CN109218308A - A data high-speed secure exchange method based on an intelligent network adapter


Info

Publication number: CN109218308A
Authority: CN (China)
Prior art keywords: data; intelligent network; network adapter; exchange method; queue
Legal status: Pending
Application number: CN201811072394.6A
Other languages: Chinese (zh)
Inventors: 葛云生, 蔡斌
Current assignee: Shanghai Fuhua Network Technology Co Ltd
Original assignee: Shanghai Fuhua Network Technology Co Ltd
Priority date: 2018-09-14
Filing date: 2018-09-14
Publication date: 2019-01-15
Application filed by Shanghai Fuhua Network Technology Co Ltd
Priority to CN201811072394.6A
Publication of CN109218308A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0823 Errors, e.g. transmission errors
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/50 Queue scheduling

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Environmental & Geological Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a data high-speed secure exchange method based on an intelligent network adapter. Two intelligent accelerator cards are installed on test servers, which act as the server physically isolating the internal network (Intranet) from the external network (outer net) and are placed between them. The outer net may be the Internet, whose security is not high; a network of lower classification within the same department; or a lower-level department with a different security classification. When data from the outer net needs to be transferred, the method intercepts the TCP/IP data stream, filters out and discards the TCP/IP protocol format, restores the upper-layer application data and, after a series of protective measures such as security processing, exchanges the data securely and at high speed into the Intranet.

Description

A data high-speed secure exchange method based on an intelligent network adapter
Technical field
The present invention relates to the field of computer network security. It can be integrated into a security isolation and information exchange system and can support high-speed secure data exchange over multiple logical transport channels.
Background technique
With the continuous application and improvement of network technology, the Internet has become an important channel for publishing information and plays an indispensable role in information exchange; a series of network applications such as enterprise office automation, e-commerce, open government affairs and the informatization of organizations of all kinds have flourished along with it. However, network attacks by hackers, the spread of viruses, unauthorized access, information leakage and similar problems mean that the information networks and core business data of enterprises and government organs face security risks, or problems of timeliness, when they are partially shared with the outside world.
Summary of the invention
The technical problem to be solved by the present invention is the above-mentioned problem faced by existing high-speed secure data exchange between a high-sensitivity network and a low-sensitivity network.
To remedy the above technical problem, the technical solution adopted by the present invention is as follows: a data high-speed secure exchange method based on an intelligent network adapter, comprising the following steps:
Two intelligent network adapters are configured and installed separately on two hosts serving as test servers, with the physical interfaces of the intelligent network adapters connected directly;
The sending program on the transmitting-end host writes data into the memory of a zero-copy send channel, limits the transmission rate and monitors the transmission state, interrupting data transmission in real time if the network on either side is abnormal;
The sending program switches to kernel mode, converts the data already written into the zero-copy send channel into hardware instructions and inserts them into the IQ hardware queue;
The sending program sends a doorbell signal to the intelligent network adapter over PCI-E;
The intelligent network adapter obtains the original data to be sent via the PKI (packet input unit) and encrypts the original data with its hardware encryption/decryption engine;
The intelligent network adapter inserts the encrypted data into a send backup queue and then sends it to the peer through the transmission unit;
The receiving-end intelligent network adapter receives the data via its PKI and decrypts it with the crypto engine;
The decrypted data is inserted into a receive order-preserving queue, and the intelligent network adapter transfers the original data over the PCI-E bus into the host's receive queue using the DMA engine;
The receiving-end intelligent network adapter forwards packet-loss messages and back-pressure information to the peer intelligent network adapter through the transmission unit;
The receiving program on the receiving-end host obtains the original data from the zero-copy receive queue.
Further, when the receiving-end intelligent network adapter is not correctly configured or the receive channel is blocked, data transmission is interrupted.
Further, the kernel automatically generates a sequence number for the data to implement the order-preserving function.
Further, the receiving-end intelligent network adapter monitors data packet loss and the receive queue of the receiving-end host in real time.
The invention has the following advantages: using an intelligent 10-gigabit multi-core platform, functions such as order preservation, retransmission, encryption/decryption and zero-copy transmission of the data in the logical transport channels are handled by the multi-core platform of the intelligent network adapter; combined with the dedicated transmit/receive interface provided on the x86 side, this achieves isolated data exchange between the internal and external networks while ensuring high performance, high reliability and high security.
Detailed description of the invention
Fig. 1 is a schematic diagram of the sending logic of the invention.
Fig. 2 is a schematic diagram of the receiving logic of the invention.
Specific embodiment
A specific embodiment of the invention is described below with reference to the drawings.
In the data high-speed secure exchange method based on an intelligent network adapter of the invention, two intelligent accelerator cards are installed on test servers, which act as the server physically isolating the internal network from the external network and are placed between the Intranet (high-sensitivity network) and the outer net (low-sensitivity network). The outer net may be the Internet, whose security is not high; a network of lower classification within the same department; or a lower-level department with a different security classification. When data from the outer net needs to be transferred, the method intercepts the TCP/IP data stream, filters out and discards the TCP/IP protocol format, restores the upper-layer application data and, after a series of protective measures such as security processing, exchanges the data securely and at high speed into the Intranet, and vice versa.
Network deployment is carried out first:
A) Two test servers serve as the interconnection devices between the high-sensitivity network and the low-sensitivity network.
B) On each test server, install one intelligent network adapter with multiple 10-gigabit network interfaces, and connect all 10-gigabit interfaces directly by fibre.
Configure the intelligent network adapter multi-core platform: this includes configuration of the hardware co-processors, including PKI (packet input unit), PKO (transmission unit), DMA and Crypto (encryption/decryption); the dual-card handshake protocol; TX (transmit) status monitoring; the TX backup queue; TX retransmission; RX (receive) congestion; the RX order-preserving queue; 64 concurrent logical transport channels; and network interface monitoring statistics.
Configure the x86 side: zero-copy memory for high-speed data transmission and reception, transmission rate limiting, transmit/receive status, interface configuration, information statistics management and the drivers associated with the intelligent network adapter.
As shown in Fig. 1, the sending logic of the invention comprises the following steps:
1) Overall transmission rate limiting (within what the 10-gigabit interface can bear; here the rate is controlled to 9 Gbps or below): its purpose is to keep data transmission within a reasonable range so as to ensure reliable transmission.
2) Send status monitoring: if the network on either side is abnormal, data transmission is interrupted/prevented in real time; if a link goes down during data transmission, transmission automatically switches to another valid link and continues.
3) The sending program writes data into the memory of the zero-copy send channel.
4) The sending program switches to kernel mode and converts the data already written into the zero-copy send channel into hardware instructions.
5) The hardware instructions are inserted into the IQ hardware queue.
6) A doorbell signal is sent to the intelligent network adapter over PCI-E.
7) The intelligent network adapter obtains the original data to be sent via the PKI.
8) The intelligent network adapter encrypts the original data with its hardware encryption/decryption engine.
9) The intelligent network adapter inserts the encrypted data into the send backup queue.
10) The intelligent network adapter sends the encrypted data to the peer via the PKO.
In step 2), a network abnormality on either side includes all links being interrupted, the peer intelligent network adapter not being correctly configured, and receive channel congestion.
In step 4), the kernel automatically generates a sequence number for the data to implement the order-preserving function.
In step 9), the send backup queue mainly serves to ensure order preservation/retransmission of the data transmission.
As shown in Fig. 2, the receiving logic of the invention comprises the following steps:
1) The intelligent network adapter receives data via the PKI.
2) The intelligent network adapter decrypts the data with the crypto engine.
3) The intelligent network adapter inserts the original data into the receive order-preserving queue.
4) The intelligent network adapter transfers the original data over the PCI-E bus into the x86 receive queue using the DMA engine.
5) The intelligent network adapter monitors data packet loss and the x86 receive queue in real time.
6) The intelligent network adapter forwards the related messages to the peer via the PKO.
7) The x86 receiving program obtains the original data from the zero-copy receive queue.
In step 3), the receive order-preserving queue mainly serves to ensure order preservation/retransmission of the data transmission.
In step 5), the x86 receive queue is monitored in real time, and congestion is managed by sending back-pressure.
In step 6), the forwarded messages include packet-loss messages and transmit back-pressure messages.
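The sending logic of Fig. 1 and the receiving logic of Fig. 2 above, simulated end to end in user-space C as an added example (this is not code from the patent or from Shanghai Fuhua Network Technology). A sender numbers each frame, keeps a copy in a TX backup queue and encrypts before putting the frame on the wire; the receiver decrypts, parks frames in an RX order-preserving queue, moves in-order frames into a fixed-size host receive queue, reports a gap as a packet-loss message and raises back-pressure when the host queue is full; the sender retransmits from the backup queue on a loss message and pauses on back-pressure. The XOR "cipher", the queue sizes, the frame layout and the scenario (eight frames, the fourth dropped on the fibre, a host that drains slowly) are constructed stand-ins for the card's hardware engines and are not specified by the patent; rate limiting and link fail-over (steps 1 and 2) are not modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NFRAMES 8   /* frames in the constructed scenario */
#define SLOTS   16  /* depth of the TX backup and RX order-preserving queues (constructed) */
#define RX_CAP  4   /* host zero-copy receive queue capacity (constructed) */
#define PAYLOAD 8

typedef struct { uint32_t seq; uint8_t data[PAYLOAD]; int valid; } frame_t;

typedef struct {
    uint32_t next_seq;      /* sequence number assigned on the kernel path (Fig. 1 step 4) */
    frame_t backup[SLOTS];  /* TX backup queue: copy kept for retransmission (Fig. 1 step 9) */
    int paused;             /* set while the peer signals back-pressure */
    int retransmits;
} sender_t;

typedef struct {
    uint32_t expect;        /* next sequence number owed to the host, in order */
    frame_t reorder[SLOTS]; /* RX order-preserving queue, indexed by seq % SLOTS (Fig. 2 step 3) */
    uint8_t host_q[RX_CAP][PAYLOAD]; /* host receive queue filled by DMA (Fig. 2 step 4) */
    int host_depth;         /* monitored for congestion (Fig. 2 step 5) */
    int delivered, in_order;
    uint32_t last_delivered;
} receiver_t;

/* Stand-in for the card's hardware encrypt/decrypt engine: a fixed-byte XOR.
 * Constructed for this simulation only; it provides no real confidentiality. */
static void toy_crypt(uint8_t *buf) { for (int i = 0; i < PAYLOAD; i++) buf[i] ^= 0x5A; }

/* Send path: number the data, keep a backup copy, encrypt, put the frame on the wire.
 * Returns 0 when sent, -1 while back-pressured. */
static int sender_emit(sender_t *s, const uint8_t *data, frame_t *wire) {
    if (s->paused) return -1;
    frame_t f = { .seq = s->next_seq++, .valid = 1 };
    memcpy(f.data, data, PAYLOAD);
    s->backup[f.seq % SLOTS] = f;
    *wire = f;
    toy_crypt(wire->data);
    return 0;
}

/* Retransmit a frame from the backup queue after a packet-loss message names its sequence. */
static int sender_on_loss(sender_t *s, uint32_t seq, frame_t *wire) {
    frame_t *b = &s->backup[seq % SLOTS];
    if (!b->valid || b->seq != seq) return -1;
    *wire = *b;
    toy_crypt(wire->data);
    s->retransmits++;
    return 0;
}

/* Move consecutive in-order frames from the reorder queue into the host queue while it has room. */
static void receiver_flush(receiver_t *r) {
    while (r->host_depth < RX_CAP) {
        frame_t *f = &r->reorder[r->expect % SLOTS];
        if (!f->valid || f->seq != r->expect) break;
        memcpy(r->host_q[r->host_depth++], f->data, PAYLOAD);
        if (r->delivered && f->seq != r->last_delivered + 1) r->in_order = 0;
        r->last_delivered = f->seq;
        r->delivered++;
        r->expect++;
        f->valid = 0;
    }
}

/* Receive path: decrypt, park in the order-preserving queue, deliver what is in order.
 * *lost_seq is set to the missing sequence number (else UINT32_MAX); the return value is 1
 * when back-pressure must be sent to the peer because the host queue is full. */
static int receiver_ingest(receiver_t *r, frame_t wire, uint32_t *lost_seq) {
    toy_crypt(wire.data);
    r->reorder[wire.seq % SLOTS] = wire;
    *lost_seq = (wire.seq > r->expect && !r->reorder[r->expect % SLOTS].valid) ? r->expect : UINT32_MAX;
    receiver_flush(r);
    return r->host_depth >= RX_CAP;
}

/* The host receive program consuming the zero-copy receive queue (Fig. 2 step 7). */
static void host_drain(receiver_t *r) { r->host_depth = 0; receiver_flush(r); }

/* Constructed scenario: NFRAMES frames, the one with seq 3 is lost on the fibre, and the host
 * drains only when the sender is back-pressured. Returns the number of frames delivered to the
 * host, or -1 if any frame was delivered out of order. */
int run_exchange(sender_t *s, receiver_t *r) {
    memset(s, 0, sizeof *s); memset(r, 0, sizeof *r); r->in_order = 1;
    frame_t wire; uint32_t lost;
    for (int i = 0; i < NFRAMES; i++) {
        uint8_t data[PAYLOAD]; memset(data, 'a' + i, PAYLOAD);
        while (sender_emit(s, data, &wire) < 0) { host_drain(r); s->paused = 0; }
        if (wire.seq == 3) continue;                       /* the dropped frame */
        if (receiver_ingest(r, wire, &lost)) s->paused = 1;
        if (lost != UINT32_MAX && sender_on_loss(s, lost, &wire) == 0 && receiver_ingest(r, wire, &lost))
            s->paused = 1;
    }
    host_drain(r);
    return r->in_order ? r->delivered : -1;
}

int main(void) {
    sender_t s; receiver_t r;
    int n = run_exchange(&s, &r);
    printf("delivered=%d in order, retransmits=%d, next expected seq=%u\n", n, s.retransmits, r.expect);
    return n == NFRAMES ? 0 : 1;
}
```

The point of the simulation is the interplay the patent relies on: the backup queue is what makes a loss message actionable (without the retained copy there is nothing to retransmit), the order-preserving queue is what lets frame 4 wait for the retransmitted frame 3 instead of being handed to the host out of order, and back-pressure is raised from the host queue depth rather than from the wire, so a slow host stalls the sender instead of overflowing the queue.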
The present invention uses an intelligent 10-gigabit multi-core platform: functions such as order preservation, retransmission, encryption/decryption and zero-copy transmission of the data in the logical transport channels are handled by the multi-core platform of the intelligent network adapter, and combined with the dedicated transmit/receive interface provided on the x86 side this achieves isolated data exchange between the internal and external networks while ensuring high performance, high reliability and high security.

Claims (4)

1. A data high-speed secure exchange method based on an intelligent network adapter, comprising the following steps:
Two intelligent network adapters are configured and installed separately on two hosts serving as test servers, with the physical interfaces of the intelligent network adapters connected directly;
The sending program on the transmitting-end host writes data into the memory of a zero-copy send channel, limits the transmission rate and monitors the transmission state, interrupting data transmission in real time if the network on either side is abnormal;
The sending program switches to kernel mode, converts the data already written into the zero-copy send channel into hardware instructions and inserts them into the hardware instruction input queue;
The sending program sends a doorbell signal to the intelligent network adapter over PCI-E;
The intelligent network adapter obtains the original data to be sent via the PKI and encrypts the original data with its hardware encryption/decryption engine;
The intelligent network adapter inserts the encrypted data into a send backup queue and then sends it to the peer through the transmission unit;
The receiving-end intelligent network adapter receives the data via its PKI and decrypts it with the crypto engine;
The decrypted data is inserted into a receive order-preserving queue, and the intelligent network adapter transfers the original data over the PCI-E bus into the host's receive queue using the DMA engine;
The receiving-end intelligent network adapter forwards packet-loss messages and back-pressure information to the peer intelligent network adapter through the transmission unit;
The receiving program on the receiving-end host obtains the original data from the zero-copy receive queue.
2. The data high-speed secure exchange method based on an intelligent network adapter according to claim 1, characterised in that data transmission is interrupted when the receiving-end intelligent network adapter is not correctly configured or the receive channel is blocked.
3. The data high-speed secure exchange method based on an intelligent network adapter according to claim 1, characterised in that the kernel automatically generates a sequence number for the data to implement the order-preserving function.
4. The data high-speed secure exchange method based on an intelligent network adapter according to claim 1, characterised in that the receiving-end intelligent network adapter monitors data packet loss and the receive queue of the receiving-end host in real time.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811072394.6A CN109218308A (en) 2018-09-14 2018-09-14 A kind of data high-speed secure exchange method based on intelligent network adapter


Publications (1)

Publication Number Publication Date
CN109218308A true CN109218308A (en) 2019-01-15

Family

ID=64983969

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811072394.6A Pending CN109218308A (en) 2018-09-14 2018-09-14 A kind of data high-speed secure exchange method based on intelligent network adapter

Country Status (1)

Country Link
CN (1) CN109218308A (en)


Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102624726A (en) * 2012-03-07 2012-08-01 上海盖奇信息科技有限公司 Multi-core intelligent network card platform-based ultrahigh-bandwidth network security audit method
WO2016086385A1 (en) * 2014-12-04 2016-06-09 华为技术有限公司 Congestion control method, device and system
CN106506540A (en) * 2016-12-15 2017-03-15 北京三未信安科技发展有限公司 A kind of intranet data transmission method of attack resistance and system
CN108243116A (en) * 2016-12-23 2018-07-03 华为技术有限公司 A kind of flow control methods and switching equipment


Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109889506A (en) * 2019-01-24 2019-06-14 黄洪廉 Electric power big data network monitoring system
CN113778320A (en) * 2020-06-09 2021-12-10 华为技术有限公司 Network card and method for processing data by network card
CN112637176A (en) * 2020-12-17 2021-04-09 山东云天安全技术有限公司 Industrial network data isolation method, device and storage medium
CN112637176B (en) * 2020-12-17 2021-08-20 山东云天安全技术有限公司 Industrial network data isolation method, device and storage medium
CN113595694A (en) * 2021-09-28 2021-11-02 阿里巴巴(中国)有限公司 Data transmission method, computing device and storage medium
CN113595694B (en) * 2021-09-28 2022-04-01 阿里巴巴(中国)有限公司 Data transmission method, computing device and storage medium
CN115118459A (en) * 2022-06-02 2022-09-27 合肥卓讯云网科技有限公司 Method and equipment for realizing secure data exchange based on security card and isolation card heterogeneous

Similar Documents

Publication Publication Date Title
CN109218308A (en) A kind of data high-speed secure exchange method based on intelligent network adapter
CN109842585B (en) Network information safety protection unit and protection method for industrial embedded system
JP4698982B2 (en) Storage system that performs cryptographic processing
EP2104892B1 (en) Secure archive
US10678913B2 (en) Apparatus and method for enhancing security of data on a host computing device and a peripheral device
US10255463B2 (en) Secure computer architecture
AU2018389883B2 (en) Device and method for transmitting data between a first and a second network
CN206712810U (en) A kind of high speed password card based on PCI E buses
CN103237036A (en) Device for realizing physical partition of internal and external networks
KR101534566B1 (en) Apparatus and method for security control of cloud virtual desktop
CN103209191A (en) Method for realizing physical partition of internal and external networks
CN109660565A (en) A kind of isolation gap equipment and implementation method
US20180241723A1 (en) Interconnection device, management device, resource-disaggregated computer system, method, and medium
EP2577548B1 (en) Network security content checking
CN114553577B (en) Network interaction system and method based on multi-host double-isolation secret architecture
CN112804265B (en) Unidirectional network gate interface circuit, method and readable storage medium
CN209419652U (en) A kind of isolation gap equipment
KR101227086B1 (en) Method and apparatus for data communication between physically separated networks
CN109688155A (en) A kind of network data security processing method, device and platform
CN218850785U (en) Network data isolation encryption system
Anderson et al. High-Performance Interface Architectures for Cryptographic Hardware
KR101495522B1 (en) Communication system for high speed data interlocking in multi-network separation environment and communication method therefor
Tawfik et al. A New Security Mechanism for MIL-STD-1553 Using Authenticated Encryption Algorithms
Hooda et al. A new approach to design programmable secure network interface card
CN115208673A (en) Method for transmitting data among multiple CPUs

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190115