
WO2008131665A1 - Lawful interception method, communication system, router and interception gateway - Google Patents

Lawful interception method, communication system, router and interception gateway

Publication number
WO2008131665A1
WO2008131665A1 PCT/CN2008/070539 CN2008070539W WO2008131665A1 WO 2008131665 A1 WO2008131665 A1 WO 2008131665A1 CN 2008070539 W CN2008070539 W CN 2008070539W WO 2008131665 A1 WO2008131665 A1 WO 2008131665A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
interception
label switching
monitoring
gateway
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2008/070539
Other languages
English (en)
Chinese (zh)
Inventor
Zhuoming Li
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/30: Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/306: Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications

Definitions

  • The present invention relates to the field of communication technologies, and in particular to a lawful interception method, a communication system, a router, and an interception gateway.
  • Lawful interception refers to the activities of a law enforcement agency to monitor the communication service of a specific target user within the scope of legal authorization. According to national laws and regulations, all operating communication networks must enable the national security agencies, judicial investigation agencies, police stations and other law enforcement agencies to conduct lawful interception of specific target users. The carrier's communication network equipment needs to provide an interface for lawful interception.
  • The interception gateway is a function that must be provided at the required time according to national laws and regulations. In some countries, these functions are integrated into the law enforcement agency domain where the monitoring center is located.
  • FIG. 1 is a network structure diagram of an existing lawful interception system.
  • The interception access point (IAP) function is integrated in the ingress router LER1 through which the user accesses the backbone network, and the interception gateway 11 can set interception target parameters in the IAP in the ingress router LER1, for example the login user name, IP address, protocol type and port number of the monitored target 12.
  • The ingress router LER1 filters all traffic flowing through it. For some specific services, it needs to go deep into the packet for deep filtering. If the filtered data matches the interception target parameter, the ingress router LER1 copies the IP packet and, while the original IP packet is delivered normally, re-encapsulates the copied IP packet in a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) packet.
  • The IP address of the interception gateway 11 is used as the destination address of the re-encapsulated packet. If the network is carried on an MPLS network, the ingress router, based on the destination IP address of the re-encapsulated packet, maps the interception data to the forwarding equivalence class corresponding to the destination address of the interception gateway 11 and forwards it over the label switching path to the access router LER2 connected to the interception gateway 11. After receiving the interception data, the access router LER2 sends the interception data to the interception gateway 11 according to the destination address of the interception data. After receiving the interception data, the interception gateway 11 performs the necessary processing and then transmits the interception data to the monitoring center 10.
  • FIG. 2 is a structural diagram of the units of a conventional label switching router that process lawful interception.
  • The part of the existing label switching router that processes lawful interception data includes a monitoring target management unit 21, a monitoring trigger unit 22, a monitoring copy unit 23, a monitoring processing unit 24 and a sending unit 25.
  • The monitoring target management unit 21 is configured to receive the monitoring command and set the monitoring target parameter in the monitoring trigger unit 22. The monitoring trigger unit 22 is configured to filter the received data and send the filtered interception data to the monitoring copy unit 23.
  • The monitoring copy unit 23 is configured to copy the interception data, forward the original interception data according to the normal process, and send the copied interception data to the monitoring processing unit 24.
  • The monitoring processing unit 24 is configured to encapsulate the interception data in a TCP or UDP message, using the IP address of the interception gateway as the destination IP address, and to send the encapsulated interception data to the sending unit 25.
  • The sending unit 25, according to the destination address that the monitoring processing unit 24 encapsulated for the interception data, maps the interception data to the forwarding equivalence class corresponding to the address of the interception gateway and sends it to the transport network over the label switching path corresponding to that forwarding equivalence class.
  • The ingress router often provides services for many users, and the data traffic is very large.
  • The filtered interception data has to be re-encapsulated and addressed to the IP address of the interception gateway. This processing is complicated and takes up more ingress router resources.
  • Embodiments of the present invention provide a lawful interception method, a communication system, a router, and an interception gateway, which can reduce the complexity of the ingress router performing a lawful interception function.
  • An embodiment of the present invention provides a method for lawful interception, including:
  • the border label switching router as the interception access point receives the interception data and obtains a monitor flag corresponding to the interception data;
  • Embodiments of the present invention provide a communication system, the system comprising:
  • a border label switching router serving as an interception access point, configured to receive the interception data and obtain an interception flag corresponding to the interception data; determine a corresponding forwarding equivalence class according to the interception flag; and send the interception data to the interception gateway through the label switching path corresponding to the forwarding equivalence class, the destination address of the forwarding equivalence class being the interception gateway;
  • the interception gateway, configured to receive the interception data from the label switching path, where the interception data includes a label that the last-hop label switching router encapsulates for the interception data.
  • An embodiment of the present invention provides a label switching router, including:
  • a receiving unit configured to receive monitoring data
  • An obtaining unit configured to acquire a listening flag corresponding to the intercepting data and a forwarding equivalence class corresponding to the monitoring flag;
  • a sending unit configured to send the intercepting data according to a label switching path corresponding to the forwarding equivalence class determined by the acquiring unit.
  • An embodiment of the present invention provides an interception gateway, including:
  • a label switching unit configured to establish a label switching path with the border label switching router;
  • an interception data receiving unit configured to receive the interception data by using the label switching path;
  • a data processing unit configured to process the interception data received by the interception data receiving unit.
  • Figure 1 is a network architecture diagram of an existing lawful interception system.
  • FIG. 2 is a structural diagram of a unit of a conventional border label switching router processing a lawful interception portion.
  • FIG. 3 is a schematic diagram of networking of a lawful interception system in an embodiment of the present invention.
  • FIG. 4 is a schematic flow chart of a lawful interception method in an embodiment of the present invention.
  • FIG. 5 is a schematic flow chart of a lawful interception method according to another embodiment of the present invention.
  • Figure 6 is a block diagram showing the structure of a router in the embodiment of the present invention.
  • FIG. 7 is a structural diagram of a unit of another router in the embodiment of the present invention.
  • FIG. 8 is a structural diagram of a unit of a monitoring gateway in an embodiment of the present invention.
  • FIG. 9 is a structural diagram of a unit of a listening gateway according to another embodiment of the present invention.
  • Detailed description
  • The fundamental idea of Multi-Protocol Label Switching (MPLS) is to move the router to the edge of the network, put a fast and simple switching device in the network center, integrate the basic technology of label switching and forwarding with network layer routing, and implement one routing and multiple switching for a connection request.
  • The label switching router groups data streams according to certain policies. Each such subset of packets is called a forwarding equivalence class (FEC).
  • The existing criterion for dividing forwarding equivalence classes is generally the network layer destination address of the data. Each forwarding equivalence class is assigned a unique label value. This process is called label allocation.
  • The router performs the same processing on the packet data of the same forwarding equivalence class, for example, forwarding it to the same next hop router. The label switching router distributes the binding information of the label value and the forwarding equivalence class to the upstream and downstream label switching routers. This process is called label distribution. Through label distribution, the entire MPLS network establishes interconnected label switching paths.
  • Each label switching router maintains two tables: one is the mapping table between forwarding equivalence classes and labels, and the other is the forwarding table.
  • the simplified format of the forwarding table is:
  • The label switching router searches the forwarding table according to the label information carried in the packet header, that is, it looks up the entry in the forwarding table whose ingress label equals the label carried by the packet. Once the entry is found, the label originally carried in the packet header is popped, the egress label corresponding to the ingress label in the forwarding table is pushed onto the packet as the new label, and the packet is forwarded to the corresponding output port and sent to the next hop address.
  • The process of popping the original label and pushing the new label is called label swapping. Through this process, the entire packet is switched to the corresponding output port according to the label of the packet.
  • Based on the basic principle of MPLS technology, the embodiments of the present invention provide a lawful interception method, a communication system, a router, and an interception gateway that reduce the complexity of the ingress router performing lawful interception.
  • FIG. 3 is a schematic diagram of networking of a lawful interception system according to an embodiment of the present invention, where user T is a monitoring target, user C is a communication peer of user T, and LER1 and LER2 are border label switching routers, wherein LER1 is a listening access point.
  • The LIG is an interception gateway located at the boundary of the core network (i.e., the MPLS network), and has label switching paths to LER1 and LER2.
  • LSR1, LSR2 and LSR3 are label switching routers of the bearer MPLS network.
  • FIG. 4 is a schematic flowchart of a lawful interception method according to an embodiment of the present invention, which is described in conjunction with FIG. 3.
  • the embodiment of the present invention requires that all the communication traffic of the user T be monitored.
  • the steps of the lawful interception method in this embodiment include:
  • LER1 establishes a forwarding equivalence class whose destination address is the LIG, allocates a label for the forwarding equivalence class, and establishes a label switching path corresponding to the forwarding equivalence class through the label allocation and label distribution processes;
  • LER1 uses a data structure to establish a mapping relationship between the interception flag and the forwarding equivalence class whose destination address is the LIG. The interception flag may be a special identifier, and its mapping to the forwarding equivalence class is established by using a two-dimensional or multi-dimensional table;
  • the LIG sends an interception command to the border router LER1, requesting interception of all communication traffic of the user T;
  • LER1 receives the interception command, adds to the access control list the filtering parameters "source IP address is the IP address of T, destination IP address is arbitrary" and "destination IP address is the IP address of T, source IP address is arbitrary", and sets the interception flag in the access control list;
  • LER1 receives the uplink and downlink data and filters the traffic through the access control list to obtain the interception data. It either reads the interception flag corresponding to the interception data directly from the access control list, or sends a command message to the unit that manages the access control list, which returns the interception flag. LER1 copies the interception data: one copy is forwarded according to the normal process; for the other, LER1 reads the corresponding forwarding equivalence class from the two-dimensional or multi-dimensional table according to the interception flag, or sends a command to the unit managing that table, which returns the corresponding forwarding equivalence class;
  • LER1 sends the interception data to the LIG through the label switching path corresponding to the forwarding equivalence class whose destination address is the LIG;
  • the LIG receives the interception data, processes it, and distributes it to the monitoring center.
  • The interception flag may also be a pointer to the forwarding equivalence class whose destination address is the LIG, so that the forwarding equivalence class pointed to by the pointer can be obtained from the interception flag.
  • The ingress router (i.e., the border label switching router) sends the interception data to the lawful interception gateway through the label switching path corresponding to the forwarding equivalence class.
  • This solution simplifies the processing of the interception data by the ingress router, reduces the burden of lawful interception processing on the network device, and reduces the complexity of the system.
  • The network device only adds the interception processing flow to the original forwarding processing flow, and the interception processing flow is consistent with the standard forwarding processing flow in its processing actions. It is no longer necessary to design a special interception triggering and processing part for the network device, and in particular there is no need to design specialized hardware for the interception function.
  • FIG. 5 is a schematic flow chart of a lawful interception method according to another embodiment of the present invention, which is described in conjunction with FIG. 3.
  • the embodiment of the present invention requires that all communication traffic of the user T be monitored.
  • the processing of the uplink traffic and the downlink traffic in the embodiment of the present invention is separately described.
  • LER1 establishes a forwarding equivalence class whose destination address is the LIG, allocates a label for the forwarding equivalence class, and establishes a label switching path corresponding to the forwarding equivalence class through the label allocation and label distribution processes;
  • the interception flag may be a special identifier, and its mapping to the forwarding equivalence class is established by using a two-dimensional or multi-dimensional table;
  • the LIG sends an interception command to the border router LER1, requesting interception of all communication traffic of the user T;
  • LER1 receives the interception command and, as shown in FIG. 5, adds to the access control list the filtering parameters "source IP address is the IP address of T, destination IP address is arbitrary" and "destination IP address is the IP address of T, source IP address is arbitrary", and sets the interception flag in the access control list;
  • LER1 receives the uplink data, filters it through the access control list, obtains the interception flag and, according to the mapping relationship between the interception flag and the forwarding equivalence class whose destination address is the LIG, maps the corresponding interception data to that forwarding equivalence class;
  • LER1 sends the interception data to the LIG through the label switching path corresponding to the forwarding equivalence class whose destination address is the LIG;
  • the LIG copies the interception data. According to the destination address of the interception data, that is, the IP address of the user C, it selects the label switching path between the LIG and LER2 and sends one copy to LER2; the other copy is analyzed, processed and distributed to each monitoring center;
  • after receiving the interception data, LER2 sends it to user C according to the destination IP address of the interception data.
  • LER1 establishes a forwarding equivalence class whose destination address is the LIG, allocates a label for the forwarding equivalence class, and establishes a label switching path corresponding to the forwarding equivalence class through the label allocation and label distribution processes;
  • LER1 establishes a mapping relationship between the interception flag and the forwarding equivalence class whose destination address is the LIG;
  • the LIG sends an interception command to the border router LER1, requesting interception of all communication traffic of the user T;
  • LER1 receives the interception command and, as shown in FIG. 5, adds to the access control list the filtering parameters "source IP address is the IP address of T, destination IP address is arbitrary" and "destination IP address is the IP address of T, source IP address is arbitrary", and sets the interception flag in the access control list;
  • LER1 receives the downlink data, filters it through the access control list, obtains the interception flag and, according to the mapping relationship between the interception flag and the forwarding equivalence class whose destination address is the LIG, maps the corresponding interception data to that forwarding equivalence class;
  • LER1 sends the interception data to the LIG through the label switching path corresponding to the forwarding equivalence class whose destination address is the LIG;
  • after receiving the interception data, the LIG copies it. According to the destination address of the interception data, that is, the IP address of the user T, it selects a label switching path between the LIG and LER1, adds a special tag to the interception data sent to LER1, and sends that copy to LER1; the other copy is analyzed and distributed to each monitoring center;
  • after receiving the data sent by the LIG, LER1 first detects whether the data carries the special tag. If the special tag is detected, the interception data is sent directly to the user T according to the destination IP address of the interception data.
  • Multi-protocol label switching virtual private network technology can be used to establish a virtual private network between LER1 and the LIG.
  • A multi-protocol label switching virtual private network uses label stack technology. The innermost layer of the label stack (i.e., the bottom of the stack) is a label distributed within the scope of the virtual private network, called the bottom-of-stack label, and the outer layer is a label distributed throughout the network, used for forwarding along the label switching path in the network.
  • The identification information of the virtual private network is included in the bottom-of-stack label.
  • The special tag added by the LIG to the interception data may be the bottom-of-stack label of the virtual private network between the LIG and LER1.
  • the manner of obtaining the monitoring flag and determining the corresponding forwarding equivalence class according to the monitoring flag may refer to the previous embodiment.
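
The uplink and downlink flows of this embodiment, as an added simulation that is not part of the patent text: LER1 matches the access control list, maps the interception flag to the forwarding equivalence class whose destination is the LIG, and checks the special tag on traffic returned by the LIG. The IP addresses, label values and class names are constructed for illustration; switching the check off shows the returned packet cycling between LER1 and the LIG.

```python
from dataclasses import dataclass, replace

TARGET_T = "10.0.0.5"         # constructed address of monitored user T
PEER_C = "192.0.2.7"          # constructed address of peer user C
LIG_FEC = "fec-to-LIG"        # FEC whose destination address is the LIG
INTERCEPT_FLAG = 1            # interception flag stored in the ACL entries
LSP_LABEL = {LIG_FEC: 100}    # constructed label of the LER1 -> LIG path
SPECIAL_TAG = 9001            # constructed VPN bottom-of-stack label


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    labels: tuple = ()        # label stack, outermost label first


class LER1:
    """Border label switching router acting as interception access point."""

    def __init__(self, target_ip, check_special_tag=True):
        # ACL entries are (source, destination, flag); None is a wildcard.
        self.acl = [(target_ip, None, INTERCEPT_FLAG),
                    (None, target_ip, INTERCEPT_FLAG)]
        # Table mapping the interception flag to the FEC.
        self.flag_to_fec = {INTERCEPT_FLAG: LIG_FEC}
        self.check_special_tag = check_special_tag

    def acl_flag(self, pkt):
        for src, dst, flag in self.acl:
            if src in (None, pkt.src) and dst in (None, pkt.dst):
                return flag
        return None

    def forward(self, pkt):
        """Return (next_node, packet) for one forwarding decision."""
        # Data returned by the LIG carries the special tag: deliver it by
        # destination IP and skip the ACL, otherwise it is intercepted again.
        if self.check_special_tag and SPECIAL_TAG in pkt.labels:
            return "user", replace(pkt, labels=())
        flag = self.acl_flag(pkt)
        if flag is not None:
            fec = self.flag_to_fec[flag]
            return "LIG", replace(pkt, labels=(LSP_LABEL[fec],))
        return "core", pkt    # ordinary traffic, normal forwarding


class LIG:
    """Interception gateway: copies the data and forwards the original."""

    def __init__(self, users_behind_ler1):
        self.users_behind_ler1 = set(users_behind_ler1)
        self.monitoring_center = []

    def handle(self, pkt):
        inner = replace(pkt, labels=())
        self.monitoring_center.append(inner)      # copy for analysis
        if inner.dst in self.users_behind_ler1:   # downlink, back to LER1
            return "LER1", replace(inner, labels=(SPECIAL_TAG,))
        return "LER2", inner                      # uplink, towards user C


def trace(pkt, check_special_tag=True, max_hops=8):
    """Follow a packet that enters at LER1; return (path, copies at LIG)."""
    ler1 = LER1(TARGET_T, check_special_tag)
    lig = LIG({TARGET_T})
    node, path = "LER1", ["LER1"]
    for _ in range(max_hops):
        node, pkt = ler1.forward(pkt) if node == "LER1" else lig.handle(pkt)
        path.append(node)
        if node not in ("LER1", "LIG"):
            break
    return path, len(lig.monitoring_center)


if __name__ == "__main__":
    print(trace(Packet(PEER_C, TARGET_T)))                           # downlink
    print(trace(Packet(TARGET_T, PEER_C)))                           # uplink
    print(trace(Packet(PEER_C, TARGET_T), check_special_tag=False))  # loop
```
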
  • The interception gateway completes the replication of the target traffic, which further simplifies the interception access point function of the network device.
  • The process by which the router performs lawful interception is basically the same as the process of forwarding normal data traffic and can be integrated into the normal data traffic processing, so that the router's high-performance dedicated hardware can be used for high-speed processing, without the need to implement complex interception traffic replication and packet delivery processing. This greatly reduces the processing burden of network devices such as routers performing lawful interception and ensures service processing performance.
  • The border label switching router pre-establishes a label forwarding path to the interception gateway through label distribution and determines a forwarding equivalence class that uses the label forwarding path. Because the border label switching router maps the interception flag to this forwarding equivalence class, the interception target traffic is sent onto the label forwarding path and must pass through the interception gateway while being forwarded in the MPLS network, so the border router no longer needs a special mechanism to ensure that the interception traffic is reliably delivered to the monitoring center. This further simplifies the lawful interception processing mechanism of the network device and improves the reliability of interception data transmission.
  • the program can be completed by instructing related hardware, and the program can be stored in a computer readable storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, or the like.
  • An embodiment of the present invention provides a communication system, including a border label switching router serving as an interception access point and an interception gateway, where
  • the border label switching router serving as the interception access point is configured to receive the interception data, obtain an interception flag corresponding to the interception data, and copy the interception data; determine a corresponding forwarding equivalence class according to the interception flag, the destination address of the forwarding equivalence class being the interception gateway; send the copied interception data to the interception gateway through the label switching path corresponding to the forwarding equivalence class; and forward the original interception data according to the normal process; and
  • the interception gateway is configured to receive the interception data from the label switching path, where the interception data includes a label encapsulated for the interception data by the last-hop label switching router, process the interception data, and transmit the processed result to the monitoring center.
  • The border label switching router serving as the interception access point is further configured to establish a forwarding equivalence class whose destination address is the interception gateway, allocate a label for the forwarding equivalence class, establish the label switching path corresponding to the forwarding equivalence class through the label distribution process, and establish a mapping relationship between the interception flag and the forwarding equivalence class whose destination address is the interception gateway.
  • An embodiment of the present invention provides another communication system, including a border label switching router serving as an interception access point and an interception gateway, wherein
  • the border label switching router serving as the interception access point is configured to receive the interception data, obtain an interception flag corresponding to the interception data, determine a corresponding forwarding equivalence class according to the interception flag, and send the interception data to the interception gateway through the label switching path corresponding to the forwarding equivalence class;
  • the interception gateway is configured to establish label switching paths with the border label switching routers and to receive the interception data from the label switching path, where the interception data includes a label encapsulated for the interception data by the last-hop label switching router. It copies the interception data: one copy is sent to a border label switching router through the label switching path corresponding to the destination address of the interception data, and the other copy is processed and sent to the monitoring center. If that border label switching router is the border label switching router serving as the interception access point, the interception gateway is further configured to add a special tag to the interception data it sends.
  • The border label switching router serving as the interception access point is further configured to establish a forwarding equivalence class whose destination address is the interception gateway, assign a label to the forwarding equivalence class, establish the label switching path corresponding to the forwarding equivalence class, and establish a mapping relationship between the interception flag and the forwarding equivalence class whose destination address is the interception gateway.
  • The border label switching router serving as the interception access point is further configured to detect whether the interception data sent by the interception gateway carries the special tag, and if the data carries the special tag, to forward the interception data according to the normal process.
  • the specific implementation of obtaining the interception flag and determining the corresponding forwarding equivalence class according to the interception flag may refer to the above method embodiment.
  • The system of the embodiment of the present invention only needs to add an interception processing flow to the forwarding processing flow of the original network device, and the interception processing flow is consistent with the standard forwarding processing flow in its processing actions. There is no need to design a special interception triggering and processing part for the network device, and in particular no need to design special hardware for the interception function, which reduces the complexity of the network device performing the lawful interception function.
  • FIG. 6 is a structural diagram of the units of a router related to lawful interception according to an embodiment of the present invention. As shown in FIG. 6, the router has a label switching function and includes:
  • the path establishing unit 61 is configured to establish a forwarding equivalence class whose destination address is a lawful interception gateway, allocate a label for the forwarding equivalence class, and establish a label switching path corresponding to the forwarding equivalence class by using label distribution;
  • the mapping unit 62 is configured to establish a mapping relationship between the interception flag and the forwarding equivalence class whose destination address is a lawful interception gateway;
  • the receiving unit 63 is configured to receive the monitoring data, and send the monitoring data to the copying unit 64;
  • the copying unit 64 is configured to copy the monitoring data, one of which is forwarded according to a normal process, and the other is sent to the sending unit 65;
  • the obtaining unit 66 is configured to obtain an interception flag corresponding to the interception data, and to obtain, according to the interception flag and the mapping relationship established by the mapping unit 62, the forwarding equivalence class corresponding to the interception flag, where the destination address of the forwarding equivalence class is the lawful interception gateway;
  • the sending unit 65 is configured to send the interception data according to the label switching path corresponding to the forwarding equivalence class determined by the obtaining unit 66.
  • the specific implementation manners of the obtaining unit 66 and the mapping unit 62 in this embodiment may refer to the description in the method embodiment.
  • the router in the embodiment of the present invention establishes a forwarding equivalence class of the lawful interception gateway by establishing a destination address, a label switching path corresponding to the forwarding equivalence class, and a mapping relationship between the interception flag and the forwarding equivalence class, and setting the interception flag in the access control list, filtering the flow data through the access control list, thereby
  • the forwarding equivalence class corresponding to the interception flag may be obtained according to the interception flag in the access control list, and the interception data is sent to the legal interception gateway by using the label exchange path corresponding to the forwarding equivalence class.
  • the overhead of re-encapsulating TCP or UDP packets for the interception data in the prior art is avoided, and the overhead of performing fragmentation on the border label switching router and performing fragment reassembly on the interception gateway is avoided.
  • FIG. 7 is a structural diagram of the lawful-interception-related units of another router in an embodiment of the present invention. As shown in FIG. 6, the router has a label switching function and includes:
  • the path establishing unit 71 is configured to establish a forwarding equivalence class whose destination address is a lawful interception gateway, allocate a label for the forwarding equivalence class, and establish a label switching path corresponding to the forwarding equivalence class by using label distribution;
  • the mapping unit 72 is configured to establish a mapping relationship between the interception flag and the forwarding equivalence class whose destination address is a lawful interception gateway;
  • the receiving unit 73 is configured to receive the interception data and pass it to the sending unit 75;
  • the acquiring unit 76 is configured to acquire the interception flag corresponding to the interception data, and to obtain the forwarding equivalence class from the flag and the mapping relationship established by the mapping unit 72, where the destination address of the forwarding equivalence class is the lawful interception gateway;
  • the sending unit 75 is configured to send the interception data over the label switching path corresponding to the forwarding equivalence class determined by the obtaining unit 76.
  • the receiving unit 73 may further include a special tag detecting module 731 and a forwarding unit 732; the special tag detecting module 731 is configured to detect whether interception data sent by the lawful interception gateway carries the special tag that the gateway adds to interception data, and if the data is detected to carry the special tag, the forwarding unit 732 forwards it according to the normal process.
  • FIG. 8 is a structural diagram of the units of an interception gateway according to an embodiment of the present invention. As shown in FIG. 8, the interception gateway includes:
  • a label switching unit 81 configured to establish a forwarding equivalence class to the border label switching router and a label switching path corresponding to the forwarding equivalence class;
  • the interception data receiving unit 82 is configured to receive the interception data through the label switching path and pass it to the data processing unit 83;
  • the data processing unit 83 is configured to process the interception data received by the interception data receiving unit 82.
  • FIG. 9 is a structural diagram of the units of an interception gateway according to another embodiment of the present invention. As shown in FIG. 9, the interception gateway includes:
  • a label switching unit 91 configured to establish a forwarding equivalence class to the border label switching router and a label switching path corresponding to the forwarding equivalence class;
  • the interception data receiving unit 92 is configured to receive the interception data through the label switching path;
  • the interception data copying unit 94 is configured to copy the interception data received by the interception data receiving unit 92, and to send one copy to the data processing unit 93 and the other copy to the interception data sending unit 95;
  • a data processing unit 93 configured to process the interception data;
  • the interception data sending unit 95 is configured to send the interception data to the border label switching router over a label switching path corresponding to the destination address of the interception data.
  • the interception data sending unit 95 may further include a special tag adding module 951 and a forwarding unit 952; the special tag adding module 951 is configured to add a special tag to the interception data sent to the border label switching router that serves as the interception access point, and the forwarding unit 952 is configured to send the interception data to the border label switching router over a label switching path corresponding to the destination address of the interception data.
  • The interception gateway of this embodiment of the present invention establishes a label switching path to the border label switching router and receives the interception data over that path, which avoids the prior-art overhead of re-encapsulating the interception data in TCP or UDP packets and the overhead of reassembling fragments on the interception gateway.
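The forwarding logic described for the routers of FIG. 6 and FIG. 7 and the returning gateway of FIG. 9, modelled as an added example (not code from the patent). The class, field and tag names, the addresses and the label value are constructed assumptions, and the special tag is represented as a packet attribute because the text does not say how it is carried.

```python
from dataclasses import dataclass, replace

LIG = "192.0.2.10"        # constructed gateway address (assumption)
SPECIAL_TAG = "from-lig"  # hypothetical marker added by the gateway

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes
    labels: tuple = ()            # MPLS label stack, top of stack last
    tags: frozenset = frozenset()

class BorderLSR:
    def __init__(self, copy_at_router=True):
        self.copy_at_router = copy_at_router  # True: FIG. 6 style, False: FIG. 7 style
        self.fec_label = {}    # FEC (destination address) -> LSP label
        self.flag_to_fec = {}  # interception flag -> FEC
        self.acl = []          # (src, dst, flag); None matches anything

    def establish_path(self, fec, label):
        self.fec_label[fec] = label

    def map_flag(self, flag, fec):
        if fec not in self.fec_label:  # refuse a mapping with no LSP behind it
            raise ValueError(f"no label switching path for FEC {fec}")
        self.flag_to_fec[flag] = fec

    def flag_for(self, pkt):
        for src, dst, flag in self.acl:
            if src in (None, pkt.src) and dst in (None, pkt.dst):
                return flag
        return None

    def receive(self, pkt):
        """Return (packet forwarded normally or None, packet sent on the LSP or None)."""
        if SPECIAL_TAG in pkt.tags:        # returned by the gateway: never re-intercept
            return pkt, None
        fec = self.flag_to_fec.get(self.flag_for(pkt))
        if fec is None:                    # no ACL hit: ordinary forwarding only
            return pkt, None
        # Label push only: the original packet is not re-encapsulated in TCP or UDP.
        labelled = replace(pkt, labels=pkt.labels + (self.fec_label[fec],))
        return (pkt if self.copy_at_router else None), labelled

def gateway_return(pkt):
    """FIG. 9 gateway's returned copy as it arrives back: label removed, tag added."""
    return replace(pkt, labels=pkt.labels[:-1], tags=pkt.tags | {SPECIAL_TAG})
```

Without the special-tag check in `receive`, a FIG. 7 style router would match the returned packet against the access control list again and send it back to the gateway indefinitely.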

Landscapes

  • Engineering & Computer Science (AREA)
  • Technology Law (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a lawful interception method and a communication system thereof, a label switching router and an interception gateway. The lawful interception method comprises the following steps: a border label switching router, acting as the interception access point, receives interception data and obtains an interception identifier corresponding to the interception data; determines the corresponding forwarding equivalence class according to the interception identifier, where the destination address of the forwarding equivalence class is the interception gateway; and sends the interception data to the interception gateway over a label switching path corresponding to the forwarding equivalence class.
PCT/CN2008/070539 2007-04-28 2008-03-20 Lawful interception method, communication system, router and interception gateway Ceased WO2008131665A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2007100741687A CN101296270B (zh) 2007-04-28 2007-04-28 Lawful interception method, communication system, router and interception gateway
CN200710074168.7 2007-04-28

Publications (1)

Publication Number Publication Date
WO2008131665A1 true WO2008131665A1 (fr) 2008-11-06

Family

ID=39925202

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/070539 Ceased WO2008131665A1 (fr) 2007-04-28 2008-03-20 Lawful interception method, communication system, router and interception gateway

Country Status (2)

Country Link
CN (1) CN101296270B (fr)
WO (1) WO2008131665A1 (fr)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
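CN102333101A (zh) * 2011-10-31 2012-01-25 Hangzhou H3C Technologies Co., Ltd. Method and device for implementing lawful interception
CN106375266A (zh) * 2015-07-22 2017-02-01 ZTE Corporation Service interception control method and device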

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1440166A (zh) * 2002-02-04 2003-09-03 Matsushita Electric Industrial Co., Ltd. Method and entity for packet loss differentiation
US20060018255A1 (en) * 2004-07-26 2006-01-26 Avaya Technology Corp. Defining a static path through a communications network to provide wiretap law compliance
CN1953406A (zh) * 2005-10-19 2007-04-25 NTT DoCoMo, Inc. Method for accessing a hybrid network, gateway device, wireless terminal and communication system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1719788A (zh) * 2004-07-07 2006-01-11 ZTE Corporation Call control and service interception method for softswitch interception

Also Published As

Publication number Publication date
CN101296270B (zh) 2010-10-20
CN101296270A (zh) 2008-10-29

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08715275

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08715275

Country of ref document: EP

Kind code of ref document: A1