
CN101515944B - Method, system and device for P2P service access - Google Patents


Info

Publication number
CN101515944B
Authority
CN
China
Prior art keywords
tunnel
data
service
node
dpi
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN 200810080612
Other languages
Chinese (zh)
Other versions
CN101515944A (en)
Inventor
郑若滨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangdong Gaohang Intellectual Property Operation Co ltd
Jiangsu Hengbo Pneumatic Conveying Equipment Manufacturing Co ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN 200810080612
Publication of CN101515944A
Application granted
Publication of CN101515944B
Legal status: Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention discloses a method for P2P service access, comprising: acquiring the start information of a P2P service and determining a P2P tunnel path; controlling the start node and the end node of the P2P tunnel to build the P2P tunnel according to the P2P tunnel path, and carrying the P2P service over the P2P tunnel; acquiring the termination information of the P2P service; and controlling the start node and the end node of the P2P tunnel to delete the P2P tunnel and terminate the P2P service. The embodiment also discloses a system and a device for P2P service access. The method, system and device separate the control and the bearer of the P2P service, and reduce the data traffic entering the aggregation network, the hardware cost and the data processing load.

Description

P2P service access method, system and device
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method, a system, and an apparatus for accessing a P2P service.
Background
With the rapid development of the Internet, broadband services are growing quickly, which brings operators both opportunities and challenges, such as bandwidth management, content charging and information security. The most prominent of these is the P2P (Peer-to-Peer) application. P2P technology breaks with the C/S (Client-Server) traffic model: it operates without a central server, removes the server bottleneck, and has quickly spread into services such as file downloading and streaming media. Statistics show that P2P accounts for more than 50% of network traffic, and the share is still rising; P2P has even been called a killer application and a revolutionary technology. However, the way broadband networks are currently planned and built clearly cannot accommodate the P2P traffic model, and network equipment lacks effective means of supervision and cannot perceive P2P applications. The operator therefore cannot manage the network effectively, congestion of varying degrees appears, and operation is left in a difficult position.
The inability to implement content charging is another obstacle to the further development of operators. Content charging means that the operator distinguishes the type of service a user is using by deep analysis of the data packets and sets a reasonable rate according to the characteristics of the service. Data services and content services keep growing richer, but without a sound content charging method the growth in services cannot be converted into an equivalent growth in revenue, and the profit of some services actually falls.
Content security is yet another issue alarming operators. In recent years attacks and intrusions from the network have caused very large losses to users and operators. Firewalls can mitigate some attacks, but they clearly cannot detect viruses hidden in the payload of IP packets. The trend of cyber attacks is gradually moving to higher-level applications: according to Gartner statistics, more than 70% of network attack events are concentrated in the application layer, and the proportion is rising. Content security has therefore become a key link in information security.
Service identification, content charging and the requirements of information security thus remain unsolved, which increases the operator's operating cost and reduces user satisfaction.
DPI (Deep Packet Inspection) is a new technology relative to ordinary packet analysis. Ordinary packet inspection only analyzes the headers at layer 4 and below, that is the source address, destination address, source port, destination port and protocol type; DPI adds analysis of the application layer on top of this and can identify various applications and their content. DPI divides the packets on the network into application flows according to the 5-tuple and detects specific packets within each flow by an identification technique, so as to determine the application the flow belongs to or the user's action. Depending on the protocol type, identification techniques fall into three categories: feature-word (signature) based identification, application layer gateway identification, and behavioral pattern identification.
The primary function of DPI is to identify traffic and provide policy management. Service identification technologies fall into two broad categories: DPI service identification and IMS (IP Multimedia Subsystem) architecture service identification. In DPI service identification the network device detects and identifies the service from the traffic flow; in the IMS architecture the application layer notifies the network device of the service identity. The IMS architecture suits the client/server services operated centrally by the operator, whereas DPI service identification suits services of non-operators and services carried over P2P, so the two technologies are complementary. After service identification is completed, the operator can apply the corresponding QoS (Quality of Service) technology according to the user's service policy, guaranteeing the service quality the user has subscribed to, while other services can be forwarded best-effort.
Traffic can also be identified by DFI (Deep Flow Inspection), a detection technique based on traffic characteristics. It exploits the fact that an application such as a P2P application, being a new kind of application that makes full use of client resources, shows traffic characteristics at the transport layer that differ in many ways from those of other applications such as HTTP (Hypertext Transfer Protocol), FTP (File Transfer Protocol) and DNS (Domain Name System). Traffic-characteristic-based detection identifies the traffic by detecting these characteristics.
Through service identification, an operator can realize five charging modes based on content: charging by time based on content value, charging by event or action number based on content value, charging by data flow based on content value, charging by QoS based on content value, and combinations thereof. The present invention broadly refers to deep packet inspection techniques and inspection techniques based on traffic characteristics, collectively referred to as "DPI".
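The identification steps described above (division into flows by 5-tuple, feature-word matching on the payload, and a behaviour-based DFI fallback) combined in one small classifier. This is an added example written for this page, not code from the patent: the BitTorrent handshake prefix is the real peer-wire signature, while the peer-count threshold, the HTTP request-line check and the sample packets are assumptions constructed for the demo.

```python
"""Flow classification as an access node's DPI proxy would do it: 5-tuple
flow table, feature-word (signature) matching on the application payload,
and a DFI-style behavioural fallback for flows that match no signature.
Added example, not the patent's code. The BitTorrent handshake prefix is
the real peer-wire signature; the peer-count threshold, the HTTP check and
the sample packets are constructed assumptions."""
from collections import defaultdict


def flow_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Bidirectional 5-tuple: both directions of a conversation share one key."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (min(a, b), max(a, b), proto)


def is_bittorrent(payload):
    # Peer-wire handshake: length byte 0x13 followed by "BitTorrent protocol".
    return payload.startswith(b"\x13BitTorrent protocol")


def is_http(payload):
    request_line = payload.split(b"\r\n", 1)[0]
    method = request_line.split(b" ", 1)[0]
    return method in (b"GET", b"POST", b"HEAD", b"PUT") and \
        request_line.endswith((b"HTTP/1.0", b"HTTP/1.1"))


SIGNATURES = (("bittorrent", is_bittorrent), ("http", is_http))


class FlowClassifier:
    def __init__(self, dfi_peer_threshold=4):
        self.labels = {}                 # flow key -> label
        self.peers = defaultdict(set)    # host -> remote hosts contacted on unprivileged ports
        self.threshold = dfi_peer_threshold

    def classify(self, src_ip, src_port, dst_ip, dst_port, proto, payload):
        key = flow_key(src_ip, src_port, dst_ip, dst_port, proto)
        # 1. Known flow: reuse the verdict, so only the first packets need DPI.
        if self.labels.get(key, "unknown") != "unknown":
            return self.labels[key]
        # 2. Feature-word DPI on the payload.
        for label, matcher in SIGNATURES:
            if matcher(payload):
                self.labels[key] = label
                return label
        # 3. DFI fallback: a host with many distinct peers on unprivileged
        #    ports and no recognisable protocol is labelled P2P-like, and the
        #    verdict is applied retroactively to its still-unknown flows.
        self.labels.setdefault(key, "unknown")
        if src_port > 1024 and dst_port > 1024:
            self.peers[src_ip].add(dst_ip)
            if len(self.peers[src_ip]) >= self.threshold:
                for k, v in self.labels.items():
                    if v == "unknown" and src_ip in (k[0][0], k[1][0]):
                        self.labels[k] = "p2p-heuristic"
        return self.labels[key]


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    ("10.0.0.5", 51413, "198.51.100.7", 6881, "tcp", b"\x13BitTorrent protocol" + bytes(48)),
    ("198.51.100.7", 6881, "10.0.0.5", 51413, "tcp", b"\x00\x00\x00\x01\x02"),  # reverse direction
    ("10.0.0.5", 40000, "93.184.216.34", 80, "tcp", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.9", 40001, "203.0.113.1", 34567, "udp", b"\xaa\xbb"),
    ("10.0.0.9", 40002, "203.0.113.2", 34567, "udp", b"\xaa\xbb"),
    ("10.0.0.9", 40003, "203.0.113.3", 34567, "udp", b"\xaa\xbb"),
]


def run_demo(threshold=3):
    classifier = FlowClassifier(dfi_peer_threshold=threshold)
    return [classifier.classify(*pkt) for pkt in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, label in zip(SAMPLE_PACKETS, run_demo()):
        print(pkt[0], pkt[2], pkt[4], "->", label)
```

The reverse-direction packet shows why the flow key must be bidirectional: otherwise the verdict reached on the handshake would not cover the peer's replies, and a gate keyed on the forward direction alone would leak the return traffic. The DFI fallback only fires on unprivileged ports and is applied retroactively to the host's still-unknown flows; a real deployment would also age entries out of both tables, which this example omits.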
Disclosure of Invention
Embodiments of the present invention provide a method, a system, and a device for accessing a P2P service, which implement separation of P2P service control and bearer, reduce data traffic accessing a convergence network, and reduce hardware cost and data processing burden.
In order to achieve the above object, an aspect of the embodiments of the present invention provides a P2P service access method, including:
obtaining start information of a P2P service that includes at least configuration information of a P2P tunnel, and determining a P2P tunnel path according to the start information, which specifically comprises: the DPI proxy module of the access node identifies a packet from the sender as a P2P data packet by flow classification and/or DPI filtering and redirects the P2P data packet to a data parsing unit; the data parsing unit performs DPI analysis on the P2P data or signaling packet, identifies the application service type and content of the corresponding flow or parses the P2P signaling, and looks up the DPI related policy of the P2P flow; if the DPI related policy of the P2P flow is to allow the flow, the data parsing unit forwards the P2P data to the destination receiver and issues a P2P tunnel and policy configuration command to a control node according to the DPI related policy; the control node determines a P2P tunnel path according to the P2P tunnel and policy configuration command, the P2P source user identifier and the P2P destination user identifier, and issues the P2P tunnel and policy configuration command to the access node and to the other access node respectively;
establishing a P2P tunnel according to the P2P tunnel path and carrying the P2P service through the P2P tunnel, where carrying the P2P service through the P2P tunnel specifically includes: when the P2P tunnel configuration is completed, the access node opens the gate for the P2P data packets, allowing them to pass through the P2P tunnel;
acquiring termination information of the P2P service;
deleting the P2P tunnel according to the termination information, and terminating the P2P service.
On the other hand, an embodiment of the present invention further provides a network system, including a P2P data forwarding apparatus, a data parsing unit, a control node, a P2P tunnel start node, and a P2P tunnel end node, where the P2P data forwarding apparatus includes a DPI agent module, where:
the DPI proxy module is used to classify flows and/or apply DPI filtering to user packets so as to obtain the P2P service data packets, and to redirect the P2P service data packets to the data analysis unit;
the P2P data forwarding device is configured to receive a P2P service data packet from a P2P service sender, and forward the P2P service data packet to the data analysis unit; receiving a data stream from the P2P service sender, and forwarding the data stream to the P2P tunnel starting point node;
the data analysis unit is configured to obtain start information or end information of the P2P service according to a P2P service data packet, and further configured to issue the P2P tunnel and a policy configuration command to a control node according to a DPI related policy of the P2P service;
the control node is configured to control the starting point node of the P2P tunnel and the end point node of the P2P tunnel to establish or delete the P2P tunnel according to the starting information or the ending information of the P2P service acquired by the data analysis unit;
the P2P tunnel starting point node is used for receiving the control of the control node, establishing or deleting the P2P tunnel and sending P2P data;
the P2P tunnel end node is used to receive the control of the control node, establish or delete the P2P tunnel, receive P2P data, and send to the receiver of the P2P service.
Compared with the prior art, the embodiment of the invention has the following advantages: by introducing a P2P tunnel start node and a P2P tunnel end node and applying the P2P service access method, system and device, P2P service bearer and control are separated and the advantages of client-to-client communication are fully exploited. P2P communication takes place directly through the P2P tunnel between RGs or ANs, and P2P data packets do not need to reach the IP Edge node, so the data traffic on the access aggregation network is greatly reduced, the bandwidth and cost requirements on the IP Edge are lowered, and the DPI processing burden of the DPI server is lightened.
FIG. 1 is a schematic diagram of an access network architecture;
fig. 2 is a schematic structural diagram of a P2P service access system according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a P2P service access system including an access node according to a first embodiment of the present invention;
fig. 4 is a flowchart of a P2P service access method for terminating P2P transmission by DPI analysis according to a second embodiment of the present invention;
fig. 5 is a flowchart of a P2P service access method for signaling termination of P2P transmission according to a third embodiment of the present invention;
fig. 6 is a schematic structural diagram of a P2P service access system including a residential gateway according to a fourth embodiment of the present invention;
fig. 7 is a flowchart of a P2P service access method for terminating P2P transmission by DPI analysis according to a fifth embodiment of the present invention;
fig. 8 is a flowchart of a P2P service access method for signaling termination of P2P transmission according to a sixth embodiment of the present invention.
Drawings
Fig. 1 is a schematic diagram of an access network architecture. The CPN (Customer Premises Network) consists of the UE (User Equipment) and the RG (Residential Gateway); the Access Network consists of the AN (Access Node), the IP Edge node and the Aggregation Network between them, and connects the CPN to the SP (Service Provider). For a wireless network, the IP Edge is a GGSN (Gateway GPRS Support Node) or an ASN GW (Access Service Network Gateway) and the AN is a BS (Base Station); for a DSL (Digital Subscriber Line) network, the IP Edge is a BRAS (Broadband Remote Access Server) or a BNG (Broadband Network Gateway) and the AN is a DSLAM (Digital Subscriber Line Access Multiplexer); for a PON (Passive Optical Network), the AN is an ONU (Optical Network Unit) or an OLT (Optical Line Terminal).
The access network assumes a client-to-server communication model: all user data must be transmitted to the IP Edge, which increases the traffic on the access aggregation network, places very high bandwidth and cost requirements on the IP Edge, and increases the DPI processing burden of the DPI server.
The embodiment of the invention provides a method, a system and a device for accessing a P2P service. The method is used for realizing separation of P2P service control and bearing, thereby reducing data flow of access aggregation network, and reducing hardware cost and data processing burden.
Detailed Description
The following detailed description of embodiments of the invention is provided in connection with the accompanying drawings and examples:
As shown in fig. 2, the P2P service access system provided in this embodiment of the present invention implements P2P service access between a P2P service sender A and a P2P service receiver B with separation of control and bearer, and includes:
the P2P data forwarding apparatus 1, configured to receive and filter, through a DPI proxy module 11, the P2P signaling and P2P data packets sent by the P2P service sender A and forward them to a data analysis unit 5; to receive, after the P2P tunnel is established, the data flow sent by the P2P service sender A and forward it to a P2P tunnel start node 3 through a DPI redirection module 12; and to configure the P2P policy of the DPI proxy module 11 through a protocol configuration module 13 according to feedback from the data analysis unit 5;
the data analysis unit 5 is configured to analyze, by using the information analysis module 52, the start information or the end information of the P2P service according to the P2P service data packet received by the packet receiving module 51 from the P2P data forwarding apparatus 1, and feed back the start information or the end information to the P2P data forwarding apparatus 1;
the control node 2 is used for controlling the P2P tunnel starting point node 3 and the P2P tunnel end point node 4 to establish or delete the P2P tunnel according to the starting information or the ending information of the P2P service analyzed and generated by the data analysis unit 5;
the P2P tunnel starting node 3 is configured to receive control of the control node 2, perform P2P tunnel configuration through the tunnel configuration module 31, establish or delete a P2P tunnel through the P2P tunnel starting point processing module 32, and send P2P data to the P2P tunnel end node 4;
the P2P tunnel endpoint node 4 is configured to receive control of the control node 2, perform P2P tunnel configuration through the tunnel configuration module 41, establish or delete a P2P tunnel through the P2P tunnel endpoint processing module 42, receive P2P data, and send the data to the receiver B of the P2P service through the P2P data forwarding module 43.
The data analysis unit 5 includes a DPI server and a policy server.
The system further comprises the following device structure:
the information analysis module 52 further includes:
and the data detection submodule 521 is configured to detect whether the data packet of the P2P service of the sender a is received in the response time.
The P2P tunnel starting point processing module 32 includes:
the P2P tunnel processing sub-module 321 is configured to establish or delete a P2P tunnel according to the P2P tunnel configuration set by the tunnel configuration module 31;
and the P2P data stream forwarding sub-module 322 is configured to receive the P2P data stream sent by the sender a, and send the P2P traffic data stream through the P2P tunnel.
The P2P tunnel endpoint processing module 42 includes:
the P2P tunnel processing sub-module 421, configured to establish or delete a P2P tunnel according to the P2P tunnel configuration set by the tunnel configuration module 41;
and the P2P data flow forwarding sub-module 422 is configured to receive the P2P traffic data flow through the P2P tunnel, and send the P2P traffic data flow to the P2P data forwarding module 43.
In practical application, the P2P service access system provided in the embodiment of the present invention takes two forms: in one, the P2P data forwarding device 1 and the P2P tunnel start node 3 are physically integrated into an access node (AN); in the other, the P2P data forwarding device 1 is installed in a residential gateway (RG). Based on these two systems, the embodiment of the present invention provides corresponding P2P service access methods, which for convenience of description are presented as the following embodiments:
fig. 3 is a schematic structural diagram of a P2P service access system including an access node according to a first embodiment of the present invention. In the system, a P2P tunnel starting point node 3 and a P2P tunnel end point node 4 are introduced. The P2P data forwarding device 1 and the P2P tunnel origin node 3 are physically merged into an access node 6.
The P2P tunnel start node 3 and the P2P tunnel end node 4 may be located in an RG, an AN or an aggregation network node, and the DPI server may be deployed in an IP edge node, an SR or an aggregation network node. The DPI server and the policy server may be physically combined into one; the embodiment of the present invention collectively refers to them as the data parsing unit 5. The DPI server configures the P2P tunnel and the DPI related policies to the DPI proxy module 11, the P2P tunnel start node 3 and the P2P tunnel end node 4 through the IP edge node.
The access node 6 includes a DPI proxy module 11, a DPI redirection module 12, a tunnel configuration module 31, and a P2P tunnel origin processing module 32.
The DPI proxy module 11 is used to analyze the application layer of the data packet through flow classification and DPI filtering and/or to identify the specific application service type and its content through detection based on flow characteristics, and then to perform QoS control according to the DPI policy. On one hand the module forwards the P2P data packet to the P2P tunnel start point processing module 32 for processing; on the other hand it redirects the P2P data or signaling packet to the data parsing unit 5 for further processing, and it also restricts the traffic of the P2P data packets sent by the sender A.
The DPI redirection module 12 is configured to redirect the P2P data or signaling packet to the data parsing unit 5, and may be completed by using a tunneling technique (the tunnel starting point is the DPI proxy module 11, and the end point is the data parsing unit 5), or modifying the destination address of the data packet to the destination address of the DPI server, so as to forward the data packet to the data parsing unit 5 for further processing.
Tunneling techniques such as ethernet tunneling, IP tunneling, or dedicated tunneling are used to mark a data packet with a special VLAN (Virtual Local Area Network) identifier or VPN (Virtual private Network) identifier.
The tunnel configuration module 31 is configured to configure the P2P tunnel and the P2P related policy through protocols such as L2C (Layer 2 Control), OMCI (ONU Management and Control Interface), TR-069 or GMPLS.
The P2P tunnel start point processing module 32 is configured to encapsulate the P2P data into the P2P tunnel for data transmission.
The P2P tunnel endpoint node 4 includes a tunnel configuration module 41, a P2P tunnel endpoint processing module 42, and a P2P data forwarding module 43.
A tunnel configuration module 41, configured to configure the P2P tunnel and the P2P related policy through protocols such as L2C, OMCI, TR-069 or GMPLS;
and the P2P tunnel endpoint processing module 42 is configured to perform tunnel decapsulation processing on the P2P tunnel packet to obtain a P2P data packet, and send the P2P data packet to a forwarding or routing unit.
The P2P data forwarding module 43 is configured to perform two-layer MAC forwarding, IP bridging forwarding, or IP routing forwarding on the P2P data packet, and send the P2P data stream to the receiver B.
Based on the system provided by the first embodiment of the present invention, the present invention provides a P2P service access method for stopping P2P transmission by DPI analysis and a P2P service access method for stopping P2P transmission by signaling, and the specific flow is as follows in the second and third embodiments of the present invention:
as shown in fig. 4, a flowchart of a P2P service access method for terminating P2P transmission by DPI analysis according to a second embodiment of the present invention is shown, and for convenience of description, in this embodiment, the access node 6 is referred to as AN1, the AN2 is referred to as AN2, and the AN1 and the AN2 are collectively referred to as a P2P tunnel path node.
The method specifically comprises the following steps:
P2P tunnel establishment phase:
step S401, the sender A sends P2P data message to AN 1.
Step S402, the DPI agent module 11 of the AN1 identifies that the packet from the sender a is a P2P data packet through flow classification and/or DPI filtering.
Step S403, redirecting the P2P data packet to the data parsing unit 5.
Step S404, the data parsing unit 5 performs DPI analysis on the P2P data or the signaling packet, identifies the application service type and the content of the corresponding flow or parses the P2P signaling, and finds out the DPI related policy of the P2P flow.
In step S405, if the DPI related policy of the P2P flow is to allow the P2P flow, the data analysis unit 5 forwards the P2P data to the destination recipient B.
Step S406, the data analysis unit 5 issues a P2P tunnel and a policy configuration command to the control node 2 according to the DPI related policy.
Step S407, the control node 2 determines the P2P tunnel path according to the P2P tunnel and policy configuration command, the P2P source user id and the P2P destination user id, and issues a P2P tunnel and policy configuration command to AN1 and AN2, respectively.
For a PBT tunnel, the control node 2 configures on the P2P tunnel path nodes an ESP (Ethernet Switched Path) identified by the P2P tunnel start node MAC, the P2P VLAN and the P2P tunnel end node MAC;
for an MPLS tunnel, the control node 2 configures the corresponding MPLS label on each path node of the MPLS LSP;
for a VLAN tunnel, the IP edge node configures the corresponding VLAN on each path node of the VLAN tunnel.
P2P data transfer phase:
step S408, when the tunnel configuration of P2P is completed, AN1 gates P2P data packets, i.e. allowing P2P data packets to pass through the P2P tunnel, and starts P2P charging.
Step S409, AN1 performs tunnel encapsulation processing on the P2P data packet from the sender a.
Step S410, P2P data flow through tunnel to AN 2.
And S411, the AN2 carries out tunnel decapsulation processing to obtain a P2P data message.
Step S412, AN2 performs two-layer MAC forwarding, IP bridging forwarding or IP routing forwarding on the P2P data message.
Step S413, P2P, the data stream arrives at receiver B.
P2P service termination phase:
Step S414, DPI analysis. When the DPI proxy module 11 receives no P2P data packet from the sender A within the specified time, or determines by other means that the P2P traffic flow of the sender A has terminated, the process goes to step S415.
Step S415, AN1 notifies the data analysis unit 5 to delete the P2P tunnel and policy.
Step S416, the data analysis unit 5 issues a P2P tunnel and policy deletion command to the control node 2;
Step S417, the control node 2 issues the P2P tunnel and policy deletion command to the P2P tunnel path nodes according to that command.
In the embodiment of the invention, for the PBT tunnel, the control node 2 deletes from the P2P tunnel path nodes the ESP identified by the P2P tunnel start node MAC, the P2P VLAN and the P2P tunnel end node MAC;
for the MPLS tunnel, the IP edge node deletes the corresponding MPLS label from each path node of the MPLS LSP;
and for the VLAN tunnel, the IP edge node deletes the corresponding VLAN from each path node of the VLAN tunnel.
Step S418, AN1 blocks the P2P flow corresponding to the sender A, and stops P2P charging.
The P2P service ends.
Fig. 5 is a flowchart of a P2P service access method for terminating P2P transmission by signaling according to a third embodiment of the present invention. For convenience of description, in this embodiment the access node 6 is referred to as AN1, the other access node is referred to as AN2, and AN1 and AN2 are collectively referred to as the P2P tunnel path nodes.
The method specifically comprises the following steps:
P2P tunnel establishment phase:
step S501, the P2P data message of the sender A is uploaded to AN 1.
Step S502, the DPI agent module 11 of the AN1 identifies that the packet from the sender a is a P2P data packet through flow classification and/or DPI filtering.
Step S503, redirecting the P2P data packet to the data parsing unit 5.
Step S504, the data parsing unit 5 parses the P2P signaling message.
And step S505, issuing a P2P tunnel and policy configuration command to the control node 2 according to the DPI related policy.
Step S506, the control node 2 determines a P2P tunnel path according to the P2P tunnel and policy configuration command, the P2P source user identifier and the P2P destination user identifier, and issues a P2P tunnel and policy configuration command to the P2P tunnel path node respectively.
In the embodiment of the invention, for the PBT tunnel, the control node 2 configures on AN1 and AN2 an ESP identified by the P2P tunnel start node MAC, the P2P VLAN and the P2P tunnel end node MAC;
for the MPLS tunnel, the IP edge node configures corresponding MPLS label to each path node of the MPLS LSP;
for the VLAN tunnel, the IP edge node configures a corresponding VLAN to each path node of the VLAN tunnel.
P2P data transfer phase:
step S507, when the tunnel configuration of the P2P is completed, the AN1 gates the P2P data message, namely the P2P data message is allowed to pass through the P2P tunnel, and the P2P charging is started; but the P2P signaling message is still redirected to the data parsing unit 5.
Step S508, AN1 processes the P2P data message from the sender A to tunnel package.
Step S509, P2P data stream is tunneled to AN 2.
And step S510, the AN2 carries out tunnel decapsulation processing to obtain a P2P data message.
Step S511, AN2 performs two-layer MAC forwarding, IP bridging forwarding or IP routing forwarding on the P2P data message.
Step S512, P2P data flow reaches the receiver B.
P2P service termination phase:
in step S513, the sender a issues a P2P end command.
And step S514, DPI filtering. If the DPI Proxy recognizes that the packet from the sender a is a P2P signaling packet through flow classification and/or DPI filtering, the process goes to step S515.
Step S515, redirecting the P2P signaling message to the data parsing unit 5.
Step S516, the data parsing unit 5 parses the P2P ending command, and issues a P2P tunnel and policy deletion command to the control node 2.
Step S517, the control node 2 issues the P2P tunnel and policy deletion command to the P2P tunnel path nodes according to that command.
Step S518, AN1 blocks the P2P flow corresponding to the sender A, and stops P2P charging.
The two P2P service access methods provided in the second and third embodiments are carried out on the P2P service access system of the first embodiment.
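The two termination variants (steps S414 to S418 by DPI idle detection, steps S513 to S518 by a P2P end command) share the same establishment and transfer steps, so one simulation covers both flows. This is an added example, not code from the patent: the node names, MAC addresses, the policy table, the tunnel identifiers, the idle timeout and the b"P2P-END" signaling payload are assumptions, and every packet is constructed inline.

```python
"""P2P tunnel lifecycle: DPI gating at the access node, policy check at the
data parsing unit, tunnel setup/teardown by the control node, termination by
idle timeout (second embodiment) or an end signaling message (third embodiment).
Added example, not the patent's code; node names, MACs, policy table, tunnel
identifiers, idle timeout and the b"P2P-END" payload are assumptions."""
from collections import namedtuple

# Packet.kind is "data" or "signaling"; Packet.app is the label DPI produced.
Packet = namedtuple("Packet", "src_user dst_user kind app payload", defaults=[b""])
Tunnel = namedtuple("Tunnel", "ident start end users")   # ident goes to the path nodes

def users(pkt):
    return (pkt.src_user, pkt.dst_user)      # flow key: source/destination user ids

class ControlNode:
    """Picks the path from the user ids; installs/removes the tunnel (S407 / S417)."""
    def __init__(self, user_to_an, nodes, kind="pbt"):
        self.user_to_an, self.nodes, self.kind, self.next_id = user_to_an, nodes, kind, 100

    def configure(self, src_user, dst_user):
        start, end = self.user_to_an[src_user], self.user_to_an[dst_user]
        self.next_id += 1
        if self.kind == "pbt":    # ESP = (start node MAC, P2P VLAN, end node MAC)
            ident = (self.nodes[start].mac, self.next_id, self.nodes[end].mac)
        else:                     # "mpls": label per LSP; "vlan": VLAN id (simplified)
            ident = (self.kind, self.next_id)
        tunnel = Tunnel(ident, start, end, (src_user, dst_user))
        for name in (start, end):
            self.nodes[name].tunnels[tunnel.users] = tunnel
        return tunnel

    def delete(self, tunnel):
        for name in (tunnel.start, tunnel.end):
            self.nodes[name].tunnels.pop(tunnel.users, None)
            self.nodes[name].last_seen.pop(tunnel.users, None)

class DataParsingUnit:
    """DPI server + policy server: per-flow decision, control commands, charging record."""
    def __init__(self, policy):
        self.policy, self.control, self.active, self.billing = policy, None, {}, []

    def inspect(self, pkt, an, now):
        key = users(pkt)
        if pkt.kind == "signaling" and pkt.payload == b"P2P-END":   # S516
            if key in self.active:
                self.end_of_service(self.active[key])
            return ("ended", key)
        if self.policy.get(pkt.app) != "allow":                     # S404 policy lookup
            return ("denied", key)
        if key not in self.active:                                  # S406 / S407
            self.active[key] = self.control.configure(*key)
            self.billing.append(("start", key))
            an.last_seen[key] = now
        return ("forwarded_by_dpu", key)                            # S405

    def end_of_service(self, tunnel):                               # S416 / S417
        self.control.delete(tunnel)
        self.active.pop(tunnel.users, None)
        self.billing.append(("stop", tunnel.users))

class AccessNode:
    """DPI proxy plus tunnel start/end point; gate closed unless a tunnel is installed."""
    def __init__(self, mac, dpu, idle_timeout):
        self.mac, self.dpu, self.idle_timeout = mac, dpu, idle_timeout
        self.tunnels, self.last_seen = {}, {}

    def receive(self, pkt, now):
        tunnel = self.tunnels.get(users(pkt))
        if pkt.kind == "signaling" or tunnel is None:   # S403 / S515: redirect to DPU
            return self.dpu.inspect(pkt, self, now)
        self.last_seen[users(pkt)] = now
        return ("tunnel", tunnel.ident, pkt)             # S409: encapsulate

    def decapsulate(self, frame):                        # S411: unknown tunnel id -> drop
        _, ident, pkt = frame
        return pkt if any(t.ident == ident for t in self.tunnels.values()) else None

    def tick(self, now):                                 # S414: idle detection
        expired = [k for k, t in self.last_seen.items() if now - t > self.idle_timeout]
        for key in expired:
            self.dpu.end_of_service(self.tunnels[key])
        return expired

def run_scenario():
    dpu = DataParsingUnit({"bittorrent": "allow", "emule": "deny"})
    an1 = AccessNode("00:00:5e:00:53:01", dpu, idle_timeout=30)
    an2 = AccessNode("00:00:5e:00:53:02", dpu, idle_timeout=30)
    dpu.control = ControlNode({"A": "AN1", "B": "AN2"}, {"AN1": an1, "AN2": an2})
    data = Packet("A", "B", "data", "bittorrent", b"\x13BitTorrent protocol")
    events = [an1.receive(data, now=0)[0]]                       # first packet via DPU
    frame = an1.receive(data, now=1)                             # then through the tunnel
    events += [frame[0], "delivered" if an2.decapsulate(frame) == data else "dropped"]
    events.append("expired:%d" % len(an1.tick(now=40)))          # idle timeout fires
    events.append("stale-dropped" if an2.decapsulate(frame) is None else "leaked")
    events.append(an1.receive(data, now=41)[0])                  # set up again via DPU
    events.append(an1.receive(Packet("A", "B", "signaling", "bittorrent", b"P2P-END"), now=42)[0])
    events.append(an1.receive(Packet("A", "B", "data", "emule"), now=43)[0])
    return events, dpu.billing
```

Two checks in this simulation are the ones worth keeping in a real implementation. The gate on AN1 stays closed until the control node has installed the tunnel, so a sender cannot push data past the DPI proxy before the policy has been evaluated, and after deletion (by timeout or by signaling) the next packet goes back through the data parsing unit rather than through a stale gate. On AN2, a frame whose tunnel identifier is no longer installed is dropped instead of being forwarded to the receiver, which is what stops a sender from replaying a torn-down ESP or label; the charging record starts and stops in step with the tunnel, never with the sender's own claims.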
As described above, there is also a P2P service access system in which the P2P data forwarding device 1 is installed in the residential gateway, together with a P2P service access method based on that system; these are described in the following embodiments of the present invention.
As shown in fig. 6, a P2P service access system including a residential gateway is a fourth embodiment of the present invention. In this system, a P2P tunnel start node 3 and a P2P tunnel end node 4 are introduced. The P2P data forwarding device 1 is installed on a residential gateway; for convenience, the residential gateway is abbreviated as RG, the P2P tunnel start node 3 as AN1, and the P2P tunnel end node 4 as AN2.
In this system, the P2P tunnel start node 3 and the P2P tunnel end node 4 may be located in an AN or an aggregation network node, and the DPI device may be deployed in an IP edge node, an SR or an aggregation network node. The DPI server and the policy server may be physically combined into one device, referred to as the data parsing unit 5. The data parsing unit 5 is configured to configure the P2P tunnel and the DPI related policy on AN1 and AN2 through the control node 2, and to configure the DPI related policy on the RG through the ACS.
The RG includes a DPI proxy module 11, a DPI redirection module 12 and a protocol configuration module 13.
The DPI agent module 11 is configured to perform application-layer analysis of the data packet through flow classification and DPI filtering, and/or to identify the specific application service type and its content through detection based on flow characteristics, and then to perform QoS control according to the DPI policy: on the one hand, the P2P data packet is forwarded to AN1 for processing; on the other hand, the P2P data or signaling packet is redirected to the data parsing unit 5 for further processing, and the traffic of P2P data packets sent by the sender A is restricted.
The protocol configuration module 13 is used to configure the P2P related policy of the RG through protocols such as OMCI and TR069.
The DPI redirection module 12 is configured to redirect the P2P data or signaling packet to the data parsing unit 5. This may be done with a tunneling technique (the tunnel start point being the DPI proxy module 11 and the end point the data parsing unit 5), or by rewriting the destination address of the data packet to the address of the data parsing unit 5, so that the data packet is forwarded to the data parsing unit 5 for further processing.
Tunneling techniques such as Ethernet tunneling, IP tunneling or dedicated tunneling are used to mark a data packet with a special VLAN (Virtual Local Area Network) identifier or VPN (Virtual Private Network) identifier.
AN1 includes a tunnel configuration module 31 and a P2P tunnel start point processing module 32.
The tunnel configuration module 31 is configured to configure the P2P tunnel and the P2P related policy through protocols such as L2C, OMCI, TR069 and GMPLS;
the P2P tunnel start point processing module 32 is used to encapsulate the P2P data into the P2P tunnel and send it to AN2.
The AN2 includes a tunnel configuration module 41, a P2P tunnel endpoint processing module 42, and a P2P data forwarding module 43.
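The following Python is an added illustration of the data-plane roles of modules 32, 42 and 43 for the VLAN tunnel case; it is example code written for this page, not the patent's or Huawei's implementation. AN1 pushes an 802.1Q tag carrying the P2P VLAN that the control node configured, and AN2 pops the tag only when the VLAN matches the tunnel it was configured with, then forwards by destination MAC. The MAC addresses, the VLAN id 1234 and the port name are constructed for the example; the PBT and MPLS variants would replace the tag push and pop with outer MAC header or label operations and are not modelled here.

```python
import struct

TPID_8021Q = 0x8100        # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def mac(text: str) -> bytes:
    """Parse a colon-separated MAC address into 6 bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame as sent by the sender (FCS omitted)."""
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


def an1_encapsulate(frame: bytes, p2p_vlan: int, pcp: int = 0) -> bytes:
    """P2P tunnel start point processing (module 32), VLAN tunnel case: push an
    802.1Q tag carrying the P2P VLAN that the control node configured."""
    if not 1 <= p2p_vlan <= 4094:
        raise ValueError("VLAN id must be 1..4094")
    tci = ((pcp & 0x7) << 13) | p2p_vlan        # PCP(3) | DEI(1)=0 | VID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def an2_decapsulate(frame: bytes, p2p_vlan: int):
    """P2P tunnel end point processing (module 42): pop the tag, but only from
    frames carrying the configured P2P VLAN. An untagged frame or one tagged with
    another VLAN is not tunnel traffic and is reported as None."""
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q or (tci & 0x0FFF) != p2p_vlan:
        return None
    return frame[:12] + frame[16:]


class MacForwarder:
    """P2P data forwarding (module 43): two-layer MAC forwarding by destination."""
    def __init__(self, table: dict):
        self.table = table                  # destination MAC -> egress port

    def egress_port(self, frame: bytes):
        return self.table.get(frame[:6])    # None for an unknown destination


def tunnel_round_trip(payload: bytes, p2p_vlan: int = 1234):
    """Carry one constructed frame from sender A through AN1 -> AN2 -> receiver B.
    Returns (tagged frame length, inner frame equals original, egress port)."""
    a, b = mac("02:00:00:00:00:0a"), mac("02:00:00:00:00:0b")   # constructed MACs
    original = build_frame(b, a, ETHERTYPE_IPV4, payload)
    tagged = an1_encapsulate(original, p2p_vlan)                 # at AN1
    inner = an2_decapsulate(tagged, p2p_vlan)                    # at AN2
    port = MacForwarder({b: "port-7"}).egress_port(inner) if inner else None
    return len(tagged), inner == original, port


if __name__ == "__main__":
    print(tunnel_round_trip(b"\x45" + b"\x00" * 19))   # (38, True, 'port-7')
```

The VLAN check at AN2 is the part worth noting from a security standpoint: a frame that arrives untagged, or tagged with a VLAN other than the one the control node configured, is not treated as tunnel traffic and never reaches the decapsulated forwarding path, so admission to the tunnel stays with the control plane rather than with whoever can reach AN2.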
Based on the system provided by the fourth embodiment, the present invention provides a P2P service access method in which P2P transmission is terminated by DPI analysis, and a P2P service access method in which P2P transmission is terminated by signaling; the specific flows are given in the fifth and sixth embodiments of the present invention:
As shown in fig. 7, the fifth embodiment of the present invention is a flowchart of a P2P service access method in which P2P transmission is terminated by DPI analysis. For convenience of description, in this embodiment the residential gateway is abbreviated as RG, the P2P tunnel start node 3 as AN1 and the P2P tunnel end node 4 as AN2, and AN1 and AN2 are collectively referred to as the P2P tunnel path nodes.
The method specifically comprises the following steps:
P2P tunnel establishment phase:
Step S701, the P2P data message of the sender A is uploaded to the RG;
Step S702, DPI agent module 11 filtering. The DPI agent module 11 of the RG recognizes, through flow classification and/or DPI filtering, that the packet from the sender A is a P2P data packet, and the process proceeds to step S703.
Step S703, the P2P data packet is redirected to the data parsing unit 5.
Step S704, the data parsing unit 5 performs DPI analysis on the P2P data or signaling packet, identifies the application service type and content of the corresponding flow or parses the P2P signaling, and looks up the DPI related policy of the P2P flow.
Step S705, if the DPI related policy of the P2P flow is to allow the P2P flow, the data parsing unit 5 forwards the P2P data to the receiver B.
Step S706, the data parsing unit 5 then issues a P2P tunnel and policy configuration command to the control node 2 according to the DPI related policy.
Step S707, the control node 2 determines the P2P tunnel path according to the P2P tunnel and policy configuration command, the P2P source user identifier and the P2P destination user identifier, and issues a P2P tunnel and policy configuration command to each P2P tunnel path node.
In the embodiment of the invention, for a PBT tunnel, the IP edge node configures on AN1 and AN2 the ESP identified by the P2P tunnel start node MAC, the P2P VLAN and the P2P tunnel end node MAC;
for an MPLS tunnel, the IP edge node configures the corresponding MPLS label on each path node of the MPLS LSP;
for a VLAN tunnel, the IP edge node configures the corresponding VLAN on each path node of the VLAN tunnel.
Step S708, the data parsing unit 5 issues a P2P policy configuration command to the ACS.
Step S709, the ACS configures the RG according to the P2P policy configuration command to gate the P2P data stream corresponding to the sender A, i.e. to allow the P2P data packets to pass through the RG.
P2P data transfer phase:
Step S710, when the P2P tunnel configuration is completed, the RG and/or the P2P tunnel node gates the P2P data message of the sender A, and P2P charging starts.
Step S711, AN1 performs tunnel encapsulation on the P2P data message from the sender A.
Step S712, the P2P data stream is carried through the tunnel to AN2.
Step S713, AN2 performs tunnel decapsulation to obtain the P2P data message.
Step S714, AN2 performs layer-2 MAC forwarding, IP bridging forwarding or IP routing forwarding on the P2P data message.
Step S715, the P2P data stream arrives at the receiver B.
P2P service termination phase:
Step S716, DPI analysis. When the DPI agent module 11 of the RG does not receive a P2P data packet from the sender A within the specified time, or determines by other means that the P2P traffic flow of the sender A has terminated, the process goes to step S717.
Step S717, the data parsing unit 5 is notified to delete the P2P tunnel and policy.
Step S718, the data parsing unit 5 issues a P2P tunnel and policy deletion command to the control node 2.
Step S719, according to the P2P tunnel and policy deletion command received in step S718, the control node 2 issues a P2P tunnel and policy configuration command (deleting the tunnel and policy) to each P2P tunnel path node.
In the embodiment of the invention, for a PBT tunnel, the control node 2 deletes from AN1 and AN2 the ESP identified by the P2P tunnel start node MAC, the P2P VLAN and the P2P tunnel end node MAC;
for an MPLS tunnel, the IP edge node deletes the corresponding MPLS label from each path node of the MPLS LSP;
for a VLAN tunnel, the IP edge node deletes the corresponding VLAN from each path node of the VLAN tunnel.
Step S720, the data parsing unit 5 issues a P2P policy deletion command to the ACS.
Step S721, according to the P2P policy deletion command, the ACS configures the RG to stop gating the P2P data stream corresponding to the sender A, i.e. P2P data packets are no longer allowed to pass through the RG.
Step S722, the RG or AN1 blocks the P2P flow corresponding to the sender A, and P2P charging stops.
As shown in fig. 8, the sixth embodiment of the present invention is a flowchart of a P2P service access method in which P2P transmission is terminated by signaling. For convenience of description, in this embodiment the residential gateway is abbreviated as RG, the P2P tunnel start node 3 as AN1 and the P2P tunnel end node 4 as AN2, and AN1 and AN2 are collectively referred to as the P2P tunnel path nodes.
The method specifically comprises the following steps:
Step S801, the P2P signaling message of the sender A is uploaded to the RG.
Step S802, DPI filtering. The DPI agent module 11 of the RG recognizes, through flow classification and/or DPI filtering, that the packet from the sender A is a P2P signaling packet, and then proceeds to step S803.
Step S803, the P2P signaling message is redirected to the data parsing unit 5.
Step S804, DPI analysis. The data parsing unit 5 parses the P2P signaling message.
Step S805, the data parsing unit 5 issues a P2P tunnel and policy configuration command to the control node 2 according to the DPI related policy.
Step S806, the control node 2 determines the P2P tunnel path.
Step S807, the control node 2 issues a P2P tunnel and policy configuration command to each P2P tunnel path node.
In the embodiment of the invention, for a PBT tunnel, the IP edge node configures on AN1 and AN2 the ESP identified by the P2P tunnel start node MAC, the P2P VLAN and the P2P tunnel end node MAC;
for an MPLS tunnel, the IP edge node configures the corresponding MPLS label on each path node of the MPLS LSP;
for a VLAN tunnel, the IP edge node configures the corresponding VLAN on each path node of the VLAN tunnel.
Step S808, the data parsing unit 5 issues a P2P policy configuration command to the ACS.
Step S809, the ACS configures the RG according to the P2P policy configuration command to gate the P2P data stream corresponding to the sender A, i.e. to allow the P2P data packets to pass through the RG.
Step S810, when the P2P tunnel configuration is completed, the RG and/or AN1 gates the P2P data message, that is, the P2P data message is allowed to pass through the P2P tunnel, and P2P charging starts; the P2P signaling message, however, is still redirected to the data parsing unit 5.
Step S811, AN1 performs tunnel encapsulation on the P2P data packet from the sender A.
Step S812, the P2P data stream is carried through the tunnel to AN2.
Step S813, AN2 performs tunnel decapsulation to obtain the P2P data message.
Step S814, AN2 performs layer-2 MAC forwarding, IP bridging forwarding or IP routing forwarding on the P2P data message.
Step S815, the P2P data stream arrives at the receiver B.
Step S816, the sender A issues a P2P end command.
Step S817, DPI filtering. The DPI agent module 11 of the RG recognizes, through flow classification and/or DPI filtering, that the packet from the sender A is a P2P signaling packet, and then proceeds to step S818.
Step S818, the P2P signaling message is redirected to the data parsing unit 5.
Step S819, the data parsing unit 5 parses the P2P end command and issues a P2P tunnel and policy deletion command to the control node 2.
Step S820, according to the P2P tunnel and policy deletion command received in step S819, the control node 2 issues a P2P tunnel and policy configuration command (deleting the tunnel and policy) to each P2P tunnel path node.
In the embodiment of the invention, for a PBT tunnel, the IP edge node deletes from AN1 and AN2 the ESP identified by the P2P tunnel start node MAC, the P2P VLAN and the P2P tunnel end node MAC;
for an MPLS tunnel, the IP edge node deletes the corresponding MPLS label from each path node of the MPLS LSP;
for a VLAN tunnel, the IP edge node deletes the corresponding VLAN from each path node of the VLAN tunnel.
Step S821, the data parsing unit 5 issues a P2P policy deletion command to the ACS.
Step S822, according to the P2P policy deletion command, the ACS configures the RG to stop gating the P2P data stream corresponding to the sender A, i.e. P2P data packets are no longer allowed to pass through the RG.
Step S823, the RG or AN1 blocks the P2P flow corresponding to the sender A, and P2P charging stops.
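The two termination variants (inactivity detected by the DPI agent in steps S716 to S722, and an end command parsed by the data parsing unit in steps S816 to S823) share one establishment path, so a single added model covers both. The Python below is example code written for this page, not the patent's or Huawei's implementation; the node names, the user-to-AN mapping, the allowed-pair policy table and the 60 s inactivity timeout are assumptions standing in for the "specified time" and the DPI related policy that the text leaves unspecified.

```python
from dataclasses import dataclass, field

INACTIVITY_TIMEOUT = 60.0   # assumed value for the "specified time" of step S716

@dataclass
class Packet:
    src_user: str
    dst_user: str
    kind: str   # constructed labels: "p2p_data", "p2p_start", "p2p_end", "other"

@dataclass
class TunnelNode:               # P2P tunnel path node (AN1 or AN2)
    name: str
    tunnels: set = field(default_factory=set)   # tunnels the control node configured

class ControlNode:
    """Control node 2: derive the tunnel path from the user identifiers and
    configure or delete the tunnel on both path nodes (steps S707, S719)."""
    def __init__(self, user_to_an: dict):
        self.user_to_an = user_to_an        # assumed mapping: user id -> its access node

    def create(self, src_user, dst_user):
        start, end = self.user_to_an[src_user], self.user_to_an[dst_user]
        tunnel_id = (start.name, end.name, src_user, dst_user)
        for node in (start, end):
            node.tunnels.add(tunnel_id)
        return tunnel_id

    def delete(self, tunnel_id):
        for user in tunnel_id[2:]:
            self.user_to_an[user].tunnels.discard(tunnel_id)

class DataParsingUnit:
    """Data parsing unit 5 (DPI server plus policy server): apply the DPI related
    policy and drive the control node (steps S704 to S706, S718)."""
    def __init__(self, control: ControlNode, allowed_pairs: set):
        self.control, self.allowed_pairs = control, allowed_pairs  # constructed policy
        self.active = {}                    # (src, dst) -> tunnel_id

    def on_redirect(self, pkt: Packet):
        key = (pkt.src_user, pkt.dst_user)
        if pkt.kind == "p2p_end":
            return self.teardown(key)
        if key not in self.allowed_pairs:
            return None                     # policy denies: no tunnel is configured
        if key not in self.active:
            self.active[key] = self.control.create(*key)
        return self.active[key]

    def teardown(self, key):
        tunnel_id = self.active.pop(key, None)
        if tunnel_id is not None:
            self.control.delete(tunnel_id)
        return tunnel_id

class RGProxy:
    """DPI agent module 11 on the RG: classify, redirect, gate, charge and detect
    inactivity. Closed by default: data is forwarded only once a tunnel exists."""
    def __init__(self, dpu: DataParsingUnit):
        self.dpu = dpu
        self.last_seen = {}     # gated flows -> time of the last data packet
        self.charging = []      # ("start" | "stop", key, time)

    def handle(self, pkt: Packet, now: float) -> str:
        key = (pkt.src_user, pkt.dst_user)
        if pkt.kind == "p2p_end":                   # end signaling is redirected (S816-S819)
            self.dpu.on_redirect(pkt)
            return self._block(key, now)
        if pkt.kind not in ("p2p_data", "p2p_start"):
            return "forward_normal"
        if key in self.last_seen and pkt.kind == "p2p_data":
            self.last_seen[key] = now               # gated flow goes straight into the tunnel
            return "forward_via_tunnel"
        if self.dpu.on_redirect(pkt) is None:       # first packet or signaling: redirect
            return "drop"
        if key not in self.last_seen:
            self.charging.append(("start", key, now))   # S710: charging starts with gating
        self.last_seen[key] = now
        return "gated"

    def tick(self, now: float) -> list:
        # Step S716: flows silent for longer than the timeout are torn down
        expired = [k for k, t in self.last_seen.items() if now - t > INACTIVITY_TIMEOUT]
        for key in expired:
            self.dpu.teardown(key)
            self._block(key, now)
        return expired

    def _block(self, key, now) -> str:
        if self.last_seen.pop(key, None) is None:
            return "ignored"                            # no gated flow for this pair
        self.charging.append(("stop", key, now))        # S722/S823: block, stop charging
        return "blocked"

def build_system(allowed_pairs=frozenset({("A", "B")})):
    # Constructed topology: sender A behind AN1, receiver B behind AN2
    an1, an2 = TunnelNode("AN1"), TunnelNode("AN2")
    control = ControlNode({"A": an1, "B": an2})
    return RGProxy(DataParsingUnit(control, set(allowed_pairs))), an1, an2
```

Two design points are deliberate: the RG forwards a flow into the tunnel only after the data parsing unit has returned a tunnel id, so a flow the policy denies is dropped rather than passed by default, and charging start and stop are recorded together with the gating state, so a torn-down tunnel never leaves a flow being charged.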
By applying a P2P access system in which bearer and control are separated, the invention introduces the P2P tunnel start point node and the P2P tunnel end point node, so that the P2P service can fully exploit the advantages of client-to-client communication and carry out P2P communication directly through the P2P tunnel between RGs or ANs. The P2P data messages then do not all need to go up to the IP Edge, which greatly reduces the data traffic in the access and aggregation network, lowers the bandwidth and cost requirements on the IP Edge, and lightens the DPI processing burden of the DPI server.
The above disclosure covers only a few specific embodiments of the present invention, but the invention is not limited thereto, and any variations that can be made by those skilled in the art are intended to fall within the scope of the present invention.

Claims (4)

1. A method for accessing a point-to-point (P2P) service, characterized in that the method comprises the following steps:
obtaining starting information of the P2P service, at least including configuration information of a P2P tunnel, and determining a P2P tunnel path according to the starting information, wherein the specific steps comprise: a DPI agent module of an access node identifies the message from the sender as a P2P data message by flow classification and/or DPI filtering and redirects the P2P data message to a data parsing unit; the data parsing unit performs DPI analysis on the P2P data or signaling message, identifies the application service type and content of the corresponding flow or parses the P2P signaling, and checks the DPI related policy of the P2P flow; if the DPI related policy of the P2P flow is to allow the P2P flow, the data parsing unit forwards the P2P data to the destination receiver; the data parsing unit issues a P2P tunnel and policy configuration command to a control node according to the DPI related policy; the control node determines the P2P tunnel path according to the P2P tunnel and policy configuration command, the P2P source user identifier and the P2P destination user identifier, and issues the P2P tunnel and policy configuration command to the access node and the other access node respectively;
establishing a P2P tunnel according to the P2P tunnel path, and carrying the P2P service through the P2P tunnel, where the carrying of the P2P service through the P2P tunnel specifically includes: when the P2P tunnel configuration is completed, the access node gates the P2P data packet, allowing the P2P data packet to pass through the P2P tunnel;
acquiring termination information of the P2P service;
deleting the P2P tunnel according to the termination information, and terminating the P2P service.
2. The P2P service access method of claim 1, wherein the step of acquiring the termination information of the P2P service comprises:
receiving P2P termination signaling from the sender of the P2P service; or
if no data message of the P2P service sent by the sender of the P2P service is received within the response time, judging that the sender has terminated the P2P service.
3. A network system comprising a P2P data forwarding apparatus, a data parsing unit, a control node, a P2P tunnel start node and a P2P tunnel end node, the P2P data forwarding apparatus comprising a DPI agent module, wherein:
the DPI proxy module is used to perform flow classification and/or DPI filtering on user messages to obtain P2P service data messages, and to redirect the P2P service data messages to the data parsing unit;
the P2P data forwarding device is configured to receive a P2P service data packet from the P2P service sender and forward it to the data parsing unit, and to receive a data stream from the P2P service sender and forward it to the P2P tunnel start point node;
the data parsing unit is configured to obtain the start information or end information of the P2P service from the P2P service data packet, and further configured to issue the P2P tunnel and policy configuration command to the control node according to the DPI related policy of the P2P service;
the control node is configured to control the P2P tunnel start point node and the P2P tunnel end point node to establish or delete the P2P tunnel according to the start information or end information of the P2P service obtained by the data parsing unit;
the P2P tunnel start point node is used to accept control from the control node, establish or delete the P2P tunnel, and send P2P data;
the P2P tunnel end point node is used to accept control from the control node, establish or delete the P2P tunnel, receive P2P data, and send it to the receiver of the P2P service.
4. The network system according to claim 3, wherein the P2P tunnel start node and the P2P tunnel end node are integrated in a residential gateway RG, an access node AN or an aggregation network node, and the data parsing unit is integrated in an IP edge node, a traffic router SR or an aggregation network node.
CN 200810080612 2008-02-22 2008-02-22 Method, system and device for P2P service access Expired - Fee Related CN101515944B (en)


Publications (2)

Publication Number Publication Date
CN101515944A CN101515944A (en) 2009-08-26
CN101515944B true CN101515944B (en) 2013-08-28

Family

ID=41040235



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right
Effective date of registration: 20201204
Address after: No.3, East high tech Industrial Zone, Maqiao Town, Jingjiang City, Taizhou City, Jiangsu Province
Patentee after: Jiangsu Hengbo pneumatic conveying equipment manufacturing Co.,Ltd.
Address before: Unit 2414-2416, main building, no.371, Wushan Road, Tianhe District, Guangzhou City, Guangdong Province
Patentee before: GUANGDONG GAOHANG INTELLECTUAL PROPERTY OPERATION Co.,Ltd.
Effective date of registration: 20201204
Address after: Unit 2414-2416, main building, no.371, Wushan Road, Tianhe District, Guangzhou City, Guangdong Province
Patentee after: GUANGDONG GAOHANG INTELLECTUAL PROPERTY OPERATION Co.,Ltd.
Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen
Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.
CF01 Termination of patent right due to non-payment of annual fee
Granted publication date: 20130828
Termination date: 20200222