
CN101651613B - Admission Control System Supporting Dynamic Expansion of Policy Space and Its Control Method - Google Patents

Publication number: CN101651613B
Authority: CN (China)
Prior art keywords: policy, strategy, space, network, module
Legal status: Expired - Fee Related (the listed status is an assumption and is not a legal conclusion)
Application number: CN2009100237942A
Other languages: Chinese (zh)
Other versions: CN101651613A (en)
Inventors: 邱智亮, 史琰, 周谦, 鲍民权, 刘焕峰, 姚明旿
Current Assignee: Xidian University (the listed assignees may be inaccurate)
Original Assignee: Xidian University
Events: application filed by Xidian University; priority to CN2009100237942A; publication of CN101651613A; application granted; publication of CN101651613B; expired - fee related
Landscapes: Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an admission control system that supports dynamic expansion of the policy space, and a control method for it. It mainly addresses two problems of existing admission control methods: they cannot dynamically expand the policy space as new user services appear and the network state changes, and their security and reliability are poor. The system comprises a user service information extraction module, a network information extraction module, a policy library and an admission control module. The control method comprises: extracting flow information and network operating state information from the information flow and the network, and extracting policy space attribute values from that information; generating a policy space attribute vector and a policy space structure; comparing the policy space attribute vector with the policy space structure to check whether the two are consistent; if they are consistent, matching a policy and outputting the result, and, if a policy has been updated, storing the new policy in the policy library; if they are inconsistent, changing attribute values or changing policy attributes to dynamically expand the policy space, and repeating this step. The invention can be used in military communication networks and IP switching networks.

Description

Admission control system supporting dynamic expansion of the policy space, and control method thereof
Technical field
The invention belongs to the field of communication technology and relates to management and control methods for packet-switched networks, specifically an admission control method that supports dynamic expansion of the policy space. It can be used in packet-switched networks such as military communication networks and IP switching networks.
Background art
Any computing environment, the Internet included, has limited resources, and every task has resource requirements that are tightly coupled to its quality of service (QoS) requirements. The basic purpose of admission control is to reach the highest possible network resource utilization through dynamic resource sharing, while guaranteeing the QoS of the admitted services.
At present, policy-based admission control methods are mainly used. They must consider traditional QoS information, such as the sender's request and the available resources of the network, and also the control policies that network administrators and service providers want to apply to network usage, for example admission control according to user identity, bandwidth requirements, security considerations, date, and statistics and accounting. These policy-based methods all perform admission control according to static policies. If the network state changes, or a new user or new service appears, the original policies become invalid and the administrator has to update them promptly, which makes management considerably complex.
A military communication network is a complex heterogeneous network with high security and reliability requirements. It must not only transmit information such as battlefield situation, orders and weapon control in a timely and effective way, but also provide reconnaissance, command and operations personnel with access security and service reliability that meet their application requirements. Current policy-based admission control methods do not consider configuring policies, within a larger policy space, from extracted information such as user confidentiality level, QoS, access time and access point in order to meet access security and reliability requirements. In addition, they use static policies for admission control and do not take full account of the dynamic characteristics of the network environment, such as network state changes and the appearance of new users and new services. As a result they cannot meet extensive and varied user demands, and the security and reliability of services cannot adapt dynamically to changes in the network.
Summary of the invention
The object of the invention is to overcome the above shortcomings of the prior art. In view of the particular needs of military applications in military communication networks, it proposes an admission control system that supports dynamic expansion of the policy space, and a control method for it, so as to adapt dynamically to changes in the network, better meet the requirements of military communication networks, and improve the security and reliability of communication services.
The object of the invention is achieved as follows:
I. Explanation of terms
QoS: Quality of Service.
XML: Extensible Markup Language.
DTD: Document Type Definition.
DES: Data Encryption Standard.
II. The admission control system supporting dynamic expansion of the policy space proposed by the invention comprises:
A user service information extraction module, used to distinguish the information flows of different users and to extract user- and service-related information from data packets;
A network information extraction module, used to obtain network state information from the link state and routing information received on each port and from the packet queuing delay and loss rate information of the local node;
A policy library, a database used to store admission control policies;
An admission control module, used to generate admission control policies dynamically and to make the admission control decision for user services according to the admission control policies in the policy library;
The user service information extraction module is used to extract user information and service information from user data packets;
The user service information extraction module interacts one-way with the policy library, over which the user and service information described by the existing policies in the policy library is passed;
The network state information extraction module interacts one-way with the policy library, over which the network state information described by the existing policies in the policy library is passed;
The admission control module interacts one-way with the user service information extraction module and with the network state information extraction module respectively to update the user service information and the latest network state information; it also saves the dynamically generated admission control policies into the policy library, and uses the existing policies in the policy library to make the admission control decision.
III. The admission control method supporting dynamic expansion of the policy space according to the invention comprises the following steps:
(1) Extract flow information and network operating state information from the information flow and the network respectively. The flow information comprises user identity, priority, security requirement, access point, access mode, service type, quality of service requirement and reliability; the network operating state information comprises node and link failures, route changes, network congestion and the inherent variation trend of the network;
(2) According to the policy space attributes, extract policy space attribute values from the flow information and the network operating state information;
(3) Automatically generate a policy space attribute vector from the policy space attribute values;
(4) Extract the XML policies from the policy library and automatically generate the policy space structure;
(5) Compare the policy space attribute vector with the policy space structure, checking whether the vector contains attribute values that are undefined in the structure and whether the attributes in the vector are consistent with the attributes in the structure. If they are consistent, go to step (6); otherwise go to step (7);
(6) Match against the extracted policies, using the policy space attribute values as the condition values of the policies. If the condition of some policy is satisfied, perform the operation defined by that policy and output the result, which either allows or rejects access by the new flow. If a policy has been updated, also store the new policy in the policy library;
(7) Change the policy space attribute values or change the policy attributes to dynamically expand the policy space, and check whether the expanded policy space contains conflicts. If it does, expand the space again until the policy space is free of conflicts, then go to step (5).
Compared with the prior art, the invention has the following advantages:
(1) The flow information and network operating state information extracted by the invention include not only traditional QoS information, such as quality of service requirements, node and link failures, route changes and network congestion, but also a wide range of security information: user identity, security level, service characteristics, access time and access node. More reliable and more secure admission control can therefore be achieved in military communication networks.
(2) Because the invention writes its policies in XML, policies defined with XML's advantages of cross-platform, cross-system information exchange and interoperability can coordinate the admission control process across heterogeneous networks and nodes from a global perspective. This not only strengthens the network's ability to achieve end-to-end application goals but also helps improve network resource utilization.
(3) The invention introduces the concept of a policy space and supports its dynamic expansion. When the network state changes or a new user or new service appears, the policy space attribute vector and the policy space structure become inconsistent; attribute values or policy attributes are then changed to dynamically expand the policy space. Users can thus modify admission control policies within a certain range according to application needs, and the policy space can also be expanded dynamically in response to external changes, so that call admission is controlled and the network is managed more flexibly and effectively.
(4) Because the invention adopts a self-managing policy control mechanism, the conflicts introduced by policy space expansion are resolved effectively, which greatly reduces the complexity of policy management for network administrators.
Description of the drawings
Fig. 1 is a structural block diagram of the admission control system of the invention;
Fig. 2 is a diagram of the internal functional modules of the admission control module in the control system of the invention;
Fig. 3 is a flow chart of the policy-based admission control method of the invention;
Fig. 4 is a sub-flow chart of the policy space self-management control mechanism in the control method of the invention.
Embodiments
The content of the invention and the background on which it is based are described in detail below with reference to the drawings and embodiments:
I. Policy-based admission control system
Referring to Fig. 1, the admission control system of the invention comprises a user service information extraction module 11, a network information extraction module 12, a policy library 13 and an admission control module 14. The user service information extraction module 11 and the network information extraction module 12 each have one-way connections to the policy library 13 and to the admission control module 14, while the policy library 13 and the admission control module 14 are connected bidirectionally.
The user service information extraction module 11 extracts user- and service-related information from data packets, including user identity, priority, security requirement, access point, access mode, service type, quality of service requirement and reliability. It obtains the user service related attributes from the policy library 13, then filters out the useful attribute values according to those attributes and passes them to the admission control module 14.
The network information extraction module 12 obtains network state information from the link state and routing information received on each port and from the packet queuing delay and loss rate information of the local node. This information includes node and link failures, route changes, network congestion and the inherent variation trend of the network. The module obtains the network information attributes from the policy library 13, then filters out the useful attribute values according to those attributes and passes them to the admission control module 14.
The policy library 13 stores the admission control policies and interacts bidirectionally with the admission control module 14. At initialization it passes the user service related attributes and the network information attributes to the user service information extraction module 11 and the network information extraction module 12 respectively.
The admission control module 14 extracts the XML policies from the policy library 13 and generates the policy space structure. At the same time it automatically generates the policy space attributes from the attribute values it receives, compares whether the structure and the attributes are consistent to decide whether the policy space needs to be expanded dynamically, and saves the dynamically generated admission control policies into the policy library 13. It then makes the admission control decision for the user service according to the result of policy matching. The structure of this module is shown in Fig. 2. It comprises a policy library access submodule 251, a policy matching submodule 252, a policy space expansion submodule 253, a policy conflict checking submodule 254 and an admission result output submodule 255, where:
The policy library access submodule 251 extracts the XML policies from the policy library 13, automatically generates the policy space structure and passes it to the policy matching submodule 252;
The policy matching submodule 252 automatically generates the policy space attribute vector from the state attribute values passed by the user service information extraction module 11 and the network information extraction module 12, and compares it with the policy space structure. If they are consistent, it passes the admission control result to the admission result output submodule 255, which outputs the result of allowing or rejecting access by the new flow. If they are inconsistent, it passes the policy to the policy space expansion submodule 253 to expand the policy space dynamically, and passes the policy updated by the expansion to the policy library access submodule 251, which in turn stores the updated policy into the policy library 13;
The policy space expansion submodule 253 dynamically expands the policy space and passes the expanded policy to the policy conflict checking submodule 254;
The policy conflict checking submodule 254 checks whether the expanded policy space contains conflicts. If it does, it prompts the policy space expansion submodule 253 to expand the policy space again; once the expanded space passes the check, the updated policy is passed to the policy matching submodule 252.
II. Policy-based admission control method
Referring to Fig. 3, the policy-based admission control steps of the invention are as follows:
Step 1: extract flow information and network operating state information from the information flow and the network respectively.
The flow information comprises user identity, priority, security requirement, access point, access mode, service type, quality of service requirement and reliability. The network operating state information comprises node and link failures, route changes, network congestion and the inherent variation trend of the network.
The extracted flow information and network operating state information thus include not only traditional QoS information but also a wide range of security information: user identity, security level, service characteristics, access time and access node. More reliable and more secure admission control can therefore be achieved in military communication networks.
Step 2: according to the policy space attributes, extract policy space attribute values from the flow information and the network operating state information.
A policy, following the IETF definition, is a set of rules. When the network environment satisfies the condition of a rule, the operation defined by that rule is performed. The rule conditions of a policy are made up of policy attributes: for example, one policy may be formulated according to the two attributes user level and role, while another is formulated according to the access time attribute. A policy file generally contains many policies, so the union of the attributes of all policies in the file constitutes the attributes of the policy file. If a policy file contains only the two policies above, its attributes are the three attributes user level, role and access time.
Extending the concept of a policy leads to the concept of a policy space. Each attribute in the policy file corresponds to one dimension of the policy space, and the number of attributes corresponds to the dimension of the policy space. If the policy file has n attributes, the set of points determined by these n attribute variables is an n-dimensional policy space. Each policy can be regarded as a subset of the policy space, and each dimension is an attribute of the policy space.
The policies of the invention are written in XML. Policies defined with XML's advantages of cross-platform, cross-system information exchange and interoperability can coordinate the admission control process across heterogeneous networks and nodes from a global perspective. This not only strengthens the network's ability to achieve end-to-end application goals but also helps improve network resource utilization.
The policy space attributes comprise user service attributes and network operating state attributes. User service attributes mainly reflect user and service information, such as user role, user level and service type. Network operating state attributes mainly reflect the running state of the network, such as congestion and bandwidth.
Step 3: automatically generate a policy space attribute vector from the policy space attribute values.
The specific values of a policy space attribute are the policy space attribute values. For example, high, medium and low for user role, and 1, 2 and 3 for user level, are the attribute values of the user role attribute and the user level attribute respectively.
The policy space attribute vector is the vector formed from all policy space attribute values, written {K1, K2, ..., Kn, ...}, where Kn denotes the n-th attribute value.
Step 4: extract the XML policies from the policy library and automatically generate the policy space structure.
By accessing the policy library and extracting the policies in it, the admission control module can automatically analyze them and obtain the policy space structure shown in Table 1.

Table 1: Policy space structure

Policy space description   Attribute 1 (K1)   Attribute 2 (K2)   ...   Attribute n (Kn)   ...
Policy 1                   K1(1)              K2(1)              ...   Kn(1)              ...
Policy 2                   K1(2)              K2(2)              ...   Kn(2)              ...
...                        ...                ...                ...   ...                ...
Policy m                   K1(m)              K2(m)              ...   Kn(m)              ...
...                        ...                ...                ...   ...                ...

As Table 1 shows, every policy, that is every row, corresponds to a policy space attribute vector {K1(m), K2(m), ..., Kn(m), ...}, where Kn(m) denotes the n-th attribute value of the m-th policy.
Step 5: compare the policy space attribute vector with the policy space structure, checking whether the vector contains attribute values that are undefined in the structure and whether the attributes in the vector are consistent with the attributes in the structure. If they are consistent, go to step 6; otherwise go to step 7.
The comparison checks two things: whether every attribute value in the policy space attribute vector has been defined in the policy space structure, and whether the attributes in the policy space attribute vector are consistent with the attributes defined in the policy space structure.
When no new user or new service has appeared and the network state has not changed, the policy space attribute vector is consistent with the policy space structure and the method goes to step 6; otherwise it goes to step 7.
Step 6: match against the extracted policies, using the policy space attribute values as the condition values of the policies. If the attribute values satisfy the condition of some policy, perform the operation defined by that policy and output the result, which either allows or rejects access by the new flow. If a policy has been updated, also store the new policy in the policy library.
Step 7: change the policy space attribute values or change the policy space attributes to dynamically expand the policy space, and check whether the expanded policy space contains conflicts. If it does, expand the space again; once the policy space is free of conflicts, go to step 5.
When a new flow suddenly arrives, the user service information extraction module and the network information extraction module may find that this flow has not been encountered or defined before, so they store its related state information. Because the arrival of a single flow is not enough to determine all the information about the new flow, the two modules extract the related attribute values according to the local policy attributes. The admission control module generates the attribute vector from the attribute values it receives and compares it with the policy space structure generated by accessing the policy library. At this point neither the local user service attributes nor the local network operating state attributes of the two extraction modules have changed, so the comparison result is necessarily consistent and matching proceeds according to the original policies.
However, as similar new flows become more and more numerous, continuing to perform admission control with the old policies clearly cannot adapt to the changed requirements. As the similar new flows increase, the user service information extraction module and the network information extraction module gradually determine the new flow information. Based on the new flow information they have determined, they automatically add or modify local policy attributes and obtain their values, then pass them to the admission control module, which automatically generates a new policy space attribute vector. The admission control module compares this attribute vector with the policy space structure obtained by accessing the policy library. Because the policy library still stores the old policies, the policy space structure formed from them is also old, so the two are necessarily inconsistent, and this triggers the dynamic expansion of the policy space.
From the above analysis, whether the policy space needs to be expanded depends on comparing the attribute values and attributes of the attribute vector with those of the policy space structure and finding them inconsistent.
Dynamic expansion of the policy space can be divided into policy expansion and space expansion. If the policy space attribute vector contains an attribute value that has not been defined in the policy space structure, the attribute value must be added and policies added or modified dynamically; this is policy expansion. Policy expansion is the lower degree of expansion, and only the policies need to be modified. If the attributes in the policy space attribute vector are found to be inconsistent with the attributes defined in the policy space structure, a policy space attribute must be added and policies added or modified dynamically; this is space expansion. Space expansion is the higher degree of expansion, and the dimension of the policy space has to change.
In policy expansion, the user service information extraction module and the network information extraction module first analyze and determine the new flow, then automatically add or change local policy attribute values. The admission control module automatically generates the attribute vector from the attribute values it receives and compares it with the policy space structure obtained by accessing the policy library. It finds that some attribute value in the vector is not defined in the policy space. In this case one row only needs to be added to Table 1 automatically, that is, one policy is added, and the value of the corresponding attribute of that policy is the new value. The policy space structure is then updated, and the policies are also updated and returned to the policy library. The attribute vector is now consistent with the dynamically expanded policy space structure, and admission control is performed again.
In space expansion, the user service information extraction module and the network information extraction module first analyze and determine the new flow, then automatically add or change local policy attributes. The admission control module automatically generates the attribute vector from the attribute values it receives and compares it with the policy space structure obtained by accessing the policy library. It finds that some attribute in the vector is not defined in the policy space. In this case one column only needs to be added to Table 1 automatically, that is, one attribute is added. The policy space structure is then updated, and the policies are also updated and returned to the policy library. The attribute vector is now consistent with the dynamically expanded policy space structure, and admission control is performed again.
The main difference between policy expansion and space expansion is therefore whether the policy space attributes, that is the dimension of the space, need to change.
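The comparison in step 5 and the two kinds of expansion in step 7 can be worked through as follows. This is an added example, not code from the patent: the XML element and attribute names, the default-reject outcome, and the action and priority given to an automatically added policy are assumptions, and the conflict check of step 7 is left out.

```python
import xml.etree.ElementTree as ET

# Constructed policy library. Element and attribute names are assumptions of
# this example; the patent only states that policies are written in XML.
POLICY_XML = """
<policies>
  <policy id="p1" priority="2" action="admit">
    <cond attr="role" value="high"/>
    <cond attr="user_level" value="1"/>
  </policy>
  <policy id="p2" priority="1" action="reject">
    <cond attr="role" value="low"/>
  </policy>
</policies>
"""


def build_structure(xml_text):
    """Step 4: derive the Table 1 structure. Columns are the union of all
    policy attributes; each policy is one row of condition values."""
    policies = []
    for node in ET.fromstring(xml_text).iter("policy"):
        policies.append({
            "id": node.get("id"),
            "priority": int(node.get("priority")),
            "action": node.get("action"),
            "conds": {c.get("attr"): c.get("value") for c in node.iter("cond")},
        })
    attrs = sorted({a for p in policies for a in p["conds"]})
    return {"attrs": attrs, "policies": policies}


def defined_values(structure, attr):
    """All values that some policy defines for this attribute (one column)."""
    return {p["conds"][attr] for p in structure["policies"] if attr in p["conds"]}


def compare(vector, structure):
    """Step 5. Returns 'consistent', 'space' (the vector has an attribute the
    structure lacks, so a new dimension is needed) or 'policy' (attributes are
    known but some value is not defined by any policy)."""
    if any(a not in structure["attrs"] for a in vector):
        return "space"
    if any(v not in defined_values(structure, a) for a, v in vector.items()):
        return "policy"
    return "consistent"


def expand(structure, vector, action="reject", priority=0):
    """Step 7 without the conflict check: add a column for each unknown
    attribute, then add one row (policy) carrying the new values. The action
    and priority of the new policy are assumptions supplied by the caller."""
    kind = compare(vector, structure)
    if kind == "consistent":
        return kind
    for attr in vector:
        if attr not in structure["attrs"]:
            structure["attrs"].append(attr)          # space expansion: new column
    structure["policies"].append({                   # both kinds: new row
        "id": "auto%d" % len(structure["policies"]),
        "priority": priority, "action": action, "conds": dict(vector),
    })
    return kind


def match(vector, structure, default="reject"):
    """Step 6: the highest-priority policy whose conditions all hold decides.
    Falling back to reject when nothing matches is an assumption."""
    hits = [p for p in structure["policies"]
            if all(vector.get(a) == v for a, v in p["conds"].items())]
    if not hits:
        return default
    return max(hits, key=lambda p: p["priority"])["action"]


def admit(vector, structure, new_action="reject"):
    """Steps 5 to 7 for one flow: expand if inconsistent, then match."""
    kind = expand(structure, vector, action=new_action)
    return kind, match(vector, structure)


if __name__ == "__main__":
    space = build_structure(POLICY_XML)
    for flow in ({"role": "high", "user_level": "1"},
                 {"role": "high", "user_level": "3"},
                 {"role": "low", "access_point": "ap7"}):
        print(flow, admit(flow, space))
```

In the third flow the automatically added row does not decide the outcome, because the existing policy p2 also matches and has the higher priority.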
After the policy space has been dynamically expanded, admission control is performed with the updated policies and the admission control result is output. Expanding the policy space, however, may cause conflicts among the policies in it. To avoid this, the invention proposes a policy space self-management control mechanism, shown in Fig. 4, which comprises a syntax check and a semantic check, where:
The syntax check looks for unrecognizable symbols or other syntax errors. If a syntax error is found, the policy space is expanded again and the syntax check is repeated; otherwise the next step, the semantic check, is entered;
The semantic check compares each policy with the other policies in the policy file, and specifically includes the following:
1. Bound check: check whether the value of an attribute lies within the permitted range.
2. Relation check: check whether the values of any two attributes satisfy the relation determined by the particular technology. For example, if two parameters of a policy rule are the encryption algorithm used and the corresponding key length, and the former is DES, then the latter can only be one of the two values 64 or 128.
3. Consistency check: ensure that no two policies in the system conflict. To avoid conflicts between policy rules, the rules can carry priorities; when two policies are satisfied at the same time, the policy with the higher priority is matched and executed.
4. Dominance check: check whether there is an "unreachable" policy, that is, a policy that can never be executed because of the way other policies are defined. Consider the policy being checked: it is a subset of the policy space, a region marked out in the multidimensional policy space. The other policies are then examined in turn. If some other policy overlaps the checked policy in the multidimensional policy space and has a higher priority than the checked policy, the overlapping region is subtracted from the region corresponding to the checked policy. When the check finishes, if the region corresponding to the checked policy is empty, the checked policy can never be executed and can be deleted.
If the semantic check finds an error, the policy space is expanded again and the process returns to the syntax check step; otherwise the policy space expansion has succeeded.
The self-managing policy control mechanism described above effectively resolves problems such as the conflicts introduced by policy space expansion, and ensures that policy space expansion leaves no problems behind.
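The four semantic checks above, as an added example that is not part of the patent. Attribute domains are assumed to be small finite sets, each policy is treated as a box in that space (an attribute it does not test spans the whole domain), the consistency check is interpreted as flagging equal-priority overlapping policies with different actions, and all policy data is constructed; the DES key lengths are the ones the text gives.

```python
# Constructed attribute domains: the permitted range of each dimension.
DOMAINS = {"role": {"high", "mid", "low"}, "user_level": {1, 2, 3}}
# Relation taken from the text: with DES the key length is 64 or 128.
RELATIONS = {("cipher", "DES"): ("key_len", {64, 128})}
# Constructed policies. An attribute missing from "conds" is not tested.
POLICIES = [
    {"id": "p1", "priority": 3, "action": "admit",
     "conds": {"role": {"high", "mid"}},
     "params": {"cipher": "DES", "key_len": 64}},
    {"id": "p2", "priority": 2, "action": "admit",
     "conds": {"role": {"low"}, "user_level": {1, 2}},
     "params": {"cipher": "DES", "key_len": 56}},
    {"id": "p3", "priority": 2, "action": "reject",
     "conds": {"role": {"low"}, "user_level": {3}}, "params": {}},
    {"id": "p4", "priority": 1, "action": "reject",
     "conds": {"role": {"mid", "low"}, "user_level": {2, 3}}, "params": {}},
    {"id": "p5", "priority": 1, "action": "admit",
     "conds": {"role": {"high"}, "user_level": {4}}, "params": {}},
]


def box_of(policy, domains):
    """Region of a policy: one set of values per dimension of the space."""
    return {a: set(policy["conds"].get(a, dom)) for a, dom in domains.items()}


def overlaps(x, y):
    """Two boxes overlap only if they share a value in every dimension."""
    return all(x[a] & y[a] for a in x)


def subtract(box, cut):
    """Box minus cut as a list of disjoint boxes (empty if cut covers box)."""
    if not overlaps(box, cut):
        return [box]                          # nothing to remove
    pieces, rest = [], dict(box)
    for a in box:
        outside = rest[a] - cut[a]
        if outside:                           # slab of the box outside the cut
            pieces.append({**rest, a: outside})
        rest[a] = rest[a] & cut[a]            # narrow toward the overlap
    return pieces


def semantic_check(policies, domains, relations):
    """Run checks 1 to 4 and return (policy id, kind, detail) findings."""
    findings = []
    for i, p in enumerate(policies):
        # 1. Bound check: every condition value must lie in its domain.
        for attr, vals in p["conds"].items():
            if set(vals) - domains.get(attr, set()):
                findings.append((p["id"], "bound", attr))
        # 2. Relation check: dependent parameters must fit together.
        for (a, v), (b, allowed) in relations.items():
            if p["params"].get(a) == v and p["params"].get(b) not in allowed:
                findings.append((p["id"], "relation", b))
        # 3. Consistency check: equal priority cannot break an overlap.
        mine = box_of(p, domains)
        for q in policies[i + 1:]:
            if (q["priority"] == p["priority"] and q["action"] != p["action"]
                    and overlaps(mine, box_of(q, domains))):
                findings.append((p["id"], "conflict", q["id"]))
        # 4. Dominance check: subtract every higher-priority region.
        remaining = [mine] if all(mine.values()) else []
        for q in policies:
            if q["priority"] > p["priority"]:
                cut = box_of(q, domains)
                remaining = [piece for r in remaining
                             for piece in subtract(r, cut)]
        if not remaining:
            findings.append((p["id"], "unreachable", None))
    return findings


if __name__ == "__main__":
    for finding in semantic_check(POLICIES, DOMAINS, RELATIONS):
        print(finding)
```

Policy p4 is reported unreachable although no single policy covers it: p1, p2 and p3 together cover its whole region, which is why the check subtracts regions instead of testing pairwise containment.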
After the policy space has been expanded successfully, the method goes to step 5: the policy space attribute vector is compared with the expanded policy space structure, checking whether the vector contains attribute values that are undefined in the structure and whether the attributes in the vector are consistent with the attributes in the structure. If they are consistent, go to step 6; otherwise go to step 7.
The above describes the admission control system supporting dynamic expansion of the policy space and its control method. The system and method of the invention consider not only the QoS parameters of a service but also write more precise information, such as user identity, security level, service characteristics, access time and access node, into the admission policies, so that the security and reliability of access are better satisfied. At the same time, as the network state changes and new users and new services appear, the mechanism of dynamic policy space expansion can better meet extensive and varied user service demands.

Claims (8)

1. An admission control system supporting dynamic expansion of the policy space, comprising:
a user service information extraction module, used to distinguish the information flows of different users and to extract user- and service-related information from data packets;
a network information extraction module, used to obtain network state information from the link state and routing information received on each port and from the packet queuing delay and loss rate information of the local node;
a policy library, used to store admission control policies;
an admission control module, used to dynamically generate admission control policies and to make admission control decisions for user services according to the admission control policies in the policy library; the admission control module comprises:
a policy library access submodule, used to extract policies from the policy library and to store updated policies into the policy library, the policy library access submodule and the policy matching submodule passing policies to each other bidirectionally;
a policy matching submodule, used to match the state attribute values input by the user service information extraction module and the network information extraction module against the policies obtained by the policy library access submodule; if they are consistent, the admission control result is passed to the admission result output submodule to output the result of allowing or rejecting access of the new flow; if they are inconsistent, the policy is passed to the policy space expansion submodule to expand the space dynamically, and once the policy has been updated through dynamic expansion, the updated policy is passed to the policy library access submodule; the policy matching submodule and the policy space expansion submodule interact bidirectionally to expand policies;
a policy space expansion submodule, used to expand the policy space dynamically;
a policy conflict checking submodule, used to check whether the expanded policy space contains conflicts and, if it does, to prompt the policy space expansion submodule to expand again; the policy conflict checking submodule and the policy space expansion submodule exchange the policy space bidirectionally to check whether the policy space conflicts after expansion;
an admission result output submodule, used to output the admission result obtained from the policy matching submodule, the admission result output submodule being unidirectionally connected to the policy matching submodule;
the user service information extraction module obtains from the policy library the user and service information described by the policies already in the policy library, the user service information extraction module being unidirectionally connected to the policy library;
the network information extraction module obtains from the policy library the network state information described by the policies already in the policy library, the network information extraction module being unidirectionally connected to the policy library;
the admission control module obtains updated user and service information and the latest network state information from the user service information extraction module and the network information extraction module respectively, saves the dynamically generated admission control policies into the policy library, and uses the existing policies in the policy library to make the admission control decision, the admission control module being unidirectionally connected to the user service information extraction module and to the network information extraction module respectively.

2. The admission control system according to claim 1, wherein the user- and service-related information includes user identity, priority, security requirements, access point, access method, service type, quality of service requirements and reliability.

3. The admission control system according to claim 1, wherein the network state information includes node and link failures, route changes, network congestion and the inherent trends of change of the network.

4. An admission control method supporting dynamic expansion of the policy space, comprising the following steps:
(1) extract flow information and network operating state information from the information flow and from the network respectively, where the flow information includes: user identity, priority, security requirements, access point, access method, service type, quality of service requirements and reliability; and the network operating state information includes: node and link failures, route changes, network congestion and the inherent trends of change of the network;
(2) according to the policy space attributes, extract the policy space attribute values from the flow information and the network operating state information;
(3) automatically generate a policy space attribute vector from the policy space attribute values;
(4) extract the XML policies from the policy library and automatically generate the policy space structure;
(5) compare the policy space attribute vector with the policy space structure, checking whether the vector contains attribute values that are undefined in the space structure and whether the attributes in the vector are consistent with those in the structure; if there are no undefined attribute values and the attributes are consistent, go to step (7); otherwise go to step (6);
(6) change a policy space attribute value or change a policy attribute to expand the policy space dynamically, and check whether the expanded policy space contains conflicts; if it does, expand the space again until the policy space is free of conflicts, then go to step (5);
(7) match the extracted policies, using the policy space attribute values as the condition values of the policies; if the condition of a policy is satisfied, execute the operation defined by that policy and output the result of allowing or rejecting access of the new flow; at the same time, if a policy has been updated, store the new policy in the policy library.

5. The admission control method supporting dynamic expansion of the policy space according to claim 4, wherein the policy space attributes in step (2) include user service attributes and network operating state attributes, which are parsed by the user service information extraction module and the network information extraction module respectively.

6. The admission control method supporting dynamic expansion of the policy space according to claim 4, wherein the policy space attribute vector in step (3) is a vector composed of all the attribute values of the policy space.

7. The admission control method supporting dynamic expansion of the policy space according to claim 4, wherein changing an attribute value or changing a policy attribute in step (6) means adding a policy to the policy space structure or adding an attribute to the policy space structure.

8. The admission control method supporting dynamic expansion of the policy space according to claim 4, wherein checking whether the expanded policy space contains conflicts in step (6) is carried out in the following steps:
(a) check the syntax for errors; if there is an error, expand the policy space again and go to step (a); otherwise go to step (b);
(b) check the semantics for errors; if there is an error, expand the policy space again and go to step (a); otherwise the policy space has been expanded successfully.

CN2009100237942A 2009-09-04 2009-09-04 Admission Control System Supporting Dynamic Expansion of Policy Space and Its Control Method Expired - Fee Related CN101651613B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009100237942A CN101651613B (en) 2009-09-04 2009-09-04 Admission Control System Supporting Dynamic Expansion of Policy Space and Its Control Method

Publications (2)

Publication Number Publication Date
CN101651613A CN101651613A (en) 2010-02-17
CN101651613B true CN101651613B (en) 2011-08-24

Family

ID=41673733

Country Status (1)

Country Link
CN (1) CN101651613B (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110824

Termination date: 20150904

EXPY Termination of patent right or utility model