CN103312713B - Security association negotiation method, device and the network equipment - Google Patents
Publication number: CN103312713B (application CN201310233561.1A)
Authority: CN (China)
Prior art keywords: time, ipsec, out time, ike, soft
Legal status: Active
Classification: Data Exchanges In Wide-Area Networks; Computer And Data Communications
Abstract
The present invention provides a security association negotiation method, a device and a network device. The method includes: when the actual soft timeout of a first IPSec SA arrives, negotiating a second IPSec SA with the peer, and, when the negotiated hard timeout of the second IPSec SA is later than the timeout of the IKE SA, setting the actual soft timeout of the second IPSec SA between the timeout of the IKE SA and the timeout of the IKE SA plus a first threshold, and setting the actual hard timeout of the second IPSec SA to the actual soft timeout of the second IPSec SA plus a second threshold; and when the actual hard timeout of the first IPSec SA arrives, deleting the first IPSec SA. The technical solution of the present invention solves the tunnel black hole problem that exists in the prior art.
Description
Technical field
The present invention relates to communication technology, and in particular to a security association negotiation method, a device and a network device.
Background technology
Internet Key Exchange (IKE) is a key management protocol standard that is used together with Internet Protocol Security (IPSec). IPSec provides security services at the Internet Protocol (IP) layer: it enables a system to select security protocols on demand, to determine the algorithms used by a service, and to put the keys required by the service in place. A Security Association (SA) is mainly responsible for providing a logical connection that offers security services to a specific data flow. At present, SAs mainly comprise IPSec SAs and IKE SAs, which are usually established by negotiation with the peer. Both IPSec SAs and IKE SAs have a lifetime, and the lifetime of an IKE SA is usually much longer than the lifetime of an IPSec SA.
Dead Peer Detection (DPD) is a method for detecting whether an IPSec peer still exists and whether it can still communicate. In existing DPD schemes, DPD starts after the IKE SA has been negotiated and periodically sends DPD probe messages to detect whether the peer exists; that is, DPD is associated with the IKE SA, and the DPD mechanism is effective only while the IKE SA exists. Because an IKE SA is not rebuilt automatically after its lifetime ends, the DPD mechanism associated with the IKE SA fails once the lifetime of the IKE SA has ended. If the lifetime of the IPSec SA has not yet ended at that point, the state of the peer's tunnel cannot be detected by DPD during the remaining lifetime of the IPSec SA; if the peer's tunnel no longer exists, the local end cannot perceive this, which may result in a tunnel black hole.
Summary of the invention
The present invention provides a security association negotiation method, a device and a network device, in order to solve the tunnel black hole problem that exists in the prior art.
A first aspect provides a security association negotiation method, including:
when the actual soft timeout of a first IPSec SA arrives, negotiating a second IPSec SA with the peer, and, when the negotiated hard timeout of the second IPSec SA is later than the timeout of the IKE SA, setting the actual soft timeout of the second IPSec SA between the timeout of the IKE SA and the timeout of the IKE SA plus a first threshold, and setting the actual hard timeout of the second IPSec SA to the actual soft timeout of the second IPSec SA plus a second threshold; where, if the negotiated hard timeout of the first IPSec SA is later than the timeout of the IKE SA, the actual soft timeout of the first IPSec SA lies between the timeout of the IKE SA and the timeout of the IKE SA plus the first threshold, and the actual hard timeout of the first IPSec SA is the actual soft timeout of the first IPSec SA plus the second threshold;
when the actual hard timeout of the first IPSec SA arrives, deleting the first IPSec SA.
A second aspect provides a security association negotiation device, including:
an establishing module, for negotiating a second IPSec SA with the peer when the actual soft timeout of a first IPSec SA arrives;
a setting module, for, when the negotiated hard timeout of the second IPSec SA is later than the timeout of the IKE SA, setting the actual soft timeout of the second IPSec SA between the timeout of the IKE SA and the timeout of the IKE SA plus a first threshold, and setting the actual hard timeout of the second IPSec SA to the actual soft timeout of the second IPSec SA plus a second threshold; where, if the negotiated hard timeout of the first IPSec SA is later than the timeout of the IKE SA, the actual soft timeout of the first IPSec SA lies between the timeout of the IKE SA and the timeout of the IKE SA plus the first threshold, and the actual hard timeout of the first IPSec SA is the actual soft timeout of the first IPSec SA plus the second threshold;
a deleting module, for deleting the first IPSec SA when the actual hard timeout of the first IPSec SA arrives.
A third aspect provides a network device, including any security association negotiation device provided by the second aspect of the present invention.
In the security association negotiation method, device and network device provided by the present invention, a soft timeout and a hard timeout are set for each IPSec SA. For the first IPSec SA, when its negotiated hard timeout is later than the timeout of the IKE SA, its actual soft timeout lies between the timeout of the IKE SA and the timeout of the IKE SA plus the first threshold, and its actual hard timeout is its actual soft timeout plus the second threshold. Therefore, before the actual hard timeout of the first IPSec SA arrives, the local end can negotiate the second IPSec SA with the peer once the actual soft timeout arrives; because establishing the second IPSec SA triggers the establishment of an IKE SA, an IKE SA exists throughout the lifetime of the first IPSec SA. The second IPSec SA is negotiated by the local end with the peer when the actual soft timeout of the first IPSec SA arrives, and when its negotiated hard timeout is later than the timeout of the IKE SA, its actual soft timeout is set between the timeout of the IKE SA and the timeout of the IKE SA plus the first threshold, and its actual hard timeout is set to its actual soft timeout plus the second threshold; this likewise ensures that an IKE SA exists throughout the lifetime of the second IPSec SA. In other words, the technical solution of the present invention ensures that the DPD mechanism exists throughout the lifetime of each IPSec SA, so that the state of the peer's tunnel can be detected throughout the lifetime of the IPSec SA, which solves the tunnel black hole problem of the prior art.
Brief description of the drawings
Fig. 1 is a flow chart of an SA negotiation method provided by an embodiment of the present invention;
Fig. 2 is a schematic diagram of the DPD blank period that exists in the prior art;
Fig. 3 is a schematic diagram of the effect of the embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a security association negotiation device provided by an embodiment of the present invention.
Detailed description of the invention
Fig. 1 is a flow chart of an SA negotiation method provided by an embodiment of the present invention. As shown in Fig. 1, the method includes:
101. When the actual soft timeout of the first IPSec SA arrives, negotiate a second IPSec SA with the peer, and, when the negotiated hard timeout of the second IPSec SA is later than the timeout of the IKE SA, set the actual soft timeout of the second IPSec SA between the timeout of the IKE SA and the timeout of the IKE SA plus a first threshold, and set the actual hard timeout of the second IPSec SA to the actual soft timeout of the second IPSec SA plus a second threshold. Here, if the negotiated hard timeout of the first IPSec SA is later than the timeout of the IKE SA, the actual soft timeout of the first IPSec SA lies between the timeout of the IKE SA and the timeout of the IKE SA plus the first threshold, and the actual hard timeout of the first IPSec SA is the actual soft timeout of the first IPSec SA plus the second threshold.
102. When the actual hard timeout of the first IPSec SA arrives, delete the first IPSec SA.
In this embodiment, two lifetimes are set for each IPSec SA: a soft lifetime and a hard lifetime. The hard lifetime is the real lifetime of the IPSec SA; the IPSec SA is deleted only after the hard lifetime ends. After the soft lifetime ends, the IPSec SA is not deleted and continues to exist, but the local end and the peer may negotiate a new IPSec SA. Every IPSec SA, once established, has a corresponding soft lifetime and hard lifetime, which the local end negotiates with the peer while the IPSec SA is being established. Consequently, after the new IPSec SA (the second IPSec SA in this embodiment) has been established and before the hard lifetime of the old IPSec SA (the first IPSec SA in this embodiment) ends, two IPSec SAs exist at the same time.
The point in time at which the soft lifetime ends is called the soft timeout, and the point in time at which the hard lifetime ends is called the hard timeout. Accordingly, the end of the soft lifetime negotiated while establishing the IPSec SA is called the negotiated soft timeout, and the end of the negotiated hard lifetime is called the negotiated hard timeout. In this embodiment, a soft timeout and a hard timeout are actually set for the IPSec SA according to the actual situation and the negotiated hard timeout of the IPSec SA; these are called the actual soft timeout and the actual hard timeout. The actual soft timeout of the first IPSec SA mentioned above is the point in time at which the actual soft lifetime of the first IPSec SA ends, the actual hard timeout of the first IPSec SA is the point in time at which the actual hard lifetime of the first IPSec SA ends, the actual hard timeout of the second IPSec SA is the point in time at which the actual hard lifetime of the second IPSec SA ends, and the actual soft timeout of the second IPSec SA is the point in time at which the actual soft lifetime of the second IPSec SA ends.
In this embodiment, the IKE SA has only one lifetime, and the timeout of the IKE SA is the point in time at which the lifetime of the IKE SA ends.
For example, assume that the timeout of the IKE SA is t1, that the first threshold is set to 1 s and that the second threshold is set to 30 s. Then the actual soft timeout t2 of the second IPSec SA can be set such that t1 ≤ t2 ≤ (t1 + 1), and the actual hard timeout of the second IPSec SA can be set to (t2 + 30).
Before step 101, the local end may negotiate the first IPSec SA with the peer. For the first IPSec SA, if its negotiated hard timeout is later than the timeout of the IKE SA, its actual soft timeout can likewise be set between the timeout of the IKE SA and the timeout of the IKE SA plus the first threshold, and its actual hard timeout can be set to its actual soft timeout plus the second threshold. For example, assume that the timeout of the IKE SA is t1, that the first threshold is set to 1 s and that the second threshold is set to 30 s. Then the actual soft timeout t3 of the first IPSec SA can be set such that t1 ≤ t3 ≤ (t1 + 1), and the actual hard timeout of the first IPSec SA can be set to (t3 + 30). In this way, in the case where the actual hard timeout of the first IPSec SA falls after the timeout of the IKE SA, it is guaranteed that, before the actual hard timeout of the first IPSec SA arrives, the actual soft timeout of the first IPSec SA triggers the local end and the peer to establish the second IPSec SA, and the second IPSec SA triggers the establishment of the IKE SA, so that an IKE SA exists throughout the lifetime of the first IPSec SA. That is, the DPD mechanism is effective throughout the lifetime of the first IPSec SA, and a tunnel black hole is avoided.
Further, if the negotiated hard timeout of the first IPSec SA is earlier than the timeout of the IKE SA, the actual soft timeout of the first IPSec SA can be set to the negotiated value, but the actual hard timeout of the first IPSec SA is still set to the actual soft timeout of the first IPSec SA plus the second threshold. The negotiated value here refers to the soft timeout that the two ends negotiated while establishing the first IPSec SA.
Similarly, when the second IPSec SA is negotiated with the peer because the actual soft timeout of the first IPSec SA has arrived, if the negotiated hard timeout of the second IPSec SA is earlier than the timeout of the IKE SA, the actual soft timeout of the second IPSec SA is set to the negotiated value, and the actual hard timeout of the second IPSec SA is set to the actual soft timeout of the second IPSec SA plus the second threshold. The negotiated value here refers to the soft timeout that the two ends negotiated while establishing the second IPSec SA.
Negotiating the second IPSec SA with the peer when the actual soft timeout of the first IPSec SA arrives includes: determining whether an IKE SA with the peer exists; if the result is that it exists, directly negotiating the second IPSec SA with the peer; if the result is that it does not exist, first negotiating the IKE SA with the peer and then negotiating the second IPSec SA with the peer. Specifically, the information in the IKE SA is used to establish the negotiation channel for the IPSec SA and to protect the IPSec SA. Therefore, when establishing the second IPSec SA, if no IKE SA exists between the local end and the peer, the IKE SA is first established with the peer, the information in the IKE SA is then used to establish the negotiation channel for the IPSec SA, and finally the establishment of the second IPSec SA is completed. The first IPSec SA and the second IPSec SA are ultimately used to establish an encrypted tunnel that protects user data.
It should be noted that the detailed process by which the local end negotiates the first IPSec SA or the second IPSec SA with the peer can be found in Section 5 of RFC 2409 and is not repeated in this embodiment.
Further, when the actual hard timeout of the first IPSec SA arrives, the first IPSec SA is deleted; at that point the second IPSec SA can be treated as the new first IPSec SA, so that the negotiation and establishment of IPSec SAs continues.
In the method provided by this embodiment, a soft timeout and a hard timeout are set for each IPSec SA. For the first IPSec SA, when its negotiated hard timeout is later than the timeout of the IKE SA, its actual soft timeout lies between the timeout of the IKE SA and the timeout of the IKE SA plus the first threshold, and its actual hard timeout is its actual soft timeout plus the second threshold. Therefore, before the actual hard timeout of the first IPSec SA arrives, the local end can negotiate the second IPSec SA with the peer once the soft timeout arrives; because establishing the second IPSec SA triggers the establishment of an IKE SA, an IKE SA exists throughout the lifetime of the first IPSec SA. The second IPSec SA is negotiated by the local end with the peer when the actual soft timeout of the first IPSec SA arrives, and when its negotiated hard timeout is later than the timeout of the IKE SA, its actual soft timeout is set between the timeout of the IKE SA and the timeout of the IKE SA plus the first threshold, and its actual hard timeout is set to its actual soft timeout plus the second threshold; this likewise ensures that an IKE SA exists throughout the lifetime of the second IPSec SA. In other words, the technical solution of the present invention ensures that the DPD mechanism exists throughout the lifetime of each IPSec SA, so that the state of the peer's tunnel can be detected throughout the lifetime of the IPSec SA, which solves the tunnel black hole problem of the prior art.
In the prior art, once the lifetime of the IKE SA ends, the DPD mechanism associated with the IKE SA fails; if the lifetime of the IPSec SA has not yet ended, the state of the peer's tunnel cannot be detected by DPD during the remaining lifetime of the IPSec SA, and a DPD blank period appears. Fig. 2 is a schematic diagram of the DPD blank period that exists in the prior art. In the embodiment of the present invention, by contrast, a soft lifetime and a hard lifetime are set for each IPSec SA, the soft timeout corresponding to the soft lifetime is set earlier than the hard timeout corresponding to the hard lifetime, the IPSec SA is deleted only when the hard timeout arrives, and a new IPSec SA is negotiated with the peer when the soft timeout arrives. In this way, when the timeout of the IKE SA arrives, the negotiation of the new IPSec SA triggers the negotiation and establishment of the IKE SA, so that for the previous IPSec SA an IKE SA exists throughout its hard lifetime, which removes the DPD blank period. Fig. 3 is a schematic diagram of the effect of the embodiment of the present invention. Comparing Fig. 2 with Fig. 3 shows the beneficial effect of the embodiment clearly: no DPD blank period appears, so the tunnel black hole problem is solved.
It should be noted that, as shown in Fig. 3, there is a very small blank period between the timeout of the IKE SA and the start of the next IPsec SA; this blank period is less than or equal to the first threshold and can be ignored in practice. Nevertheless, in order to avoid a DPD blank period, the smaller the first threshold is set in the embodiments of the present invention, the better; for example, the first threshold may be greater than or equal to 1 second (s) and less than or equal to 5 s, but is not limited to this.
In the embodiments of the present invention, the second threshold can be set according to the actual application. Considering that the lifetime of an IKE SA is usually measured in days while the lifetime of an IPsec SA is usually measured in hours, so that the two differ by orders of magnitude, the difference between the soft timeout and the hard timeout of the IPsec SA (that is, the second threshold) does not need to be set too small; for example, the second threshold may be greater than or equal to 30 s and less than or equal to 45 s, but is not limited to this.
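The timeout rule of steps 101 and 102 and the comparison with the prior-art DPD blank period above, as an added Python simulation that is not code from the patent: it applies the actual-timeout rule to a constructed timeline in which the negotiated hard timeout of the IPSec SA falls after the IKE SA timeout, rebuilds the IKE SA when a soft timeout triggers a new IPSec SA, and measures the intervals during which an IPSec SA exists without an IKE SA. The numeric lifetimes, the `soft_offset` parameter that picks a point inside the window between the IKE timeout and the IKE timeout plus the first threshold, and instantaneous negotiation are assumptions.

```python
"""Timeline simulation of the soft/hard IPSec SA lifetime rule described above.
Added illustration, not code from the patent.  Times are seconds from t = 0, when
the first IKE SA and IPSec SA come up; negotiation is modelled as instantaneous."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FIRST_THRESHOLD = 1.0    # theta1: the patent suggests 1 s <= theta1 <= 5 s
SECOND_THRESHOLD = 30.0  # theta2: the patent suggests 30 s <= theta2 <= 45 s


@dataclass
class IpsecSa:
    established: float
    negotiated_soft: float   # absolute soft timeout agreed with the peer
    negotiated_hard: float   # absolute hard timeout agreed with the peer
    actual_soft: float = 0.0
    actual_hard: float = 0.0
    rekeyed: bool = False    # True once the soft timeout has triggered a new SA


def set_actual_timeouts(sa: IpsecSa, ike_timeout: float,
                        theta1: float = FIRST_THRESHOLD,
                        theta2: float = SECOND_THRESHOLD,
                        soft_offset: float = 0.0) -> IpsecSa:
    """Actual timeouts of one IPSec SA: if the negotiated hard timeout is later
    than the IKE SA timeout ('later' taken as strictly greater), the actual soft
    timeout lies in [ike_timeout, ike_timeout + theta1] (soft_offset picks the
    point); otherwise the negotiated soft timeout is kept.  Either way the actual
    hard timeout is the actual soft timeout plus theta2."""
    if not 0.0 <= soft_offset <= theta1:
        raise ValueError("soft_offset must lie within [0, theta1]")
    if sa.negotiated_hard > ike_timeout:
        sa.actual_soft = ike_timeout + soft_offset
    else:
        sa.actual_soft = sa.negotiated_soft
    sa.actual_hard = sa.actual_soft + theta2
    return sa


def simulate(ike_lifetime: float, ipsec_soft: float, ipsec_hard: float,
             horizon: float, use_scheme: bool = True,
             theta1: float = FIRST_THRESHOLD, theta2: float = SECOND_THRESHOLD,
             soft_offset: float = 0.0) -> Tuple[List[Tuple[float, float]], int]:
    """Run the timeline up to `horizon` and return (gaps, sa_count): `gaps` are
    the intervals in which an IPSec SA exists but no IKE SA does, so DPD cannot
    run (the blank period of Fig. 2); `sa_count` is the number of IPSec SAs
    negotiated.  use_scheme=False models the prior art: the IPSec SA lives until
    its negotiated hard timeout and the expired IKE SA is never rebuilt."""
    ike_timeout: Optional[float] = ike_lifetime   # None once the IKE SA expired

    def negotiate(t: float) -> IpsecSa:
        nonlocal ike_timeout
        if ike_timeout is None:          # no IKE SA: rebuild it before the IPSec SA
            ike_timeout = t + ike_lifetime
        sa = IpsecSa(t, t + ipsec_soft, t + ipsec_hard)
        if use_scheme:
            set_actual_timeouts(sa, ike_timeout, theta1, theta2, soft_offset)
        else:
            sa.actual_soft, sa.actual_hard = sa.negotiated_soft, sa.negotiated_hard
        return sa

    sas, count, t = [negotiate(0.0)], 1, 0.0
    gaps: List[Tuple[float, float]] = []
    while True:
        pending = [sa.actual_hard for sa in sas]
        if use_scheme:
            pending += [sa.actual_soft for sa in sas if not sa.rekeyed]
        if ike_timeout is not None:
            pending.append(ike_timeout)
        nxt = min(pending + [horizon])
        if sas and ike_timeout is None and nxt > t:
            gaps.append((t, nxt))        # IPSec SA alive, IKE SA gone: DPD blind
        if nxt >= horizon:
            return gaps, count
        t = nxt
        if ike_timeout is not None and ike_timeout <= t:
            ike_timeout = None           # IKE SA lifetime over; it does not rebuild itself
        sas = [sa for sa in sas if sa.actual_hard > t]   # hard timeout: delete SA
        if use_scheme:
            for sa in list(sas):
                if not sa.rekeyed and sa.actual_soft <= t:
                    sa.rekeyed = True
                    sas.append(negotiate(t))   # soft timeout: negotiate next SA
                    count += 1


def longest_gap(gaps: List[Tuple[float, float]]) -> float:
    """Length of the longest DPD-blind interval (0.0 when there is none)."""
    return max((end - start for start, end in gaps), default=0.0)


if __name__ == "__main__":
    # Constructed scenario: IKE SA lifetime 600 s; IPSec SA negotiated soft/hard
    # lifetimes 800 s / 900 s, so its negotiated hard timeout outlives the IKE SA.
    before, _ = simulate(600.0, 800.0, 900.0, 2000.0, use_scheme=False)
    after, n = simulate(600.0, 800.0, 900.0, 2000.0, soft_offset=FIRST_THRESHOLD)
    print("prior art, DPD-blind:", before, "longest:", longest_gap(before))
    print("with scheme, DPD-blind:", after, "longest:", longest_gap(after), "SAs:", n)
```

With the scheme every DPD-blind interval is at most the first threshold long (the small blank period of Fig. 3), whereas the prior-art run is blind from the IKE SA timeout until the IPSec SA's negotiated hard timeout.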
Fig. 4 is a schematic structural diagram of a security association negotiation device provided by an embodiment of the present invention. As shown in Fig. 4, the device includes an establishing module 41, a setting module 42 and a deleting module 43.
The establishing module 41 is used to negotiate a second IPSec SA with the peer when the actual soft timeout of a first IPSec SA arrives.
The setting module 42 is connected to the establishing module 41 and is used to, when the negotiated hard timeout of the second IPSec SA is later than the timeout of the IKE SA, set the actual soft timeout of the second IPSec SA between the timeout of the IKE SA and the timeout of the IKE SA plus a first threshold, and set the actual hard timeout of the second IPSec SA to the actual soft timeout of the second IPSec SA plus a second threshold. Here, if the negotiated hard timeout of the first IPSec SA is later than the timeout of the IKE SA, the actual soft timeout of the first IPSec SA lies between the timeout of the IKE SA and the timeout of the IKE SA plus the first threshold, and the actual hard timeout of the first IPSec SA is the actual soft timeout of the first IPSec SA plus the second threshold.
The deleting module 43 is used to delete the first IPSec SA when the actual hard timeout of the first IPSec SA arrives.
In an optional embodiment, the setting module 42 is further used to, when the negotiated hard timeout of the second IPSec SA is earlier than the timeout of the IKE SA, set the actual soft timeout of the second IPSec SA to the negotiated value, and set the actual hard timeout of the second IPSec SA to the actual soft timeout of the second IPSec SA plus the second threshold.
In an optional embodiment, the establishing module 41 is further used to negotiate the first IPSec SA with the peer before negotiating the second IPSec SA with the peer. Accordingly, the setting module 42 is further used to, when the negotiated hard timeout of the first IPSec SA is later than the timeout of the IKE SA, set the actual soft timeout of the first IPSec SA between the timeout of the IKE SA and the timeout of the IKE SA plus the first threshold, and set the actual hard timeout of the first IPSec SA to the actual soft timeout of the first IPSec SA plus the second threshold.
Further, the setting module 42 is also used to, when the negotiated hard timeout of the first IPSec SA is earlier than the timeout of the IKE SA, set the actual soft timeout of the first IPSec SA to the negotiated value, and set the actual hard timeout of the first IPSec SA to the actual soft timeout of the first IPSec SA plus the second threshold.
When negotiating the second IPSec SA with the peer, the establishing module 41 is specifically used to determine whether the IKE SA exists; if the result is that it exists, to directly negotiate the second IPSec SA with the peer; and if the result is that it does not exist, to first negotiate the IKE SA with the peer and then negotiate the second IPSec SA with the peer.
Further, the establishing module 41 is also connected to the deleting module 43 and is used to treat the second IPSec SA as the new first IPSec SA after the deleting module 43 has deleted the first IPSec SA.
It should be noted that, in order to avoid a DPD blank period, the smaller the first threshold is set in the embodiments of the present invention, the better; for example, the first threshold may be greater than or equal to 1 second (s) and less than or equal to 5 s, but is not limited to this.
In the embodiments of the present invention, the second threshold can be set according to the actual application, but it should not be too small; for example, the second threshold may be greater than or equal to 30 s and less than or equal to 45 s, but is not limited to this.
Each functional module of the security association negotiation device provided by this embodiment can be used to carry out the flow of the method embodiment shown in Fig. 1; its specific working principle is not repeated here and can be found in the description of the method embodiment.
In the security association negotiation device provided by this embodiment, a soft timeout and a hard timeout are set for each IPSec SA. For the first IPSec SA, when its negotiated hard timeout is later than the timeout of the IKE SA, its actual soft timeout lies between the timeout of the IKE SA and the timeout of the IKE SA plus the first threshold, and its actual hard timeout is its actual soft timeout plus the second threshold. Therefore, before the actual hard timeout of the first IPSec SA arrives, the local end can negotiate the second IPSec SA with the peer once the soft timeout arrives; because establishing the second IPSec SA triggers the establishment of an IKE SA, an IKE SA exists throughout the lifetime of the first IPSec SA. The second IPSec SA is negotiated by the local end with the peer when the actual soft timeout of the first IPSec SA arrives, and when its negotiated hard timeout is later than the timeout of the IKE SA, its actual soft timeout is set between the timeout of the IKE SA and the timeout of the IKE SA plus the first threshold, and its actual hard timeout is set to its actual soft timeout plus the second threshold; this likewise ensures that an IKE SA exists throughout the lifetime of the second IPSec SA. In other words, the technical solution of the present invention ensures that the DPD mechanism exists throughout the lifetime of each IPSec SA, so that the state of the peer's tunnel can be detected throughout the lifetime of the IPSec SA, which solves the tunnel black hole problem of the prior art.
An embodiment of the present invention provides a network device, including the security association negotiation device provided by the embodiment of the present invention. The structure and working principle of the security association negotiation device can be found in the description of the preceding embodiment. The network device provided by this embodiment likewise ensures that the DPD mechanism exists throughout the lifetime of the IPSec SA, so that the state of the peer's tunnel can be detected throughout the lifetime of the IPSec SA, which solves the tunnel black hole problem of the prior art.
One of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments can be completed by hardware under the control of program instructions. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes any medium that can store program code, such as a ROM, a RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be replaced by equivalents, without the essence of the corresponding technical solution departing from the scope of the technical solutions of the embodiments of the present invention.
Claims (13)
1. A security association (SA) negotiation method, characterized in that it includes:
when the actual soft timeout of a first IPSec SA arrives, negotiating a second IPSec SA with the peer, and, when the negotiated hard timeout of the second IPSec SA is later than the timeout of the IKE SA, setting the actual soft timeout of the second IPSec SA between the timeout of the IKE SA and the timeout of the IKE SA plus a first threshold, and setting the actual hard timeout of the second IPSec SA to the actual soft timeout of the second IPSec SA plus a second threshold; where, if the negotiated hard timeout of the first IPSec SA is later than the timeout of the IKE SA, the actual soft timeout of the first IPSec SA lies between the timeout of the IKE SA and the timeout of the IKE SA plus the first threshold, and the actual hard timeout of the first IPSec SA is the actual soft timeout of the first IPSec SA plus the second threshold;
when the actual hard timeout of the first IPSec SA arrives, deleting the first IPSec SA.
2. The method according to claim 1, characterized in that it further includes:
when negotiating the second IPSec SA with the peer, if the negotiated hard timeout of the second IPSec SA is earlier than the timeout of the IKE SA, setting the actual soft timeout of the second IPSec SA to the negotiated value, and setting the actual hard timeout of the second IPSec SA to the actual soft timeout of the second IPSec SA plus the second threshold.
Method the most according to claim 1 and 2, it is characterised in that included before setting up the 2nd IPSec SA with Peer Negotiation:
A described IPSec SA is set up with described Peer Negotiation, and when the hard time-out time of the described IPSec SA that negotiation determines is later than the time-out time of described IKE SA, the soft time-out time of reality of a described IPSec SA is set between the time-out time and the time-out time of described IKE SA and described first threshold sum of described IKE SA, and the soft time-out time of reality that actual hard time-out time is a described IPSec SA of a described IPSec SA and described Second Threshold sum are set.
Method the most according to claim 1 and 2, it is characterised in that described set up the 2nd IPSec SA with Peer Negotiation and include:
Determine whether described IKE SA exists;
If it is determined that result is for existing, then directly set up described 2nd IPSec SA with described Peer Negotiation;
If it is determined that result is not for exist, then first sets up described IKE SA with described Peer Negotiation, then set up described 2nd IPSec SA with described Peer Negotiation.
Method the most according to claim 1 and 2, it is characterised in that include after deleting a described IPSec SA:
Using described 2nd IPSec SA again as an IPSec SA.
Method the most according to claim 1 and 2, it is characterised in that described first threshold was less than or equal to 5 seconds more than or equal to 1 second;Described Second Threshold was less than or equal to 45 seconds more than or equal to 30 seconds.
7. A security association (SA) negotiation device, characterised in that it comprises:
an establishing module, configured to negotiate with the peer to establish a second IPSec SA when the actual soft timeout time of a first IPSec SA arrives;
a setting module, configured to, when the hard timeout time of the second IPSec SA determined by the negotiation is later than the timeout time of the IKE SA, set the actual soft timeout time of the second IPSec SA to a value between the timeout time of the IKE SA and the sum of the timeout time of the IKE SA and a first threshold, and set the actual hard timeout time of the second IPSec SA to the sum of the actual soft timeout time of the second IPSec SA and a second threshold; wherein, if the hard timeout time of the first IPSec SA determined by negotiation is later than the timeout time of the IKE SA, the actual soft timeout time of the first IPSec SA lies between the timeout time of the IKE SA and the sum of the timeout time of the IKE SA and the first threshold, and the actual hard timeout time of the first IPSec SA is the sum of the actual soft timeout time of the first IPSec SA and the second threshold;
a deleting module, configured to delete the first IPSec SA when the actual hard timeout time of the first IPSec SA arrives.
8. The device according to claim 7, characterised in that the setting module is further configured to, when the hard timeout time of the second IPSec SA determined by negotiation is earlier than the timeout time of the IKE SA, set the actual soft timeout time of the second IPSec SA to the value determined by negotiation, and set the actual hard timeout time of the second IPSec SA to the sum of the actual soft timeout time of the second IPSec SA and the second threshold.
9. The device according to claim 7 or 8, characterised in that the establishing module is further configured to negotiate with the peer to establish the first IPSec SA before negotiating with the peer to establish the second IPSec SA;
and the setting module is further configured to, when the hard timeout time of the first IPSec SA determined by negotiation is later than the timeout time of the IKE SA, set the actual soft timeout time of the first IPSec SA to a value between the timeout time of the IKE SA and the sum of the timeout time of the IKE SA and the first threshold, and set the actual hard timeout time of the first IPSec SA to the sum of the actual soft timeout time of the first IPSec SA and the second threshold.
10. The device according to claim 7 or 8, characterised in that the establishing module is specifically configured to determine whether the IKE SA exists; if the determination result is that it exists, to directly negotiate with the peer to establish the second IPSec SA; and if the determination result is that it does not exist, to first negotiate with the peer to establish the IKE SA and then negotiate with the peer to establish the second IPSec SA.
11. The device according to claim 7 or 8, characterised in that the establishing module is further configured to use the second IPSec SA as the new first IPSec SA after the deleting module deletes the first IPSec SA.
12. The device according to claim 7 or 8, characterised in that the first threshold is greater than or equal to 1 second and less than or equal to 5 seconds, and the second threshold is greater than or equal to 30 seconds and less than or equal to 45 seconds.
13. A network device, characterised in that it comprises the security association (SA) negotiation device according to any one of claims 7 to 12.
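As an added worked example (not code from the patent), the following Python models the timer rules of claims 1 to 6 on a constructed timeline: the first IPSec SA is clamped because it would outlive the IKE SA, rekeying starts right after the IKE SA expires (re-establishing the IKE SA first), and the old SA is deleted at its actual hard timeout. The threshold values, the IKE SA lifetime, the absolute negotiated times and the choice of the midpoint of the allowed soft-timeout interval are assumptions of the example, not values from the patent.

```python
from dataclasses import dataclass, field
from typing import List, Optional

FIRST_THRESHOLD = 2.0    # constructed; claim 6 allows 1 s to 5 s
SECOND_THRESHOLD = 30.0  # constructed; claim 6 allows 30 s to 45 s
IKE_LIFETIME = 100.0     # constructed IKE SA lifetime for this timeline

@dataclass
class IpsecSa:
    negotiated_soft: float    # absolute times agreed with the peer
    negotiated_hard: float
    actual_soft: float = 0.0  # times the local timers really use
    actual_hard: float = 0.0

def set_timers(sa: IpsecSa, ike_timeout: float) -> IpsecSa:
    """Claims 1 and 2: a negotiated hard timeout later than the IKE SA timeout pulls the
    soft timeout into (ike_timeout, ike_timeout + FIRST_THRESHOLD); no tunnel black hole."""
    if sa.negotiated_hard > ike_timeout:
        sa.actual_soft = ike_timeout + FIRST_THRESHOLD / 2  # midpoint of the allowed interval
    else:
        sa.actual_soft = sa.negotiated_soft  # keep the negotiated value
    sa.actual_hard = sa.actual_soft + SECOND_THRESHOLD
    return sa

@dataclass
class Tunnel:
    ike_timeout: float
    sa1: IpsecSa
    sa2: Optional[IpsecSa] = None
    events: List[str] = field(default_factory=list)

    def negotiate(self, now: float, soft: float, hard: float) -> IpsecSa:
        """Claim 4: re-establish the IKE SA first if it no longer exists."""
        if now >= self.ike_timeout:
            self.ike_timeout = now + IKE_LIFETIME
            self.events.append(f"{now:g}: IKE SA re-established")
        self.events.append(f"{now:g}: second IPSec SA negotiated")
        return set_timers(IpsecSa(now + soft, now + hard), self.ike_timeout)

    def tick(self, now: float, soft: float, hard: float) -> None:
        if self.sa2 is None and now >= self.sa1.actual_soft:      # claim 1: soft timeout
            self.sa2 = self.negotiate(now, soft, hard)
        if self.sa2 is not None and now >= self.sa1.actual_hard:  # claims 1 and 5: hard timeout
            self.events.append(f"{now:g}: first IPSec SA deleted")
            self.sa1, self.sa2 = self.sa2, None

def run_timeline() -> Tunnel:
    # IKE SA expires at t=100; the first IPSec SA (soft=150, hard=200) would outlive it
    t = Tunnel(IKE_LIFETIME, set_timers(IpsecSa(150.0, 200.0), IKE_LIFETIME))
    for now in range(200):
        t.tick(float(now), soft=150.0, hard=200.0)
    return t
```

Running `run_timeline()` yields three events: IKE SA re-established and second IPSec SA negotiated at t=101, first IPSec SA deleted at t=131.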
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310233561.1A CN103312713B (en) | 2013-06-13 | 2013-06-13 | Security association negotiation method, device and the network equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103312713A CN103312713A (en) | 2013-09-18 |
CN103312713B true CN103312713B (en) | 2016-08-10 |
Family ID: 49137497
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103312713B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105610577B (en) * | 2016-01-07 | 2018-09-14 | 成都卫士通信息产业股份有限公司 | A kind of system and method preventing IPSec VPN device Multiple tunnel ike negotiations failure |
CN106254204A (en) * | 2016-09-28 | 2016-12-21 | 乐视控股(北京)有限公司 | The collocation method of the Ipsec tunnel vital stage under cloud environment and device |
CN113438094B (en) * | 2020-03-23 | 2022-12-13 | 华为技术有限公司 | Method and equipment for automatically updating manually configured IPSec SA |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2007019583A2 (en) * | 2005-08-09 | 2007-02-15 | Sipera Systems, Inc. | System and method for providing network level and nodal level vulnerability protection in voip networks |
CN101227485A (en) * | 2008-02-04 | 2008-07-23 | 杭州华三通信技术有限公司 | Method and apparatus for negotiating internet cryptographic key exchanging safety coalition existence period |
CN102761553A (en) * | 2012-07-23 | 2012-10-31 | 杭州华三通信技术有限公司 | IPSec SA consultation method and device |
CN102761541A (en) * | 2012-05-31 | 2012-10-31 | 汉柏科技有限公司 | Timer processing method and system |
CN102868523A (en) * | 2012-09-18 | 2013-01-09 | 汉柏科技有限公司 | IKE (Internet Key Exchange) negotiation method |
Also Published As
Publication number | Publication date |
---|---|
CN103312713A (en) | 2013-09-18 |
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
C14 | Grant of patent or utility model |
GR01 | Patent grant |