WO2024087638A1 - A data packet processing method and related apparatus - Google Patents
- Publication number: WO2024087638A1 (application PCT/CN2023/098501)
- Authority: WO (WIPO, PCT)
- Prior art keywords: data packet, identification information, DSCP field, rule, server
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L12/00—Data switching networks
        - H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
          - H04L12/46—Interconnection of networks
      - H04L45/00—Routing or path finding of packets in data switching networks
        - H04L45/74—Address processing for routing
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/40—Network security protocols
Definitions
- the present application relates to the field of network security technology, and in particular to a data packet processing method and related devices.
- IP: Internet Protocol
- the source IP address and/or destination IP address in the data packet may be converted during the transmission path, for example, if a device in the network uses virtualization technology, when the device sends a data packet to other devices, the real source IP address of the data packet will be converted into a proxy IP address through the hypervisor layer.
- the security device in the network cannot obtain the real source IP address of the data packet, and thus cannot match the security policy based on the real source IP address, resulting in the failure of the security policy deployed on the security device, and further unable to make an accurate decision to allow or prohibit the access behavior corresponding to the data packet.
- the present application provides a data packet processing method and related apparatus, which additionally introduces the operation of writing first identification information into the DSCP field of the data packet. Since the value in the DSCP field of the data packet generally does not change during the transmission process of the data packet, all devices in the network can obtain the real first identification information from the DSCP field, and then can accurately make a decision to allow or prohibit the access behavior corresponding to the data packet with the help of the first identification information, thereby improving the security of the network.
- the first aspect of the present application provides a method for processing a data packet, which can be applied to the field of network security technology.
- the aforementioned method may include: when the destination address of a first data packet points to a first object, a first device writes identification information in a differentiated services code point DSCP field of the first data packet; wherein the first device is a device that generates the first data packet, or the first device is a switch connected to the device that generates the first data packet.
- the first device sends a first data packet, and correspondingly, a second device obtains the first data packet; wherein the second device is a server pointed to by the destination address of the first data packet, or the second device is a security device that manages the aforementioned server, and the aforementioned server pointed to by the destination address of the first data packet corresponds to the first object.
- the second device obtains identification information from the DSCP field of the first data packet, and allows or prohibits access behavior corresponding to the first data packet based on the aforementioned identification information.
- the first object may include any of the following: a type of business, a name of a network area, a type of user, or other types of objects.
- for example, the first object includes a type of business (i.e., web services).
- an office park is prohibited from accessing a data center in the network; the first object includes the name of another network area (i.e., data center), etc.
- “the destination address of the first data packet points to the first object” and “the server pointed to by the destination address of the first data packet corresponds to the first object” can both be understood as: the server located at the destination address can provide service 1.
- the first object is network area 1 (that is, an example of the name of a network area)
- the destination address of the first data packet points to the first object can be understood as the destination address is included in the address range covered by network area 1
- the server pointed to by the destination address of the first data packet corresponds to the first object can be understood as the server located at the destination address belongs to network area 1.
- the destination address of the first data packet points to the first object can be understood as the address range occupied by the user of type 1 including the destination address.
- the server pointed to by the destination address of the first data packet corresponds to the first object can be understood as the server located at the destination address is used by the user of type 1.
- an operation of writing the first identification information in the DSCP field of the data packet is additionally introduced. Since the value in the DSCP field of the data packet generally does not change during the transmission process of the data packet, all devices in the network can obtain the real first identification information from the DSCP field, and then can make an accurate decision to allow or prohibit the access behavior corresponding to the data packet with the help of the first identification information, thereby improving the security of the network; the DSCP field is a field that already exists in the data packet, and choosing to write the identification information in the DSCP field does not require making too much change in the existing technology, which is conducive to reducing the computer resources consumed to implement this solution; and various devices in the network have the ability to interpret the control information of the data packet. Without upgrading the capabilities of the devices in the network, the identification information can be obtained from the DSCP field of the data packet, and then the present solution can be executed to further reduce the computer resources consumed to implement this solution.
- the device generating the first data packet performs the operation of "writing the first identification information into the DSCP field", which improves the convenience of this solution.
- the switch connected to the device generating the first data packet is generally connected to multiple devices generating the first data packet.
- the aforementioned switch performs the operation of "writing the first identification information into the DSCP field", and compared with sending the first rule to multiple devices generating the first data packet, it only needs to send the first rule to one switch, which reduces the computer resources consumed by the step of "sending the first rule to the first device".
- whether the access behavior corresponding to the first data packet is allowed to be executed is determined according to the information carried in the DSCP field of the first data packet only when its destination address points to the first object, thereby avoiding processing a data packet whose destination address does not point to the first object on the basis of its DSCP value, which is conducive to further improving the accuracy of the processing result of the access behavior corresponding to the data packet.
- when the first data packet reaches the security device connected to the server pointed to by the destination address of the first data packet, it is determined whether the access behavior corresponding to the first data packet is allowed to be executed according to the information carried in the DSCP field of the first data packet; that is, the operation of allowing or prohibiting the first data packet to pass is performed by an independent security device, which reduces the burden on the server pointed to by the destination address of the first data packet and improves the security of that server. Furthermore, a security device is generally used to control whether data packets are allowed to enter multiple devices, so deploying the second rule on the security device is conducive to reducing the computer resources consumed by the process of "deploying the second rule".
- the DSCP field in the first data packet has 8 bits, and the aforementioned 8 bits may include bits 0 to 7.
- the first device may use 6 bits of the aforementioned 8 bits to perform a filling operation of the first identification information; illustratively, the first identification information may occupy any one or more bits from bits 0 to 5 of the DSCP field.
- the first device writes identification information into a DSCP field of the first data packet, including: the first device writes identification information into the DSCP field of the first data packet through a hypervisor layer.
- compared with the virtual machine or container in the first device, the Hypervisor layer in the first device requires higher management authority.
- the probability of the Hypervisor layer in the first device being successfully attacked by hackers is therefore smaller, that is, the Hypervisor layer in the first device has higher security.
- Performing the write operation of the first identification information through the Hypervisor layer in the first device is beneficial to improving the security of the aforementioned operation, that is, reducing the probability of an illegal data packet carrying the first identification information, thereby reducing the probability of an illegal data packet successfully accessing the second device, which is beneficial to improving the security of the network.
- the first device writes identification information in the DSCP field of the first data packet, including: a first instance in the first device writes first sub-identification information to a first field in the DSCP field, the first instance being an instance corresponding to the second object; illustratively, the instance may be a virtual machine, a container, or other forms, etc.
- the Hypervisor layer in the first device writes second sub-identification information to a second field in the DSCP field, the identification information including the first sub-identification information and the second sub-identification information; for example, the first field and the second field may be different bits in the DSCP field.
- the first instance can be the instance corresponding to the second object among multiple instances deployed on the first device.
- the second object is service 2 (that is, an example of a type of service)
- the first instance corresponds to the second object can be understood as the first instance being an instance on the first device for providing service 2.
- the second object is a user of type 2
- the first instance corresponds to the second object can be understood as the first instance on the first device being used by a user of type 2.
- the second object is network area 2 (that is, an example of the name of a network area)
- the first instance corresponds to the second object can be understood as the address of the first instance being included in the address range covered by network area 2.
- the first instance and the Hypervisor layer in the first device jointly perform the writing operation of the first identification information, so that the "writing operation of the first identification information" can be managed at a finer-grained perspective to avoid the first identification information being carried in the data packets sent by the instances corresponding to other objects on the first device, thereby further reducing the probability of illegal data packets successfully accessing the second device, so as to further improve the security of the network.
- the first device writes the first identification information in the DSCP field of the first data packet, including: the first device writes the first identification information in the DSCP field of the first data packet through an instance.
- each instance in the first device can write the first identification information in the DSCP field of the first data packet; in another implementation, the first instance in the first device can write the first identification information in the DSCP field of the first data packet, and the first instance is an instance corresponding to the second object among multiple instances deployed by the first device.
- another implementation scheme for writing the first identification information into the DSCP field of the first data packet is provided, thereby improving the implementation flexibility of the scheme; if only the first instance writes the first identification information into the DSCP field of the first data packet, it is possible to avoid that the data packets sent by instances corresponding to other objects on the first device also carry the first identification information, thereby further reducing the probability of illegal data packets successfully accessing the second device, thereby further improving the security of the network.
- before the first device writes identification information in the DSCP field of the first data packet, the method further includes: the first device receives a first rule sent by a third device, the first rule indicating that when the destination address of the sent data packet points to the first object, the identification information is written in the DSCP field of the sent data packet.
- before the second device allows or prohibits access behavior corresponding to the first data packet based on the identification information, the method further includes: the second device receives a second rule sent by the third device, the second rule indicating that when the DSCP field of the data packet acquired by the second device carries identification information, access by the data packet is allowed or denied.
- the third device sends the first rule and the second rule to the first device and the second device respectively, which is conducive to the unified issuance of rules to multiple devices in the network by other control devices, and is conducive to avoiding conflicts among rules in different devices in the network, so as to further improve the security of the network.
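The following is an added Python model of the scheme described in the first aspect (instance and hypervisor each writing one sub-identification into the DSCP bits, a destination check before writing, and a second device that decides from the DSCP value); it is not code from the patent or its applicant. It also runs the packet through a source address translation like the proxy-IP case in the background, to show the marking surviving where an IP-based policy would not. Assumed, not taken from the page: the first object is the network area 10.20.0.0/16, DSCP bits 0-2 are the instance's field and bits 3-5 the hypervisor's, the sub-identification values, and the second rule as a lookup table.

```python
import ipaddress
import struct

# --- constructed configuration (assumptions, not values from the patent) ---
FIRST_OBJECT_NET = ipaddress.ip_network("10.20.0.0/16")  # "first object": a network area
SECOND_OBJECT = "service-2"            # the object the first instance corresponds to
INSTANCE_MASK = 0b000111               # "first field": DSCP bits 0-2, written by the instance
HYPERVISOR_MASK = 0b111000             # "second field": DSCP bits 3-5, written by the hypervisor
INSTANCE_SUB_ID = 0b101                # first sub-identification
HYPERVISOR_SUB_ID = 0b011              # second sub-identification
IDENTIFICATION = INSTANCE_SUB_ID | (HYPERVISOR_SUB_ID << 3)   # full identification = 0b011101
SECOND_RULE = {IDENTIFICATION: "allow"}   # second rule: known identification -> allow, else deny


def ipv4_checksum(header: bytes) -> int:
    """Standard IPv4 header checksum: ones' complement of the ones' complement sum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _with_checksum(hdr: bytes) -> bytes:
    """Return hdr with the checksum field (bytes 10-11) recomputed."""
    zeroed = hdr[:10] + b"\x00\x00" + hdr[12:]
    return zeroed[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + zeroed[12:]


def build_ipv4_header(src: str, dst: str, dscp: int = 0, payload_len: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (TTL 64, protocol TCP); DSCP is the top 6 bits of the TOS byte."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, (dscp & 0x3F) << 2, 20 + payload_len,
                      0, 0, 64, 6, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return _with_checksum(hdr)


def checksum_ok(header: bytes) -> bool:
    return ipv4_checksum(header) == 0


def get_dscp(header: bytes) -> int:
    return (header[1] >> 2) & 0x3F


def set_dscp(header: bytes, dscp: int) -> bytes:
    """Rewrite only the 6 DSCP bits, keep the 2 ECN bits, and refresh the header checksum."""
    tos = ((dscp & 0x3F) << 2) | (header[1] & 0x03)
    return _with_checksum(header[:1] + bytes([tos]) + header[2:])


def destination_points_to_first_object(header: bytes) -> bool:
    return ipaddress.ip_address(header[16:20]) in FIRST_OBJECT_NET


# --- first device: applying the first rule ---
def instance_write(header: bytes, instance_object: str) -> bytes:
    """Only the instance corresponding to the second object writes the first sub-identification."""
    if instance_object != SECOND_OBJECT or not destination_points_to_first_object(header):
        return header
    dscp = (get_dscp(header) & ~INSTANCE_MASK) | INSTANCE_SUB_ID
    return set_dscp(header, dscp)


def hypervisor_write(header: bytes) -> bytes:
    """The hypervisor layer writes the second sub-identification into the second field."""
    if not destination_points_to_first_object(header):
        return header
    dscp = (get_dscp(header) & ~HYPERVISOR_MASK) | (HYPERVISOR_SUB_ID << 3)
    return set_dscp(header, dscp)


def snat(header: bytes, proxy_src: str) -> bytes:
    """Address translation on the path: the source IP changes, the DSCP bits do not."""
    return _with_checksum(header[:12] + ipaddress.ip_address(proxy_src).packed + header[16:])


# --- second device: applying the second rule ---
def second_device_decide(header: bytes) -> str:
    if not destination_points_to_first_object(header):
        return "not-applicable"      # the rule only concerns packets sent to the first object
    return SECOND_RULE.get(get_dscp(header), "deny")


def demo() -> dict:
    """Three constructed packets passed through instance, hypervisor, SNAT and the second device."""
    to_first = build_ipv4_header("10.0.0.5", "10.20.3.7")
    elsewhere = build_ipv4_header("10.0.0.5", "192.0.2.10", dscp=46)   # existing EF marking kept
    p1 = snat(hypervisor_write(instance_write(to_first, SECOND_OBJECT)), "203.0.113.1")
    p2 = snat(hypervisor_write(instance_write(to_first, "service-9")), "203.0.113.1")
    p3 = snat(hypervisor_write(instance_write(elsewhere, SECOND_OBJECT)), "203.0.113.1")
    return {
        "first_instance": (get_dscp(p1), second_device_decide(p1)),      # (29, "allow")
        "other_instance": (get_dscp(p2), second_device_decide(p2)),      # (24, "deny")
        "other_destination": (get_dscp(p3), second_device_decide(p3)),   # (46, "not-applicable")
        "checksums_ok": all(checksum_ok(p) for p in (p1, p2, p3)),
    }


if __name__ == "__main__":
    print(demo())
```

The second device trusts whatever DSCP value arrives, so the scheme depends on no hop re-marking DSCP for QoS and on the write being confined to a privileged component, which is why the patent places it in the hypervisor layer.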
- the second aspect of the application provides a method for processing a data packet, which can be applied to the field of network security technology.
- the method includes: when the destination address of the first data packet points to the first object, the first device writes identification information in the differentiated services code point DSCP field of the first data packet, and the identification information is used to indicate that the second device allows or prohibits the access behavior corresponding to the first data packet; the first device sends the first data packet.
- the first device is a device that generates the first data packet, or the first device is a switch connected to the device that generates the first data packet;
- the second device is the server pointed to by the destination address of the first data packet, or the second device is a security device that manages the server, and the server corresponds to the first object.
- the first device can also execute the steps executed by the first device in the first aspect.
- the meanings of the terms in the second aspect and various possible implementations of the second aspect and the beneficial effects brought about can be found in the description of the first aspect and various possible implementations of the first aspect, and will not be repeated here.
- the third aspect of the present application provides a data packet processing method, which can be applied to the field of network security technology.
- the method includes: a second device obtains a first data packet, wherein the second device is a server pointed to by a destination address of the first data packet, or the second device is a security device that manages the server; the second device obtains identification information from a differentiated services code point DSCP field of the first data packet; the second device allows or prohibits access behavior corresponding to the first data packet according to the identification information.
- the second device can also execute the steps executed by the second device in the first aspect.
- the meanings of the terms in the third aspect and various possible implementations of the third aspect and the beneficial effects brought about can be found in the description of the first aspect and various possible implementations of the first aspect, and will not be repeated here.
- the fourth aspect of the present application provides a data packet processing method, which can be applied to the field of network security technology.
- the method includes: a third device sends a first rule to a first device in the network, the first rule indicates that when the destination address of the sent data packet points to the first object, the identification information is written in the differentiated services code point DSCP field of the sent data packet; the third device sends a second rule to a second device corresponding to the first object in the network, the second rule indicates that when the DSCP field of the obtained data packet carries the identification information, the access behavior corresponding to the obtained data packet is allowed or prohibited.
- the third device sends the first rule to the first device in the network, including: the third device sends the first rule to a hypervisor layer of the first device.
- the fifth aspect of the present application provides a data packet processing system, which can be applied to the field of network security technology.
- the data packet processing system includes a filling module in a first device and a sending module in the first device, and the data packet processing system also includes an acquisition module in a second device and a processing module in the second device.
- the filling module is used to write identification information in the Differentiated Services Code Point DSCP field of the first data packet when the destination address of the first data packet points to the first object;
- the first device is a device that generates the first data packet, or the first device is a switch connected to the device that generates the first data packet;
- the sending module is used to send the first data packet;
- the acquisition module is used to acquire the first data packet, the second device is the server pointed to by the destination address of the first data packet, or the second device is a security device that manages the server, and the server corresponds to the first object;
- the acquisition module is also used to acquire identification information from the DSCP field of the first data packet;
- the processing module is used to permit or prohibit the access behavior corresponding to the first data packet according to the identification information.
- each module in the data packet processing system can also execute the steps performed by the first device and the second device in the first aspect.
- the meanings of the terms in the fifth aspect and various possible implementation methods of the fifth aspect and the beneficial effects brought about can be found in the description of the first aspect and various possible implementation methods of the first aspect, and will not be repeated here.
- the sixth aspect of the present application provides a data packet processing device, which can be applied to the field of network security technology.
- the data packet processing device is applied to a first device, and the aforementioned device includes: a filling module, which is used to write identification information in the differentiated service code point DSCP field of the first data packet when the destination address of the first data packet points to the first object, and the identification information is used to indicate that the second device allows or prohibits the access behavior corresponding to the first data packet; a sending module, which is used to send the first data packet; wherein the first device is a device that generates the first data packet, or the first device is a switch connected to the device that generates the first data packet; the second device is a server pointed to by the destination address of the first data packet, or the second device is a security device that manages the server, and the server corresponds to the first object.
- each module in the data packet processing system can also execute the steps performed by the first device in the first aspect.
- the meanings of the terms in the sixth aspect and various possible implementation methods of the sixth aspect and the beneficial effects brought about can be found in the description of the first aspect and various possible implementation methods of the first aspect, and will not be repeated here.
- the seventh aspect of the present application provides a data packet processing device, which can be applied to the field of network security technology.
- the data packet processing device is applied to a second device, and the aforementioned device includes: an acquisition module, which is used to acquire a first data packet, wherein the second device is a server pointed to by the destination address of the first data packet, or the second device is a security device for managing the server; the acquisition module is also used to acquire identification information from the differentiated services code point DSCP field of the first data packet; and the processing module is used to allow or prohibit the access behavior corresponding to the first data packet according to the identification information.
- each module in the data packet processing system can also execute the steps performed by the second device in the first aspect.
- the meanings of the terms in the seventh aspect and various possible implementation methods of the seventh aspect and the beneficial effects brought about can be found in the description of the first aspect and various possible implementation methods of the first aspect, and will not be repeated here.
- the eighth aspect of the present application provides a data packet processing device, which can be applied to the field of network security technology.
- the data packet processing device is applied in a third device.
- the data packet processing device includes: a sending module, which is used to send a first rule to a first device in the network, and the first rule indicates that when the destination address of the data packet sent by the first device points to the first object, the identification information is written in the differentiated service code point DSCP field of the sent data packet;
- the first device is a device that generates the first data packet, or the first device is a switch connected to the device that generates the first data packet;
- the sending module is also used to send a second rule to a second device in the network, and the second rule indicates that when the DSCP field of the acquired data packet carries identification information, the access behavior corresponding to the acquired data packet is allowed or prohibited;
- the second device is the server pointed to by the destination address of the first data packet, or the second device is a security device that manages the server, and
- the data packet processing device can also execute the steps performed by the third device in the third aspect.
- the meanings of the terms in the eighth aspect and various possible implementation methods of the eighth aspect and the beneficial effects brought about can be found in the description of the third aspect and various possible implementation methods of the third aspect, and will not be repeated here.
- the present application provides a device, including a processor and a memory.
- the memory is used to store program codes
- the processor is used to call the program codes in the memory so that the device executes the methods in the above aspects.
- the tenth aspect of the present application provides a computer-readable storage medium storing instructions, which, when executed on a computer, enable the computer to execute the methods in the above-mentioned aspects.
- the eleventh aspect of the present application provides a computer program product, which, when executed on a computer, enables the computer to execute the methods in the above-mentioned aspects.
- the present application provides a chip, comprising one or more processors. Some or all of the processors are used to read and execute computer instructions stored in a memory to execute the methods in the above-mentioned various aspects.
- the chip also includes a memory.
- the chip also includes a communication interface, and the processor is connected to the communication interface.
- the communication interface is used to receive data and/or information to be processed, the processor obtains data and/or information from the communication interface, processes the data and/or information, and outputs the processing results through the communication interface.
- the communication interface is an input/output interface or a bus interface.
- the method provided in the present application is implemented by a chip, or by multiple chips in collaboration.
- FIG1 is a schematic diagram of a network deployment scenario provided in an embodiment of the present application.
- FIG2 is another schematic diagram of a network deployment scenario provided in an embodiment of the present application.
- FIG3 is a flow chart of a method for processing a data packet provided in an embodiment of the present application.
- FIG4 is a schematic diagram of configuring a first rule and a second rule for a third device according to an embodiment of the present application.
- FIG5 is a schematic diagram of the position of a first device provided in an embodiment of the present application.
- FIG6 is a schematic diagram of the position of a first device provided in an embodiment of the present application.
- FIG7 is another schematic flow chart of a method for processing a data packet provided in an embodiment of the present application.
- FIG8a is a schematic diagram of a scenario in which a security policy fails according to an embodiment of the present application.
- FIG8b is a schematic diagram of a method for processing a data packet provided in an embodiment of the present application.
- FIG9 is a schematic diagram of a structure of a data packet processing system provided in an embodiment of the present application.
- FIG10 is a schematic diagram of a structure of a data packet processing device provided in an embodiment of the present application.
- FIG11 is another schematic diagram of the structure of a data packet processing device provided in an embodiment of the present application.
- FIG12 is another schematic diagram of the structure of a data packet processing device provided in an embodiment of the present application.
- FIG13 is a schematic diagram of the structure of a device provided in an embodiment of the present application.
- the present application can be applied to various scenarios in which data packets are transmitted in the network. For example, during the transmission of data packets in the network, the source IP address and/or destination IP address carried in the data packet may be converted, so that the security device in the network is unable to obtain the real IP address of the data packet. The security policy deployed in the security device is usually set based on the IP five-tuple, that is, the security policy indicates which source IP addresses are allowed or prohibited from accessing the destination IP address. If the security device in the network cannot obtain the real IP address and cannot match the security policy based on the real IP address, the security policy configured in the security device becomes invalid, and an accurate decision to allow or prohibit the access behavior corresponding to the data packet cannot be made.
- the real source IP address of the data packet will be converted into a proxy IP address through the hypervisor layer, resulting in the security device in the network being unable to obtain the real source IP address corresponding to the data packet, and thus unable to accurately make a decision to allow or prohibit the access behavior corresponding to the data packet.
- Figure 1 is a schematic diagram of a network deployment scenario provided by an embodiment of the present application.
- IP1 is prohibited from accessing IP3 in the network, and IP2 is allowed to access IP3.
- the security policy 1 set on the security device in the network may include: prohibiting the data packet with source IP address IP1 and destination address IP3 from passing.
- IP1 in data packet 1 is converted into proxy IP1. Then, when data packet 1 passes through the security device, since the source IP address obtained by the security device from data packet 1 is proxy IP1 and the destination IP address is IP3, security policy 1 is not hit, so data packet 1 is allowed to pass.
- IP2 in data packet 2 is converted into proxy IP2. Then, when data packet 2 passes through the security device, the security device obtains the source IP address of proxy IP2 and the destination IP address of IP3 from data packet 2, and does not hit security policy 1, so data packet 2 is allowed to pass.
- the setting goal of security policy 1 is to prohibit data packet 1 from passing through and allow data packet 2 to pass through.
- the security device made the wrong decision of "allowing data packet 1 to pass through". It should be understood that the example in Figure 1 is only for the convenience of understanding this solution and is not used to limit this solution.
- when the access source accesses other target resources through source network address translation (SNAT) technology, the source IP address of the data packet is also translated on the transmission path, so that subsequent security devices cannot identify the actual source IP address corresponding to the data packet and thus cannot accurately decide whether to allow or prohibit the access behavior corresponding to the data packet.
- Figure 2 is another schematic diagram of the network deployment scenario provided by the embodiment of the present application.
- service 1 and service 2 are deployed in the same local area network
- the IP address of service 1 is IP4 of the private network
- the IP address of service 2 is IP5 of the private network.
- the source IP addresses of the data packets sent by service 1 and service 2 are converted based on the SNAT technology, so that the data packets sent by service 1 and service 2 are accessed through the same external network IP (for example, external network IP6 in Figure 2), and the source IP addresses of the data packets sent by service 1 and service 2 are both the aforementioned external network IP.
- the present application provides a method for processing data packets.
- Figure 3 is a flow chart of the method for processing data packets provided in the present application embodiment.
- the provided method for processing a data packet may include steps 301 to 306.
- a third device sends a first rule to a first device in a network.
- the first rule indicates that when a destination address of a sent data packet points to a first object, first identification information is written in a differentiated services code point DSCP field of the sent data packet.
- a first rule can be sent to one or more first devices corresponding to the second object in the network.
- the first rule indicates that when the destination address of a sent data packet points to the first object, first identification information is written in the differentiated services code point (DSCP) field of the sent data packet.
- the third device can be a network management device or a network device in the network (for example, a message forwarding device or a firewall), or the third device can also be a virtualized device.
- the specific configuration can be flexibly determined based on the actual application scenario and is not limited here.
- the first object or the second object may include any of the following: a type of business, the name of a network area, a type of user, or other types of objects.
- the second object includes a type of user (i.e., Internet users), and the first object includes a type of business (i.e., web services).
- Internet users are prohibited from accessing database services in the network; the second object includes a type of user (i.e., Internet users), and the first object includes a type of business (i.e., database services).
- web services are allowed to access database services in the network; the second object includes a type of business (i.e., web services), and the first object includes another type of business (i.e., database services).
- the office park is prohibited from accessing the data center in the network; then the second object includes the name of a network area (i.e., the office park), the first object includes the name of another network area (i.e., the data center), and so on.
- the access behavior of the second object to the first object represents the access behavior between businesses, networks, users, or between users, businesses and networks.
- the specific manifestations of the first object and the second object can be determined based on the actual situation in the network and are not limited here.
- the destination address of the data packet can be a destination IP address, a destination port, a destination media access control (MAC) address, or a combination of the foregoing information.
- since the first object can be a type of service, the name of a network area, or a type of user, "the destination address of the sent data packet points to the first object" is understood differently in each case:
- when the first object is service 1 (i.e., an example of a type of service), it can be understood as the device located at the destination address being able to provide service 1;
- when the first object is network area 1 (i.e., an example of the name of a network area), it can be understood as the destination address being included in the address range covered by network area 1;
- when the first object is a user of type 1, it can be understood as the address range occupied by the user of type 1 including the destination address.
- the first data packet may include control information and data.
- the control information of the first data packet may also be referred to as a header of the first data packet.
- the data of the first data packet may also be referred to as a payload of the first data packet.
- the control information of the first data packet includes a DSCP field.
- the third device may perform step 301 in a variety of ways.
- the third device may directly send a third data packet carrying the first rule to the first device.
- the first device may obtain the first rule from the third data packet.
- the first rule is used to indicate that when the destination address of a data packet sent by the first device (hereinafter referred to as a "first data packet" for convenience of description) points to a first object, first identification information corresponding to the first object is written in the DSCP field of the first data packet.
- the data carried by the third data packet also includes a first address set corresponding to the first object, that is, when the destination address of the first data packet belongs to the first address set, it represents that the destination address of the first data packet points to the first object.
- the data carried by the third data packet may also not include the first address set corresponding to the first object, but the first device has been pre-configured with the first address set, and the specific implementation method can be flexibly determined in combination with the actual application scenario.
- the first device may include a hypervisor layer and at least one instance, and the third device may also send the first rule to the hypervisor layer and/or the first instance in the first device.
- the "instance" may be specifically expressed as a virtual machine, a container, or other forms.
- the third device may send a first rule to the Hypervisor layer in the first device, where the first rule indicates that when the destination address of a first data packet sent by the first device points to a first object, the Hypervisor layer of the first device writes the first identification information in the DSCP field of the first data packet, that is, the Hypervisor layer of the first device independently performs the operation of "writing the first identification information in the DSCP field".
- the third device can use the existing functions in the neutron component of the cloud computing management platform (openstack) to execute the step of "sending the first rule to the Hypervisor layer in the first device" to reduce the computer resource overhead caused by the step of "sending the first rule to the Hypervisor layer in the first device".
- an L3-agent process can be deployed in the Hypervisor layer of the first device to communicate with the neutron component of openstack.
- the third device requests the neutron component of openstack to add the first rule to the Hypervisor layer of the first device by calling an interface; the neutron component of openstack can send the first rule to the L3-agent process in the Hypervisor layer of the first device.
- the first rule can be sent down to the pre-routing (PREROUTING) chain of the mangle table of the Hypervisor layer of the first device.
- one or more instances are deployed on the first device, and the first instance of the one or more instances corresponds to the second object.
- the third device can send a first rule to the first instance in the first device, and the first rule indicates that when the destination address of the first data packet sent by the first device points to the first object, the first instance of the first device writes the first identification information in the DSCP field of the first data packet, that is, the first instance of the first device independently performs the operation of "writing the first identification information in the DSCP field".
- since the second object can be a type of service, the name of a network area, or a type of user, "the first instance corresponds to the second object" is understood differently in each case:
- when the second object is service 2 (i.e., an example of a type of service), it can be understood as the first instance being an instance located on the first device that is used to provide service 2;
- when the second object is a user of type 2, it can be understood as the first instance on the first device being used by a user of type 2;
- when the second object is network area 2 (i.e., an example of the name of a network area), it can be understood as the address of the first instance being included in the address range covered by network area 2.
- the third device can use the existing functions in the cloud computing management platform to perform the step of "sending the first rule to the first instance in the first device" to reduce the computer resource overhead caused by the step of "sending the first rule to the first instance in the first device".
- the first instance of the first device can be deployed with an agent
- the third device requests the neutron component of openstack to add a first rule to the first instance of the first device by calling an interface; the neutron component of openstack can send the first rule to the agent process in the first instance of the first device.
- one or more instances are deployed on the first device, and the third device can send the first rule to each instance in the first device.
- the first rule indicates that when the destination address of a first data packet sent by the first device points to a first object, the instance of the first device writes the first identification information in the DSCP field of the first data packet, that is, each instance in the first device independently performs the operation of "writing the first identification information in the DSCP field".
- the third device may send a first sub-rule to the first instance of the first device and send a second sub-rule to the Hypervisor layer of the first device, wherein the first rule includes the first sub-rule and the second sub-rule.
- the first sub-rule indicates that when the destination address of the first data packet sent by the first device points to the first object, the first instance of the first device writes the first sub-identification information into the first field of the DSCP field of the first data packet;
- the second sub-rule indicates that when the destination address of the first data packet points to the first object, the Hypervisor layer of the first device writes the second sub-identification information into the second field of the DSCP field of the first data packet, and the first identification information includes the first sub-identification information and the second sub-identification information;
- the first field and the second field are different bits in the DSCP field, that is, the first instance of the first device and the Hypervisor layer jointly perform the operation of "writing the first identification information into the DSCP field".
- the first identification information corresponding to different first objects may be different.
- for example, when the first object is a web service, the first identification information corresponding to the web service may be af11; when the first object is a database service, the first identification information corresponding to the database service may be af12. It should be understood that the examples here are only for the convenience of understanding this solution, and the specific first identification information used is not limited here.
- the value written by the first device to the DSCP field is a binary value.
- the first identification information carried in the first rule may not be expressed in binary.
- the first identification information in a non-binary form may be mapped to the first identification information in a binary form.
- Table 1 shows multiple non-binary first identification information, and also shows the binary first identification information corresponding to each non-binary first identification information. It should be understood that the examples in Table 1 are only for the convenience of understanding this solution and are not used to limit this solution.
- the third device sends a second rule to a second device corresponding to the first object in the network, where the second rule indicates that when the DSCP field of the acquired data packet carries the first identification information, the access behavior corresponding to the acquired data packet is allowed or prohibited.
- a second rule can also be sent to the second device corresponding to the first object in the network.
- the second rule indicates that when the DSCP field of the data packet obtained by the second device (hereinafter referred to as the "second data packet" for convenience of description) carries the first identification information, the access behavior corresponding to the obtained data packet is allowed or prohibited.
- if the third device determines that the second object is allowed to access the first object, the second rule may indicate that when the DSCP field of the second data packet carries the first identification information, the access behavior corresponding to the acquired data packet is allowed; if the third device determines that the second object is prohibited from accessing the first object, the second rule may indicate that when the DSCP field of the second data packet carries the first identification information, the access behavior corresponding to the acquired data packet is prohibited.
- the second rule may also contain constraints on other optional items, and the aforementioned optional items may include any one or more of the following of the second data packet: adopted protocol type, source IP address, source port, destination IP address, destination port or other optional items, etc.
- Constraints on optional items may include a value range for each optional item.
- the protocol type includes, but is not limited to, Transmission Control Protocol (TCP), User Datagram Protocol (UDP) or other types of protocols, which are not exhaustive here.
- the source port and the destination port each include at least one port, and illustratively, the port may be 80, 90 or other ports, which are not exhaustive here.
- the second rule may include: discarding data packets whose source IP address is 100.64.0.0/11 and whose DSCP field value is not cs4.
- that is, the second data packet must first hit the constraint on the source IP address in the second rule (i.e., "the source IP address is 100.64.0.0/11"), and then, based on the constraint on the DSCP value in the second rule (i.e., "the DSCP value is cs4") and the value actually carried in the DSCP field of the second data packet, it is determined whether to discard the second data packet.
- the third device may perform step 302 in a variety of ways.
- the third device may directly send a fourth data packet carrying the second rule to the second device.
- the second device may obtain the second rule from the fourth data packet.
- the second rule carried in the fourth data packet sent by the third device to the second device may include: rule deny ip source 100.64.0.0 0.31.255.255 destination 100.125.0.0 0.0.255.255 dscp cs1.
- the meaning of the aforementioned second rule may include: discarding packets whose source IP address is in 100.64.0.0/11, whose destination IP address is in 100.125.0.0/16 and whose DSCP field value is cs1, that is, when the source IP address of the obtained packet is in 100.64.0.0/11, the destination IP address is in 100.125.0.0/16 and the value of the DSCP field is cs1, the access behavior corresponding to the packet is prohibited.
- in this example, the DSCP field value is a required item in the second rule, while the source IP address and the destination IP address are both optional items. It should be understood that the above examples are only for the convenience of understanding this solution and are not used to limit this solution.
- the second device may include a hypervisor layer, and the third device may also send the second rule to the Hypervisor layer in the second device.
- the specific implementation of "the third device sends the second rule to the Hypervisor layer in the second device" can refer to the above description of "the third device sends the first rule to the Hypervisor layer in the first device", which will not be repeated here.
- the second rule sent by the third device to the PREROUTING chain of the mangle table of the Hypervisor layer in the second device may include: iptables -t mangle -A PREROUTING -m dscp ! --dscp-class cs4 -s 100.64.0.0/11 -j DROP.
- the meaning of the aforementioned second rule includes: in the PREROUTING chain of the mangle table, a rule for discarding packets whose source IP address is 100.64.0.0/11 and whose DSCP field value is not cs4 is configured, that is, when the source IP address of the acquired packet is 100.64.0.0/11 and the value of the DSCP field is cs4, the access behavior corresponding to the packet is allowed.
- in this example, the DSCP field value is a mandatory item in the rule, and the source IP address is an optional item. It should be understood that the aforementioned example is only for the convenience of understanding this solution and is not used to limit this solution.
- Figure 4 is a schematic diagram of the first rule and the second rule configured on the third device provided in an embodiment of the present application, wherein IP1, occupied by the application (APP) used by tenants, is prohibited from accessing IP3, which is used to provide the management service, and IP2, used to provide service 2, is allowed to access IP3; both the management service and service 2 are services provided in the network.
- the third device can add a first rule to the PREROUTING chain of the mangle table of the Hypervisor layer of the first device by requesting the neutron component of openstack: when the destination IP address of the data packet sent by the first device is IP3, write af11 in the DSCP field of the data packet.
- the third device can also directly configure a second rule in the PREROUTING chain of the mangle table of the Hypervisor layer of the second device: discard data packets whose DSCP field value is not af11.
- when the first device sends the first data packet, if the destination IP address of the first data packet is IP3, the first device writes af11 into the DSCP field through the Hypervisor layer; when the first data packet arrives at the second device, since its DSCP field carries af11, the second device allows the access of the first data packet.
- when the device where the application (APP) used by the tenant is located (hereinafter referred to as the "fourth device" for convenience of description) sends a data packet, since the first rule is not configured on the fourth device, the value in the DSCP field of that data packet is 000000; when that data packet arrives at the second device, since its DSCP field does not carry af11, the second device prohibits its access. It should be understood that the example in Figure 4 is only for the convenience of understanding this solution and is not used to limit this solution.
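To make the rule matching above concrete, the following Python model is an added example (not the patent's own implementation) of the first rule, the second rule with its required DSCP item and optional address items, a PREROUTING-style chain walk, and the Figure 4 scenario. It assumes standard DSCP code points (RFC 2474/2597), DSCP packed as the high 6 bits of the IPv4 TOS byte, and constructed placeholder addresses for IP1/IP2/IP3/IP6.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed analogue of Table 1: non-binary DSCP names -> 6-bit code points (RFC 2474/2597).
DSCP_NAMES = {"cs1": 0b001000, "cs4": 0b100000, "af11": 0b001010, "af12": 0b001100}


def dscp_to_tos(dscp: int, ecn: int = 0) -> int:
    """Pack a 6-bit DSCP into the IPv4 TOS/DS byte (DSCP = high 6 bits, ECN = low 2 bits)."""
    return ((dscp & 0x3F) << 2) | (ecn & 0x3)


def tos_to_dscp(tos: int) -> int:
    """Read the 6-bit DSCP back out of the TOS/DS byte."""
    return (tos >> 2) & 0x3F


@dataclass
class Packet:
    src: str
    dst: str
    tos: int = 0  # DS byte; a device without the first rule leaves DSCP at 000000


@dataclass
class FirstRule:
    """Deployed on the first device: if the destination belongs to the first object's
    address set, write the first identification information into the DSCP field."""
    first_address_set: ipaddress.IPv4Network
    first_identification: str  # a key of DSCP_NAMES

    def apply(self, pkt: Packet) -> Packet:
        if ipaddress.ip_address(pkt.dst) in self.first_address_set:
            pkt.tos = dscp_to_tos(DSCP_NAMES[self.first_identification], pkt.tos & 0x3)
        return pkt


@dataclass
class SecondRule:
    """Deployed on the second device: the DSCP constraint is required, the source and
    destination prefixes are optional items; negate models iptables '-m dscp !'."""
    dscp: str
    action: str = "DROP"
    negate: bool = False
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        dscp_hit = tos_to_dscp(pkt.tos) == DSCP_NAMES[self.dscp]
        return dscp_hit != self.negate


def decide(chain: List[SecondRule], pkt: Packet, default: str = "ACCEPT") -> str:
    """Walk the chain in order like a PREROUTING chain; the first matching rule decides."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action
    return default


def snat(pkt: Packet, proxy_ip: str) -> Packet:
    """Source address translation on the path rewrites the source IP but not the DS byte."""
    pkt.src = proxy_ip
    return pkt


# The two second-rule examples from the text, expressed in this model.
RULE_DENY_CS1 = SecondRule(dscp="cs1", src=ipaddress.ip_network("100.64.0.0/11"),
                           dst=ipaddress.ip_network("100.125.0.0/16"))
RULE_DROP_NOT_CS4 = SecondRule(dscp="cs4", negate=True,
                               src=ipaddress.ip_network("100.64.0.0/11"))

# Constructed placeholder addresses for the Figure 4 scenario.
IP1, IP2, IP3, IP6 = "10.0.1.1", "10.0.2.2", "10.0.3.3", "203.0.113.6"
FIRST_RULE = FirstRule(ipaddress.ip_network(IP3 + "/32"), "af11")
SECOND_DEVICE_CHAIN = [SecondRule(dscp="af11", negate=True, action="DROP")]


def figure4_scenario() -> dict:
    """service 2 (first device) marks af11; the tenant APP (fourth device) has no first rule.
    Both are SNATed to the same external IP6, so only the DSCP mark tells them apart."""
    from_service2 = snat(FIRST_RULE.apply(Packet(IP2, IP3)), IP6)
    from_app = snat(Packet(IP1, IP3), IP6)
    return {
        "service2": decide(SECOND_DEVICE_CHAIN, from_service2),
        "app": decide(SECOND_DEVICE_CHAIN, from_app),
    }
```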
- other devices send rules to the first device and the second device, which is conducive to the unified issuance of rules to multiple devices in the network by other control devices, and is conducive to avoiding conflicts among rules in different devices in the network, so as to further improve the security of the network.
- when the destination address of the first data packet points to the first object, the first device writes first identification information in the DSCP field of the first data packet, where the first identification information is used to instruct the second device corresponding to the first object to allow or prohibit the access behavior corresponding to the first data packet.
- the third device deploys the first rule in the first device corresponding to the second object
- the first device wants to send a first data packet (that is, send any data packet)
- it can judge whether the destination address of the first data packet points to the first object according to the instruction of the first rule. If the judgment result is yes, the first identification information corresponding to the first object can be written in the DSCP field of the first data packet; wherein the first identification information is used to indicate whether the second device corresponding to the first object allows or prohibits the access behavior corresponding to the first data packet.
- the DSCP field in the first data packet has 8 bits, and the aforementioned 8 bits may include bits 0 to 7.
- the first device may use 6 bits of the aforementioned 8 bits to perform the filling operation of the first identification information; illustratively, the first identification information may occupy any one or more bits from the 0th bit to the 5th bit of the DSCP field.
- the first device corresponding to the second object may be the device that generates the first data packet, or it may be the switch nearest to (i.e., directly connected to) the device that generates the first data packet.
- in one case, the first device corresponding to the second object is the device that generates the first data packet. Illustratively, since the second object can be a type of service, the name of a network area, or a type of user: when the second object is service 3 (i.e., an example of a type of service), "the first device corresponding to the second object" can be understood as the device that can provide service 3; when the second object is network area 3 (i.e., an example of the name of a network area), it can be understood as a device within the address range covered by network area 3; when the second object is a user of type 3, it can be understood as a device within the address range occupied by the user of type 3.
- in the other case, the first device corresponding to the second object is the switch nearest to the device that generates the first data packet. Illustratively, when the second object is service 3, "the first device corresponding to the second object" can be understood as the switch nearest to the device that can provide service 3, with a communication connection between that device and the switch.
- when the second object is network area 3, "the first device corresponding to the second object" can be understood as the switch located outside network area 3 and nearest to it, with the devices in network area 3 communicatively connected to the switch.
- when the second object is a user of type 3, "the first device corresponding to the second object" can be understood as the switch located outside the address range occupied by the user of type 3 and nearest to that address range, with the devices occupied by the user of type 3 communicatively connected to the switch.
- Figure 5 is a schematic diagram of the position of the first device provided in an embodiment of the present application.
- in Figure 5, any device for providing service 1 can be regarded as A1, and the two devices for providing service 1 are communicatively connected to a switch A2; the first device can be either A1 or A2, where A1 is a device that generates the first data packet and A2 is the switch nearest to the device that generates the first data packet.
- when the first device is the device generating the first data packet: since that device already needs to write data into the control information of the first data packet when generating it, having it also perform the operation of "writing the first identification information into the DSCP field" improves the convenience of the present solution.
- when the first device is the switch connected to the device generating the first data packet: such a switch is generally connected to multiple devices that generate first data packets, so if the switch performs the operation of "writing the first identification information into the DSCP field", the first rule only needs to be sent to one switch instead of to each of those devices, thereby reducing the computer resources consumed by the step of "sending the first rule to the first device".
- the first device may perform "writing the first identification information into the DSCP field of the first data packet" in a variety of ways.
- a Hypervisor layer and at least one instance may be deployed in the first device.
- the first device may write the first identification information into the DSCP field of the first data packet through the Hypervisor layer and/or the first instance.
- the meanings of the terms here may refer to the descriptions in the aforementioned steps and are not repeated here.
- the Hypervisor layer in the first device can write all the first identification information into the DSCP field of the first data packet.
- the Hypervisor layer in the first device requires higher management authority, and correspondingly, the probability of the Hypervisor layer in the first device being successfully attacked by hackers is smaller, that is, the Hypervisor layer in the first device has a higher security.
- Performing the writing operation of the first identification information through the Hypervisor layer in the first device is conducive to improving the security of the aforementioned operation, that is, reducing the probability of carrying the first identification information in an illegal data packet, thereby reducing the probability of an illegal data packet successfully accessing the second device, which is conducive to improving the security of the network.
- a first instance in a first device writes first sub-identification information to a first field in a DSCP field, and the first instance is an instance corresponding to a second object among multiple instances deployed by the first device; a hypervisor layer in the first device writes second sub-identification information to a second field in the DSCP field, and the identification information includes the first sub-identification information and the second sub-identification information.
- the first field and the second field are different bits in the DSCP field.
- when the first device is a device that generates the first data packet, different instances may correspond to different objects; for example, different instances on the first device are used to provide different types of services, or different instances on the first device are occupied by different types of users, etc.
- the first instance and the Hypervisor layer in the first device jointly perform the writing operation of the first identification information, so that the "writing operation of the first identification information" can be managed at a finer-grained perspective to avoid the first identification information being carried in the data packets sent by the instances corresponding to other objects on the first device, thereby further reducing the probability of illegal data packets successfully accessing the second device, so as to further improve the security of the network.
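As an added illustration of the joint-writing scheme (example code, not from the patent), the following Python model assumes the first field is the low 3 bits of the 6-bit DSCP value and the second field the high 3 bits, with constructed sub-identification values chosen so that the two halves combine to af11; a packet from an instance of another object only receives the Hypervisor half and so fails the second device's check.

```python
# Assumed split of the 6-bit DSCP value: first field = bits 0-2 (written by the first
# instance), second field = bits 3-5 (written by the Hypervisor layer).
FIRST_FIELD_MASK = 0b000111
SECOND_FIELD_MASK = 0b111000

FIRST_SUB_ID = 0b010   # constructed first sub-identification information
SECOND_SUB_ID = 0b001  # constructed second sub-identification information
# The complete first identification information is the union of both halves: 001010 = af11.
FIRST_IDENTIFICATION = (SECOND_SUB_ID << 3) | FIRST_SUB_ID


def instance_write(dscp: int, instance_object: str, second_object: str) -> int:
    """First sub-rule: only the instance corresponding to the second object writes the
    first field; instances belonging to other objects leave the DSCP value untouched."""
    if instance_object != second_object:
        return dscp
    return (dscp & ~FIRST_FIELD_MASK & 0x3F) | (FIRST_SUB_ID & FIRST_FIELD_MASK)


def hypervisor_write(dscp: int) -> int:
    """Second sub-rule: the Hypervisor layer writes the second field for every packet whose
    destination points to the first object, whichever instance sent it."""
    return (dscp & ~SECOND_FIELD_MASK & 0x3F) | ((SECOND_SUB_ID << 3) & SECOND_FIELD_MASK)


def mark_on_first_device(instance_object: str, second_object: str = "service2") -> int:
    """A packet leaves an instance (DSCP starts at 000000) and then crosses the Hypervisor."""
    return hypervisor_write(instance_write(0, instance_object, second_object))


def second_device_accepts(dscp: int) -> bool:
    """The second device requires the complete first identification, not just one half."""
    return dscp == FIRST_IDENTIFICATION
```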
- the first device writes the first identification information in the DSCP field of the first data packet through an instance.
- each instance in the first device can write the first identification information in the DSCP field of the first data packet; in another implementation, the first instance in the first device can write the first identification information in the DSCP field of the first data packet, and the first instance is an instance corresponding to the second object among multiple instances deployed by the first device.
- another implementation scheme for writing the first identification information into the DSCP field of the first data packet is provided, which improves the implementation flexibility of the present scheme; if only the first instance writes the first identification information in the DSCP field of the first data packet, it can be avoided that the data packets sent by the instances corresponding to other objects on the first device also carry the first identification information, thereby further reducing the probability of illegal data packets successfully accessing the second device, so as to further improve the security of the network.
- the first device may not write the first identification information into the DSCP field through the Hypervisor layer and/or the instance, but may write the first identification information into the DSCP field of the first data packet through the operating system.
- the first device sends a first data packet to the second device.
- the first device can send a first data packet to the second device through the network, and correspondingly, the second device can obtain the first data packet.
- the second device obtains the first identification information from the DSCP field of the first data packet.
- after obtaining the first data packet, the second device can read information from the DSCP field of the first data packet.
- the second device can obtain the first identification information corresponding to the first object from the DSCP field of the first data packet; or the second device can also obtain the second identification information from the DSCP field of the first data packet.
- the second identification information may be 000000; for another example, if identification information corresponding to other third objects is written into the DSCP field of the first data packet, the second identification information may also represent the identification information corresponding to the third object; for another example, if information is randomly written into the DSCP field of the first data packet by an illegal device, the second identification information may also represent the aforementioned randomly written information, etc.
- the second device corresponding to the first object may be the server pointed to by the destination address of the first data packet, and/or the second device corresponding to the first object may be a security device that manages the aforementioned server, which can also be understood as a security device directly connected to the aforementioned server; the aforementioned server corresponds to the first object.
- a security device in a network refers to a device in which a security policy is deployed in the network, and the aforementioned security device may include any one or more of the following: a firewall, or a network device for forwarding messages, etc.
- the first object can be a type of service, the name of a network area, or a type of user.
- the first object is service 4 (i.e., an example of a type of service)
- "the server pointed to by the destination address of the first data packet corresponds to the first object" can be understood as meaning that the server located at the destination address can provide service 4.
- the first object is network area 4 (i.e., an example of the name of a network area)
- "the server pointed to by the destination address of the first data packet corresponds to the first object" can be understood as meaning that the server located at the destination address belongs to network area 4.
- the first object is a user of type 4
- "the server pointed to by the destination address of the first data packet corresponds to the first object" can be understood as meaning that the server located at the destination address is used by a user of type 1.
- Figure 6 is a schematic diagram of the location of the first device provided in an embodiment of the present application.
- the Web server used to provide Web services is denoted B1, and the Web server is located in the "data center" network area.
- the security device closest to the Web server is a firewall used to control whether data packets are allowed to enter the data center.
- the second device can be selected as B1 or B2.
- the address of B1 is the destination address of the first data packet
- B2 is a security device in the network that is directly connected to the destination address of the first data packet.
- the second device allows or prohibits an access behavior corresponding to the first data packet according to the first identification information.
- after reading information from the DSCP field of the first data packet, the second device can determine whether to allow the access behavior corresponding to the first data packet based on the read information and the second rule, and then allow or prohibit the access behavior corresponding to the first data packet accordingly.
- the second device may perform the step of "determining whether to allow access behavior corresponding to the first data packet based on the read information and the second rule" in a variety of ways. In one implementation, if virtualization technology is used in the second device, the second device may determine whether to allow access behavior corresponding to the first data packet based on the information read from the DSCP field of the first data packet and the second rule through the Hypervisor layer.
- the second rule indicates that when the DSCP field of the acquired data packet carries the first identification information, the access behavior corresponding to the acquired data packet is allowed; if the Hypervisor layer of the second device obtains the first identification information from the DSCP field of the first data packet, it determines to allow the access behavior corresponding to the first data packet. If the Hypervisor layer of the second device obtains the second identification information from the DSCP field of the first data packet, it is determined to allow the access behavior corresponding to the first data packet.
- the second rule indicates that when the DSCP field of the acquired data packet carries the first identification information
- if the Hypervisor layer of the second device obtains the first identification information from the DSCP field of the first data packet, it determines to prohibit the access behavior corresponding to the first data packet. If the Hypervisor layer of the second device obtains the second identification information from the DSCP field of the first data packet, it determines to allow the access behavior corresponding to the first data packet.
- Figure 7 is another flow chart of the method for processing data packets provided in an embodiment of the present application.
- Figure 7 can be understood in conjunction with Figure 4 above.
- the third device configures the first rule into the Hypervisor layer of the first device (i.e., the device used to provide service2) through the neutron component of openstack, and configures the second rule into the Hypervisor layer of the second device, which is used to provide management services. As shown in Figure 7, when the device used to provide service2 sends a data packet whose destination IP address is IP3, the DSCP field of that data packet carries af11, and the second device determines, according to the second rule, to allow the access behavior corresponding to that data packet.
- the second device allows or prohibits the access behavior corresponding to the first data packet
- the second device is the server pointed to by the destination address of the first data packet. If the second device allows the access behavior corresponding to the first data packet, the second device reads the data carried in the first data packet and executes the instruction corresponding to the first data packet. If the second device prohibits the access behavior corresponding to the first data packet, the second device can perform packet loss processing on the first data packet.
- the second device is a security device connected to the server pointed to by the destination address of the first data packet
- if the second device allows the access behavior corresponding to the first data packet, the second device may allow the first data packet to pass through. If the second device prohibits the access behavior corresponding to the first data packet, the second device may prohibit the first data packet from passing through and perform packet loss processing on the first data packet.
- only when the first data packet reaches its destination address is it determined, based on the information carried in the DSCP field of the first data packet, whether the access behavior corresponding to the first data packet is allowed to be executed; this avoids processing a data packet based on the value of its DSCP field when its destination address does not point to the first object, which is beneficial to further improving the accuracy of the processing results for the access behavior corresponding to the data packet.
- when the first data packet reaches the security device connected to the server pointed to by its destination address, it is determined at that point, according to the information carried in the DSCP field of the first data packet, whether the access behavior corresponding to the first data packet is allowed to be executed; that is, an independent security device executes the operation of allowing or prohibiting the first data packet to pass, which reduces the burden on the server pointed to by the destination address of the first data packet and improves the security of that server. Moreover, a security device is generally used to control whether data packets are allowed to enter multiple devices, so deploying the second rule on the security device is conducive to reducing the computer resources consumed by the process of "deploying the second rule".
- This solution additionally introduces the operation of writing the first identification information into the DSCP field of the data packet. Since the value in the DSCP field of a data packet generally does not change while the data packet is in transit, all devices in the network can obtain the real first identification information from the DSCP field and then use it to accurately allow or prohibit the access behavior corresponding to the data packet, thereby improving the security of the network. In addition, the DSCP field already exists in the data packet, so choosing to write the identification information in the DSCP field does not require major changes to existing technology, which is conducive to reducing the computer resources consumed to implement this solution. Furthermore, the various devices in the network are able to interpret the control information of data packets, so the identification information can be obtained from the DSCP field of the data packet, and the present solution executed, without upgrading the capabilities of the devices in the network, further reducing the computer resources consumed to implement this solution.
- Figure 8a is a schematic diagram of a scenario in which the security policy provided in the embodiment of the present application fails.
- Figure 8b is a schematic diagram of a method for processing data packets provided in the embodiment of the present application.
- Resource users are allowed to access management services in the network, and ordinary tenants are prohibited from accessing management services.
- any one or more security devices in the network can be configured with security policy 2, which may include: prohibiting data packets with source IP address IP1 from accessing IP3, and allowing data packets with source IP address IP7 to access IP3.
- because the Hypervisor layer of the devices where ordinary tenants and resource tenants are located translates the source IP addresses of outgoing data packets, the security devices in the network cannot obtain the real source IP addresses of the data packets, which makes the security policies configured on the security devices invalid.
- the data packet processing method provided by the present application can be used to configure the first rule in the Hypervisor layer of the device where the resource tenant is located: when the destination IP of the data packet is IP3, write af11 in the DSCP field of the data packet; configure the second rule in the Hypervisor layer of the device used to provide management services: discard the data packet whose value in the DSCP field is not af11. Since the first rule is not configured in the device where the ordinary tenant is located, when the destination IP of the data packet sent by the device where the ordinary tenant is located is IP3, the DSCP field of the data packet carries 000000. When the aforementioned data packet reaches the device used to provide management services, the device used to provide management services can determine to discard the aforementioned data packet according to the second rule.
- for a data packet whose DSCP field carries af11, the device used to provide management services can determine, according to the second rule, to allow the access behavior corresponding to that data packet. It should be understood that the examples in Figures 8a and 8b are only for the convenience of understanding this solution and are not used to limit this solution.
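The Figure 8b rules worked through in code, as an added example written for this page (not code from the patent): a hypervisor-side first rule that marks af11 only on packets whose destination is IP3, a second rule on the management server that drops anything not carrying af11, and the instance/hypervisor split of the DSCP bits into a first and a second sub-identification field. The addresses, the 3-bit/3-bit field split and the payload are constructed assumptions.

```python
import struct
from ipaddress import IPv4Address

AF11 = 0b001010      # DSCP codepoint af11 (RFC 2597), the marker used in Figure 8b
UNMARKED = 0b000000  # what a packet from an unmarked (ordinary-tenant) device carries

# Constructed addresses standing in for the patent's IP1 / IP7 / IP3 labels.
IP1 = "10.0.0.1"  # ordinary tenant: no first rule on its hypervisor
IP7 = "10.0.0.7"  # resource tenant: first rule installed on its hypervisor
IP3 = "10.0.3.3"  # device providing the management service

# Assumed split of the 6 DSCP bits into the two sub-identification fields:
# (shift, width) -> bits 0-2 written by the instance, bits 3-5 by the hypervisor.
INSTANCE_FIELD = (0, 3)
HYPERVISOR_FIELD = (3, 3)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; header must have its checksum zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src: str, dst: str, payload: bytes, dscp: int = 0, ecn: int = 0) -> bytes:
    """Minimal IPv4 packet: 20-byte header, no options, UDP protocol number, TTL 64."""
    ds_byte = ((dscp & 0x3F) << 2) | (ecn & 0x03)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, ds_byte, 20 + len(payload), 0, 0, 64, 17, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def get_dscp(packet: bytes) -> int:
    """The DSCP is the upper 6 bits of the DS byte (byte 1 of the IPv4 header)."""
    return packet[1] >> 2


def dst_address(packet: bytes) -> str:
    return str(IPv4Address(packet[16:20]))


def set_dscp(packet: bytes, dscp: int) -> bytes:
    """Rewrite the 6 DSCP bits, keep the 2 ECN bits untouched, and fix the header checksum."""
    ihl = (packet[0] & 0x0F) * 4
    header = bytearray(packet[:ihl])
    header[1] = ((dscp & 0x3F) << 2) | (header[1] & 0x03)
    header[10:12] = b"\x00\x00"
    header[10:12] = struct.pack("!H", ipv4_checksum(bytes(header)))
    return bytes(header) + packet[ihl:]


def write_subfield(dscp: int, value: int, shift: int, width: int) -> int:
    """Place `value` into `width` bits of the 6-bit DSCP value starting at bit `shift`."""
    mask = ((1 << width) - 1) << shift
    return (dscp & 0x3F & ~mask) | ((value << shift) & mask)


def apply_first_rule(packet: bytes, rule_dst: str, identification: int) -> bytes:
    """Hypervisor-side first rule: mark only packets whose destination points to the first object."""
    if dst_address(packet) == rule_dst:
        return set_dscp(packet, identification)
    return packet


def mark_with_split(packet: bytes, instance_sub_id: int, hypervisor_sub_id: int) -> bytes:
    """Instance writes the first sub-identification, hypervisor the second; together they form the DSCP."""
    dscp = write_subfield(get_dscp(packet), instance_sub_id, *INSTANCE_FIELD)
    dscp = write_subfield(dscp, hypervisor_sub_id, *HYPERVISOR_FIELD)
    return set_dscp(packet, dscp)


def apply_second_rule(packet: bytes, expected: int) -> str:
    """Second rule on the management server: drop any packet whose DSCP is not the expected marker."""
    return "allow" if get_dscp(packet) == expected else "drop"


def simulate_figure_8b() -> dict:
    """Both tenants send to IP3; only the resource tenant's hypervisor carries the first rule."""
    payload = b"mgmt-request"  # constructed payload
    from_resource = apply_first_rule(build_ipv4_packet(IP7, IP3, payload), IP3, AF11)
    from_ordinary = build_ipv4_packet(IP1, IP3, payload)  # no first rule: DSCP stays 000000
    elsewhere = apply_first_rule(build_ipv4_packet(IP7, "10.0.9.9", payload), IP3, AF11)
    return {
        "resource_to_ip3": apply_second_rule(from_resource, AF11),
        "ordinary_to_ip3": apply_second_rule(from_ordinary, AF11),
        "resource_elsewhere_dscp": get_dscp(elsewhere),  # rule does not fire: stays UNMARKED
    }


if __name__ == "__main__":
    print(simulate_figure_8b())
```

The checksum is recomputed on every rewrite so the marked packet stays valid for downstream IP stacks; the ECN bits are deliberately left alone because the patent's identification information occupies only the DSCP bits.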
- FIG. 9 is a structural diagram of a data packet processing system provided by an embodiment of the present application.
- a data packet processing system 900 includes a filling module 901 in a first device and a sending module 902 in the first device, and the data packet processing system also includes an acquisition module 903 in a second device and a processing module 904 in the second device.
- the filling module 901 is used to write identification information in the differentiated service code point DSCP field of the first data packet when the destination address of the first data packet points to the first object;
- the first device is a device that generates the first data packet, or the first device is a switch connected to the device that generates the first data packet;
- the sending module 902 is used to send the first data packet;
- the acquisition module 903 is used to acquire the first data packet, the second device is the server pointed to by the destination address of the first data packet, or the second device is a security device that manages the server, and the server corresponds to the first object;
- the acquisition module 903 is also used to acquire identification information from the DSCP field of the first data packet;
- the processing module 904 is used to allow or prohibit the access behavior corresponding to the first data packet according to the identification information.
- the filling module 901 is specifically used to write the identification information into the DSCP field of the first data packet through the hypervisor layer.
- the filling module 901 is specifically used to: write first sub-identification information to a first field in the DSCP field through a first instance, where the first instance is an instance corresponding to the second object; write second sub-identification information to a second field in the DSCP field through a Hypervisor layer, where the identification information includes the first sub-identification information and the second sub-identification information.
- the filling module 901 is specifically configured to write identification information into the DSCP field of the first data packet through an instance.
- the data packet processing system 900 further includes: a first receiving module in the first device, used to receive a first rule sent by the third device, the first rule indicating that when the destination address of the sent data packet points to the first object, identification information is written in the DSCP field of the sent data packet.
- the data packet processing system 900 further includes: a second receiving module in the second device, used to receive a second rule sent by the third device, the second rule indicating that when the DSCP field of the acquired data packet carries identification information, access behavior corresponding to the acquired data packet is allowed or prohibited.
- FIG 10 is a structural diagram of a data packet processing device provided in an embodiment of the present application.
- the data packet processing device 1000 is applied to a first device, and the data packet processing device 1000 includes: a filling module 1001, which is used to write identification information in the differentiated services code point DSCP field of the first data packet when the destination address of the first data packet points to the first object, and the identification information is used to indicate that the second device allows or prohibits the access behavior corresponding to the first data packet; a sending module 1002, which is used to send the first data packet.
- a filling module 1001 which is used to write identification information in the differentiated services code point DSCP field of the first data packet when the destination address of the first data packet points to the first object, and the identification information is used to indicate that the second device allows or prohibits the access behavior corresponding to the first data packet
- a sending module 1002 which is used to send the first data packet.
- the first device is a device that generates the first data packet, or the first device is a switch connected to the device that generates the first data packet; the second device is a server pointed to by the destination address of the first data packet, or the second device is a security device that manages the server, and the server corresponds to the first object.
- the filling module 1001 is specifically configured to write identification information into the DSCP field of the first data packet through the hypervisor layer.
- FIG 11 is another structural schematic diagram of a data packet processing device provided in an embodiment of the present application.
- the data packet processing device 1100 is applied to the second device, and the data packet processing device 1100 includes: an acquisition module 1101, which is used to acquire a first data packet, wherein the second device is a server pointed to by the destination address of the first data packet, or the second device is a security device for managing the server; the acquisition module 1101 is also used to acquire identification information from the differentiated services code point DSCP field of the first data packet; and the processing module 1102 is used to allow or prohibit access behavior corresponding to the first data packet according to the identification information.
- an acquisition module 1101 which is used to acquire a first data packet, wherein the second device is a server pointed to by the destination address of the first data packet, or the second device is a security device for managing the server
- the acquisition module 1101 is also used to acquire identification information from the differentiated services code point DSCP field of the first data packet
- the processing module 1102 is used to allow or prohibit access behavior
- the first data packet originates from a first device, and the identification information in the first data packet is obtained through a hypervisor layer in the first device.
- FIG 12 is another structural schematic diagram of a data packet processing device provided in an embodiment of the present application.
- the data packet processing device 1200 is applied to a third device, and the data packet processing device 1200 includes: a sending module 1201, which is used to send a first rule to a first device in the network, and the first rule indicates that when the destination address of the data packet sent by the first device points to the first object, the identification information is written in the differentiated service code point DSCP field of the sent data packet;
- the first device is a device that generates the first data packet, or the first device is a switch connected to the device that generates the first data packet;
- the sending module 1201 is also used to send a second rule to a second device in the network, and the second rule indicates that when the DSCP field of the acquired data packet carries identification information, the access behavior corresponding to the acquired data packet is allowed or prohibited;
- the second device is the server pointed to by the destination address of the first data packet, or the second device is a security device that manages the server
- the sending module 1201 is specifically configured to send the first rule to the hypervisor layer of the first device.
- the embodiment of the present application further provides a device, please refer to Figure 13, which is a schematic diagram of a structure of the device provided by the embodiment of the present application.
- the device 1300 is equipped with the data packet processing device of any one of Figures 10 to 13.
- the device 1300 is implemented by a general bus architecture.
- the device 1300 includes at least one processor 1301, a communication bus 1302, a memory 1303, and at least one communication interface 1304.
- the processor 1301 is a general-purpose CPU, NP, microprocessor, or one or more integrated circuits for implementing the solution of the present application, such as an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof.
- ASIC application-specific integrated circuit
- PLD programmable logic device
- the above-mentioned PLD is a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL) or any combination thereof.
- the communication bus 1302 is used to transmit information between the above components.
- the communication bus 1302 is divided into an address bus, a data bus, a control bus, etc. For ease of representation, only one thick line is used in the figure, but it does not mean that there is only one bus or one type of bus.
- the memory 1303 is a read-only memory (ROM) or other types of static storage devices that can store static information and instructions.
- the memory 1303 is a random access memory (RAM) or other types of dynamic storage devices that can store information and instructions.
- the memory 1303 is an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compressed optical disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store the desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited thereto.
- the memory 1303 exists independently and is connected to the processor 1301 through the communication bus 1302.
- the memory 1303 and the processor 1301 are integrated together.
- the communication interface 1304 uses any transceiver-like device for communicating with other devices or communication networks.
- the communication interface 1304 includes a wired communication interface.
- the communication interface 1304 also includes a wireless communication interface.
- the wired communication interface is, for example, an Ethernet interface.
- the Ethernet interface is an optical interface, an electrical interface or a combination thereof.
- the wireless communication interface is a wireless local area network (WLAN) interface, a cellular network communication interface or a combination thereof, etc.
- WLAN wireless local area network
- the processor 1301 includes one or more CPUs, such as CPU0 and CPU1 shown in FIG. 13.
- device 1300 includes multiple processors, such as processor 1301 and processor 1305 shown in Figure 13. Each of these processors is a single-core processor (single-CPU) or a multi-core processor (multi-CPU).
- the processor here refers to one or more devices, circuits, and/or processing cores for processing data (such as computer program instructions).
- the memory 1303 is used to store the program code 1313 for executing the solution of the present application, and the processor 1301 executes the program code 1313 stored in the memory 1303. That is, the device 1300 implements the above method embodiment through the processor 1301 and the program code 1313 in the memory 1303.
- A refers to B, which means that A is the same as B or A is a simple variant of B.
- first and second in the description and claims of the embodiments of the present application are used to distinguish different objects, rather than to describe the specific order of the objects, and cannot be understood as indicating or implying relative importance.
- the first speed-limited channel and the second speed-limited channel are used to distinguish different speed-limited channels, rather than to describe a specific order of the speed-limited channels, and this cannot be understood as the first speed-limited channel being more important than the second speed-limited channel.
- the above embodiments can be implemented in whole or in part by software, hardware, firmware or any combination thereof.
- when implemented by software, it can be implemented in whole or in part in the form of a computer program product.
- the computer program product includes one or more computer instructions.
- when the computer program instructions are loaded and executed on a computer, the process or function described in the embodiment of the present application is generated in whole or in part.
- the computer can be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device.
- the computer instructions can be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another computer-readable storage medium.
- the computer instructions can be transmitted from a website site, computer, server or data center by wired (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) mode to another website site, computer, server or data center.
- the computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device such as a server or data center that includes one or more available media integrated.
- the available medium can be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a DVD), or a semiconductor medium (e.g., a solid state drive (SSD)), etc.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Small-Scale Networks (AREA)
Abstract
This application discloses a data packet processing method and relates to the field of network security technology. The method includes: when the destination address of a first data packet points to a first object, a first device writes identification information into the DSCP field of the first data packet and then sends the first data packet; the first device is the device that generates the first data packet, or a switch connected to the device that generates the first data packet. After a second device obtains the first data packet, it allows or prohibits the access behavior corresponding to the first data packet according to the identification information in the DSCP field of the first data packet; the second device is the server pointed to by the destination address of the first data packet, or a security device that manages that server. Since the value in the DSCP field generally does not change while the data packet is in transit, the second device can obtain the real identification information from the DSCP field and can therefore accurately decide whether to allow or prohibit the access behavior corresponding to the data packet, improving the security of the network.
Description
This application claims priority to the Chinese patent application filed with the Chinese Patent Office on October 27, 2022, with application number 202211330218.4 and title "Method and device for resolving address overlap in multi-tenant virtual networks through DSCP coloring for layer-4 isolation", and to the Chinese patent application filed with the Chinese Patent Office on February 16, 2023, with application number CN202310125731.8 and title "Data packet processing method and related apparatus", the entire contents of which are incorporated herein by reference.
This application relates to the field of network security technology, and in particular to a data packet processing method and related apparatus.
In recent years, network security problems have become increasingly prominent. To ensure network security, security devices (for example, firewalls) are deployed to block external attacks. Network administrators usually deploy security policies on the security devices in the network based on the Internet Protocol (IP) five-tuple, so that the security devices in the network identify, from the IP addresses carried in data packets, which data packets must be blocked or allowed through.
However, the source IP address and/or destination IP address of a data packet may be translated along its transmission path. For example, if a device in the network uses virtualization technology, then when that device sends a data packet to another device, its hypervisor layer translates the real source IP address of the packet into a proxy IP address. As the packet travels through the network, the security devices in the network cannot obtain its real source IP address and therefore cannot match it against the security policy on the basis of the real source IP address. The security policy deployed on the security device is thus invalidated, and an accurate decision to allow or prohibit the access behavior corresponding to the packet cannot be made.
Summary
This application provides a data packet processing method and related apparatus that additionally introduce the operation of writing first identification information into the DSCP field of a data packet. Since the value in the DSCP field of a data packet generally does not change while the packet is in transit, every device in the network can obtain the real first identification information from the DSCP field and can use it to accurately decide whether to allow or prohibit the access behavior corresponding to the packet, improving the security of the network.
A first aspect of this application provides a data packet processing method applicable to the field of network security technology. The method may include: when the destination address of a first data packet points to a first object, a first device writes identification information into the differentiated services code point (DSCP) field of the first data packet, where the first device is the device that generates the first data packet or a switch connected to the device that generates the first data packet. The first device sends the first data packet and, correspondingly, a second device obtains it, where the second device is the server pointed to by the destination address of the first data packet or a security device that manages that server, and the server pointed to by the destination address of the first data packet corresponds to the first object. The second device obtains the identification information from the DSCP field of the first data packet and, according to that identification information, allows or prohibits the access behavior corresponding to the first data packet.
By way of example, the first object may include any of the following: a type of service, the name of a network area, a type of user, or another type of object. For instance, the network allows Internet users to access web services; the first object then includes a type of service (namely, the web service). As another instance, the network prohibits the office campus from accessing the data center; the first object then includes the name of a network area (namely, the data center).
By way of example, when the first object is service 1 (an example of a type of service), both "the destination address of the first data packet points to the first object" and "the server pointed to by the destination address of the first data packet corresponds to the first object" can be understood as meaning that the server at that destination address can provide service 1. Alternatively, when the first object is network area 1 (an example of the name of a network area), "the destination address of the first data packet points to the first object" can be understood as meaning that the destination address falls within the address range covered by network area 1, and "the server pointed to by the destination address of the first data packet corresponds to the first object" as meaning that the server at that destination address belongs to network area 1. Alternatively, when the first object is a user of type 1, "the destination address of the first data packet points to the first object" can be understood as meaning that the address range occupied by users of type 1 includes the destination address, and "the server pointed to by the destination address of the first data packet corresponds to the first object" as meaning that the server at that destination address is used by a user of type 1.
In this implementation, the operation of writing first identification information into the DSCP field of the data packet is additionally introduced. Since the value in the DSCP field of a data packet generally does not change while the packet is in transit, every device in the network can obtain the real first identification information from the DSCP field and use it to accurately decide whether to allow or prohibit the access behavior corresponding to the packet, improving the security of the network. The DSCP field already exists in the data packet, so choosing to write the identification information there requires no major change to existing technology, which helps reduce the computing resources consumed in implementing this solution. Moreover, the various devices in the network are all able to interpret the control information of a data packet, so the identification information can be obtained from the DSCP field, and this solution executed, without upgrading the capabilities of the devices in the network, further reducing the computing resources consumed in implementing this solution.
Because a device must already write data into the control information of the first data packet when it generates that packet, having the device that generates the first data packet perform the operation of "writing the first identification information into the DSCP field" improves the convenience of this solution. A switch connected to the device that generates the first data packet is generally connected to multiple such devices, so having the switch perform the operation of "writing the first identification information into the DSCP field" means that the first rule needs to be sent to only one switch rather than to multiple packet-generating devices, reducing the computing resources consumed by the step of "sending the first rule to the first device".
Only when the first data packet reaches its destination address is it determined, according to the information carried in the DSCP field of the first data packet, whether the access behavior corresponding to the first data packet is allowed to be executed; this avoids processing a packet on the basis of the DSCP value of a packet whose destination address does not point to the first object, which helps further improve the accuracy of the processing results for the access behavior corresponding to the packet. Alternatively, when the first data packet reaches the security device connected to the server pointed to by its destination address, it is determined at that point, according to the information carried in the DSCP field of the first data packet, whether the corresponding access behavior is allowed to be executed; that is, an independent security device performs the operation of allowing or prohibiting the first data packet from passing, which lightens the burden on the server pointed to by the destination address of the first data packet and improves the security of that server. Moreover, one security device is generally used to control whether data packets are allowed to enter multiple devices, so deploying the second rule on the security device helps reduce the computing resources consumed by the process of "deploying the second rule".
In one implementation, the DSCP field in the first data packet has 8 bits, which may comprise bit 0 through bit 7. Optionally, the first device may use 6 of these 8 bits to perform the writing of the first identification information; by way of example, the first identification information may occupy any one or more of bit 0 through bit 5 of the DSCP field.
In one implementation, the first device writing identification information into the DSCP field of the first data packet includes: the first device writing the identification information into the DSCP field of the first data packet through the hypervisor layer.
In this implementation, compared with a virtual machine or container on the first device, the hypervisor layer of the first device requires higher management privileges; correspondingly, the hypervisor layer of the first device is less likely to be successfully attacked by a hacker, that is, the hypervisor layer of the first device is more secure. Performing the write of the first identification information through the hypervisor layer of the first device therefore helps improve the security of that operation, that is, reduces the probability that an illegal data packet carries the first identification information, which reduces the probability that an illegal data packet successfully accesses the second device and helps improve the security of the network.
In one implementation, the first device writing identification information into the DSCP field of the first data packet includes: a first instance in the first device writing first sub-identification information into a first field within the DSCP field, where the first instance is the instance corresponding to a second object; by way of example, an instance may specifically take the form of a virtual machine, a container, or another form. The hypervisor layer in the first device writes second sub-identification information into a second field within the DSCP field, and the identification information includes the first sub-identification information and the second sub-identification information; for example, the first field and the second field may be different bit positions within the DSCP field.
Optionally, if it has already been determined in the network whether the second object is allowed to access the first object, the first instance may be the instance corresponding to the second object among the multiple instances deployed on the first device. By way of example, when the second object is service 2 (an example of a type of service), "the first instance corresponds to the second object" can be understood as meaning that the first instance is the instance on the first device used to provide service 2. Alternatively, when the second object is a user of type 2, "the first instance corresponds to the second object" can be understood as meaning that the first instance on the first device is used by a user of type 2. Alternatively, when the second object is network area 2 (an example of the name of a network area), "the first instance corresponds to the second object" can be understood as meaning that the address of the first instance falls within the address range covered by network area 2.
In this implementation, since multiple instances may be deployed on the first device and different instances may correspond to different objects (for example, different instances on the first device provide different types of service, or are occupied by different types of user), having the first instance and the hypervisor layer of the first device jointly perform the write of the first identification information allows the "write of the first identification information" to be managed at a finer granularity, so that data packets sent by instances on the first device that correspond to other objects do not also carry the first identification information. This further reduces the probability that an illegal data packet successfully accesses the second device and further improves the security of the network.
In one implementation, the first device writing first identification information into the DSCP field of the first data packet includes: the first device writing the first identification information into the DSCP field of the first data packet through an instance. By way of example, in one implementation each instance in the first device may write the first identification information into the DSCP field of the first data packet; in another implementation, a first instance in the first device may write the first identification information into the DSCP field of the first data packet, where the first instance is the instance corresponding to the second object among the multiple instances deployed on the first device.
This implementation provides yet another scheme for writing the first identification information into the DSCP field of the first data packet, improving the flexibility of the solution. If only the first instance writes the first identification information into the DSCP field of the first data packet, data packets sent by instances on the first device that correspond to other objects can be prevented from also carrying the first identification information, further reducing the probability that an illegal data packet successfully accesses the second device and further improving the security of the network.
In one implementation, before the first device writes the identification information into the DSCP field of the first data packet, the method further includes: the first device receiving a first rule sent by a third device, the first rule indicating that when the destination address of a sent data packet points to the first object, identification information is written into the DSCP field of the sent data packet. Before the second device allows or prohibits the access behavior corresponding to the first data packet according to the identification information, the method further includes: the second device receiving a second rule sent by the third device, the second rule indicating that when the DSCP field of a data packet obtained by the second device carries the identification information, the access behavior corresponding to the obtained data packet is allowed or prohibited.
In this implementation, the third device sends the first rule and the second rule to the first device and the second device respectively; that is, a separate control device can issue rules to multiple devices in the network in a unified way, which helps avoid conflicts between the rules on different devices in the network and further improves the security of the network.
A second aspect of this application provides a data packet processing method applicable to the field of network security technology. The method includes: when the destination address of a first data packet points to a first object, a first device writes identification information into the differentiated services code point (DSCP) field of the first data packet, the identification information being used to instruct a second device to allow or prohibit the access behavior corresponding to the first data packet; the first device sends the first data packet. The first device is the device that generates the first data packet or a switch connected to the device that generates the first data packet; the second device is the server pointed to by the destination address of the first data packet or a security device that manages that server, and the server corresponds to the first object.
In the second aspect, the first device may also perform the steps performed by the first device in the first aspect; for the meaning of the terms and the beneficial effects of the second aspect and its various possible implementations, refer to the description of the first aspect and its various possible implementations, which is not repeated here.
A third aspect of this application provides a data packet processing method applicable to the field of network security technology. The method includes: a second device obtains a first data packet, where the second device is the server pointed to by the destination address of the first data packet or a security device that manages that server; the second device obtains identification information from the differentiated services code point (DSCP) field of the first data packet; and the second device allows or prohibits the access behavior corresponding to the first data packet according to the identification information.
In the third aspect, the second device may also perform the steps performed by the second device in the first aspect; for the meaning of the terms and the beneficial effects of the third aspect and its various possible implementations, refer to the description of the first aspect and its various possible implementations, which is not repeated here.
A fourth aspect of this application provides a data packet processing method applicable to the field of network security technology. The method includes: a third device sends a first rule to a first device in the network, the first rule indicating that when the destination address of a sent data packet points to a first object, identification information is written into the differentiated services code point (DSCP) field of the sent data packet; the third device sends a second rule to a second device in the network corresponding to the first object, the second rule indicating that when the DSCP field of an obtained data packet carries the identification information, the access behavior corresponding to the obtained data packet is allowed or prohibited.
In one implementation, the third device sending the first rule to the first device in the network includes: the third device sending the first rule to the hypervisor layer of the first device.
For the meaning of the terms and the beneficial effects of the third aspect and its various possible implementations, refer to the description of the first aspect and its various possible implementations, which is not repeated here.
A fifth aspect of this application provides a data packet processing system applicable to the field of network security technology. The data packet processing system includes a filling module in a first device and a sending module in the first device, and further includes an acquisition module in a second device and a processing module in the second device. The filling module is used to write identification information into the differentiated services code point (DSCP) field of a first data packet when the destination address of the first data packet points to a first object; the first device is the device that generates the first data packet or a switch connected to the device that generates the first data packet. The sending module is used to send the first data packet. The acquisition module is used to obtain the first data packet; the second device is the server pointed to by the destination address of the first data packet or a security device that manages that server, and the server corresponds to the first object. The acquisition module is further used to obtain the identification information from the DSCP field of the first data packet. The processing module is used to allow or prohibit the access behavior corresponding to the first data packet according to the identification information.
在第五方面中,数据包的处理系统中的各个模块还可以执行第一方面中第一设备和第二设备执行的步骤,第五方面以及第五方面的各种可能实现方式中名词的含义、所带来的有益效果均可以参阅第一方面以及第一方面的各种可能实现方式中的描述,此处不做赘述。
本申请第六方面提供一种数据包的处理装置,可以应用于网络安全技术领域。该数据包的处理装置应用于第一设备中,前述装置包括:填写模块,用于当第一数据包的目的地址指向第一对象时,在第一数据包的区分服务代码点DSCP字段中写入标识信息,标识信息用于指示第二设备允许或禁止与第一数据包对应的访问行为;发送模块,用于发送第一数据包;其中,第一设备为生成第一数据包的设备,或者第一设备为与生成第一数据包的设备连接的交换机;第二设备为第一数据包的目的地址指向的服务器,或者第二设备为管理服务器的安全设备,服务器与第一对象对应。
在第六方面中,数据包的处理系统中的各个模块还可以执行第一方面中第一设备执行的步骤,第六方面以及第六方面的各种可能实现方式中名词的含义、所带来的有益效果均可以参阅第一方面以及第一方面的各种可能实现方式中的描述,此处不做赘述。
本申请第七方面提供一种数据包的处理装置,可以应用于网络安全技术领域。该数据包的处理装置应用于第二设备中,前述装置包括:获取模块,用于获取第一数据包,其中,第二设备为第一数据包的目的地址指向的服务器,或者第二设备为管理服务器的安全设备;获取模块,还用于从第一数据包的区分服务代码点DSCP字段中获取标识信息;处理模块,用于根据标识信息,允许或禁止与第一数据包对应的访问行为。
在第七方面中,数据包的处理系统中的各个模块还可以执行第一方面中第二设备执行的步骤,第七方面以及第七方面的各种可能实现方式中名词的含义、所带来的有益效果均可以参阅第一方面以及第一方面的各种可能实现方式中的描述,此处不做赘述。
本申请第八方面提供一种数据包的处理装置,可以应用于网络安全技术领域。该数据包的处理装置应用于第三设备中。数据包的处理装置包括:发送模块,用于向网络中的第一设备发送第一规则,第一规则指示当第一设备发送的数据包的目的地址指向第一对象时,在发送的数据包的区分服务代码点DSCP字段中写入标识信息;第一设备为生成第一数据包的设备,或者第一设备为与生成第一数据包的设备连接的交换机;发送模块,还用于向网络中的第二设备发送第二规则,第二规则指示当获取到的数据包的DSCP字段中携带标识信息时,允许或禁止与获取到的数据包对应的访问行为;第二设备为第一数据包的目的地址指向的服务器,或者第二设备为管理服务器的安全设备,服务器与第一对象对应。
在第八方面中,数据包的处理装置还可以执行第三方面中第三设备执行的步骤,第八方面以及第八方面的各种可能实现方式中名词的含义、所带来的有益效果均可以参阅第三方面以及第三方面的各种可能实现方式中的描述,此处不做赘述。
A ninth aspect of this application provides a device including a processor and a memory. The memory stores program code, and the processor calls the program code in the memory so that the device performs the method of any of the above aspects.
A tenth aspect of this application provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to perform the method of any of the above aspects.
An eleventh aspect of this application provides a computer program product which, when run on a computer, causes the computer to perform the method of any of the above aspects.
A twelfth aspect of this application provides a chip including one or more processors. Some or all of the processors are configured to read and execute computer instructions stored in a memory in order to perform the method of any of the above aspects. Optionally, the chip further includes the memory. Optionally, the chip further includes a communication interface connected to the processors. The communication interface receives the data and/or information to be processed; the processors obtain the data and/or information from the communication interface, process it, and output the result through the communication interface. Optionally, the communication interface is an input/output interface or a bus interface. The method provided by this application is implemented by one chip or jointly by multiple chips.
Figure 1 is a schematic diagram of a network deployment scenario provided by an embodiment of this application;
Figure 2 is another schematic diagram of a network deployment scenario provided by an embodiment of this application;
Figure 3 is a flowchart of a packet processing method provided by an embodiment of this application;
Figure 4 is a schematic diagram of a third device configuring a first rule and a second rule, provided by an embodiment of this application;
Figure 5 is a schematic diagram of the position of a first device, provided by an embodiment of this application;
Figure 6 is a schematic diagram of the position of a first device, provided by an embodiment of this application;
Figure 7 is another flowchart of a packet processing method provided by an embodiment of this application;
Figure 8a is a schematic diagram of a scenario in which a security policy is defeated, provided by an embodiment of this application;
Figure 8b is a schematic diagram of a packet processing method provided by an embodiment of this application;
Figure 9 is a schematic structural diagram of a packet processing system provided by an embodiment of this application;
Figure 10 is a schematic structural diagram of a packet processing apparatus provided by an embodiment of this application;
Figure 11 is another schematic structural diagram of a packet processing apparatus provided by an embodiment of this application;
Figure 12 is another schematic structural diagram of a packet processing apparatus provided by an embodiment of this application;
Figure 13 is a schematic structural diagram of a device provided by an embodiment of this application.
The embodiments of this application are described below with reference to the accompanying drawings. Evidently, the described embodiments are only some, not all, of the embodiments of this application. A person of ordinary skill in the art will recognize that, as technology evolves and new scenarios emerge, the technical solutions provided by the embodiments of this application apply equally to similar technical problems.
The terms "first", "second" and so on in the description, claims and drawings of this application are used to distinguish similar objects and do not necessarily describe a particular order or sequence.
The word "exemplary" is used here to mean "serving as an example, embodiment or illustration". Any embodiment described here as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.
This application can be applied to various scenarios in which packets are transmitted through a network. By way of example, while a packet is transmitted through a network, the source IP address and/or destination IP address carried in the packet may be translated, so that a security device in the network cannot obtain the packet's real IP addresses. The security policies deployed on security devices are usually defined on the IP 5-tuple; that is, a security policy states which source IP addresses are allowed or denied access to a destination IP address. If a security device in the network cannot obtain the real IP addresses, it cannot match them against the security policy; the security policy configured on the security device is thereby defeated, and the device can no longer make an accurate allow-or-deny decision for the access behavior corresponding to that packet.
For example, if a device in the network uses virtualization technology, then when it sends a packet to another device, the Hypervisor layer translates the packet's real source IP address into a proxy IP address. A security device in the network therefore cannot obtain the real source IP address corresponding to the packet and cannot make an accurate allow-or-deny decision for the corresponding access behavior.
For a more intuitive understanding of this solution, refer to Figure 1, a schematic diagram of a network deployment scenario provided by an embodiment of this application. As shown in Figure 1, the network denies IP1 access to IP3 and allows IP2 access to IP3, so security policy 1 configured on the security device in the network may include: deny packets whose source IP address is IP1 and whose destination address is IP3.
After packet 1, whose source IP address is IP1 and whose destination address is IP3, has been processed by the virtualization layer, IP1 in packet 1 has been translated into proxy IP1. When packet 1 passes through the security device, the source IP address the security device obtains from packet 1 is proxy IP1 and the destination IP address is IP3, which does not match security policy 1, so packet 1 is allowed through.
After packet 2, whose source IP address is IP2 and whose destination address is IP3, has been processed by the virtualization layer, IP2 in packet 2 has been translated into proxy IP2. When packet 2 passes through the security device, the source IP address the security device obtains from packet 2 is proxy IP2 and the destination IP address is IP3, which likewise does not match security policy 1, so packet 2 is allowed through.
The goal of security policy 1 is to deny packet 1 and allow packet 2, but because the virtualization layer translated the source IP address, the security device made the wrong decision of allowing packet 1 through. It should be understood that the example in Figure 1 is provided only to facilitate understanding of this solution and is not intended to limit it.
As another example, when an access source reaches other target resources through source network address translation (SNAT), the packet's source IP address is also translated along the transmission path, so that the security devices it subsequently passes through cannot obtain the packet's real source IP address and cannot make an accurate allow-or-deny decision for the corresponding access behavior.
For a more intuitive understanding of this solution, refer to Figure 2, another schematic diagram of a network deployment scenario provided by an embodiment of this application. As shown in Figure 2, service 1 and service 2 are deployed in the same local area network; the IP address of service 1 is private network address IP4 and that of service 2 is private network address IP5. SNAT translates the source IP addresses of the packets sent by service 1 and service 2 so that both services reach the network through the same public IP (for example, public IP6 in Figure 2); the source IP address of every packet sent by service 1 or service 2 is therefore that public IP.
If the network wants to deny packet 3 sent by service 1 access to IP3 and allow packet 4 sent by service 2 access to IP3, the security device in the network cannot obtain private IP4 (the real source IP address of packet 3) or private IP5 (the real source IP address of packet 4), so it cannot distinguish packet 3 from packet 4 and cannot make accurate decisions for them. It should be understood that the example in Figure 2 is provided only to facilitate understanding of this solution and is not intended to limit it.
It should be noted that in other packet transmission scenarios the source and/or destination IP addresses of a packet may be translated by other technologies as well; they are not enumerated exhaustively here.
Because the source and/or destination IP address of a packet may be translated in many network transmission scenarios, a security device in the network cannot make accurate allow-or-deny decisions for the access behavior corresponding to the packet. To solve this problem, this application provides a packet processing method. Specifically, refer to Figure 3, a flowchart of the packet processing method provided by an embodiment of this application; the method may include steps 301 to 306.
301. The third device sends a first rule to the first device in the network, the first rule indicating that, when the destination address of a packet being sent points to the first object, first identification information is to be written into the differentiated services code point (DSCP) field of that packet.
In this embodiment, after the third device has determined that the network allows or denies the access behavior of the second object towards the first object, it may send the first rule to one or more first devices in the network that correspond to the second object. The first rule indicates that, when the destination address of a packet being sent points to the first object, first identification information is to be written into the differentiated services code point (DSCP) field of that packet.
By way of example, the third device may be a network management device, a network device in the network (for example, a packet forwarding device or a firewall), or a virtualization device; this can be determined flexibly according to the actual application scenario and is not limited here.
By way of example, the first object or the second object may be any of the following: a type of service, the name of a network zone, a type of user, or another kind of object. For example, if the network allows Internet users to access a web service, the second object is a type of user (Internet users) and the first object is a type of service (the web service). As another example, if the network denies Internet users access to a database service, the second object is a type of user (Internet users) and the first object is a type of service (the database service). As another example, if the network allows the web service to access the database service, the second object is one type of service (the web service) and the first object is another type of service (the database service). As another example, if the network denies the office campus access to the data center, the second object is the name of one network zone (the office campus) and the first object is the name of another network zone (the data center). The access behavior of the second object towards the first object thus represents access between services, between networks, between users, or between any of users, services and networks; the concrete form of the first object and the second object can be determined according to the actual situation of the network and is not limited here.
By way of example, the destination address of a packet may be a destination IP address, a destination port, a destination media access control (MAC) address, or a combination of these.
By way of example, since the first object may be a type of service, the name of a network zone or a type of user: when the first object is service 1 (an example of a type of service), "the destination address of the packet being sent points to the first object" can be understood as meaning that the device at that destination address can provide service 1. When the first object is network zone 1 (an example of the name of a network zone), it can be understood as meaning that the destination address lies within the address range covered by network zone 1. When the first object is users of type 1, it can be understood as meaning that the destination address lies within the address range occupied by users of type 1.
The first packet may include control information and data. The control information of the first packet may also be called its header, and the data of the first packet its payload; the control information of the first packet includes the DSCP field.
The third device may perform step 301 in several ways. In one implementation, the third device may directly send a third packet carrying the first rule to the first device, and correspondingly the first device can obtain the first rule from the third packet. The first rule indicates that, when the destination address of a packet sent by the first device (for convenience, called the "first packet" below) points to the first object, the first identification information corresponding to the first object is to be written into the DSCP field of the first packet.
Optionally, the data carried by the third packet further includes a first address set corresponding to the first object; that is, when the destination address of the first packet belongs to the first address set, the destination address of the first packet points to the first object. Alternatively, the third packet may not carry the first address set, the first address set having instead been preconfigured in the first device; the specific implementation can be determined flexibly according to the actual application scenario.
In another implementation, if the first device uses virtualization technology, it may include a Hypervisor layer and at least one instance, and the third device may send the first rule to the Hypervisor layer and/or the first instance in the first device. By way of example, an "instance" may take the form of a virtual machine, a container or another form.
Specifically, in one case, the third device may send the first rule to the Hypervisor layer of the first device, the first rule indicating that, when the destination address of the first packet sent by the first device points to the first object, the Hypervisor layer of the first device writes the first identification information into the DSCP field of the first packet; that is, the Hypervisor layer of the first device performs the operation of "writing the first identification information into the DSCP field" on its own.
By way of example, the third device may use existing functionality of the neutron component of the OpenStack cloud management platform to perform the step of "sending the first rule to the Hypervisor layer of the first device", in order to reduce the computing overhead of that step. Specifically, an L3 agent process may be deployed in the Hypervisor layer of the first device to communicate with the OpenStack neutron component. The third device requests, through an API call, that the neutron component add the first rule to the Hypervisor layer of the first device; the neutron component can then send the first rule to the L3 agent process in the Hypervisor layer of the first device. By way of example, the first rule may be installed in the PREROUTING chain of the mangle table in the Hypervisor layer of the first device.
In another case, one or more instances are deployed on the first device, a first instance among them corresponding to the second object, and the third device may send the first rule to the first instance in the first device. The first rule indicates that, when the destination address of the first packet sent by the first device points to the first object, the first instance of the first device writes the first identification information into the DSCP field of the first packet; that is, the first instance of the first device performs the operation of "writing the first identification information into the DSCP field" on its own.
By way of example, since the second object may be a type of service, the name of a network zone or a type of user: when the second object is service 2 (an example of a type of service), "the first instance corresponds to the second object" can be understood as meaning that the first instance is the instance on the first device used to provide service 2. When the second object is users of type 2, it can be understood as meaning that the first instance on the first device is used by users of type 2. When the second object is network zone 2 (an example of the name of a network zone), it can be understood as meaning that the address of the first instance lies within the address range covered by network zone 2.
By way of example, the third device may use existing functionality of the neutron component of the OpenStack cloud management platform to perform the step of "sending the first rule to the first instance in the first device", in order to reduce the computing overhead of that step. Specifically, an agent process may be deployed in the first instance of the first device to communicate with the OpenStack neutron component. The third device requests, through an API call, that the neutron component add the first rule to the first instance of the first device; the neutron component can then send the first rule to the agent process in the first instance of the first device.
In another case, one or more instances are deployed on the first device, and the third device may send the first rule to every instance in the first device. The first rule indicates that, when the destination address of the first packet sent by the first device points to the first object, an instance of the first device writes the first identification information into the DSCP field of the first packet; that is, every instance in the first device performs the operation of "writing the first identification information into the DSCP field" on its own.
In another case, the third device may send a first sub-rule to the first instance of the first device and a second sub-rule to the Hypervisor layer of the first device, the first rule consisting of the first sub-rule and the second sub-rule. The first sub-rule indicates that, when the destination address of the first packet sent by the first device points to the first object, the first instance of the first device writes first sub-identification information into a first field of the DSCP field of the first packet; the second sub-rule indicates that, when the destination address of the first packet points to the first object, the Hypervisor layer of the first device writes second sub-identification information into a second field of the DSCP field of the first packet. The first identification information consists of the first sub-identification information and the second sub-identification information; by way of example, the first field and the second field are different bit positions within the DSCP field. That is, the first instance and the Hypervisor layer of the first device jointly perform the operation of "writing the first identification information into the DSCP field".
Optionally, since different first objects may exist in the network, the first identification information corresponding to different first objects may differ. By way of example, when the first object is a web service, the corresponding first identification information may be af11; when the first object is a database service, the corresponding first identification information may be af12. It should be understood that these examples are only to facilitate understanding of this solution; which first identification information is used is not limited here.
The value the first device writes into the DSCP field is binary. Optionally, the first identification information carried in the first rule need not be expressed in binary form; in that case, when writing the first identification information into the DSCP field, the first device may map the non-binary form of the first identification information to its binary form. To further the understanding of this solution, Table 1 below gives examples of mapping several non-binary forms of the first identification information to binary form.
Table 1
Table 1 shows several non-binary forms of the first identification information together with the binary form corresponding to each. It should be understood that the examples in Table 1 are provided only to facilitate understanding of this solution and are not intended to limit it.
302. The third device sends a second rule to the second device in the network that corresponds to the first object, the second rule indicating that, when the DSCP field of a packet obtained by the second device carries the first identification information, the access behavior corresponding to the obtained packet is to be allowed or denied.
In this embodiment, after the third device has determined that the network allows or denies the access behavior of the second object towards the first object, it may also send the second rule to the second device in the network that corresponds to the first object. The second rule indicates that, when the DSCP field of a packet obtained by the second device (for convenience, called the "second packet" below) carries the first identification information, the access behavior corresponding to the obtained packet is to be allowed or denied.
By way of example, if the third device determines that the second object is allowed to access the first object, the second rule may indicate that, when the DSCP field of the second packet carries the first identification information, the access behavior corresponding to the obtained packet is allowed. If the third device determines that the second object is denied access to the first object, the second rule may indicate that, when the DSCP field of the second packet carries the first identification information, the access behavior corresponding to the obtained packet is denied.
Optionally, the second rule may also carry constraints on other optional items, which may include any one or more of the following attributes of the second packet: protocol type, source IP address, source port, destination IP address, destination port, or other items. A "constraint on an optional item" may be the range of values that item may take.
For example, the protocol type includes, without limitation, the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP) or other protocols; these are not enumerated exhaustively here. The source port and destination port each include at least one port; by way of example, a port may be 80, 90 or another port; these are not enumerated exhaustively here.
By way of example, the second rule may be: drop packets whose source IP address is in 100.64.0.0/11 and whose DSCP field value is not cs4. In this second rule the constraint on the DSCP value (that is, "the DSCP value is cs4") is mandatory and the constraint on the source IP address (that is, "the source IP address is in 100.64.0.0/11") is optional. Regardless of whether the source IP address of the second packet is in 100.64.0.0/11, since the second packet necessarily has a DSCP field, the second packet necessarily hits the second rule, and whether to drop the second packet is then determined from the second rule and the value in the DSCP field of the second packet. It should be understood that this example is provided only to facilitate understanding of this solution and is not intended to limit it.
The third device may perform step 302 in several ways. In one implementation, the third device may directly send a fourth packet carrying the second rule to the second device, and correspondingly the second device can obtain the second rule from the fourth packet.
For example, the second rule carried in the fourth packet sent by the third device to the second device may be: rule deny ip source 100.64.0.0 0.31.255.255 destination 100.125.0.0 0.0.255.255 dscp cs1. This second rule means: drop packets whose source IP address is in 100.64.0.0/11, whose destination IP address is in 100.125.0.0/16 and whose DSCP field value is cs1; that is, when an obtained packet has a source IP address in 100.64.0.0/11, a destination IP address in 100.125.0.0/16 and a DSCP field value of cs1, the access behavior corresponding to that packet is denied. Note that "the value of the DSCP field" is a mandatory item of the second rule, while "source IP address" and "destination IP address" are optional items of the second rule. It should be understood that this example is provided only to facilitate understanding of this solution and is not intended to limit it.
In another implementation, if the second device uses virtualization technology, it may include a Hypervisor layer, and the third device may send the second rule to the Hypervisor layer of the second device. For the specific implementation of "the third device sends the second rule to the Hypervisor layer of the second device", refer to the description above of "the third device sends the first rule to the Hypervisor layer of the first device"; it is not repeated here.
For example, the second rule the third device sends to the PREROUTING chain of the mangle table in the Hypervisor layer of the second device may be: iptables -t mangle -A PREROUTING -m dscp ! --dscp cs4 -s 100.64.0.0/11 -j DROP. This second rule means: in the PREROUTING chain of the mangle table, configure a rule that drops packets whose source IP address is in 100.64.0.0/11 and whose DSCP field value is not cs4; that is, when an obtained packet has a source IP address in 100.64.0.0/11 and a DSCP field value of cs4, the access behavior corresponding to that packet is allowed. Note that "the value of the DSCP field" is a mandatory item of the rule and "source IP address" is an optional item of the rule. It should be understood that this example is provided only to facilitate understanding of this solution and is not intended to limit it.
For a more intuitive understanding of this solution, refer to Figure 4, a schematic diagram of the third device configuring the first rule and the second rule, provided by an embodiment of this application. In Figure 4, the network denies IP1, which is occupied by an application (APP) used by a tenant, access to IP3, which provides the management service, and allows IP2, which provides service 2, access to IP3; the management service and service 2 are both services provided in the network.
As shown in Figure 4, the third device may, by requesting the OpenStack neutron component, add the first rule to the PREROUTING chain of the mangle table in the Hypervisor layer of the first device: when the destination IP address of a packet sent by the first device is IP3, write af11 into the packet's DSCP field. The third device may also directly configure the second rule in the PREROUTING chain of the mangle table in the Hypervisor layer of the second device: drop packets whose DSCP field value is not af11.
When the first device sends a first packet whose destination IP address is IP3, the first device writes af11 into the DSCP field through the Hypervisor layer; when the first packet sent by the first device reaches the second device, the DSCP field of the first packet carries af11, so the second device allows the access behavior of the first packet.
When the device on which the tenant's application (APP) resides (for convenience, called the "fourth device" below) sends a packet, the fourth device has no first rule configured, so the DSCP field of the packet it sends has the value 000000; when that packet reaches the second device, its DSCP field does not carry af11, so the second device denies the access behavior of that packet. It should be understood that the example in Figure 4 is provided only to facilitate understanding of this solution and is not intended to limit it.
In this embodiment, a separate device sends the rules to the first device and the second device. This makes it possible for a separate control device to deliver rules to multiple devices in the network in a unified manner, helps avoid conflicts between the rules on different devices in the network, and further improves network security.
303. When the destination address of the first packet points to the first object, the first device writes the first identification information into the DSCP field of the first packet, the first identification information being used to instruct the second device corresponding to the first object to allow or deny the access behavior corresponding to the first packet.
In this embodiment, after the third device has deployed the first rule in the first device corresponding to the second object, whenever the first device is about to send a first packet (that is, any packet), it may, as the first rule indicates, determine whether the destination address of the first packet points to the first object; if so, it may write the first identification information corresponding to the first object into the DSCP field of the first packet. The first identification information is used to instruct the second device corresponding to the first object to allow or deny the access behavior corresponding to the first packet.
The DSCP field of the first packet has 8 bits, which may be numbered bit 0 to bit 7. Optionally, the first device may use 6 of these 8 bits to write the first identification information; by way of example, the first identification information may occupy any one or more of bits 0 to 5 of the DSCP field.
Optionally, the first device corresponding to the second object may be the device that generates the first packet, or the switch directly connected to the device that generates the first packet.
In one case, the first device corresponding to the second object is the device that generates the first packet. By way of example, since the second object may be a type of service, the name of a network zone or a type of user: when the second object is service 3 (an example of a type of service), "the first device corresponding to the second object" can be understood as meaning that a device able to provide service 3 is the first device. When the second object is network zone 3 (an example of the name of a network zone), it can be understood as meaning that a device within the address range covered by network zone 3 is the first device. When the second object is users of type 3, it can be understood as meaning that a device within the address range occupied by users of type 3 is the first device.
In another case, the first device corresponding to the second object is the switch directly connected to the device that generates the first packet. By way of example, when the second object is service 3 (an example of a type of service), "the first device corresponding to the second object" can be understood as the switch directly connected to the device able to provide service 3, there being a communication connection between that device and the switch. When the second object is network zone 3 (an example of the name of a network zone), it can be understood as the switch located outside network zone 3 and directly connected to it, the devices in network zone 3 being communicatively connected to that switch. When the second object is users of type 3, it can be understood as the switch located outside the address range occupied by users of type 3 and directly connected to that address range, the devices occupied by users of type 3 being communicatively connected to that switch.
For a more intuitive understanding of this solution, refer to Figure 5, a schematic diagram of the position of the first device, provided by an embodiment of this application. As shown in Figure 5, any device used to provide service 1 may be regarded as A1, and two devices providing service 1 are communicatively connected to one switch; the first device may be either A1 or A2, where A1 is the device that generates the first packet and A2 is the switch directly connected to the device that generates the first packet. It should be understood that the example in Figure 5 is provided only to facilitate understanding of this solution and is not intended to limit it.
In this embodiment, since a device must write data into the control information of the first packet when generating it in any case, having the device that generates the first packet perform the operation of "writing the first identification information into the DSCP field" improves the convenience of the solution. A switch connected to devices that generate first packets is generally connected to several such devices; having that switch perform the operation of "writing the first identification information into the DSCP field" means the first rule need only be sent to one switch instead of to several packet-generating devices, which reduces the computing resources consumed by the step of "sending the first rule to the first device".
The first device may perform "writing the first identification information into the DSCP field of the first packet" in several ways. In one implementation, if the first device uses virtualization technology, a Hypervisor layer and at least one instance may be deployed in it, and the first device may write the first identification information into the DSCP field of the first packet through the Hypervisor layer and/or the first instance. For the meanings of the terms in this step, refer to the description of the steps above; they are not repeated here.
In one case, the Hypervisor layer in the first device may write the whole of the first identification information into the DSCP field of the first packet. In this embodiment, compared with an instance in the first device, the Hypervisor layer of the first device requires a higher level of management privilege, so the probability of an attacker successfully compromising the Hypervisor layer of the first device is lower; that is, the Hypervisor layer of the first device has a higher degree of security. Having the Hypervisor layer of the first device perform the write of the first identification information improves the security of that operation, that is, it reduces the probability that an illegitimate packet carries the first identification information, and hence the probability that an illegitimate packet successfully accesses the second device, which helps improve network security.
In another case, the first instance in the first device writes first sub-identification information into the first field of the DSCP field, the first instance being the instance, among the multiple instances deployed on the first device, that corresponds to the second object; the Hypervisor layer in the first device writes second sub-identification information into the second field of the DSCP field; the identification information consists of the first sub-identification information and the second sub-identification information. By way of example, the first field and the second field are different bit positions within the DSCP field.
In this embodiment, since multiple instances may be deployed in the first device and, where the first device is the device that generates the first packet, different instances may correspond to different objects (for example, different instances on the first device provide different types of services, or are occupied by different types of users), the first instance in the first device and the Hypervisor layer jointly perform the write of the first identification information. The write operation can thus be managed at a finer granularity, so that packets sent by instances on the first device that correspond to other objects do not also carry the first identification information. This further reduces the probability that an illegitimate packet successfully accesses the second device and further improves network security.
In another case, the first device writes the first identification information into the DSCP field of the first packet through an instance. By way of example, in one implementation every instance in the first device may write the first identification information into the DSCP field of the first packet; in another implementation, the first instance in the first device may write the first identification information into the DSCP field of the first packet, the first instance being the instance, among the multiple instances deployed on the first device, that corresponds to the second object.
In this embodiment, yet another way of writing the first identification information into the DSCP field of the first packet is provided, improving the flexibility of the solution. If only the first instance writes the first identification information into the DSCP field of the first packet, packets sent by instances on the first device that correspond to other objects are prevented from also carrying the first identification information, which further reduces the probability that an illegitimate packet successfully accesses the second device and further improves network security.
In another implementation, the first device may write the first identification information into the DSCP field without going through the Hypervisor layer and/or an instance: the first device may write the first identification information into the DSCP field of the first packet through its operating system.
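The following Python example is added here and is not taken from the patent. It shows the marking operation of step 303 on a constructed IPv4 header: mapping a non-binary identifier such as af11 to its 6-bit binary form (the standard code points of RFC 2474 and RFC 2597 are used, since the page's own Table 1 is not reproduced), writing the identifier into the DSCP field only when the destination address belongs to the first object's address set, and composing the identifier from two sub-fields written separately by the first instance and the Hypervisor layer. It assumes the RFC 2474 layout of the DS byte (DSCP in the upper 6 bits, ECN in the lower 2); the address set, the split of bits between the two sub-fields, and the packet addresses are constructed for the example.

```python
"""Added example (not from the patent): DSCP marking on the first device."""
import ipaddress
import struct

# Standard DSCP code points as 6-bit values (RFC 2474 / RFC 2597). The patent's
# own Table 1 mapping is not reproduced on the page, so the standard is used.
DSCP_NAMES = {"cs0": 0b000000, "cs1": 0b001000, "af11": 0b001010,
              "af12": 0b001100, "cs4": 0b100000}


def dscp_value(name: str) -> int:
    """Map a non-binary identifier such as 'af11' to its 6-bit binary form."""
    return DSCP_NAMES[name.lower()]


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum; returns 0 when run over a correctly checksummed header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, dscp: int = 0, ecn: int = 0) -> bytes:
    """Constructed minimal 20-byte IPv4 header (no options, protocol TCP, no payload)."""
    tos = (dscp << 2) | ecn  # RFC 2474: DSCP occupies the upper 6 bits of the DS byte
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 6, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def get_dscp(header: bytes) -> int:
    """What the second device reads from the DSCP field in step 305."""
    return header[1] >> 2


def set_dscp(header: bytes, dscp: int) -> bytes:
    """Rewrite the DSCP bits, keep the ECN bits, and refresh the header checksum."""
    if not 0 <= dscp < 64:
        raise ValueError("DSCP is a 6-bit value")
    tos = (dscp << 2) | (header[1] & 0b11)
    hdr = header[:1] + bytes([tos]) + header[2:10] + b"\x00\x00" + header[12:]
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def apply_first_rule(header: bytes, first_object_cidrs, name: str) -> bytes:
    """First rule: mark only packets whose destination points to the first object.

    first_object_cidrs is the first address set as a list of CIDR strings (constructed).
    """
    dst = ipaddress.ip_address(header[16:20])
    if any(dst in ipaddress.ip_network(cidr) for cidr in first_object_cidrs):
        return set_dscp(header, dscp_value(name))
    return header  # other destinations keep their DSCP (000000 if never marked)


# Joint write (step 303, sub-rules): the first instance owns the first field
# (bits 5..3 of the 6-bit value) and the Hypervisor layer the second field
# (bits 2..0). Which bits belong to which field is an assumption of this example.
FIELD1_MASK = 0b111000
FIELD2_MASK = 0b000111


def write_subfield(dscp: int, mask: int, value: int) -> int:
    """Place a sub-identifier into its own bit positions without touching the rest."""
    shift = (mask & -mask).bit_length() - 1  # index of the lowest set bit of the mask
    if (value << shift) & ~mask:
        raise ValueError("sub-identifier does not fit its field")
    return (dscp & ~mask) | (value << shift)


def joint_mark(instance_sub: int, hypervisor_sub: int) -> int:
    """First instance writes its sub-identifier, then the Hypervisor layer writes its own."""
    marked = write_subfield(0, FIELD1_MASK, instance_sub)
    return write_subfield(marked, FIELD2_MASK, hypervisor_sub)


if __name__ == "__main__":
    first_object = ["100.125.0.0/16"]  # constructed address set standing in for "IP3"
    pkt = build_ipv4_header("100.64.1.2", "100.125.0.9")
    marked = apply_first_rule(pkt, first_object, "af11")
    print(f"{get_dscp(marked):06b}")           # 001010 == af11
    print(f"{joint_mark(0b001, 0b010):06b}")   # 001010, composed from two sub-fields
```

Because the mark lives in the IP header, changing it invalidates the header checksum; set_dscp recomputes it, which is what the kernel does on behalf of an iptables DSCP target. The receiver-side check in step 306 depends on the mark being written only by the trusted Hypervisor layer or instance, as the description of step 303 notes.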
304. The first device sends the first packet to the second device.
In this embodiment, the first device may send the first packet to the second device through the network, and correspondingly the second device can obtain the first packet.
305. The second device obtains the first identification information from the DSCP field of the first packet.
In this embodiment, after obtaining the first packet, the second device may read the information in the DSCP field of the first packet. Optionally, the second device may obtain from the DSCP field of the first packet the first identification information corresponding to the first object; alternatively, the second device may obtain second identification information from the DSCP field of the first packet.
For example, if no information has been written into the DSCP field of the first packet, the second identification information may be 000000; as another example, if the DSCP field of the first packet has been written with identification information corresponding to some other, third object, the second identification information may be that identification information corresponding to the third object; as another example, if an illegitimate device has written random information into the DSCP field of the first packet, the second identification information may be that randomly written information.
Optionally, the second device corresponding to the first object may be the server pointed to by the destination address of the first packet, and/or a security device that manages that server, which can also be understood as the security device directly connected to that server; the server corresponds to the first object. A security device in the network is a device on which a security policy is deployed; it may include any one or more of: a firewall, or a network device used to forward packets.
By way of example, since the first object may be a type of service, the name of a network zone or a type of user: when the first object is service 4 (an example of a type of service), "the server pointed to by the destination address of the first packet corresponds to the first object" can be understood as meaning that the server at that destination address can provide service 4. When the first object is network zone 4 (an example of the name of a network zone), it can be understood as meaning that the server at that destination address belongs to network zone 4. When the first object is users of type 4, it can be understood as meaning that the server at that destination address is used by users of type 4.
For a more intuitive understanding of this solution, refer to Figure 6, a schematic diagram of the position of the first device, provided by an embodiment of this application. As shown in Figure 6, a web server providing a web service is regarded as B1; the web server is located in the network zone "data center", and the security device nearest to the web server is the firewall that controls whether packets may enter the data center. The second device may be either B1 or B2, where the address of B1 is the destination address of the first packet and B2 is the security device in the network directly connected to the destination address of the first packet. It should be understood that the example in Figure 6 is provided only to facilitate understanding of this solution and is not intended to limit it.
306. The second device allows or denies the access behavior corresponding to the first packet according to the first identification information.
In this embodiment, after reading the information in the DSCP field of the first packet, the second device may determine, from the information read and the second rule, whether the access behavior corresponding to the first packet is allowed, and then allow or deny that access behavior accordingly.
The second device may perform the step of "determining, from the information read and the second rule, whether the access behavior corresponding to the first packet is allowed" in several ways. In one implementation, if the second device uses virtualization technology, it may make this determination through its Hypervisor layer, from the information read from the DSCP field of the first packet and the second rule.
In one case, the second rule indicates that, when the DSCP field of an obtained packet carries the first identification information, the access behavior corresponding to the obtained packet is allowed. If what the Hypervisor layer of the second device obtains from the DSCP field of the first packet is the first identification information, it determines that the access behavior corresponding to the first packet is allowed. If what the Hypervisor layer of the second device obtains from the DSCP field of the first packet is the second identification information, it determines that the access behavior corresponding to the first packet is allowed.
In another case, the second rule indicates that, when the DSCP field of an obtained packet carries the first identification information, the access behavior corresponding to the obtained packet is denied. If what the Hypervisor layer of the second device obtains from the DSCP field of the first packet is the first identification information, it determines that the access behavior corresponding to the first packet is denied. If what the Hypervisor layer of the second device obtains from the DSCP field of the first packet is the second identification information, it determines that the access behavior corresponding to the first packet is allowed.
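The following Python example is added here and is not taken from the patent. It implements the decision of step 306 on the second device: it parses the two rule forms quoted in step 302 (the ACL-style rule with wildcard masks, and the iptables mangle rule), treats the DSCP constraint as mandatory and the address constraints as optional, and evaluates constructed packets against them, including the Figure 4 case of a tenant packet whose DSCP field is still 000000. The packets, the default action when no rule matches, and the small rule-text parsers are constructed for this example. Note that real iptables takes a numeric value for --dscp and a class name for --dscp-class; the parser here accepts the form quoted on the page rather than iptables' exact grammar.

```python
"""Added example (not from the patent): applying the second rule on the second device."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# Standard DSCP code points as 6-bit values (RFC 2474 / RFC 2597).
DSCP_NAMES = {"cs0": 0, "cs1": 8, "af11": 10, "af12": 12, "cs4": 32}


@dataclass
class Packet:
    """Constructed view of a packet obtained by the second device (steps 304 and 305)."""
    src: str
    dst: str
    dscp: int  # 6-bit value read from the DSCP field; 0 means the packet was never marked


@dataclass
class SecondRule:
    """The DSCP constraint is mandatory; source/destination constraints are optional."""
    action: str                 # "allow" or "deny", applied when the rule matches
    dscp: int                   # the identifier the rule refers to
    negate_dscp: bool = False   # True: match packets whose DSCP is NOT `dscp`
    src: Optional[str] = None   # CIDR, e.g. "100.64.0.0/11"
    dst: Optional[str] = None   # CIDR

    def matches(self, pkt: Packet) -> bool:
        if (pkt.dscp == self.dscp) == self.negate_dscp:
            return False
        if self.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return True


def decide(rules: Iterable[SecondRule], pkt: Packet, default: str = "allow") -> str:
    """Step 306: the first matching rule decides; otherwise the default applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def wildcard_to_cidr(addr: str, wildcard: str) -> str:
    """ACL wildcard mask (1 bits are 'don't care') to CIDR: 0.31.255.255 -> /11."""
    dont_care = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return str(ipaddress.ip_network(f"{addr}/{32 - dont_care}", strict=False))


def parse_acl_rule(text: str) -> SecondRule:
    """Parse 'rule deny ip source A WILDCARD destination B WILDCARD dscp NAME'."""
    t = text.split()
    rule = SecondRule(action="deny" if t[1] == "deny" else "allow",
                      dscp=DSCP_NAMES[t[t.index("dscp") + 1]])
    if "source" in t:
        i = t.index("source")
        rule.src = wildcard_to_cidr(t[i + 1], t[i + 2])
    if "destination" in t:
        i = t.index("destination")
        rule.dst = wildcard_to_cidr(t[i + 1], t[i + 2])
    return rule


def parse_iptables_rule(text: str) -> SecondRule:
    """Parse 'iptables -t mangle -A PREROUTING -m dscp [!] --dscp NAME [-s CIDR] [-d CIDR] -j DROP|ACCEPT'."""
    t = text.split()
    i = t.index("--dscp")
    rule = SecondRule(action="deny" if t[t.index("-j") + 1] == "DROP" else "allow",
                      dscp=DSCP_NAMES[t[i + 1]],
                      negate_dscp=(i > 0 and t[i - 1] == "!"))
    if "-s" in t:
        rule.src = t[t.index("-s") + 1]
    if "-d" in t:
        rule.dst = t[t.index("-d") + 1]
    return rule


if __name__ == "__main__":
    # Figure 4: drop anything not carrying af11; a tenant packet still carries 000000.
    fig4 = SecondRule(action="deny", dscp=DSCP_NAMES["af11"], negate_dscp=True)
    print(decide([fig4], Packet("10.0.0.2", "10.0.0.3", DSCP_NAMES["af11"])))  # allow
    print(decide([fig4], Packet("10.0.0.1", "10.0.0.3", 0)))                   # deny
```

The "drop unless the mark is present" form of Figure 4 is the one that actually blocks unmarked tenant traffic; a rule that only matches on the presence of the mark leaves unmarked packets to the default action, as the two cases described for step 306 show.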
For a more intuitive understanding of this solution, refer to Figure 7, another flowchart of the packet processing method provided by an embodiment of this application; Figure 7 can be understood together with Figure 4 above. After the third device has configured, through the OpenStack neutron component, the first rule in the Hypervisor layer of the first device (that is, the device providing service 2) and the second rule in the Hypervisor layer of the second device providing the management service, then, as shown in Figure 7, when the device providing service 2 sends a packet whose destination IP address is IP3, the DSCP field of that packet carries af11, and the second device determines according to the second rule that the access behavior of that packet is allowed.
When the device with IP address IP1 used by an ordinary tenant sends a packet, that device has no first rule configured, so the DSCP field of the packet it sends has the value 000000; when that packet reaches the second device, its DSCP field does not carry af11, so the second device determines according to the second rule that the access behavior of that packet is denied. It should be understood that the example in Figure 7 is provided only to facilitate understanding of this solution and is not intended to limit it.
As to the specific implementation of "the second device allows or denies the access behavior corresponding to the first packet": in one case, the second device is the server pointed to by the destination address of the first packet. If the second device allows the access behavior corresponding to the first packet, it reads the data carried in the first packet and executes the instruction corresponding to the first packet. If the second device denies the access behavior corresponding to the first packet, it may drop the first packet.
In another case, the second device is the security device connected to the server pointed to by the destination address of the first packet. If the second device allows the access behavior corresponding to the first packet, it may let the first packet through. If the second device denies the access behavior corresponding to the first packet, it may block the first packet and drop it.
In this embodiment, the decision on whether to allow the access behavior corresponding to the first packet, based on the information carried in its DSCP field, is made only once the first packet reaches its destination address. This avoids processing packets whose destination address does not point to the first object on the basis of their DSCP field value, which helps further improve the accuracy of the decisions made on the access behavior corresponding to packets.
When the decision on whether to allow the access behavior corresponding to the first packet, based on the information carried in its DSCP field, is instead made as soon as the first packet reaches the security device connected to the server pointed to by its destination address, that is, when a separate security device performs the operation of allowing or blocking the first packet, the load on the server pointed to by the destination address of the first packet is reduced and the security of that server is improved. Moreover, one security device generally controls whether packets may enter several devices, so deploying the second rule on the security device helps reduce the computing resources consumed by the process of "deploying the second rule".
This solution additionally introduces the operation of writing first identification information into the DSCP field of a packet. Since the value of a packet's DSCP field generally does not change during transmission, every device in the network can obtain the real first identification information from the DSCP field and use it to make an accurate allow-or-deny decision for the access behavior corresponding to the packet, which improves network security. Moreover, the DSCP field already exists in packets, so writing the identification information into the DSCP field requires little change to existing technology, which helps reduce the computing resources consumed in implementing this solution; and since all kinds of devices in the network are already able to interpret the control information of packets, they can obtain the identification information from the DSCP field and carry out this solution without any upgrade of their capabilities, further reducing the computing resources consumed in implementing it.
Optionally, building on the embodiments shown in Figures 1 to 7 and to further the understanding of this solution, a specific embodiment of this application is described below with reference to Figures 8a and 8b. Figure 8a is a schematic diagram of a scenario in which a security policy is defeated, and Figure 8b is a schematic diagram of the packet processing method, both provided by an embodiment of this application. Referring first to Figure 8a, the network allows resource tenants to access the management service and denies ordinary tenants access to it; that is, security policy 2, which may be configured on any one or more security devices in the network (for example firewall 1 and firewall 2 in Figure 8a), may include: deny packets whose source IP address is IP1 access to IP3, and allow packets whose source IP address is IP7 access to IP3.
Because the Hypervisor layers of the devices on which both the ordinary tenant and the resource tenant reside translate the source IP address of outgoing packets, the security devices in the network cannot obtain the real source IP address of the packets, and the security policy configured on them is defeated.
Referring now to Figure 8b, the packet processing method provided by this application can be used to configure the first rule in the Hypervisor layer of the device on which the resource tenant resides: when the destination IP of a packet is IP3, write af11 into the packet's DSCP field; and to configure the second rule in the Hypervisor layer of the device providing the management service: drop packets whose DSCP field value is not af11. Since no first rule is configured on the device on which the ordinary tenant resides, when that device sends a packet whose destination IP is IP3, the packet's DSCP field carries 000000; when that packet reaches the device providing the management service, that device can determine according to the second rule that the packet is to be dropped.
Since the first rule is configured on the device on which the resource tenant resides, when that device sends a packet whose destination IP is IP3, the packet's DSCP field carries af11; when that packet reaches the device providing the management service, that device can determine according to the second rule that the access behavior of the packet is allowed. It should be understood that the examples in Figures 8a and 8b are provided only to facilitate understanding of this solution and are not intended to limit it.
Building on the embodiments shown in Figures 1 to 8b, refer to Figure 9, a schematic structural diagram of a packet processing system provided by an embodiment of this application. As shown in Figure 9, packet processing system 900 includes filling module 901 and sending module 902 in the first device, and obtaining module 903 and processing module 904 in the second device. Filling module 901 is configured to write identification information into the differentiated services code point (DSCP) field of a first packet when the destination address of the first packet points to a first object; the first device is the device that generates the first packet, or a switch connected to the device that generates the first packet. Sending module 902 is configured to send the first packet. Obtaining module 903 is configured to obtain the first packet; the second device is the server pointed to by the destination address of the first packet, or a security device that manages that server, the server corresponding to the first object. Obtaining module 903 is further configured to obtain the identification information from the DSCP field of the first packet. Processing module 904 is configured to allow or deny the access behavior corresponding to the first packet according to the identification information.
Optionally, filling module 901 is specifically configured to write the identification information into the DSCP field of the first packet through the Hypervisor layer.
Optionally, filling module 901 is specifically configured to: write first sub-identification information into the first field of the DSCP field through a first instance, the first instance being the instance corresponding to the second object; and write second sub-identification information into the second field of the DSCP field through the Hypervisor layer, the identification information consisting of the first sub-identification information and the second sub-identification information.
Optionally, filling module 901 is specifically configured to write the identification information into the DSCP field of the first packet through an instance.
Optionally, packet processing system 900 further includes a first receiving module in the first device, configured to receive a first rule sent by a third device, the first rule indicating that, when the destination address of a packet being sent points to the first object, the identification information is to be written into the DSCP field of that packet. Packet processing system 900 further includes a second receiving module in the second device, configured to receive a second rule sent by the third device, the second rule indicating that, when the DSCP field of an obtained packet carries the identification information, the access behavior corresponding to the obtained packet is to be allowed or denied.
Refer to Figure 10, a schematic structural diagram of a packet processing apparatus provided by an embodiment of this application. Packet processing apparatus 1000 is applied in a first device and includes: filling module 1001, configured to write identification information into the differentiated services code point (DSCP) field of a first packet when the destination address of the first packet points to a first object, the identification information being used to instruct a second device to allow or deny the access behavior corresponding to the first packet; and sending module 1002, configured to send the first packet. The first device is the device that generates the first packet, or a switch connected to the device that generates the first packet; the second device is the server pointed to by the destination address of the first packet, or a security device that manages that server, the server corresponding to the first object.
Optionally, filling module 1001 is specifically configured to write the identification information into the DSCP field of the first packet through the Hypervisor layer.
Refer to Figure 11, another schematic structural diagram of a packet processing apparatus provided by an embodiment of this application. Packet processing apparatus 1100 is applied in a second device and includes: obtaining module 1101, configured to obtain a first packet, where the second device is the server pointed to by the destination address of the first packet, or a security device that manages that server; obtaining module 1101 is further configured to obtain identification information from the differentiated services code point (DSCP) field of the first packet; and processing module 1102, configured to allow or deny the access behavior corresponding to the first packet according to the identification information.
Option, the first packet originates from a first device, and the identification information in the first packet is obtained through the Hypervisor layer of the first device.
Refer to Figure 12, another schematic structural diagram of a packet processing apparatus provided by an embodiment of this application. Packet processing apparatus 1200 is applied in a third device and includes: sending module 1201, configured to send a first rule to a first device in the network, the first rule indicating that, when the destination address of a packet sent by the first device points to a first object, identification information is to be written into the differentiated services code point (DSCP) field of that packet; the first device is the device that generates the first packet, or a switch connected to the device that generates the first packet. Sending module 1201 is further configured to send a second rule to a second device in the network, the second rule indicating that, when the DSCP field of an obtained packet carries the identification information, the access behavior corresponding to the obtained packet is to be allowed or denied; the second device is the server pointed to by the destination address of the first packet, or a security device that manages that server, the server corresponding to the first object.
Optionally, sending module 1201 is specifically configured to send the first rule to the Hypervisor layer of the first device.
An embodiment of this application further provides a device; refer to Figure 13, a schematic structural diagram of a device provided by an embodiment of this application. Device 1300 carries any one of the packet processing apparatuses of Figures 10 to 13 above. Device 1300 is implemented with a general bus architecture.
Device 1300 includes at least one processor 1301, a communication bus 1302, a memory 1303 and at least one communication interface 1304.
Optionally, processor 1301 is a general-purpose CPU, an NP, a microprocessor, or one or more integrated circuits for implementing the solution of this application, for example an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination of these. The PLD is a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL) or any combination of these.
Communication bus 1302 transfers information between the above components. Communication bus 1302 is divided into an address bus, a data bus, a control bus and so on. For ease of representation only one thick line is drawn in the figure, but this does not mean that there is only one bus or only one type of bus.
Optionally, memory 1303 is a read-only memory (ROM) or another type of static storage device that can store static information and instructions. Alternatively, memory 1303 is a random access memory (RAM) or another type of dynamic storage device that can store information and instructions. Alternatively, memory 1303 is an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and so on), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, without limitation. Optionally, memory 1303 exists independently and is connected to processor 1301 through communication bus 1302. Optionally, memory 1303 and processor 1301 are integrated together.
Communication interface 1304 uses any transceiver-like apparatus to communicate with other devices or a communication network. Communication interface 1304 includes a wired communication interface. Optionally, communication interface 1304 further includes a wireless communication interface. The wired communication interface is, for example, an Ethernet interface; the Ethernet interface is an optical interface, an electrical interface or a combination of the two. The wireless communication interface is a wireless local area network (WLAN) interface, a cellular network communication interface, or a combination of these.
In a specific implementation, as an embodiment, processor 1301 includes one or more CPUs, such as CPU0 and CPU1 shown in Figure 13.
In a specific implementation, as an embodiment, device 1300 includes multiple processors, such as processor 1301 and processor 1305 shown in Figure 13. Each of these processors is a single-core processor (single-CPU) or a multi-core processor (multi-CPU). A processor here means one or more devices, circuits and/or processing cores for processing data (such as computer program instructions).
In some embodiments, memory 1303 stores program code 1313 that implements the solution of this application, and processor 1301 executes program code 1313 stored in memory 1303. That is, device 1300 implements the method embodiments above by means of processor 1301 and program code 1313 in memory 1303.
The embodiments in this specification are described progressively; identical or similar parts of the embodiments may be referred to one another, and each embodiment focuses on its differences from the others.
"A refers to B" means that A is identical to B or that A is a simple variant of B.
The terms "first", "second" and so on in the description and claims of the embodiments of this application are used to distinguish different objects, not to describe a particular order of the objects, and are not to be understood as indicating or implying relative importance. For example, a first rate-limited channel and a second rate-limited channel serve to distinguish different rate-limited channels, not to describe a particular order of them, and the first rate-limited channel is not to be understood as more important than the second.
In the embodiments of this application, unless stated otherwise, "at least one" means one or more and "multiple" means two or more.
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination of these. When implemented by software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions described in the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another by wired means (for example coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless means (for example infrared, radio or microwave). The computer-readable storage medium may be any available medium accessible to a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape), an optical medium (for example a DVD), or a semiconductor medium (for example a solid state disk (SSD)).
The above embodiments are intended only to illustrate the technical solutions of this application, not to limit them. Although this application has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art will understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, without such modifications or replacements taking the essence of the corresponding technical solutions outside the scope of the technical solutions of the embodiments of this application.
Claims (25)
- A packet processing method, characterized in that the method includes: when the destination address of a first packet points to a first object, a first device writes identification information into the differentiated services code point (DSCP) field of the first packet; the first device is the device that generates the first packet, or a switch connected to the device that generates the first packet; the first device sends the first packet; a second device obtains the first packet, the second device being the server pointed to by the destination address of the first packet, or a security device that manages the server, the server corresponding to the first object; the second device obtains the identification information from the DSCP field of the first packet; the second device allows or denies the access behavior corresponding to the first packet according to the identification information.
- The method according to claim 1, characterized in that the first device writing identification information into the DSCP field of the first packet includes: the first device writes the identification information into the DSCP field of the first packet through a Hypervisor layer.
- The method according to claim 1, characterized in that the first device writing identification information into the DSCP field of the first packet includes: a first instance in the first device writes first sub-identification information into a first field of the DSCP field, the first instance being an instance corresponding to a second object; a Hypervisor layer in the first device writes second sub-identification information into a second field of the DSCP field, the identification information including the first sub-identification information and the second sub-identification information.
- The method according to claim 1, characterized in that the first device writing identification information into the DSCP field of the first packet includes: the first device writes the identification information into the DSCP field of the first packet through an instance.
- The method according to any one of claims 1 to 4, characterized in that, before the first device writes the identification information into the DSCP field of the first packet, the method further includes: the first device receives a first rule sent by a third device, the first rule indicating that, when the destination address of a packet sent by the first device points to the first object, the identification information is to be written into the DSCP field of that packet; and before the second device allows or denies the access behavior corresponding to the first packet according to the identification information, the method further includes: the second device receives a second rule sent by the third device, the second rule indicating that, when the DSCP field of a packet obtained by the second device carries the identification information, the access behavior corresponding to the obtained packet is to be allowed or denied.
- A packet processing method, characterized in that the method includes: when the destination address of a first packet points to a first object, a first device writes identification information into the differentiated services code point (DSCP) field of the first packet, the identification information being used to instruct a second device to allow or deny the access behavior corresponding to the first packet; the first device sends the first packet; where the first device is the device that generates the first packet, or a switch connected to the device that generates the first packet; the second device is the server pointed to by the destination address of the first packet, or a security device that manages the server, the server corresponding to the first object.
- The method according to claim 6, characterized in that the first device writing identification information into the DSCP field of the first packet includes: the first device writes the identification information into the DSCP field of the first packet through a Hypervisor layer.
- A packet processing method, characterized in that the method includes: a second device obtains a first packet, where the second device is the server pointed to by the destination address of the first packet, or a security device that manages the server; the second device obtains identification information from the differentiated services code point (DSCP) field of the first packet; the second device allows or denies the access behavior corresponding to the first packet according to the identification information.
- The method according to claim 8, characterized in that the first packet originates from a first device, and the identification information in the first packet is obtained through a Hypervisor layer in the first device.
- A packet processing method, characterized in that the method includes: a third device sends a first rule to a first device in a network, the first rule indicating that, when the destination address of a packet sent by the first device points to a first object, identification information is to be written into the differentiated services code point (DSCP) field of that packet; the first device is the device that generates the first packet, or a switch connected to the device that generates the first packet; the third device sends a second rule to a second device in the network, the second rule indicating that, when the DSCP field of an obtained packet carries the identification information, the access behavior corresponding to the obtained packet is to be allowed or denied; the second device is the server pointed to by the destination address of the first packet, or a security device that manages the server, the server corresponding to the first object.
- The method according to claim 10, characterized in that the third device sending the first rule to the first device in the network includes: the third device sends the first rule to a Hypervisor layer of the first device.
- A packet processing system, characterized in that the packet processing system includes a filling module and a sending module in a first device, and an obtaining module and a processing module in a second device; where the filling module is configured to write identification information into the differentiated services code point (DSCP) field of a first packet when the destination address of the first packet points to a first object; the first device is the device that generates the first packet, or a switch connected to the device that generates the first packet; the sending module is configured to send the first packet; the obtaining module is configured to obtain the first packet, the second device being the server pointed to by the destination address of the first packet, or a security device that manages the server, the server corresponding to the first object; the obtaining module is further configured to obtain the identification information from the DSCP field of the first packet; the processing module is configured to allow or deny the access behavior corresponding to the first packet according to the identification information.
- The system according to claim 12, characterized in that the filling module is specifically configured to write the identification information into the DSCP field of the first packet through a Hypervisor layer.
- The system according to claim 12, characterized in that the filling module is specifically configured to: write first sub-identification information into a first field of the DSCP field through a first instance, the first instance being an instance corresponding to a second object; and write second sub-identification information into a second field of the DSCP field through a Hypervisor layer, the identification information including the first sub-identification information and the second sub-identification information.
- The system according to claim 12, characterized in that the filling module is specifically configured to write the identification information into the DSCP field of the first packet through an instance.
- The system according to any one of claims 12 to 15, characterized in that the packet processing system further includes: a first receiving module in the first device, configured to receive a first rule sent by a third device, the first rule indicating that, when the destination address of a packet being sent points to the first object, the identification information is to be written into the DSCP field of that packet; and the packet processing system further includes: a second receiving module in the second device, configured to receive a second rule sent by the third device, the second rule indicating that, when the DSCP field of an obtained packet carries the identification information, the access behavior corresponding to the obtained packet is to be allowed or denied.
- A packet processing apparatus, characterized in that the apparatus is applied in a first device and includes: a filling module, configured to write identification information into the differentiated services code point (DSCP) field of a first packet when the destination address of the first packet points to a first object, the identification information being used to instruct a second device to allow or deny the access behavior corresponding to the first packet; a sending module, configured to send the first packet; where the first device is the device that generates the first packet, or a switch connected to the device that generates the first packet; the second device is the server pointed to by the destination address of the first packet, or a security device that manages the server, the server corresponding to the first object.
- The apparatus according to claim 17, characterized in that the filling module is specifically configured to write the identification information into the DSCP field of the first packet through a Hypervisor layer.
- A packet processing apparatus, characterized in that the apparatus is applied in a second device and includes: an obtaining module, configured to obtain a first packet, where the second device is the server pointed to by the destination address of the first packet, or a security device that manages the server; the obtaining module is further configured to obtain identification information from the differentiated services code point (DSCP) field of the first packet; a processing module, configured to allow or deny the access behavior corresponding to the first packet according to the identification information.
- The apparatus according to claim 19, characterized in that the first packet originates from a first device, and the identification information in the first packet is obtained through a Hypervisor layer in the first device.
- A packet processing apparatus, characterized in that the apparatus is applied in a third device and includes: a sending module, configured to send a first rule to a first device in a network, the first rule indicating that, when the destination address of a packet sent by the first device points to a first object, identification information is to be written into the differentiated services code point (DSCP) field of that packet; the first device is the device that generates the first packet, or a switch connected to the device that generates the first packet; the sending module is further configured to send a second rule to a second device in the network, the second rule indicating that, when the DSCP field of an obtained packet carries the identification information, the access behavior corresponding to the obtained packet is to be allowed or denied; the second device is the server pointed to by the destination address of the first packet, or a security device that manages the server, the server corresponding to the first object.
- The apparatus according to claim 21, characterized in that the sending module is specifically configured to send the first rule to a Hypervisor layer of the first device.
- A device, including a processor and a memory, the memory storing program code and the processor calling the program code in the memory so that the device performs the method according to any one of claims 1 to 11.
- A computer-readable storage medium storing instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 1 to 11.
- A computer program product, characterized in that it includes program code which, when the computer program product is run by a computer, causes the computer to perform the method according to any one of claims 1 to 11.
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211330218.4 | 2022-10-27 | ||
CN202211330218 | 2022-10-27 | ||
CN202310125731.8A CN117997579A (zh) | 2022-10-27 | 2023-02-16 | Packet processing method and related apparatus |
CN202310125731.8 | 2023-02-16 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2024087638A1 true WO2024087638A1 (zh) | 2024-05-02 |
Family
ID=90829868
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2023/098501 WO2024087638A1 (zh) | 2022-10-27 | 2023-06-06 | Packet processing method and related apparatus |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2024087638A1 (zh) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 23881229 Country of ref document: EP Kind code of ref document: A1 |