WO2011082584A1 - Implementing method, network and terminal for processing data packet classification - Google Patents


Info

Publication number
WO2011082584A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
data packet
packet
terminal
header
Application number
PCT/CN2010/076022
Other languages
French (fr)
Chinese (zh)
Inventor
张世伟
符涛
Original Assignee
中兴通讯股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/18 Protocol analysers
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Definitions

  • the present invention relates to the field of data communications, and in particular, to a method, a network, and a terminal for implementing data packet classification processing.
  • the technical problem to be solved by the present invention is to provide a method, a network and a terminal for implementing data packet classification processing to improve network security.
  • the present invention provides a method for implementing data packet classification processing, implemented on a network that performs classification processing on data packets; the method includes the processing of received data packets by a terminal.
  • This process includes:
  • the terminal receives a data packet whose packet header carries category information indicating the source category of the packet, and performs differentiated processing on the data packet according to that category information.
  • the category information in the packet header is determined by an intermediate node according to the category of the source end of the packet and is added to the packet header by that node.
  • the intermediate node is an access device responsible for the access of the packet's source end, and the method further includes processing, by the access device, of the original data packet sent by the source end: the access device receives the original data packet sent by the source end of the packet;
  • the access device processes the original data packet, which includes adding category information indicating the category of the source end to the packet header;
  • the category of the packet's source end is sent by the authentication server to the access device during the access authentication of the source end.
  • the intermediate node is an interworking service node (ISN) that connects the data packet classification processing network with an external network;
  • the implementation method further includes processing, by the ISN, of data packets from the external network. This process includes:
  • the ISN receives an external network data packet sent by the external network to the data packet classification processing network; the ISN determines, according to the source of the data packet, the category information that the packet's source end has within the data packet classification processing network;
  • the ISN converts the external network data packet into an intranet data packet, which includes adding category information to the packet header, or modifying the category information already present in the packet header, according to the determined category information;
  • the ISN forwards the converted intranet data packet along the intranet route.
  • the ISN receives an intranet data packet sent by the data packet classification processing network to the external network; the ISN converts the intranet data packet into an external network data packet, which includes modifying or deleting the category information in the packet header according to the trustworthiness of the external network;
  • the ISN forwards the converted external network data packet to the external network.
  • the step of performing differentiated processing on the received data packet by the terminal includes: determining the processing method for the data packet according to the source category of the packet and the confidentiality of the service application, combined with the terminal's own attributes.
  • the data packet classification processing network is an Internet network or an identity and location separation network (SILSN).
  • the category information is carried in an IPv6 extension header.
  • the category information is carried in the Destination Options header among the IPv6 extension headers, and the two high-order bits of the Option Type of the option are set to 00 or 01: a node that does not recognize the option then either skips it and processes the rest of the data packet (00) or discards the data packet (01).
  • the category information includes a source identifier type (SIDT) determined according to the terminal type and/or a credibility grade (CG) determined according to the terminal's trustworthiness, where the source identifier type is one of: in-network trusted user, in-network group user, in-network Internet cafe user, trusted extranet user of a network of the same type, trusted extranet user of a heterogeneous network, or untrusted extranet user. The category information may also carry the terminal's domain identifier and/or intra-domain identifier.
  • the present invention further provides a terminal, where the terminal is implemented based on a communication network, and the terminal includes:
  • a receiving module configured to: receive a data packet, where the packet header of the data packet carries category information indicating a source category of the packet;
  • a packet source category determining module connected to the receiving module, configured to: determine the source category of the packet according to the category information in the data packet;
  • a data packet processing module connected to the packet source category determining module, configured to: perform differentiated processing on the data packet according to the source category of the packet.
  • the data packet processing module is configured to: determine the processing method for the data packet according to the source category of the packet and the confidentiality of the service application, combined with the terminal's own attributes.
  • the present invention further provides a network for classifying data packets, the network comprising:
  • a terminal configured to: receive a data packet whose packet header carries category information indicating the source category of the packet, and perform differentiated processing on the received data packet according to that category information; and
  • an intermediate node connected to the terminal through the network and configured to: receive and forward data packets, and, before forwarding, add category information indicating the category of the packet's source end to the packet header of the received data packet.
  • the intermediate node is an access device that provides access for the terminal, and the network further includes an authentication server connected to the access device;
  • the authentication server is configured to: perform user identity identification and authentication for the terminal, and notify the access device to which the terminal is attached of the terminal's category during the authentication process; the access device is configured to: add the category information corresponding to the terminal's category, as obtained from the authentication server, to the header of each data packet sent by the terminal.
  • the intermediate node is an interworking service node (ISN) between the network and an external network, and the ISN includes:
  • a receiving module configured to: receive an external network data packet sent by the external network to the data packet classification processing network;
  • a category information determining module connected to the receiving module, configured to: determine the category information that the source end of the external network data packet has within the data packet classification processing network;
  • a data packet conversion module connected to the category information determining module, configured to: convert the external network data packet into an intranet data packet, which includes adding category information to the packet header, or modifying the category information already present in the packet header, according to the determined category information;
  • a data packet forwarding module connected to the data packet conversion module, configured to: forward the intranet data packet produced by the data packet conversion module within the data packet classification processing network.
  • the receiving module of the ISN is further configured to: receive an intranet data packet sent by the data packet classification processing network to the external network;
  • the category information determining module of the ISN is further configured to: determine, according to the trustworthiness of the external network, the category information that the source end of the intranet data packet should have in the external network;
  • the data packet conversion module of the ISN is further configured to: convert the intranet data packet into an external network data packet, which includes deleting or modifying the category information in the packet header according to the determined category information;
  • the data packet forwarding module is further configured to: forward the external network data packet produced by the data packet conversion module to the external network.
  • the terminal is configured to perform the differentiated processing on the received data packet as follows: determining the processing method for the data packet according to the source category of the packet and the confidentiality of the service application, combined with the terminal's own attributes.
  • the present invention uses category information about the source category of a packet, carried in the packet header, so that the terminal receiving the packet can distinguish, from the category information in the header, extranet users from intranet users and/or trusted users from untrusted users.
  • the security of users and of upper-layer services can thus be differentiated by category: the interconnection and interworking that users need for ordinary services is preserved, while users inside the network can identify untrusted users and process their packets accordingly. This improves the flexibility of networking while also ensuring the security of the network.
  • FIG. 1 is a schematic diagram of the method by which a terminal of the present invention classifies and processes a data packet;
  • FIG. 2 is a schematic diagram of the method by which an access device of the present invention processes a data packet;
  • FIG. 3 is a schematic diagram of the method by which an interworking service node of the present invention processes an external network data packet;
  • FIG. 5 is a network architecture diagram of identity identifier and location identifier separation;
  • FIG. 6 is the processing flow in which the access service node (ASN) adds the source identifier type;
  • FIG. 7 is the method by which the access device (ASN) determines the source identifier type;
  • FIG. 9 is a schematic diagram of the interworking service node (ISN) determining the source identifier type of an external network data packet;
  • FIG. 10 is a schematic diagram of the terminal processing a data packet sent by another user according to the category information carried in the destination options extension header.
  • the main idea of the data packet classification processing method, network and terminal of the present invention is to use the packet header of a data packet to carry category information indicating the category of the packet's source end, so that the terminal receiving the data packet can treat data packets differently based on that category information.
  • the invention mainly applies to a network that has independent management authority and access control devices at its boundary, such as an operator's network, an enterprise network, or a single autonomous domain: the network has clear boundaries with other networks, and the boundary devices are responsible for adding or deleting the category information described in the present invention.
  • we refer to such a network with independent management capability as a P network.
  • users in the P network receive packets from trusted users inside the network as well as packets from untrusted users outside the network.
  • the P network therefore requires that its users can identify the different sources and/or trust levels of these data packets. To distinguish the source and/or trust level of these packets, new control measures are needed at the borders of the P network, that is, at the access nodes and the interworking nodes, so that data packets entering the P network carry category information; the terminal device can then apply different processing to users of different sources or different trust levels, based on the category information carried in the data packet.
  • the method for implementing data packet classification processing according to the present invention is implemented in a data packet classification processing network (P network) that classifies data packets, and the implementation method includes the terminal receiving a data packet, as shown in FIG. 1:
  • Step 101: The terminal receives a data packet whose packet header carries category information indicating the source category of the packet.
  • Step 102: The terminal performs differentiated processing on the data packet according to the category information.
  • the method for processing the data packet is determined according to the source category of the packet and the confidentiality of the service application, combined with the terminal's own attributes.
  • For example, a server-type terminal holding confidential information can refuse access to untrusted extranet users, so that confidential information is not leaked.
  • As another example, a BBS forum can prevent untrusted users from publishing malicious information on the forum.
  • the category information referred to in the present invention is not placed in the packet by the source node, which sends an original data packet; an intermediate node (such as an access device in the P network, or the interworking service node between the P network and an external network) determines it according to the source of the packet and adds it to the packet header. The category information includes the source identifier type and/or the credibility grade:
  • the source identifier type is determined by the intermediate node according to the category of the packet's source end, which is one of the categories listed above (in-network trusted user, in-network group user, in-network Internet cafe user, trusted extranet user of a network of the same type, trusted extranet user of a heterogeneous network, or untrusted extranet user), so that the source of the packet can be distinguished by the source identifier type.
  • the credibility grade is determined by the intermediate node according to the trustworthiness, or trust level, of the packet's source. It may have two values (for example fully trusted and completely untrusted) or several levels, and the P network user receiving the data packet treats it differently according to the credibility grade.
  • the header of the data packet may also carry a domain identifier, or both a domain identifier and an intra-domain user identifier, where the domain may be a group, an Internet cafe, or a network.
  • the intermediate node referred to in the present invention is either an access device within the network or an interworking service node between networks; the two are described in turn below.
  • as shown in FIG. 2, the method by which the access device processes a data packet sent by the packet's source end includes: Step 201: The access device receives the original data packet sent by the source end of the packet; Step 202: The access device processes the original data packet, which includes adding category information indicating the category of the source end to the packet header;
  • the category of the source end is sent by the authentication server to the access device during the access authentication of the source end.
  • the access device adds different category information for different source terminal categories, such as in-network trusted users, in-network group users, and in-network Internet cafe users.
  • Step 203: The access device forwards the processed data packet.
  • the interworking service node processes the packet headers of data packets that cross the network boundary, which covers both packets sent from the external network into the network and packets sent from the network to the external network.
  • as shown in FIG. 3, the method by which the ISN processes a data packet sent by the external network to the internal network includes:
  • Step 301: The ISN receives an external network data packet sent by the external network to the internal network.
  • Step 302: The ISN determines, according to the source of the data packet, the category information of the packet's source end within the internal network, and converts the external network data packet into an intranet data packet, which includes adding category information to the packet header, or modifying the category information already present in the packet header, according to the determined category information.
  • the method by which the ISN processes a data packet sent by the internal network to the external network includes:
  • Step 401: The ISN receives an intranet data packet sent by the intranet to the external network.
  • Step 402: The ISN converts the intranet data packet into an external network data packet, which includes modifying or deleting the category information in the packet header according to the trustworthiness of the external network.
  • Step 403: The ISN forwards the converted external network data packet to the external network.
  • the category information of the present invention is carried in the IPv4 or IPv6 packet header. Specifically, it can be implemented by adding or defining a new packet header option in the IPv4 or IPv6 packet header; in order to change the existing protocol as little as possible, the present invention preferably uses the extension headers of the IPv6 data packet to carry the category information.
  • to distinguish the source of a data packet, the user's category information needs to be carried in the IPv6 packet.
  • the IPv6 protocol itself has no complete mechanism for carrying source identifier category information in a data packet, so the category information cannot be encapsulated directly into an IPv6 packet as it stands.
  • in IPv6 packet transmission, therefore, in order for a P network user to identify the user from which a received data packet originates, the IPv6 protocol needs to be extended so that the data packet carries the sender's category information.
  • the IPv6 header shown in Table 1 is defined in the IPv6 protocol (RFC 2460); to carry additional information, RFC 2460 provides for inserting IPv6 extension headers between the IPv6 header and the upper-layer header.
  • RFC 2460 defines six extension headers: the Hop-by-Hop Options header, Routing header, Fragment header, Authentication header, Encapsulating Security Payload (ESP) header and Destination Options header.
  • RFC 2460 assigns each extension header a protocol number; for example, the Hop-by-Hop Options header is 0 and the Destination Options header is 60.
  • several IPv6 extension headers can coexist, in a prescribed order, as shown in Table 2: immediately after the IPv6 header comes the Routing header, then the Destination Options header, and finally the TCP header.
  • the Destination Options header carries information that is examined only by the destination node.
  • the format of the Destination Options header is shown in Table 3 below:
  • Next Header indicates the type of the next protocol header, and Hdr Ext Len indicates the length of the Destination Options header in units of 8 bytes, not counting the first 8 bytes.
  • each option consists of an Option Type, an Opt Data Len and the Option Data. The first three bits of the Option Type are specified by RFC 2460: the first and second (highest-order) bits specify the action taken by a node that processes the IPv6 data packet but does not recognize the option (00: skip the option and continue processing the packet; 01: discard the packet; 10: discard the packet and send an ICMP Parameter Problem message; 11: discard the packet and send the ICMP message only if the destination address was not a multicast address).
  • the third bit of the Option Type is defined by RFC 2460 as 1 if the option data may change en route, otherwise 0.
  • a later RFC, RFC 3775 (Mobile IPv6), has already specified one destination option, the Home Address option.
  • the Home Address option has the value 0xC9, that is 11001001: its lower five bits 01001 give it option number 9.
  • the option length (Opt Data Len) is in bytes and gives the actual length of the option data.
  • in the embodiment of the method described below it is 12: one byte for the source identifier type, one for the credibility grade, six for the domain identifier and four for the intra-domain user identifier.
  • the present invention preferably uses the Destination Options header for the extension.
  • the Option Type in the Destination Options header has 8 bits in total:
  • the lower five bits (the option number) are not specially prescribed by the present invention and can be set by the operator of the processing node as the situation requires.
  • the two high-order bits can be set to 01, so that a node that processes the data packet but does not recognize this option discards the whole packet;
  • or they can be set to 00, so that even a node that does not recognize this option processes the whole data packet normally, which improves compatibility and lets existing equipment be used as far as possible.
  • the third bit is set to 1, because intermediate nodes process this option and its option data may change en route.
  • this new extension option type can therefore take two alternative values:
  • one is 00111111, that is 0x3F, which means that a destination node that does not recognize this option skips it and processes the rest of the data packet; the other is 01111111, that is 0x7F, which means that a destination node that does not recognize this option discards the data packet.
  • the present invention thus provides a method of carrying a sender category identifier in an IPv6 data packet, so that the terminal user can readily tell whether a received data packet was sent by a trusted or an untrusted node, and data packets of different sources and different trust levels can be distinguished.
  • the present invention provides a method of carrying a classification of the user's source address in an extension header of the IPv6 packet header. The method applies to any network that transmits IPv6 and needs to distinguish the source of packets.
  • the source identifier type (SIDT) is allocated one byte.
  • the values of the source identifier type are defined as follows:
  • 0x00: an ordinary in-network user that can be trusted.
  • one byte is allocated for the credibility grade (CG), and trustworthiness is divided into two levels, fully trusted and completely untrusted: if the source address is completely untrusted the field is set to 0, and if the source address is fully trusted it is set to 255.
  • the domain identifier (DID) is information about the domain in which the packet's source is located. It is allocated 48 bits and plays a different role under each source identifier type:
  • if the source identifier type is a trusted in-network ordinary user: the DID may carry the MAC address of the source, or may have no meaning; when it has no meaning the DID is set to 0.
  • if the source identifier type is an in-network group user: the DID is the group number, which is valid within one operator. For example, China Telecom can treat Lenovo as a group user and give it the 48-bit group number 0x0000 0000 F001.
  • if the source identifier type is an in-network Internet cafe user: the DID is the Internet cafe number, which is valid nationwide.
  • if the source identifier type is a trusted user of a P network of the same type: the DID is the identifier of that same-type network.
  • if the source identifier type is a trusted heterogeneous network user: the DID is the heterogeneous network identifier.
  • if the source identifier type is an untrusted extranet user: the DID is meaningless.
  • the domain user identifier (DUI) is the user's number within the domain and is allocated 32 bits. It has a different role under each source identifier type:
  • if the source identifier type is a trusted in-network ordinary user: meaningless. If the source identifier type is an in-network group user: the user's serial number within the group.
  • if the source identifier type is a trusted user of a network of the same type outside the network: the user's number as assigned by that network. If the source identifier type is a trusted heterogeneous network user: the user's number as assigned by that network. If the source identifier type is an untrusted extranet user: meaningless.
  • a DID of 0 indicates that the DID is not used, that is, the DID field is meaningless.
  • a DUI of 0 indicates that the DUI is not used, that is, the DUI field is meaningless.
  • Table 7 below shows the destination options extension header of a data packet, received by a P network terminal, that was sent by an in-network group user:
  • DID 0x0000000000A1, indicating that the user who sent this packet belongs to the group with group number 0xA1.
  • DUI 0x55667788, indicating that the sender is user number 0x55667788 within that group.
  • Table 8 below shows the destination options extension header of a data packet, received by a P network terminal, that was sent by an Internet cafe user:
  • DID 0x99F8AABBCCDD, indicating that the user who sent this packet is from the Internet cafe with Internet cafe number 0x99F8AABBCCDD.
  • DUI 0x00000005, indicating that the sender is user number 5 in that Internet cafe.
  • Table 9 below shows the destination options extension header of a data packet, received by a P network terminal, that was sent by a user of a trusted network of the same type:
  • CG 10, indicating that this user is trusted, but with a low trust level.
  • DID 0xA0, indicating that the user who sent this packet comes from the external trusted network with number 0xA0.
  • the DID number is specific to the single P network itself; no globally unified numbering is used.
  • Table 10 below shows the destination options extension header of a data packet, received by a P network terminal, that was sent by a heterogeneous network user outside the network:
  • DID 3, indicating that the user who sent the data packet comes from the external trusted heterogeneous network with sequence number 3.
  • the DID number is assigned by the P network itself; no globally unified numbering is used.
  • DUI 0x1234, indicating that this packet was sent by the user numbered 0x1234 in that trusted external network.
  • Table 11 below shows the destination options extension header of a data packet, received by a P network terminal, that was sent by an untrusted network user:
  • DUI 0, indicating that the DUI is not used.
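As an added example (not code from the patent or from ZTE), the following Python parses a Destination Options header laid out as in Table 3 and carrying the category option of Tables 7 to 11, applies the RFC 2460 rule for option types a node does not recognise (so the 0x3F versus 0x7F choice above can be exercised from the point of view of both a node that knows the option and one that does not), and makes the Step 102 decision of a receiving terminal. The field layout (Opt Data Len 12, SIDT 1 byte, CG 1 byte, DID 48 bits, DUI 32 bits) follows the page; the SIDT codes other than 0x00, the CG threshold, the decision labels and the sample headers are this example's own constructions.

```python
"""Parse the category Destination Options header and apply the terminal's
differentiated processing.  Added example; not code from the patent."""
import struct
from dataclasses import dataclass

OPT_PAD1 = 0                 # RFC 2460 Pad1: a single zero byte, no length field
OPT_PADN = 1                 # RFC 2460 PadN: type, length, then zero bytes
CATEGORY_OPT_SKIP = 0x3F     # 00 1 11111: skip if unrecognised, data may change en route
CATEGORY_OPT_DISCARD = 0x7F  # 01 1 11111: discard if unrecognised
CATEGORY_DATA_LEN = 12       # SIDT(1) + CG(1) + DID(6) + DUI(4)

# Source identifier types.  0x00 is the only value the page gives; the others
# are assumed here so the example can name the remaining categories.
SIDT_INTRANET_TRUSTED = 0x00
SIDT_INTRANET_GROUP = 0x01        # assumed
SIDT_INTRANET_CAFE = 0x02         # assumed
SIDT_EXTRANET_PEER = 0x03         # assumed
SIDT_EXTRANET_HETERO = 0x04       # assumed
SIDT_EXTRANET_UNTRUSTED = 0x05    # assumed


@dataclass(frozen=True)
class Category:
    sidt: int
    cg: int   # credibility grade: 0 = completely untrusted, 255 = fully trusted
    did: int  # 48-bit domain identifier, 0 = not used
    dui: int  # 32-bit intra-domain user identifier, 0 = not used


def unrecognized_action(opt_type: int) -> str:
    """RFC 2460 section 4.2: the two high-order bits of an Option Type say what a
    node must do with an option it does not recognise."""
    return ("skip", "discard", "discard+icmp", "discard+icmp-unless-mcast")[opt_type >> 6]


def parse_dstopts(hdr: bytes, known=(CATEGORY_OPT_SKIP, CATEGORY_OPT_DISCARD)):
    """Walk one Destination Options header.  Returns (next_header, Category or None,
    verdict); verdict is 'discard' when an option this node does not know forbids
    skipping, otherwise 'accept'.  Pass known=() to act as a node that has never
    heard of the category option."""
    if len(hdr) < 8:
        raise ValueError("Destination Options header shorter than 8 bytes")
    next_header, hdr_ext_len = hdr[0], hdr[1]
    total = (hdr_ext_len + 1) * 8          # Hdr Ext Len does not count the first 8 bytes
    if len(hdr) < total:
        raise ValueError("header truncated")
    pos, category = 2, None
    while pos < total:
        opt_type = hdr[pos]
        if opt_type == OPT_PAD1:
            pos += 1
            continue
        if pos + 2 > total:
            raise ValueError("option header runs past Hdr Ext Len")
        opt_len = hdr[pos + 1]
        if pos + 2 + opt_len > total:
            raise ValueError("option data runs past Hdr Ext Len")
        data = hdr[pos + 2:pos + 2 + opt_len]
        pos += 2 + opt_len
        if opt_type == OPT_PADN:
            continue
        if opt_type in known:
            if opt_len != CATEGORY_DATA_LEN:
                raise ValueError("category option must carry 12 bytes of data")
            sidt, cg, did_hi, did_lo, dui = struct.unpack("!BBHIL", data)
            category = Category(sidt, cg, (did_hi << 32) | did_lo, dui)
        elif unrecognized_action(opt_type) != "skip":
            return next_header, category, "discard"
    return next_header, category, "accept"


def terminal_decision(category, service_confidentiality: str, min_cg: int = 128) -> str:
    """Step 102: decide by source category and service confidentiality.  Follows the
    page's two examples (a confidential server refuses untrusted extranet users, a
    BBS forum only restricts them); min_cg and the labels are this example's choice."""
    confidential = service_confidentiality == "confidential"
    if category is None:                       # no category option: unclassified source
        return "deny" if confidential else "allow-unclassified"
    if category.sidt == SIDT_EXTRANET_UNTRUSTED:
        return "deny" if confidential else "allow-read-only"
    if confidential and category.cg < min_cg:
        return "deny"
    return "allow"


# Constructed sample headers, 16 bytes each: Next Header 6 (TCP), Hdr Ext Len 1.
# Table 7 style: group user, CG 255, group number 0xA1, user 0x55667788 (type 0x3F).
SAMPLE_GROUP_USER = bytes.fromhex("06 01 3f 0c 01 ff 0000000000a1 55667788")
# Same content but with the discard-if-unrecognised type 0x7F.
SAMPLE_GROUP_USER_7F = bytes.fromhex("06 01 7f 0c 01 ff 0000000000a1 55667788")
# Table 11 style: untrusted extranet user, CG 0, DID 0, DUI 0.
SAMPLE_UNTRUSTED = bytes.fromhex("06 01 3f 0c 05 00 000000000000 00000000")
# An unknown option whose high bits are 10 (discard + ICMP), padded out with PadN.
SAMPLE_UNKNOWN_OPTION = bytes.fromhex("06 01 8a 02 0000 01 08 0000000000000000")

if __name__ == "__main__":
    for name, hdr in [("group user", SAMPLE_GROUP_USER), ("untrusted", SAMPLE_UNTRUSTED),
                      ("unknown option", SAMPLE_UNKNOWN_OPTION)]:
        nh, cat, verdict = parse_dstopts(hdr)
        print(f"{name}: next header {nh}, {cat}, {verdict}; confidential server -> "
              f"{terminal_decision(cat, 'confidential')}, forum -> {terminal_decision(cat, 'public')}")
    print("legacy node, 0x3F:", parse_dstopts(SAMPLE_GROUP_USER, known=())[2])
    print("legacy node, 0x7F:", parse_dstopts(SAMPLE_GROUP_USER_7F, known=())[2])
```

Running it with `known=()` shows the compatibility point of the text: a node that does not implement the option still forwards a 0x3F packet but drops a 0x7F one. The parser also bounds every option against Hdr Ext Len, which is the check a terminal needs before trusting any field in a header it did not build.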
  • the method of the present invention can be implemented on an Internet network or on an identity and location separation network (SILSN).
  • the following is a basic implementation of the present invention with SILSN as the basis of the P network.
  • FIG. 5 shows a network architecture in which the identity identifier and the location identifier are separated.
  • the network is an identity and location identifier separation network, including the Access Service Node (ASN), the User Equipment (UE), the Identity & Location Register (ILR), the authentication server, the Interworking Service Node (ISN), and so on.
  • the ASN is used to attach user terminals: it is responsible for realising the access of the user terminal, and also for charging and handover functions;
  • the ILR is responsible for the location registration of users, the authentication server performs user identity identification and authentication, and the ISN interconnects users of the network with users of external networks.
  • each user terminal has a unique identity identifier, the Access Identifier (AID).
  • the user identity and location separation network is referred to below simply as the P1 network, where UE1 and UE3 are P1 intranet users and UE2 is an extranet user.
  • UE3 can receive data packets from UE1 on the P1 intranet and data packets from UE2 on the external network.
  • the invention helps the intranet user UE3 to distinguish these packets of different sources and different trust levels and to process them separately.
  • ASN1 and ASN2 are the access devices attaching user terminals UE1 and UE3 respectively; UE1 and UE3 have the unique identity identifiers AID1 and AID3.
  • ISN1 processes data packets from users outside the network, such as UE2, performing format conversion on data packets from outside the P1 network.
  • Figure 6 shows the process by which the ASN of the P1 network adds the source identification type to the packets sent by intranet users:
  • When the user UE accesses the network, the ASN first authenticates it with the authentication server; after the authentication server passes the authentication, it returns the source identification type. The ASN saves the source identification type of the user, and when the user subsequently sends a data packet, the ASN adds the corresponding IPv6 destination extension header option to the packet sent by the user.
  • Step 601: The user terminal UE initiates an access request to the ASN.
  • Step 602: The ASN initiates an authentication process for the UE with the authentication server.
  • Step 603: After the authentication is passed, the authentication server returns the source identification type of the user to the ASN.
  • Step 604: The ASN saves the source identification type of the user for subsequent checking and use.
  • Step 605: The ASN notifies the UE that the authentication has passed and allows access;
  • Step 606: The UE starts to send data packets.
  • Step 607: The ASN adds the corresponding source identifier type extension header option to the IPv6 packets sent by the UE.
  • Steps 603, 604 and 607 are the key steps in implementing the source identification type check.
  • The ASN receives the data packet sent by the intranet user, extracts the source identifier, and then looks up the source identifier type corresponding to that source identifier.
  • This source identification type was obtained by the ASN from the authentication server.
  • the source identification type (SIDT) is assigned a value of 1;
  • the source identification type (SIDT) is assigned a value of 2;
  • FIG. 8 is a schematic diagram of the ISN of the P1 network processing data originating from the external network and from the intranet.
  • The ISN needs to do the following work:
  • The IPv6 destination extension header option needs to be modified or deleted according to the trust status of the external network.
  • Step 801: The external network user sends a data packet to the ISN.
  • Step 802: The ISN determines, according to the source of the data packet, whether the source of the packet is a trusted network user of the same type, a trusted heterogeneous network user, or another network user that is not trusted, and in each case adds or modifies the corresponding destination extension header option in the data packet;
  • Step 803: The ISN sends the converted data packet to the ASN, and the ASN forwards the packet to the actual intranet user;
  • Step 805: According to the trust status of the network where the destination address is located, the ISN either modifies the destination extension header option (for a trusted peer network and a trusted heterogeneous network) or deletes the destination extension header option (for an untrusted network).
  • Step 806: The ISN sends the converted data packet to the external network.
  • The source identifier type is changed to 0x80;
  • the DID is set to the network number of the network;
  • the DUI is set to 0.
  • The source identifier option in the IPv6 destination extension header is deleted.
  • The ISN determines whether the source network is a trusted P network, a trusted heterogeneous network, or an untrusted network, and processes data from these sources accordingly.
  • The source identification type is set to 0x80, 0x81, 0x82, etc.:
  • 901: The ISN receives the data packet sent by the external network user and starts the process of adding the source identifier according to the attributes of the source network.
  • 906-907: If the data message comes from an untrusted network user, the source identification type is set to 0x82; 908-909: if the data message comes from another user not defined by the present invention, the source identification type is set to the reserved XX;
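The option format of Tables 10 and 11, the ASN stamping step of Figure 6 and the ISN ingress/egress conversion of Figures 8 and 9, as one added Python example that is not part of the patent. The option type value 0x1E, the field widths (1-byte SIDT, 2-byte DID, 4-byte DUI), the reserved value 0xFF, the network labels and the network-number table are all assumptions; the patent specifies none of them. The parser also applies the Option Type action bits the description relies on: high bits 00 mean an unrecognized option is skipped, anything else means the packet is discarded.

```python
"""Source-identifier option in an IPv6 Destination Options header, with the
ASN stamping step (607) and the ISN ingress/egress conversion (802, 805).
Added example, not the patent's code; option type, field widths, the
reserved value and the network-number table are assumptions."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Source identifier type (SIDT) values as used in the description
SIDT_INTRANET_TRUSTED, SIDT_INTRANET_GROUP, SIDT_INTRANET_CAFE = 0, 1, 2
SIDT_EXT_PEER, SIDT_EXT_HETERO, SIDT_EXT_UNTRUSTED = 0x80, 0x81, 0x82
SIDT_RESERVED = 0xFF      # placeholder: the text only says "reserved"

SRC_ID_OPT = 0x1E         # hypothetical option type; high bits 00 = "skip if unknown"
PADN, NH_TCP = 1, 6       # PadN option type, Next Header value for TCP

@dataclass
class SourceId:
    sidt: int
    did: int              # network number, assigned by the P network itself
    dui: int              # user number inside that network, 0 = not used

@dataclass
class Packet:
    src_network: str      # constructed label of the originating network
    payload: bytes
    dst_opts: Optional[bytes] = None
    ext_user: int = 0     # user number in the external network, if known

def build_dst_opts(next_header: int, sid: SourceId) -> bytes:
    """Next Header, Hdr Ext Len, our option (7 data bytes), PadN to 16 octets."""
    opt = struct.pack("!BBBHI", SRC_ID_OPT, 7, sid.sidt, sid.did, sid.dui)
    body = opt + bytes([PADN, 3, 0, 0, 0])
    assert (2 + len(body)) % 8 == 0
    return bytes([next_header, (2 + len(body)) // 8 - 1]) + body

def parse_dst_opts(hdr: bytes) -> Tuple[int, Optional[SourceId]]:
    """Walk the options; an unknown option whose high bits are not 00 forces a discard."""
    nh, total, i, sid = hdr[0], (hdr[1] + 1) * 8, 2, None
    while i < total:
        t = hdr[i]
        if t == 0:                                   # Pad1 has no length byte
            i += 1
            continue
        length = hdr[i + 1]
        if t == SRC_ID_OPT:
            sid = SourceId(*struct.unpack("!BHI", hdr[i + 2:i + 2 + length]))
        elif t != PADN and (t >> 6) != 0:            # 01/10/11: discard
            raise ValueError("unknown option 0x%02x, packet must be discarded" % t)
        i += 2 + length
    return nh, sid

def header_acceptable(hdr: bytes) -> bool:
    try:
        parse_dst_opts(hdr)
        return True
    except ValueError:
        return False

class ASN:
    """Caches the SIDT returned by the authentication server (steps 603-604)
    and stamps it onto each packet the user sends (step 607)."""
    def __init__(self, own_network: int):
        self.own_network, self.sidt_by_aid = own_network, {}

    def on_auth_passed(self, aid: int, sidt: int) -> None:
        self.sidt_by_aid[aid] = sidt

    def on_user_packet(self, aid: int, pkt: Packet) -> Packet:
        sidt = self.sidt_by_aid[aid]                 # KeyError: user never authenticated
        pkt.dst_opts = build_dst_opts(NH_TCP, SourceId(sidt, self.own_network, aid))
        return pkt

class ISN:
    """Classifies inbound packets by source network (steps 802, 901-909) and
    rewrites or strips the option on the way out (steps 805-806)."""
    def __init__(self, own_network: int, trust: Dict[str, str], did_of: Dict[str, int]):
        self.own_network, self.trust, self.did_of = own_network, trust, did_of

    def ingress(self, pkt: Packet) -> Packet:
        kind, did = self.trust.get(pkt.src_network), self.did_of.get(pkt.src_network, 0)
        if kind == "peer":
            sid = SourceId(SIDT_EXT_PEER, did, pkt.ext_user)
        elif kind == "heterogeneous":
            sid = SourceId(SIDT_EXT_HETERO, did, pkt.ext_user)      # Table 10
        elif kind == "untrusted":
            sid = SourceId(SIDT_EXT_UNTRUSTED, did, 0)              # Table 11: DUI unused
        else:
            sid = SourceId(SIDT_RESERVED, 0, 0)                     # steps 908-909
        pkt.dst_opts = build_dst_opts(NH_TCP, sid)                  # add or overwrite
        return pkt

    def egress(self, pkt: Packet, dst_network: str) -> Packet:
        if self.trust.get(dst_network) in ("peer", "heterogeneous"):
            pkt.dst_opts = build_dst_opts(NH_TCP, SourceId(SIDT_EXT_PEER, self.own_network, 0))
        else:
            pkt.dst_opts = None                      # untrusted destination: option removed
        return pkt

def demo():
    asn = ASN(own_network=1)
    asn.on_auth_passed(aid=3, sidt=SIDT_INTRANET_GROUP)
    inner = asn.on_user_packet(3, Packet("P1", b"constructed payload"))
    isn = ISN(1, {"P2": "peer", "CorpNet": "heterogeneous", "Internet": "untrusted"},
              {"P2": 2, "CorpNet": 3, "Internet": 9})
    ext = isn.ingress(Packet("CorpNet", b"constructed payload", ext_user=0x1234))
    out = isn.egress(Packet("P1", b"constructed payload", dst_opts=inner.dst_opts), "Internet")
    return parse_dst_opts(inner.dst_opts)[1], parse_dst_opts(ext.dst_opts)[1], out.dst_opts

if __name__ == "__main__":
    print(demo())
```

The ingress path always overwrites whatever option the external packet arrived with, which is the property the scheme depends on: a source identifier that an outside sender stamped itself must never survive past the border node, otherwise the terminal-side policies that key on SIDT could be bypassed by crafting the header.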
  • FIG. 10 is a specific application scenario of the present invention, an example of classified processing when a P1 network user receives different types of information. Since the P1 network has classified packets by source, users in the P1 network can clearly know which data packets come from external users, which come from intranet users, which data packets are trusted and how trustworthy they are, and can then apply classified processing to their services on the basis of this category information:
  • A user terminal in the P network can perform classified processing according to the source identification type when it receives data packets carrying the above types of identifier; for example, a relatively confidential server
  • can deny users whose source identifier type is 0x82 (untrusted external network users) access to confidential information,
  • or prevent them from publishing malicious information on a BBS forum.
  • Step 1001: The P1 network user receives a data packet and analyzes the types of users allowed by the service according to the attributes of the user and the confidentiality of the service application.
  • The following steps are examples of the corresponding policy implementation: Step 1002: When the local network user is a private network user such as a public security network, users of that network can be restricted from processing any data packets from external network users, so only data packets whose source identification type is 0 or 1 are accepted.
  • When the local network user is a group user, it can receive only data packets with source identification type 1; data packets from other Internet cafe users (2) and from external network users (0x80 to 0x82) are blocked.
  • Step 1003: When the local network user is a group server, only data packets with source identification type 1 (group user) are accepted, and messages from other sources are rejected.
  • Step 1004: When the local network user is a politically sensitive BBS server, Internet cafe users and external network users are only allowed to browse the BBS information and are not allowed to modify or publish BBS information, so as to avoid attacks from external network users.
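The terminal-side policy of steps 1001 to 1004, as an added Python example that is not part of the patent. The profile names, the read/write operation labels, the constructed traffic sample and the default-deny for unknown or reserved source identifier types are assumptions; the SIDT values themselves are the ones the description uses.

```python
"""Terminal-side classification policy for the scenario of Figure 10 (steps
1001-1004). Added example, not the patent's code; profile names, operation
labels and the default-deny for unknown SIDT values are assumptions."""
from typing import Dict, List, Tuple

# SIDT values as used in the description
SIDT_INTRANET_TRUSTED, SIDT_INTRANET_GROUP, SIDT_INTRANET_CAFE = 0, 1, 2
SIDT_EXT_PEER, SIDT_EXT_HETERO, SIDT_EXT_UNTRUSTED = 0x80, 0x81, 0x82
INTRANET = {SIDT_INTRANET_TRUSTED, SIDT_INTRANET_GROUP, SIDT_INTRANET_CAFE}
EXTERNAL = {SIDT_EXT_PEER, SIDT_EXT_HETERO, SIDT_EXT_UNTRUSTED}

def decide(profile: str, sidt: int, op: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for one request of kind `op` ("read"/"write")
    whose packet carried source identifier type `sidt`, at a terminal of `profile`."""
    if sidt not in INTRANET | EXTERNAL:
        return False, "unknown source identifier type 0x%02x" % sidt   # reserved: deny
    if profile == "public_security":                 # step 1002: no external traffic
        ok = sidt in (SIDT_INTRANET_TRUSTED, SIDT_INTRANET_GROUP)
        return ok, "only SIDT 0 and 1 are accepted"
    if profile in ("group_user", "group_server"):    # step 1003 and the group-user case
        ok = sidt == SIDT_INTRANET_GROUP
        return ok, "only SIDT 1 (group user) is accepted"
    if profile == "sensitive_bbs":                   # step 1004: outsiders browse only
        if sidt in (SIDT_INTRANET_TRUSTED, SIDT_INTRANET_GROUP):
            return True, "intranet trusted/group user, full access"
        return op == "read", "Internet cafe and external users may only browse"
    return False, "no policy for profile %r, default deny" % profile

def apply_policy(profile: str, requests: List[Tuple[int, str]]) -> List[Tuple[int, str, bool]]:
    """Evaluate a batch of (sidt, op) requests against one terminal profile."""
    return [(sidt, op, decide(profile, sidt, op)[0]) for sidt, op in requests]

def rejected_by_sidt(decisions: List[Tuple[int, str, bool]]) -> Dict[int, int]:
    """Count rejections per SIDT. A burst of rejected 0x82 writes on a BBS is
    worth alerting on; a rejected 0 or 1 usually means a misconfigured profile."""
    counts: Dict[int, int] = {}
    for sidt, _op, ok in decisions:
        if not ok:
            counts[sidt] = counts.get(sidt, 0) + 1
    return counts

# Constructed traffic sample: (SIDT, operation) pairs as a BBS server would see them
SAMPLE = [(0, "write"), (1, "write"), (2, "read"), (2, "write"),
          (0x80, "read"), (0x82, "read"), (0x82, "write"), (0x82, "write")]

if __name__ == "__main__":
    for sidt, op, ok in apply_policy("sensitive_bbs", SAMPLE):
        print("sidt=0x%02x %-5s -> %s" % (sidt, op, "accept" if ok else "reject"))
    print(rejected_by_sidt(apply_policy("sensitive_bbs", SAMPLE)))
```

The policy is a whitelist in every branch: a profile that is not configured, or an SIDT value the terminal does not know, is rejected rather than treated as an intranet user, so a missing or reserved identifier never grants more access than an explicitly untrusted one.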
  • Although the above embodiment uses the P1 network with separated identity and location identifiers as an example, the method is also applicable to other IPv6-based networks, and a method that uses other IPv6 extension headers to carry the source identifier for differential processing is also within the scope of the present invention.
  • The present invention further provides a network for classifying data packets, the network comprising:
  • a terminal configured to send and receive data packets, where the packet header of a received data packet carries category information indicating the source category of the packet, and further configured to process the received data packet differentially according to the category information in the received data packet;
  • the method of processing the data packet is determined according to the source type of the packet and the confidentiality of the service application, in combination with the attributes of the terminal itself;
  • an intermediate node connected to the terminal through the network and configured to receive and forward data packets and, before forwarding, to add the category information of the packet source to the packet header of the received data packet according to the category of the packet source.
  • The intermediate node may be an access device that implements access by the terminal, or an interworking service node (ISN) between the network and the external network.
  • ISN: interworking service node
  • The network further includes an authentication server connected to the access device, where the server is configured to perform user identification and authentication on the terminal and to notify the access device of the category of the terminal during the authentication process.
  • The ISN includes:
  • a receiving module configured to receive external network data packets sent by the external network to the data packet classification processing network, and further configured to receive intranet data packets sent by the data packet classification processing network to other networks;
  • a category information determining module connected to the receiving module and configured to determine the category information of the source of the external network data packet within the data packet classification processing network, and further configured to determine, according to the trust status of the external network, the category information of the source of the intranet data packet in the external network;
  • a data packet conversion module connected to the category information determining module and configured to convert the external network data packet into an intranet data packet, including adding category information to the packet header or modifying the original category information in the packet header according to the determined category information,
  • and further configured to convert the intranet data packet into an external network data packet, including deleting or modifying the category information in the packet header according to the determined category information;
  • a data packet forwarding module connected to the data packet conversion module and configured to route and forward the intranet data packet converted by the data packet conversion module within the data packet classification processing network, and to send the external network data packet converted by the data packet conversion module to the external network.
  • The category information is carried in an IPv6 extension header.
  • The category information is carried in the Destination Options header of the IPv6 extension headers, and the first two bits of the Option Type of the Destination Options header are 00 or 01, indicating that a destination node that does not recognize this option either processes the rest of the data packet normally (00) or discards the data packet (01).
  • The category information includes a source identifier type (SIDT) determined according to the terminal type and/or a trustworthiness (CG) determined according to the trustworthiness of the terminal, where the source identifier type includes at least one of the following: trusted intranet users, intranet group users, intranet Internet cafe users, trusted same-type network users outside the network, trusted heterogeneous network users outside the network, and untrusted network users outside the network.
  • Identifier DID and/or the intra-domain identifier of the terminal.
  • The present invention also provides a terminal whose specific functions are the same as those described above and are not repeated here. While the preferred embodiments of the present invention have been disclosed for purposes of illustration, those skilled in the art will recognize that various modifications, additions and substitutions are possible, and the scope of the invention should not be limited to the embodiments described above.
  • The present invention uses category information carried in the packet header to indicate the source category of the packet, so that the terminal receiving the packet can distinguish, according to the category information in the packet header, users outside the network from users inside it and/or trusted users from untrusted users.
  • The security of users and upper-layer services can then be handled differentially by category, which not only satisfies the interconnection requirements of ordinary user services but also enables P-network users to identify untrusted users and process them accordingly, improving networking flexibility while also ensuring network security. For example, a highly confidential service may allow access only to trusted users, while a low-security service may allow access by users with low trust levels, such as those from an external network.

Abstract

The present invention provides an implementing method, network and terminal for processing data packet classification. The method is implemented on a network that processes data packet classification and comprises the processing of received data packets by a terminal: the terminal receives a data packet whose packet header carries classification information denoting the classification of the packet's source terminal (101), and the terminal processes the data packet distinctively according to that classification information (102). The present invention improves the flexibility of networking while also ensuring the security of the network.

Description

Method, network and terminal for implementing data packet classification processing
Technical field
The present invention relates to the field of data communications, and in particular to a method, a network and a terminal for implementing data packet classification processing.
Background
The existing Internet is built on Internet Protocol (IP) technology. The openness of IP networks has driven the prosperity of the Internet but has also brought a large number of security problems. Nodes in the Internet are managed by many organizations in many countries; some nodes are trustworthy and others may not be. A user in the network may receive data packets from trusted nodes and from untrusted nodes alike. With the prior art, an IP user cannot tell which data packets were sent by trusted nodes and which by untrusted nodes, and so cannot process them differently, which leaves an attack space for untrusted nodes to impersonate trusted nodes when accessing the network and seriously reduces network security.
Summary of the invention
The technical problem to be solved by the present invention is to provide a method, a network and a terminal for implementing data packet classification processing, so as to improve network security.
To solve the above technical problem, the present invention provides a method for implementing data packet classification processing. The method is implemented on a network that performs classification processing on data packets, and includes the processing of received data packets by a terminal, which comprises:
the terminal receives a data packet whose packet header carries category information indicating the category of the packet source; and
the terminal processes the data packet differentially according to the category information.
The category information in the packet header of the data packet is determined by an intermediate node according to the category of the packet source and added to the packet header.
The intermediate node is the access device responsible for the access of the packet source, and the method further includes the processing by the access device of the original data packet sent by the packet source, which comprises: the access device receives the original data packet sent by the packet source;
the access device processes the original data packet, including adding to the packet header category information indicating the category of the packet source; and
the access device forwards the processed data packet;
where the category of the packet source is sent by the authentication server to the access device during the access authentication of the packet source.
When the data packet classification processing network interworks with an external network, the intermediate node is the interworking service node connecting the data packet classification processing network with the external network, and the method further includes the processing by the interworking service node (ISN) of external network data packets, which comprises:
the ISN receives an external network data packet sent by the external network to the data packet classification processing network; the ISN determines, according to the source of the data packet, the category information of the packet source within the data packet classification processing network, and converts the external network data packet into an intranet data packet, including adding category information to the packet header or modifying the original category information in the packet header according to the determined category information; and
the ISN routes and forwards the converted intranet data packet into the intranet.
The ISN receives an intranet data packet sent by the data packet classification processing network to the external network; the ISN converts the intranet data packet into an external network data packet, including modifying or deleting the category information in the packet header according to the trustworthiness of the external network; and
the ISN routes and forwards the converted external network data packet within the data packet classification processing network.
The step of the terminal processing the received data packet differentially includes: determining the processing method for the data packet according to the category of the packet source, combined with the terminal's own attributes and the confidentiality of the service application.
The data packet classification processing network is an Internet network or an identity and location separation network (SILSN).
The category information is carried in an IPv6 extension header. The category information is carried in the Destination Options header of the IPv6 extension headers, and the first two bits of the Option Type of the Destination Options header are 00 or 01, indicating that a destination node that does not recognize this option either processes the rest of the data packet normally or discards the data packet.
The category information includes a source identifier type (SIDT) determined according to the terminal type and/or a trustworthiness (CG) determined according to the trustworthiness of the terminal, where the source identifier type includes: trusted intranet users, intranet group users, intranet Internet cafe users, trusted same-type network users outside the network, trusted heterogeneous network users outside the network, or untrusted network users outside the network. And/or the intra-domain identifier of the terminal.
To solve the above technical problem, the present invention further provides a terminal implemented on a communication network, the terminal comprising:
a receiving module configured to receive a data packet whose packet header carries category information indicating the category of the packet source;
a packet source category determining module, connected to the receiving module and configured to determine the category of the packet source according to the category information in the data packet; and
a data packet processing module, connected to the packet source category determining module and configured to process the data packet differentially according to the category of the packet source.
The data packet processing module is configured to determine the processing method for the data packet according to the category of the packet source, combined with the terminal's own attributes and the confidentiality of the service application.
The category information is carried in an IPv6 extension header.
The category information is carried in the Destination Options header of the IPv6 extension headers, and the first two bits of the Option Type of the Destination Options header are 00 or 01, indicating that a destination node that does not recognize this option either processes the rest of the data packet normally or discards the data packet.
The category information includes a source identifier type (SIDT) determined according to the terminal type and/or a trustworthiness (CG) determined according to the trustworthiness of the terminal, where the source identifier type includes: trusted intranet users, intranet group users, intranet Internet cafe users, trusted same-type network users outside the network, trusted heterogeneous network users outside the network, or untrusted network users outside the network.
To solve the above technical problem, the present invention further provides a data packet classification processing network, the network comprising:
a terminal configured to send and receive data packets, where the packet header of a received data packet carries category information indicating the category of the packet source, and to process the received data packet differentially according to the category information in the received data packet; and
an intermediate node, connected to the terminal through the network and configured to receive and forward data packets and, before forwarding, to add the category information of the packet source to the packet header of a received data packet according to the category of the packet source.
The intermediate node is an access device that implements the access of the terminal, and the network further includes an authentication server connected to the access device;
the server is configured to perform user identification and authentication on the terminal and, during the authentication process, to notify the access device where the terminal is located of the terminal's category; the access device is configured to add the corresponding category information to the packet header of data packets sent by the terminal according to the terminal category obtained from the authentication server.
The intermediate node is an interworking service node (ISN) between the network and an external network, the ISN comprising:
a receiving module configured to receive external network data packets sent by the external network to the data packet classification processing network;
a category information determining module, connected to the receiving module and configured to determine the category information of the source of the external network data packet within the data packet classification processing network;
a data packet conversion module, connected to the category information determining module and configured to convert the external network data packet into an intranet data packet, including adding category information to the packet header or modifying the original category information in the packet header according to the determined category information; and
a data packet forwarding module, connected to the data packet conversion module and configured to route and forward the intranet data packet converted by the data packet conversion module within the data packet classification processing network.
The receiving module of the ISN is further configured to receive intranet data packets sent by the data packet classification processing network to other networks;
the category information determining module of the ISN is further configured to determine, according to the trustworthiness of the external network, the category information of the source of the intranet data packet in the external network;
the data packet conversion module of the ISN is further configured to convert the intranet data packet into an external network data packet, including deleting or modifying the category information in the packet header according to the determined category information; the data packet forwarding module of the ISN is further configured to route and forward the external network data packet converted by the data packet conversion module to the external network.
The terminal is configured to process the received data packet differentially as follows: determining the processing method for the data packet according to the category of the packet source, combined with the terminal's own attributes and the confidentiality of the service application.
The category information is carried in an IPv6 extension header.
The category information is carried in the Destination Options header of the IPv6 extension headers, and the first two bits of the Option Type of the Destination Options header are 00 or 01, indicating that a destination node that does not recognize this option either processes the rest of the data packet normally or discards the data packet.
The category information includes a source identifier type (SIDT) determined according to the terminal type and/or a trustworthiness (CG) determined according to the trustworthiness of the terminal, where the source identifier type includes: trusted intranet users, intranet group users, intranet Internet cafe users, trusted same-type network users outside the network, trusted heterogeneous network users outside the network, or untrusted network users outside the network.
And/or the intra-domain identifier of the terminal.
The present invention uses category information carried in the packet header to indicate the category of the packet source, so that a terminal receiving the packet can distinguish, according to the category information in the packet header, users outside the network from users inside it and/or trusted users from untrusted users. The security of users and upper-layer services can thus be handled differentially by category, which satisfies the interconnection requirements of ordinary user services while also enabling P-network users to identify untrusted users and process them accordingly, thereby improving networking flexibility while also ensuring network security.
Brief description of the drawings
FIG. 1 is a schematic diagram of the method by which a terminal of the present invention classifies and processes data packets;
FIG. 2 is a schematic diagram of the method by which an access device of the present invention processes data packets;
FIG. 3 is a schematic diagram of the method by which an interworking service node of the present invention processes external network data packets;
FIG. 5 is a network architecture diagram in which the identity identifier and the location identifier are separated;
FIG. 6 is the processing flow by which the access service node ASN adds the source identification type;
FIG. 7 is the decision method by which the access device ASN sets the source identification type;
FIG. 8 is a flow chart of the interworking service node ISN processing inter-network packets;
FIG. 9 is the decision method by which the interworking service node ISN sets the source identification type of external network data packets;
FIG. 10 is a schematic diagram of the terminal processing data packets sent by other users according to the category information carried in the destination extension header.
Preferred Embodiments of the Invention
The main idea of the data packet classification processing method, network and terminal of the present invention is to use the header of a data packet to carry category information indicating the category of the packet's source, so that a terminal receiving the packet can process it differently according to that category information.
The present invention applies mainly to a network that has independent administrative authority and access-control devices at its boundary, such as an operator's network, an enterprise network or a single autonomous domain. Such a network has a clear boundary with other networks, and the boundary devices are responsible for adding or removing the category information described here. For convenience of description, such an independently administered network is referred to as the P network.
When the P network interworks with other networks such as the Internet, in-network users receive packets both from trusted in-network users and from untrusted users outside the network. For user security and for the needs of upper-layer services, P-network users must be able to recognise the different sources and/or trust levels of these packets. To distinguish them, new control measures are needed at the P-network boundary, i.e. at the access nodes and the interworking nodes, so that every packet entering the P network carries category information; a terminal device can then apply different handling to users of different sources or trust levels according to the category information carried in the packet.
As shown in Figure 1, the method for implementing data packet classification processing of the present invention is implemented on a data packet classification processing network (the P network) that classifies data packets. The method includes a procedure by which a terminal handles a received packet, comprising:
Step 101: the terminal receives a data packet whose header carries category information indicating the category of the packet's source;
Step 102: the terminal processes the packet differently according to the category information.
When the P-network terminal processes a received packet differently, it determines how to handle the packet from the packet source category together with the terminal's own attributes and the confidentiality of the service application. For example, a relatively confidential server-type terminal can refuse access from untrusted external-network users, avoiding leakage of confidential information. A politically sensitive BBS forum server can impose functional restrictions on Internet-cafe users, who are hard to trace, for example allowing them to browse forum content but not to publish new posts, thereby maintaining order on the forum and preventing malicious actors from using it to publish harmful information.
The category information described here is determined and added to the packet header by an intermediate node (such as an access device inside the P network, or the interworking service node between the P network and an external network) after the packet source has sent the original packet, according to the packet source; it comprises a source identification type and/or a credibility grade:
The source identification type is determined by the intermediate node according to the type of the packet source, and includes:
1. Trusted ordinary users inside the network
2. Group users inside the network
3. Internet-cafe users inside the network
When the P network interworks with an external network, in addition to the three types above, the packet source type information also includes:
4. Trusted users of a same-type network outside the network
5. Trusted users of a heterogeneous network outside the network (for example users authenticated by IPv6 source-address authentication)
6. Untrusted network users outside the network.
When a user inside the P network receives a packet from another user forwarded by an intermediate node, it can distinguish the packet's origin from the source identification type.
The credibility grade is determined by the intermediate node according to how trustworthy the packet source is, or its trust level. It can be divided into two grades (for example fully trusted and fully untrusted) or several grades, and the P-network user receiving the packet treats it differently according to the grade.
In addition, to allow the packet source to be traced back, the packet header may also carry a domain identifier, or a domain identifier together with an intra-domain user identifier; the domain here may be a group, an Internet cafe or a network.
The intermediate node here refers to an access device inside the network or an inter-network interworking service node; each is described below.
As shown in Figure 2, the method by which the access device processes a packet sent by the packet source comprises:
Step 201: the access device receives the original packet sent by the packet source;
Step 202: the access device processes the original packet, which includes adding to the packet header category information indicating the category of the packet source;
The packet source category is sent to the access device by the authentication server during the access-authentication procedure of the packet source.
The access device adds different category information for different source-terminal categories, such as trusted in-network users, in-network group users and in-network Internet-cafe users.
Step 203: the access device forwards the processed packet.
When the P network interworks with other same-type or heterogeneous networks, the interworking service node (ISN) processes the headers of cross-network packets, including packets sent to the external network and packets sent into the internal network. As shown in Figure 3, the method by which the ISN processes an external-network packet sent to the internal network comprises:
Step 301: the ISN receives an external-network packet sent by the external network to the internal network;
Step 302: the ISN determines, according to the origin of the packet, the category information of the packet source within the internal network, and converts the external-network packet into an internal-network packet, which includes adding category information to the header, or modifying existing category information in the header, according to the determined category information;
Step 303: the ISN routes and forwards the internal-network packet into the internal network.
As shown in Figure 4, the method by which the ISN processes a packet sent to the external network comprises:
Step 401: the ISN receives an internal-network packet sent by the internal network to the external network;
Step 402: the ISN converts the internal-network packet into an external-network packet, which includes modifying or deleting the category information in the packet header according to how trusted the external network is;
Step 403: the ISN routes and forwards the converted external-network packet to the external network.
The category information of the present invention is carried in the IPv4 or IPv6 packet header; specifically, it can be implemented by adding or defining a new header option in the IPv4 or IPv6 header. To change existing packet protocols as little as possible, the present invention preferably uses an IPv6 extension header to carry the category information.
To distinguish the origin of packets, the user's category information must be carried in the IPv6 packet. The current IPv6 protocol has no complete mechanism for carrying source-identification category information in a packet, so the category information cannot be encapsulated in an IPv6 packet as it stands. To let P-network users recognise what kind of user a received packet came from, the IPv6 protocol must be extended so that the packet carries the sender's category information.
The extension headers of existing IPv6 packets are described below:
The IPv6 protocol (RFC 2460) defines the IPv6 header shown in Table 1 for carrying additional Internet information:
Table 1 (IPv6 header as defined in RFC 2460)
  Version (4 bits) | Traffic Class (8 bits) | Flow Label (20 bits)
  Payload Length (16 bits) | Next Header (8 bits) | Hop Limit (8 bits)
  Source Address (128 bits)
  Destination Address (128 bits)
RFC 2460 provides that IPv6 extension headers may be inserted between the IPv6 header and the upper-layer protocol header. RFC 2460 defines six extension headers: the Hop-by-Hop Options header, the Routing header, the Fragment header, the Authentication header, the Encapsulating Security Payload (ESP) header and the Destination Options header.
RFC 2460 assigns a protocol number to each extension header, for example 0 for the Hop-by-Hop Options header and 60 for the Destination Options header. When an Internet application needs to use an IPv6 extension header to convey information, it simply sets the Next Header field of Table 1 to the corresponding protocol number. For example, to convey data in a Destination Options header, the Next Header field of Table 1 is set to 60.
Several IPv6 extension headers can coexist in a fixed order. As shown in Table 2, the IPv6 header is immediately followed by the Routing header, then the Destination Options header, and finally the TCP header.
Table 2
  IPv6 header | Routing header | Destination Options header | TCP header
Of the six extension headers defined for IPv6, the Destination Options header carries information that is examined only by the destination node. Its format is shown in Table 3:
Table 3
  Next Header (8 bits) | Hdr Ext Len (8 bits) | Options (variable length)
Next Header indicates the type of the following protocol header, and Hdr Ext Len gives the length of this Destination Options extension header in units of 8 bytes, not including the first one.
In RFC 2460 the Options field consists of an Option Type, an option data length (Opt Data Len) and the option data. The first three bits of the Option Type are specified: the first two bits define the action taken by a node processing the IPv6 packet when it does not recognise the option:
00 - skip this option and continue processing the header
01 - discard the packet
10 - discard the packet and send an ICMP message
11 - discard the packet and send an ICMP message when the destination address is not a multicast address
In addition, RFC 2460 specifies the third bit of the Option Type: it is set to 1 if the option data affects routing, and to 0 otherwise.
For the 8-bit Option Type, apart from the three leading bits only 5 bits are available, i.e. there are only 32 code points. The RFCs currently define one Destination Option for the Mobile IP protocol, the Home Address option, whose value is defined as 0xC9; its low 5 bits are 00111, occupying number 9.
The option length is in bytes and gives the actual length of the option data; in embodiments of the method it is generally set to 12.
Because the Destination Options header carries information examined only by the destination node, and the category information in the packets of the present invention is for use by the end user, the present invention preferably extends the Destination Options header.
The specific way in which the present invention uses the IPv6 Destination Options header to carry category information (source identification type and credibility grade) and traceability information (domain identifier and intra-domain user identifier) is described below, as shown in Table 4:
Table 4
  Next Header (1 byte) | Hdr Ext Len (1 byte) | Option Type (1 byte) | Opt Data Len (1 byte)
  Source ID Type (SIDT, 1 byte) | Credibility Grade (CG, 1 byte) | Domain Identification (DID, 48 bits)
  Domain User Identification (DUI, 32 bits)
In the table, Next Header and Hdr Ext Len have the same meanings as above and are not repeated here. The Destination Options header fields newly added or newly defined by the present invention are described below:
1. Option Type
The Option Type in the Destination Options header has 8 bits:
For the high 2 bits the present invention makes no special provision; they can be set by the node processing equipment as the situation requires. For example, where a high security level is required, as in a public-security network, they can be set to 01, so that a node processing the packet which does not recognise this data format discards the whole packet. For ordinary nodes they can be set to 00, so that a node which does not recognise the option still processes the whole packet normally, improving system compatibility and making the greatest use of existing equipment. The third bit is set to 1, because in the present invention intermediate nodes process this option and the option data affects routing.
For the low 5 bits, any of the 31 numbers other than 00111, the number of the Home Address option, can be used for the extension; for example, the low 5 bits may be 11111.
The newly extended option type thus has two candidate values:
00111111, i.e. 0x3F, meaning that the packet should be discarded when the destination node does not recognise this option.
01111111, i.e. 0x9F, meaning that the rest of the packet is still processed normally when the destination node does not recognise this option.
The present invention thus provides a method of carrying an identifier of the sender's category in an IPv6 packet. Because the packet carries the sender's category, the end user can easily tell whether a received packet was sent by a trusted or an untrusted node, and can therefore treat packets of different origins and trust levels differently. More precisely, the invention provides a method of carrying a classification of the user's source address in an extension header of the IPv6 packet header; it applies to networks that use IPv6 transport and need to distinguish the origin of packets.
2. Source identification type
One byte is allocated to the Source ID Type (SIDT); the values of the source identification types are defined as follows:
0x00  trusted ordinary user inside the network
0x01  group user inside the network
0x02  Internet-cafe user inside the network
0x03 ~ 0x0F  reserved
0x80  trusted same-type network user outside the network
0x81  trusted heterogeneous network user outside the network
0x82  untrusted network user outside the network
0x83 ~ 0x8F  reserved
3. Credibility grade
One byte is allocated to the Credibility Grade (CG). Credibility is divided into two grades, fully trusted and fully untrusted: if the source address is fully untrusted the field is set to 0, and if it is fully trusted it is set to 255.
4. Domain identifier
The Domain Identification (DID) carries information about the domain the packet source belongs to and is allocated 48 bits. Its role depends on the source identification type:
If the source identification type is a trusted ordinary user inside the network: the DID can represent the MAC address of the source, or carry no meaning; when it carries no meaning it is set to 0.
If the source identification type is a group user inside the network: the DID is the group number, valid within one operator; for example, China Telecom could treat Lenovo as a group user and assign it the 48-bit group number 0x0000 0000 F001.
If the source identification type is an Internet-cafe user inside the network: the DID is the Internet-cafe number, valid nationwide.
If the source identification type is a trusted P-network (same-type network) user outside the network: the DID identifies that same-type network.
If the source identification type is a trusted other-network (heterogeneous network) user outside the network: the DID identifies that heterogeneous network.
If the source identification type is an untrusted other-network user: the DID has no meaning.
5. Intra-domain user identifier
The Domain User Identification (DUI) gives the user's number within the domain and is allocated 32 bits. Its role depends on the source identification type:
If the source identification type is a trusted ordinary user inside the network: no meaning.
If the source identification type is a group user inside the network: the user's number within the group.
If the source identification type is an Internet-cafe user inside the network: the user's number within the Internet cafe.
If the source identification type is a trusted same-type network user outside the network: that network's own number for the user.
If the source identification type is a trusted heterogeneous network user outside the network: that network's own number for the user.
If the source identification type is an untrusted external network user: no meaning.
The relationship between source identification type, DID and DUI is shown in Table 5:
Table 5
  Source ID Type                                   | DID                                      | DUI
  0x00 trusted ordinary user inside the network    | source MAC address, or 0 (no meaning)    | no meaning
  0x01 group user inside the network               | group number (valid within one operator) | user number within the group
  0x02 Internet-cafe user inside the network       | Internet-cafe number (valid nationwide)  | user number within the cafe
  0x80 trusted same-type network user outside      | same-type network identifier             | that network's own user number
  0x81 trusted heterogeneous network user outside  | heterogeneous network identifier         | that network's own user number
  0x82 untrusted network user outside              | no meaning                               | no meaning
It is worth noting that the above is only an example. The way category information is represented in an actual network, the way source identification types and/or credibility grades are divided, and their arrangement need not strictly follow the description above; any arrangement in which a terminal in the P network receiving a packet can process it differently according to the category information falls within the scope of protection of the present invention.
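The following is an added example, not code from the patent or its assignee, that encodes and parses the Destination Options header defined in Table 4 and sections 1 to 5 above, and applies the RFC 2460 high-bit rule of section 1 when a node meets an Option Type it does not recognise. The Next Header value used in the sample (6, TCP) and the constant names are assumptions; every field width and code point comes from the text. It also serves steps 202 and 302, where the access device or ISN builds or rewrites this header.

```python
"""Builder and parser for the category-carrying IPv6 Destination Options header (Table 4).

Added example, not from the patent. Field widths follow sections 1-5 of the text:
Next Header (1) | Hdr Ext Len (1) | Option Type (1) | Opt Data Len (1) |
SIDT (1) | CG (1) | DID (6) | DUI (4)   -> 16 bytes in total, so Hdr Ext Len = 1.
"""
import struct

# The two candidate Option Type values named in the text.
OPT_TYPE_SKIP_IF_UNKNOWN = 0x3F     # high bits 00: an unaware node skips the option
OPT_TYPE_DISCARD_IF_UNKNOWN = 0x9F  # high bits 10: an unaware node discards the packet
OPT_DATA_LEN = 12                   # SIDT + CG + DID + DUI
HDR_TOTAL_LEN = 16

# Source ID Type (SIDT) code points from section 2.
SIDT_NAMES = {
    0x00: "in-network trusted ordinary user",
    0x01: "in-network group user",
    0x02: "in-network Internet-cafe user",
    0x80: "external trusted same-type network user",
    0x81: "external trusted heterogeneous network user",
    0x82: "external untrusted network user",
}


def build_dest_option(next_header, sidt, cg, did, dui,
                      option_type=OPT_TYPE_SKIP_IF_UNKNOWN):
    """Serialise one Destination Options header carrying the category option.

    The range checks mirror the field widths, so a caller cannot silently
    truncate a 48-bit DID or a 32-bit DUI on the way into the wire format.
    """
    if sidt not in SIDT_NAMES:
        raise ValueError("SIDT %#x is reserved or undefined" % sidt)
    if not 0 <= cg <= 0xFF or not 0 <= did < 1 << 48 or not 0 <= dui < 1 << 32:
        raise ValueError("field value out of range")
    hdr_ext_len = HDR_TOTAL_LEN // 8 - 1  # 8-byte units after the first unit
    return (struct.pack("!BBBBBB", next_header, hdr_ext_len, option_type,
                        OPT_DATA_LEN, sidt, cg)
            + did.to_bytes(6, "big")
            + struct.pack("!I", dui))


def unknown_option_action(option_type):
    """Action required by the two high bits of an Option Type the node does not know."""
    return ("skip", "discard", "discard+icmp",
            "discard+icmp-unless-multicast")[option_type >> 6]


def parse_dest_option(buf, known_types=(OPT_TYPE_SKIP_IF_UNKNOWN,
                                        OPT_TYPE_DISCARD_IF_UNKNOWN)):
    """Parse the header, validating every length before reading option data.

    For an Option Type the node does not recognise, only the action dictated by
    its high bits is returned; the option data is deliberately not interpreted.
    """
    if len(buf) < 2:
        raise ValueError("truncated: no Next Header / Hdr Ext Len")
    next_header, hdr_ext_len = buf[0], buf[1]
    total = (hdr_ext_len + 1) * 8
    if len(buf) < total:
        raise ValueError("truncated: Hdr Ext Len promises %d bytes" % total)
    option_type, opt_data_len = buf[2], buf[3]
    if option_type not in known_types:
        return {"action": unknown_option_action(option_type),
                "next_header": next_header}
    if opt_data_len != OPT_DATA_LEN or 4 + opt_data_len > total:
        raise ValueError("bad Opt Data Len %d" % opt_data_len)
    sidt, cg = buf[4], buf[5]
    did = int.from_bytes(buf[6:12], "big")
    (dui,) = struct.unpack("!I", buf[12:16])
    return {
        "action": "process",
        "next_header": next_header,
        "option_type": option_type,
        "sidt": sidt,
        "sidt_name": SIDT_NAMES.get(sidt, "reserved"),
        "cg": cg,
        "did": did,
        "dui": dui,
    }


if __name__ == "__main__":
    # Constructed sample matching Table 7: group user, group 0xA1, member 0x55667788.
    hdr = build_dest_option(6, 0x01, 255, 0x000000A1, 0x55667788)
    print(hdr.hex())
    print(parse_dest_option(hdr))
```

The parser checks Hdr Ext Len against the buffer before reading any option byte and refuses an Opt Data Len other than 12, so a malformed or truncated header raises rather than yielding a partly filled record; a terminal that then decided on the category fields of such a record would be trusting data the header never carried.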
Based on the definitions above, examples of the Destination Options header in various cases are given below in the form of application examples:
Application example 1
Table 6 below is the Destination Options header of a packet received by a P-network terminal from an ordinary user inside the network:
Table 6
  Next Header | Hdr Ext Len=1 | Option Type=0x3F | Opt Data Len=12
  Source-ID Type=0 | Credibility Grade (CG)=255 | Domain Identification (DID)=0
  Domain User Identification (DUI)=0
Where:
Hdr Ext Len=1 means the option is followed by one 8-byte unit; this length is essentially fixed.
Option Type=0x3F means that if the destination node does not recognise this option, the packet can be processed normally.
Opt Data Len=12 means the option data is 12 bytes long.
Source-ID Type=0 means the packet was sent by an ordinary user inside the network.
CG=255 means this user is fully trusted.
DID=0 means the DID is unused, i.e. the DID field has no meaning.
DUI=0 means the DUI is unused, i.e. the DUI field has no meaning.
Application example 2
Table 7 below shows the Destination Options header of a packet received by a P-network terminal from a group user inside the network:
Table 7
  Next Header | Hdr Ext Len=1 | Option Type=0x3F | Opt Data Len=12
  Source-ID Type=1 | Credibility Grade (CG)=255 | Domain Identification (DID)=0x000000A1
  Domain User Identification (DUI)=0x55667788
Where:
Hdr Ext Len=1 means the option is followed by one 8-byte unit; this length is essentially fixed.
Option Type=0x3F means that if the destination node does not recognise this option, the packet can be processed normally.
Opt Data Len=12 means the option data is 12 bytes long.
Source-ID Type=1 means the packet was sent by a group user inside the network.
CG=255 means this user is fully trusted.
DID=0x000000A1 means the user who sent this packet belongs to the group with group number 101.
DUI=0x55667788 means the user who sent this packet has user number 0x55667788 within the group.
Application example 3
Table 8 below shows the Destination Options header of a packet received by a P-network terminal from an Internet-cafe user inside the network:
Table 8
  Next Header | Hdr Ext Len=1 | Option Type=0x3F | Opt Data Len=12
  Source-ID Type=2 | Credibility Grade (CG)=1 | Domain Identification (DID)=0x99F8AABBCCDD
  Domain User Identification (DUI)=0x00000005
Where:
Hdr Ext Len=1 means the option is followed by one 8-byte unit; this length is essentially fixed.
Option Type=0x3F means that if the destination node does not recognise this option, the packet can be processed normally.
Opt Data Len=12 means the option data is 12 bytes long.
Source-ID Type=2 means the packet was sent by an Internet-cafe user inside the network.
CG=1 means this user is not very trustworthy, close to untrusted.
DID=0x99F8AABBCCDD means the user who sent this packet belongs to the Internet cafe with cafe number 0x99F8AABBCCDD.
DUI=0x00000005 means the user who sent this packet has user number 5 within the Internet cafe.
Application example 4
Table 9 below shows the Destination Options header of a packet received by a P-network terminal from a trusted same-type network user outside the network:
Table 9
  Next Header | Hdr Ext Len=1 | Option Type=0x9F | Opt Data Len=12
  Source-ID Type=0x80 | Credibility Grade (CG)=10 | Domain Identification (DID)=0xA0
  Domain User Identification (DUI)=0x11
Where:
Hdr Ext Len=1 means the option is followed by one 8-byte unit; this length is essentially fixed.
Option Type=0x9F means that if the destination node does not recognise this option, the packet should be discarded.
Opt Data Len=12 means the option data is 12 bytes long.
Source-ID Type=0x80 means the packet was sent by a trusted same-type network user outside the network.
CG=10 means this user is trusted, but the trust level is not high.
DID=0xA0 means the user who sent this packet comes from the external trusted network numbered 100; the DID numbering is specific to the individual P network and does not require globally unified numbering.
DUI=0x11 means the user who sent this packet is user number 17 within the trusted external network.
Application example 5
Table 10 below shows the Destination Options header of a packet received by a P-network terminal from a trusted heterogeneous network user outside the network:
Table 10
  Next Header | Hdr Ext Len=1 | Option Type=0x9F | Opt Data Len=12
  Source-ID Type=0x81 | Credibility Grade (CG)=30 | Domain Identification (DID)=3
  Domain User Identification (DUI)=0x1234
Where:
Hdr Ext Len=1 means the option is followed by one 8-byte unit; this length is essentially fixed.
Option Type=0x9F means that if the destination node does not recognise this option, the packet should be discarded.
Opt Data Len=12 means the option data is 12 bytes long.
Source-ID Type=0x81 means the packet was sent by a trusted heterogeneous network user outside the network.
CG=30 gives the credibility grade of this user.
DID=3 means the user who sent this packet comes from the external trusted heterogeneous network numbered 3; the DID is a number assigned by the P network itself and does not require globally unified numbering.
DUI=0x1234 means the user who sent this packet is user number 0x1234 within the trusted external network.
Application example 6
Table 11 below shows the Destination Options header of a packet received by a P-network terminal from an untrusted network user outside the network:
Table 11
  Next Header | Hdr Ext Len=1 | Option Type=0x9F | Opt Data Len=12
  Source-ID Type=0x82 | Credibility Grade (CG)=0 | Domain Identification (DID)=0
  Domain User Identification (DUI)=0
Where:
Hdr Ext Len=1 means the option is followed by one 8-byte unit; this length is essentially fixed.
Option Type=0x9F means that if the destination node does not recognise this option, the packet should be discarded.
Opt Data Len=12 means the option data is 12 bytes long.
Source-ID Type=0x82 means the packet was sent by an untrusted network user outside the network.
CG=0 means this user is fully untrusted.
DID=0 means the DID is unused.
DUI=0 means the DUI is unused.
The method of the present invention can be implemented on the Internet or on an identity and location separation network (SILSN). In the following, a SILSN is taken as the basis for implementing the P network, and specific embodiments of the present invention are described in detail with reference to the accompanying drawings.
Figure 5 shows a network architecture in which identity identifiers and location identifiers are separated. The network comprises Access Service Nodes (ASN), User Equipment (UE), an Identification & Location Register (ILR), an authentication server, an Interworking Service Node (ISN) and so on. The ASN attaches user terminals, is responsible for their access, and also handles charging and handover; the ILR handles location registration of users; the authentication server handles user identification and authentication; and the ISN interconnects users of this network with users of external networks. Every user terminal has a unique identity identifier, the Access Identification (AID).
For convenience of description, this identity and location separation network is referred to below as the P1 network. UE1 and UE3 are users inside the P1 network and UE2 is an external network user; UE3 can receive data packets both from UE1 inside the P1 network and from UE2 in the external network. The present invention helps the intranet user UE3 to distinguish these packets of different origin and different trust level and to process them separately.
In Figure 5, ASN1 and ASN2 are access devices that attach the user terminals UE1 and UE3, which have the unique identity identifiers AID1 and AID3 respectively. ISN1 processes data packets from users outside the network, such as UE2, and performs format conversion on packets crossing the boundary of the P1 network.
ASN processing
Figure 6 shows the procedure by which the ASN of the P1 network adds the source identification type to packets sent by intranet users:
When a user terminal UE accesses the network, it is first authenticated with the authentication server via the ASN; once authentication succeeds, the authentication server returns the user's source identification type. The ASN stores this source identification type and, when the user subsequently sends data packets, adds the corresponding IPv6 destination extension header option to the packets the user sends.
Step 601: the user terminal UE sends an access request to the ASN;
Step 602: the ASN initiates the authentication procedure for the UE with the authentication server;
Steps 601 and 602 may involve several message exchanges for mutual authentication.
Step 603: when authentication succeeds, the authentication server returns the user's source identification type to the ASN;
Step 604: the ASN stores the user's source identification type for later checks;
Step 605: the ASN notifies the UE that authentication has succeeded and access is allowed;
Step 606: the UE starts sending data packets;
Step 607: the ASN adds the corresponding source identification type extension to the IPv6 packets sent by the UE.
Among the above steps, 603, 604 and 607 are the key steps for implementing the source identification type check.
Figure 7 shows how the ASN of the P1 network distinguishes ordinary users, group users and Internet cafe users inside the network and adds a different destination extension header option to the IPv6 header of the packets sent by each kind of user; this figure is a refinement of step 607:
701: the ASN receives a data packet from an intranet user, extracts the source identifier from it, and looks up the source identification type corresponding to that source identifier;
This source identification type was obtained by the ASN from the authentication server.
702-703: if the packet comes from an ordinary user inside the network, the source identification type (SIDT) is set to 0;
704-705: if the packet comes from a group user inside the network, the source identification type (SIDT) is set to 1;
706-707: if the packet comes from an Internet cafe user inside the network, the source identification type (SIDT) is set to 2;
708-709: if the packet comes from another type of user, the source identification type (SIDT) is set to XXX (a type not defined by the present invention);
710: the packet is forwarded to the next hop toward its destination.
ISN processing
Figure 8 is a schematic diagram of how the ISN of the P1 network processes packets originating from the external network and from the intranet. In the present invention the ISN does the following:
1. It distinguishes the source of data packets arriving from the external network and marks trusted external users of a P network of the same kind, trusted users of heterogeneous external networks, and untrusted external users with different destination extension header options.
2. For some packets sent by intranet users to external users, it also modifies or removes the IPv6 destination extension header option according to the trust status of the external network.
Step 801: an external network user sends a data packet to the ISN;
Step 802: according to the packet's origin, the ISN determines whether the packet source is a trusted user of a network of the same kind, a trusted user of a heterogeneous network, or a user of some other, untrusted network, and in each case adds or modifies the corresponding destination extension header option in the packet;
Step 803: the ISN sends the converted packet to the ASN, which forwards it to the actual intranet user;
Step 804: an intranet user sends a data packet addressed to the external network, and the packet reaches the ISN;
Step 805: according to the trust status of the network in which the destination address lies, the ISN either modifies the destination extension header option (for a trusted network of the same kind or a trusted heterogeneous network) or removes it (for an untrusted network);
Step 806: the ISN sends the converted packet to the external network.
For example:
For packets sent by intranet users to a trusted network of the same kind, the source identification type is changed to 0x80, the DID is set to this network's network number, and the DUI is set to 0.
For packets sent by intranet users to a trusted heterogeneous network, the source identification type is changed to 0x81, the DID is set to this network's network number, and the DUI is set to 0.
For packets sent by intranet users to an untrusted external network, the source identification extension in the IPv6 destination extension header is removed.
Figure 9 is a detailed flowchart of the ISN's handling of packets from the external network. After receiving a packet from the external network, the ISN determines whether the source network is a trusted P network, a trusted heterogeneous network or an untrusted network, and sets the source identification type of packets from these sources to 0x80, 0x81 and 0x82 respectively:
901: the ISN receives a data packet from an external network user and, according to the attributes of the source network, starts the procedure for adding the source identification;
902-903: if the packet comes from a trusted external network user of the same kind, the source identification type is set to 0x80;
904-905: if the packet comes from a trusted heterogeneous network user, the source identification type is set to 0x81;
906-907: if the packet comes from a user of an untrusted network, the source identification type is set to 0x82;
908-909: if the packet comes from another kind of user not defined by the present invention, the source identification type is set to the reserved value XX;
910: the packet is forwarded to the next hop toward its destination.
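The header manipulation that the ASN procedure (Figures 6 and 7, steps 603 to 607 and 701 to 710) and the ISN procedure (Figures 8 and 9, steps 801 to 806 and 901 to 910) describe, written out as an added Python example that is not part of the patent or of any ZTE implementation. Assumptions: the 12 option-data bytes are laid out as SIDT (1 byte), CG (1 byte), DID (2 bytes) and DUI (8 bytes), which is inferred from Table 11 but not stated by the text; intranet users get CG, DID and DUI of 0; the authentication result is modelled as a dictionary from AID to SIDT; the ISN's knowledge of external networks is modelled as a table from network number to a trust class and CG; a network missing from that table is treated as untrusted rather than given the reserved value XX; and the sample packet is constructed. One point the figures leave implicit is made explicit here: the ISN discards any Source-ID option that arrived from outside before adding its own, otherwise an external host could simply send a packet already carrying SIDT=1.

```python
import struct

IPV6_HDR_LEN = 40
NH_DEST_OPTS = 60          # Next Header value of the IPv6 Destination Options header
OPT_TYPE_SOURCE_ID = 0x9F  # high bits 10: unknown at the receiver -> discard + ICMP Parameter Problem
OPT_DATA_LEN = 12
EXT_LEN = 16               # Hdr Ext Len = 1: one 8-octet unit beyond the first 8 octets

# Source-ID Type (SIDT) values used in Figures 7 and 9
SIDT_ORDINARY, SIDT_GROUP, SIDT_CAFE = 0x00, 0x01, 0x02
SIDT_EXT_PEER, SIDT_EXT_HETERO, SIDT_EXT_UNTRUSTED = 0x80, 0x81, 0x82


def build_ext_header(next_header, sidt, cg, did, dui):
    """16-byte Destination Options header carrying one Source-ID option.
    Field widths (SIDT 1, CG 1, DID 2, DUI 8 bytes) are an assumption inferred from Table 11."""
    data = struct.pack("!BBHQ", sidt, cg, did, dui)
    return struct.pack("!BBBB", next_header, 1, OPT_TYPE_SOURCE_ID, OPT_DATA_LEN) + data


def parse_ext_header(ext):
    nh, hel, otype, olen = struct.unpack("!BBBB", ext[:4])
    if hel != 1 or otype != OPT_TYPE_SOURCE_ID or olen != OPT_DATA_LEN:
        raise ValueError("not a Source-ID destination option")
    sidt, cg, did, dui = struct.unpack("!BBHQ", ext[4:EXT_LEN])
    return {"next_header": nh, "sidt": sidt, "cg": cg, "did": did, "dui": dui}


def find_source_id(pkt):
    """Source-ID fields when the packet's first extension header carries them, else None."""
    if len(pkt) < IPV6_HDR_LEN + EXT_LEN or pkt[6] != NH_DEST_OPTS:
        return None
    try:
        return parse_ext_header(pkt[IPV6_HDR_LEN:IPV6_HDR_LEN + EXT_LEN])
    except ValueError:
        return None


def insert_source_id(pkt, sidt, cg, did, dui):
    """Splice the option in directly after the base IPv6 header (ASN step 607, ISN step 802)."""
    hdr = bytearray(pkt[:IPV6_HDR_LEN])
    ext = build_ext_header(hdr[6], sidt, cg, did, dui)   # old Next Header moves into the option header
    hdr[4:6] = struct.pack("!H", struct.unpack("!H", hdr[4:6])[0] + EXT_LEN)  # Payload Length
    hdr[6] = NH_DEST_OPTS
    return bytes(hdr) + ext + pkt[IPV6_HDR_LEN:]


def strip_source_id(pkt):
    """Remove the option again (ISN step 805 toward an untrusted network)."""
    fields = find_source_id(pkt)
    if fields is None:
        return pkt
    hdr = bytearray(pkt[:IPV6_HDR_LEN])
    hdr[4:6] = struct.pack("!H", struct.unpack("!H", hdr[4:6])[0] - EXT_LEN)
    hdr[6] = fields["next_header"]
    return bytes(hdr) + pkt[IPV6_HDR_LEN + EXT_LEN:]


def asn_tag(pkt, src_aid, sidt_by_aid):
    """Figure 7: the SIDT comes from the table the ASN filled at steps 603/604. An AID that never
    authenticated has no entry and is refused. CG/DID/DUI of 0 for intranet users is an assumption."""
    if src_aid not in sidt_by_aid:
        raise PermissionError("source AID %r not authenticated" % (src_aid,))
    return insert_source_id(pkt, sidt_by_aid[src_aid], 0, 0, 0)


def isn_tag_ingress(pkt, src_net, src_user, trust_table):
    """Figure 9: classify by the trust class of the source network (assumed table shape:
    net -> (class, cg)). Any option the outside sender put in is thrown away first, so the
    receiver only ever sees values the ISN chose. Unknown networks fail closed as untrusted."""
    klass, cg = trust_table.get(src_net, ("untrusted", 0))
    clean = strip_source_id(pkt)
    if klass == "peer":
        return insert_source_id(clean, SIDT_EXT_PEER, cg, src_net, src_user)
    if klass == "hetero":
        return insert_source_id(clean, SIDT_EXT_HETERO, cg, src_net, src_user)
    return insert_source_id(clean, SIDT_EXT_UNTRUSTED, 0, 0, 0)   # all fields zeroed, as in Table 11


def isn_rewrite_egress(pkt, dst_net, own_net, trust_table):
    """Step 805: toward a trusted network set SIDT 0x80/0x81, DID = own network number, DUI = 0;
    toward an untrusted network strip the option. Carrying the original CG over is an assumption."""
    fields = find_source_id(pkt)
    if fields is None:
        return pkt
    klass, _ = trust_table.get(dst_net, ("untrusted", 0))
    if klass == "untrusted":
        return strip_source_id(pkt)
    sidt = SIDT_EXT_PEER if klass == "peer" else SIDT_EXT_HETERO
    return insert_source_id(strip_source_id(pkt), sidt, fields["cg"], own_net, 0)


def make_ipv6_packet(payload=b"hello", next_header=17):
    """Constructed sample packet: version 6, unspecified addresses, UDP as the upper layer."""
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + bytes(32) + payload
```

The Payload Length and Next Header fields of the base header are adjusted on every insert and strip, so the result stays a well-formed IPv6 packet; a real ASN or ISN would additionally have to recompute any upper-layer checksum that covers the payload length, which this example does not touch.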
Figure 10 shows a specific application scenario of the present invention: an example of how a P1 network user classifies and processes received packets according to their category information. Because the P1 network has already classified packet sources in detail, a user inside the P1 network knows clearly which packets come from external users and which from intranet users, which packets are trusted and how trusted they are, and can then apply classified processing to its services on the basis of this category information:
After the source address type has been verified and distinguished by the above method, a user terminal in the P network that receives packets carrying the above kinds of identifiers can process them according to the source identification type. For example, a relatively confidential server-type terminal can refuse access from users whose source identification type is 0x82 (untrusted external users) to avoid leaking confidential information. In addition, a politically sensitive BBS forum server can restrict the functions available to Internet cafe users, who are hard to trace back: for example, they may browse forum content but may not post new messages, which preserves order on the forum and prevents criminals from using it to publish malicious information.
Step 1001: a P1 network user receives a data packet and, based on the user's own attributes and the confidentiality of the service application, analyses which kinds of users the service allows; steps 1002 to 1004 are examples of corresponding policy implementations:
Step 1002: when the local user belongs to a confidential private network such as the public security network, the local user can be restricted from processing any packets from external users, so that only packets with source identification type 0, 1 and so on are accepted; when the local user is a group user, only packets with source identification type 1 are received, and packets from Internet cafe users (2) and from external users (0x80 to 0x82) are blocked;
Step 1003: when the local user is a server of a group user, only packets with source identification type 1 (group users) may be accepted, and packets from other sources are rejected;
Step 1004: when the local user is a politically sensitive BBS server, Internet cafe users and external users are only allowed to browse BBS information and are not allowed to modify or publish it, so as to avoid attacks from external users.
It should be noted that although the above embodiments use the P1 identity and location separation network as an example, the method also applies to other IPv6-based networks, and other methods that use the IPv6 extension header provided by this method to distinguish packet sources are also within the scope of protection of the present invention.
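The receiver-side policy of steps 1002 to 1004, as an added Python example that is not part of the patent. It operates on the SIDT value already extracted from the destination option (the extraction itself is not repeated here). The role names, the "browse" and "post" action names, and the choice to let ordinary and group users use the BBS fully are assumptions for illustration; the text only states which users are restricted. Two cases the steps do not spell out are handled explicitly: a packet with no option at all, and a packet carrying a reserved or otherwise unknown SIDT, are both refused rather than being mistaken for an intranet user.

```python
SIDT_ORDINARY, SIDT_GROUP, SIDT_CAFE = 0x00, 0x01, 0x02
SIDT_EXT_PEER, SIDT_EXT_HETERO, SIDT_EXT_UNTRUSTED = 0x80, 0x81, 0x82
EXTERNAL = {SIDT_EXT_PEER, SIDT_EXT_HETERO, SIDT_EXT_UNTRUSTED}

# Terminal role -> (SIDTs allowed for every action, SIDTs allowed only for read-only actions).
# Role and action names are assumptions, not terms from the patent.
POLICY = {
    "confidential_private_net": ({SIDT_ORDINARY, SIDT_GROUP}, set()),                # step 1002
    "group_user":               ({SIDT_GROUP}, set()),                               # step 1002
    "group_server":             ({SIDT_GROUP}, set()),                               # step 1003
    "bbs_server":               ({SIDT_ORDINARY, SIDT_GROUP}, {SIDT_CAFE} | EXTERNAL),  # step 1004
}
READ_ONLY_ACTIONS = {"browse"}


def decide(role, sidt, action):
    """Return 'allow' or 'deny' for one request. sidt is None when the packet carried no
    Source-ID option; absent, reserved (XX) and unknown values all fall through to deny."""
    full, read_only = POLICY[role]
    if sidt is None:
        return "deny"
    if sidt in full:
        return "allow"
    if sidt in read_only and action in READ_ONLY_ACTIONS:
        return "allow"
    return "deny"
```

This policy is only as strong as the tagging in front of it: the terminal trusts the SIDT because step 802 has the ISN replace whatever option an external packet arrived with, and step 607 has the ASN tag every intranet packet. Any ingress path that bypasses the ISN, or an ASN that forwards untagged packets, lets an outside host choose its own SIDT, so deployments should also drop packets that reach a terminal without the option.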
It should also be noted that the above embodiments based on the P1 network mainly describe the addition and modification of the source identification type (SIDT) category information; the credibility grade (CG), and the domain identifier (DID) and intra-domain user identifier (DUI) used for tracing back, have not been described in detail above. It will be appreciated that replacing the SIDT with the CG, or adding the CG and/or the DID and DUI used for tracing back, are alternative implementations of the present invention and do not affect its scope of protection.
To implement the above method, the present invention also provides a network for classified processing of data packets, the network comprising:
a terminal, for sending and receiving data packets, where the header of a received data packet carries category information indicating the category of the packet source, and for processing received data packets differently according to the category information in them;
when the terminal processes a received data packet differently, it determines how to handle the packet according to the packet source category combined with the terminal's own attributes and the confidentiality of the service application;
an intermediate node, connected to the terminal through the network, for receiving and forwarding data packets and, before forwarding, for adding the category information of the packet source to the header of a received packet according to the category of the packet source.
The intermediate node may be an access device through which the terminal accesses the network, or an interworking service node (ISN) between the network and an external network.
When the intermediate node is an access device, the network further comprises an authentication server connected to the access device. The authentication server identifies and authenticates the user of a terminal and, during the authentication procedure, notifies the access device serving that terminal of the terminal's category; the access device adds the corresponding category information to the header of packets sent by the terminal according to the terminal category obtained from the authentication server.
When the intermediate node is an interworking service node (ISN) between the network and an external network, the ISN comprises:
a receiving module, for receiving external network data packets sent by the external network to the packet classification processing network, and for receiving intranet data packets sent by the packet classification processing network to other networks;
a category information determination module, connected to the receiving module, for determining the category information, within the packet classification processing network, of the source of an external network data packet, and for determining, according to the trust status of the external network, the category information in the external network of the source of an intranet data packet;
a packet conversion module, connected to the category information determination module, for converting an external network data packet into an intranet data packet, which includes adding category information to the packet header or modifying the existing category information in the header according to the determined category information, and for converting an intranet data packet into an external network data packet, which includes deleting or modifying the category information in the header according to the determined category information;
a packet forwarding module, connected to the packet conversion module, for routing and forwarding the intranet data packets produced by the packet conversion module within the packet classification processing network, and for routing and forwarding the external network data packets produced by the packet conversion module to the external network.
The category information is carried in an IPv6 extension header; preferably it is carried in the Destination Options header of the IPv6 extension headers, where the first two bits of the Option Type are 00 or 01, meaning respectively that a destination node that does not recognize the option processes the rest of the packet normally, or discards the packet. (Note that the Option Type 0x9F used in the application examples has high-order bits 10, which also discards the packet but in addition sends an ICMP Parameter Problem message to the source.)
The category information comprises a source identification type (SIDT) determined according to the terminal type and/or a credibility grade (CG) determined according to the trustworthiness of the terminal, where the source identification type comprises at least one of: trusted user inside the network, group user inside the network, Internet cafe user inside the network, trusted user of an external network of the same kind, trusted user of a heterogeneous external network, and untrusted external network user. The packet header may further comprise a domain identifier (DID) determined according to the domain in which the terminal is located and/or the terminal's intra-domain identifier.
The present invention also provides a terminal whose functions are the same as described above and are not repeated here.
Although preferred embodiments of the present invention have been disclosed for the purpose of illustration, those skilled in the art will appreciate that various modifications, additions and substitutions are possible; the scope of the invention is therefore not limited to the embodiments described above.
Those of ordinary skill in the art will understand that all or some of the steps of the above method may be performed by a program instructing the relevant hardware, and that the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Alternatively, all or some of the steps of the above embodiments may be implemented using one or more integrated circuits. Accordingly, each module or unit in the above embodiments may be implemented in hardware or as a software functional module. The present invention is not limited to any particular combination of hardware and software.
Industrial applicability
The present invention uses category information, carried in the packet header, that indicates the category of the packet source, so that a terminal receiving the packet can distinguish external users from intranet users and/or trusted users from untrusted users according to the category information in the header. The security of users and of upper-layer services can then be handled differently by category, which satisfies the interconnection needs of ordinary user services while also allowing P network users to recognise untrusted users and handle them accordingly; networking flexibility is improved and network security is well protected at the same time. For example, a highly confidential service may admit only trusted users, while a service with a low security level may appropriately admit users of lower trust levels, such as external network users.

Claims
1. A method for implementing classified processing of data packets, characterised in that the method is implemented on a network that performs classified processing of data packets and comprises processing of a received data packet by a terminal, the processing comprising:
the terminal receiving a data packet, the header of which carries category information indicating the category of the packet source; and
the terminal processing the data packet differently according to the category information.
2. The method of claim 1, wherein the category information in the header of the data packet is determined by an intermediate node according to the category of the packet source and added to the header by that node.
3. The method of claim 2, wherein the intermediate node is an access device responsible for the access of the packet source, and the method further comprises processing, by the access device, of the original data packet sent by the packet source, the processing comprising:
the access device receiving the original data packet sent by the packet source;
the access device processing the original data packet, including adding to its header category information indicating the category of the packet source; and
the access device forwarding the processed data packet;
wherein the packet source category is sent to the access device by an authentication server during the access authentication procedure of the packet source.
4. The method of claim 2, wherein, when the packet classification processing network interworks with an external network, the intermediate node is an interworking service node (ISN) connecting the packet classification processing network with the external network, and the method further comprises processing, by the interworking service node, of external network data packets, the processing comprising:
the ISN receiving an external network data packet sent by the external network to the packet classification processing network;
the ISN determining, according to the origin of the data packet, the category information of the packet source within the packet classification processing network, and converting the external network data packet into an intranet data packet, including adding category information to the header or modifying the existing category information in the header according to the determined category information; and
the ISN routing and forwarding the converted intranet data packet within the intranet.
5. The method of claim 4, further comprising processing, by the ISN, of intranet data packets, the processing comprising:
the ISN receiving an intranet data packet sent by the packet classification processing network to the external network;
the ISN converting the intranet data packet into an external network data packet, including modifying or deleting the category information in the packet header according to the trust status of the external network; and
the ISN routing and forwarding the converted external network data packet within the packet classification processing network.
6. The method of any one of claims 1 to 5, wherein the step of the terminal processing the received data packet differently comprises: determining how to handle the data packet according to the packet source category combined with the terminal's own attributes and the confidentiality of the service application.
7. The method of any one of claims 1 to 5, wherein the packet classification processing network is the Internet or an identity and location separation network (SILSN).
8. The method of any one of claims 1 to 5, wherein the category information is carried in an IPv6 extension header.
9. The method of any one of claims 1 to 5, wherein the category information is carried in the Destination Options header of the IPv6 extension headers, and the first two bits of the Option Type of the Destination Options header are 00 or 01, indicating respectively that a destination node that does not recognize the option processes the rest of the packet normally, or discards the packet.
10. The method of any one of claims 1 to 5, wherein the category information comprises a source identification type (SIDT) determined according to the terminal type and/or a credibility grade (CG) determined according to the trustworthiness of the terminal, where the source identification type comprises: trusted user inside the network, group user inside the network, Internet cafe user inside the network, trusted user of an external network of the same kind, trusted user of a heterogeneous external network, or untrusted external network user.
11. The method of claim 10, wherein the header of the data packet further comprises a domain identifier (DID) determined according to the domain in which the terminal is located and/or an intra-domain identifier of the terminal.
12. A terminal, characterised in that the terminal is implemented on a communication network and comprises:
a receiving module, configured to receive a data packet, the header of which carries category information indicating the category of the packet source;
a packet source category determination module, connected to the receiving module and configured to determine the packet source category according to the category information in the data packet; and
a packet processing module, connected to the packet source category determination module and configured to process the data packet differently according to the packet source category.
13. The terminal of claim 12, wherein the packet processing module is configured to determine how to handle the data packet according to the packet source category combined with the terminal's own attributes and the confidentiality of the service application.
14. The terminal of claim 12, wherein the category information is carried in an IPv6 extension header.
15. The terminal of claim 12, wherein the category information is carried in the Destination Options header of the IPv6 extension headers, and the first two bits of the Option Type of the Destination Options header are 00 or 01, indicating respectively that a destination node that does not recognize the option processes the rest of the packet normally, or discards the packet.
16. The terminal of claim 12, wherein the category information comprises a source identification type (SIDT) determined according to the terminal type and/or a credibility grade (CG) determined according to the trustworthiness of the terminal, where the source identification type comprises: trusted user inside the network, group user inside the network, Internet cafe user inside the network, trusted user of an external network of the same kind, trusted user of a heterogeneous external network, or untrusted external network user.
17、 一种数据>¾文分类处理的网络, 所述网络包括: 17. A network >3⁄4 text classification processing network, the network comprising:
终端, 其设置为: 收发数据报文, 其中接收的数据报文的报文头中携带 表示报文源端类别的类别信息; 以及根据接收的数据报文中的类别信息对接 收的数据报文进行区别处理; 以及 The terminal is configured to: send and receive data packets, where the received data packets are carried in the packet header And indicating category information of the source category of the packet; and distinguishing the received data packet according to the category information in the received data packet;
中间节点, 通过网络与所述终端连接, 其设置为: 接收并转发数据报文, 以及在转发前根据报文源端的类别在接收的数据报文的报文头中加入所述报 文源端的类别信息。  The intermediate node is connected to the terminal through the network, and is configured to: receive and forward the data packet, and add the source of the packet to the packet header of the received data packet according to the category of the source of the packet before forwarding. Category information.
18、 如权利要求 17所述的网络, 其中, 所述中间节点是实现所述终端接 入的接入设备, 所述网络还包括与所述接入设备连接的认证服务器; The network of claim 17, wherein the intermediate node is an access device that implements the terminal access, and the network further includes an authentication server that is connected to the access device;
所述服务器设置为: 对终端进行用户身份识别及认证, 以及在认证过程 中将终端的类别通知所述终端所在的接入设备;  The server is configured to: perform user identification and authentication on the terminal, and notify the access device where the terminal is located in the authentication process;
所述接入设备是设置为根据从认证服务器获取的终端类别在该终端发送 的数据报文的报文头中增加所述对应的类别信息。  The access device is configured to add the corresponding category information to a packet header of a data packet sent by the terminal according to a terminal category acquired from the authentication server.
19、 如权利要求 17所述的网络, 其中, 所述中间节点是所述网络与外网 之间的互通服务节点 (ISN ) , 所述 ISN包括: The network of claim 17, wherein the intermediate node is an interworking service node (ISN) between the network and an external network, and the ISN includes:
接收模块, 其设置为: 接收外网发送给数据报文分类处理网络的外网数 据报文;  a receiving module, configured to: receive an external network data packet sent by the external network to the data packet classification processing network;
类别信息确定模块, 与所述接收模块连接, 其设置为: 确定外网数据报 文的报文源端在所述数据报文分类处理网络的类别信息;  a category information determining module, configured to be connected to the receiving module, configured to: determine, according to the category information of the data packet classification processing network of the source end of the external network data message;
数据报文转换模块, 与所述类别信息确定模块连接, 其设置为: 将所述 外网数据报文转换为的内网数据报文, 包括根据确定的类别信息在报文头中 增加类别信息或修改报文头中的原有类别信息; 以及  The data packet conversion module is connected to the category information determining module, and is configured to: convert the external network data packet into an intranet data packet, and include adding category information to the packet header according to the determined category information. Or modify the original category information in the header of the message;
数据报文转发模块, 与所述数据报文转换模块连接, 其设置为: 将所述 数据报文转换模块转换后的内网数据报文在所述数据报文分类处理网络内路 由转发。  The data packet forwarding module is connected to the data packet conversion module, and is configured to: forward the intranet data packet converted by the data packet conversion module in the data packet classification processing network.
20、 如权利要求 19所述的网络, 其特征在于: 20. The network of claim 19, wherein:
所述 ISN的接收模块, 还设置为: 接收数据报文分类处理网络发送给其 他网络的内网数据报文;  The receiving module of the ISN is further configured to: receive an intranet data packet sent by the network packet classification processing network to another network;
所述 ISN的类别信息确定模块还设置为: 根据外网的可信任情况, 确定 所述内网数据报文的报文源端在所述外网的类别信息; The category information determining module of the ISN is further configured to: determine according to the trust situation of the external network The source information of the packet of the intranet data packet in the external network;
所述 ISN的数据报文转换模块还设置为: 将所述内网数据报文转换为外 网数据报文, 包括根据确定的类别信息删除或修改报文头中的类别信息; 所述 ISN的数据报文转发模块还设置为: 将所述数据报文转换模块转换 后的外网数据报文向所述外网路由转发。  The data packet conversion module of the ISN is further configured to: convert the intranet data packet into an external network data packet, and include deleting or modifying category information in the packet header according to the determined category information; The data packet forwarding module is further configured to: forward the external network data packet converted by the data packet conversion module to the external network.
21、如权利要求 17至 20中任一项所述的网络, 其中, 所述终端是设置为 以如下方式对接收的所述数据报文进行区别处理:根据所述报文源端类别,并 结合该终端自身属性以业务应用的机密性, 确定对所述数据报文的处理方式。 The network according to any one of claims 17 to 20, wherein the terminal is configured to perform differentiating processing on the received data packet in the following manner: according to the source type of the packet, and The processing manner of the data packet is determined according to the confidentiality of the service application in combination with the attribute of the terminal itself.
22、如权利要求 17至 20中任一项所述的网络, 其中, 所述类别信息通过 IPV6扩展报文头携带。 The network according to any one of claims 17 to 20, wherein the category information is carried by an IPV6 extended packet header.
23、如权利要求 17至 20中任一项所述的网络, 其中, 所述类别信息通过 IPV6扩展 文头的目的地选项头携带, 所述目的地选项头的选项类型的前两 位是 00或 01 ,表示目的节点不认识此选项时正常处理数据报文的其余部分或 丟弃该数据报文。 The network according to any one of claims 17 to 20, wherein the category information is carried by a destination option header of an IPV6 extended header, and the first two digits of the option type of the destination option header are 00 Or 01 indicates that the destination node does not know the option to process the rest of the data packet or discard the data packet.
24、如权利要求 17至 20中任一项所述的网络, 其中, 所述类别信息包括 根据终端类型确定的源标识类型 (SIDT )和 /或根据终端可信任度确定的可信 任度(CG ) , 其中所述源标识类型包括: 网内可信任用户、 网内集团用户、 网内网吧用户、 网外可信任的同类网络用户、 网外可信任的异类网络用户或网 外不可信任的网络用户。 The network according to any one of claims 17 to 20, wherein the category information includes a source identification type (SIDT) determined according to a terminal type and/or a trustworthiness determined according to a terminal trustworthiness (CG) The source identification type includes: a trusted user in the network, a group user in the network, an Internet cafe user in the network, a similar network user that can be trusted outside the network, a heterogeneous network user that is trusted outside the network, or an untrusted network outside the network. user.
25、如权利要求 17至 20中任一项所述的网络, 其中, 所述数据报文的报 文头还包括根据终端所在域确定的域标识符(DID )和 /或终端的域内标识符。 The network according to any one of claims 17 to 20, wherein the header of the data packet further includes a domain identifier (DID) determined according to a domain in which the terminal is located and/or an intra-domain identifier of the terminal. .
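The following is an added worked example, not code from the patent or from ZTE: it shows what claims 15/23 (category information in an IPv6 Destination Options header, with the option type's top two bits selecting skip-or-discard for a node that does not recognise the option), claims 16/24 (SIDT and CG values), claim 19 (an ISN rewriting category information on packets arriving from an external network) and claims 13/21 (a terminal combining the category with service confidentiality) would look like on the wire. The option type value 0x1E, the numeric SIDT codes, the one-byte-SIDT-plus-one-byte-CG payload layout and the policy thresholds are all assumptions for illustration; the patent assigns none of them. The skip/discard rule for unknown options follows RFC 2460 section 4.2, and the example also drops for the 10 and 11 cases, which the claims do not mention.

```python
"""Added example (not the patent's code): build and parse an IPv6
Destination Options header carrying a hypothetical 'source category'
option, and apply the RFC 2460 option-type rules to unknown options."""
import struct

# Assumed option type (not an IANA-assigned value). Top two bits 00 mean a
# node that does not recognise the option skips it and keeps processing.
OPT_SRC_CATEGORY = 0x1E        # 0b00011110
PAD1, PADN = 0x00, 0x01
NEXT_HEADER_UDP = 17

# Source identifier types (SIDT) named in claims 16/24; numeric codes are assumed.
SIDT = {
    "in_net_trusted": 1, "in_net_enterprise": 2, "in_net_cafe": 3,
    "ext_trusted_same": 4, "ext_trusted_hetero": 5, "ext_untrusted": 6,
}


def build_dest_opts(next_header, options):
    """Return a Destination Options header (RFC 2460 s4.6) holding the given
    (type, data) TLV options, padded with Pad1/PadN to a multiple of 8 octets."""
    body = b"".join(struct.pack("!BB", t, len(d)) + d for t, d in options)
    pad = (-(2 + len(body))) % 8
    if pad == 1:
        body += bytes([PAD1])
    elif pad > 1:
        body += struct.pack("!BB", PADN, pad - 2) + b"\x00" * (pad - 2)
    hdr_ext_len = (2 + len(body)) // 8 - 1      # 8-octet units, first 8 excluded
    return struct.pack("!BB", next_header, hdr_ext_len) + body


def category_option(sidt, cg):
    """Assumed TLV payload: one byte SIDT, one byte credibility grade (CG)."""
    return (OPT_SRC_CATEGORY, struct.pack("!BB", sidt, cg))


def parse_dest_opts(hdr, known=frozenset({OPT_SRC_CATEGORY})):
    """Walk the option TLVs. Returns (next_header, header_length, {type: data}).
    Unknown options are skipped when their top two bits are 00; any other
    value (01, 10, 11) means the packet must be discarded, raised as ValueError."""
    next_header, hdr_ext_len = hdr[0], hdr[1]
    length = (hdr_ext_len + 1) * 8
    opts, i = {}, 2
    while i < length:
        t = hdr[i]
        if t == PAD1:
            i += 1
            continue
        dlen = hdr[i + 1]
        data = bytes(hdr[i + 2:i + 2 + dlen])
        i += 2 + dlen
        if t == PADN:
            continue
        if t in known:
            opts[t] = data
            continue
        if t >> 6 == 0b00:          # unrecognised but skippable
            continue
        raise ValueError(f"unknown option 0x{t:02x} requires discard")
    return next_header, length, opts


def isn_ingress(hdr, assigned_sidt, assigned_cg):
    """ISN conversion (claim 19): category information arriving from an external
    network is never trusted; it is replaced by the ISN's own determination, or
    added if absent. Only recognised options are carried over in this example."""
    next_header, _, opts = parse_dest_opts(hdr)
    kept = [(t, d) for t, d in opts.items() if t != OPT_SRC_CATEGORY]
    return build_dest_opts(next_header, kept + [category_option(assigned_sidt, assigned_cg)])


def terminal_decision(opts, service_confidential, min_cg_for_confidential=3):
    """Terminal policy (claims 13/21): combine the packet source category with
    the confidentiality of the service. Threshold and rules are assumed."""
    data = opts.get(OPT_SRC_CATEGORY)
    if data is None:
        return "drop" if service_confidential else "accept"
    sidt, cg = data[0], data[1]
    if sidt == SIDT["ext_untrusted"]:
        return "drop"
    if service_confidential and cg < min_cg_for_confidential:
        return "drop"
    return "accept"


if __name__ == "__main__":
    # Constructed sample: a packet from an external network that claims to be a
    # trusted in-network user with the highest grade; the ISN overwrites it.
    spoofed = build_dest_opts(NEXT_HEADER_UDP, [category_option(SIDT["in_net_trusted"], 5)])
    cleaned = isn_ingress(spoofed, SIDT["ext_trusted_same"], 2)
    _, _, opts = parse_dest_opts(cleaned)
    print(opts, terminal_decision(opts, service_confidential=True))
```

The point a practitioner should take from the ISN function is that header-carried trust is only as good as the node that last wrote it: the conversion module in claim 19 exists precisely so that category information originating outside the network is replaced before it reaches a terminal that will act on it.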
PCT/CN2010/076022 2010-01-11 2010-08-16 Implementing method, network and terminal for processing data packet classification WO2011082584A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201010001627.0A CN102123072B (en) 2010-01-11 2010-01-11 The implementation method of Packet Classification process, network and terminal
CN201010001627.0 2010-01-11

Publications (1)

Publication Number Publication Date
WO2011082584A1 true WO2011082584A1 (en) 2011-07-14

Family

ID=44251530

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2010/076022 WO2011082584A1 (en) 2010-01-11 2010-08-16 Implementing method, network and terminal for processing data packet classification

Country Status (2)

Country Link
CN (1) CN102123072B (en)
WO (1) WO2011082584A1 (en)


Also Published As

Publication number Publication date
CN102123072A (en) 2011-07-13
CN102123072B (en) 2016-03-02


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 10841927; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 10841927; Country of ref document: EP; Kind code of ref document: A1)