
CN115622718B - Transmission processing method, device and equipment - Google Patents

Transmission processing method, device and equipment

Info

Publication number
CN115622718B
Authority
CN
China
Prior art keywords
address
channel
data packet
srv
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110783070.9A
Other languages
Chinese (zh)
Other versions
CN115622718A (en)
Inventor
鲁冬杰
杨锋
黄静
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
Research Institute of China Mobile Communication Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
Research Institute of China Mobile Communication Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd and Research Institute of China Mobile Communication Co Ltd
Priority to CN202110783070.9A
Publication of CN115622718A
Application granted
Publication of CN115622718B
Legal status: Active
Anticipated expiration

Links

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a transmission processing method, device and equipment, and relates to the field of communications technology. The method is executed by a network device and comprises: parsing a target address in a first data packet when the received first data packet misses a session table and a first channel but hits a security policy; establishing a second channel according to the target address; and transmitting a second data packet through the second channel when the received second data packet misses the session table but hits the second channel. The first data packet is an SRv6 data packet, the second data packet is an SRv6 data packet associated with the first data packet, and the first channel and the second channel are SRv6 dedicated data-transmission channels. The scheme of the invention solves the problem that SRv6 return traffic cannot pass through a stateful firewall for inspection.

Description

Transmission processing method, device and equipment
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a transmission processing method, apparatus, and device.
Background
Firewalls are commonly used to divide a network into security domains for protection. When the firewall blocks traffic between security domains by default, traffic that must cross a trust domain requires a security policy configured on the firewall to allow it through. In some scenarios the goal is to protect an internal network: the firewall allows the internal network to actively access the external network but does not allow the external network to actively access the internal network. The backhaul traffic of the internal network's access to the external network is forwarded securely by hitting the session table of the stateful firewall.
In an SRv6 network, when the external network has to be accessed across a firewall (for example a CPE accessing the Internet through a BRAS, or a terminal accessing the Internet through the boundary firewall of a 5G network), the five-tuple seen by the firewall when the outbound flow establishes the session is not identical to the five-tuple seen when the return flow passes the firewall. The return flow therefore cannot hit the firewall session and is blocked by the firewall.
Disclosure of Invention
The invention aims to provide a transmission processing method, device and equipment that solve the problem of backhaul traffic being unable to pass through a stateful firewall for inspection.
To achieve the above object, an embodiment of the present invention provides a transmission processing method, executed by a network device, including:
parsing a target address in a first data packet when the received first data packet misses a session table and a first channel but hits a security policy;
establishing a second channel according to the target address;
transmitting a second data packet through the second channel when the received second data packet misses the session table but hits the second channel;
wherein the first data packet is an SRv6 data packet, the second data packet is an SRv6 data packet associated with the first data packet, and the first channel and the second channel are SRv6 dedicated data-transmission channels.
Optionally, parsing the target address in the first data packet includes:
parsing the source address of the SRv6 message in the first data packet and the node addresses in the SRv6 message segment list to obtain the target address.
Optionally, establishing the second channel according to the target address includes:
determining the last hop address of the first data packet's transmission according to the node addresses;
establishing a channel between the source address and the last hop address as the second channel.
Optionally, establishing the second channel according to the target address includes:
establishing a channel between the source address and each node address as the second channel, according to the source address and the node addresses.
Optionally, establishing the second channel according to the target address includes:
searching for a first address according to the field information of the node addresses;
establishing a channel between the source address and the first address as the second channel.
Optionally, searching for the first address according to the field information of the node addresses includes:
searching for a second address whose field information carries a first identifier, where the first identifier indicates that the current address is an SRv6 dedicated data-transmission channel address;
taking the second address as the first address.
Optionally, searching for the first address according to the field information of the node addresses includes:
searching for a third address whose field information carries a second identifier, where the second identifier indicates that the field information carries an SRv6 dedicated data-transmission channel address;
obtaining a fourth address according to target information in the field information of the third address, where the target information indicates the position of the address information carried in the field information;
taking the fourth address as the first address.
To achieve the above object, an embodiment of the present invention provides a network device including a transceiver and a processor, where the processor is configured to:
parse a target address in a first data packet when the received first data packet misses a session table and a first channel but hits a security policy;
establish a second channel according to the target address;
transmit a second data packet through the second channel when the received second data packet misses the session table but hits the second channel;
wherein the first data packet is an SRv6 data packet, the second data packet is an SRv6 data packet associated with the first data packet, and the first channel and the second channel are SRv6 dedicated data-transmission channels.
Optionally, the processor is further configured to:
parse the source address of the SRv6 message in the first data packet and the node addresses in the SRv6 message segment list to obtain the target address.
Optionally, the processor is further configured to:
determine the last hop address of the first data packet's transmission according to the node addresses;
establish a channel between the source address and the last hop address as the second channel.
Optionally, the processor is further configured to:
establish a channel between the source address and each node address as the second channel, according to the source address and the node addresses.
Optionally, the processor is further configured to:
search for a first address according to the field information of the node addresses;
establish a channel between the source address and the first address as the second channel.
Optionally, the processor is further configured to:
search for a second address whose field information carries a first identifier, where the first identifier indicates that the current address is an SRv6 dedicated data-transmission channel address;
take the second address as the first address.
Optionally, the processor is further configured to:
search for a third address whose field information carries a second identifier, where the second identifier indicates that the field information carries an SRv6 dedicated data-transmission channel address;
obtain a fourth address according to target information in the field information of the third address, where the target information indicates the position of the address information carried in the field information;
take the fourth address as the first address.
To achieve the above object, an embodiment of the present invention provides a transmission processing apparatus including:
a parsing module, configured to parse a target address in a first data packet when the received first data packet misses a session table and a first channel but hits a security policy;
a processing module, configured to establish a second channel according to the target address;
a transmission module, configured to transmit a second data packet through the second channel when the received second data packet misses the session table but hits the second channel;
wherein the first data packet is an SRv6 data packet, the second data packet is an SRv6 data packet associated with the first data packet, and the first channel and the second channel are SRv6 dedicated data-transmission channels.
Optionally, the parsing module is further configured to:
parse the source address of the SRv6 message in the first data packet and the node addresses in the SRv6 message segment list to obtain the target address.
Optionally, the processing module includes:
a determining submodule, configured to determine the last hop address of the first data packet's transmission according to the node addresses;
a first processing submodule, configured to establish a channel between the source address and the last hop address as the second channel.
Optionally, the processing module includes:
a second processing submodule, configured to establish a channel between the source address and each node address as the second channel, according to the source address and the node addresses.
Optionally, the processing module includes:
a searching submodule, configured to search for a first address according to the field information of the node addresses;
a third processing submodule, configured to establish a channel between the source address and the first address as the second channel.
Optionally, the searching submodule includes:
a first searching unit, configured to search for a second address whose field information carries a first identifier, where the first identifier indicates that the current address is an SRv6 dedicated data-transmission channel address;
a first processing unit, configured to take the second address as the first address.
Optionally, the searching submodule includes:
a second searching unit, configured to search for a third address whose field information carries a second identifier, where the second identifier indicates that the field information carries an SRv6 dedicated data-transmission channel address;
a second processing unit, configured to obtain a fourth address according to target information in the field information of the third address, where the target information indicates the position of the address information carried in the field information;
a third processing unit, configured to take the fourth address as the first address.
To achieve the above object, an embodiment of the present invention provides a network device, including a transceiver, a processor, a memory, and a program or instructions stored on the memory and executable on the processor, where the processor implements the transmission processing method as described above when executing the program or instructions.
To achieve the above object, an embodiment of the present invention provides a readable storage medium having stored thereon a program or instructions which, when executed by a processor, implement the steps in the transmission processing method as described above.
The technical scheme of the invention has the following beneficial effects:
In the method of the embodiment of the invention, when the received first data packet misses the session table and the first channel but hits the security policy, the target address in the first data packet is parsed and the second channel is established according to it, so that when the received second data packet misses the session table but hits the security policy and the second channel, the second data packet is transmitted through the second channel. Here the first data packet is an SRv6 data packet, the second data packet is an SRv6 data packet associated with the first data packet, and the first and second channels are channels dedicated to SRv6 data transmission. Security protection can therefore be performed on the basis of SRv6 addresses, while backhaul traffic is still transmitted smoothly through the channels dedicated to SRv6 data transmission.
Drawings
Fig. 1 is a flowchart of a transmission processing method according to an embodiment of the present invention;
Fig. 2 is a first schematic diagram of a transmission application of the method according to an embodiment of the present invention;
Fig. 3 is a second schematic diagram of a transmission application of the method according to an embodiment of the present invention;
Fig. 4 is a first field diagram of an SRv6 SID;
Fig. 5 is a third schematic diagram of a transmission application of the method of the present invention;
Fig. 6 is a second field diagram of an SRv6 SID;
Fig. 7 is a fourth schematic diagram of a transmission application of the method of the present invention;
Fig. 8 is a block diagram of a network device according to an embodiment of the present invention;
Fig. 9 is a block diagram of an apparatus corresponding to the method of Fig. 1;
Fig. 10 is a block diagram of a network device according to another embodiment of the present invention.
Detailed Description
In order to make the technical problems, technical solutions and advantages to be solved more apparent, the following detailed description will be given with reference to the accompanying drawings and specific embodiments.
It should be appreciated that reference throughout this specification to "one embodiment" or "an embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
In various embodiments of the present invention, it should be understood that the sequence numbers of the following processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present invention.
In addition, the terms "system" and "network" are often used interchangeably herein.
In the embodiments provided herein, it should be understood that "B corresponding to A" means that B is associated with A and may be determined from A. It should also be understood that determining B from A does not mean determining B from A alone; B may also be determined from A and/or other information.
As shown in fig. 1, a transmission processing method according to an embodiment of the present invention is executed by a network device and includes:
Step 101: parsing a target address in a first data packet when the received first data packet misses a session table and a first channel but hits a security policy;
Step 102: establishing a second channel according to the target address;
Step 103: transmitting a second data packet through the second channel when the received second data packet misses the session table but hits the second channel;
wherein the first data packet is an SRv6 data packet, the second data packet is an SRv6 data packet associated with the first data packet, and the first channel and the second channel are SRv6 dedicated data-transmission channels.
According to the above steps, when the received first data packet misses the session table and the first channel but hits the security policy, the network device parses the target address in the first data packet and establishes the second channel according to it, so that when the received second data packet misses the session table but hits the second channel, the second data packet is transmitted through the second channel. Here the first data packet is an SRv6 data packet, the second data packet is an SRv6 data packet associated with the first data packet, and the first and second channels are channels dedicated to SRv6 data transmission. Security protection can therefore be performed on the basis of SRv6 addresses, while backhaul traffic is still transmitted smoothly through the channels dedicated to SRv6 data transmission.
It should be appreciated that in this embodiment the network device acts as a firewall between the internal network and the external network. The network device is configured with a session table and a security policy to perform security processing and forwarding. The session table may hold five-tuple entries (source IP address, destination IP address, source port, destination port, protocol type), so a data packet hits the session table when its five-tuple matches a session entry. A data packet hits the security policy when it meets the requirements of the security policy, and it hits an SRv6 dedicated data-transmission channel when its source and destination addresses match the addresses of that channel.
Optionally, in this embodiment, the received first data packet is first looked up in the session table; on a miss, the device further checks whether the security policy and the first channel are hit. Either check may be performed first: the security policy or the SRv6 dedicated data-transmission channel.
If the first data packet hits the session table, its security processing and forwarding are performed directly. If it misses the session table but hits the security policy and the first channel, a session is established and its security processing and forwarding are performed. If it misses the session table and also misses the security policy and the first channel, it is discarded.
Likewise, after the second channel is established, if the second data packet hits the session table its security processing and forwarding are performed directly; if it misses the session table and also misses the security policy and the second channel, it is discarded.
In this embodiment, the first data packet misses the session table when it is the first packet of a flow (forward or reverse traffic). Reverse traffic may also be referred to as backhaul traffic.
It should also be appreciated that in this embodiment the first data packet is the first packet of forward traffic, and the second data packet may be a subsequent packet of forward traffic, the first packet of reverse traffic, or a subsequent packet of reverse traffic.
Take as an example an SRv6 forward-traffic first packet that misses the session table and the first channel but hits the security policy: the target address in the packet is parsed, the second channel is established based on that address, a session is then established according to the second channel, and the remaining security processing and forwarding are completed. Subsequent SRv6 forward-traffic packets hit the session table and are forwarded. The corresponding SRv6 reverse-traffic first packet misses the session table but hits the security policy and the second channel, so a session can be established according to the second channel and the remaining security processing and forwarding completed. Subsequent SRv6 reverse-traffic packets hit the session table and are forwarded.
Optionally, in step 101, parsing the target address in the first data packet includes:
parsing the source address of the SRv6 message in the first data packet and the node addresses in the SRv6 message segment list to obtain the target address.
Thus the second channel is established based on the source address of the SRv6 message in the first data packet and the node addresses in the SRv6 segment list.
Optionally, establishing the second channel according to the target address includes:
determining the last hop address of the first data packet's transmission according to the node addresses;
establishing a channel between the source address and the last hop address as the second channel.
Here the last hop address is the address of the last hop in the SRv6 segment list, so the second channel established is the channel between the source address and the address of the last hop in the SRv6 segment list.
For example, as shown in fig. 2, for a received SRv6 forward-traffic first packet the network device (such as a firewall) obtains by parsing the packet's source address (node 1 address) A1::1 and the last hop address (node 3 address) A3::1 in the segment list. A channel between A1::1 and A3::1 can therefore be established as the SRv6 dedicated data-transmission channel. When an SRv6 reverse-traffic first packet passes through the network device, its source address (node 3 address) A3::1 and destination address (node 1 address) A1::1 hit the established SRv6 dedicated data-transmission channel, so a session can be established for further processing. Subsequent SRv6 reverse-traffic packets then hit the session and are forwarded directly.
Of course, if the destination address of the SRv6 reverse-traffic packet is not the SRv6 last hop address but the node 2 address, whether the established SRv6 dedicated data-transmission channel is hit is determined based on the last hop address of the SRv6 reverse-traffic packet.
Optionally, establishing the second channel according to the target address includes:
establishing a channel between the source address and each node address as the second channel, according to the source address and the node addresses.
In this way a channel is established between each node in the SRv6 forwarding path and the source address, which allows any node in the SRv6 forwarding path to send reverse traffic to the source node.
For example, as shown in fig. 3, the network device (such as a firewall) obtains by parsing the received SRv6 forward-traffic first packet its source address (node 1 address) A1::1 and the node addresses in the segment list: node 2 address A2::1, server 3 address A3::1 and server 4 address A4::1. A channel between A1::1 and each node address may therefore be established as an SRv6 dedicated data-transmission channel: dedicated channel 1 (between A1::1 and A2::1), dedicated channel 2 (between A1::1 and A3::1) and dedicated channel 3 (between A1::1 and A4::1). Thus, for an SRv6 reverse-traffic packet from node 2, the source address A2::1 matches the destination address of dedicated channel 1 and the final destination address A1::1 matches its source address, so dedicated channel 1 is hit and a session is established for the firewall's next processing stage. For an SRv6 reverse-traffic packet from server 3, the source address A3::1 matches the destination address of dedicated channel 2 and the final destination address A1::1 matches its source address, so dedicated channel 2 is hit and a session is established for the next processing stage. For an SRv6 reverse-traffic packet from server 4, the source address A4::1 matches the destination address of dedicated channel 3 and the final destination address A1::1 matches its source address, so dedicated channel 3 is hit and a session is established for the next processing stage.
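The lookup order of steps 101 to 103 (session table, then security policy, then dedicated channel) and the two channel-establishment options of figs. 2 and 3 can be made concrete with a small simulation. The following is an added example written for this page, not code from the patent or its assignee. It models the session table as a set of five-tuples keyed on the outer IPv6 header the firewall actually sees, which is exactly why the reverse first packet misses the session in the SRv6 case, and it matches channels on the packet's source and last hop so that a reply steered through node 2 still hits (the note after fig. 2). The internal prefix `A1::/64`, the ports, the `Srv6Packet`/`Srv6Firewall` names and the policy (traffic between the internal prefix and the outside, with the channel check supplying direction control) are all this example's own assumptions; the page does not specify how the security policy is expressed.

```python
"""Added example (not the patent's code): a toy model of the stateful-firewall
flow of steps 101-103 (session table -> security policy -> SRv6 dedicated
channel) with the two channel-establishment options of figs. 2 and 3.
All addresses, ports and the internal prefix are constructed sample values."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Srv6Packet:
    src: str               # outer IPv6 source address
    dst: str               # outer IPv6 destination as the firewall sees it (current SID)
    segment_list: tuple    # SRH segment list; last entry is the final destination (last hop)
    src_port: int
    dst_port: int
    proto: int = 6         # TCP

    @property
    def final_dst(self) -> str:
        """Last hop: the final SID when an SRH is present, else the IPv6 destination."""
        return self.segment_list[-1] if self.segment_list else self.dst

    def five_tuple(self) -> tuple:
        """What the session table keys on: the outer header, not the final SID."""
        return (self.src, self.dst, self.src_port, self.dst_port, self.proto)


class Srv6Firewall:
    """strategy: 'last_hop' (fig. 2) or 'all_nodes' (fig. 3)."""

    def __init__(self, internal_prefix: str, strategy: str = "last_hop"):
        self.internal = ipaddress.ip_network(internal_prefix)  # assumed trusted side
        self.strategy = strategy
        self.sessions = set()   # five-tuples, stored in both directions
        self.channels = set()   # frozenset({addr_a, addr_b}): direction-agnostic

    def _is_internal(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in self.internal

    def policy_hit(self, pkt: Srv6Packet) -> bool:
        # Assumed policy: traffic between the internal prefix and the outside, in either
        # direction. Direction control comes from the channel check in process().
        return self._is_internal(pkt.src) != self._is_internal(pkt.final_dst)

    def channel_hit(self, pkt: Srv6Packet) -> bool:
        # Match on source and *last hop*, so a reply steered via node 2 still hits.
        return frozenset({pkt.src, pkt.final_dst}) in self.channels

    def _add_session(self, pkt: Srv6Packet) -> None:
        s, d, sp, dp, p = pkt.five_tuple()
        self.sessions.add((s, d, sp, dp, p))
        self.sessions.add((d, s, dp, sp, p))

    def establish_channels(self, pkt: Srv6Packet) -> set:
        """Step 102: pair the source with the last hop, or with every node of the segment list."""
        nodes = pkt.segment_list or (pkt.dst,)
        if self.strategy == "last_hop":
            nodes = nodes[-1:]
        new = {frozenset({pkt.src, n}) for n in nodes}
        self.channels |= new
        return new

    def process(self, pkt: Srv6Packet) -> str:
        """Verdict for one packet, in the lookup order of the method."""
        if pkt.five_tuple() in self.sessions:
            return "forward:session"
        if not self.policy_hit(pkt):
            return "drop:policy"
        if self.channel_hit(pkt):             # step 103: reverse first packet hits the channel
            self._add_session(pkt)
            return "forward:channel"
        # Steps 101-102: only a forward first packet may open a channel; "forward" is
        # assumed here to mean the source lies inside the internal prefix.
        if not self._is_internal(pkt.src):
            return "drop:unsolicited"
        self.establish_channels(pkt)
        self._add_session(pkt)
        return "forward:new-channel"


def demo(strategy: str = "last_hop") -> list:
    """Constructed traffic of fig. 2: node 1 (A1::1) -> firewall -> node 2 (A2::1) -> node 3 (A3::1)."""
    fw = Srv6Firewall("A1::/64", strategy)
    flow = [
        Srv6Packet("A1::1", "A2::1", ("A2::1", "A3::1"), 40000, 443),  # forward first packet
        Srv6Packet("A1::1", "A2::1", ("A2::1", "A3::1"), 40000, 443),  # forward subsequent packet
        Srv6Packet("A3::1", "A1::1", (), 443, 40000),                  # reverse first packet
        Srv6Packet("A3::1", "A1::1", (), 443, 40000),                  # reverse subsequent packet
        Srv6Packet("A9::1", "A1::1", (), 5555, 22),                    # unsolicited inbound
    ]
    return [fw.process(p) for p in flow]


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the reverse first packet missing the session (its five-tuple is `A3::1 -> A1::1`, while the stored session is `A1::1 -> A2::1`) and being admitted only through the channel, while an unsolicited inbound packet that hits the policy but no channel is dropped. Switching to `"all_nodes"` is what lets a reply originating at node 2 itself pass.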
Optionally, establishing the second channel according to the target address includes:
searching for a first address according to the field information of the node addresses;
establishing a channel between the source address and the first address as the second channel.
That is, a first address is found using the field information of a node address, and a channel is then established between the source address and that first address.
In this embodiment, on the one hand, the first identifier is defined by extending a field of the node address in the SRv6 segment list, such as the Arguments field of the SRv6 SID, to indicate that the node address carrying the first identifier is the first address. Therefore, optionally, searching for the first address according to the field information of the node addresses includes:
searching for a second address whose field information carries a first identifier, where the first identifier indicates that the current address is an SRv6 dedicated data-transmission channel address;
taking the second address as the first address.
That is, an SRv6 dedicated data-transmission channel is established by looking up the node address carrying the first identifier, i.e. the second address, and using the second address as the first address.
As shown in fig. 4, assuming the first identifier is indicated by the value "a" in the low 4 bits of the Arguments field of the SRv6 SID, the network device receives the SRv6 forward-traffic first packet, parses the addresses in the SRv6 segment list, and establishes an SRv6 dedicated data-transmission channel only for those SRv6 addresses whose Arguments field has "a" in its low 4 bits.
As shown in fig. 5, the network device (such as a firewall) obtains by parsing the received SRv6 forward-traffic first packet its source address (node 1 address) A1::1 and the node addresses in the segment list: node 2 address A2::1, server 3 address A3::a and server 4 address A4::a. Channels between A1::1 and server 3 address A3::a and between A1::1 and server 4 address A4::a may therefore be established as SRv6 dedicated data-transmission channels: dedicated channel 1 (between A1::1 and A3::a) and dedicated channel 2 (between A1::1 and A4::a). Thus, for an SRv6 reverse-traffic packet from server 3, the source address A3::a matches the destination address of dedicated channel 1 and the final destination address A1::1 matches its source address, so dedicated channel 1 is hit and a session is established for the firewall's next processing stage. For an SRv6 reverse-traffic packet from server 4, the source address A4::a matches the destination address of dedicated channel 2 and the final destination address A1::1 matches its source address, so dedicated channel 2 is hit and a session is established for the next processing stage.
In this embodiment, on the other hand, an SRv6 SID in the SRv6 segment list may use its Function field to define a forwarding function in the network, so the SID cannot always directly represent a device address for establishing a channel. Therefore, optionally, searching the first address according to the field information of the node address includes:
searching the field information for a third address carrying a second identifier, wherein the second identifier is used for indicating that the field information carries an SRv6 data transmission dedicated channel address;
acquiring a fourth address according to target information in the field information of the third address, wherein the target information is used for indicating the position of the address information carried in the field information;
taking the fourth address as the first address.
That is, the third address is the node address found to carry the second identifier in its field information; the fourth address is then obtained from the target information in the field information of the third address, and the fourth address is used as the first address to establish the SRv6 data transmission dedicated channel.
Here, the second identifier may also be understood as indicating that the current address is to establish a channel based on its Locator: the fourth address is the content of the Locator field in the field information of the third address, and the target information is the length of the Locator.
It is assumed that the second identifier is indicated by the value "b" in the low 4 bits of the Arguments field and that the target information is carried in bits 4 to 11 of the Arguments field (the 8 bits above the identifier, read as a hexadecimal length: 0x40 = 64, 0x20 = 32 in fig. 7), as shown in fig. 6. After receiving the SRv6 forward traffic first packet and parsing the addresses in the SRv6 segment list, the network device identifies the addresses whose low 4 Arguments bits are "b", reads the Locator length from bits 4 to 11 of the Arguments field of each such address, obtains the fourth address from the content of the Locator field, and establishes the SRv6 data transmission dedicated channel.
As shown in fig. 7, the network device (such as a firewall) parses the received SRv6 forward traffic first packet and obtains its source address (the node 1 address) A1::40b and the node addresses in the segment list, A2::1 and A3::20b. The low 4 bits of A1::40b are "b", so the Locator A1::/64 is obtained from the length 0x40 = 64; the low 4 bits of A3::20b are "b", so the Locator A3::/32 is obtained from the length 0x20 = 32; A2::1 carries no identifier (its low 4 bits are "1") and yields no channel. Finally, a channel between the Locator A1::/64 and the Locator A3::/32 is established as the SRv6 data transmission dedicated channel. Thus, for the SRv6 reverse traffic first packet, the source address A3::1 matches the destination Locator A3::/32 of the dedicated channel and the final destination address A1::1 matches the source Locator A1::/64, so the established dedicated channel is hit and a session can be established before the packet enters the firewall's next processing flow.
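The two channel derivations above (fig. 5: channels between the source and the listed server addresses; fig. 7: Locator-based channels from the addresses carrying the second identifier) and the reverse-traffic match, as an added worked example in Python. This is not code from the patent. It assumes that the Arguments bits are the low bits of the 128-bit SID, that the second identifier is the value 0xb in the low 4 bits and that the Locator length occupies the 8 bits above them; the SRH itself is not parsed and addresses are supplied as strings. Which segment-list entries become targets in the fig. 5 case is passed in by the caller, since the first-identifier lookup that selects them is not modelled here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example, not the patent's own code. Assumptions: Arguments bits are the
# low bits of the SID, the second identifier is 0xb in the low 4 bits, and the
# Locator length ("target information") sits in bits 4..11 above it.
LOCATOR_FLAG = 0xB


@dataclass(frozen=True)
class Channel:
    """Endpoints in the forward direction: src = node 1 side, dst = server side."""
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network


def locator_of(sid: str) -> Optional[ipaddress.IPv6Network]:
    """Return the Locator prefix if the SID carries the second identifier, else None."""
    a = int(ipaddress.IPv6Address(sid))
    if a & 0xF != LOCATOR_FLAG:
        return None
    plen = (a >> 4) & 0xFF            # e.g. A1::40b -> 0x40 = 64, A3::20b -> 0x20 = 32
    if not 1 <= plen <= 128:
        raise ValueError(f"invalid Locator length {plen} in {sid}")
    # strict=False masks the host bits off, giving A1::/64 from A1::40b
    return ipaddress.IPv6Network((a, plen), strict=False)


def endpoint(sid: str) -> ipaddress.IPv6Network:
    """Channel endpoint for an address: its Locator when flagged, else the /128 host."""
    loc = locator_of(sid)
    return loc if loc is not None else ipaddress.IPv6Network((int(ipaddress.IPv6Address(sid)), 128))


def derive_channels(src: str, targets: List[str]) -> List[Channel]:
    """One channel between the source and each chosen target address (fig. 5).
    Which segment-list entries are targets is decided by the caller."""
    return [Channel(endpoint(src), endpoint(t)) for t in targets]


def derive_locator_channels(src: str, segment_list: List[str]) -> List[Channel]:
    """fig. 7 variant: only the segment-list entries carrying the second identifier."""
    return derive_channels(src, [s for s in segment_list if locator_of(s) is not None])


def hit_channels(channels: List[Channel], rev_src: str, rev_final_dst: str) -> List[Channel]:
    """Reverse-traffic check: the packet source must fall on a channel's dst side
    and the packet's final destination on that channel's src side."""
    s, d = ipaddress.IPv6Address(rev_src), ipaddress.IPv6Address(rev_final_dst)
    return [c for c in channels if s in c.dst and d in c.src]


if __name__ == "__main__":
    # Constructed fig. 5 input: plain host addresses, channels to server 3 and server 4.
    fig5 = derive_channels("A1::1", ["A3::a", "A4::a"])
    print(fig5)
    print(hit_channels(fig5, "A3::a", "A1::1"))   # dedicated channel 1 hit
    print(hit_channels(fig5, "A2::1", "A1::1"))   # no channel to node 2: miss
    # Constructed fig. 7 input: Locator-based channel A1::/64 <-> A3::/32.
    fig7 = derive_locator_channels("A1::40b", ["A2::1", "A3::20b"])
    print(fig7)
    print(hit_channels(fig7, "A3::1", "A1::1"))   # hit by prefix match
    print(hit_channels(fig7, "A3:1::1", "A1::1")) # outside A3::/32: miss
```

The Locator length is validated before building the prefix, because a SID carrying the identifier with a length of 0 or above 128 would otherwise turn into a channel that matches nothing or everything; a real firewall should treat such a SID as malformed rather than silently establishing a channel from it.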
In summary, when a received first data packet misses the session table and the first channel but hits the security policy, the network device parses the target address in the first data packet and establishes the second channel according to the target address, so that when a received second data packet misses the session table but hits the security policy and the second channel, the second data packet is transmitted through the second channel. Here, the first data packet is an SRv6 data packet, the second data packet is an SRv6 data packet associated with the first data packet, and the first channel and the second channel are SRv6 data transmission dedicated channels, so that not only can security protection be performed based on SRv6 addresses, but the backhaul traffic can also pass smoothly through the SRv6 data transmission dedicated channels.
As shown in fig. 8, a network device 800 according to an embodiment of the present invention includes a transceiver 820 and a processor 810, where the processor 810 is configured to:
parsing a target address in a first data packet when the received first data packet misses a session table and a first channel but the first data packet hits a security policy;
establishing a second channel according to the target address;
transmitting a second data packet through the second channel when the received second data packet misses the session table but the second data packet hits the second channel;
wherein the first data packet is an SRv6 data packet, the second data packet is an SRv6 data packet associated with the first data packet, and the first channel and the second channel are SRv6 data transmission dedicated channels.
Wherein the transceiver 820 is configured to receive a first data packet and a second data packet.
Optionally, the processor is further configured to:
parsing the source address of the SRv6 packet in the first data packet and the node addresses in the segment list of the SRv6 packet to obtain the target address.
Optionally, the processor is further configured to:
determining the last hop address of the first data packet transmission according to the node address;
and establishing a channel between the source address and the last hop address as the second channel.
Optionally, the processor is further configured to:
And establishing a channel between the source address and each node address as the second channel according to the source address and the node address.
Optionally, the processor is further configured to:
searching a first address according to the field information of the node address;
and establishing a channel between the source address and the first address as the second channel.
Optionally, the processor is further configured to:
searching the field information for a second address carrying a first identifier, wherein the first identifier is used for indicating that the current address is an SRv6 data transmission dedicated channel address;
taking the second address as the first address.
Optionally, the processor is further configured to:
searching the field information for a third address carrying a second identifier, wherein the second identifier is used for indicating that the field information carries an SRv6 data transmission dedicated channel address;
acquiring a fourth address according to target information in the field information of the third address, wherein the target information is used for indicating the position of the address information carried in the field information;
taking the fourth address as the first address.
When a received first data packet misses the session table and the first channel but hits the security policy, the network device parses the target address in the first data packet and establishes the second channel according to the target address, so that when a received second data packet misses the session table but hits the security policy and the second channel, the second data packet is transmitted through the second channel. Here, the first data packet is an SRv6 data packet, the second data packet is an SRv6 data packet associated with the first data packet, and the first channel and the second channel are SRv6 data transmission dedicated channels, so that not only can security protection be performed based on SRv6 addresses, but the backhaul traffic can also pass smoothly through the SRv6 data transmission dedicated channels.
It should be noted that the network device can execute the transmission processing method of the above embodiment; the implementation of the above method embodiment applies to the network device, so the same technical effects can be achieved.
As shown in fig. 9, a transmission processing apparatus according to an embodiment of the present invention includes:
a parsing module 910, configured to parse a target address in a received first data packet when the received first data packet misses a session table and a first channel but the first data packet hits a security policy;
a processing module 920, configured to establish a second channel according to the target address;
a transmitting module 930, configured to transmit a second data packet through the second channel when the received second data packet misses the session table but the second data packet hits the second channel;
wherein the first data packet is an SRv6 data packet, the second data packet is an SRv6 data packet associated with the first data packet, and the first channel and the second channel are SRv6 data transmission dedicated channels.
Optionally, the parsing module is further configured to:
parse the source address of the SRv6 packet in the first data packet and the node addresses in the segment list of the SRv6 packet to obtain the target address.
Optionally, the processing module includes:
a determining submodule, configured to determine the last hop address of the first data packet transmission according to the node address;
a first processing submodule, configured to establish a channel between the source address and the last hop address as the second channel.
Optionally, the processing module includes:
a second processing submodule, configured to establish a channel between the source address and each node address as the second channel according to the source address and the node addresses.
Optionally, the processing module includes:
a searching submodule, configured to search the first address according to the field information of the node address;
a third processing submodule, configured to establish a channel between the source address and the first address as the second channel.
Optionally, the searching submodule includes:
a first searching unit, configured to search the field information for a second address carrying a first identifier, wherein the first identifier is used for indicating that the current address is an SRv6 data transmission dedicated channel address;
a first processing unit, configured to take the second address as the first address.
Optionally, the searching submodule includes:
a second searching unit, configured to search the field information for a third address carrying a second identifier, wherein the second identifier is used for indicating that the field information carries an SRv6 data transmission dedicated channel address;
a second processing unit, configured to acquire a fourth address according to target information in the field information of the third address, wherein the target information is used for indicating the position of the address information carried in the field information;
a third processing unit, configured to take the fourth address as the first address.
When a received first data packet misses the session table and the first channel but hits the security policy, the apparatus parses the target address in the first data packet and establishes the second channel according to the target address, so that when a received second data packet misses the session table but hits the security policy and the second channel, the second data packet is transmitted through the second channel. Here, the first data packet is an SRv6 data packet, the second data packet is an SRv6 data packet associated with the first data packet, and the first channel and the second channel are SRv6 data transmission dedicated channels, so that not only can security protection be performed based on SRv6 addresses, but the backhaul traffic can also pass smoothly through the SRv6 data transmission dedicated channels.
It should be noted that the apparatus can execute the transmission processing method of the above embodiment; the implementation of the above method embodiment applies to the apparatus, so the same technical effects can be achieved.
The network device according to another embodiment of the present invention, as shown in fig. 10, includes a transceiver 1010, a processor 1000, a memory 1020, and a program or an instruction stored in the memory 1020 and capable of running on the processor 1000, where the processor 1000 implements the above transmission processing method when executing the program or the instruction.
The transceiver 1010 is configured to receive and transmit data under the control of the processor 1000.
In fig. 10, the bus architecture may comprise any number of interconnected buses and bridges, linking together one or more processors represented by the processor 1000 and memory represented by the memory 1020. The bus architecture may also link together various other circuits such as peripheral devices, voltage regulators and power management circuits, which are well known in the art and are therefore not described further herein. The bus interface provides an interface between the bus and these components. The transceiver 1010 may be a number of elements, i.e. a transmitter and a receiver, providing a means for communicating with various other apparatus over a transmission medium. The processor 1000 is responsible for managing the bus architecture and general processing, and the memory 1020 may store data used by the processor 1000 in performing operations.
The readable storage medium of the embodiment of the present invention stores a program or an instruction, which when executed by a processor, implements the steps in the transmission processing method described above, and can achieve the same technical effects, and is not described herein again for avoiding repetition.
The processor is the processor in the network device described in the foregoing embodiment. The readable storage medium includes a computer readable storage medium, such as a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
It is further noted that the network devices described in this specification include, but are not limited to, gateways, routers, etc., and that many of the functional components described are referred to as modules in order to more particularly emphasize their implementation independence.
In an embodiment of the invention, the modules may be implemented in software for execution by various types of processors. An identified module of executable code may, for instance, comprise one or more physical or logical blocks of computer instructions which may, for instance, be organized as an object, procedure, or function. Nevertheless, the executables of an identified module need not be physically located together, but may comprise disparate instructions stored in different locations which, when joined logically together, comprise the module and achieve the stated purpose for the module.
Indeed, a module of executable code may be a single instruction, or many instructions, and may even be distributed over several different code segments, among different programs, and across several memory devices. Likewise, operational data may be identified within modules and may be embodied in any suitable form and organized within any suitable type of data structure. The operational data may be collected as a single data set, or may be distributed over different locations including over different storage devices.
Where a module can be implemented in software, it is implemented in software in view of the level of existing hardware technology; one skilled in the art could, cost aside, build corresponding hardware circuitry, including conventional Very Large Scale Integration (VLSI) circuits or gate arrays and existing semiconductors such as logic chips, transistors or other discrete components, to achieve the corresponding functions. A module may also be implemented in programmable hardware devices such as field programmable gate arrays, programmable array logic, programmable logic devices or the like.
The exemplary embodiments described above are described with reference to the drawings, many different forms and embodiments are possible without departing from the spirit and teachings of the present invention, and therefore, the present invention should not be construed as limited to the exemplary embodiments set forth herein. Rather, these exemplary embodiments are provided so that this disclosure will be thorough and complete, and will convey the scope of the invention to those skilled in the art. In the drawings, the size of the elements and relative sizes may be exaggerated for clarity. The terminology used herein is for the purpose of describing particular example embodiments only and is not intended to be limiting. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. Unless otherwise indicated, a range of values includes the upper and lower limits of the range and any subranges therebetween.
While the foregoing is directed to the preferred embodiments of the present invention, it will be appreciated by those skilled in the art that various modifications and adaptations can be made without departing from the principles of the present invention, and such modifications and adaptations are intended to be comprehended within the scope of the present invention.

Claims (17)

1. A transmission processing method, performed by a network device, comprising:
parsing a target address in a first data packet when the received first data packet misses a session table and a first channel but the first data packet hits a security policy;
establishing a second channel according to the target address;
transmitting a second data packet through the second channel when the received second data packet misses the session table but the second data packet hits the second channel;
wherein the first data packet is an SRv6 data packet, the second data packet is an SRv6 data packet associated with the first data packet, and the first channel and the second channel are SRv6 data transmission dedicated channels.
2. The method of claim 1, wherein said parsing the target address in the first data packet comprises:
parsing the source address of the SRv6 packet in the first data packet and the node addresses in the segment list of the SRv6 packet to obtain the target address.
3. The method of claim 2, wherein said establishing a second channel according to the target address comprises:
determining the last hop address of the first data packet transmission according to the node address;
establishing a channel between the source address and the last hop address as the second channel.
4. The method of claim 2, wherein said establishing a second channel according to the target address comprises:
establishing a channel between the source address and each node address as the second channel according to the source address and the node addresses.
5. The method of claim 2, wherein said establishing a second channel according to the target address comprises:
searching a first address according to the field information of the node address;
establishing a channel between the source address and the first address as the second channel.
6. The method of claim 5, wherein the searching for the first address based on the field information of the node address comprises:
searching the field information for a second address carrying a first identifier, wherein the first identifier is used for indicating that the current address is an SRv6 data transmission dedicated channel address;
taking the second address as the first address.
7. The method of claim 5, wherein the searching for the first address based on the field information of the node address comprises:
searching the field information for a third address carrying a second identifier, wherein the second identifier is used for indicating that the field information carries an SRv6 data transmission dedicated channel address;
acquiring a fourth address according to target information in the field information of the third address, wherein the target information is used for indicating the position of the address information carried in the field information;
taking the fourth address as the first address.
8. A network device comprising a transceiver and a processor, the processor configured to:
parse a target address in a first data packet when the received first data packet misses a session table and a first channel but the first data packet hits a security policy;
establish a second channel according to the target address;
transmit a second data packet through the second channel when the received second data packet misses the session table but the second data packet hits the second channel;
wherein the first data packet is an SRv6 data packet, the second data packet is an SRv6 data packet associated with the first data packet, and the first channel and the second channel are SRv6 data transmission dedicated channels.
9. The network device of claim 8, wherein the processor is further configured to:
parse the source address of the SRv6 packet in the first data packet and the node addresses in the segment list of the SRv6 packet to obtain the target address.
10. The network device of claim 9, wherein the processor is further configured to:
determine the last hop address of the first data packet transmission according to the node address;
establish a channel between the source address and the last hop address as the second channel.
11. The network device of claim 9, wherein the processor is further configured to:
establish a channel between the source address and each node address as the second channel according to the source address and the node addresses.
12. The network device of claim 9, wherein the processor is further configured to:
search a first address according to the field information of the node address;
establish a channel between the source address and the first address as the second channel.
13. The network device of claim 12, wherein the processor is further configured to:
search the field information for a second address carrying a first identifier, wherein the first identifier is used for indicating that the current address is an SRv6 data transmission dedicated channel address;
take the second address as the first address.
14. The network device of claim 12, wherein the processor is further configured to:
search the field information for a third address carrying a second identifier, wherein the second identifier is used for indicating that the field information carries an SRv6 data transmission dedicated channel address;
acquire a fourth address according to target information in the field information of the third address, wherein the target information is used for indicating the position of the address information carried in the field information;
take the fourth address as the first address.
15. A transmission processing apparatus, comprising:
a parsing module, configured to parse a target address in a first data packet when the received first data packet misses a session table and a first channel but the first data packet hits a security policy;
a processing module, configured to establish a second channel according to the target address;
a transmitting module, configured to transmit a second data packet through the second channel when the received second data packet misses the session table but the second data packet hits the second channel;
wherein the first data packet is an SRv6 data packet, the second data packet is an SRv6 data packet associated with the first data packet, and the first channel and the second channel are SRv6 data transmission dedicated channels.
16. A network device comprising a transceiver, a processor, a memory and a program or instructions stored on the memory and executable on the processor, characterized in that the processor implements the transmission processing method according to any of claims 1-7 when executing the program or instructions.
17. A readable storage medium having stored thereon a program or instructions which, when executed by a processor, perform the steps of the transmission processing method according to any of claims 1-7.
CN202110783070.9A 2021-07-12 2021-07-12 Transmission processing method, device and equipment Active CN115622718B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110783070.9A CN115622718B (en) 2021-07-12 2021-07-12 Transmission processing method, device and equipment


Publications (2)

Publication Number Publication Date
CN115622718A CN115622718A (en) 2023-01-17
CN115622718B true CN115622718B (en) 2025-09-12

Family

ID=84855286

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110783070.9A Active CN115622718B (en) 2021-07-12 2021-07-12 Transmission processing method, device and equipment

Country Status (1)

Country Link
CN (1) CN115622718B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111935014A (en) * 2020-10-19 2020-11-13 网络通信与安全紫金山实验室 Message forwarding method and device based on SRv6 network, storage medium and electronic equipment
CN112953831A (en) * 2021-01-22 2021-06-11 新华三大数据技术有限公司 Message forwarding method and device

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3861684B1 (en) * 2018-10-05 2024-04-03 Cisco Technology, Inc. Cross-domain control plane collaboration for end-to-end srv6 sla constrained service delivery
US11165681B2 (en) * 2019-09-27 2021-11-02 Juniper Networks, Inc. Inter-autonomous system trace route message
CN111901317B (en) * 2020-07-15 2022-05-17 中盈优创资讯科技有限公司 Access control policy processing method, system and equipment


Also Published As

Publication number Publication date
CN115622718A (en) 2023-01-17


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant