CN113411341A - Data processing method, device and equipment and readable storage medium - Google Patents


Info

Publication number: CN113411341A
Authority: CN (China)
Prior art keywords: packet, fragment, flow information, data processing, packets
Legal status: Pending
Application number: CN202110705999.XA
Other languages: Chinese (zh)
Inventors: 宗琪, 郑成坤
Current assignee: Chengdu Westone Information Industry Inc
Original assignee: Chengdu Westone Information Industry Inc
Application filed by Chengdu Westone Information Industry Inc; priority to CN202110705999.XA; publication of CN113411341A; legal status: pending

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
                    • G06F 16/90 Details of database functions independent of the retrieved data types
                        • G06F 16/901 Indexing; Data structures therefor; Storage structures
                            • G06F 16/9014 Indexing; Data structures therefor; Storage structures hash tables
    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
                    • H04L 69/22 Parsing or analysis of headers

Abstract

The invention discloses a data processing method, apparatus, device and readable storage medium. The method comprises the following steps: receiving a fragment packet of a data packet; judging whether the fragment packet is a first fragment packet; if yes, storing the first-fragment flow information of the fragment packet in a hash chain table; if not, acquiring the first-fragment flow information corresponding to the fragment packet from the hash chain table; and processing the fragment packet by using the security processing policy corresponding to the first-fragment flow information, the security processing policy being a security policy in the IPSec protocol. With this method, the matching security processing policy can be determined directly from the first-fragment flow information without waiting for all fragments and reassembling them. The time spent waiting for the fragments, the reassembly step, and the re-fragmentation step after reassembly are all saved, so each fragment can be processed immediately upon receipt, the processing efficiency of fragmented packets is improved, the packet loss rate is reduced, and the reliability of data transmission is ensured.

Description

Data processing method, device and equipment and readable storage medium
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a data processing method, apparatus, device, and readable storage medium.
Background
The IPSec protocol is a complete architecture for implementing network data security at the IP layer; a data flow obtains protection for its IP packets by matching the rules of the security policy (SP). An SP rule is expressed as a five-tuple (source IP, destination IP, source port, destination port, protocol). When a TCP/UDP packet is not fragmented, it carries the complete five-tuple, so the security policy SP can be matched directly and the data protected.
When a TCP/UDP packet is fragmented, only the first fragment carries the complete five-tuple; the remaining fragments do not, so the security policy SP cannot be matched for them. The protocol stack therefore waits until all fragments have been received, reassembles them, matches the security policy SP, and finally encrypts the fragments of the data packet. However, reassembly and re-fragmentation in the protocol stack consume extra time, which increases the transmission delay of the data packet and may even result in a high packet loss rate.
In summary, how to effectively improve the fragment processing efficiency of the protocol stack is a technical problem that those skilled in the art need to solve.
Disclosure of Invention
The invention aims to provide a data processing method, apparatus, device and readable storage medium that store the flow information of the first fragment and, based on it, can securely process the remaining fragments without waiting for them, reassembling them and re-fragmenting them, thereby improving the efficiency with which the protocol stack processes fragmented packets.
In order to solve the technical problems, the invention provides the following technical scheme:
a method of data processing, comprising:
receiving a fragment packet of a data packet;
judging whether the fragment packet is a first fragment packet;
if yes, storing the first-fragment flow information of the fragment packet in a hash chain table;
if not, acquiring the first-fragment flow information corresponding to the fragment packet from the hash chain table;
processing the fragment packet by using a security processing policy corresponding to the first-fragment flow information; the security processing policy is a security policy in the IPSec protocol.
Preferably, the determining whether the fragment packet is a first fragment packet includes:
acquiring a fragment identifier of the fragment packet header;
if the fragment identification is a first fragment identification, determining that the fragment packet is a first fragment packet;
and if the fragment identifier is the middle fragment identifier or the last fragment identifier, determining that the fragment packet is a slave fragment packet.
Preferably, acquiring the first-fragment flow information corresponding to the fragment packet from the hash chain table includes:
acquiring the first-fragment flow information from the hash chain table by using the flow information of the fragment packet.
Preferably, storing the first-fragment flow information of the fragment packet in a hash chain table includes:
determining a key from the first-fragment flow information;
storing the key, the total length of the data packet, the received length of the fragment packets, the flow node matching time and a flow node pointer in a flow node;
and storing the flow node in the hash chain table.
Preferably, storing the key in the flow node comprises:
if the keys of different fragment packets hash to the same position of the hash table, chaining the keys by the zipper method (separate chaining).
Preferably, the method further comprises the following step:
recycling flow nodes according to a maximum number of nodes stored in the hash chain table and/or a flow node retention time.
Preferably, processing the fragment packet by using the security processing policy corresponding to the first-fragment flow information includes:
restoring the source port and destination port corresponding to the fragment packet by using the first-fragment flow information;
determining the security processing policy using the source port and the destination port;
and processing the fragment packet according to the security processing policy.
A data processing apparatus comprising:
a fragment transceiving module, configured to receive fragment packets of a data packet;
a judging module, configured to judge whether a fragment packet is a first fragment packet;
a flow information storage module, configured to store the first-fragment flow information of the fragment packet in a hash chain table if the fragment packet is the first fragment packet;
a flow information obtaining module, configured to obtain the first-fragment flow information corresponding to the fragment packet from the hash chain table if the fragment packet is not the first fragment packet;
a fragment packet security processing module, configured to process the fragment packet by using a security processing policy corresponding to the first-fragment flow information; the security processing policy is a security policy in the IPSec protocol.
A data processing apparatus comprising:
a memory for storing a computer program;
a processor for implementing the steps of the data processing method when executing the computer program.
A readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the above-mentioned data processing method.
The method provided by the embodiment of the invention is applied as follows: receive a fragment packet of a data packet; judge whether the fragment packet is a first fragment packet; if yes, store the first-fragment flow information of the fragment packet in a hash chain table; if not, acquire the first-fragment flow information corresponding to the fragment packet from the hash chain table; and process the fragment packet using the security processing policy corresponding to the first-fragment flow information, the security processing policy being a security policy in the IPSec protocol.
In this method, when the received fragment packet is the first fragment packet, its first-fragment flow information is matched directly against a security processing policy and the packet is processed immediately without waiting for the remaining fragments; at the same time, the first-fragment flow information is stored in the hash chain table. When the received fragment packet is not the first fragment packet, the corresponding first-fragment flow information is acquired from the hash chain table, so the matching security processing policy can be determined quickly; there is no need to wait for the other remaining fragments or to reassemble the fragment packet with the first fragment packet, and the fragment packet can be processed directly under that security processing policy. Therefore, when fragment packets are processed under the IPSec protocol, the matching security processing policy is determined directly from the first-fragment flow information without waiting for all fragments and reassembling them; the waiting time, the reassembly step and the re-fragmentation step after reassembly are omitted, so each fragment is processed immediately upon receipt, the processing efficiency of fragment packets is accelerated, the packet loss rate is reduced, and the reliability of data transmission is ensured.
Accordingly, embodiments of the present invention further provide a data processing apparatus, a device and a readable storage medium corresponding to the data processing method, which have the above technical effects and are not described herein again.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a flowchart of an embodiment of a data processing method according to the present invention;
FIG. 2 is a schematic diagram of a hash chain storage structure for flow information according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating a flow information storage structure according to an embodiment of the present invention;
FIG. 4 is a diagram illustrating slave fragment packet processing according to an embodiment of the present invention;
FIG. 5 is a flowchart illustrating an embodiment of a data processing method according to the present invention;
FIG. 6 is a schematic structural diagram of a data processing apparatus according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a data processing apparatus according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of a data processing apparatus according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the disclosure, the invention will be described in further detail with reference to the accompanying drawings and specific embodiments. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The first embodiment is as follows:
referring to fig. 1, fig. 1 is a flowchart of a data processing method according to an embodiment of the present invention, which can solve the problem of low efficiency of matching a security policy for a fragmented data stream. The method comprises the following steps:
S101, receiving a fragment packet of the data packet.
It should be noted that the data packet may be a UDP data packet or a TCP data packet.
The fragment packet may be the first fragment packet of a complete packet or a slave fragment packet of a complete packet.
S102, judging whether the fragment packet is the first fragment packet.
The flow information of the first fragment packet includes the complete five-tuple, while the flow information of a slave fragment packet does not. Therefore, whether the fragment packet is the first fragment packet can be judged by reading the flow information of the fragment packet. Specifically, the determination process may include:
step one, acquiring the flow information of the fragment packet;
step two, judging whether the flow information contains the complete five-tuple;
step three, if yes, determining that the fragment packet is the first fragment packet;
and step four, if not, determining that the fragment packet is a slave fragment packet.
Wherein the complete quintuple comprises: source IP, destination IP, source port, destination port, protocol information. When the TCP/UDP data packet is a fragment packet, only the first fragment packet has complete quintuple information, and the rest fragment packets (slave fragment packets) only have source IP, destination IP and protocol information.
Of course, in addition to using the five-tuple information in the stream information to determine the fragment packet, it is also possible to determine whether the fragment packet is the first packet according to the fragment identifier of the header of the fragment packet. The specific judgment process comprises the following steps:
step one, acquiring the fragment identifier of the fragment packet header;
step two, if the fragment identifier is the first-fragment identifier, determining that the fragment packet is the first fragment packet;
and step three, if the fragment identifier is the middle-fragment identifier or the last-fragment identifier, determining that the fragment packet is a slave fragment packet.
Specifically, the state of a fragment packet can be determined from two fields of its header, IP_MF and IP_OFFSET, with the fragment identifiers defined as follows:
first fragment: IP_MF is 1 and IP_OFFSET is 0;
middle fragment: IP_MF is 1 and IP_OFFSET is 1;
last fragment: IP_MF is 0 and IP_OFFSET is 1.
After the judgment result of the fragmented packet is obtained, the subsequent processing operation can be executed based on the judgment result. Specifically, if the determination result is yes, the operation of step S103 is executed; if the judgment result is no, the operation of step S104 is executed.
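As an added illustration of S102 (example code written for this page, not code from the patent), the following Python parses the fixed IPv4 header, classifies a fragment with the IP_MF / IP_OFFSET rules above, and extracts the five-tuple only when it is complete, which is exactly the property that forces a slave fragment to look up its first fragment's flow information. It treats the page's "IP_OFFSET is 1" for middle and last fragments as a non-zero fragment offset field, as in RFC 791. The `build_ipv4_fragment` helper, the sample addresses and the 1200-byte UDP datagram it splits into three fragments are constructed for the example (header checksum left at zero).

```python
import struct

# Fragment classes named after the page's IP_MF / IP_OFFSET rules (S102).
FIRST, MIDDLE, LAST, UNFRAGMENTED = "first", "middle", "last", "unfragmented"
IPV4_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header layout


def parse_ipv4_header(pkt: bytes) -> dict:
    """Parse the IPv4 header fields the fragment-handling method relies on."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_off,
     _ttl, proto, _csum, src, dst) = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "proto": proto,
        "id": ident,
        "mf": (flags_off >> 13) & 1,         # IP_MF: more fragments follow
        "offset": (flags_off & 0x1FFF) * 8,  # IP_OFFSET in bytes (field is in 8-byte units)
        "total_len": total_len,              # this fragment's length including the header
        "payload": pkt[ihl:total_len],
    }


def classify_fragment(hdr: dict) -> str:
    """Apply the page's identifier rules; 'IP_OFFSET is 1' is read as non-zero (assumption)."""
    if hdr["mf"] == 1 and hdr["offset"] == 0:
        return FIRST
    if hdr["mf"] == 1:
        return MIDDLE
    if hdr["offset"] != 0:
        return LAST
    return UNFRAGMENTED


def five_tuple(hdr: dict):
    """Return (src IP, dst IP, sport, dport, proto) when the L4 ports are present.

    Only an unfragmented packet or a first fragment carries the TCP/UDP header,
    so a slave fragment yields None: it cannot be matched against the SP on its own.
    """
    if classify_fragment(hdr) not in (FIRST, UNFRAGMENTED) or hdr["proto"] not in (6, 17):
        return None
    if len(hdr["payload"]) < 4:
        return None
    sport, dport = struct.unpack("!HH", hdr["payload"][:4])
    return (hdr["src"], hdr["dst"], sport, dport, hdr["proto"])


def build_ipv4_fragment(src, dst, proto, ident, mf, offset, payload: bytes) -> bytes:
    """Constructed test helper: a minimal IPv4 fragment (TTL 64, checksum left 0)."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8")
    flags_off = (mf << 13) | (offset // 8)
    to_bytes = lambda ip: bytes(int(o) for o in ip.split("."))
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_off,
                      64, proto, 0, to_bytes(src), to_bytes(dst))
    return hdr + payload


def sample_fragments():
    """Constructed 1200-byte UDP datagram (ports 1234 -> 53) split into 600/400/200 bytes."""
    udp = struct.pack("!HHHH", 1234, 53, 1200, 0) + bytes(1192)
    pieces = [(1, 0, udp[0:600]), (1, 600, udp[600:1000]), (0, 1000, udp[1000:1200])]
    return [build_ipv4_fragment("10.0.0.1", "10.0.0.2", 17, 0x1234, mf, off, part)
            for mf, off, part in pieces]


if __name__ == "__main__":
    for frag in sample_fragments():
        hdr = parse_ipv4_header(frag)
        print(classify_fragment(hdr), hdr["offset"], five_tuple(hdr))
```

Running the block prints `first`, `middle` and `last` for the three constructed fragments; only the first one yields a five-tuple, the other two return `None`, which is the situation S103 and S104 exist to handle.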
S103, storing the first-fragment flow information of the fragment packet in a hash chain table.
After the received fragment packet is determined to be the first fragment packet, in order to facilitate processing of the remaining fragment packets corresponding to the fragment packet, the flow information of the first fragment packet in the fragment packet can be stored in the hash chain table.
The specific storage process comprises the following steps:
step one, determining a key from the first-fragment flow information;
step two, storing the key, the total length of the data packet, the received length of the fragment packets, the flow node matching time and a flow node pointer in the flow node;
and step three, storing the flow node in the hash chain table.
For convenience of description, the above three steps will be described in combination.
In particular, if the keys of different fragment packets hash to the same position of the hash table, the zipper method (separate chaining) is used to chain the keys. Referring to fig. 2, fig. 2 is a schematic diagram of a hash chain storage structure for flow information according to an embodiment of the present invention. That is, the flow information of the first fragment is stored in a hash chain table composed of a hash table and a plurality of chains, and the length of the hash table can be defined as n + 1. The source IP, destination IP, protocol number and ID of the fragment packet may be used as the KEY, and if the KEYs of different fragment packets hash to the same position of the hash table, the zipper method is used to chain the elements.
The flow information storage node (i.e., the flow node) is defined as shown in fig. 3: it stores the KEY of the hash table, the port information of the data flow, the total length of the data packet, the received length of the fragment packets, the flow node matching time, and a flow node pointer.
S104, acquiring the first-fragment flow information corresponding to the fragment packet from the hash chain table.
If the fragment packet is received and is not the first fragment packet, the first fragment packet flow information corresponding to the fragment packet can be obtained from the hash chain table. Specifically, the first packet flow information is obtained from the hash chain table by using the flow information of the packet. That is, since the flow information of the slave fragmented packet overlaps and coincides with the flow information of the corresponding first fragmented packet, the flow information of the corresponding first fragmented packet can be obtained from the hash chain table based on the flow information of the slave fragmented packet.
Specifically, the ID information of the same fragment packet is unique, so that by storing the flow information of the first fragment packet, the remaining fragment packets can search the flow information of the first fragment packet according to the source IP, the destination IP, the protocol number, and the ID information, thereby rapidly recovering the source port and the destination port information.
S105, processing the fragment packet by using the security processing policy corresponding to the first-fragment flow information.
The security processing policy is a security policy in the IPSec protocol.
After the first-fragment flow information corresponding to the fragment packet is obtained, the corresponding security processing policy can be quickly determined from it according to the IPSec protocol, and the fragment packet is processed under that policy. The security processing policy may specifically be one of: discard, forward directly (bypass IPSec), or IPSec processing. IPSec can encrypt only, authenticate only, or both encrypt and authenticate the data packet; in either case IPSec has two working modes, tunnel mode and transport mode.
The specific implementation process can include:
step one, restoring the source port and destination port corresponding to the fragment packet by using the first-fragment flow information;
step two, determining the security processing policy by using the source port and the destination port;
and step three, processing the fragment packet according to the security processing policy.
For convenience of description, the above three steps will be described in combination.
The remaining fragment packets (i.e., slave fragment packets), other than the first fragment packet, do not carry source port and destination port information. The source port and destination port can be looked up in the hash chain table of the data flow using the KEY obtained by hashing the source IP, destination IP, protocol and ID number of the data flow. The remaining fragments comprise middle fragments and a last fragment, and the total length of the complete packet is derived from the last fragment.
The processing of the remaining fragment packets, shown in fig. 4, restores their state according to the following steps:
Step 1: judge from the identifier in the fragment header whether the fragment is the last fragment; if so, calculate the total length total_len of the whole data packet. Then perform the hash operation on the flow information to obtain the KEY.
Step 2: query the flow node in the data flow hash chain table; if no flow node is found, exit. If the flow node is found, restore the source port and destination port of the data flow from the information in the flow node.
Step 3: update the total received length recv_len of the fragment packets; if the last fragment has been received and recv_len is greater than or equal to the total length total_len, delete the flow node from the hash chain table.
The method provided by the embodiment of the invention is applied as follows: receive a fragment packet of a data packet; judge whether the fragment packet is a first fragment packet; if yes, store the first-fragment flow information of the fragment packet in a hash chain table; if not, acquire the first-fragment flow information corresponding to the fragment packet from the hash chain table; and process the fragment packet using the security processing policy corresponding to the first-fragment flow information, the security processing policy being a security policy in the IPSec protocol.
In this method, when the received fragment packet is the first fragment packet, its first-fragment flow information is matched directly against a security processing policy and the packet is processed immediately without waiting for the remaining fragments; at the same time, the first-fragment flow information is stored in the hash chain table. When the received fragment packet is not the first fragment packet, the corresponding first-fragment flow information is acquired from the hash chain table, so the matching security processing policy can be determined quickly; there is no need to wait for the other remaining fragments or to reassemble the fragment packet with the first fragment packet, and the fragment packet can be processed directly under that security processing policy. Therefore, when fragment packets are processed under the IPSec protocol, the matching security processing policy is determined directly from the first-fragment flow information without waiting for all fragments and reassembling them; the waiting time, the reassembly step and the re-fragmentation step after reassembly are omitted, so each fragment is processed immediately upon receipt, the processing efficiency of fragment packets is accelerated, the packet loss rate is reduced, and the reliability of data transmission is ensured.
It should be noted that, based on the above embodiments, the embodiments of the present invention also provide corresponding improvements. In the preferred/improved embodiment, the same steps as those in the above embodiment or corresponding steps may be referred to each other, and corresponding advantageous effects may also be referred to each other, which are not described in detail in the preferred/improved embodiment herein.
Preferably, to avoid occupying too much storage, and because an overly long hash chain table also makes acquiring the first-fragment flow information during fragment processing time-consuming, the hash chain table is effectively maintained on the basis of the above embodiment and flow nodes are recycled. Specifically, flow nodes can be recycled according to a maximum number of nodes stored in the hash chain table and/or a flow node retention time.
For the timing of the recycling process, reference may be made to fig. 5. The hash chain table may be set to store at most MAX_NODE flow nodes, and the retention time of a flow node is HOLD_TIME. The recycling of flow nodes can be realized in the following ways, among others, ensuring that invalid flow nodes are released quickly:
Mode 1, data packet length check: when the last fragment of the fragment packet has been received and the received length held in the flow node is greater than or equal to the total length of the packet, i.e. recv_len >= total_len, the corresponding flow node is immediately deleted from the hash chain table.
Mode 2, flow node matching time check: a timer is started in the data flow connection state tracking module, which checks whether the difference between the current time cur_time and the matching time use_time of the flow node exceeds the hold time HOLD_TIME; when (cur_time - use_time) > HOLD_TIME, the corresponding flow node is forcibly deleted from the hash chain table. The hold time HOLD_TIME may be set to six hundred hertz (corresponding to the packet loss time).
Mode 3, flow node total number check: when the number of flow nodes in the hash chain table exceeds MAX_NODE, flow nodes are forcibly deleted until the number is MAX_NODE/2.
In practical application, any one recycling mode can be selected, or the three modes can be combined.
By combining the three modes (data packet length check, flow node matching time check and flow node total number check), invalid flow node information is recycled quickly and efficiently.
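The following Python is an added worked example (written for this page, not the patent's code) that puts steps S103 to S105 and the three recycling modes together over already-parsed fragments: a hash chain table keyed by (source IP, destination IP, protocol, ID) with collisions chained through a next pointer, a flow node holding the fields of fig. 3, policy matching on the ports restored from the node, deletion of the node once the last fragment has been seen and recv_len reaches total_len (mode 1), a HOLD_TIME sweep (mode 2) and trimming to MAX_NODE/2 (mode 3). The constants MAX_NODE = 4 and HOLD_TIME = 600 seconds, the CRC32 bucket hash, the default-deny result when no SP matches, evicting the oldest nodes first in mode 3, and the sample security policy database and fragment dictionaries are all assumptions made for the example.

```python
import zlib

# Constants named as on the page; the values are assumptions for this example.
MAX_NODE = 4        # maximum number of flow nodes the hash chain table keeps
HOLD_TIME = 600.0   # flow node retention time (page gives 600; seconds assumed)
HASH_LEN = 8        # hash table length n + 1
DISCARD, BYPASS, PROTECT = "discard", "bypass", "ipsec"   # the three SP actions


class FlowNode:
    """Flow information storage node (fig. 3): key, ports, lengths, match time, next."""
    def __init__(self, key, sport, dport, now):
        self.key, self.sport, self.dport = key, sport, dport
        self.total_len, self.recv_len = None, 0   # total_len known once the last fragment is seen
        self.use_time, self.next = now, None      # matching time (refreshed on hits); chain pointer


class FlowHashChain:
    """HASH_LEN buckets; colliding keys are chained through FlowNode.next (zipper method)."""
    def __init__(self, buckets=HASH_LEN):
        self.buckets, self.count = [None] * buckets, 0

    @staticmethod
    def make_key(frag):   # KEY = (source IP, destination IP, protocol, fragment ID), as on the page
        return (frag["src"], frag["dst"], frag["proto"], frag["id"])

    def _index(self, key):
        return zlib.crc32(repr(key).encode()) % len(self.buckets)  # CRC32 is an assumption

    def insert(self, node):
        i = self._index(node.key)
        node.next, self.buckets[i] = self.buckets[i], node   # push at the head of the chain
        self.count += 1

    def lookup(self, key):
        n = self.buckets[self._index(key)]
        while n is not None and n.key != key:
            n = n.next
        return n

    def delete(self, key):
        i = self._index(key)
        prev, n = None, self.buckets[i]
        while n is not None and n.key != key:
            prev, n = n, n.next
        if n is None:
            return False
        if prev is None:
            self.buckets[i] = n.next
        else:
            prev.next = n.next
        self.count -= 1
        return True

    def nodes(self):
        for n in self.buckets:
            while n is not None:
                yield n
                n = n.next


def match_policy(spd, selector):
    """First-match SP lookup over (src, dst, sport, dport, proto); None in a rule is a wildcard."""
    for rule, action in spd:
        if all(r is None or r == s for r, s in zip(rule, selector)):
            return action
    return DISCARD   # no matching SP: drop (default-deny assumption)


def process_fragment(table, spd, frag, now):
    """S102-S105 for one parsed fragment dict; returns (action, restored (sport, dport))."""
    key = table.make_key(frag)
    if frag["kind"] == "first":                 # S103: remember the first fragment's flow info
        node = FlowNode(key, frag["sport"], frag["dport"], now)
        table.insert(node)
    else:                                       # S104: recover it for a slave fragment
        node = table.lookup(key)
        if node is None:
            return None, None                   # fig. 4 step 2: no flow node, exit
        node.use_time = now
    node.recv_len += frag["payload_len"]
    if frag["kind"] == "last":
        node.total_len = frag["offset"] + frag["payload_len"]   # length of the whole datagram
    # S105: match the SP on the five-tuple rebuilt from the restored ports
    action = match_policy(spd, (frag["src"], frag["dst"], node.sport, node.dport, frag["proto"]))
    if node.total_len is not None and node.recv_len >= node.total_len:
        table.delete(key)                       # mode 1: datagram complete, free the node
    return action, (node.sport, node.dport)


def recycle_by_time(table, now, hold=HOLD_TIME):
    """Mode 2: delete nodes whose (cur_time - use_time) exceeds HOLD_TIME."""
    expired = [n.key for n in table.nodes() if now - n.use_time > hold]
    for key in expired:
        table.delete(key)
    return len(expired)


def recycle_by_count(table, max_node=MAX_NODE):
    """Mode 3: above MAX_NODE nodes, delete down to MAX_NODE/2 (oldest first is an assumption)."""
    if table.count <= max_node:
        return 0
    victims = sorted(table.nodes(), key=lambda n: n.use_time)   # oldest matching time first
    target = max_node // 2
    for node in victims[:table.count - target]:
        table.delete(node.key)
    return len(victims) - target
```

Two points worth noting when reading the code against the page. First, because mode 1 requires both that the last fragment has been seen (total_len known) and that recv_len has caught up, a last fragment that overtakes a middle fragment does not free the node early; the middle fragment still finds its flow information. Second, recv_len is a plain sum of payload lengths, so a duplicated or retransmitted fragment can satisfy the length check before the datagram is really complete, after which any straggling fragment finds no node and is exited at step 2; mode 2 is what bounds the table for datagrams whose last fragment never arrives at all.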
Corresponding to the above method embodiments, the embodiments of the present invention further provide a data processing apparatus, and the data processing apparatus described below and the data processing method described above may be referred to in correspondence with each other.
Referring to fig. 6, the apparatus includes the following modules:
a fragmented packet receiving and sending module 101, configured to receive fragmented packets of a data packet;
the judging module 102 is configured to judge whether the fragment packet is a first fragment packet;
the flow information storage module 103 is configured to store the flow information of the first packet in the fragment packet into the hash chain table if the fragment packet is the first packet;
a flow information obtaining module 104, configured to obtain, if the fragment packet is not the first packet, flow information of the first packet corresponding to the fragment packet from the hash chain table;
a fragment packet security processing module 105, configured to process a fragment packet by using a security processing policy corresponding to the first packet flow information; the security processing policy is a security policy in the IPSec protocol.
The device provided by the embodiment of the invention is applied as follows: receive a fragment packet of a data packet; judge whether the fragment packet is a first fragment packet; if yes, store the first-fragment flow information of the fragment packet in a hash chain table; if not, acquire the first-fragment flow information corresponding to the fragment packet from the hash chain table; and process the fragment packet using the security processing policy corresponding to the first-fragment flow information, the security processing policy being a security policy in the IPSec protocol.
In this device, when the received fragment packet is the first fragment packet, its first-fragment flow information is matched directly against a security processing policy and the packet is processed immediately without waiting for the remaining fragments; at the same time, the first-fragment flow information is stored in the hash chain table. When the received fragment packet is not the first fragment packet, the corresponding first-fragment flow information is acquired from the hash chain table, so the matching security processing policy can be determined quickly; there is no need to wait for the other remaining fragments or to reassemble the fragment packet with the first fragment packet, and the fragment packet can be processed directly under that security processing policy. Therefore, when fragment packets are processed under the IPSec protocol, the matching security processing policy is determined directly from the first-fragment flow information without waiting for all fragments and reassembling them; the waiting time, the reassembly step and the re-fragmentation step after reassembly are omitted, so each fragment is processed immediately upon receipt, the processing efficiency of fragment packets is accelerated, the packet loss rate is reduced, and the reliability of data transmission is ensured.
In a specific embodiment of the present invention, the determining module 102 is specifically configured to obtain the fragment identifier from the header of the fragment packet; if the fragment identifier is the first-fragment identifier, determine that the fragment packet is the first fragment packet; and if the fragment identifier is the middle-fragment identifier or the last-fragment identifier, determine that the fragment packet is a subsequent (non-first) fragment packet.
In an embodiment of the present invention, the flow information obtaining module 104 is specifically configured to obtain the first-fragment flow information from the hash chain table using the flow information of the fragment packet.
In an embodiment of the present invention, the flow information storage module 103 is specifically configured to determine a key from the first-fragment flow information; store the key, the total length of the data packet, the received length of the fragment packets, the flow node matching time and a flow node pointer in a flow node; and store the flow node in the hash chain table.
In a specific embodiment of the present invention, the flow information storage module 103 is specifically configured to chain the keys using separate chaining (the "zipper method") if the keys of different fragment packets map to the same position of the hash table.
In a specific embodiment of the present invention, the flow information storage module 103 is further configured to reclaim flow nodes according to the maximum number of entries the hash chain table stores and/or the flow node retention time.
In a specific embodiment of the present invention, the fragment packet security processing module 105 is specifically configured to restore the source port and destination port corresponding to the fragment packet using the first-fragment flow information; determine the security processing policy using the source port and destination port; and process the fragment packet according to the security processing policy.
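The first-fragment flow caching described above, as an added example that is not the patent's own code: a hash chain table is filled when the first fragment arrives (it alone carries the transport ports) and consulted for every later fragment, so each fragment is classified on arrival with no reassembly. Keying the table by (source address, destination address, protocol, IP identification), the dictionary-based flow nodes, the toy policy function `spd_action`, the table parameters and the IPv4 fragments are all constructed for the example.

```python
import struct
PROTECT, BYPASS, DISCARD = "PROTECT", "BYPASS", "DISCARD"  # RFC 4301 SPD actions

def parse_ipv4(pkt):
    """Minimal IPv4 parse: flow key, fragment kind, payload and (first fragment only) the L4 ports."""
    ver_ihl, _, tlen, ident, fo, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    payload, mf, offset = pkt[(ver_ihl & 0x0F) * 4:tlen], bool(fo & 0x2000), (fo & 0x1FFF) * 8
    kind = "first" if offset == 0 else ("middle" if mf else "last")  # fragment identifier from the header
    # Only the first fragment carries the transport header, so only it yields the ports; (0, 0) otherwise.
    has_l4 = kind == "first" and proto in (6, 17) and len(payload) >= 4
    ports = struct.unpack("!HH", payload[:4]) if has_l4 else (0, 0)
    return dict(key=(src, dst, proto, ident), kind=kind, payload=payload, ports=ports)

class FragmentFlowTable:
    """Hash chain table keyed by (src, dst, proto, IP ID); a node holds key, first-fragment ports, match time."""
    def __init__(self, nbuckets=64, max_nodes=1024, retention_s=30.0):
        self.buckets = [[] for _ in range(nbuckets)]  # colliding keys share a bucket list (separate chaining)
        self.max_nodes, self.retention_s, self.count = max_nodes, retention_s, 0
    def _bucket(self, key):
        return self.buckets[hash(key) % len(self.buckets)]
    def _drop(self, node):
        self._bucket(node["key"]).remove(node)
        self.count -= 1
    def reclaim(self, now):
        """Drop nodes past the retention time; if the table is still full, evict the least recently matched."""
        for n in [n for c in self.buckets for n in c if now - n["t"] > self.retention_s]:
            self._drop(n)
        if self.count >= self.max_nodes:
            self._drop(min((n for c in self.buckets for n in c), key=lambda n: n["t"]))
    def store(self, key, ports, now):
        if self.count >= self.max_nodes:
            self.reclaim(now)
        self._bucket(key).append({"key": key, "ports": ports, "t": now})
        self.count += 1
    def lookup(self, key, now):
        for n in self._bucket(key):
            if n["key"] == key:
                n["t"] = now  # refresh the match time so active flows are not reclaimed
                return n
        return None

def spd_action(proto, sport, dport):  # constructed toy SPD: TCP/443 protected, UDP/53 bypassed, rest discarded
    return PROTECT if (proto, dport) == (6, 443) else BYPASS if (proto, dport) == (17, 53) else DISCARD

def process_fragment(table, pkt, now):  # classify one fragment at once, without waiting for reassembly
    f = parse_ipv4(pkt)
    if f["kind"] == "first":
        table.store(f["key"], f["ports"], now)
        return spd_action(f["key"][2], *f["ports"])
    node = table.lookup(f["key"], now)  # None: first fragment not yet seen (lost or reordered)
    return None if node is None else spd_action(f["key"][2], *node["ports"])

def build_ipv4(src, dst, proto, ident, offset, mf, payload):  # constructed fragment builder (checksum left 0)
    fo = (0x2000 if mf else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, fo, 64, proto, 0, src, dst) + payload
```

A non-first fragment whose first fragment has not been seen yields `None`, which a real datapath would queue briefly or drop rather than classify.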
Corresponding to the above method embodiment, the embodiment of the present invention further provides a data processing device; the data processing device described below and the data processing method described above may be cross-referenced.
Referring to fig. 7, the data processing apparatus includes:
a memory 332 for storing a computer program;
a processor 322 for implementing the steps of the data processing method of the above-described method embodiments when executing the computer program.
Specifically, referring to fig. 8, which shows the structure of a data processing device provided in this embodiment, the data processing device may differ considerably in configuration or performance and may include one or more processors (CPUs) 322 and a memory 332 in which one or more computer applications 342 or data 344 are stored. The memory 332 may be transient or persistent storage. The program stored in the memory 332 may include one or more modules (not shown), each of which may include a sequence of instructions operating on the data processing device. Further, the central processor 322 may be configured to communicate with the memory 332 and execute the sequence of instruction operations held in the memory 332 on the data processing device 301.
The data processing device 301 may also include one or more power supplies 326, one or more wired or wireless network interfaces 350, one or more input/output interfaces 358, and/or one or more operating systems 341, such as Windows Server, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.
The steps of the data processing method described above may be implemented by the structure of such a data processing device.
Corresponding to the above method embodiment, the embodiment of the present invention further provides a readable storage medium; the readable storage medium described below and the data processing method described above may be cross-referenced.
A readable storage medium on which a computer program is stored which, when executed by a processor, carries out the steps of the data processing method of the above method embodiment.
The readable storage medium may be a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk, or any other readable storage medium capable of storing program code.
Those skilled in the art will further appreciate that the various illustrative components and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or a combination of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and the design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.

Claims (10)

1. A data processing method, comprising:
receiving a fragment packet of a data packet;
determining whether the fragment packet is a first fragment packet;
if so, storing the first-fragment flow information carried in the fragment packet into a hash chain table;
if not, obtaining the first-fragment flow information corresponding to the fragment packet from the hash chain table; and
processing the fragment packet using a security processing policy corresponding to the first-fragment flow information, wherein the security processing policy is a security policy of an IPSec protocol.
2. The data processing method of claim 1, wherein determining whether the fragment packet is a first fragment packet comprises:
obtaining a fragment identifier from the header of the fragment packet;
if the fragment identifier is a first-fragment identifier, determining that the fragment packet is a first fragment packet; and
if the fragment identifier is a middle-fragment identifier or a last-fragment identifier, determining that the fragment packet is a subsequent (non-first) fragment packet.
3. The data processing method according to claim 1, wherein obtaining, from the hash chain table, the first-fragment flow information corresponding to the fragment packet comprises:
obtaining the first-fragment flow information from the hash chain table using the flow information of the fragment packet.
4. The data processing method of claim 1, wherein storing the first-fragment flow information carried in the fragment packet into a hash chain table comprises:
determining a key from the first-fragment flow information;
storing the key, the total length of the data packet, the received length of the fragment packets, the flow node matching time and a flow node pointer in a flow node; and
storing the flow node in the hash chain table.
5. The data processing method of claim 4, wherein storing the key in a flow node comprises:
if the keys of different fragment packets map to the same position of the hash table, chaining the keys using separate chaining (the "zipper method").
6. The data processing method of claim 4, further comprising:
reclaiming the flow node according to a maximum number of entries stored in the hash chain table and/or a flow node retention time.
7. The data processing method according to claim 1, wherein processing the fragment packet using the security processing policy corresponding to the first-fragment flow information comprises:
restoring a source port and a destination port corresponding to the fragment packet using the first-fragment flow information;
determining the security processing policy using the source port and the destination port; and
processing the fragment packet according to the security processing policy.
8. A data processing apparatus, comprising:
a fragment transceiving module, configured to receive fragment packets of a data packet;
a determining module, configured to determine whether a fragment packet is a first fragment packet;
a flow information storage module, configured to store, if the fragment packet is the first fragment packet, the first-fragment flow information carried in the fragment packet into a hash chain table;
a flow information obtaining module, configured to obtain, if the fragment packet is not the first fragment packet, the first-fragment flow information corresponding to the fragment packet from the hash chain table; and
a fragment packet security processing module, configured to process the fragment packet using a security processing policy corresponding to the first-fragment flow information, wherein the security processing policy is a security policy of an IPSec protocol.
9. A data processing apparatus, characterized by comprising:
a memory for storing a computer program;
a processor for implementing the steps of the data processing method according to any one of claims 1 to 7 when executing the computer program.
10. A readable storage medium, characterized in that the readable storage medium has stored thereon a computer program which, when being executed by a processor, carries out the steps of the data processing method according to any one of claims 1 to 7.
CN202110705999.XA 2021-06-24 2021-06-24 Data processing method, device and equipment and readable storage medium Pending CN113411341A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110705999.XA CN113411341A (en) 2021-06-24 2021-06-24 Data processing method, device and equipment and readable storage medium

Publications (1)

Publication Number Publication Date
CN113411341A true CN113411341A (en) 2021-09-17

Family

ID=77683104

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113660295A (en) * 2021-10-20 2021-11-16 深圳市龙信信息技术有限公司 Message processing device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1777174A (en) * 2004-11-15 2006-05-24 中兴通讯股份有限公司 Internet safety protocol high-speed processing IP burst method
US20100268966A1 (en) * 2009-04-20 2010-10-21 Wesley Leggette Efficient and secure data storage utilizing a dispersed data storage system
CN104579948A (en) * 2013-10-29 2015-04-29 国家计算机网络与信息安全管理中心 Method and device for fragmenting message
CN109618020A (en) * 2018-12-25 2019-04-12 北京物芯科技有限责任公司 A kind of method for network address translation and device of fragment message
US20200104269A1 (en) * 2018-09-28 2020-04-02 Solarflare Communications, Inc. Network interface device and host processing device
CN111786905A (en) * 2020-06-30 2020-10-16 北京天融信网络安全技术有限公司 Message reassembly method and apparatus, processor, storage medium, and network device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210917