, which for brevity are not repeated here. The steps of method 400, method 500, method 600 and method 700 are performed by integrated logic circuits of hardware in the processor of device 900 or device 1000, or by instructions in the form of software. The steps of the methods disclosed in the embodiments of this application may be performed directly by a hardware processor, or by a combination of hardware and software modules in the processor. The software module may reside in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or a register. The storage medium resides in the memory; the processor reads the information in the memory and completes the steps of the methods above in combination with its hardware, which to avoid repetition is not described in detail here.
Device 900 corresponds to the UP device 800 or CP device 810 above, and each functional module of the UP device 800 or CP device 810 is implemented in software on device 900. In other words, the functional modules of the UP device 800 or CP device 810 are generated when the processor of device 900 reads the program code stored in its memory.
Device 1000 corresponds to the UP device 800 above, and each functional module of the UP device 800 is implemented in software on device 1000. In other words, the functional modules of the UP device 800 are generated when the processor of device 1000 reads the program code stored in its memory.
Referring to Figure 30, Figure 30 is a schematic structural diagram of a device 900 provided by an exemplary embodiment of this application. Optionally, device 900 is configured as the UPF (UP device) or CPF (CP device). In other words, the UPF (UP device) or CPF (CP device) in method 400, method 500, method 600 and method 700 above is optionally implemented by device 900.
Device 900 is, for example, a network device such as a switch or a router. Alternatively, device 900 is, for example, a computing device such as a host, a server or a personal computer. Device 900 may be implemented with a general bus architecture.
Device 900 includes at least one processor 901, a communication bus 902, a memory 903 and at least one communication interface 904.
Processor 901 is, for example, a general-purpose central processing unit (CPU), a network processor (NP), a graphics processing unit (GPU), a neural-network processing unit (NPU), a data processing unit (DPU), a microprocessor, or one or more integrated circuits for implementing the solution of this application. For example, processor 901 includes an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof. The PLD is, for example, a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL) or any combination thereof.
Communication bus 902 is used to transfer information between the components above. Communication bus 902 may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is shown in Figure 30, but this does not mean there is only one bus or only one type of bus.
Memory 903 is, for example, a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and so on), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited to these. Memory 903 exists, for example, independently and is connected to processor 901 through communication bus 902. Memory 903 may also be integrated with processor 901.
Communication interface 904 uses any transceiver-type apparatus to communicate with other devices or a communication network. Communication interface 904 includes a wired communication interface and may also include a wireless communication interface. The wired communication interface may be, for example, an Ethernet interface, which may be an optical interface, an electrical interface or a combination thereof. The wireless communication interface may be a wireless local area network (WLAN) interface, a cellular network communication interface or a combination thereof.
In a specific implementation, as an embodiment, processor 901 may include one or more CPUs, such as CPU0 and CPU1 shown in Figure 30.
In a specific implementation, as an embodiment, device 900 may include multiple processors, such as processor 901 and processor 905 shown in Figure 30. Each of these processors may be a single-core processor (single-CPU) or a multi-core processor (multi-CPU). A processor here may refer to one or more devices, circuits and/or processing cores for processing data (such as computer program instructions).
In a specific implementation, as an embodiment, device 900 may also include an output device and an input device. The output device communicates with processor 901 and can display information in a variety of ways; for example, the output device may be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device or a projector. The input device communicates with processor 901 and can receive user input in a variety of ways; for example, the input device may be a mouse, a keyboard, a touch screen device or a sensing device.
In some embodiments, memory 903 is used to store program code 910 for executing the solution of this application, and processor 901 can execute the program code 910 stored in memory 903. That is, device 900 can implement the packet processing method provided by the method embodiments through processor 901 and the program code 910 in memory 903.
Device 900 of the embodiments of this application may correspond to the UPF (UP device) or CPF (CP device) in the method embodiments above, and processor 901, communication interface 904 and the other components of device 900 can implement the functions and/or the steps and methods of the UPF (UP device) or CPF (CP device) in those embodiments. For brevity, these are not repeated here.
When the UP device (UPF) is implemented by device 900, in some embodiments the receiving module 801 and sending module 803 of the UP device 800 shown in Figure 28 correspond to communication interface 904 of device 900, and the matching module 802 of the UP device 800 may correspond to processor 901 of device 900.
When the CP device (CPF) is implemented by device 900, in some embodiments the sending module 811 and receiving module 812 of the CP device 810 shown in Figure 29 correspond to communication interface 904 of device 900, and the processing module 813 of the CP device 810 may correspond to processor 901 of device 900.
Referring to Figure 31, Figure 31 is a schematic structural diagram of a device 1000 provided by an exemplary embodiment of this application. Optionally, device 1000 is configured as the UPF (UP device). In other words, the UPF (UP device) in method 400, method 500, method 600 and method 700 above is optionally implemented by device 1000.
Device 1000 is, for example, a network device such as a switch or a router. Device 1000 includes a main control board 1010 and an interface board 1030.
The main control board, also called the main processing unit (MPU) or route processor card, is used for controlling and managing the components of device 1000, including route computation, device management, device maintenance and protocol processing. Main control board 1010 includes a central processing unit 1011 and a memory 1012.
Interface board 1030, also called a line processing unit (LPU), line card or service board, is used to provide service interfaces and to forward packets. The service interfaces include, without limitation, Ethernet interfaces and Packet over SONET/SDH (POS) interfaces; an Ethernet interface is, for example, a Flexible Ethernet client (FlexE Client) interface. Interface board 1030 includes a central processing unit 1031, a network processor 1032, a forwarding entry memory 1034 and a physical interface card (PIC) 1033.
Central processing unit 1031 on interface board 1030 is used to control and manage interface board 1030 and to communicate with central processing unit 1011 on main control board 1010.
Network processor 1032 is used to perform packet forwarding. Network processor 1032 may take the form of a forwarding chip. Specifically, network processor 1032 forwards received packets based on the forwarding table stored in forwarding entry memory 1034: if the destination address of a packet is the address of device 1000, the packet is sent up to the CPU (such as central processing unit 1011) for processing; if not, the next hop and outbound interface corresponding to the destination address are looked up in the forwarding table and the packet is forwarded to that outbound interface. Upstream packet processing includes processing at the packet's inbound interface and forwarding table lookup; downstream packet processing includes forwarding table lookup and so on.
Physical interface card 1033 implements the physical-layer interconnection; raw traffic enters interface board 1030 through it, and processed packets are sent out from it. Physical interface card 1033, also called a daughter card, can be installed on interface board 1030 and is responsible for converting optical or electrical signals into packets, checking the validity of the packets and forwarding them to network processor 1032 for processing. In some embodiments, the central processing unit may also perform the functions of network processor 1032, for example by implementing software forwarding on a general-purpose CPU, so that no network processor 1032 is needed in physical interface card 1033.
Optionally, device 1000 includes multiple interface boards; for example, device 1000 further includes an interface board 1040, which includes a central processing unit 1041, a network processor 1042, a forwarding entry memory 1044 and a physical interface card 1043.
Optionally, device 1000 further includes a switch fabric board 1020, also called a switch fabric unit (SFU). When the network device has multiple interface boards 1030, switch fabric board 1020 is used to exchange data between the interface boards; for example, interface board 1030 and interface board 1040 can communicate through switch fabric board 1020.
Main control board 1010 and interface board 1030 are coupled. For example, main control board 1010, interface board 1030, interface board 1040 and switch fabric board 1020 are connected to the system backplane through the system bus for interworking. In one possible implementation, an inter-process communication (IPC) channel is established between main control board 1010 and interface board 1030, and they communicate through the IPC channel.
Logically, device 1000 includes a control plane and a forwarding plane. The control plane includes main control board 1010 and central processing unit 1031; the forwarding plane includes the components that perform forwarding, such as forwarding entry memory 1034, physical interface card 1033 and network processor 1032. The control plane performs routing, generates the forwarding table, processes signalling and protocol packets, and configures and maintains the state of the device; it delivers the generated forwarding table to the forwarding plane, where network processor 1032 looks up and forwards the packets received by physical interface card 1033 based on that table. The forwarding table delivered by the control plane may be stored in forwarding entry memory 1034. In some embodiments, the control plane and the forwarding plane may be completely separated and not reside on the same device.
Method 400, method 500, method 600 and method 700 are briefly described below with reference to device 1000.
The UP device receives a packet through physical interface card 1033, determines that the destination IP address of the packet is the address of device 1000, and sends the packet up to central processing unit 1031 for processing. Central processing unit 1031 accesses forwarding entry memory 1034 and obtains the information of the first type of user stored there. Central processing unit 1031 matches the first information included in the packet against the information of the first type of user. When central processing unit 1031 determines that the first information and the information of the first type of user satisfy the first match condition, physical interface card 1033 sends the packet to the CP device.
When the UP device (UPF) is implemented by device 1000, in some embodiments the receiving module 801 and sending module 803 of the UP device 800 shown in Figure 28 correspond to physical interface card 1033 of device 1000, and the matching module 802 of the UP device 800 corresponds to network processor 1032, central processing unit 1031 or central processing unit 1011.
It should be understood that the operations on interface board 1040 in the embodiments of this application are the same as those on interface board 1030 and are not repeated for brevity. It should be understood that device 1000 of this embodiment may correspond to the UP device (UPF) in the method embodiments above, and that main control board 1010 and interface boards 1030 and/or 1040 of device 1000 can implement the functions and/or steps of the UP device (UPF) in those embodiments; for brevity, these are not repeated here.
It is worth noting that there may be one or more main control boards; when there are several, they may include an active main control board and a standby main control board. There may be one or more interface boards; the stronger the data processing capability of the network device, the more interface boards it provides. There may also be one or more physical interface cards on an interface board. There may be no switch fabric board, or one or more; when there are several, they can jointly provide load sharing and redundancy backup. In a centralised forwarding architecture, the network device may need no switch fabric board, and the interface board handles the service data processing of the whole system. In a distributed forwarding architecture, the network device may have at least one switch fabric board, through which data is exchanged between multiple interface boards, providing large-capacity data exchange and processing; the data access and processing capability of a distributed network device is therefore greater than that of a centralised one. Optionally, the network device may also take the form of a single board, that is, without a switch fabric board, with the functions of the interface board and the main control board integrated on that single board; in this case the central processing unit of the interface board and that of the main control board may be merged into one central processing unit on the board performing the combined functions. The data exchange and processing capability of such a device is lower (for example, a low-end switch or router). Which architecture is used depends on the specific networking deployment scenario and is not limited here.
Referring to Figure 32, an embodiment of this application provides a communication system 1100, which includes a UP device 1101 and a CP device 1102. Optionally, UP device 1101 is the UP device 800 shown in Figure 28, the device 900 shown in Figure 30 or the device 1000 shown in Figure 31, and the CP device is the CP device 810 shown in Figure 29 or the device 900 shown in Figure 30.
A person of ordinary skill in the art will appreciate that the method steps and modules described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the steps and composition of each embodiment have been described above generally in terms of function. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. A person of ordinary skill in the art may use different methods to implement the described functions for each specific application, and such implementation should not be regarded as going beyond the scope of this application.
A person skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and modules described above may be found in the corresponding processes of the method embodiments above and are not repeated here.
In the several embodiments provided by this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are merely illustrative; the division into modules is merely a division by logical function, and other divisions are possible in practice: multiple modules or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, devices or modules, and may be electrical, mechanical or in other forms.
The modules described as separate components may or may not be physically separate, and the components shown as modules may or may not be physical modules; they may be located in one place or distributed over multiple network modules. Some or all of the modules may be selected as needed to achieve the purpose of the solutions of the embodiments of this application.
In addition, the functional modules of the embodiments of this application may be integrated into one processing module, may exist physically as separate modules, or two or more modules may be integrated into one module. The integrated module may be implemented in hardware or as a software functional module.
When the integrated module is implemented as a software functional module and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods of the embodiments of this application. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
In this application, the terms "first", "second" and so on are used to distinguish identical or similar items that have essentially the same role and function; it should be understood that there is no logical or temporal dependency between "first" and "second", and that they do not limit quantity or order of execution. It should also be understood that although the description below uses the terms first, second and so on to describe various elements, these elements should not be limited by the terms; the terms serve only to distinguish one element from another. For example, without departing from the scope of the various examples described, the first information may be called the second information and, similarly, the second information may be called the first information. Both the first information and the second information may be information and, in some cases, may be separate and different information.
In this application, the term "at least one" means one or more, and the term "multiple" means two or more. The terms "system" and "network" are often used interchangeably herein.
It should also be understood that the term "if" may be interpreted to mean "when" or "upon", "in response to determining" or "in response to detecting". Similarly, depending on context, the phrase "if it is determined that ..." or "if [a stated condition or event] is detected" may be interpreted to mean "upon determining ...", "in response to determining ...", "upon detecting [the stated condition or event]" or "in response to detecting [the stated condition or event]".
The foregoing are only specific implementations of this application, but the scope of protection of this application is not limited to them; any person skilled in the art can readily conceive of various equivalent modifications or replacements within the technical scope disclosed by this application, and such modifications or replacements shall fall within the scope of protection of this application. Therefore, the scope of protection of this application shall be determined by the scope of protection of the claims.
The embodiments above may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer program instructions. When the computer program instructions are loaded and executed on a computer, the flows or functions of the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer program instructions may be transmitted from one website, computer, server or data centre to another website, computer, server or data centre by wired or wireless means. The computer-readable storage medium may be any available medium accessible by a computer, or a data storage device such as a server or data centre integrating one or more available media. The available medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape), an optical medium (for example a digital video disc (DVD)), or a semiconductor medium (for example a solid-state drive).
A person of ordinary skill in the art will understand that all or part of the steps of the embodiments above may be performed by hardware or by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, which may be a read-only memory, a magnetic disk, an optical disc or the like.
The foregoing are only optional embodiments of this application and are not intended to limit it; any modification, equivalent replacement, improvement and so on made within the spirit and principles of this application shall be included within the scope of protection of this application.
Claims (26)
1. A packet processing method, applied to a user plane (UP) device in a communication system in which the control plane (CP) and the user plane (UP) are separated, the method comprising: the UP device receiving a packet; the UP device matching first information included in the packet against information of a first-type user, the first-type user having a fixed Internet Protocol (IP) address; and, if the first information and the information of the first-type user satisfy a first matching condition, the UP device sending the packet to a CP device in the communication system.
2. The method according to claim 1, wherein the first-type user comprises at least one of a static user or an abnormally offline user.
3. The method according to claim 1, wherein, before the UP device matches the first information included in the packet against the information of the first-type user, the method further comprises: the UP device matching second information included in the packet against information of a second-type user, the second-type user having been authenticated; and the UP device determining that the second information and the information of the second-type user do not satisfy a second matching condition.
4. The method according to claim 1, wherein the UP device sending the packet to the CP device in the communication system if the first information and the information of the first-type user satisfy the first matching condition comprises: if the first information and the information of the first-type user in packet detection information (PDI) satisfy the first matching condition, the UP device sending the packet to the CP device in the communication system according to the packet action (PA) corresponding to the PDI, the PA indicating redirection to the CP device.
5. The method according to claim 1, wherein, before the UP device receives the packet, the method further comprises: the UP device receiving a first policy from the CP device, the first policy indicating that the packet is to be redirected to the CP device when the first information included in the packet and the information of the first-type user satisfy the first matching condition.
6. The method according to claim 5, wherein the UP device receiving the first policy from the CP device comprises: the UP device receiving a first Packet Forwarding Control Protocol (PFCP) message from the CP device, a packet detection rule (PDR) carried in the first PFCP message being the first policy; wherein the first PFCP message is a PFCP Session Establishment Request, or the first PFCP message is a PFCP session message including a first message type, the first message type indicating creation of a PFCP session for the first-type user.
7. The method according to claim 6, wherein the first PFCP message includes an interface index, the interface index identifying an access interface on the UP device, the access interface being the interface through which the terminal of the first-type user accesses.
8. The method according to claim 7, wherein the interface index is carried in an information element (IE) having a first IE type, the first IE type identifying that the IE includes the interface index.
9. The method according to claim 1, wherein the UP device sending the packet to the CP device in the communication system comprises: the UP device adding a GPRS Tunnelling Protocol user plane (GTP-U) header to the packet and sending the packet with the GTP-U header added; or the UP device adding a Virtual Extensible LAN (VXLAN) header to the packet and sending the packet with the VXLAN header added.
10. The method according to claim 9, wherein, before the UP device receives the packet, the method further comprises: the UP device receiving redirect parameters from the CP device, the redirect parameters including at least one of GTP-U tunnel information or VXLAN tunnel information.
11. The method according to claim 10, wherein the redirect parameters are carried in an IE having a second IE type, the second IE type identifying that the IE includes the redirect parameters.
12. The method according to claim 11, wherein the VXLAN tunnel information is carried in an IE having a third IE type, the third IE type identifying that the IE includes the VXLAN tunnel information.
13. The method according to claim 1, wherein, after the UP device sends the packet to the CP device in the communication system, the method further comprises: the UP device receiving a deletion request from the CP device; and the UP device, in response to the deletion request, deleting the information of the first-type user.
14. The method according to claim 13, wherein the deletion request is a second PFCP message; the second PFCP message is a PFCP Session Deletion Request, or the second PFCP message is a PFCP session message including a second message type, the second message type indicating deletion of the PFCP session of the first-type user.
15. The method according to claim 1, wherein, after the UP device matches the first information included in the packet against the information of the first-type user, the method further comprises: if the first information and the information of the first-type user do not satisfy the first matching condition, the UP device discarding the packet.
16. A packet processing method, applied to a CP device in a communication system in which the control plane (CP) and the user plane (UP) are separated, the method comprising: the CP device sending a first policy to a user plane (UP) device in the communication system, the first policy indicating that a packet is to be redirected to the CP device when first information included in the packet and information of a first-type user satisfy a first matching condition, the first-type user having a fixed Internet Protocol (IP) address; the CP device receiving the packet from the UP device; and the CP device performing access processing according to the packet.
17. The method according to claim 16, wherein the first-type user comprises at least one of a static user or an abnormally offline user, the static user being a user having a fixed IP address, and the abnormally offline user being a user that went offline abnormally, within the lease of an IP address allocated by the communication system, because of a fault in the communication system.
18. The method according to claim 16, wherein sending the first policy comprises: sending a first Packet Forwarding Control Protocol (PFCP) message carrying the first policy; wherein the first PFCP message is a PFCP Session Establishment Request, or the first PFCP message is a PFCP session message including a first message type, the first message type indicating creation of a PFCP session for the first-type user.
19. The method according to claim 16, wherein the packet has a GPRS Tunnelling Protocol user plane (GTP-U) header or a Virtual Extensible LAN (VXLAN) header added, and, before the CP device receives the packet from the UP device, the method further comprises: the CP device sending redirect parameters to the UP device, the redirect parameters including at least one of GTP-U tunnel information or VXLAN tunnel information.
20. The method according to claim 16, wherein, after the CP device performs access processing according to the packet, the method comprises: the CP device detecting that configuration information of the first-type user has been deleted or that the lease of the first-type user has expired; and the CP device sending a deletion request to the UP device, the deletion request indicating deletion of the information of the first-type user.
21. The method according to claim 20, wherein the deletion request is a second PFCP message; the second PFCP message is a PFCP Session Deletion Request, or the second PFCP message is a PFCP session message including a second message type, the second message type indicating deletion of the PFCP session of the first-type user.
22. A user plane (UP) device located in a communication system in which the UP and the control plane (CP) are separated, the UP device comprising: a receiving module configured to receive a packet; a matching module configured to match first information included in the packet against information of a first-type user, the first-type user having a fixed Internet Protocol (IP) address; and a sending module configured to send the packet to a control plane (CP) device if the first information and the information of the first-type user satisfy a first matching condition.
23. A control plane (CP) device located in a communication system in which the CP and the user plane (UP) are separated, the CP device comprising: a sending module configured to send a first policy to a user plane (UP) device, the first policy indicating that a packet is to be redirected to the CP device when first information included in the packet and information of a first-type user satisfy a first matching condition, the first-type user having a fixed Internet Protocol (IP) address; a receiving module configured to receive the packet from the UP device; and a processing module configured to perform access processing according to the packet.
24. A communication system comprising the UP device according to claim 22 and the CP device according to claim 23.
25. A computer-readable storage medium storing at least one instruction which, when read by a processor, causes a user plane (UP) device to perform the method according to any one of claims 1 to 15.
26. A computer-readable storage medium storing at least one instruction which, when read by a processor, causes a control plane (CP) device to perform the method according to any one of claims 16 to 21.
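The claims above describe one data-path procedure on the UP device (claims 1 to 15: match authenticated users first, redirect matching first-type users to the CP over GTP-U or VXLAN, drop everything else, delete a user on request) and one control-path procedure on the CP device (claims 16 to 21: push the redirect policy, do access processing on the redirected packet, send a deletion request when the lease expires). The Python below is an added simulation of both sides, not code from the patent. It assumes a PDI keyed on the access interface index of claim 7 plus the fixed IP address of claim 1, string names for the packet actions, the standard 8-byte GTP-U and VXLAN headers as the tunnel encapsulation, and constructed IPv4 packets as input; the page specifies none of the PDI contents, IE encodings or tunnel parameters.

```python
import socket
import struct
from dataclasses import dataclass

PA_FORWARD, PA_REDIRECT_TO_CP, PA_DROP = "forward", "redirect-to-cp", "drop"

@dataclass(frozen=True)
class PDI:
    # Packet detection information keying one user. Assumed field set: access
    # interface index (claim 7) plus the user's fixed IP address (claim 1).
    interface_index: int
    src_ip: str

@dataclass
class PDR:
    pdi: PDI
    action: str      # packet action (PA) tied to the PDI (claim 4)
    user_class: str  # "authenticated" (claim 3) or "first-type" (claims 1, 2)

def gtpu_header(teid: int, payload_len: int) -> bytes:
    # GTPv1-U, no optional fields: flags 0x30, type 0xFF (G-PDU), length, TEID.
    return struct.pack("!BBHI", 0x30, 0xFF, payload_len, teid)

def vxlan_header(vni: int) -> bytes:
    # RFC 7348: I flag (0x08) + 24 reserved bits, then 24-bit VNI + 8 reserved bits.
    return struct.pack("!II", 0x08000000, (vni & 0xFFFFFF) << 8)

def make_ipv4(src: str, dst: str, payload: bytes) -> bytes:
    # Constructed minimal IPv4 packet for the demo (protocol 17, checksum left 0).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

class UPDevice:
    def __init__(self, tunnel: str, teid: int = 0, vni: int = 0):
        # tunnel/teid/vni stand in for the redirect parameters of claim 10.
        self.tunnel, self.teid, self.vni = tunnel, teid, vni
        self.authenticated: dict[PDI, PDR] = {}  # second-type users (claim 3)
        self.first_type: dict[PDI, PDR] = {}     # static / abnormally offline users
        self.sent_to_cp: list[bytes] = []        # encapsulated packets (claim 9)

    def on_session_establishment(self, pdr: PDR) -> None:
        # PFCP Session Establishment Request carrying the PDR (claim 6).
        table = self.authenticated if pdr.user_class == "authenticated" else self.first_type
        table[pdr.pdi] = pdr

    def on_session_deletion(self, pdi: PDI) -> None:
        # PFCP Session Deletion Request: forget the first-type user (claim 13).
        self.first_type.pop(pdi, None)

    def handle_packet(self, interface_index: int, packet: bytes) -> str:
        key = PDI(interface_index, socket.inet_ntoa(packet[12:16]))
        if key in self.authenticated:        # claim 3: authenticated users first
            return PA_FORWARD
        pdr = self.first_type.get(key)
        if pdr is None:                      # claim 15: no match, drop
            return PA_DROP
        if pdr.action == PA_REDIRECT_TO_CP:  # claim 4: PA says redirect to CP
            self.sent_to_cp.append(self.encapsulate(packet))
        return pdr.action

    def encapsulate(self, packet: bytes) -> bytes:  # claim 9: GTP-U or VXLAN
        if self.tunnel == "gtpu":
            return gtpu_header(self.teid, len(packet)) + packet
        return vxlan_header(self.vni) + packet

class CPDevice:
    def __init__(self, up: UPDevice):
        self.up = up
        self.leases: dict[PDI, int] = {}  # first-type user -> lease expiry time

    def provision_first_type_user(self, pdi: PDI, lease_expiry: int) -> None:
        # Claim 16: the first policy is a PDR whose PA redirects matches to the CP.
        self.up.on_session_establishment(PDR(pdi, PA_REDIRECT_TO_CP, "first-type"))
        self.leases[pdi] = lease_expiry

    def on_redirected_packet(self, encapsulated: bytes) -> str:
        # Strip the 8-byte tunnel header; access processing here just yields the
        # inner source address the CP would act on.
        return socket.inet_ntoa(encapsulated[8:][12:16])

    def tick(self, now: int) -> int:
        # Claim 20: lease timeout (or configuration removal) -> deletion request.
        expired = [pdi for pdi, exp in self.leases.items() if now >= exp]
        for pdi in expired:
            self.up.on_session_deletion(pdi)
            del self.leases[pdi]
        return len(expired)

def demo(tunnel: str = "gtpu") -> tuple:
    up = UPDevice(tunnel, teid=0x1234, vni=0xABCDEF)
    cp = CPDevice(up)
    user = PDI(interface_index=3, src_ip="192.0.2.10")  # constructed static user
    cp.provision_first_type_user(user, lease_expiry=100)
    pkt = make_ipv4("192.0.2.10", "198.51.100.1", b"hello")
    first = up.handle_packet(3, pkt)       # PDI match: redirected to the CP
    other_port = up.handle_packet(4, pkt)  # same IP, other access interface: dropped
    src = cp.on_redirected_packet(up.sent_to_cp[0])
    cp.tick(now=100)                       # lease expired: CP sends deletion request
    after = up.handle_packet(3, pkt)       # user information gone: dropped
    return first, other_port, src, after, up.sent_to_cp[0][:8]
```

Keying the PDI on the access interface index as well as the address, which the interface index of claim 7 makes possible, is what makes `other_port` come back as a drop: a packet carrying a provisioned static address but arriving on a different access interface never reaches the CP. How much unauthenticated traffic the UP can push at the CP is the property to check in any redirect-to-CP design, and the match order of claim 3 (authenticated users first) together with the default drop of claim 15 are the two places that bound it here.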
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP21831553.9A EP4164148A4 (en) | 2020-06-28 | 2021-06-21 | MESSAGE PROCESSING METHOD, UP DEVICE AND CP DEVICE |
US18/146,790 US20230139272A1 (en) | 2020-06-28 | 2022-12-27 | Packet Processing Method, UP Device, and CP Device |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010598522.1A CN113852588B (zh) | 2020-06-28 | 2020-06-28 | Packet processing method, UP device and CP device, communication system and medium |
CN202010598522.1 | 2020-06-28 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US18/146,790 Continuation US20230139272A1 (en) | 2020-06-28 | 2022-12-27 | Packet Processing Method, UP Device, and CP Device |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022001735A1 (zh) | 2022-01-06 |
Family
ID=78972121
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2021/101332 WO2022001735A1 (zh) | 2020-06-28 | 2021-06-21 | Packet processing method, UP device and CP device |
Country Status (4)
Country | Link |
---|---|
US (1) | US20230139272A1 (zh) |
EP (1) | EP4164148A4 (zh) |
CN (2) | CN113852588B (zh) |
WO (1) | WO2022001735A1 (zh) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114710810A (zh) * | 2022-05-31 | 2022-07-05 | 新华三技术有限公司 | Data transmission method, apparatus and system |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20230094059A1 (en) * | 2020-01-28 | 2023-03-30 | Nippon Telegraph And Telephone Corporation | Transfer apparatus, data processing method and program |
CN115051970B (zh) * | 2022-05-13 | 2024-09-13 | 中国电信股份有限公司 | Method and apparatus for controlling user online access, forwarding-plane network element and medium |
US20240039762A1 (en) * | 2022-07-26 | 2024-02-01 | Nokia Solutions And Networks Oy | Combined pfcp session model for network access by residential gateways |
CN115766625B (zh) * | 2022-09-07 | 2024-08-09 | 迈普通信技术股份有限公司 | Interface resource synchronization method and apparatus, and distributed switch |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107743095A (zh) * | 2017-11-30 | 2018-02-27 | 新华三技术有限公司 | Packet forwarding method and apparatus |
CN108123865A (zh) * | 2017-12-21 | 2018-06-05 | 新华三技术有限公司 | Packet processing method and apparatus |
US20200201827A1 (en) * | 2018-12-20 | 2020-06-25 | Peter Chacko | Universal file virtualization with disaggregated control plane, security plane and decentralized data plane |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TWI651979B (zh) * | 2016-07-07 | 2019-02-21 | 財團法人工業技術研究院 | Service differentiation method for a wireless access network, wireless network system and wireless access network access point |
CN107707435B (zh) * | 2017-09-14 | 2020-11-20 | 新华三技术有限公司 | Packet processing method and apparatus |
US10805240B2 (en) * | 2017-09-29 | 2020-10-13 | Arista Networks, Inc. | System and method of processing network data |
- 2020
  - 2020-06-28 CN CN202010598522.1A (CN113852588B, zh): active
  - 2020-06-28 CN CN202310315981.8A (CN116633585A, zh): pending
- 2021
  - 2021-06-21 WO PCT/CN2021/101332 (WO2022001735A1, zh): status unknown
  - 2021-06-21 EP EP21831553.9A (EP4164148A4, en): pending
- 2022
  - 2022-12-27 US US18/146,790 (US20230139272A1, en): pending
Non-Patent Citations (2)
Title |
---|
3GPP TS 29.244 |
See also references of EP4164148A4 |
Also Published As
Publication number | Publication date |
---|---|
CN116633585A (zh) | 2023-08-22 |
EP4164148A4 (en) | 2023-12-13 |
CN113852588A (zh) | 2021-12-28 |
CN113852588B (zh) | 2023-03-10 |
US20230139272A1 (en) | 2023-05-04 |
EP4164148A1 (en) | 2023-04-12 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2022001735A1 (zh) | Packet processing method, UP device and CP device | |
WO2021207922A1 (zh) | Packet transmission method, apparatus and system | |
US9497661B2 (en) | Implementing EPC in a cloud computer with openflow data plane | |
JP6092873B2 (ja) | Implementation of a 3G packet core in a cloud computer with OpenFlow data and control planes | |
US8555352B2 (en) | Controlling access nodes with network transport devices within wireless mobile networks | |
CN109889443B (zh) | Cloud computing system and method for implementing the control plane of an evolved packet core (EPC) in a cloud computing system | |
EP1739914B1 (en) | Method, apparatus, edge router and system for providing a guarantee of the quality of service (qos) | |
WO2019033920A1 (zh) | Method and device for the network side to identify and control remote user equipment | |
US9083656B2 (en) | Service communication method and system for access network apparatus | |
US8681779B2 (en) | Triple play subscriber and policy management system and method of providing same | |
US20160127149A1 (en) | Method for implementing gre tunnel, access device and aggregation gateway | |
WO2008080314A1 (fr) | Method, forwarding engine and communication device for controlling access to messages | |
WO2007124679A1 (fr) | Network communication method and system | |
WO2008058477A1 (fr) | Method, apparatus and system for managing location information | |
WO2023011149A1 (zh) | Communication method based on IPv6 segment routing (SRv6) | |
US20240267324A1 (en) | Packet forwarding method and apparatus | |
US20230122810A1 (en) | Communication Method, UP Device, and CP Device | |
WO2022033157A1 (zh) | Network attack defense method, CP device and UP device | |
CN115665095A (zh) | Packet processing method, apparatus and system, and computer-readable storage medium | |
WO2023036135A1 (zh) | Message sending and receiving method, information acquisition and sending/receiving method, and related devices | |
WO2023279992A1 (zh) | Packet processing method, apparatus and system, and computer-readable storage medium | |
JP5853758B2 (ja) | Communication apparatus and bandwidth control method | |
KR20220095548A (ko) | AFDX to AeroRing conversion method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | ENP | Entry into the national phase | Ref document number: 2021831553; Country of ref document: EP; Effective date: 20230103 |
 | NENP | Non-entry into the national phase | Ref country code: DE |