
CN101909077A - A peer-to-peer service identification method, device and access network - Google Patents

Publication number
CN101909077A
Authority
CN
China
Prior art keywords
tuple
message
hash
aging counter
information table
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN2010102287370A
Other languages
Chinese (zh)
Inventor
王立芊
陈雪
曹盈盈
刘冬
张崙
邓羽
盖鹏飞
姜欣廷
马东超
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
BEIJING GW DELIGHT TECHNOLOGY Co Ltd
Beijing University of Posts and Telecommunications
Original Assignee
BEIJING GW DELIGHT TECHNOLOGY Co Ltd
Beijing University of Posts and Telecommunications
Application filed by BEIJING GW DELIGHT TECHNOLOGY Co Ltd and Beijing University of Posts and Telecommunications
Priority to CN2010102287370A
Publication of CN101909077A

Abstract

The invention provides a peer-to-peer service identification method, device and access network. The identification method comprises: establishing a reference five-tuple information table; identifying, according to preset application-layer protocol feature values, the P2P protocol messages exchanged between P2P peer nodes that pass through a network device, extracting five-tuple information from those P2P protocol messages and adding it to the reference five-tuple information table; and extracting a first five-tuple from a message to be identified that passes through the network device and matching it against the five-tuple information in the reference five-tuple information table, the message to be identified being judged to be a P2P message if a match is found. The invention can effectively identify the P2P traffic passing through a network device and supports subsequent traffic management and control.

Description

A peer-to-peer service identification method, device and access network
Technical field
The present invention relates to the field of network traffic detection, and in particular to a peer-to-peer service identification method, device and access network.
Background art
The emergence of peer-to-peer (P2P, Peer to Peer), i.e. end-to-end, services has broken the earlier client/server (C/S) model: any two network nodes can share files and exchange information, so that all network members enjoy free and equal functions. At the same time it has created problems for network bandwidth management. Data show that existing P2P applications occupy more than 50% of bandwidth and have become the largest consumer of network bandwidth; the resulting network congestion and quality of service (QoS) problems pose a great challenge to normal network applications and to the spread of key services.
P2P service bandwidth management is based on P2P traffic identification. A P2P traffic identification function deployed on a network device must be accurate, work in real time and be easy to implement.
One conventional method identifies P2P service traffic by the specific port numbers of P2P services, and it is easy to implement. However, most existing P2P applications use dynamic ports: while the program runs, the nodes negotiate port numbers through protocol communication or disguise their ports as those of common services, so port-based identification can no longer accurately identify existing P2P applications.
Another widely used prior-art method is based on feature strings in the application layer of P2P messages. It has a high recognition rate and works in real time, but it cannot identify P2P services whose P2P data flows are encrypted. The prior art also includes methods that identify services by analysing transport-layer characteristics of the traffic, relying on characteristics peculiar to P2P applications such as packet length, use of TCP and UDP, and inter-packet gap. These methods are generally complex to implement; their accuracy rate is high, but they cannot meet real-time requirements.
Summary of the invention
The technical problem to be solved by the present invention is to provide a P2P service identification method, device and access network, so that P2P service traffic is identified effectively.
To solve the above technical problem, the present invention provides the following solutions:
A peer-to-peer service identification method, comprising:
establishing a reference five-tuple information table;
identifying, according to preset application-layer protocol feature values, the P2P protocol messages exchanged between P2P peer nodes that pass through a network device, extracting five-tuple information from those P2P protocol messages and adding it to the reference five-tuple information table;
extracting a first five-tuple from a message to be identified that passes through the network device and matching it against the five-tuple information in the reference five-tuple information table; if a match is found, judging that the message to be identified is a P2P message.
Preferably, in the above identification method,
the reference five-tuple information table is a hash table, and extracting five-tuple information from the P2P protocol message and adding it to the reference five-tuple information table comprises: extracting the five-tuple of the P2P protocol message; computing, with a predetermined hash algorithm, the first hash address corresponding to that five-tuple; and storing the five-tuple in the first hash entry of the hash table according to the first hash address;
matching against the five-tuple information in the reference five-tuple information table comprises: computing, with the same hash algorithm, the second hash address corresponding to the first five-tuple; obtaining, according to the second hash address, the five-tuples under the second hash entry of the hash table that corresponds to the second hash address; and matching the first five-tuple against each five-tuple under the second hash entry: if a match is found, the message to be identified is identified as a P2P message.
Preferably, the above identification method further comprises:
setting and starting a corresponding aging counter for each five-tuple in the reference five-tuple information table, the aging counter having an initial value, and aging the five-tuples with the aging counters, wherein when an aging counter reaches a predetermined value the five-tuple corresponding to that aging counter is deleted; and, when the message to be identified is judged to be a P2P message, restarting the aging counter of the five-tuple that the first five-tuple matched.
The present invention also provides a peer-to-peer service identification device, comprising:
an entry maintenance unit, configured to establish a reference five-tuple information table;
an identification and extraction unit, configured to identify, according to preset application-layer protocol feature values, the P2P protocol messages exchanged between P2P peer nodes that pass through a network device, extract five-tuple information from those P2P protocol messages and add it to the reference five-tuple information table;
a matching unit, configured to extract a first five-tuple from a message to be identified that passes through the network device and match it against the five-tuple information in the reference five-tuple information table, and, if a match is found, to judge that the message to be identified is a P2P message.
Preferably, in the above identification device,
the reference five-tuple information table is a hash table;
the identification and extraction unit is further configured to extract the five-tuple of the P2P protocol message; compute, with a predetermined hash algorithm, the first hash address corresponding to that five-tuple; and store the five-tuple in the first hash entry of the hash table according to the first hash address;
the matching unit is further configured to compute, with the same hash algorithm, the second hash address corresponding to the first five-tuple; obtain, according to the second hash address, the five-tuples under the second hash entry of the hash table that corresponds to the second hash address; and match the first five-tuple against each five-tuple under the second hash entry: if a match is found, the message to be identified is identified as a P2P message.
Preferably, the above identification device further comprises:
an aging unit, configured to set and start a corresponding aging counter for each five-tuple in the reference five-tuple information table, the aging counter having an initial value, and to age the five-tuples with the aging counters, wherein when an aging counter reaches a predetermined value the five-tuple corresponding to that aging counter is deleted; and, when the message to be identified is judged to be a P2P message, to restart the aging counter of the five-tuple that the first five-tuple matched.
The present invention also provides an access network, comprising a central office device and at least two remote devices connected to the central office device:
The remote device is configured to: identify, according to preset application-layer protocol feature values, the P2P protocol messages between P2P peer nodes that pass through this device, stamp a preset label on each such P2P protocol message and send it upstream; receive the five-tuples issued by the central office device and add them to the reference five-tuple information table; and extract a first five-tuple from an uplink data message passing through this device and match it against the five-tuple information in the reference five-tuple information table, the uplink data message being judged to be a P2P message if a match is found;
The central office device is configured to receive the P2P protocol messages carrying the preset label that the remote device sends, extract five-tuples from those P2P protocol messages and issue them to the remote device.
Preferably, in the above access network:
the reference five-tuple information table is a hash table;
the remote device is further configured to compute, with a predetermined hash algorithm, the first hash address corresponding to a five-tuple issued by the central office device, and to store that five-tuple in the first hash entry of the hash table according to the first hash address; and to compute, with the same hash algorithm, the second hash address corresponding to the first five-tuple; obtain, according to the second hash address, the five-tuples under the second hash entry of the hash table that corresponds to the second hash address; and match the first five-tuple against each five-tuple under the second hash entry: if a match is found, the message to be identified is identified as a P2P message.
Preferably, in the above access network:
the remote device is further configured to set and start a corresponding aging counter for each five-tuple in the reference five-tuple information table, the aging counter having an initial value, and to age the five-tuples with the aging counters, wherein when an aging counter reaches a predetermined value the five-tuple corresponding to that aging counter is deleted; and, when the message to be identified is judged to be a P2P message, to restart the aging counter of the five-tuple that the first five-tuple matched.
Preferably, in the above access network:
the remote device is an optical network unit (ONU) and the central office device is an optical line terminal (OLT);
or the remote device is a digital subscriber loop (DSL) remote device and the central office device is a digital subscriber loop (DSL) central office device.
As can be seen from the above, the P2P service identification method, device and access network provided by the invention use the five-tuple information of P2P handshake messages that have already been identified to perform five-tuple matching on data messages, and can therefore effectively identify the P2P traffic passing through a network device and support subsequent traffic management and control. The invention preferably stores the five-tuple information in a hash table and uses hash lookup to speed up matching, which gives it the ability to identify P2P services in real time. The invention also uses an aging mechanism to improve the utilisation of the hash table, which guarantees the accuracy of P2P traffic identification. In addition, to suit the structure of an access network, the invention concentrates the five-tuple extraction function in the central office device, which avoids implementing and running this function repeatedly on every remote device, saves system resources and lightens the processing load on the remote device side. The central office device also manages and controls the five-tuple hash tables of all remote devices centrally, which improves network management and maintenance.
Description of drawings
Fig. 1 is a schematic flow chart of the P2P service identification method according to an embodiment of the invention;
Fig. 2 is a schematic diagram of the storage structure of the hash table used in the identification method according to an embodiment of the invention;
Fig. 3 is a schematic structural diagram of the P2P service identification device according to an embodiment of the invention;
Fig. 4 is a schematic diagram of an application scenario of the identification method according to an embodiment of the invention;
Fig. 5 is a flow chart of the identification method according to an embodiment of the invention in a concrete application;
Fig. 6 is a flow chart of five-tuple aging in an embodiment of the invention;
Fig. 7 is a schematic diagram of another application scenario of the identification method according to an embodiment of the invention;
Fig. 8 is another flow chart of the identification method according to an embodiment of the invention in a concrete application.
Embodiment
Many different P2P protocols exist in the prior art, but the inventors' research and analysis found that their working mechanisms are roughly the same. The currently mainstream BT (BitTorrent) protocol serves as an illustration:
The BT protocol has three roles: seed node, downloading end system and tracker server. The seed node is the end system that supplies a given file; the downloading end system is the user end system preparing to download the file; the tracker server is the central server that coordinates downloading end systems and seed nodes and oversees the whole BT download relationship. The interactions that the BT protocol specifies between end systems, and between an end system and the tracker server, are summarised as follows:
Using the BT client software and a torrent file, the downloading end system sends a Tracker GET message to the BT tracker server in order to request the peer list for the file from the BT server; the peers in this list include the initial seed nodes and end systems that have finished downloading. This message is encapsulated in the HTTP protocol. The tracker server then replies to the BT end system with a Tracker RESPONSE message, which carries a peer list randomly selected by the BT server. After receiving the Tracker RESPONSE message, the BT end system randomly picks a number of nodes from the peer list and actively sends a Handshake message to each selected node. After that, the end systems exchange BitField messages describing which file pieces they have and which they lack. When the whole file has been downloaded, the end system also sends the tracker server a protocol message announcing completion.
The flow for establishing communication between two P2P nodes is as follows. When a P2P peer node communicates with other peer nodes according to the above BT protocol, it has to carry out operations such as port number negotiation with the other nodes through 2 handshake procedures; a handshake message indicates that a P2P data flow is about to occur. In P2P communication, when a host needs to share files from other hosts, it first obtains the list of currently available peer nodes from the relevant server and then sends handshake information to the nodes in the list (the first handshake procedure). A host on the node list that receives the handshake request replies to the requester with a handshake message (the second handshake procedure). After these 2 handshake procedures, P2P data flow communication between the two is established. In this flow, the five-tuple of the second handshake message passing through the network device is identical to the five-tuple of the P2P data flow (the five-tuple comprises the source IP address, destination IP address, source port number, destination port number and protocol type of the message). At present P2P software encrypts only the P2P data messages; the P2P handshake messages are not encrypted. The core idea of the P2P service identification method provided by the invention is therefore to identify the handshake message (one kind of P2P message) by its application-layer protocol feature value, extract its five-tuple information, and then identify the P2P service traffic according to the five-tuple information. The invention is further described below through specific embodiments with reference to the accompanying drawings.
Referring to Fig. 1, the P2P service identification method according to an embodiment of the invention comprises the following steps:
Step 11: establish a reference five-tuple information table.
Step 12: according to preset application-layer protocol feature values, identify the P2P protocol messages exchanged between P2P peer nodes that pass through the network device, extract five-tuple information from those P2P protocol messages and add it to the reference five-tuple information table.
In step 12, the P2P application-layer data (i.e. the P2P payload) of a message can be extracted, and whether the message is a P2P protocol message is judged by analysing the protocol feature value contained in the P2P payload. Different P2P protocols usually have different application-layer protocol feature values. A P2P protocol message (such as a P2P handshake message) generally contains the application-layer protocol feature value specified by its protocol, whereas the feature value in a P2P data message usually cannot be detected because the message may be encrypted; step 12 can therefore usually identify only part of the P2P messages (the P2P handshake messages). In a concrete implementation, the user can configure the protocol feature values flexibly through the network management system as required. For example, the user can first list the P2P protocols of interest and then preset the protocol feature values of those P2P protocols in the network management system.
Step 13: extract a first five-tuple from a message to be identified that passes through the network device and match it against the five-tuple information in the reference five-tuple information table; if a match is found, judge that the message to be identified is a P2P message.
In step 13, the matching can compare the first five-tuple one by one with each five-tuple in the reference five-tuple information table. If the first five-tuple matches any five-tuple in the reference five-tuple information table, the message to be identified is judged to be a P2P message, and it can then be stamped with a specific identifier to indicate that it is a P2P message. If the first five-tuple matches none of the five-tuples in the reference five-tuple information table, the message to be identified is judged not to be a P2P message, and the flow ends directly.
The reference five-tuple information table may hold a large amount of five-tuple information, which makes the one-by-one matching in step 13 laborious and time-consuming. To speed up the matching in step 13, this embodiment can use a hash table as the reference five-tuple information table. Extracting five-tuple information from the P2P message and adding it to the reference five-tuple information table in step 12 then comprises: extracting the five-tuple of the P2P message; computing, with a predetermined hash algorithm, the first hash address corresponding to that five-tuple; and storing the five-tuple in the first hash entry of the hash table according to the first hash address. Step 13 can then use hash lookup to improve identification speed, which gives the method real-time identification capability. In this case, matching against the five-tuple information in the reference five-tuple information table in step 13 comprises: computing, with the same hash algorithm, the second hash address corresponding to the first five-tuple; obtaining, according to the second hash address, the five-tuples under the second hash entry of the hash table that corresponds to the second hash address; and matching the first five-tuple against each five-tuple under the second hash entry: if a match is found, the message to be identified is identified as a P2P message.
Here, preferably, the hash address is computed with a hash algorithm that distributes the five-tuples evenly over the memory (used to store the hash table). To reduce collisions, two or more five-tuples can be stored under one hash entry, so that when different five-tuples have the same hash address they can all be kept under the same hash entry; alternatively, other feasible methods may be used to reduce hash collisions.
Because network traffic changes dynamically, and because a handshake message passing through the network device may also be the first handshake message sent by a host, this embodiment preferably applies an aging mechanism to the five-tuples: a corresponding aging counter is set and started for each five-tuple in the reference five-tuple information table, the aging counter having an initial value, and the five-tuples are aged with the aging counters, wherein when an aging counter reaches a predetermined value the five-tuple corresponding to that aging counter is deleted; and, when the message to be identified is judged to be a P2P message, the aging counter of the five-tuple that the first five-tuple matched is restarted.
As can be seen from the above, the identification method of this embodiment makes flexible use of the five-tuple in the handshake messages between P2P nodes to identify the P2P services in the network accurately, and uses hash lookup for the matching, which satisfies the need for real-time identification. At the same time, the aging mechanism works together with the matching process: when a given P2P flow no longer exists in the network, the five-tuple corresponding to that flow is aged out, which achieves both effective use of the reference five-tuple information table and correct identification of P2P services.
Steps 12 and 13 of the identification method of the above embodiment are explained in more detail below.
Step 12 may specifically comprise:
Step 121: configure the application-layer protocol feature value information used to identify handshake messages in the handshake message identification module.
Step 122: configure the identification system to start working, and start each interface.
Step 123: begin capturing the P2P protocol messages (such as P2P handshake messages) between P2P peer nodes according to the application-layer feature keywords, and hand the P2P protocol messages to the five-tuple extraction process.
Step 124: the five-tuple extraction process extracts the five-tuple information of the P2P protocol message (source IP address/destination IP address, source port number/destination port number, protocol type). According to the communication process of the P2P protocol, this five-tuple information is exactly the five-tuple of the P2P data flow that will be produced.
Step 125: compute the hash address from the five-tuple and store the five-tuple in the reference five-tuple information table (a hash table). Each entry stored in the hash table contains the five-tuple, an aging counter and other necessary information; the concrete storage structure is shown in Fig. 2. The length n of the hash address determines the number m of physical storage locations, with m = 2^n. The hash address is computed with a hash algorithm that distributes the five-tuples evenly over the memory. To reduce collisions, this embodiment can store two or more five-tuples under one hash entry, or use other feasible methods to reduce hash collisions.
Step 13 may specifically comprise:
Step 131: the identification method obtains, in real time, each data message of unknown type that passes through it.
Step 132: obtain the five-tuple information of each data message in real time. To support IP headers of variable length, the five-tuple is located by reading the IP header length field.
Step 133: while the five-tuple is being obtained, compute the hash address with the chosen hash algorithm.
Step 134: read the corresponding hash entry in the hash table according to the hash address of the five-tuple of the unknown-type data message.
Step 135: match the five-tuple of each unknown message one by one against all the five-tuple information stored under the corresponding hash entry.
Step 136: if the five-tuple matches, mark the unknown-type data message as a P2P message; otherwise do not. This mark makes it easy for subsequent modules to process and control the P2P service.
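Steps 123, 124 and 132 as an added C example, not code from the patent: it locates the five-tuple through the IPv4 header length (IHL) field and checks the payload against one configured signature. The function names, the sample packet and the choice of the BitTorrent handshake prefix (byte 19 followed by "BitTorrent protocol") as the only configured feature value are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct five_tuple {
    uint32_t src_ip, dst_ip;      /* host byte order */
    uint16_t src_port, dst_port;
    uint8_t  proto;               /* 6 = TCP, 17 = UDP */
};

/* Configured feature value (assumption: BitTorrent only). A BT handshake
 * payload starts with the byte 19 followed by "BitTorrent protocol". */
static const uint8_t BT_SIG[] = "\x13" "BitTorrent protocol";
#define BT_SIG_LEN 20

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Steps 124/132: extract the five-tuple of an IPv4 TCP/UDP packet and locate
 * its payload. Returns 0 on success, -1 if truncated, malformed or unsupported. */
int parse_five_tuple(const uint8_t *pkt, size_t len, struct five_tuple *ft,
                     const uint8_t **payload, size_t *payload_len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;      /* header length from IHL */
    size_t total = rd16(pkt + 2);
    if (ihl < 20 || total < ihl || total > len) return -1;
    if (rd16(pkt + 6) & 0x1fff) return -1;         /* later fragment: no L4 header */
    const uint8_t *l4 = pkt + ihl;                 /* ports follow the IP options */
    size_t l4len = total - ihl, hdr;
    ft->proto = pkt[9];
    if (ft->proto == 6) {
        if (l4len < 20) return -1;
        hdr = (size_t)(l4[12] >> 4) * 4;           /* TCP data offset */
        if (hdr < 20 || hdr > l4len) return -1;
    } else if (ft->proto == 17) {
        if (l4len < 8) return -1;
        hdr = 8;
    } else {
        return -1;
    }
    ft->src_ip = rd32(pkt + 12);
    ft->dst_ip = rd32(pkt + 16);
    ft->src_port = rd16(l4);
    ft->dst_port = rd16(l4 + 2);
    *payload = l4 + hdr;
    *payload_len = l4len - hdr;
    return 0;
}

/* Step 123: feature-value check on the application-layer payload. */
int is_p2p_handshake(const uint8_t *payload, size_t n)
{
    return n >= BT_SIG_LEN && memcmp(payload, BT_SIG, BT_SIG_LEN) == 0;
}

/* Constructed sample: IPv4/TCP packet 10.0.0.2:6881 -> 10.0.0.9:51413 whose IP
 * header is ihl_words * 4 bytes long (options zero-filled). Returns its length. */
size_t make_sample_packet(uint8_t *buf, unsigned ihl_words,
                          const uint8_t *payload, size_t n)
{
    size_t ihl = ihl_words * 4u, total = ihl + 20 + n;
    memset(buf, 0, total);
    buf[0] = (uint8_t)(0x40 | ihl_words);
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[8] = 64; buf[9] = 6;                       /* TTL, protocol = TCP */
    buf[12] = 10; buf[15] = 2;                     /* 10.0.0.2 */
    buf[16] = 10; buf[19] = 9;                     /* 10.0.0.9 */
    uint8_t *tcp = buf + ihl;
    tcp[0] = 6881 >> 8;  tcp[1] = 6881 & 0xff;
    tcp[2] = 51413 >> 8; tcp[3] = 51413 & 0xff;
    tcp[12] = 5 << 4;                              /* 20-byte TCP header */
    memcpy(tcp + 20, payload, n);
    return total;
}

int main(void)
{
    uint8_t pkt[128];
    struct five_tuple ft;
    const uint8_t *pl; size_t pl_len;
    size_t len = make_sample_packet(pkt, 6, BT_SIG, BT_SIG_LEN); /* 24-byte IP header */
    if (parse_five_tuple(pkt, len, &ft, &pl, &pl_len) == 0 && is_p2p_handshake(pl, pl_len))
        printf("handshake: learn %u -> %u proto %u\n",
               (unsigned)ft.src_port, (unsigned)ft.dst_port, (unsigned)ft.proto);
    return 0;
}
```

Reading fixed offsets instead of the IHL field would take the first option bytes as port numbers on the 24-byte-header sample, so the learned five-tuple would never match the data flow.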
The aging of five-tuples in the identification method of the above embodiment specifically comprises:
Step 311: configure the system's initial five-tuple aging time T and the aging interval t.
Step 312: when a five-tuple is stored in the hash table for the first time, its aging time is set to the system-configured initial value T.
Step 313: the aging process walks the physical addresses in increasing order and, every preset aging interval t, reads the five-tuples under each hash entry one by one. It checks whether the aging time of the five-tuple is greater than or equal to 1; if so, it decrements the aging time by 1; otherwise, it resets the valid flag bit corresponding to the five-tuple, which makes the five-tuple invalid.
Step 314: in the matching process of step 12 above, if the match succeeds (that is, the five-tuple of the unknown-type data message matches a five-tuple under the hash entry that was read), the P2P data flow corresponding to this five-tuple still exists in the network. The aging time of this five-tuple is then restored to the system-configured initial value T, restarting the aging of this five-tuple, so that the five-tuples in the hash table correspond to the P2P data flows in the network.
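The reference table of step 125, the lookup of steps 133 to 136 and the aging of steps 311 to 314, as an added C example that is not the patent's own code. The sizes (n = 8, four five-tuples per hash entry, T = 3), the FNV-1a hash and all identifiers are assumptions of this example; the patent only requires a hash that spreads five-tuples evenly.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HASH_BITS   8                      /* n: length of the hash address in bits */
#define NUM_ENTRIES (1u << HASH_BITS)      /* m = 2^n hash entries */
#define WAYS        4                      /* five-tuples stored per hash entry (>= 2) */
#define AGE_INIT_T  3                      /* T: initial aging time, in intervals of t */

struct five_tuple {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  proto;
};
struct slot { struct five_tuple ft; uint16_t age; uint8_t valid; };
struct ref_table { struct slot e[NUM_ENTRIES][WAYS]; };

void table_init(struct ref_table *t) { memset(t, 0, sizeof *t); }

/* Field-by-field comparison, so struct padding never affects the result. */
static int ft_equal(const struct five_tuple *a, const struct five_tuple *b)
{
    return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip &&
           a->src_port == b->src_port && a->dst_port == b->dst_port &&
           a->proto == b->proto;
}

/* Hash address of a five-tuple: FNV-1a over its 13 bytes, folded to n bits. */
uint32_t ft_hash(const struct five_tuple *ft)
{
    uint32_t w[3] = { ft->src_ip, ft->dst_ip,
                      ((uint32_t)ft->src_port << 16) | ft->dst_port };
    uint32_t h = 2166136261u;
    for (int i = 0; i < 3; i++)
        for (int s = 0; s < 32; s += 8) { h ^= (w[i] >> s) & 0xff; h *= 16777619u; }
    h ^= ft->proto; h *= 16777619u;
    return (h ^ (h >> 16)) & (NUM_ENTRIES - 1);
}

/* Steps 125/312: store a five-tuple learned from a handshake with aging time T.
 * Returns 1 if stored or already present, 0 if the hash entry is full. */
int table_learn(struct ref_table *t, const struct five_tuple *ft)
{
    struct slot *e = t->e[ft_hash(ft)], *free_slot = NULL;
    for (int i = 0; i < WAYS; i++) {
        if (e[i].valid && ft_equal(&e[i].ft, ft)) { e[i].age = AGE_INIT_T; return 1; }
        if (!e[i].valid && !free_slot) free_slot = &e[i];
    }
    if (!free_slot) return 0;
    free_slot->ft = *ft; free_slot->age = AGE_INIT_T; free_slot->valid = 1;
    return 1;
}

/* Steps 133-136 and 314: look up the hash entry, compare every stored
 * five-tuple, and on a hit restore its aging time to T. Returns 1 for P2P. */
int table_match(struct ref_table *t, const struct five_tuple *ft)
{
    struct slot *e = t->e[ft_hash(ft)];
    for (int i = 0; i < WAYS; i++)
        if (e[i].valid && ft_equal(&e[i].ft, ft)) { e[i].age = AGE_INIT_T; return 1; }
    return 0;
}

/* Step 313: one aging pass, run every interval t, in address order.
 * Returns how many five-tuples were invalidated in this pass. */
int table_age_tick(struct ref_table *t)
{
    int expired = 0;
    for (unsigned a = 0; a < NUM_ENTRIES; a++)
        for (int i = 0; i < WAYS; i++) {
            struct slot *s = &t->e[a][i];
            if (!s->valid) continue;
            if (s->age >= 1) s->age--;             /* still alive: subtract 1 */
            else { s->valid = 0; expired++; }      /* reset the valid flag */
        }
    return expired;
}

int main(void)
{
    static struct ref_table t;
    struct five_tuple flow = { 0x0A000002u, 0x0A000009u, 6881, 51413, 6 }; /* constructed */
    table_init(&t);
    table_learn(&t, &flow);
    printf("data packet matches: %d\n", table_match(&t, &flow));
    for (int i = 0; i <= AGE_INIT_T; i++) table_age_tick(&t);
    printf("after T+1 idle intervals: %d\n", table_match(&t, &flow));
    return 0;
}
```

With the step 313 rule as written, an idle five-tuple stays valid through T passes and is invalidated on pass T+1, so a flow must be silent for longer than T times t before its packets stop being marked.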
Based on the above P2P service identification method, this embodiment also provides a P2P service identification device. As shown in Fig. 3, the identification device comprises:
A table entry maintenance unit, configured to establish the reference five-tuple information table;
An identification and extraction unit, configured to identify, according to a preset application-layer protocol feature value, P2P protocol messages between P2P peer nodes that pass through the network device, and to extract five-tuple information from the P2P protocol messages and add it to the reference five-tuple information table;
A matching processing unit, configured to extract a first five-tuple from a message to be identified that passes through the network device and match it against the five-tuple information in the reference five-tuple information table; if it matches, the message to be identified is judged to be a P2P message.
Preferably, the reference five-tuple information table is a hash table. In this case,
The identification and extraction unit is further configured to extract the five-tuple of the P2P protocol message; calculate, using a predetermined hash algorithm, a first hash address corresponding to the five-tuple of the P2P protocol message; and store the five-tuple of the P2P protocol message in a first hash table entry of the hash table according to the first hash address;
The matching processing unit is further configured to calculate, using the hash algorithm, a second hash address corresponding to the first five-tuple; obtain, according to the second hash address, the five-tuples under the second hash table entry of the hash table that corresponds to the second hash address; and match the first five-tuple against each five-tuple under the second hash table entry: if it matches, the message to be identified is identified as a P2P message.
Preferably, the identification device further comprises:
An aging processing unit, configured to set and start a corresponding aging counter for each five-tuple in the reference five-tuple information table, the aging counter having an initial value, and to age the five-tuples using the aging counters, wherein, when an aging counter counts to a predetermined value, the five-tuple corresponding to that aging counter is deleted; and, when the message to be identified is judged to be a P2P message, to restart the aging counter of the five-tuple matched by the first five-tuple.
The P2P service identification method of this embodiment can be applied in an access network. To this end, this embodiment also provides an access network comprising a central office device and at least two remote devices connected to the central office device.
Here, the remote device is configured to identify, according to a preset application-layer protocol feature value, P2P protocol messages between P2P peer nodes that pass through the device, mark each such P2P protocol message with a preset label and send it upstream; to receive the five-tuples issued by the central office device and add them to the reference five-tuple information table; and to extract a first five-tuple from an uplink data message passing through the device and match it against the five-tuple information in the reference five-tuple information table; if it matches, the uplink data message is judged to be a P2P message;
Here, the central office device is configured to receive the P2P protocol messages carrying the preset label that the remote device sends, extract the five-tuple from each such P2P protocol message and issue it to the remote device.
Preferably, the reference five-tuple information table is a hash table. In this case, the remote device is further configured to calculate, using a predetermined hash algorithm, a first hash address corresponding to the five-tuple issued by the central office device and, according to the first hash address, store the five-tuple issued by the central office device in a first hash table entry of the hash table; and to calculate, using the hash algorithm, a second hash address corresponding to the first five-tuple; obtain, according to the second hash address, the five-tuples under the second hash table entry of the hash table that corresponds to the second hash address; and match the first five-tuple against each five-tuple under the second hash table entry: if it matches, the message to be identified is identified as a P2P message.
Preferably, the remote device is further configured to set and start a corresponding aging counter for each five-tuple in the reference five-tuple information table, the aging counter having an initial value, and to age the five-tuples using the aging counters, wherein, when an aging counter counts to a predetermined value, the five-tuple corresponding to that aging counter is deleted; and, when the message to be identified is judged to be a P2P message, to restart the aging counter of the five-tuple matched by the first five-tuple.
Preferably, the remote device is an optical network unit (ONU, Optical Net Unit) and the central office device is an optical line terminal (OLT, Optical Line Terminal). Alternatively, the remote device is a digital subscriber line (DSL, Digital Subscriber Line) remote device and the central office device is a DSL central office device, such as a digital subscriber line access multiplexer (DSLAM, Digital Subscriber Line Access Multiplexer). DSL may specifically include asymmetric digital subscriber line (ADSL), rate-adaptive digital subscriber line (RADSL), high-bit-rate digital subscriber line (HDSL), very-high-bit-rate digital subscriber line (VDSL), and so on.
This embodiment is further described below through two specific applications.
Application 1:
This embodiment can be deployed in the single-node network device shown in Fig. 4. One side of this network device is connected to the network side and the other side to the user side, which includes multiple user terminals. In this application, both five-tuple extraction and maintenance of the five-tuple hash table are performed within the network device. The flow of the P2P service identification method is then as shown in Fig. 5:
Step 500: first, the network device inspects the messages flowing through it according to the application-layer protocol feature value and identifies the P2P protocol messages (such as handshake messages) between P2P nodes.
Step 501: after identifying such a P2P protocol message, the network device copies it to the handling program and extracts the five-tuple information of the message, where the five-tuple is defined as the source IP address, destination IP address, source port number, destination port number and protocol type of the message.
Step 502: after obtaining the five-tuple, the network device calculates a hash address according to a given hash algorithm and stores the five-tuple in the reference five-tuple information table (specifically, a hash table). Besides the five-tuple, the content actually stored in the hash table also includes information fields such as the aging counter and the five-tuple validity flag. At the same time, the network device obtains the five-tuple of each data message that passes through it.
Steps 503 to 506: the network device then matches the five-tuple of the obtained data message against the hash table. If it matches, the data message containing this five-tuple is identified as a P2P message, and the aging counter of the matched five-tuple in the hash table is then updated. If the match is unsuccessful, no operation is performed and this matching process ends.
The above process determines whether a message is a P2P message.
When a P2P data flow disappears from the network, an aging mechanism deletes the corresponding invalid five-tuple in order to improve hash table utilization. This aging mechanism is carried out by the aging process according to the aging counter, as follows:
Referring to Fig. 2, the aging counter is stored in the hash table and, together with the five-tuple and the five-tuple valid flag (a flag of 1 means the corresponding five-tuple is valid and usable; otherwise the corresponding five-tuple has expired), forms one hash table entry. The aging counter is implemented by a counter; when the five-tuple is first stored in the hash table, the counter's initial value is set to init, and init is configurable.
Referring to Fig. 6, the flow of the aging mechanism is:
Step 600: during matching and identification, the network device, through the aging process and at a preset time granularity (time-unit), accesses the hash table entries in the hash table sequentially and reads their aging counters in turn. Here, time-unit is configurable. Only one hash table entry is accessed in each time granularity.
Steps 601 to 603: check whether the value of the aging counter just read is zero. If it equals zero, reset the five-tuple valid flag field, thereby deleting the corresponding five-tuple; if it is greater than zero, decrement it by 1.
The aging process has lower priority than the matching and identification process for read and write operations on the hash table content. A successful five-tuple match shows that the corresponding P2P data flow still exists in the network; the matching process then interrupts the aging process's aging of this five-tuple and resets its aging counter to the initial value, starting a new aging cycle.
Through the matching and identification process and the aging process above, the five-tuples stored in the hash table are kept in correspondence with the P2P data flows currently present in the network.
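The table behaviour of steps 500 to 506 and 600 to 603, as an added Python example that is not code from the patent: each hash table entry holds five-tuple, aging counter and valid flag, the aging process visits one entry per time-unit, and every successful match restores the counter to init. The BitTorrent handshake prefix used as the feature value, CRC32 as the hash algorithm, the number of slots per entry, the handling of a full entry and the sample addresses are assumptions.

```python
import ipaddress
import struct
import zlib
from dataclasses import dataclass
from typing import List, NamedTuple, Optional

# Assumption: the BitTorrent handshake prefix stands in for the "application-layer
# protocol feature value"; the page names neither a protocol nor a signature.
P2P_SIGNATURE = b"\x13BitTorrent protocol"


class FiveTuple(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int  # IP protocol number: 6 = TCP, 17 = UDP

    def key(self) -> bytes:
        return (ipaddress.ip_address(self.src_ip).packed
                + ipaddress.ip_address(self.dst_ip).packed
                + struct.pack("!HHB", self.src_port, self.dst_port, self.proto))


@dataclass
class Slot:
    five_tuple: Optional[FiveTuple] = None
    aging: int = 0
    valid: bool = False  # the five-tuple valid flag


class ReferenceTable:
    def __init__(self, entries: int = 8, slots: int = 2, init: int = 3):
        self.init = init
        self.entries = [[Slot() for _ in range(slots)] for _ in range(entries)]
        self._cursor = 0  # hash table entry the aging process visits next

    def _entry(self, t: FiveTuple) -> List[Slot]:
        # CRC32 is an assumption; the page only says "a given hash algorithm".
        return self.entries[zlib.crc32(t.key()) % len(self.entries)]

    def learn(self, t: FiveTuple) -> bool:
        entry = self._entry(t)
        for slot in entry:
            if slot.valid and slot.five_tuple == t:
                slot.aging = self.init
                return True
        for slot in entry:
            if not slot.valid:
                slot.five_tuple, slot.aging, slot.valid = t, self.init, True
                return True
        return False  # entry full; not learning the flow is this example's policy

    def match(self, t: FiveTuple) -> bool:
        for slot in self._entry(t):
            if slot.valid and slot.five_tuple == t:
                slot.aging = self.init  # flow still alive: restart its aging
                return True
        return False

    def age_tick(self) -> List[FiveTuple]:
        """One time-unit of the aging process: visit exactly one hash table entry."""
        entry = self.entries[self._cursor]
        self._cursor = (self._cursor + 1) % len(self.entries)
        expired = []
        for slot in entry:
            if slot.valid and slot.aging == 0:
                slot.valid = False  # resetting the valid flag deletes the five-tuple
                expired.append(slot.five_tuple)
            elif slot.valid:
                slot.aging -= 1
        return expired

    def age_sweep(self) -> List[FiveTuple]:
        """One full pass over the table, i.e. len(entries) time-units."""
        return [t for _ in self.entries for t in self.age_tick()]


def classify(table: ReferenceTable, t: FiveTuple, payload: bytes) -> str:
    if payload.startswith(P2P_SIGNATURE):
        table.learn(t)
        return "p2p-protocol"
    return "p2p-data" if table.match(t) else "unknown"


def demo():
    table = ReferenceTable(entries=8, slots=2, init=2)
    p2p = FiveTuple("10.0.0.5", "198.51.100.7", 51413, 6881, 6)
    web = FiveTuple("10.0.0.5", "203.0.113.9", 40000, 443, 6)
    data = b"\x00\x00\x00\x01\x02"  # constructed payload without the signature
    verdicts = [classify(table, p2p, P2P_SIGNATURE + bytes(48)),  # handshake: learn
                classify(table, p2p, data),                       # match, aging reset
                classify(table, web, b"\x16\x03\x01")]            # never learned
    expired = table.age_sweep() + table.age_sweep()               # counter 2 -> 1 -> 0
    verdicts.append(classify(table, p2p, data))                   # still valid: reset to 2
    for _ in range(3):                                            # 2 -> 1 -> 0 -> deleted
        expired += table.age_sweep()
    verdicts.append(classify(table, p2p, data))                   # flow aged out
    return verdicts, expired
```

Data messages of the learned flow are classified by table lookup alone, so they are recognised even when their payload carries no signature, and a flow that stops matching is deleted init + 1 full sweeps after its last match.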
Application 2:
This embodiment can also be deployed in the passive optical network (PON) access system shown in Fig. 7, with five-tuple extraction implemented in the optical line terminal (OLT, Optical Line Terminal) and maintenance of the five-tuple hash table implemented in the optical network unit (ONU, Optical Net Unit). The flow of the P2P service identification method is then as shown in Fig. 8:
Step 800: the ONU identifies, according to the application-layer protocol feature value, the P2P protocol messages (such as handshake messages) between P2P nodes that flow through it.
Step 801: the ONU then marks the identified P2P protocol message with a preset label (such as a handshake message label) and sends it upstream to the OLT.
Step 802: the OLT picks out the P2P protocol messages from all uplink messages according to the preset label.
Step 803: after obtaining such a P2P protocol message, the OLT copies it to the OLT handling program and extracts the five-tuple information of the message.
Step 804: the OLT then encapsulates the five-tuple information extracted in step 803 into an operation, administration and maintenance (OAM) frame of the PON system.
Step 805: the OLT sends the OAM frame carrying the five-tuple information downstream to each ONU.
Step 806: after receiving the OAM frame, the ONU extracts the five-tuple information from it.
Step 807: after obtaining the five-tuple, the ONU calculates a hash address according to a given hash algorithm and stores the five-tuple in the five-tuple information hash table. Besides the five-tuple, the content actually stored in the hash table also includes information fields such as the aging counter and the five-tuple validity flag. At the same time, the ONU obtains the five-tuple of each uplink data message.
Steps 808 to 811: the ONU then matches the five-tuple of the obtained data message against the five-tuple information hash table. If it matches any five-tuple in the hash table, the message containing this five-tuple is identified as a P2P application, and the aging counter of the matched five-tuple in the hash table is then updated by restoring its initial value; otherwise, the matching flow ends.
The above process determines whether a message belongs to a P2P application. This application takes advantage of the characteristics of the PON network and concentrates five-tuple extraction in the OLT, which avoids implementing and running this function repeatedly in every ONU, saves system resources and lightens the processing load on the ONU side. The OLT also centrally manages and controls the five-tuple information hash table of each ONU, which strengthens network management and maintenance. This application is not limited to PON access networks: under DSL access, for example, five-tuple extraction can be deployed in the central office device (such as a DSLAM), while maintenance of the five-tuple information hash table and matching and identification are deployed in the DSL customer premises equipment.
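The message exchange of steps 800 to 811, as an added Python example that is not code from the patent: the ONU labels a recognised handshake, the OLT selects it by label, extracts the five-tuple and sends it downstream to every ONU, and each ONU installs it and matches later uplink data. The TLV layout standing in for the OAM frame payload, the label value, the BitTorrent handshake prefix used as the feature value and the addresses are constructed for illustration; a plain dictionary replaces the hash table.

```python
import socket
import struct

# Assumptions (not from the page): the feature value, the label string and the
# TLV layout, which is a constructed stand-in for the OAM frame payload and not
# the OAM format of any PON standard.
P2P_SIGNATURE = b"\x13BitTorrent protocol"
HANDSHAKE_LABEL = "P2P-HANDSHAKE"
TLV_TYPE = 0xF5
TUPLE_FMT = "!4s4sHHB"  # src IP, dst IP, src port, dst port, protocol (IPv4 only)
TUPLE_LEN = struct.calcsize(TUPLE_FMT)  # 13 bytes


def encode_oam(five_tuple):
    """OLT side (steps 803-804): pack one five-tuple into the constructed TLV."""
    src, dst, sport, dport, proto = five_tuple
    value = struct.pack(TUPLE_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                        sport, dport, proto)
    return bytes([TLV_TYPE, len(value)]) + value


def decode_oam(frame):
    """ONU side (step 806): return the five-tuple, or None if the TLV is malformed."""
    if len(frame) != 2 + TUPLE_LEN or frame[0] != TLV_TYPE or frame[1] != TUPLE_LEN:
        return None
    src, dst, sport, dport, proto = struct.unpack(TUPLE_FMT, frame[2:])
    return (socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport, proto)


class OLT:
    def __init__(self):
        self.onus = []

    def uplink(self, five_tuple, payload, label=None):
        if label != HANDSHAKE_LABEL:   # step 802: select by label, no payload inspection
            return None
        frame = encode_oam(five_tuple)
        for onu in self.onus:          # step 805: downstream to each ONU
            onu.downlink(frame)
        return frame


class ONU:
    def __init__(self, olt, init=3):
        self.olt, self.init = olt, init
        self.table = {}  # five-tuple -> aging counter (dict stands in for the hash table)
        olt.onus.append(self)

    def downlink(self, frame):
        five_tuple = decode_oam(frame)
        if five_tuple is None:
            return False               # malformed frame: install nothing
        self.table[five_tuple] = self.init   # step 807
        return True

    def uplink(self, five_tuple, payload):
        if payload.startswith(P2P_SIGNATURE):                      # step 800
            self.olt.uplink(five_tuple, payload, HANDSHAKE_LABEL)  # step 801
            return "p2p-protocol"
        verdict = "unknown"
        if five_tuple in self.table:                               # steps 808-811
            self.table[five_tuple] = self.init
            verdict = "p2p-data"
        self.olt.uplink(five_tuple, payload)
        return verdict


def demo():
    olt = OLT()
    onu_a, onu_b = ONU(olt), ONU(olt)
    flow = ("10.0.0.5", "198.51.100.7", 51413, 6881, 6)
    verdicts = [onu_a.uplink(flow, P2P_SIGNATURE + bytes(48)),  # constructed handshake
                onu_a.uplink(flow, b"\x00\x00\x00\x01\x02"),    # later data, same flow
                onu_b.uplink(("10.0.1.9", "203.0.113.9", 40000, 443, 6), b"\x16\x03\x01")]
    return verdicts, flow in onu_a.table, flow in onu_b.table
```

Because the OLT sends the frame to each ONU, the five-tuple learned from one ONU's handshake ends up in every ONU's table, and an ONU installs nothing from a frame that fails the length and type checks.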
The above are only embodiments of the present invention. It should be noted that those of ordinary skill in the art can make improvements and modifications without departing from the principle of the present invention, and these improvements and modifications shall also be regarded as falling within the protection scope of the present invention.

Claims (10)

1. A peer-to-peer service identification method, characterized by comprising:
Establishing a reference five-tuple information table;
Identifying, according to a preset application-layer protocol feature value, P2P protocol messages between P2P peer nodes that pass through a network device, and extracting five-tuple information from the P2P protocol messages and adding it to the reference five-tuple information table;
Extracting a first five-tuple from a message to be identified that passes through the network device, and matching it against the five-tuple information in the reference five-tuple information table; if it matches, judging that the message to be identified is a P2P message.
2. The identification method according to claim 1, characterized in that:
The reference five-tuple information table is a hash table, and extracting five-tuple information from the P2P protocol message and adding it to the reference five-tuple information table comprises: extracting the five-tuple of the P2P protocol message; calculating, using a predetermined hash algorithm, a first hash address corresponding to the five-tuple of the P2P protocol message; and storing the five-tuple of the P2P protocol message in a first hash table entry of the hash table according to the first hash address;
Matching against the five-tuple information in the reference five-tuple information table comprises: calculating, using the hash algorithm, a second hash address corresponding to the first five-tuple; obtaining, according to the second hash address, the five-tuples under the second hash table entry of the hash table that corresponds to the second hash address; and matching the first five-tuple against each five-tuple under the second hash table entry: if it matches, the message to be identified is identified as a P2P message.
3. The identification method according to claim 1 or 2, characterized by further comprising:
Setting and starting a corresponding aging counter for each five-tuple in the reference five-tuple information table, the aging counter having an initial value, and aging the five-tuples using the aging counters, wherein, when an aging counter counts to a predetermined value, the five-tuple corresponding to that aging counter is deleted; and, when the message to be identified is judged to be a P2P message, restarting the aging counter of the five-tuple matched by the first five-tuple.
4. A peer-to-peer service identification device, characterized by comprising:
A table entry maintenance unit, configured to establish a reference five-tuple information table;
An identification and extraction unit, configured to identify, according to a preset application-layer protocol feature value, P2P protocol messages between P2P peer nodes that pass through a network device, and to extract five-tuple information from the P2P protocol messages and add it to the reference five-tuple information table;
A matching processing unit, configured to extract a first five-tuple from a message to be identified that passes through the network device and match it against the five-tuple information in the reference five-tuple information table; if it matches, the message to be identified is judged to be a P2P message.
5. The identification device according to claim 4, characterized in that:
The reference five-tuple information table is a hash table;
The identification and extraction unit is further configured to extract the five-tuple of the P2P protocol message; calculate, using a predetermined hash algorithm, a first hash address corresponding to the five-tuple of the P2P protocol message; and store the five-tuple of the P2P protocol message in a first hash table entry of the hash table according to the first hash address;
The matching processing unit is further configured to calculate, using the hash algorithm, a second hash address corresponding to the first five-tuple; obtain, according to the second hash address, the five-tuples under the second hash table entry of the hash table that corresponds to the second hash address; and match the first five-tuple against each five-tuple under the second hash table entry: if it matches, the message to be identified is identified as a P2P message.
6. The identification device according to claim 4 or 5, characterized by further comprising:
An aging processing unit, configured to set and start a corresponding aging counter for each five-tuple in the reference five-tuple information table, the aging counter having an initial value, and to age the five-tuples using the aging counters, wherein, when an aging counter counts to a predetermined value, the five-tuple corresponding to that aging counter is deleted; and, when the message to be identified is judged to be a P2P message, to restart the aging counter of the five-tuple matched by the first five-tuple.
7. An access network comprising a central office device and at least two remote devices connected to the central office device, characterized in that:
The remote device is configured to identify, according to a preset application-layer protocol feature value, P2P protocol messages between P2P peer nodes that pass through the device, mark each such P2P protocol message with a preset label and send it upstream; to receive the five-tuples issued by the central office device and add them to the reference five-tuple information table; and to extract a first five-tuple from an uplink data message passing through the device and match it against the five-tuple information in the reference five-tuple information table; if it matches, the uplink data message is judged to be a P2P message;
The central office device is configured to receive the P2P protocol messages carrying the preset label that the remote device sends, extract the five-tuple from each such P2P protocol message and issue it to the remote device.
8. The access network according to claim 7, characterized in that:
The reference five-tuple information table is a hash table;
The remote device is further configured to calculate, using a predetermined hash algorithm, a first hash address corresponding to the five-tuple issued by the central office device and, according to the first hash address, store the five-tuple issued by the central office device in a first hash table entry of the hash table; and to calculate, using the hash algorithm, a second hash address corresponding to the first five-tuple; obtain, according to the second hash address, the five-tuples under the second hash table entry of the hash table that corresponds to the second hash address; and match the first five-tuple against each five-tuple under the second hash table entry: if it matches, the message to be identified is identified as a P2P message.
9. The access network according to claim 7 or 8, characterized in that:
The remote device is further configured to set and start a corresponding aging counter for each five-tuple in the reference five-tuple information table, the aging counter having an initial value, and to age the five-tuples using the aging counters, wherein, when an aging counter counts to a predetermined value, the five-tuple corresponding to that aging counter is deleted; and, when the message to be identified is judged to be a P2P message, to restart the aging counter of the five-tuple matched by the first five-tuple.
10. The access network according to claim 9, characterized in that:
The remote device is an optical network unit (ONU) and the central office device is an optical line terminal (OLT);
Alternatively, the remote device is a digital subscriber line (DSL) remote device and the central office device is a DSL central office device.
CN2010102287370A 2010-07-09 2010-07-09 A peer-to-peer service identification method, device and access network Pending CN101909077A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010102287370A CN101909077A (en) 2010-07-09 2010-07-09 A peer-to-peer service identification method, device and access network

Publications (1)

Publication Number Publication Date
CN101909077A true CN101909077A (en) 2010-12-08

Family

ID=43264394

Country Status (1)

Country Link
CN (1) CN101909077A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20101208