CN102891850A - Method for preventing parameter resetting in IPSec (IP Security) channel updating - Google Patents


Info

Publication number
CN102891850A
Authority
CN
China
Prior art keywords
equipment
message
sequence number
standby
main equipment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN2012103613450A
Other languages
Chinese (zh)
Inventor
陈海滨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Opzoon Technology Co Ltd
Original Assignee
Opzoon Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2012-09-25
Filing date
2012-09-25
Publication date
2013-01-23
Application filed by Opzoon Technology Co Ltd
Priority to CN2012103613450A
Publication of CN102891850A
Legal status: Pending

Abstract

The invention provides a method for preventing parameter resetting in IPSec (IP Security) channel updating, wherein the method transmits messages by a master device or a standby device. The method comprises the following steps that: A, a serial number threshold is set; B, the master device transmits the messages, wherein the message contains the serial number, and when the amount of the messages transmitted by the master device reaches the threshold, the master device transmits a synchronization signal to the standby device, wherein the synchronization signal contains the serial number of the current message; C, when the master device and the standby device are switched, the serial number of the current message is determined; and D, starting from the determined serial number of the current message, the standby device transmits the messages. According to the method provided by the invention, when the master device and the standby device are switched, the standby device is used for transmitting or receiving messages, and the serial numbers of the transmitted or received messages are synchronous with that in the master device.

Description

Method for updating anti-replay parameters of an IPsec tunnel
Technical field
The present invention relates to the field of network communication technology, and in particular to a method for updating the anti-replay parameters of an IPsec tunnel.
Background technology
Internet Protocol Security (IPSec) is an open IP-layer security framework protocol. IPSec is a Layer 3 tunnelling protocol: it protects and authenticates the IP packets transmitted between the devices participating in IPSec, and can provide security protection for the transmission of sensitive data.
To ensure that an IP packet cannot be intercepted and captured by a third party or a man-in-the-middle, modified, and reinserted into the data flow, IPSec uses an anti-replay mechanism; within IPSec, anti-replay is realized by the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol. The anti-replay mechanism tracks the sequence number of every packet at the VPN endpoints. After a security association has been established between two VPN endpoints, the sequence number register is reset to zero, and the sequence numbers of the packets encrypted and transmitted by the VPN start from 1. Each time a packet is transmitted, the receiver checks whether its sequence number is identical to the sequence number of the packet sent last time. If the receiver receives a repeated sequence number, it discards the packet, sends an error message to the VPN sender endpoint, and records the event in the log.
The usual implementation of anti-replay compares the sequence number of a received message with the last sequence number received: a message whose sequence number is greater than the previous one is considered legitimate, and a message whose sequence number is less than or equal to it is considered illegitimate.
However, for master and standby devices, synchronizing the sequence number for every single message is impractical.
Summary of the invention
(1) Technical problem to be solved
The present invention solves the technical problem of keeping the master and standby devices synchronized, at the time of a master/standby switchover, after a number of messages have been transmitted or received.
(2) Technical solution
The present invention proposes a method for updating the anti-replay parameters of an IPsec tunnel, in which messages are transmitted by a master device or a standby device, characterized in that the method comprises:
A. setting a sequence number threshold;
B. the master device transmits messages, each message containing a sequence number, and when the number of messages transmitted by the master device reaches the threshold, the master device transmits a synchronization signal to the standby device, the synchronization signal containing the sequence number of the current message;
C. when the master and standby devices switch over, determining the sequence number of the current message;
D. starting from the determined sequence number of the current message, transmitting messages by the standby device.
Preferably, in step C the sequence number N of the current message is N = T × n + N_i, where T is the sequence number threshold, n is the number of times the master device transmitted the synchronization signal before switching over to the standby device, and N_i is the number of messages transmitted by the master device between the last transmission of the synchronization signal from the master device to the standby device and the switchover.
Preferably, each time after transmitting the synchronization signal to the standby device, the master device counts the messages transmitted: the initial count value is 0 and the count is incremented by 1 for each message transmitted; when the master and standby devices switch over, the master device sends the count value to the standby device, and that count value is N_i.
Preferably, N_i is:
Figure BDA00002188555500021
where t_i is the time at which the master and standby devices switch over, and t_n is the time at which the master device last transmitted the synchronization signal to the standby device before the switchover.
Preferably, the method further comprises:
the initial value of the sequence number is 0, and the sequence number is incremented by 1 for each message transmitted.
The present invention also proposes a method for updating the anti-replay parameters of an IPsec tunnel, in which messages are received by a master device or a standby device, characterized in that the method comprises:
A1. setting a sequence number threshold;
B1. the master device receives messages, each message containing a sequence number, and when the number of messages received by the master device reaches the threshold, the master device transmits a synchronization signal to the standby device, the synchronization signal containing the sequence number of the current message;
C1. when the master and standby devices switch over, determining the sequence number of the current message;
D1. starting from the determined sequence number of the current message, receiving messages by the standby device.
Preferably, in step C1 the sequence number N of the current message is N = T × n + N_i, where T is the sequence number threshold, n is the number of times the master device transmitted the synchronization signal before switching over to the standby device, and N_i is the number of messages received by the master device between the last transmission of the synchronization signal from the master device to the standby device and the switchover.
Preferably, each time after transmitting the synchronization signal to the standby device, the master device counts the messages received: the initial count value is 0 and the count is incremented by 1 for each message received; when the master and standby devices switch over, the master device sends the count value to the standby device, and that count value is N_i.
Preferably, N_i is:
Figure BDA00002188555500031
where t_i is the time at which the master and standby devices switch over, and t_n is the time at which the master device last transmitted the synchronization signal to the standby device before the switchover.
Preferably, the method further comprises:
the initial value of the sequence number is 0, and the sequence number is incremented by 1 for each message transmitted.
(3) Beneficial effect
After the master/standby switchover, the present invention uses the standby device to transmit or receive messages, and the sequence numbers of the messages transmitted or received are synchronized with those of the master device.
Description of drawings
Fig. 1 is a flow chart of a method for updating the anti-replay parameters of an IPsec tunnel proposed by the present invention;
Fig. 2 is a flow chart of a method for updating the anti-replay parameters of an IPsec tunnel proposed by the present invention.
Embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings of the embodiments.
Embodiment 1
This embodiment proposes a method for updating the anti-replay parameters of an IPsec tunnel, in which messages are transmitted by a master device or a standby device; as shown in Fig. 1, the method comprises:
A. setting a sequence number threshold;
B. the master device transmits messages, each message containing a sequence number, and when the number of messages transmitted by the master device reaches the threshold, the master device transmits a synchronization signal to the standby device, the synchronization signal containing the sequence number of the current message;
C. when the master and standby devices switch over, determining the sequence number of the current message;
D. starting from the determined sequence number of the current message, transmitting messages by the standby device.
Embodiment 2
In addition to the content of Embodiment 1, in this embodiment the sequence number N of the current message is N = T × n + N_i, where T is the sequence number threshold, n is the number of times the master device transmitted the synchronization signal before switching over to the standby device, and N_i is the number of messages transmitted by the master device between the last transmission of the synchronization signal from the master device to the standby device and the switchover.
There are two ways to obtain the value of N_i. The first is: each time after transmitting the synchronization signal to the standby device, the master device counts the messages transmitted; the initial count value is 0 and the count is incremented by 1 for each message transmitted; when the master and standby devices switch over, the master device sends the count value to the standby device, and that count value is N_i.
The second way to obtain the value of N_i is:
Figure BDA00002188555500041
where t_i is the time at which the master and standby devices switch over, and t_n is the time at which the master device last transmitted the synchronization signal to the standby device before the switchover.
This embodiment further comprises:
the initial value of the sequence number is 0, and the sequence number is incremented by 1 for each message transmitted.
Embodiment 3
This embodiment proposes a method for updating the anti-replay parameters of an IPsec tunnel, in which messages are received by a master device or a standby device, characterized in that the method comprises:
A1. setting a sequence number threshold;
B1. the master device receives messages, each message containing a sequence number, and when the number of messages received by the master device reaches the threshold, the master device transmits a synchronization signal to the standby device, the synchronization signal containing the sequence number of the current message;
C1. when the master and standby devices switch over, determining the sequence number of the current message;
D1. starting from the determined sequence number of the current message, receiving messages by the standby device.
Preferably, in step C1 the sequence number N of the current message is N = T × n + N_i, where T is the sequence number threshold, n is the number of times the master device transmitted the synchronization signal before switching over to the standby device, and N_i is the number of messages received by the master device between the last transmission of the synchronization signal from the master device to the standby device and the switchover.
Preferably, each time after transmitting the synchronization signal to the standby device, the master device counts the messages received: the initial count value is 0 and the count is incremented by 1 for each message received; when the master and standby devices switch over, the master device sends the count value to the standby device, and that count value is N_i.
Preferably, N_i is:
Figure BDA00002188555500051
where t_i is the time at which the master and standby devices switch over, and t_n is the time at which the master device last transmitted the synchronization signal to the standby device before the switchover.
Preferably, the method further comprises:
the initial value of the sequence number is 0, and the sequence number is incremented by 1 for each message transmitted.
Embodiment 4
The present invention further proposes a more specific method for updating the anti-replay parameters of an IPsec tunnel during a master/standby switchover, as follows:
After the IPsec tunnel has been negotiated, the transmit sequence number starts from 1 and is incremented by 1 for each message transmitted.
A sequence number threshold is set, for example 10,000; each time the master device has received 10,000 messages it sends a synchronization signal to the standby device.
When the master and standby devices switch over, the standby device becomes the new master device. For example, before the switchover the new master device had received 4 synchronization signals sent by the master device; the last synchronization signal was received at 10:01:01, the interval from the previous reception of a synchronization signal was 10 seconds, and the switchover takes place at 10:01:06. It can then be calculated that approximately 5,000 messages were transmitted in these 5 seconds, so the transmit sequence number of the new master device starts from 45,000.
Embodiment 5
The present invention further proposes a more specific method for updating the anti-replay parameters of an IPsec tunnel during a master/standby switchover, as follows:
After the IPsec tunnel has been negotiated, the sequence number of each received message must be greater than the sequence number of the previous message.
A sequence number threshold is set, for example 10,000. Suppose the standby device has received the synchronization signal sent by the master device 4 times. When the master and standby devices switch over, the standby device becomes the new master device and receives messages, taking the sequence number of the first message it receives as the initial receive sequence number; this initial receive sequence number must be greater than the previously synchronized sequence number of 40,000. The recorded time of the last synchronization is 10:01:01, the interval from the previous synchronization was 10 seconds, and the current time is 10:01:06, so the sequence number currently being received is calculated as 45,000; the initial sequence number is therefore 45,000, and the sequence number of every message received afterwards must be greater than the previous receive sequence number.
Note: the sequence number threshold is configured manually as required, for example to a value from 1,000 up to 100,000.
The above embodiments are only used to illustrate the present invention and do not limit it; those of ordinary skill in the relevant technical field can make various changes and modifications without departing from the spirit and scope of the present invention, so all equivalent technical solutions also fall within the scope of the present invention, and the scope of patent protection of the present invention should be defined by the claims.
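The following simulation is an added example and is not code from the patent or from Opzoon Technology; it implements the threshold synchronization of Embodiment 2 and reproduces the figures of Embodiments 4 and 5 (threshold 10,000, four synchronization signals, switchover 5 seconds after the last one). The class and method names are hypothetical. The patent's formula image for the time-based N_i is not reproduced on the page, so the estimate below assumes the master's rate over the previous synchronization interval (T messages per interval) multiplied by the time elapsed since the last synchronization, which yields the 45,000 stated in Embodiment 4.

```python
# Added example, not the patent's own code: master/standby anti-replay sequence
# number synchronization with a threshold T, plus the receive-side check after
# switchover. Names are hypothetical; the time-based N_i formula is an assumption.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Standby:
    """Standby device: records each synchronization signal from the master."""
    threshold: int                                          # T
    sync_count: int = 0                                     # n, syncs received
    sync_times: List[float] = field(default_factory=list)   # t_1 .. t_n
    synced_seq: int = 0                                     # seq carried by last sync

    def on_sync(self, seq: int, now: float) -> None:
        self.sync_count += 1
        self.sync_times.append(now)
        self.synced_seq = seq

    def estimate_since_sync(self, now: float) -> int:
        """Second method for N_i (assumed form): the rate of the previous sync
        interval, T / (t_n - t_{n-1}), times the time elapsed since t_n."""
        if len(self.sync_times) < 2:
            return 0
        t_n, t_prev = self.sync_times[-1], self.sync_times[-2]
        rate = self.threshold / (t_n - t_prev)
        return int(rate * (now - t_n))

    def takeover_seq(self, now: float, counted: Optional[int] = None) -> int:
        """N = T * n + N_i. N_i is the master's count when the master could still
        hand it over at switchover (first method), else the time-based estimate."""
        n_i = counted if counted is not None else self.estimate_since_sync(now)
        return self.threshold * self.sync_count + n_i


@dataclass
class Master:
    """Master device: numbers outgoing messages and syncs every T messages."""
    threshold: int
    standby: Standby
    seq: int = 0          # last sequence number sent (initial value 0)
    since_sync: int = 0   # first method for N_i: messages since the last sync

    def send_one(self, now: float) -> int:
        self.seq += 1
        self.since_sync += 1
        if self.since_sync == self.threshold:
            self.standby.on_sync(self.seq, now)   # sync carries the current seq
            self.since_sync = 0
        return self.seq


class ReplayChecker:
    """Receive side after switchover (Embodiment 5): the first accepted sequence
    number must exceed the synchronized value N, and each later one must exceed
    the previously accepted one; anything else is discarded as a replay."""
    def __init__(self, floor: int) -> None:
        self.last = floor

    def accept(self, seq: int) -> bool:
        if seq <= self.last:
            return False
        self.last = seq
        return True


def embodiment_4(threshold: int = 10_000) -> dict:
    """Constructed timeline: 1,000 messages/s, so one sync every 10 s; the 4th
    sync lands at t=61 s (10:01:01) and the switchover happens at t=66 s."""
    standby = Standby(threshold)
    master = Master(threshold, standby)
    for k in range(1, 45_001):
        master.send_one(21.0 + k / 1000.0)
    switch_time = 66.0
    counted = standby.takeover_seq(switch_time, counted=master.since_sync)
    estimated = standby.takeover_seq(switch_time)
    # The standby becomes the new master and continues from N (the old master
    # becomes its standby); the next message it sends carries N + 1.
    new_master = Master(threshold, Standby(threshold), seq=estimated)
    return {
        "syncs_received": standby.sync_count,
        "counted": counted,
        "estimated": estimated,
        "next_seq": new_master.send_one(switch_time),
    }


if __name__ == "__main__":
    print(embodiment_4())            # both methods give N = 45000
    chk = ReplayChecker(45_000)
    print([chk.accept(s) for s in (45_001, 45_001, 40_001, 45_002)])
```

Both ways of obtaining N_i agree on this timeline because the constructed send rate is constant; on a real link the time-based estimate can undershoot when the rate rises after the last synchronization, which is why the receive-side check in `ReplayChecker` only treats N as a floor and then requires strictly increasing sequence numbers from the first message actually received.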

Claims (10)

1. A method for updating the anti-replay parameters of an IPsec tunnel, in which messages are transmitted by a master device or a standby device, characterized in that the method comprises:
A. setting a sequence number threshold;
B. the master device transmits messages, each message containing a sequence number, and when the number of messages transmitted by the master device reaches the threshold, the master device transmits a synchronization signal to the standby device, the synchronization signal containing the sequence number of the current message;
C. when the master and standby devices switch over, determining the sequence number of the current message;
D. starting from the determined sequence number of the current message, transmitting messages by the standby device.
2. The method according to claim 1, characterized in that in step C the sequence number N of the current message is N = T × n + N_i, where T is the sequence number threshold, n is the number of times the master device transmitted the synchronization signal before switching over to the standby device, and N_i is the number of messages transmitted by the master device between the last transmission of the synchronization signal from the master device to the standby device and the switchover.
3. The method according to claim 2, characterized in that each time after transmitting the synchronization signal to the standby device, the master device counts the messages transmitted; the initial count value is 0 and the count is incremented by 1 for each message transmitted; when the master and standby devices switch over, the master device sends the count value to the standby device, and that count value is N_i.
4. The method according to claim 2, characterized in that N_i is given by the formula (image not reproduced on this page) in which t_i is the time at which the master and standby devices switch over, and t_n is the time at which the master device last transmitted the synchronization signal to the standby device before the switchover.
5. The method according to claim 1, characterized in that the method further comprises:
the initial value of the sequence number is 0, and the sequence number is incremented by 1 for each message transmitted.
6. A method for updating the anti-replay parameters of an IPsec tunnel, in which messages are received by a master device or a standby device, characterized in that the method comprises:
A1. setting a sequence number threshold;
B1. the master device receives messages, each message containing a sequence number, and when the number of messages received by the master device reaches the threshold, the master device transmits a synchronization signal to the standby device, the synchronization signal containing the sequence number of the current message;
C1. when the master and standby devices switch over, determining the sequence number of the current message;
D1. starting from the determined sequence number of the current message, receiving messages by the standby device.
7. The method according to claim 6, characterized in that in step C1 the sequence number N of the current message is N = T × n + N_i, where T is the sequence number threshold, n is the number of times the master device transmitted the synchronization signal before switching over to the standby device, and N_i is the number of messages received by the master device between the last transmission of the synchronization signal from the master device to the standby device and the switchover.
8. The method according to claim 7, characterized in that each time after transmitting the synchronization signal to the standby device, the master device counts the messages received; the initial count value is 0 and the count is incremented by 1 for each message received; when the master and standby devices switch over, the master device sends the count value to the standby device, and that count value is N_i.
9. The method according to claim 7, characterized in that N_i is:
Figure FDA00002188555400021
where t_i is the time at which the master and standby devices switch over, and t_n is the time at which the master device last transmitted the synchronization signal to the standby device before the switchover.
10. The method according to claim 6, characterized in that the method further comprises:
the initial value of the sequence number is 0, and the sequence number is incremented by 1 for each message transmitted.
CN2012103613450A 2012-09-25 2012-09-25 Method for preventing parameter resetting in IPSec (IP Security) channel updating Pending CN102891850A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2012103613450A CN102891850A (en) 2012-09-25 2012-09-25 Method for preventing parameter resetting in IPSec (IP Security) channel updating

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2012103613450A CN102891850A (en) 2012-09-25 2012-09-25 Method for preventing parameter resetting in IPSec (IP Security) channel updating

Publications (1)

Publication Number Publication Date
CN102891850A true CN102891850A (en) 2013-01-23

Family

ID=47535217

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2012103613450A Pending CN102891850A (en) 2012-09-25 2012-09-25 Method for preventing parameter resetting in IPSec (IP Security) channel updating

Country Status (1)

Country Link
CN (1) CN102891850A (en)

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6966003B1 (en) * 2001-01-12 2005-11-15 3Com Corporation System and method for switching security associations
CN1491000A (en) * 2002-10-15 2004-04-21 华为技术有限公司 Method for realizing RTP stream continuity after switching host facility with stand-by one
CN1533100A (en) * 2003-03-18 2004-09-29 中兴通讯股份有限公司 Method for protecting coupling based on flow control transfer protocol
WO2007047417A2 (en) * 2005-10-12 2007-04-26 Cisco Technology, Inc. Strong anti-replay protection for ip traffic
CN101114942A (en) * 2006-05-08 2008-01-30 奥科有限公司 Switching between secured media devices
CN101577725A (en) * 2009-06-26 2009-11-11 杭州华三通信技术有限公司 Message synchronization method of anti-replay mechanism, device and system thereof
CN101917294A (en) * 2010-08-24 2010-12-15 杭州华三通信技术有限公司 Method and equipment for updating anti-replay parameter during master and slave switching

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
吴晓辉: "IPsecVPN双机热备系统设计与实现", 《中国优秀硕士学位论文全文数据库 信息科技辑》 *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103973674A (en) * 2014-04-09 2014-08-06 汉柏科技有限公司 Method and device for synchronizing host and backup information
CN104601459A (en) * 2015-02-10 2015-05-06 杭州华三通信技术有限公司 Method and device for processing messages in group-domain virtual private network
CN104601459B (en) * 2015-02-10 2019-02-22 新华三技术有限公司 Message processing method and device in a kind of group of domain Virtual Private Network
CN105991352A (en) * 2015-07-22 2016-10-05 杭州迪普科技有限公司 Security alliance backup method and security alliance backup apparatus
WO2017063537A1 (en) * 2015-10-17 2017-04-20 Huawei Technologies Co., Ltd. Device, system and method for supporting high availability services in dtls using secure sequence number negotiation
CN107733807A (en) * 2017-09-20 2018-02-23 新华三信息安全技术有限公司 A kind of message anti-replay method and device
CN107733807B (en) * 2017-09-20 2020-04-03 新华三信息安全技术有限公司 Message anti-replay method and device
CN109450810A (en) * 2018-12-30 2019-03-08 国网北京市电力公司 Identify the method and device of redundancy message

Similar Documents

Publication Publication Date Title
US10819462B2 (en) System and method for protecting communication in time-sensitive networks using shared secret information
CN104717201B (en) Network device and network system
CN102891850A (en) Method for preventing parameter resetting in IPSec (IP Security) channel updating
CN104092697A (en) Anti-replaying method and device based on time
US20130170507A1 (en) Time synchronization for network testing equipment
CN102282776B (en) Communication means and system
CN103475655A (en) Method for achieving IPSecVPN main link and backup link dynamic switching
US20140317406A1 (en) Communication between network nodes that are not directly connected
US20160006844A1 (en) Method of preventing digital data packet reuse in network data transmission system
CN104811427B (en) A kind of safe industrial control system communication means
CN102857521A (en) Method and device for setting operation, administration and maintenance (OAM) security authentication
US20130136145A1 (en) Time message processing method, apparatus and system
CN105187209A (en) Ethernet communication security protection method
CN101841413A (en) Creation method of end-to-end secure link and system
CN104168640A (en) Reception end PDCP layer HFN out-off-step recovering method and device
WO2007099045A1 (en) A method, communication system, central and peripheral communication unit for secure packet oriented transfer of information
CN102255790A (en) Method and system for informing congestion control information
CN102348203A (en) Method for realizing encryption synchronization
CN102801733A (en) Method for setting security authentication in precision time protocol (PTP)
JP7427689B2 (en) Calculation puzzle to counter DoS attacks
US20130329733A1 (en) Method, apparatus and system for processing a tunnel packet
CN104135358B (en) A method for executing an SNTP clock calibration on a power distribution terminal based on an asymmetric digital signature
CN103297348A (en) Method for preventing ESP/AH (encapsulating security payload/ authentication header) packet fragmentation
WO2011023010A1 (en) Method, device and system for data security transmission and reception in a pseudo-wire network
CN101841547A (en) Creation method of end-to-end shared key and system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20130123