CN1545285A - Method of access control list or security policy database - Google Patents


Publication number
CN1545285A
Authority
CN
China
Legal status
Granted
Application number
CNA2003101035809A
Other languages
Chinese (zh)
Other versions
CN100417150C
Inventor
赵洁
陈开�
陈海彬
李亚晖
丁勇
彭志威
Current Assignee
ZTE Corp
Original Assignee
ZTE Corp
Abstract

The invention discloses a method of access control list and security policy database in the field of data communication, comprising: 1, initialising a Radix tree of the access control list or security policy database; 2, forming the entries of a rule; 3, inserting the rule into the Radix tree; 4, repeating steps 2 and 3 so that all rules are inserted into the Radix tree, forming the complete access control list or security policy database; 5, searching for the matching rule. It overcomes the drawbacks of the existing techniques, namely that rules cannot be ordered automatically without manual control, rule lookup is slow, system resources are wasted seriously and efficiency is low; it orders rules automatically, improves lookup efficiency and saves system resources.

Description

Method of access control list (ACL) and security policy database
Technical field:
The present invention relates to information security technology in the field of information technology, and specifically to a method of implementing an access control list (ACL) or security policy database in an IP network.
Background technology:
In computer networks, whether on the Internet or on an intranet, many organisations and enterprises protect their private networks with firewalls or virtual private network (VPN) technology against malicious attacks from external networks. The most common class of firewall, the packet-filtering firewall, bases its security mainly on checking the IP addresses and port numbers of packets. All information on the Internet is transmitted as packets, and each packet carries information such as the sender's and receiver's IP addresses. A packet-filtering firewall reads, from every packet passing through it, the source IP address, destination IP address, upper-layer protocol, TCP (Transmission Control Protocol, a transport-layer protocol) or UDP (User Datagram Protocol, a transport-layer protocol) port, ICMP (Internet Control Message Protocol, used to control the IP protocol) type and similar fields, and filters the packet according to predefined filtering rules (the set of configured filtering rules is called the Access Control List, ACL). Packets that violate the rules are filtered out by the packet-filtering firewall, thereby protecting the network system. The IP Security protocol (IPsec) provides confidentiality, integrity and anti-replay protection for IP packets and is one of the VPN technologies; before IPsec can be used, security policies must be set, that is, it must be decided which IP packets receive which form of protection. The selectors of a security policy generally include source IP address, destination IP address, upper-layer protocol type and port numbers. As can be seen, an ACL and a security policy are very similar: an ACL usually has only two actions, drop and pass, while a security policy additionally applies security protection to the IP packet.
Most existing ACL and security policy implementations are organised as singly or doubly linked lists. Software and devices organised this way include the firewall software ipchains and iptables of Red Hat Linux, the IPsec security policy manager in the IPv6 protocol stack software KAME, and the ACL of the Cisco PIX firewall. In general, all rules are arranged in a table according to some priority: each packet is first compared with the first rule, and if it matches, the packet is processed according to the action of the policy; otherwise it is compared with the second rule, and so on until the end of the table. Rule matching in this scheme is therefore inefficient, particularly when no match exists or the matching rule is at the end of the table, in which case the whole table must be traversed. Since this lookup must be performed for every IP packet during packet filtering or security policy lookup, the operation becomes very time-consuming when the table is large, for instance several thousand rules or more, and seriously affects network throughput; the linked-list organisation is in fact unsuitable for large rule tables. A further drawback of such a table is that the order of priority must be controlled manually: for example, when an IP packet matches both an entry containing a host address and an entry containing a network address, the entry containing the host address may need to be placed first, which becomes very hard to manage when there are many entries.
Chinese patent application 02117607.8, "method of automatic sequential arranging access control list rule and application thereof", proposes a method of automatically ordering ACL rules. It computes the ordinal position of each ACL rule in the ACL automatically according to a preset ordering principle and configures the rule into the ACL at the computed position. Although this method solves the ordering problem, a separate operation must be performed after all rules have been configured to complete the ordering; rules are not ordered automatically as they are added.
Rule lookup is in fact similar to route lookup; route lookup uses only the destination IP address, whereas rule lookup also uses the source IP address, protocol type, port numbers and so on, so there are more lookup conditions. There are many route lookup methods. G. R. Wright and W. R. Stevens, "TCP/IP Illustrated, vol. 2" (Addison-Wesley Publishing Company, 1995), introduce the Radix tree, a special binary tree used to organise the routing table in Net/3, FreeBSD and most high-end routers. The Radix tree method treats both the address being looked up and the addresses in the tree as bit sequences; the search starts from the first bit of the address bit sequence and compares bit by bit with the nodes of the tree. The value of the corresponding bit directs the search to the left or right subtree, and this is repeated until the corresponding route entry is found. Sklower, K., "A Tree-Based Packet Routing Table for Berkeley Unix", Proceedings of the 1991 Winter USENIX Conference, pp. 93-99, Dallas, Tex., compares the Radix tree method with the Net/1 hash table and shows that building the tree with the Radix tree method is faster than building the Net/1 hash table, and that lookup is three times faster. The prior art, however, has not applied this to access control lists; as for security policies, although the IPsec implementation FreeS/WAN on the Linux operating system uses a Radix tree to organise its security policy database, the policy selectors include only the source and destination IP addresses, which is functionally incomplete.
Summary of the invention:
The object of the invention is to overcome the drawbacks of the prior art, namely that ACL rule entries cannot be ordered automatically, rule lookup is slow, system resources are wasted seriously and efficiency is low, by proposing a method of access control list and security policy database that orders rules automatically, improves lookup efficiency and saves system resources.
To achieve this object, the present invention proposes a method of access control list and security policy database, characterised by the following steps:
One, initialise the Radix tree of the access control list or security policy database:
1. determine the length of each leaf key in the Radix tree;
2. initialise the rule Radix tree, generating three root nodes;
3. initialise the mask Radix tree, generating three root nodes;
Two, form the rule entry:
1. set the rule's source and destination IP addresses, upper-layer protocol value and source and destination port numbers, with addresses and ports in network byte order;
2. set the masks of the rule's source and destination IP addresses, the mask of the upper-layer protocol and the masks of the source and destination port numbers, with the address and port masks also in network byte order;
3. set the rule's processing action, including but not limited to drop, pass, or security processing;
4. combine the data set above into one complete rule;
Three, insert the rule into the Radix tree:
1. arrange the rule's source and destination addresses, upper-layer protocol and port numbers, and their masks, as continuous bit strings, giving the rule bit string and the mask bit string;
2. if the mask bit string does not exist in the mask Radix tree, insert the new mask into the mask Radix tree;
3. insert the new rule into the rule Radix tree, that is, insert two nodes into the tree, an internal node and a leaf;
4. if the rule Radix tree already has a leaf identical to the rule bit string but with a different mask, the rule, called a repeat key, is also inserted into the Radix tree;
Four, repeat steps Two and Three until all rules have been inserted into the Radix tree, forming the complete access control list or security policy database;
Five, search for the matching rule:
1. extract the IP packet's source and destination IP addresses, upper-layer protocol type, TCP or UDP source and destination ports, or ICMP type and code, in network byte order, and form them into one continuous bit string, called the search key;
2. starting from the top of the Radix tree, search downward according to the value of the search key: if the bit of the search key tested at an internal node is 0, continue the search along the left branch, otherwise along the right branch, until the search stops at a leaf;
3. compare the search key bit string with the corresponding leaf; if the leaf's key is identical, return, otherwise continue;
4. AND the entire search key, including address, ports and upper-layer protocol, byte by byte with the mask of the leaf, compare the result with the leaf's key, and return if identical, otherwise continue;
5. move up the tree one level at a time; if the internal node encountered contains a mask, AND the search key with that mask to obtain a new key, use it as the new search key and perform another search in the subtree whose top is the internal node containing the mask, to see whether a matching leaf can be found; if not, backtracking continues up the tree until the top of the tree is reached. If no matching leaf is found during the whole backtracking process, there is no rule in the tree matching this IP packet.
Adopt the method for the invention, compared with prior art, solved the inquiry velocity that exists in the Access Control List (ACL) of present use linear list tissue or the Security Policy Database slow, must artificial shortcoming to rule compositor.The condition that is provided with of each rule comprises the five-tuple that source and destination IP address, upper-layer protocol, source and destination port constitute, and port also can be provided with scope.Because each search rule does not need to compare one by one, but according to the condition direct search location of IP bag, so search time phase difference seldom under average search time and the worst case.By being 1.8G at CPU, in save as on the computer of 1G and test, when 5000 and 10,000 rules being set data are filtered, very little to the influence of throughput.For 64 bytes be surrounded by some influences for a short time, but for almost not influence of the bag more than 512 bytes.And use technology in the past very big to the influence of throughput, comparatively speaking, the advantage of the method for the invention is fairly obvious.
Description of drawings:
Fig. 1 is the flow chart of the method of the invention.
Fig. 2 compares the key structure of the Radix routing table with the key structure of the Radix tree in the method of the invention.
Fig. 3 is the organisation chart of a rule.
Fig. 4 is a schematic of a Radix tree containing 4 rules.
Fig. 5 is the flow chart for adding a rule.
Fig. 6 is the flow chart for deleting a rule.
Fig. 7 is a schematic of the Radix tree after initialisation of the rule tree.
Fig. 8 is a schematic of the Radix tree after rule 1 has been added.
Fig. 9 is the access control policy diagram containing two rules.
Embodiment:
The technical scheme is described in further detail below with reference to the accompanying drawings:
The invention proposes a method of implementing an access control list or security policy database based on the Radix tree, in which the selectors of each rule or policy comprise the source and destination IP addresses, upper-layer protocol type and source and destination port numbers; it solves the prior-art problems of small table size, slow lookup and the need for manual rule ordering. In the invention the IP address of a rule may be a host address or a network address, and a port number may be a fixed value or a range.
Fig. 2 compares the key structure of the leaf used in the Radix routing table with the key structure of the rule Radix tree described here. The routing table key contains only the destination IP address, whereas the key of a filtering rule here is richer. Its length field is set to 17, and family and type may be set to 0, since these two values are not actually used. Note that the first bit of the key is numbered bit 0, so the first bit of the source address is bit 32.
Fig. 3 shows the organisation of a rule. The leaf structure and internal node structure determine the rule's position in the Radix tree; the contents of the condition and condition-mask structures are shown in the lower half of Fig. 1; and the processing action specifies the concrete treatment of IP packets that match the rule, such as drop, pass, or protection with a cryptographic algorithm.
Fig. 4 is an example Radix tree containing 4 rules. Square boxes denote internal nodes and rounded boxes denote leaves. The all-0 and all-1 leaves and the top node are added at initialisation. The contents of the other 4 leaves are the rule conditions and condition masks. The values shown inside the 4 internal nodes other than the top node are test bit positions, used to guide the direction of the search. Taking the internal node labelled 50 as an example, the two leaves below it differ exactly at bit 50 (the first bit of the source address is at position 32): the left branch has 0 (0 = 00000000 in binary) and the right branch has 1 (33 = 00110011 in binary).
Fig. 5 is the flow chart for adding a rule. During insertion, the key of the rule's leaf, that is, the bit string formed from its addresses, ports and so on, is compared with the key of the closest leaf in the tree to find the bit position at which they differ; this position is the test bit value of the internal node, and it determines the position of the leaf and internal node in the tree. The mask list of the rule Radix tree is of the same type as the mask list of the Radix routing table: masks with more consecutive leading 1s are placed at the front of the list and those with fewer at the back. The function of the mask list is to provide a fast direction for the backtracking lookup. The test bit value of an internal node is also related to its mask list: if an internal node has a mask list, the index value of its first mask entry, taken as a positive value minus 1, is less than the test bit value of that node but greater than the test bit value of the node's parent. Adjustment of the mask list follows exactly this rule.
Fig. 6 is the flow chart for deleting a rule. Adjustment of the mask list follows the rule explained above. Deleting a rule simply removes the rule's leaf and internal node from the tree. When a leaf is deleted and its parent (an internal node) is not the internal node inserted together with it, that is, they do not belong to the same rule, the current parent must first be exchanged with the internal node that was inserted together with the leaf, and then the leaf and the internal node inserted with it are deleted; this situation occurs frequently.
Particularly, the method for Access Control List (ACL) of the present invention and Security Policy Database may further comprise the steps: (as shown in Figure 1)
One, initialise the Radix tree of the access control list or security policy database;
1. Determine the length of each leaf key in the Radix tree; in general this is the sum of the lengths of the source IP address, destination IP address, upper-layer protocol type and source and destination port numbers, i.e. 17 bytes. The terms leaf, internal node and key here have the same meaning as the corresponding terms in the Radix routing table, and the data structures used are the same; for details see the relevant content of "TCP/IP Illustrated, vol. 2";
2. Initialise the rule Radix tree, generating three root nodes, where the test bit position of the top node is 32, because the source address starts at bit 32: 4 bytes of supplementary information precede the source address. The key of the leftmost leaf is all 0 and the key of the rightmost leaf is all 1;
3. Initialise the mask Radix tree, similar to the rule Radix tree, except that the test bit position of the top node is 0.
Two, form the rule entry
1. Set the rule's source and destination IP addresses, upper-layer protocol value and source and destination port numbers; addresses and ports are stored in network byte order, i.e. big-endian. If the protocol is ICMP, the source and destination port numbers become the type and code;
2. Set the masks of the rule's source and destination IP addresses, the mask of the upper-layer protocol and the masks of the source and destination port numbers; the address and port masks are also in network byte order. The upper-layer protocol mask has two values: 0, meaning the rule ignores the upper-layer protocol value, and 255, meaning the upper-layer protocol value must equal the value set in step 1. The port mask can take many values, similar to the IP address mask except that it is two bytes long; example values are 0.0, 255.255, 255.192 and so on. 0 means the port value is ignored; 255.255 means the port value must equal the one set in step 1; other values, combined with the port value, are used to control a port range. For example, if the source port value in step 1 is set to 64 and the mask to 255.192, the rule limits packets whose source port is in the range 64~127; the other cases are explained in Table 1;
3. Set the rule's processing action, such as drop, pass, or some security processing such as encryption and authentication;
4. Combine the data set above into one complete rule.
Table 1
No.  Port mask value          Mask range setting example
     Decimal   Hexadecimal    Range size   Range           Port value to set
1    255.254   FFFE           2            2~3             2
2    255.252   FFFC           4            8~11            8
3    255.248   FFF8           8            32~39           32
4    255.240   FFF0           16           64~79           64
5    255.224   FFE0           32           32~63           32
6    255.192   FFC0           64           128~192         128
7    255.128   FF80           128          128~255         128
8    255.0     FF00           256          0~255           0
9    254.0     FE00           512          2048~2559       2048
10   252.0     FC00           1024         16384~17407     16384
11   248.0     F800           2048         2048~4095       2048
12   240.0     F000           4096         4096~8191       4096
13   224.0     E000           8192         8192~16383      8192
14   192.0     C000           16384        32768~49151     32762
15   128.0     8000           32768        32768~65535     32768
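As an added illustration of the port-mask scheme (not code from the patent), the functions below compute the range a port value and two-byte mask cover, check the alignment that the lookup's AND-and-compare requires of the rule's port value, and check a Table 1 row against that arithmetic; by this arithmetic row 6 of the table as printed ends at 191, and the port value 32762 in row 14 is not aligned to mask 192.0.

```python
# Port-mask arithmetic behind Table 1 (added example, not the patent's code).
def dotted_mask(text):
    """Table 1 writes a port mask as two dotted bytes, e.g. '255.192' -> 0xFFC0."""
    hi, lo = (int(x) for x in text.split("."))
    return (hi << 8) | lo

def port_range(port, mask):
    """(low, high, size) of the source or destination ports a rule port/mask pair covers."""
    size = (~mask & 0xFFFF) + 1          # number of ports = 2 ** (zero bits in the mask)
    if port & ~mask & 0xFFFF:
        # step 4 of the lookup compares (packet port AND mask) with the rule's port; an
        # unaligned rule port can never equal a masked packet port, so the rule never matches
        raise ValueError("port %d is not a multiple of %d; use %d" % (port, size, port & mask))
    return port, port + size - 1, size

def port_matches(rule_port, mask, packet_port):
    """The byte-by-byte AND-and-compare of lookup step 4, applied to the port field alone."""
    return (packet_port & mask) == rule_port

def check_table_row(mask_text, size, low, high):
    """True when a Table 1 row (mask, range size, range low~high) agrees with the arithmetic."""
    try:
        return port_range(low, dotted_mask(mask_text)) == (low, high, size)
    except ValueError:
        return False
```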
Three, insert the rule into the Radix tree
1. Regard the rule's source and destination addresses, upper-layer protocol and port numbers as one continuous bit string; likewise, the masks are regarded as one continuous bit string;
2. If the mask bit string does not exist in the mask Radix tree, insert the new mask into the mask Radix tree; the insertion process is illustrated in the accompanying drawings;
3. Insert the new rule into the rule Radix tree; concretely, two nodes are inserted into the tree, one internal node and one leaf. The internal node holds the bit position used during lookup, and the leaf holds the rule's address, mask and other information;
4. If the rule Radix tree already has a leaf identical to the rule bit string but with a different mask, the rule, called a repeat key, is also inserted into the Radix tree;
5. The rule Radix tree also contains a mask list, used when the lookup backtracks. The mask list is shared by internal nodes and leaves. Because new nodes have been inserted into the tree, the mask list may need adjusting, for example by adding a new mask entry; if no adjustment is needed this step is skipped.
This step is similar to the usual process of inserting a route into the Radix routing table, except that the leaf key is not simply a destination IP address but also includes the source IP address, upper-layer protocol and port numbers. The mask is also more complex and may be non-contiguous, for example 255.255.255.0 255.255.255.0 0 255.255 255 (these values represent in turn the masks of the source IP address, destination IP address, source port, destination port and upper-layer protocol); the index value of the mask, however, is computed as in the routing table, i.e. the position at which the first 0 bit appears.
Four, repeat steps Two and Three until all rules have been inserted into the Radix tree, forming the complete access control list or security policy database; rules can be inserted in any order;
Five, search for the matching rule
1. Extract the IP packet's source and destination IP addresses, upper-layer protocol type, TCP or UDP source and destination ports, or ICMP type and code, in network byte order, and form them into one continuous bit string, called the search key;
2. Starting from the top of the tree, search downward according to the value of the search key: if the bit of the search key tested at an internal node is 0, continue the search along the left branch, otherwise along the right branch, until the search stops at a leaf;
3. Compare the search key bit string with the corresponding leaf, i.e. check whether the leaf's key is identical. If it is, the IP packet matches the rule corresponding to this leaf, that is, the address, upper-layer protocol and mask agree exactly with the rule; return. Otherwise continue;
4. AND the entire search key, including address, ports and upper-layer protocol, byte by byte with the mask of the leaf and compare the result with the leaf's key. If identical, the corresponding rule has been found, i.e. the IP packet's address belongs to the network address set in the rule, or its port falls within the set range; return. Otherwise continue;
5. Move up the tree one level at a time. If the internal node encountered contains a mask, AND the search key with this mask to obtain a new key, use it as the new search key and perform another search in the subtree whose top is the internal node containing the mask, to see whether a matching leaf can be found. If not, backtracking continues up the tree until the top of the tree is reached. If no matching leaf is found during the whole backtracking process, there is no rule in the tree matching this IP packet.
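An added worked implementation of steps One to Five above (not the patent's or ZTE's code): a Radix tree keyed on the 17-byte rule string, with the exact and masked leaf comparison and the backtracking lookup. It assumes all-ones header bytes in masks and simplifies the mask-list placement (every node above a rule keeps that rule's mask, longest run of leading 1s first) rather than the index-based rule the patent describes; the sample rules are the two from the worked example below plus a constructed port-range rule.

```python
import socket, struct

KEY_LEN = 17   # 4-byte header + src(4) + dst(4) + sport(2) + dport(2) + proto(1)
HEAD_OFF = 32  # bit tests start after the header, so the first source-address bit is bit 32

def make_key(src, dst, sport, dport, proto):
    """Rule or search key in network byte order; header = length 17, family 0, type 0."""
    return struct.pack("!BBH4s4sHHB", KEY_LEN, 0, 0, socket.inet_aton(src),
                       socket.inet_aton(dst), sport, dport, proto)

def make_mask(src_m, dst_m, sport_m, dport_m, proto_m):
    """Mask in the same layout; the all-ones header is an assumption so the header is never masked."""
    return struct.pack("!BBH4s4sHHB", 0xFF, 0xFF, 0xFFFF, socket.inet_aton(src_m),
                       socket.inet_aton(dst_m), sport_m, dport_m, proto_m)

def bit(key, i):
    return (key[i >> 3] >> (7 - (i & 7))) & 1   # bit i, the first bit of the key being bit 0

def and_bytes(a, b):
    return bytes(x & y for x, y in zip(a, b))

def first_diff_bit(a, b):
    """First bit after the header where a and b differ (None if they agree)."""
    return next((i for i in range(HEAD_OFF, KEY_LEN * 8) if bit(a, i) != bit(b, i)), None)

def mask_index(mask):
    """Patent convention: -(position of the first 0 bit) - 1, e.g. -89 for the example mask."""
    return next((-i - 1 for i in range(KEY_LEN * 8) if not bit(mask, i)), -KEY_LEN * 8 - 1)

class Leaf:
    def __init__(self, key, rules):
        self.key, self.rules = key, rules   # rules: [(mask, action)]; several for a repeat key

class Node:
    def __init__(self, test_bit, left=None, right=None):
        self.bit, self.left, self.right = test_bit, left, right
        self.masks = []                     # mask list consulted while backtracking

class RadixACL:
    def __init__(self):
        # initialisation: top node tests bit 32, leftmost leaf all-0, rightmost leaf all-1
        self.root = Node(HEAD_OFF, Leaf(bytes(KEY_LEN), []), Leaf(b"\xff" * KEY_LEN, []))

    def _descend(self, node, key):
        """Follow the key's bits from node down to a leaf; return the leaf and the nodes passed."""
        path = []
        while isinstance(node, Node):
            path.append(node)
            node = node.right if bit(key, node.bit) else node.left
        return node, path

    def insert(self, key, mask, action):
        leaf, path = self._descend(self.root, key)
        if leaf.key == key:                 # repeat key: same bit string, another mask
            leaf.rules.append((mask, action))
        else:                               # new internal node tests the first differing bit
            b = first_diff_bit(key, leaf.key)
            parent, node, path = None, self.root, []
            while isinstance(node, Node) and node.bit < b:
                path.append(node)
                parent, node = node, (node.right if bit(key, node.bit) else node.left)
            new, new_leaf = Node(b), Leaf(key, [(mask, action)])
            new.left, new.right = (node, new_leaf) if bit(key, b) else (new_leaf, node)
            if parent is None:
                self.root = new
            else:
                setattr(parent, "left" if parent.left is node else "right", new)
            path.append(new)
        for n in path:                      # simplified mask placement: every node above the rule
            if mask not in n.masks:         # keeps its mask, longest run of leading 1s first
                n.masks.append(mask)
                n.masks.sort(key=mask_index)

    def _match(self, leaf, key):
        """Steps 3 and 4: exact key match, else AND with the rule's mask and compare."""
        for mask, action in leaf.rules:
            if key == leaf.key or and_bytes(key, mask) == leaf.key:
                return action
        return None

    def lookup(self, key):
        leaf, path = self._descend(self.root, key)
        hit = self._match(leaf, key)
        for node in reversed(path):         # step 5: backtrack, re-searching under each mask
            for mask in node.masks:
                if hit is not None:
                    return hit
                hit = self._match(self._descend(node, and_bytes(key, mask))[0], key)
        return hit

# constructed from the patent's worked example: its two rules plus a third, port-range rule
MASK = make_mask("255.255.255.255", "255.255.255.0", 0, 0xFFFF, 0xFF)
ACL = RadixACL()
ACL.insert(make_key("192.168.1.1", "192.168.2.0", 0, 23, 17), MASK, "drop")
ACL.insert(make_key("192.168.1.1", "192.168.2.0", 0, 21, 17), MASK, "encrypt")
# any source, destination 192.168.2.0/24, source port 64~127 (mask 255.192), any protocol
ACL.insert(make_key("0.0.0.0", "192.168.2.0", 64, 0, 0),
           make_mask("0.0.0.0", "255.255.255.0", 0xFFC0, 0, 0), "allow")

def classify(src, dst, sport, dport, proto):
    return ACL.lookup(make_key(src, dst, sport, dport, proto))   # action, or None if no rule matches
```

A packet from 192.168.1.1 with source port 70 and protocol 6 descends to the leaves of the first two rules, fails both, and is only matched to the port-range rule when backtracking reaches the top node and re-searches under that rule's mask.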
The insertion of rules is explained below with an example, assuming that two rules are to be inserted, with the following data (the second line of each rule gives its masks):
     Source address   Destination address  Source port  Destination port  Protocol  Action
1.   192.168.1.1      192.168.2.0          0            23                17        drop
     255.255.255.255  255.255.255.0        0            255.255           255
2.   192.168.1.1      192.168.2.0          0            21                17        encrypt
     255.255.255.255  255.255.255.0        0            255.255           255
The specific insertion steps are as follows:
1. Initialise the rule Radix tree; the tree after initialisation is shown in Fig. 6;
2. Generate the two rules: the values of the leaf and internal node structures in each rule are empty, and the rule conditions and their masks are set to the data above. The rule conditions are regarded as one continuous bit string and likewise all the masks are regarded as one bit string, stored in big-endian order; for example 192.168.1.1 192.168.2.0 0 23 17, in hexadecimal from the low byte to the high byte, is C0 A8 01 01 C0 A8 02 00 00 017 11;
3. Insert rule 1
1) Since this rule has a mask and the mask Radix tree is empty, the mask is inserted into the mask tree; the index value of the mask is -89 (the 88th bit of the mask is 0, and -88-1 = -89);
2) Starting from the top of the Radix tree, test the rule condition bit string: first test bit 32, the first bit of the source address, which is found to be 1 (192 is 11000000 in binary), so testing continues along the right branch of the tree; but the right branch of the tree is a leaf, so testing stops;
3) Comparing the key of the leaf (all 1) with the rule bit string shows that they differ at bit 34 (192 is 11000000 in binary; bits 32 and 33 are 1 and bit 34 is 0);
4) Set the test bit value of the rule's internal node to 34, set the key and mask of the leaf to the condition bit string and the mask bit string, and insert the leaf and internal node into the tree: the internal node becomes the right branch of the top node, the rule's leaf becomes the left branch of the internal node because its bit 34 is 0, and the all-1 leaf becomes the right branch of the internal node;
5) Since 34 is less than 88 (the mask index taken as a positive value minus 1), no mask entry needs to be added; the Radix tree after adding rule 1 is shown in Fig. 7;
4. Insert rule 2
1) Rule 2 also has a mask, identical to that of rule 1; a lookup in the mask Radix tree finds that this mask already exists, so the mask insertion step is skipped and the mask index value is still -89;
2) Starting from the top of the Radix tree, test the rule condition bit string: first test bit 32, found to be 1, so continue along the right branch; the second test is of bit 34, found to be 0, so continue along the left branch; since the left branch is a leaf, testing stops;
3) Comparing the key of the leaf (the condition of rule 1) with the rule bit string shows that they differ at bit 118 (23 is 00010111 in binary and 21 is 00010101; bit 118 of 21 is 0 and bit 118 of 23 is 1);
4) Set the test bit value of the rule's internal node to 118, set the key and mask of the leaf to the condition bit string and the mask bit string, and insert both into the tree: the internal node becomes the left branch of the internal node whose test bit value is 34, the leaf becomes the left branch of the new internal node because its bit 118 is 0, and the leaf of rule 1 becomes the right branch of the new internal node;
5) Since the test bit value of the internal node, 118, is greater than 88 (the mask index taken as a positive value minus 1), a new mask entry must be added to the mask list; the mask of the entry is the mask of rule 2, and both the internal node and the leaf point to this mask entry. The Radix tree after adding rule 2 is shown in Fig. 8.
Rule lookup is illustrated further below, using the access control policy table containing the two rules of the preceding example (see Fig. 8), with rule queries for packets with the following conditions:
     Source address   Destination address  Source port  Destination port  Protocol
1.   192.168.1.1      192.168.2.1          1000         23                17
2.   192.168.1.1      192.168.2.2          2000         21                17
3.   192.168.1.1      192.168.2.3          3000         23                6
The specific query steps are as follows:
1. Extract the source and destination IP addresses, the upper-layer protocol type and the source and destination ports of the IP packet in network byte order, forming a continuous bit string, i.e. the search key;
2. Rule search for IP packet 1
1) Starting from the root of the radix tree, test the search key formed from IP packet 1: first test bit 32, which is found to be 1, so continue along the right branch; then test bit 118, which is also 1, so again continue along the right branch; this right branch is a leaf, so the downward search stops;
2) Compare the key value of the leaf with the search key, starting from the first byte of the source address; the last byte of the destination address differs, which shows that this is not an exact match, so the query must continue;
3) AND the mask of the leaf with the search key; the result is 192.168.1.1 192.168.2.0 0 23 17. Compare this bit string with the key value once more: they are identical, which shows that a matching rule has been found, namely rule 2 inserted earlier.
3. Rule search for IP packet 2
The query process is essentially the same as for IP packet 1; the rule found for IP packet 2 is rule 1 inserted earlier.
4. Rule search for IP packet 3
1) Starting from the root of the radix tree, test the search key formed from IP packet 3: first test bit 32, which is found to be 1, so continue along the right branch; then test bit 118, which is also 1, so again continue along the right branch; this right branch is a leaf, so the downward search stops;
2) Compare the key value of the leaf with the search key, starting from the first byte of the source address; the last byte of the destination address differs, which shows that this is not an exact match, so the query must continue;
3) AND the mask of the leaf with the search key; the result is 192.168.1.1 192.168.2.0 0 23 6. Comparing this bit string with the key value once more, a difference is found in the last byte, so the query must backtrack up the tree;
4) First backtrack up to the inner node whose test bit is 118, and find that the mask list this inner node points to is not empty; therefore AND the mask of the mask entry (the mask shared by rules 1 and 2) with the search key, starting from the byte at which step 2 found the difference, which yields 0 0 23 6; take this bit string as the new search key and search again, using the inner node as the root of the tree;
5) First test bit 118, which is found to be 1, so take the right branch and compare with the leaf again; but the corresponding value of the leaf is 0 0 23 17, which differs. Moreover, the mask list of inner node 118 has only one entry, so backtracking at this inner node ends;
6) Backtrack up to the inner node whose test bit is 34; this inner node has no mask list, so backtrack one more level, arriving at the root of the tree; the root has no mask list either, so the search ends, which shows that there is no matching rule.

Claims (14)

1, the method for a kind of Access Control List (ACL) and Security Policy Database is characterized in that, may further comprise the steps:
The first step: the Radix tree to Access Control List (ACL) or Security Policy Database carries out initialization;
Second step: formation rule clauses and subclauses;
The 3rd step: rule is inserted the Radix tree;
The 4th step: repeat second step and the 3rd step, strictly all rules is inserted in the Radix tree, form whole Access Control List (ACL) or Security Policy Database;
The 5th step: searching matching rules.
2, the method for Access Control List (ACL) according to claim 1 and Security Policy Database is characterized in that, the described first step further may further comprise the steps:
(1) determines the length of each leaf key assignments in the Radix tree;
(2) initialization rule Radix tree generates three root nodes;
(3) initialization mask Radix tree generates three root nodes.
3, the method for Access Control List (ACL) according to claim 2 and Security Policy Database, it is characterized in that, described step (1) middle period subkey length is the length summation of source IP address, purpose IP address, upper-layer protocol type, source and destination port numbers, i.e. 17 bytes.
4, the method for Access Control List (ACL) according to claim 2 and Security Policy Database is characterized in that, in (2) three root nodes of described step, the key assignments of high order end leaf is complete 0, and the key assignments of low order end leaf is complete 1.
5, the method for Access Control List (ACL) according to claim 2 and Security Policy Database is characterized in that, the test bit positional value on three root node summits in the described step (3) is 0.
6, the method for Access Control List (ACL) according to claim 1 and Security Policy Database is characterized in that, described second step further may further comprise the steps:
(1) regular source and destination IP address, upper-layer protocol value, source and destination port numbers are set, address and port all sort with network bytes;
(2) mask of the source and destination IP address of rule, the mask of upper-layer protocol, the mask of source and destination port numbers are set, the mask of address and port is the network preface;
(3) be provided with the rule processing mode, include but not limited to abandon, allow by or safe and secret processing;
(4) the various data of above setting are formed a complete rule.
7, the method for Access Control List (ACL) according to claim 6 and Security Policy Database is characterized in that, in the described step (1), if the agreement that rule adopts is the ICMP agreement, and corresponding type and the code of changing to of source port number then with the destination slogan.
8, the method for Access Control List (ACL) according to claim 6 and Security Policy Database, it is characterized in that, in the described step (2), the mask of upper-layer protocol has two values, one is 0, represent that this rule ignores the upper-layer protocol value, another is 255, and expression upper-layer protocol value must be the value of setting in the step (1).
9, the method for Access Control List (ACL) according to claim 6 and Security Policy Database is characterized in that, the safe and secret processing in the described step (3) comprises encrypts and the authentication dual mode.
10, the method for Access Control List (ACL) according to claim 1 and Security Policy Database is characterized in that, described the 3rd step further may further comprise the steps:
(1) source and destination address, upper-layer protocol and the port numbers of rule and mask are set to a continuous Bit String, become regular bit string and mask bit string;
(2), then new mask is inserted in the mask Radix tree if the mask bit string does not exist in mask Radix tree;
(3) new regulation is inserted in the regular Radix tree, promptly in tree, inserts inner node and two nodes of leaf;
(4) if had the leaf identical with the regular bit string in the regular Radix tree, but the mask difference then also is inserted into this rule that is called repeat key in the Radix tree.
11, the method for Access Control List (ACL) according to claim 10 and Security Policy Database is characterized in that, the inside node in the described step (3) comprises the bit position value of using when searching, and leaf comprises the address and the mask information of rule.
12, the method for Access Control List (ACL) according to claim 10 and Security Policy Database is characterized in that, as increases new mask entry, then also need comprise a mask chained list in regular Radix tree, uses when search is recalled.
13, the method for Access Control List (ACL) according to claim 1 and Security Policy Database is characterized in that, in described the 4th step, strictly all rules can insert with any order.
14, the method for Access Control List (ACL) according to claim 1 and Security Policy Database is characterized in that, described the 5th step further may further comprise the steps:
(1) the source and destination port of source and destination IP address, upper-layer protocol type, TCP or the UDP that IP is wrapped or type and the code of ICMP extract according to the network preface, form a continuous Bit String, are called key for searching;
(2) from the summit of Radix tree, search for downwards, if the value of the bit that sets at certain inner node in the key for searching is 0, then continue search, otherwise continue search until certain leaf place stops along right branch along left branch according to the value of key for searching;
(3) the key for searching Bit String corresponding relatively with leaf, if the key assignments of leaf is identical then return, otherwise continuation;
(4) all the elements that key for searching comprised address, port and upper-layer protocol and the mask of leaf correspondence byte-by-byte with, the result who obtains again with the key assignments of leaf relatively, if identical then return, otherwise continue;
(5) move up along tree, each mobile one deck, if the inside node that runs into contains mask, then key for searching and this mask are carried out logic and operation, obtain a new key assignments, then with this key assignments as new key for searching, in the inside node that contains this mask is the subtree on summit, carry out another time and search, see and whether can find the leaf of coupling, if can not find, then trace-back process continues along moving on the tree, up to the summit that arrives tree; If in whole trace-back process, all can not find the leaf of coupling, then do not wrap the rule of coupling in the specification tree with this IP.
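The insert and search procedure of the worked example in the description and of claims 10 to 14, as an added example in Python. This is not the patent's code (the patent discloses none); the key layout, the class and function names (RadixAcl, pack, mask_index and so on) and the sample rules are assumptions made for this example. It uses a 13-byte key, src(32) dst(32) sport(16) dport(16) proto(8), instead of the patent's 17-byte key, so its bit numbers differ from the 32/34 and 118 of the description. A rule's mask is recorded on the highest ancestor whose test bit is not below the mask's index (its first 0 bit), and an insertion that creates a new inner node above such a node moves the affected masks up to it; both are needed for the backtracking search of claim 14(5) to find a rule whose masked-out bits steered the descent into the wrong branch.

```python
# Added example (not the patent's own code): a Patricia/radix-tree ACL with
# per-node mask lists and backtracking, following the insert and search steps
# described on this page. ASSUMED key layout, bit 0 = most significant bit:
# src(32) dst(32) sport(16) dport(16) proto(8) = 104 bits. The patent uses a
# 17-byte key, so its bit numbers (32/34, 118) do not carry over one-to-one.
import ipaddress

KEY_BITS = 104
ALL_ONES = (1 << KEY_BITS) - 1
ICMP, TCP, UDP = 1, 6, 17

def pack(src, dst, proto, a, b):
    """Network-order bit string for a 5-tuple; a/b are source/destination port,
    or ICMP type/code when proto is ICMP (claim 7). Masks are built the same
    way from per-field masks (proto mask 0 = ignore, 255 = must match)."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    return (s << 72) | (d << 40) | (a << 24) | (b << 8) | proto

def bit(key, i):              # bit i of key, counted from the most significant end
    return (key >> (KEY_BITS - 1 - i)) & 1

def first_diff(a, b):         # index of the first differing bit, None if equal
    return None if a == b else KEY_BITS - (a ^ b).bit_length()

def mask_index(mask):         # index of the first 0 bit of a mask (KEY_BITS if none)
    return KEY_BITS - (~mask & ALL_ONES).bit_length()

class Leaf:                   # key = rule condition AND mask; entries = [(mask, action)]
    def __init__(self, key, entries=()):
        self.key, self.entries = key, list(entries)   # repeat keys chain in entries

class Inner:                  # test bit, two children, and the mask list for backtracking
    def __init__(self, bit, left, right):
        self.bit, self.left, self.right, self.masks = bit, left, right, []

class RadixAcl:
    def __init__(self):       # initial tree: root, all-0 leftmost leaf, all-1 rightmost leaf
        self.root = Inner(0, Leaf(0), Leaf(ALL_ONES))

    def _descend(self, node, key):
        path = []
        while isinstance(node, Inner):
            path.append(node)
            node = node.right if bit(key, node.bit) else node.left
        return node, path

    def insert(self, cond, mask, action):
        key = cond & mask
        leaf, anc = self._descend(self.root, key)
        d = first_diff(key, leaf.key)
        if d is None:                        # repeat key: same bits, different mask
            leaf.entries.append((mask, action))
        else:
            parent, cur, anc = None, self.root, []
            while isinstance(cur, Inner) and cur.bit < d:
                anc.append(cur)
                parent, cur = cur, (cur.right if bit(key, cur.bit) else cur.left)
            new = Leaf(key, [(mask, action)])
            node = Inner(d, cur, new) if bit(key, d) else Inner(d, new, cur)
            setattr(parent, "left" if parent.left is cur else "right", node)
            # masks recorded below whose index is <= the new test bit move up to it
            below = cur.masks if isinstance(cur, Inner) else [m for m, _ in cur.entries]
            node.masks = [m for m in below if mask_index(m) <= d]
            if isinstance(cur, Inner):
                cur.masks = [m for m in below if mask_index(m) > d]
            anc.append(node)
        # record the mask on the highest ancestor whose test bit >= the mask index
        top = next((n for n in anc if n.bit >= mask_index(mask)), None)
        if top is not None and mask not in top.masks:
            top.masks.append(mask)

    @staticmethod
    def _match(leaf, key):    # masked compare; the exact compare is the full-mask case
        return next((act for m, act in leaf.entries if key & m == leaf.key), None)

    def lookup(self, key, backtrack=True):
        leaf, path = self._descend(self.root, key)
        hit = self._match(leaf, key)
        if hit or not backtrack:
            return hit
        for node in reversed(path):          # walk back up; retry with each mask
            for m in node.masks:
                hit = self._match(self._descend(node, key & m)[0], key)
                if hit:
                    return hit
        return None

def build_example_acl():
    """Constructed rules: the page's two UDP rules, a host rule whose test bit
    falls in rule 2's masked-out byte (forces backtracking), and an ICMP rule."""
    acl = RadixAcl()
    host_to_net = pack("255.255.255.255", "255.255.255.0", 255, 0, 0xFFFF)
    acl.insert(pack("192.168.1.1", "192.168.2.0", UDP, 0, 21), host_to_net, "rule1")
    acl.insert(pack("192.168.1.1", "192.168.2.0", UDP, 0, 23), host_to_net, "rule2")
    acl.insert(pack("192.168.1.1", "192.168.2.5", UDP, 0, 23),
               pack("255.255.255.255", "255.255.255.255", 255, 0, 0xFFFF), "rule3")
    acl.insert(pack("192.168.1.0", "0.0.0.0", ICMP, 8, 0),
               pack("255.255.255.0", "0.0.0.0", 255, 0xFFFF, 0), "rule4-ping")
    return acl
```

With the constructed rules, a UDP packet from 192.168.1.1 to 192.168.2.1 port 23 reaches rule 2's leaf directly and matches after the masked compare, as in the description's packet 1, while a TCP packet to port 23 fails every compare and every backtracking retry, as in packet 3. The reason the mask list exists is rule3: its inner node tests a bit inside rule 2's masked-out destination byte, so a packet to 192.168.2.7 port 23 descends to rule3's leaf and is found to match rule 2 only on backtracking (lookup(..., backtrack=False) returns None for it). Two points the page leaves open: the search returns whichever matching leaf it reaches first, not an administrator-ordered first match, so overlapping rules with conflicting actions need an explicit priority on the leaf entries; and the rule condition must be ANDed with its mask before insertion, otherwise the leaf key can never equal the masked search key.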
CNB2003101035809A 2003-11-11 2003-11-11 Method of access control list or security policy database Expired - Lifetime CN100417150C (en)


Publications (2)

Publication Number Publication Date
CN1545285A true CN1545285A (en) 2004-11-10
CN100417150C CN100417150C (en) 2008-09-03

Family

ID=34333323


Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100393071C (en) * 2005-06-30 2008-06-04 杭州华三通信技术有限公司 Method for configuring access control list and its application
CN100433009C (en) * 2005-11-24 2008-11-12 华为技术有限公司 Method for managing and maintaining tatic range matching table
CN1897564B (en) * 2005-07-11 2010-04-14 中兴通讯股份有限公司 Strategic routing matching method based on recursive-flow category algorithm
CN1859384B (en) * 2005-12-29 2011-02-02 华为技术有限公司 Method for controlling user's message passing through network isolation device
CN101515874B (en) * 2008-02-21 2011-07-27 卓望数码技术(深圳)有限公司 Access control method and access control system for network server
CN101091369B (en) * 2004-12-22 2012-11-14 艾利森电话股份有限公司 Means and method for control of personal data
CN104361296A (en) * 2014-11-14 2015-02-18 武汉烽火网络有限责任公司 Parallel lookup method for high-capacity access control list
CN105187436A (en) * 2015-09-25 2015-12-23 中国航天科工集团第二研究院七〇六所 Packet filtering host network control method based on hash table
CN109587117A (en) * 2018-11-09 2019-04-05 杭州安恒信息技术股份有限公司 A kind of anti-replay-attack method of the whole network udp port scanning
CN109617927A (en) * 2019-01-30 2019-04-12 新华三信息安全技术有限公司 A kind of method and device matching security strategy
CN116132187A (en) * 2023-02-23 2023-05-16 北京京航计算通讯研究所 Data packet filtering method and system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5860011A (en) * 1996-02-29 1999-01-12 Parasoft Corporation Method and system for automatically checking computer source code quality based on rules
US6493706B1 (en) * 1999-10-26 2002-12-10 Cisco Technology, Inc. Arrangement for enhancing weighted element searches in dynamically balanced trees
JP3591426B2 (en) * 2000-05-30 2004-11-17 日本電信電話株式会社 Method and apparatus for searching for associative information using a plurality of addresses including a prefix
AU2002314508A1 (en) * 2001-06-26 2003-01-08 Allot Communications Ltd. Method for filter selection and array matching



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CX01 Expiry of patent term

Granted publication date: 20080903