CN105939401A - Method and device for processing message - Google Patents

Method and device for processing messages

Info

Publication number: CN105939401A
Application number: CN201610072814.5A
Authority: CN (China)
Prior art keywords: message, session, state, labelling, terminal
Legal status: Granted; active (status as listed by Google Patents, which has not performed a legal analysis)
Other languages: Chinese (zh)
Other versions: CN105939401B
Inventor: 汪少杰
Current assignee: Hangzhou DPTech Technologies Co Ltd
Original assignee: Hangzhou DPTech Technologies Co Ltd

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 61/00: Network arrangements, protocols or services for addressing or naming
    • H04L 61/09: Mapping addresses
    • H04L 61/25: Mapping addresses of the same type
    • H04L 61/2503: Translation of Internet protocol [IP] addresses
    • H04L 61/2521: Translation architectures other than single NAT servers

Landscapes

  • Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer And Data Communications
  • Data Exchanges In Wide-Area Networks

Abstract

The invention provides a method and a device for processing messages. When a data message is to be sent, the method obtains the signal marker of the session to which the data message belongs. If the signal marker indicates that the terminal authentication state corresponding to that session has changed, a state notification message for the session is sent to the security linkage device; the notification carries the terminal authentication state so that the security linkage device can process the session's data messages according to it. With this embodiment the security linkage device can still determine whether the terminal that sent a message is secure when the terminal sits behind NAT (Network Address Translation).

Description

Method and device for processing messages
Technical field
The present application relates to the field of network communication technology, and in particular to a method and device for processing messages.
Background technology
With the development of network technology, the security and reliability of terminals has become an increasingly prominent problem: some terminals have no antivirus software installed, run an outdated virus database, or abuse software. Once a terminal with such a security problem accesses the enterprise network, it affects the normal operation of that network. In the related art, to protect the servers in the enterprise network, a security linkage device cooperates with the network to run a security check on any terminal attempting to access the enterprise network. Only when the terminal is found to be secure are the messages it sends forwarded; if the terminal itself is insecure, the security linkage device discards its messages directly, cutting the connection between the enterprise network and the potentially hazardous terminal in time. Whether a terminal is secure can be expressed through authentication, for example by treating a terminal that has passed authentication as a secure terminal.
In the prior art, for each received message the security linkage device identifies the sending terminal by the message's source IP address and then, according to that terminal's authentication state, decides whether to continue processing the message, for example how to forward it according to a preset security policy. However, NAT (Network Address Translation) is now widely used as the networking mode of enterprise networks. Messages sent by different terminals to the enterprise servers carry the same source IP address after NAT translation, so the security linkage device can no longer tell from the source IP address which terminal sent a message, cannot determine whether that terminal is secure, and therefore does not know how to process the message. Adding a terminal identification field to each message to help the security linkage device identify the terminal is not only relatively complicated; the extra field may also interfere with the security linkage device's parsing of the message, causing messages to be processed incorrectly and threatening the security of the enterprise network.
Summary of the invention
In view of this, the present application provides a method and device for processing messages, the object of which is to enable a security linkage device to still identify the security of the terminal sending a message in a NAT architecture.
Specifically, the present application is achieved by the following technical solution:
According to a first aspect of the embodiments of the present application, a method for processing messages is provided, which may include:
when a data message is to be sent, obtaining the signal marker of the session corresponding to the data message;
if the signal marker indicates that the terminal authentication state corresponding to the session has changed, sending a state notification message corresponding to the session to the security linkage device, the state notification message being used to notify the terminal authentication state to the security linkage device, so that the security linkage device processes the data messages of the session according to the terminal authentication state.
In one embodiment, obtaining the signal marker of the session corresponding to the data message includes:
obtaining the global signal marker of the corresponding terminal, the global signal marker indicating whether any of the terminal's sessions has a changed terminal authentication state;
if the global signal marker indicates that there is a session whose terminal authentication state has changed, continuing to obtain the signal marker of the session corresponding to the data message.
In one embodiment, the method further includes:
when the signal markers of all sessions indicate that the terminal authentication state has not changed, changing the global signal marker to a first marker value, the first marker value indicating that no session has a changed terminal authentication state;
when the terminal authentication state changes, changing the global signal marker to a second marker value, the second marker value indicating that there is a session whose terminal authentication state has changed.
In one embodiment, sending the state notification message corresponding to the session to the security linkage device includes:
constructing the state notification message corresponding to the session and sending it to the security linkage device, the state notification message carrying a terminal authentication state marker and a signal message marker, the terminal authentication state marker indicating whether the terminal has passed authentication, and the signal message marker enabling the security linkage device to recognize the received message as a state notification message.
In one embodiment, sending the state notification message corresponding to the session to the security linkage device includes:
if the terminal authentication state after the change is "authenticated", replicating the data message and sending the replicated data message to the security linkage device.
In one embodiment, if the signal marker indicates that the terminal authentication state corresponding to the session has changed, sending the state notification message corresponding to the session to the security linkage device includes:
when the signal marker indicates that the terminal authentication state has changed and the value of the signal marker is N, sending N state notification messages corresponding to the session to the security linkage device, N being a natural number not less than 1;
each time one state notification message corresponding to the session is sent to the security linkage device, decrementing the signal marker value corresponding to the session by 1, until it reaches 0.
According to a second aspect of the embodiments of the present application, a method for processing messages is provided, which may include:
when a state notification message sent by a terminal is received, recording, according to the state notification message, the terminal authentication state corresponding to the session to which the state notification message belongs;
processing the data messages of that session sent by the terminal according to the terminal authentication state.
According to a third aspect of the embodiments of the present application, a device for processing messages is provided, which may include:
an acquiring unit, for obtaining, when a data message is to be sent, the signal marker of the session corresponding to the data message;
a sending unit, for sending a state notification message corresponding to the session to the security linkage device when the signal marker indicates that the terminal authentication state corresponding to the session has changed, the state notification message being used to notify the terminal authentication state to the security linkage device so that the security linkage device processes the data messages of the session according to the terminal authentication state.
In one embodiment, the acquiring unit includes:
a first acquiring subunit, for obtaining the global signal marker of the corresponding terminal, the global signal marker indicating whether any of the terminal's sessions has a changed terminal authentication state;
a second acquiring subunit, for continuing to obtain the signal marker of the session corresponding to the data message when the global signal marker indicates that there is a session whose terminal authentication state has changed.
In one embodiment, the device further includes:
a marker changing unit, for changing the global signal marker to a first marker value when the signal markers of all sessions indicate that the terminal authentication state has not changed, the first marker value indicating that no session has a changed terminal authentication state;
and for changing the global signal marker to a second marker value when the terminal authentication state changes, the second marker value indicating that there is a session whose terminal authentication state has changed.
In one embodiment, the sending unit includes:
a constructing and sending subunit, for constructing the state notification message corresponding to the session and sending it to the security linkage device, the state notification message carrying a terminal authentication state marker and a signal message marker, the terminal authentication state marker indicating whether the terminal has passed authentication, and the signal message marker enabling the security linkage device to recognize the received message as a state notification message.
In one embodiment, the sending unit includes:
a replicating and sending subunit, for replicating the data message and sending the replicated data message to the security linkage device when the terminal authentication state after the change is "authenticated".
In one embodiment, the sending unit includes:
a sending subunit, for sending N state notification messages corresponding to the session to the security linkage device when the signal marker indicates that the terminal authentication state has changed and the value of the signal marker is N, N being a natural number not less than 1;
an updating subunit, for decrementing the signal marker value corresponding to the session by 1 each time a state notification message corresponding to the session is sent to the security linkage device, until it reaches 0.
According to a fourth aspect of the embodiments of the present application, a device for processing messages is provided, which may include:
a recording unit, for recording, when a state notification message sent by a terminal is received, the terminal authentication state corresponding to the session to which the state notification message belongs, according to the state notification message;
a processing unit, for processing the data messages of that session sent by the terminal according to the terminal authentication state.
The message processing method of this embodiment notifies the security linkage device, by sending state notification messages, of the terminal authentication state corresponding to each session of the terminal, so that the security linkage device can process the data messages of each session according to the terminal authentication state. In a NAT architecture, even though the IP addresses of different terminals are identical after NAT translation, the sessions of different terminals still differ in their post-NAT session information, such as IP address and port number. By recording the session information and the terminal authentication state corresponding to each session, the security linkage device in effect identifies the sessions of different terminals, and through the recorded per-session terminal authentication state it identifies the authentication state corresponding to each terminal. It can therefore still identify the security of the terminal sending a message in a NAT architecture and prevent an insecure terminal from accessing the enterprise network and threatening its security.
In addition, this embodiment uses a state notification message to notify the state. This message is independent of the data messages sent by the terminal; notifying the security linkage device of the state by means of a separate state notification message achieves the purpose of reporting the terminal state without altering or affecting the original data messages. It is convenient to implement, works better, and avoids the errors that modifying the original data messages might cause.
Brief description of the drawings
Fig. 1 is a schematic diagram of an application scenario in which the message processing method of an embodiment of the present application is implemented.
Fig. 2 is a flowchart of an embodiment of the message processing method according to an exemplary embodiment.
Fig. 3 is a flowchart of another embodiment of the message processing method according to an exemplary embodiment.
Fig. 4 is an architecture diagram in which the message processing method of another embodiment of the present application is implemented.
Fig. 5A is a flowchart of a further embodiment of the message processing method according to an exemplary embodiment.
Fig. 5B shows the structure of a state notification message in an embodiment of the present application.
Fig. 6 is a hardware structure diagram of the equipment on which the message processing device of the present application resides.
Fig. 7 is a block diagram of an embodiment of the message processing device of the present application.
Fig. 8 is a block diagram of another embodiment of the message processing device of the present application.
Fig. 9 is a block diagram of a further embodiment of the message processing device of the present application.
Fig. 10 is a block diagram of yet another embodiment of the message processing device of the present application.
Detailed description of the invention
Exemplary embodiments are described in detail here, with examples shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present application; they are merely examples of apparatus and methods consistent with some aspects of the present application as detailed in the appended claims.
The terminology used in the present application is for the purpose of describing particular embodiments only and is not intended to limit the application. The singular forms "a", "said" and "the" used in the present application and the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the present application to describe various information, this information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the present application, first information may also be referred to as second information, and similarly second information may be referred to as first information. Depending on the context, the word "if" as used herein may be interpreted as "when" or "upon" or "in response to determining".
A NAT architecture is a networking mode commonly used in today's enterprise networks. See the example of Fig. 1, which shows an application scenario for the message processing method of an embodiment of the present application, in which a NAT architecture is used. Terminal 11 and terminal 12 are both located in a private intranet and are each connected to NAT device 13; enterprise server 15 is located in the enterprise network; security linkage device 14 sits between the private intranet and the enterprise network. When terminal 11 or terminal 12 sends a message to enterprise server 15, the message is transmitted to NAT device 13, which translates the message's source IP address; the message then reaches security linkage device 14. By executing the message processing method of the embodiments of the present application, security linkage device 14 can identify the message, determine the security of the terminal that sent it, and process the message according to that result, so that an unauthenticated, insecure terminal does not access the enterprise network and threaten its security.
It is to be understood that terminal 11 and terminal 12 in Fig. 1 are illustrated as computers only by way of example; in practice a terminal may be a tablet computer, a mobile phone, or any other device with network resource access capability.
Taking the application scenario of Fig. 1 as an example, terminal 11 or terminal 12 may execute the flow shown in Fig. 2, which is a flowchart of an embodiment of the message processing method according to an exemplary embodiment and may include:
Step S201: when a data message is to be sent, obtain the signal marker of the session corresponding to the data message.
Step S202: if the signal marker indicates that the terminal authentication state corresponding to the session has changed, send a state notification message corresponding to the session to the security linkage device; the state notification message notifies the terminal authentication state to the security linkage device so that the security linkage device processes the data messages of the session according to that terminal authentication state.
Taking the application scenario of Fig. 1 as an example, security linkage device 14 may execute the flow shown in Fig. 3, which is a flowchart of another embodiment of the message processing method according to an exemplary embodiment and may include:
Step S301: when a state notification message sent by a terminal is received, record, according to the state notification message, the terminal authentication state corresponding to the session to which the state notification message belongs.
Step S302: process the data messages of the session sent by the terminal according to the terminal authentication state.
Fig. 4 shows an architecture diagram for the message processing method of an embodiment of the present application. It is based on the application scenario of Fig. 1 and takes terminal 11 and security linkage device 14 executing the method of the present application as an example. Terminal 11 stores the session markers of all its sessions together with the corresponding signal markers; security linkage device 14 stores the session markers together with the corresponding terminal authentication states. The information stored on terminal 11 and on security linkage device 14 is described in detail below.
To explain in more detail how the message processing method of the present application is realized, the flows of Fig. 2 and Fig. 3 are described below with reference to the architecture of Fig. 4.
In the embodiments of the present application a terminal can obtain its own authentication state. For example, terminal 11 may preset a terminal authentication state marker that represents the terminal authentication state; the state can be "not authenticated" or "authenticated", and a terminal that has passed authentication is a secure terminal. The terminal authentication state marker may be stored at a fixed location in memory, for example occupying two bytes. It may be, for example, "00" or "11", with "00" meaning the terminal has not passed authentication and "11" meaning it has; implementations are of course not limited to this representation.
Terminal 11 may have multiple sessions, i.e. the number of sessions can be more than one. In the example of the present application the terminal authentication state marker described above may be a single global authentication state marker, i.e. the terminal authentication state corresponding to all sessions is the same. For example, when the terminal has passed authentication, the terminal authentication state marker corresponding to every session is "11", and once the security linkage device learns that the terminal is authenticated it can treat the data messages of all of the terminal's sessions as safe; when the terminal has not passed authentication, the marker for every session is "00", and once the security linkage device learns this it can treat the data messages of all of the terminal's sessions as unsafe and discard them directly.
Terminal 11 may store a session status marker mapping table; Table 1 below is an example. The table contains the session marker of every session on terminal 11, which uniquely identifies the session; each session has a corresponding signal marker that indicates whether the terminal authentication state corresponding to the session has changed, for example from "not authenticated" to "authenticated". The session marker may, for example, consist of the source IP address, source port, destination IP address and destination port, which together uniquely identify a session. The signal marker may take the value 0 or 1, with the meaning agreed in advance: a value of 0 indicates that the terminal authentication state corresponding to the session has not changed, and a value of 1 indicates that it has changed.
Table 1

Session marker (SID: session identifier)    Signal marker (TTS: time to signal)
10.0.1.1:11->30.0.0.2:80                    0
10.0.1.1:12->30.0.0.2:80                    1
In Table 1 the signal marker of each session is "0" or "1", which can be understood as follows. When the terminal's authentication state changes, for example from "not authenticated" to "authenticated" or from "authenticated" to "not authenticated", the signal markers of all of the terminal's sessions in Table 1 are changed to "1", meaning that the terminal authentication state of every session has changed and each session must notify the security linkage device once more of the terminal's latest authentication state; after a session has notified the security linkage device of the authentication state, its signal marker is changed back to "0". As another example, if the terminal adds a new session, the signal marker of that new session may be set to "1", meaning that the security linkage device is to be notified so that it records the terminal authentication state corresponding to the new session (which is, of course, the same as for the other sessions), while the signal markers of the sessions that have already reported their authentication state remain "0", because the terminal authentication state has already been reported to the security linkage device and need not be reported again.
Specifically, with reference to step S201, when terminal 11 is about to send a data message it can obtain the signal marker of the session corresponding to that data message. For example, the source IP address, source port, destination IP address and destination port carried in the data message can be used to look up the session status marker mapping table exemplified by Table 1, determine the session marker of the session corresponding to the data message, and then obtain the signal marker corresponding to that session marker. For instance, if the source IP address, source port, destination IP address and destination port carried in the data message are 10.0.1.1, 12, 30.0.0.2 and 80 respectively, looking up Table 1 by these four values yields a signal marker of 1 for the session corresponding to the data message.
If the signal marker of the session indicates that the terminal authentication state corresponding to the session has changed, as in the example above where the signal marker of session 10.0.1.1:12->30.0.0.2:80 is 1 (this may be a newly created session, and the current terminal authentication state is "authenticated"), then in step S202 terminal 11 sends a state notification message corresponding to the session to security linkage device 14. The state notification message notifies the latest terminal authentication state after the change to security linkage device 14, so that security linkage device 14 processes the data messages of the session according to that terminal authentication state. For example, the terminal authentication state corresponding to session 10.0.1.1:12->30.0.0.2:80 may be notified to security linkage device 14, which then processes subsequent data messages of session 10.0.1.1:12->30.0.0.2:80 according to that state.
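The terminal-side procedure spelled out in the first aspect of the summary (global signal marker, per-session signal marker with value N decremented on each notification, a notification carrying the terminal authentication state marker and the signal message marker, and the "replicate the data message" variant) and in steps S201/S202 above can be written as a small state machine. The following Python is an added example and is not code from the patent or from Hangzhou DPTech. The Terminal class, the dict layout of the notification (Fig. 5B is not reproduced on this page), the SIGNAL_MARKER value, and the choice to send one of the N notifications ahead of each outgoing data message rather than all N at once (the page does not say which) are assumptions made for illustration.

```python
# Terminal-side state notification logic, reconstructed from the description.
# Illustrative code, not the patent's or DPTech's implementation; message layout,
# SIGNAL_MARKER value and class/field names are assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

NOT_AUTHENTICATED = "00"   # terminal authentication state marker values from the description
AUTHENTICATED = "11"
SIGNAL_MARKER = 0xA5       # assumed value of the signal message marker

# Session marker (SID): (source IP, source port, destination IP, destination port)
SessionId = Tuple[str, int, str, int]


def session_id(packet: dict) -> SessionId:
    """Derive the SID from the 4-tuple carried in a data message (the step S201 lookup key)."""
    return (packet["src_ip"], packet["src_port"], packet["dst_ip"], packet["dst_port"])


@dataclass
class Terminal:
    """Holds the session status marker mapping table (Table 1) and the global signal marker."""
    auth_state: str = NOT_AUTHENTICATED
    notify_repeat: int = 1                                   # N: notifications per changed session
    tts: Dict[SessionId, int] = field(default_factory=dict)  # SID -> time-to-signal counter
    global_signal: bool = False                              # True == "second marker value"

    def add_session(self, sid: SessionId) -> None:
        # A new session must announce the terminal's state once, so its TTS starts at N.
        self.tts[sid] = self.notify_repeat
        self.global_signal = True

    def set_auth_state(self, state: str) -> None:
        """Called when the terminal passes, or loses, authentication."""
        if state == self.auth_state:
            return
        self.auth_state = state
        for sid in self.tts:                 # every session must re-announce the new state
            self.tts[sid] = self.notify_repeat
        self.global_signal = True

    def build_notification(self, packet: dict) -> dict:
        """State notification message: a copy of the data message's headers (so it follows the
        same path and NAT mapping as the session) plus the two markers. Assumed layout."""
        return {
            "src_ip": packet["src_ip"], "src_port": packet["src_port"],
            "dst_ip": packet["dst_ip"], "dst_port": packet["dst_port"],
            "signal_marker": SIGNAL_MARKER,
            "auth_state": self.auth_state,
        }

    def before_send(self, packet: dict) -> Optional[dict]:
        """Steps S201/S202, run before each outgoing data message. Returns the state
        notification to send ahead of the packet, or None if none is due."""
        sid = session_id(packet)
        if sid not in self.tts:              # new session: arm it so its state gets announced
            self.add_session(sid)
        if not self.global_signal:           # "first marker value": nothing changed anywhere
            return None
        notification = None
        if self.tts[sid] > 0:                # session's signal marker set: notify, decrement
            notification = self.build_notification(packet)
            self.tts[sid] -= 1
        if all(v == 0 for v in self.tts.values()):
            self.global_signal = False       # all sessions announced: reset the global marker
        return notification


if __name__ == "__main__":
    # Constructed sample traffic mirroring Table 1: one terminal, two sessions to 30.0.0.2:80.
    t = Terminal(notify_repeat=2)
    pkt_a = {"src_ip": "10.0.1.1", "src_port": 11, "dst_ip": "30.0.0.2", "dst_port": 80}
    pkt_b = {"src_ip": "10.0.1.1", "src_port": 12, "dst_ip": "30.0.0.2", "dst_port": 80}
    t.set_auth_state(AUTHENTICATED)
    for p in (pkt_a, pkt_a, pkt_a, pkt_b):
        print(p["src_port"], "->", t.before_send(p))
```

With N = 2 the first two data messages of a session each carry a notification ahead of them, the third carries none, and a later new session (port 12) re-arms the global marker on its own even though the earlier session is already quiet; a later change of authentication state re-arms every session at once.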
When security linkage device 14 receives the state notification message sent by terminal 11, it records, according to the state notification message, the terminal authentication state corresponding to the session to which the message belongs. In the embodiments of the present application, security linkage device 14 may store a session status control table that holds the correspondence between session markers and terminal authentication states; that is, security linkage device 14 can record the terminal authentication state corresponding to every session on the terminal.
Table 2 below is an example of a session status control table:
Table 2

Session marker (SID: session identifier)    Terminal authentication state
10.0.1.1:11->30.0.0.2:80                    00
10.0.1.1:12->30.0.0.2:80                    00
As shown in Table 2, "00" may, for example, indicate that the terminal has passed authentication. The two sessions in Table 2 belong to the same terminal, so the terminal authentication states corresponding to the two sessions are identical, e.g. both indicate that the terminal has passed authentication. In another scenario, if the authentication state of the terminal is not authenticated, this may be indicated in Table 2 by "11".
In step S302, after recording the terminal authentication state, security linkage device 14 processes the data messages of the session sent by the terminal according to the terminal authentication state of each session.
For example, suppose security linkage device 14 receives a data message. Security linkage device 14 can look up Table 2 using information such as the source IP address, source port number, destination IP address and destination port number of the data message, obtain the session to which the data message belongs, and obtain from Table 2 the terminal authentication state corresponding to that session.
For example, if in Table 2 the terminal authentication state of the session to which the data message belongs indicates that the terminal has passed authentication, the terminal is a secure terminal, and security linkage device 14 may continue to forward the data messages of this session according to the security policy it stores; when the terminal authentication state is not authenticated, the terminal is an insecure terminal, and security linkage device 14 may block the data messages of this session, thereby preventing the insecure terminal from threatening the security of the enterprise network.
In the method for processing messages of this embodiment, the terminal authentication state corresponding to each session of the terminal is notified to the security linkage device by sending state notification messages, so that the security linkage device can process the data messages of each session according to the terminal authentication state. With this approach, in a NAT architecture, even though the IP addresses of different terminals become identical after NAT translation, the session information of the different sessions of different terminals after NAT (the IP address together with the port number) is different. By recording the session information and the terminal authentication state corresponding to each session, the security linkage device in effect identifies the sessions of different terminals, and through the recorded terminal authentication state of each session it identifies the authentication state corresponding to each terminal. Thus the security of the terminal sending a message can still be identified in a NAT architecture, preventing insecure terminals from accessing the enterprise network and threatening its security.
In addition, this embodiment uses a state notification message to notify the state; this message is independent of the data messages sent by the terminal. Performing the state notification to the security linkage device with a state notification message achieves the purpose of notifying the terminal state without modifying or affecting the original data messages. It is convenient to implement and more effective, and avoids the errors that modifying the original data messages might cause.
Based on the message processing shown in Fig. 2 and Fig. 3 above, in order to confirm more efficiently whether the terminal authentication state has changed, a global signal flag may also be provided, indicating whether the terminal authentication state of any session among all sessions of the terminal has changed. Fig. 5A below is a flowchart of another embodiment of the method for processing messages according to an exemplary embodiment, which may include:
Step S501: when sending a data message, the terminal obtains the corresponding global signal flag.
In this embodiment, the terminal may be provided with a global signal flag indicating whether the terminal authentication state of any of the terminal's sessions has changed. For example, the global signal flag is "0" or "1": "0" indicates that there is no session whose terminal authentication state has changed, and "1" indicates that there is a session whose terminal authentication state has changed. Taking the session state flag mapping table of Table 1 above as an example, Table 1 contains a session whose signal flag is 1, i.e. a session whose terminal authentication state has changed, so the global signal flag is "1" at this time; if all signal flags in the session state flag mapping table are 0, i.e. the terminal authentication state of no session has changed, the global signal flag is "0".
According to the above description, in this embodiment the global signal flag may be maintained according to the values of the signal flags in the session state flag mapping table. For example, when all signal flags in the session state flag mapping table have been changed to 0, the global signal flag may be changed to 0; this "0" may be called the first flag value and indicates that no session of the terminal has a changed terminal authentication state. As another example, when the terminal authentication state changes (for example, from not authenticated to authenticated), according to the above description the signal flags of all sessions of the terminal are changed to 1, and accordingly the global signal flag is also changed to 1; this "1" may be called the second flag value. As a further example, when a new session is created on the terminal, the signal flag of the new session is 1, and the global signal flag may then be changed to 1. By maintaining the global signal flag in this way, it accurately indicates whether there is a session whose terminal authentication state has changed.
Step S502: if the global signal flag indicates that there is a session whose terminal authentication state has changed, the terminal proceeds to obtain the signal flag of the session corresponding to the data message.
When it is determined from the global signal flag that there is a session whose terminal authentication state has changed, terminal 11 can further confirm whether the terminal authentication state of the session corresponding to this data message has changed, i.e. it proceeds to obtain the signal flag of the session corresponding to the data message. Obtaining the signal flag in this step may refer to the related description of step S201 in the above embodiment and is not described in detail here.
In addition, in this embodiment, when it is determined from the global signal flag that there is no session whose terminal authentication state has changed, terminal 11 can directly determine that the terminal authentication state of the session corresponding to the data message has not changed, without performing the process of obtaining the signal flag of the session corresponding to the data message, thereby speeding up the confirmation of whether the terminal authentication state of the session corresponding to the data message has changed.
Step S503: if the signal flag indicates that the terminal authentication state corresponding to the session has changed, the terminal constructs a state notification message corresponding to the session and sends the state notification message to the security linkage device.
As described in the above embodiment, when the signal flag indicates that the terminal authentication state corresponding to this session has changed, the terminal sends a state notification message corresponding to the session to the security linkage device, in order to notify the security linkage device of the latest terminal authentication state after the change.
In an optional implementation of the embodiment, the terminal may construct a state notification message carrying a signal message flag and a terminal authentication state flag. The signal message flag indicates that this message is a state notification message, so that on receiving a message the security linkage device can recognize from the signal message flag that the received message is a state notification message. For example, Fig. 5B below shows the structure of a state notification message in an embodiment of the application.
The format of the state notification message shown in Fig. 5B is based on the UDP message format; the signal message flag and the terminal authentication state flag are located in the data field of the state notification message.
In addition, as described in the above example, when the signal flag of a session is 1, after the terminal has sent one state notification message for the session to the security linkage device it may change the signal flag of the session in the session state flag mapping table to 0, indicating that the state notification message of this session need not be sent again. If, due to some abnormal condition, the state notification message does not reach the security linkage device, the security linkage device does not receive the state notification message and therefore cannot record the terminal authentication state corresponding to the session. To avoid this situation as far as possible and reduce the probability that the state notification message fails to reach the security linkage device, the state notification message may be sent several times. Specifically, a signal flag of 0 may be defined to indicate that the terminal authentication state has not changed, and a signal flag other than 0 to indicate that it has changed. For example, when a new session is created on the terminal, the signal flag of the new session is set to N (N being a natural number greater than 1); after one state notification message for the new session has been sent, the signal flag is decremented by 1; if the signal flag is still not 0, another state notification message for the new session is sent, until the signal flag reaches 0. For example, if N is 5, the terminal as described sends the state notification message of the new session 5 times in total.
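The following Python simulation is an added example, not code from the patent. It models the terminal side of steps S501 to S503 (session state flag mapping table with the retransmission counter N, global signal flag) together with the security linkage device side of steps S301/S302 and S504/S505 (session state control table of Table 2, forward or block). The value of the signal message flag, the value N = 5, the class names and the exact layout of the notification's data field (signal message flag, authentication state flag, session identifier) are assumptions; the patent only places the two flags in the UDP data field.

```python
import struct
from dataclasses import dataclass, field

AUTHENTICATED = 0x00       # "00" in Table 2: terminal has passed authentication
NOT_AUTHENTICATED = 0x11   # "11" in Table 2: terminal has not passed authentication
SIGNAL_MAGIC = 0xA5        # assumed value of the signal message flag
RESEND_N = 5               # assumed N for a new session (N > 1), the text's example value


def session_id(key):
    """Render a (src_ip, src_port, dst_ip, dst_port) tuple the way Table 2 does."""
    src_ip, src_port, dst_ip, dst_port = key
    return f"{src_ip}:{src_port}->{dst_ip}:{dst_port}"


@dataclass
class Terminal:
    auth_state: int
    flags: dict = field(default_factory=dict)  # session state flag mapping table
    global_flag: int = 0                        # 0: no session changed, 1: some session changed

    def new_session(self, key):
        self.flags[key] = RESEND_N
        self.global_flag = 1

    def set_auth_state(self, state):
        # The terminal's authentication state changed, so every session must be re-notified.
        self.auth_state = state
        for key in self.flags:
            self.flags[key] = RESEND_N
        self.global_flag = 1

    def build_notification(self, key):
        # Assumed data field: signal message flag, authentication state flag, session id.
        return struct.pack("!BB", SIGNAL_MAGIC, self.auth_state) + session_id(key).encode()

    def send_data(self, key, payload):
        """Messages put on the wire for one data message: zero or more state
        notifications first (S503), then the data message itself."""
        wire = []
        if key not in self.flags:
            self.new_session(key)
        if self.global_flag == 1:                 # S501/S502: cheap global check first
            while self.flags[key] != 0:           # resend until the counter reaches 0
                wire.append(("notify", self.build_notification(key)))
                self.flags[key] -= 1
            if all(v == 0 for v in self.flags.values()):
                self.global_flag = 0              # first flag value: nothing left to notify
        wire.append(("data", key, payload))
        return wire


@dataclass
class SecurityLinkageDevice:
    control_table: dict = field(default_factory=dict)  # Table 2: session id -> auth state

    def receive(self, msg):
        if msg[0] == "notify":
            return self.record(msg[1])
        return self.process_data(msg[1])

    def record(self, data):
        # S301/S504: recognise the notification by its signal message flag, record the state.
        magic, state = struct.unpack("!BB", data[:2])
        if magic != SIGNAL_MAGIC:
            return "ignored"
        self.control_table[data[2:].decode()] = state
        return "recorded"

    def process_data(self, key):
        # S302/S505: look the session up by its address tuple; forward only if the
        # recorded terminal state is authenticated, block otherwise (unknown sessions too).
        state = self.control_table.get(session_id(key))
        return "forward" if state == AUTHENTICATED else "block"
```

Two terminals behind the same NAT address (10.0.1.1, different source ports) end up as separate rows of the control table, which is the point the text makes about identifying terminals by session rather than by IP address.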
Step S504: when the security linkage device receives the state notification message sent by the terminal, it records, according to the state notification message, the terminal authentication state corresponding to the session to which the state notification message belongs.
The process by which the security linkage device records the terminal authentication state of the session on receiving the state notification message may refer to the related description in the above embodiment and is not described in detail here.
Step S505: the security linkage device processes the data messages of the session sent by the terminal according to the terminal authentication state.
The description of this step may refer to the related description of steps S301 and S302 above and is not repeated here.
In addition, in the embodiment of the application, the state notification message may be a message carrying the terminal authentication state constructed as in the above example, or it may take another form. For example, when step S502 is executed and it is determined from the obtained signal flag that the terminal authentication state has changed, the terminal further confirms whether the terminal authentication state after the change is authenticated; if so, the data message to be sent may be duplicated, and the duplicated data message and the original data message are sent together to the security linkage device, or sent to the security linkage device one after the other within a preset time interval. In this case, the duplicated data message serves as the state notification message.
If the state notification message is a duplicated data message, then when the security linkage device receives two identical data messages (i.e. the state notification message and the original data message) simultaneously or within a preset time interval, for example within 1 second, it may conclude that the terminal authentication state of the session corresponding to the data message is authenticated, and the security linkage device may continue to forward the data message according to the security policy it stores; if only one data message is received at the same time or within the preset time interval, it may conclude that the terminal authentication state of the session corresponding to the data message is not authenticated, and the security linkage device may discard the data message.
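The duplicated-data-message variant, as an added example that is not part of the patent: the security linkage device must hold the first copy of a data message until either an identical copy arrives within the preset interval (forward) or the interval elapses without one (discard). The 1 second window is the text's example value; the class and function names are assumptions.

```python
WINDOW = 1.0  # preset time interval in seconds (the text's example: 1 second)


def terminal_emit(payload, state_changed, now_authenticated):
    """Terminal side: when the signal flag reports a change and the state after the
    change is authenticated, the data message is duplicated; the copy is the notification."""
    if state_changed and now_authenticated:
        return [payload, payload]
    return [payload]


class DuplicateDetector:
    """Security linkage device side. Keyed by (session identifier, payload) so that
    only a byte-identical copy of the same session's message counts as its twin."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.pending = {}  # (session, payload) -> arrival time of the first copy

    def expire(self, now):
        """Discard held messages whose duplicate did not arrive within the window."""
        stale = [k for k, t in self.pending.items() if now - t > self.window]
        for k in stale:
            del self.pending[k]
        return stale

    def receive(self, now, session, payload):
        """Return ("forward" | "hold", discarded) for a data message arriving at `now`.
        After expire(), every remaining pending entry is inside the window."""
        discarded = self.expire(now)
        key = (session, payload)
        if key in self.pending:        # second identical copy within the window
            del self.pending[key]
            return "forward", discarded
        self.pending[key] = now        # first copy: wait for its duplicate
        return "hold", discarded
```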
In the method for processing messages of this embodiment, the global signal flag speeds up determining whether the terminal authentication state of a session has changed. After it is determined that the terminal authentication state of a session has changed, the terminal can also be controlled by the value of the signal flag to send the state notification message to the security linkage device several times. Because the state notification message is sent several times, the probability that the security linkage device fails to receive it because of an abnormal condition is reduced, so that the security linkage device can record the terminal authentication state of the session according to the received state notification message and process the data messages of each session according to that terminal authentication state. With this approach, the security of the terminal sending a message can still be identified in a NAT architecture, preventing insecure terminals from accessing the enterprise network and threatening its security.
In addition, the state notification message used by this embodiment to notify the state may be a message newly constructed by the terminal or a data message duplicated by the terminal. Whichever of these forms is used, the message is independent of the data messages sent by the terminal. Performing the state notification to the security linkage device with a state notification message achieves the purpose of notifying the terminal state without modifying or affecting the original data messages; it is convenient to implement and more effective, and avoids the errors that modifying the original data messages might cause.
Corresponding to the above embodiments of the method for processing messages, the present application also provides embodiments of a device for processing messages.
The embodiments of the device for processing messages of the application may be applied respectively to the terminal and to the security linkage device, and may also be applied to other equipment; the application does not limit this. The device embodiments may be implemented by software, or by hardware or a combination of software and hardware. Taking software implementation as an example, the device, in a logical sense, is formed by the processor of the equipment on which it resides reading the corresponding computer program instructions from non-volatile memory into internal memory and running them. At the hardware level, Fig. 6 is a hardware structure diagram of the equipment on which the device for processing messages of the application resides. Besides the processor 61, internal memory 63, network interface 62 and non-volatile memory 64 shown in Fig. 6, the equipment on which the device of the embodiment resides may generally also include other hardware according to the actual functions of the equipment, which is not described further here.
Fig. 7 is a block diagram of an embodiment of the device for processing messages of the application, which may include: an acquiring unit 71 and a transmitting unit 72.
The acquiring unit 71 may be used, when a data message is to be sent, to obtain the signal flag of the session corresponding to the data message;
The transmitting unit 72 may be used, when the signal flag indicates that the terminal authentication state corresponding to the session has changed, to send a state notification message corresponding to the session to the security linkage device, the state notification message being used to notify the security linkage device of the terminal authentication state so that the security linkage device processes the data messages of the session according to the terminal authentication state.
Fig. 8 is a block diagram of another embodiment of the device for processing messages of the application. As shown in Fig. 8, based on the device for processing messages shown in Fig. 7, the acquiring unit 71 may include: a first acquiring subunit 711 and a second acquiring subunit 712.
The first acquiring subunit 711 may be used to obtain the global signal flag corresponding to the terminal, the global signal flag indicating whether the terminal authentication state of any session among the sessions corresponding to the terminal has changed;
The second acquiring subunit 712 may be used, when the global signal flag indicates that there is a session whose terminal authentication state has changed, to proceed to obtain the signal flag of the session corresponding to the data message.
The device may also include: a flag changing unit 73.
The flag changing unit 73 may be used, when the signal flags corresponding to all sessions indicate that the terminal authentication state has not changed, to change the global signal flag to a first flag value, the first flag value indicating that there is no session whose terminal authentication state has changed;
and, when the terminal authentication state changes, to change the global signal flag to a second flag value, the second flag value indicating that there is a session whose terminal authentication state has changed.
The transmitting unit 72 may include: a constructing and sending subunit 721, a sending subunit 722 and an updating subunit 723.
The constructing and sending subunit 721 may be used to construct a state notification message corresponding to the session and send the state notification message to the security linkage device, the state notification message carrying a terminal authentication state flag and a signal message flag, the terminal authentication state flag indicating whether the terminal has passed authentication, and the signal message flag enabling the security linkage device to recognize the received state notification message from the signal message flag.
The sending subunit 722 may be used, when the signal flag indicates that the terminal authentication state has changed and the value of the signal flag is N, to send N state notification messages corresponding to the session to the security linkage device, N being a natural number not less than 1;
The updating subunit 723 may be used, each time one state notification message corresponding to the session is sent to the security linkage device, to decrement the signal flag value corresponding to the session by 1, until it is 0.
Fig. 9 is a block diagram of another embodiment of the device for processing messages of the application. As shown in Fig. 9, based on the device for processing messages shown in Fig. 7, the difference from the device for processing messages shown in Fig. 8 is that the transmitting unit 72 does not include the constructing subunit 721 but includes a duplicating and sending subunit 724.
The duplicating and sending subunit 724 is used, when the terminal authentication state after the change is the authenticated state, to duplicate the data message and send the duplicated data message to the security linkage device.
Fig. 10 is a block diagram of another embodiment of the device for processing messages of the application, which may include: a recording unit 101 and a processing unit 102.
The recording unit 101 may be used, when a state notification message sent by the terminal is received, to record, according to the state notification message, the terminal authentication state corresponding to the session to which the state notification message belongs;
The processing unit 102 may be used to process the data messages of the session sent by the terminal according to the terminal authentication state.
For the implementation of the functions and effects of each unit in the above device, refer to the implementation of the corresponding steps in the above method; they are not repeated here.
Since the device embodiments essentially correspond to the method embodiments, reference may be made to the description of the method embodiments for the relevant parts. The device embodiments described above are merely illustrative; the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the application. Those of ordinary skill in the art can understand and implement this without creative effort.
The foregoing is merely a preferred embodiment of the application and is not intended to limit the application. Any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the application shall be included within the scope of protection of the application.

Claims (14)

1. the method processing message, it is characterised in that described method includes:
When sending datagram, obtain the signal labelling of the session corresponding with described data message;
If described signal labelling represents described session, corresponding terminal authentication state changes, then to safety Interlocking equipment sends the state notifying message corresponding with described session, and described state notifying message is for by institute State terminal authentication state notifying extremely described security linkage network equipment, so that described security linkage network equipment is according to institute State the data message of session described in terminal authentication state processing.
Method the most according to claim 1, it is characterised in that described acquisition and described data message The signal labelling of corresponding session, including:
Obtaining overall signal's labelling of counterpart terminal, described overall signal labelling is used for representing described terminal pair The terminal authentication state whether having session in the session answered changes;
If described overall signal labelling represents that there is terminal authentication state occurs the session of change, then continue to obtain Take the signal labelling of the session corresponding with described data message.
Method the most according to claim 2, it is characterised in that described method also includes:
When the signal labelling that all sessions are corresponding all represents that terminal authentication state does not occurs change, by described Overall signal's labelling is changed to the first mark value, and described first mark value represents and there is not terminal authentication state There is the session of change;
When described terminal authentication state occurs change, described overall signal labelling is changed to the second labelling Value, described second mark value represents that there is terminal authentication state occurs the session of change.
Method the most according to claim 1, it is characterised in that described to security linkage network equipment transmission The state notifying message corresponding with described session, including:
Construct the state notifying message corresponding with described session, and send described state to security linkage network equipment Notice message, described state notifying message carried terminal authentication state labelling and signal message labelling, described Terminal authentication status indication is used for representing whether terminal passes through certification, and described signal message labelling is used for making peace The state notifying message that full interlocking equipment receives according to described signal message marker recognition.
Method the most according to claim 1, it is characterised in that described to security linkage network equipment transmission The state notifying message corresponding with described session, including:
If the terminal authentication state after Bian Geng is by authentication state, then replicate described data message, and to Security linkage network equipment sends the data message of described duplication.
Method the most according to claim 1, it is characterised in that if described signal labelling represents Terminal authentication state corresponding to described session changes, then send and described session to security linkage network equipment Corresponding state notifying message, including:
When described signal labelling represents that terminal authentication state occurs change, and the value of described signal labelling is N, then send, to security linkage network equipment, the state notifying message that n times are corresponding with described session, and N is the least In the natural number of 1;
Often send, to security linkage network equipment, the state notifying message that the most described session is corresponding, by described session Corresponding signal mark value subtracts 1, until being 0.
7. the method processing message, it is characterised in that described method includes:
When receiving the state notifying message that terminal sends, according to described state notifying message accounting The terminal authentication state that the place session of state notifying message is corresponding;
According to described terminal authentication state, the data message of the described session that processing terminal sends.
8. the device processing message, it is characterised in that described device includes:
Acquiring unit, for when sending datagram, obtains the session corresponding with described data message Signal labelling;
Transmitting element, for representing, at described signal labelling, the terminal authentication state generation that described session is corresponding During change, sending the state notifying message corresponding with described session to security linkage network equipment, described state is led to Know message for by described terminal authentication state notifying to described security linkage network equipment so that described safety Interlocking equipment is according to the data message of session described in described terminal authentication state processing.
Device the most according to claim 8, it is characterised in that described acquiring unit includes:
First obtains subelement, and for obtaining overall signal's labelling of counterpart terminal, described overall signal marks Note is for representing that the terminal authentication state whether having session in the session that described terminal is corresponding changes;
Second obtains subelement, for representing that there is terminal authentication state occurs at described overall signal labelling During the session changed, continue to obtain the signal labelling of the session corresponding with described data message.
Device the most according to claim 9, it is characterised in that described device also includes:
Change indexing unit, for all representing terminal authentication state not when the signal labelling that all sessions are corresponding When there is change, described overall signal labelling being changed to the first mark value, described first mark value represents There is not terminal authentication state and the session of change occurs;
When described terminal authentication state occurs change, described overall signal labelling is changed to the second labelling Value, described second mark value represents that there is terminal authentication state occurs the session of change.
11. The device according to claim 8, characterised in that the transmitting unit comprises:
a construct-and-send subunit, for constructing the state notification message corresponding to the session and sending the state notification message to the security linkage network device, the state notification message carrying a terminal authentication state flag and a signaling message flag, the terminal authentication state flag being used to indicate whether the terminal has passed authentication, and the signaling message flag being used to enable the security linkage network device to recognise, according to the signaling message flag, that the received message is a state notification message.
12. The device according to claim 8, characterised in that the transmitting unit comprises:
a copy-and-send subunit, for copying the data message when the changed terminal authentication state is the authenticated state, and sending the copied data message to the security linkage network device.
13. The device according to claim 8, characterised in that the transmitting unit comprises:
a sending subunit, for sending N state notification messages corresponding to the session to the security linkage network device when the signal flag indicates that the terminal authentication state has changed and the value of the signal flag is N, N being a natural number not less than 1;
an updating subunit, for decrementing the signal flag value corresponding to the session by 1 each time a state notification message corresponding to the session is sent to the security linkage network device, until the value reaches 0.
14. A device for processing messages, characterised in that the device comprises:
a recording unit, for recording, when a state notification message sent by the terminal is received, the terminal authentication state corresponding to the session to which the state notification message belongs, according to the state notification message;
a processing unit, for processing the data messages of the session sent by the terminal according to the terminal authentication state.
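The following Python simulation is an added illustration of the mechanism in claims 11, 13 and 14, not code from the patent or its assignee: the authenticating device emits N state notifications per session and decrements the signal flag to 0, and the linkage device distinguishes notifications from data by the signal flag, records the per-session authentication state and admits or drops data accordingly. The message layout, the 4-tuple session key and the default-deny treatment of sessions with no recorded state are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed session key: (terminal IP, terminal port, server IP, server port).
Session = Tuple[str, int, str, int]


@dataclass
class Message:
    """One message on the wire. signal_flag == 0 is an ordinary data message;
    signal_flag == N > 0 marks a state notification (claim 11), N being the
    number of repeats still to be sent for this state change (claim 13)."""
    session: Session
    signal_flag: int
    auth_state: Optional[bool] = None   # terminal authentication state flag
    payload: bytes = b""


class AuthDevice:
    """Authenticating device: on each state change it emits N notifications for
    the session and decrements the per-session signal flag to 0 (claim 13)."""

    def __init__(self, repeats: int = 3) -> None:
        if repeats < 1:
            raise ValueError("N must be a natural number not less than 1")
        self.repeats = repeats
        self.signal_flag: Dict[Session, int] = {}

    def on_auth_change(self, session: Session, authenticated: bool) -> List[Message]:
        self.signal_flag[session] = self.repeats
        out: List[Message] = []
        while self.signal_flag[session] > 0:
            out.append(Message(session, self.signal_flag[session], authenticated))
            self.signal_flag[session] -= 1      # updating subunit: N, N-1, ..., 1, then 0
        return out


class LinkageDevice:
    """Security linkage device (claim 14): records the authentication state per
    session from notifications, then admits or drops that session's data."""

    def __init__(self) -> None:
        self.auth_state: Dict[Session, bool] = {}

    def receive(self, msg: Message) -> str:
        if msg.signal_flag > 0:                       # recognised by the signal flag
            self.auth_state[msg.session] = bool(msg.auth_state)
            return "recorded"
        # Assumed policy: a session with no recorded state is treated as unauthenticated.
        if self.auth_state.get(msg.session, False):
            return "forwarded"
        return "dropped"
```

Recording is idempotent, so the linkage device reaches the same state whether all N repeats or only one of them arrives.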
CN201610072814.5A 2016-02-02 2016-02-02 Handle the method and device of message Active CN105939401B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610072814.5A CN105939401B (en) 2016-02-02 2016-02-02 Handle the method and device of message

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610072814.5A CN105939401B (en) 2016-02-02 2016-02-02 Handle the method and device of message

Publications (2)

Publication Number Publication Date
CN105939401A true CN105939401A (en) 2016-09-14
CN105939401B CN105939401B (en) 2019-11-08

Family

ID=57152912

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610072814.5A Active CN105939401B (en) 2016-02-02 2016-02-02 Handle the method and device of message

Country Status (1)

Country Link
CN (1) CN105939401B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1716869A (en) * 2004-06-30 2006-01-04 联想(北京)有限公司 Network safety equipment synchronizing method under cluster mode
CN1753364A (en) * 2005-10-26 2006-03-29 杭州华为三康技术有限公司 Method of controlling network access and its system
CN101188851A (en) * 2006-11-17 2008-05-28 中兴通讯股份有限公司 Access control method for mobile terminal
CN101631078A (en) * 2009-08-24 2010-01-20 杭州华三通信技术有限公司 Message control method and access equipment in endpoint admission defense
CN104618522A (en) * 2014-12-22 2015-05-13 迈普通信技术股份有限公司 Automatic updating method for IP address of terminal and Ethernet access device

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107872446A (en) * 2016-09-28 2018-04-03 腾讯科技(深圳)有限公司 A kind of management method, device and the server of the account number that communicates
CN107872446B (en) * 2016-09-28 2020-07-24 腾讯科技(深圳)有限公司 Communication account management method and device and server
CN114221814A (en) * 2021-12-16 2022-03-22 上海市共进通信技术有限公司 System, method, device, processor and computer readable storage medium for realizing terminal equipment safe opening of special service
CN114221814B (en) * 2021-12-16 2023-10-27 上海市共进通信技术有限公司 System, method, device, processor and computer readable storage medium for realizing terminal equipment safety starting special service

Also Published As

Publication number Publication date
CN105939401B (en) 2019-11-08

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building

Applicant after: Hangzhou Dipu Polytron Technologies Inc

Address before: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building

Applicant before: Hangzhou Dipu Technology Co., Ltd.

CB02 Change of applicant information
GR01 Patent grant
GR01 Patent grant