公开(公告)号：US08259740B2

公开(公告)日：2012-09-04

申请号：US12808426

申请日：2008-06-12

申请人： Xiao Li ,  Xiangqing Chang ,  Xudong Zou

发明人： Xiao Li ,  Xiangqing Chang ,  Xudong Zou

IPC分类号： H04L12/56

CPC分类号： H04L63/02 ,  H04L12/413 ,  H04L63/0209

摘要： The present invention discloses a packet processing method, which applies to a high-performance and scalable flow processing system architecture. The service board performs security processing for packets received from external devices by using the firewall function before sending them to the main CPU; similarly, the service board also performs security processing for packets sent from the main CPU by using the firewall function before the main CPU sends them to external devices. The methods of the present invention utilize high performance and good scalability of the new architecture. In a network with heavy and high-speed traffic, the service board performs security processing for packets by using the firewall function and then transmits the valid packets to the main CPU. Thus, the main CPU is protected by the firewall function against attack packets.

摘要翻译： 本发明公开了一种适用于高性能，可扩展的流处理系统架构的分组处理方法。 业务板在发送给主CPU之前，先通过防火墙功能对外部设备收到的报文进行安全处理; 类似地，在主CPU将它们发送到外部设备之前，服务板还通过使用防火墙功能对从主CPU发送的数据包进行安全处理。 本发明的方法利用新架构的高性能和良好的可扩展性。 在高速流量网络中，业务板通过防火墙功能对报文进行安全处理，然后将有效报文发送给主CPU。 因此，主CPU受到防火墙功能的攻击攻击。

公开(公告)号：US20100132028A1

公开(公告)日：2010-05-27

申请号：US12529907

申请日：2008-07-17

申请人： Ju Wang ,  Mingyu Li ,  Xudong Zou ,  Xiangqing Chang ,  Zhongwei Fang ,  Xiao Li

发明人： Ju Wang ,  Mingyu Li ,  Xudong Zou ,  Xiangqing Chang ,  Zhongwei Fang ,  Xiao Li

IPC分类号： G06F17/00 ,  G06F15/16

CPC分类号： H04L63/0236 ,  H04L69/326

摘要： Embodiments of the present invention provide method for implementing security-related processing on packet and a network security device. Through establishing a relationship between stream attribute information of an initial packet of a stream and security-related processing information implemented on the initial packet, when a succeeding packet of the stream is received, the previously stored relationship is acquired according to stream attribute information of the succeeding packet, the security-related processing is implemented on the succeeding packet according to the security-related processing information in the relationship. Therefore, according to the method for implementing security-related processing on packet and the network security device provided by the present invention, the process of searching for security information entries for succeeding packets of a stream is not required, the security-related processing procedure of the packet is thus accelerated, and the packet processing efficiency is improved.

摘要翻译： 本发明的实施例提供了用于在分组和网络安全设备上实现安全相关处理的方法。 通过建立流初始分组的流属性信息与在初始分组上实现的与安全相关的处理信息之间的关系，当接收到流的后续分组时，根据流的属性信息获取先前存储的关系 根据关系中的安全相关的处理信息，在后续的分组上实现与安全相关的处理。 因此，根据本发明提供的分组安全相关处理方法和网络安全设备的实现方法，不需要搜索流的后续分组的安全信息条目的过程，与安全相关的处理过程 因此分组被加速，并且提高分组处理效率。

公开(公告)号：US20110249674A1

公开(公告)日：2011-10-13

申请号：US12672110

申请日：2008-07-09

申请人： Xiangqing Chang ,  Xiao Li ,  Xudong Zou

发明人： Xiangqing Chang ,  Xiao Li ,  Xudong Zou

IPC分类号： H04L12/56

CPC分类号： H04L12/58 ,  H04L47/825 ,  H04L49/15 ,  H04L49/40 ,  H04L51/00

摘要： The present invention provides an apparatus and method for processing a packet. An interface processing module selects one from all service processing modules as a service processing module for processing a packet; if the service processing module needs to perform tunnel processing for the packet, the service processing module transmits the packet after performing the tunnel processing; if another service processing module needs to perform tunnel processing for the packet, the service processing module transmits the packet to a service processing module needing to perform tunnel processing for the packet. According to the present invention, the packet can be processed uniformly by the service processing module, so it is not unnecessary to store session states in the service processing modules, and also not unnecessary to perform synchronization between the service processing modules, which greatly decreases complexity of processing the packet and saves system bandwidth.

摘要翻译： 本发明提供一种用于处理分组的装置和方法。 接口处理模块从所有服务处理模块中选择一个作为处理分组的服务处理模块; 如果业务处理模块需要对报文进行隧道处理，则业务处理模块在进行隧道处理后发送报文; 如果另一业务处理模块需要对该报文执行隧道处理，则业务处理模块将该报文发送给需要对该报文进行隧道处理的业务处理模块。 根据本发明，服务处理模块可以均匀地处理分组，所以不必在服务处理模块中存储会话状态，也不必在服务处理模块之间进行同步，这大大降低了复杂度 处理数据包并节省系统带宽。

公开(公告)号：US20100195647A1

公开(公告)日：2010-08-05

申请号：US12670766

申请日：2008-06-26

申请人： Ju Wang ,  Zhanming Wei ,  Xudong Zou ,  Xiao Li ,  Xiangqing Chang

发明人： Ju Wang ,  Zhanming Wei ,  Xudong Zou ,  Xiao Li ,  Xiangqing Chang

IPC分类号： H04L12/56

CPC分类号： H04L67/16 ,  H04L67/14 ,  H04L69/32

摘要： The present invention discloses a packet processing apparatus and method. The packet processing apparatus is applied to an L4˜L7 network device, including a plurality of interface processing units and a plurality of service processing units, the interface processing units are connected with the service processing units through a first connection unit; and each of the interface processing units is adapted to select, after receiving a packet from outside, a service processing unit from all the service processing units and transmit the packet to the selected service processing unit; and each of the service processing units is adapted to perform service processing to the packet after receiving the packet. The present invention improves packet processing capability and reliability of the L4˜L7 network device.

摘要翻译： 本发明公开了一种分组处理装置和方法。 分组处理装置应用于包括多个接口处理单元和多个业务处理单元的L4〜17网络设备，接口处理单元通过第一连接单元与业务处理单元连接; 并且每个接口处理单元适于在从外部接收到分组之后从所有服务处理单元选择服务处理单元，并将所述分组发送到所选择的服务处理单元; 并且每个服务处理单元适于在接收到分组之后对分组执行服务处理。 本发明提高了L4〜17网络设备的分组处理能力和可靠性。

公开(公告)号：US08908689B2

公开(公告)日：2014-12-09

申请号：US12672110

申请日：2008-07-09

申请人： Xiangqing Chang ,  Xiao Li ,  Xudong Zou

发明人： Xiangqing Chang ,  Xiao Li ,  Xudong Zou

IPC分类号： H04L12/28 ,  H04L12/56 ,  H04J3/24 ,  H04L12/58 ,  H04L12/933 ,  H04L12/931 ,  H04L12/911

CPC分类号： H04L12/58 ,  H04L47/825 ,  H04L49/15 ,  H04L49/40 ,  H04L51/00

摘要： The present invention provides an apparatus and method for processing a packet. An interface processing module selects one from all service processing modules as a service processing module for processing a packet; if the service processing module needs to perform tunnel processing for the packet, the service processing module transmits the packet after performing the tunnel processing; if another service processing module needs to perform tunnel processing for the packet, the service processing module transmits the packet to a service processing module needing to perform tunnel processing for the packet. According to the present invention, the packet can be processed uniformly by the service processing module, so it is not unnecessary to store session states in the service processing modules, and also not unnecessary to perform synchronization between the service processing modules, which greatly decreases complexity of processing the packet and saves system bandwidth.

摘要翻译： 本发明提供一种用于处理分组的装置和方法。 接口处理模块从所有服务处理模块中选择一个作为处理分组的服务处理模块; 如果业务处理模块需要对报文进行隧道处理，则业务处理模块在进行隧道处理后发送报文; 如果另一业务处理模块需要对该报文执行隧道处理，则业务处理模块将该报文发送给需要对该报文进行隧道处理的业务处理模块。 根据本发明，服务处理模块可以均匀地处理分组，所以不必在服务处理模块中存储会话状态，也不必在服务处理模块之间进行同步，这大大降低了复杂度 处理数据包并节省系统带宽。

公开(公告)号：US08559423B2

公开(公告)日：2013-10-15

申请号：US12670766

申请日：2008-06-26

申请人： Ju Wang ,  Zhanming Wei ,  Xudong Zou ,  Xiao Li ,  Xiangqing Chang

发明人： Ju Wang ,  Zhanming Wei ,  Xudong Zou ,  Xiao Li ,  Xiangqing Chang

IPC分类号： H04L12/58

CPC分类号： H04L67/16 ,  H04L67/14 ,  H04L69/32

摘要： The present invention discloses a packet processing apparatus and method. The packet processing apparatus is applied to an L4˜L7 network device, including a plurality of interface processing units and a plurality of service processing units, the interface processing units are connected with the service processing units through a first connection unit; and each of the interface processing units is adapted to select, after receiving a packet from outside, a service processing unit from all the service processing units and transmit the packet to the selected service processing unit; and each of the service processing units is adapted to perform service processing to the packet after receiving the packet. The present invention improves packet processing capability and reliability of the L4˜L7 network device.

摘要翻译： 本发明公开了一种分组处理装置和方法。 分组处理装置应用于包括多个接口处理单元和多个业务处理单元的L4〜L7网络​​设备，接口处理单元通过第一连接单元与业务处理单元连接; 并且每个接口处理单元适于在从外部接收到分组之后从所有服务处理单元选择服务处理单元，并将所述分组发送到所选择的服务处理单元; 并且每个服务处理单元适于在接收到分组之后对分组执行服务处理。 本发明提高了L4〜L7网络​​设备的分组处理能力和可靠性。

公开(公告)号：US08316432B2

公开(公告)日：2012-11-20

申请号：US12529907

申请日：2008-07-17

申请人： Ju Wang ,  Mingyu Li ,  Xudong Zou ,  Xiangqing Chang ,  Zhongwei Fang ,  Xiao Li

发明人： Ju Wang ,  Mingyu Li ,  Xudong Zou ,  Xiangqing Chang ,  Zhongwei Fang ,  Xiao Li

IPC分类号： H04L29/06

CPC分类号： H04L63/0236 ,  H04L69/326

摘要： Embodiments of the present invention provide method for implementing security-related processing on packet and a network security device. Through establishing a relationship between stream attribute information of an initial packet of a stream and security-related processing information implemented on the initial packet, when a succeeding packet of the stream is received, the previously stored relationship is acquired according to stream attribute information of the succeeding packet, the security-related processing is implemented on the succeeding packet according to the security-related processing information in the relationship. Therefore, according to the method for implementing security-related processing on packet and the network security device provided by the present invention, the process of searching for security information entries for succeeding packets of a stream is not required, the security-related processing procedure of the packet is thus accelerated, and the packet processing efficiency is improved.

摘要翻译： 本发明的实施例提供了用于在分组和网络安全设备上实现安全相关处理的方法。 通过建立流初始分组的流属性信息与在初始分组上实现的与安全相关的处理信息之间的关系，当接收到流的后续分组时，根据流的属性信息获取先前存储的关系 根据关系中的安全相关的处理信息，在后续的分组上实现与安全相关的处理。 因此，根据本发明提供的分组安全相关处理方法和网络安全设备的实现方法，不需要搜索流的后续分组的安全信息条目的过程，与安全相关的处理过程 因此分组被加速，并且提高分组处理效率。

公开(公告)号：US20100322239A1

公开(公告)日：2010-12-23

申请号：US12808426

申请日：2008-06-12

申请人： Xiao Li ,  Xiangqing Chang ,  Xudong Zou

发明人： Xiao Li ,  Xiangqing Chang ,  Xudong Zou

IPC分类号： H04L12/56

CPC分类号： H04L63/02 ,  H04L12/413 ,  H04L63/0209

摘要： The present invention discloses a packet processing method, which applies to a high-performance and scalable flow processing system architecture. The service board performs security processing for packets received from external devices by using the firewall function before sending them to the main CPU; similarly, the service board also performs security processing for packets sent from the main CPU by using the firewall function before the main CPU sends them to external devices. The methods of the present invention utilize high performance and good scalability of the new architecture. In a network with heavy and high-speed traffic, the service board performs security processing for packets by using the firewall function and then transmits the valid packets to the main CPU. Thus, the main CPU is protected by the firewall function against attack packets.

摘要翻译： 本发明公开了一种适用于高性能，可扩展的流处理系统架构的分组处理方法。 业务板在发送给主CPU之前，先通过防火墙功能对外部设备收到的报文进行安全处理; 类似地，在主CPU将它们发送到外部设备之前，服务板还通过使用防火墙功能对从主CPU发送的数据包进行安全处理。 本发明的方法利用新架构的高性能和良好的可扩展性。 在高速流量网络中，业务板通过防火墙功能对报文进行安全处理，然后将有效报文发送给主CPU。 因此，主CPU受到防火墙功能的攻击攻击。

公开(公告)号：US08327129B2

公开(公告)日：2012-12-04

申请号：US12808978

申请日：2008-06-23

申请人： Weichen Ren ,  Xudong Zou ,  Zhanming Wei ,  Xiangqing Chang

发明人： Weichen Ren ,  Xudong Zou ,  Zhanming Wei ,  Xiangqing Chang

IPC分类号： H04L29/06

CPC分类号： H04L63/061 ,  H04L63/102 ,  H04L63/164

摘要： The present invention discloses a method, an apparatus, and a system for IKE negotiation. One method comprises: upon receiving a data packet, selecting one of multiple service cards according to a pre-configured policy and triggering the service card to send an IKE negotiation packet; and saving the mapping between the IKE negotiation packet and the service card. The other method comprises: upon receiving an IKE negotiation packet, selecting one of multiple service cards according to a pre-configured policy, triggering the service card to perform IKE negotiation, and saving the mapping between of the IKE negotiation packet and the service card. The solution enables a network node a node to distribute IKE negotiations to different service cards to perform IKE negotiation at the same time, improving IKE negotiation speed.

摘要翻译： 本发明公开了一种用于IKE协商的方法，装置和系统。 一种方法包括：在接收到数据包后，根据预先配置的策略选择多个业务卡中的一个，并触发业务卡发送IKE协商报文; 并保存IKE协商报文与业务卡之间的映射关系。 另一种方法是：收到IKE协商报文后，根据预先配置的策略选择多个业务板中的一个，触发业务卡进行IKE协商，保存IKE协商报文与业务卡的映射关系。 该解决方案使网络节点能够将IKE协商分发到不同的业务卡，同时进行IKE协商，提高IKE协商速度。

公开(公告)号：US20100313023A1

公开(公告)日：2010-12-09

申请号：US12808978

申请日：2008-06-23

申请人： Weichen Ren ,  Xudong Zou ,  Zhanming Wei ,  Xiangqing Chang

发明人： Weichen Ren ,  Xudong Zou ,  Zhanming Wei ,  Xiangqing Chang

IPC分类号： H04L9/08 ,  H04L9/32

CPC分类号： H04L63/061 ,  H04L63/102 ,  H04L63/164

摘要： The present invention discloses a method, an apparatus, and a system for IKE negotiation. One method comprises: upon receiving a data packet, selecting one of multiple service cards according to a pre-configured policy and triggering the service card to send an IKE negotiation packet; and saving the mapping between the IKE negotiation packet and the service card. The other method comprises: upon receiving an IKE negotiation packet, selecting one of multiple service cards according to a pre-configured policy, triggering the service card to perform IKE negotiation, and saving the mapping between of the IKE negotiation packet and the service card. The solution enables a network node a node to distribute IKE negotiations to different service cards to perform IKE negotiation at the same time, improving IKE negotiation speed.

摘要翻译： 本发明公开了一种用于IKE协商的方法，装置和系统。 一种方法包括：在接收到数据包后，根据预先配置的策略选择多个业务卡中的一个，并触发业务卡发送IKE协商报文; 并保存IKE协商报文与业务卡之间的映射关系。 另一种方法是：收到IKE协商报文后，根据预先配置的策略选择多个业务板中的一个，触发业务卡进行IKE协商，保存IKE协商报文与业务卡的映射关系。 该解决方案使网络节点能够将IKE协商分发到不同的业务卡，同时进行IKE协商，提高IKE协商速度。