CN103297348A - Method for preventing ESP/AH (encapsulating security payload/ authentication header) packet fragmentation - Google Patents


Info

Publication number
CN103297348A
Authority
CN
China
Prior art keywords
node
message
mtu
esp
path testing
Prior art date
Legal status
Pending
Application number
CN201310172604XA
Other languages
Chinese (zh)
Inventor
陈海滨
Current Assignee
Opzoon Technology Co Ltd
Original Assignee
Opzoon Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Opzoon Technology Co Ltd
Priority to CN201310172604XA
Publication of CN103297348A
Legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for preventing ESP/AH (encapsulating security payload / authentication header) packet fragmentation. The method comprises the following steps: an IPsec (internet protocol security) tunnel is established through negotiation between a node A and a node B; node A sends a path test request packet to node B, the byte count of the request packet being equal to the MTU (maximum transmission unit) of node A; after node B receives the request packet, it determines whether the request packet was fragmented; if it was, the MTU of node B is set to the byte count of the largest of the fragments, otherwise the MTU of node B is set to the byte count of the request packet; node B sends a path test response packet to node A, the byte count of the response packet being equal to the byte count of the request packet; after node A receives the response packet, it determines whether the response packet was fragmented; and if it was, the MTU of node A is set to the byte count of the largest of the fragments. With this technical scheme, ESP/AH packets are effectively prevented from being fragmented by intermediate devices during transmission, so packet reassembly failures and inefficient packet forwarding are avoided.

Description

Method for preventing ESP/AH packet fragmentation
Technical field
The present invention relates to the technical field of packet transmission, and in particular to a method for preventing fragmentation of ESP/AH packets.
Background art
In a virtual private network (VPN), an IPsec tunnel encrypts a packet to produce an ESP or AH packet, and the ESP/AH packet is then forwarded to the receiving end through intermediate devices. Intermediate devices supplied by some manufacturers fragment a packet when they find that the byte count of the packet being transmitted is too large. If an encrypted ESP/AH packet is fragmented by an intermediate device, the receiving end receives several fragments that it cannot decrypt normally, and reassembly of the packet at the receiving end therefore fails. At the same time, packet fragmentation also reduces packet forwarding efficiency.
Summary of the invention
(1) Technical problem to be solved
The object of the present invention is to provide a method for preventing ESP/AH packet fragmentation, so as to solve the problem in the prior art that an encrypted ESP/AH packet is fragmented by intermediate devices during transmission, which causes packet reassembly failure at the receiving end and low packet forwarding efficiency.
(2) Technical solution
To solve the above technical problem, the present invention proposes a method for preventing ESP/AH packet fragmentation, the method comprising the following steps:
S1: node A and node B in the VPN negotiate and establish an IPsec tunnel, and node A sends a path test request packet to node B, the byte count of the path test request packet being equal to the MTU of node A itself;
S2: after node B receives the path test request packet, node B judges whether the path test request packet has been fragmented; if so, the MTU of node B itself is set to the largest byte count among the fragments obtained from the fragmentation; if not, the MTU of node B itself is set to the byte count of the path test request packet;
S3: node B sends a path test response packet to node A, the byte count of the path test response packet being equal to the byte count of the path test request packet;
S4: after node A receives the path test response packet, node A judges whether the path test response packet has been fragmented; if so, the MTU of node A itself is set to the largest byte count among the fragments obtained from the fragmentation.
Optionally, the method further comprises the steps:
S5: node A fragments the packet to be sent according to its own MTU and encrypts the fragmented packets, so that the byte count of each ESP/AH packet obtained after encryption is not greater than the MTU of node A itself;
S6: node A sends the ESP/AH packets to node B through the IPsec tunnel.
Optionally, node A and node B are network firewall nodes.
Optionally, in step S1 node A uses the ping command to send the path test request packet to node B, and in step S3 node B uses the ping command to send the path test response packet to node A.
(3) Beneficial effects
Compared with the prior art, the technical solution proposed by the present invention pings a packet with a larger byte count while the tunnel is being negotiated, obtains the maximum fragment size on the path, and thereby determines the maximum transmission unit (MTU) with which packets can propagate along the path. This method effectively prevents ESP/AH packets from being fragmented by intermediate devices during transmission, and so avoids the packet reassembly failures and low packet forwarding efficiency caused by fragmentation.
Description of the drawings
Fig. 1 is a flow chart of the method for preventing ESP/AH packet fragmentation proposed by the present invention.
Fig. 2 is a schematic diagram of ESP/AH packet transmission in one embodiment of the present invention.
Embodiments
The specific embodiments of the present invention are described in further detail below with reference to the drawings and examples.
As shown in Fig. 1, the method for preventing ESP/AH packet fragmentation proposed by the present invention comprises the following steps:
S1: node A and node B in the VPN negotiate and establish an IPsec tunnel, and node A sends a path test request packet to node B, the byte count of the path test request packet being equal to the MTU of node A itself;
S2: after node B receives the path test request packet, node B judges whether the path test request packet has been fragmented; if so, the MTU of node B itself is set to the largest byte count among the fragments obtained from the fragmentation; if not, the MTU of node B itself is set to the byte count of the path test request packet;
S3: node B sends a path test response packet to node A, the byte count of the path test response packet being equal to the byte count of the path test request packet;
S4: after node A receives the path test response packet, node A judges whether the path test response packet has been fragmented; if so, the MTU of node A itself is set to the largest byte count among the fragments obtained from the fragmentation.
Preferably, the method further comprises the steps:
S5: node A fragments the packet to be sent according to its own MTU and encrypts the fragmented packets, so that the byte count of each ESP/AH packet obtained after encryption is not greater than the MTU of node A itself;
S6: node A sends the ESP/AH packets to node B through the IPsec tunnel.
The implementation of the method is illustrated below by means of one embodiment.
As shown in Fig. 2, there are four network firewall nodes in the VPN, denoted FW1, FW2, FW3 and FW4 respectively.
First, FW1 and FW4 negotiate and establish an IPsec tunnel, and at the same time FW1 pings FW4 with an oversized packet. This oversized packet is the path test request packet, and its byte count equals the maximum transmission unit (MTU) of FW1 itself. For example, if the MTU of FW1 is 2000 bytes, the size of the ping packet is 2000 bytes.
The request packet is forwarded through FW2 and FW3 and arrives at FW4. On receiving the request packet, FW4 finds that it has received two fragments (FW2 and FW3 fragment packets using a maximum MTU of 1500 bytes), one of 1500 bytes and one of 500 bytes.
FW4 therefore records the MTU of its own end as 1500 bytes, and pings FW1 with a path test response packet of 2000 bytes.
FW1 likewise receives two fragments, of 1500 bytes and 500 bytes, so FW1 also records the maximum MTU of the IPsec path as 1500 bytes.
When the IPsec tunnel between FW1 and FW4 encrypts a packet, the size of the tunnel IP header and of the ESP header or AH header is calculated in advance, the packet is fragmented beforehand, and the fragments are then encrypted, so that the total size of each ESP/AH packet after encryption is not greater than 1500 bytes. In this way the packets are not fragmented when they pass through FW2 and FW3.
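The following simulation is an added example and not code from the patent; it walks through steps S1 to S6 on the FW1, FW2, FW3, FW4 topology of the embodiment above, including the pre-fragmentation of step S5 that the last paragraph describes. Everything in it is constructed: the hop MTUs (1500 bytes at FW2 and FW3), the decision to ignore IP fragment header overhead so that a 2000-byte probe splits into exactly 1500 + 500 bytes as the text says, and the ESP overhead figures (20-byte outer IP header, 8-byte ESP header, 16-byte IV, 16-byte ICV, 16-byte cipher block), which are typical AES-CBC tunnel-mode values and not taken from the patent. AH is not modelled.

```python
"""Simulation of the path-test and pre-fragmentation procedure (steps S1-S6).

Added example, not code from the patent. Constructed assumptions:
- topology FW1 -> FW2 -> FW3 -> FW4 with 1500-byte hops at FW2 and FW3;
- IP fragment header overhead is ignored, so a 2000-byte probe splits into
  1500 + 500 bytes exactly as the embodiment describes;
- ESP overhead uses AES-CBC-like parameters (16-byte IV, 16-byte ICV,
  16-byte cipher block); AH is not modelled.
"""
from dataclasses import dataclass


def fragment(size: int, mtu: int) -> list[int]:
    """Split a packet of `size` bytes into pieces no larger than `mtu`."""
    pieces = []
    while size > 0:
        piece = min(size, mtu)
        pieces.append(piece)
        size -= piece
    return pieces


def forward(packets: list[int], link_mtus: list[int]) -> list[int]:
    """Carry packets hop by hop; every hop fragments anything above its MTU."""
    for mtu in link_mtus:
        packets = [piece for p in packets for piece in fragment(p, mtu)]
    return packets


@dataclass
class Node:
    name: str
    mtu: int

    def learn_from_probe(self, probe_size: int, received: list[int]) -> int:
        """Steps S2/S4: if the probe arrived as several fragments, the path can
        carry at most the largest fragment; otherwise the whole probe fit."""
        self.mtu = max(received) if len(received) > 1 else probe_size
        return self.mtu


def path_test(a: Node, b: Node, link_mtus: list[int]) -> tuple[int, int]:
    """Steps S1-S4: A probes B with a packet equal to A's own MTU, B records
    what it received and answers with the same size, then A records what it
    received. Returns the MTU each node ends up with."""
    probe = a.mtu                                                  # S1
    b.learn_from_probe(probe, forward([probe], link_mtus))         # S2
    a.learn_from_probe(probe, forward([probe], link_mtus[::-1]))   # S3/S4
    return a.mtu, b.mtu


# ESP sizing for step S5; these overhead values are assumptions (see docstring).
IP_HDR, ESP_HDR, IV_LEN, ICV_LEN, BLOCK = 20, 8, 16, 16, 16


def esp_size(plaintext_len: int) -> int:
    """Outer IP header + ESP header + IV + padded payload + ICV. The payload is
    the inner packet plus the pad-length and next-header bytes, padded to BLOCK."""
    padded = -(-(plaintext_len + 2) // BLOCK) * BLOCK
    return IP_HDR + ESP_HDR + IV_LEN + padded + ICV_LEN


def max_plaintext(path_mtu: int) -> int:
    """Largest inner packet whose ESP encapsulation still fits in path_mtu."""
    n = path_mtu
    while n > 0 and esp_size(n) > path_mtu:
        n -= 1
    return n


def pre_fragment_and_encrypt(packet_len: int, path_mtu: int) -> list[int]:
    """Steps S5/S6: fragment before encrypting so that no ESP packet exceeds
    the learned path MTU. Returns the sizes of the ESP packets put on the wire."""
    chunk = max_plaintext(path_mtu)
    return [esp_size(p) for p in fragment(packet_len, chunk)]


if __name__ == "__main__":
    fw1, fw4 = Node("FW1", 2000), Node("FW4", 2000)
    hops = [1500, 1500]                      # the FW2 and FW3 forwarding hops
    print(path_test(fw1, fw4, hops))         # -> (1500, 1500)
    wire = pre_fragment_and_encrypt(2000, fw1.mtu)
    print(wire)                              # -> [1500, 636]
    print(forward(wire, hops))               # -> [1500, 636], no further fragmentation
```

The path test learns 1500 bytes at both ends; the 2000-byte packet is then split into a 1438-byte and a 562-byte inner fragment before encryption, which encapsulate to 1500 and 636 bytes, so the intermediate hops have nothing to fragment. Note that the method only observes fragmentation at the endpoints, so a hop that drops oversized packets rather than fragmenting them would leave the probe unanswered and the MTU unchanged.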
The above are only preferred embodiments of the present invention. It should be pointed out that a person of ordinary skill in the art can also make improvements and substitutions without departing from the technical principles of the present invention, and such improvements and substitutions should also be regarded as falling within the scope of protection of the present invention.

Claims (4)

1. A method for preventing ESP/AH packet fragmentation, characterized in that the method comprises the following steps:
S1: node A and node B in the VPN negotiate and establish an IPsec tunnel, and node A sends a path test request packet to node B, the byte count of the path test request packet being equal to the MTU of node A itself;
S2: after node B receives the path test request packet, node B judges whether the path test request packet has been fragmented; if so, the MTU of node B itself is set to the largest byte count among the fragments obtained from the fragmentation; if not, the MTU of node B itself is set to the byte count of the path test request packet;
S3: node B sends a path test response packet to node A, the byte count of the path test response packet being equal to the byte count of the path test request packet;
S4: after node A receives the path test response packet, node A judges whether the path test response packet has been fragmented; if so, the MTU of node A itself is set to the largest byte count among the fragments obtained from the fragmentation.
2. The method for preventing ESP/AH packet fragmentation according to claim 1, characterized in that the method further comprises the steps:
S5: node A fragments the packet to be sent according to its own MTU and encrypts the fragmented packets, so that the byte count of each ESP/AH packet obtained after encryption is not greater than the MTU of node A itself;
S6: node A sends the ESP/AH packets to node B through the IPsec tunnel.
3. The method for preventing ESP/AH packet fragmentation according to claim 1, characterized in that node A and node B are network firewall nodes.
4. The method for preventing ESP/AH packet fragmentation according to claim 1, characterized in that in step S1 node A uses the ping command to send the path test request packet to node B, and in step S3 node B uses the ping command to send the path test response packet to node A.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310172604XA CN103297348A (en) 2013-05-10 2013-05-10 Method for preventing ESP/AH (encapsulating security payload/ authentication header) packet fragmentation


Publications (1)

Publication Number Publication Date
CN103297348A true CN103297348A (en) 2013-09-11

Family

ID=49097688

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310172604XA Pending CN103297348A (en) 2013-05-10 2013-05-10 Method for preventing ESP/AH (encapsulating security payload/ authentication header) packet fragmentation

Country Status (1)

Country Link
CN (1) CN103297348A (en)


Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1545253A (en) * 2003-11-13 2004-11-10 中兴通讯股份有限公司 Method for dynamically discovering IPsec tunnel PMTU
CN1716944A (en) * 2004-06-28 2006-01-04 杭州华为三康技术有限公司 Method for discovering maximum transmission length of network path
CN101663864A (en) * 2007-03-22 2010-03-03 艾利森电话股份有限公司 Method for configuring the link maximum transmission unit (MTU) in a user equipment (UE).


Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103797836A (en) * 2013-09-18 2014-05-14 华为技术有限公司 Scheduling method and base station
WO2015039316A1 (en) * 2013-09-18 2015-03-26 华为技术有限公司 Scheduling method and base station
CN105530193A (en) * 2014-09-30 2016-04-27 华为技术有限公司 Method for determining maximum transmission unit of tunnel, network device and system
CN105530193B (en) * 2014-09-30 2019-06-07 华为技术有限公司 Determine method, the network equipment and the system of tunnel maximum transmission unit
CN110086823A (en) * 2019-05-07 2019-08-02 山东渔翁信息技术股份有限公司 A kind of data communications method, device, equipment and medium
WO2021208088A1 (en) * 2020-04-17 2021-10-21 Telefonaktiebolaget Lm Ericsson (Publ) Method and apparatus for security communication

Similar Documents

Publication Publication Date Title
US9369550B2 (en) Protocol for layer two multiple network links tunnelling
US10044841B2 (en) Methods and systems for creating protocol header for embedded layer two packets
WO2016058245A1 (en) Processing method and apparatus for operation, administration and maintenance (oam) message
US20110243063A1 (en) Method for Configuring the Link Maximum Transmission Unit (MTU) in a User Equipment (UE)
WO2021037216A1 (en) Message transmission method and device, and computer storage medium
CN102420770B (en) Method and equipment for negotiating internet key exchange (IKE) message
EP3116160B1 (en) Oam packet processing method, network device and network system
CN101783789A (en) Method, device and system for transmitting and processing network packet
WO2013060298A1 (en) Method, device, and system for network testing under ipsec protocol
CN102739494B (en) SSL vpn gateway and the method automatically controlling SSL VPN passage thereof
CN103297348A (en) Method for preventing ESP/AH (encapsulating security payload/ authentication header) packet fragmentation
JP2015526954A (en) Data transmission method, network element device, and communication system
EP3413533A1 (en) Data transmission method and server
CN106161386B (en) Method and device for realizing IPsec (Internet protocol Security) shunt
CN110024432B (en) X2 service transmission method and network equipment
EP2600569B1 (en) Method, apparatus and system for processing a tunnel packet
CN109600277B (en) IPSec tunnel keep-alive method and device based on NAT equipment
CN102868522B (en) A kind of processing method of ike negotiation exception
CN106685896A (en) Plaintext data acquisition method and system within SSH protocol multi-layer channel
CN111866865B (en) Data transmission method, 5G private network establishment method and system
WO2021208088A1 (en) Method and apparatus for security communication
CN104333554A (en) Security association negotiation method and device for internet protocol security
CN104125151A (en) IPSec (Internet protocol security) packet forwarding method and system
CN116471345B (en) Data communication method, device, equipment and medium
JP2010011344A (en) Packet processor

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20130911