[go: up one dir, main page]

WO2017045574A1 - Procédé et appareil de contrôle d'accès à fonction ip source guard - Google Patents

Procédé et appareil de contrôle d'accès à fonction ip source guard Download PDF

Info

Publication number
WO2017045574A1
WO2017045574A1 PCT/CN2016/098726 CN2016098726W WO2017045574A1 WO 2017045574 A1 WO2017045574 A1 WO 2017045574A1 CN 2016098726 W CN2016098726 W CN 2016098726W WO 2017045574 A1 WO2017045574 A1 WO 2017045574A1
Authority
WO
WIPO (PCT)
Prior art keywords
acl
ipsg
entry
software
software entry
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2016/098726
Other languages
English (en)
Chinese (zh)
Inventor
刘民
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZTE Corp filed Critical ZTE Corp
Publication of WO2017045574A1 publication Critical patent/WO2017045574A1/fr
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101Access control lists [ACL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols

Definitions

  • This document relates to, but is not limited to, the field of communication technologies, and in particular, to a method and apparatus for source protection access control.
  • the source guard (IPSG) function is used to filter the data packets received by the port to prevent unauthorized user data packets from passing. If an IPSG is configured on a port of a device (such as a switch or a router), the device checks the IPSG entry when the data packet reaches the port. The data packets matching the entry can be forwarded or enter the subsequent process. Data packets matching the entry will be discarded.
  • IPSG IP Security
  • IPSG entries can be generated by manual configuration and dynamic acquisition.
  • the matching conditions of the IPSG are: protocol (IP) address, source physical (MAC) address, and virtual local area network (VLAN) label of the interconnection between the source networks.
  • IP protocol
  • MAC source physical
  • VLAN virtual local area network
  • the general combination methods include: IP, MAC, IP plus MAC, IP plus VLAN, MAC plus VLAN, and IP plus MAC plus VLAN.
  • the IPSG function is
  • the ACL is used to form an ACL (Access Control List).
  • the ACL is used to bind the ACL. (explicit occupancy), here called implicit occupancy.
  • an ACL resource is reserved for IPSG to use. Obviously, the number of users supported by the device is limited because of the reserved ACL resources, and the number of entries supported by the normal ACL is also reduced. In addition, in the scenario where the IPSG and the common ACL are not required to be configured at the same time, or the scenario where one of the functions needs to be maximized, the ACL resource may be wasted and the requirement cannot be met.
  • the embodiments of the present invention provide a source protection access control method and device, which can utilize ACL resources to maximize the simultaneous implementation of IPSG and ACL.
  • Embodiments of the present invention provide a method for source guard access control, the method comprising:
  • IPSG match condition to each rule in the ACL software entry, and add the first rule that includes only the IPSG match condition and the data message that does not contain the IPSG match condition.
  • the second rule is to obtain a new ACL software entry;
  • the new ACL software entry is sent to the hardware used to generate the hardware entry, so that the hardware generates a hardware entry based on the new ACL software entry.
  • the method further includes:
  • the IPSG software entry is deleted and the IPSG matching condition is added to each rule in the ACL software entry.
  • the method further includes:
  • the IPSG entry is deleted. Perform the steps to add an IPSG match condition to each rule in the ACL software entry.
  • the method further includes:
  • IPSG software entry exists on the second port, determine whether the ACL software entry conflicts with the IPSG software entry.
  • the IPSG entry is deleted and the IPSG matching condition is added to each rule in the ACL software entry.
  • the method further includes:
  • the user is prompted to re-configure the ACL software entry for the second port.
  • An embodiment of the present invention further provides an apparatus for IPSG access control, the apparatus comprising:
  • Add a module set the IPSG match condition to be added to each rule in the ACL software entry, and add the first rule that contains only the IPSG match condition and the data packet that does not contain the IPSG match condition.
  • the second rule is to get a new ACL software entry;
  • the issuing module is configured to send a new ACL software entry to the hardware used to generate the hardware entry, so that the hardware generates a hardware entry according to the new ACL software entry.
  • the device further includes:
  • the first check module is configured to check whether the ACL software entry and the IPSG software entry exist on the first port of the data packet, and the ACL software entry and the IPSG software entry exist simultaneously on the first port. , triggering the first deletion module;
  • the first deletion module is configured to delete an IPSG software entry according to the trigger of the first check module, and trigger the add module to add an IPSG matching condition in each rule in the ACL software entry.
  • the device further includes:
  • the first configuration module is configured to configure an IPSG software entry for the second port for receiving the data packet
  • the second checking module is configured to check whether an ACL software entry exists in the second port, and when the ACL software entry exists in the second port, the first determining module is triggered;
  • the first determining module is configured to determine, according to the triggering of the second checking module, whether the ACL software entry conflicts with the IPSG software entry, and triggers the second deleting module when the ACL software entry does not conflict with the IPSG software entry. ;
  • the second deletion module is configured to delete an IPSG entry according to the trigger of the first determining module, and trigger the adding module to add an IPSG matching condition in each rule in the ACL software entry.
  • the device further includes:
  • the second configuration module is configured to configure an ACL software entry for the second port for receiving the data packet
  • the third checking module is configured to check whether an IPSG software entry exists in the second port, and when the IPSG software entry exists in the second port, triggering the second determining module;
  • the second determining module is configured to determine, according to the triggering of the third checking module, whether the ACL software entry conflicts with the IPSG software entry, and triggers the third deleting module when the ACL software entry does not conflict with the IPSG software entry. ;
  • the third deletion module is configured to delete an IPSG entry according to the triggering of the second determining module, and trigger the adding module to add an IPSG matching condition in each rule in the ACL software entry.
  • the device further includes:
  • the prompting module is configured to prompt the user to reconfigure the ACL software entry for the second port when the ACL software entry conflicts with the IPSG software entry.
  • the technical solution provided by the embodiment of the present invention includes: adding an IPSG matching condition to each rule in the ACL software entry, and adding a first rule that includes only the IPSG matching condition in the ACL software entry. And the second rule of the data packet that does not contain the IPSG matching condition is discarded, the new ACL software entry is obtained, and the new ACL software entry is sent to the hardware used to generate the hardware entry, so that the hardware is new.
  • the ACL software entry generates a hardware entry. The problem that the ACL resources are wasted, the IPSG and the ACL cannot be valid at the same time is solved, and the effect that the ACL resources can be maximized and the IPSG and the ACL can be simultaneously effective is achieved.
  • FIG. 1 is a flowchart of a method for source guard access control in a first embodiment of the present invention
  • FIG. 2 is a flowchart of modifying a ACL software entry to obtain a new ACL software entry when configuring an IPSG software entry (or an ACL software entry) in the first embodiment of the present invention
  • FIG. 3 is a schematic structural diagram of an apparatus for source protection access control according to a second embodiment of the present invention.
  • a first embodiment of the present invention provides a method for source guard access control, where the method includes:
  • Step 11 Add a source guard (IPSG) match condition to each rule in the access control list (ACL) software entry, and add a new rule that includes only the IPSG match condition and the discard does not include the ACL software entry.
  • the second rule of the data packet matching the IPSG condition is obtained, and a new ACL software entry is obtained.
  • the IPSG matching condition includes the following six forms: a source IP address, a source MAC address, a source IP address plus a source MAC address, a source IP address plus a VLAN tag, a source MAC address plus a VLAN tag, and a source. IP address plus source MAC address plus VLAN tag. Which form of IPSG matching condition to use can be determined by the device that receives the data message.
  • Step 12 The new ACL software entry is sent to the hardware used to generate the hardware entry, so that the hardware generates a hardware entry according to the new ACL software entry.
  • the IPSG matching condition is added to each rule in the ACL software entry, and the first rule that only includes the IPSG matching condition is added to the ACL software entry, and the discarding does not include the IPSG.
  • the second rule of the data packet matching the condition is such that the ACL resource is not reserved for the IPSG, but is reused with the ACL to fully utilize the ACL resource.
  • the new ACL software entry is sent to the hardware for generating the hardware entry, so that the hardware generates a hardware entry according to the new ACL software entry, and generates a new ACL software entry according to the first rule and the second rule.
  • the IPSG and the common ACL are recombined in the software table, and then the hardware is delivered, which can achieve the effect that both the IPSG and the ACL are effective at the same time. Therefore, the problem that the IPSG and the ACL cannot be simultaneously effective is effectively avoided, so that it can be better. Access control of data packets. It should be noted that when the device receives other data packets (that is, data packets that do not contain the IPSG matching condition), the device discards the data packets.
  • the method further includes: checking whether the ACL software entry and the IPSG software entry exist simultaneously on the first port for receiving the data packet, when When the ACL software entry and the IPSG software entry exist on the first port, the IPSG software entry is deleted. After the IPSG software entry is deleted, the process proceeds to Step 11 and Step 12 to generate hardware entries that can be used to maximize the use of ACL resources. If the ACL software entry and the IPSG software entry are not found on the first port, the ACL software entry and the IPSG software entry are not required to be deleted. For the steps of the IPSG software entry, simply write the software entry in the traditional way.
  • the generation process of a new ACL software entry is illustrated by an example.
  • the content of the IPSG software entry is: the data packet that meets the source IP address plus the source MAC address can pass (the relevant pseudo code can be: Rule 1 permit sip smac); discard other data packets (the relevant pseudo code can be: Rule 2 deny all), the content of the ACL software entry is: the data packet that meets the destination IP address can pass (the relevant pseudo code can be: Rule 1 permit sip).
  • the content of the new ACL software entry formed after the execution of step 11 is: the data packet satisfying the destination IP address plus the source IP address plus the source MAC address can pass (the relevant pseudo code can be: Rule 1permit sip smac) ; Discard other data packets (the relevant pseudo code can be: Rule 2 deny all).
  • the foregoing method further includes:
  • Step 201 Configure an IPSG software entry for the second port that is used to receive the data packet.
  • Step 202 After the IPSG software entry is configured, check whether an ACL exists on the second port. If the ACL software entry is found on the second port, go to step 2030. If the ACL software entry does not exist on the second port, go to step 2040.
  • Step 2030 Determine whether the ACL software entry conflicts with the IPSG software entry. When the ACL software entry does not conflict with the IPSG software entry, go to step 20310. When the ACL software entry conflicts with the IPSG software entry, Go to step 20320;
  • step 20310 the IPSG entry is deleted, and after the IPSG software entry is deleted, the ACL software entry is modified (ie, step 11 and step 12 are continued);
  • Step 20311 Generate a hardware entry according to the modified ACL software entry.
  • the hardware entry can not only utilize the ACL resource but also make the IPSG and the ACL take effect at the same time.
  • Step 20320 The user is prompted to re-configure an ACL software entry for the second port.
  • Step 2040 Write the IPSG software entry in a conventional manner.
  • the method may further include: configuring the ACL software entry for the second port for receiving the data packet, after the ACL software entry is configured, according to the process flow of FIG.
  • the user when it is determined that the ACL software entry conflicts with the IPSG software entry, when the ACL software entry conflicts with the IPSG software entry, the user is prompted to re-send The ACL software entry is configured on the second port so that the reconfigured ACL software entries do not conflict with the IPSG software entries.
  • a data packet that meets a source IP address (for example, IP1) can be passed in the IPSG software entry, and a data packet that meets a source IP address (for example, IP1) in the ACL software entry cannot pass.
  • the ACL software entry conflicts with the IPSG software entry.
  • the method of the embodiment of the present invention can be implemented by a computer loading based on a LINUX kernel.
  • the embodiment of the invention further provides a computer storage medium, wherein the computer storage medium stores computer executable instructions, and the computer executable instructions are used to execute the foregoing IPSG control method.
  • a second embodiment of the present invention provides a device for source protection access control, the device comprising:
  • the adding module 31 is configured to add an IPSG matching condition to each rule in the ACL software entry, and add a first rule that includes only the IPSG matching condition and a datagram that does not include the IPSG matching condition in the ACL software entry.
  • the second rule of the text obtains a new ACL software entry;
  • the sending module 32 is configured to send a new ACL software entry to the hardware used to generate the hardware entry, so that the hardware generates a hardware entry according to the new ACL software entry.
  • the device further includes:
  • the first check module is configured to check whether the ACL software entry and the IPSG software entry exist on the first port of the data packet, and the ACL software entry and the IPSG software entry exist simultaneously on the first port. , triggering the first deletion module;
  • the first deleting module is configured to delete the IPSG software entry according to the triggering of the first checking module, and trigger the adding module 31 to add an IPSG matching condition in each rule in the access control list ACL software entry.
  • the device further includes:
  • the first configuration module is configured to configure an IPSG software entry for the second port for receiving the data packet
  • the second checking module is configured to check whether an ACL software entry exists in the second port, and when the ACL software entry exists in the second port, the first determining module is triggered;
  • the first determining module is configured to determine, according to the triggering of the second checking module, that the ACL software entry is
  • the second deletion module is triggered when the ACL software entry conflicts with the IPSG software entry.
  • the second deleting module is configured to delete the IPSG entry according to the triggering of the first determining module, and trigger the adding module 31 to add an IPSG matching condition in each rule in the access control list ACL software entry.
  • the device further includes:
  • the second configuration module is configured to configure an ACL software entry for the second port for receiving the data packet
  • the third checking module is configured to check whether an IPSG software entry exists in the second port, and when the IPSG software entry exists in the second port, triggering the second determining module;
  • the second determining module is configured to determine, according to the triggering of the third checking module, whether the ACL software entry conflicts with the IPSG software entry, and triggers the third deleting module when the ACL software entry does not conflict with the IPSG software entry. ;
  • the third deleting module is configured to delete the IPSG entry according to the triggering of the second determining module, and trigger the adding module 31 to add an IPSG matching condition in each rule in the access control list ACL software entry.
  • the device further includes:
  • the prompting module is configured to prompt the user to reconfigure the ACL software entry for the second port when the ACL software entry conflicts with the IPSG software entry.
  • the foregoing apparatus adds an IPSG matching condition to each rule in the ACL software entry, and adds a first rule that includes only the IPSG matching condition and discards the ACL software entry.
  • the second rule of the data packet that does not contain the IPSG matching condition is used to multiplex the IPSG and the ACL to fully utilize the ACL resource.
  • the new ACL software entries are sent to the hardware used to generate the hardware entries, so that the hardware generates hardware entries based on the new ACL software entries, effectively avoiding the problem that IPSG and ACL cannot be valid at the same time. Better access control of data packets.
  • the apparatus for controlling IPSG access provided by the second embodiment of the present invention is the apparatus applying the foregoing method, that is, all the embodiments of the foregoing methods are applicable to the apparatus, and both can achieve the same Or similar benefits.
  • each module/unit in the foregoing embodiment may be implemented in the form of hardware, for example, by implementing an integrated circuit to implement its corresponding function, or may be implemented in the form of a software function module, for example, being executed by a processor and stored in a memory. Programs/instructions to implement their respective functions.
  • the invention is not limited to any specific form of combination of hardware and software.
  • the foregoing technical solution implements the simultaneous implementation of IPSG and ACL when maximizing the utilization of ACL resources.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

L'invention concerne un procédé et un appareil de contrôle d'accès à fonction IP Source Guard (IPSG), consistant à : ajouter une condition de correspondance IPSG à chaque règle dans des entrées logicielles de liste de contrôle d'accès (ACL), ajouter aux entrées logicielles ACL une première règle comprenant seulement les conditions de correspondance IPSG dans les entrées logicielles ACL et une seconde règle pour rejeter les paquets de données qui ne comprennent pas les conditions de correspondance IPSG, pour obtenir de nouvelles entrées logicielles ACL ; et envoyer les nouvelles entrées logicielles ACL à un matériel utilisé pour générer des entrées matérielles, de sorte que le matériel génère des entrées matérielles en fonction des entrées logicielles ACL ; les modes de réalisation de la présente invention mettent en œuvre une validité IPSG et ACL simultanée tout en maximisant l'utilisation de ressources ACL.
PCT/CN2016/098726 2015-09-17 2016-09-12 Procédé et appareil de contrôle d'accès à fonction ip source guard Ceased WO2017045574A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510595553.0 2015-09-17
CN201510595553.0A CN106549910A (zh) 2015-09-17 2015-09-17 一种源防护ipsg接入控制的方法及装置

Publications (1)

Publication Number Publication Date
WO2017045574A1 true WO2017045574A1 (fr) 2017-03-23

Family

ID=58288118

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/098726 Ceased WO2017045574A1 (fr) 2015-09-17 2016-09-12 Procédé et appareil de contrôle d'accès à fonction ip source guard

Country Status (2)

Country Link
CN (1) CN106549910A (fr)
WO (1) WO2017045574A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115589389A (zh) * 2022-09-23 2023-01-10 苏州浪潮智能科技有限公司 一种处理acl的方法、系统、设备和存储介质
CN118282696A (zh) * 2022-12-31 2024-07-02 华为技术有限公司 Acl处理装置及方法、转发芯片、网络设备

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101141304A (zh) * 2007-09-18 2008-03-12 杭州华三通信技术有限公司 Acl规则的管理方法和设备
CN101146026A (zh) * 2006-09-13 2008-03-19 中兴通讯股份有限公司 报文过滤方法及系统和装置
CN101651623A (zh) * 2009-09-07 2010-02-17 中兴通讯股份有限公司 访问控制列表应用的生成方法及装置
CN101667965A (zh) * 2009-09-29 2010-03-10 华为技术有限公司 一种生成访问控制列表的方法及路由设备
US20120082048A1 (en) * 2010-10-05 2012-04-05 Cisco Technology, Inc. System and method for providing smart grid communications and management

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101146026A (zh) * 2006-09-13 2008-03-19 中兴通讯股份有限公司 报文过滤方法及系统和装置
CN101141304A (zh) * 2007-09-18 2008-03-12 杭州华三通信技术有限公司 Acl规则的管理方法和设备
CN101651623A (zh) * 2009-09-07 2010-02-17 中兴通讯股份有限公司 访问控制列表应用的生成方法及装置
CN101667965A (zh) * 2009-09-29 2010-03-10 华为技术有限公司 一种生成访问控制列表的方法及路由设备
US20120082048A1 (en) * 2010-10-05 2012-04-05 Cisco Technology, Inc. System and method for providing smart grid communications and management

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115589389A (zh) * 2022-09-23 2023-01-10 苏州浪潮智能科技有限公司 一种处理acl的方法、系统、设备和存储介质
CN118282696A (zh) * 2022-12-31 2024-07-02 华为技术有限公司 Acl处理装置及方法、转发芯片、网络设备

Also Published As

Publication number Publication date
CN106549910A (zh) 2017-03-29

Similar Documents

Publication Publication Date Title
US12218956B2 (en) Providing a virtual security appliance architecture to a virtual cloud infrastructure
CN107332812B (zh) 网络访问控制的实现方法及装置
US11146551B2 (en) Access control
US9729578B2 (en) Method and system for implementing a network policy using a VXLAN network identifier
US20140230044A1 (en) Method and Related Apparatus for Authenticating Access of Virtual Private Cloud
WO2019037775A1 (fr) Fourniture d'un fichier de configuration de service
KR101948049B1 (ko) 강제적 접근 제어 컴퓨팅 환경에서 네트워크 제어의 개선
CN108322467B (zh) 基于ovs的虚拟防火墙配置方法、电子设备及存储介质
WO2016067165A1 (fr) Filtrage de contenu pour réseaux centrés sur l'information
CN106453409B (zh) 一种报文处理方法及接入设备
WO2017143903A1 (fr) Procédé, dispositif et système pour un contrôle d'accès
WO2018113591A1 (fr) Procédé de planification, système, dispositif de commande et support de stockage informatique
US12177313B2 (en) Captive portal redirection by devices with no internet protocol connectivity in the host virtual local area network
US8887237B2 (en) Multimode authentication
WO2016138845A1 (fr) Procédé et dispositif réalisant un téléversement d'un paquet de protocole sur une unité centrale de traitement (cpu)
WO2019024844A1 (fr) Authentification d'utilisateur au moyen d'un bras dans une architecture séparant transmission et commande
WO2017045574A1 (fr) Procédé et appareil de contrôle d'accès à fonction ip source guard
CN108076459B (zh) 网络接入控制方法、相关设备及系统
US11658976B2 (en) Captive portal redirection and network access restriction of device using a single access control list
WO2017063578A1 (fr) Procédé et appareil de traitement de paquet de données
US10341259B1 (en) Packet forwarding using programmable feature prioritization
US12143381B2 (en) Multiple host web authentication on the same port using segment security
CN108259420B (zh) 一种报文处理方法及装置
CN104852923A (zh) 一种基于用户的路由隔离方法及系统
CN118353832B (zh) 流表处理方法、装置、计算机、存储介质及程序产品

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16845688

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16845688

Country of ref document: EP

Kind code of ref document: A1