The present invention relates to communication technologies, and in particular, to a packet access control method, a forwarding engine, and communication apparatus.
With the increase of traffic over the Internet, stricter performance requirements are imposed on data communication network apparatus. Network apparatus that relies on pure software forwarding is being phased out gradually, and more apparatus uses hardware forwarding to improve performance.
Compared with software forwarding, hardware forwarding is less flexible. Many functions are impossible or nearly impossible to implement by relying solely on hardware forwarding engines such as an Application-Specific Integrated Circuit (ASIC) or a Network Processing Unit (NPU). Therefore, general network apparatus needs to provide both hardware forwarding and a device such as a CPU that implements the functions unachievable by a forwarding engine, in order to fulfill both performance and flexibility requirements. Data communication apparatus includes a data plane and a control plane. The data plane includes a hardware forwarding engine, a switching network, and a physical-layer interface, and is adapted to forward most data packets. The control plane includes a CPU and peripheral devices such as memory, and is adapted to manage and control the devices and to handle the data packets that need the participation of software, such as routing protocol packets and network management interaction packets.
Generally, most packets received by the network apparatus can have their destination determined directly inside the data plane, and are sent to that destination. However, some packets still need the participation of the control plane, for example: protocol packets exchanged between network apparatus (most typically, routing protocol packets); packets sent by another terminal or apparatus to the local apparatus, such as a configuration request sent from the network management system; and packets that pass through the local apparatus but need special treatment, such as IP packets and Time To Live (TTL) timeout packets.
After such packets are identified by the forwarding engine, they are sent through the channel between the forwarding engine and the CPU (hereinafter referred to as the “control channel”) to the CPU for processing; likewise, some packets from the CPU are forwarded by the forwarding engine through the control channel. It is to be noted that the control plane includes not only the CPU on the line card but also the CPU on the control card, regarding the typical distributed data communication apparatus shown in
In such an architecture, as restricted by the processing capability of the CPU and the bandwidth of the control channel, the network apparatus is vulnerable to intentional or unintentional Denial of Service (DoS) attacks (unintentional attacks may result from worms or network storms). If the traffic sent up from the data plane is too large in a short time, the control channel may be congested, and the sent packets may be lost. If the traffic arriving at the control plane is too large, the CPU is busy handling a certain type of sent packets and has no time for other processing.
Both consequences mentioned above may lead to faults of apparatus or network. Prevention of such attacks is essential to network apparatus.
Generally, the forwarding engine judges whether a packet needs to be sent based on some fields in the content of the packet, for example, the destination IP address, protocol number, and port number. However, a packet determined by the forwarding engine as needing to be sent may be futile to the control plane (packets futile to the control plane are called “trash packets”). The trash packets, which do not need to be sent but are actually sent, account for a great proportion of the total traffic of the sent packets.
The causes of such a consequence are as follows: although network apparatus supports multitudinous functions, it is possible that only a tiny portion of the functions of the apparatus are active in a specific scenario, and the remaining functions are inactive. After the packets attributable to the inactive functions are sent to the control plane, they are processed, found to be futile, and discarded in the end. However, such packets occupy both the bandwidth of the control channel and the processing time of the CPU. Once the traffic of such packets is too large, it may be impossible to send normal packets or handle normal services in time, and the DoS attacks mentioned above may occur.
A practice in the conventional art is:
The forwarding engine categorizes the packets to be sent, and imposes a bandwidth limit on each category of packets, where the bandwidth is configurable. Once the traffic of a type of packets is relatively large in the apparatus and such packets are futile to the current service, the bandwidth configuration may be modified according to the current configuration of the apparatus to restrict the sending of such packets and prevent DoS attacks.
However, in order not to affect normal services, the default value of the bandwidth set for the different packet categories is generally high, to prevent problems from occurring when the service corresponding to such packets is used. If the default parameter values are used to process the sent packets, trash packets may still occupy a large amount of the bandwidth of the control channel. Moreover, it is difficult to exercise precise control (for example, allowing only a specific type of packet from a specific source address to be sent) based on the packet category only.
To tackle such a problem, another practice of the conventional art is to configure an Access Control List (ACL) manually. Before sending the packet into the control channel, the forwarding engine queries the specific ACL rules configured for the apparatus, and performs a proper operation according to the action corresponding to the hit rule. The operation may be: discarding the packet, or restricting the bandwidth of this type of packets. A common practice is to configure information on the packets that need to be discarded in the ACL. In this case, the apparatus maintainers need to be quite familiar with the implementation details of the apparatus. The configuration cost is high, and errors tend to occur. Consequently, some trash packets are still sent to the CPU, it is still difficult to prevent trash packets from occupying too much bandwidth of the control channel, and it is difficult to exercise precise control. Another practice is to configure information on the packets that need to be sent to the CPU for processing in the ACL, and discard the packets not configured. In this case, manual configuration is required, and a strict requirement is imposed on the person who performs the configuration. Some packets related to the service implementation may be configured mistakenly and discarded mistakenly, which disrupts normal service operation. In the case that a new service or connection is set up, the ACL needs to be configured again if no ACL rule was configured beforehand, which deteriorates the efficiency of service operation.
A packet access control method, a forwarding engine, and communication apparatus are provided in various embodiments of the present invention to implement both precise control and service operation stability.
A packet access control method provided in an embodiment of the present invention includes:
Another packet access control method provided in an embodiment of the present invention includes:
A packet forwarding engine provided in an embodiment of the present invention includes a setting module, a storing module, a receiving module, a forwarding judging module, an access control module, and a processing module, as detailed below.
The setting module is adapted to set bandwidth parameters.
The storing module is adapted to store and update the ACL.
The receiving module is adapted to receive packets.
The forwarding judging module is adapted to judge whether the packet needs to be forwarded according to the information on the packet received by the receiving module.
The access control module is adapted to query the ACL rules stored in the storing module according to the information on the packet after the forwarding judging module determines that the packet does not need to be forwarded.
The processing module is adapted to: process the packet received by the receiving module according to a hit ACL rule if the ACL rule is hit; or send the packet received by the receiving module to the control plane by applying the first bandwidth parameter set by the setting module if no ACL rule is hit.
Communication apparatus provided in an embodiment of the present invention includes: a control unit, adapted to configure the ACL and handle packets; and a data unit, adapted to: set bandwidth parameters and judge whether the received packet needs to be forwarded according to the information on the received packet; query the ACL configured by the control unit according to the information on the packet if the packet does not need to be forwarded; and perform a proper operation if an ACL rule is hit, or send the packet to the control unit by applying the set bandwidth parameter if no ACL rule is hit.
Through the packet access control method, packet forwarding engine, and communication apparatus provided by the present invention, the technical solution under the present invention presets the packet access control and configures a bandwidth parameter for the packet which hits no ACL rule. Therefore, while reducing the influence caused by the known trash packets onto the control plane of the apparatus, the present invention prevents the packets required for service implementation from being discarded, ensures normal operation of services, and improves stability of the apparatus and availability of the whole network.
In the embodiments of the present invention, the forwarding engine queries the ACL according to the information on the packet, and performs the corresponding action if an ACL rule is hit, or configures a bandwidth parameter for the packet and sends it to the control plane such as CPU if no ACL rule is hit.
An ACL may be an ordinary ACL or a special ACL. An ordinary ACL includes quintuplet information (namely, source IP address, destination IP address, source port, destination port, and protocol number). A special ACL includes only partial fields of a quintuplet, for example, includes only the source port field or source IP address field.
In an embodiment of the present invention, the forwarding engine needs to set the first bandwidth parameter. For a packet not configured in the ACL but required for service implementation, the packet may be sent through the bandwidth available from the first bandwidth parameter. Therefore, the packet is never discarded mistakenly for failure to hit the ACL, and no service operation exception occurs for such a reason. The first bandwidth parameter may be set arbitrarily. Preferably, the first bandwidth parameter is set to less than half of the total bandwidth. Besides, a second bandwidth parameter may be set. In the case that the packet hits the ACL and the packet needs to be sent to the control plane according to the ACL rules, the packet may be sent through the bandwidth available from the second bandwidth parameter. The value of the second bandwidth parameter may be greater than the value of the first bandwidth parameter, so that the packet which hits the ACL and needs to be sent obtains a higher bandwidth than the packet which does not hit the ACL.
An ACL is configured in many ways. It may be configured manually; or, in the operation process of the apparatus, the apparatus reconfigures the ACL or updates the existing ACL. The packet which does not hit the ACL rules can still obtain a bandwidth. Therefore, when a new service or connection is set up successfully, the packet not configured in the ACL can still be sent to the control plane for processing, especially to the CPU. For example, the communication apparatus configures the ACL rules, delivers the action corresponding to the ACL rules, or deletes the ACL rules according to the currently configured service or the session set up with other apparatus or terminal.
When the apparatus configures a new service, the packet related to the new service is sent over the bandwidth available from the first bandwidth parameter to the control plane for processing if it is not configured in the ACL beforehand. The control plane judges whether the packet related to the new service is correlated with a specific service, namely, whether the packet related to the new service needs to be processed by the control plane on an ongoing basis. If so, the control plane sends the corresponding ACL rules, or concurrently sends the information on the priority corresponding to such a type of packets according to the importance of the service, to update the existing ACL. For example, the apparatus may allow a terminal to manage the apparatus through Telnet. In order to fulfill this function, the Telnet service needs to be configured and enabled for the apparatus, and a login right needs to be set so that only one terminal or certain terminals are allowed to log in to the apparatus (preventing illegal login). In light of the characteristics of the Telnet packet (the destination port number is 23, and the protocol number is that of the Transmission Control Protocol (TCP)) and the information on the IP addresses of the permitted terminals, three information elements, namely, source IP address, destination port, and protocol number, are extracted from the quintuplet to form the corresponding ACL rules, which are sent to the data plane.
In the case that the network apparatus on the control plane sets up a session (TCP connection) with another apparatus or terminal dynamically, if the control plane analyzes the information on the current session and determines that the session is set up successfully, the control plane sends the corresponding ACL rule, or concurrently sends the information on the priority corresponding to such a type of packets according to the importance of the session, to update the existing ACL. For example, before exchanging route information through a routing protocol, two routers A and B need to authenticate each other in order to prevent login of illegal terminals. The authentication process generally requires several rounds of handshake interaction. In these rounds of handshake interaction, A and B tell their own information to the opposite party, possibly including encrypted information about the password to be authenticated. After authenticating each other successfully, A and B set up the session (connection) properly. After the protocol connection is set up, the control plane of the apparatus combines the elements that identify the connection (for example, the elements of a quintuplet: source IP address, destination IP address, source port, destination port, and protocol number) into the corresponding ACL rules, which are sent to the data plane.
In the foregoing method of configuring the ACL, the information elements in the quintuplet (namely, source IP address, destination IP address, source port, destination port, and protocol number) may be combined arbitrarily into an ordinary ACL or a special ACL. The corresponding action is configured according to the ACL; or concurrently, the information on the priority corresponding to such a type of packets is delivered according to the importance of the service or session; or additionally, the configuration may be that the packet is discarded only if the packet matches the ACL.
In order to make the technical solution, objectives, and merits of the present invention clearer, a detailed description of the present invention is hereinafter given by reference to accompanying drawings and preferred embodiments.
In an embodiment of the packet access control method under the present invention, various parameters and the ACL may be set beforehand, or not set beforehand.
Step 101: The forwarding engine judges whether the packet needs to be forwarded according to the packet information. If the packet does not need to be forwarded, the process proceeds with step 103; or else step 102.
Generally, the packet needs to be analyzed in the following circumstances:
(1) The packet of the apparatus (for example, FTP packet, Telnet packet) needs to be sent.
(2) The broadcast or multicast protocol packet (for example, route protocol packet, ARP request packet) needs to be sent.
(3) If the packet by way of the apparatus is found incorrect in the processing process, the packet needs to be sent when the packet source needs to be notified, for example, when the destination is unreachable.
The forwarding engine makes a judgment by querying a specific table. If forwarding of an IP packet is involved, the forwarding engine may query the forwarding table. If the packet is ready for being forwarded directly, the process proceeds with step 102 where the packet is forwarded normally without being sent to the control plane; otherwise, the process proceeds with step 103.
Step 102: The packet is forwarded normally.
Step 103: The forwarding engine queries the ACL according to the packet information.
One more step is optional: Before the packet is sent to the control plane as required, a check is made on whether an ACL exists. If an ACL exists, the ACL is queried according to step 103; if no ACL exists, the packet is still sent to the control plane, but the packet is sent through the bandwidth available from the first bandwidth parameter in order to prevent all the bandwidth from being occupied.
Step 104: A judgment is made on whether an ACL rule is hit according to the contents in the ACL.
Step 105: The packet is sent to the control plane such as CPU through the bandwidth available from the first bandwidth parameter if no ACL rule is hit. Generally, the first bandwidth parameter is set to less than half of the total bandwidth, namely, the bandwidth configured for the packet which hits no ACL rule is relatively low.
Step 106: If an ACL rule is hit, a judgment is made on whether the corresponding action is to discard the packet. If the action is to discard the packet, the process proceeds with step 107; or else step 108. If no discarding action is set, this step may be omitted, and step 108 is performed only if an ACL rule is hit.
Step 107: The packet is discarded.
Step 108: The packet is sent to the control plane such as CPU. In this step, the packet is sent through the bandwidth available from the second bandwidth parameter, or concurrently, through the set priority. For example, the packet of higher priority is sent to the CPU through the bandwidth available from the second bandwidth parameter first. Preferably, the value of the second bandwidth parameter is greater than the value of the first bandwidth parameter, thus ensuring that the packet hitting the ACL rule obtains higher bandwidth and the packet not hitting the ACL rule obtains lower bandwidth.
If the control plane determines that the packet needs to be further routed after analyzing the packet sent through the bandwidth available from the first bandwidth parameter, the control plane generates the ACL rule according to the packet information, stipulates the specific action, sends such information to the forwarding engine, updates the existing ACL, and adds the packet information and the corresponding action into the ACL. In particular, if no ACL exists, the control plane generates an ACL according to its processing result, and sends the ACL to the forwarding engine.
Finally, after the configuration of a service is cancelled or a session is released, the corresponding ACL rule may be deleted.
In this embodiment, each step is not sequence-sensitive, and all step numbers are designed for ease of description.
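The per-packet pipeline of steps 101 through 108, together with the control-plane rule installation described earlier (the Telnet special ACL, the quintuplet rule of an established session, and rule deletion on release), as an added example in Python that is not part of the patent. The byte budgets standing in for the two bandwidth parameters, the `forwardable` flag standing in for the forwarding-table lookup of step 101, and all addresses and port numbers other than Telnet's port 23 are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "proto")

@dataclass(frozen=True)
class Packet:
    """Constructed packet record: the quintuplet the page's ACLs are built from, plus
    a flag standing in for the forwarding-table lookup of step 101."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    forwardable: bool = False  # True = transit traffic, handled by the data plane alone

@dataclass(frozen=True)
class AclRule:
    """None is a wildcard: an 'ordinary' ACL fills all five fields, a 'special' ACL
    (e.g. source IP + destination port + protocol) fills only some of them."""
    action: str  # "send" or "discard"
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    proto: Optional[str] = None
    priority: int = 0

    def matches(self, p: Packet) -> bool:
        return all(getattr(self, f) in (None, getattr(p, f)) for f in FIELDS)

class Budget:
    """Byte budget per measurement interval; a constructed stand-in for one bandwidth parameter."""
    def __init__(self, limit: int):
        self.limit, self.used = limit, 0

    def admit(self, size: int) -> bool:
        if self.used + size > self.limit:
            return False
        self.used += size
        return True

class ForwardingEngine:
    def __init__(self, total_bw: int, first_share: float = 0.25, second_share: float = 0.5):
        # Page: first parameter below half of the total, second parameter above the first.
        assert first_share < 0.5 and second_share > first_share
        self.first = Budget(int(total_bw * first_share))    # ACL misses
        self.second = Budget(int(total_bw * second_share))  # ACL hits with action "send"
        self.acl: List[AclRule] = []                        # installed by the control plane

    def handle(self, p: Packet, size: int) -> str:
        if p.forwardable:                                   # steps 101/102
            return "forwarded"
        hits = [r for r in self.acl if r.matches(p)]        # steps 103/104 (ACL may be empty)
        if not hits:                                        # step 105: miss -> small first budget
            return "sent_first" if self.first.admit(size) else "dropped_first_bw"
        rule = max(hits, key=lambda r: r.priority)          # highest-priority hit wins
        if rule.action == "discard":                        # steps 106/107: known trash
            return "discarded"
        return "sent_second" if self.second.admit(size) else "dropped_second_bw"  # step 108

class ControlPlane:
    """Turns configured services and established sessions into ACL rules."""
    def __init__(self, engine: ForwardingEngine):
        self.engine = engine

    def enable_telnet(self, allowed_src_ips: List[str]) -> None:
        # Page example: special ACL of (source IP, destination port 23, TCP) per allowed terminal.
        for ip in allowed_src_ips:
            self.engine.acl.append(AclRule("send", src_ip=ip, dst_port=23, proto="tcp", priority=1))

    def session_established(self, p: Packet, priority: int = 2) -> AclRule:
        # Page example: the full quintuplet of an authenticated protocol session.
        rule = AclRule("send", p.src_ip, p.dst_ip, p.src_port, p.dst_port, p.proto, priority)
        self.engine.acl.append(rule)
        return rule

    def mark_trash(self, **fields) -> None:
        # Packets the control plane found futile get a discard rule (partial fields allowed).
        self.engine.acl.append(AclRule("discard", **fields))

    def session_released(self, rule: AclRule) -> None:
        self.engine.acl.remove(rule)  # the rule is deleted when the session goes away
```

With the default shares, a miss-side flood exhausts only the first budget, so packets matching installed rules keep reaching the control plane through the second budget.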
In the embodiments of the present invention, if no ACL is stored in the apparatus or no ACL rule is hit, the packet may still be sent to the control plane through the bandwidth available from the first bandwidth parameter. Therefore, both precise control and service operation stability are achieved, and a supplement to the ACL is available, so that packets required for service implementation are not discarded mistakenly for failure to hit the ACL, and the service operation exception caused thereby is avoided. In this sense, the stability of the apparatus and the availability of the whole network are improved effectively, and the normal operation of the service is ensured.
As shown in
The setting module is adapted to set a bandwidth parameter. In this embodiment, the setting module is adapted to set the first bandwidth parameter and the second bandwidth parameter. The method and the objective of setting the parameters are described in the foregoing method embodiment, and not repeated here any further.
The storing module is adapted to store and update the ACL.
The receiving module is adapted to receive packets.
The forwarding judging module is adapted to judge whether the packet needs to be forwarded according to the information on the packet received by the receiving module, where the packet information generally includes at least one of the following: source IP address, destination IP address, source port, destination port and protocol number.
The access control module is adapted to query the ACL rules stored in the storing module according to the information on the packet received by the receiving module after the forwarding judging module determines that the packet does not need to be forwarded. The access control module further includes: a querying module, adapted to query whether any ACL is stored in the storing module if the forwarding judging module determines that the packet does not need to be forwarded (in this embodiment, the ACL is not necessarily set beforehand); and a judging module, adapted to query the ACL rules stored in the storing module according to the information on the packet received by the receiving module if the querying module finds an ACL.
If the querying module finds no ACL, the processing module sends the packet received by the receiving module to the control plane by applying the first bandwidth parameter set by the setting module. That is, if no ACL exists, the packet can still be sent to the control plane directly through a small bandwidth. After the packet is sent to the control plane, the ACL is delivered to the forwarding engine according to the corresponding analysis. The forwarding engine thus reduces the impact caused by known trash packets on the control plane of the apparatus and prevents the packets required for service implementation from being discarded mistakenly, ensuring normal service operation and effectively improving the stability of the apparatus and the availability of the whole network.
If the access control module determines that an ACL rule stored in the storing module is hit, the sending module applies the second bandwidth parameter set by the setting module to the packet received by the receiving module on the precondition that a second bandwidth parameter is set by the setting module, and then sends the packet to the control plane.
The processing module is adapted to perform the corresponding action if the access control module determines that an ACL rule is hit, or send the packet received by the receiving module to the control plane by applying the first bandwidth parameter set by the setting module if no ACL rule is hit.
The processing module includes a forwarding module, adapted to normally forward the packet received by the receiving module after the forwarding judging module determines that the packet needs to be forwarded.
The processing module further includes: a discarding module, adapted to discard the packet received by the receiving module according to the hit ACL rule; and a sending module, adapted to send the packet received by the receiving module to the control plane.
Moreover, the present invention discloses a type of communication apparatus. As shown in
The data unit is adapted to: set the first bandwidth parameter; judge whether the packet needs to be forwarded according to the packet information, upon arrival of a packet; query the ACL configured and delivered by the control unit according to the packet information if the packet does not need to be forwarded; perform the corresponding action if an ACL rule is hit; or send the packet to the control unit by applying the first bandwidth parameter to the packet if no ACL rule is hit.
Especially, the data unit may include a packet forwarding engine provided by the present invention. Moreover, after analyzing the packet sent through the bandwidth available from the first bandwidth parameter, the control unit delivers the ACL rule according to the packet information and stipulates the specific action if determining that the packet needs further sending in the future. If determining that the packet needs no further sending, the control unit may also send the ACL, but stipulates the action as discarding the packet. Afterwards, the control unit delivers such information to the storing module of the forwarding engine to update the ACL already existent in the storing module. If no ACL is already existent, the control unit creates an ACL according to such information, and stores the ACL in the forwarding engine.
The apparatus includes the forwarding engine provided by this embodiment, and a bandwidth parameter is configured for the packet which hits no ACL rule. Moreover, through the configuration of packet access control, while reducing the impact caused by the known trash packets onto the control plane of the apparatus, the present invention prevents the packets required for service implementation from being discarded, ensures normal operation of services, and improves stability of the apparatus and availability of the whole network.
It is understandable to those skilled in the art that all or part of the modules (units) or steps in the foregoing embodiments can be realized through hardware under the control of a program. The program may be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk, or a compact disk. Alternatively, each module (unit) or step is made into an integrated circuit module respectively, or several modules (units) or steps are made into a single integrated circuit module. Therefore, the present invention is not limited to any specific combination of hardware and software.
Although the invention has been described through exemplary embodiments, the invention is not limited to such embodiments. It is apparent that those skilled in the art can make various modifications and variations to the invention without departing from the spirit and scope of the invention, and such modifications and variations are covered by the protection scope of the present invention.
Number | Date | Country | Kind |
---|---|---|---|
200610064671.X | Dec 2006 | CN | national |
This application is a continuation of International Patent Application No. PCT/CN2007/070551, filed Aug. 24, 2007, which claims priority to Chinese Patent Application No. 200610064671.X, filed with the Chinese Patent Office on Dec. 29, 2006 and entitled “Packet Access Control Method, Forwarding Engine, and Communication Apparatus”, both of which are hereby incorporated by reference in their entirety.
Relation | Number | Date | Country |
---|---|---|---|
Parent | PCT/CN2007/070551 | Aug 2007 | US |
Child | 12493879 | | US |