CN102123072B - Implementation method of packet classification processing, network and terminal - Google Patents
- Publication number: CN102123072B (application CN201010001627.0A)
- Authority: CN (China)
- Prior art keywords: data message, network, message, net, source
- Legal status (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed): Expired - Fee Related
Classifications
- H04L63/0227: Network architectures or network communication protocols for network security; separating internal from external traffic, e.g. firewalls; filtering policies
- H04L43/18: Arrangements for monitoring or testing data switching networks; protocol analysers
- H04L69/22: Network arrangements, protocols or services independent of the application payload; parsing or analysis of headers
Abstract
The present invention relates to an implementation method of packet classification processing, and to a network and a terminal. The method is realized on a network that classifies data packets, and comprises a processing method for data packets received by a terminal: the terminal receives a data packet whose packet header carries classification information representing the classification of the packet source, and the terminal processes the data packet differently according to that classification information. The implementation method, network and terminal of the present invention can improve network security.
Description
Technical field
The present invention relates to the field of data communication, and in particular to an implementation method of packet classification processing, and to a network and a terminal.
Background art
The existing Internet is built on IP technology. The openness of IP networks has made the Internet prosper, but it has also brought a large number of security problems. Nodes in the Internet are managed by many organizations in many countries; some nodes are trustworthy and some are not, and a user in the network may receive data packets from trusted nodes as well as from untrusted nodes. In the prior art an IP user cannot tell which data packets were sent by trusted nodes and which by untrusted nodes, and so cannot process them differently. This leaves room for an untrusted node to impersonate a trusted node when accessing the network, and seriously reduces the security of the network.
Summary of the invention
The technical problem to be solved by the present invention is to provide an implementation method of packet classification processing, a network and a terminal, so as to improve network security.
To solve the above technical problem, the present invention provides an implementation method of packet classification processing. The method is realized on a network that classifies data packets, and comprises the following processing method for data packets received by a terminal:
the terminal receives a data packet whose packet header carries classification information representing the classification of the packet source;
the terminal processes the data packet differently according to the classification information.
Further, the classification information in the packet header is determined by an intermediate node according to the classification of the packet source and added to the packet header.
Further, the intermediate node is the access device through which the packet source accesses the network, and the access device processes the original data packet sent by the packet source as follows:
the access device receives the original data packet sent by the packet source;
the access device processes the original data packet, which includes adding to the packet header classification information representing the classification of the packet source;
the access device forwards the processed data packet;
wherein the classification of the packet source is sent to the access device by an authentication server during the access authentication procedure of the packet source.
Further, when the packet classification processing network interworks with an outer network, the intermediate node is the interworking service node (ISN) that connects the packet classification processing network and the outer network, and the ISN processes outer-network data packets as follows:
the ISN receives an outer-network data packet that the outer network sends to the packet classification processing network;
the ISN determines, from the source of the data packet, the classification information that the source has within the packet classification processing network, and converts the outer-network data packet into an inner-network data packet, which includes adding classification information to the packet header according to the determined classification, or modifying classification information already present in the packet header;
the ISN routes and forwards the inner-network data packet within the inner network.
Further, the ISN processes inner-network data packets as follows:
the ISN receives an inner-network data packet that the packet classification processing network sends to the outer network;
the ISN converts the inner-network data packet into an outer-network data packet, which includes modifying or deleting the classification information in the packet header according to the trust status of the outer network;
the ISN routes and forwards the converted data packet to the outer network.
Further, when the terminal processes the received data packet differently, it determines how to process the data packet according to the classification of the packet source combined with the terminal's own attributes and the confidentiality of the service application.
Further, the packet classification processing network is an Internet network or an identity and locator separation network (SILSN).
Further, the classification information is carried in an IPv6 extension header.
Further, the classification information is carried in the Destination Options header of the IPv6 extension headers, and the two highest bits of the Option Type of the Destination Options header are 00 or 01, meaning that a destination node that does not recognise this option respectively processes the remainder of the data packet normally or discards the data packet.
Further, the classification information comprises a source identity type (SIDT) determined according to the terminal type and/or a trust grade (CG) determined according to the trust level of the terminal, wherein the source identity type comprises at least one of: trusted in-network user, in-network group user, in-network Internet-cafe user, trusted homogeneous outer-network user, trusted heterogeneous outer-network user, and untrusted outer-network user.
Further, the packet header also comprises a domain identifier (DID) determined according to the domain in which the terminal is located, and/or an intra-domain identifier of the terminal.
To solve the above technical problem, the present invention also provides a terminal, realized on a communication network, which comprises:
a receiving module, for receiving a data packet whose packet header carries classification information representing the classification of the packet source;
a packet source classification determination module, connected to the receiving module, for determining the classification of the packet source from the classification information in the data packet;
a data packet processing module, connected to the packet source classification determination module, for processing the data packet differently according to the classification of the packet source.
Further, when the data packet processing module processes the received data packet differently, it determines how to process the data packet according to the classification of the packet source combined with the terminal's own attributes and the confidentiality of the service application.
Further, the classification information is carried in an IPv6 extension header.
Further, the classification information is carried in the Destination Options header of the IPv6 extension headers, and the two highest bits of the Option Type of the Destination Options header are 00 or 01, meaning that a destination node that does not recognise this option respectively processes the remainder of the data packet normally or discards the data packet.
Further, the classification information comprises a source identity type (SIDT) determined according to the terminal type and/or a trust grade (CG) determined according to the trust level of the terminal, wherein the source identity type comprises at least one of: trusted in-network user, in-network group user, in-network Internet-cafe user, trusted homogeneous outer-network user, trusted heterogeneous outer-network user, and untrusted outer-network user.
To solve the above technical problem, the present invention also provides a packet classification processing network, which comprises:
a terminal, for sending and receiving data packets, where the packet header of a received data packet carries classification information representing the classification of the packet source, and for processing a received data packet differently according to the classification information it carries;
an intermediate node, connected to the terminal through the network, for receiving and forwarding data packets, and for adding to the packet header of a received data packet, before forwarding it, classification information determined according to the classification of the packet source.
Further, the intermediate node is the access device that provides network access for the terminal; the network also comprises an authentication server connected to the access device, which identifies and authenticates the user of the terminal and, during authentication, notifies the access device serving the terminal of the terminal's classification; the access device adds the corresponding classification information to the packet header of data packets sent by the terminal according to the terminal classification obtained from the authentication server.
Further, the intermediate node is the interworking service node (ISN) between the network and an outer network, and the ISN comprises:
a receiving module, for receiving outer-network data packets that the outer network sends to the packet classification processing network;
a classification information determination module, connected to the receiving module, for determining the classification information that the source of an outer-network data packet has within the packet classification processing network;
a data packet conversion module, connected to the classification information determination module, for converting the outer-network data packet into an inner-network data packet, which includes adding classification information to the packet header according to the determined classification, or modifying classification information already present in the packet header;
a data packet forwarding module, connected to the data packet conversion module, for routing and forwarding the converted inner-network data packet within the packet classification processing network.
Further,
the receiving module of the ISN is also for receiving inner-network data packets that the packet classification processing network sends to other networks;
the classification information determination module of the ISN is also for determining, according to the trust status of the outer network, the classification information of the source of the inner-network data packet in the outer network;
the data packet conversion module of the ISN is also for converting the inner-network data packet into an outer-network data packet, which includes deleting or modifying the classification information in the packet header according to the determined classification information;
the data packet forwarding module of the ISN is also for routing and forwarding the converted outer-network data packet to the outer network.
Further, when the terminal processes the received data packet differently, it determines how to process the data packet according to the classification of the packet source combined with the terminal's own attributes and the confidentiality of the service application.
Further, the classification information is carried in an IPv6 extension header.
Further, the classification information is carried in the Destination Options header of the IPv6 extension headers, and the two highest bits of the Option Type of the Destination Options header are 00 or 01, meaning that a destination node that does not recognise this option respectively processes the remainder of the data packet normally or discards the data packet.
Further, the classification information comprises a source identity type (SIDT) determined according to the terminal type and/or a trust grade (CG) determined according to the trust level of the terminal, wherein the source identity type comprises at least one of: trusted in-network user, in-network group user, in-network Internet-cafe user, trusted homogeneous outer-network user, trusted heterogeneous outer-network user, and untrusted outer-network user.
Further, the packet header also comprises a domain identifier (DID) determined according to the domain in which the terminal is located, and/or an intra-domain identifier of the terminal.
The present invention uses classification information carried in the packet header to represent the classification of the packet source, so that a terminal receiving the packet can distinguish outer-network users from inner-network users and/or trusted users from untrusted users according to that information. The user and the upper-layer services can then process packets differently by classification, which both satisfies the interconnection needs of ordinary services and lets users of the P network identify untrusted users and handle them accordingly. Networking flexibility is thus improved while network security is well guaranteed.
Brief description of the drawings
Fig. 1 is a schematic diagram of the method by which a terminal of the present invention processes packets according to their classification;
Fig. 2 is a schematic diagram of the processing method of the access device of the present invention for data packets;
Fig. 3 is a schematic diagram of the processing method of the interworking service node of the present invention for outer-network data packets;
Fig. 4 is a schematic diagram of the processing method of the interworking service node of the present invention for inner-network data packets sent to the outer network;
Fig. 5 is an architecture diagram of a network in which identity and locator are separated;
Fig. 6 is the processing flow in which the access service node ASN adds the source identity type;
Fig. 7 is the decision method by which the access device ASN sets the source identity type;
Fig. 8 is the flow chart of the interworking service node ISN processing inter-network packets;
Fig. 9 is the decision method by which the interworking service node ISN sets the source identity type of outer-network data packets;
Fig. 10 is a schematic diagram of a terminal processing data packets sent by other users according to the classification information carried in the Destination Options extension header.
Detailed description of the embodiments
The main idea of the implementation method, network and terminal of the present invention is to use the packet header of a data packet to carry classification information representing the classification of the packet source, so that the terminal receiving the data packet can process it differently according to that information.
The present invention is mainly applied to a network that has independent management authority and access control devices at its border, such as an operator's network, an enterprise network or a single autonomous domain. Such a network has a clear boundary with other networks, and its edge devices are responsible for adding or deleting the classification information described in the present invention. For convenience, this independently managed network is referred to here as the P network.
When the P network interworks with other networks such as the Internet, an in-network user receives packets from trusted in-network users and from untrusted outer-network users at the same time. For the security of users and upper-layer services, users of the P network must be able to identify the different sources and/or trust levels of these data packets. To distinguish them, some new control measures have to be taken at the border of the P network, for example at access nodes and intermediate nodes, so that data packets entering the P network carry classification information. A terminal device can then apply different processing to users of different sources or different trust levels according to the classification information carried in the data packet.
As shown in Fig. 1, the implementation method of packet classification processing of the present invention is realized on a packet classification processing network (P network) that classifies data packets, and comprises the following processing method for data packets received by a terminal:
Step 101: the terminal receives a data packet whose packet header carries classification information representing the classification of the packet source;
Step 102: the terminal processes the data packet differently according to the classification information.
When the P network terminal processes the received data packet differently, it determines how to process the packet according to the classification of the packet source combined with the terminal's own attributes and the confidentiality of the service application. For example, a highly confidential server-class terminal can refuse access from untrusted external users and so avoid leaking confidential information. A BBS forum server with some political sensitivity can apply functional restrictions to Internet-cafe users, who are hard to trace, for instance allowing them to browse forum content but not to post new messages. This keeps order in the forum and prevents wrongdoers from using it to publish malicious information.
The classification information of the present invention is determined by an intermediate node (an access device inside the P network, or the interworking service node between the P network and the outer network) according to the packet source after the source has sent the original data packet, and is added to the packet header. It comprises a source identity type and/or a trust grade:
1. Source identity type
The source identity type is determined by the intermediate node according to the type of the packet source, and comprises:
1) trusted ordinary in-network user;
2) in-network group user;
3) in-network Internet-cafe user.
When the P network interworks with outer networks, the source type information additionally comprises, besides the three types above:
4) trusted homogeneous outer-network user;
5) trusted heterogeneous outer-network user (for example a user whose IPv6 source address has been authenticated);
6) untrusted outer-network user.
A user inside the P network, on receiving a data packet from another user forwarded by an intermediate node, can thus distinguish the source of the packet by the source identity type.
2. Trust grade
The trust grade is determined by the intermediate node according to the degree or level of trust placed in the packet source. It may be divided into two grades (for example completely trusted and completely untrusted) or into several, and the P network user receiving the data packet processes it differently according to the trust grade.
In addition, to allow the packet source to be traced, the packet header can also carry a domain identifier, or a domain identifier together with an intra-domain user identifier, where a domain may be a group, an Internet cafe or a network.
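The terminal-side decision of steps 101 and 102, combining the source classification above with the terminal's own attributes, is shown below as an added example; it is not code from the patent. It models the two illustrations given in the description (a confidential server refusing untrusted external users, a sensitive BBS forum letting Internet-cafe users read but not post). The numeric codes for SIDT and CG, the TerminalProfile fields, the operation names, the extension of the forum restriction to untrusted outer-network users, and the fail-closed treatment of a packet that carries no classification at all are assumptions made for this example; the patent defines the categories but not their encoding or these exact rules.

```python
"""Terminal-side differentiated treatment by source classification (steps 101-102).

Added example, not code from the patent. Encodings and rules are assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum


class SIDT(IntEnum):
    """Source identity type, numbered in the order the description lists them (assumed encoding)."""
    IN_NET_TRUSTED_USER = 1
    IN_NET_GROUP_USER = 2
    IN_NET_NETBAR_USER = 3            # Internet-cafe user, hard to trace
    OUT_NET_TRUSTED_HOMOGENEOUS = 4
    OUT_NET_TRUSTED_HETEROGENEOUS = 5
    OUT_NET_UNTRUSTED = 6


class CG(IntEnum):
    """Trust grade: the two-level split the description mentions (assumed encoding)."""
    UNTRUSTED = 0
    TRUSTED = 1


@dataclass(frozen=True)
class Classification:
    sidt: SIDT
    cg: CG


@dataclass(frozen=True)
class TerminalProfile:
    """Attributes of the receiving terminal that the policy combines with the tag."""
    service: str          # "confidential_server", "bbs_forum" or "general" (assumed names)
    confidential: bool    # the service handles confidential information


READ, POST = "read", "post"
ALL_OPS = frozenset({READ, POST})

# A packet that reaches the terminal without any classification is treated as the
# least trusted category (assumption: fail closed rather than fail open).
_UNTAGGED = Classification(SIDT.OUT_NET_UNTRUSTED, CG.UNTRUSTED)


def permitted(profile: TerminalProfile, cls) -> frozenset:
    """Return the set of operations the terminal allows for a source with tag cls."""
    if cls is None:
        cls = _UNTAGGED
    # A confidential service refuses untrusted sources outright (description: "refuse
    # access from untrusted external users").
    if profile.confidential and (cls.cg == CG.UNTRUSTED or cls.sidt == SIDT.OUT_NET_UNTRUSTED):
        return frozenset()
    ops = set(ALL_OPS)
    # A sensitive forum lets hard-to-trace users browse but not post. The patent names
    # Internet-cafe users; untrusted outer-network users are added here by assumption.
    if profile.service == "bbs_forum" and cls.sidt in (SIDT.IN_NET_NETBAR_USER, SIDT.OUT_NET_UNTRUSTED):
        ops.discard(POST)
    return frozenset(ops)


def allowed(profile: TerminalProfile, cls, op: str) -> bool:
    """Convenience check used by the service layer: may this request proceed?"""
    return op in permitted(profile, cls)


if __name__ == "__main__":
    forum = TerminalProfile("bbs_forum", confidential=False)
    netbar = Classification(SIDT.IN_NET_NETBAR_USER, CG.TRUSTED)
    print("netbar user on forum may post:", allowed(forum, netbar, POST))
```

The terminal never derives the classification itself; it relies on the intermediate node having set it, which is why an untagged packet is treated as untrusted here rather than as an in-network user.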
The intermediate node of the present invention is either an in-network access device or an inter-network interworking service node; each is described below.
As shown in Fig. 2, the access device processes the data packet sent by the packet source as follows:
Step 201: the access device receives the original data packet sent by the packet source;
Step 202: the access device processes the original data packet, which includes adding to the packet header classification information representing the classification of the packet source.
Here, the classification of the packet source is sent to the access device by the authentication server during the access authentication procedure of the packet source.
The access device adds different classification information for different source terminal classifications, such as trusted in-network user, in-network group user or in-network Internet-cafe user.
Step 203: the access device forwards the processed data packet.
When the P network interworks with other homogeneous or heterogeneous networks, the interworking service node (ISN) processes the packet headers of inter-network data packets, both packets sent to the outer network and packets sent to the inner network. As shown in Fig. 3, the ISN processes an outer-network data packet sent to the inner network as follows:
Step 301: the ISN receives the outer-network data packet that the outer network sends to the inner network;
Step 302: the ISN determines, from the source of the data packet, the classification information that the source has within the inner network, and converts the outer-network data packet into an inner-network data packet, which includes adding classification information to the packet header according to the determined classification, or modifying classification information already present in the packet header;
Step 303: the ISN routes and forwards the inner-network data packet within the inner network.
As shown in Fig. 4, the ISN processes a data packet sent to the outer network as follows:
Step 401: the ISN receives the inner-network data packet that the inner network sends to the outer network;
Step 402: the ISN converts the inner-network data packet into an outer-network data packet, which includes modifying or deleting the classification information in the packet header according to the trust status of the outer network;
Step 403: the ISN routes and forwards the converted data packet to the outer network.
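The three boundary procedures above (steps 201-203 at the access device, 301-303 and 401-403 at the ISN) are shown together below as an added example; it is not code from the patent. Packets are plain dicts so that the focus is on who is allowed to set the tag: the access device tags a terminal's packets with the classification the authentication server delivered at access time; the ISN rewrites the tag on every inbound outer-network packet from its own source tables, so a tag an outside sender placed in the packet itself is never trusted (the "modify classification information already present" case of step 302); and on outbound packets the ISN deletes the tag unless the outer network is trusted. The classification names, the address prefix tables, the refusal to forward packets of an unauthenticated terminal, and the sample packets are constructed for this example.

```python
"""Boundary-node handling of the classification tag (access device and ISN).

Added example, not code from the patent. Names, tables and sample data are assumptions.
"""
from ipaddress import ip_address, ip_network

# Classification names, following the six source identity types in the description.
IN_TRUSTED, IN_GROUP, IN_NETBAR = "in_net_trusted", "in_net_group", "in_net_netbar"
OUT_TRUSTED_HOMO = "out_net_trusted_homogeneous"
OUT_TRUSTED_HETERO = "out_net_trusted_heterogeneous"
OUT_UNTRUSTED = "out_net_untrusted"


class AccessDevice:
    """ASN: learns each terminal's classification from the authentication server (step 202)."""

    def __init__(self):
        self._terminals = {}   # terminal address -> (sidt, trusted, domain id)

    def on_auth_result(self, terminal, sidt, trusted, did):
        """Called with the result the authentication server sends during access authentication."""
        self._terminals[terminal] = (sidt, trusted, did)

    def forward(self, pkt):
        """Steps 201-203: tag the packet from what authentication established, then forward."""
        if pkt["src"] not in self._terminals:
            # Assumption: a terminal that never authenticated gets no tag and is not forwarded.
            raise PermissionError("unauthenticated terminal %s" % pkt["src"])
        sidt, trusted, did = self._terminals[pkt["src"]]
        out = dict(pkt)
        out["class"] = {"sidt": sidt, "cg": trusted, "did": did}
        return out


class InterworkingServiceNode:
    """ISN between the P network and outer networks (steps 301-303 and 401-403)."""

    def __init__(self, homogeneous, heterogeneous_auth, trusted_outer):
        self._homo = [ip_network(n) for n in homogeneous]           # trusted homogeneous peers
        self._hetero = [ip_network(n) for n in heterogeneous_auth]  # e.g. source-address-authenticated IPv6
        self._trusted_outer = [ip_network(n) for n in trusted_outer]  # outer nets that may see the tag

    @staticmethod
    def _in_any(addr, nets):
        a = ip_address(addr)
        return any(a in n for n in nets)

    def classify_outer_source(self, src):
        """Decision of Fig. 9 style: classify by the outer-network source address."""
        if self._in_any(src, self._homo):
            return OUT_TRUSTED_HOMO, True
        if self._in_any(src, self._hetero):
            return OUT_TRUSTED_HETERO, True
        return OUT_UNTRUSTED, False

    def inbound(self, pkt):
        """Step 302: always overwrite whatever tag the outer packet carried."""
        sidt, trusted = self.classify_outer_source(pkt["src"])
        out = dict(pkt)
        out["class"] = {"sidt": sidt, "cg": trusted, "did": None}
        return out

    def outbound(self, pkt):
        """Step 402: keep the tag only towards a trusted outer network, else delete it."""
        out = dict(pkt)
        if not self._in_any(pkt["dst"], self._trusted_outer):
            out.pop("class", None)
        return out


if __name__ == "__main__":
    isn = InterworkingServiceNode(["2001:db8:1::/48"], ["2001:db8:2::/48"], ["2001:db8:1::/48"])
    # Constructed sample: an outside sender forging an in-network trusted tag.
    forged = {"src": "2001:db8:9::1", "dst": "2001:db8:10::5", "class": {"sidt": IN_TRUSTED, "cg": True}}
    print("forged tag rewritten to:", isn.inbound(forged)["class"]["sidt"])
```

Whether a tag survives across the border is therefore decided entirely by the boundary node's own tables, never by the value found in the packet; a deployment that merely "adds the tag if missing" on ingress would let an outside sender claim in-network status.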
The classification information of the present invention is carried in an IPv4 or IPv6 packet header; specifically, it can be realized by adding or defining a new header option in the IPv4 or IPv6 packet header. To change the existing packet protocols as little as possible, the present invention preferably uses the extension headers of IPv6 data packets to carry the type information described here.
To distinguish the source of a data packet, the user's classification information must be carried in the IPv6 packet. The current IPv6 protocol has no mature mechanism for carrying source identity classification information in a data packet, so classification information cannot be encapsulated in an IPv6 packet and transmitted. For a P network user to identify what type of user a received packet came from, the IPv6 protocol must be extended so that the data packet carries the sender's classification information.
The extension headers of existing IPv6 data packets are described below.
The IPv6 protocol (RFC 2460) defines the IPv6 packet header shown in Table 1, used to carry additional Internet-layer information:
Table 1
RFC 2460 proposes placing IPv6 extension headers between the IPv6 header and the upper-layer protocol header. Six extension headers are listed in RFC 2460: the Hop-by-Hop Options header, the Routing header, the Fragment header, the Authentication header, the Encapsulating Security Payload header and the Destination Options header.
RFC 2460 assigns a protocol number to each extension header; for example the Hop-by-Hop Options header is 0 and the Destination Options header is 60. When an Internet application needs to use an IPv6 extension header to transmit information, it only has to set the Next Header field in Table 1 to the corresponding protocol number. For example, to transmit data in a Destination Options header, the Next Header field in Table 1 is set to 60.
Several IPv6 extension headers can coexist in a defined order. As shown in Table 2, the IPv6 header is followed by a Routing header, then a Destination Options header, and finally the TCP header.
Table 2
IPv6 header, Next Header = Routing | Routing header, Next Header = Destination Options | Destination Options header, Next Header = TCP | TCP header + data
Of the six extension headers defined for IPv6, the Destination Options header carries information that is examined only by the destination node. Its format is shown in Table 3 below:
Table 3
Wherein, NextHeader represents Next protocol header type, and HdrExtLen represents the length of this destination option extension head, in units of 8 bytes, does not comprise first character joint.
In RFC2460, option (Options) is made up of option type (OptionType), option (OptDataLen) and option data further.And first 3 of option type are all specified, wherein first, second defines the node of this IPV6 data message of process, the action taked when not being familiar with this this label:
00-skips this option and continues process heading
01-abandons this message.
10-abandons this message, sends ICMP
11-abandons this message, when not being multicast address, sends ICMP
In addition, RFC2460 has following regulation to the 3rd of option type (OptionType) the, if option data can affect route, is then set to 1, otherwise is set to 0.
Of the 8 bits of the Option Type, only 5 remain available after the three bits above, so there are in fact only 32 numbers to allocate. The current RFCs have already defined one destination option for the Mobile IP protocol, the Home Address option (The Home Address option), whose value is 0xC9; its low 5 bits are 00111, occupying number 9.
Opt Data Len is expressed in bytes and gives the actual length of the option data; in the embodiments of the method described here it is generally set to 12.
Because the Destination Options header carries information examined by the destination node, and the classification information carried in the packet by this invention is intended for the end user, the invention preferably extends the Destination Options header.
The specific way in which the invention uses the IPv6 Destination Options header to carry classification information (comprising the source identity type and the trust degree) and tracing information (the domain identifier and the intra-domain user identifier) is described below and shown in Table 4:
In the table, Next Header and Hdr Ext Len have the same meanings as above and are not repeated here; the destination extension header options newly added or newly defined by the invention are described below:
1. Option Type (OptionType):
The Option Type in the Destination Options header has 8 bits:
For the high 2 bits the invention makes no particular provision; they can be set by the node processing equipment as circumstances require. For example, where a higher security level is demanded, such as a police network, the bits can be set to 01, meaning that a node which does not recognize this data format discards the whole packet. For nodes of the general kind they can be set to 00, so that even a node which does not recognize this option can still process the whole packet normally, which improves system compatibility and makes the most of existing equipment;
For the 3rd bit: because in this invention intermediate nodes may process this option and the option data can affect routing, it is set to 1;
For the low 5 bits: any of the other 31 numbers, excluding the number 00111 of the Home Address option, can be chosen for the extension; for example, the low 5 bits can be chosen as 11111.
The newly extended option type then has two alternative values:
One is 00111111, i.e. 0x3F, meaning that when the destination node does not recognize this option it should discard the packet.
The other is 01111111, i.e. 0x9F, meaning that when the destination node does not recognize this option it still processes the remainder of the packet normally.
The invention provides a method of carrying a marker of the sender's classification in IPv6 packets. By carrying the sender's classification in the packet, the end user can very easily identify whether a received packet was sent by a trusted node or an untrusted node, and can thus handle packets of different sources and different trust levels differently. More precisely, the invention provides a method of carrying the user source address classification in an extension header of the IPv6 packet header; the method is applicable to networks that use IPv6 for transmission and need to distinguish the source of packets.
2. Source identity type
One byte is allocated for the source identity type (SourceIDType, abbreviated SIDT); the value of each source identity type is defined as follows:
0x00 trusted ordinary user inside the network
0x01 group user inside the network
0x02 Internet cafe user inside the network
0x03 ~ 0x0F reserved
0x80 trusted homogeneous-network user outside the network
0x81 trusted heterogeneous-network user outside the network
0x82 untrusted network user outside the network
0x83 ~ 0x8F reserved
3. Trust degree
One byte is allocated for the trust degree (CredibilityGrade, abbreviated CG). The trust degree lies anywhere between the two extremes of completely trusted and completely untrusted: if the source address is completely untrusted it should be set to 0, and if it is completely trusted it should be set to 255.
4. Domain identifier
The domain identifier (DomainIdentification, abbreviated DID) is information about the domain the packet source belongs to; 48 bits are allocated for it. This identifier has different meanings under different source identity types:
If the source identity type is a trusted ordinary user inside the network: DID can represent the MAC address of the source, or carry no meaning; when it carries no meaning, DID should be set to 0.
If the source identity type is a group user inside the network: DID represents the group number, valid within one operator; for example, China Telecom may treat Legend Company as a group user and assign it the 48-bit group number 0x00000000F001.
If the source identity type is an Internet cafe user inside the network: DID represents the Internet cafe number, valid nationwide.
If the source identity type is a trusted user of a homogeneous P network outside the network: DID identifies that homogeneous network.
If the source identity type is a trusted user of another network (heterogeneous network) outside the network: DID identifies that heterogeneous network.
If the source identity type is an untrusted user of another network: DID is meaningless.
5. Intra-domain user identifier
The intra-domain user identifier (DomainUserIdentification, DUI) represents the user's number within its domain; 32 bits are allocated for it, and it has different meanings under different source identity types:
If the source identity type is a trusted ordinary user inside the network: meaningless.
If the source identity type is a group user inside the network: the user's sequence number within the group.
If the source identity type is an Internet cafe user inside the network: the user's sequence number within the Internet cafe.
If the source identity type is a trusted homogeneous-network user outside the network: the user's number in that network.
If the source identity type is a trusted heterogeneous-network user outside the network: the user's number in that network.
If the source identity type is an untrusted external network user: meaningless.
The relationships between the source address type, DID and DUI are shown in Table 5 below:
Table 5
Source identity type | DID (48 bits) | DUI (32 bits) |
Trusted ordinary user inside the network | May represent a MAC address, or meaningless (all set to 0) | Meaningless |
Group user inside the network | Group number | User number within the group |
Internet cafe user inside the network | Internet cafe number | User number within the Internet cafe |
Trusted homogeneous-network user outside the network | Homogeneous network identifier | User's number within that network |
Trusted heterogeneous-network user outside the network | Heterogeneous network identifier | User's number within that network |
Untrusted external network user | Meaningless | Meaningless |
It is worth noting that the above is only an example. The representation of classification information in a real network, the way source identity types and/or trust degrees are divided, and the allocation order need not strictly follow the description above; as long as the terminal receiving the packet in the P network can perform differentiated processing according to the classification information, it falls within the scope of protection of the invention.
Based on the definitions of the parts above, examples of the destination extension header in various situations are given below as application examples:
Application example 1
Table 6 below shows the destination extension header of a packet sent by an ordinary user inside the network, as received by a P network terminal:
Table 6
Where:
HdrExtLen=1 means 8 bytes follow the first 8 bytes of the header; this length is essentially fixed.
OptionType=0x3F means that if the destination node does not recognize this option it can still process the packet normally.
OptDataLen=12 means the option data is 12 bytes.
Source-IDType=0 means this packet was sent by an ordinary user inside the network.
CG=255 means this user is completely trusted.
DID=0 means DID is not used, i.e. the DID field is meaningless.
DUI=0 means DUI is not used, i.e. the DUI field is meaningless.
Application example 2
Table 7 below shows the destination extension header of a packet sent by a group user inside the network, as received by a P network terminal:
Table 7
Where:
HdrExtLen=1 means 8 bytes follow the first 8 bytes of the header; this length is essentially fixed.
OptionType=0x3F means that if the destination node does not recognize this option it can still process the packet normally.
OptDataLen=12 means the option data is 12 bytes.
Source-IDType=1 means this packet was sent by a group user inside the network.
CG=255 means this user is completely trusted.
DID=0x000000A1 means the user sending this packet belongs to the group whose group number is 101.
DUI=0x55667788 means the user sending this packet has user number 0x55667788 within the group.
Application example 3
Table 8 below shows the destination extension header of a packet sent by an Internet cafe user inside the network, as received by a P network terminal:
Table 8
Where:
HdrExtLen=1 means 8 bytes follow the first 8 bytes of the header; this length is essentially fixed.
OptionType=0x3F means that if the destination node does not recognize this option it can still process the packet normally.
OptDataLen=12 means the option data is 12 bytes.
Source-IDType=2 means this packet was sent by an Internet cafe user inside the network.
CG=1 means this user is barely trusted, close to untrusted.
DID=0x99F8AABBCCDD means the user sending this packet belongs to the Internet cafe whose number is 0x99F8AABBCCDD.
DUI=0x00000005 means the user sending this packet has user number 5 within the Internet cafe.
Application example 4
Table 9 below shows the destination extension header of a packet sent by a trusted homogeneous-network user outside the network, as received by a P network terminal:
Table 9
Where:
HdrExtLen=1 means 8 bytes follow the first 8 bytes of the header; this length is essentially fixed.
OptionType=0x9F means that if the destination node does not recognize this option it should discard the packet.
OptDataLen=12 means the option data is 12 bytes.
Source-IDType=0x80 means this packet was sent by a trusted homogeneous-network user outside the network.
CG=10 means this user is trusted, but the trust degree is not high.
DID=0xA0 means the packet was sent from the trusted external network with number 100; the DID numbering is meaningful only to the single P network itself and need not be globally unified.
DUI=0x11 means the packet was sent by the user numbered 17 in that trusted external network.
Application example 5
Table 10 below shows the destination extension header of a packet sent by a trusted heterogeneous-network user outside the network, as received by a P network terminal:
Table 10
Where:
HdrExtLen=1 means 8 bytes follow the first 8 bytes of the header; this length is essentially fixed.
OptionType=0x9F means that if the destination node does not recognize this option it should discard the packet.
OptDataLen=12 means the option data is 12 bytes.
Source-IDType=0x81 means this packet was sent by a trusted heterogeneous-network user outside the network.
CG=30 gives the trust degree of this user.
DID=3 means the packet was sent from the trusted heterogeneous network with number 3; the DID numbering is assigned by the P network itself and need not be globally unified.
DUI=0x1234 means the packet was sent by the user numbered 0x1234 in that trusted external network.
Application example 6
Table 11 below shows the destination extension header of a packet sent by an untrusted network user outside the network, as received by a P network terminal:
Table 11
Where:
HdrExtLen=1 means 8 bytes follow the first 8 bytes of the header; this length is essentially fixed.
OptionType=0x9F means that if the destination node does not recognize this option it should discard the packet.
OptDataLen=12 means the option data is 12 bytes.
Source-IDType=0x82 means this packet was sent by an untrusted network user outside the network.
CG=0 means this user is completely untrusted.
DID=0 means DID is not used.
DUI=0 means DUI is not used.
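The header layout walked through in the six application examples above, as an added example that is not part of the patent: a Python encoder and parser for the 16-byte Destination Options header carrying the SIDT/CG/DID/DUI option, with the constructed bytes of application example 3 as sample input. The constant, class and function names are this example's own.

```python
"""Added example, not code from the patent: build and parse the IPv6
Destination Options header defined above.  The option carries 12 bytes of
data, SIDT(1) | CG(1) | DID(6) | DUI(4), under Option Type 0x3F or 0x9F.
Unrecognized options are handled by the two high bits of their Option
Type as RFC 2460 specifies; Pad1/PadN options are skipped."""
import struct
from dataclasses import dataclass
from enum import IntEnum

IPPROTO_TCP = 6
IPPROTO_DSTOPTS = 60               # Next Header value that announces this header
CLASS_OPTION_TYPES = (0x3F, 0x9F)  # the two Option Type values the patent defines
OPT_DATA_LEN = 12                  # 1 + 1 + 6 + 4 bytes of option data
OPT_PAD1, OPT_PADN = 0, 1


class UnknownAction(IntEnum):
    """High two bits of an Option Type: what to do when the option is unknown."""
    SKIP = 0                     # 00: skip the option, keep processing the header
    DISCARD = 1                  # 01: discard the packet silently
    DISCARD_ICMP = 2             # 10: discard and send an ICMP Parameter Problem
    DISCARD_ICMP_IF_UNICAST = 3  # 11: as 10, but no ICMP for multicast destinations


@dataclass
class Classification:
    sidt: int   # source identity type, one byte
    cg: int     # trust degree, 0 = untrusted ... 255 = fully trusted
    did: int    # domain identifier, 48 bits
    dui: int    # intra-domain user identifier, 32 bits


def build_dest_opts(next_header: int, option_type: int, c: Classification) -> bytes:
    """Return the 16-byte Destination Options header carrying `c`."""
    if option_type not in CLASS_OPTION_TYPES:
        raise ValueError("Option Type must be 0x3F or 0x9F")
    if not (0 <= c.sidt <= 0xFF and 0 <= c.cg <= 0xFF
            and 0 <= c.did < 1 << 48 and 0 <= c.dui < 1 << 32):
        raise ValueError("classification field out of range")
    opt_data = struct.pack("!BB6sI", c.sidt, c.cg, c.did.to_bytes(6, "big"), c.dui)
    # Hdr Ext Len counts 8-byte units beyond the first 8 bytes: 16 bytes -> 1.
    hdr_ext_len = (4 + OPT_DATA_LEN) // 8 - 1
    return struct.pack("!BBBB", next_header, hdr_ext_len, option_type, OPT_DATA_LEN) + opt_data


def parse_dest_opts(buf: bytes):
    """Parse the header at the start of `buf`.

    Returns (next_header, classification_or_None, header_length, action).
    `action` is UnknownAction.SKIP unless an unrecognized option requires the
    packet to be discarded, in which case parsing stops at that option."""
    if len(buf) < 8:
        raise ValueError("truncated Destination Options header")
    next_header, hdr_ext_len = buf[0], buf[1]
    total = (hdr_ext_len + 1) * 8
    if len(buf) < total:
        raise ValueError("buffer shorter than Hdr Ext Len announces")
    cls = None
    i = 2
    while i < total:
        otype = buf[i]
        if otype == OPT_PAD1:            # Pad1 has no length byte
            i += 1
            continue
        if i + 2 > total:
            raise ValueError("option header overruns the extension header")
        olen = buf[i + 1]
        data = buf[i + 2:i + 2 + olen]
        if len(data) != olen or i + 2 + olen > total:
            raise ValueError("option data overruns the extension header")
        if otype in CLASS_OPTION_TYPES:
            if olen != OPT_DATA_LEN:
                raise ValueError("classification option must carry 12 bytes")
            sidt, cg, did6, dui = struct.unpack("!BB6sI", data)
            cls = Classification(sidt, cg, int.from_bytes(did6, "big"), dui)
        elif otype != OPT_PADN:
            action = UnknownAction(otype >> 6)
            if action is not UnknownAction.SKIP:
                return next_header, None, total, action
        i += 2 + olen
    return next_header, cls, total, UnknownAction.SKIP


if __name__ == "__main__":
    # Constructed input reproducing application example 3 (Internet cafe user).
    hdr = build_dest_opts(IPPROTO_TCP, 0x3F, Classification(2, 1, 0x99F8AABBCCDD, 5))
    print(hdr.hex())
    print(parse_dest_opts(hdr + b"tcp payload follows"))
```

Note that 0x9F is 10011111: under the RFC 2460 rule for the two high bits, a node that does not recognize it discards the packet and sends an ICMP message, whereas 0x3F (00111111) tells it to skip the option, which is the behaviour the application examples rely on.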
The method of the invention can be implemented on an Internet network or on an identity/locator separation network (SILSN). The specific embodiment of the invention is described below with reference to the drawings, taking a SILSN as the basis for implementing the P network.
Fig. 5 shows a network architecture in which the identity identifier is separated from the location identifier. This network is an identity identifier and location identifier separated network comprising access service nodes (AccessServiceNode, ASN), user equipment (UserEquipment, UE), an identity location register (Identification & Location Register, ILR), an authentication server, an interworking service node ISN (InterworkingServiceNode), and so on. The ASN attaches user terminals, is responsible for implementing terminal access, and performs functions such as charging and handover; the ILR performs the location registration function for users; the authentication server performs user identity identification and authentication; and the ISN interconnects users with external users. Each user terminal has a unique identity identifier, namely the access identifier (AccessIdentification, AID).
For convenience of description, this user identity and locator separation network is referred to below as the P1 network, where UE1 and UE3 are intranet users of the P1 network and UE2 is an external user. UE3 can receive packets from UE1 inside the P1 intranet and also packets from UE2 on the external network. The invention helps intranet user UE3 distinguish packets from these different sources with different trust degrees and process them separately.
In Fig. 5, ASN1 and ASN2 are access devices used to attach user terminal equipment UE1 and UE3; UE1 and UE3 have the unique identity identifiers AID1 and AID3 respectively. ISN1 handles packets from users outside the network, such as UE2, and performs format conversion on packets crossing between the P1 intranet and the outside.
ASN processing
Fig. 6 shows the flow by which the ASN of the P1 network adds the source identity type to packets sent by an intranet user:
When a user UE attaches to the network, it is first authenticated by the authentication server via the ASN; after authentication succeeds, the authentication server returns the source identity type. The ASN stores the user's source identity type and, when the user subsequently sends packets, adds the corresponding IPv6 destination extension header option to the packets the user sends.
Step 601, the user terminal UE sends an access request to the ASN;
Step 602, the ASN initiates the authentication procedure for the UE towards the authentication server;
Steps 601 and 602 may involve several message exchanges for mutual authentication.
Step 603, after authentication succeeds, the authentication server returns the user's source identity type to the ASN;
Step 604, the ASN stores the user's source identity type for use in subsequent checks;
Step 605, the ASN notifies the UE that authentication has succeeded and access is allowed;
Step 606, the UE starts sending packets;
Step 607, the ASN adds the corresponding source identity type extension to the IPv6 packets the UE sends.
Of the steps above, 603, 604 and 607 are the key steps for implementing the source identity type check.
Fig. 7 shows the method by which the ASN of the P1 network adds the source identifier extension header to IPv6 packets sent by an intranet user; this figure is a refinement of step 607.
The ASN extracts the source identifier from the packet, determines whether the user is an ordinary user, a group user or an Internet cafe user, and adds a different destination extension header option to the IPv6 header of the packets each kind of user sends:
701, the ASN receives a packet sent by an intranet user, extracts the source identifier from it, and then looks up the source identity type corresponding to that source identifier;
This source identity type was obtained by the ASN from the authentication server.
702 ~ 703, if the packet comes from an ordinary user inside the network, the source identity type (SIDT) is set to 0;
704 ~ 705, if the packet comes from a group user inside the network, the source identity type (SIDT) is set to 1;
706 ~ 707, if the packet comes from an Internet cafe user inside the network, the source identity type (SIDT) is set to 2;
708 ~ 709, if the packet comes from another type of user, the source identity type (SIDT) is set to xxx (i.e. a type not defined in this invention);
710, the packet is sent to the next hop towards its destination.
ISN processing
Fig. 8 is a schematic diagram of how the ISN of the P1 network processes packets coming from the external network and from the intranet.
In this invention the ISN has to do the following:
1. Distinguish the sources of packets from the external network, marking trusted users of similar P networks, trusted users of heterogeneous external networks and untrusted external users with different destination extension header options respectively.
2. For packets sent by users inside the network to users outside the network, modify or delete the IPv6 destination extension header option according to the trust situation of the external network.
Step 801, an external user sends a packet to the ISN;
Step 802, according to the origin of the packet, the ISN determines whether the source is a trusted homogeneous-network user, a trusted heterogeneous-network user or an untrusted user of another network, and for each case adds or modifies the corresponding destination extension header option in the packet;
Step 803, the ISN sends the converted packet to the ASN, which forwards it to the actual intranet user;
Step 804, an intranet user sends a packet whose destination is an external user to the ISN via the ASN;
Step 805, according to the trust situation of the network the destination address belongs to, the ISN either modifies the destination extension header option (for a trusted homogeneous network or a trusted heterogeneous network) or deletes it (for an untrusted network).
Step 806, the ISN sends the converted packet to the external network.
For example:
For a packet sent by an intranet user to a trusted homogeneous network, the source identity type is changed to 0x80, DID is set to the network number of the present network, and DUI is set to 0.
For a packet sent by an intranet user to a trusted heterogeneous network, the source identity type is changed to 0x81, DID is set to the network number of the present network, and DUI is set to 0.
For a packet sent by an intranet user to an untrusted external network, the source identifier extension in the IPv6 Destination Options header is deleted.
Fig. 9 is the detailed flowchart of the ISN replacing or modifying the destination extension header option of packets coming from the external network. After the ISN receives a packet from the external network, it determines whether the originating network is a trusted P network, a trusted heterogeneous network or an untrusted network, and sets the source identity type in packets from these sources to 0x80, 0x81, 0x82, etc. respectively:
901, the ISN receives a packet sent by an external user and, according to the attributes of the source network, starts the flow for adding the source identifier;
902 ~ 903, if the packet comes from a trusted homogeneous-network user outside the network, the source identity type is set to 0x80;
904 ~ 905, if the packet comes from a trusted heterogeneous-network user, the source identity type is set to 0x81;
906 ~ 907, if the packet comes from an untrusted user of another network, the source identity type is set to 0x82;
908 ~ 909, if the packet comes from another user not defined by this invention, the source identity type is set to a reserved value XX;
910, the packet is sent to the next hop towards its destination.
Figure 10 shows a specific application scenario of the invention: an example of how a P1 network user processes the different classes of information it receives. Because the P1 network has classified the different packet sources exhaustively, a user in the P1 network knows very clearly which packets come from external users and which from intranet users, which packets are trusted and to what degree, and can then apply classified processing according to this classification information when carrying out its business:
After the source address type has been verified and distinguished by the method above, a user terminal in the P network that receives packets carrying the types of identifier described above can process them according to the source identity type. For example, a more confidential server-type terminal can refuse access by users whose source identifier is 0x82 (untrusted external users), so that confidential information is not leaked. In addition, a BBS forum server with some political sensitivity can impose functional restrictions on Internet cafe users, whose origin is hard to trace, such as allowing them only to browse forum content but not to post new messages, thereby preserving order on the BBS forum and preventing lawless persons from using the forum to spread false information.
Step 1001, a P1 network user receives a packet and, according to the user's attributes and the confidentiality of the service application, analyses which classes of user this service allows; 802 ~ 804 are examples of the corresponding policies:
Step 1002, when this network user is a secret private network user such as the public security network, it can be restricted from processing any packet from external users, so it only accepts packets whose source identity type is 0 or 1; when this network user is a group user, it can accept only packets whose source identity type is 1, and packets from Internet cafe users (2) and external users (0x80 ~ 0x82) are blocked;
Step 1003, when this network user is a server of a group user, it accepts only packets whose source identity type is 1 (group user) and does not accept messages from other sources.
Step 1004, when this network user is a BBS server with political sensitivity, Internet cafe users and external network users are allowed only to browse BBS information, not to modify or post it, so as to avoid attacks from external users.
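The differentiated processing of steps 1002 to 1004, together with the ISN's outbound rewriting from steps 805 and 806, as an added example that is not part of the patent: Python policy functions over the decoded SIDT/CG/DID/DUI fields. The Role, Decision and DestTrust names and the fail-closed handling of packets without the option or with reserved SIDT values are this example's assumptions.

```python
"""Added example, not code from the patent: the differentiated handling of
steps 1002 to 1004 and the ISN's outbound rewriting of steps 805 and 806,
as policy functions over the decoded fields (SIDT, CG, DID, DUI).
The Role and DestTrust names, the read-only decision and the fail-closed
defaults for absent or reserved SIDT values are this example's assumptions."""
from enum import Enum

# Source identity type values defined by the patent.
SIDT_INTRANET_ORDINARY = 0x00
SIDT_INTRANET_GROUP = 0x01
SIDT_INTRANET_CAFE = 0x02
SIDT_EXTERNAL_TRUSTED_HOMOGENEOUS = 0x80
SIDT_EXTERNAL_TRUSTED_HETEROGENEOUS = 0x81
SIDT_EXTERNAL_UNTRUSTED = 0x82
INTRANET_SIDTS = {SIDT_INTRANET_ORDINARY, SIDT_INTRANET_GROUP, SIDT_INTRANET_CAFE}
EXTERNAL_SIDTS = {SIDT_EXTERNAL_TRUSTED_HOMOGENEOUS,
                  SIDT_EXTERNAL_TRUSTED_HETEROGENEOUS, SIDT_EXTERNAL_UNTRUSTED}


class Role(Enum):
    """Kind of receiving terminal (assumed names for the cases in steps 1002-1004)."""
    SECRET_PRIVATE_NETWORK = "secret private network user, e.g. public security net"
    GROUP_USER = "group user"
    GROUP_SERVER = "server belonging to a group user"
    SENSITIVE_BBS_SERVER = "BBS server handling sensitive content"


class Decision(Enum):
    ACCEPT = "accept"
    READ_ONLY = "browse only, no modifying or posting"
    REJECT = "reject"


# Step 1001: which source classes each service allows at all.
ALLOWED_SIDTS = {
    Role.SECRET_PRIVATE_NETWORK: {SIDT_INTRANET_ORDINARY, SIDT_INTRANET_GROUP},
    Role.GROUP_USER: {SIDT_INTRANET_GROUP},
    Role.GROUP_SERVER: {SIDT_INTRANET_GROUP},
    Role.SENSITIVE_BBS_SERVER: INTRANET_SIDTS | EXTERNAL_SIDTS,
}
# Step 1004: classes the BBS server lets in, but only to browse.
READ_ONLY_SIDTS = {SIDT_INTRANET_CAFE} | EXTERNAL_SIDTS


def terminal_decision(role: Role, sidt) -> Decision:
    """Decide how a terminal of `role` treats a packet whose option carried `sidt`.

    `sidt` is None when the packet carried no classification option; such a
    packet is treated like an unknown class and rejected (assumption: fail
    closed, the patent does not specify this case)."""
    if sidt is None or sidt not in ALLOWED_SIDTS[role]:
        return Decision.REJECT
    if role is Role.SENSITIVE_BBS_SERVER and sidt in READ_ONLY_SIDTS:
        return Decision.READ_ONLY
    return Decision.ACCEPT


class DestTrust(Enum):
    """Trust situation of the external network a packet is sent to (steps 805-806)."""
    TRUSTED_HOMOGENEOUS = "trusted homogeneous P network"
    TRUSTED_HETEROGENEOUS = "trusted heterogeneous network"
    UNTRUSTED = "untrusted network"


def isn_outbound(fields, dest_trust: DestTrust, own_network_number: int):
    """Rewrite (sidt, cg, did, dui) for a packet leaving the P network.

    Returns the new tuple, or None when the option must be deleted (untrusted
    destination).  CG is passed through unchanged: the patent only states the
    SIDT, DID and DUI rewrites, so keeping CG is this example's assumption."""
    _sidt, cg, _did, _dui = fields
    if dest_trust is DestTrust.UNTRUSTED:
        return None
    new_sidt = (SIDT_EXTERNAL_TRUSTED_HOMOGENEOUS
                if dest_trust is DestTrust.TRUSTED_HOMOGENEOUS
                else SIDT_EXTERNAL_TRUSTED_HETEROGENEOUS)
    # DID becomes this network's own number, DUI is cleared (steps 805/806).
    return (new_sidt, cg, own_network_number, 0)


if __name__ == "__main__":
    for role in Role:
        for sidt in (0x00, 0x01, 0x02, 0x80, 0x82, 0x05, None):
            print(role.name, sidt, terminal_decision(role, sidt).value)
    print(isn_outbound((0x01, 255, 0xF001, 7), DestTrust.TRUSTED_HOMOGENEOUS, 0xA0))
```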
It is worth noting that although the embodiments above are illustrated with the P1 identity/location separation network, they are also applicable to other IPv6-based networks, and methods that use other IPv6 extension headers to distinguish and process packets by source region with the method provided here also fall within the scope of protection of the invention.
It should be noted that the embodiments based on the P1 network above mainly illustrate the addition and modification of the source identity type (SIDT) classification information; the trust degree (CG) and the domain identifier (DID) and intra-domain user identifier (DUI) used for tracing are not described in detail above. It is conceivable that replacing SIDT with CG, or adding CG and/or DID and DUI for tracing, can all serve as alternative implementations of the invention without affecting its scope of protection.
To implement the method above, the invention also provides a packet classification processing network, comprising:
A terminal, for sending and receiving packets, where the header of a received packet carries classification information representing the classification of the packet source; and for performing differentiated processing on received packets according to the classification information carried in them;
When the terminal performs differentiated processing on a received packet, it determines how to process the packet according to the packet source classification combined with the terminal's own attributes and the confidentiality of the service application.
An intermediate node, connected to the terminal through the network, for receiving and forwarding packets, and for adding the classification information of the packet source to the header of a received packet, according to the classification of the packet source, before forwarding it.
The intermediate node may be the access device through which the terminal accesses the network, or the interworking service node (ISN) between this network and the external network.
When the intermediate node is an access device, the network also comprises an authentication server connected to the access device; the server performs user identity identification and authentication for terminals and, during authentication, notifies the access device where the terminal is located of the terminal's classification. The access device adds the corresponding classification information to the headers of the packets the terminal sends, according to the terminal classification obtained from the authentication server.
When the intermediate node is the interworking service node (ISN) between this network and the external network, the ISN comprises:
A receiving module, for receiving external packets sent by the external network to the packet classification processing network, and for receiving intranet packets sent by the packet classification processing network to other networks;
A classification information determination module, connected to the receiving module, for determining the classification information of the source of an external packet within the packet classification processing network, and for determining the classification information of the source of an intranet packet within the external network according to the trust situation of the external network;
A packet conversion module, connected to the classification information determination module, for converting an external packet into an intranet packet, which includes adding classification information to the header or modifying the classification information already in the header according to the determined classification information; and for converting an intranet packet into an external packet, which includes deleting or modifying the classification information in the header according to the determined classification information;
A packet forwarding module, connected to the packet conversion module, for routing and forwarding the intranet packet converted by the packet conversion module within the packet classification processing network, and for routing and forwarding the external packet converted by the packet conversion module to the external network.
The classification information is carried by an IPv6 extension header, preferably by the Destination Options header (Destination Options header) of the IPv6 extension headers; the first two bits of the Option Type (OptionType) of the Destination Options header are 00 or 01, indicating respectively that a destination node which does not recognize this option processes the remainder of the packet normally or discards the packet.
The classification information comprises a source identity type (SIDT) determined according to the terminal type and/or a trust degree (CG) determined according to the degree to which the terminal is trusted, where the source identity type comprises at least one of: trusted user inside the network, group user inside the network, Internet cafe user inside the network, trusted homogeneous-network user outside the network, trusted heterogeneous-network user outside the network, untrusted network user outside the network.
To facilitate tracing, the header of the packet also comprises a domain identifier (DID) determined according to the domain the terminal belongs to and/or an intra-domain user identifier (DUI) of the terminal.
In addition, the invention also provides a terminal whose specific functions are the same as described above and are not repeated here.
It can be seen that the invention uses classification information carried in the packet header that represents the classification of the packet source, so that a terminal receiving the packet can distinguish external users from intranet users and/or trusted users from untrusted users according to the classification information in the header. The security of the user and of upper-layer services can thus be differentiated by class: the interconnection needs of the user's general services are met, and P network users can also identify untrusted users and handle them accordingly, which improves networking flexibility while also ensuring network security well. For example, highly confidential services can be made accessible only to trusted users, while services of a lower security level can appropriately allow access by users of lower trust levels such as the external network.
Claims (23)
1. an implementation method for Packet Classification process, is characterized in that, described method is based on carrying out the real-time performance processed of classifying to data message, this implementation method comprises the processing method of the data message that end-on is received, and this processing method comprises:
Terminal receives data message, carries the classification information representing message source classification in the heading of described data message;
Described classification information is used for indicating described message source and belongs to user in the outer user of net or net, and/or, the trust degree of described message source;
Described terminal carries out differentiated treatment according to described classification information to described data message;
Described classification information is carried by the destination option head of IPV6 amplifying message head.
2. implementation method as claimed in claim 1, it is characterized in that, the classification information in the heading of described data message is that intermediate node is determined and the head that joins message according to the classification of described message source.
3. implementation method as claimed in claim 2, it is characterized in that: described intermediate node is the access device that responsible message source termination enters, the processing method of described access device to the initial data message that message source sends comprises:
Described access device receives the initial data message that described message source sends;
Described access device processes initial data message, is included in the classification information increasing in heading and represent this message source classification;
Described access device forwards the data message after this process;
Wherein, described message source classification sends to described access device by certificate server in the access authentication procedure of described message source.
4. The implementation method of claim 2, characterized in that, when the packet classification processing network interworks with an outer network, the intermediate node is the interworking service node (ISN) connecting the packet classification processing network and the outer network, and the processing by the ISN of an outer-network data packet comprises:
the ISN receives an outer-network data packet sent by the outer network to the packet classification processing network;
the ISN determines, according to the source of the data packet, the classification information of the packet source within the packet classification processing network, and converts the outer-network data packet into an intranet data packet, which includes adding classification information to the header according to the determined classification information or modifying the original classification information in the header;
the ISN routes and forwards the intranet data packet within the network.
5. The implementation method of claim 4, characterized in that the processing by the ISN of an intranet data packet comprises:
the ISN receives an intranet data packet sent by the packet classification processing network to the outer network;
the ISN converts the intranet data packet into an outer-network data packet, which includes modifying or deleting the classification information in the packet header according to the trust status of the outer network;
the ISN routes and forwards the converted data packet from the packet classification processing network to the outer network.
6. The implementation method of any one of claims 1 to 5, characterized in that, when the terminal applies differentiated treatment to the received data packet, it determines the processing method for the data packet according to the classification of the packet source, combined with the confidentiality of the terminal's own attributes and of the service application.
7. The implementation method of any one of claims 1 to 5, characterized in that the packet classification processing network is an Internet network or an identity identifier and locator separation network (SILSN).
8. The implementation method of any one of claims 1 to 5, characterized in that the classification information is carried by the Destination Options header of the IPv6 extension headers, and the first two bits of the Option Type of the Destination Options header are 00 or 01, indicating respectively that a destination node which does not recognise this option processes the remainder of the data packet normally or discards the data packet.
9. The implementation method of any one of claims 1 to 5, characterized in that the classification information comprises a source identity type (SIDT) determined according to the source type and/or a trust degree (CG) determined according to the trust degree of the source, wherein the source identity type comprises at least one of the following: an in-network trusted user, an in-network group user, an in-network Internet-cafe user, a trusted homogeneous-network user outside the network, a trusted heterogeneous-network user outside the network, and an untrusted network user outside the network.
10. The implementation method of claim 9, characterized in that the header of the data packet further comprises a domain identifier (DID) determined according to the domain in which the source is located, and/or an intra-domain identifier of the source.
11. A terminal for packet classification processing, characterized in that the terminal is implemented on a communication network and comprises:
a receiving module for receiving a data packet whose header carries classification information representing the classification of the packet source, the classification information indicating whether the packet source is a user outside the network or a user inside the network, and/or the trust degree of the packet source;
a packet source classification determination module, connected to the receiving module, for determining the packet source classification according to the classification information in the data packet;
a data packet processing module, connected to the packet source classification determination module, for applying differentiated treatment to the data packet according to the packet source classification;
wherein the classification information is carried by the Destination Options header of the IPv6 extension headers.
12. The terminal of claim 11, characterized in that, when the data packet processing module applies differentiated treatment to the received data packet, it determines the processing method for the data packet according to the classification of the packet source, combined with the confidentiality of the terminal's own attributes and of the service application.
13. The terminal of claim 11, characterized in that the classification information is carried by the Destination Options header of the IPv6 extension headers, and the first two bits of the Option Type of the Destination Options header are 00 or 01, indicating respectively that a destination node which does not recognise this option processes the remainder of the data packet normally or discards the data packet.
14. The terminal of claim 11, characterized in that the classification information comprises a source identity type (SIDT) determined according to the source type and/or a trust degree (CG) determined according to the trust degree of the source, wherein the source identity type comprises at least one of the following: an in-network trusted user, an in-network group user, an in-network Internet-cafe user, a trusted homogeneous-network user outside the network, a trusted heterogeneous-network user outside the network, and an untrusted network user outside the network.
15. A network for packet classification processing, characterized in that the network comprises:
a terminal for sending and receiving data packets, wherein the header of a received data packet carries classification information representing the classification of the packet source, the terminal also applying differentiated treatment to the received data packet according to the classification information in it;
an intermediate node, connected to the terminal via the network, for receiving and forwarding data packets and for adding, before forwarding, the classification information of the packet source to the header of a received data packet according to the classification of the packet source;
the classification information indicating whether the packet source is a user outside the network or a user inside the network, and/or the trust degree of the packet source;
the classification information being carried by the IPv6 Destination Options header;
the third bit of the Option Type being set to 1;
the low five bits of the Option Type being extended with any one of the 31 values other than the value 00111 of the Home Address option.
16. The network of claim 15, characterized in that the intermediate node is the access device providing access for the terminal, and the network further comprises an authentication server connected to the access device, the server being used to identify and authenticate the user identity of the terminal and to notify the access device serving the terminal of the terminal's classification during the authentication process; the access device adds the corresponding classification information to the header of the data packets sent by the terminal according to the terminal classification obtained from the authentication server.
17. The network of claim 15, characterized in that the intermediate node is the interworking service node (ISN) between the network and the outer network, and the ISN comprises:
a receiving module for receiving outer-network data packets sent by the outer network to the packet classification processing network;
a classification information determination module, connected to the receiving module, for determining the classification information of the packet source of the outer-network data packet within the packet classification processing network;
a data packet conversion module, connected to the classification information determination module, for converting the outer-network data packet into an intranet data packet by adding classification information to the header according to the determined classification information or modifying the original classification information in the header;
a data packet forwarding module, connected to the data packet conversion module, for routing and forwarding, within the packet classification processing network, the intranet data packet converted by the data packet conversion module.
18. The network of claim 17, characterized in that:
the receiving module of the ISN is further used to receive intranet data packets sent by the packet classification processing network to the outer network;
the classification information determination module of the ISN is further used to determine, according to the trust status of the outer network, the classification information of the packet source of the intranet data packet in the outer network;
the data packet conversion module of the ISN is further used to convert the intranet data packet into an outer-network data packet, including deleting or modifying the classification information in the header according to the determined classification information;
the data packet forwarding module of the ISN is further used to route and forward to the outer network the outer-network data packet converted by the data packet conversion module.
19. The network of any one of claims 15 to 18, characterized in that, when the terminal applies differentiated treatment to the received data packet, it determines the processing method for the data packet according to the classification of the packet source, combined with the confidentiality of the terminal's own attributes and of the service application.
20. The network of any one of claims 15 to 18, characterized in that the classification information is carried by an IPv6 extension header.
21. The network of any one of claims 15 to 18, characterized in that the classification information is carried by the Destination Options header of the IPv6 extension headers, and the first two bits of the Option Type of the Destination Options header are 00 or 01, indicating respectively that a destination node which does not recognise this option processes the remainder of the data packet normally or discards the data packet.
22. The network of any one of claims 15 to 18, characterized in that the classification information comprises a source identity type (SIDT) determined according to the source type and/or a trust degree (CG) determined according to the trust degree of the source, wherein the source identity type comprises at least one of the following: an in-network trusted user, an in-network group user, an in-network Internet-cafe user, a trusted homogeneous-network user outside the network, a trusted heterogeneous-network user outside the network, and an untrusted network user outside the network.
23. The network of any one of claims 15 to 18, characterized in that the destination extension header of the data packet further comprises a domain identifier (DID) determined according to the domain in which the source is located, and/or an intra-domain identifier of the source.
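The claims above fix only the carrier (an IPv6 Destination Options option whose type byte has action bits 00 or 01, the change-en-route bit set, and low five bits other than 00111) and the roles (access device adds, ISN rewrites or strips, terminal decides). The following is an added example, not the patent's own format or code: the option layout (type, length, SIDT, CG, DID), the type value 0x21 and the SIDT/CG codes are constructed assumptions, and it shows the option-type check of claims 8 and 15, the ISN conversions of claims 4 and 5, and the terminal's differentiated treatment of claim 6.

```python
import struct

# Constructed example layout, not the patent's own: option = type, len, SIDT, CG, DID.
OPT_PAD1, OPT_PADN = 0, 1
# 0x21 = 00 1 00001: top two bits 00 (a node that does not know the option skips it),
# third bit 1 (may change en route, claim 15), low five bits not the reserved 00111.
OPT_CLASS = 0x21
HOME_ADDR_LOW5 = 0b00111
SIDT_INNER, SIDT_OUTER = 1, 5        # constructed source identity type codes
CG_UNTRUSTED, CG_TRUSTED = 0, 2      # constructed trust degree codes

def option_type_ok(t):
    """Constraints that claims 8 and 15 place on the Option Type byte."""
    return (t >> 6) in (0, 1) and ((t >> 5) & 1) == 1 and (t & 0x1F) != HOME_ADDR_LOW5

def build_dst_opts(next_header, sidt, cg, did):
    """Destination Options header with one classification option (8 bytes, no padding)."""
    body = struct.pack("!BBBBH", OPT_CLASS, 4, sidt, cg, did)
    return struct.pack("!BB", next_header, (2 + len(body)) // 8 - 1) + body

def parse_dst_opts(pkt):
    """Return (next_header, classification or None, payload). An unknown option
    whose top two bits are 01 makes the receiver discard the packet."""
    nh, total = pkt[0], (pkt[1] + 1) * 8
    cls, i = None, 2
    while i < total:
        t = pkt[i]
        if t == OPT_PAD1:
            i += 1
            continue
        ln = pkt[i + 1]
        if t == OPT_CLASS and ln == 4:
            sidt, cg, did = struct.unpack("!BBH", pkt[i + 2:i + 6])
            cls = {"sidt": sidt, "cg": cg, "did": did}
        elif t != OPT_PADN and (t >> 6) == 1:
            raise ValueError("unrecognised option with action bits 01: discard")
        i += 2 + ln
    return nh, cls, pkt[total:]

def isn_to_outer_net(pkt, outer_cg=None):
    """Claim 5, intranet -> outer net. outer_cg None = outer net not trusted: the
    classification is deleted (replaced by PadN) so internal identity and trust
    data do not leave the network; otherwise only the CG is rewritten."""
    nh, cls, payload = parse_dst_opts(pkt)
    if outer_cg is None or cls is None:
        return struct.pack("!BBBB", nh, 0, OPT_PADN, 4) + b"\0" * 4 + payload
    return build_dst_opts(nh, cls["sidt"], outer_cg, cls["did"]) + payload

def isn_from_outer_net(pkt, sidt, cg, did):
    """Claim 4, outer net -> intranet: any classification the outer packet carried
    is overwritten by the ISN's own determination, never passed through."""
    nh, _outer_claim, payload = parse_dst_opts(pkt)
    return build_dst_opts(nh, sidt, cg, did) + payload

def terminal_action(cls, service_confidential):
    """Claim 6: treatment from the classification plus the confidentiality of the
    service; a missing option is treated as an untrusted source."""
    if cls is None or cls["cg"] < CG_TRUSTED:
        return "deny" if service_confidential else "accept-untrusted"
    return "deny" if service_confidential and cls["sidt"] != SIDT_INNER else "accept"
```

The packet passed to the ISN functions is assumed to start at its Destination Options header; a terminal that keys policy on this option should accept it only from the access device or ISN path, since the ISN rewrite is what keeps an outer-network sender from asserting its own classification.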
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201010001627.0A CN102123072B (en) | 2010-01-11 | 2010-01-11 | The implementation method of Packet Classification process, network and terminal |
PCT/CN2010/076022 WO2011082584A1 (en) | 2010-01-11 | 2010-08-16 | Implementing method, network and terminal for processing data packet classification |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201010001627.0A CN102123072B (en) | 2010-01-11 | 2010-01-11 | The implementation method of Packet Classification process, network and terminal |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102123072A CN102123072A (en) | 2011-07-13 |
CN102123072B true CN102123072B (en) | 2016-03-02 |
Family
ID=44251530
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201010001627.0A Expired - Fee Related CN102123072B (en) | 2010-01-11 | 2010-01-11 | The implementation method of Packet Classification process, network and terminal |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN102123072B (en) |
WO (1) | WO2011082584A1 (en) |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102447637B (en) * | 2012-01-09 | 2014-07-30 | 福建星网锐捷网络有限公司 | Message processing method, system and network apparatus |
CN103701837B (en) * | 2012-09-27 | 2018-04-10 | 中兴通讯股份有限公司 | A kind of point-to-point protocol dial on demand method and home gateway |
CN103685284A (en) * | 2013-12-18 | 2014-03-26 | 上海普华诚信软件技术有限公司 | Data interception and conversion method and system |
CN104735101B (en) * | 2013-12-19 | 2019-11-26 | 中兴通讯股份有限公司 | Shared processing, sharing method and the device of Internet resources, system |
CN105991464B (en) * | 2015-04-20 | 2018-12-25 | 杭州迪普科技股份有限公司 | Shunt method, master control borad, interface board and the gateway of network flow |
CN115834090A (en) * | 2021-09-15 | 2023-03-21 | 华为技术有限公司 | Communication method and device |
CN119628845A (en) * | 2023-09-12 | 2025-03-14 | 中兴通讯股份有限公司 | Message processing, verification method, node, message processing system and storage medium |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1764152A (en) * | 2004-10-21 | 2006-04-26 | 中兴通讯股份有限公司 | Point-to-point communication method on Ethernet |
CN1867152A (en) * | 2006-06-01 | 2006-11-22 | 东南大学 | Mobile Internet content supervising device and its supervising method |
CN101547127A (en) * | 2008-03-27 | 2009-09-30 | 北京启明星辰信息技术股份有限公司 | Identification method of inside and outside network messages |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8862866B2 (en) * | 2003-07-07 | 2014-10-14 | Certicom Corp. | Method and apparatus for providing an adaptable security level in an electronic communication |
CN100563146C (en) * | 2005-04-30 | 2009-11-25 | 华为技术有限公司 | A Time Division Multiplexing Data Transmission Method Based on Packet Switching |
2010
- 2010-01-11 CN CN201010001627.0A patent/CN102123072B/en not_active Expired - Fee Related
- 2010-08-16 WO PCT/CN2010/076022 patent/WO2011082584A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN102123072A (en) | 2011-07-13 |
WO2011082584A1 (en) | 2011-07-14 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20160302; Termination date: 20190111 |