CN106341404A - IPSec VPN system based on many-core processor and encryption and decryption processing method - Google Patents


Info

Publication number
CN106341404A
Authority
CN
China
Prior art keywords
module
ipsec
encryption
packet
message
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610813840.9A
Other languages
Chinese (zh)
Inventor
陈亮
孟进
王建
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xian Polytechnic University
Original Assignee
Xian Polytechnic University

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272: Virtual private networks
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0485: Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up

Abstract

The invention discloses an IPsec VPN system based on a many-core processor. The system comprises an encryption system and a decryption system and includes a packet receiving module, a rate-limiting module, an ingress firewall module, an IPsec policy retrieval module, an IPsec encapsulation module, an encryption module, a decryption module, an egress firewall, a decapsulation and Ethernet-header insertion module, a re-encapsulation module, an IP packet forwarding module and a packet sending module. The invention also discloses an encryption method and a decryption method that use this IPsec VPN encryption and decryption system. With the IPsec VPN system, the security of data transmitted between connected users can be guaranteed while the requirement for real-time, in-line processing of high-speed network traffic is met. The system of the invention can be applied to various kinds of many-core processors and achieves secure transmission of high-speed network traffic.

Description

IPsec VPN system based on a many-core processor and encryption and decryption processing method
Technical field
The invention belongs to the technical field of network security, and in particular relates to an IPsec VPN system based on a many-core processor (a network security system for the transmission of high-speed network data traffic), and further to a method of encrypting and decrypting high-speed network traffic using the above IPsec VPN system.
Background technology
With the wide application of network technology, the security problems exposed by the TCP/IP protocol suite itself directly threaten the security of IP packets transferred over open, interconnected networks, and have become a major factor limiting the development of future network applications. Network security problems fall mainly into two aspects: on the one hand, the TCP/IP protocol suite itself provides no reliable authentication or encryption technology, so the integrity of data in transit cannot be guaranteed; on the other hand, the TCP/IP protocol suite lacks reliable means of verifying information integrity and mechanisms for controlling resource allocation. These problems threaten the interests of Internet users. Virtual private network (VPN) technology is an important means of ensuring information security in the Internet environment. It establishes a secure, dedicated tunnel across a public network, links the networks of two separate sites into a logically virtual subnet, and uses techniques such as encryption and decryption, identity authentication, integrity checking and access control to guarantee the security of data transfer between connected users.
Likewise, with the rapid development of optical fibre communication, network bandwidth keeps increasing, which places higher demands on the processing capability of most network security devices. To meet the requirement for real-time processing of 10 Gbps high-speed network traffic, many-core technology and many-core processors have also developed rapidly and been widely applied.
Content of the invention
An object of the invention is to provide an IPsec VPN system based on a many-core processor, solving the problem that existing IPsec VPN systems lack the capability to process 10 Gbps high-speed network traffic in real time.
A further object of the invention is to provide the encryption method and decryption method of the above system.
The technical solution adopted by the invention is an IPsec VPN encryption system based on a many-core processor, comprising, connected in sequence, a packet receiving module, a rate-limiting module, an ingress firewall module, an IPsec policy retrieval module, an IPsec encapsulation module, an encryption module, a re-encapsulation module, an IP packet forwarding module and a packet sending module.
Correspondingly, an IPsec VPN decryption system based on a many-core processor comprises, connected in sequence, a packet receiving module, a rate-limiting module, an ingress firewall module, an IPsec policy retrieval module, an IPsec decapsulation module, a decryption module, an egress firewall, a decapsulation and Ethernet-header insertion module, an IP packet forwarding module and a packet sending module.
Another technical solution of the invention is an encryption method using the above IPsec VPN encryption system, comprising the following steps:
The packet receiving module receives packets and load-balances them from the mPIPE onto the multi-core tile CPUs, obtaining the raw network data. The rate-limiting module performs traffic shaping on the packets according to the rate-limit rules of the encryption flow table and discards packets of flows that do not conform to the rate-limit rules. The ingress firewall module filters the packets according to the access control rules of the encryption flow table. The IPsec policy retrieval module matches packets entering from the internal network interface by five-tuple and retrieves the corresponding encryption parameters. The IPsec encapsulation module encapsulates the packets according to the ESP protocol in IPsec tunnel mode. The encryption module encrypts the packets. The re-encapsulation module adds a new IP header and Ethernet header to the encrypted data. The IP packet forwarding module looks up the routing table by the destination IP address of the IP packet and obtains the transmit interface and the MAC address corresponding to the next-hop IP address. The packet sending module sends the packets to the external network.
Correspondingly, in the decryption method using the above IPsec VPN decryption system, the packet receiving module receives packets and load-balances them from the mPIPE onto the multi-core tile CPUs, obtaining the raw network data. The rate-limiting module performs traffic shaping on the packets according to the rate-limit rules of the encryption flow table and discards packets of flows that do not conform to the rate-limit rules. The ingress firewall module filters the packets according to the access control rules of the encryption flow table. The IPsec policy retrieval module matches packets entering from the external network interface by five-tuple and retrieves the corresponding decryption parameters. The IPsec decapsulation module decapsulates the packets according to the ESP protocol in IPsec tunnel mode. The decryption module decrypts the packets. The egress firewall module filters the decrypted plaintext packets according to the access control rules of the decryption flow table. The decapsulation and Ethernet-header insertion module restores the original packet and adds a new Ethernet header. The IP packet forwarding module looks up the routing table by the destination IP address of the IP packet and obtains the transmit interface and the MAC address corresponding to the next-hop IP address. The packet sending module sends the packets through the interface to the internal network.
The beneficial effect of the invention is that the IPsec VPN system based on a many-core network processor can not only guarantee the security of data transfer between connected users but also provide real-time, in-line processing of high-speed network traffic. The system of the invention can be applied to various many-core processors and achieves secure transmission of high-speed network traffic on all of them.
Brief description of the drawings
Fig. 1 is the overall block diagram of the system of the invention;
Fig. 2 is a schematic diagram of mPIPE load balancing;
Fig. 3 is the IPsec encryption processing sequence (internal network interface to external network interface);
Fig. 4 is the IPsec decryption processing sequence (external network interface to internal network interface);
Fig. 5 is the ciphertext packet format;
Fig. 6 is the encapsulation before IPsec decryption;
Fig. 7 is the plaintext packet format;
Fig. 8 is the encapsulation before IPsec encryption;
Fig. 9 is the routing table structure;
Fig. 10 is the security association table structure;
Fig. 11 is the system test diagram;
Fig. 12 is the plaintext data format before encryption;
Fig. 13 is the data format after decryption.
In the figures: 1. packet receiving module; 2. rate-limiting module; 3. firewall module; 4. IPsec policy retrieval module; 5. IPsec protocol encapsulation module; 6. encryption/decryption coprocessor; 7. external network interface egress firewall module; 8. decapsulation and Ethernet-header insertion module; 9. post-encryption packet re-encapsulation module; 10. IP packet forwarding module; 11. packet sending module.
Specific embodiments
The invention is described in further detail below with reference to the accompanying drawings and specific embodiments, but the invention is not limited to these embodiments.
Taking as an example a TCP packet with source IP address 10.0.0.1, source port 1-1023, destination IP address 40.55.28.112, destination port 1-1024 and packet length 128 B, the IPsec VPN system of the invention based on a many-core network processor is described in detail below; the overall processing flow is shown in Fig. 1.
The IPsec VPN system of the invention based on a many-core processor includes an encryption system and a decryption system. The hardware of the system consists of a main processor chip and an encryption/decryption coprocessor chip.
The main processing chip is a many-core network processor with a total of 36 cores, divided between processing control-plane and data-plane traffic. The data plane of the main processor runs on dedicated ZOL CPUs and is responsible for fast-path data processing, including IPsec encapsulation/decapsulation, IP packet forwarding and IPsec policy retrieval; the control plane of the main processor runs on ordinary Linux cores and is responsible for IKE negotiation and exchange, slow-path packet processing such as control packet transmission and reception, and functions such as device configuration management.
The processing flow of the main processing chip is divided into an encryption flow and a decryption flow. The encryption flow receives packets from the internal network, encapsulates and encrypts them, and sends them to the external network; the decryption flow decapsulates and decrypts the packets received from the external network and forwards them to the internal network, achieving end-to-end secure transmission.
The encryption/decryption coprocessor chip is also a many-core network processor with a total of 36 cores; it is mainly responsible for packet encryption and decryption computation and packet order preservation. Its cores are divided into control-plane CPUs, encryption/decryption CPUs and flow order-preserving CPUs. The coprocessor control-plane CPUs run on ordinary Linux cores and handle functions such as device configuration management; the coprocessor encryption/decryption CPUs run on ZOL CPUs and perform AES software encryption/decryption and MD5 integrity checking of packets; the coprocessor flow order-preserving CPUs also run on ZOL CPUs and perform software order preservation on the packets after encryption or decryption.
The many-core processor used in this embodiment is the Tilera GX-36 processor (the processor is divided into four identical processing units, each of 36 cores). This processor provides high processing performance and meets the demand for real-time processing of 10 Gbps network data. It mainly comprises the multicore Programmable Intelligent Packet Engine (mPIPE) and the tile processing cores. The mPIPE is mainly responsible for packet classification and load balancing: packets are dispatched to the corresponding processor cores for processing according to the configured patterns.
The Tilera GX-36 is a processor with the iMesh architecture, an improved matrix structure that allows any two components to communicate simultaneously without conflict. The invention selects the Tilera GX36 multi-core network processor as the hardware platform. It integrates 36 tile processors on a single chip, each with a clock frequency of 1.2 GHz, 32 KB of instruction cache and 32 KB of data cache, 256 KB of level-2 cache, and a 9 MB level-3 cache shared by the 36 cores, and supports processing at 10 Gbps network bandwidth.
(1) Encryption
As shown in Fig. 3, in the IPsec VPN system of this embodiment the encryption system comprises, connected in sequence, packet receiving module 1, rate-limiting module 2, ingress firewall module 3, IPsec policy retrieval module 4, IPsec encapsulation module 5, encryption/decryption coprocessor 6, re-encapsulation module 9, IP packet forwarding module 10 and packet sending module 11.
The method of encrypting high-speed network traffic with this encryption system is as follows:
Step 1, packet reception on the internal network interface
Packet receiving module 1 receives the packets and load-balances them from the mPIPE onto the multi-core tile CPUs, obtaining the raw network data. As shown in Fig. 2, this specifically includes:
Step 1-1, mPIPE classification
According to the rules configured in the mPIPE, each captured packet is judged to be destined for the control plane or the data plane. Control packets are handled by the Linux kernel protocol stack running on the control plane, while user-space data packets bypass the Linux kernel protocol stack and are processed at high speed directly by the data plane.
Step 1-2, mPIPE load balancing
Information such as the packet's five-tuple and VLAN number determines which tile CPU receives and processes the packet. The invention adopts passive flow binding: packets of a flow whose five-tuple and VLAN hash to the same value are sent to the same tile CPU for processing.
Step 2, flow control
Flow control takes place on the tile CPU that receives the packet: rate-limiting module 2 performs traffic shaping on the packets according to the rate-limit rules in the pre-encryption flow table (flow table 1) and discards packets of flows that do not conform to the rate-limit rules. The first received packet of a flow is sent to the access control list for lookup, the corresponding feature configuration is obtained and written to the flow table entry, and flow control is then performed using the traffic features in the flow table entry. For example, for packets whose source IP is 10.0.0.1, the rate-limit rule is --sip 10.0.0.2 --smsk 255.0.0.0 --rate 10000.
Step 3, packet filtering
Packet filtering consists of two parts: the first is performed by the access control list module, the second by the firewall module. The two modules are described as follows:
At the internal network interface ingress, every flow is bandwidth-limited and packets of flows that do not conform to the rate-limit rules are discarded. The first packet of every flow is sent to the access control list module (a module created at system initialization that manages and controls incoming packets; packet filtering means discarding the packets that do not conform to the rules) for matching against the firewall access control rules. A flow table entry is created according to the matching result; subsequent packets look up the flow table and are processed quickly (dropped or forwarded) according to the rule recorded for the flow.
Ingress firewall module 3 sends the first received packet of a flow to the access control list for firewall rule matching, creates a flow table entry according to the matching result and sets the corresponding forwarding rule. Subsequent packets obtain the corresponding rule by looking up the flow table and are filtered (dropped or forwarded) accordingly.
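Steps 1 to 3 above (hashing the five-tuple and VLAN to bind a flow to one tile CPU, per-flow rate limiting, and a first-packet ACL lookup that seeds a flow-table entry used by every later packet of the flow) can be modelled in software. The following Python is an added example written for this page, not code from the patent or from Tilera. The ACL rules, the CRC32 flow hash, the token-bucket shaper, the default-deny ACL result and the reading of "--rate 10000" as packets per second are assumptions; the sample packets are constructed around the patent's example flow (10.0.0.1 to 40.55.28.112, TCP, 128 B).

```python
import ipaddress
import zlib
from dataclasses import dataclass
from typing import Optional

N_TILES = 36  # tile CPUs on the many-core processor described above


@dataclass(frozen=True)
class Packet:
    sip: str
    dip: str
    proto: int      # 6 = TCP, 17 = UDP
    sport: int
    dport: int
    vlan: int
    length: int


def tile_for(pkt: Packet) -> int:
    """Passive flow binding: packets with the same five-tuple and VLAN always land on the
    same tile CPU. CRC32 is an assumed stand-in for the mPIPE hash function."""
    key = f"{pkt.sip}|{pkt.dip}|{pkt.proto}|{pkt.sport}|{pkt.dport}|{pkt.vlan}".encode()
    return zlib.crc32(key) % N_TILES


@dataclass
class RateRule:
    """Software form of the patent's '--sip 10.0.0.2 --smsk 255.0.0.0 --rate 10000'."""
    net: ipaddress.IPv4Network
    rate: float     # tokens per second; the unit is assumed, the patent does not state it


@dataclass
class TokenBucket:
    rate: float
    burst: float
    tokens: float
    last: float

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class AclRule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int]        # None matches any protocol
    sports: range
    dports: range
    action: str                 # "forward" or "drop"

    def matches(self, p: Packet) -> bool:
        return (ipaddress.IPv4Address(p.sip) in self.src
                and ipaddress.IPv4Address(p.dip) in self.dst
                and (self.proto is None or self.proto == p.proto)
                and p.sport in self.sports and p.dport in self.dports)


@dataclass
class FlowEntry:
    tile: int
    action: str
    bucket: Optional[TokenBucket]
    packets: int = 0


class IngressPipeline:
    """Rate limiting (step 2) and then firewall filtering (step 3), both driven by the flow table."""

    def __init__(self, acl, rate_rules):
        self.acl = acl
        self.rate_rules = rate_rules
        self.flow_table = {}

    def _slow_path(self, pkt: Packet) -> FlowEntry:
        # First packet of a flow: consult the ACL and the rate rules, then cache the verdict.
        action = next((r.action for r in self.acl if r.matches(pkt)), "drop")  # default deny assumed
        bucket = None
        for rr in self.rate_rules:
            if ipaddress.IPv4Address(pkt.sip) in rr.net:
                bucket = TokenBucket(rr.rate, rr.rate, rr.rate, 0.0)
                break
        return FlowEntry(tile_for(pkt), action, bucket)

    def process(self, pkt: Packet, now: float) -> str:
        key = (pkt.sip, pkt.dip, pkt.proto, pkt.sport, pkt.dport, pkt.vlan)
        entry = self.flow_table.get(key)
        if entry is None:
            entry = self._slow_path(pkt)
            self.flow_table[key] = entry
        entry.packets += 1
        if entry.bucket is not None and not entry.bucket.allow(now):
            return "drop:rate-limit"
        if entry.action != "forward":
            return "drop:acl"
        return f"forward:tile{entry.tile}"


# Constructed configuration: permit the patent's example flow, rate-limit all of 10.0.0.0/8.
ACL = [AclRule(ipaddress.IPv4Network("10.0.0.1/32"), ipaddress.IPv4Network("40.55.28.112/32"),
               6, range(1, 1024), range(1, 1025), "forward")]
RATE_RULES = [RateRule(ipaddress.IPv4Network(("10.0.0.2", "255.0.0.0"), strict=False), 10000)]


def run_sample():
    pipe = IngressPipeline(ACL, RATE_RULES)
    good = Packet("10.0.0.1", "40.55.28.112", 6, 500, 80, 100, 128)
    udp = Packet("10.0.0.1", "40.55.28.112", 17, 500, 80, 100, 128)   # no ACL match
    verdicts = [pipe.process(good, 0.0) for _ in range(10001)]       # burst of 10001 at t=0
    return {
        "first": verdicts[0],
        "passed": sum(v.startswith("forward") for v in verdicts),
        "over_limit": verdicts[-1],
        "after_refill": pipe.process(good, 0.001),   # 1 ms later: 10 tokens refilled
        "udp": pipe.process(udp, 0.0),
        "flows": len(pipe.flow_table),
    }
```

The mask in the rule (255.0.0.0 applied to 10.0.0.2) is what makes the 10.0.0.1 flow match it, which is why `IPv4Network` is built with `strict=False`; the bucket is created once per flow on the slow path, so later packets only touch the cached entry.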
Step 4, policy retrieval
For packets entering from the internal network interface, IPsec policy retrieval module 4 performs policy retrieval on the filtered plaintext packets by five-tuple (sip, dip, protocol, sport, dport) and retrieves the corresponding encryption parameters, the SA (spi, encryption key, hash key, seq), as shown in Fig. 10.
Step 5, encapsulation
For a packet to be encrypted, whose format is shown in Fig. 7, IPsec encapsulation module 5 performs ESP encapsulation of the packet in IPsec tunnel mode, adding the encryption information (ekey, hkey, spi and seq) to the packet header. The packet format after processing is shown in Fig. 8.
Step 6, encryption
Encryption/decryption coprocessor 6 encrypts the encapsulated packet.
Step 7, re-encapsulation
Re-encapsulation module 9 adds a new IP header and Ethernet header to the encrypted data.
Step 8, IP packet forwarding
IP packet forwarding module 10 looks up the routing table (Fig. 9) by the destination IP address in the IP packet, obtains the transmit interface and the MAC address corresponding to the next-hop IP address, and then performs layer-2 header encapsulation on the packet in preparation for sending it to the external network interface.
Step 9, packet sending
Packet sending module 11 sends the packet to the external network through the interface obtained in step 8.
(2) Decryption
As shown in Fig. 4, in the IPsec VPN system of this example the decryption system comprises, connected in sequence, packet receiving module 1, rate-limiting module 2, ingress firewall module 3, IPsec policy retrieval module 4, IPsec decapsulation module 5, encryption/decryption coprocessor 6, egress firewall 7, decapsulation and Ethernet-header insertion module 8, IP packet forwarding module 10 and packet sending module 11.
The method of decrypting high-speed network traffic with this decryption system is as follows:
Step 1, packet reception on the external network interface
Packet receiving module 1 receives the packets and load-balances them from the mPIPE onto the multi-core tile CPUs, obtaining the raw network data (the packets from the sender's internal network, still encapsulated and not yet decrypted). This specifically includes:
Step 1-1, mPIPE classification
According to the rules configured in the mPIPE, each captured packet is judged to be destined for the control plane or the data plane. Control packets are handled by the Linux kernel protocol stack running on the control plane, while user-space data packets bypass the Linux kernel protocol stack and are processed at high speed directly by the data plane.
Step 1-2, mPIPE load balancing
Information such as the packet's five-tuple and VLAN number determines which tile CPU receives and processes the packet. The invention adopts passive flow binding: packets of a flow whose five-tuple and VLAN hash to the same value are sent to the same tile CPU for processing.
Step 2, flow control
On the tile CPU that receives the packet, rate-limiting module 2 performs traffic shaping on the packets according to the rate-limit rules in the encryption flow table (flow table 1) and discards packets of flows that do not conform to the rate-limit rules. The first received packet of a flow is sent to the access control list for lookup, the corresponding feature configuration is obtained and written to the flow table entry, and flow control is performed using the traffic features in the flow table entry.
Step 3, packet filtering
Ingress firewall module 3 sends the first received packet of a flow to the access control list for firewall rule matching, creates a flow table entry (in the pre-encryption flow table, flow table 1) according to the matching result and sets the corresponding forwarding rule. Subsequent packets obtain the corresponding rule by looking up the flow table and are filtered (dropped or forwarded) accordingly.
Step 4, policy retrieval
IPsec policy retrieval module 4 performs policy retrieval on the filtered packets by five-tuple (sip, dip, protocol, sport, dport) and retrieves the corresponding decryption parameters (decryption key, spi, authentication code, etc.).
Step 5, decapsulation
For a packet to be decrypted, whose format is shown in Fig. 5, IPsec decapsulation module 5 performs ESP decapsulation of the ciphertext packet in IPsec tunnel mode, appending the decryption information (ekey, hkey) to the packet tail. The packet format after processing is shown in Fig. 6.
Step 6, decryption
Encryption/decryption coprocessor 6 decrypts the decapsulated packet.
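Encryption steps 4 to 6 and decryption steps 4 to 6 above (retrieving the SA by five-tuple, ESP tunnel-mode encapsulation carrying spi and seq, and, on the receiving side, the integrity check followed by decryption and removal of the ESP trailer) are modelled together in the Python below. This is an added example written for this page, not the patent's or Tilera's code. The policy table, the tunnel endpoint addresses, the keys and the 128-byte inner packet are constructed; the AES transform that the coprocessor performs is replaced by an MD5-based keystream stand-in that is labelled as such and is not a real cipher; the ICV is HMAC-MD5-96 (RFC 2403), matching the MD5 integrity check the text mentions; and the sliding anti-replay window is standard ESP behaviour (RFC 4303) that the patent text does not describe.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

ESP_PROTO = 50      # IP protocol number of ESP
NEXT_HDR_IPV4 = 4   # tunnel mode: the ESP payload is a complete IPv4 packet
BLOCK = 16          # pad the plaintext to the cipher block size, as for AES
ICV_LEN = 12        # HMAC-MD5-96 truncates the tag to 96 bits
WINDOW = 64         # anti-replay window size (standard ESP, not in the patent text)


@dataclass
class SA:
    spi: int
    ekey: bytes         # encryption key
    hkey: bytes         # hash (integrity) key
    seq: int = 0        # last sequence number sent (encrypt side)
    highest: int = 0    # highest sequence number accepted (decrypt side)
    bitmap: int = 0     # bit d set means sequence number highest - d was already seen


def lookup_sa(spd, ft):
    """Step 4: policy retrieval by five-tuple (sip, dip, proto, sport, dport) -> SA or None."""
    sip, dip, proto, sport, dport = ft
    for (ssip, sdip, sproto, sports, dports), sa in spd:
        if (sip, dip, proto) == (ssip, sdip, sproto) and sport in sports and dport in dports:
            return sa
    return None


def keystream(ekey, spi, seq, n):
    # STAND-IN for the coprocessor's AES: MD5(ekey||spi||seq||counter) blocks. Not a real cipher.
    out = b""
    for ctr in range((n + 15) // 16):
        out += hashlib.md5(ekey + struct.pack("!IIQ", spi, seq, ctr)).digest()
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte header; the checksum is left for the transmit path.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def esp_encapsulate(sa, inner, outer_src, outer_dst):
    """Encrypt side, steps 5 and 6: ESP tunnel-mode framing, then the transform and the ICV."""
    sa.seq += 1
    pad_len = (-(len(inner) + 2)) % BLOCK
    padding = bytes(range(1, pad_len + 1))                       # RFC 4303 default padding
    plaintext = inner + padding + bytes([pad_len, NEXT_HDR_IPV4])
    body = xor(plaintext, keystream(sa.ekey, sa.spi, sa.seq, len(plaintext)))
    esp = struct.pack("!II", sa.spi, sa.seq) + body
    esp += hmac.new(sa.hkey, esp, hashlib.md5).digest()[:ICV_LEN]  # ICV covers SPI, seq and body
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp)) + esp


def replay_ok(sa, seq):
    """Sliding-window check. It updates the window, so call it only after the ICV verified."""
    if seq == 0:
        return False
    if seq > sa.highest:
        shift = seq - sa.highest
        sa.bitmap = ((sa.bitmap << shift) | 1) & ((1 << WINDOW) - 1) if shift < WINDOW else 1
        sa.highest = seq
        return True
    d = sa.highest - seq
    if d >= WINDOW or sa.bitmap & (1 << d):
        return False
    sa.bitmap |= 1 << d
    return True


def esp_decapsulate(sa_by_spi, outer):
    """Decrypt side, steps 4 to 6: SA by SPI, ICV check, replay check, transform, strip trailer."""
    esp = outer[20:]
    spi, seq = struct.unpack("!II", esp[:8])
    sa = sa_by_spi.get(spi)
    if sa is None:
        raise ValueError("no SA for SPI %#x" % spi)
    expected = hmac.new(sa.hkey, esp[:-ICV_LEN], hashlib.md5).digest()[:ICV_LEN]
    if not hmac.compare_digest(esp[-ICV_LEN:], expected):
        raise ValueError("ICV mismatch")
    if not replay_ok(sa, seq):
        raise ValueError("replayed sequence number %d" % seq)
    plain = xor(esp[8:-ICV_LEN], keystream(sa.ekey, spi, seq, len(esp) - 8 - ICV_LEN))
    pad_len, next_hdr = plain[-2], plain[-1]
    if next_hdr != NEXT_HDR_IPV4 or pad_len > len(plain) - 2:
        raise ValueError("bad ESP trailer")
    return plain[:len(plain) - 2 - pad_len]


# Constructed: the patent's example flow (10.0.0.1:1-1023 -> 40.55.28.112:1-1024, TCP, 128 B).
TX_SA = SA(spi=0x1001, ekey=b"\x11" * 16, hkey=b"\x22" * 16)
SPD = [(("10.0.0.1", "40.55.28.112", 6, range(1, 1024), range(1, 1025)), TX_SA)]
RX_SA_BY_SPI = {0x1001: SA(spi=0x1001, ekey=b"\x11" * 16, hkey=b"\x22" * 16)}
INNER = ipv4_header("10.0.0.1", "40.55.28.112", 6, 108) + bytes(range(108))  # constructed 128 B


def roundtrip(five_tuple=("10.0.0.1", "40.55.28.112", 6, 500, 80)):
    sa = lookup_sa(SPD, five_tuple)
    outer = esp_encapsulate(sa, INNER, "192.0.2.1", "198.51.100.1")   # tunnel endpoints assumed
    return outer, esp_decapsulate(RX_SA_BY_SPI, outer)
```

The receive side checks the ICV before touching the replay window and before decrypting, so a tampered or replayed packet is rejected without any state change; a real implementation would also check the window (read-only) before spending the HMAC, which is cheap to add to `esp_decapsulate`.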
Step 7, policy control
Egress firewall module 7 filters the decrypted plaintext packets according to the access control rules in the post-decryption flow table (flow table 2).
Step 8, Ethernet header insertion
Decapsulation and Ethernet-header insertion module 8 restores the original packet and adds a new Ethernet header.
Step 9, IP packet forwarding
IP packet forwarding module 10 looks up the routing table by the destination IP address in the IP packet, obtains the transmit interface and the MAC address corresponding to the next-hop IP address, and then performs layer-2 header encapsulation on the packet in preparation for sending it to the internal network interface.
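The IP packet forwarding step is the same operation in both directions (step 8 of the encryption flow and step 9 of the decryption flow above): a routing-table lookup by destination IP yields the transmit interface and next-hop IP, a neighbour lookup yields the next-hop MAC, and a layer-2 header is prepended. The Python below is an added example for this page, not the patent's code. The routing table, neighbour (ARP) table, interface names and MAC addresses are constructed, and longest-prefix matching is an assumption (the patent shows the table structure in Fig. 9 but does not state its lookup rule).

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_IPV4 = 0x0800


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]   # None: directly connected, deliver to the destination itself
    iface: str


def lookup_route(routes, dst: str) -> Optional[Route]:
    """Longest-prefix match on the destination address (assumed lookup rule)."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen) if candidates else None


def resolve_next_hop(routes, neighbours, dst: str):
    """Returns (iface, next_hop_ip, next_hop_mac) or raises when the packet cannot be forwarded."""
    route = lookup_route(routes, dst)
    if route is None:
        raise LookupError("no route to %s" % dst)
    nh = route.next_hop or dst
    mac = neighbours.get((route.iface, nh))
    if mac is None:
        raise LookupError("no neighbour entry for %s on %s" % (nh, route.iface))  # ARP needed
    return route.iface, nh, mac


def add_l2_header(iface_macs, iface: str, dst_mac: bytes, ip_packet: bytes) -> bytes:
    """Layer-2 encapsulation: destination MAC, source MAC of the transmit interface, EtherType."""
    return struct.pack("!6s6sH", dst_mac, iface_macs[iface], ETHERTYPE_IPV4) + ip_packet


def forward(routes, neighbours, iface_macs, ip_packet: bytes):
    """The forwarding step: read the destination IP from the header, resolve it, build the frame."""
    dst = str(ipaddress.IPv4Address(ip_packet[16:20]))
    iface, nh, mac = resolve_next_hop(routes, neighbours, dst)
    return iface, add_l2_header(iface_macs, iface, mac, ip_packet)


# Constructed tables: 'xgbe0' faces the internal network, 'xgbe1' the external network.
ROUTES = [
    Route(ipaddress.IPv4Network("10.0.0.0/8"), None, "xgbe0"),
    Route(ipaddress.IPv4Network("40.55.0.0/16"), "40.55.0.1", "xgbe1"),
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "203.0.113.1", "xgbe1"),
]
NEIGHBOURS = {
    ("xgbe0", "10.0.0.1"): bytes.fromhex("020000000001"),
    ("xgbe1", "40.55.0.1"): bytes.fromhex("020000000002"),
    ("xgbe1", "203.0.113.1"): bytes.fromhex("020000000003"),
}
IFACE_MACS = {"xgbe0": bytes.fromhex("02000000aa00"), "xgbe1": bytes.fromhex("02000000bb00")}


def ipv4_packet(src: str, dst: str, payload: bytes) -> bytes:
    # Minimal IPv4 header (checksum left zero), only used to build sample packets here.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload
```

A destination with a route but no neighbour entry is the case a real data plane hands to the slow path (ARP resolution on the control plane); here it surfaces as a `LookupError` so the caller can see that the packet was not forwarded rather than silently framed with a wrong MAC.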
Step 10, packet sending
Packet sending module 11 sends the packet to the internal network through the interface obtained in the IP packet forwarding step.
To verify whether the IPsec VPN system based on the Tilera many-core network processor meets the original design requirements, the whole system was tested in two respects, functional testing and performance testing, and the test data were then analysed. The test environment of the IPsec VPN system based on the Tilera many-core network processor is connected as shown in Fig. 11 and comprises two Tilera GX36 many-core processing platforms, one external network device and one internal network device. In the invention a Tilera GX36 is used to simulate the external network device and the internal network device; the external network device is connected to subnet A and the internal network device to subnet B. The encryption/decryption coprocessor is connected to the IPsec VPN device based on the Tilera GX36 by optical modules, and the external and internal network devices establish a secure connection through the Tilera GX36 IPsec VPN device. All four devices use the Tilera GX36 many-core network processing platform; each Tilera GX36 is a 36-core Tilera processor in which each tile CPU runs at up to 1.2 GHz and has 32 KB of private level-1 instruction cache, 32 KB of private level-1 data cache, 256 KB of private level-2 cache and up to 26 MB of shared cache; each many-core network processing platform uses 8 GB of DDR3 memory with a memory access speed of 1333 MT/s. The devices are connected by optical modules and support a transmission capability of 10 Gbps. To simulate a real network environment and improve test accuracy, the system was tested with different packet lengths (64 B, 256 B, 1518 B) and different protocol types (TCP and UDP IP packets), and the test results were analysed in terms of bits per second (bps). (All devices are connected through a switch.)
Functional testing mainly analyses and verifies whether the service logic of the system is correct. In the invention it mainly tests the IPsec protocol encapsulation function, covering whether the processing logic of the IPsec protocol encapsulation, IPsec policy retrieval, encryption/decryption and IP packet forwarding modules is correct. The test is divided into an encryption flow and a decryption flow, and finally the data before and after encryption and decryption are compared to verify the feasibility of the system.
(1) Encryption flow
During the test, the firewall, bandwidth-limit, QoS and security policy rules are configured in advance and the program is then started for functional testing. The data flow through the system is as follows:
(1) The internal network device connected to the subnet B internal network sends UDP packets of length 64 B at a rate of 10 Gbps using a packet generator.
(2) The IPsec VPN system based on the Tilera GX36 captures the network packets from the XAUI port through the mPIPE, then performs internal network interface rate limiting, firewall filtering, IPsec policy retrieval and pre-encryption encapsulation, and finally sends the encapsulated packets to the encryption/decryption coprocessor.
(3) The encryption/decryption coprocessor captures the network packets from the XAUI port through the mPIPE, encrypts the data, and finally sends the encrypted packets to the main processor through the XAUI port.
(4) The main processor captures the network packets from the XAUI port through the mPIPE; after the encrypted packets have been processed by the encapsulation and IPsec packet forwarding modules, the ciphertext data are sent to the external network device connected to the subnet A external network.
The pcap capture of the IP packets sent by the internal network device to the main processor for encryption is shown in Fig. 12:
(2) Decryption flow
During the test, the firewall, bandwidth-limit, QoS and security policy rules are configured in advance and the program is then started for functional testing. The data flow through the system is as follows:
(1) The external network device connected to the subnet A external network sends encrypted IPsec packets at a rate of 10 Gbps using a packet generator.
(2) The main processor captures the network packets from the XAUI port through the mPIPE, then performs external network interface rate limiting, firewall filtering, IPsec policy retrieval and pre-decryption decapsulation, and finally sends the decapsulated packets to the encryption/decryption coprocessor.
(3) The encryption/decryption coprocessor captures the network packets from the XAUI port through the mPIPE, decrypts the data, and finally sends the decrypted packets to the main processor through the XAUI port.
(4) The main processor captures the network packets from the XAUI port through the mPIPE; after processing by the egress interface firewall, the decapsulation and Ethernet-header insertion module and the IPsec packet forwarding module, the data are sent to the internal network device connected to the subnet B internal network.
The format of the decrypted packets that the main processor delivers to the internal network device is shown in Fig. 13:
As Figs. 12 and 13 show, after the same plaintext data has been encrypted and then decrypted, the encapsulation format of the packet is identical, which meets the target and demonstrates that the service logic of the system is correct.
The performance test mainly measures the effect of packet length on the system's processing capability, i.e. whether the 40 Gbps processing capability for packets of different lengths proposed in the original design can be reached. The test environment is shown in Fig. 11. The invention was tested in a network environment of 10k flows, in the encryption direction and the decryption direction respectively, with packets of different lengths (64 B, 128 B, 196 B, 1518 B); the test results are shown in Table 1.
Table 1: System throughput for different packet lengths
As Table 1 shows, in both the encryption and decryption directions the system meets the 40 Gbps processing capability for IP packets of all the tested lengths (64 B, 128 B, 196 B, 1518 B).
The above description of the invention covers some of its embodiments, but the invention is not limited to the specific embodiments described above. The specific embodiments described above are illustrative, not restrictive. Any specific extension that employs the apparatus and method of the invention without departing from the inventive concept and the scope of the claimed protection falls within the scope of protection of the invention.

Claims (4)

1. An IPsec VPN encryption system based on a many-core processor, characterised in that it comprises, connected in sequence: a message receiving module, a rate-limiting module, an ingress firewall module, an IPsec policy retrieval module, an IPsec encapsulation module, an encryption module, an encapsulation module, an IP packet forwarding module and a message sending module.
2. An IPsec VPN decryption system based on a many-core processor, characterised in that it comprises, connected in sequence: a message receiving module, a rate-limiting module, an ingress firewall module, an IPsec policy retrieval module, an IPsec decapsulation module, a decryption module, an egress firewall module, a decapsulation and Ethernet header insertion module, an IP packet forwarding module and a message sending module.
3. An encryption method using the IPsec VPN encryption system of claim 1, characterised in that it comprises the following steps:
A message is received by the message receiving module, which load-balances messages from the mPIPE onto the multi-core Tile CPUs and obtains the original network data; the rate-limiting module performs traffic shaping on the message according to the rate-limiting rules of the encryption flow table and discards packets of flows that do not conform to the rate-limiting rules; the ingress firewall module filters the message according to the access control rules of the encryption flow table; the IPsec policy retrieval module matches the packet arriving on the internal network interface by its five-tuple and retrieves the corresponding encryption parameters; the IPsec encapsulation module encapsulates the packet according to the ESP protocol in IPsec tunnel mode; the encryption module encrypts the packet; the encapsulation module adds a new IP header and Ethernet header to the encrypted data; the IP packet forwarding module queries the routing table with the destination IP address of the IP packet and obtains the transmit interface and the MAC address corresponding to the next-hop IP address; the message sending module sends the packet to the external network.
4. A decryption method using the IPsec VPN decryption system of claim 2, characterised in that it comprises the following steps:
A message is received by the message receiving module, which load-balances messages from the mPIPE onto the multi-core Tile CPUs and obtains the original network data; the rate-limiting module performs traffic shaping on the message according to the rate-limiting rules of the encryption flow table and discards packets of flows that do not conform to the rate-limiting rules; the ingress firewall module filters the message according to the access control rules of the encryption flow table; the IPsec policy retrieval module matches the packet arriving on the external network interface by its five-tuple and retrieves the corresponding decryption parameters; the IPsec decapsulation module decapsulates the packet according to the ESP protocol in IPsec tunnel mode; the decryption module decrypts the packet; the egress firewall module filters the decrypted plaintext message according to the access control rules of the decryption flow table; the decapsulation and Ethernet header insertion module restores the original message and adds a new Ethernet header; the IP packet forwarding module queries the routing table with the destination IP address of the IP packet and obtains the transmit interface and the MAC address corresponding to the next-hop IP address; the message sending module sends the packet to the internal network interface.
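The ESP tunnel-mode steps shared by claims 3 and 4 (the policy lookup yields the SA parameters, then the packet is ESP-encapsulated and encrypted on the way out, and ICV-checked, decrypted and decapsulated on the way in), as an added Go example that is not code from the patent. It assumes AES-GCM (RFC 4106) as the ESP cipher, which the patent does not specify, and the SPI, key and salt are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// SA is what the five-tuple policy lookup returns: SPI, salt and AES-GCM key (RFC 4106); seq is the outbound ESP sequence number and also the source of the 8-byte IV.
type SA struct{ spi, seq uint32; salt [4]byte; aead cipher.AEAD }

// NewSA binds a 16-byte AES key and 4-byte salt to an SPI (constructed demo values, not the patent's).
func NewSA(spi uint32, key []byte, salt [4]byte) (*SA, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return &SA{spi: spi, salt: salt, aead: aead}, nil
}

// Encapsulate is the tunnel-mode ESP step (RFC 4303): SPI || seq || IV || AES-GCM(inner IP packet ||
// pad || pad-len || next-header=4) || ICV. The encapsulation module then prepends outer IP/Ethernet headers.
func (sa *SA) Encapsulate(inner []byte) []byte {
	sa.seq++
	pad := (4 - (len(inner)+2)%4) % 4 // pad so the 2-byte trailer ends on a 4-byte boundary
	pt := append(append(append([]byte{}, inner...), make([]byte, pad)...), byte(pad), 4)
	hdr := make([]byte, 16) // SPI(4) || seq(4) || IV(8); IV = counter, unique per key, never reused
	binary.BigEndian.PutUint64(hdr[0:], uint64(sa.spi)<<32|uint64(sa.seq))
	binary.BigEndian.PutUint64(hdr[8:], uint64(sa.seq))
	// RFC 4106: nonce = salt || IV, AAD = SPI || seq; output = hdr || ciphertext || 16-byte ICV
	return sa.aead.Seal(hdr, append(sa.salt[:], hdr[8:16]...), pt, hdr[:8])
}

// Decapsulate checks SPI and ICV, decrypts, strips the trailer and returns the inner IP packet.
func (sa *SA) Decapsulate(esp []byte) ([]byte, error) {
	if len(esp) < 18+sa.aead.Overhead() || binary.BigEndian.Uint32(esp) != sa.spi {
		return nil, errors.New("esp: short packet or SPI mismatch")
	}
	pt, err := sa.aead.Open(nil, append(sa.salt[:], esp[8:16]...), esp[16:], esp[:8])
	if err != nil {
		return nil, err // ICV failure: the packet is dropped, never forwarded
	}
	pl := int(pt[len(pt)-2]) // trailer: pad-len, then next-header (4 = inner IPv4)
	if pt[len(pt)-1] != 4 || pl > len(pt)-2 {
		return nil, errors.New("esp: bad trailer")
	}
	return pt[:len(pt)-2-pl], nil
}
```

A real gateway would also run the anti-replay window over the sequence number before Open, and would never reuse an SPI/key pair after seq wraps.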
Application CN201610813840.9A, filed 2016-09-09 (priority date 2016-09-09); published as CN106341404A (en) on 2017-01-18; family ID 57822944; country: CN (legal status: pending).


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170118