
CN102647358A - Message transmitting and processing method, device, client equipment and network equipment - Google Patents


Info

Publication number
CN102647358A
Authority
CN
China
Prior art keywords
external connection
client
connection instruction
address
notification message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201210122829XA
Other languages
Chinese (zh)
Inventor
陈家锋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Star Net Ruijie Networks Co Ltd
Original Assignee
Beijing Star Net Ruijie Networks Co Ltd

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a message transmitting and processing method, a device, client equipment and network equipment. The message transmitting method comprises: packaging the source IP (Internet Protocol) address, the destination IP address, the destination port and the transport layer protocol number of an external connection instruction intercepted by a client terminal, together with an identifier of the network communication process that sends the external connection instruction and the hardware feature information of the client terminal, in a notification message, and transmitting the notification message; receiving a response message transmitted by the network equipment connected with the client terminal; and transmitting the external connection instruction to the network equipment so that it processes the external connection instruction according to the processing strategy corresponding to that instruction. According to the invention, after receiving the external connection instruction from the client terminal, the network equipment processes it according to the corresponding processing strategy, so that only authorized external connection instructions can pass through the network equipment, thereby improving network security.

Description

Message sending and processing method and device, client device and network device
Technical Field
The present invention relates to communications technologies, and in particular, to a method and an apparatus for sending and processing a packet, a client device, and a network device.
Background
An Internet Protocol (IP) address identifies each computer in the Transmission Control Protocol (TCP)/IP suite: every networked computer identifies itself by its IP address and exchanges information using that address.
TCP is a connection-oriented transport layer protocol in the TCP/IP architecture that provides full-duplex and reliable delivery services. The four elements of a TCP connection include: a source IP address, a destination IP address, a source port, and a destination port.
In the prior art, trusted communication between application programs on a network is achieved by electronically signing the IP header when IP data is sent. Specifically, an IP datagram transceiving program is installed and run on every sending or receiving device of the local area network or the Internet, replacing the protocol processing part of the operating system. On the sending device, this program electronically signs each outgoing IP datagram and reconstructs it; the receiving device verifies the signature carried in the 'option' field of the IP datagram and forwards the datagram if the signature is correct, otherwise it refuses to forward it and discards it.
However, in the prior art the receiving device must verify the signature of every IP datagram. This places a heavy load on the receiving device, and as the number of received datagrams grows its processing speed drops, delaying data communication. Likewise, the sending device must sign every IP datagram, so its load is also heavy, and as the number of datagrams to send grows its processing speed drops, which may also delay data communication.
Disclosure of Invention
The invention provides a message sending and processing method, a message sending and processing device, client equipment and network equipment, which are used for reducing the load of the client equipment and reducing the delay of data communication.
One aspect of the present invention provides a method for sending a packet, including:
the client packages a source Internet Protocol (IP) address, a destination IP address, a source port, a destination port and a transport layer protocol number of an external connection instruction intercepted by the client, an identifier of a network communication process for sending the external connection instruction and hardware characteristic information of the client in a notification message, and sends the notification message;
the client receives a response message sent by network equipment connected with the client, wherein the response message is sent to the client after the network equipment receives and analyzes the notification message, acquires a source IP address, a destination IP address, a source port, a destination port and a transport layer protocol number of the external connection instruction, an identifier of the network communication process and hardware characteristic information of the client, and sets a processing strategy corresponding to the external connection instruction;
and the client sends the external connection instruction to the network equipment so that the network equipment can process the external connection instruction according to a processing strategy corresponding to the external connection instruction.
Another aspect of the present invention provides a method for processing a packet, including:
network equipment receives a notification message sent by a client, wherein the client sends the notification message after encapsulating in it a source Internet Protocol (IP) address, a destination IP address, a source port, a destination port and a transport layer protocol number of an external connection instruction intercepted by the client, an identifier of the network communication process sending the external connection instruction and hardware characteristic information of the client;
the network equipment analyzes the notification message, acquires a source IP address, a destination IP address, a source port, a destination port and a transport layer protocol number of the external connection instruction, an identifier of the network communication process and hardware characteristic information of the client, and sets a processing strategy corresponding to the external connection instruction;
and the network equipment sends a response message to the client, receives the external connection instruction sent by the client and processes the external connection instruction according to a processing strategy corresponding to the external connection instruction.
In another aspect, the present invention provides a packet sending apparatus, including a service processing module and a protocol driving module;
a service processing module, configured to encapsulate a source internet protocol IP address, a destination IP address, a source port, a destination port, and a transport layer protocol number of an external connection instruction intercepted by the client, and an identifier of a network communication process that sends the external connection instruction and hardware feature information of the client in a notification message, and send the notification message; receiving a response message sent by the network device connected to the client, wherein the response message is sent to the service processing module after the network device receives and analyzes the notification message, acquires a source IP address, a destination IP address, a source port, a destination port and a transport layer protocol number of the external connection command, an identifier of the network communication process and hardware characteristic information of the client, and sets a processing strategy corresponding to the external connection command;
and the protocol driving module is used for sending the external connection instruction to the network equipment after the service processing module receives the response message, so that the network equipment can process the external connection instruction according to a processing strategy corresponding to the external connection instruction.
In another aspect, the present invention provides a client device, including the message sending apparatus as described above.
In another aspect, the present invention provides a packet processing apparatus, including a receiving module, an analysis module, a setting module, a sending module and a processing module;
the receiving module is configured to receive a notification message sent by a client, where the notification message sent by the client is sent after the client encapsulates a source internet protocol IP address, a destination IP address, a source port, a destination port, and a transport layer protocol number of an external connection instruction intercepted by the client, an identifier of a network communication process that sends the external connection instruction, and hardware feature information of the client in the notification message; after the sending module sends a response message to the client, receiving the external connection instruction sent by the client;
the analysis module is configured to analyze the notification packet received by the receiving module to obtain a source IP address, a destination IP address, a source port, a destination port, and a transport layer protocol number of the external connection instruction, and an identifier of the network communication process and hardware feature information of the client;
the setting module is used for setting a processing strategy corresponding to the external connection instruction;
the sending module is configured to send a response packet to the client after the setting module sets the processing policy corresponding to the external connection instruction;
the processing module is configured to process the external connection instruction received by the receiving module according to a processing policy corresponding to the external connection instruction.
In another aspect, the present invention provides a network device, including the message processing apparatus as described above.
The technical effects of one aspect of the invention are as follows. The client packages a source IP address, a destination IP address, a source port, a destination port and a transport layer protocol number of an external connection instruction intercepted by the client, an identifier of the network communication process sending the external connection instruction and hardware characteristic information of the client in a notification message, and sends the notification message; the client then receives a response message sent by the network equipment connected with the client, and sends the external connection instruction to the network equipment. After receiving the notification message, the network device can acquire the hardware characteristics and the network communication process of the client initiating the external connection instruction, and set a processing policy for that instruction. Therefore, when the network equipment receives the external connection instruction sent by the client, it processes the instruction according to the corresponding processing strategy, and only authorized external connection instructions can pass through the network equipment, which improves network safety. The invention does not need to create or verify signatures, thereby reducing the load of the client and the delay of data communication.
The technical effects of the other aspect of the invention are as follows. After receiving a notification message sent by a client, the network equipment analyzes it, acquires the source IP address, destination IP address, source port, destination port and transport layer protocol number of the external connection instruction intercepted by the client, the identifier of the network communication process sending the instruction and the hardware characteristic information of the client, sets a processing strategy corresponding to the external connection instruction and sends a response message to the client; the network equipment then receives the external connection instruction sent by the client and processes it according to the corresponding processing strategy. Therefore, only authorized external connection instructions can pass through the network equipment, which improves network safety. In addition, the invention does not need to create or verify signatures, thereby reducing the load of the client and the delay of data communication; and since the client performs the interception of the external connection instruction and the acquisition of its information, the burden on the network equipment is reduced and its performance is preserved.
Drawings
Fig. 1 is a flowchart of an embodiment of a message sending method according to the present invention;
fig. 2 is a flowchart of another embodiment of a message sending method according to the present invention;
FIG. 3 is a flow chart of one embodiment of a message processing method of the present invention;
fig. 4 is a schematic structural diagram of an embodiment of a message sending apparatus according to the present invention;
fig. 5 is a schematic structural diagram of another embodiment of a message sending apparatus according to the present invention;
fig. 6 is a schematic structural diagram of an embodiment of a message processing apparatus according to the present invention.
Detailed Description
Fig. 1 is a flowchart of an embodiment of a message sending method according to the present invention, and as shown in fig. 1, the message sending method may include:
step 101, a client encapsulates a source IP address, a destination IP address, a source port, a destination port, and a transport layer protocol number of an external connection instruction intercepted by the client, an identifier of a network communication process that sends the external connection instruction, and hardware feature information of the client in a notification message, and sends the notification message.
Step 102, the client receives a response message sent by the network device connected to the client, where the response message is sent to the client after the network device receives and analyzes the notification message, obtains a source IP address, a destination IP address, a source port, a destination port, and a transport layer protocol number of the external connection instruction, and obtains an identifier of the network communication process and hardware feature information of the client, and sets a processing policy corresponding to the external connection instruction.
In this embodiment, the hardware feature information of the client may be a Media Access Control (MAC) address of the client.
Step 103, the client sends the external connection instruction to the network device, so that the network device processes the external connection instruction according to the processing policy corresponding to the external connection instruction.
Further, before step 101, the client may intercept the external connection instruction sent by the network communication process, and obtain a source IP address, a destination IP address, a source port, a destination port, and a transport layer protocol number of the external connection instruction, and an identifier of the network communication process.
In this embodiment, step 103 may be: the client encapsulates the external connection instruction into a connection message and sends the connection message to the network equipment, so that the network equipment processes the connection message according to the processing strategy corresponding to the external connection instruction. The connection packet may be an external connection handshake packet, although the present invention is not limited thereto; in a specific implementation the connection packet may also take other forms, for example an Access Control List (ACL) notification message, which the present invention does not limit.
In this embodiment, the destination port of the notification message may be an agreed port, where the agreed port may be an uncommon, rarely used port, for example 20001; alternatively, the destination IP address of the notification message may be an agreed IP address, where the agreed IP address may be any IP address, for example 1.1.1.1, which this embodiment does not limit, as long as a notification packet using the agreed IP address as its destination IP address can be routed to the network device; or both: the destination port of the notification message is the agreed port and the destination IP address of the notification message is the agreed IP address.
In this embodiment, the network device may be a router, a switch, a gateway, or the like, and the form of the network device is not limited in this embodiment.
In the above embodiment, after receiving the notification message, the network device may acquire the hardware feature and the network communication process of the client initiating the external connection instruction, and set a processing policy for the external connection instruction; therefore, after the network equipment receives the external connection instruction sent by the client, the external connection instruction is processed according to the processing strategy corresponding to the external connection instruction, and only authorized external connection instruction can pass through the network equipment, so that the network safety is improved; the invention does not need to carry out signature or verify the signature, thereby reducing the load of the client and reducing the delay of data communication.
Fig. 2 is a flowchart of another embodiment of the message sending method of the present invention, and as shown in fig. 2, the message sending method may include:
Step 201, a user of the client operates a network communication process, and that network communication process sends an external connection instruction to connect to the server corresponding to the process.
Step 202, a Transport Driver Interface (TDI) filter driver of the client intercepts the external connection instruction sent by the network communication process, and obtains the source IP address, destination IP address, source port, destination port and transport layer protocol number of the external connection instruction, and the identifier of the network communication process.
The TDI sits between the upper network components of the operating system (e.g., afd.sys) and the protocol driver (e.g., the TCP/IP driver) and defines a set of interface standards; any upper network component can call each network protocol driver in the operating system as long as it follows the TDI specification. The TDI handles the network commands of the upper network components, such as name resolution, connection establishment and data sending or receiving, describing them with a common instruction set and converting them into Input/Output Request Packets (IRPs) that the protocol driver can recognize.
The TDI filter driver binds itself to the protocol driver of the client, so that every IRP sent to the protocol driver passes through the TDI filter driver, which can therefore intercept the IRPs and learn the communication actions and communication addresses of the upper network components. Since the TDI filter driver sits at a higher level of the network communication kernel, the identity of the network communication process performing these communication actions can be known.
In step 203, the TDI filter driver sends the source IP address, the destination IP address, the source port, the destination port, the transport layer protocol number of the external connection command, and the identifier of the network communication process to the service processing program of the client.
In this embodiment, after the TDI filter driver intercepts the external connection instruction, the TDI filter driver temporarily holds the external connection instruction, and first notifies the service processing program of the client of the source IP address, the destination IP address, the source port, the destination port, the transport layer protocol number of the external connection instruction, and the identifier of the network communication process.
Step 204, the service processing program encapsulates the source IP address, the destination IP address, the source port, the destination port, and the transport layer protocol number of the external connection instruction, the identifier of the network communication process, and the hardware feature information of the client in a notification message, and sends the notification message.
Further, the notification message may also carry the identity information of the user.
In this embodiment, the notification message may be a User Datagram Protocol (UDP) message or a TCP message, and the type of the notification message is not limited in the present invention, as long as the notification message can be routed to the network device, so that the network device knows the relevant information of the external connection instruction carried in the notification message.
In an implementation manner of this embodiment, the destination port of the notification message may be an appointed port, where the appointed port may be an uncommon rarely used port, for example: 20001; in this implementation manner, the source IP address, the destination IP address, and the source port of the notification packet may be the source IP address, the destination IP address, and the source port of the external connection instruction, respectively. Specifically, the service processing program may send the notification message according to a destination IP address of the notification message (in this implementation, the destination IP address of the external connection instruction), so that the notification message may be routed to the network device connected to the client. In this implementation, after the TDI filter driver monitors the notification message whose destination port is the appointed port, the TDI filter driver does not intercept the notification message, and directly passes the notification message.
In another implementation manner of this embodiment, the destination IP address of the notification message may be an agreed-upon IP address, where the agreed-upon IP address may be a different IP address, for example: 1.1.1.1, this embodiment does not limit this, as long as the notification packet using the agreed IP address as the destination IP address can be routed to the network device; in this implementation manner, the source IP address, the source port, and the destination port of the notification packet may be the source IP address, the source port, and the destination port of the external connection instruction, respectively. Specifically, the service processing program may send the notification message according to the destination IP address (1.1.1.1 in this implementation) of the notification message, so that the notification message may be routed to the network device connected to the client. In this implementation, after the TDI filter driver monitors the notification packet with the destination IP address being the agreed IP address, the TDI filter driver does not intercept the notification packet and directly passes the notification packet.
In specific implementation, the above two implementations may be used alone or in combination, for example: the destination IP address of the notification message may be the agreed-upon IP address, and the destination port of the notification message is the agreed-upon port, which is not limited in this embodiment.
Step 205, the network device connected to the client receives and analyzes the notification message, obtains the source IP address, the destination IP address, the source port, the destination port, and the transport layer protocol number of the external connection command, the identifier of the network communication process and the hardware feature information of the client, and sets a processing policy corresponding to the external connection command.
In this embodiment, if the destination port of the notification message is an agreed port, the network device may analyze the notification message after determining that the destination port of the received notification message is the agreed port, and obtain a source IP address, a destination IP address, a source port, a destination port, and a transport layer protocol number of the external connection instruction, an identifier of the network communication process, and hardware feature information of the client; or,
if the destination IP address of the notification packet is the agreed IP address, the network device may analyze the notification packet after determining that the destination IP address of the received notification packet is the agreed IP address, and obtain the source IP address, the destination IP address, the source port, the destination port, and the transport layer protocol number of the external connection command, the identifier of the network communication process, and the hardware feature information of the client.
Further, when the notification message also carries the identity information of the user, the network device may also acquire the identity information of the user initiating the external connection instruction.
That is, after receiving the notification message, the network device may acquire the hardware characteristics of the client that sends the external connection instruction and the network communication process that sends the external connection instruction; optionally, identity information of the user initiating the external connection instruction may also be known.
Specifically, the network device may set the processing policy corresponding to the external connection instruction as follows: the network equipment sets a processing strategy corresponding to the external connection instruction as a release strategy when determining to release the external connection instruction according to a control strategy of the network equipment; or, when the network device determines to intercept the external connection instruction according to its own control policy, setting the processing policy corresponding to the external connection instruction as an interception policy.
Step 206, the service processing program of the client receives the response message sent by the network device, and notifies the TDI filter driver to release the external connection instruction.
In this embodiment, the response message is also a UDP message, and is used to notify the service processing program that the network device has received the notification message, and the processing policy corresponding to the external connection instruction is set.
Step 207, the protocol driver of the client receives the external connection instruction, encapsulates the external connection instruction into a connection message, and sends the connection message to the network device.
The connection packet may be an external connection handshake packet, although the present invention is not limited thereto; in a specific implementation the connection packet may also take other forms, for example an ACL notification message, which the present invention does not limit.
Step 208, after receiving the connection message, the network device processes the connection message according to the processing strategy corresponding to the external connection instruction.
Specifically, if the processing policy corresponding to the external connection instruction is a release policy, the network device releases the connection packet, and sends the connection packet according to a destination address of the connection packet; if the processing strategy corresponding to the external connection instruction is an interception strategy, the network device intercepts the connection message, that is, the connection message is not allowed to pass through the network device.
In this embodiment, the network device may be a router, a switch, a gateway, or the like, and the form of the network device is not limited in this embodiment.
The embodiment can realize that the network equipment acquires the information of each external connection instruction (the hardware characteristic of the client sending the external connection instruction and the network communication process sending the external connection instruction), so as to determine to pass or intercept the external connection instruction according to the information, thereby ensuring that the flow passing through the network equipment is authenticated and credible flow and improving the safety of the network; and the network equipment can store the attributes of the flow for later statistical investigation, thereby realizing safe and controllable access. In addition, the embodiment does not need to carry out signature or verify the signature, thereby reducing the load of the client and reducing the delay of data communication. In addition, in this embodiment, the operations of intercepting the external connection instruction and obtaining the information of the external connection instruction are completed by the client, so that the burden of the network device is reduced, and the performance of the network device is ensured.
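The notify / respond / connect exchange of steps 101 to 103, 201 to 208 and 301 to 302 can be simulated end to end. The following Python is an added example, not code from the patent or from the assignee: the wire format of the notification message, the network device's control policy (a client MAC address mapped to the process identifiers and destination ports it may use) and all class and function names are assumptions, since the patent does not specify them.

```python
"""Simulation of the client / network-device exchange described in the patent.
Constructed example: wire layout, control policy and names are assumptions."""
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

AGREED_PORT = 20001            # rarely used destination port for notification messages
RELEASE, INTERCEPT = "release", "intercept"

# (src_ip, dst_ip, src_port, dst_port, transport layer protocol number)
FiveTuple = Tuple[str, str, int, int, int]


@dataclass
class Notification:
    """Contents of a notification message (step 101 / 204)."""
    flow: FiveTuple
    pid: int              # identifier of the network communication process
    mac: bytes            # hardware feature information of the client (6-byte MAC)

    # Assumed layout: 4B src ip, 4B dst ip, 2B sport, 2B dport, 1B proto, 4B pid, 6B mac
    FMT = "!4s4sHHBI6s"

    def encode(self) -> bytes:
        src, dst, sport, dport, proto = self.flow
        return struct.pack(self.FMT, socket.inet_aton(src), socket.inet_aton(dst),
                           sport, dport, proto, self.pid, self.mac)

    @classmethod
    def decode(cls, data: bytes) -> "Notification":
        if len(data) != struct.calcsize(cls.FMT):
            raise ValueError("malformed notification message")
        src, dst, sport, dport, proto, pid, mac = struct.unpack(cls.FMT, data)
        return cls((socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport, proto),
                   pid, mac)


class NetworkDevice:
    """Router / switch / gateway side (steps 205, 208 and 301, 302)."""

    def __init__(self, authorized: Dict[bytes, Set[Tuple[int, int]]]):
        # Control policy (assumption): MAC -> allowed (process id, destination port) pairs
        self.authorized = authorized
        self.policies: Dict[FiveTuple, str] = {}

    def on_notification(self, dst_port: int, data: bytes) -> Optional[bytes]:
        # Only datagrams addressed to the agreed port are parsed as notifications
        if dst_port != AGREED_PORT:
            return None
        n = Notification.decode(data)
        allowed = (n.pid, n.flow[3]) in self.authorized.get(n.mac, set())
        self.policies[n.flow] = RELEASE if allowed else INTERCEPT
        return b"OK"           # response message: policy has been set

    def on_connection(self, flow: FiveTuple) -> str:
        # A connection packet with no prior notification is not authorized traffic
        return self.policies.get(flow, INTERCEPT)


class Client:
    """Client side: the filter driver holds the instruction (202), the service
    program notifies (204) and releases it once the response arrives (206)."""

    def __init__(self, mac: bytes, device: NetworkDevice):
        self.mac, self.device = mac, device

    def connect(self, pid: int, flow: FiveTuple) -> str:
        notification = Notification(flow, pid, self.mac).encode()
        # Notification traffic to the agreed port is passed through, not intercepted
        response = self.device.on_notification(AGREED_PORT, notification)
        if response is None:
            return INTERCEPT   # no response: the held instruction is never released
        # Response received: filter driver releases the connection (step 207 / 208)
        return self.device.on_connection(flow)


if __name__ == "__main__":
    mac = b"\x00\x11\x22\x33\x44\x55"                      # constructed client MAC
    device = NetworkDevice({mac: {(4242, 443)}})
    client = Client(mac, device)
    print(client.connect(4242, ("192.0.2.10", "198.51.100.7", 50000, 443, 6)))   # release
    print(client.connect(9999, ("192.0.2.10", "198.51.100.7", 50001, 443, 6)))   # intercept
    print(device.on_connection(("192.0.2.99", "198.51.100.7", 50002, 443, 6)))   # intercept
```

The third call shows the property the page claims: a connection packet that was never announced by a notification message is intercepted, so only flows the network device has authorized pass through it.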
The embodiment shown in fig. 2 of the present invention is described using the scenario in which a client initiates an external TCP connection as an example. The implementation process for a client sending external UDP traffic is similar to that of the embodiment shown in fig. 2, with the following differences: in the TDI filter driver, the intercepted IRP instruction for sending a UDP packet is stored in a linked list, and the linked list is handed to the service processing program; the service processing program sends a notification message to the network device and, after receiving the response message from the network device, notifies the TDI filter driver to issue the stored IRP instruction for sending the UDP packet.
It should be noted that in the method provided by the present invention, the TDI filter driver does temporarily hold an external connection instruction, but the hold time is only the round-trip time of the two messages. For the network communication process this is equivalent to a delay of milliseconds in its call of the connection application programming interface (hereinafter referred to as the connection API), and the influence on the network communication process as a whole is small.
Fig. 3 is a flowchart of an embodiment of a message processing method according to the present invention. As shown in fig. 3, the message processing method may include:
Step 301, a network device receives a notification message sent by a client, where the notification message is sent after the client encapsulates, in the notification message, the source IP address, destination IP address, source port, destination port and transport layer protocol number of an external connection instruction intercepted by the client, the identifier of the network communication process sending the external connection instruction, and the hardware feature information of the client.
Step 302, the network device analyzes the notification packet, obtains the source IP address, the destination IP address, the source port, the destination port, and the transport layer protocol number of the external connection command, the identifier of the network communication process and the hardware characteristic information of the client, and sets a processing policy corresponding to the external connection command.
In an implementation manner of this embodiment, the destination port of the notification message may be an agreed port, where the agreed port may be a rarely used port, for example 20001. In this case the network device parses the notification message as follows: after receiving the notification message, if it determines that the destination port of the notification message is the agreed port, the network device parses the notification message.
In another implementation manner of this embodiment, the destination IP address of the notification message may be an agreed IP address, where the agreed IP address may be a special IP address, for example 1.1.1.1; this embodiment does not limit this, as long as a notification message whose destination IP address is the agreed IP address can be routed to the network device. In this case the network device parses the notification message as follows: after receiving the notification message, if it determines that the destination IP address of the notification message is the agreed IP address, the network device parses the notification message.
In another implementation manner of this embodiment, the destination port of the notification message is an agreed port and the destination IP address of the notification message is an agreed IP address; the agreed port may be a rarely used port, for example 20001, and the agreed IP address may be a special IP address, for example 1.1.1.1; this embodiment does not limit this, as long as a notification message whose destination IP address is the agreed IP address can be routed to the network device. In this case the network device parses the notification message as follows: after receiving the notification message, if it determines that the destination port of the notification message is the agreed port and the destination IP address of the notification message is the agreed IP address, the network device parses the notification message.
Specifically, the processing policy corresponding to the external connection instruction may be set as follows: when the network device determines, according to its own control policy, to release the external connection instruction, it sets the processing policy corresponding to the external connection instruction to a release policy; when the network device determines, according to its own control policy, to intercept the external connection instruction, it sets the processing policy corresponding to the external connection instruction to an interception policy.
Step 303, the network device sends a response packet to the client, receives an external connection instruction sent by the client, and processes the external connection instruction according to the processing policy corresponding to the external connection instruction.
Specifically, receiving an external connection instruction sent by the client, and processing the external connection instruction according to the processing policy corresponding to the external connection instruction may be: the network equipment receives a connection message sent by the client and processes the connection message according to the processing strategy corresponding to the external connection instruction; the connection message sent by the client is obtained after the client encapsulates the external connection instruction.
Specifically, if the processing policy corresponding to the external connection instruction is a release policy, the network device releases the connection packet, and sends the connection packet according to a destination address of the connection packet; if the processing strategy corresponding to the external connection instruction is an interception strategy, the network device intercepts the connection message, that is, the connection message is not allowed to pass through the network device.
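The exchange of steps 301 to 303 together with the client-side hold-and-release of the TCP and UDP variants described above, as an added simulation that is not the patent's own code. It assumes the notification payload is JSON (the page fixes only its fields, not their encoding), takes the agreed target 1.1.1.1 port 20001 from the text, and models the network device's own control policy, which the page does not specify, as a constructed allow-list of (hardware feature, process identifier) pairs.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Agreed destination of notification messages, as given in the text.
AGREED_IP = "1.1.1.1"
AGREED_PORT = 20001

# (source IP, destination IP, source port, destination port, transport protocol number)
FiveTuple = Tuple[str, str, int, int, int]


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int                # transport layer protocol number: 6 = TCP, 17 = UDP
    payload: bytes = b""

    def five_tuple(self) -> FiveTuple:
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port, self.proto)


@dataclass
class NetworkDevice:
    """Network-device side (steps 301 to 303 and step 208).

    control_policy is a constructed allow-list keyed by (hardware feature,
    process identifier); the page does not specify the device's own control policy.
    """
    control_policy: Dict[Tuple[str, str], bool]
    policies: Dict[FiveTuple, str] = field(default_factory=dict)   # per external connection

    def handle_notification(self, pkt: Packet) -> Optional[Packet]:
        """Steps 301/302: parse a notification message and set the processing policy."""
        # Only a message addressed to the agreed IP address and port is parsed as a notification.
        if pkt.dst_ip != AGREED_IP or pkt.dst_port != AGREED_PORT:
            return None
        info = json.loads(pkt.payload)    # JSON payload encoding is an assumption
        key: FiveTuple = (info["src_ip"], info["dst_ip"], info["src_port"],
                          info["dst_port"], info["proto"])
        allowed = self.control_policy.get((info["hw"], info["pid"]), False)
        self.policies[key] = "release" if allowed else "intercept"
        # Step 303, first half: the response message back to the client.
        return Packet(AGREED_IP, pkt.src_ip, AGREED_PORT, pkt.src_port, 17, b"ok")

    def handle_connection(self, pkt: Packet) -> bool:
        """Step 208: True = released (forwarded to its destination), False = intercepted."""
        # A connection packet for which no notification was ever received has no
        # release policy, so it is intercepted like any other unauthorized flow.
        return self.policies.get(pkt.five_tuple()) == "release"


@dataclass
class Client:
    """Client side: the TDI filter driver's hold list plus the service program.

    For TCP one connection instruction is held; for UDP the text stores the
    intercepted send instructions in a linked list, modelled here by the same list.
    """
    ip: str
    hw: str                   # hardware feature information (constructed value)
    held: List[Packet] = field(default_factory=list)
    notify_port: int = 40000  # constructed source port of the notification message

    def intercept(self, pid: str, pkt: Packet) -> Packet:
        """Hold the outbound instruction and build the notification message for it."""
        self.held.append(pkt)
        info = {"src_ip": pkt.src_ip, "dst_ip": pkt.dst_ip, "src_port": pkt.src_port,
                "dst_port": pkt.dst_port, "proto": pkt.proto, "pid": pid, "hw": self.hw}
        return Packet(self.ip, AGREED_IP, self.notify_port, AGREED_PORT, 17,
                      json.dumps(info).encode())

    def on_response(self) -> List[Packet]:
        """Release every held instruction once the response message arrives."""
        released, self.held = self.held, []
        return released


def run_exchange(client: Client, device: NetworkDevice, pid: str, pkt: Packet) -> bool:
    """The full round trip for one external connection; returns whether it passed."""
    notification = client.intercept(pid, pkt)
    response = device.handle_notification(notification)
    if response is None:                 # notification not addressed to the agreed target
        return False
    released = client.on_response()      # service program tells the filter driver to release
    return all(device.handle_connection(p) for p in released)


if __name__ == "__main__":
    device = NetworkDevice(control_policy={("hw-A", "browser.exe"): True})
    client = Client(ip="10.0.0.5", hw="hw-A")
    web = Packet("10.0.0.5", "203.0.113.7", 51000, 443, 6)
    print("authorized process:", run_exchange(client, device, "browser.exe", web))   # True
    other = Packet("10.0.0.5", "203.0.113.7", 51001, 443, 6)
    print("unknown process:", run_exchange(client, device, "unknown.exe", other))    # False
```

A connection packet that arrives with no preceding notification has no policy entry and is therefore intercepted, which is the property the embodiment relies on for authorized-only traffic.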
In this embodiment, the network device may be a router, a switch, a gateway, or the like, and the form of the network device is not limited in this embodiment.
The embodiment can realize that the network equipment processes the external connection instruction according to the processing strategy corresponding to the external connection instruction after receiving the external connection instruction sent by the client, thereby ensuring that only authorized external connection instruction can pass through the network equipment, and improving the network security; in addition, the invention does not need to carry out signature or verify the signature, thereby reducing the load of the client and reducing the delay of data communication; in addition, the operation of intercepting the external connection instruction and acquiring the information of the external connection instruction is completed by the client, so that the burden of the network equipment can be reduced, and the performance of the network equipment is ensured.
Those of ordinary skill in the art will understand that: all or a portion of the steps of implementing the above-described method embodiments may be performed by hardware associated with program instructions. The program may be stored in a computer-readable storage medium. When executed, the program performs steps comprising the method embodiments described above; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Fig. 4 is a schematic structural diagram of an embodiment of a message sending apparatus according to the present invention, where the message sending apparatus in this embodiment may implement the process of the embodiment shown in fig. 1 of the present invention, and as shown in fig. 4, the message sending apparatus may include: a service processing module 41 and a protocol driving module 42;
the service processing module 41 is configured to encapsulate a source IP address, a destination IP address, a source port, a destination port, and a transport layer protocol number of an external connection instruction intercepted by the client, an identifier of a network communication process that sends the external connection instruction, and hardware feature information of the client in a notification message, and send the notification message; receiving a response message sent by the network device connected to the client, where the response message is sent to the service processing module 41 after the network device receives and analyzes the notification message, obtains the source IP address, the destination IP address, the source port, the destination port, and the transport layer protocol number of the external connection command, the identifier of the network communication process and the hardware feature information of the client, and sets a processing policy corresponding to the external connection command;
the protocol driving module 42 is configured to send the external connection instruction to the network device after the service processing module 41 receives the response packet, so that the network device processes the external connection instruction according to a processing policy corresponding to the external connection instruction.
In this embodiment, the network device may be a router, a switch, a gateway, or the like, and the form of the network device is not limited in this embodiment.
In the above embodiment, the service processing module 41 encapsulates the source IP address, the destination IP address, the source port, the destination port, and the transport layer protocol number of the external connection instruction intercepted by the client, the identifier of the network communication process that sends the external connection instruction, and the hardware feature information of the client in the notification message, and sends the notification message; then, the service processing module 41 receives a response message sent by the network device connected to the client, and the protocol driver module 42 sends the external connection instruction to the network device; after receiving the notification message, the network device may acquire the hardware characteristics and the network communication process of the client initiating the external connection instruction, and set a processing policy for the external connection instruction; therefore, after the external connection instruction sent by the protocol driving module is received, the external connection instruction is processed according to the processing strategy corresponding to the external connection instruction, and only authorized external connection instruction can pass through the network equipment, so that the network safety is improved; the invention does not need to carry out signature or verify the signature, thereby reducing the load of the client and reducing the delay of data communication.
Fig. 5 is a schematic structural diagram of another embodiment of the message sending apparatus of the present invention. Compared with the message sending apparatus shown in fig. 4, the difference is that the message sending apparatus in this embodiment may further include a TDI filter driver module 43;
the TDI filter driver module 43 is configured to intercept the external connection instruction sent by the network communication process, obtain the source IP address, destination IP address, source port, destination port and transport layer protocol number of the external connection instruction and the identifier of the network communication process, and send them to the service processing module 41.
In this embodiment, the service processing module 41 is further configured to notify the TDI filter driver module 43 to release the external connection instruction after receiving the response message;
the protocol driver module 42 is specifically configured to, after receiving the external connection instruction, encapsulate the external connection instruction into a connection packet, and send the connection packet to the network device, so that the network device processes the connection packet according to a processing policy corresponding to the external connection instruction. The connection packet may be an external connection handshake packet, although the present invention is not limited thereto, and in a specific implementation, the connection packet may also be a packet in other forms, for example: ACL notification messages, etc., which are not limited by the present invention.
In an implementation manner of this embodiment, the destination port of the notification message sent by the service processing module 41 may be an agreed port, where the agreed port may be a rarely used port, for example 20001; in this implementation, after receiving the notification message, the network device parses it if it determines that the destination port of the notification message is the agreed port.
In another implementation manner of this embodiment, the destination IP address of the notification message sent by the service processing module 41 may be an agreed IP address, where the agreed IP address may be a special IP address, for example 1.1.1.1; this embodiment does not limit this, as long as a notification message whose destination IP address is the agreed IP address can be routed to the network device. In this implementation, after receiving the notification message, the network device parses it if it determines that the destination IP address of the notification message is the agreed IP address.
In another implementation manner of this embodiment, the destination port of the notification message sent by the service processing module 41 is an agreed port and the destination IP address of the notification message is an agreed IP address; the agreed port may be a rarely used port, for example 20001, and the agreed IP address may be a special IP address, for example 1.1.1.1; this embodiment does not limit this, as long as a notification message whose destination IP address is the agreed IP address can be routed to the network device.
Further, the message sending apparatus may further include a network communication process module 44, configured to send the external connection instruction.
Further, the message sending apparatus may further include a network card driver module 45, configured to drive the network card of the client device in which the message sending apparatus is located.
In the above embodiment, after receiving the notification message, the network device may acquire the hardware feature and the network communication process of the client initiating the external connection instruction, and set a processing policy for the external connection instruction; therefore, after the external connection instruction sent by the protocol driving module is received, the external connection instruction is processed according to the processing strategy corresponding to the external connection instruction, and only authorized external connection instruction can pass through the network equipment, so that the network safety is improved; the invention does not need to carry out signature or verify the signature, thereby reducing the load of the client and reducing the delay of data communication. In addition, in this embodiment, the operations of intercepting the external connection instruction and acquiring the information of the external connection instruction are completed by the message sending apparatus, so that the burden of the network device is reduced, and the performance of the network device is ensured.
The present invention also provides a client device, which can be implemented by the message sending apparatus shown in fig. 4 or fig. 5 of the present invention.
Fig. 6 is a schematic structural diagram of an embodiment of a message processing apparatus according to the present invention, where the message processing apparatus in this embodiment may implement the flow of the embodiment shown in fig. 3 of the present invention, as shown in fig. 6, the message processing apparatus may include: a receiving module 61, an analyzing module 62, a setting module 63, a sending module 64 and a processing module 65;
the receiving module 61 is configured to receive a notification message sent by a client, where the notification message sent by the client is sent after the client encapsulates a source IP address, a destination IP address, a source port, a destination port, and a transport layer protocol number of an external connection instruction intercepted by the client, an identifier of a network communication process that sends the external connection instruction, and hardware feature information of the client in the notification message; after the sending module 64 sends a response message to the client, an external connection instruction sent by the client is received;
an analyzing module 62, configured to analyze the notification packet received by the receiving module 61, to obtain a source IP address, a destination IP address, a source port, a destination port, and a transport layer protocol number of the external connection instruction, and an identifier of the network communication process and hardware feature information of the client;
a setting module 63, configured to set a processing policy corresponding to the external connection instruction;
a sending module 64, configured to send a response message to the client after the setting module 63 sets the processing policy corresponding to the external connection instruction;
the processing module 65 is configured to process the external connection instruction received by the receiving module 61 according to a processing policy corresponding to the external connection instruction.
Specifically, the receiving module 61 may receive a connection packet sent by the client; the connection message sent by the client is obtained after the client packages the external connection instruction;
the processing module 65 may process the connection packet received by the receiving module 61 according to the processing policy corresponding to the external connection instruction.
The analyzing module 62 may parse the notification message, after the receiving module 61 receives it, when it determines that the destination port of the notification message is the agreed port; or when it determines that the destination IP address of the notification message is the agreed IP address; or when it determines that the destination port of the notification message is the agreed port and the destination IP address of the notification message is the agreed IP address.
The message processing device can process the external connection instruction according to the processing strategy corresponding to the external connection instruction after receiving the external connection instruction sent by the client, so that only authorized external connection instructions can pass through the network equipment, and the network safety is improved; in addition, the invention does not need to carry out signature or verify the signature, thereby reducing the load of the client and reducing the delay of data communication; in addition, the operation of intercepting the external connection instruction and acquiring the information of the external connection instruction is completed by the client, so that the burden of the network equipment where the message processing device is located can be reduced, and the performance of the network equipment is ensured.
The present invention further provides a network device, which can be implemented by the message processing apparatus shown in fig. 6 of the present invention. In this embodiment, the network device may be a router, a switch, a gateway, or the like, and the form of the network device is not limited in this embodiment.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (16)

1. A method for sending a message, comprising:
the client packages a source Internet Protocol (IP) address, a destination IP address, a source port, a destination port and a transport layer protocol number of an external connection instruction intercepted by the client, an identifier of a network communication process for sending the external connection instruction and hardware characteristic information of the client in a notification message, and sends the notification message;
the client receives a response message sent by network equipment connected with the client, wherein the response message is sent to the client after the network equipment receives and analyzes the notification message, acquires a source IP address, a destination IP address, a source port, a destination port and a transport layer protocol number of the external connection instruction, an identifier of the network communication process and hardware characteristic information of the client, and sets a processing strategy corresponding to the external connection instruction;
and the client sends the external connection instruction to the network equipment so that the network equipment can process the external connection instruction according to a processing strategy corresponding to the external connection instruction.
2. The method according to claim 1, wherein before the client encapsulates a source Internet Protocol (IP) address, a destination IP address, a source port, a destination port, and a transport layer protocol number of the external connection instruction intercepted by the client, and an identifier of a network communication process that sends the external connection instruction and hardware feature information of the client in a notification message, and sends the notification message, the method further comprises:
the client intercepts the external connection instruction sent by the network communication process, and obtains a source IP address, a destination IP address, a source port, a destination port and a transport layer protocol number of the external connection instruction, and an identifier of the network communication process.
3. The method according to claim 1, wherein the sending, by the client, the external connection instruction to the network device, so that the network device processes the external connection instruction according to a processing policy corresponding to the external connection instruction, comprises:
and the client encapsulates the external connection instruction into a connection message and sends the connection message to the network equipment so that the network equipment can process the connection message according to a processing strategy corresponding to the external connection instruction.
4. The method according to any one of claims 1 to 3, wherein the destination port of the notification message is an agreed port; and/or the destination IP address of the notification message is an agreed IP address.
5. A message processing method, comprising:
the method comprises the steps that network equipment receives a notification message sent by a client, wherein the notification message sent by the client is sent after the client encapsulates a source Internet Protocol (IP) address, a destination IP address, a source port, a destination port and a transport layer protocol number of an external connection instruction intercepted by the client, an identifier of a network communication process sending the external connection instruction and hardware characteristic information of the client in the notification message;
the network equipment analyzes the notification message, acquires a source IP address, a destination IP address, a source port, a destination port and a transport layer protocol number of the external connection instruction, an identifier of the network communication process and hardware characteristic information of the client, and sets a processing strategy corresponding to the external connection instruction;
and the network equipment sends a response message to the client, receives the external connection instruction sent by the client and processes the external connection instruction according to a processing strategy corresponding to the external connection instruction.
6. The method according to claim 5, wherein the receiving the external connection instruction sent by the client, and the processing the external connection instruction according to the processing policy corresponding to the external connection instruction comprises:
the network equipment receives a connection message sent by the client and processes the connection message according to a processing strategy corresponding to the external connection instruction; the connection message sent by the client is obtained after the client packages the external connection instruction.
7. The method according to any one of claims 5 to 6, wherein the destination port of the notification message is an agreed port; and the analyzing, by the network device, of the notification message comprises:
after the network device receives the notification message, if the destination port of the notification message is determined to be the agreed port, the network device analyzes the notification message;
or,
the destination IP address of the notification message is an agreed IP address; and the analyzing, by the network device, of the notification message comprises:
after the network device receives the notification message, if the destination IP address of the notification message is determined to be the agreed IP address, the network device analyzes the notification message;
or,
the destination port of the notification message is an agreed port, and the destination IP address of the notification message is an agreed IP address; and the analyzing, by the network device, of the notification message comprises:
after the network device receives the notification message, if it is determined that the destination port of the notification message is the agreed port and the destination IP address of the notification message is the agreed IP address, the network device analyzes the notification message.
8. A message sending apparatus, comprising: a service processing module and a protocol driving module;
the service processing module is configured to encapsulate a source Internet Protocol (IP) address, a destination IP address, a source port, a destination port, and a transport layer protocol number of an external connection instruction intercepted by the client, and an identifier of a network communication process that sends the external connection instruction and hardware feature information of the client in a notification message, and send the notification message; and to receive a response message sent by the network device connected to the client, wherein the response message is sent to the service processing module after the network device receives and analyzes the notification message, acquires the source IP address, destination IP address, source port, destination port and transport layer protocol number of the external connection instruction, the identifier of the network communication process and the hardware feature information of the client, and sets a processing policy corresponding to the external connection instruction;
and the protocol driving module is used for sending the external connection instruction to the network equipment after the service processing module receives the response message, so that the network equipment can process the external connection instruction according to a processing strategy corresponding to the external connection instruction.
9. The apparatus of claim 8, further comprising: a transport driver interface (TDI) filter driver module;
the TDI filter driver module is configured to intercept the external connection instruction sent by the network communication process, acquire a source IP address, a destination IP address, a source port, a destination port and a transport layer protocol number of the external connection instruction, and an identifier of the network communication process, and send the source IP address, the destination IP address, the source port, the destination port and the transport layer protocol number of the external connection instruction and the identifier of the network communication process to the service processing module;
and the service processing module is further configured to notify the TDI filter driver module to release the external connection instruction after receiving the response message.
10. The apparatus of claim 9,
the protocol driving module is specifically configured to encapsulate the external connection instruction into a connection packet after receiving the external connection instruction, and send the connection packet to the network device, so that the network device processes the connection packet according to a processing policy corresponding to the external connection instruction.
11. The apparatus according to any one of claims 8 to 10, wherein a destination port of the notification message sent by the service processing module is an agreed port; and/or the destination IP address of the notification message sent by the service processing module is an agreed IP address.
12. A message processing apparatus, comprising: the device comprises a receiving module, an analysis module, a setting module, a sending module and a processing module;
the receiving module is configured to receive a notification message sent by a client, where the notification message sent by the client is sent after the client encapsulates a source Internet Protocol (IP) address, a destination IP address, a source port, a destination port, and a transport layer protocol number of an external connection instruction intercepted by the client, an identifier of a network communication process that sends the external connection instruction, and hardware feature information of the client in the notification message; and, after the sending module sends a response message to the client, to receive the external connection instruction sent by the client;
the analysis module is configured to analyze the notification packet received by the receiving module to obtain a source IP address, a destination IP address, a source port, a destination port, and a transport layer protocol number of the external connection instruction, and an identifier of the network communication process and hardware feature information of the client;
the setting module is used for setting a processing strategy corresponding to the external connection instruction;
the sending module is configured to send a response packet to the client after the setting module sets the processing policy corresponding to the external connection instruction;
the processing module is configured to process the external connection instruction received by the receiving module according to a processing policy corresponding to the external connection instruction.
13. The apparatus of claim 12,
the receiving module is specifically configured to receive a connection message sent by the client, where the connection message is obtained after the client encapsulates the external connection instruction;
the processing module is specifically configured to process the connection message received by the receiving module according to the processing policy corresponding to the external connection instruction.
14. The apparatus according to any one of claims 12 to 13,
the analysis module is specifically configured to, after the receiving module receives the notification message, analyze the notification message when it is determined that a destination port of the notification message is an appointed port; or analyze the notification message when it is determined that a destination IP address of the notification message is an appointed IP address; or analyze the notification message when it is determined that the destination port of the notification message is the appointed port and the destination IP address of the notification message is the appointed IP address.
15. A client device, comprising: the messaging device of any of claims 8-11.
16. A network device, comprising: the message processing apparatus according to any of claims 12-14.
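The client-side encapsulation and the network-device-side analysis, policy setting and enforcement of claims 12 to 14, as an added example that is not part of the patent or the applicant's code; the binary layout of the notification message, the appointed IP address and port, the authorization table and all sample values are assumptions, since the claims fix none of them.

```python
import socket
import struct
from dataclasses import dataclass

# Hypothetical wire layout (the patent fixes none): src_ip(4) dst_ip(4) src_port(2) dst_port(2) proto(1) pid(4) hw_len(1) hw_info
NOTIFY_FMT = "!4s4sHHBIB"
APPOINTED_IP = "10.0.0.1"  # constructed: agreed IP address of the network device
APPOINTED_PORT = 5555      # constructed: agreed destination port for notifications

@dataclass(frozen=True)
class ExternalConnection:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int      # transport layer protocol number, e.g. 6 for TCP
    pid: int        # identifier of the network communication process
    hw_info: bytes  # hardware feature information of the client

def five_tuple(c):
    return (c.src_ip, c.dst_ip, c.src_port, c.dst_port, c.proto)

def encapsulate_notification(c):
    # Client side: pack the intercepted instruction's fields into a notification message.
    hw = c.hw_info[:255]
    return struct.pack(NOTIFY_FMT, socket.inet_aton(c.src_ip), socket.inet_aton(c.dst_ip),
                       c.src_port, c.dst_port, c.proto, c.pid, len(hw)) + hw

def parse_notification(payload):
    # Network device side (analysis module): inverse of encapsulate_notification.
    hdr = struct.calcsize(NOTIFY_FMT)
    sip, dip, sp, dp, proto, pid, hw_len = struct.unpack(NOTIFY_FMT, payload[:hdr])
    hw = payload[hdr:hdr + hw_len]
    if len(hw) != hw_len:
        raise ValueError("truncated hardware feature information")
    return ExternalConnection(socket.inet_ntoa(sip), socket.inet_ntoa(dip), sp, dp, proto, pid, hw)

class NetworkDevice:
    # Sets a policy per external connection instruction, then enforces it on the connection.
    def __init__(self, authorized):
        self.authorized = authorized  # set of (hw_info, dst_port) pairs allowed to connect out
        self.policies = {}            # five-tuple -> "allow" | "deny"
    def handle_notification(self, notify_dst_ip, notify_dst_port, payload):
        # Claim 14: analyse only notifications addressed to the appointed IP and port.
        if notify_dst_ip != APPOINTED_IP or notify_dst_port != APPOINTED_PORT:
            return None
        c = parse_notification(payload)
        self.policies[five_tuple(c)] = "allow" if (c.hw_info, c.dst_port) in self.authorized else "deny"
        return "response"  # the response message; the client releases the instruction on receipt
    def process_connection(self, c):
        # A connection that was never notified has no policy and is treated as unauthorized.
        return self.policies.get(five_tuple(c), "deny")
```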
CN201210122829XA 2012-04-24 2012-04-24 Message transmitting and processing method, device, client equipment and network equipment Pending CN102647358A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210122829XA CN102647358A (en) 2012-04-24 2012-04-24 Message transmitting and processing method, device, client equipment and network equipment

Publications (1)

Publication Number Publication Date
CN102647358A true CN102647358A (en) 2012-08-22

Family

ID=46659942

Country Status (1)

Country Link
CN (1) CN102647358A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060090023A1 (en) * 2004-10-26 2006-04-27 International Business Machines Corporation Computer and method for on-demand network access control
CN101636998A (en) * 2006-08-03 2010-01-27 思杰系统有限公司 System and method for application-based interception and authorization of SSL/VPN traffic
CN101702121A (en) * 2009-10-29 2010-05-05 珠海金山软件股份有限公司 Device for controlling network flow of program in Windows system
CN101895529A (en) * 2010-05-31 2010-11-24 上海网宿科技股份有限公司 Method for judging process of TCP/IP packet in driver layer

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103338230A (en) * 2013-06-03 2013-10-02 广州天宁信息技术有限公司 A method and a system both for processing business data
CN103338230B (en) * 2013-06-03 2016-03-30 广州天宁信息技术有限公司 A kind of processing method of business datum and system
CN106406825A (en) * 2015-07-27 2017-02-15 中兴通讯股份有限公司 Command line processing method and device
CN107666474A (en) * 2016-07-30 2018-02-06 华为技术有限公司 A network message processing method, device and network server
CN107666474B (en) * 2016-07-30 2021-04-20 华为技术有限公司 A network message processing method, device and network server
US11218570B2 (en) 2016-07-30 2022-01-04 Huawei Technologies Co., Ltd. Network packet processing method and apparatus and network server
US11689646B2 (en) 2016-07-30 2023-06-27 Huawei Technologies Co., Ltd. Network packet processing method and apparatus and network server
CN110535743A (en) * 2019-08-19 2019-12-03 厦门亿联网络技术股份有限公司 A kind of processing method of data packet, device, storage medium and electronic device
CN112995179A (en) * 2021-02-25 2021-06-18 杭州迪普信息技术有限公司 Response message processing method and device
CN112995179B (en) * 2021-02-25 2022-08-26 杭州迪普信息技术有限公司 Response message processing method and device
CN113923032A (en) * 2021-10-12 2022-01-11 成都安恒信息技术有限公司 Access method for application access control
CN113923032B (en) * 2021-10-12 2024-04-09 成都安恒信息技术有限公司 Access method for application access control

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20120822