
CN108650181A - An IP packet strategy matching circuit and method

Info

Publication number
CN108650181A
Authority
CN
China
Prior art keywords
strategy
tuple
matching
packet
priority
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201810361007.4A
Other languages
Chinese (zh)
Inventor
王子彤
姜凯
李朋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jinan Inspur Hi Tech Investment and Development Co Ltd
Original Assignee
Jinan Inspur Hi Tech Investment and Development Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Jinan Inspur Hi Tech Investment and Development Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2425 Traffic characterised by specific attributes, e.g. priority or QoS for supporting services specification, e.g. SLA
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/302 Route determination based on requested QoS
    • H04L45/308 Route determination based on user's profile, e.g. premium users
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/74 Address processing for routing

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates in particular to an IP packet strategy matching circuit and method. The circuit and method comprise a "specific five-tuple" strategy matching module, a "range five-tuple" strategy matching module and a priority judging module. Issued strategies and IP packets pass through the "specific five-tuple" strategy matching module and the "range five-tuple" strategy matching module, which perform strategy storage and packet response according to the matching result; the result is output after priority judgment by the priority judging module. By providing circuits with two storage-and-matching structures, the invention stores "specific five-tuple" strategies and "range five-tuple" strategies and matches IP packets against both, which simplifies the contents of the strategy set, saves circuit resources and improves system availability. At the same time, while guaranteeing matching accuracy, it uses statistical information to set up a priority match storage unit, so that the IP packet strategy matching rate is greatly improved.

Description

An IP packet strategy matching circuit and method
Technical field
The present invention relates to network data processing technology, and in particular to an IP packet strategy matching circuit and method.
Background
Policy-based routing forwards packets according to a configured strategy (policy). It can route on the source IP address, destination IP address, protocol field, and even the TCP or UDP source and destination ports, in various combinations. When a router forwards a data packet, it first filters the packet against the configured rules; on a successful match, it forwards the packet according to the corresponding forwarding strategy. Such rules can be based on standard and extended access lists, and can also be based on packet length.
Compared with conventional routing protocols, policy-based routing gives network administrators stronger control over packet forwarding and storage. As the number of strategy entries grows and their parameter formats become more complex, both the applicability and the matching rate of a strategy matching method are greatly affected, and the space occupied by strategy storage may also need to grow at any time.
In view of the above, the present invention proposes an IP packet strategy matching circuit and method.
Summary of the invention
To remedy the shortcomings of the prior art, the present invention provides a simple and efficient IP packet strategy matching circuit and method.
The present invention is achieved through the following technical solution:
An IP packet strategy matching circuit, characterized in that it comprises a "specific five-tuple" strategy matching module, a "range five-tuple" strategy matching module and a priority judging module. Issued strategies and IP packets pass through the "specific five-tuple" strategy matching module and the "range five-tuple" strategy matching module, which perform strategy storage and packet response according to the matching result; the result is output after priority judgment by the priority judging module.
The "specific five-tuple" strategy matching module comprises an address mapping unit, a strategy storage unit and a strategy matching unit, and performs storage and packet response for strategies that have the "specific five-tuple" feature. The "range five-tuple" strategy matching module comprises an address arbitration unit, general strategy storage units, a priority match storage unit and a strategy matching unit, and performs storage and packet response for strategies that have the "range five-tuple" feature. The priority judging module performs priority judgment on the outputs of the "specific five-tuple" strategy matching module and the "range five-tuple" strategy matching module, and outputs the strategy with the higher priority.
A "specific five-tuple" strategy is one whose five-tuple consists of definite values.
A "range five-tuple" strategy is one in which one or more fields of the five-tuple are set to a range; every IP packet that falls within this range and matches the other five-tuple fields should match the strategy.
The five-tuple comprises the source IP address, destination IP address, protocol number, source port and destination port.
The "range five-tuple" strategy matching module comprises multiple general strategy storage units, which store the issued strategies in a parallel, non-duplicated manner: storage starts at the first address of the first storage unit, and once the first address of every storage unit has been filled, it continues from the second address of the first storage unit.
A matching method based on the IP packet strategy matching circuit, characterized in that:
(1) When a strategy is issued, it is judged by the strategy matching unit; if the strategy has the "specific five-tuple" feature, it enters the "specific five-tuple" strategy matching module, where the address mapping unit maps the five-tuple to a storage address and the strategy is stored at the corresponding address of the strategy storage unit;
When an IP packet arrives, the strategy matching unit performs "specific five-tuple" matching; if the strategy found for the IP packet has the "specific five-tuple" feature, the packet enters the "specific five-tuple" strategy matching module, where the address mapping unit maps the five-tuple to a strategy storage address, and the strategy is fetched and sent to the priority judging module;
(2) When an IP packet arrives, "range five-tuple" matching is performed at the same time as "specific five-tuple" matching; starting from the first address, all storage units are matched simultaneously, address by address, until a corresponding strategy is found or no strategy remains, and the address arbitration unit outputs the final strategy and its priority to the priority judging module;
(3) The priority judging module performs priority judgment on the outputs of the "specific five-tuple" strategy matching module and the "range five-tuple" strategy matching module, and outputs the strategy with the higher priority.
The address mapping unit maps the five-tuple to a storage address using a HASH algorithm.
In the "range five-tuple" strategy matching module, the strategy matching unit keeps statistics on the strategy found for each IP packet, and the strategies matched most often per unit time are stored in the priority match storage unit. When a new IP packet arrives and the priority match storage unit is not empty, the packet is first matched against the priority match storage unit and, if nothing matches there, against the general strategy storage units. When the number of misses reaches an upper limit, or a preset update time is reached, the contents of the priority match storage unit are updated.
The beneficial effects of the invention are as follows: by providing circuits with two storage-and-matching structures, the IP packet strategy matching circuit and method store "specific five-tuple" strategies and "range five-tuple" strategies and match IP packets against both, which simplifies the contents of the strategy set, saves circuit resources and improves system availability. At the same time, while guaranteeing matching accuracy, statistical information is used to set up a priority match storage unit, so that the IP packet strategy matching rate is greatly improved.
Brief description of the drawings
Figure 1 is a schematic diagram of the IP packet strategy matching circuit and method of the present invention.
Detailed description of the embodiments
To make the technical problem to be solved, the technical solution and the advantages of the present invention clearer, the invention is described in detail below with reference to the drawings and embodiments. It should be noted that the specific embodiments described here only serve to explain the present invention and are not intended to limit it.
The IP packet strategy matching circuit comprises a "specific five-tuple" strategy matching module, a "range five-tuple" strategy matching module and a priority judging module. Issued strategies and IP packets pass through the "specific five-tuple" strategy matching module and the "range five-tuple" strategy matching module, which perform strategy storage and packet response according to the matching result; the result is output after priority judgment by the priority judging module.
The "specific five-tuple" strategy matching module comprises an address mapping unit, a strategy storage unit and a strategy matching unit, and performs storage and packet response for strategies that have the "specific five-tuple" feature. The "range five-tuple" strategy matching module comprises an address arbitration unit, general strategy storage units, a priority match storage unit and a strategy matching unit, and performs storage and packet response for strategies that have the "range five-tuple" feature. The priority judging module performs priority judgment on the outputs of the "specific five-tuple" strategy matching module and the "range five-tuple" strategy matching module, and outputs the strategy with the higher priority.
A "specific five-tuple" strategy is one whose five-tuple consists of definite values.
A "range five-tuple" strategy is one in which one or more fields of the five-tuple are set to a range; every IP packet that falls within this range and matches the other five-tuple fields should match the strategy.
The five-tuple comprises the source IP address, destination IP address, protocol number, source port and destination port.
The "range five-tuple" strategy matching module comprises multiple general strategy storage units, which store the issued strategies in a parallel, non-duplicated manner: storage starts at the first address of the first storage unit, and once the first address of every storage unit has been filled, it continues from the second address of the first storage unit.
The matching method based on the IP packet strategy matching circuit includes the following steps:
(1) When a strategy is issued, it is judged by the strategy matching unit; if the strategy has the "specific five-tuple" feature, it enters the "specific five-tuple" strategy matching module, where the address mapping unit maps the five-tuple to a storage address and the strategy is stored at the corresponding address of the strategy storage unit;
When an IP packet arrives, the strategy matching unit performs "specific five-tuple" matching; if the strategy found for the IP packet has the "specific five-tuple" feature, the packet enters the "specific five-tuple" strategy matching module, where the address mapping unit maps the five-tuple to a strategy storage address, and the strategy is fetched and sent to the priority judging module;
(2) When an IP packet arrives, "range five-tuple" matching is performed at the same time as "specific five-tuple" matching; starting from the first address, all storage units are matched simultaneously, address by address, until a corresponding strategy is found or no strategy remains, and the address arbitration unit outputs the final strategy and its priority to the priority judging module;
(3) The priority judging module performs priority judgment on the outputs of the "specific five-tuple" strategy matching module and the "range five-tuple" strategy matching module, and outputs the strategy with the higher priority.
The address mapping unit maps the five-tuple to a storage address using a HASH algorithm.
In the "range five-tuple" strategy matching module, the strategy matching unit keeps statistics on the strategy found for each IP packet, and the strategies matched most often per unit time are stored in the priority match storage unit. When a new IP packet arrives and the priority match storage unit is not empty, the packet is first matched against the priority match storage unit and, if nothing matches there, against the general strategy storage units. When the number of misses reaches an upper limit, or a preset update time is reached, the contents of the priority match storage unit are updated.
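A software model of the matching method described above, added here as an illustration and not taken from the patent, with strategies modelled as `Policy` objects. A dict stands in for the HASH address mapping; the class and function names, the "larger number wins" priority convention, the arbitration rule among storage units at the same address, and the sample strategies are all assumptions.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

def ip(addr):
    return int(ipaddress.ip_address(addr))  # addresses become integers, comparable like ports

@dataclass(frozen=True)
class Policy:
    name: str
    priority: int  # assumption: a larger number means higher priority
    match: tuple   # five (lo, hi) pairs: src IP, dst IP, protocol, src port, dst port

    def is_specific(self):
        return all(lo == hi for lo, hi in self.match)

    def covers(self, pkt):
        return all(lo <= v <= hi for v, (lo, hi) in zip(pkt, self.match))

def policy(name, priority, *fields):
    # A bare value is a "specific" field; a (lo, hi) tuple is a range.
    return Policy(name, priority, tuple(f if isinstance(f, tuple) else (f, f) for f in fields))

class PolicyMatcher:
    def __init__(self, banks=2, cache_size=1, miss_limit=3):
        self.exact = {}                          # dict stands in for the HASH address mapping
        self.banks = [[] for _ in range(banks)]  # general strategy storage units
        self.issued = 0
        self.cache = []                          # priority match storage unit
        self.cache_size, self.miss_limit = cache_size, miss_limit
        self.hits, self.misses = Counter(), 0

    def install(self, p):
        if p.is_specific():
            self.exact[tuple(lo for lo, _ in p.match)] = p
        else:  # round-robin: address 0 of every bank, then address 1, and so on
            self.banks[self.issued % len(self.banks)].append(p)
            self.issued += 1

    def refresh(self):
        """Reload the cache with the most-matched range policies (update timer or miss limit)."""
        self.cache = [p for p, _ in self.hits.most_common(self.cache_size)]
        self.hits.clear()
        self.misses = 0

    def _range_lookup(self, pkt):
        found = next((p for p in self.cache if p.covers(pkt)), None)
        if found is None:
            self.misses += bool(self.cache)      # only a non-empty cache can miss
            for addr in range(max(map(len, self.banks))):
                row = [b[addr] for b in self.banks if addr < len(b) and b[addr].covers(pkt)]
                if row:  # assumed arbitration: highest priority among hits at this address
                    found = max(row, key=lambda p: p.priority)
                    break
        if found is not None:
            self.hits[found] += 1
        if self.misses >= self.miss_limit:
            self.refresh()
        return found

    def classify(self, pkt):
        """Run both lookups and return the higher-priority result, or None."""
        results = [self.exact.get(tuple(pkt)), self._range_lookup(pkt)]
        return max((p for p in results if p), key=lambda p: p.priority, default=None)

def sample_matcher():
    # Constructed sample policies (made-up addresses, ports and priorities).
    m, any_port = PolicyMatcher(), (0, 65535)
    m.install(policy("web-range", 10, (ip("10.0.0.0"), ip("10.0.0.255")), ip("192.0.2.10"), 6, any_port, (80, 443)))
    m.install(policy("dns-range", 20, (ip("10.0.0.0"), ip("10.0.255.255")), ip("192.0.2.53"), 17, any_port, 53))
    m.install(policy("admin-exact", 50, ip("10.0.0.7"), ip("192.0.2.10"), 6, 40000, 443))
    return m

if __name__ == "__main__":
    m = sample_matcher()
    for pkt in [(ip("10.0.0.7"), ip("192.0.2.10"), 6, 40000, 443),
                (ip("10.0.0.9"), ip("192.0.2.10"), 6, 51000, 80),
                (ip("172.16.0.1"), ip("192.0.2.10"), 6, 51000, 80)]:
        hit = m.classify(pkt)
        print(pkt, "->", hit.name if hit else "no policy")
```

In this model a range hit in the priority match storage, or at an earlier address, ends the scan, so when range strategies overlap, the order in which they are issued affects which one is returned.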
Those skilled in the art can readily implement the present invention from the specific embodiments above. It should be understood, however, that the present invention is not limited to these specific embodiments. On the basis of the disclosed embodiments, those skilled in the art may combine different technical features in any way to realize different technical solutions.
Everything other than the technical features described in the specification is known to those skilled in the art.

Claims (9)

1. An IP packet strategy matching circuit, characterized in that it comprises a "specific five-tuple" strategy matching module, a "range five-tuple" strategy matching module and a priority judging module; issued strategies and IP packets pass through the "specific five-tuple" strategy matching module and the "range five-tuple" strategy matching module, which perform strategy storage and packet response according to the matching result, and the result is output after priority judgment by the priority judging module.
2. The IP packet strategy matching circuit according to claim 1, characterized in that: the "specific five-tuple" strategy matching module comprises an address mapping unit, a strategy storage unit and a strategy matching unit, and performs storage and packet response for strategies that have the "specific five-tuple" feature; the "range five-tuple" strategy matching module comprises an address arbitration unit, general strategy storage units, a priority match storage unit and a strategy matching unit, and performs storage and packet response for strategies that have the "range five-tuple" feature; the priority judging module performs priority judgment on the outputs of the "specific five-tuple" strategy matching module and the "range five-tuple" strategy matching module, and outputs the strategy with the higher priority.
3. The IP packet strategy matching circuit according to claim 2, characterized in that: a "specific five-tuple" strategy is one whose five-tuple consists of definite values.
4. The IP packet strategy matching circuit according to claim 2, characterized in that: a "range five-tuple" strategy is one in which one or more fields of the five-tuple are set to a range, and every IP packet that falls within this range and matches the other five-tuple fields should match the strategy.
5. The IP packet strategy matching circuit according to claim 3 or 4, characterized in that: the five-tuple comprises the source IP address, destination IP address, protocol number, source port and destination port.
6. The IP packet strategy matching circuit according to claim 2, characterized in that: the "range five-tuple" strategy matching module comprises multiple general strategy storage units, which store the issued strategies in a parallel, non-duplicated manner, that is, storage starts at the first address of the first storage unit, and once the first address of every storage unit has been filled, it continues from the second address of the first storage unit.
7. A matching method for the IP packet strategy matching circuit according to any one of claims 1 to 6, characterized in that:
(1) When a strategy is issued, it is judged by the strategy matching unit; if the strategy has the "specific five-tuple" feature, it enters the "specific five-tuple" strategy matching module, where the address mapping unit maps the five-tuple to a storage address and the strategy is stored at the corresponding address of the strategy storage unit;
When an IP packet arrives, the strategy matching unit performs "specific five-tuple" matching; if the strategy found for the IP packet has the "specific five-tuple" feature, the packet enters the "specific five-tuple" strategy matching module, where the address mapping unit maps the five-tuple to a strategy storage address, and the strategy is fetched and sent to the priority judging module;
(2) When an IP packet arrives, "range five-tuple" matching is performed at the same time as "specific five-tuple" matching; starting from the first address, all storage units are matched simultaneously, address by address, until a corresponding strategy is found or no strategy remains, and the address arbitration unit outputs the final strategy and its priority to the priority judging module;
(3) The priority judging module performs priority judgment on the outputs of the "specific five-tuple" strategy matching module and the "range five-tuple" strategy matching module, and outputs the strategy with the higher priority.
8. The matching method for the IP packet strategy matching circuit according to claim 7, characterized in that: the address mapping unit maps the five-tuple to a storage address using a HASH algorithm.
9. The matching method for the IP packet strategy matching circuit according to claim 7, characterized in that: in the "range five-tuple" strategy matching module, the strategy matching unit keeps statistics on the strategy found for each IP packet, and the strategies matched most often per unit time are stored in the priority match storage unit; when a new IP packet arrives and the priority match storage unit is not empty, the packet is first matched against the priority match storage unit and, if nothing matches there, against the general strategy storage units; when the number of misses reaches an upper limit, or a preset update time is reached, the contents of the priority match storage unit are updated.
CN201810361007.4A 2018-04-20 2018-04-20 A kind of IP packet strategy matching circuit and method Pending CN108650181A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810361007.4A CN108650181A (en) 2018-04-20 2018-04-20 A kind of IP packet strategy matching circuit and method

Publications (1)

Publication Number Publication Date
CN108650181A true CN108650181A (en) 2018-10-12

Family

ID=63746831

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810361007.4A Pending CN108650181A (en) 2018-04-20 2018-04-20 A kind of IP packet strategy matching circuit and method

Country Status (1)

Country Link
CN (1) CN108650181A (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101039271A (en) * 2007-03-20 2007-09-19 华为技术有限公司 Method and apparatus for taking effect rules of access control list
CN102316040A (en) * 2011-09-09 2012-01-11 中兴通讯股份有限公司 Access control list finding method and data stream classification device
US9537891B1 (en) * 2011-09-27 2017-01-03 Palo Alto Networks, Inc. Policy enforcement based on dynamically attribute-based matched network objects
CN106878185A (en) * 2017-04-13 2017-06-20 济南浪潮高新科技投资发展有限公司 A packet IP address matching circuit and method
CN106878308A (en) * 2017-02-21 2017-06-20 济南浪潮高新科技投资发展有限公司 A kind of ICMP message matching system and method
CN106936719A (en) * 2017-05-17 2017-07-07 济南浪潮高新科技投资发展有限公司 A kind of IP messages strategy matching method
CN107547432A (en) * 2017-08-28 2018-01-05 新华三信息安全技术有限公司 A kind of flow control methods and device
CN107707485A (en) * 2017-10-23 2018-02-16 济南浪潮高新科技投资发展有限公司 A kind of range type IP message strategy matching circuits and method

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111444218A (en) * 2020-03-30 2020-07-24 国家计算机网络与信息安全管理中心 Matching method and device of combination rules
CN111444218B (en) * 2020-03-30 2022-09-30 国家计算机网络与信息安全管理中心 Matching method and device of combination rules

Similar Documents

Publication Publication Date Title
US8259585B1 (en) Dynamic link load balancing
EP3516833B1 (en) Methods, systems, and computer readable media for discarding messages during a congestion event
US8094660B2 (en) VLAN server
US7000055B1 (en) Multi-interface symmetric multiprocessor
KR100834570B1 (en) Real-time state-based packet inspection method and apparatus therefor
EP2552059A1 (en) Packet transfer system, control apparatus, transfer apparatus, method of creating processing rules, and program
US20140219284A1 (en) Method and system for reduction of time variance of packets received from bonded communication links
CN103905311A (en) Flow table matching method and device and switch
CN108566342A (en) Multi-service traffic distribution system and distribution data processing method based on SDN architecture
CN101170517A (en) Method and device for aging control session table
US20240314076A1 (en) Fragmented packet traffic rate limiting method, dpu fragmented packet forwarding method, and electronic device
DE112017003324T5 (en) Adaptive routing technologies using aggregated congestion information
US20150113146A1 (en) Network Management with Network Virtualization based on Modular Quality of Service Control (MQC)
US8897316B2 (en) On-chip packet cut-through
EP1417795B1 (en) Switching node with classification-dependent mac buffer control
CN111901236A (en) Method and system for optimizing openstack cloud network by using dynamic routing
WO2021052382A1 (en) Cloud service bandwidth management and configuration methods and related device
CN108712446A (en) The defence method and device of interest packet flood attack in a kind of content center network
CN116915709A (en) Load balancing method and device, electronic equipment and storage medium
EP4181479A1 (en) Method for identifying flow, and apparatus
US9137158B2 (en) Communication apparatus and communication method
CN108650181A (en) A kind of IP packet strategy matching circuit and method
CN116264522A (en) Private cloud access control method, device, equipment and medium
CN101808031A (en) Trusted improvement method of router
CN104780178B (en) A kind of connection management method for being used to prevent that TCP from attacking

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20181012