CN110191098A - A kind of method, first network equipment and second network equipment transmitting data - Google Patents
- Publication number: CN110191098A (application CN201910366851.0A)
- Authority: CN (China)
- Prior art keywords: data packet, network equipment, address, addition, head
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/0428 (H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication; H04L63/00: Network architectures or network communication protocols for network security; H04L63/04: providing a confidential data exchange among entities communicating through data packet networks): wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/20 (H04L63/00: Network architectures or network communication protocols for network security): managing network security; network security policies in general
- H04L69/22 (H04L69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass): parsing or analysis of headers
Abstract
An embodiment of the invention provides a method of transmitting data, a first network device and a second network device, in the field of data transmission. The method comprises: the first network device encrypts an original data packet and adds a packet header to it, determining a reconstructed data packet; the added packet header contains address information chosen from a first address list, the original packet header of the original data packet contains the address information of the source-end network device and the destination network device, and the address information in the added packet header differs from the address information in the original packet header. The first network device sends the reconstructed data packet to the second network device; when the second network device determines that the address information in the packet header of the reconstructed data packet matches address information in a second address list, it removes the added packet header and decrypts, obtaining the original data packet. Because the first network device adds a packet header to the original data packet, the original packet header is hidden, which improves the security of the address information in the original packet header.
Description
Technical field
Embodiments of the present invention relate to the technical field of data transmission, and in particular to a method of transmitting data, a first network device and a second network device.
Background technique
With the popularization and application of the mobile Internet, Internet-connected devices have become more diverse and networks increasingly complex, so protecting the security and privacy of data transmitted in the network is ever more important. Currently, when data is transmitted, the packet headers exchanged between nodes contain the address information of the client and of the server side; this address information is easily leaked during transmission, which compromises the security and privacy of the data.
Summary of the invention
To address the problem that the address information of the client and the server side in a packet header is easily leaked, compromising the security and privacy of the data, embodiments of the present invention provide a method of transmitting data, a first network device and a second network device.
In one aspect, an embodiment of the present invention provides a method of transmitting data, comprising:
the first network device encrypts an original data packet and adds a packet header to it, determining a reconstructed data packet, wherein the added packet header contains address information chosen from a preconfigured first address list, the original packet header of the original data packet contains the address information of the source-end network device and the destination network device, and the address information in the added packet header differs from the address information in the original packet header;
the first network device sends the reconstructed data packet to the second network device, so that when the second network device determines that the address information in the packet header of the reconstructed data packet matches address information in a preconfigured second address list, it removes the added packet header and decrypts, obtaining the original data packet.
Optionally, the first network device encrypting the original data packet and adding a packet header comprises:
the first network device encrypts the original data packet and then adds the packet header to it, or adds the packet header to the original data packet and then encrypts the original data packet;
and the second network device removing the added packet header and decrypting comprises:
the second network device decrypts the original data packet and then removes the added packet header, or removes the added packet header and then decrypts the original data packet.
Optionally, encrypting the original data packet comprises:
encrypting the original data packet according to a preset data encryption length.
Optionally, the first network device and the second network device are data forwarding devices, the address information in the added packet header includes at least the network-layer addresses of the first network device and the second network device, and the network-layer addresses in the added packet header differ from the network-layer addresses in the original packet header.
Optionally, before the first network device adds a packet header to the original data packet and determines the reconstructed data packet, the method further comprises:
the first network device receives a data packet;
the first network device judges whether the destination network-layer address in the packet header of the data packet is the network-layer address of the first network device, and if not, determines that the data packet is an original data packet.
Optionally, the original data packet further includes a virtual packet header added by the source-end network device, and the address information in the virtual packet header differs from the address information in the original packet header and from the address information in the added packet header.
Optionally, the first network device is the source-end network device and the second network device is the destination network device; the address information of the first network device and the second network device includes at least transport-layer addresses, and the transport-layer addresses in the added packet header differ from the transport-layer addresses in the original packet header.
In one aspect, an embodiment of the present invention provides a method of transmitting data, comprising:
the second network device receives a reconstructed data packet sent by the first network device, the reconstructed data packet being determined by the first network device encrypting an original data packet and adding a packet header, wherein the added packet header contains address information chosen from a preconfigured first address list, the original packet header of the original data packet contains the address information of the source-end network device and the destination network device, and the address information in the added packet header differs from the address information in the original packet header;
when the second network device determines that the address information in the packet header of the reconstructed data packet matches address information in a preconfigured second address list, it removes the added packet header and decrypts, obtaining the original data packet.
Optionally, the first network device encrypting the original data packet and adding a packet header comprises:
the first network device encrypts the original data packet and then adds the packet header to it, or adds the packet header to the original data packet and then encrypts the original data packet;
and the second network device removing the added packet header and decrypting comprises:
the second network device decrypts the original data packet and then removes the added packet header, or removes the added packet header and then decrypts the original data packet.
Optionally, the first network device and the second network device are data forwarding devices;
and the second network device removing the added packet header and decrypting to obtain the original data packet, when it determines that the address information in the packet header of the reconstructed data packet matches address information in the preconfigured second address list, comprises:
when the second network device determines that the destination network-layer address in the packet header of the reconstructed data packet is the network-layer address of the second network device, and that the address information in the packet header of the reconstructed data packet matches address information in the preconfigured second address list, it removes the added packet header and decrypts, obtaining the original data packet, and stores the source network-layer address of the packet header of the reconstructed data packet in connection tracking.
Optionally, the first network device is the source-end network device and the second network device is the destination network device;
and the second network device removing the added packet header and decrypting to obtain the original data packet, when it determines that the address information in the packet header of the reconstructed data packet matches address information in the preconfigured second address list, comprises:
when the second network device determines that the destination network-layer address of the packet header of the reconstructed data packet is the network-layer address of the second network device, that the packet header of the reconstructed data packet includes a transport-layer address, and that the transport-layer address in the packet header of the reconstructed data packet matches a transport-layer address in the preconfigured second address list, it removes the added packet header and decrypts, obtaining the original data packet.
In one aspect, an embodiment of the present invention provides a first network device, comprising:
a first processing module, configured to encrypt an original data packet and add a packet header to it, determining a reconstructed data packet, wherein the added packet header contains address information chosen from a preconfigured first address list, the original packet header of the original data packet contains the address information of the source-end network device and the destination network device, and the address information in the added packet header differs from the address information in the original packet header;
a first sending module, configured to send the reconstructed data packet to a second network device, so that when the second network device determines that the address information in the packet header of the reconstructed data packet matches address information in a preconfigured second address list, it removes the added packet header and decrypts, obtaining the original data packet.
Optionally, the first processing module is further configured to:
encrypt the original data packet and then add the packet header to it, or add the packet header to the original data packet and then encrypt the original data packet; the second network device decrypts the original data packet and then removes the added packet header, or removes the added packet header and then decrypts the original data packet.
Optionally, the first processing module is specifically configured to:
encrypt the original data packet according to a preset data encryption length.
Optionally, the first network device and the second network device are data forwarding devices, the address information in the added packet header includes at least the network-layer addresses of the first network device and the second network device, and the network-layer addresses in the added packet header differ from the network-layer addresses in the original packet header.
Optionally, the first network device further includes a first receiving module;
the first receiving module is specifically configured to receive a data packet before the packet header is added to the original data packet and the reconstructed data packet is determined;
the first processing module is further configured to judge whether the destination network-layer address in the packet header of the data packet is the network-layer address of the first network device, and if not, to determine that the data packet is an original data packet.
Optionally, the original data packet further includes a virtual packet header added by the source-end network device, and the address information in the virtual packet header differs from the address information in the original packet header and from the address information in the added packet header.
Optionally, the first network device is the source-end network device and the second network device is the destination network device; the address information of the first network device and the second network device includes at least transport-layer addresses, and the transport-layer addresses in the added packet header differ from the transport-layer addresses in the original packet header.
In one aspect, an embodiment of the present invention provides a second network device, comprising:
a second receiving module, configured to receive a reconstructed data packet sent by a first network device, the reconstructed data packet being determined by the first network device encrypting an original data packet and adding a packet header, wherein the added packet header contains address information chosen from a preconfigured first address list, the original packet header of the original data packet contains the address information of the source-end network device and the destination network device, and the address information in the added packet header differs from the address information in the original packet header;
a second processing module, configured to remove the added packet header and decrypt, obtaining the original data packet, when it determines that the address information in the packet header of the reconstructed data packet matches address information in a preconfigured second address list.
Optionally, the first network device encrypts the original data packet and then adds the packet header to it, or adds the packet header to the original data packet and then encrypts the original data packet;
and the second processing module is further configured to:
decrypt the original data packet and then remove the added packet header, or remove the added packet header and then decrypt the original data packet.
Optionally, the first network device and the second network device are data forwarding devices;
and the second processing module is specifically configured to:
when it determines that the destination network-layer address of the packet header of the reconstructed data packet is the network-layer address of the second network device, and that the address information in the packet header of the reconstructed data packet matches address information in the preconfigured second address list, remove the added packet header and decrypt, obtaining the original data packet, and store the source network-layer address of the packet header of the reconstructed data packet in connection tracking.
Optionally, the first network device is the source-end network device and the second network device is the destination network device;
and the second processing module is specifically configured to:
when it determines that the destination network-layer address of the packet header of the reconstructed data packet is the network-layer address of the second network device, that the packet header of the reconstructed data packet includes a transport-layer address, and that the transport-layer address in the packet header of the reconstructed data packet matches a transport-layer address in the preconfigured second address list, remove the added packet header and decrypt, obtaining the original data packet.
In one aspect, an embodiment of the present invention provides a terminal device comprising at least one processing unit and at least one storage unit, wherein the storage unit stores a computer program which, when executed by the processing unit, causes the processing unit to execute the steps of the method of transmitting data.
In one aspect, an embodiment of the present invention provides a computer-readable medium storing a computer program executable by a terminal device which, when run on the terminal device, causes the terminal device to execute the steps of the method of transmitting data.
In embodiments of the present invention, the first network device encrypts an original data packet and adds a packet header, determining a reconstructed data packet, so that the data of the original data packet and the original packet header are hidden, and the address information in the added packet header differs from that in the original packet header. Therefore, if the reconstructed data packet is maliciously intercepted, the exposed packet header carries not the address information in the original packet header but the address information in the added packet header, which improves the security of the address information of the source-end network device and the destination network device in the original packet header.
Detailed description of the invention
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings required for describing the embodiments are briefly introduced below. Clearly, the drawings in the following description are only some embodiments of the present invention, and a person of ordinary skill in the art may obtain other drawings from these drawings without creative effort.
Fig. 1 is a schematic diagram of an application scenario provided in an embodiment of the present invention;
Fig. 2 is a schematic diagram of an application scenario provided in an embodiment of the present invention;
Fig. 3 is a schematic diagram of an application scenario provided in an embodiment of the present invention;
Fig. 4 is a flow diagram of a method of transmitting data provided in an embodiment of the present invention;
Fig. 5 is a flow diagram of a method of transmitting data provided in an embodiment of the present invention;
Fig. 6 is a flow diagram of a method of transmitting data provided in an embodiment of the present invention;
Fig. 7 is a flow diagram of a method of transmitting data provided in an embodiment of the present invention;
Fig. 8 is a structural diagram of a first network device provided in an embodiment of the present invention;
Fig. 9 is a structural diagram of a second network device provided in an embodiment of the present invention;
Fig. 10 is a structural diagram of a terminal device provided in an embodiment of the present invention.
Specific embodiment
To make the purpose, technical solutions and beneficial effects of the present invention clearer, the present invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are only intended to explain the present invention, not to limit it.
The method of transmitting data in an embodiment of the present invention can be applied to the application scenario shown in Fig. 1, which includes a first network device 101 and a second network device 102. The first network device 101 may be one server, a server cluster composed of several servers, or a cloud computing center; likewise, the second network device 102 may be one server, a server cluster composed of several servers, or a cloud computing center. The first network device 101 may be a data forwarding device in the network, or the source-end network device or the destination network device of the network. The second network device 102 may be a data forwarding device in the network, or the source-end network device or the destination network device of the network. Illustratively, as shown in Fig. 2, the first network device 101 and the second network device 102 are data forwarding devices in the network, located between the source-end network device and the destination network device, and forward the data transmitted between them. Illustratively, as shown in Fig. 3, the first network device 101 is the source-end network device and the second network device 102 is the destination network device.
The first network device 101 is connected to the second network device 102 through the network. When the first network device 101 and the second network device 102 transmit data, the first network device 101 encrypts an original data packet and adds a packet header, determining a reconstructed data packet, and then sends the reconstructed data packet to the second network device 102. The added packet header contains address information chosen from a preconfigured first address list, the original packet header of the original data packet contains the address information of the source-end network device and the destination network device, and the address information in the added packet header differs from the address information in the original packet header. When the second network device 102 determines that the address information in the packet header of the reconstructed data packet matches address information in a preconfigured second address list, it removes the added packet header and decrypts, obtaining the original data packet.
Based on the application scenario shown in Fig. 1, an embodiment of the present invention provides a flow of a method of transmitting data. The flow may be executed through the interaction of the first network device and the second network device and, as shown in Fig. 4, comprises the following steps:
Step S401: the first network device encrypts an original data packet and adds a packet header, determining a reconstructed data packet.
Specifically, the added packet header contains address information chosen from a preconfigured first address list; the original packet header of the original data packet contains the address information of the source-end network device and the destination network device; and the address information in the added packet header differs from the address information in the original packet header. The first address list is preconfigured using an application-layer configuration tool. The first address list includes transport-layer addresses, for example preset pairs of matching port information for the first network device and the second network device. The first address list may also include network-layer address information, for example preset pairs of matching IP addresses for the first network device and the second network device. The first address list may also include both transport-layer addresses and network-layer addresses. Note that the address information in the first address list may be the real address information of the first network device and the second network device, or may be preset address information that is not the real address information of the first network device and the second network device.
In one possible embodiment, the first network device encrypts the original data packet and then adds the packet header to the original data packet.
Specifically, the first network device first identifies the length of the packet header of the original data packet and the length of its data, reads the address of the original data packet stored in the kernel, and then determines the position at which to add the packet header from the header length, the data length and the packet address. It then encrypts the original data packet according to the configuration information in the configuration module, and finally adds the packet header at the determined position.
In one possible embodiment, the first network device adds the packet header to the original data packet and then encrypts the original data packet.
Specifically, the first network device reads the address of the original data packet stored in the kernel and uses it as the position at which to add the packet header, adds the packet header at that position, then determines the encryption start position from the length of the added packet header and the address of the original data packet, and then encrypts the original data packet according to the encryption start position and the configuration information in the configuration module. Encrypting the original data packet improves its security.
Optionally, the configuration information in the configuration module includes a preset data encryption length, and the first network device encrypts the original data packet according to the preset data encryption length. The data encryption length can be configured according to the actual service, so that the important data of different services is encrypted, improving the security of important data.
Step S402: the first network device sends the reconstructed data packet to the second network device.
Step S403: when the second network device determines that the address information in the packet header of the reconstructed data packet matches address information in a preconfigured second address list, it removes the added packet header and decrypts, obtaining the original data packet.
Specifically, the second address list is preconfigured using an application-layer configuration tool; the address information in the second address list corresponds to the address information in the first address list and is used to judge whether a received reconstructed data packet carries an additional packet header. When the second network device determines that the address information in the packet header of the reconstructed data packet matches address information in the second address list, this indicates that the packet header of the reconstructed data packet is an added packet header, i.e. that an extra packet header has been added to the reconstructed data packet. The address information in the first address list may be identical to the address information in the second address list. Further, the second network device may decrypt the original data packet and then remove the added packet header, or remove the added packet header and then decrypt the original data packet.
Because the first network device encrypts the original data packet and adds a packet header, determining a reconstructed data packet, the data of the original data packet and the original packet header are hidden, and the address information in the added packet header differs from that in the original packet header. Therefore, if the reconstructed data packet is maliciously intercepted, the exposed packet header carries not the address information in the original packet header but the address information in the added packet header, which improves the security of the address information of the source-end network device and the destination network device in the original packet header.
Optionally, the first network device and the second network device are data forwarding devices, the address information in the added packet header includes at least the network-layer addresses of the first network device and the second network device, and the network-layer addresses in the added packet header differ from the network-layer addresses in the original packet header.
In one possible embodiment, the added packet header is an IP header, in which the address information is a pair of IP addresses randomly selected from the first address list: the source address of the IP header is the IP address of the first network device, and the destination address of the IP header is the IP address of the second network device.
In one possible embodiment, the added packet header comprises an IP header and a TCP header. The address information in the IP header is a pair of IP addresses randomly selected from the first address list, and the address information in the TCP header is a pair of port addresses randomly selected from the first address list. The source address of the IP header is the IP address of the first network device and its destination address is the IP address of the second network device; the source address of the TCP header is the port address of the first network device and its destination address is the port address of the second network device.
Because, when the first network device and the second network device are data forwarding devices, the first network device adds a packet header on top of the original data packet, and that packet header contains the address information of the first network device and the second network device, the address information of the source-end network device and the destination network device in the original packet header is concealed, improving the security and privacy of the data.
Optionally, one first network device corresponds to one or more second network devices.
Specifically, the first address list may be configured so that the address information of one first network device corresponds to the address information of one second network device, or so that the address information of one first network device corresponds to the address information of multiple second network devices. When adding the packet header to the original packet, if the address information of a first network device in the first address list corresponds to the address information of multiple second network devices, one address pair may be chosen from among them using a hash algorithm.
Optionally, the first network device and the second network device are data transfer devices, and before the first network device encrypts the original packet, adds the packet header and determines the reconstructed packet, the first network device receives a packet and judges whether the destination network layer address in the header of the packet is the network layer address of the first network device; if not, the packet is determined to be an original packet.
Specifically, when the first network device receives a packet, it judges whether the IP address in the header of the packet is the IP address of the first network device; if so, the packet is determined to be an ordinary packet, otherwise the packet is determined to be an original packet.
Optionally, in step S403 above, when the first network device and the second network device are data transfer devices, the second network device judges whether the received reconstructed packet has had a packet header added in at least the following two ways:
In one possible embodiment, when the second network device determines that the destination network layer address in the packet header of the reconstructed packet is the network layer address of the second network device, and that the address information in the packet header of the reconstructed packet matches the address information in the preconfigured second address list, it removes the added packet header and decrypts, obtaining the original packet.
Illustratively, after the second network device receives the reconstructed packet, it judges whether the IP address in the packet header is the IP address of the second network device; if so, it further judges whether the port addresses in the packet header are an address pair in the second address list; if so, it removes the added packet header and decrypts, obtaining the original packet.
In one possible embodiment, the address information in the first address list and the second address list is not real address information but preset address information. When the second network device determines that the address information in the added packet header matches the address information in the preconfigured second address list, it removes the added packet header and decrypts, obtaining the original packet.
Illustratively, after the second network device receives the reconstructed packet, it judges whether the IP addresses in the packet header are an address pair in the second address list; if so, it further judges whether the port addresses in the packet header are an address pair in the second address list; if so, it removes the added packet header and decrypts, obtaining the original packet.
Since the first network device is preconfigured with the first address list and chooses address information from the first address list when adding the packet header to the original packet, and the second network device is preconfigured with the second address list and, on receiving the reconstructed packet, judges according to the second address list whether the reconstructed packet has had a packet header added, the source address and destination address in the original packet header are effectively concealed while the data is transmitted between the first network device and the second network device, improving data security.
To better explain the embodiments of the present invention, a method of transmitting data provided by an embodiment of the present invention is described below with reference to a specific implementation scenario. Let the first network device and the second network device be data transfer devices located between the source-end network device and the destination-end network device. The method is executed through the interaction of the source-end network device, the first network device, the second network device and the destination-end network device and, as shown in Figure 5, includes the following steps:
Step S501: the source-end network device sends a packet to the first network device.
Step S502: when the first network device identifies that the destination IP address of the packet is not the network layer address of the first network device, it determines the packet to be an original packet.
Step S503: the first network device encrypts the original packet, adds a packet header to the encrypted original packet, and determines the first reconstructed packet.
Specifically, the added packet header includes an IP header and a TCP header, where the address information in the IP header is a pair of IP addresses randomly selected from the first address list and the address information in the TCP header is a pair of port addresses randomly selected from the first address list. The source address in the IP header is the IP address of the first network device, and the destination address in the IP header is the IP address of the second network device. The source address in the TCP header is the port address of the first network device, and the destination address in the TCP header is the port address of the second network device.
Step S504: the first network device sends the first reconstructed packet to the second network device.
Step S505: when the second network device determines that the destination network layer address of the packet header of the first reconstructed packet is the network layer address of the second network device, and that the address information in the packet header of the first reconstructed packet matches the address information in the preconfigured second address list, it removes the added packet header and decrypts, obtaining the original packet.
The second network device stores the source network layer address of the packet header of the reconstructed packet in its connection tracking, that is, it stores the IP address of the first network device in connection tracking.
Step S506: the second network device sends the original packet to the destination-end network device.
Specifically, an iptables SNAT rule is preconfigured on the second network device so that, when the original packet is sent to the destination-end network device, the source IP address in the original header of the original packet is translated to the IP address of the second network device. In this way, when the destination-end network device replies to the original packet, it sets the destination IP address of the reply packet to the IP address of the second network device. The second network device then, according to the iptables DNAT rule, sets the destination IP address of the reply packet to the source-end network device.
Step S507: the destination-end network device sends a reply packet to the second network device.
Step S508: when the second network device identifies that the destination IP address of the reply packet is not the network layer address of the second network device, it determines the reply packet to be an original reply packet.
Step S509: the second network device encrypts the original reply packet, adds a packet header to the encrypted original reply packet, and determines the second reconstructed packet.
Specifically, the added packet header includes an IP header and a TCP header, where the address information in the TCP header is a pair of port addresses randomly selected from the second address list. The source address in the IP header is the IP address of the second network device, and the destination address in the IP header is the IP address of the first network device stored in connection tracking. The source address in the TCP header is the port address of the second network device, and the destination address in the TCP header is the port address of the first network device.
Step S510: the second network device sends the second reconstructed packet to the first network device.
Step S511: when the first network device determines that the destination network layer address of the packet header of the second reconstructed packet is the network layer address of the first network device, and that the address information in the packet header of the second reconstructed packet matches the address information in the preconfigured first address list, it removes the added packet header and decrypts, obtaining the original reply packet.
Step S512: the first network device sends the original reply packet to the source-end network device.
Since, when the first network device and the second network device are data transfer devices, the first network device adds a packet header on top of the original packet and that packet header contains the address information of the first network device and the second network device, the address information of the source-end network device and the destination-end network device in the original packet header is concealed, which improves the privacy and security of the data.
Optionally, the first network device is the source-end network device and the second network device is the destination-end network device; the address information of the first network device and the second network device includes at least transport layer addresses, and the transport layer addresses in the added packet header are inconsistent with the transport layer addresses in the original packet header.
In one possible embodiment, the added packet header includes an IP header and a TCP header, where the address information in the IP header is a pair of IP addresses randomly selected from the first address list and the address information in the TCP header is a pair of port addresses randomly selected from the first address list. The source address in the IP header is the IP address of the source-end network device, and the destination address in the IP header is the IP address of the source-end network device. The source address in the TCP header is the port address of the source-end network device, and the destination address in the TCP header is the port address of the source-end network device. The address information in the TCP header is inconsistent with the address information in the original packet header.
In one possible embodiment, the added packet header includes an IP header and a TCP header, where the address information in the IP header is a pair of IP addresses randomly selected from the first address list and the address information in the TCP header is a pair of port addresses randomly selected from the first address list. The address information in the first address list is not the real address information of the source-end network device and the destination-end network device but preset address information. The source address and destination address in the IP header are preset IP addresses. The source address and destination address in the TCP header are preset port addresses. The address information in the IP header and the TCP header is inconsistent with the address information in the original packet header.
Optionally, in step S403 above, when the first network device is the source-end network device and the second network device is the destination-end network device, the second network device judges whether the received reconstructed packet has had a packet header added in at least the following two ways:
In one possible embodiment, when the second network device determines that the destination network layer address in the packet header of the reconstructed packet is the network layer address of the second network device, that the packet header of the reconstructed packet contains transport layer addresses, and that the transport layer addresses in the packet header of the reconstructed packet match the transport layer addresses in the preconfigured second address list, it removes the added packet header and decrypts, obtaining the original packet.
Illustratively, after the destination-end network device receives the reconstructed packet, it judges whether the address in the IP header of the packet header is the IP address of the second network device; if so, it further judges whether the packet header contains a TCP header; if so, it judges whether the port addresses in the TCP header are an address pair in the second address list; if so, it removes the added packet header and decrypts, obtaining the original packet.
In one possible embodiment, the address information in the first address list and the second address list is not real address information but preset address information. When the second network device determines that the address information in the added packet header matches the address information in the preconfigured second address list, it removes the added packet header and decrypts, obtaining the original packet.
Illustratively, after the destination-end network device receives the reconstructed packet, it judges whether the IP addresses in the packet header are an address pair in the second address list; if so, it further judges whether the port addresses in the packet header are an address pair in the second address list; if so, it removes the added packet header and decrypts, obtaining the original packet.
Since the first network device is preconfigured with the first address list and chooses address information from the first address list when adding the packet header to the original packet, and the second network device is preconfigured with the second address list and, on receiving the reconstructed packet, judges according to the second address list whether the reconstructed packet has had a packet header added, the source address and destination address in the original packet header are effectively concealed while the data is transmitted between the first network device and the second network device, improving data security.
To better explain the embodiments of the present invention, a method of transmitting data provided by an embodiment of the present invention is described below with reference to a specific implementation scenario. Let the first network device be the source-end network device and the second network device be the destination-end network device. The method is executed through the interaction of the source-end network device and the destination-end network device and, as shown in Figure 6, includes the following steps:
Step S601: the source-end network device encrypts the original packet, adds a packet header to the encrypted original packet, and determines the first reconstructed packet.
Specifically, the added packet header includes an IP header and a TCP header, where the address information in the IP header is a pair of IP addresses randomly selected from the first address list and the address information in the TCP header is a pair of port addresses randomly selected from the first address list. The source address in the IP header is the IP address of the source-end network device, and the destination address in the IP header is the IP address of the destination-end network device. The source address in the TCP header is the port address of the source-end network device, and the destination address in the TCP header is the port address of the destination-end network device. The address information in the TCP header is inconsistent with the address information in the original header of the original packet.
Step S602: the source-end network device sends the first reconstructed packet to the destination-end network device.
Step S603: when the destination-end network device determines that the IP address of the packet header of the first reconstructed packet is the IP address of the destination-end network device, that the packet header of the first reconstructed packet contains port addresses, and that the port addresses in the packet header of the first reconstructed packet match the port addresses in the preconfigured second address list, it removes the added packet header and decrypts, obtaining the original packet.
Step S604: the destination-end network device encrypts the original reply packet, adds a packet header to the encrypted original reply packet, and determines the second reconstructed packet.
Specifically, the added packet header includes an IP header and a TCP header, where the address information in the IP header is a pair of IP addresses randomly selected from the second address list and the address information in the TCP header is a pair of port addresses randomly selected from the second address list. The source address in the IP header is the IP address of the destination-end network device, and the destination address in the IP header is the IP address of the source-end network device. The source address in the TCP header is the port address of the destination-end network device, and the destination address in the TCP header is the port address of the source-end network device. The address information in the TCP header is inconsistent with the address information in the original header of the original reply packet.
Step S605: the destination-end network device sends the second reconstructed packet to the source-end network device.
Step S606: when the source-end network device determines that the IP address of the packet header of the second reconstructed packet is the IP address of the source-end network device, that the packet header of the second reconstructed packet contains port addresses, and that the port addresses in the packet header of the second reconstructed packet match the port addresses in the preconfigured first address list, it removes the added packet header and decrypts, obtaining the original reply packet.
Since, when the first network device is the source-end network device and the second network device is the destination-end network device, the source-end network device adds a packet header on top of the original packet, that packet header contains address information obtained from the first address list, and the address information of the added packet header is inconsistent with the address information in the original packet header, the address information of the source-end network device and the destination-end network device in the original packet header is concealed, improving the privacy and security of the data.
Optionally, the first network device and the second network device are data transfer devices, and the original packet further includes a virtual packet header added by the source-end network device; the address information in the virtual packet header is inconsistent with both the address information in the original packet header and the address information in the added packet header.
To better explain the embodiments of the present invention, a method of transmitting data provided by an embodiment of the present invention is described below with reference to a specific implementation scenario. Let the first network device and the second network device be data transfer devices located between the source-end network device and the destination-end network device. The method is executed through the interaction of the source-end network device, the first network device, the second network device and the destination-end network device and, as shown in Figure 7, includes the following steps:
Step S701: the source-end network device encrypts the request packet, adds a virtual packet header to the encrypted request packet, and determines the original packet.
Specifically, a third address list is configured in advance on the source-end network device using an application-layer configuration tool. The virtual packet header includes an IP header and a TCP header, where the address information in the IP header is a pair of IP addresses randomly selected from the third address list and the address information in the TCP header is a pair of port addresses randomly selected from the third address list. The source address in the IP header is the IP address of the source-end network device, and the destination address in the IP header is the IP address of the destination-end network device. The source address in the TCP header is the port address of the source-end network device, and the destination address in the TCP header is the port address of the destination-end network device. The address information in the TCP header is inconsistent with the address information in the original header of the request packet.
Step S702: the source-end network device sends the original packet to the first network device.
Step S703: the first network device encrypts the original packet, adds a packet header to the encrypted original packet, and determines the first reconstructed packet.
Specifically, the added packet header includes an IP header and a TCP header, where the address information in the IP header is a pair of IP addresses randomly selected from the first address list and the address information in the TCP header is a pair of port addresses randomly selected from the first address list. The source address in the IP header is the IP address of the first network device, and the destination address in the IP header is the IP address of the second network device. The source address in the TCP header is the port address of the first network device, and the destination address in the TCP header is the port address of the second network device.
Step S704: the first network device sends the first reconstructed packet to the second network device.
Step S705: when the second network device determines that the destination network layer address of the packet header of the first reconstructed packet is the network layer address of the second network device, and that the address information in the packet header of the first reconstructed packet matches the address information in the preconfigured second address list, it removes the added packet header and decrypts, obtaining the original packet.
Step S706: the second network device sends the original packet to the destination-end network device.
A fourth address list is configured in advance on the destination-end network device using an application-layer configuration tool, and the address information of the third address list corresponds to the address information in the fourth address list.
Step S707: when the destination-end network device determines that the IP address in the virtual packet header of the original packet is the IP address of the destination-end network device, that the virtual packet header of the original packet contains port addresses, and that the port addresses in the virtual packet header of the original packet match the port addresses in the preconfigured fourth address list, it removes the virtual packet header of the original packet and decrypts, obtaining the request packet.
Step S708: the destination-end network device encrypts the response packet, adds a virtual packet header to the encrypted response packet, and determines the original reply packet.
Specifically, the added virtual packet header includes an IP header and a TCP header, where the address information in the IP header is a pair of IP addresses randomly selected from the fourth address list and the address information in the TCP header is a pair of port addresses randomly selected from the fourth address list. The source address in the IP header is the IP address of the destination-end network device, and the destination address in the IP header is the IP address of the source-end network device. The source address in the TCP header is the port address of the destination-end network device, and the destination address in the TCP header is the port address of the source-end network device. The address information in the TCP header is inconsistent with the address information in the original header of the response packet.
Step S709: the destination-end network device sends the original reply packet to the second network device.
Step S710: the second network device encrypts the original reply packet, adds a packet header to the encrypted original reply packet, and determines the second reconstructed packet.
Step S711: the second network device sends the second reconstructed packet to the first network device.
Step S712: when the first network device determines that the destination network layer address of the packet header of the second reconstructed packet is the network layer address of the first network device, and that the address information in the packet header of the second reconstructed packet matches the address information in the preconfigured first address list, it removes the added packet header and decrypts, obtaining the original reply packet.
Step S713: the first network device sends the original reply packet to the source-end network device.
Step S714: when the source-end network device determines that the IP address in the virtual packet header of the original reply packet is the IP address of the source-end network device, that the virtual packet header of the original reply packet contains port addresses, and that the port addresses in the virtual packet header of the original reply packet match the port addresses in the preconfigured first address list, it removes the virtual packet header of the original reply packet and decrypts, obtaining the response packet.
Since the source-end network device, the first network device, the second network device and the destination-end network device are all configured, and during data transmission the added packet header hides the address information of the source-end network device and the destination-end network device in the original packet header, the data transmission between the source-end network device and the first network device, between the first network device and the second network device, and between the second network device and the destination-end network device all avoid exposing the address information of the source-end network device and the destination-end network device, improving the privacy and security of the data.
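The two scenario walk-throughs above (Figure 5, steps S501 to S512, and Figure 7, steps S701 to S714) describe one mechanism: the sender encrypts the original packet, prepends an IP/TCP header whose addresses come from a preconfigured list, and the receiver accepts a packet only when the destination is itself and the address pair is on its own list. The following Python simulation is an added example, not code from the patent or from any product implementing it. It assumes a toy wire format, a stand-in cipher (SHA-256 keystream XOR, standing in for the cipher the patent leaves unspecified), constructed address lists and IP/port values, and the hypothetical names Header, Packet, add_header, remove_header and run_nested_flow. It runs the Figure 7 nested flow (virtual header from the third/fourth lists inside the relay header from the first/second lists), records the peer address the second device keeps in connection tracking, and shows the receiver rejecting a packet whose address pair is not listed.

```python
import hashlib
import random
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address lists (hypothetical values). Each entry pairs the first
# device's IP/port with the second device's; the random choice varies the ports.
AddrPair = Tuple[Tuple[str, str], Tuple[int, int]]
FIRST_ADDRESS_LIST: List[AddrPair] = [
    (("10.0.1.10", "10.0.2.20"), (40001, 50001)),
    (("10.0.1.10", "10.0.2.20"), (40002, 50002)),
]
SECOND_ADDRESS_LIST = list(FIRST_ADDRESS_LIST)   # preconfigured copy on the peer
THIRD_ADDRESS_LIST: List[AddrPair] = [(("192.168.0.5", "192.168.9.9"), (31000, 32000))]
FOURTH_ADDRESS_LIST = list(THIRD_ADDRESS_LIST)    # corresponds to the third list
KEY = b"constructed-demo-key"  # the patent names neither cipher nor key management

@dataclass(frozen=True)
class Header:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

@dataclass(frozen=True)
class Packet:
    header: Header
    payload: bytes  # application data, or an encrypted inner packet

def _stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (SHA-256 keystream XOR); an assumption, not the patent's."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def serialize(pkt: Packet) -> bytes:
    """Toy wire format: length-prefixed text header, then the payload."""
    h = pkt.header
    hdr = f"{h.src_ip},{h.dst_ip},{h.src_port},{h.dst_port}".encode()
    return struct.pack("!H", len(hdr)) + hdr + pkt.payload

def parse(raw: bytes) -> Packet:
    (n,) = struct.unpack("!H", raw[:2])
    sip, dip, sp, dp = raw[2:2 + n].decode().split(",")
    return Packet(Header(sip, dip, int(sp), int(dp)), raw[2 + n:])

def is_original(pkt: Packet, my_ip: str) -> bool:
    """S502/S508: traffic addressed to this device is ordinary; anything else is original."""
    return pkt.header.dst_ip != my_ip

def add_header(pkt: Packet, address_list: List[AddrPair], rng: random.Random,
               reverse: bool = False) -> Packet:
    """S503/S509/S701: encrypt the whole original packet (its header included) and
    prepend an IP/TCP header drawn at random from the list; reverse=True is the reply direction."""
    (ip_a, ip_b), (port_a, port_b) = rng.choice(address_list)
    hdr = Header(ip_b, ip_a, port_b, port_a) if reverse else Header(ip_a, ip_b, port_a, port_b)
    return Packet(hdr, _stream_xor(KEY, serialize(pkt)))

def _listed(h: Header, address_list: List[AddrPair]) -> bool:
    """True if the header's IP pair and port pair appear in the list, in either direction."""
    seen = (h.src_ip, h.dst_ip, h.src_port, h.dst_port)
    return any(seen in ((a, b, pa, pb), (b, a, pb, pa)) for (a, b), (pa, pb) in address_list)

def remove_header(pkt: Packet, my_ip: str, address_list: List[AddrPair]) -> Optional[Packet]:
    """S505/S511/S707: accept only when the destination is this device and the address
    pair is listed; then strip the header and decrypt. None means the packet is not ours."""
    if pkt.header.dst_ip != my_ip or not _listed(pkt.header, address_list):
        return None
    try:
        return parse(_stream_xor(KEY, pkt.payload))
    except (struct.error, UnicodeDecodeError, ValueError):
        return None  # listed addresses, but the body does not decrypt to a packet

def run_nested_flow(seed: int = 7) -> dict:
    """Figure 7 round trip: virtual header at both ends, relay header in the middle."""
    rng = random.Random(seed)
    src_ip, dst_ip, first_ip, second_ip = "192.168.0.5", "192.168.9.9", "10.0.1.10", "10.0.2.20"
    request = Packet(Header(src_ip, dst_ip, 12345, 443), b"GET /index.html")  # constructed
    original = add_header(request, THIRD_ADDRESS_LIST, rng)                 # S701
    assert is_original(original, first_ip)                                  # S502-style check
    first_recon = add_header(original, FIRST_ADDRESS_LIST, rng)             # S703
    conntrack_peer = first_recon.header.src_ip                              # S505: remember peer
    inner = remove_header(first_recon, second_ip, SECOND_ADDRESS_LIST)      # S705
    got_request = remove_header(inner, dst_ip, FOURTH_ADDRESS_LIST)         # S707

    response = Packet(Header(dst_ip, src_ip, 443, 12345), b"HTTP/1.1 200 OK")  # constructed
    original_reply = add_header(response, FOURTH_ADDRESS_LIST, rng, reverse=True)       # S708
    second_recon = add_header(original_reply, SECOND_ADDRESS_LIST, rng, reverse=True)   # S710
    assert second_recon.header.dst_ip == conntrack_peer  # reply returns to the tracked peer
    back = remove_header(second_recon, first_ip, FIRST_ADDRESS_LIST)        # S712
    got_response = remove_header(back, src_ip, THIRD_ADDRESS_LIST)          # S714

    stray = Packet(Header(first_ip, second_ip, 1, 2), b"not ours")  # ports not a listed pair
    return {
        "request": got_request.payload,
        "response": got_response.payload,
        "rejected": remove_header(stray, second_ip, SECOND_ADDRESS_LIST),
    }
```

Call run_nested_flow() to execute the whole round trip; it returns the request and response payloads recovered at the far ends together with the result for the stray packet. Note that the receiver check the patent describes is a membership test on preconfigured address pairs and by itself says nothing about the integrity of the payload, which is why remove_header also returns None when the decrypted bytes do not parse as a packet: with a real cipher, an authenticated mode would make that second check explicit rather than incidental.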
Based on the same technical idea, an embodiment of the present invention provides a first network device. As shown in Figure 8, the apparatus 800 includes:
a first processing module 801, configured to encrypt an original packet and add a packet header to determine a reconstructed packet, where the added packet header includes address information chosen from a preconfigured first address list, the original header of the original packet includes the address information of the source-end network device and the destination-end network device, and the address information in the added packet header is inconsistent with the address information in the original header;
a first sending module 802, configured to send the reconstructed packet to a second network device, so that the second network device, on determining that the address information in the packet header of the reconstructed packet matches the address information in a preconfigured second address list, removes the added packet header and decrypts, obtaining the original packet.
Optionally, the first processing module 801 is further configured to:
add the packet header to the original packet after encrypting the original packet, or encrypt the original packet after adding the packet header to the original packet; the second network device removes the added packet header after decrypting the original packet, or decrypts the original packet after removing the added packet header.
Optionally, the first processing module 801 is specifically configured to:
encrypt the original packet according to a preset data encryption length.
Optionally, the first network device and the second network device are data transfer devices, the address information in the added packet header includes at least the network layer addresses of the first network device and the second network device, and the network layer addresses in the added packet header are inconsistent with the network layer addresses in the original header.
Optionally, the apparatus further includes a first receiving module 803;
the first receiving module 803 is specifically configured to receive a packet before the packet header is added to the original packet to determine the reconstructed packet;
the first processing module 801 is further configured to judge whether the destination network layer address in the header of the packet is the network layer address of the first network device and, if not, to determine the packet to be an original packet.
Optionally, the original packet further includes a virtual packet header added by the source-end network device, and the address information in the virtual packet header is inconsistent with both the address information in the original header and the address information in the added packet header.
Optionally, the first network device is the source-end network device and the second network device is the destination-end network device; the address information of the first network device and the second network device includes at least transport layer addresses, and the transport layer addresses in the added packet header are inconsistent with the transport layer addresses in the original header.
Based on the same technical idea, an embodiment of the present invention provides a second network device. As shown in Figure 9, the apparatus 900 includes:
a second receiving module 901, configured to receive a reconstructed packet sent by a first network device, where the reconstructed packet is determined after the first network device encrypts an original packet and adds a packet header, the added packet header includes address information chosen from a preconfigured first address list, the original header of the original packet includes the address information of the source-end network device and the destination-end network device, and the address information in the added packet header is inconsistent with the address information in the original header;
a second processing module 902, configured to remove the added packet header and decrypt, obtaining the original packet, when the address information in the packet header of the reconstructed packet matches the address information in a preconfigured second address list.
Optionally, the first network device adds the packet header to the original data packet after encrypting the original data packet, or encrypts the original data packet after adding the packet header to it.
The second processing module 902 is further configured to:
remove the added packet header after decrypting the original data packet, or decrypt the original data packet after removing the added packet header.
Optionally, the first network device and the second network device are data forwarding devices.
The second processing module 902 is specifically configured to:
upon determining that the destination network-layer address in the packet header of the reconstructed data packet is the network-layer address of the second network device, and that the address information in the packet header of the reconstructed data packet matches address information in the preconfigured second address list, remove the added packet header and decrypt, obtaining the original data packet, and store the source network-layer address of the packet header of the reconstructed data packet in connection tracking.
Optionally, the first network device is the source-end network device and the second network device is the destination-end network device.
The second processing module 902 is specifically configured to:
upon determining that the destination network-layer address in the packet header of the reconstructed data packet is the network-layer address of the second network device, that the packet header of the reconstructed data packet includes a transport-layer address, and that the transport-layer address in the packet header of the reconstructed data packet matches a transport-layer address in the preconfigured second address list, remove the added packet header and decrypt, obtaining the original data packet.
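The following Python model is an added illustration of the data-forwarding-device embodiment described above (first device: classify ingress, encrypt, add an outer header taken from the first address list; second device: check the destination address and the second address list, strip the header, decrypt, record the outer source in connection tracking). It is not the patent's own code or any implementation by the applicant. Everything not stated in the patent is an assumption: the packet layout (4-byte source, 4-byte destination, payload), the demo addresses and keys, the selection policy for the first address list, the shape of the connection-tracking entry, and the cipher, which is a standard-library stand-in (HMAC-SHA256 in counter mode as a keystream with an encrypt-then-MAC tag) rather than the AEAD a real device would use.

```python
"""Toy model of the data-forwarding-device embodiment: encrypt the original
packet, add an outer header chosen from a preconfigured first address list,
match it against the peer's second address list, strip it, decrypt and record
the outer source in connection tracking.  Added example, not the patent's code.

Assumptions not taken from the patent: a packet is a 4-byte source address,
a 4-byte destination address and a payload; address lists are plain Python
containers; the cipher is a standard-library stand-in (HMAC-SHA256 in counter
mode as keystream plus an encrypt-then-MAC tag) so the example runs offline.
A real device would use an AEAD such as AES-GCM."""
import hashlib
import hmac
import os
import socket
import struct

ENC_KEY = bytes.fromhex("11" * 32)           # constructed demo keys shared by
MAC_KEY = bytes.fromhex("22" * 32)           # the first and second device
DEVICE_A = "10.0.0.1"                        # first network device (constructed)
DEVICE_B = "10.0.0.2"                        # second network device (constructed)
FIRST_ADDRESS_LIST = [(DEVICE_A, DEVICE_B)]  # outer (src, dst) pairs A may use
SECOND_ADDRESS_LIST = {DEVICE_A}             # outer sources B accepts

def make_packet(src, dst, payload):
    return socket.inet_aton(src) + socket.inet_aton(dst) + payload

def parse_packet(pkt):
    return socket.inet_ntoa(pkt[:4]), socket.inet_ntoa(pkt[4:8]), pkt[8:]

def _keystream(nonce, n):
    """PRF in counter mode: HMAC(key, nonce || counter) blocks cut to n bytes."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(ENC_KEY, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(plain, enc_len=None, nonce=None):
    """Encrypt the first enc_len bytes (all when None; cf. the preset data
    encryption length of claim 3).  The tag covers the whole packet."""
    nonce = os.urandom(12) if nonce is None else nonce
    n = len(plain) if enc_len is None else min(enc_len, len(plain))
    ct = bytes(a ^ b for a, b in zip(plain[:n], _keystream(nonce, n))) + plain[n:]
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def decrypt(blob, enc_len=None):
    nonce, body, tag = blob[:12], blob[12:-16], blob[-16:]
    expect = hmac.new(MAC_KEY, nonce + body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")   # verify before decrypting
    n = len(body) if enc_len is None else min(enc_len, len(body))
    return bytes(a ^ b for a, b in zip(body[:n], _keystream(nonce, n))) + body[n:]

def classify_ingress(pkt, my_addr):
    """First receiving module: a packet whose destination network-layer address
    is not this device's own is an original packet; otherwise it is a
    reconstructed packet addressed to this device."""
    _, dst, _ = parse_packet(pkt)
    return "original" if dst != my_addr else "reconstructed"

def first_device_reconstruct(original, first_list=FIRST_ADDRESS_LIST, enc_len=None):
    """First network device: encrypt, then add an outer header taken from the
    first address list (the encrypt-then-add ordering of claim 2)."""
    src, dst, _ = parse_packet(original)
    outer_src, outer_dst = first_list[0]   # selection policy is an assumption
    if (outer_src, outer_dst) == (src, dst):
        raise ValueError("added header must differ from the original header")
    return make_packet(outer_src, outer_dst, encrypt(original, enc_len))

def second_device_restore(reconstructed, my_addr=DEVICE_B,
                          second_list=SECOND_ADDRESS_LIST, conntrack=None, enc_len=None):
    """Second network device: accept only packets addressed to itself whose outer
    source is in the second address list; strip the header, decrypt, and record
    the outer source in connection tracking keyed by the inner flow."""
    outer_src, outer_dst, body = parse_packet(reconstructed)
    if outer_dst != my_addr or outer_src not in second_list:
        return None                          # not for us, or unknown peer: drop
    original = decrypt(body, enc_len)        # raises if the tag does not verify
    inner_src, inner_dst, _ = parse_packet(original)
    if conntrack is not None:
        conntrack[(inner_src, inner_dst)] = outer_src
    return original

if __name__ == "__main__":
    # Constructed traffic: 192.168.1.10 behind device A talks to 172.16.0.5 behind B.
    original = make_packet("192.168.1.10", "172.16.0.5", b"hello")
    assert classify_ingress(original, DEVICE_A) == "original"
    wire = first_device_reconstruct(original)
    assert classify_ingress(wire, DEVICE_B) == "reconstructed"
    table = {}
    assert second_device_restore(wire, conntrack=table) == original
    print("outer header:", parse_packet(wire)[:2], "conntrack:", table)
```

Two points the model makes visible: the second device rejects a packet on the address checks before touching the ciphertext, and it verifies the tag before decrypting, so a packet with a forged outer header or a modified body never yields a "restored" original packet. The connection-tracking entry maps the inner flow to the outer source so that return traffic can be sent back to the same peer; the patent only states that the source network-layer address is stored, so that key choice is an assumption of the example.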
Based on the same technical idea, an embodiment of the invention provides a terminal device, as shown in Figure 10, including at least one processor 1001 and a memory 1002 connected to the at least one processor. The embodiment of the invention does not limit the specific connection medium between the processor 1001 and the memory 1002; in Figure 10 the processor 1001 and the memory 1002 are connected by a bus. The bus can be divided into an address bus, a data bus, a control bus and so on.
In an embodiment of the invention, the memory 1002 stores instructions executable by the at least one processor 1001, and by executing the instructions stored in the memory 1002 the at least one processor 1001 can perform the steps included in the method of transmitting data described above.
The processor 1001 is the control centre of the terminal device: it connects the various parts of the terminal device through various interfaces and lines, and transmits data by running or executing the instructions stored in the memory 1002 and calling the data stored in the memory 1002. Optionally, the processor 1001 may include one or more processing units, and the processor 1001 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, the user interface, application programs and so on, and the modem processor mainly handles wireless communication. It is understood that the modem processor need not be integrated into the processor 1001. In some embodiments the processor 1001 and the memory 1002 may be implemented on the same chip; in other embodiments they may be implemented on separate chips.
The processor 1001 may be a general-purpose processor such as a central processing unit (CPU), a digital signal processor, an application specific integrated circuit (ASIC), a field programmable gate array or other programmable logic device, discrete gate or transistor logic, or discrete hardware components, and may implement or perform the methods, steps and logic diagrams disclosed in the embodiments of the invention. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of the invention may be performed directly by a hardware processor, or by a combination of hardware and software modules in the processor.
The memory 1002, as a non-volatile computer-readable storage medium, may be used to store non-volatile software programs, non-volatile computer-executable programs and modules. The memory 1002 may include at least one type of storage medium, for example flash memory, a hard disk, a multimedia card, card-type memory, random access memory (RAM), static random access memory (SRAM), programmable read-only memory (PROM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), magnetic memory, a magnetic disk, an optical disc and so on. The memory 1002 may be any medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited to these. The memory 1002 in the embodiments of the invention may also be a circuit or any other apparatus capable of implementing a storage function, used to store program instructions and/or data.
Based on the same technical idea, an embodiment of the invention provides a computer-readable medium storing a computer program executable by a terminal device; when the program runs on the terminal device, the terminal device performs the steps of the method of transmitting data.
Those skilled in the art should understand that the embodiments of the invention may be provided as a method or a computer program product. Therefore, the invention may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware aspects. Moreover, the invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical memory and so on) containing computer-usable program code.
The invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps are performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Although preferred embodiments of the invention have been described, those skilled in the art, once they know the basic inventive concept, may make additional changes and modifications to these embodiments. Therefore the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the invention.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from the spirit and scope of the invention. Thus, if these modifications and variations of the invention fall within the scope of the claims of the invention and their equivalent technologies, the invention is also intended to include these modifications and variations.
Claims (24)
1. A method of transmitting data, characterized by comprising:
a first network device encrypting an original data packet and adding a packet header to determine a reconstructed data packet, wherein the added packet header includes address information chosen from a preconfigured first address list, the original packet header of the original data packet includes the address information of a source-end network device and a destination-end network device, and the address information in the added packet header differs from the address information in the original packet header;
the first network device sending the reconstructed data packet to a second network device, so that the second network device, upon determining that the address information in the packet header of the reconstructed data packet matches address information in a preconfigured second address list, removes the added packet header and decrypts, obtaining the original data packet.
2. The method according to claim 1, characterized in that the first network device encrypting the original data packet and adding the packet header comprises:
the first network device adding the packet header to the original data packet after encrypting the original data packet, or encrypting the original data packet after adding the packet header to the original data packet;
and the second network device removing the added packet header and decrypting comprises:
the second network device removing the added packet header after decrypting the original data packet, or decrypting the original data packet after removing the added packet header.
3. The method according to claim 2, characterized in that encrypting the original data packet comprises:
encrypting the original data packet according to a preset data encryption length.
4. The method according to claim 2, characterized in that the first network device and the second network device are data forwarding devices, the address information in the added packet header includes at least the network-layer addresses of the first network device and the second network device, and the network-layer address in the added packet header differs from the network-layer address in the original packet header.
5. The method according to claim 4, characterized in that, before the first network device adds the packet header to the original data packet and determines the reconstructed data packet, the method further comprises:
the first network device receiving a data packet;
the first network device judging whether the destination network-layer address in the header of the data packet is the network-layer address of the first network device, and if it is not, determining that the data packet is an original data packet.
6. The method according to claim 4, characterized in that the original data packet further includes a virtual packet header added by the source-end network device, and the address information in the virtual packet header differs from the address information in the original packet header and from the address information in the added packet header.
7. The method according to claim 2, characterized in that the first network device is the source-end network device and the second network device is the destination-end network device, the address information of the first network device and the second network device includes at least a transport-layer address, and the transport-layer address in the added packet header differs from the transport-layer address in the original packet header.
8. A method of transmitting data, characterized by comprising:
a second network device receiving a reconstructed data packet sent by a first network device, wherein the reconstructed data packet is determined by the first network device by encrypting an original data packet and adding a packet header, the added packet header includes address information chosen from a preconfigured first address list, the original packet header of the original data packet includes the address information of a source-end network device and a destination-end network device, and the address information in the added packet header differs from the address information in the original packet header;
the second network device, upon determining that the address information in the packet header of the reconstructed data packet matches address information in a preconfigured second address list, removing the added packet header and decrypting, obtaining the original data packet.
9. The method according to claim 8, characterized in that the first network device encrypting the original data packet and adding the packet header comprises:
the first network device adding the packet header to the original data packet after encrypting the original data packet, or encrypting the original data packet after adding the packet header to the original data packet;
and the second network device removing the added packet header and decrypting comprises:
the second network device removing the added packet header after decrypting the original data packet, or decrypting the original data packet after removing the added packet header.
10. The method according to claim 9, characterized in that the first network device and the second network device are data forwarding devices;
and the second network device, upon determining that the address information in the packet header of the reconstructed data packet matches address information in the preconfigured second address list, removing the added packet header and decrypting, obtaining the original data packet, comprises:
the second network device, upon determining that the destination network-layer address in the packet header of the reconstructed data packet is the network-layer address of the second network device, and that the address information in the packet header of the reconstructed data packet matches address information in the preconfigured second address list, removing the added packet header and decrypting, obtaining the original data packet, and storing the source network-layer address of the packet header of the reconstructed data packet in connection tracking.
11. The method according to claim 9, characterized in that the first network device is the source-end network device and the second network device is the destination-end network device;
and the second network device, upon determining that the address information in the packet header of the reconstructed data packet matches address information in the preconfigured second address list, removing the added packet header and decrypting, obtaining the original data packet, comprises:
the second network device, upon determining that the destination network-layer address in the packet header of the reconstructed data packet is the network-layer address of the second network device, that the packet header of the reconstructed data packet includes a transport-layer address, and that the transport-layer address in the packet header of the reconstructed data packet matches a transport-layer address in the preconfigured second address list, removing the added packet header and decrypting, obtaining the original data packet.
12. A first network device, characterized by comprising:
a first processing module, configured to encrypt an original data packet and add a packet header to determine a reconstructed data packet, wherein the added packet header includes address information chosen from a preconfigured first address list, the original packet header of the original data packet includes the address information of a source-end network device and a destination-end network device, and the address information in the added packet header differs from the address information in the original packet header;
a first sending module, configured to send the reconstructed data packet to a second network device, so that the second network device, upon determining that the address information in the packet header of the reconstructed data packet matches address information in a preconfigured second address list, removes the added packet header and decrypts, obtaining the original data packet.
13. The first network device according to claim 12, characterized in that the first processing module is further configured to:
add the packet header to the original data packet after encrypting the original data packet, or encrypt the original data packet after adding the packet header to the original data packet; and the second network device removes the added packet header after decrypting the original data packet, or decrypts the original data packet after removing the added packet header.
14. The first network device according to claim 13, characterized in that the first processing module is specifically configured to:
encrypt the original data packet according to a preset data encryption length.
15. The first network device according to claim 13, characterized in that the first network device and the second network device are data forwarding devices, the address information in the added packet header includes at least the network-layer addresses of the first network device and the second network device, and the network-layer address in the added packet header differs from the network-layer address in the original packet header.
16. The first network device according to claim 15, characterized by further comprising a first receiving module;
the first receiving module is specifically configured to receive a data packet before the packet header is added to the original data packet and the reconstructed data packet is determined;
the first processing module is further configured to judge whether the destination network-layer address in the header of the data packet is the network-layer address of the first network device, and if it is not, to determine that the data packet is an original data packet.
17. The first network device according to claim 15, characterized in that the original data packet further includes a virtual packet header added by the source-end network device, and the address information in the virtual packet header differs from the address information in the original packet header and from the address information in the added packet header.
18. The first network device according to claim 13, characterized in that the first network device is the source-end network device and the second network device is the destination-end network device, the address information of the first network device and the second network device includes at least a transport-layer address, and the transport-layer address in the added packet header differs from the transport-layer address in the original packet header.
19. A second network device, characterized by comprising:
a second receiving module, configured to receive a reconstructed data packet sent by a first network device, wherein the reconstructed data packet is determined by the first network device by encrypting an original data packet and adding a packet header, the added packet header includes address information chosen from a preconfigured first address list, the original packet header of the original data packet includes the address information of a source-end network device and a destination-end network device, and the address information in the added packet header differs from the address information in the original packet header;
a second processing module, configured to remove the added packet header and decrypt, obtaining the original data packet, upon determining that the address information in the packet header of the reconstructed data packet matches address information in a preconfigured second address list.
20. The second network device according to claim 19, characterized in that the first network device adds the packet header to the original data packet after encrypting the original data packet, or encrypts the original data packet after adding the packet header to the original data packet;
and the second processing module is further configured to:
remove the added packet header after decrypting the original data packet, or decrypt the original data packet after removing the added packet header.
21. The second network device according to claim 20, characterized in that the first network device and the second network device are data forwarding devices;
and the second processing module is specifically configured to:
upon determining that the destination network-layer address in the packet header of the reconstructed data packet is the network-layer address of the second network device, and that the address information in the packet header of the reconstructed data packet matches address information in the preconfigured second address list, remove the added packet header and decrypt, obtaining the original data packet, and store the source network-layer address of the packet header of the reconstructed data packet in connection tracking.
22. The second network device according to claim 20, characterized in that the first network device is the source-end network device and the second network device is the destination-end network device;
and the second processing module is specifically configured to:
upon determining that the destination network-layer address in the packet header of the reconstructed data packet is the network-layer address of the second network device, that the packet header of the reconstructed data packet includes a transport-layer address, and that the transport-layer address in the packet header of the reconstructed data packet matches a transport-layer address in the preconfigured second address list, remove the added packet header and decrypt, obtaining the original data packet.
23. A terminal device, characterized by comprising at least one processing unit and at least one storage unit, wherein the storage unit stores a computer program, and when the program is executed by the processing unit, the processing unit performs the steps of the method of any one of claims 1 to 7 or 8 to 11.
24. A computer-readable medium, characterized in that it stores a computer program executable by a terminal device, and when the program runs on the terminal device, the terminal device performs the steps of the method of any one of claims 1 to 7 or 8 to 11.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910366851.0A CN110191098A (en) | 2019-05-05 | 2019-05-05 | A kind of method, first network equipment and second network equipment transmitting data |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110191098A true CN110191098A (en) | 2019-08-30 |
Family
ID=67715646
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910366851.0A Pending CN110191098A (en) | 2019-05-05 | 2019-05-05 | A kind of method, first network equipment and second network equipment transmitting data |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110191098A (en) |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030018908A1 (en) * | 2001-07-23 | 2003-01-23 | Mercer Chad W. | Method for establishing a security association between two or more computers communicating via an interconnected computer network |
EP1333642B1 (en) * | 2002-01-28 | 2008-08-20 | Hughes Network Systems, LLC | Method and system for integrating performance enhancing functions in a virtual private network (VPN) |
CN101753531A (en) * | 2008-12-19 | 2010-06-23 | 上海安达通信息安全技术股份有限公司 | Method utilizing https/http protocol to realize encapsulation of IPsec protocol |
CN102710487A (en) * | 2012-05-25 | 2012-10-03 | 广东电网公司电力科学研究院 | Method for simplifying network data flow based on ESP (Encapsulating Security Payload) technology encapsulation |
CN102868686A (en) * | 2012-08-31 | 2013-01-09 | 广东电网公司电力科学研究院 | Method for enhancing data encryption based on ESP (encapsulating security payload) encapsulation |
CN103888450A (en) * | 2014-03-06 | 2014-06-25 | 江苏金陵科技集团有限公司 | IPSec processing method on Window platform |
CN104184646A (en) * | 2014-09-05 | 2014-12-03 | 深信服网络科技(深圳)有限公司 | VPN data interaction method and system and VPN data interaction device |
CN108134794A (en) * | 2017-12-26 | 2018-06-08 | 南京航空航天大学 | A kind of method of business datum encrypted transmission in intelligence manufacture Internet of Things based on GRE and IPSEC |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11706026B2 (en) | | Location aware cryptography |
US20220131709A1 (en) | | Mutually Authenticated ECDHE Key Exchange for a Device and a Network Using Multiple PKI Key Pairs |
US8300822B2 (en) | | System for secure packet communication |
CN109450852B (en) | | Network communication encryption and decryption method and electronic equipment |
CN105262772B (en) | | Data transmission method, system and related device |
CN112491821B (en) | | IPSec message forwarding method and device |
CN106452770B (en) | | Data encryption method, data decryption method, device and system |
CN103442059A (en) | | File sharing method and device |
CN110399717A (en) | | Key acquisition method and device, storage medium and electronic device |
CN107528917B (en) | | File storage method and device |
CN103916477A (en) | | Data storage method and device and data downloading method and device for cloud environment |
CN103248476B (en) | | The management method of data encryption key, system and terminal |
CN106101007B (en) | | Handle the method and device of message |
CN104184740A (en) | | Credible transmission method, credible third party and credible transmission system |
CN107454590A (en) | | A kind of data ciphering method, decryption method and wireless router |
CN110620762A (en) | | RDMA (remote direct memory Access) -based data transmission method, network card, server and medium |
US8880892B2 (en) | | Secured embedded data encryption systems |
CN111192050B (en) | | Digital asset private key storage and extraction method and device |
CN106789008B (en) | | Method, device and system for decrypting sharable encrypted data |
CN107872315B (en) | | Data processing method and intelligent terminal |
CN108933758B (en) | | Sharable cloud storage encryption and decryption method, device and system |
CN111835613B (en) | | Data transmission method of VPN server and VPN server |
CN110598427B (en) | | Data processing method, system and storage medium |
CN110191098A (en) | | A kind of method, first network equipment and second network equipment transmitting data |
CN105450597B (en) | | A kind of information transferring method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |
Application publication date: 20190830