CN115103038B - Matching method and device based on tunnel message - Google Patents


Info

Publication number
CN115103038B
Authority
CN
China
Prior art keywords
tunnel
message
layer
service data
innermost
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210695134.4A
Other languages
Chinese (zh)
Other versions
CN115103038A (en)
Inventor
陈维
胡乐勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan Greenet Information Service Co Ltd
Original Assignee
Wuhan Greenet Information Service Co Ltd
Application filed by Wuhan Greenet Information Service Co Ltd
Priority to CN202210695134.4A
Publication of CN115103038A
Application granted
Publication of CN115103038B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/22 Parsing or analysis of headers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of tunnel messages and provides a matching method and device based on tunnel messages. Fields in the protocol header contents of the innermost layer and/or the outermost layer of the tunnel are arranged in a preset sequence and converted into hexadecimal character strings; a corresponding mask is generated for the protocol header content of the innermost layer and/or the outermost layer of the tunnel as the basis for tunnel message identification; and the feature code of the tunnel is obtained by a logical AND of the mask and the character string. When the feature code of a tunnel message matches the feature code of the corresponding tunnel, the tunnel message is judged to be a hit tunnel message; otherwise it is judged to be a missed tunnel message. The invention adds a new matching mode so that data messages are detected more comprehensively, which better guarantees the analysis and the security of data messages.

Description

Matching method and device based on tunnel message
[ technical field ]
The present invention relates to the technical field of tunnel messages, and in particular, to a matching method and apparatus based on a tunnel message.
[ background ]
Tunneling establishes a virtual link between networks over the infrastructure of the Internet to transfer data. By establishing a tunnel it is possible to force data to a specific address, hide private network addresses, transfer non-IP packets over an IP network, and provide data security support. Current processing of tunnel messages matches only the outermost layer or the innermost layer of the tunnel: a switch selects whether the inner or the outer layer of the tunnel message is matched, so the two layers are neither matched at the same time nor is a data message regarded as matched as soon as either the inner or the outer layer matches. As network security requirements grow stricter, some special devices impose stricter demands on message detection: some require the inner and outer layers of a tunnel message to be matched at the same time, and others require that the message be regarded as hit when either layer matches.
In view of the above, overcoming the drawbacks of the prior art is an urgent problem in the art.
[ summary of the invention ]
The invention aims to solve the technical problem that the existing inner layer or outer layer of the tunnel has low matching analysis efficiency.
The technical problem to be further solved by the present invention is that in the prior art, the use modes of the inner layer tunnel and the outer layer tunnel provided by the tunnel message and the possible intermediate layer tunnel are not flexible, which results in a problem of low processing efficiency in a complex service scenario.
The invention adopts the following technical scheme:
in a first aspect, the present invention provides a matching method based on a tunnel packet, which is implemented by conversion into a feature code rule, and the method includes:
arranging the fields in the protocol header content of the innermost layer and/or the outermost layer of the tunnel in a preset sequence and converting the fields into hexadecimal character strings;
generating a corresponding mask for the protocol header content of the innermost layer and/or the outermost layer of the tunnel as the basis for tunnel message identification;
and obtaining the feature code of the tunnel by a logical AND of the mask and the character string, wherein when the feature code of the tunnel message matches the feature code of the corresponding tunnel, the tunnel message is judged to be a hit tunnel message, and otherwise the corresponding tunnel message is judged to be a missed tunnel message.
Preferably, the tunnel packet identification basis is quintuple information and/or triplet information, specifically:
the five-tuple information comprises a source IP address SIP, a source port Sport, a destination IP address DIP, a destination port Dport and a protocol number; the triplet information includes a source IP address SIP, a destination IP address DIP and a protocol number.
Preferably, before arranging the fields in the protocol header contents of the innermost and outermost layers of the tunnel in the preset sequence and converting them into hexadecimal character strings, the method further includes:
analyzing the first tunnel of the innermost layer according to the network state, where the first tunnel cannot currently be passed through, and obtaining an alternative second tunnel by analysis and calculation;
determining the service data originally set to be transmitted through the first tunnel of the innermost layer, which is currently inaccessible, and, when packaging subsequent data of that service data into packets, packaging the second tunnel as the innermost-layer tunnel and the first tunnel as the outermost-layer tunnel;
formulating a hit strategy under which a message that matches the respective quintuple and/or triplet information of both the first tunnel and the second tunnel is regarded as a hit;
wherein the tunnel historically placed at the innermost layer is designated as the highest-priority selected tunnel.
Preferably, the method further comprises:
sending the hit strategy synchronously to the service data request end;
and, at the service data request end, after part of the service data has been acquired from the destination address of the first tunnel, acquiring the remaining service data from the destination address of the second tunnel according to the repackaged tunnel information.
Preferably, a hit tunnel message indicates that the service data request end needs to obtain the remaining content of the service data from the second tunnel in the innermost layer of the current tunnel message while obtaining the historically sent service data from the destination end of the first tunnel in the outermost layer; and only when the matching information jointly formed by the innermost tunnel and the outermost tunnel is the same does the message correspond to the tunnel object from which the service data must be concatenated.
Preferably, the tunnel packet further includes one or more intermediate layer tunnels, each layer tunnel is configured with a tunnel health indicator, and the tunnel health indicator is carried in a reserved field of the header, and the method further includes:
monitoring each tunnel involved in the tunnel message, and updating a tunnel health index value in the tunnel message according to a monitoring result;
and if the proportion of tunnels currently used by the tunnel message whose tunnel health index value does not meet the standard exceeds 7 percent of the total number of tunnels used by the tunnel message from the innermost tunnel to the outermost tunnel, triggering reassignment of the tunnel message from the innermost tunnel to the outermost tunnel.
Preferably, the tunnel health indicator is represented by 1 bit, and includes: a normal state and a fault state.
In a second aspect, the present invention further provides a matching apparatus based on a tunnel packet, which is used to implement the matching method based on the tunnel packet in the first aspect, and the apparatus includes:
at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor, the instructions being executable by the processor for performing the tunneling packet-based matching method of the first aspect.
In a third aspect, the present invention further provides a non-volatile computer storage medium, where the computer storage medium stores computer-executable instructions, and the computer-executable instructions are executed by one or more processors, and are configured to perform the matching method based on tunneling packet according to the first aspect.
The invention can detect the tunnel message more flexibly and more completely, increases two modes of inner and outer matching of the tunnel message and inner or outer matching of the tunnel message, increases a new matching mode, can detect the data message more comprehensively, and has better guarantee on data message analysis and safety.
[ description of the drawings ]
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required to be used in the embodiments of the present invention will be briefly described below. It is obvious that the drawings described below are only some embodiments of the invention, and that for a person skilled in the art, other drawings can be derived from them without inventive effort.
Fig. 1 is a schematic flowchart of a matching method based on a tunnel packet according to an embodiment of the present invention;
fig. 2 is a schematic flowchart of a matching method based on a tunnel packet according to an embodiment of the present invention;
fig. 3 is a schematic flowchart of a matching method based on a tunnel packet according to an embodiment of the present invention;
fig. 4 is a schematic flowchart of a matching method based on a tunnel packet according to an embodiment of the present invention;
fig. 5 is a schematic diagram of program code and 16-ary translation based on tunnel messages according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of a matching device based on a tunnel packet according to an embodiment of the present invention.
[ detailed description ]
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and do not limit the invention.
In the description of the present invention, the terms "inner", "outer", "longitudinal", "lateral", "upper", "lower", "top", "bottom", and the like indicate orientations or positional relationships based on those shown in the drawings, and are for convenience only to describe the present invention without requiring the present invention to be necessarily constructed and operated in a specific orientation, and thus should not be construed as limiting the present invention.
In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
Example 1:
embodiment 1 of the present invention provides a matching method based on a tunnel packet, which is implemented by conversion into a feature code rule, and as shown in fig. 1, the method includes:
in step 201, the fields in the header contents of the innermost layer and/or the outermost layer of the tunnel are arranged in a preset sequence and then converted into a hexadecimal character string.
In step 202, a corresponding mask is generated for the contents of the protocol header of the innermost layer and/or the outermost layer of the tunnel as the basis for tunnel packet identification.
In step 203, the feature code of the tunnel is obtained by a logical AND of the mask and the character string; when the feature code of the tunnel message matches the feature code of the corresponding tunnel, the tunnel message is determined to be a hit tunnel message, otherwise the corresponding tunnel message is determined to be a missed tunnel message.
The embodiment of the invention can detect the tunnel message more flexibly and more completely, increases two modes of inner and outer matching of the tunnel message and inner or outer matching of the tunnel message, increases a new matching mode, can detect the data message more comprehensively, and has better guarantee on data message analysis and safety.
In this embodiment of the present invention, the identification basis of the tunnel packet is quintuple information and/or triplet information, specifically:
the five-tuple information comprises a source IP address SIP, a source port Sport, a destination IP address DIP, a destination port Dport and a protocol number; the triplet information includes a source IP address SIP, a destination IP address DIP and a protocol number.
The identification basis for the tunnel message can also be MAC address information.
Next, the data length contributed by each layer of a tunnel packet that contains different tunnels is described from the MAC layer and the VLAN layer down to the five-tuple information.
IPinIP example
First, the MAC layer: a tunnel message in the current network may carry one MAC layer or two MAC layers (MAC-in-MAC). One MAC layer is 12 bytes; two MAC layers are 12 + 4 (4 bytes in total for the type and the lower-layer protocol identifier) + 12 = 28 bytes.
Second, 2 bytes for the next-layer protocol identifier.
Third, the VLAN layer, which may follow the MAC layer: a tunnel message in the current network may carry one VLAN layer, two VLAN layers (QinQ), or a QinQ message further encapsulated into three VLAN layers (no VLAN: +0 bytes; one VLAN layer: +4 bytes; two VLAN layers: +8 bytes; three VLAN layers: +12 bytes).
Fourth, the possible tunnel IP combinations: IPv4-in-IPv4, IPv4-in-IPv6, IPv6-in-IPv4, IPv6-in-IPv6.
For a tunnel message whose outer IP is v4, the tunnel identifier is in the 10th byte of the IP header;
for a tunnel message whose outer IP is v6, the tunnel identifier is in the 20th byte.
For a tunnel whose outer layer is v4, the possible tunnel identifier positions are:
1 MAC layer, 0 VLAN layers: 12 bytes + 2 bytes + 10 bytes gives the tunnel identifier position (i.e., the v4 or v6 identifier referred to in this embodiment);
1 MAC layer, 1 VLAN layer: 12 bytes + 2 bytes + 4 bytes + 10 bytes gives the tunnel identifier position;
1 MAC layer, 2 VLAN layers: 12 bytes + 2 bytes + 4 bytes + 10 bytes gives the tunnel identifier position;
1 MAC layer, 3 VLAN layers: 12 bytes + 2 bytes + 4 bytes + 10 bytes gives the tunnel identifier position;
2 MAC layers, 0 VLAN layers: 28 bytes + 2 bytes + 10 bytes gives the tunnel identifier position;
2 MAC layers, 1 VLAN layer: 28 bytes + 2 bytes + 4 bytes + 10 bytes gives the tunnel identifier position;
2 MAC layers, 2 VLAN layers: 28 bytes + 2 bytes + 4 bytes + 10 bytes gives the tunnel identifier position;
2 MAC layers, 3 VLAN layers: 28 bytes + 2 bytes + 4 bytes + 10 bytes gives the tunnel identifier position.
For a tunnel whose outer layer is v6, the possible tunnel identifier positions are:
1 MAC layer, 0 VLAN layers: 12 bytes + 2 bytes + 20 bytes gives the tunnel identifier position;
1 MAC layer, 1 VLAN layer: 12 bytes + 2 bytes + 4 bytes + 20 bytes gives the tunnel identifier position;
1 MAC layer, 2 VLAN layers: 12 bytes + 2 bytes + 4 bytes + 20 bytes gives the tunnel identifier position;
1 MAC layer, 3 VLAN layers: 12 bytes + 2 bytes + 4 bytes + 20 bytes gives the tunnel identifier position;
2 MAC layers, 0 VLAN layers: 28 bytes + 2 bytes + 20 bytes gives the tunnel identifier position;
2 MAC layers, 1 VLAN layer: 28 bytes + 2 bytes + 4 bytes + 20 bytes gives the tunnel identifier position;
2 MAC layers, 2 VLAN layers: 28 bytes + 2 bytes + 4 bytes + 20 bytes gives the tunnel identifier position;
2 MAC layers, 3 VLAN layers: 28 bytes + 2 bytes + 4 bytes + 20 bytes gives the tunnel identifier position.
If the tunnel identifier is 04, the lower-layer tunnel is v4;
if the tunnel identifier is 06, the lower-layer tunnel is v6.
When searching the data, the type of the tunnel message can be determined by inspecting only the positions where the tunnel identifier may appear, without scanning the whole message. Likewise, the other tunnel message identifier positions define the tunnel position according to the message structure; it is sufficient to look only at the locations where the tunnel identifier may occur.
In the prior art, the inner tunnel and the outer tunnel are used as alternatives to each other. In a relatively simple network, a tunnel message carries only one layer of tunnel information as its transmission basis, and if the tunnel is interrupted during transmission, it is difficult for the service data request end to quickly locate and trace back using the tunnel message data. A preferred embodiment of the present invention therefore proposes an improved scheme for this simple network scenario in which the inner and outer tunnels are used cooperatively. Before arranging the fields in the innermost and outermost protocol header contents of the tunnel in the preset sequence and converting them into a hexadecimal character string, as shown in fig. 2, the method further includes:
in step 301, the first tunnel in the innermost layer, which cannot currently be passed through, is analyzed according to the network status, and a candidate second tunnel is obtained by analysis and calculation.
In step 302, the service data originally set to be transmitted through the currently inaccessible first tunnel of the innermost layer is determined, and when subsequent data of that service data is packed into packets, the second tunnel is packed as the innermost-layer tunnel and the first tunnel is packed as the outermost-layer tunnel.
In step 303, a hit policy is formulated under which a message matching the five-tuple and/or triplet information of both the first tunnel and the second tunnel is determined to be a hit.
Wherein the tunnel historically placed at the innermost layer is designated as the highest-priority selected tunnel.
The process of steps 301 to 303 addresses the lack of flexibility in how the inner-layer tunnel, the outer-layer tunnel and any intermediate-layer tunnel carried by the tunnel message are used, which causes low processing efficiency in complex service scenarios.
As shown in fig. 3, after step 303, the following method steps are also typically involved:
in step 304, the hit policy is synchronously sent to the service data request end.
In step 305, the service data request end, according to the repackaged tunnel information, first acquires part of the service data from the destination address of the first tunnel and then acquires the subsequent service data from the destination of the second tunnel.
At this point, a hit tunnel message indicates that the service data request end needs to obtain the remaining content of the service data from the second tunnel in the innermost layer of the current tunnel message while obtaining the historically sent service data from the destination end of the first tunnel in the outermost layer; and only when the matching information jointly formed by the innermost tunnel and the outermost tunnel is the same does the message correspond to the tunnel object from which the service data must be concatenated.
Besides extensions such as steps 301 to 303, which arise from the special application scenarios the present invention can address, the embodiments of the present invention also propose another feasible implementation whose application scenario is the opposite of that of steps 301 to 303: the network link environment is diversified and offers many choices for tunnel selection. In that case the tunnel packet further includes one or more middle-layer tunnels, each layer of tunnel is configured with a tunnel health index, and the tunnel health index is carried in a reserved field of the header. As shown in fig. 4, the method further includes:
in step 401, each tunnel involved in the tunnel message is monitored, and the tunnel health index value in the tunnel message is updated according to the monitoring result.
In step 402, if the proportion of tunnels currently used by the tunnel message whose tunnel health index value does not meet the standard exceeds 7 percent of the total number of tunnels from the innermost tunnel to the outermost tunnel, reassignment of the tunnel message from the innermost tunnel to the outermost tunnel is triggered.
Wherein the tunnel health indicator is represented by 1 bit, comprising: a normal state and a fault state.
This method maintains the security and effectiveness of the tunnel message currently being transmitted, and is well suited to scenarios with very high transmission-effectiveness requirements.
Example 2:
this embodiment of the present invention continues the method of embodiment 1 and explains the implementation of steps 201 to 203 using the example tunnel message content shown in fig. 5.
As shown in fig. 5, the outer SIP + DIP correspond to the frame as follows: SIP is 10.0.0.1 (hexadecimal 0a000001); DIP is 172.0.0.1 (hexadecimal ac000001); and the next-layer protocol in the frame is IP protocol 4 (hexadecimal 04, shown in the figure as Internet Protocol Version 4).
The inner SIP + DIP correspond to the frame as follows: SIP is 11.12.13.1 (hexadecimal 0b0c0d01); DIP is 11.12.13.254 (hexadecimal 0b0c0dfe); the port numbers in the frame are Sport 1024 (hexadecimal 0400) and Dport 1024 (hexadecimal 0400); and the protocol number in the frame is UDP, 17 (hexadecimal 11).
The first inner-and-outer scheme: the matching start position of the feature code rule is set to layer-3 matching (starting from the layer-3 header, i.e. from the outer 4500 xxxx), and the message is converted into a feature code rule, namely a hexadecimal feature code rule, in which only the information related to the inner and outer quintuples needs attention. By way of example:
the rule content is as follows:
00000000000000000000000a000001ac00000140000000000000000118a7b0b0c0d010b0c0dfe 04000400
a mask field:
0000000000000000000000fffffffffffffffff0000000000000000ff0000ffffffffffffffffffffffff
Explanation of the rules: where the mask field is 0, the rule content at that position is ignored whatever its value; where it is f, the position is cared about and must be matched according to the hexadecimal character string. The content of the uncared-for fields may be written as 0 or any other hexadecimal value, since an uncared-for value has no meaning. The rule above cares about all of the inner and outer eight-tuple information; according to the rule requirements, fields can be selectively cared about. If only the outer SIP and the inner DIP are cared about, the corresponding rule and mask are as follows:
the rule content is as follows:
00000000000000000000000a000001ac00000140000000000000000118a7b0b0c0d010b0c0dfe 04000400
a mask field:
0000000000000000000000ffffffff0000000000000000000000000000000000000000fffffff00000000
When the rule is searched, the tunnel message is hit if the feature code rule matches both the inner and the outer layer; otherwise the tunnel message is not hit.
The first inner-or-outer implementation scheme: as with the inner-and-outer idea, the rules are also converted into hexadecimal feature codes for matching, but two feature code rules are issued. Continuing with the message example above, the matching start position is the layer-3 header:
Outer rule content: 000000000000000a000001ac000001
Outer care field: 0000000000000000000 fffffffffffffffffff
Inner rule content:
00000000000000000000000a000001ac00000140000000000000000118a7b0b0c0d010b0c0dfe 04000400
inner layer care field:
0000000000000000000000000000000000000000000000000000000ff000000000000ffffffffffffffff
When the rules are searched with the inner-or-outer switch of the tunnel message enabled, the tunnel message is regarded as hit as long as either feature code rule matches; otherwise the tunnel message is not hit.
The second implementation scheme issues two quintuple rules, corresponding respectively to the inner and outer quintuple information of the tunnel message. Continuing with the message example above:
The outer rule is the triplet information: SIP 10.0.0.1, DIP 172.0.0.1, and the lower-layer protocol (the black frame) is IP protocol 4.
The inner rule is the quintuple information: SIP 11.12.13.1, DIP 11.12.13.254, Sport 1024, Dport 1024, protocol number UDP 17.
Two rules can be issued according to the rule requirements and used respectively to match the inner and outer layers of the tunnel message. For the inner-and-outer mode, the outer-layer switch and the secondary-search switch are enabled once the tunnel message is received: when the outer layer of the tunnel message hits, the rule corresponding to the inner-layer information is searched next, and the tunnel message is regarded as hit only when both rules hit; otherwise it is not hit.
The second implementation scheme in inner-or-outer mode: when the tunnel message hits the outer-layer rule, no further search is performed and the message is directly regarded as hit; when the outer-layer information of the tunnel message hits no relevant rule, the inner-layer quintuple rule is searched next, and if it hits, the tunnel message is regarded as hit; otherwise it is not hit.
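The following is an added worked example, not code from the patent or its assignee, showing steps 201 to 203 and the two matching modes of Example 2 end to end on an IPv4-in-IPv4 frame. The addresses, ports and protocol numbers are those of the page's example; the frame bytes are constructed here, and the field order and hex width of each field in the feature string (FIELDS) are assumptions of this example. Unlike the page's rules, which start at the outer layer-3 header and span the whole header, the feature string here keeps only the tuple fields, so the rule and mask strings are shorter than those in Example 2.

```python
"""
Added example (not the patent's own code): feature-code rule matching for an
IPv4-in-IPv4 tunnel message, following the hex-string + mask scheme of steps
201-203 and the inner-and-outer / inner-or-outer modes of Example 2.
"""
import ipaddress
import struct

# Assumed preset field sequence and hex width of each field in the feature string.
FIELDS = [
    ("outer_sip", 8), ("outer_dip", 8), ("outer_proto", 2),
    ("inner_sip", 8), ("inner_dip", 8),
    ("inner_sport", 4), ("inner_dport", 4), ("inner_proto", 2),
]
FEATURE_LEN = sum(width for _, width in FIELDS)
OUTER_FIELDS = {"outer_sip", "outer_dip", "outer_proto"}
INNER_FIELDS = {name for name, _ in FIELDS} - OUTER_FIELDS


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left 0) for constructing test frames."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


def parse_ipv4(buf, off):
    """Return (proto, src, dst, offset of the next header) for the IPv4 header at buf[off:]."""
    ihl = (buf[off] & 0x0F) * 4
    if ihl < 20 or off + ihl > len(buf):
        raise ValueError("truncated or malformed IPv4 header")
    proto = buf[off + 9]                      # 10th byte of the header: the "tunnel identifier" position
    src = str(ipaddress.IPv4Address(buf[off + 12:off + 16]))
    dst = str(ipaddress.IPv4Address(buf[off + 16:off + 20]))
    return proto, src, dst, off + ihl


def extract_tuples(frame):
    """Outer triplet and inner quintuple of a frame that starts at the outer IP header."""
    oproto, osip, odip, off = parse_ipv4(frame, 0)
    if oproto != 4:                           # identifier 04: the lower-layer tunnel is v4
        raise ValueError("outer protocol %d is not IPv4-in-IPv4" % oproto)
    iproto, isip, idip, off = parse_ipv4(frame, off)
    if iproto not in (6, 17) or off + 4 > len(frame):
        raise ValueError("inner payload carries no TCP/UDP port pair")
    sport, dport = struct.unpack_from("!HH", frame, off)
    return (osip, odip, oproto), (isip, idip, sport, dport, iproto)


def feature_hex(outer, inner):
    """Step 201: arrange the fields in the preset sequence and convert them to one hex string."""
    osip, odip, oproto = outer
    isip, idip, sport, dport, iproto = inner
    values = {
        "outer_sip": ipaddress.IPv4Address(osip).packed.hex(),
        "outer_dip": ipaddress.IPv4Address(odip).packed.hex(),
        "outer_proto": "%02x" % oproto,
        "inner_sip": ipaddress.IPv4Address(isip).packed.hex(),
        "inner_dip": ipaddress.IPv4Address(idip).packed.hex(),
        "inner_sport": "%04x" % sport,
        "inner_dport": "%04x" % dport,
        "inner_proto": "%02x" % iproto,
    }
    return "".join(values[name] for name, _ in FIELDS)


def make_mask(care):
    """Step 202: 'f' nibbles for cared-about fields, '0' for fields that are ignored."""
    return "".join(("f" if name in care else "0") * width for name, width in FIELDS)


def matches(feature, rule, mask):
    """Step 203: AND the mask with both hex strings and compare the results."""
    if not (len(feature) == len(rule) == len(mask) == FEATURE_LEN):
        raise ValueError("feature, rule and mask must all be %d hex digits" % FEATURE_LEN)
    m = int(mask, 16)
    return (int(feature, 16) & m) == (int(rule, 16) & m)


def hit_inner_and_outer(feature, rule, mask):
    """One rule whose mask covers inner and outer fields at once: both must match."""
    return matches(feature, rule, mask)


def hit_inner_or_outer(feature, rule):
    """Two rules (outer-only mask, inner-only mask); either match is a hit."""
    return (matches(feature, rule, make_mask(OUTER_FIELDS))
            or matches(feature, rule, make_mask(INNER_FIELDS)))


# Constructed sample frame using the page's Example 2 values:
# outer 10.0.0.1 -> 172.0.0.1 proto 4, inner 11.12.13.1 -> 11.12.13.254 UDP 1024 -> 1024.
_udp = struct.pack("!HHHH", 1024, 1024, 8 + 5, 0) + b"hello"
_inner = build_ipv4("11.12.13.1", "11.12.13.254", 17, _udp)
SAMPLE_FRAME = build_ipv4("10.0.0.1", "172.0.0.1", 4, _inner)

if __name__ == "__main__":
    outer, inner = extract_tuples(SAMPLE_FRAME)
    feature = feature_hex(outer, inner)
    mask = make_mask({"outer_sip", "inner_dip"})   # care only about outer SIP and inner DIP
    print("feature:", feature)
    print("mask   :", mask)
    print("hit    :", hit_inner_and_outer(feature, feature, mask))
```

Because the comparison is done after masking both sides, the rule content at uncared-for positions is irrelevant, exactly as the explanation of the rules above states; the length check matters in practice, since a rule or mask of the wrong length would otherwise silently compare the wrong fields.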
Example 3:
fig. 6 is a schematic diagram of an architecture of a matching apparatus based on a tunnel packet according to an embodiment of the present invention. The matching device based on the tunnel message of the embodiment includes one or more processors 21 and a memory 22. In fig. 6, one processor 21 is taken as an example.
The processor 21 and the memory 22 may be connected by a bus or other means, such as the bus connection in fig. 6.
The memory 22, which is a non-volatile computer-readable storage medium, can be used to store a non-volatile software program and a non-volatile computer-executable program, such as the matching method based on tunneling messages in embodiment 1. Processor 21 executes the tunneling message-based matching method by executing non-volatile software programs and instructions stored in memory 22.
The memory 22 may include high speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some embodiments, the memory 22 may optionally include memory located remotely from the processor 21, which may be connected to the processor 21 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The program instructions/modules are stored in the memory 22 and, when executed by the one or more processors 21, perform the tunneling message-based matching method of embodiment 1, for example, perform the steps shown in fig. 1 to 4 described above.
It should be noted that the information interaction, execution process and other details of the modules and units in the apparatus and system are based on the same concept as the method embodiments of the present invention; for specifics, refer to the description of the method embodiments, which is not repeated here.
Those of ordinary skill in the art will appreciate that all or part of the steps of the various methods of the embodiments may be implemented by associated hardware as instructed by a program, which may be stored on a computer-readable storage medium, which may include: a Read Only Memory (ROM), a Random Access Memory (RAM), a magnetic or optical disk, and the like.
The above description is intended to be illustrative of the preferred embodiment of the present invention and should not be taken as limiting the invention, but rather, the intention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the invention.

Claims (5)

1. A matching method based on a tunnel message, characterized in that the matching method is realized by conversion into a feature code rule, and the method comprises the following steps:
arranging fields in the protocol header contents of the innermost layer and/or the outermost layer of the tunnel in a preset sequence and converting the fields into hexadecimal character strings;
generating a corresponding mask for the protocol header content of the innermost layer and/or the outermost layer of the tunnel as the basis for tunnel message identification;
obtaining a feature code of the tunnel by a logical AND of the mask and the character string, wherein when the feature code of the tunnel message matches the feature code of the corresponding tunnel, the tunnel message is judged to be a hit tunnel message, and otherwise the corresponding tunnel message is judged to be a missed tunnel message;
the tunnel message further includes one or more intermediate layer tunnels, each layer tunnel is configured with a tunnel health indicator, and the tunnel health indicator is carried in a reserved field of the header, and the method further includes:
monitoring each tunnel involved in the tunnel message, and updating a tunnel health index value in the tunnel message according to a monitoring result;
if the tunnel proportion of the tunnel health index value used by the tunnel message does not reach the standard exceeds 7 percent of the total number of the tunnel used by the tunnel message from the innermost tunnel to the outermost tunnel, the reassignment of the tunnel message from the innermost tunnel to the outermost tunnel is triggered;
the hit tunnel message represents that the service data request end needs to obtain the rest content of the service data from the second tunnel of the innermost layer of the current tunnel message while obtaining the historically-sent service data from the destination end of the first tunnel of the outermost layer; and only if the matching information formed by the innermost tunnel and the outermost tunnel is the same, the tunnel object which needs to be obtained by service data concatenation is obtained correspondingly.
2. The tunneling-message-based matching method according to claim 1, wherein the tunnel health indicator is represented by 1 bit, and comprises: a normal state and a fault state.
3. The matching method according to claim 1, wherein the tunnel packet identification is based on quintuple information and/or triplet information, specifically:
the five-tuple information comprises a source IP address SIP, a source port Sport, a destination IP address DIP, a destination port Dport and a protocol number; the triplet information includes a source IP address SIP, a destination IP address DIP and a protocol number.
4. The matching method based on tunneling messages according to claim 1, further comprising:
determining, from the network state, that the first tunnel of the innermost layer cannot currently be traversed, and obtaining an alternative second tunnel by analysis and calculation;
determining the service data originally set to be transmitted through the first tunnel of the innermost layer that currently cannot be traversed, and, when packing data packets for the subsequent data of that service data, packing the second tunnel as the innermost-layer tunnel and the first tunnel as the outermost-layer tunnel;
formulating a hit strategy, whereby a match that simultaneously contains the respective quintuple information and/or triplet information of the first tunnel and the second tunnel is judged to be a hit;
wherein the tunnel historically arranged at the innermost layer is designated as the highest-priority tunnel for use;
sending the hit strategy synchronously to the service data request end;
and, according to the repackaged tunnel information, the service data request end acquires the service data from the destination address of the second tunnel after partially acquiring the service data from the destination address of the first tunnel.
5. A matching device based on tunnel packets, the device comprising:
at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to perform the tunneling message-based matching method of any of claims 1-4.
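The feature code rule of claim 1 (ordered fields to hex string, mask, logical AND, compare), the quintuple/triplet identification of claim 3, the two-layer hit condition, and the 7 percent health threshold, as an added illustration that is not code from the patent; the field order, byte widths, and the "1 = fault" encoding of the health bit are assumptions, and the sample headers are constructed.

```python
import ipaddress

# Assumed preset field order and byte widths for a five-tuple (the claim only
# says "preset sequence"); the triplet drops the two port fields.
FIELD_ORDER = ("sip", "sport", "dip", "dport", "proto")
FIELD_WIDTHS = {"sip": 4, "sport": 2, "dip": 4, "dport": 2, "proto": 1}
QUINTUPLE = FIELD_ORDER
TRIPLET = ("sip", "dip", "proto")


def header_to_hex(hdr):
    """Arrange the header fields in the preset order and emit one hex string."""
    raw = b""
    for name in FIELD_ORDER:
        if name in ("sip", "dip"):
            raw += ipaddress.IPv4Address(hdr[name]).packed
        else:
            raw += int(hdr[name]).to_bytes(FIELD_WIDTHS[name], "big")
    return raw.hex()


def build_mask(fields):
    """0xFF over the identifying fields, 0x00 elsewhere, same width as the header string."""
    raw = b"".join((b"\xff" if n in fields else b"\x00") * FIELD_WIDTHS[n] for n in FIELD_ORDER)
    return raw.hex()


def feature_code(header_hex, mask_hex):
    """Logical AND of the header string and the mask, kept at the header string's width."""
    return format(int(header_hex, 16) & int(mask_hex, 16), "0%dx" % len(header_hex))


def is_hit(pkt_hdr, tunnel_hdr, fields=QUINTUPLE):
    """Hit when the packet's feature code equals the configured tunnel's feature code."""
    mask = build_mask(fields)
    return feature_code(header_to_hex(pkt_hdr), mask) == feature_code(header_to_hex(tunnel_hdr), mask)


def match_message(inner_hdr, outer_hdr, inner_tunnel, outer_tunnel, fields=QUINTUPLE):
    """Claim 1: the innermost and outermost layers must both match their tunnels."""
    return is_hit(inner_hdr, inner_tunnel, fields) and is_hit(outer_hdr, outer_tunnel, fields)


def needs_reassignment(health_bits, threshold=0.07):
    """Reassign innermost-to-outermost when the share of faulty tunnels exceeds 7 percent.
    Assumes the 1-bit indicator uses 1 = fault (the claim does not fix the encoding)."""
    return sum(1 for b in health_bits if b == 1) / len(health_bits) > threshold


# Constructed sample headers (not taken from the patent); they differ only in source port.
PKT_INNER = {"sip": "10.0.0.1", "sport": 40000, "dip": "10.0.0.2", "dport": 4789, "proto": 17}
TUNNEL_INNER = {"sip": "10.0.0.1", "sport": 51000, "dip": "10.0.0.2", "dport": 4789, "proto": 17}
```

With the triplet mask the sample packet hits the configured tunnel even though its source port differs; with the full quintuple mask it misses, which is the practical difference between the two identification bases of claim 3.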
CN202210695134.4A 2021-12-29 2021-12-29 Matching method and device based on tunnel message Active CN115103038B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210695134.4A CN115103038B (en) 2021-12-29 2021-12-29 Matching method and device based on tunnel message
CN202111634158.0A CN114338851B (en) 2021-12-29 2021-12-29 Matching method and device based on tunnel message

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN202111634158.0A Division CN114338851B (en) 2021-12-29 2021-12-29 Matching method and device based on tunnel message

Publications (2)

Publication Number Publication Date
CN115103038A CN115103038A (en) 2022-09-23
CN115103038B true CN115103038B (en) 2023-02-03

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant