
CN110958334B - Message processing method and device - Google Patents


Info

Publication number
CN110958334B
Authority
CN
China
Prior art keywords
ipv6 address
user role
mapping
address
ipv6
Prior art date
Legal status (as listed by Google Patents)
Active
Application number
CN201911171934.0A
Other languages
Chinese (zh)
Other versions
CN110958334A (en)
Inventor
刘洪玉
赵海峰
Current Assignee (as listed by Google Patents)
New H3C Semiconductor Technology Co Ltd
Original Assignee
New H3C Semiconductor Technology Co Ltd
Application filed by New H3C Semiconductor Technology Co Ltd
Priority to CN201911171934.0A
Publication of CN110958334A
Application granted
Publication of CN110958334B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 2101/00 Indexing scheme associated with group H04L 61/00
    • H04L 2101/60 Types of network addresses
    • H04L 2101/618 Details of network addresses
    • H04L 2101/659 Internet protocol version 6 [IPv6] addresses
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/25 Mapping addresses of the same type
    • H04L 61/2503 Translation of Internet protocol [IP] addresses

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a message processing method and device and relates to the field of communication. The IPv6 address of a data packet and the user role corresponding to that IPv6 address are obtained; the IPv6 address is mapped to the user role to generate a mapping identifier for the address; and the packet is forwarded according to the mapping identifier and the matching policy of an access control list (ACL). Because the ACL is matched on the short mapping identifier instead of the 128-bit address, the switch hardware resources occupied when the ACL policy is executed according to the ACL list are reduced.

Description

Message processing method and device
Technical Field
The present application relates to the field of communications, and in particular to a method and an apparatus for processing a packet.
Background
With the development of Internet technology, the available addresses in Internet Protocol Version 4 (IPv4) are becoming insufficient, and the Internet faces the problem of IP address exhaustion. The adoption of Internet Protocol Version 6 (IPv6) lengthens the IP address from 32 bits to 128 bits, raising the address space from 2^32 to 2^128 addresses.
A switch can realize a stateless firewall function through an Access Control List (ACL), so that users in various roles can be isolated from, or granted access to, one another, which effectively ensures the secure operation of the network. An ACL can express an inter-access policy as a match on IP address, port and protocol.
When IPv6 is introduced on a switch, each IP address in the ACL key grows from 32 bits to 128 bits. Executing a policy on a data packet through an ACL therefore consumes a large amount of switch hardware resources (the TCAM entry width available for the match key), which greatly limits the scalability of switch services.
Disclosure of Invention
In view of this, the present application provides a message processing method and apparatus for alleviating the following problem: when IPv6 is introduced on a switch, the IP address grows from 32 bits to 128 bits, so executing a policy on a data packet through an ACL consumes a large amount of switch hardware resources.
In a first aspect, the present application provides a method for processing a packet, including:
acquiring an IPv6 address of the data message and a user role corresponding to the IPv6 address;
mapping the IPv6 address and the user role to generate a mapping identifier of the IPv6 address;
and forwarding the data message according to the mapping identifier and the matching strategy of the access control list ACL.
Optionally, the obtaining of the user role corresponding to the IPv6 address includes:
acquiring a network segment corresponding to an IPv6 address, and determining the corresponding relation between the network segment and a user role;
and acquiring the user role corresponding to the IPv6 address according to the corresponding relation between the network segment and the user role.
Optionally, the obtaining of the user role corresponding to the IPv6 address includes:
and authenticating the user equipment corresponding to the IPv6 address according to a preset rule, and determining the user role corresponding to the IPv6 address.
Optionally, after the IPv6 address is mapped with the user role and the mapping identifier of the IPv6 address is generated, the method further includes:
acquiring an address resolution mapping table of an IPv6 address;
and writing the mapping identification corresponding to the IPv6 address into an address resolution mapping table of the IPv6 address.
Optionally, the obtaining an IPv6 address of the data packet includes:
and acquiring the source IPv6 address and/or the destination IPv6 address of the data message.
In a second aspect, the present application provides a packet processing apparatus, including: the device comprises an acquisition module, a generation module and a control module; the acquisition module is used for acquiring the IPv6 address of the data message and the user role corresponding to the IPv6 address; the generation module is used for mapping the IPv6 address and the user role and generating a mapping identifier of the IPv6 address; and the control module is used for forwarding the data message according to the mapping identifier and the matching strategy of the access control list ACL.
Optionally, the obtaining module is specifically configured to obtain a network segment corresponding to the IPv6 address, and determine a correspondence between the network segment and a user role; and acquiring the user role corresponding to the IPv6 address according to the corresponding relation between the network segment and the user role.
Optionally, the obtaining module is specifically configured to authenticate the user equipment corresponding to the IPv6 address according to a preset rule, and determine a user role corresponding to the IPv6 address.
Optionally, the apparatus further comprises: and the writing module is used for acquiring the address resolution mapping table of the IPv6 address and writing the mapping identifier corresponding to the IPv6 address into the address resolution mapping table of the IPv6 address after the generating module maps the IPv6 address with the user role and generates the mapping identifier of the IPv6 address.
Optionally, the obtaining module is specifically configured to obtain a source IPv6 address and a destination IPv6 address of the data packet.
In a third aspect, the present application further provides an electronic device, including: a processor, a storage medium and a bus, the storage medium storing machine-readable instructions executable by the processor, the processor and the storage medium communicating via the bus when the electronic device is operating, the processor executing the machine-readable instructions to perform the method according to the first aspect.
In a fourth aspect, the present application also provides a storage medium having a computer program stored thereon, the computer program, when executed by a processor, performing the method according to the first aspect.
Therefore, the IPv6 address and the user role are mapped by acquiring the IPv6 address of the data message and the user role corresponding to the IPv6 address, the mapping identifier of the IPv6 address is generated, the data message is forwarded according to the mapping identifier and the matching strategy of the access control list ACL, and the occupied switch hardware resources can be reduced when the ACL strategy is executed according to the ACL list.
For example, when the message processing method is applied to a switch carrying IPv6, the heavy consumption of switch hardware resources caused by matching ACL policies on 128-bit IPv6 addresses instead of 32-bit IPv4 addresses can be effectively alleviated, and the scalability of switch services can be improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained from the drawings without inventive effort.
Fig. 1 shows a schematic flow chart of a message processing method provided in an embodiment of the present application;
fig. 2 is another schematic flow chart illustrating a message processing method according to an embodiment of the present application;
FIG. 3 illustrates a diagram of generation of mapping identifiers in one embodiment;
FIG. 4 is a schematic diagram illustrating the generation of mapping identifiers in another embodiment;
fig. 5 shows a further schematic flow chart of the message processing method (establishing the mapping relationship between an IPv6 address and a mapping identifier) according to an embodiment of the present application;
fig. 6 is a schematic structural diagram illustrating a message processing apparatus according to an embodiment of the present application;
fig. 7 is a schematic diagram illustrating another structure of a message processing apparatus according to an embodiment of the present application;
fig. 8 shows a schematic structural diagram of an electronic device provided in an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The embodiment of the present application provides a message processing method, which may be applied to a switch, a router, a firewall device, and the like, and is not limited in this application. Taking the switch as an example, the message processing method can execute a corresponding ACL policy on the data message received by the switch to allow or reject the message to pass, thereby achieving the purpose of controlling the message flow.
Fig. 1 shows a flowchart of a message processing method according to an embodiment of the present application.
As shown in fig. 1, the message processing method may include:
s101, acquiring the IPv6 address of the data message and the user role corresponding to the IPv6 address.
Taking a switch as an example, the switch may be disposed between a plurality of network nodes and forward the data packet of the previous node to the next node. For example, a Layer 2 switch may build a MAC address table from the source Media Access Control (MAC) address of each received data packet, and then look up the destination MAC address of a packet in that table. When the destination MAC address is found, the packet is forwarded to the corresponding port; when it cannot be found, the packet is flooded to all ports except the port it arrived on.
Before the switch forwards the data packet, it can execute an ACL policy on the packet according to each matching rule in the ACL table so as to control the packet's transmission. For example, the switch may obtain the IPv6 address of the packet, execute the ACL policy that applies to that address, and decide whether forwarding is permitted or denied. The obtained IPv6 address may be the source IPv6 address, the destination IPv6 address, or both.
Fig. 2 is another schematic flow chart of the message processing method according to the embodiment of the present application.
Optionally, as shown in fig. 2, in an embodiment, the obtaining of the user role corresponding to the IPv6 address may include:
s201, obtaining a network segment corresponding to the IPv6 address, and determining the corresponding relation between the network segment and the user role.
Taking the campus network as an example, the campus network may include multiple IPv6 addresses corresponding to different users, and multiple IPv6 addresses may forward data packets through the switch. After the switch receives the data message, the network segment corresponding to the IPv6 address of the data message can be determined. The network segments in the campus network may correspond to user roles one to one, for example, as shown in table 1 below:
TABLE 1
Network segment     User role
Network segment 1   Role 1
Network segment 2   Role 2
Network segment 3   Role 3
In table 1, each network segment may include a plurality of IPv6 addresses, for example, network segment 1 may include IP1, IP2, IP3, etc. The number of IPv6 addresses included in each network segment is not limited by the present application.
And determining the network segment corresponding to the IPv6 address of the obtained data message, and further obtaining the corresponding relation between the network segment corresponding to the IPv6 address of the data message and the user role.
Taking the example shown in table 1, assuming that the network segment corresponding to the IPv6 address of a certain data packet is network segment 1, it can be determined that the corresponding relationship between the network segment corresponding to the IPv6 address of the data packet and the user role is "network segment 1-role 1".
S202, obtaining the user role corresponding to the IPv6 address according to the corresponding relation between the network segment and the user role.
As described above, after obtaining the correspondence between the network segment corresponding to the IPv6 address of the data packet and the user role, the user role corresponding to the IPv6 address of the data packet may be obtained based on the correspondence.
Also, taking the above table 1 as an example, assuming that the corresponding relationship between the network segment corresponding to the IPv6 address of a certain data packet and the user role is "network segment 1-role 1", it can be determined that the user role corresponding to the IPv6 address of the data packet is "role 1".
That is, in this embodiment, the user role may be used to represent the network segment where the IPv6 address of the data packet is located.
In another embodiment, the obtaining of the user role corresponding to the IPv6 address may include: and authenticating the user equipment corresponding to the IPv6 address according to a preset rule, and determining the user role corresponding to the IPv6 address.
The user equipment is the network device used by the user to whom the IPv6 address belongs, such as a server, a computer or a tablet. The preset rule may be: determine the user's role from the user type to which the user of that equipment belongs. Taking a campus network as an example again, the user types in a campus network may include research and development personnel, marketing personnel, financial personnel, and so on. Suppose research and development personnel are role 1, marketing personnel are role 2 and financial personnel are role 3. After the IPv6 address is obtained, the user equipment corresponding to it can be authenticated, the user type to which the user of that equipment belongs is determined, and the user role corresponding to the IPv6 address is then determined from that user type. For example, if the user equipment corresponding to a certain IPv6 address is determined to belong to a developer, the user role corresponding to that IPv6 address is role 1.
S102, mapping the IPv6 address and the user role to generate a mapping identifier of the IPv6 address.
The mapping identifier may correspond to a role identifier of a user role one to one. Correspondingly, the mapping the IPv6 address with the user role to generate the mapping identifier of the IPv6 address may refer to: and acquiring the role identification of the user role as the mapping identification of the IPv6 address. For example, when mapping the IPv6 address with role 1, the generated mapping identifier may be "1"; when mapping the IPv6 address with role 2, the generated mapping identifier may be "2" or the like.
S103, forwarding the data message according to the mapping identifier and the matching strategy of the ACL list.
Optionally, when the ACL policies in the ACL list are configured in advance, the ACL policies may be configured as the inter-access policies between different user roles based on the mapping identifier. Correspondingly, after the mapping identifier of the IPv6 address is generated, the corresponding ACL policy may be executed according to the ACL list based on the mapping identifier of the IPv6 address, and the data packet may be forwarded.
Take as an example an ACL policy for the destination IPv6 address IP1 whose matching rule is "a data packet whose destination IPv6 address is IP1 is denied", that is, packets addressed to IP1 are refused. Assuming the mapping identifier of IP1 is mapping identifier 1, the rule can instead be configured in advance as "a data packet whose destination mapping identifier is mapping identifier 1 is denied". The ACL policy is then executed on mapping identifier 1: the packet matches the rule "mapping identifier 1 is denied", and forwarding of the packet to the network device at IP1 is refused.
Optionally, when the ACL policy is executed on the data packet, the corresponding ACL policy may be executed based on the mapping identifier corresponding to the source IPv6 address, or the corresponding ACL policy may be executed based on the mapping identifier corresponding to the destination IPv6 address, or the corresponding ACL policy may be executed based on the source IPv6 address and the destination IPv6 address at the same time, which is not limited herein.
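The three steps above (S101 obtain the address and its role, S102 generate the mapping identifier, S103 match the ACL on the identifier) carried through in working code. This is an added example, not code from the patent or from New H3C: the segment prefixes, the three roles, the 12-bit tag width (a chip-dependent assumption) and the ACL rules are constructed, and longest-prefix matching is the assumed way a segment is selected when prefixes nest.

```python
"""Role-tag ACL demonstration for the S101-S103 procedure.
Added example; not code from the patent. The segments, roles, tag width
and ACL rules below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed Table 1: statically designated network segment -> user role.
SEGMENT_ROLES = {
    ipaddress.ip_network("2001:db8:1::/48"): "role1",   # e.g. R&D
    ipaddress.ip_network("2001:db8:2::/48"): "role2",   # e.g. marketing
    ipaddress.ip_network("2001:db8:3::/48"): "role3",   # e.g. finance
}

# The mapping identifier is the role identifier (one-to-one). TAG_BITS is the
# assumed width of the tag field in the chip's ACL key (12 bits here).
TAG_BITS = 12
ROLE_TAGS = {"role1": 1, "role2": 2, "role3": 3}


def role_for_address(addr: str) -> Optional[str]:
    """S201/S202: find the segment containing addr (longest prefix wins)
    and return the role designated for that segment."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, role in SEGMENT_ROLES.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, role)
    return best[1] if best else None


def mapping_identifier(addr: str) -> Optional[int]:
    """S102: the mapping identifier of an address is its role's identifier."""
    role = role_for_address(addr)
    if role is None:
        return None
    tag = ROLE_TAGS[role]
    if not 0 < tag < (1 << TAG_BITS):
        raise ValueError("role identifier does not fit the tag field")
    return tag


@dataclass(frozen=True)
class Rule:
    src_tag: Optional[int]   # None matches any value
    dst_tag: Optional[int]
    proto: Optional[int]
    dport: Optional[int]
    action: str              # "permit" or "deny"


# Constructed ACL written on tags (role to role) instead of addresses;
# ordered, first match wins, final default permit.
ACL = [
    Rule(1, 2, None, None, "deny"),      # role1 -> role2 refused (fig. 3 case)
    Rule(None, 3, 6, 443, "permit"),     # anyone -> role3 over TCP/443
    Rule(None, 3, None, None, "deny"),   # everything else to role3 refused
]
DEFAULT_ACTION = "permit"


def evaluate(src: str, dst: str, proto: int, dport: int) -> str:
    """S103: decide forwarding from the source/destination mapping identifiers.
    Addresses without a role get no role's privileges (fail closed); that is a
    design choice of this example, not something the patent specifies."""
    s, d = mapping_identifier(src), mapping_identifier(dst)
    if s is None or d is None:
        return "deny"
    for r in ACL:
        if ((r.src_tag is None or r.src_tag == s)
                and (r.dst_tag is None or r.dst_tag == d)
                and (r.proto is None or r.proto == proto)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return DEFAULT_ACTION


def key_width_bits(tagged: bool) -> int:
    """Width of a five-tuple style ACL key: two addresses (or two tags),
    an 8-bit protocol and two 16-bit ports. Shows the TCAM saving."""
    address_part = 2 * TAG_BITS if tagged else 2 * 128
    return address_part + 8 + 16 + 16
```

With these assumptions key_width_bits(False) is 296 bits for an address-keyed five-tuple and key_width_bits(True) is 64 bits for the tag-keyed one, which is the saving the patent is after. One check a practitioner will want: the policy is only as strong as the address-to-role binding, so when roles are derived from the segment of the source address, a host that forges a source address in another segment would inherit that segment's role unless the switch also validates source addresses (for example by binding them at authentication time).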
FIG. 3 illustrates a diagram of generation of mapping identifiers in one embodiment.
Optionally, as shown in fig. 3, in the embodiment in which the user role is determined from the network segment of the IPv6 address, the correspondence between network segments and user roles may be statically designated in advance (that is, table 1 may be obtained by static designation in advance). For example, as shown in fig. 3, the user role of all IPv6 addresses in the network segment containing IP1 may be designated as role 1, and the user role of all IPv6 addresses in the network segment containing IP2 may be designated as role 2. Assuming the ACL policy is configured as "data packets sent by role 1 to role 2 are refused", then for a packet with source IPv6 address IP1 and destination IPv6 address IP2, mapping identifier 1 (for IP1) and mapping identifier 2 (for IP2) are generated, and the policy "data packets sent by role 1 to role 2 are refused" is executed on mapping identifier 1 and mapping identifier 2. In this embodiment, when a network segment contains multiple IPv6 addresses, the relationship between IPv6 addresses and mapping identifiers is many-to-one.
Alternatively, in other embodiments, the relationship between the IPv6 address and the user role may be directly specified, for example, one user role may be corresponding to each IPv6 address, or one user role may be corresponding to a plurality of IPv6 addresses, and the specific specifying mode may be set arbitrarily, and in this case, the relationship between the IPv6 address and the mapping identifier may be a one-to-one relationship, or may be a multiple-to-one relationship.
Fig. 4 shows a schematic diagram of generation of mapping identifiers in another embodiment.
Optionally, as shown in fig. 4, in the other embodiment, in which the user equipment corresponding to the IPv6 address is authenticated according to the preset rule and the user role is determined from the result, the IPv6 address is authenticated according to the user type of its user, as in the campus network example above. When the users of multiple pieces of user equipment are of the same user type, the relationship between IPv6 addresses and mapping identifiers is again many-to-one. For example, as shown in fig. 4, authenticating the users of IPv6 addresses IP1, IP2, IP3 and IP4 may yield mapping identifier 1, and authenticating the users of IP5, IP6, IP7 and IP8 may yield mapping identifier 2. It should be noted that when the ACL policy from role 1 to role 2 is configured in advance, it may be configured as the policy from mapping identifier 1 to mapping identifier 2, which is not described again here.
Or, in other embodiments, similar to the foregoing statically specified embodiment, the preset rule may be that each IPv6 address corresponds to a user role, at this time, the mapping identifier determined according to the IPv6 address is unique, and the relationship between the IPv6 address and the mapping identifier is a one-to-one relationship.
The present application is not limited to the specific manner of mapping the IPv6 address and the user role to generate the mapping identifier of the IPv6 address.
Whichever embodiment is adopted, since the number of user roles is much smaller than the total number of IPv6 addresses, all user roles can be represented by a mapping identifier whose bit width is much smaller than that of an IPv6 address. For example, on a switch that has introduced IPv6, an ACL key carrying both the source and the destination address spends 256 bits on the two 128-bit IPv6 addresses, whereas a mapping identifier may occupy far fewer bits, such as 12 bits or 24 bits.
Executing an ACL policy on a data packet occupies switch hardware resources. For example, the resource may be Ternary Content Addressable Memory (TCAM): each ACL lookup presents a match key to the TCAM, which compares it against all stored entries in parallel and returns the first match in a single lookup, and each entry is only a few hundred bits wide. Executing the ACL policy on a mapping identifier of small bit width therefore occupies less of that key width, and fewer TCAM resources, than executing it on the much wider IPv6 address.
In this way, in the embodiment of the present application, the IPv6 address and the user role are mapped by obtaining the IPv6 address of the data packet and the user role corresponding to the IPv6 address, so as to generate the mapping identifier of the IPv6 address, and forward the data packet according to the mapping identifier and the matching policy of the access control list ACL, so that the switch hardware resources occupied when the ACL policy is executed according to the ACL list can be reduced.
For example, when the method is applied to a switch carrying IPv6, the heavy consumption of switch hardware resources caused by matching ACL policies on 128-bit IPv6 addresses rather than 32-bit IPv4 addresses can be effectively alleviated, and the scalability of switch services can be improved.
Optionally, in some embodiments, an ACL policy executed on the mask (prefix) corresponding to the IPv6 address may likewise be handled either by mapping the IPv6 address to the user role and generating a mapping identifier for the address, or by mapping the mask corresponding to the IPv6 address to the user role and generating a mapping identifier for that mask. The principle is the same as generating the mapping identifier from the IPv6 address and is not described again here.
Optionally, after the IPv6 address is mapped with the user role and the mapping identifier of the IPv6 address is generated, a mapping relationship between the IPv6 address and the mapping identifier may also be established, and when a data packet is subsequently received, the mapping identifier corresponding to the IPv6 address of the data packet may be directly queried based on the mapping relationship, and a corresponding ACL policy is executed based on the mapping identifier obtained by the query.
For example, in one embodiment, the mapping relationship between the IPv6 address and the mapping identifier may be as shown in table 2 below:
TABLE 2
IPv6 address    Mapping identifier
IP1             Mapping identifier 1
IP2             Mapping identifier 2
...             ...
IPn             Mapping identifier m
In table 2, n is greater than or equal to m, and n and m are integers greater than 0.
When n is equal to m, the IP 1-IPn are in one-to-one correspondence with the mapping identifier 1-the mapping identifier m, and each IPv6 address corresponds to one mapping identifier; when n is larger than m, different IPv6 addresses may correspond to different mapping identifications and may also correspond to the same mapping identification. For example, IP1 corresponds to mapping id 1, IP2, IP3, and IP4 correspond to mapping id 2, IPn corresponds to mapping id m, and so on.
Optionally, in the mapping relationship between the IPv6 address and the mapping identifier, the bit width of the mapping identifier may be a bit width size supportable by a chip for executing the ACL policy.
For example, a Broadcom chip may support a bit width of 12 bits. When the switch executes the ACL policy on a Broadcom chip, the bit width of the mapping identifier in the mapping relationship may be 12 bits. It should be noted that different chips support different bit widths, and on other chips the width need not be 12 bits.
Continuing with the Broadcom chip as an example, the mapping identifier may be a Segment Tag Identity identifier (SGTID); the chip may support at least 1000 SGTID values, and the mapping identifiers corresponding to IPv6 addresses may be SGT1, SGT2, SGT3 ... SGTm and so on. It should be noted that Broadcom chips of different specifications may support different numbers of SGTID values, and the specific number is not limited here.
Fig. 5 is a schematic flowchart illustrating a message processing method according to an embodiment of the present application.
Optionally, as shown in fig. 5, in some embodiments, establishing a mapping relationship between an IPv6 address and a mapping identifier may include:
s501, obtaining an address resolution mapping table of the IPv6 address.
S502, writing the mapping identification corresponding to the IPv6 address into the address resolution mapping table of the IPv6 address.
The address resolution mapping table is what the patent text calls an Address Resolution Protocol (ARP) table. Strictly speaking, ARP resolves IPv4 addresses to Ethernet MAC addresses; for IPv6 the same resolution is performed by Neighbor Discovery (RFC 4861), and the switch records the result in its neighbor cache (ND table), which plays the role of the ARP table here. When the switch resolves a destination MAC address, it adds an entry mapping the IP address to the MAC address to this table so that subsequent data packets to the same destination can be forwarded without resolving again. The table therefore already holds the IPv6 address, and establishing the mapping between the IPv6 address and the mapping identifier only requires writing the mapping identifier into the entry for that IPv6 address.
Correspondingly, when a certain data message is received, the ARP table written with the mapping identifier can be queried according to the IPv6 address of the data message, so as to obtain the mapping identifier corresponding to the IPv6 address of the data message, and execute a corresponding ACL policy.
Alternatively, after the mapping identifier corresponding to the IPv6 address has been written into the ARP table, the portion of the table representing the mapping relationship between the IPv6 address and the mapping identifier may be as follows:
ARP table
[Figure: ARP table entries IP1 to IPn with their mapping identifiers 1 to m written in; image not reproduced]
Here n and m are defined as in the previous embodiment and are not described again.
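The S501/S502 procedure and the many-to-one relation of table 2, written as a neighbor-table model. This is an added example, not code from the patent; it uses the authentication-based role embodiment of fig. 4 (IP1 to IP4 yield mapping identifier 1, IP5 to IP8 yield mapping identifier 2). The addresses, MAC addresses and the authentication outcome are constructed, and the table is modelled as an IPv6 neighbor cache, since Neighbor Discovery rather than ARP resolves IPv6 addresses.

```python
"""Neighbor table carrying the mapping identifier (S501/S502) for the
authentication-based role embodiment. Added example; not code from the
patent. IPv6 resolves addresses with Neighbor Discovery (RFC 4861), so the
'ARP table' of the text is modelled as a neighbor cache. Addresses, MACs
and the authentication outcome are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

IPv6 = ipaddress.IPv6Address

# Constructed authentication result: user type of each authenticated device.
USER_TYPE_BY_IP = {
    "2001:db8::1": "rnd", "2001:db8::2": "rnd",
    "2001:db8::3": "rnd", "2001:db8::4": "rnd",
    "2001:db8::5": "marketing", "2001:db8::6": "marketing",
    "2001:db8::7": "marketing", "2001:db8::8": "marketing",
}
# Preset rule: user type -> role; the role identifier is the mapping identifier.
ROLE_BY_USER_TYPE = {"rnd": 1, "marketing": 2, "finance": 3}


@dataclass
class NeighborEntry:
    mac: str
    tag: Optional[int] = None      # mapping identifier, written at S502


class NeighborTable:
    def __init__(self) -> None:
        self._entries: Dict[IPv6, NeighborEntry] = {}

    def learn(self, ip: str, mac: str) -> None:
        """Entry created when Neighbor Discovery resolves ip -> mac."""
        self._entries[IPv6(ip)] = NeighborEntry(mac)

    def write_tag(self, ip: str, tag: int) -> bool:
        """S502: attach the mapping identifier to the existing entry.
        Returns False if the address has no resolved entry."""
        entry = self._entries.get(IPv6(ip))
        if entry is None:
            return False
        entry.tag = tag
        return True

    def expire(self, ip: str) -> None:
        """Entry aged out; its tag goes with it, so whoever next uses the
        address gets no role until re-authenticated."""
        self._entries.pop(IPv6(ip), None)

    def lookup(self, ip: str) -> Optional[NeighborEntry]:
        """Fast path on packet receipt: one lookup gives MAC and tag."""
        return self._entries.get(IPv6(ip))

    def addresses(self) -> List[str]:
        return [str(ip) for ip in self._entries]


def tag_from_authentication(ip: str) -> Optional[int]:
    """Authentication-based embodiment: user type -> role -> identifier."""
    user_type = USER_TYPE_BY_IP.get(ip)
    return None if user_type is None else ROLE_BY_USER_TYPE[user_type]


def populate_tags(table: NeighborTable) -> int:
    """Write a tag for every resolved neighbor whose device authenticated;
    returns how many entries were tagged."""
    tagged = 0
    for ip in table.addresses():
        tag = tag_from_authentication(ip)
        if tag is not None and table.write_tag(ip, tag):
            tagged += 1
    return tagged


def distinct_tags(table: NeighborTable) -> Set[int]:
    """The m of table 2: distinct identifiers among the n addresses."""
    return {e.tag for e in (table.lookup(ip) for ip in table.addresses())
            if e is not None and e.tag is not None}


def build_demo_table() -> NeighborTable:
    """Eight resolved neighbors (IP1..IP8 of fig. 4), then tags written."""
    table = NeighborTable()
    for i in range(1, 9):
        table.learn(f"2001:db8::{i}", f"02:00:00:00:00:{i:02x}")
    populate_tags(table)
    return table
```

After build_demo_table() the eight addresses carry only two distinct identifiers (n = 8, m = 2), and a packet from any of them needs a single neighbor lookup to obtain both the MAC address and the identifier the ACL is matched on. The expire method shows the caveat that matters in practice: the identifier must live and die with the neighbor entry, otherwise an address that is released and picked up by another host would keep the previous owner's role.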
Based on the message processing method described in the foregoing embodiments, an embodiment of the present application further provides a message processing apparatus; fig. 6 shows a schematic structural diagram of the message processing apparatus provided in the embodiment of the present application.
As shown in fig. 6, the message processing apparatus may include an acquisition module 11, a generation module 12 and a control module 13. The acquisition module 11 may be configured to obtain the IPv6 address of the data message and the user role corresponding to the IPv6 address; the generation module 12 may be configured to map the IPv6 address to the user role and generate the mapping identifier of the IPv6 address; and the control module 13 may be configured to forward the data message according to the mapping identifier and the matching policy of the access control list (ACL).
Optionally, the acquisition module 11 may be specifically configured to obtain the network segment corresponding to the IPv6 address, determine the correspondence between the network segment and a user role, and obtain the user role corresponding to the IPv6 address according to that correspondence.
Optionally, the acquisition module 11 may be specifically configured to authenticate the user equipment corresponding to the IPv6 address according to a preset rule, and determine the user role corresponding to the IPv6 address.
Fig. 7 is a schematic diagram illustrating another structure of a message processing apparatus according to an embodiment of the present application.
Optionally, as shown in fig. 7, the message processing apparatus may further include a writing module 14, configured to obtain the address resolution mapping table of the IPv6 address after the generation module 12 has mapped the IPv6 address to the user role and generated the mapping identifier of the IPv6 address, and to write the mapping identifier corresponding to the IPv6 address into that address resolution mapping table.
Optionally, the acquisition module 11 may be specifically configured to obtain the source IPv6 address and the destination IPv6 address of the data message.
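As an added example that is not code from the patent, the following Python model puts the three modules of fig. 6 over a neighbor table that carries the extra mapping-identifier column of S501/S502: the acquisition module derives the role from the address's network segment, the generation module writes the SGT beside the address, and the control module matches the ACL on the (source SGT, destination SGT) pair instead of on two 128-bit addresses. The segment-to-role prefixes, the 16-bit identifier width, one identifier shared by all addresses of a role, and the fail-closed default for addresses without an identifier are assumptions (the page calls the table the ARP table; on IPv6 the equivalent entries come from Neighbor Discovery).

```python
import ipaddress

# Constructed sample data (not from the patent): network segment -> user role.
SEGMENT_ROLES = {
    ipaddress.ip_network("2001:db8:1::/64"): "employee",
    ipaddress.ip_network("2001:db8:2::/64"): "guest",
    ipaddress.ip_network("2001:db8:ff::/64"): "server",
}
# Assumed: one 16-bit SGT per role, far narrower than a 128-bit address (this is what shrinks the ACL key).
ROLE_SGT = {"employee": 1, "guest": 2, "server": 3}
# ACL keyed on (source SGT, destination SGT) rather than on address pairs.
ACL = {(1, 3): "permit", (2, 3): "deny"}
DEFAULT_ACTION = "deny"  # no rule, or address without an SGT: drop (fail closed)

def _key(addr):  # canonical text form, so 2001:DB8::1 and 2001:db8:0::1 match
    return str(ipaddress.ip_address(addr))

def role_for(addr):
    """Acquisition module: derive the user role from the address's segment."""
    ip = ipaddress.ip_address(addr)
    for net, role in SEGMENT_ROLES.items():
        if ip in net:
            return role
    return None

class NeighborTable:
    """Stands in for the switch's ARP/neighbor table with an added SGT column."""
    def __init__(self):
        self.entries = {}
    def learn(self, addr, mac):  # entry created during address resolution
        self.entries[_key(addr)] = {"mac": mac, "sgt": None}
    def write_sgt(self, addr, sgt):  # S502: record the identifier beside the address
        self.entries.setdefault(_key(addr), {"mac": None})["sgt"] = sgt
    def sgt_of(self, addr):
        return self.entries.get(_key(addr), {}).get("sgt")

def generate_sgt(table, addr):
    """Generation module: address -> role -> SGT, written into the table."""
    role = role_for(addr)
    if role is None:
        return None
    table.write_sgt(addr, ROLE_SGT[role])
    return ROLE_SGT[role]

def forward_decision(table, src, dst):
    """Control module: look up both SGTs by address and apply the ACL."""
    s, d = table.sgt_of(src), table.sgt_of(dst)
    if s is None or d is None:
        return DEFAULT_ACTION
    return ACL.get((s, d), DEFAULT_ACTION)
```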
An embodiment of the present application further provides an electronic device, which may be a switch, a router or a firewall device, or a data processing chip integrated in such a switch, router or firewall device; the application is not limited in this respect.
Fig. 8 shows a schematic structural diagram of an electronic device provided in an embodiment of the present application.
As shown in fig. 8, the electronic device may include a processor 100, a storage medium 200 and a bus (not labeled). The storage medium 200 stores machine-readable instructions executable by the processor 100; when the electronic device runs, the processor 100 communicates with the storage medium 200 through the bus and executes the machine-readable instructions to perform the message processing method of the foregoing method embodiment. The specific implementation and technical effects are similar and are not described again.
An embodiment of the application also provides a storage medium, which may be a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk, an optical disk or the like. The storage medium stores a computer program which, when executed by a processor, performs the message processing method described in the preceding method embodiments. The specific implementation and technical effects are similar and are not described again.
The above description is only a preferred embodiment of the present application and is not intended to limit it; various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement or the like made within the spirit and principles of the present application shall fall within its protection scope.

Claims (10)

1. A message processing method, characterized by comprising the following steps:
obtaining an IPv6 address of a data message and a user role corresponding to the IPv6 address;
mapping the IPv6 address to the user role to generate a mapping identifier of the IPv6 address, wherein the bit width of the mapping identifier is smaller than that of the IPv6 address; and
forwarding the data message according to the mapping identifier and a matching policy of an access control list (ACL).
2. The method of claim 1, wherein obtaining the user role corresponding to the IPv6 address comprises:
obtaining a network segment corresponding to the IPv6 address, and determining the correspondence between the network segment and a user role; and
obtaining the user role corresponding to the IPv6 address according to the correspondence between the network segment and the user role.
3. The method of claim 1, wherein obtaining the user role corresponding to the IPv6 address comprises:
authenticating the user equipment corresponding to the IPv6 address according to a preset rule, and determining the user role corresponding to the IPv6 address.
4. The method according to any of claims 1-3, wherein, after mapping the IPv6 address to the user role and generating the mapping identifier of the IPv6 address, the method further comprises:
obtaining an address resolution mapping table of the IPv6 address; and
writing the mapping identifier corresponding to the IPv6 address into the address resolution mapping table of the IPv6 address.
5. The method according to any of claims 1-3, wherein obtaining the IPv6 address of the data message comprises:
obtaining the source IPv6 address and/or the destination IPv6 address of the data message.
6. A message processing apparatus, comprising:
an acquisition module, configured to obtain an IPv6 address of a data message and a user role corresponding to the IPv6 address;
a generation module, configured to map the IPv6 address to the user role and generate a mapping identifier of the IPv6 address, wherein the bit width of the mapping identifier is smaller than the bit width of the IPv6 address; and
a control module, configured to forward the data message according to the mapping identifier and a matching policy of an access control list (ACL).
7. The apparatus according to claim 6, wherein the acquisition module is specifically configured to obtain a network segment corresponding to the IPv6 address, determine the correspondence between the network segment and a user role, and obtain the user role corresponding to the IPv6 address according to the correspondence between the network segment and the user role.
8. The apparatus of claim 6, wherein the acquisition module is specifically configured to authenticate the user equipment corresponding to the IPv6 address according to a preset rule, and determine the user role corresponding to the IPv6 address.
9. The apparatus according to any one of claims 6-8, further comprising a writing module, configured to obtain an address resolution mapping table of the IPv6 address after the generation module has mapped the IPv6 address to the user role and generated the mapping identifier of the IPv6 address, and to write the mapping identifier corresponding to the IPv6 address into the address resolution mapping table of the IPv6 address.
10. The apparatus according to any of claims 6-8, wherein the acquisition module is specifically configured to obtain a source IPv6 address and a destination IPv6 address of the data message.
CN201911171934.0A 2019-11-25 2019-11-25 Message processing method and device Active CN110958334B (en)

Publications (2)

Publication Number Publication Date
CN110958334A CN110958334A (en) 2020-04-03
CN110958334B true CN110958334B (en) 2022-08-09
