[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN110958334A - Message processing method and device - Google Patents

Message processing method and device Download PDF

Info

Publication number
CN110958334A
CN110958334A CN201911171934.0A CN201911171934A CN110958334A CN 110958334 A CN110958334 A CN 110958334A CN 201911171934 A CN201911171934 A CN 201911171934A CN 110958334 A CN110958334 A CN 110958334A
Authority
CN
China
Prior art keywords
ipv6 address
mapping
user role
address
ipv6
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201911171934.0A
Other languages
Chinese (zh)
Other versions
CN110958334B (en
Inventor
刘洪玉
赵海峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New H3C Semiconductor Technology Co Ltd
Original Assignee
New H3C Semiconductor Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by New H3C Semiconductor Technology Co Ltd filed Critical New H3C Semiconductor Technology Co Ltd
Priority to CN201911171934.0A priority Critical patent/CN110958334B/en
Publication of CN110958334A publication Critical patent/CN110958334A/en
Application granted granted Critical
Publication of CN110958334B publication Critical patent/CN110958334B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2101/00Indexing scheme associated with group H04L61/00
    • H04L2101/60Types of network addresses
    • H04L2101/618Details of network addresses
    • H04L2101/659Internet protocol version 6 [IPv6] addresses
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/09Mapping addresses
    • H04L61/25Mapping addresses of the same type
    • H04L61/2503Translation of Internet protocol [IP] addresses

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a message processing method and device, and relates to the field of communication. The method and the device have the advantages that the IPv6 address of the data message and the user role corresponding to the IPv6 address are obtained, the IPv6 address and the user role are mapped, the mapping identifier of the IPv6 address is generated, the data message is forwarded according to the mapping identifier and the matching strategy of the access control list ACL, and occupied switch hardware resources can be reduced when the ACL strategy is executed according to the ACL list.

Description

Message processing method and device
Technical Field
The present application relates to the field of communications. In particular, the present invention relates to a method and an apparatus for processing a packet.
Background
With the development of Internet technology, the available IP addresses in Internet Protocol Version 4 (IPv 4) are becoming insufficient, and the Internet is faced with the problem of IP address exhaustion. The popularization of Internet Protocol Version 6 (IPv 6) upgrades the IP address from the original 32 bits to 128 bits, which can double the number of IP addresses.
The switch can realize the stateless firewall function of the network through an Access Control List (ACL), so that users in various roles can realize isolation or mutual Access, and the safe operation of the network is effectively ensured. The ACL may implement an inter-access policy through an IP + Port (Port) + Protocol (Protocol).
When an IPv6 address is introduced into a switch, the IP address in IPv6 is upgraded from 32 bits to 128 bits relative to the IP address in IPv4, which results in that when the switch executes a corresponding policy on a data packet through an ACL, a large amount of switch hardware resources are consumed, and the scalability of switch service is greatly limited.
Disclosure of Invention
In view of this, the present application provides a message processing method and apparatus, which are used to alleviate the problem that when IPv6 is introduced into a switch, an IP address in IPv6 is upgraded from 32 bits to 128 bits relative to an IP address in IPv4, so that when the switch executes a corresponding policy on a data message through an ACL, a large amount of switch hardware resources are consumed.
In a first aspect, the present application provides a method for processing a packet, including:
acquiring an IPv6 address of the data message and a user role corresponding to the IPv6 address;
mapping the IPv6 address and the user role to generate a mapping identifier of the IPv6 address;
and forwarding the data message according to the mapping identifier and the matching strategy of the access control list ACL.
Optionally, the obtaining of the user role corresponding to the IPv6 address includes:
acquiring a network segment corresponding to an IPv6 address, and determining the corresponding relation between the network segment and a user role;
and acquiring the user role corresponding to the IPv6 address according to the corresponding relation between the network segment and the user role.
Optionally, the obtaining of the user role corresponding to the IPv6 address includes:
and authenticating the user equipment corresponding to the IPv6 address according to a preset rule, and determining the user role corresponding to the IPv6 address.
Optionally, after the IPv6 address is mapped with the user role and the mapping identifier of the IPv6 address is generated, the method further includes:
acquiring an address resolution mapping table of an IPv6 address;
and writing the mapping identification corresponding to the IPv6 address into an address resolution mapping table of the IPv6 address.
Optionally, the obtaining an IPv6 address of the data packet includes:
and acquiring the source IPv6 address and/or the destination IPv6 address of the data message.
In a second aspect, the present application provides a packet processing apparatus, including: the device comprises an acquisition module, a generation module and a control module; the acquisition module is used for acquiring the IPv6 address of the data message and the user role corresponding to the IPv6 address; the generation module is used for mapping the IPv6 address and the user role and generating a mapping identifier of the IPv6 address; and the control module is used for forwarding the data message according to the mapping identifier and the matching strategy of the access control list ACL.
Optionally, the obtaining module is specifically configured to obtain a network segment corresponding to the IPv6 address, and determine a correspondence between the network segment and a user role; and acquiring the user role corresponding to the IPv6 address according to the corresponding relation between the network segment and the user role.
Optionally, the obtaining module is specifically configured to authenticate the user equipment corresponding to the IPv6 address according to a preset rule, and determine a user role corresponding to the IPv6 address.
Optionally, the apparatus further comprises: and the writing module is used for acquiring the address resolution mapping table of the IPv6 address and writing the mapping identifier corresponding to the IPv6 address into the address resolution mapping table of the IPv6 address after the generating module maps the IPv6 address with the user role and generates the mapping identifier of the IPv6 address.
Optionally, the obtaining module is specifically configured to obtain a source IPv6 address and a destination IPv6 address of the data packet.
In a third aspect, the present application further provides an electronic device, including: a processor, a storage medium and a bus, the storage medium storing machine-readable instructions executable by the processor, the processor and the storage medium communicating via the bus when the electronic device is operating, the processor executing the machine-readable instructions to perform the method according to the first aspect.
In a fourth aspect, the present application also provides a storage medium having a computer program stored thereon, the computer program, when executed by a processor, performing the method according to the first aspect.
Therefore, the IPv6 address and the user role are mapped by acquiring the IPv6 address of the data message and the user role corresponding to the IPv6 address, the mapping identifier of the IPv6 address is generated, the data message is forwarded according to the mapping identifier and the matching strategy of the access control list ACL, and the occupied hardware resources of the switch when the ACL strategy is executed according to the ACL list can be reduced.
For example, when the message processing method is applied to a switch with IPV6, the problem that the switch consumes a large amount of switch hardware resources when the switch executes a corresponding policy on a data message through an ACL due to the fact that the IP address in IPV6 is upgraded from 32 bits to 128 bits with respect to the IP address in IPV4 can be effectively alleviated, and the scalability of the switch service can be improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained from the drawings without inventive effort.
Fig. 1 shows a schematic flow chart of a message processing method provided in an embodiment of the present application;
fig. 2 is another schematic flow chart illustrating a message processing method according to an embodiment of the present application;
FIG. 3 illustrates a diagram of generation of mapping identifiers in one embodiment;
FIG. 4 is a schematic diagram illustrating the generation of mapping identifiers in another embodiment;
fig. 5 is a schematic structural diagram illustrating a message processing apparatus according to an embodiment of the present application;
fig. 6 is a schematic structural diagram illustrating a message processing apparatus according to an embodiment of the present application;
fig. 7 is a schematic diagram illustrating another structure of a message processing apparatus according to an embodiment of the present application;
fig. 8 shows a schematic structural diagram of an electronic device provided in an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The embodiment of the present application provides a message processing method, which may be applied to a switch, a router, a firewall device, and the like, and is not limited in this application. Taking the switch as an example, the message processing method can execute a corresponding ACL policy on the data message received by the switch to allow or reject the message to pass, thereby achieving the purpose of controlling the message flow.
Fig. 1 shows a flowchart of a message processing method according to an embodiment of the present application.
As shown in fig. 1, the message processing method may include:
s101, acquiring the IPv6 address of the data message and the user role corresponding to the IPv6 address.
Taking the switch as an example, the switch may be disposed between a plurality of network nodes, and forward the data packet of the previous node to the next node. For example, the two-layer switch may establish a MAC Address table according to a source Media Access Control Address (MAC) Address in the received data packet, and then may look up a destination MAC Address of the data packet in the MAC Address table. When finding out the corresponding destination MAC address, the data message can be forwarded to the corresponding port; when the corresponding destination MAC address cannot be found, the data packet may be broadcast to other ports except the source port.
Before the data message is forwarded by the switch, the switch can execute an ACL policy on the data message according to each matching rule in the ACL table so as to control the transmission of the data message. For example, the switch may obtain the IPv6 address of the data packet, and execute a corresponding ACL policy for the IPv6 address of the data packet, and determine whether to Permit (Permit) or Deny (Deny) forwarding of the data packet. The obtained IPv6 address of the data packet may include a source IPv6 address and/or a destination IPv6 address.
Fig. 2 is another schematic flow chart of the message processing method according to the embodiment of the present application.
Optionally, as shown in fig. 2, in an embodiment, the obtaining of the user role corresponding to the IPv6 address may include:
s201, obtaining a network segment corresponding to the IPv6 address, and determining the corresponding relation between the network segment and the user role.
Taking the campus network as an example, the campus network may include multiple IPv6 addresses corresponding to different users, and multiple IPv6 addresses may forward data packets through the switch. After the switch receives the data message, the network segment corresponding to the IPv6 address of the data message can be determined. The network segments in the campus network may correspond to user roles one to one, for example, as shown in table 1 below:
TABLE 1
Network segment User roles
Network segment 1 Character 1
Network segment 2 Character 2
Network segment 3 Character 3
In table 1, each network segment may include a plurality of IPv6 addresses, for example, network segment 1 may include IP1, IP2, IP3, and so on. The number of IPv6 addresses included in each network segment is not limited by the present application.
And determining the network segment corresponding to the IPv6 address of the obtained data message, and further obtaining the corresponding relation between the network segment corresponding to the IPv6 address of the data message and the user role.
Taking the example shown in table 1, assuming that the network segment corresponding to the IPv6 address of a certain data packet is network segment 1, it can be determined that the corresponding relationship between the network segment corresponding to the IPv6 address of the data packet and the user role is "network segment 1-role 1".
S202, obtaining the user role corresponding to the IPv6 address according to the corresponding relation between the network segment and the user role.
As described above, after obtaining the correspondence between the network segment corresponding to the IPv6 address of the data packet and the user role, the user role corresponding to the IPv6 address of the data packet may be obtained based on the correspondence.
Also, taking the above table 1 as an example, assuming that the corresponding relationship between the network segment corresponding to the IPv6 address of a certain data packet and the user role is "network segment 1-role 1", it can be determined that the user role corresponding to the IPv6 address of the data packet is "role 1".
That is, in this embodiment, the user role may be used to represent the network segment where the IPv6 address of the data packet is located.
In another embodiment, the obtaining of the user role corresponding to the IPv6 address may include: and authenticating the user equipment corresponding to the IPv6 address according to a preset rule, and determining the user role corresponding to the IPv6 address.
The user equipment refers to a network device used by a user corresponding to the IPv6 address, such as: server, computer, panel computer etc. preset rule can refer to: and determining the user role of the user according to the user type to which the user corresponding to the user equipment belongs. Also taking campus networks as an example, in a certain campus network, the user types may include: research and development personnel, marketers, financial personnel, etc.; suppose that: if the research personnel is the role 1, the market personnel is the role 2, and the financial personnel is the role 3, after the IPv6 address is obtained, the user equipment corresponding to the IPv6 address may be authenticated based on the IPv6 address, the user type to which the user corresponding to the user equipment belongs is determined, and then the user role corresponding to the IPv6 address is determined based on the user type to which the user belongs. For example, if it is determined that a user device corresponding to a certain IPv6 address belongs to a developer, it may be determined that the user role corresponding to the IPv6 address is role 1.
S102, mapping the IPv6 address and the user role to generate a mapping identifier of the IPv6 address.
The mapping identifier may correspond to a role identifier of a user role one to one. Correspondingly, the mapping the IPv6 address with the user role to generate the mapping identifier of the IPv6 address may refer to: and acquiring the role identification of the user role as the mapping identification of the IPv6 address. For example, when mapping the IPv6 address with role 1, the generated mapping identifier may be "1"; when mapping the IPv6 address with role 2, the generated mapping identifier may be "2" or the like.
S103, forwarding the data message according to the mapping identifier and the matching strategy of the ACL list.
Optionally, when the ACL policies in the ACL list are configured in advance, the ACL policies may be configured as the inter-access policies between different user roles based on the mapping identifier. Correspondingly, after the mapping identifier of the IPv6 address is generated, the corresponding ACL policy may be executed according to the ACL list based on the mapping identifier of the IPv6 address, and the data packet may be forwarded.
Taking the example of executing the ACL policy for the destination IPv6 address "IP 1", the ACL matching rule may be: the data message with the destination IPv6 address being IP1 is executed as Deny, namely, the data message with the IPv6 address being IP1 is rejected to pass through. Assuming that the mapping identifier of the IP1 is mapping identifier 1, when the ACL policy is configured in advance, the data packet whose destination IPv6 address is IP1 in the ACL matching rule may be modified to "the data packet corresponding to mapping identifier 1 is modified to" Deny ". Then, based on the mapping identifier 1, the corresponding ACL policy may be executed, and the data packet may be matched with the data packet corresponding to the ACL matching rule "mapping identifier 1" as Deny ", so as to refuse to forward the data packet to the network device corresponding to the IP 1.
Optionally, when the ACL policy is executed on the data packet, the corresponding ACL policy may be executed based on the mapping identifier corresponding to the source IPv6 address, or the corresponding ACL policy may be executed based on the mapping identifier corresponding to the destination IPv6 address, or the corresponding ACL policy may be executed based on both the source IPv6 address and the destination IPv6 address, which is not limited herein.
FIG. 3 illustrates a diagram of generation of mapping identifiers in one embodiment.
Optionally, as shown in fig. 3, in the above embodiment in which the network segment determines the corresponding user role according to the IPv6 address, the correspondence between the network segment and the user role may be statically specified in advance (that is, the table 1 may be obtained by statically specifying in advance). For example, as shown in fig. 3, the user roles corresponding to all IPv6 addresses in the network segment where the IP1 is located may be designated as role 1, and the user roles corresponding to all IPv6 addresses in the network segment where the IP2 is located may be designated as role 2. Assuming that the ACL policy is configured as "data packet sent by role 1 to role 2, pass is rejected", for data packet with source IPv6 address being IP1 and destination IPv6 address being IP2, mapping identifier 1 corresponding to IP1 and mapping identifier 2 corresponding to IP2 may be generated, respectively, and then the ACL policy "data packet sent by role 1 to role 2, pass is rejected" is executed based on mapping identifier 1 and mapping identifier 2. In this embodiment, when there are multiple IPv6 addresses in a network segment, the relationship between IPv6 addresses and mapping identifiers is a many-to-one relationship.
Alternatively, in other embodiments, the relationship between the IPv6 addresses and the user roles may be directly specified, for example, one user role may be corresponding to each IPv6 address, or one user role may be corresponding to a plurality of IPv6 addresses, and the specific specifying manner may be set arbitrarily, in which case, the relationship between the IPv6 addresses and the mapping identifiers may be a one-to-one relationship or a many-to-one relationship.
Fig. 4 shows a schematic diagram of generation of mapping identifiers in another embodiment.
Optionally, as shown in fig. 4, in another embodiment of authenticating the user equipment corresponding to the IPv6 address according to the preset rule and determining the user role corresponding to the IPv6 address, as described in the campus network example, the user role corresponding to each IPv6 address may be determined by authenticating the IPv6 address according to the user type corresponding to each IPv6 address, and when the users corresponding to multiple user equipments are all the same user type, the relationship between the IPv6 address and the mapping identifier is also a many-to-one relationship. For example, as shown in fig. 3, the mapping identifier obtained by authenticating the user with IPv6 having IP1, IP2, IP3, and IP4 may be mapping identifier 1, and the mapping identifier obtained by authenticating the user with IPv6 having IP5, IP6, IP7, and IP8 may be mapping identifier 2. It should be noted that, when the ACL policies of role 1 to role 2 are configured in advance, the ACL policies of mapping identifier 1 to mapping identifier 2 may be configured, which is not described herein again.
Or, in other embodiments, similar to the foregoing statically specified embodiment, the preset rule may be that each IPv6 address corresponds to a user role, at this time, the mapping identifier determined according to the IPv6 address is unique, and the relationship between the IPv6 address and the mapping identifier is a one-to-one relationship.
The present application is not limited to the specific manner of mapping the IPv6 address and the user role to generate the mapping identifier of the IPv6 address.
No matter which embodiment is adopted, since the number of the user roles is much smaller than the total number of IPv6 addresses, all the user roles can be represented by the mapping id with smaller bit width relative to the IPv6 address, such as: for the switch introduced with the IPV6 address, the IPV6 address occupies 256 bits, and the mapping identifier may occupy a bit width smaller than 256 bits, such as 12 bits or 24 bits.
When the corresponding ACL policy is executed on the data packet, the switch hardware resources need to be occupied. For example, the switch hardware resource may be a Ternary Content Addressable Memory (TCAM) resource, each ACL lookup may access a TCAM register, and the TCAM may complete a search of an ACL table up to several hundred bits per statement in a short time. When the corresponding ACL strategy is executed on the data message based on the mapping identification with smaller bit width, the occupied switch hardware resource can be smaller than that when the ACL strategy is executed based on the IPv6 address with larger bit width. For example, fewer TCAM resources may be occupied.
In this way, in the embodiment of the present application, the IPv6 address and the user role are mapped by obtaining the IPv6 address of the data packet and the user role corresponding to the IPv6 address, so as to generate the mapping identifier of the IPv6 address, and forward the data packet according to the mapping identifier and the matching policy of the access control list ACL, so that the switch hardware resources occupied when the ACL policy is executed according to the ACL list can be reduced.
For example, when the message processing method is applied to a switch with IPV6, the problem that the switch consumes a large amount of switch hardware resources when the switch executes a corresponding policy on a data message through an ACL due to the fact that the IP address in IPV6 is upgraded from 32 bits to 128 bits with respect to the IP address in IPV4 can be effectively alleviated, and the scalability of the switch service can be improved.
Optionally, in some embodiments, the ACL policy executed on the mask corresponding to the IPv6 address may be implemented by mapping the IPv6 address and the user role to generate a mapping identifier of the IPv6 address, or by mapping the mask corresponding to the IPv6 address and the user role to generate a mapping identifier of the mask corresponding to the IPv6 address, which has the same principle as that of generating the mapping identifier according to the IPv6 address, and is not described herein again.
Optionally, after the IPv6 address is mapped with the user role and the mapping identifier of the IPv6 address is generated, a mapping relationship between the IPv6 address and the mapping identifier may also be established, and when a data packet is subsequently received, the mapping identifier corresponding to the IPv6 address of the data packet may be directly queried based on the mapping relationship, and a corresponding ACL policy is executed based on the mapping identifier obtained by the query.
For example, in one embodiment, the mapping relationship between the IPv6 address and the mapping identifier may be as shown in table 2 below:
TABLE 2
IPv6 address Mapping identification
IP1 Mapping identifier 1
IP2 Mapping identity 2
IPn Mapping identifier m
In Table 1, n is equal to or greater than m, and n and m are each an integer greater than 0.
When n is equal to m, the IP 1-IPn are in one-to-one correspondence with the mapping identifier 1-the mapping identifier m, and each IPv6 address corresponds to one mapping identifier; when n is larger than m, different IPv6 addresses may correspond to different mapping identifications and may also correspond to the same mapping identification. For example, IP1 corresponds to mapping id 1, IP2, IP3, and IP4 correspond to mapping id 2, IPn corresponds to mapping id m, and so on.
Optionally, in the mapping relationship between the IPv6 address and the mapping identifier, the bit width of the mapping identifier may be a bit width size supportable by a chip for executing the ACL policy.
For example, in a broadcast (BroadCom) chip, the supportable bit width size may be 12 bits. When the switch uses the BroadCom chip to execute the ACL policy, the bit width of the mapping identifier in the mapping relationship may be 12 bits. It should be noted that the size of bytes that can be supported by different chips is different, and when other chips are used, the size may not be 12 bytes.
Continuing to take the BroadCom chip as an example, the mapping identifier may be a Segment tag identity identifier (SGTID), the BroadCom chip may support at least 1000 SGTID numbers, and the mapping identifier corresponding to the IPv6 address may be: SGT1, SGT2, SGT3 … SGTm, and the like. It should be noted that the number of SGTID numbers that different BroadCom chips with different specifications can support may be different, and the specific number of SGTID numbers may not be limited.
Fig. 5 is a schematic flowchart illustrating a message processing method according to an embodiment of the present application.
Optionally, as shown in fig. 5, in some embodiments, establishing a mapping relationship between an IPv6 address and a mapping identifier may include:
s501, obtaining an address resolution mapping table of the IPv6 address.
S502, writing the mapping identification corresponding to the IPv6 address into the address resolution mapping table of the IPv6 address.
The Address Resolution mapping table may be an Address Resolution Protocol (ARP) table, where ARP is a Protocol that resolves an IPv6 Address into an ethernet MAC Address. When the exchanger analyzes the target MAC address through the ARP protocol, the IP address and the MAC address mapping relation table item are added in the ARP table of the exchanger for the subsequent forwarding of the data message to the same destination. Therefore, the ARP table already contains information of IPv6 addresses. Therefore, when the mapping relation between the IPv6 address and the mapping identifier is established, only the mapping identifier corresponding to the IPv6 address needs to be written into the ARP table and corresponds to the IPv6 address.
Correspondingly, when a certain data message is received, the ARP table written with the mapping identifier can be queried according to the IPv6 address of the data message, so as to obtain the mapping identifier corresponding to the IPv6 address of the data message, and execute a corresponding ACL policy.
Alternatively, after writing the mapping identifier corresponding to the IPv6 address into the ARP table, a portion of the ARP table used for representing the mapping relationship between the IPv6 address and the mapping identifier may be as follows:
ARP table
Figure BDA0002287909080000141
Wherein, the definitions of n and m are the same as those in the previous embodiment, and are not described herein again.
Based on the message processing method described in the foregoing embodiment, an embodiment of the present application further provides a message processing apparatus, and fig. 6 shows a schematic structural diagram of the message processing apparatus provided in the embodiment of the present application.
As shown in fig. 6, the message processing apparatus may include: the device comprises an acquisition module 11, a generation module 12 and a control module 13; the obtaining module 11 may be configured to obtain an IPv6 address of the data packet and a user role corresponding to the IPv6 address; the generating module 12 may be configured to map the IPv6 address with the user role, and generate a mapping identifier of the IPv6 address; the control module 13 may be configured to forward the data message according to the mapping identifier and the matching policy of the access control list ACL.
Optionally, the obtaining module 11 may be specifically configured to obtain a network segment corresponding to an IPv6 address, and determine a correspondence between the network segment and a user role; and acquiring the user role corresponding to the IPv6 address according to the corresponding relation between the network segment and the user role.
Optionally, the obtaining module 11 may be specifically configured to authenticate the user equipment corresponding to the IPv6 address according to a preset rule, and determine a user role corresponding to the IPv6 address.
Fig. 7 is a schematic diagram illustrating another structure of a message processing apparatus according to an embodiment of the present application.
Optionally, as shown in fig. 7, the message processing apparatus may further include: the writing module 14 is configured to, after the generating module 12 maps the IPv6 address with the user role and generates a mapping identifier of the IPv6 address, obtain an address resolution mapping table of the IPv6 address, and write the mapping identifier corresponding to the IPv6 address into the address resolution mapping table of the IPv6 address.
Optionally, the obtaining module 11 may be specifically configured to obtain a source IPv6 address and a destination IPv6 address of the data packet.
The embodiment of the present application further provides an electronic device, where the electronic device may be a switch, a router, a firewall device, or may also be a data processing chip integrated in the switch, the router, and the firewall device, and this application is not limited thereto.
Fig. 8 shows a schematic structural diagram of an electronic device provided in an embodiment of the present application.
As shown in fig. 8, the electronic device may include: the message processing system comprises a processor 100, a storage medium 200 and a bus (not labeled), wherein the storage medium 200 stores machine-readable instructions executable by the processor 100, when the electronic device runs, the processor 100 communicates with the storage medium 200 through the bus, and the processor 100 executes the machine-readable instructions to execute the message processing method in the foregoing method embodiment. The specific implementation and technical effects are similar, and are not described herein again.
The embodiment of the application also provides a storage medium, and the storage medium can be a U disk, a removable hard disk, a ROM, a RAM, a magnetic disk or an optical disk and the like. The storage medium has stored thereon a computer program which, when executed by the processor, performs the message processing method as described in the preceding method embodiment. The specific implementation and technical effects are similar, and are not described herein again.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A message processing method is characterized by comprising the following steps:
acquiring an IPv6 address of the data message and a user role corresponding to the IPv6 address;
mapping the IPv6 address and the user role to generate a mapping identifier of the IPv6 address;
and forwarding the data message according to the mapping identifier and a matching strategy of an Access Control List (ACL).
2. The method of claim 1, wherein the obtaining the user role corresponding to the IPv6 address comprises:
acquiring a network segment corresponding to the IPv6 address, and determining the corresponding relation between the network segment and a user role;
and acquiring the user role corresponding to the IPv6 address according to the corresponding relation between the network segment and the user role.
3. The method of claim 1, wherein the obtaining the user role corresponding to the IPv6 address comprises:
and authenticating the user equipment corresponding to the IPv6 address according to a preset rule, and determining the user role corresponding to the IPv6 address.
4. The method according to any of claims 1-3, wherein after the mapping the IPv6 address with the user role and generating the mapping identifier of the IPv6 address, the method further comprises:
acquiring an address resolution mapping table of the IPv6 address;
and writing the mapping identification corresponding to the IPv6 address into an address resolution mapping table of the IPv6 address.
5. The method according to any of claims 1-3, wherein obtaining the IPv6 address of the datagram comprises:
and acquiring the source IPv6 address and/or the destination IPv6 address of the data message.
6. A message processing apparatus, comprising:
the acquisition module is used for acquiring the IPv6 address of the data message and the user role corresponding to the IPv6 address;
the generating module is used for mapping the IPv6 address and the user role and generating a mapping identifier of the IPv6 address;
and the control module is used for forwarding the data message according to the mapping identifier and a matching strategy of an Access Control List (ACL).
7. The apparatus according to claim 6, wherein the obtaining module is specifically configured to obtain a network segment corresponding to the IPv6 address, and determine a correspondence between the network segment and a user role; and acquiring the user role corresponding to the IPv6 address according to the corresponding relation between the network segment and the user role.
8. The apparatus of claim 6, wherein the obtaining module is specifically configured to authenticate the user equipment corresponding to the IPv6 address according to a preset rule, and determine the user role corresponding to the IPv6 address.
9. The apparatus according to any one of claims 6-8, further comprising: a writing module, configured to obtain an address resolution mapping table of the IPv6 address after the generating module maps the IPv6 address with the user role and generates the mapping identifier of the IPv6 address, and write the mapping identifier corresponding to the IPv6 address into the address resolution mapping table of the IPv6 address.
10. The apparatus according to any of claims 6-8, wherein the obtaining module is specifically configured to obtain a source IPv6 address and a destination IPv6 address of the data packet.
CN201911171934.0A 2019-11-25 2019-11-25 Message processing method and device Active CN110958334B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911171934.0A CN110958334B (en) 2019-11-25 2019-11-25 Message processing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911171934.0A CN110958334B (en) 2019-11-25 2019-11-25 Message processing method and device

Publications (2)

Publication Number Publication Date
CN110958334A true CN110958334A (en) 2020-04-03
CN110958334B CN110958334B (en) 2022-08-09

Family

ID=69978589

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911171934.0A Active CN110958334B (en) 2019-11-25 2019-11-25 Message processing method and device

Country Status (1)

Country Link
CN (1) CN110958334B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111628939A (en) * 2020-05-20 2020-09-04 新华三信息安全技术有限公司 Flow classification processing method and device
CN112738113A (en) * 2020-12-31 2021-04-30 清华大学 Organization information label generation method and message transmission method
CN115514579A (en) * 2022-11-09 2022-12-23 北京连星科技有限公司 Method and system for realizing service identification based on IPv6 address mapping flow label

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050055573A1 (en) * 2003-09-10 2005-03-10 Smith Michael R. Method and apparatus for providing network security using role-based access control
US20060031925A1 (en) * 2004-08-05 2006-02-09 Alcatel Access control method and apparatus
US20060090208A1 (en) * 2004-10-21 2006-04-27 Smith Michael R Method and system for generating user group identifiers
CN101262474A (en) * 2008-04-22 2008-09-10 武汉理工大学 A cross-domain access control system for realizing role and group mapping based on cross-domain authorization
CN102263679A (en) * 2010-05-24 2011-11-30 杭州华三通信技术有限公司 Source role information processing method and forwarding chip
US20130329738A1 (en) * 2011-02-21 2013-12-12 Nec Corporation Communication system, data base, control apparatus, communication method, and program
CN107332812A (en) * 2016-04-29 2017-11-07 新华三技术有限公司 The implementation method and device of NS software
CN107707477A (en) * 2017-09-28 2018-02-16 杭州迪普科技股份有限公司 The processing method and processing device of message, computer-readable recording medium
CN109327395A (en) * 2018-11-30 2019-02-12 新华三信息安全技术有限公司 A kind of message processing method and device

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050055573A1 (en) * 2003-09-10 2005-03-10 Smith Michael R. Method and apparatus for providing network security using role-based access control
CN1823514A (en) * 2003-09-10 2006-08-23 思科技术公司 Method and apparatus for providing network security using role-based access control
US20060031925A1 (en) * 2004-08-05 2006-02-09 Alcatel Access control method and apparatus
US20060090208A1 (en) * 2004-10-21 2006-04-27 Smith Michael R Method and system for generating user group identifiers
CN101262474A (en) * 2008-04-22 2008-09-10 武汉理工大学 A cross-domain access control system for realizing role and group mapping based on cross-domain authorization
CN102263679A (en) * 2010-05-24 2011-11-30 杭州华三通信技术有限公司 Source role information processing method and forwarding chip
US20130329738A1 (en) * 2011-02-21 2013-12-12 Nec Corporation Communication system, data base, control apparatus, communication method, and program
CN107332812A (en) * 2016-04-29 2017-11-07 新华三技术有限公司 The implementation method and device of NS software
CN107707477A (en) * 2017-09-28 2018-02-16 杭州迪普科技股份有限公司 The processing method and processing device of message, computer-readable recording medium
CN109327395A (en) * 2018-11-30 2019-02-12 新华三信息安全技术有限公司 A kind of message processing method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
汪文勇等: "下一代互联网实名访问机制研究", 《电子科技大学学报》 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111628939A (en) * 2020-05-20 2020-09-04 新华三信息安全技术有限公司 Flow classification processing method and device
CN111628939B (en) * 2020-05-20 2023-06-13 新华三信息安全技术有限公司 Stream classification processing method and device
CN112738113A (en) * 2020-12-31 2021-04-30 清华大学 Organization information label generation method and message transmission method
CN115514579A (en) * 2022-11-09 2022-12-23 北京连星科技有限公司 Method and system for realizing service identification based on IPv6 address mapping flow label

Also Published As

Publication number Publication date
CN110958334B (en) 2022-08-09

Similar Documents

Publication Publication Date Title
US5815664A (en) Address reporting device and method for detecting authorized and unauthorized addresses in a network environment
US20190116220A1 (en) Neighbor Discovery for IPV6 Switching Systems
US8937955B2 (en) System and method for scaling IPv6 addresses in a network environment
US20060098644A1 (en) Translating native medium access control (MAC) addresses to hierarchical MAC addresses and their use
US20070016637A1 (en) Bitmap network masks
CN110958334B (en) Message processing method and device
JP2011040928A (en) Network system, packet forwarding apparatus, packet forwarding method, and computer program
Schwabe et al. Using MAC addresses as efficient routing labels in data centers
CN107580079B (en) Message transmission method and device
CN116547953A (en) Implementing inter-segment traffic policies by a network fabric control plane
US7724728B2 (en) Policy-based processing of packets
US10873564B2 (en) Cloud-based device manager based on message queues
US20160359801A1 (en) Method of and a Processing Device Handling a Protocol Address in a Network
US20160028628A1 (en) Communication system, control apparatus, address allocation method, and program
US11240200B1 (en) Time-dependent network addressing
US7844731B1 (en) Systems and methods for address spacing in a firewall cluster
CN116684869B (en) IPv 6-based park wireless network trusted access method, system and medium
US11902158B2 (en) System and method for forwarding packets in a hierarchical network architecture using variable length addresses
US20130077530A1 (en) Scaling IPv6 on Multiple Devices Virtual Switching System with Port or Device Level Aggregation
US9712541B1 (en) Host-to-host communication in a multilevel secure network
US20060215649A1 (en) Network address converting apparatus using SSW tree
CN113691650B (en) IPv4/IPv6 stateless segmented safety mapping method and control system
CN105450527B (en) The method and device for handling message, sending information, receiving information
CN107547687B (en) Message transmission method and device
CN114301680B (en) Security policy matching method and device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant