CN118631575A - A resource pool data forwarding method and system - Google Patents

A resource pool data forwarding method and system Download PDF

Info

Publication number
CN118631575A
CN118631575A CN202410893611.7A CN202410893611A CN118631575A CN 118631575 A CN118631575 A CN 118631575A CN 202410893611 A CN202410893611 A CN 202410893611A CN 118631575 A CN118631575 A CN 118631575A
Authority
CN
China
Prior art keywords
data packet
data
access switch
firewall
packet
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202410893611.7A
Other languages
Chinese (zh)
Other versions
CN118631575B (en
Inventor
刘思聪
邢建兵
邱佳慧
韩肆威
蔡超
徐亚楠
韩艳华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd filed Critical China United Network Communications Group Co Ltd
Priority to CN202410893611.7A priority Critical patent/CN118631575B/en
Publication of CN118631575A publication Critical patent/CN118631575A/en
Application granted granted Critical
Publication of CN118631575B publication Critical patent/CN118631575B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272Virtual private networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/029Firewall traversal, e.g. tunnelling or, creating pinholes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03Protecting confidentiality, e.g. by encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security
    • H04W12/088Access security using filters or firewalls
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2212/00Encapsulation of packets

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

本申请实施例提供一种资源池数据转发方法和系统,本申请涉及数据传输领域,该方法包括:UPF接收数据源发送的第一数据包,对第一数据包进行流量检测,对检测通过的第一数据包封装第一报文标识符,通过VPN通道直接转发至LEAF,对未通过检测的第二数据包封装第二报文标识符,数据包绕道防火墙,通过防火墙验证的数据包转发至LEAF。该方法通过避免所有流量绕道防火墙,减少了不必要的流量绕转,从而提高了数据包的转发效率。

The embodiment of the present application provides a resource pool data forwarding method and system, and the present application relates to the field of data transmission. The method includes: UPF receives a first data packet sent by a data source, performs flow detection on the first data packet, encapsulates a first message identifier for the first data packet that passes the detection, and directly forwards it to LEAF through a VPN channel, encapsulates a second message identifier for the second data packet that fails the detection, and the data packet bypasses the firewall, and the data packet that passes the firewall verification is forwarded to LEAF. The method reduces unnecessary flow detours by preventing all flows from bypassing the firewall, thereby improving the forwarding efficiency of data packets.

Description

Resource pool data forwarding method and system
Technical Field
The present application relates to the field of data transmission, and in particular, to a method and a system for forwarding data in a resource pool.
Background
An edge computing node (Mobile Edge Computing, MEC) is a computing architecture located at the edge of a network that aims to place computing, storage, and application functions closer to users and data sources to reduce latency and improve efficiency. The MEC core concept is to bring cloud computing resources and services close to data sources and end users, achieving this by deploying on physical or virtual nodes near the network edge of the users.
Importantly, the MEC is a pool of resources that centralizes computing, storage, and network functions. These resources can be dynamically allocated and managed as needed to meet the computing needs in different application scenarios. The resource pool of the MEC is typically made up of a plurality of physical or virtual nodes that may be deployed on edge devices, base stations, routers, or other edge facilities. The resource pool of the MEC allows for dynamic allocation of computing, storage and network resources according to demand.
This means that the application can automatically adjust resource usage based on user location, real-time data requirements, or other conditions to provide better performance and response time. The MEC nodes are located at the edge of the network, closer to the user and the data source. This positional advantage reduces the delay of data transmission and improves data access speed and bandwidth utilization. Particularly for applications requiring fast response (e.g. intelligent transportation, industrial automation), the low latency characteristics of MECs are critical. Moving computing and storage functions to the network edge may help protect data privacy and improve security. Sensitive data can be processed on edge devices, so that abnormal problems of data transmission in a network are reduced, and privacy regulations and safety standards are met.
By deploying applications and services on MEC nodes, users may experience lower latency and higher bandwidth utilization. The architecture also supports various application scenarios including smart city, internet of things, internet of vehicles, 5G communications, and the like. The resource pool concept of the MEC enables edge computing to be more flexible and efficient to cope with changing computing demands, thereby providing better user experience and quality of service.
Disclosure of Invention
The embodiment of the application provides a resource pool data forwarding method and a system, which are used for solving the problem that all traffic is processed by a firewall, so that the traffic forwarding efficiency is reduced and becomes a bottleneck of network forwarding efficiency.
In a first aspect, an embodiment of the present application provides a method for forwarding data in a resource pool, where the method is applied to a data transmission system, where the data transmission system includes a private branch exchange, an access switch, a central switch, a firewall, and an access switch, and the private branch exchange and the access switch are connected through a VPN tunnel through the central switch, where the method includes:
The user exchanger receives a first data packet from a data source, detects the validity of the first data packet through a preset flow detection mechanism, takes the detected first data packet as a second data packet, and takes the detected first data packet as a third data packet if not;
the access switch performs message encapsulation on the second data packet to obtain a fourth data packet, performs message encapsulation on the third data packet to obtain a fifth data packet, and transmits the fourth data packet and the fifth data packet to the central switch through the VPN tunnel;
The central switch forwards the fourth data packet to the access switch through the VPN tunnel and forwards the fifth data packet to the access switch through a gateway link through the firewall; the firewall is used for verifying the fifth data packet;
The access switch decapsulates the fourth data packet to obtain a second data packet, and decapsulates the fifth data packet passing verification to obtain a third data packet.
In one possible design, detecting validity of the first data packet by a preset traffic detection mechanism, using the detected first data packet as the second data packet, otherwise, using the detected first data packet as the third data packet, including:
Sending an authentication request of the first data packet to an authentication server to acquire an authentication result of the first data packet; the authentication result is used for indicating whether the first data packet comprises abnormal data or not;
decoding and analyzing the first data packet to obtain an analysis result of the first data packet;
the analysis result is used for indicating whether the first data packet comprises abnormal behaviors or not;
and taking the first data packet which does not comprise the abnormal data and the abnormal behavior as the second data packet, and taking the first data packet which comprises the abnormal data and/or the abnormal behavior as the third data packet.
In one possible design, the access switch performs packet encapsulation on the second data packet to obtain a fourth data packet, and performs packet encapsulation on the third data packet to obtain a fifth data packet, including:
Packaging the second data packet, and inserting the first identifier into a reserved field of the message header to obtain a fourth data packet; packaging the third data packet, and inserting a second identifier into a reserved field of the message header to obtain a fifth data packet; the central switch takes the data packet carrying the first identifier as a fourth data packet and takes the data packet carrying the second identifier as a fifth data packet.
In one possible design, an access switch performs VxLAN formatted packet encapsulation on a data packet;
The second data packet is subjected to message encapsulation, and a first identifier is inserted into a reserved field of a message header to obtain a fourth data packet, wherein the method comprises the following steps:
The second data packet is encapsulated by a virtual extensible local area network, and a first identifier is inserted into a Reserved field of the VxLAN Header to obtain a fourth data packet;
the third data packet is subjected to message encapsulation, and a second identifier is inserted into a reserved field of a message header to obtain a fifth data packet, wherein the method comprises the following steps:
the third data packet is packaged in a virtual extensible local area network, and a second identifier is inserted into a Reserved field of the VxLAN Header to obtain a fifth data packet; wherein the Reserved field where the second identifier is located is the same as the Reserved field where the first identifier is located.
In one possible design, before the access switch performs message encapsulation on the second data packet to obtain the fourth data packet and performs message encapsulation on the third data packet to obtain the fifth data packet, the method further includes:
the access switch writes a plurality of first message information in the second data packet into one item of the white list; wherein the plurality of first message information includes: a source address and a destination address.
In one possible design, after the central switch forwards the fourth data packet to the access switch through the virtual private network tunnel and forwards the fifth data packet to the access switch through the gateway link through the firewall, the method further comprises:
The central switch writes a plurality of second message information in the fourth data packet into one entry of the maintenance table; wherein the plurality of second message information includes: vxLAN ID and destination MAC address.
In one possible design, after the access switch writes the first plurality of message information in the second data packet to an entry of the whitelist, the method further comprises:
the access switch sets the failure time of a plurality of first message information in the white list;
After the central switch writes the plurality of second message information in the fourth data packet into an entry of the maintenance table, the method further comprises:
The central switch sets the failure time of a plurality of second message information in the maintenance table.
In one possible design, forwarding the fifth data packet to the access switch via the gateway link through the firewall includes:
the central switch transmits the fifth data packet to the firewall through the gateway link;
the firewall verifies a plurality of data information of the fifth data packet according to the predefined rule; wherein the predefined rules include filter verification, status verification, and intrusion verification, the plurality of data information including source address, destination address, protocol type, and data content;
the firewall forwards the verified fifth data packet to the access switch through the gateway link.
In one possible design, before detecting the validity of the first data packet by using a preset traffic detection mechanism, the method further includes:
the user exchanger collects own equipment operation data and obtains the resource utilization rate of the data transmission system according to the equipment operation data, wherein the equipment operation data comprises interface flow and session quantity, and the resource utilization rate comprises CPU utilization rate and memory utilization rate;
when the resource utilization is greater than a preset threshold, the access switch forwards the first data packet to the access switch over a gateway link through the firewall.
In a second aspect, an embodiment of the present application provides a resource pool data forwarding system, where the method includes:
The user exchanger is used for receiving a first data packet from a data source, detecting the validity of the first data packet through a preset flow detection mechanism, taking the detected first data packet as a second data packet, and taking the detected first data packet as a third data packet;
The access switch is used for carrying out message encapsulation on the second data packet to obtain a fourth data packet, carrying out message encapsulation on the third data packet to obtain a fifth data packet, and transmitting the fourth data packet and the fifth data packet to the central switch through the virtual private network tunnel;
A central switch for forwarding the fourth data packet to the access switch via the virtual private network tunnel and forwarding the fifth data packet to the access switch via a gateway link via the firewall; the firewall is used for verifying the fifth data packet;
And the access switch is used for decapsulating the fourth data packet to obtain the second data packet, and decapsulating the verified fifth data packet to obtain the third data packet.
The user exchanger receives a first data packet from a data source, detects the validity of the first data packet through a preset flow detection mechanism, takes the detected first data packet as a second data packet, and takes the detected first data packet as a third data packet; the access switch performs message encapsulation on the second data packet to obtain a fourth data packet, performs message encapsulation on the third data packet to obtain a fifth data packet, and transmits the fourth data packet and the fifth data packet to the central switch through the virtual private network tunnel;
The central switch forwards the fourth data packet to the access switch through the virtual private network tunnel and forwards the fifth data packet to the access switch through a gateway link through the firewall; the firewall is used for verifying the fifth data packet; the access switch decapsulates the fourth data packet to obtain a second data packet, and decapsulates the fifth data packet passing verification to obtain a third data packet. The following technical effects are realized: by avoiding all traffic from bypassing the firewall, unnecessary traffic revolution is reduced, so that the forwarding efficiency of the data packet is improved;
the data transmission is encrypted by a virtual private network tunnel technology, so that the safety of data transmission between different devices and networks is ensured, and the data package is prevented from being stolen or tampered; the central exchanger establishes and maintains a dynamic table according to the legitimacy of the flow, assists the forwarding decision of the subsequent flow, and further optimizes the flow path.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, a brief description will be given below of the drawings required for the embodiments or the prior art descriptions, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings may be obtained according to these drawings without any inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of a scenario of a resource pool data forwarding method according to an embodiment of the present application;
fig. 2 is a schematic flow chart of a resource pool data forwarding method according to an embodiment of the present application;
Fig. 3 is a second flow chart of a resource pool data forwarding method according to an embodiment of the present application;
fig. 4 is a flowchart of a method for forwarding data in a resource pool according to an embodiment of the present application;
Fig. 5 is a flow chart diagram of a resource pool data forwarding method according to an embodiment of the present application.
Reference numerals:
110-terminal; 120-base station; 130-UPF;140-EOR; 150-spin; 160-a firewall; 170-LEAF; 180-resource pool.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the application. Rather, they are merely examples of apparatus and methods consistent with aspects of the application as detailed in the accompanying claims.
In the embodiments of the present application, the words "first", "second", etc. are used to distinguish between the same item or similar items that have substantially the same function and effect. It will be appreciated by those of skill in the art that the words "first," "second," and the like do not limit the amount and order of execution, and that the words "first," "second," and the like do not necessarily differ. It should be noted that, in the embodiments of the present application, words such as "exemplary" or "such as" are used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" or "for example" should not be construed as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion. In the embodiments of the present application, "at least one" means one or more, and "a plurality" means two or more.
It should be noted that "at … …" in the embodiment of the present application may be an instant when a certain situation occurs, or may be a period of time after a certain situation occurs, which is not particularly limited in the embodiment of the present application. In addition, the data transmission method of edge calculation provided by the embodiment of the application is only used as an example, and the data transmission method of edge calculation can also comprise more or less contents.
In order to facilitate the clear description of the technical solutions of the embodiments of the present application, the following simply describes some terms and techniques involved in the embodiments of the present application:
Virtual private network (Virtual Private Network, VPN): a secure, encrypted professional channel can be established over the public network. Through this channel, the user can transmit data as in a private network, ensuring the privacy, security and integrity of the data message.
Virtual professional network tunnel: generally referred to as tunneling in VPN. Virtual private network tunnels create a secure, encrypted private channel over the public network to simulate a point-to-point direct connection.
User plane function (User Plane Function, UPF): is a key component in 5G network architecture, mainly responsible for handling traffic of user data plane, deep packet inspection can be performed, analyzing packet content to identify and filter content-based policies.
Fifth generation mobile communication technology (The 5thGenerationMobileCommunication Technology, 5G).
Access switch (Edge of Routing, EOR): usually referred to as the edge portion of the network, the last router or switch between the network core and the user device, is responsible for routing the user's traffic to the core network or internet, and also is the endpoint of the VPN tunnel, and for encrypting and decrypting data transmitted through the VPN.
Data center network (Spine-and-Leaf): the SPINE switch acts as a core switching layer, responsible for connecting multiple LEAF switches, forwarding packets, and in MEC environments, the SPINE switch may take on additional roles, for example, as a bridge connecting MEC nodes to other network components, supporting efficient data forwarding and network services.
LEAF switches are typically located at the edge of the network fabric, directly connected to terminals, servers, or resource pools, and have a high density of ports that support the connection of a large number of terminal devices.
Firewall (FW): the user monitors the data flow entering and exiting the network, controls and filters the flow according to a set of preset safety rules, and ensures the safety of the resource pool.
Virtual extension local network (Virtual eXtensible Local Area Network, vxLAN) messages: refers to a message in VxLAN format. Which is encapsulated on the basis of standard ethernet frames for transmitting two-layer data frames in an internet protocol (Internet Protocol, IP) network.
Network identifier (VxLAN Network Identifier, VNI): is a key field of VxLAN messages. And is 24 bits in size to distinguish and identify different VxLAN networks.
Source physical address (src.mac Addr): an ethernet header (INNER ETHERNET HEADER) located at the inner layer of the VxLAN message. It represents the physical (MEDIA ACCESS Control Address, MAC) Address of the source device that sent the VxLAN encapsulated packet.
Outer source internet protocol address (Outer src.ip): refers to the source IP address encapsulated in the outermost IP header of the VxLAN message. Which is the IP address of the device sending the VxLAN message, specifically the IP address of the source VxLAN Tunnel Endpoint (VTEP).
Destination internet protocol address (Outer dst.ip): refers to the destination IP address encapsulated in the outermost IP header of the VxLAN message. Which is the IP address of the device receiving the VxLAN message, i.e., the IP address of the destination VxLAN Tunnel Endpoint (VTEP).
Original ethernet frame (Original ETHERNET FRAME): refers to the two-layer data frame prior to the VXLAN encapsulation process. Which contains all the basic components of a conventional ethernet frame.
Reserved identifier (Reserved): the Reserved field is Reserved for future protocol expansion or new characteristics, so that new functions can be added on the premise of not changing the existing protocol structure, and the Reserved field is used for marking the data packet corresponding to legal flow.
Edge computing aims to extend data processing and storage functions from a conventional cloud computing center to edge locations near data sources. In edge computing, data processing occurs closer to the data generation site, typically on a device, sensor, or edge server, rather than on a traditional remote cloud server. Edge computing has wide application potential in various industries, and can realize real-time data analysis and processing and reduce data transmission delay.
MEC is a pool of resources that centralizes computing, storage, and network functions. These resources can be dynamically allocated and managed as needed to meet the computing needs in different application scenarios. The resource pool of the MEC is typically made up of a plurality of physical or virtual nodes that may be deployed on edge devices, base stations, routers, or other edge facilities. The resource pool of the MEC allows for dynamic allocation of computing, storage and network resources according to demand. This means that the application can automatically adjust resource usage based on user location, real-time data requirements, or other conditions to provide better performance and response time. The MEC nodes are located at the edge of the network, closer to the user and the data source. This positional advantage reduces the delay of data transmission and improves data access speed and bandwidth utilization. Particularly for applications requiring fast response (e.g. intelligent transportation, industrial automation), the low latency characteristics of MECs are critical. Moving computing and storage functions to the network edge may help protect data privacy and improve security. Sensitive data can be processed on edge devices, so that abnormal problems of data transmission in a network are reduced, and privacy regulations and safety standards are met.
In the prior art, data sent by a terminal finally reaches a spin switch through network equipment (a base station, a UPF, an EOR switch and a carrier network routing device), and then, the traffic is transmitted to a firewall, and the firewall deploys related policies to selectively process the traffic. The traffic then returns to the SPINE switch, after which it passes through the LEAF switch to the resource pool.
In this process, the firewall is a gateway of the whole network, all traffic (uplink or downlink) needs to be processed by the firewall, and the traffic sent by the MEC resource pool reaches the spin switch through the LEAF switch, then enters the firewall again, returns to the spin after passing through the firewall, and then is sent by the spin, passes through the bearer network, the EOR device and the like, and finally reaches the user terminal.
Since MEC resource pools typically have a high level of security, it is a standard configuration that all traffic enters the firewall. In order to enhance the security of the system, all legal traffic and illegal traffic bypass the firewall, and this operation increases the revolution of the traffic and reduces the forwarding efficiency.
However, in practice, the firewall does not need to configure different flows in a targeted manner, so that the flows are not necessary to revolve around in many times, and may become a bottleneck for network forwarding efficiency.
In order to solve the problem that the flow forwarding efficiency is low due to the fact that all uplink and downlink flows are processed through a firewall and the revolution of the flows is increased, the embodiment of the application designs a flow detection mechanism, and by means of participation of EOR (Ethernet over coax) equipment and the like, marking of characteristic flows and establishment and maintenance of a security policy dynamic table, bypass forwarding processing of all uplink and downlink flows can be avoided, and meanwhile the security of an MEC resource pool is guaranteed.
Based on the above, the embodiment of the application provides a method, a device and a system for forwarding data in a resource pool, which can be used in the field of data transmission and aims to solve the problem that the efficiency of forwarding the traffic is low due to the fact that all uplink and downlink traffic is processed through a firewall and the revolution of the traffic is increased.
The following describes the technical scheme of the present application and how the technical scheme of the present application solves the above technical problems in detail with specific embodiments. The following embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
Fig. 1 is a schematic view of a scenario of a resource pool data forwarding method according to an embodiment of the present application. It should be noted that fig. 1 is only an example of a scenario in which an embodiment of the present application may be applied to help those skilled in the art understand the technical content of the present application, but it does not mean that an embodiment of the present application may not be applied to other devices, systems, environments, or scenarios.
As shown in fig. 1, a topology of a data transmission method of edge computation is shown, including: a terminal 110; a base station 120; UPF130; EOR140; SPINE150; a firewall 160; LEAF170; MEC180.
In this scenario, the terminal 110 sends an access request through the base station 120 to request to access the resource pool 180, the back of the base station is connected with the UPF130, the data packet sent by the terminal 110 is received, the flow of the data packet is detected, the UPF130 is connected with two EORs 140 to represent different networks of signal flow, the EORs 140 package the data packet through a VPN tunnel between the EORs 140 and the pline 150, the pline 150 is connected with the firewall 160 and the LEAF170, the data packet is forwarded to the firewall 160 through the pline 150, after verification, the data packet is returned to the pline 150, or the data packet is directly forwarded to the LEAF170 without going around the firewall 160, and a plurality of LEAF170 are connected with different resource pools 180, and finally the data packet sent by the terminal 110 is transmitted to the resource pool 180.
Fig. 2 is a schematic flow chart of a resource pool data forwarding method according to an embodiment of the present application. As shown in fig. 2, the method is applied to a data transmission system, and then the method includes:
S201, a user exchanger receives a first data packet from a data source, detects the validity of the first data packet through a preset flow detection mechanism, takes the detected first data packet as a second data packet, and takes the detected first data packet as a third data packet if not;
Specifically, the UPF receives a data packet through an N3 interface, the N3 interface is an interface between the base station and the UPF, and the data packet sent by the terminal device is not necessarily legal, so that the preset flow detection mechanism judges the validity of the first data packet, and for the legal data packet and the common data packet processing mode, the legal data packet and the common data packet need to be marked out, the detected first data packet is marked as a second data packet, and the first data packet which does not pass through detection is marked as a third data packet.
S202, the access switch performs message encapsulation on the second data packet to obtain a fourth data packet, performs message encapsulation on the third data packet to obtain a fifth data packet, and transmits the fourth data packet and the fifth data packet to the central switch through the VPN tunnel;
Specifically, the EOR device receives a second data packet and a third data packet with marks, which are sent by the UPF side, and encapsulates the data packet before transmission, wherein the header of the encapsulated packet has two null fields, and bit information in the null fields is set to distinguish the second data packet from the third data packet;
A VPN is a data tunnel in which data transmitted by one VPN and another VPN are isolated from each other and data is not changed during the transmission in the tunnel. This means that if the data enters the VPN tunnel at EOR is legitimate traffic, then it is also legitimate traffic when it exits the tunnel and arrives at the spine switch.
S203, the central switch forwards the fourth data packet to the access switch through the VPN tunnel, and forwards the fifth data packet to the access switch through a gateway link through a firewall;
specifically, the firewall is used for verifying the fifth data packet;
The SPINE receives the fourth data packet, forwards the fourth data packet to the LEAF through the VPN channel, receives the fifth data packet, forwards the fifth data packet to the firewall for verification, returns the verified fifth data packet to the SPINE, forwards the fifth data packet to the LEAF through the VPN channel, and enters the resource pool after the fifth data packet is verified by the firewall as the fifth data packet in the prior art.
S204, the access switch de-encapsulates the fourth data packet to obtain a second data packet, and de-encapsulates the fifth data packet passing the verification to obtain a third data packet;
specifically, the LEAF receives a fourth data packet, decapsulates the fourth data packet to obtain a second data packet, accesses a corresponding resource pool according to a destination address in the second data packet, and receives
And the fifth data packet is unpacked to obtain a third data packet, and the corresponding resource pool is accessed according to the destination address in the second data packet.
The embodiment of the application provides a method for forwarding data in a resource pool, wherein a user switch receives a first data packet from a data source, detects the validity of the first data packet through a preset flow detection mechanism, takes the detected first data packet as a second data packet, and takes the detected first data packet as a third data packet; the access switch performs message encapsulation on the second data packet to obtain a fourth data packet, performs message encapsulation on the third data packet to obtain a fifth data packet, and transmits the fourth data packet and the fifth data packet to the SPINE through the VPN tunnel; the SPINE forwards the fourth data packet to the LEAF through the VPN tunnel, and forwards the fifth data packet to the LEAF through a gateway link through the firewall; the firewall is used for verifying the fifth data packet;
And the LEAF decapsulates the fourth data packet to obtain a second data packet, and decapsulates the verified fifth data packet to obtain a third data packet. The following technical effects are realized: by avoiding all traffic from bypassing the firewall, unnecessary traffic revolution is reduced, so that the forwarding efficiency of the data packet is improved; the data transmission is encrypted by VPN tunnel technology, so that the safety of data transmission between different devices and networks is ensured, and the data package is prevented from being stolen or tampered;
The SPINE exchanger establishes and maintains a dynamic table according to the legitimacy of the flow, assists the forwarding decision of the subsequent flow, and further optimizes the flow path.
Fig. 3 is a second flowchart of a resource pool data forwarding method according to an embodiment of the present application. As shown in fig. 3, the method is applied to a data transmission system, and then the method includes:
s301, a user exchanger collects own equipment operation data and obtains the resource utilization rate of a data transmission system according to the equipment operation data;
Specifically, the device operational data includes interface traffic and number of sessions, the resource utilization includes CPU utilization and memory utilization,
And when the resource utilization rate is greater than a preset threshold, the SPINE forwards the first data packet to the LEAF through a gateway link of the firewall, so that the pressure of the UPF is reduced, the UPF and the firewall are ensured to maintain a dynamic adjustment process on the data packet processing, and the stability of the network is enhanced.
S302, a user switch sends an authentication request of a first data packet to an authentication server to acquire an authentication result of the first data packet; decoding and analyzing the first data packet to obtain an analysis result of the first data packet;
Specifically, the authentication server selected in this embodiment is an AAA server, which is a server for network security and management, and the AAA represents identity authentication, authorization and accounting, and in this embodiment, an authentication result is returned by sending an authentication request to the AAA server, where the authentication result is used to indicate whether the first data packet includes abnormal data;
in the embodiment, a deep packet inspection technology is utilized to decode and analyze a first data packet, each field of the first data packet is analyzed, key information such as a source address, a destination address, a protocol type, a port number and the like is extracted, protocol identification is carried out on the first data packet, a network protocol of the data packet is determined, and whether the first data packet has abnormal behaviors can be distinguished by the protocol identification;
UPF predefines security rules matching the characteristics of the first packet, which rules may include blacklisting (refusing access to a specific IP address or domain name) that the first packet cannot access if in the blacklist, detecting large-scale connection requests and first packet size anomalies, etc., UPF has various analysis mechanisms, takes as the second packet a first packet that does not include anomalous data and anomalous behavior, and takes as the third packet a first packet that includes anomalous data and/or anomalous behavior.
S303, the access switch performs message encapsulation on the second data packet to obtain a fourth data packet, performs message encapsulation on the third data packet to obtain a fifth data packet, and transmits the fourth data packet and the fifth data packet to the central switch through the VPN tunnel.
S304, the central switch forwards the fourth data packet to the access switch through the VPN tunnel and forwards the fifth data packet to the access switch through the gateway link through the firewall.
S305, the access switch de-encapsulates the fourth data packet to obtain a second data packet, and de-encapsulates the fifth data packet passing the verification to obtain a third data packet.
S303, S304 and S305 are similar to S202, S203 and S204, and will not be described in detail in this embodiment.
The technical effects of the embodiment of the application are as follows: the method comprises the steps of presetting a flow detection mechanism in the UPF, analyzing abnormal data and abnormal behaviors of a first data packet through the flow detection mechanism, distinguishing the first data packet, and respectively marking the first data packet as a second data packet and a third data packet, so that the problems that all data packets sent by a terminal bypass a firewall side for verification, the firewall pressure is increased, and the data packet forwarding efficiency is reduced are solved.
Fig. 4 is a flowchart of a method for forwarding data in a resource pool according to an embodiment of the present application. As shown in fig. 4, the method is applied to a data transmission system, and then the method includes:
S401, the user exchanger receives a first data packet from a data source, detects the validity of the first data packet through a preset flow detection mechanism, takes the detected first data packet as a second data packet, and takes the detected first data packet as a third data packet;
s401 is similar to S201, and this embodiment is not described in detail.
S402, the access switch writes a plurality of first message information in the second data packet into one item of the white list, and sets the failure time of the second message information in the maintenance table;
Specifically, the first message information includes: source and destination addresses, including IP addresses and MAC addresses,
The second data packet is a legal data packet which is detected, the source address and the destination address in the second data packet are extracted and written into a white list, the white list only allows the access of known and trusted data sources, the source address and the destination in the second data packet are written into the white list, and the data packet corresponding to the second data packet is directly marked as the second data packet without flow detection when the data packet sends an access request;
legal data packets are not always legal, so that the invalid time is set for all items in the white list, and after the invalid time is exceeded, the data source corresponding to the data packet needs to be authenticated again, and the transmitted data packet needs to be detected again through a flow detection mechanism.
S403, packaging the second data packet, and inserting a first identifier into a reserved field of the message header to obtain a fourth data packet; packaging the third data packet, and inserting a second identifier into a reserved field of the message header to obtain a fifth data packet;
specifically, EOR takes a data packet carrying a first identifier as a fourth data packet, and takes a data packet carrying a second identifier as a fifth data packet;
the EOR device receives a second data packet and a third data packet sent by UPF, the EOR packages the second data packet, in order to distinguish the second data packet from the third data packet after packaging the packet, identifiers are inserted into a reserved field when packaging the packet, the packet format heads of the second data packet and the third data packet are the same, the outer layer of the packet is the source address and the scaring address of the data packet, the data packet is forwarded to the next device according to the scaring address of the packet, and the first identifier and the second identifier are used for distinguishing the second data packet and the third data packet.
S404, performing virtual extensible local area network encapsulation on the second data packet, and inserting a first identifier into a Reserved field of the VxLAN Header to obtain a fourth data packet;
Specifically, EOR encapsulates the data packet in a message of a VxLAN format;
In the EOR encapsulated packet, there is a VxLAN header, in which two Reserved fields are occupied empty fields, and the identifier may be any one of the two Reserved fields, and in this embodiment, the bit in the Reserved field of the second data packet is set to 1 to obtain the fourth data packet.
S405, performing virtual extensible local area network encapsulation on the third data packet, and inserting a second identifier into a Reserved field of the VxLAN Header to obtain a fifth data packet;
Specifically, EOR encapsulates the data packet in a message of a VxLAN format;
in the EOR encapsulated packet, there is a VxLAN header, in which two Reserved fields are occupied empty fields, and the identifier may be any one of the two Reserved fields, and in this embodiment, the bit in the Reserved field of the third data packet is kept unchanged to obtain the fifth data packet.
S406, the central switch forwards the fourth data packet to the access switch through the VPN tunnel and forwards the fifth data packet to the access switch through the gateway link through the firewall.
S407, the access switch de-encapsulates the fourth data packet to obtain a second data packet, and de-encapsulates the fifth data packet passing the verification to obtain a third data packet.
S406 and S407 are similar to S203 and S204, and the description of this embodiment is omitted.
The technical effects of the embodiment of the application are as follows: and the EOR performs message encapsulation in a VxLAN format on the received data packet, and is used for distinguishing the second data packet from the third data packet, the encapsulated message is convenient for transmission in a data transmission system, and the fourth data packet and the fifth data packet are forwarded to next hop equipment according to the address of the outer layer of the message.
Fig. 5 is a flow chart diagram of a resource pool data forwarding method according to an embodiment of the present application. As shown in fig. 5, the method is applied to a data transmission system, and then the method includes:
S501, the user exchanger receives a first data packet from a data source, detects the validity of the first data packet through a preset flow detection mechanism, takes the detected first data packet as a second data packet, and takes the detected first data packet as a third data packet if not.
S502, the access switch performs message encapsulation on the second data packet to obtain a fourth data packet, performs message encapsulation on the third data packet to obtain a fifth data packet, and transmits the fourth data packet and the fifth data packet to the central switch through the VPN tunnel.
S501 and S502 are similar to S201 and S202, and the description thereof is omitted.
S503, the central switch writes a plurality of second message information in the fourth data packet into one entry of the maintenance table, and sets the failure time of the plurality of second message information in the maintenance table;
specifically, the VxLAN ID and destination MAC address,
Extracting a source address and a destination address in a fourth data packet, writing the source address and the destination address into a maintenance table, wherein the fourth data packet is in an uplink direction, and when the data packet descends from a resource pool to a terminal, the maintenance table mainly aims at the data packet descending, and then the data packet sent by the resource pool address corresponding to the destination address is also defaulted to be a legal data packet, namely the data packet is directly forwarded to EOR through SPINE without passing through a firewall;
The legal data packet is not always legal, so that a failure time is set for the data packet address in the maintenance table, when the failure time is exceeded, the VXLAN ID and the destination address in the maintenance table can be automatically deleted, and when the downlink data packet passes through the SPINE, the data packet is verified by the bypass firewall and then returned to the SPINE, and is forwarded to the EOR.
S504, the central switch transmits the fifth data packet to the firewall through the gateway link;
Specifically, the fifth data packet of the SPINE is transmitted to the firewall, and in the prior art, the data transmission system needs to forward all the data packets to the firewall, return the SPINE after passing the firewall verification, and forward the data packets to the next hop device;
In this embodiment, the fifth data packet is obtained by packaging a third data packet, where the third data packet is a data packet passing through a flow detection mechanism, that is, a data packet corresponding to a common flow, and needs to be verified by a firewall before the data packet enters the resource pool, and the fifth data packet enters the firewall through a gateway link.
S505, the firewall verifies a plurality of data information of the fifth data packet according to a predefined rule, and forwards the verified fifth data packet to the access switch through the gateway link;
specifically, a firewall is a network security device that monitors and controls network traffic in and out;
The firewall decides whether to allow or organize a specific data packet according to a predefined rule, and for a fifth data packet, the firewall verifies the fifth data packet, and verifies the source address, the destination address, the protocol type and the data content of the fifth data packet through filtering verification, state verification and intrusion verification;
the SPINE forwards the fifth data packet to the firewall, the fifth data packet which passes the firewall verification returns to the SPINE, the fifth data packet which passes the firewall verification is forwarded to the LEAF through the SPINE and LEAF transmission link, and the fifth data packet which does not pass the firewall verification is not transmitted;
the firewall forwards the verified fifth data packet to the LEAF through the gateway link.
S306, the access switch de-encapsulates the fourth data packet to obtain a second data packet, and de-encapsulates the verified fifth data packet to obtain a third data packet.
S306 is similar to S204, and the description of this embodiment is omitted.
The technical effects of the embodiment of the application are as follows: before the SPINE forwards the fifth data packet to the LEAF, the fifth data packet is verified through the firewall, only the fifth data packet passing verification can be continuously forwarded, a data packet verification mechanism and a data packet forwarding path are increased, the flexibility of the data transmission system is enhanced, and meanwhile the safety of the system is guaranteed.
In one possible design, EOR sets a failure time of the plurality of first message information in the white list;
Specifically, legal data packets are not always legal, the expiration time is required to be set for entries in the white list, after the expiration time is exceeded, the first message information in the white list is automatically deleted, and the data packet corresponding to the source address needs to be detected again through the flow detection mechanism.
In one possible design, SPINE sets a failure time of a plurality of second message information in the maintenance table;
Specifically, the legal data packet is not always legal, so that a failure time is set for the data packet address in the maintenance table, when the failure time is exceeded, the VXLAN ID and the destination address in the maintenance table are automatically deleted, and when the downlink data packet passes through the SPINE, the data packet is verified by the bypass firewall and then returns to the SPINE, and is forwarded to the EOR.
The application also provides a resource pool data forwarding system, as shown in fig. 2, comprising:
The UPF is used for receiving a first data packet from a data source, detecting the validity of the first data packet through a preset flow detection mechanism, taking the detected first data packet as a second data packet, and taking the detected first data packet as a third data packet if the detected first data packet is not the second data packet;
The EOR is used for carrying out message encapsulation on the second data packet to obtain a fourth data packet, carrying out message encapsulation on the third data packet to obtain a fifth data packet, and transmitting the fourth data packet and the fifth data packet to the central switch through the virtual private network tunnel;
SPINE for forwarding the fourth data packet to the access switch through the virtual private network tunnel and forwarding the fifth data packet to the access switch through the gateway link via the firewall; the firewall is used for verifying the fifth data packet;
The LEAF is used for decapsulating the fourth data packet to obtain a second data packet, and decapsulating the verified fifth data packet to obtain a third data packet;
The resource pool data forwarding system is used for realizing a resource pool data forwarding method.
While the present application has been described with reference to the preferred embodiments shown in the drawings, it will be readily understood by those skilled in the art that the scope of the application is not limited to those specific embodiments, and the above examples are intended only to illustrate the technical aspects of the application, not to limit it; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the application.

Claims (10)

1. A method for forwarding data in a resource pool, the method being applied to a data transmission system, the data transmission system comprising a private branch exchange, an access switch, a central switch, a firewall, and an access switch, the private branch exchange and the access switch being connected by a virtual private network tunnel through the central switch, the method comprising:
The user exchanger receives a first data packet from a data source, detects the validity of the first data packet through a preset flow detection mechanism, takes the detected first data packet as a second data packet, and takes the detected first data packet as a third data packet;
The access switch performs message encapsulation on the second data packet to obtain a fourth data packet, performs message encapsulation on the third data packet to obtain a fifth data packet, and transmits the fourth data packet and the fifth data packet to the central switch through the virtual private network tunnel;
The central switch forwarding the fourth data packet to the access switch via the virtual private network tunnel and forwarding the fifth data packet to the access switch via a gateway link via the firewall; the firewall is used for verifying the fifth data packet;
And the access switch decapsulates the fourth data packet to obtain the second data packet, and decapsulates the verified fifth data packet to obtain the third data packet.
2. The method according to claim 1, wherein detecting the validity of the first data packet by a preset traffic detection mechanism, using the detected first data packet as a second data packet, and otherwise using the detected first data packet as a third data packet, includes:
Sending an authentication request of the first data packet to an authentication server to acquire an authentication result of the first data packet; the authentication result is used for indicating whether the first data packet comprises abnormal data or not;
Decoding and analyzing the first data packet to obtain an analysis result of the first data packet; the analysis result is used for indicating whether the first data packet comprises abnormal behaviors or not;
and taking the first data packet which does not comprise abnormal data and abnormal behaviors as the second data packet, and taking the first data packet which comprises abnormal data and/or abnormal behaviors as the third data packet.
3. The method of claim 1, wherein the access switch performing packet encapsulation on the second data packet to obtain a fourth data packet, and performing packet encapsulation on the third data packet to obtain a fifth data packet, comprises:
Packaging the second data packet, and inserting a first identifier into a reserved field of a message header to obtain the fourth data packet; packaging the third data packet, and inserting a second identifier into a reserved field of a message header to obtain the fifth data packet; the central switch takes the data packet carrying the first identifier as the fourth data packet, and takes the data packet carrying the second identifier as the fifth data packet.
4. The method of claim 3, wherein the access switch encapsulates the data packet in VxLAN format;
the step of packaging the second data packet and inserting the first identifier into a reserved field of the header to obtain the fourth data packet includes:
Performing virtual extensible local area network encapsulation on the second data packet, and inserting the first identifier into a Reserved field of a VxLAN Header to obtain the fourth data packet;
The step of packaging the third data packet and inserting a second identifier into a reserved field of a header to obtain the fifth data packet, including:
Performing virtual extensible local area network encapsulation on the third data packet, and inserting the second identifier into a Reserved field of a VxLAN Header to obtain the fifth data packet; the Reserved field where the second identifier is located is the same as the Reserved field where the first identifier is located.
5. The method of claim 4, wherein the access switch encapsulates the second data packet to obtain a fourth data packet, and before encapsulating the third data packet to obtain a fifth data packet, the method further comprises:
The access switch writes a plurality of first message information in the second data packet into one item of a white list; wherein the plurality of first message information includes: a source address and a destination address.
6. The method of claim 5, wherein after the central switch forwards the fourth data packet to the access switch via the virtual private network tunnel and forwards the fifth data packet to the access switch via a gateway link via the firewall, the method further comprises:
The central switch writes a plurality of second message information in the fourth data packet into one entry of a maintenance table; wherein the plurality of second message information includes: vxLAN ID and destination MAC address.
7. The method of claim 6, wherein after the access switch writes the first plurality of message information in the second data packet to an entry of a whitelist, the method further comprises:
the access switch sets the failure time of the first message information in the white list;
after the central switch writes the second plurality of message information in the fourth data packet into an entry of the maintenance table, the method further includes:
The central switch sets the failure time of the second message information in the maintenance table.
8. The method of claim 1, wherein forwarding the fifth data packet to the access switch via a gateway link through the firewall comprises:
The central switch transmits the fifth data packet to the firewall through the gateway link;
the firewall verifies a plurality of data information of the fifth data packet according to a predefined rule; wherein the predefined rules include filter verification, status verification, and intrusion verification, the plurality of data information including a source address, a destination address, a protocol type, and data content;
and the firewall forwards the fifth data packet passing through the verification to the access switch through the gateway link.
9. The method of claim 1, wherein before detecting the validity of the first data packet by a preset traffic detection mechanism, the method further comprises:
The user exchanger collects own equipment operation data and obtains the resource utilization rate of the data transmission system according to the equipment operation data, wherein the equipment operation data comprises interface flow and session quantity, and the resource utilization rate comprises CPU utilization rate and memory utilization rate;
And when the resource utilization rate is greater than a preset threshold value, the access switch forwards the first data packet to the access switch through a gateway link passing through the firewall.
10. A resource pool data forwarding system, the system comprising:
The user exchanger is used for receiving a first data packet from a data source, detecting the validity of the first data packet through a preset flow detection mechanism, taking the detected first data packet as a second data packet, and taking the detected first data packet as a third data packet;
The access switch is used for carrying out message encapsulation on the second data packet to obtain a fourth data packet, carrying out message encapsulation on the third data packet to obtain a fifth data packet, and transmitting the fourth data packet and the fifth data packet to the central switch through the virtual private network tunnel;
A central switch for forwarding the fourth data packet to the access switch via the virtual private network tunnel and forwarding the fifth data packet to the access switch via a gateway link via the firewall; the firewall is used for verifying the fifth data packet;
And the access switch is used for decapsulating the fourth data packet to obtain the second data packet, and decapsulating the verified fifth data packet to obtain the third data packet.
CN202410893611.7A 2024-07-04 2024-07-04 A method and system for forwarding data from a resource pool Active CN118631575B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410893611.7A CN118631575B (en) 2024-07-04 2024-07-04 A method and system for forwarding data from a resource pool

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410893611.7A CN118631575B (en) 2024-07-04 2024-07-04 A method and system for forwarding data from a resource pool

Publications (2)

Publication Number Publication Date
CN118631575A true CN118631575A (en) 2024-09-10
CN118631575B CN118631575B (en) 2026-03-27

Family

ID=92608286

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410893611.7A Active CN118631575B (en) 2024-07-04 2024-07-04 A method and system for forwarding data from a resource pool

Country Status (1)

Country Link
CN (1) CN118631575B (en)

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180026873A1 (en) * 2016-07-21 2018-01-25 Alibaba Group Holding Limited Express route transmissions between virtual machines and cloud service computing devices
CN110022263A (en) * 2018-01-08 2019-07-16 华为技术有限公司 A kind of method and relevant apparatus of data transmission
CN113612963A (en) * 2021-07-27 2021-11-05 深圳市捷视飞通科技股份有限公司 Data forwarding method and device, computer equipment and storage medium
CN114124618A (en) * 2021-12-06 2022-03-01 新华三技术有限公司成都分公司 Message transmission method and electronic equipment
CN115022909A (en) * 2022-05-27 2022-09-06 中国电信股份有限公司 UPF network element, data transmission method based on core network, equipment and medium
KR20220130022A (en) * 2021-03-17 2022-09-26 주식회사맥데이타 Apparatus, system and method for security and performance monitoring of network
US20230124136A1 (en) * 2021-10-18 2023-04-20 Honeywell International Inc. Cloud based platform to efficiently manage firewall rules and data traffic
CN116033495A (en) * 2022-12-28 2023-04-28 中国联合网络通信集团有限公司 Service data processing method, equipment and storage medium for user plane function
CN116233953A (en) * 2023-03-01 2023-06-06 深圳艾灵网络有限公司 Data transmission method, device, equipment and storage medium
DE102023100071A1 (en) * 2022-01-06 2023-07-06 Intel Corporation PROCEDURE FOR CONNECTING AN EDGE APPLICATION SERVER
CN117478583A (en) * 2022-07-20 2024-01-30 腾讯科技(深圳)有限公司 Network link switching method, device, equipment and storage medium
CN117714140A (en) * 2023-12-13 2024-03-15 天翼云科技有限公司 Safety protection method and cloud platform
CN117979359A (en) * 2022-10-26 2024-05-03 华为技术有限公司 Data transmission method and device

Patent Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180026873A1 (en) * 2016-07-21 2018-01-25 Alibaba Group Holding Limited Express route transmissions between virtual machines and cloud service computing devices
CN110022263A (en) * 2018-01-08 2019-07-16 华为技术有限公司 A kind of method and relevant apparatus of data transmission
KR20220130022A (en) * 2021-03-17 2022-09-26 주식회사맥데이타 Apparatus, system and method for security and performance monitoring of network
CN113612963A (en) * 2021-07-27 2021-11-05 深圳市捷视飞通科技股份有限公司 Data forwarding method and device, computer equipment and storage medium
US20230124136A1 (en) * 2021-10-18 2023-04-20 Honeywell International Inc. Cloud based platform to efficiently manage firewall rules and data traffic
CN114124618A (en) * 2021-12-06 2022-03-01 新华三技术有限公司成都分公司 Message transmission method and electronic equipment
DE102023100071A1 (en) * 2022-01-06 2023-07-06 Intel Corporation PROCEDURE FOR CONNECTING AN EDGE APPLICATION SERVER
CN115022909A (en) * 2022-05-27 2022-09-06 中国电信股份有限公司 UPF network element, data transmission method based on core network, equipment and medium
CN117478583A (en) * 2022-07-20 2024-01-30 腾讯科技(深圳)有限公司 Network link switching method, device, equipment and storage medium
CN117979359A (en) * 2022-10-26 2024-05-03 华为技术有限公司 Data transmission method and device
CN116033495A (en) * 2022-12-28 2023-04-28 中国联合网络通信集团有限公司 Service data processing method, equipment and storage medium for user plane function
CN116233953A (en) * 2023-03-01 2023-06-06 深圳艾灵网络有限公司 Data transmission method, device, equipment and storage medium
CN117714140A (en) * 2023-12-13 2024-03-15 天翼云科技有限公司 Safety protection method and cloud platform

Also Published As

Publication number Publication date
CN118631575B (en) 2026-03-27

Similar Documents

Publication Publication Date Title
EP4000231B1 (en) Method and system for in-band signaling in a quic session
JP3778129B2 (en) Wireless network and authentication method in wireless network
US8555056B2 (en) Method and system for including security information with a packet
JP5497901B2 (en) Anonymous communication method, registration method, message sending / receiving method and system
CN101771619B (en) Network system for realizing integrated security services
CN107104872B (en) Access control method, device and system
WO2020238327A1 (en) Method, apparatus and system for establishing user plane connection
CN113497800B (en) Boundary filtering method and device for SRv trust domain
US10805826B2 (en) Quality of service (QoS) support for tactile traffic
WO2011044808A1 (en) Method and system for tracing anonymous communication
WO2016180020A1 (en) Message processing method, device and system
EP4557709A1 (en) Packet sending method, apparatus and system
WO2024088200A1 (en) Data verification method, first network element device, and storage medium
CN105591967B (en) A data transmission method and device
CN102123071A (en) Realizing method, network, terminal and intercommunication service node for classification processing of data messages
CN101242403A (en) Flow label allocation method and system, and flow label requesting device and allocation device
US7054321B1 (en) Tunneling ethernet
CN114079572A (en) Network attack defense method, CP device and UP device
CN108064441A (en) Method and system for accelerating network transmission optimization
CN109167774B (en) A data message and a data flow security mutual access method on a firewall
CN114338784A (en) Service processing method, device and storage medium
CN118631575B (en) A method and system for forwarding data from a resource pool
EP3982598A1 (en) Method and apparatus for sending and receiving message, and communication system
CN102487386B (en) The blocking-up method of identity position separation network and system
JP5947763B2 (en) COMMUNICATION SYSTEM, COMMUNICATION METHOD, AND COMMUNICATION PROGRAM

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant