CN101170517B - A method for aging the control session table - Google Patents

Abstract

The invention discloses a method for aging a control session table, comprising: allocating a unique control identifier for the control session entry, and setting an aging time for the control identifier; if the service data controlled by the control session entry is interrupted If the duration reaches the aging time, delete the control session entry. The present invention does not require CPU intervention when each data session table item is aging, which can greatly reduce the processing amount of CPU aging messages and reduce the CPU processing load. Corresponding to the above method, the present invention also provides a device for aging the control session table.

Description

A method for aging the control session table

technical field

The invention relates to the field of communication technology, in particular to a method and device for aging a control session table.

Background technique

Many network applications have multiple associated connections. One main connection controls multiple sub-connections, such as H.232, FTP (File Transfer Protocol, File Transfer Protocol), etc., and one control connection is associated with multiple data service connections. Taking an FTP connection as an example, an FTP control channel is first established to transmit FTP control information, and then a data channel is established to transmit data services. If the control connection is lost, all associated data connections are lost as well.

NAT (Network Address Translation, Network Address Translation) is to use the internal address inside the LAN, and when the internal node wants to communicate with the external network, replace the internal address with the global address, so that it can be accessed normally on the external public network (Internet). technology. When doing NAT to the data stream of certain network application (such as FTP), need to set up control session table and data session table, and the association table between control session table and data session table, wherein, so-called NAT session table (comprising control session table and data session table) refers to the establishment of a positive and negative flow table in order to record the NAT transformation relationship of a data flow. It may be composed of IP quintuples (or part of IP quintuples) before conversion and converted IP quintuples (or part of IP quintuples). Before performing NAT on the data flow, determine what kind of connection it is. If it is a control connection, look up the control session table and perform related control signaling operations; if it is a data connection, look up the data session table. If the data session table item is matched , indicating that the data packet is not the first type of data packet to be NATed, perform NAT according to the session entry, if no data session entry is matched, indicating that the data packet is the first type of data packet to be NATed, then search According to the association table established by the control session table, after NAT is performed, relevant data session table items are established, so that subsequent data packets of this type can directly match the data session table to perform NAT.

In order to make full use of resources, both the control session table and the data session table support automatic aging, that is, when a certain session entry is not looked up (refreshed) for a period of time, the entry will be deleted. Usually, the control session passes little data, and the data session passes more data. Therefore, when the same aging time is set for the two session tables, the control session table will be aged out before the data session table. As mentioned above, if the control connection is interrupted, all associated data connections will also be interrupted, which will cause interruption of data services and affect normal network applications. The above only uses NAT as an example for illustration. For other connection-based and state-based applications, the above-mentioned problem that the control session table ages before the data session table exists, such as firewall applications. The only difference between a firewall application and a NAT application is that the session entry is different. In the firewall application, if the data flow matches the session entry, the data flow is forwarded; otherwise, the data flow is shielded to ensure network security. The problem and solution to the problem of aging of the control session table before the aging of the data session table involved in the present invention also exist or are applicable to NAT applications and firewall applications.

In order to solve the above-mentioned problem that the control session table is aging before the data session table, a unified coordination method of the CPU software can be adopted. Specifically, the CPU software is notified when the control session table entry and the data session table entry are established and deleted, and the CPU software performs the task. maintain the relationship between the two. This method relies too much on the CPU software, and the CPU software is notified of the flow creation and deletion of the control channel or the data channel. Since the processing capability of the software is far lower than that of the hardware, this will greatly affect the processing speed of network applications, resulting in performance degradation. .

In addition, it is also possible to solve the problem that the control session table ages earlier than the data session table by setting the aging time of the control session table to be greater than the aging time of the data session table. However, there are two obvious disadvantages in this method of separately setting the aging time of the control channel and the data channel: one is that it is impossible to define how long the aging time of the control session table is specifically set, such as setting 24 hours, but if an FTP data The transmission is still not completed within 24 hours, and it can only be interrupted; second, it is vulnerable to attacks. In practice, it is possible that the data connection has been established, but the control connection is still maintained due to the long aging time of the control session table. Because the control channel is occupied for a long time, it is easy to be attacked by illegal attackers, which brings security risks to network applications. In this way, when the data session entries are all aging, the control session entries will not be aged in time, resulting in resource occupation for a long time.

Contents of the invention

In view of this, the present invention provides a method and device for aging the control session table, so as to overcome the problems of low performance or difficult implementation and potential safety hazards in existing solutions.

For this reason, the embodiment of the present invention adopts following technical scheme:

A method for aging a control session table, comprising: assigning a unique control identifier to a control session entry, and setting an aging time for the control identifier; if the service data interruption duration controlled by the control session entry reaches the specified If the aging time is set, delete the control session entry;

It also includes: assigning a unique control identifier to the control session entry, and all data session entries controlled by the control session entry correspond to the control identifier; when the business data of the control session entry is input, search the data session table , and refresh the control identifier corresponding to the matching data session entry; the service data interruption time controlled by the control session entry reaches the aging time, which means that the time that the control identifier has not been refreshed exceeds the preset When controlling the identification aging time.

Realize that all the data session entries correspond to the control identifiers through the following steps: after the control identifier is assigned to the control session entry, write the control identifier into the association table; when the first data packet arrives, search The association table obtains the control identifier; establishes a data session entry, and writes the control identifier into the established data session entry.

Refreshing the control identifier is achieved through the following steps: after the control identifier is allocated to the control session entry, a control identifier table is established for the control identifier; after the data session table is searched, the control identifier in the matched data session entry is used Determine the control identification table; refresh the determined control identification table.

The aging time of the control identifier is greater than the aging time of the data session entry.

The request to delete the control session entry is reported to the CPU only when the control identifier has not been refreshed for longer than the preset control identifier aging time.

A method for aging a control session table, comprising: assigning a unique control identifier to a control session entry, and all data session entries controlled by the control session entry correspond to the control identifier; setting a default for the control identifier A counter with a value of 0; when a new data session entry is created for the control session entry, 1 is added to the counter, and when a data session entry is deleted for the control session entry, the The counter is decremented by 1; if the counter does not become 0 for the first time, delete the control session entry.

Realize that all the data session entries correspond to the control identifiers through the following steps: after the control identifier is assigned to the control session entry, write the control identifier into the association table; when the first data packet arrives, search The association table obtains the control identifier; establishes a data session entry, and writes the control identifier into the established data session entry.

A device for aging a control session table, including a data interface unit, a control session table, an association table, and a data session table, and also includes: an identification configuration unit configured to configure a unique control identification for a control session entry; an identification corresponding unit All the data session entries associated with the control session entry through the association table correspond to the control identifier; the control identifier table is used to save the control identifier, and the control identifier has a value greater than that of the data session The identification aging time of the entry; the central control unit is used to refresh the control identification table when the business data matches the data session entry, and the control identification table is not refreshed within the identification aging time , the control deletes the control session entry.

The device refers to a NAT device or a firewall device, or, the device refers to an independent functional entity existing in the NAT device or the firewall device.

A device for aging a control session table, including a data interface module, a control session table, an association table, and a data session table, and also includes: an identification configuration module configured to configure a unique control identification for a control session entry; an identification corresponding module All the data session entries associated with the control session entry through the association table are corresponding to the control identifier; the counter is identified, and the default value of the counter is 0; the central control module is used for all the data session entries associated with the association table When the control session entry creates a new data session entry, add 1 to the counter, and when deleting a data session entry for the control session entry, decrement the counter by 1; and in the counter When the non-initial value becomes 0, the control deletes the control session entry.

The present invention introduces the control identification and determines that all associated data session entries have aged through the aging of the control identification, and at this time, the control session entry is aged. On the one hand, it effectively solves the problem that the control session table is older than the data session table. Problem, all is finished by hardware simultaneously again, does not need the intervention of CPU when each data session table item ages, can alleviate the processing capacity of CPU aging message greatly, reduces CPU processing load; And, the present invention only increases control on the basis of original session table The identification field is simple and easy to perform. The control session entry is deleted at the first time when all data session entries are aging, which can avoid occupying control channel resources and eliminate the hidden danger of control channel being attacked.

Description of drawings

Fig. 1 is a flow chart of the method of the present invention;

Fig. 2 is a processing flow chart of a control connection according to Embodiment 1 of the present invention;

Fig. 3 is a processing flowchart of a data connection according to Embodiment 1 of the present invention;

Fig. 4 is a schematic diagram of Embodiment 1 of the present invention;

Fig. 5 is a flowchart of Embodiment 2 of the present invention;

Fig. 6 is a schematic structural diagram of the device of the present invention.

Detailed ways

The core of the present invention is that a unique control identifier is configured for each control connection, and after the control identifier determines that all data connections of a certain control connection are aged, the control session table of the control connection is aged.

Generally speaking, the inventive method comprises the following steps:

1. Assign a unique control identifier to the control session entry;

2. Set the aging time for the control identification;

3. If the service data interruption duration controlled by the control session entry reaches the aging time, delete the control session entry.

Referring to Fig. 1, it is a flowchart of a method embodiment of the present invention, including:

Step 101: assigning a unique control identifier (session ID) to the control session entry, and all data session entries controlled by the control session entry correspond to the control identifier;

Step 102: When the business data of the control session entry is input, search the data session table, and refresh the control identifier corresponding to the matched data session entry;

Step 103: If the control identifier has not been refreshed for longer than the preset control identifier aging time, delete the control session entry.

In order to solve the problem that the control session table is older than the data session table, the present invention configures a unique session ID for each control connection, and the data session table items belonging to each control connection are associated with the session ID when they are established. When it arrives, after searching the session table, the session ID will be refreshed, that is to say, when the session ID is refreshed, it means that the business data of the control connection is being transmitted. If it is monitored, it is determined that the session ID has not been refreshed for a period of time It can be determined that no business data of the control connection has been transmitted, that is, all data session entries of the control connection have been deleted. At this time, the control session entries of the control connection are aged and deleted.

Therefore, after the data session table is aged, the control connection can be deleted to save system resources. The association between the control connection aging and the data connection aging is established through the session ID, which can ensure that the data session table entry is deleted at the first time. It also ages the control connection, so as to reduce the unnecessary occupation of resources as much as possible, and also reduces the probability of the control connection being attacked, improving security.

In specific implementation, a session ID table can be constructed for each control connection, and an identification aging time can be set for the session ID table. The identification aging time is slightly longer than the data session table aging time. The session ID table is only based on the session ID It is a keyword and has no other content. When searching for a session entry matching the session ID, the session ID table is refreshed. If there is no operation to refresh the session ID table within the identification aging time, all data sessions of the control connection are considered All table entries have been aged. At this time, a control connection aging notification can be sent to the CPU software to delete the control session table entries. Therefore, when each data session entry ages, the CPU software does not need to be notified, and only when it is determined that all data session entries have aged out and the control session entry needs to be aged, the CPU software is notified, that is, Most of the operations of the present invention are completed in the hardware part without excessive intervention of CPU software, and on the basis of reducing the burden of CPU software, it also provides response speed and improves the overall performance of the system.

Referring to Fig. 2, it is a flow chart of the processing of the control connection in Embodiment 1, including:

Step 201: Receive a request to establish a control connection;

Step 202: Establish a control session entry;

Step 203: the CPU assigns a unique session ID to the newly established session entry;

Step 204: create a session ID table;

Step 205: Add the session ID in the association table of the control session entry.

Wherein, the execution sequence of step 204 and step 205 may be reversed.

As mentioned above, taking NAT implementation as an example, it includes control session table, data session table and association table. When establishing a control connection, query the control session table; when establishing a data connection, search the data session table. If the match is successful , NAT is performed according to the matching data session entry. If no match is successful, the association table is searched to determine whether the data connection is legal. If it is legal, NAT is performed according to the association table, and a data session entry is established at the same time. It can be seen that the data connection processing is completed jointly by the data session table and the association table. For the first packet, NAT is first performed through the association table and then the data session entry is established. For subsequent data packets, the established data session table is directly followed. The data session entry can be NATed. Therefore, in the above step 205, storing the session ID in the association table is to provide a basis for subsequent establishment of a data session entry corresponding to the session ID.

Referring to Fig. 3, it is a processing flow diagram of a data connection in Embodiment 1, including:

Step 301: business data input;

Step 302: Query the data session table, if there is no matching data session entry, it means it is the first data packet, go to step 303, otherwise, it means it is not the first data packet, go to step 306;

Step 303: look up the association table;

Step 304: Obtain the session ID in the association table;

Step 305: Create a new data session entry, and establish the corresponding relationship between the data session entry and the session ID, and then go to step 308;

Wherein, the establishment of the corresponding relationship between the data session entry and the session ID in step 305, the simplest way is to add a field in the result of the data session entry to record the session ID.

Step 306: Extract the session ID corresponding to the matching data session entry;

Step 307: Utilize the extracted session ID of step 306 to find the session ID table, and refresh the session ID table;

Step 308: forward the data.

If it is a NAT application, then in the above step 308, first perform NAT on the data flow according to the matching data session entry or rule table, and then perform data forwarding; if it is a firewall application, after matching the data session entry or rule table Perform data forwarding, otherwise, filter the data.

Referring to Fig. 4, it is a schematic diagram of embodiment one, showing the relationship between the control session table, association table, data session table and session ID table with session ID as a link. In the figure, step ① means assigning a session D to a control session entry (corresponding to a control connection), step ② means creating a session ID table for the session ID, step ③ means writing the session ID into the association table, and step ④ Indicates that the first business data packet of the control connection is applied by NAT or firewall by looking up the association table. Step ⑤ indicates that the session ID matching the association table is written into the newly created data session entry. Step ⑥ indicates that subsequent data packets pass the matching data session table item to establish a NAT or firewall application, step ⑦ indicates that the session ID table is refreshed every time a data session entry is successfully matched, and step ⑧ indicates that the session ID table is not refreshed within the identification aging time. Control session entry aging.

Embodiment 1 will be described below by taking an FTP NAT application as an example. Assume that the address of the source device A is: 10.10.0.1, access the device B with the address 6.0.0.1:21 in the form of FTP protocol, and assume that the public network address after NAT conversion is 163.10.0.1.

First, the FTP control channel will send the data to the CPU software for analysis and processing. At this time, the CPU software will assign session ID1 to the session ID table of the hardware. See Table 1 for an example of the session ID table. In actual configuration, session IDs of different control connections can be configured in a session ID table, or a session ID table can be configured for each session ID.

Table 1

Session ID1

Assuming that port 10000 is opened on 10.10.0.1 for the control connection, the i-th control session entry shown in Table 2 will be established in the hardware data session table.

Table 2

control session entry Before NAT conversion After NAT conversion i Forward 10.10.0.1:10000--> 6.0.0.1:21   163.10.0.1:10000--＞ 6.0.0.1:21+session ID1 reverse 6.10.0.1:21--＞ 163.10.0.1:10000 6.10.0.1:21--＞ 10.10.0.1:10000+session ID1

If the FTP application executes the PORT operation and opens port 10001 on 10.10.0.1 for data connection, the CPU will deliver the association table. See Table 3 for an example of the association table.

table 3

  163.10.0.1:10001-->10.10.0.1:10001+session ID1

At this time, if device B initiates a data connection to 163.10.0.1:10001, it will hit the association table and obtain the converted 10.10.0.1:10001+session ID1. At this time, the hardware directly establishes a data session entry, assuming that it is established as shown in Table 4 The jth data session entry, and assume that the m and nth data session entries in Table 4 also contain session ID1, that is, the m and nth data session entries are also controlled by the i control session entry.

Table 4

data session entry Before NAT conversion After NAT conversion m ... ... n ... ... j Forward 10.10.0.1:10001--＞ 6.0.0.1:20   163.10.0.1:10001--＞ 6.0.0.1:20+session ID1 reverse 6.10.0.1:20--> 163.0.0.1:10001 6.10.0.1:21--＞ 10.10.0.1:10001+session ID1

Subsequent data packets of this data connection will match the jth entry in the above table 4, so as to obtain session ID1. At this time, the session ID table in table 1 will be queried, and table 1 will be refreshed.

If there is no data transmission for a long time, the session entry in Table 4 will be aged, as long as all data session entries (including the m, n and j data session entries) of the i-th control session entry in Table 2 are all When it is aged, table 1 will not be refreshed. At this time, it is necessary to report to the CPU to delete the i-th control session entry.

It can be seen that when a data session entry is aging, for example, only the mth data session entry is aging but the nth and jth data session entries are not aging, the CPU will not be notified, only when all the data of the corresponding session ID1 The CPU will be reported only when the session entries are aged out, thereby reducing the number of reporting to the CPU and reducing the processing burden on the CPU. More importantly, the above-mentioned series of operations of searching the session table and refreshing the session ID table can be completed by hardware. The processing speed of hardware is obviously higher than that of software, which can greatly increase the processing speed and improve the performance of the whole system.

In addition, in addition to the above-mentioned use of the session ID table and determining whether the aging control session entry is determined by judging whether the table is refreshed, in Embodiment 2 of the present invention, it can also be determined by setting a counter for the session ID and monitoring the value of the counter Whether it is necessary to implement the aging control session entry.

Referring to Fig. 5, it is a flow chart of embodiment two, including:

Step 501: assigning a session ID to a certain control session entry (corresponding to a certain control connection);

Step 502: Create a counter for the session ID;

Step 503: write the session ID into the association table;

Step 504: The first service data packet of the control connection is processed by searching the association table;

Step 505: write the session ID of the matching association table into the newly-created data session entry, and add 1 to the counter every time a new data session entry is established;

Step 506: Subsequent data packets establish related applications by matching data session entries;

Step 507: decrement the counter by 1 each time a data session entry corresponding to the session ID is deleted;

Step 508: When the counter value is 0, it can be determined that all data session entries corresponding to the session ID have been aged out, and at this time, the control session entry can be aged out.

It should be noted that, in the above steps 505 and 507, it is necessary to increase or decrease the counter by monitoring the flow creation (establishing the data session entry) and deleting the flow (deleting the data session entry), which requires identification of the flow establishment And delete stream, of course, this identification can be done by CPU software, of course, it can also be done by hardware with this function.

By adopting the solution of the second embodiment, the control session entry can be aged immediately when the counter is 0, without delay, and the occupation of control channel resources can be further avoided.

Corresponding to Embodiment 1 of the above method, the present invention also provides a device for aging the control session table, the device may be a NAT device or a firewall device, or the device may exist in a NAT device or a firewall device independent functional entity.

Referring to FIG. 6 , it is a schematic structural diagram of the device, including a data interface unit 601, a control session table 602, an association table 603, a data session table 604, an identification configuration unit 605, an identification correspondence unit 606, a control identification table 607, and a central control unit 608.

Among them, the identification configuration unit 605 is mainly used to configure a unique control identification for the control session entry; the identification corresponding unit 606 is used to set all the data session entries associated with the control session entry through the association table with the control session entry. corresponding to the identification; the control identification table 607 is used to save the control identification, and the control identification has an identification aging time greater than that of the data session entry; the central control unit 608 is the core unit of the device, and is used for matching the business data When the data session entry is selected, the control identification table 607 is refreshed, and when the control identification table 607 is not refreshed within the identification aging time, the control session entry is deleted.

For the device corresponding to the second method embodiment, the structure is similar to that shown in FIG. 6 , the difference lies in that the identification counter is used instead of the control identification table 607, and the processing of the central control module is different.

Specifically, the device at this time includes a data interface module, a control session table, an association table and a data session table, an identification configuration module, an identification corresponding module, an identification counter and a central control module.

Wherein, the identification configuration module is used to configure a unique control identification for the control session entry; the identification corresponding module is used to set the control session entry through the associated table. All data session entries are corresponding to the control identification ; The default value of the identification counter is 0; the central control module is the core module of the device, and is used to add 1 to the counter when each new data session entry is created for the control session entry. Each time a session entry deletes a data session entry, the counter is decremented by 1; and when the counter becomes 0 for a non-initial time, the control session entry is deleted.

The above is only a preferred embodiment of the present invention, it should be pointed out that, for those of ordinary skill in the art, without departing from the principle of the present invention, some improvements and modifications can also be made, and these improvements and modifications can also be made. It should be regarded as the protection scope of the present invention.

Claims (5)

1. A method for aging the control session table, characterized in that, comprising: Assigning a unique control identifier to the control session entry, and setting an aging time for the control identifier; If the service data interruption duration controlled by the control session entry reaches the aging time, then delete the control session entry; Also includes: Set all the data session entries controlled by the control session entry to correspond to the control identifier; When the business data of the control session entry is input, search the data session table, and refresh the control identifier corresponding to the matching data session entry; The interruption duration of the service data controlled by the control session entry reaches the aging time, which means that the time during which the control identifier is not refreshed exceeds the preset aging time of the control identifier. 2. The method according to claim 1, wherein the correspondence between all data session entries and the control identifier is realized by the following steps: After allocating the control identifier to the control session entry, writing the control identifier into the association table; When the first data packet arrives, search the association table to obtain the control identifier; A data session entry is established, and the control identifier is written into the established data session entry. 3. The method according to claim 1, characterized in that the control identification is refreshed through the following steps: After allocating the control identifier to the control session entry, establishing a control identifier table for the control identifier; After searching the data session table, determine the control identification table through the control identification in the matched data session entry; The determined control identification table is refreshed. 4. The method according to claim 1, 2 or 3, wherein the aging time of the control identifier is greater than the aging time of the data session entry. 5 . The method according to claim 4 , wherein the request to delete the control session entry is reported to the CPU only when the control identifier has not been refreshed for a period exceeding a preset control identifier aging time. 5 .

Images