
CN114827044A - Message processing method, device and network equipment - Google Patents


Info

Publication number: CN114827044A
Authority: CN (China)
Prior art keywords: message, network, application, network message, session table
Prior art date:
Legal status: Granted
Application number: CN202210454424.XA
Other languages: Chinese (zh)
Other versions: CN114827044B (en)
Inventor: 任丹丹
Current Assignee: New H3C Security Technologies Co Ltd
Original Assignee: New H3C Security Technologies Co Ltd
Priority date:
Filing date:
Publication date:

Application filed by New H3C Security Technologies Co Ltd
Priority to CN202210454424.XA
Publication of CN114827044A
Application granted
Publication of CN114827044B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2483 Traffic characterised by specific attributes, e.g. priority or QoS, involving identification of individual flows
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a message processing method, a message processing device and network equipment. The CPU receives a network message of the data stream sent by the forwarding chip; carrying out application identification processing on the data flow according to data in the network message; if the data stream is identified to have the corresponding application based on the network message, generating a session table entry according to the message characteristics of the network message; and sending the session table entry to the forwarding chip so that the forwarding chip forwards the new network message according to the session table entry after receiving the new network message. Therefore, after application identification, all messages do not need to be sent to a CPU for processing, and are directly forwarded by the forwarding chip, so that the forwarding speed of the messages in the network equipment is improved, and meanwhile, the application can be effectively identified and the processing performance of the network equipment can be improved.

Description

Message processing method, device and network equipment
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method, an apparatus, and a network device for processing a packet.
Background
With the continuous development of internet technology, new-era networks place new requirements on network security and on traffic forwarding control based on users and applications. To address these characteristics, firewalls increasingly require the ability to recognise users and applications so that traffic control becomes more precise and visible. Traditionally a network application was equated with a port, and application-based flow control was implemented simply by enabling or disabling ports. In a new network, most applications are concentrated on a few ports, application programs are more and more web-based, and a specific application cannot be identified by its port alone. Therefore, the need to identify applications based on traffic content is becoming more pressing. A gateway device forwards packets in one of two modes, software forwarding and hardware forwarding. In software forwarding, the Central Processing Unit (CPU) can process the traffic in fine detail and realise richer functions; in hardware forwarding, the packet is processed and forwarded by a hardware logic chip (also called a forwarding chip) such as an FPGA (Field Programmable Gate Array) or an ASIC (Application Specific Integrated Circuit), which forwards faster but cannot further identify the packet. Therefore, to identify applications based on traffic content, the packets of each data stream must be uploaded to the CPU, which identifies the packet content; however, once a data stream has been uploaded to the CPU, it must subsequently be forwarded in software, which greatly reduces the performance of the gateway device.
Therefore, how to improve the forwarding speed of packets in the network device while performing application identification, and at the same time identify applications effectively and improve the processing performance of the network device, is a technical problem worth considering.
Disclosure of Invention
In view of this, the present application provides a method, an apparatus, and a network device for processing a packet, so as to improve the forwarding speed of the packet in the network device, and effectively identify an application and improve the processing performance of the network device when performing application identification.
Specifically, the method is realized through the following technical scheme:
According to a first aspect of the present application, a message processing method is provided, which is applied to a CPU in a network device, where the network device further includes a forwarding chip; the method comprises the following steps:
receiving a network message of the data stream sent by the forwarding chip;
carrying out application identification processing on the data flow according to data in the network message;
if the data stream is identified to have the corresponding application based on the network message, generating a session table entry according to the message characteristics of the network message;
and sending the session table entry to the forwarding chip so that the forwarding chip forwards the new network message according to the session table entry after receiving the new network message.
According to a second aspect of the present application, a message processing method is provided, which is applied to a forwarding chip in a network device, where the network device further includes a CPU; the method comprises the following steps:
sending the received network message of the data stream to the CPU;
receiving a session table item issued by the CPU, wherein the session table item is generated according to the message characteristics of the network message when the CPU identifies that the data stream has a corresponding application based on the network message;
receiving a new network message of the data flow;
and forwarding the new network message according to the session table entry.
According to a third aspect of the present application, there is provided a message processing apparatus, which is disposed in a central processing unit CPU in a network device, where the network device further includes a forwarding chip; the apparatus comprising:
the receiving module is used for receiving the network message of the data stream sent by the forwarding chip;
the identification module is used for carrying out application identification processing on the data flow according to data in the network message;
the generation module is used for generating a session table entry according to the message characteristics of the network message if the identification module identifies that the data stream has the corresponding application based on the network message;
and the sending module is used for sending the session table items to the forwarding chip so that the forwarding chip forwards the new network message according to the session table items after receiving the new network message.
According to a fourth aspect of the present application, there is provided a packet processing apparatus, disposed in a forwarding chip in a network device, where the network device further includes a central processing unit CPU, the apparatus including:
the first receiving module is used for receiving a network message of a data stream;
the sending module is used for sending the network message to the CPU;
a second receiving module, configured to receive a session entry issued by the CPU, where the session entry is generated according to a packet feature of the network packet when the CPU identifies that the data stream has a corresponding application based on the network packet;
the first receiving module is configured to receive a new network packet of the data flow;
and the forwarding module is used for forwarding the new network message according to the session table entry.
According to a fifth aspect of the present application, a network device is provided, which includes a central processing unit CPU and a forwarding chip, where the CPU is configured to execute the message processing method provided by the first aspect, and the forwarding chip is configured to execute the message processing method provided by the second aspect.
According to a sixth aspect of the present application, there is provided a machine-readable storage medium storing a computer program which, when invoked and executed by a central processing unit CPU, causes the processor to perform the method as provided by the first aspect of the embodiments of the present application.
The beneficial effects of the embodiment of the application are as follows:
in the message processing method, the message processing device and the network equipment provided by the embodiment of the application, after receiving the network message of the data stream sent by the forwarding chip, the CPU performs application identification processing on the data stream according to the data in the network message; when the data stream is identified to have the corresponding application based on the network message, generating a session table entry according to the message characteristics of the network message; and then, the session table entry is issued to the forwarding chip, so that the forwarding chip can forward the new network message according to the session table entry after receiving the new network message. Therefore, the forwarding chip does not need to send all network messages of the data stream to the CPU one by one for application identification processing, and only needs to directly execute message forwarding operation on new subsequently received network messages based on the session table entry after the forwarding chip receives the session table entry, so that the forwarding rate of the messages is greatly improved on the basis of identifying the application, and meanwhile, the processing performance of the network equipment is also improved.
Drawings
Fig. 1 is a schematic flowchart of a message processing method according to an embodiment of the present application;
fig. 2 is a schematic flowchart of another message processing method according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of a message processing apparatus according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of another message processing apparatus according to an embodiment of the present application;
fig. 5 is a schematic diagram of a hardware structure of a network device implementing a message processing method according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with aspects such as the present application.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the corresponding listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
The following describes the message processing method provided in the present application in detail.
Referring to fig. 1, fig. 1 is a flowchart of a message processing method provided in the present application, where the method is applied to a CPU in a network device, and the network device further includes a forwarding chip. When the CPU in the network device implements the message processing method, the method may include the following steps:
S101, receiving a network message of the data stream sent by the forwarding chip.
In this step, since the forwarding chip itself does not have the application identification capability, in order to identify whether a received data stream has an application, the forwarding chip needs to send the received network message of each data stream to the CPU, so that the CPU performs application identification based on the received network message.
S102, carrying out application identification processing on the data stream according to the data in the network message.
In this step, to avoid heavy CPU processing pressure when all messages of the same data stream are uploaded to the CPU, and degraded forwarding performance because the CPU must perform application identification on every received message, the present application proposes that, after receiving each data stream from the outside, the forwarding chip continuously transmits the network messages of the data stream to the CPU until the CPU issues a session table entry, so that the CPU, after receiving a network message, performs application identification according to the data in it. The identification may use any currently available application identification method. For example, the data in the network packet may be, but is not limited to, a domain name; the CPU then checks whether the domain name in the network packet is the application domain name of a preconfigured application, and if so, the application is identified, that is, the data stream to which the network packet belongs has a corresponding application. For example, in the network packets exchanged between a client and a server, apart from the three-way TCP handshake packets, the application domain name of the application being accessed may be carried in the first ClientHello packet of the SSL negotiation, for example www.baidu.com.
S103, if the data stream is identified to have the corresponding application based on the network message, generating a session table according to the message characteristics of the network message.
In this step, when the data stream is identified to have the corresponding application based on the received network packet, the application has been identified, so there is no need for the CPU to identify the subsequent network packets one by one, which would otherwise affect the forwarding rate. Specifically, the message characteristics of the network message may be written into the session entry.
And S104, sending the session table entry to the forwarding chip so that the forwarding chip forwards the new network message according to the session table entry after receiving the new network message.
In this step, in order to implement normal forwarding of the network packet of each data stream and improve forwarding performance, the CPU sends the generated session table entry to the forwarding chip. Therefore, when the forwarding chip receives a new network message, the forwarding chip can forward the new network message according to the session table entry.
By implementing the message processing method provided by the application, after receiving the network message of the data stream sent by the forwarding chip, the CPU performs application identification processing on the data stream according to the data in the network message; when the data stream is identified to have the corresponding application based on the network message, generating a session table entry according to the message characteristics of the network message; and then, the session table entry is issued to the forwarding chip, so that the forwarding chip can forward the new network message according to the session table entry after receiving the new network message. Therefore, the forwarding chip does not need to send all network messages of the data stream to the CPU one by one for application identification processing, and only needs to directly execute message forwarding operation on new subsequently received network messages based on the session table entry after receiving the session table entry, so that the forwarding rate of the messages is greatly improved on the basis of identifying the application, and the processing performance of the network equipment is also improved.
Optionally, before generating a session entry according to the packet feature of the network packet, the method further includes: inquiring the application control strategy of the corresponding application; and confirming that the application control strategy is to allow the data stream corresponding to the application to pass through.
On this basis, the message processing method provided in this embodiment further includes: and forwarding the network message when the data flow corresponding to the application is allowed to be released.
Specifically, when an application is identified based on step S103, the application control policy corresponding to the identified application may be queried, and it is then determined whether the application control policy allows the data flow accessing the application to pass; when the execution action of the application control policy is to allow passage, the network packet is forwarded to the outside, and when the application control policy prohibits forwarding, the network packet is discarded.
It should be noted that the network device stores the application control policy of each application in advance, and the application control policy of each application can be dynamically updated.
On this basis, the session table entry only includes the message feature of the network message, and the message feature is the same as the message feature of the subsequent network message of the data stream, so that after the forwarding chip subsequently receives a new network message, the message feature in the new network message is matched with the session table entry, when the forwarding chip successfully matches the session table entry, it indicates that the new network message hits the session table entry, and the forwarding chip directly forwards the new network message to the outside without reporting to the CPU for application identification processing, thereby increasing the message forwarding speed of the network message.
Optionally, the message processing method provided in this embodiment further includes: and if the application of the data stream is not identified based on the network message and the number of the network messages used for identifying the data stream reaches the set number corresponding to the message protocol of the network message, discarding the network message of the data stream.
Specifically, when the application is not identified based on the received network packet, the number of network packets of the data stream that the CPU has accumulated, that is, the number of network packets already used for application identification of the data stream, may be determined, and it is then determined whether this number reaches the set number corresponding to the packet protocol used by the network packet. When the number reaches the set number, the data stream has no corresponding application, and subsequent packets need not be subjected to application identification processing; at this point the CPU may discard the network packet. Further, taking as an example a client accessing a server through the security device, during the interaction between client and server the client generally expects an ack message confirming that the other side received its message; therefore, when the CPU discards the network message the client does not receive the ack, automatically stops sending messages of that data stream, and the forwarding chip no longer receives network messages of the data stream, which improves the message forwarding speed to a certain extent.
In addition, if the application of the data stream is not identified based on the network message and the number of network messages used for identifying the data stream has not reached the set number corresponding to the message protocol of the network message, the CPU waits for the forwarding chip to send the next network message of the data stream.
Specifically, when the data stream is not identified to have an application based on the received network packet, it may be determined whether the number of network packets used for application identification of the data stream reaches the set number corresponding to the packet protocol; when it does not, the number of network packets used for identification so far is small, and the CPU may continue to wait for the next network packet of the data stream from the forwarding chip. This improves the accuracy of application identification to a certain extent, and because only a few messages have been used for identification, the forwarding speed of the messages is not affected for the time being.
It should be noted that the set number differs between message protocols. For example, if the received network message belongs to the http or https protocol, the set number may be, but is not limited to, 5; that is, in general, if the CPU cannot identify an application using 5 network messages, the data stream has no upper-layer application and is pure http or https traffic. When the message protocol of the network message is tcp or udp, the set number may be, but is not limited to, 48 to 50; that is, if the CPU cannot identify an application using 48 network messages, it can be determined that the data stream has no upper-layer application and is pure tcp or udp traffic. Furthermore, once no application has been identified after the number of messages exceeds the set number, it can be confirmed that no deep identification of further packets is needed, and subsequent network packets need not be sent to the CPU for software processing but can be forwarded directly by the forwarding chip through hardware logic. Similarly, once an application has been identified and it is confirmed that the application will not change, subsequent network messages need not be uploaded to the CPU for software processing and can be forwarded directly by the forwarding chip through hardware logic. This is particularly suitable for scenarios with many video streams, where the forwarding performance for video-stream messages can be greatly improved.
Optionally, based on the foregoing embodiment, in this embodiment, the step S103 of generating the session entry according to the message feature of the network message may be further performed according to the following method: inquiring the application control strategy of the corresponding application; and generating the session table entry according to the message characteristics and the application control strategy.
On this basis, the message forwarding method provided in this embodiment further includes: when the application control policy is confirmed to allow the data flow of the application to pass, forwarding the network message.
Specifically, when the execution action of the application control policy of the application identified by the network device is permission to release, the CPU may directly forward the network packet to the outside; if the identified application control strategy of the application is forbidden to be released, the CPU can directly discard the network message.
Specifically, after the corresponding application is identified, the application control policy corresponding to the identified application may be queried from the application control policies configured in advance for each application; then, when the session entry is generated, it is generated according to the message characteristics of the network message and the queried application control policy, that is, both are written into the session entry, which is then sent to the forwarding chip. Thus, once the forwarding chip holds the session entry, when a new network message is subsequently received it extracts the message characteristics from the new network message, uses them to match the session entry and, when the match succeeds, extracts the application control policy from the session entry and executes the forwarding operation for the new network message based on that policy. For example, if the execution action in the application control policy is release, the forwarding chip forwards the new network message directly to the outside and does not transmit it to the CPU for the application identification flow; if the execution action is release prohibition, the forwarding chip discards the new network message directly without reporting it to the CPU or forwarding it, so that forwarding resources are saved and the forwarding speed of network messages is improved.
Optionally, the message characteristics may include, but are not limited to, quintuple information, and on this basis, step S102 may be performed according to the following method: and generating the session table entry according to the quintuple information.
Specifically, quintuple information included between network packets of the same data stream is consistent, and therefore, after a session table entry generated based on the quintuple information is issued to the forwarding chip, the forwarding chip can more quickly and accurately match whether a new network packet subsequently received can hit the session table entry, and perform forwarding processing based on the session table entry.
Optionally, the message characteristics may include, but are not limited to, quintuple information, and the like. The quintuple information may include but is not limited to an incoming interface, an outgoing interface, a source IP address and a destination IP address,
based on any of the above embodiments, in this embodiment, step S104 may be performed according to the following procedure: and issuing the session table entry to the forwarding chip through a driving interface. Specifically, the forwarding chip and the CPU may communicate through a driving interface, so that the CPU may forward the session table entry through the driving interface when sending the session table entry to the forwarding chip.
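The CPU-side flow S101 to S104, the set-number rule for streams whose application is not identified, and the policy-bearing session entry variant, as an added worked example in Python. This is illustrative code written for this page, not the patent's or New H3C's implementation. The application signature table, the control policies, the domain name video.example.test (www.baidu.com is the page's own example), the 48-packet set number for tcp/udp (the text gives 48 to 50) and the driver interface modelled as a list are all assumptions made for the simulation.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# (src_ip, dst_ip, src_port, dst_port, protocol): the quintuple used as message characteristics
FiveTuple = Tuple[str, str, int, int, str]

# Set number per message protocol, following the text: 5 for http/https, 48 for tcp/udp
# (the text allows 48 to 50; 48 is an assumption for this simulation).
SET_NUMBER: Dict[str, int] = {"http": 5, "https": 5, "tcp": 48, "udp": 48}

# Constructed application signature table: application domain name -> application.
# www.baidu.com is the page's own example; the video domain is a hypothetical entry.
APP_DOMAINS: Dict[str, str] = {"www.baidu.com": "baidu", "video.example.test": "video-app"}

# Constructed application control policies: application -> execution action.
APP_POLICY: Dict[str, str] = {"baidu": "permit", "video-app": "deny"}


@dataclass
class NetworkMessage:
    five_tuple: FiveTuple
    protocol: str                 # message protocol, selects the set number
    domain: Optional[str] = None  # domain name carried in the payload (e.g. ClientHello), if any


@dataclass
class SessionEntry:
    """Message characteristics plus the queried application control policy."""
    five_tuple: FiveTuple
    action: str                   # "permit" or "deny"


@dataclass
class CpuState:
    # network messages of each data stream already used for application identification
    counters: Dict[FiveTuple, int] = field(default_factory=dict)
    # session entries issued to the forwarding chip; the driver interface is modelled as a list
    issued: List[SessionEntry] = field(default_factory=list)


def identify_application(msg: NetworkMessage) -> Optional[str]:
    """S102: match the domain name in the message against the preconfigured applications."""
    if msg.domain is None:        # e.g. a TCP three-way handshake packet carries no domain
        return None
    return APP_DOMAINS.get(msg.domain)


def cpu_process_message(state: CpuState,
                        msg: NetworkMessage) -> Tuple[str, Optional[SessionEntry]]:
    """S101-S104 on the CPU for one message sent up by the forwarding chip.

    Returns (action for this message, session entry issued or None), where the action is
    "forward", "drop" or "wait" (keep receiving messages of this stream from the chip).
    """
    key = msg.five_tuple
    state.counters[key] = state.counters.get(key, 0) + 1
    app = identify_application(msg)
    if app is not None:
        # S103: query the application control policy and write it into the session entry
        action = APP_POLICY.get(app, "permit")
        entry = SessionEntry(key, action)
        state.issued.append(entry)            # S104: issue the entry to the forwarding chip
        return ("forward" if action == "permit" else "drop", entry)
    if state.counters[key] >= SET_NUMBER[msg.protocol]:
        # Set number reached without an application: the stream is pure protocol traffic,
        # so the CPU discards its messages instead of identifying further ones.
        return ("drop", None)
    return ("wait", None)                     # too few messages yet; wait for the next one
```

Running an https stream through `cpu_process_message` shows the handshake packet answered with "wait", the ClientHello carrying www.baidu.com answered with "forward" plus an issued permit entry, and an http stream with no recognisable domain dropped on its fifth message; a denied application yields "drop" together with a deny entry that the chip can apply in hardware.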
Based on the same inventive concept, this embodiment further provides a message processing method, which is applied to a forwarding chip in a network device, where the network device further includes a CPU, and the forwarding chip can execute the message processing method according to the flow shown in fig. 2, and includes the following steps:
S201, sending the received network message of the data stream to a CPU.
In this step, since the forwarding chip itself does not have the software identification function, the received network packet of the data stream needs to be forwarded to the CPU capable of performing application identification, so that the CPU performs application identification processing on the network packet received from the forwarding chip.
S202, receiving a session table item issued by the CPU, wherein the session table item is generated according to the message characteristics of the network message when the CPU identifies that the data stream has a corresponding application based on the network message.
In this step, when the CPU recognizes that the data stream has the corresponding application, the session table entry is generated according to the network packet and is sent to the forwarding chip, and thus the forwarding chip receives the session table entry sent by the CPU.
It should be noted that, for the process by which the CPU identifies whether the data stream has an application and generates the session table entry based on the network packet, reference may be made to the corresponding CPU-side execution process described above; details are not repeated here.
It should be noted that the forwarding chip may receive the session entry issued by the CPU through the driving interface between the forwarding chip and the CPU, where the session entry includes the message characteristics of the network message that the forwarding chip sent to the CPU.
S203, receiving a new network message of the data flow.
S204, forwarding the new network message according to the session table entry.
In this step, the forwarding chip keeps receiving new network messages. On receiving a new network message it extracts the message characteristics from it, matches them against the session table entry and, if the match succeeds, performs the forwarding operation for the new network message according to the session table entry.
By implementing the message processing method on the forwarding chip side, the forwarding chip sends the received network message of the data stream to the CPU; receives the session table entry issued by the CPU, which the CPU generated from the message characteristics of the network message when it identified, based on that message, that the data stream has a corresponding application; receives a new network message of the data stream; and forwards the new network message according to the session table entry. The forwarding chip therefore does not need to send every network message of every data stream to the CPU for application identification, and the CPU in the network device does not need to perform identification and matching on every message of every data stream one by one, so the message processing pressure on the CPU is greatly reduced and the message forwarding speed is improved.
It should be noted that the forwarding chip may receive multiple data streams at the same time. Accordingly, it may send network messages of each data stream to the CPU, and when the CPU identifies that several data streams have corresponding applications it issues a corresponding number of session table entries. The forwarding chip may store all received session table entries in a session table entry list, so that after receiving a network message it matches the message characteristics of that message against the list and then forwards the message according to the matched session table entry.
It should be noted that the message processing method provided in this embodiment further includes: for each data stream, after the forwarding chip has processed the last network message of the data stream according to the flow shown in fig. 2, the session table entry corresponding to that data stream is deleted. For example, the session table entry corresponding to the message characteristics of the data stream may be deleted from the session table entry list.
In one embodiment, the session table entry is generated when the CPU confirms that the application control policy of the corresponding application allows the data stream corresponding to the application to be released (i.e. passed); step S204 may then be performed as follows: if the new network message hits the session table entry, forward the new network message; if the new network message does not hit the session table entry, discard the new network message.
Specifically, when the CPU identifies that the data stream to which the network message belongs has a corresponding application, and determines that the execution action of that application's control policy is to release the data stream, the CPU generates a session table entry from the message characteristics of the network message; no session table entry is generated when no application is identified. After the forwarding chip receives the session table entry, each subsequently received new network message is matched against the session table entry using its message characteristics. A successful match means the session table entry is hit, and the forwarding chip can then forward the new network message directly without sending it to the CPU for application identification, which speeds up the forwarding of the network message.
If the new network message matches neither this session table entry nor any other session table entry, a further determination may be made: if the data stream is not a new data stream and its network messages have previously been sent to the CPU for processing, the network messages of the data stream continue to be sent to the CPU for processing so that the flow shown in fig. 1 is executed; if the data stream is a new data stream, its network messages likewise need to be sent to the CPU for processing so that the flow shown in fig. 1 is executed.
In another embodiment, the session table entry includes the application control policy of the corresponding application. Step S204 may then be performed as follows: if the new network message hits the session table entry and the application control policy allows the data stream corresponding to the application to be released, forward the new network message; if the application control policy does not allow the data stream corresponding to the application to be released, discard the new network message.
Specifically, after receiving a new network message, the network device extracts the message characteristics from it, matches them against the session table entry and, if the match succeeds, performs the forwarding operation for the new network message based on the application control policy in the session table entry. For example, if the execution action of the application control policy in the session table entry is release, the network device may forward the new network message directly without sending it to the CPU, which increases the forwarding speed; when the execution action is release prohibited, the network device discards the new network message, which saves the CPU the work of processing it.
Optionally, the message characteristics include quintuple information; on this basis, whether the new network message hits the session table entry can be confirmed as follows: if the quintuple information of the new network message is consistent with the quintuple information in the session table entry, the new network message is confirmed to hit the session table entry.
To better understand the message processing method provided in any embodiment of the present application, take the case where the data stream sent to the network device is an HTTP data stream. The forwarding chip receives the 1st to 4th network messages of the HTTP data stream and reports each of them to the CPU; at this point the CPU may be unable to identify the application from the received network messages. After the forwarding chip sends the 5th network message of the HTTP data stream to the CPU, the CPU identifies from the data in the 5th network message that the data stream is an HTTP data stream, generates a session table entry from the message characteristics of the network message and issues it to the forwarding chip. Thereafter, when the forwarding chip receives a new network message, it extracts the message characteristics from it, and if they hit the session table entry it forwards the new network message directly, so the message need not be sent to the CPU for application identification, which further improves the forwarding speed.
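The following is an added example, not code from the patent or from New H3C Security Technologies, that simulates the CPU/forwarding-chip split described above: steps S201 to S204, the two policy embodiments (entries only for released flows, or entries that carry the policy action), the per-protocol limit on identification packets from claim 2, the exact-quintuple hit test, and deletion of the entry after the last packet of the flow. The packet format, the per-protocol limits, the toy HTTP and BitTorrent identifier, the policy table and the use of a FIN flag as the end-of-flow marker are all assumptions made for illustration; the page specifies none of them.

```python
"""Simulation of the forwarding-chip / CPU split described above (added
example, not code from the patent or from New H3C; the packet format,
per-protocol packet budgets, toy application identifier, policy table
and FIN end-of-flow marker are assumptions made for illustration)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FiveTuple = Tuple[str, int, str, int, str]  # src ip, src port, dst ip, dst port, proto


@dataclass
class Packet:
    key: FiveTuple        # the quintuple the session table is matched on
    payload: bytes = b""
    fin: bool = False     # assumption: marks the last packet of the flow


# Assumed "set number" of packets the CPU inspects per protocol before giving
# up on a flow (claim 2 makes it protocol dependent but gives no values).
MAX_IDENT_PACKETS = {"tcp": 5, "udp": 3}
# Assumed application control policy: application -> "permit" / "deny".
APP_POLICY = {"http": "permit", "bittorrent": "deny"}


def identify_application(payload: bytes) -> Optional[str]:
    """Toy identifier (assumption): HTTP by its request line, BitTorrent by
    its handshake prefix; None means the application is not known yet."""
    if payload.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ")) and b" HTTP/1." in payload:
        return "http"
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    return None


class ControlCpu:
    """Slow path: application identification and session entry generation."""

    def __init__(self, chip: "ForwardingChip", embed_policy: bool) -> None:
        self.chip = chip
        # False: install entries only for released flows (claims 3 and 7).
        # True:  every entry carries the policy action (claims 4 and 8).
        self.embed_policy = embed_policy
        self.seen: Dict[FiveTuple, int] = {}  # packets inspected per flow
        self.apps: Dict[FiveTuple, str] = {}  # flows already identified

    def handle(self, pkt: Packet) -> str:
        self.seen[pkt.key] = self.seen.get(pkt.key, 0) + 1
        app = self.apps.get(pkt.key) or identify_application(pkt.payload)
        if app is None:
            # Assumption: an unidentified flow is let through until its budget
            # is exhausted; after that its packets are discarded (claim 2).
            return "drop" if self.seen[pkt.key] >= MAX_IDENT_PACKETS[pkt.key[4]] else "forward"
        self.apps[pkt.key] = app
        action = APP_POLICY.get(app, "deny")  # assumption: unknown application => deny
        if self.embed_policy:
            self.chip.install(pkt.key, action)  # entry carries the policy action
        elif action == "permit":
            self.chip.install(pkt.key, "permit")  # entry only for released flows
        return "forward" if action == "permit" else "drop"


class ForwardingChip:
    """Fast path: exact quintuple match against the session table, else punt."""

    def __init__(self) -> None:
        self.sessions: Dict[FiveTuple, str] = {}
        self.cpu: Optional[ControlCpu] = None
        self.punted = 0  # packets that had to be sent to the CPU

    def install(self, key: FiveTuple, action: str) -> None:
        self.sessions[key] = action  # stands in for the driver interface

    def receive(self, pkt: Packet) -> str:
        action = self.sessions.get(pkt.key)
        if action is None:  # miss: new flow, or one still being identified
            self.punted += 1
            result = self.cpu.handle(pkt)
        else:  # hit: forward or drop without involving the CPU
            result = "forward" if action == "permit" else "drop"
        if pkt.fin:  # last packet of the flow: delete its entry
            self.sessions.pop(pkt.key, None)
        return result


def run_flow(embed_policy: bool, payloads: List[bytes], dport: int) -> dict:
    """Drives one constructed flow (payloads, then a FIN) through the chip."""
    chip = ForwardingChip()
    chip.cpu = ControlCpu(chip, embed_policy)
    key: FiveTuple = ("10.0.0.5", 40001, "203.0.113.10", dport, "tcp")
    results = [chip.receive(Packet(key, p)) for p in payloads]
    results.append(chip.receive(Packet(key, fin=True)))
    return {"results": results, "punted": chip.punted, "sessions": len(chip.sessions)}


# Constructed input. HTTP_FLOW replays the example in the description: four
# packets the CPU cannot classify, the fifth carrying the request, then data.
HTTP_FLOW = [b"\x00" * 8] * 4 + [b"GET /index.html HTTP/1.1\r\nHost: a\r\n"] + [b"data"] * 3
# DENIED_FLOW is identified from its first packet and its policy is deny.
DENIED_FLOW = [b"\x13BitTorrent protocol" + b"\x00" * 8] + [b"piece"] * 3

if __name__ == "__main__":
    for embed in (False, True):
        print("embed_policy =", embed, run_flow(embed, HTTP_FLOW, 80), run_flow(embed, DENIED_FLOW, 6881))
```

Running the two flows shows where the two embodiments differ. For the HTTP flow only the first five packets reach the CPU; once the entry is installed the remaining packets, including the FIN, are handled by the session table alone and the entry is gone afterwards. For the denied flow, the embodiment that installs entries only for released flows keeps punting every packet of the denied flow to the CPU (five punts in the simulation), whereas the embodiment whose entry carries the policy action punts only the first packet and drops the rest in the fast path; the page does not say what the chip does with flows that exhaust their identification budget, and the same consideration applies to them. Note also that the page's hit test is exact quintuple equality, so return-direction traffic would need its own entry or a direction-normalised key; the simulation installs one direction only.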
Therefore, through cooperative processing between the forwarding chip (a hardware logic chip) and the CPU (software), both the message forwarding performance and the service processing performance of the network device are greatly improved, the performance of the network device during application identification is greatly improved, and the high-throughput, low-latency deployment requirements of a large-scale network egress are met.
It should be noted that the network device may be, but is not limited to, a network security device, and the like, and the network security device may be, but is not limited to, a firewall, a security gateway, and the like.
Based on the same inventive concept, the application also provides a message processing apparatus corresponding to the message processing method on the CPU side. For the implementation of the message processing apparatus, refer to the description of the message processing method on the CPU side, which is not repeated here.
Referring to fig. 3, fig. 3 shows a message processing apparatus provided in an exemplary embodiment of the present application. The message processing apparatus is disposed in a central processing unit (CPU) of a network device, where the network device further includes a forwarding chip; the apparatus comprises:
a receiving module 301, configured to receive a network packet of a data stream sent by the forwarding chip;
an identifying module 302, configured to perform application identification processing on the data stream according to data in the network message;
a generating module 303, configured to generate a session entry according to a packet feature of the network packet if the identifying module identifies that the data stream has a corresponding application based on the network packet;
a sending module 304, configured to send the session table entry to the forwarding chip, so that after the forwarding chip receives a new network message it forwards the new network message according to the session table entry.
Optionally, based on the foregoing embodiment, the message processing apparatus provided in this embodiment further includes:
a discarding module (not shown in the figure), configured to discard the network packet of the data flow if the application of the data flow is not identified based on the network packet, and the number of network packets used for identifying the data flow reaches a set number corresponding to a packet protocol of the network packet.
Optionally, based on any one of the foregoing embodiments, the message processing apparatus provided in this embodiment further includes:
a query module (not shown in the figure), configured to query the application control policy of the corresponding application before the generating module 303 generates the session table entry according to the message characteristics of the network message;
a determining module (not shown in the figure) configured to confirm that the application control policy is to allow the data stream corresponding to the application to be released;
on this basis, the message processing apparatus provided in this embodiment further includes:
a forwarding module (not shown in the figure), configured to forward the network packet when the determining module determines that the data flow corresponding to the application is allowed to be released.
Optionally, the generating module 303 is further configured to query an application control policy of the corresponding application; generating the session table item according to the message characteristics and the application control strategy;
on this basis, the message processing apparatus provided in this embodiment further includes:
a forwarding module (not shown in the figure), configured to forward the network packet when it is determined that the application control policy is to allow the data flow corresponding to the application to be released.
Optionally, the message feature includes quintuple information; the generating module 303 is specifically configured to generate the session entry according to the five-tuple information.
Based on the same inventive concept, the application also provides a message processing apparatus corresponding to the message processing method on the forwarding chip side. For the implementation of the message processing apparatus, refer to the description of the message processing method on the forwarding chip side, which is not repeated here.
Referring to fig. 4, fig. 4 shows a message processing apparatus disposed in a forwarding chip of a network device according to an exemplary embodiment of the present application, where the network device further includes a central processing unit (CPU); the apparatus comprises:
a first receiving module 401, configured to receive a network packet of a data flow;
a sending module 402, configured to send the network packet to the CPU;
a second receiving module 403, configured to receive a session entry issued by the CPU, where the session entry is generated according to a message feature of the network message when the CPU identifies that the data stream has a corresponding application based on the network message;
the first receiving module 401 is further configured to receive a new network message of the data flow;
a forwarding module 404, configured to forward the new network packet according to the session entry.
Optionally, the session entry is generated when the CPU determines that the application control policy of the corresponding application is to allow passing of the data stream corresponding to the application; the forwarding module 404 is specifically configured to forward the new network packet if the new network packet hits the session entry; and if the new network message does not hit the session table item, discarding the new network message.
Optionally, the session table entry includes an application control policy of the corresponding application; the forwarding module 404 is specifically configured to forward the new network packet if the new network packet hits the session entry, and if the application control policy is to allow the data flow corresponding to the application to be released; and if the application control strategy is that the data flow corresponding to the application is not allowed to be released, discarding the new network message.
Optionally, the message feature includes quintuple information; the forwarding module 404 is specifically configured to confirm that the new network packet hits the session entry according to the following method: and if the quintuple information of the new network message is consistent with the quintuple information in the session table entry, confirming that the new network message hits the session table entry.
Based on the same inventive concept, an embodiment of the present application provides a network device. As shown in fig. 5, the network device includes a central processing unit (CPU) 500, a forwarding chip 501 and a machine-readable storage medium 502. The machine-readable storage medium 502 stores a computer program executable by the CPU 500; the computer program causes the CPU 500 to execute the message processing method provided in any CPU-side embodiment of the present application, and the forwarding chip 501 executes the message processing method provided in any forwarding-chip-side embodiment of the present application. In addition, the network device further includes a communication interface 503 and a communication bus 504, and the CPU 500, the forwarding chip 501, the communication interface 503 and the machine-readable storage medium 502 communicate with each other through the communication bus 504.
The communication bus mentioned in the network device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the network device and other devices.
The machine-readable storage medium 502 may be a memory, which may include random access memory (RAM), DDR SDRAM (double data rate synchronous dynamic random access memory) and non-volatile memory (NVM), such as at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the processor.
The forwarding chip may be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, a discrete Gate or transistor logic device, or a discrete hardware component.
As for the embodiments of the network device and the machine-readable storage medium, since the contents of the related methods are substantially similar to those of the foregoing embodiments of the methods, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the embodiments of the methods.
It is noted that, herein, relational terms such as first and second may be used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between those entities or actions. Also, the terms "comprises", "comprising", or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in the process, method, article or apparatus that comprises the element.
The implementation process of the functions and actions of each unit/module in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, wherein the units/modules described as separate parts may or may not be physically separate, and the parts displayed as units/modules may or may not be physical units/modules, may be located in one place, or may be distributed on a plurality of network units/modules. Some or all of the units/modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (12)

1. A message processing method is characterized in that the method is applied to a CPU in network equipment, and the network equipment also comprises a forwarding chip; the method comprises the following steps:
receiving a network message of the data stream sent by the forwarding chip;
carrying out application identification processing on the data flow according to data in the network message;
if the data stream is identified to have the corresponding application based on the network message, generating a session table entry according to the message characteristics of the network message;
and sending the session table entry to the forwarding chip so that the forwarding chip forwards the new network message according to the session table entry after receiving the new network message.
2. The method of claim 1, further comprising:
if it is not identified based on the network message that the data flow has an application, and the number of network messages used to identify the data flow reaches the set number corresponding to the message protocol of the network messages, discarding the network messages of the data flow.
3. The method of claim 1, further comprising, before generating a session entry according to packet characteristics of the network packet:
inquiring the application control strategy of the corresponding application;
confirming that the application control strategy is that the data stream corresponding to the application is allowed to be released;
the method further comprises the following steps:
and forwarding the network message when the data flow corresponding to the application is allowed to be released.
4. The method of claim 1, wherein generating a session entry according to the packet characteristics of the network packet comprises:
inquiring the application control strategy of the corresponding application;
generating the session table item according to the message characteristics and the application control strategy;
the method further comprises the following steps:
and when it is confirmed that the application control policy allows the data flow corresponding to the application to be released, forwarding the network message.
5. The method of claim 1, wherein the message characteristics include five tuple information;
generating a session table entry according to the message characteristics of the network message, including:
and generating the session table entry according to the quintuple information.
6. A message processing method is characterized in that the message processing method is applied to a forwarding chip in network equipment, and the network equipment also comprises a CPU; the method comprises the following steps:
sending the received network message of the data stream to the CPU;
receiving a session table item issued by the CPU, wherein the session table item is generated according to the message characteristics of the network message when the CPU identifies that the data stream has a corresponding application based on the network message;
receiving a new network message of the data flow;
and forwarding the new network message according to the session table entry.
7. The method of claim 6, wherein the session table entry is generated when the CPU determines that the application control policy of the corresponding application allows the data flow corresponding to the application to be released;
forwarding the new network packet according to the session table entry, including:
if the new network message hits the session table item, forwarding the new network message;
and if the new network message does not hit the session table item, discarding the new network message.
8. The method of claim 6, wherein the session table entry comprises an application control policy of the corresponding application;
forwarding the new network packet according to the session table entry, including:
if the new network message hits the session table entry and the application control policy allows the data stream corresponding to the application to be released, forwarding the new network message;
and if the application control strategy is that the data flow corresponding to the application is not allowed to be released, discarding the new network message.
9. The method according to claim 7 or 8, wherein the message characteristics comprise five tuple information;
confirming that the new network message hits the session table entry according to the following method:
and if the quintuple information of the new network message is consistent with the quintuple information in the session table entry, confirming that the new network message hits the session table entry.
10. A message processing device is characterized in that the message processing device is arranged in a Central Processing Unit (CPU) in network equipment, and the network equipment further comprises a forwarding chip; the apparatus, comprising:
the receiving module is used for receiving the network message of the data stream sent by the forwarding chip;
the identification module is used for carrying out application identification processing on the data flow according to data in the network message;
the generation module is used for generating a session table entry according to the message characteristics of the network message if the identification module identifies that the data stream has the corresponding application based on the network message;
and the sending module is used for sending the session table items to the forwarding chip so that the forwarding chip forwards the new network message according to the session table items after receiving the new network message.
11. A message processing apparatus, which is disposed in a forwarding chip in a network device, where the network device further includes a central processing unit CPU, the apparatus comprising:
the first receiving module is used for receiving a network message of a data stream;
the sending module is used for sending the network message to the CPU;
a second receiving module, configured to receive a session entry issued by the CPU, where the session entry is generated according to a message feature of the network message when the CPU identifies that the data stream has a corresponding application based on the network message;
the first receiving module is further configured to receive a new network message of the data flow;
and the forwarding module is used for forwarding the new network message according to the session table entry.
12. A network device, comprising a central processing unit CPU and a forwarding chip, wherein the CPU is configured to execute the message processing method according to any one of claims 1 to 5, and the forwarding chip is configured to execute the message processing method according to any one of claims 6 to 9.
Priority Applications (1)

Application Number  Priority Date  Filing Date  Title
CN202210454424.XA  2022-04-27  2022-04-27  Message processing method, device and network equipment

Publications (2)

Publication Number  Publication Date
CN114827044A  2022-07-29
CN114827044B  2023-12-26

Family ID: 82508826

Citations (9)

* Cited by examiner, † Cited by third party
Publication number  Priority date  Publication date  Assignee  Title
US20140173709A1 *  2011-12-16  2014-06-19  Avigdor Eldar  Secure user attestation and authentication to a remote server
WO2014177097A1 *  2013-08-16  2014-11-06  ZTE Corporation (中兴通讯股份有限公司)  Flow table entry generation method and corresponding device
CN104717101A *  2013-12-13  2015-06-17  China Telecom Co., Ltd. (中国电信股份有限公司)  Deep packet inspection method and system
CN105939397A *  2015-08-13  2016-09-14  Hangzhou DPtech Technologies Co., Ltd. (杭州迪普科技有限公司)  Message transmission method and device
CN108234323A *  2017-12-08  2018-06-29  The 30th Research Institute of China Electronics Technology Group Corporation (中国电子科技集团公司第三十研究所)  Security-controllable network processing and forwarding method with line-rate performance
CN111131539A *  2019-12-23  2020-05-08  Hangzhou DPtech Technologies Co., Ltd. (杭州迪普科技股份有限公司)  Message forwarding method and device
CN112333097A *  2020-09-29  2021-02-05  New H3C Security Technologies Co., Ltd. (新华三信息安全技术有限公司)  Message forwarding method and device and gateway equipment
CN112737914A *  2020-12-28  2021-04-30  Beijing Topsec Network Security Technology Co., Ltd. (北京天融信网络安全技术有限公司)  Message processing method and device, network equipment and readable storage medium
CN114189905A *  2020-09-15  2022-03-15  Huawei Technologies Co., Ltd. (华为技术有限公司)  Message processing method and related equipment

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
M. Reza HoseinyFarahabady, Ali Jannesari, Zahir Tari, Javid Taheri, Albert Y. Zomaya: "Dynamic Control of CPU Cap Allocations in Stream Processing and Data-Flow Platforms", 2019 IEEE 18th International Symposium on Network Computing and Applications (NCA) *
陈绍黔, 王湘新, 幸雪初, 肖晨阳, 梁剑: "Research and Implementation of the Forwarding Performance of a High-Performance Firewall Based on the Domestic Loongson CPU" (基于国产龙芯CPU的高性能防火墙转发性能的研究与实现), Computer Knowledge and Technology (电脑知识与技术), no. 20 *


Legal Events

Code  Title
PB01  Publication
SE01  Entry into force of request for substantive examination
GR01  Patent grant