Research on the architecture of next-generation information networks is one of the hottest topics at present, and the view accepted by most researchers today is that the future network will use the Internet as a uniform bearer network. The Internet has developed rapidly since it came into being and has become the most successful and vital communication network; its characteristics, such as flexible extendibility, efficient packet switching and powerful terminal functions, strongly meet the design demands of the new generation of networks, and the Internet will be the main reference blueprint for new-generation network designs.
However, the structure of the Internet is still far from optimal and has many significant design problems. A typical one is the problem of the dual attributes of the IP address: the IP address represents a user's identity and also represents the location in the network topology where the user is located. The Internet was invented in the 1970s, when it was difficult to foresee the large numbers of mobile terminals and multi-homing terminals that exist in the world today, so the Internet protocol stacks of that time were designed for terminals connected in a fixed way. In the network environment of that time, a terminal generally did not move from one location to another, the sending address was exactly the receiving address, and the path was reversible, so an IP address with the dual attributes of identity and location worked extremely well, and no conflict arose between the identity attribute and the location attribute of the IP address. An IP address representing both identity and location met the network requirements of that time precisely. Seen from the network environment of that time, this design scheme was simple and effective, and it simplified the hierarchical structure of the protocol stacks.
Nonetheless, there are undoubtedly inherent contradictions between the identity attribute and the location attribute of the IP address. The identity attribute requires that any two IP addresses be equal in status: although IP addresses can be allocated according to an organizational structure, there is no necessary relationship between sequentially numbered IP addresses. The location attribute requires that IP addresses be allocated based on the network topology (not the organizational structure), and that all IP addresses within the same subnetwork lie in a contiguous IP address block, so that IP address prefixes can be aggregated in the network topology, thereby reducing the number of entries in the routing tables of router devices and guaranteeing the extendibility of the routing system.
In general, the inherent contradictions of the dual attributes of the IP address cause the following major problems.
1. Route extendibility problem. The extendibility of the routing system in the Internet rests on a basic assumption:
Either addresses are allocated according to the topology, or the topology is deployed according to the addresses; one of the two must be chosen. The identity attribute of the IP address requires that IP addresses be allocated based on the organizational structure to which the terminal belongs (not the network topology), and this kind of allocation must remain reasonably stable and cannot be changed frequently; the location attribute of the IP address requires that IP addresses be allocated based on the network topology, so as to guarantee the extendibility of the routing system. The two attributes of the IP address therefore conflict, which eventually gives rise to the extendibility problem of the routing system in the Internet.
2. Mobility problem. The identity attribute of the IP address requires that the IP address not change when the terminal's location changes, which guarantees that communications bound to the identity are not interrupted and that other terminals can still use the terminal's identity to establish a communication relation with it after it moves; the location attribute of the IP address requires that the IP address change when the terminal's location changes, so that the IP address can be aggregated in the new network topology; otherwise the network must maintain separate routing information for the moved terminal, causing the number of routing table entries to increase sharply.
3. Multi-homing problem. Multi-homing normally means that a terminal or network accesses the Internet through multiple Internet Service Providers (ISPs) simultaneously; the advantages of multi-homing include increased network reliability, traffic load balancing between multiple ISPs and improved overall available bandwidth. However, the inherent contradictions of the dual attributes of the IP address make multi-homing difficult to implement. The identity attribute of the IP address requires that a multi-homing terminal always present an unchanged identity to other terminals, no matter how many ISPs it accesses the Internet through; the location attribute of the IP address requires that a multi-homing terminal use different IP addresses to communicate in different ISP networks, so that the terminal's IP addresses can be aggregated in the topology of each ISP network.
4. Security and location privacy problem. Since the IP address simultaneously contains the identity information and the location information of the terminal, both the peer terminal in a communication and a malicious eavesdropper can obtain the identity information and the topological location information of a terminal at the same time from that terminal's IP address.
In general, since the architecture of the traditional Internet was established, the technological environment and user population of the Internet have changed greatly, and the Internet must innovate along with these changes. The problem of the dual attributes of the IP address is one of the primary causes hindering the sustainable development of the Internet, and separating the identity attribute and the location attribute of the IP address is a sound idea for solving the problem the Internet faces. A new network is to be designed based on this idea, putting forward a network structure in which the identity information and the location information are mapped separately, so as to solve certain serious defects of the existing Internet.
To solve the identity and location problem, the industry has carried out a great deal of research and exploration, and the basic idea of all the schemes for separating identity and location is to split apart the dual attributes of identity and location that were originally bound together in the IP address. Some schemes use an application-layer Uniform Resource Locator (URL, an identification method used for completely describing the addresses of resources and webpages in the Internet) or a Fully Qualified Domain Name (FQDN) as the identity identifier of the terminal; some schemes introduce a new name space as the identity identifier, such as the Host Identity Protocol (HIP), which adds a host identity layer above the network layer that uses the IP address as its identifier; some schemes classify IP addresses, taking part of the IP addresses as identity identifiers and part as location identifiers, such as the Locator/ID Separation Protocol (LISP); and the patent CN200610001825 of Hong-Ke Zhang of Northern Jiaotong University also puts forward a scheme in which the IP address serves as the location identifier of the host and a terminal host identifier is introduced to serve as the identity identifier, which solves the problem of separating identity from location.
All the above schemes propose ways of implementing the separation between identity and location within the existing network architecture, each addressing certain aspects of the problem; the separation between identity and location is a core technology of future data communication networks, especially mobile data communication networks.
In the existing locator/identifier separation technology, a mapping relation between the identity identifier and the location identifier must be established for use when a network device performs addressing. This mapping relation is maintained in a mapping server. When an edge router receives a data packet from a terminal and the target identity identifier of the data packet is unknown to it, the edge router must query the locator/identifier mapping table of the mapping server, find the target location identifier corresponding to the target identity identifier, encapsulate the data packet and then send the encapsulated data packet to the corresponding network.
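As an added illustration of the lookup and encapsulation steps just described (not code from the patent or from any particular implementation), the following Python model uses constructed identity identifiers and locators; a cache miss triggers one mapping server query, a later packet to the same target is served from the edge router's cache, and an unknown target identity is rejected:

```python
# Added example (not the patent's code): toy model of the mapping lookup and
# encapsulation an edge router performs in a locator/identifier separation
# network. Identifiers, locators and names are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_id: str       # identity identifier of the sending terminal
    dst_id: str       # identity identifier of the target terminal
    payload: bytes

@dataclass(frozen=True)
class Encapsulated:
    src_loc: str      # location identifier of the sending edge router
    dst_loc: str      # location identifier of the target's edge router
    inner: Packet     # original packet carried unchanged

class MappingServer:
    """Maintains the identity -> location mapping table."""
    def __init__(self, table):
        self.table = dict(table)
        self.queries = 0
    def lookup(self, identity):
        self.queries += 1
        return self.table.get(identity)   # None when the identity is unknown

class EdgeRouter:
    def __init__(self, locator, server):
        self.locator = locator
        self.server = server
        self.cache = {}   # mappings already learned from the server
    def forward(self, pkt: Packet) -> Encapsulated:
        """Resolve the target locator (cache, then mapping server) and encapsulate."""
        dst_loc = self.cache.get(pkt.dst_id)
        if dst_loc is None:
            dst_loc = self.server.lookup(pkt.dst_id)
            if dst_loc is None:
                raise LookupError(f"no mapping for identity {pkt.dst_id}")
            self.cache[pkt.dst_id] = dst_loc
        return Encapsulated(self.locator, dst_loc, pkt)

# Constructed sample mapping table and one edge router at locator loc-1.
SERVER = MappingServer({"host-A": "loc-1", "host-B": "loc-2"})
ROUTER = EdgeRouter("loc-1", SERVER)

def demo():
    """Forward two packets to the same target; only the first needs a server query."""
    first = ROUTER.forward(Packet("host-A", "host-B", b"hello"))
    second = ROUTER.forward(Packet("host-A", "host-B", b"again"))
    return first, second, SERVER.queries
```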
Services of the Internet include web browsing, e-mail sending and receiving, instant messaging, video upload and download and so on. The sources of this information are extensive, and state security and social stability may even be harmed through it, so carrying out lawful interception on the Internet is of important significance.
A monitoring function mainly acquires and records the communication data of a monitored object in bypass mode and provides the communication data to state security departments such as the public security organs and the army.
The monitoring function of the network is required to possess the following characteristics:
1. The monitored object can be a certain user, a certain terminal, a certain service provider or a certain service;
2. The data are acquired in bypass mode during monitoring, which does not affect the service and is not perceived by the user;
3. The monitoring is required to obtain an authorization, and supervision departments with different authorities monitor contents of different levels.
The monitoring function of the network is defined here at the network layer of the ISO seven-layer model, that is, according to a configured monitoring rule, network-layer data packets matching the condition are mirrored to a supervision center.
The monitoring function is implemented mainly by using the data mirroring function of the network device. Data mirroring copies the data of a source port, or the data selected by the rules of an access control list, to a destination port, and the destination port is connected to the data monitoring device of the supervision center. Currently, most network devices, such as switches, routers and access servers, support a port mirroring function.
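The following added Python model (not the patent's or any vendor's code) illustrates the mirroring behaviour described above: a packet is copied to the destination port if it arrives on a mirrored source port or matches an access control list rule, while the original is forwarded unchanged; port names, addresses and the rule are constructed:

```python
# Added example (not the patent's code): toy model of port mirroring with
# source-port and access-control-list screening. All values are constructed.
from dataclasses import dataclass
from typing import Optional
import ipaddress

@dataclass(frozen=True)
class Pkt:
    in_port: str
    src: str
    dst: str
    proto: str

@dataclass(frozen=True)
class AclRule:                      # screening rule: address ranges plus optional protocol
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    proto: Optional[str] = None

    def matches(self, p: Pkt) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
                and (self.proto is None or self.proto == p.proto))

class MirrorSwitch:
    def __init__(self, mirrored_ports, acl, dest_port):
        self.mirrored_ports = set(mirrored_ports)
        self.acl = list(acl)
        self.dest_port = dest_port  # port connected to the supervision center
        self.mirrored = []          # copies delivered to dest_port

    def process(self, p: Pkt) -> Pkt:
        """Copy matching packets to the destination port; forward the original."""
        if p.in_port in self.mirrored_ports or any(r.matches(p) for r in self.acl):
            self.mirrored.append((self.dest_port, p))
        return p                    # bypass: the original forwarding path is unaffected

# Constructed configuration: mirror everything on port ge0/1, plus TCP traffic
# from the monitored subnet 192.0.2.0/24 arriving on any other port.
SWITCH = MirrorSwitch(["ge0/1"], [AclRule(src_net="192.0.2.0/24", proto="tcp")], "ge0/24")
SAMPLE = [  # constructed sample traffic
    Pkt("ge0/1", "198.51.100.7", "203.0.113.9", "udp"),  # mirrored: source port
    Pkt("ge0/2", "192.0.2.15", "203.0.113.9", "tcp"),    # mirrored: ACL rule
    Pkt("ge0/2", "192.0.2.15", "203.0.113.9", "udp"),    # not mirrored: wrong protocol
    Pkt("ge0/3", "198.51.100.7", "203.0.113.9", "tcp"),  # not mirrored: outside subnet
]

def run():
    forwarded = [SWITCH.process(p) for p in SAMPLE]   # every original still forwarded
    return forwarded, SWITCH.mirrored
```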
Currently, the monitoring function is not implemented in the existing locator/identifier separation network architecture.