CN101309195A - A method and device for ensuring quality of service in a secure socket layer virtual private network - Google Patents
Abstract
The present invention discloses a method and device for a quality-of-service guarantee mechanism in a Secure Sockets Layer virtual private network. The method provided by the present invention includes: identifying the application data type and prioritizing the application data according to information associated with that application data type; and sending the application data according to the assigned priorities. The device provided by the present invention includes: a prioritization unit, configured to identify the application data type and prioritize the application data according to information associated with that type; and a sending unit, configured to send the application data according to the assigned priorities. With the method and device provided by the present invention, bandwidth can be allocated sensibly, so that the various kinds of data are sent in a reasonable order and network congestion is prevented.
Description
Technical field
The present invention relates to the field of network security, and in particular to a method and device for guaranteeing quality of service in a Secure Sockets Layer virtual private network.
Background
With the continuous progress of network technology, network security has become the problem that receives the most attention and concern. As a secure remote network access technology, the Secure Sockets Layer virtual private network (SSL VPN: Security Socket Layer Virtual Private Network) has become increasingly popular with enterprise users over the past two years.
An SSL VPN solution lets a user rely on the SSL packet handling built into the browser and, by redirecting network packets, run applications on a remote computer and read data on the company's internal servers. It uses standard SSL to encrypt the packets in transit, thereby protecting the data at the application layer. A high-quality SSL VPN solution can guarantee secure global access for an enterprise.
The two key technologies behind SSL VPN are tunneling and encryption. Tunneling means that the original packet is encapsulated at site A and, on arrival at site B, the encapsulation is removed to restore the original packet, forming a communication tunnel from A to B. Encryption disguises the sensitive information that needs protection by transforming its representation, so that unauthorized parties cannot learn the content of the protected information.
The process of sending application data with SSL VPN technology is as follows: the sending end encrypts the application data and prepends an SSL header to it, then transmits the encrypted application data to the receiving end; the format of the encrypted application data is shown in Table 1. The receiving end performs the corresponding decryption and hash processing on the received encrypted data to obtain the application data.
With the tunneling and encryption technologies described above, a secure and interoperable VPN can already be established. However, because WAN traffic is unpredictable, bandwidth utilization is low: at traffic peaks the network becomes congested and bottlenecks form, so that data with strict real-time requirements cannot be sent in time, while at traffic troughs large amounts of network bandwidth sit idle.
There is an existing network security mechanism called quality of service (QoS: Quality of Service), a technique that can be used to solve problems such as network delay and congestion. However, the prior art cannot yet support QoS policies in an SSL VPN to solve the network congestion problem.
Summary of the invention
In view of this, embodiments of the present invention provide a method and device for guaranteeing quality of service in a Secure Sockets Layer virtual private network, so that bandwidth is allocated sensibly, the various kinds of data are sent in a reasonable order, and network congestion is prevented.
An embodiment of the present invention provides a method for guaranteeing quality of service in a Secure Sockets Layer virtual private network, the method including: identifying the application data type and prioritizing the application data according to information associated with that application data type; and sending the application data according to the assigned priorities.
An embodiment of the present invention further provides a device for guaranteeing quality of service in a Secure Sockets Layer virtual private network, the device including: a prioritization unit, configured to identify the application data type and prioritize the application data according to information associated with that type; and a sending unit, configured to send the application data according to the assigned priorities.
In the method for guaranteeing quality of service in a Secure Sockets Layer virtual private network provided by embodiments of the present invention, the application data type is identified, the application data is prioritized according to information associated with that type, and the application data is sent according to the assigned priorities. Using the information associated with the identified application data type, the encrypted data carried over the SSL VPN tunnel can be told apart; by prioritizing the application data and allocating bandwidth to the different kinds of application data by priority, the various kinds of data are sent in a reasonable order, network congestion is prevented, and QoS in the SSL VPN is guaranteed.
Brief description of the drawings
Fig. 1 is a schematic diagram of the application environment of an embodiment of the present invention;
Fig. 2 is a flowchart of a method for guaranteeing quality of service in a Secure Sockets Layer virtual private network provided by one embodiment of the present invention;
Fig. 3 is a flowchart of a method for guaranteeing quality of service in a Secure Sockets Layer virtual private network provided by another embodiment of the present invention;
Fig. 4 is a diagram of a device for guaranteeing quality of service in a Secure Sockets Layer virtual private network provided by an embodiment of the present invention;
Fig. 5 is a structural diagram of the prioritization unit provided by an embodiment of the present invention;
Fig. 6 is a structural diagram of the sending unit provided by an embodiment of the present invention;
Fig. 7 is a diagram of a device for guaranteeing quality of service in a Secure Sockets Layer virtual private network provided by another embodiment of the present invention;
Fig. 8 is a structural diagram of the prioritization unit provided by another embodiment of the present invention;
Fig. 9 is a structural diagram of the sending unit provided by another embodiment of the present invention.
Detailed description
The method for guaranteeing quality of service in a Secure Sockets Layer virtual private network provided by embodiments of the present invention is described in detail below with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of the application environment of an embodiment of the present invention. As shown in Fig. 1, data is to be exchanged between the intranet at site A and the intranet at site B. The site A intranet includes server group A, site A user A1, site B user B1 who is traveling at site A, and gateway A; the site B intranet includes server group B, site B user B2, site A user A2 who is traveling at site B, and gateway B. A large number of devices need to exchange application data between gateway A and gateway B, and all of this data is SSL-encrypted in transit. At network traffic peaks, so that the various kinds of data are transmitted in a reasonable order, QoS has to be guaranteed on top of the SSL tunnel shown.
An embodiment of the present invention provides a method for guaranteeing quality of service in a Secure Sockets Layer virtual private network. Since an SSL VPN is a gateway device operating at the application layer, the method provided by this embodiment is also application-layer based. The method can be used for data exchange between at least two gateways.
Fig. 2 is a flowchart of a method for guaranteeing quality of service in a Secure Sockets Layer virtual private network provided by one embodiment of the present invention. The method includes the following steps:
Step 201: identify the application data type and, according to the identified type and the importance and real-time requirements of the application data, prepend a corresponding level identifier to the application data;
In a network, every application leaves identifying marks on its application data that can be used to recognize the source application, such as the protocol type, the source IP address or the resource type. The application data type is usually recognized by the SSL VPN device: in an SSL VPN network the device can automatically recognize the source application category of the application data, and from the recognized category it determines which application produced the data.
Because application data produced by different applications differs in importance, the real-time and stability requirements for transmitting it also differ. A level identifier is therefore prepended to the application data according to the importance of the data produced by each application. For example, some core application data has strict real-time requirements; such data is marked with the highest level, indicating that it must be transmitted first so that it is not affected by network congestion. Other application data is comparatively less important and can be marked with a lower level, indicating that its transmission may be deferred. See Table 2:
Step 202: determine the different priorities of the application data according to the level identifier prepended to it;
Data with a higher level has a higher priority; data with a lower level has a lower priority.
Step 203: send the application data in order of priority.
According to its priority, the application data is placed in the queue of the corresponding level; the application data is then sent in the priority order of the queues.
The application data with the highest priority is placed in the highest-level queue, whose transmission level is set to the first priority, and the application data in this queue is sent first.
Application data with the next higher priority is placed in the next higher-level queue, whose transmission level is set to the second priority; once all application data in the first-priority queue has been sent, the application data in the second-priority queue is sent.
And so on: the application data in the third, fourth, ... priority queues is sent in turn.
The application data with the lowest priority is placed in the lowest-level queue, whose transmission level is set to the lowest. Transmission of application data in lower-level queues is deferred; it is sent in turn once the application data in the higher-level queues has been sent.
In the method provided by this embodiment, a level identifier is prepended to the application data according to the identified application data type and the importance and real-time requirements of the data, the application data is prioritized directly from the level identifier, and the data is then sent in turn. When there are many devices in the SSL VPN network there is a great deal of application data to send, and it may be hard to tell the importance level of the data directly from the identified application data type. Another embodiment of the present invention therefore provides a method that first classifies the application data and then prioritizes the application data within each class; it achieves the object of the invention equally well.
Fig. 3 is a flowchart of a method for guaranteeing quality of service in a Secure Sockets Layer virtual private network provided by another embodiment of the present invention. The method includes the following steps:
Step 301: identify the application data type and prepend a type identifier to the application data;
In a network, every application leaves identifying marks on its application data that can be used to recognize the source application, such as the protocol type, the source IP address or the resource type. The application data type is usually recognized by the SSL VPN device: in an SSL VPN network the device can automatically recognize the source application category of the application data, and according to the recognized category it prepends a type identifier to the application data, as shown in Table 2, which is used to determine which application produced the data.
Step 302: obtain the type identifier added above and classify the application data;
The type identifier prepended to the application data is obtained, the application data is classified, and application data of the same type is grouped together.
The device automatically recognizes many source application types, so the type identifier can carry several kinds of source application type information; one kind of information is chosen to classify the application data. For example, the application data can be classified by the protocol type information, the source and destination IP address information, or the resource type information contained in the obtained type identifier.
Step 303: determine different priorities for the application data in each class obtained from the classification;
According to the importance of the application data, application data within the same class differs in sending priority. For example, some core application data must be delivered promptly; marking such data with the highest priority and sending it first keeps it from being affected by network congestion, whereas other application data is comparatively less important and can be deferred. The priority of the application data therefore has to be determined from the importance of the application data within each class.
The three classification methods described in step 302 illustrate how priority is determined:
(1) Protocol type: some protocols consume a great deal of bandwidth and easily cause service delays, so application data of such protocol types can be deferred; other protocols, by comparison, do not consume much bandwidth, and application data of those protocol types can be handled first.
(2) Source and destination IP address: this can be the IP address of a host or of a network segment. Most of the time a server is configured for a single application, so analyzing the source IP address of the application data reveals which devices produced it, an e-mail server for example. Among this application data, some has strict real-time requirements, some has strict reliability requirements, and some is very important and must be transmitted immediately. The application data can be prioritized on this basis, determining which devices' application data needs to be transmitted first and which can be deferred.
(3) Resource type: most SSL VPN devices support classification of resources, and application data can be handled differently according to the resource category. Application data can therefore also be prioritized by resource type.
Step 304: send the application data in turn according to the priority.
According to its priority, the application data is placed in the queue of the corresponding level; the application data is then sent in the priority order of the queues.
The application data with the highest priority is placed in the highest-level queue, whose transmission level is set to the first priority, and the application data in this queue is sent first.
Application data with the next higher priority is placed in the next higher-level queue, whose transmission level is set to the second priority; once all application data in the first-priority queue has been sent, the application data in the second-priority queue is sent.
And so on: the application data in the third, fourth, ... priority queues is sent in turn.
The application data with the lowest priority is placed in the lowest-level queue, whose transmission level is set to the lowest. Transmission of application data in lower-level queues is deferred; it is sent in turn once the data in the higher-level queues has been sent.
With the method provided by the embodiments of the present invention, key data can be sent promptly and accurately at WAN traffic peaks, guaranteeing QoS in the SSL VPN.
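Both embodiments end in the same queue discipline (steps 203 and 304): the gateway reads cleartext metadata before SSL wrapping, maps it to a level, keeps one queue per level and drains the queues in strict level order. The following Python is an added illustration, not the patent's own code: it implements the three classification methods of steps 302/303 and the strict-priority sender, and shows the deferral of low-level data under a tight bandwidth budget. The class names, level tables, addresses and sample records are constructed assumptions; the source-address method uses only the source network.

```python
from collections import deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, List

# Level identifiers the gateway prepends to application data (steps 201/301).
# Convention assumed here: 1 is the most important, real-time class.
LEVEL_REALTIME, LEVEL_HIGH, LEVEL_NORMAL, LEVEL_LOW = 1, 2, 3, 4


@dataclass(frozen=True)
class AppData:
    """Application data as gateway A sees it before the SSL header is added.
    Only metadata readable in the clear is used: after SSL wrapping the payload
    is opaque, so classification must happen here. Field names are constructed."""
    seq: int          # arrival order, used to check the send order
    protocol: str     # source application protocol, e.g. "VOIP", "FTP"
    src_ip: str
    dst_ip: str
    resource: str     # resource category the SSL VPN device assigned
    size: int         # bytes; only used for the bandwidth-budget demo


# Constructed class -> level tables for steps 302/303.  Anything not in a table
# falls through to LEVEL_LOW, so unidentified traffic never out-ranks critical traffic.
PROTOCOL_LEVEL = {"VOIP": LEVEL_REALTIME, "ERP": LEVEL_HIGH,
                  "HTTP": LEVEL_NORMAL, "SMTP": LEVEL_NORMAL, "FTP": LEVEL_LOW}
SOURCE_NET_LEVEL = {"10.1.1.0/24": LEVEL_REALTIME,   # voice servers (constructed)
                    "10.1.2.0/24": LEVEL_HIGH,       # ERP servers
                    "10.1.3.0/24": LEVEL_NORMAL}     # mail servers
RESOURCE_LEVEL = {"voice": LEVEL_REALTIME, "erp": LEVEL_HIGH,
                  "web": LEVEL_NORMAL, "bulk": LEVEL_LOW}
LEVEL_TABLES = {"protocol": PROTOCOL_LEVEL, "source": SOURCE_NET_LEVEL,
                "resource": RESOURCE_LEVEL}


def classify(d: AppData, method: str) -> str:
    """Step 302: derive the class key from one kind of type information."""
    if method == "protocol":
        return d.protocol
    if method == "source":
        # Servers are usually dedicated to one application (step 303 (2)).
        for cidr in SOURCE_NET_LEVEL:
            if ip_address(d.src_ip) in ip_network(cidr):
                return cidr
        return "unknown-net"
    if method == "resource":
        return d.resource
    raise ValueError(f"unknown classification method: {method}")


def priority_for(d: AppData, method: str) -> int:
    """Step 303: map the class to its level identifier (lower = sent first)."""
    return LEVEL_TABLES[method].get(classify(d, method), LEVEL_LOW)


class StrictPriorityScheduler:
    """Steps 203/304: one FIFO per level, drained in strict level order.
    A lower-level queue is served only once every higher-level queue is empty,
    as the description states; under sustained high-level load that starves the
    low levels (a deployment would add a minimum share or ageing, not described here)."""

    def __init__(self) -> None:
        self.queues: Dict[int, Deque[AppData]] = {}

    def enqueue(self, d: AppData, method: str = "protocol") -> int:
        level = priority_for(d, method)
        self.queues.setdefault(level, deque()).append(d)
        return level

    def send(self, byte_budget: int) -> List[AppData]:
        """Send whole units in level order until the budget runs out; whatever
        is left in self.queues afterwards was deferred."""
        sent: List[AppData] = []
        for level in sorted(self.queues):
            q = self.queues[level]
            while q and q[0].size <= byte_budget:
                d = q.popleft()
                byte_budget -= d.size
                sent.append(d)
            if q:          # head does not fit: stop; lower levels wait too
                break
        return sent


# Constructed burst of traffic arriving at gateway A (cf. Fig. 1).
SAMPLE = [
    AppData(1, "FTP",  "10.1.9.5",  "10.2.0.7",  "bulk",  1400),
    AppData(2, "HTTP", "10.1.9.6",  "10.2.0.8",  "web",    800),
    AppData(3, "VOIP", "10.1.1.20", "10.2.0.9",  "voice",  160),
    AppData(4, "ERP",  "10.1.2.4",  "10.2.0.10", "erp",    600),
    AppData(5, "VOIP", "10.1.1.21", "10.2.0.9",  "voice",  160),
]


def send_order(method: str, byte_budget: int = 10_000) -> List[int]:
    """Enqueue SAMPLE, send within the budget and return the seq numbers sent."""
    sched = StrictPriorityScheduler()
    for d in SAMPLE:
        sched.enqueue(d, method)
    return [d.seq for d in sched.send(byte_budget)]
```

With a 1000-byte budget `send_order("protocol", 1000)` returns only the VoIP and ERP units; the HTTP and FTP units stay queued, which is the deferral the description calls for and also the starvation risk a deployment has to manage.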
Embodiments of the present invention also provide a device for guaranteeing quality of service in a Secure Sockets Layer virtual private network. Fig. 4 is a diagram of a device for guaranteeing quality of service in a Secure Sockets Layer virtual private network provided by one embodiment of the present invention. The device includes a prioritization unit 401 and a sending unit 402, where:
the prioritization unit 401 is configured to identify the application data type and, according to the identified type and the importance and real-time requirements of the application data, prepend a corresponding level identifier to the application data and prioritize the application data;
the sending unit 402 is configured to send the application data in turn according to the priority.
Fig. 5 is a structural diagram of the prioritization unit provided by one embodiment of the present invention. The prioritization unit includes an identification subunit 501, an identifier-adding subunit 502 and a priority determination subunit 503, where:
the identification subunit 501 is configured to identify the application data type.
In a network, every application leaves identifying marks on its application data that can be used to recognize the source application, such as the protocol type, the source server address or the source port. In an SSL VPN network the device can automatically recognize the source application category of the application data, so the identification subunit 501 is used to identify the type of the application data;
the application data type is usually recognized by the SSL VPN device;
the identifier-adding subunit 502 is configured to prepend a level identifier to the application data according to the identified application data type and the importance and real-time requirements of the data;
the priority determination subunit 503 is configured to determine the different priorities of the application data according to the added level identifier.
Fig. 6 is a structural diagram of the sending unit provided by one embodiment of the present invention. The sending unit includes a queuing subunit 601 and a sequential sending subunit 602, where:
the queuing subunit 601 is configured to place the application data, according to its priority, in the queue of the corresponding level.
The application data with the highest priority is placed in the highest-level queue, whose transmission level is set to the first priority. Application data with the next higher priority is placed in the next higher-level queue, whose transmission level is set to the second priority. And so on for the third, fourth, ... priority queues. The application data with the lowest priority is placed in the lowest-level queue, whose transmission level is set to the lowest.
The sequential sending subunit 602 is configured to send the application data in the priority order of the queues.
The application data in the first-priority queue is sent first; once it has all been sent, the application data in the second-priority queue is sent. And so on for the third, fourth, ... priority queues. Transmission of application data in lower-level queues is deferred; it is sent in turn once the data in the higher-level queues has been sent.
Fig. 7 is a diagram of a device for guaranteeing quality of service in a Secure Sockets Layer virtual private network provided by another embodiment of the present invention. The device includes a prioritization unit 701 and a sending unit 702, where:
the prioritization unit 701 is configured to identify the application data type, prepend a type identifier to the application data, classify the application data according to the type identifier, and prioritize the application data within each class separately;
the sending unit 702 is configured to send the application data in turn according to the priority.
Fig. 8 is a structural diagram of the prioritization unit provided by another embodiment of the present invention. The prioritization unit includes an identification subunit 801, an identifier-adding subunit 802, a classification subunit 803 and a priority determination subunit 804, where:
the identification subunit 801 is configured to identify the application data type.
In a network, every application leaves identifying marks on its application data that can be used to recognize the source application, such as the protocol type, the source server address or the source port. In an SSL VPN network the device can automatically recognize the source application category of the application data, so the identification subunit 801 is used to identify the type of the application data.
The application data type is usually recognized by the SSL VPN device.
The identifier-adding subunit 802 is configured to prepend the corresponding type identifier to the application data.
The classification subunit 803 is configured to classify the application data according to the obtained type identifier.
The device automatically recognizes many source application types, so the type identifier can carry several kinds of source application type information; one kind of information is chosen to classify the application data. For example, the classification subunit 803 can classify by the protocol type information, the source and destination IP address information, or the resource type information contained in the obtained type identifier.
The priority determination subunit 804 is configured to determine priorities for the application data in each class obtained from the classification.
Fig. 9 is a structural diagram of the sending unit provided by another embodiment of the present invention. The sending unit includes a queuing subunit 901 and a sequential sending subunit 902, where:
the queuing subunit 901 is configured to place the application data, according to its priority, in the queue of the corresponding level.
The application data with the highest priority is placed in the highest-level queue, whose transmission level is set to the first priority. Application data with the next higher priority is placed in the next higher-level queue, whose transmission level is set to the second priority. And so on for the third, fourth, ... priority queues. The application data with the lowest priority is placed in the lowest-level queue, whose transmission level is set to the lowest.
The sequential sending subunit 902 is configured to send the application data in the priority order of the queues.
The application data in the first-priority queue is sent first; once it has all been sent, the application data in the second-priority queue is sent. And so on for the third, fourth, ... priority queues. Transmission of application data in lower-level queues is deferred; it is sent in turn once the data in the higher-level queues has been sent.
In summary, in the method for guaranteeing quality of service in a Secure Sockets Layer virtual private network provided by embodiments of the present invention, the application data type is identified, the application data is prioritized according to information associated with that type, and the application data is sent in turn according to the assigned priorities. In this way, at WAN traffic peaks bandwidth is allocated by priority, so that the various kinds of data are sent in a reasonable order, network congestion is prevented, and QoS in the SSL VPN is guaranteed.
Those of ordinary skill in the art will understand that all or part of the steps of the methods in the above embodiments can be carried out by a program instructing the relevant hardware, and that the program can be stored in a computer-readable storage medium; when executed, the program performs the following steps: identifying the application data type and prioritizing the application data according to information associated with that type; and sending the application data according to the assigned priorities.
The method and device for guaranteeing quality of service in a Secure Sockets Layer virtual private network provided by embodiments of the present invention have been described above in detail. Specific examples have been used herein to explain the principle and implementation of the present invention; the description of the above embodiments serves only to help understand the method of the present invention and its core idea. At the same time, those of ordinary skill in the art may, following the idea of the present invention, make changes to the specific implementation and scope of application. In summary, the content of this specification should not be construed as limiting the present invention.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA2008101269397A CN101309195A (en) | 2008-06-18 | 2008-06-18 | A method and device for ensuring quality of service in a secure socket layer virtual private network |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA2008101269397A CN101309195A (en) | 2008-06-18 | 2008-06-18 | A method and device for ensuring quality of service in a secure socket layer virtual private network |
Publications (1)
Publication Number | Publication Date |
---|---|
CN101309195A true CN101309195A (en) | 2008-11-19 |
Family
ID=40125425
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNA2008101269397A Pending CN101309195A (en) | 2008-06-18 | 2008-06-18 | A method and device for ensuring quality of service in a secure socket layer virtual private network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101309195A (en) |
Cited By (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102143088A (en) * | 2011-04-29 | 2011-08-03 | 杭州华三通信技术有限公司 | Method and equipment for forwarding data based on security socket layer (SSL) virtual private network (VPN) |
CN102413186A (en) * | 2011-12-02 | 2012-04-11 | 北京星网锐捷网络技术有限公司 | Resource scheduling method and device based on private cloud computing, and cloud management server |
CN102520780A (en) * | 2011-11-22 | 2012-06-27 | 北京星网锐捷网络技术有限公司 | Resource scheduling method, device and cloud management server based on private cloud computation |
CN102946362A (en) * | 2012-09-13 | 2013-02-27 | 杭州华三通信技术有限公司 | Method and device for allocating socket resources |
CN103036803A (en) * | 2012-12-21 | 2013-04-10 | 南京邮电大学 | Flow control method based on application layer detection |
CN103503403A (en) * | 2011-12-08 | 2014-01-08 | 华为技术有限公司 | Data processing method and equipment |
CN103618681A (en) * | 2013-11-15 | 2014-03-05 | 深圳市磊科实业有限公司 | Elastic network bandwidth control method and system thereof |
CN104113919A (en) * | 2014-06-04 | 2014-10-22 | 深圳市信锐网科技术有限公司 | Wireless data transmission control method and apparatus |
CN104170329A (en) * | 2012-03-14 | 2014-11-26 | 瑞典爱立信有限公司 | Method for providing a QoS prioritized data traffic |
CN104270441A (en) * | 2014-09-28 | 2015-01-07 | 曙光信息产业股份有限公司 | Multi-priority communication method and system of distributed system |
CN104995891A (en) * | 2013-12-31 | 2015-10-21 | 华为技术有限公司 | Method and apparatus for processing service packet, and gateway device |
CN105072050A (en) * | 2015-08-26 | 2015-11-18 | 联想(北京)有限公司 | Data transmission method and data transmission device |
CN105389205A (en) * | 2015-10-26 | 2016-03-09 | 联想(北京)有限公司 | Information processing method and electronic device |
CN105610665A (en) * | 2015-07-29 | 2016-05-25 | 哈尔滨工业大学(威海) | VPN protocol for mobile devices |
CN107634915A (en) * | 2017-08-25 | 2018-01-26 | 中国科学院计算机网络信息中心 | Data transmission method, device and storage medium |
CN108989244A (en) * | 2018-08-20 | 2018-12-11 | Oppo广东移动通信有限公司 | Data processing method, device, storage medium and electronic equipment |
CN116781428A (en) * | 2023-08-24 | 2023-09-19 | 湖南马栏山视频先进技术研究院有限公司 | Forwarding system based on VPN flow |
Cited By (27)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102143088B (en) * | 2011-04-29 | 2014-02-12 | 杭州华三通信技术有限公司 | Method and equipment for forwarding data based on security socket layer (SSL) virtual private network (VPN) |
CN102143088A (en) * | 2011-04-29 | 2011-08-03 | 杭州华三通信技术有限公司 | Method and equipment for forwarding data based on security socket layer (SSL) virtual private network (VPN) |
CN102520780A (en) * | 2011-11-22 | 2012-06-27 | 北京星网锐捷网络技术有限公司 | Resource scheduling method, device and cloud management server based on private cloud computation |
CN102520780B (en) * | 2011-11-22 | 2014-07-30 | 北京星网锐捷网络技术有限公司 | Resource scheduling method, device and cloud management server based on private cloud computation |
CN102413186A (en) * | 2011-12-02 | 2012-04-11 | 北京星网锐捷网络技术有限公司 | Resource scheduling method and device based on private cloud computing, and cloud management server |
CN102413186B (en) * | 2011-12-02 | 2014-07-30 | 北京星网锐捷网络技术有限公司 | Resource scheduling method and device based on private cloud computing, and cloud management server |
CN103503403A (en) * | 2011-12-08 | 2014-01-08 | 华为技术有限公司 | Data processing method and equipment |
CN103503403B (en) * | 2011-12-08 | 2016-09-28 | 华为技术有限公司 | Data processing method and equipment |
CN104170329A (en) * | 2012-03-14 | 2014-11-26 | 瑞典爱立信有限公司 | Method for providing a QoS prioritized data traffic |
CN102946362A (en) * | 2012-09-13 | 2013-02-27 | 杭州华三通信技术有限公司 | Method and device for allocating socket resources |
CN103036803A (en) * | 2012-12-21 | 2013-04-10 | 南京邮电大学 | Flow control method based on application layer detection |
CN103618681B (en) * | 2013-11-15 | 2017-04-12 | 深圳市磊科实业有限公司 | Elastic network bandwidth control method and system thereof |
CN103618681A (en) * | 2013-11-15 | 2014-03-05 | 深圳市磊科实业有限公司 | Elastic network bandwidth control method and system thereof |
CN104995891B (en) * | 2013-12-31 | 2018-12-25 | 华为技术有限公司 | The method, apparatus and gateway of processing business message |
CN104995891A (en) * | 2013-12-31 | 2015-10-21 | 华为技术有限公司 | Method and apparatus for processing service packet, and gateway device |
CN104113919A (en) * | 2014-06-04 | 2014-10-22 | 深圳市信锐网科技术有限公司 | Wireless data transmission control method and apparatus |
CN104270441A (en) * | 2014-09-28 | 2015-01-07 | 曙光信息产业股份有限公司 | Multi-priority communication method and system of distributed system |
CN104270441B (en) * | 2014-09-28 | 2018-12-04 | 曙光信息产业股份有限公司 | A kind of method and system of distributed system multipriority communication |
CN105610665A (en) * | 2015-07-29 | 2016-05-25 | 哈尔滨工业大学(威海) | VPN protocol for mobile devices |
CN105610665B (en) * | 2015-07-29 | 2019-06-18 | 哈尔滨工业大学(威海) | A VPN Protocol for Mobile Devices |
CN105072050A (en) * | 2015-08-26 | 2015-11-18 | 联想(北京)有限公司 | Data transmission method and data transmission device |
CN105389205A (en) * | 2015-10-26 | 2016-03-09 | 联想(北京)有限公司 | Information processing method and electronic device |
CN105389205B (en) * | 2015-10-26 | 2019-08-27 | 联想(北京)有限公司 | A kind of information processing method and electronic equipment |
CN107634915A (en) * | 2017-08-25 | 2018-01-26 | 中国科学院计算机网络信息中心 | Data transmission method, device and storage medium |
CN108989244A (en) * | 2018-08-20 | 2018-12-11 | Oppo广东移动通信有限公司 | Data processing method, device, storage medium and electronic equipment |
CN116781428A (en) * | 2023-08-24 | 2023-09-19 | 湖南马栏山视频先进技术研究院有限公司 | Forwarding system based on VPN flow |
CN116781428B (en) * | 2023-08-24 | 2023-11-07 | 湖南马栏山视频先进技术研究院有限公司 | Forwarding system based on VPN flow |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN101309195A (en) | A method and device for ensuring quality of service in a secure socket layer virtual private network | |
CN116057900A (en) | Systems and methods for determining network path tracing | |
US9397951B1 (en) | Quality of service using multiple flows | |
US8971345B1 (en) | Method and apparatus for scheduling a heterogeneous communication flow | |
US8990560B2 (en) | Multiple independent levels of security (MILS) host to multilevel secure (MLS) offload communications unit | |
EP2566115A1 (en) | Method, network device and network system for data service processing | |
US9356844B2 (en) | Efficient application recognition in network traffic | |
US10701582B2 (en) | Dynamic application QoS profile provisioning | |
TWI239732B (en) | A method, computer readable medium and system for providing QoS for an iSCSI environment | |
CN103269320B (en) | Data forwarding method and couple in router | |
EP3094053A1 (en) | Predictive egress packet classification for quality of service | |
US11729108B2 (en) | Queue management in a forwarder | |
CN112600684B (en) | Cloud service bandwidth management and configuration method and related device | |
WO2018121397A1 (en) | Network traffic control method and switch device | |
WO2018223825A1 (en) | Data flow processing method and device | |
US7471689B1 (en) | Method and apparatus for managing and accounting for bandwidth utilization within a computing system | |
CN112769597A (en) | Container network current limiting method and system for cloud-edge collaborative virtualization scene | |
CN109922003B (en) | Data sending method, system and related components | |
JP2005295457A (en) | P2P traffic compatible router and P2P traffic information sharing system using the same | |
US20090003354A1 (en) | Method and System for Packet Traffic Congestion Management | |
CN115580584A (en) | A message processing method and device | |
CN101459699B (en) | Method and apparatus for network address conversion | |
CN102394816B (en) | User service quality control method and equipment for virtual private network | |
CN111970149B (en) | Shared bandwidth implementation method based on hardware firewall QOS | |
CN116614378A (en) | Bandwidth management and configuration method of cloud service and related device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| ASS | Succession or assignment of patent right | Owner name: CHENGDU CITY HUAWEI SAIMENTEKE SCIENCE CO., LTD. Free format text: FORMER OWNER: HUAWEI TECHNOLOGY CO., LTD. Effective date: 20090424 |
| C41 | Transfer of patent application or patent right or utility model | |
| TA01 | Transfer of patent application right | Effective date of registration: 20090424. Address after: Qingshui River District, Chengdu high tech Zone, Sichuan Province, China: 611731. Applicant after: Chengdu Huawei Symantec Technologies Co., Ltd. Address before: Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen Province, China: 518129. Applicant before: Huawei Technologies Co., Ltd. |
| C12 | Rejection of a patent application after its publication | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20081119 |