CN103312713B - Security association negotiation method, device and the network equipment - Google Patents

Security association negotiation method, device and network device

Info

Publication number: CN103312713B
Application number: CN201310233561.1A
Other versions: CN103312713A
Authority: CN (China)
Original language: Chinese (zh)
Legal status: Active
Inventor: 朱天明
Assignee: Beijing Star Net Ruijie Networks Co Ltd
Abstract

The present invention provides a security association (SA) negotiation method, device and network device. The method includes: when the actual soft timeout of a first IPSec SA arrives, negotiating a second IPSec SA with the peer, and, when the negotiated hard timeout of the second IPSec SA is later than the timeout of the IKE SA, setting the actual soft timeout of the second IPSec SA between the timeout of the IKE SA and the sum of the IKE SA timeout and a first threshold, and setting the actual hard timeout of the second IPSec SA to the sum of its actual soft timeout and a second threshold; when the actual hard timeout of the first IPSec SA arrives, deleting the first IPSec SA. The technical solution of the present invention solves the tunnel black hole problem that exists in the prior art.

Description

Security association negotiation method, device and network device
Technical field
The present invention relates to communication technology, and in particular to a security association negotiation method, device and network device.
Background art
Internet Key Exchange (IKE) is a key management protocol standard that is used together with Internet Protocol Security (IPSec). IPSec provides security services at the Internet Protocol (IP) layer, allowing a system to select security protocols on demand, determine the algorithms the services use, and place the keys the services require in the appropriate positions. A Security Association (SA) is the logical connection that provides security services for a specific data stream. At present, SAs mainly include IPSec SAs and IKE SAs, which are usually established by negotiation with the peer. Both IPSec SAs and IKE SAs have a lifetime, and the lifetime of an IKE SA is usually much longer than that of an IPSec SA.
Dead Peer Detection (DPD) is a method for detecting whether an IPSec peer exists and can communicate. In existing schemes using DPD, DPD starts after the IKE SA has been negotiated and periodically sends DPD probe messages to detect whether the peer exists; that is, DPD is associated with the IKE SA and only takes effect while the IKE SA exists. Because an IKE SA is not automatically rebuilt after its lifetime ends, the DPD mechanism associated with it fails once the IKE SA lifetime ends. If the lifetime of the IPSec SA has not yet ended at that moment, the state of the peer tunnel cannot be detected by DPD for the remaining lifetime of the IPSec SA; if the peer tunnel no longer exists and the local end cannot perceive this, a tunnel black hole may result.
Summary of the invention
The present invention provides a security association negotiation method, device and network device in order to solve the tunnel black hole problem that exists in the prior art.
A first aspect provides a security association negotiation method, including:
when the actual soft timeout of a first IPSec SA arrives, negotiating a second IPSec SA with the peer, and, when the negotiated hard timeout of the second IPSec SA is later than the timeout of the IKE SA, setting the actual soft timeout of the second IPSec SA between the timeout of the IKE SA and the sum of the IKE SA timeout and a first threshold, and setting the actual hard timeout of the second IPSec SA to the sum of its actual soft timeout and a second threshold; wherein, if the negotiated hard timeout of the first IPSec SA is later than the timeout of the IKE SA, the actual soft timeout of the first IPSec SA lies between the timeout of the IKE SA and the sum of the IKE SA timeout and the first threshold, and the actual hard timeout of the first IPSec SA is the sum of its actual soft timeout and the second threshold;
when the actual hard timeout of the first IPSec SA arrives, deleting the first IPSec SA.
A second aspect provides a security association negotiation device, including:
an establishing module, configured to negotiate a second IPSec SA with the peer when the actual soft timeout of a first IPSec SA arrives;
a setting module, configured to, when the negotiated hard timeout of the second IPSec SA is later than the timeout of the IKE SA, set the actual soft timeout of the second IPSec SA between the timeout of the IKE SA and the sum of the IKE SA timeout and a first threshold, and set the actual hard timeout of the second IPSec SA to the sum of its actual soft timeout and a second threshold; wherein, if the negotiated hard timeout of the first IPSec SA is later than the timeout of the IKE SA, the actual soft timeout of the first IPSec SA lies between the timeout of the IKE SA and the sum of the IKE SA timeout and the first threshold, and the actual hard timeout of the first IPSec SA is the sum of its actual soft timeout and the second threshold;
a deleting module, configured to delete the first IPSec SA when the actual hard timeout of the first IPSec SA arrives.
A third aspect provides a network device, including any security association negotiation device provided by the second aspect of the present invention.
In the security association negotiation method, device and network device provided by the present invention, a soft timeout and a hard timeout are set for each IPSec SA. For the first IPSec SA, when its negotiated hard timeout is later than the timeout of the IKE SA, its actual soft timeout lies between the IKE SA timeout and the sum of the IKE SA timeout and the first threshold, and its actual hard timeout is the sum of its actual soft timeout and the second threshold. Thus, before the actual hard timeout of the first IPSec SA arrives, the local end negotiates a second IPSec SA with the peer once the actual soft timeout arrives, and because establishing the second IPSec SA triggers the establishment of an IKE SA, an IKE SA exists throughout the whole lifetime of the first IPSec SA. The second IPSec SA, which the local end negotiates with the peer when the actual soft timeout of the first IPSec SA arrives, is treated in the same way: when its negotiated hard timeout is later than the timeout of the IKE SA, its actual soft timeout is set between the IKE SA timeout and the sum of the IKE SA timeout and the first threshold, and its actual hard timeout is set to the sum of its actual soft timeout and the second threshold, which likewise guarantees that an IKE SA exists throughout the whole lifetime of the second IPSec SA. In other words, the technical solution of the present invention guarantees that the DPD mechanism is available throughout the whole lifetime of every IPSec SA, so that the state of the peer tunnel can be detected during that whole lifetime, solving the tunnel black hole problem that exists in the prior art.
Brief description of the drawings
Fig. 1 is a flow chart of an SA negotiation method provided by an embodiment of the present invention;
Fig. 2 is a schematic diagram of the DPD blank period that exists in the prior art;
Fig. 3 is a schematic diagram of the effect of the embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a security association negotiation device provided by an embodiment of the present invention.
Detailed description of the embodiments
Fig. 1 is a flow chart of an SA negotiation method provided by an embodiment of the present invention. As shown in Fig. 1, the method includes:
101. When the actual soft timeout of a first IPSec SA arrives, negotiate a second IPSec SA with the peer, and, when the negotiated hard timeout of the second IPSec SA is later than the timeout of the IKE SA, set the actual soft timeout of the second IPSec SA between the timeout of the IKE SA and the sum of the IKE SA timeout and a first threshold, and set the actual hard timeout of the second IPSec SA to the sum of its actual soft timeout and a second threshold. Here, if the negotiated hard timeout of the first IPSec SA is later than the timeout of the IKE SA, the actual soft timeout of the first IPSec SA lies between the IKE SA timeout and the sum of the IKE SA timeout and the first threshold, and the actual hard timeout of the first IPSec SA is the sum of its actual soft timeout and the second threshold.
102. When the actual hard timeout of the first IPSec SA arrives, delete the first IPSec SA.
In the present embodiment, two lifetimes are set for each IPSec SA: a soft lifetime and a hard lifetime. The hard lifetime is the real lifetime of the IPSec SA; only after the hard lifetime ends is the IPSec SA deleted. After the soft lifetime ends, the IPSec SA is not deleted and continues to exist, but the local end and the peer may negotiate a new IPSec SA. Every IPSec SA, once established, has a corresponding soft lifetime and hard lifetime, which the local end negotiates with the peer while the IPSec SA is being established. Consequently, after the new IPSec SA (the second IPSec SA in the present embodiment) is established and before the hard lifetime of the old IPSec SA (the first IPSec SA in the present embodiment) ends, two IPSec SAs exist at the same time.
The time point at which the soft lifetime ends is called the soft timeout, and the time point at which the hard lifetime ends is called the hard timeout. Accordingly, the end of the soft lifetime determined by negotiation while an IPSec SA is being established is called the negotiated soft timeout, and the end of the negotiated hard lifetime is called the negotiated hard timeout. In the present embodiment, depending on the actual situation and on the negotiated hard timeout of the IPSec SA, a soft timeout and a hard timeout are actually set for the IPSec SA; these are called the actual soft timeout and the actual hard timeout. The actual soft timeout of the first IPSec SA is the time point at which the actual soft lifetime of the first IPSec SA ends, and its actual hard timeout is the time point at which its actual hard lifetime ends; likewise, the actual soft timeout and actual hard timeout of the second IPSec SA are the time points at which the actual soft lifetime and actual hard lifetime of the second IPSec SA end.
In the present embodiment, an IKE SA has only one lifetime, and the timeout of the IKE SA is the time point at which that lifetime ends.
For example, assume that the timeout of the IKE SA is t1, that the first threshold is set to 1 s and that the second threshold is set to 30 s. The actual soft timeout t2 of the second IPSec SA can then be set so that t1 ≤ t2 ≤ (t1 + 1), and the actual hard timeout of the second IPSec SA is set to (t2 + 30).
Before step 101, the local end negotiates the first IPSec SA with the peer. For the first IPSec SA, if its negotiated hard timeout is later than the timeout of the IKE SA, its actual soft timeout is likewise set between the IKE SA timeout and the sum of the IKE SA timeout and the first threshold, and its actual hard timeout is set to the sum of its actual soft timeout and the second threshold. For example, assume that the timeout of the IKE SA is t1, that the first threshold is 1 s and that the second threshold is 30 s; the actual soft timeout t3 of the first IPSec SA can be set so that t1 ≤ t3 ≤ (t1 + 1), and the actual hard timeout of the first IPSec SA is set to (t3 + 30). In this way, when the actual hard timeout of the first IPSec SA falls after the timeout of the IKE SA, it is guaranteed that, before the actual hard timeout of the first IPSec SA arrives, its actual soft timeout triggers the local end and the peer to establish the second IPSec SA, and the second IPSec SA in turn triggers the establishment of an IKE SA, so that an IKE SA exists throughout the whole lifetime of the first IPSec SA. That is, the DPD mechanism is effective throughout the whole lifetime of the first IPSec SA, which avoids the appearance of a tunnel black hole.
Further, if the negotiated hard timeout of the first IPSec SA is earlier than the timeout of the IKE SA, the actual soft timeout of the first IPSec SA may be set to the negotiated value, while the actual hard timeout of the first IPSec SA is still set to the sum of its actual soft timeout and the second threshold. The negotiated value here refers to the soft timeout that the two ends agreed upon while establishing the first IPSec SA.
Similarly, when the second IPSec SA is being negotiated with the peer because the actual soft timeout of the first IPSec SA has arrived, if the negotiated hard timeout of the second IPSec SA is earlier than the timeout of the IKE SA, the actual soft timeout of the second IPSec SA is set to the negotiated value, and the actual hard timeout of the second IPSec SA is set to the sum of its actual soft timeout and the second threshold. The negotiated value here refers to the soft timeout that the two ends agreed upon while establishing the second IPSec SA.
Negotiating the second IPSec SA with the peer when the actual soft timeout of the first IPSec SA arrives includes: determining whether an IKE SA with the peer exists; if the determination result is that it exists, negotiating the second IPSec SA with the peer directly; if the determination result is that it does not exist, first negotiating the IKE SA with the peer and then negotiating the second IPSec SA with the peer. Specifically, the information in the IKE SA is used to establish the negotiation channel for the IPSec SA and protects the IPSec SA. Therefore, if no IKE SA exists between the local end and the peer when the second IPSec SA is to be established, the IKE SA is established with the peer first, the information in the IKE SA is then used to establish the negotiation channel for the IPSec SA, and the establishment of the second IPSec SA is completed afterwards. The first IPSec SA and the second IPSec SA are ultimately used to establish the encrypted tunnel that protects user data.
It is noted here that the detailed process by which the local end and the peer negotiate the first IPSec SA or the second IPSec SA can be found in the description of RFC 2409 Section 5 and is not repeated in the present embodiment.
Further, when the actual hard timeout of the first IPSec SA arrives, the first IPSec SA is deleted; the second IPSec SA may then be treated as the first IPSec SA so that the negotiation and establishment of IPSec SAs continues.
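As an added worked example (not code from the patent or its assignee), the following Python models the timeout rule of steps 101 and 102 and simulates the rekey sequence, measuring the DPD blank period with and without the rule. The IKE and IPSec lifetimes, the choice of the upper end of the interval between the IKE SA timeout and the IKE SA timeout plus the first threshold for the actual soft timeout, and the function and class names are this example's assumptions.

```python
"""Added worked example (not code from the patent or its assignee).

Models the timeout rule of steps 101/102: an IPSec SA keeps its negotiated
soft/hard timeouts unless its negotiated hard timeout is later than the IKE SA
timeout, in which case its actual soft timeout is placed between t_ike and
t_ike + FIRST_THRESHOLD and its actual hard timeout becomes
actual_soft + SECOND_THRESHOLD.  A small discrete-event simulation then
measures the 'DPD blank period' (an IPSec SA alive with no IKE SA) with and
without the rule.  All lifetimes are constructed sample values.
"""
from dataclasses import dataclass
from typing import List, Tuple

FIRST_THRESHOLD = 1.0    # seconds; the patent suggests 1 s <= T1 <= 5 s
SECOND_THRESHOLD = 30.0  # seconds; the patent suggests 30 s <= T2 <= 45 s


@dataclass
class IPSecSA:
    negotiated_soft: float      # absolute soft timeout agreed with the peer
    negotiated_hard: float      # absolute hard timeout agreed with the peer
    actual_soft: float = 0.0    # soft timeout the local end really uses
    actual_hard: float = 0.0    # hard timeout the local end really uses


def set_actual_timeouts(sa: IPSecSA, ike_timeout: float,
                        t1: float = FIRST_THRESHOLD,
                        t2: float = SECOND_THRESHOLD) -> IPSecSA:
    """Derive the actual timeouts from the negotiated ones.

    The rule only requires actual_soft to lie between ike_timeout and
    ike_timeout + t1; using the upper bound is this example's assumption.
    """
    if sa.negotiated_hard > ike_timeout:
        # The SA would outlive the IKE SA: rekey just after the IKE SA expires
        # so that the rekey rebuilds the IKE SA (and with it DPD).
        sa.actual_soft = ike_timeout + t1
    else:
        sa.actual_soft = sa.negotiated_soft
    sa.actual_hard = sa.actual_soft + t2
    return sa


def simulate(ike_lifetime: float, ipsec_soft_lifetime: float,
             ipsec_hard_lifetime: float, horizon: float,
             use_patent_rule: bool = True) -> Tuple[float, List[str]]:
    """Rekey from t=0 until `horizon`; return (longest DPD blank period, log).

    A blank period is the time between the IKE SA expiring and the next IPSec
    rekey rebuilding it; during it the IPSec SA is alive but DPD is inactive.
    """
    log: List[str] = []
    now = 0.0
    ike_timeout = ike_lifetime   # IKE SA built together with the first IPSec SA
    longest_gap = 0.0
    log.append(f"t={now:.0f}: IKE SA established, expires at {ike_timeout:.0f}")

    def negotiate(t: float) -> IPSecSA:
        sa = IPSecSA(t + ipsec_soft_lifetime, t + ipsec_hard_lifetime)
        if use_patent_rule:
            return set_actual_timeouts(sa, ike_timeout)
        # Prior art: the SA simply uses the negotiated timeouts.
        sa.actual_soft, sa.actual_hard = sa.negotiated_soft, sa.negotiated_hard
        return sa

    current = negotiate(now)
    log.append(f"t={now:.0f}: 1st IPSec SA soft={current.actual_soft:.0f} "
               f"hard={current.actual_hard:.0f}")
    while current.actual_soft <= horizon:
        now = current.actual_soft
        # Step 101: the soft timeout arrives, negotiate the second IPSec SA.
        if now >= ike_timeout:
            # No IKE SA exists: rebuild it first.  The time since it expired
            # is exactly the DPD blank period the patent tries to shrink.
            longest_gap = max(longest_gap, now - ike_timeout)
            log.append(f"t={now:.0f}: IKE SA was absent for "
                       f"{now - ike_timeout:.0f}s, rebuilt")
            ike_timeout = now + ike_lifetime
        second = negotiate(now)
        log.append(f"t={now:.0f}: 2nd IPSec SA soft={second.actual_soft:.0f} "
                   f"hard={second.actual_hard:.0f}")
        # Step 102: at current.actual_hard the first SA is deleted and the
        # second SA becomes the new first SA.
        current = second
    return longest_gap, log


if __name__ == "__main__":
    # Constructed sample: IKE SA lifetime 1 day, IPSec SA soft/hard 50/60 min.
    for rule in (False, True):
        gap, events = simulate(86400.0, 3000.0, 3600.0, 100000.0, rule)
        print(f"{'patent rule' if rule else 'prior art '}: "
              f"longest DPD blank period = {gap:.0f}s")
        for line in events[-4:]:
            print("  " + line)
```

With the sample lifetimes the prior-art schedule leaves the IPSec SA without an IKE SA for 600 s, while the rule caps the gap at the first threshold (1 s).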
In the method provided by the present embodiment, a soft timeout and a hard timeout are set for each IPSec SA. For the first IPSec SA, when its negotiated hard timeout is later than the timeout of the IKE SA, its actual soft timeout lies between the IKE SA timeout and the sum of the IKE SA timeout and the first threshold, and its actual hard timeout is the sum of its actual soft timeout and the second threshold. Thus, before the actual hard timeout of the first IPSec SA arrives, the local end negotiates the second IPSec SA with the peer once the soft timeout arrives, and because establishing the second IPSec SA triggers the establishment of an IKE SA, an IKE SA exists throughout the whole lifetime of the first IPSec SA. The second IPSec SA, negotiated with the peer when the actual soft timeout of the first IPSec SA arrives, is treated in the same way: when its negotiated hard timeout is later than the timeout of the IKE SA, its actual soft timeout is set between the IKE SA timeout and the sum of the IKE SA timeout and the first threshold, and its actual hard timeout is set to the sum of its actual soft timeout and the second threshold, which likewise guarantees that an IKE SA exists throughout the whole lifetime of the second IPSec SA. In other words, the technical solution of the present invention guarantees that the DPD mechanism is available throughout the whole lifetime of every IPSec SA, so that the state of the peer tunnel can be detected during that whole lifetime, solving the tunnel black hole problem that exists in the prior art.
Considering that in the prior art the DPD mechanism associated with an IKE SA fails once the IKE SA lifetime ends, if the lifetime of the IPSec SA has not yet ended at that moment, the state of the peer tunnel cannot be detected by DPD for the remaining lifetime of the IPSec SA, and a DPD blank period appears; Fig. 2 is a schematic diagram of the DPD blank period that exists in the prior art. In the embodiment of the present invention, a soft lifetime and a hard lifetime are set for each IPSec SA, the soft timeout corresponding to the soft lifetime is earlier than the hard timeout corresponding to the hard lifetime, the IPSec SA is deleted only when the hard timeout arrives, and a new IPSec SA is negotiated with the peer when the soft timeout arrives. In this way, when the timeout of the IKE SA arrives, the negotiation of the new IPSec SA triggers the negotiation of a new IKE SA, so that for the previous IPSec SA an IKE SA exists throughout its entire hard lifetime, which eliminates the DPD blank period; Fig. 3 is a schematic diagram of the effect of the embodiment of the present invention. Comparing Fig. 2 with Fig. 3 makes the beneficial effect of the embodiment of the present invention clear: DPD no longer has a blank period, which solves the tunnel black hole problem.
It is noted here that, as shown in Fig. 3, there is a very small blank period between the timeout of the IKE SA and the start of the next IPSec SA. This blank period is less than or equal to the first threshold and can be ignored in practical applications. Nevertheless, in order to avoid a DPD blank period, the smaller the first threshold is set in the embodiments of the present invention the better; for example, the first threshold may be greater than or equal to 1 second (s) and less than or equal to 5 s, although it is not limited to this.
In the embodiments of the present invention, the second threshold can be set according to the practical situation. Considering that the lifetime of an IKE SA is usually measured in days while the lifetime of an IPSec SA is usually measured in hours, the two differ by a large order of magnitude, so the difference between the soft timeout and the hard timeout of the IPSec SA (that is, the second threshold) need not be set too small; for example, the second threshold may be greater than or equal to 30 s and less than or equal to 45 s, although it is not limited to this.
Fig. 4 is a schematic structural diagram of a security association negotiation device provided by an embodiment of the present invention. As shown in Fig. 4, the device includes an establishing module 41, a setting module 42 and a deleting module 43.
The establishing module 41 is configured to negotiate a second IPSec SA with the peer when the actual soft timeout of a first IPSec SA arrives.
The setting module 42 is connected to the establishing module 41 and is configured to, when the negotiated hard timeout of the second IPSec SA is later than the timeout of the IKE SA, set the actual soft timeout of the second IPSec SA between the timeout of the IKE SA and the sum of the IKE SA timeout and a first threshold, and set the actual hard timeout of the second IPSec SA to the sum of its actual soft timeout and a second threshold; wherein, if the negotiated hard timeout of the first IPSec SA is later than the timeout of the IKE SA, the actual soft timeout of the first IPSec SA lies between the timeout of the IKE SA and the sum of the IKE SA timeout and the first threshold, and the actual hard timeout of the first IPSec SA is the sum of its actual soft timeout and the second threshold.
The deleting module 43 is configured to delete the first IPSec SA when the actual hard timeout of the first IPSec SA arrives.
In an optional embodiment, the setting module 42 is further configured to, when the negotiated hard timeout of the second IPSec SA is earlier than the timeout of the IKE SA, set the actual soft timeout of the second IPSec SA to the negotiated value and set the actual hard timeout of the second IPSec SA to the sum of its actual soft timeout and the second threshold.
In an optional embodiment, the establishing module 41 is further configured to negotiate the first IPSec SA with the peer before negotiating the second IPSec SA with the peer. Correspondingly, the setting module 42 is further configured to, when the negotiated hard timeout of the first IPSec SA is later than the timeout of the IKE SA, set the actual soft timeout of the first IPSec SA between the timeout of the IKE SA and the sum of the IKE SA timeout and the first threshold, and set the actual hard timeout of the first IPSec SA to the sum of its actual soft timeout and the second threshold.
Further, the setting module 42 is further configured to, when the negotiated hard timeout of the first IPSec SA is earlier than the timeout of the IKE SA, set the actual soft timeout of the first IPSec SA to the negotiated value and set the actual hard timeout of the first IPSec SA to the sum of its actual soft timeout and the second threshold.
When negotiating the second IPSec SA with the peer, the establishing module 41 is specifically configured to determine whether the IKE SA exists; if the determination result is that it exists, to negotiate the second IPSec SA with the peer directly; and if the determination result is that it does not exist, to first negotiate the IKE SA with the peer and then negotiate the second IPSec SA with the peer.
Further, the establishing module 41 is also connected to the deleting module 43 and is configured to treat the second IPSec SA as the first IPSec SA after the deleting module 43 has deleted the first IPSec SA.
It is noted here that, in order to avoid a DPD blank period, the smaller the first threshold is set in the embodiments of the present invention the better; for example, the first threshold may be greater than or equal to 1 second (s) and less than or equal to 5 s, although it is not limited to this.
In the embodiments of the present invention, the second threshold can be set according to the practical situation but should not be too small; for example, the second threshold may be greater than or equal to 30 s and less than or equal to 45 s, although it is not limited to this.
Each functional module of the security association negotiation device provided by the present embodiment can be used to execute the flow of the method embodiment shown in Fig. 1; its specific working principle is not repeated here, and reference is made to the description of the method embodiment.
In the security association negotiation device provided by the present embodiment, a soft timeout and a hard timeout are set for each IPSec SA. For the first IPSec SA, when its negotiated hard timeout is later than the timeout of the IKE SA, its actual soft timeout lies between the IKE SA timeout and the sum of the IKE SA timeout and the first threshold, and its actual hard timeout is the sum of its actual soft timeout and the second threshold. Thus, before the actual hard timeout of the first IPSec SA arrives, the local end negotiates the second IPSec SA with the peer once the soft timeout arrives, and because establishing the second IPSec SA triggers the establishment of an IKE SA, an IKE SA exists throughout the whole lifetime of the first IPSec SA. The second IPSec SA, negotiated with the peer when the actual soft timeout of the first IPSec SA arrives, is treated in the same way: when its negotiated hard timeout is later than the timeout of the IKE SA, its actual soft timeout is set between the IKE SA timeout and the sum of the IKE SA timeout and the first threshold, and its actual hard timeout is set to the sum of its actual soft timeout and the second threshold, which likewise guarantees that an IKE SA exists throughout the whole lifetime of the second IPSec SA. In other words, the technical solution of the present invention guarantees that the DPD mechanism is available throughout the whole lifetime of every IPSec SA, so that the state of the peer tunnel can be detected during that whole lifetime, solving the tunnel black hole problem that exists in the prior art.
An embodiment of the present invention provides a network device, including the security association negotiation device provided by the embodiments of the present invention. For the structure and working principle of the security association negotiation device, reference is made to the description of the preceding embodiments. The network device provided by the present embodiment likewise guarantees that the DPD mechanism is available throughout the whole lifetime of an IPSec SA, so that the state of the peer tunnel can be detected during that whole lifetime, solving the tunnel black hole problem that exists in the prior art.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be completed by hardware related to program instructions. The program may be stored in a computer-readable storage medium; when executed, the program performs the steps of the above method embodiments. The storage medium includes various media capable of storing program code, such as ROM, RAM, magnetic disks or optical discs.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be equivalently replaced, without the essence of the corresponding technical solutions departing from the scope of the technical solutions of the embodiments of the present invention.

Claims (13)

1. A security association (SA) negotiation method, characterized in that it comprises:
when the actual soft timeout time of a first IPSec SA arrives, negotiating with the peer to establish a second IPSec SA, and, when the hard timeout time of the second IPSec SA determined by the negotiation is later than the timeout time of the IKE SA, setting the actual soft timeout time of the second IPSec SA to a value between the timeout time of the IKE SA and the sum of the timeout time of the IKE SA and a first threshold, and setting the actual hard timeout time of the second IPSec SA to the sum of the actual soft timeout time of the second IPSec SA and a second threshold; wherein, if the hard timeout time of the first IPSec SA determined by negotiation is later than the timeout time of the IKE SA, the actual soft timeout time of the first IPSec SA lies between the timeout time of the IKE SA and the sum of the timeout time of the IKE SA and the first threshold, and the actual hard timeout time of the first IPSec SA is the sum of the actual soft timeout time of the first IPSec SA and the second threshold;
when the actual hard timeout time of the first IPSec SA arrives, deleting the first IPSec SA.
2. The method according to claim 1, characterized in that it further comprises:
when negotiating with the peer to establish the second IPSec SA, if the hard timeout time of the second IPSec SA determined by the negotiation is earlier than the timeout time of the IKE SA, setting the actual soft timeout time of the second IPSec SA to the value determined by the negotiation, and setting the actual hard timeout time of the second IPSec SA to the sum of the actual soft timeout time of the second IPSec SA and the second threshold.
3. The method according to claim 1 or 2, characterized in that, before negotiating with the peer to establish the second IPSec SA, it comprises:
negotiating with the peer to establish the first IPSec SA, and, when the hard timeout time of the first IPSec SA determined by the negotiation is later than the timeout time of the IKE SA, setting the actual soft timeout time of the first IPSec SA to a value between the timeout time of the IKE SA and the sum of the timeout time of the IKE SA and the first threshold, and setting the actual hard timeout time of the first IPSec SA to the sum of the actual soft timeout time of the first IPSec SA and the second threshold.
4. The method according to claim 1 or 2, characterized in that negotiating with the peer to establish the second IPSec SA comprises:
determining whether the IKE SA exists;
if the determination result is that it exists, directly negotiating with the peer to establish the second IPSec SA;
if the determination result is that it does not exist, first negotiating with the peer to establish the IKE SA, and then negotiating with the peer to establish the second IPSec SA.
5. The method according to claim 1 or 2, characterized in that, after deleting the first IPSec SA, it comprises:
treating the second IPSec SA as the new first IPSec SA.
6. The method according to claim 1 or 2, characterized in that the first threshold is greater than or equal to 1 second and less than or equal to 5 seconds, and the second threshold is greater than or equal to 30 seconds and less than or equal to 45 seconds.
7. A security association (SA) negotiation device, characterized in that it comprises:
an establishing module, configured to negotiate with the peer to establish a second IPSec SA when the actual soft timeout time of a first IPSec SA arrives;
a setting module, configured to, when the hard timeout time of the second IPSec SA determined by the negotiation is later than the timeout time of the IKE SA, set the actual soft timeout time of the second IPSec SA to a value between the timeout time of the IKE SA and the sum of the timeout time of the IKE SA and a first threshold, and set the actual hard timeout time of the second IPSec SA to the sum of the actual soft timeout time of the second IPSec SA and a second threshold; wherein, if the hard timeout time of the first IPSec SA determined by negotiation is later than the timeout time of the IKE SA, the actual soft timeout time of the first IPSec SA lies between the timeout time of the IKE SA and the sum of the timeout time of the IKE SA and the first threshold, and the actual hard timeout time of the first IPSec SA is the sum of the actual soft timeout time of the first IPSec SA and the second threshold;
a deleting module, configured to delete the first IPSec SA when the actual hard timeout time of the first IPSec SA arrives.
8. The device according to claim 7, characterized in that the setting module is further configured to, when the hard timeout time of the second IPSec SA determined by the negotiation is earlier than the timeout time of the IKE SA, set the actual soft timeout time of the second IPSec SA to the value determined by the negotiation, and set the actual hard timeout time of the second IPSec SA to the sum of the actual soft timeout time of the second IPSec SA and the second threshold.
9. The device according to claim 7 or 8, characterized in that the establishing module is further configured to negotiate with the peer to establish the first IPSec SA before negotiating with the peer to establish the second IPSec SA;
the setting module is further configured to, when the hard timeout time of the first IPSec SA determined by the negotiation is later than the timeout time of the IKE SA, set the actual soft timeout time of the first IPSec SA to a value between the timeout time of the IKE SA and the sum of the timeout time of the IKE SA and the first threshold, and set the actual hard timeout time of the first IPSec SA to the sum of the actual soft timeout time of the first IPSec SA and the second threshold.
10. The device according to claim 7 or 8, characterized in that the establishing module is specifically configured to determine whether the IKE SA exists; if the determination result is that it exists, to directly negotiate with the peer to establish the second IPSec SA; and if the determination result is that it does not exist, to first negotiate with the peer to establish the IKE SA and then negotiate with the peer to establish the second IPSec SA.
11. The device according to claim 7 or 8, characterized in that the establishing module is further configured to, after the deleting module deletes the first IPSec SA, treat the second IPSec SA as the new first IPSec SA.
12. The device according to claim 7 or 8, characterized in that the first threshold is greater than or equal to 1 second and less than or equal to 5 seconds, and the second threshold is greater than or equal to 30 seconds and less than or equal to 45 seconds.
13. A network device, characterized in that it comprises the security association (SA) negotiation device according to any one of claims 7 to 12.
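The timeout rule of claims 1, 2 and 6 and the rekey cycle of claims 1, 4 and 5, as an added worked example in Python (constructed for this page; it is not code from the patent or its assignee). Absolute times on one clock, placing the soft timeout at the midpoint of the claimed interval, and the default threshold values are assumptions of the example.

```python
from dataclasses import dataclass

FIRST_THRESHOLD_RANGE = (1, 5)      # seconds, claims 6 and 12
SECOND_THRESHOLD_RANGE = (30, 45)   # seconds, claims 6 and 12


def actual_lifetimes(neg_soft, neg_hard, ike_timeout, first_threshold=4, second_threshold=40):
    """Actual (soft, hard) timeouts of an IPSec SA per claims 1, 2 and 6.
    All arguments are absolute times on one clock, in seconds; the default
    thresholds are mid-range picks, the claims fix only the ranges."""
    if not FIRST_THRESHOLD_RANGE[0] <= first_threshold <= FIRST_THRESHOLD_RANGE[1]:
        raise ValueError("first threshold must be 1..5 s (claim 6)")
    if not SECOND_THRESHOLD_RANGE[0] <= second_threshold <= SECOND_THRESHOLD_RANGE[1]:
        raise ValueError("second threshold must be 30..45 s (claim 6)")
    if neg_hard > ike_timeout:
        # Claim 1: the IPSec SA would outlive the IKE SA, so pull its soft timeout
        # into (ike_timeout, ike_timeout + first_threshold). The claim fixes only
        # the interval; taking its midpoint is an assumption of this example.
        soft = ike_timeout + first_threshold / 2
    else:
        soft = neg_soft  # claim 2: IPSec SA ends before the IKE SA, keep the negotiated value
    return soft, soft + second_threshold  # both cases: hard = soft + second threshold


@dataclass
class IpsecSa:
    name: str
    soft: float
    hard: float


class Tunnel:
    """Toy model of the rekey cycle of claims 1, 4 and 5 (constructed for this example)."""

    def __init__(self, ike_lifetime, neg_soft, neg_hard, now=0):
        self.ike_lifetime, self.neg = ike_lifetime, (neg_soft, neg_hard)
        self.ike_timeout = now + ike_lifetime   # absolute expiry of the current IKE SA
        self.first, self.second = self._negotiate("SA1", now), None

    def _negotiate(self, name, now):
        if now >= self.ike_timeout:  # claim 4: the IKE SA is gone, re-establish it first
            self.ike_timeout = now + self.ike_lifetime
        soft, hard = actual_lifetimes(now + self.neg[0], now + self.neg[1], self.ike_timeout)
        return IpsecSa(name, soft, hard)

    def tick(self, now):
        """Timer handler: rekey at the soft timeout, delete at the hard timeout."""
        if self.second is None and now >= self.first.soft:
            self.second = self._negotiate("SA2", now)  # claim 1: negotiate the second SA
        if now >= self.first.hard:
            self.first, self.second = self.second, None  # claims 1 and 5: drop SA1, SA2 becomes first
```

With an IKE lifetime of 1800 s and a negotiated IPSec lifetime of 3600 s, SA1 is rekeyed at 1802 s, which forces a fresh IKE SA, and SA1 is deleted 40 s later.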
Application CN201310233561.1A, priority date 2013-06-13, filing date 2013-06-13: Security association negotiation method, device and the network equipment. Granted as CN103312713B (en), status Active.

Priority Applications (1)

CN201310233561.1A / CN103312713B (en), priority date 2013-06-13, filing date 2013-06-13: Security association negotiation method, device and the network equipment

Applications Claiming Priority (1)

CN201310233561.1A / CN103312713B (en), priority date 2013-06-13, filing date 2013-06-13: Security association negotiation method, device and the network equipment

Publications (2)

CN103312713A (en), published 2013-09-18
CN103312713B (en), published 2016-08-10 (this document)

Family

ID=49137497

Family Applications (1)

CN201310233561.1A (Active) / CN103312713B (en), priority date 2013-06-13, filing date 2013-06-13: Security association negotiation method, device and the network equipment

Country Status (1)

CN (1): CN103312713B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party

CN105610577B (en) *, priority date 2016-01-07, published 2018-09-14, 成都卫士通信息产业股份有限公司: A system and method for preventing multi-tunnel IKE negotiation failure on IPSec VPN devices
CN106254204A (en) *, priority date 2016-09-28, published 2016-12-21, 乐视控股(北京)有限公司: Method and device for configuring the IPsec tunnel lifetime in a cloud environment
CN113438094B (en) *, priority date 2020-03-23, published 2022-12-13, 华为技术有限公司: Method and equipment for automatically updating a manually configured IPSec SA

Citations (5)

* Cited by examiner, † Cited by third party

WO2007019583A2 (en) *, priority date 2005-08-09, published 2007-02-15, Sipera Systems, Inc.: System and method for providing network level and nodal level vulnerability protection in VoIP networks
CN101227485A (en) *, priority date 2008-02-04, published 2008-07-23, 杭州华三通信技术有限公司: Method and apparatus for negotiating the lifetime of an Internet Key Exchange security association
CN102761553A (en) *, priority date 2012-07-23, published 2012-10-31, 杭州华三通信技术有限公司: IPSec SA negotiation method and device
CN102761541A (en) *, priority date 2012-05-31, published 2012-10-31, 汉柏科技有限公司: Timer processing method and system
CN102868523A (en) *, priority date 2012-09-18, published 2013-01-09, 汉柏科技有限公司: IKE (Internet Key Exchange) negotiation method


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant