WO2011026345A1 - Deep packet inspection system and packet processing method - Google Patents

Deep packet inspection system and packet processing method

Info

Publication number: WO2011026345A1
Authority: WO (WIPO (PCT))
Prior art keywords: control, policy, module, control policy, detection result
Application number: PCT/CN2010/072882
Other languages: English (en), Chinese (zh)
Inventors: 宋晓丽, 杨波
Original assignee: 中兴通讯股份有限公司
Priority date: 2009-09-02
Filing date: 2010-05-18
Publication date: 2011-03-10
Application filed by 中兴通讯股份有限公司
Publication of WO2011026345A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 47/00 Traffic control in data switching networks
    • H04L 47/70 Admission control; Resource allocation > H04L 47/80 Actions related to the user profile or the type of traffic > H04L 47/805 QOS or priority aware
    • H04L 47/10 Flow control; Congestion control > H04L 47/24 Traffic characterised by specific attributes, e.g. priority or QoS > H04L 47/2441 Traffic characterised by specific attributes, e.g. priority or QoS relying on flow classification, e.g. using integrated services [IntServ]
    • H04L 47/70 Admission control; Resource allocation
    • H04L 47/70 Admission control; Resource allocation > H04L 47/78 Architectures of resource allocation > H04L 47/781 Centralised allocation of resources

Definitions

  • The present invention relates to the field of data communication, and in particular to a deep packet inspection system and a packet processing method that can be applied simultaneously to NGN (Next Generation Network) and non-NGN environments.
  • NGN: Next Generation Network
  • DPI: Deep Packet Inspection
  • DPI equipment: equipment with service data flow identification and service data flow control capabilities, working from the transport layer to the application layer (layer 2 to layer 7) of the OSI (Open System Interconnect) model, with high data stream processing capability, capable of identifying the services carried on the network and performing traffic management, and deployable on the backbone network, the metropolitan area network, and network equipment inside the enterprise network.
  • The Resource Access Control Facility (RACF) in the NGN environment performs QoS (Quality of Service) control of the transmission resources in the NGN based on transport layer authentication information, service level, network policy, and traffic priority.
  • QoS: Quality of Service
  • Specific strategies include bandwidth reservation, bandwidth allocation, packet filtering, traffic shaping, and priority service processing.
  • UE: User Equipment
  • The object of the present invention is to provide a deep packet inspection system and a packet processing method, which can
  • The present invention provides a deep packet inspection system including a management unit, a control unit, and an execution unit, where the execution unit includes a detection module and a policy control module, and where:
  • the management unit is configured to save and manage system information, and is provided with a first interface for interacting with an entity in a next generation network;
  • the detection module is configured to perform deep packet inspection on data packets according to an identification rule and obtain a first detection result, where the identification rule is a rule sent by the entity in the next generation network through the first interface;
  • the control unit is configured to deliver a control policy, where the control policy is a policy generated according to the first detection result and the system information;
  • the policy control module is configured to control service traffic in the next generation network environment according to the control policy.
  • In the deep packet inspection system, the management unit is further provided with a second interface for interacting with an entity in a network other than the next generation network;
  • the detection module further performs deep packet inspection on data packets according to an identification rule statically configured by network management, and obtains a second detection result;
  • the control unit is further configured to generate a fourth control policy according to the second detection result and the system information;
  • the policy control module is further configured to control service traffic according to the fourth control policy.
  • The control policy includes:
  • a second control policy generated by an entity in the next generation network according to the first detection result and the system information.
  • When the control policy is the first control policy, the control unit specifically includes:
  • a first receiving module, configured to receive the detection result;
  • a policy generating module, configured to generate the first control policy according to the detection result and the system information;
  • a first sending module, configured to send the first control policy to the policy control module.
  • In the above deep packet inspection system, when the control policy is the second control policy, the control unit specifically includes:
  • a first receiving module, configured to receive the detection result;
  • an uploading module, configured to upload the detection result to the entity in the next generation network through the first interface;
  • a second receiving module, configured to receive the second control policy sent by the entity in the next generation network through the first interface.
  • The control policy further includes a third control policy, and the control unit further includes:
  • a third sending module, configured to send to the policy control module a third control policy that is statically configured by network management and received from the management unit.
  • The control unit further includes:
  • an information collection module, configured to collect and save the detection results obtained by the detection module during deep packet inspection.
  • The control unit further includes:
  • an associated stream processing module, configured to identify, according to the multiple detection results saved in the information collection module, a service type used to generate the control policy.
  • The embodiment of the present invention further provides a packet processing method, including: the deep packet inspection system performs deep packet inspection on data packets according to the identification rule sent by the entity in the next generation network, and obtains a first detection result;
  • the deep packet inspection system controls the traffic according to the control policy.
  • The control policy includes:
  • a second control policy generated by an entity in the next generation network according to the first detection result and the system information.
  • The deep packet inspection system performing deep packet inspection on data packets according to the identification rule further includes:
  • the deep packet inspection system generates a fourth control policy according to the second detection result and the system information;
  • the deep packet inspection system controls service traffic according to the fourth control policy.
  • In the foregoing packet processing method, the control policy further includes a third control policy statically configured by network management.
  • In the above solution, the detection module inspects data packets according to the identification rule issued by the entity in the NGN, and the policy control module controls the traffic according to the control policy generated from the detection result and the system information, so that any service in the NGN can be controlled; the quality of service can therefore be guaranteed and the needs of users met.
  • By providing interfaces for interacting with an entity in the NGN and with an entity in a network other than the NGN, the deep packet inspection system and the packet processing method of the present invention can be applied simultaneously to the NGN and to networks other than the NGN, and are thus versatile.
  • FIG. 1 is a schematic structural diagram of a deep packet inspection system according to a first embodiment of the present invention;
  • FIG. 2 is a schematic diagram of a first structure of a control unit according to an embodiment of the present invention;
  • FIG. 3 is a schematic diagram of a second structure of a control unit according to an embodiment of the present invention;
  • FIG. 4 is a schematic flowchart of a method according to an embodiment of the present invention.
  • Detailed description
  • The deep packet inspection system identifies packets according to the identification rule sent by the entity in the NGN, and uses the detection result to control the service data packets, so that QoS control can be achieved for all services in the NGN.
  • The deep packet inspection system of the embodiment of the present invention includes a management unit, a control unit, and an execution unit, where the execution unit is provided with a detection module and a policy control module, and where: the management unit is configured to save and manage system information, and is provided with a first interface for interacting with a first application domain in the NGN;
  • the detection module is configured to perform deep packet inspection on data packets according to the identification rule and obtain a first detection result, where the identification rule is a rule issued by an entity in the first application domain through the interface provided by the management unit;
  • the control unit is configured to deliver a control policy, where the control policy is generated according to the first detection result and the system information;
  • the policy control module is configured to control service traffic according to the control policy;
  • the control policy is a policy generated according to the detection result and the system information.
  • In the NGN environment, the control policy is:
  • a first control policy that the control unit generates according to the first detection result and the system information and delivers to the policy control module; and/or
  • a second control policy that the entity in the first application domain generates according to the first detection result and the system information and delivers to the policy control module.
  • The entity in the first application domain may be an RACF, a NACF (Network Attachment Control Function) entity, or an SCF (Service Control Function) entity.
  • RACF: Resource Access Control Facility
  • NACF: Network Attachment Control Function
  • SCF: Service Control Function
  • The RACF is taken as an example in the detailed description below.
  • Although the management unit and the execution unit are connected through the control unit, it should be understood that the management unit may also be directly connected to the execution unit. Therefore, the identification rule that the RACF entity delivers through the interface provided by the management unit can be delivered to the execution unit by the management unit through the control unit, or, where the management unit and the execution unit are directly connected, by the management unit directly to the execution unit.
  • Control of the service traffic includes shaping, rate limiting, packet modification, packet dropping, and the like.
  • Deep packet inspection of a data packet according to the identification rule may include user identification, content identification, service identification, priority identification, and the like.
  • The system information is preset by a network administrator, and its content includes but is not limited to: user information, service information, subscription policy information, and association information.
  • Multiple deep packet inspection systems are generally provided, and the association information records the deep packet inspection systems that can back each other up or that have an association relationship. If some units in the current deep packet inspection system have a problem (such as abnormal system operation or heavy load), processing can, according to the association information, be taken over by other deep packet inspection systems to ensure the stability of the system.
  • Whether the RACF or the control unit generates the control policy, it needs to consider the user information, the service information, and the subscription policy information, as illustrated below.
  • Example 1: when the control policy is formulated, it is determined whether the service type of the identified data packet is a customized service type. If not, the control policy is to discard the data packet; otherwise, the control policy is to forward the data packet.
  • Example 2: the subscription policy information specifies that data packets of P2P services are to be discarded.
  • When the control policy is formulated, it is determined whether the service type of the identified data packet is a P2P service. If so, the control policy is to discard the data packet; otherwise, the control policy is to forward the data packet.
  • The policy control module controls the service traffic according to the control policy. The control policy covers two situations: it may be a first control policy generated by the control unit according to the detection result and the system information, or a second control policy generated by the RACF according to the detection result and the system information. The structure of the control unit in each of the two cases is described below.
  • When the control policy is the first control policy, the control unit needs to generate the control policy by combining the detection result and the system information. As shown in FIG. 2, the control unit specifically includes: a first receiving module, configured to receive the detection result;
  • a policy generating module, configured to generate the first control policy according to the detection result and the system information;
  • a first sending module, configured to send the first control policy to the policy control module.
  • When the control policy is the second control policy, the control unit specifically includes: a first receiving module, configured to receive the detection result;
  • an uploading module, configured to upload the detection result to the RACF through the management unit;
  • a second receiving module, configured to receive the second control policy sent by the RACF through the management unit.
  • The control unit further includes:
  • a third sending module, configured to send to the policy control module a third control policy that is statically configured by network management and received from the management unit.
  • The control unit may include all of the aforementioned modules (the first receiving module, the policy generating module, the first sending module, the second receiving module, and the second sending unit).
  • The control unit further includes:
  • an information collection module, configured to collect and save the detection results obtained by the detection module during deep packet inspection, for charging, statistics, and query.
  • The control unit further includes an associated stream processing module, which identifies a service type according to the packet detection results saved in the information collection module; the policy generating module uses this service type to generate the first control policy, or the RACF uses it to generate the second control policy.
  • When the service type identified by the associated stream processing module is used by the policy generating module to generate the first control policy, the associated stream processing module is connected to the information collection module and the policy generating module. When the service type identified by the associated stream processing module is used by the RACF to generate the second control policy, the associated stream processing module is connected to the information collection module and the uploading module, and the uploading module is further configured to upload the service type detection result to the RACF through the management unit.
  • The data packet can also be controlled by the RACF.
  • The management unit is further provided with a second interface for interacting with an entity in a second application domain, that is, an entity in a network other than the NGN.
  • The detection module is further configured to perform deep packet inspection on data packets according to the rule statically configured by network management, to obtain a second detection result; the control unit is further configured to generate a fourth control policy according to the second detection result and the system information;
  • and the policy control module is further configured to control service traffic in the network environment other than the next generation network according to the fourth control policy.
  • The entities in the second application domain include an AAA server, a security management entity, a linkage management entity, and the like.
  • non-NGN network: a network other than the NGN
  • The difference lies only in the content of the interaction: in the non-NGN network, the entity cannot control the data packet by itself, so its control policy must be generated by the control unit; the generation of this control policy is therefore the same as that of the first control policy and is not described in detail here.
  • The packet processing method in the specific embodiment of the present invention is as shown in FIG. 4 and includes:
  • Step 41: the management unit of the deep packet inspection system acquires, through the first interface, the identification rule delivered by the entity in the application domain of the NGN.
  • Step 42: the detection module in the deep packet inspection system performs deep packet inspection on the data packet according to the identification rule, to obtain the detection result;
  • Step 43: the policy control module in the deep packet inspection system controls the traffic according to the control policy; the control policy is a policy generated according to the detection result and the system information.
  • For the NGN environment, the control policy includes:
  • between steps 42 and 43, the detection module in the deep packet inspection system uploads the detection result to the RACF through the management unit;
  • the management unit in the deep packet inspection system acquires the second control policy through the first interface and sends the second control policy to the policy control module.
  • For a network environment other than the NGN, the control policy includes:
  • the control unit is further configured to generate a fourth control policy according to the second detection result and the system information, where the second detection result is obtained by the detection module performing deep packet inspection on the data packet according to the identification rule statically configured by network management.
  • In the prior art, in an NGN environment, certain services (such as games and network-critical services) do not have a resource request function, and therefore the network operator cannot guarantee the QoS of these high-quality services. The device and method of the embodiment of the present invention can solve this problem.
  • The RACF first formulates an identification rule and sends it to the management unit in the deep packet inspection system through the interface; after receiving the identification rule, the management unit sends it to the detection module directly or through the control unit;
  • after receiving the identification rule, the detection module performs deep packet inspection on the received data packets and obtains the detection result;
  • The control policy can then be formulated in either of two ways.
  • First way: the detection module sends the detection result to the control unit;
  • the control unit uses the system information in the management unit and the detection result to formulate the control policy, and delivers the control policy to the policy control module;
  • the policy control module uses the control policy to process the data packet accordingly.
  • For example, the control unit finds from the detection result that the feature word of the current data packet is A;
  • the control unit determines, according to the detection result and the information in the management unit, that the corresponding control policy is "forward with the highest priority";
  • the policy control module forwards the data packet with the highest priority according to the control policy, to ensure the QoS of the service.
  • In this way, the network operator can guarantee the QoS of these high-quality services.
  • Second way: the detection module reports the detection result to the NACF through the interface set in the management unit;
  • the NACF uses the system information in the management unit and the detection result to formulate the control policy;
  • the NACF sends the control policy to the management unit through the interface set in the management unit;
  • the management unit sends the control policy to the policy control module directly or through the control unit;
  • the policy control module uses the control policy to process the data packet accordingly.
  • For example, the NACF finds that the feature word of the current data packet is A;
  • the NACF determines, according to the detection result and the information in the management unit, that the corresponding control policy is "forward with the highest priority";
  • the policy control module forwards the data packet with the highest priority according to the control policy, to ensure the QoS of the service.
  • In this way, the network operator can guarantee the QoS of these high-quality services.
  • The above control policy is merely an example, and the specific control policy is not limited in the specific embodiment of the present invention.
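The first-control-policy path described in the definitions above (detection results saved by the information collection module, a service type identified by the associated stream processing module from several saved results, and a policy generating module that applies the two subscription examples plus the "feature word A, forward with the highest priority" rule), as an added Python example. This is not code from the patent or from the applicant (中兴通讯股份有限公司); the class and field names, the majority-vote service identification, the priority values and every sample user, service and feature word are assumptions constructed for illustration. The second control policy, generated by the RACF, is not modelled: it would replace the local policy generation with an upload of the detection result through the management unit.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

HIGHEST_PRIORITY = 7  # constructed value for "forward with the highest priority"
DEFAULT_PRIORITY = 0  # constructed value for ordinary forwarding

@dataclass(frozen=True)
class DetectionResult:
    """What the detection module reports for one packet (constructed fields)."""
    flow_id: str                        # data flow the packet belongs to
    user: str                           # user identification
    service_type: str                   # service identification, e.g. "p2p", "game"
    feature_word: Optional[str] = None  # content identification, e.g. "A"

@dataclass(frozen=True)
class ControlPolicy:
    action: str    # "forward" or "drop"
    priority: int  # only meaningful when action == "forward"

@dataclass
class SystemInfo:
    """System information preset by the administrator (user, service, subscription data)."""
    subscriptions: Dict[str, Set[str]]  # user -> customized service types subscribed
    discard_services: Set[str]          # subscription policy: service types to discard
    priority_feature_words: Set[str]    # feature words mapped to highest-priority forwarding

class InformationCollectionModule:
    """Collects and saves every detection result, keyed by flow."""
    def __init__(self) -> None:
        self._results: Dict[str, List[DetectionResult]] = defaultdict(list)

    def save(self, result: DetectionResult) -> None:
        self._results[result.flow_id].append(result)

    def results_for(self, flow_id: str) -> List[DetectionResult]:
        return list(self._results[flow_id])

class AssociatedStreamProcessingModule:
    """Identifies a flow's service type from the multiple results saved for it."""
    # Majority vote is an assumption of this example; the page only says several saved results are used.
    def __init__(self, collector: InformationCollectionModule) -> None:
        self._collector = collector

    def identify_service_type(self, flow_id: str) -> Optional[str]:
        results = self._collector.results_for(flow_id)
        if not results:
            return None
        return Counter(r.service_type for r in results).most_common(1)[0][0]

class PolicyGeneratingModule:
    """Generates the first control policy from a detection result and the system information."""
    def __init__(self, info: SystemInfo, streams: AssociatedStreamProcessingModule) -> None:
        self._info = info
        self._streams = streams

    def generate(self, result: DetectionResult) -> ControlPolicy:
        # Prefer the flow-level service type; fall back to this packet's own result.
        service = self._streams.identify_service_type(result.flow_id) or result.service_type
        # Example 2 on the page: the subscription policy says P2P packets are discarded.
        if service in self._info.discard_services:
            return ControlPolicy("drop", DEFAULT_PRIORITY)
        # Example 1 on the page: not a customized service the user subscribed to -> discard.
        if service not in self._info.subscriptions.get(result.user, set()):
            return ControlPolicy("drop", DEFAULT_PRIORITY)
        # Feature word A -> "forward with the highest priority".
        if result.feature_word in self._info.priority_feature_words:
            return ControlPolicy("forward", HIGHEST_PRIORITY)
        return ControlPolicy("forward", DEFAULT_PRIORITY)

def run_demo() -> Dict[str, ControlPolicy]:
    """Feeds constructed detection results through the modules; returns the last policy per flow."""
    info = SystemInfo(
        subscriptions={"alice": {"game", "web"}, "bob": {"web"}},
        discard_services={"p2p"},
        priority_feature_words={"A"},
    )
    collector = InformationCollectionModule()
    generator = PolicyGeneratingModule(info, AssociatedStreamProcessingModule(collector))
    packets = [  # constructed sample input
        DetectionResult("f1", "alice", "game", "A"),  # subscribed service, feature word A
        DetectionResult("f2", "bob", "p2p"),          # subscription policy: drop P2P
        DetectionResult("f3", "bob", "game", "A"),    # bob has not subscribed to games
        DetectionResult("f4", "alice", "web"),        # subscribed service, no feature word
        DetectionResult("f5", "bob", "web"),          # first packet of f5 misidentified ...
        DetectionResult("f5", "bob", "p2p"),
        DetectionResult("f5", "bob", "p2p"),          # ... majority of saved results is p2p
    ]
    policies: Dict[str, ControlPolicy] = {}
    for pkt in packets:
        collector.save(pkt)  # the information collection module keeps every result
        policies[pkt.flow_id] = generator.generate(pkt)
    return policies
```

Call `run_demo()` to obtain the policy decided for each flow; flow f5 shows why the associated stream processing module matters, since its first packet alone would have been forwarded while the accumulated results classify the flow as P2P and drop it.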

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a deep packet inspection system and a packet processing method. The system comprises a management unit, a control unit and an execution unit, the execution unit comprising an inspection module and a policy control module. The management unit, which is used to store and manage system information, is provided with a first interface for interacting with an entity of a next generation network; the inspection module performs deep packet inspection on data packets according to identification rules and obtains a first inspection result, the identification rules being sent through the first interface by the entity of the next generation network; the control unit is used to send a control policy, the control policy being generated according to the first inspection result and the system information; the policy control module is used to control the service flow according to the control policy in the next generation network environment. The technical solution can control any service in the next generation network, so that quality of service can be ensured and user needs can be satisfied.
PCT/CN2010/072882 2009-09-02 2010-05-18 Deep packet inspection system and packet processing method WO2011026345A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200910168943.4A CN102006216B (zh) 2009-09-02 2009-09-02 Deep packet inspection system and packet processing method

Publications (1)

Publication Number Publication Date
WO2011026345A1 (fr) 2011-03-10

Family

ID=43648863

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2010/072882 WO2011026345A1 (fr) 2009-09-02 2010-05-18 Deep packet inspection system and packet processing method

Country Status (2)

Country Link
CN (1) CN102006216B (fr)
WO (1) WO2011026345A1 (fr)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011157137A2 (fr) * 2011-05-31 2011-12-22 华为技术有限公司 Policy control method, apparatus and communication system
CN102868571B (zh) 2012-08-07 2015-04-08 华为技术有限公司 Rule matching method and apparatus
CN104935478A (zh) * 2015-06-19 2015-09-23 上海斐讯数据通信技术有限公司 Intelligent terminal deep sensing method and system
CN107645400B (zh) * 2016-07-22 2019-09-03 中兴通讯股份有限公司 Policy sending and receiving method, apparatus and controller
CN115150338A (zh) * 2021-03-29 2022-10-04 华为技术有限公司 Packet traffic control method, apparatus, device and computer-readable storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1937623A (zh) * 2006-10-18 2007-03-28 华为技术有限公司 Method and system for controlling network services
US20080307081A1 (en) * 2007-06-05 2008-12-11 Dobbins Kurt A System and method for controlling non-compliant applications in an IP multimedia subsystem
CN101399749A (zh) * 2007-09-27 2009-04-01 华为技术有限公司 Packet filtering method, system and device

Also Published As

Publication number Publication date
CN102006216A (zh) 2011-04-06
CN102006216B (zh) 2015-04-01

Similar Documents

Publication Publication Date Title
JP5880560B2 (ja) Communication system, forwarding node, received packet processing method and program
US9906527B2 (en) Device blocking tool
US9240946B2 (en) Message restriction for diameter servers
EP2629554B1 (fr) Service control method and system, eNodeB and packet data network gateway
RU2435205C2 (ru) Lawful interception method and device therefor
WO2020034864A1 (fr) User plane security policy implementation method, apparatus, and system
US8681803B2 (en) Communication system, policy management apparatus, communication method, and program
US11252196B2 (en) Method for managing data traffic within a network
US9553891B1 (en) Device blocking tool
WO2009132548A1 (fr) Policy decision function entity, home gateway, quality of service control method and corresponding system
WO2014101228A1 (fr) System, gateway, proxy server and method for presenting wireless network capabilities
WO2010003354A1 (fr) Authentication server and control method for access of a mobile communication terminal to a virtual private network
WO2009152702A1 (fr) Flow control method and system, and bearer layer equipment thereof
WO2011026345A1 (fr) Deep packet inspection system and packet processing method
WO2022206252A1 (fr) Network attack processing method and apparatus, device, computer-readable storage medium, and computer program product
WO2009138044A1 (fr) Method, apparatus and system for QoS control of a service
WO2015192498A1 (fr) Link information sending method and apparatus, and traffic control method and apparatus
CN111245740A (zh) Method, apparatus and computing device for configuring a quality of service policy for a service
WO2016109970A1 (fr) Network entity and service policy management method
WO2007090322A1 (fr) Method, apparatus and system for regulating upstream traffic in an access network
WO2012037817A1 (fr) Policy synchronization implementation method and system
WO2012028008A1 (fr) Method and system for controlling heterogeneous networks
WO2009056022A1 (fr) Method, apparatus and system for obtaining network security status
TWI392273B (zh) Internet access time management and monitoring system and method
EP2068508A1 (fr) Method, device and system for synchronizing user data in a next generation network

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 10813267; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 10813267; Country of ref document: EP; Kind code of ref document: A1)