[go: up one dir, main page]

CN101355585B - System and method for protecting information of distributed architecture data communication equipment - Google Patents

System and method for protecting information of distributed architecture data communication equipment Download PDF

Info

Publication number
CN101355585B
CN101355585B CN2008102105854A CN200810210585A CN101355585B CN 101355585 B CN101355585 B CN 101355585B CN 2008102105854 A CN2008102105854 A CN 2008102105854A CN 200810210585 A CN200810210585 A CN 200810210585A CN 101355585 B CN101355585 B CN 101355585B
Authority
CN
China
Prior art keywords
message
protocol
clear text
module
unit cpu
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN2008102105854A
Other languages
Chinese (zh)
Other versions
CN101355585A (en
Inventor
刘宗颖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZTE Corp filed Critical ZTE Corp
Priority to CN2008102105854A priority Critical patent/CN101355585B/en
Publication of CN101355585A publication Critical patent/CN101355585A/en
Application granted granted Critical
Publication of CN101355585B publication Critical patent/CN101355585B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

本发明公开了一种分布式架构数据通信设备的消息保护系统及方法,以有效保护分布式架构数据通信设备的CPU。该方法中,业务处理单元收到报文之后分析出需要CPU处理的待处理报文;对所述待处理报文进行协议分析,获得所述待处理报文的协议类型;获得系统主控单元CPU和缓存的利用率;根据所述系统主控单元CPU和缓存的利用率,对所述待处理报文中需要系统主控单元CPU处理的报文进行服务质量限速处理;根据所述待处理报文的协议类型,对所述待处理报文进行处理。本发明控制各业务处理单元消息上送主控CPU的速率,避免了因为消息的处理造成CPU的繁忙对其它正常业务的影响。

Figure 200810210585

The invention discloses a message protection system and method of a data communication device with a distributed architecture, so as to effectively protect the CPU of the data communication device with a distributed architecture. In the method, after receiving the message, the service processing unit analyzes the message to be processed that needs to be processed by the CPU; performs protocol analysis on the message to be processed, and obtains the protocol type of the message to be processed; obtains the system main control unit CPU and cache utilization; according to the utilization of the system main control unit CPU and cache, perform quality of service speed limit processing on the messages that need to be processed by the system main control unit CPU among the messages to be processed; The protocol type of the processing message is used to process the message to be processed. The invention controls the rate at which messages of each service processing unit are sent to the main control CPU, and avoids the influence of busy CPU caused by message processing on other normal services.

Figure 200810210585

Description

一种分布式架构数据通信设备的消息保护系统及方法 A message protection system and method for data communication equipment with distributed architecture

技术领域technical field

本发明涉及分布式架构的数据通信设备,具体地说,是涉及一种分布式架构数据通信设备的消息保护系统及方法。The present invention relates to a data communication device with a distributed architecture, in particular to a message protection system and method for a data communication device with a distributed architecture.

背景技术Background technique

随着互联网的发展和壮大,各种各样的互联网设备相继出现。在网络的汇聚层和核心层,为了缓解巨大业务量对设备性能的要求,分布式架构设备的应用已经得到了普及。With the development and growth of the Internet, various Internet devices have emerged one after another. In the aggregation layer and core layer of the network, in order to alleviate the requirements of huge traffic on device performance, the application of distributed architecture devices has been popularized.

如图1所示,分布式架构主要由系统主控单元110、若干业务处理单元120、系统主控单元110和业务处理单元120之间及各业务处理单元120之间的数据通道130组成,各业务处理单元120都能独立完成某种业务的处理,而系统资源的统一调度管理由系统主控单元110完成,其中:As shown in Figure 1, the distributed architecture is mainly composed of a system main control unit 110, several business processing units 120, data channels 130 between the system main control unit 110 and business processing units 120 and between business processing units 120, each The service processing unit 120 can independently complete the processing of certain services, and the unified scheduling and management of system resources is completed by the system main control unit 110, wherein:

系统主控单元110,负责管理和维护整个设备,并对系统资源进行统一调度,对简单网络管理协议(simple network management protocol,缩写为SNMP)等协议的各种消息的最后处理及响应均是在这里完成的;The system main control unit 110 is responsible for managing and maintaining the entire device, and uniformly scheduling system resources. The final processing and response to various messages of simple network management protocol (simple network management protocol, abbreviated as SNMP) and other protocols are all in the done here;

业务处理单元120,负责接收数据并根据数据内容进行诸如转发、上送给业务处理单元中央处理器(CPU)或者丢弃等处理;The service processing unit 120 is responsible for receiving data and performing processing such as forwarding, sending to the service processing unit central processing unit (CPU) or discarding according to the data content;

数据通道130:主要负责系统主控单元110和业务处理单元120以及各业务处理单元120之间的消息、数据交换等,根据分布式系统设备不同而各有区别,比如可以根据实际情况分为多个处理单元,如业务处理单元120之间的数据交换可以由专门的交换单元来处理等等。Data channel 130: mainly responsible for the message and data exchange between the system main control unit 110 and the business processing unit 120, and between each business processing unit 120. It is different according to the distributed system equipment. For example, it can be divided into multiple channels according to the actual situation. Each processing unit, for example, the data exchange between the service processing unit 120 can be handled by a dedicated switching unit and so on.

为了更好地管理网络中的各种设备,开发了各种各样的网络协议,如使用网络时间协议(network time protocol,缩写为NTP)同步网络里各设备的时间、使用SNMP实现网络设备的远程集中管理等等。In order to better manage various devices in the network, various network protocols have been developed, such as using the network time protocol (network time protocol, abbreviated as NTP) to synchronize the time of each device in the network, and using SNMP to implement network device Remote centralized management and more.

然而随着网络设备和网络协议的不断涌现,利用网络协议针对网络设备的攻击也不断出现,如最常见的“拒绝服务”(Denial of Service,缩写为DOS)攻击(一种通过发送大量模拟协议报文来占用被攻击设备的CPU资源,使其它正常业务受到影响甚至中断的方法)等等。针对这些攻击,网络采取了一些保护措施,如包限速功能,在业务处理单元上限制各种协议包上送CPU处理的速度,从而达到保护CPU的目的。However, with the continuous emergence of network devices and network protocols, attacks against network devices using network protocols are also emerging, such as the most common "Denial of Service" (Denial of Service, abbreviated as DOS) attack (a kind of attack by sending a large number of simulated protocol message to occupy the CPU resources of the attacked device, so that other normal services are affected or even interrupted) and so on. In response to these attacks, the network has adopted some protective measures, such as the packet rate limit function, which limits the speed at which various protocol packets are sent to the CPU for processing on the business processing unit, so as to achieve the purpose of protecting the CPU.

针对集中式的设备,现阶段采用的技术能比较有效地实现对CPU的保护。但是在分布式环境中,各业务处理单元尽管得到了保护,但是从业务处理单元CPU到系统主控单元CPU却没有任何保护措施,而是直接上送。存在某些协议(如SNMP、NTP等),在业务处理单元处理后需要上送给系统主控单元进行进一步处理,在这个过程中,存在以下问题:For centralized equipment, the technology adopted at this stage can effectively protect the CPU. However, in a distributed environment, although each service processing unit is protected, there is no protection measure from the service processing unit CPU to the system main control unit CPU, but is directly uploaded. There are certain protocols (such as SNMP, NTP, etc.), which need to be sent to the system main control unit for further processing after being processed by the business processing unit. In this process, the following problems exist:

因为各业务处理单元CPU只要判断是否为SNMP或者NTP等协议报文,是则上送给系统主控单元CPU进一步处理,这样各业务处理单元CPU利用率可能还很低,但是系统主控单元的CPU可能已经不堪重负。以SNMP协议为例:现在SNMP管理器(manager)一端常用的一种由很多个读取下一个请求(GetNextRequest)消息组合而成的读取批量请求(GetBulkRequest)消息,当GetBulkRequest中请求的管理对象在代理(agent)的管理信息库(MIB)中不存在,系统主控单元仍然需要完整地检索整个MIB库后,才能确定需要查找的MIB文件不存在。由于一个数据包内携带多个请求消息,这将导致主控CPU利用率居高不下,甚至停止响应其它正常请求如telnet和console口等。Because the CPU of each service processing unit only needs to judge whether it is a protocol message such as SNMP or NTP, and if it is, it will send it to the CPU of the system main control unit for further processing, so the CPU utilization of each service processing unit may still be very low, but the system main control unit The CPU may have been overwhelmed. Take the SNMP protocol as an example: a read batch request (GetBulkRequest) message that is commonly used at the SNMP manager (manager) side is composed of many read next request (GetNextRequest) messages. When the management object requested in GetBulkRequest If it does not exist in the management information base (MIB) of the agent (agent), the main control unit of the system still needs to completely search the entire MIB library before it can determine that the MIB file to be searched does not exist. Since one data packet carries multiple request messages, this will cause the CPU utilization rate of the main control to remain high, and even stop responding to other normal requests such as telnet and console ports.

发明内容Contents of the invention

本发明所要解决的技术问题是在于需要提供一种分布式架构数据通信设备的消息保护系统及相应的保护方法,以有效保护分布式架构数据通信设备的CPU。The technical problem to be solved by the present invention is to provide a message protection system and a corresponding protection method for data communication equipment with a distributed architecture, so as to effectively protect the CPU of the data communication equipment with a distributed architecture.

为了解决上述技术问题,本发明首先提供了一种分布式架构数据通信设备的消息保护系统,包括转发模块、协议分析模块、内部服务质量模块、管理模块及协议处理模块,其中:In order to solve the above technical problems, the present invention firstly provides a message protection system for data communication equipment with a distributed architecture, including a forwarding module, a protocol analysis module, an internal quality of service module, a management module and a protocol processing module, wherein:

所述转发模块,位于所述分布式架构数据通信设备的业务处理单元上,用于接收并上送需要CPU处理的待处理报文;The forwarding module is located on the service processing unit of the distributed architecture data communication device, and is used to receive and send the pending messages that need to be processed by the CPU;

所述协议分析模块,与所述转发模块相连,用于对所述待处理报文进行协议分析,获得所述待处理报文的协议类型;The protocol analysis module is connected to the forwarding module, and is used to analyze the protocol of the message to be processed, and obtain the protocol type of the message to be processed;

所述管理模块,用于获取所述系统主控单元CPU和缓存的利用率;The management module is configured to acquire the utilization ratios of the system main control unit CPU and cache;

所述内部服务质量模块,与所述协议分析模块及管理模块相连,用于向所述协议处理模块转发所述待处理报文,并根据所述系统主控单元CPU和缓存的利用率,对所述待处理报文中需要系统主控单元CPU处理的报文进行服务质量限速处理;及The internal quality of service module is connected to the protocol analysis module and the management module, and is used to forward the message to be processed to the protocol processing module, and according to the utilization rate of the system main control unit CPU and cache, Among the messages to be processed, the messages that need to be processed by the CPU of the system main control unit are subjected to quality of service and speed limit processing; and

所述协议处理模块,与所述内部服务质量模块相连,用于根据所述待处理报文的协议类型,对所述待处理报文进行处理。The protocol processing module is connected to the internal quality of service module, and is used to process the message to be processed according to the protocol type of the message to be processed.

如上所述的系统中,所述转发模块,可以进一步与所述协议处理模块相连,用于反馈所述协议处理模块处理所述待处理报文后的响应。In the above system, the forwarding module may be further connected to the protocol processing module, for feeding back a response from the protocol processing module after processing the message to be processed.

如上所述的系统中,所述内部服务质量模块,可以根据所述系统主控单元CPU和缓存的利用率,利用服务质量的约定访问速率原理,对所述需要系统主控单元CPU处理的报文进行服务质量限速处理。In the above-mentioned system, the internal quality of service module may, according to the utilization rate of the system main control unit CPU and cache, use the agreed access rate principle of quality of service to process the report that needs to be processed by the system main control unit CPU The document performs quality of service rate limit processing.

进一步地,所述内部服务质量模块,可以根据所述系统主控单元CPU的性能及所述数据通信设备可能面对的突发业务流对所述系统主控单元CPU占用综合权衡后,设置承诺访问速率和顺从突发量的值,根据所述承诺访问速率和顺从突发量的值,对所述需要系统主控单元CPU进行处理的报文进行服务质量限速处理。Further, the internal quality of service module can set a commitment after comprehensively weighing the CPU occupation of the system main control unit according to the performance of the system main control unit CPU and the burst traffic that the data communication device may face. The value of the access rate and compliance burst, according to the value of the committed access rate and compliance burst, perform quality of service and speed limit processing on the message that needs to be processed by the CPU of the main control unit of the system.

为了解决上述技术问题,本发明还提供了一种分布式架构数据通信设备的消息保护方法,包括步骤:In order to solve the above technical problems, the present invention also provides a message protection method for a data communication device with a distributed architecture, comprising steps:

分布式架构数据通信设备的业务处理单元收到报文之后,分析出需要CPU处理的待处理报文;After receiving the message, the business processing unit of the distributed architecture data communication device analyzes the pending message that needs to be processed by the CPU;

对所述待处理报文进行协议分析,获得所述待处理报文的协议类型;Perform protocol analysis on the message to be processed to obtain the protocol type of the message to be processed;

获得所述分布式架构数据通信设备的系统主控单元CPU和缓存的利用率;Obtain the utilization ratios of the system main control unit CPU and cache of the distributed architecture data communication device;

根据所述系统主控单元CPU和缓存的利用率,对所述待处理报文中需要系统主控单元CPU处理的报文进行服务质量限速处理;及According to the utilization rate of the system main control unit CPU and cache, perform quality of service and speed limit processing on the messages to be processed that need to be processed by the system main control unit CPU; and

根据所述待处理报文的协议类型,对所述待处理报文进行处理。Process the message to be processed according to the protocol type of the message to be processed.

如上所述的方法中,所述待处理报文,可以包括广播包、协议包、目的地址为设备本身、或者已经标识需要上送的报文。In the method described above, the message to be processed may include a broadcast packet, a protocol packet, a destination address of the device itself, or a message that has been identified and needs to be sent.

进一步地,所述待处理报文可以包括简单网络管理协议报文或者网络时间协议报文。Further, the message to be processed may include a simple network management protocol message or a network time protocol message.

如上所述的方法中,可以根据所述系统主控单元CPU和缓存的利用率,利用服务质量的约定访问速率原理,对所述需要系统主控单元CPU处理的报文进行服务质量限速处理。In the above-mentioned method, according to the utilization rate of the system main control unit CPU and the cache, the agreed access rate principle of the quality of service can be used to perform quality of service speed limit processing on the messages that need to be processed by the system main control unit CPU .

进一步地,可以根据所述系统主控单元CPU的性能及所述数据通信设备可能面对的突发业务流对所述系统主控单元CPU占用综合权衡后,设置承诺访问速率和顺从突发量的值,根据所述承诺访问速率和顺从突发量的值,对所述需要系统主控单元CPU处理的报文进行服务质量限速处理。Further, the committed access rate and compliance burst can be set after comprehensively weighing the occupation of the CPU of the system main control unit according to the performance of the system main control unit CPU and the burst traffic flow that the data communication device may face , according to the value of the committed access rate and the compliant burst amount, perform quality of service and speed limit processing on the packets that need to be processed by the CPU of the system main control unit.

如上所述的方法中,对所述待处理报文进行处理时,可以进一步对所述待处理报文进行正确性检查及版本匹配。In the above method, when processing the message to be processed, correctness checking and version matching may be further performed on the message to be processed.

与现有技术相比,本发明提供了一种在分布式架构的设备中基于服务质量(QOS)的消息保护机制,结合各业务处理单元上针对各种协议报文的限速,从而控制各业务处理单元消息上送主控CPU的速率。对业务处理单元CPU和主控CPU进行保护后,避免了因为消息的处理造成CPU的繁忙对其它正常业务的影响。Compared with the prior art, the present invention provides a message protection mechanism based on quality of service (QOS) in distributed architecture equipment, combined with the speed limit for various protocol messages on each business processing unit, thereby controlling each Rate at which service processing units send messages to the master CPU. After the service processing unit CPU and the main control CPU are protected, the influence of the busy CPU on other normal services due to message processing is avoided.

附图说明Description of drawings

图1为分布式架构的框架示意图。Figure 1 is a schematic diagram of the framework of the distributed architecture.

图2为本发明系统实施例的组成示意图。Fig. 2 is a schematic composition diagram of a system embodiment of the present invention.

图3为本发明方法实施例的流程示意图。Fig. 3 is a schematic flow chart of a method embodiment of the present invention.

具体实施方式Detailed ways

以下将结合附图及实施例来详细说明本发明的实施方式,借此对本发明如何应用技术手段来解决技术问题,并达成技术效果的实现过程能充分理解并据以实施。The implementation of the present invention will be described in detail below in conjunction with the accompanying drawings and examples, so as to fully understand and implement the process of how to apply technical means to solve technical problems and achieve technical effects in the present invention.

图2示出了本发明基于内部服务质量(QOS)流控的消息保护系统一实施例的组成意图,该系统实施例包括:转发模块210、协议分析模块220、管理模块230、内部QOS模块240及协议处理模块250,其中:Fig. 2 shows the composition diagram of an embodiment of the message protection system based on internal quality of service (QOS) flow control in the present invention, the system embodiment includes: forwarding module 210, protocol analysis module 220, management module 230, internal QOS module 240 And the protocol processing module 250, wherein:

转发模块210,位于各业务处理单元上,用于接收并处理本业务处理单元接收的报文。如果为能够正常转发的正确的报文,则查找转发表、路由表后根据查询结果转发,丢弃错误的报文;如果报文为广播包、协议包,或者报文的目的地址为设备本身,或者其它业务已经标识需要上送CPU处理的待处理报文,则先上送给业务处理单元CPU进行处理;如果业务处理单元CPU不能处理则进一步上送给系统主控单元CPU进行处理(如SNMP);The forwarding module 210 is located on each service processing unit, and is used for receiving and processing the message received by the service processing unit. If it is a correct message that can be forwarded normally, search the forwarding table and routing table and forward it according to the query results, and discard the wrong message; if the message is a broadcast packet or protocol packet, or the destination address of the message is the device itself, Or other services have identified the pending messages that need to be sent to the CPU for processing, then first send them to the service processing unit CPU for processing; if the service processing unit CPU cannot process them, then further send them to the system main control unit CPU for processing (such as SNMP );

协议分析模块220,与转发模块210相连,用于对转发模块210上送的待处理报文进行分析及预处理,分析该待处理报文的协议类型;如用户数据报协议(UDP)端口号为161或162的报文,发送给协议处理模块250进行SNMP协议的处理;协议分析模块220主要工作在各个业务处理单元上;Protocol analysis module 220, is connected with forwarding module 210, is used for analyzing and preprocessing the message to be processed that forwarding module 210 sends, and analyzes the protocol type of this message to be processed; Such as User Datagram Protocol (UDP) port number Be the message of 161 or 162, send to the protocol processing module 250 to carry out the processing of SNMP agreement; Protocol analysis module 220 mainly works on each business processing unit;

管理模块230,与内部QOS模块240相连,主要用于对系统主控单元CPU和缓存进行监控管理,以便系统实时掌握系统主控单元CPU和缓存的利用率,根据系统终端单元CPU和缓存的利用率,辅助内部QOS模块240完成对报文的QOS限速处理;The management module 230 is connected with the internal QOS module 240, and is mainly used for monitoring and managing the system main control unit CPU and cache, so that the system can grasp the utilization rate of the system main control unit CPU and cache in real time, according to the utilization rate of the system terminal unit CPU and cache rate, assisting the internal QOS module 240 to complete the QOS speed limit processing of the message;

内部QOS模块240,工作在各个业务处理单元CPU到系统主控单元CPU之间,与协议分析模块220及管理模块230相连,主要用于根据管理模块230获取的系统主控单元CPU和缓存的利用率,对需要上送给系统主控单元CPU的报文进行QOS限速处理;在分布式架构中,协议分析模块220完成对报文的分析后,如果是业务处理单元不能处理的协议报文,则需要进一步上送系统主控单元CPU处理,通过该QOS模块230的限速作用,限制了从业务处理单元CPU上送到系统主控单元CPU报文的速率;The internal QOS module 240 works between each business processing unit CPU and the system main control unit CPU, and is connected with the protocol analysis module 220 and the management module 230, and is mainly used for utilizing the system main control unit CPU and cache acquired by the management module 230 rate, and perform QOS rate-limiting processing on messages that need to be sent to the CPU of the main control unit of the system; in a distributed architecture, after the protocol analysis module 220 finishes analyzing the messages, if the protocol , it needs to be further sent to the system main control unit CPU for processing, through the speed limiting effect of the QOS module 230, the speed of sending the system main control unit CPU message from the service processing unit CPU is limited;

协议处理模块250,与内部QOS模块240相连,首先对报文进行正确性检查及版本匹配,对于正确的待处理报文则进行相应处理,如果需要进行响应,则产生相应响应发送给发送请求的设备,比如对于SNMP报文,完成SNMP agent的任务,在正确性检查及版本匹配通过之后,根据SNMP manager发送的SNMP请求(request)消息进行处理,并根据处理结果反馈SNMP响应(response),通过转发模块210反馈给发送SNMP request消息的SNMPmanager,或者主动向SNMP manager发送SNMP陷阱(trap)消息。The protocol processing module 250 is connected with the internal QOS module 240. At first, the message is checked for correctness and version matching, and the correct message to be processed is processed accordingly. If a response is required, a corresponding response is generated and sent to the sender of the request. For example, for SNMP messages, the device completes the task of SNMP agent. After the correctness check and version matching pass, it processes according to the SNMP request (request) message sent by the SNMP manager, and feeds back the SNMP response (response) according to the processing result. The forwarding module 210 feeds back to the SNMPmanager that sends the SNMP request message, or actively sends the SNMP trap (trap) message to the SNMP manager.

上述内容虽然以SNMP协议报文为例对本发明的技术方案进行说明,但是本发明并不局限于SNMP协议的待处理报文,其应包括所有需要进行类似处理的协议报文如NTP协议报文等等。Although the foregoing content takes the SNMP protocol message as an example to illustrate the technical solution of the present invention, the present invention is not limited to the message to be processed of the SNMP protocol, and it should include all protocol messages that need to be similarly processed such as the NTP protocol message etc.

结合图1和图2,图3示出了本发明方法一实施例的流程图,该实施例包括如下步骤:In conjunction with Fig. 1 and Fig. 2, Fig. 3 shows the flowchart of an embodiment of the method of the present invention, and this embodiment comprises the following steps:

步骤310,业务处理单元120上的转发模块210从端口接收到报文之后,对报文进行分析,如果为需要正常转发的报文则查找转发表、路由表,并根据查找的转发结果和路由结果进行转发或丢弃,如果为需要进一步处理的报文,如广播包、协议包,或者报文的目的地址为设备本身,或者其它业务已经标识需要上送CPU处理的待处理报文,则经由协议分析模块220上送给业务处理单元CPU进行处理;Step 310, after the forwarding module 210 on the service processing unit 120 receives the message from the port, it analyzes the message, and if it is a message that needs to be forwarded normally, it searches the forwarding table and the routing table, and according to the forwarding result and route of the search The result is forwarded or discarded. If it is a message that needs further processing, such as a broadcast packet, a protocol packet, or the destination address of the message is the device itself, or other services have identified a pending message that needs to be sent to the CPU for processing, then it will be processed via The protocol analysis module 220 sends it to the business processing unit CPU for processing;

步骤320,协议分析模块220接收转发模块210转发的待处理报文后,分析出待处理报文的协议类型,并根据预先定义好的处理方式对数据进行处理(如以太网中可以根据目的MAC、IP地址、源、目的端口号将不同的报文发给不同的处理单元);比如协议分析模块220分析出转发模块210转发的为UDP报文,且端口号为161和162时,则转发模块210转发的为SNMP协议报文,需要经内部QOS模块240上送给协议处理模块250进行相应的处理;对于业务处理单元CPU不能处理的报文,需要系统主控单元CPU进行处理,此部分报文经由协议分析模块220转发给内部QOS模块240;Step 320, after the protocol analysis module 220 receives the message to be processed forwarded by the forwarding module 210, it analyzes the protocol type of the message to be processed, and processes the data according to a pre-defined processing mode (such as in Ethernet, it can be processed according to the destination MAC , IP address, source, destination port number will send different messages to different processing units); For example, the protocol analysis module 220 analyzes that what the forwarding module 210 forwards is a UDP message, and when the port numbers are 161 and 162, then forward What the module 210 forwards is the SNMP protocol message, which needs to be sent to the protocol processing module 250 through the internal QOS module 240 for corresponding processing; for the message that the service processing unit CPU cannot process, it needs to be processed by the system main control unit CPU, and this part The message is forwarded to the internal QOS module 240 via the protocol analysis module 220;

步骤330,内部QOS模块240利用QOS的约定访问速率(CommittedAccess Rate,缩写为CAR)原理对上送系统主控单元CPU的报文进行限速处理,可选用的一种限速方式比如根据CPU的性能及设备可能面对的突发业务流对CPU占用综合权衡后设置承诺访问速率(Committed Information Rate,缩写为CIR)和顺从突发量(或称令牌桶大小)(Conformed burst size,缩写为CBS)的值,以SNMP协议报文为例,其操作方式为:Step 330, internal QOS module 240 utilizes the agreed access rate (CommittedAccess Rate, abbreviated as CAR) principle of QOS to carry out speed limit processing to the message that sends system main control unit CPU, and a kind of speed limit mode that can be selected is for example according to CPU's The performance and the sudden business flow that the device may face are comprehensively weighed against the CPU occupation, and then the Committed Information Rate (CIR for short) and the Conformed burst size (CIR for short) (Conformed burst size, short for CIR) are set. CBS) value, taking the SNMP protocol message as an example, its operation method is:

步骤3a,设定一个CIR及CBS桶,并按CIR向CBS桶中放入令牌;同时如果有SNMP协议报文经过,则CBS桶中令牌相应减少;具体每个报文对应多少令牌可以根据实际情况进行设置;Step 3a, set a CIR and CBS bucket, and put tokens into the CBS bucket according to the CIR; at the same time, if there are SNMP protocol messages passing through, the tokens in the CBS bucket will be reduced accordingly; specifically how many tokens each message corresponds to It can be set according to the actual situation;

步骤3b,当CBS桶中还有令牌时,内部QOS模块240将SNMP协议报文直接上送给系统主控单元CPU;Step 3b, when there is token in the CBS bucket, the internal QOS module 240 directly sends the SNMP protocol message to the system main control unit CPU;

步骤3c,当CBS桶中没有令牌时,内部QOS模块240调用管理模块230检查当前系统主控单元CPU的利用率,当系统主控单元CPU的利用率较小(小于某个预设的阀值M)时,内部QOS模块240可以通过向CBS桶中一次性注入一定数量(T)的令牌,以保证SNMP协议包的正常上送,如果当前系统主控单元CPU的利用率较高(大于等于阈值M),则调用管理模块230查看当前系统主控单元的缓存,如果还有足够的缓存,则内部QOS模块240将SNMP协议包缓存起来,等待CBS桶中有令牌时再上送给系统主控单元CPU处理,如果系统主控单元缓存不足,则内部QOS模块240丢弃协议报文;Step 3c, when there is no token in the CBS bucket, the internal QOS module 240 invokes the management module 230 to check the utilization rate of the current system main control unit CPU, and when the utilization rate of the system main control unit CPU is small (less than a certain preset threshold value M), the internal QOS module 240 can pass a certain amount of (T) tokens into the CBS bucket to ensure the normal delivery of SNMP protocol packets, if the utilization rate of the current system main control unit CPU is higher ( greater than or equal to threshold M), then call management module 230 to check the cache of the current system main control unit, if there is enough cache, then the internal QOS module 240 caches the SNMP protocol packet, and waits for it to be sent when there is a token in the CBS bucket Give the system main control unit CPU processing, if the system main control unit cache is insufficient, then the internal QOS module 240 discards the protocol message;

步骤340,协议处理模块250接收到内部QOS模块240转发的待处理报文后,对该报文进行合法性检查,如果检查失败则直接丢弃报文,如果合法性检查通过,则根据待处理报文的协议类型对待处理报文进行处理,如果需要则根据处理结果产生一个相应的响应(response),通过调用转发模块210发送给相应请求(request)的服务器。Step 340, after the protocol processing module 250 receives the message to be processed forwarded by the internal QOS module 240, it checks the validity of the message, if the check fails, it directly discards the message, and if the legality check passes, then according to the message to be processed According to the protocol type of the text, the message to be processed is processed, and if necessary, a corresponding response (response) is generated according to the processing result, and is sent to the server corresponding to the request (request) by calling the forwarding module 210.

本发明针对分布式架构系统,在各个业务处理单元和主控之间设置QOS限速,缓解了多个业务处理单元同时上送给主控出现主控CPU繁忙从而影响一些其它重要业务。本发明以SNMP为例,但并不局限于SNMP协议消息,所有分布式系统中需要从业务处理单元上送主控的其它协议消息的限速处理,都在前述本发明的思想范围内。The invention aims at the distributed framework system, and sets the QOS speed limit between each service processing unit and the main control, which alleviates the influence of some other important services due to the busyness of the main control CPU when multiple service processing units send to the main control at the same time. The present invention takes SNMP as an example, but it is not limited to SNMP protocol messages. The rate-limiting processing of other protocol messages that need to be sent from the service processing unit to the master in all distributed systems is within the scope of the present invention.

虽然本发明所揭露的实施方式如上,但所述的内容只是为了便于理解本发明而采用的实施方式,并非用以限定本发明。任何本发明所属技术领域内的技术人员,在不脱离本发明所揭露的精神和范围的前提下,可以在实施的形式上及细节上作任何的修改与变化,但本发明的专利保护范围,仍须以所附的权利要求书所界定的范围为准。Although the embodiments disclosed in the present invention are as above, the described content is only an embodiment adopted for the convenience of understanding the present invention, and is not intended to limit the present invention. Anyone skilled in the technical field to which the present invention belongs can make any modifications and changes in the form and details of the implementation without departing from the spirit and scope disclosed by the present invention, but the patent protection scope of the present invention, The scope defined by the appended claims must still prevail.

Claims (10)

1. the message protection systems of a distributed architecture data communication equipment is characterized in that, comprises forwarding module, protocol-analysis model, internal services quality module, administration module and protocol process module, wherein:
Described forwarding module is positioned on the Service Processing Unit of described distributed architecture data communication equipment, be used to receive and on send the clear text that needs CPU to handle;
Described protocol-analysis model links to each other with described forwarding module, is used for described clear text is carried out protocal analysis, obtains the protocol type of described clear text;
Described administration module is used to obtain the utilance of system master unit CPU and buffer memory;
Described internal services quality module, link to each other with described protocol-analysis model and administration module, be used for transmitting described clear text to described protocol process module, and, the message that needs system master unit CPU to handle in the described clear text is carried out the service quality speed limit handle according to the utilance of described system master unit CPU and buffer memory; And
Described protocol process module links to each other with described internal services quality module, is used for the protocol type according to described clear text, and described clear text is handled.
2. the system as claimed in claim 1 is characterized in that:
Described forwarding module further links to each other with described protocol process module, is used to feed back the response after described protocol process module is handled described clear text.
3. the system as claimed in claim 1 is characterized in that:
Described internal services quality module according to the utilance of described system master unit CPU and buffer memory, utilizes the agreement access rate principle of service quality, the message that needs system master unit CPU to handle in the described clear text is carried out the service quality speed limit handle.
4. system as claimed in claim 2 is characterized in that:
Described internal services quality module, after the burst service stream that may face according to performance and the described data communications equipment of described system master unit CPU takies comprehensive balance to described system master unit CPU, committed access rate and the value of being obedient to the burst amount are set, according to described committed access rate and the value of being obedient to the burst amount, the described message that needs system master unit CPU to handle is carried out the service quality speed limit handle.
5. the message protection method of a distributed architecture data communication equipment is characterized in that, comprises step:
The Service Processing Unit of distributed architecture data communication equipment is received after the message, analyzes the clear text that needs CPU to handle;
Described clear text is carried out protocal analysis, obtain the protocol type of described clear text;
Obtain the system master unit CPU of described distributed architecture data communication equipment and the sharp frequency of buffer memory;
According to the utilance of described system master unit CPU and buffer memory, the message that needs system master unit CPU to handle in the described clear text is carried out the service quality speed limit handle; And
According to the protocol type of described clear text, described clear text is handled.
6. method as claimed in claim 5 is characterized in that:
Described clear text comprises that broadcast packet, protocol package, destination address are equipment itself or have identified the message that send on the needs.
7. method as claimed in claim 6 is characterized in that:
Described clear text comprises Simple Network Management Protocol message or NTP (Network Time Protocol) message.
8. method as claimed in claim 5 is characterized in that:
According to the utilance of described system master unit CPU and buffer memory, utilize the agreement access rate principle of service quality, the described message that needs system master unit CPU to handle is carried out the service quality speed limit handle.
9. method as claimed in claim 8 is characterized in that:
After the burst service stream that may face according to performance and the described data communications equipment of described system master unit CPU takies comprehensive balance to described system master unit CPU, committed access rate and the value of being obedient to the burst amount are set, according to described committed access rate and the value of being obedient to the burst amount, the described message that needs system master unit CPU to handle is carried out the service quality speed limit handle.
10. method as claimed in claim 5 is characterized in that, when described clear text is handled, further described clear text is carried out correctness inspection and version match.
CN2008102105854A 2008-09-02 2008-09-02 System and method for protecting information of distributed architecture data communication equipment Expired - Fee Related CN101355585B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008102105854A CN101355585B (en) 2008-09-02 2008-09-02 System and method for protecting information of distributed architecture data communication equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2008102105854A CN101355585B (en) 2008-09-02 2008-09-02 System and method for protecting information of distributed architecture data communication equipment

Publications (2)

Publication Number Publication Date
CN101355585A CN101355585A (en) 2009-01-28
CN101355585B true CN101355585B (en) 2011-05-11

Family

ID=40308173

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008102105854A Expired - Fee Related CN101355585B (en) 2008-09-02 2008-09-02 System and method for protecting information of distributed architecture data communication equipment

Country Status (1)

Country Link
CN (1) CN101355585B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102164083B (en) * 2011-04-18 2016-02-10 中兴通讯股份有限公司 The method for refreshing of token bucket and device
CN102821423B (en) * 2011-06-09 2018-03-16 青岛裕华电子科技有限公司 Message method of reseptance and device
CN103812687B (en) * 2012-11-15 2017-12-15 华为技术有限公司 The means of defence and equipment of processor
CN105978774B (en) * 2016-07-14 2019-06-07 杭州迪普科技股份有限公司 A kind of method and apparatus of access authentication
CN106254266B (en) * 2016-08-17 2020-02-04 中国联合网络通信集团有限公司 Message processing method and network equipment
CN106911557B (en) * 2017-01-17 2020-12-01 腾讯科技(深圳)有限公司 Message transmission method and device

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1753510A (en) * 2004-09-23 2006-03-29 华为技术有限公司 Wireless network architecture and method for implementing data transmission by applying wireless network architecture
CN101110972A (en) * 2006-07-18 2008-01-23 华为技术有限公司 SIP message distribution and processing method and system in distributed architecture

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1753510A (en) * 2004-09-23 2006-03-29 华为技术有限公司 Wireless network architecture and method for implementing data transmission by applying wireless network architecture
CN101110972A (en) * 2006-07-18 2008-01-23 华为技术有限公司 SIP message distribution and processing method and system in distributed architecture

Also Published As

Publication number Publication date
CN101355585A (en) 2009-01-28

Similar Documents

Publication Publication Date Title
WO2021207922A1 (en) Packet transmission method, device, and system
US20130094363A1 (en) Method, network device, and network system for processing data service
US9356844B2 (en) Efficient application recognition in network traffic
CN105282169B (en) Ddos attack method for early warning based on SDN controller threshold values and its system
CN109428782B (en) Network monitoring method and equipment
CN101355585B (en) System and method for protecting information of distributed architecture data communication equipment
JP2022532731A (en) Avoiding congestion in slice-based networks
US11102273B2 (en) Uplink performance management
CN106330742B (en) Flow control method and network controller
US20230300051A1 (en) In-band Edge-to-Edge Round-Trip Time Measurement
EP3982600A1 (en) Qos policy method, device, and computing device for service configuration
CN112637090B (en) Dynamic multilevel flow control method based on programmable switching chip
CN111431811A (en) A message transmission control method, device and network device
CN107404446A (en) A kind of method and device for handling fragment message
CN102984031B (en) Method and device for allowing encoding equipment to be safely accessed to monitoring and control network
WO2022028342A1 (en) Method for processing congestion flow and device
CN101309219B (en) Traffic limitation method and apparatus of slicing message
CN112532468B (en) Network measurement system, method, device and storage medium
US8537676B1 (en) Rate limiting for DTCP message transport
CN112291076A (en) Packet loss location method, device and system, and computer storage medium
CN117201434B (en) Ethernet data interaction method and system
CN103139085A (en) Method for implementation of multicast service in network, access device and system
EP4250668A1 (en) Traffic table sending method and related apparatus
CN115484193A (en) Method, system, storage medium and device for monitoring and analyzing network packet loss flow
CN116016391A (en) A kind of message forwarding method and system based on NAT gateway

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110511