CN110535748B - VPN tunnel mode optimization method and system - Google Patents

VPN tunnel mode optimization method and system

Info

Publication number
CN110535748B
Authority
CN
China
Prior art keywords
message
table entry
strategy table
strategy
keyid
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910847173.XA
Other languages
Chinese (zh)
Other versions
CN110535748A (en)
Inventor
徐萌
李勃
梁野
高明慧
马力
张志军
多志林
王丹
刘锦利
计士禹
张广文
刘新龙
修增哲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Kedong Electric Power Control System Co Ltd
Original Assignee
Beijing Kedong Electric Power Control System Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date: 2019-09-09
Publication date: 2021-03-26
Application filed by Beijing Kedong Electric Power Control System Co Ltd
Priority to CN201910847173.XA
Publication of CN110535748A
Application granted
Publication of CN110535748B
Legal status: Active

Links

Images

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Abstract

The invention discloses a VPN tunnel mode optimization method and system comprising the following process: a policy table entry is added and a unique number, the KeyID, is configured to identify that entry; the policy table entry contains an IP address and a port number. The local-end device performs policy matching on the plaintext packet; once the match succeeds, the KeyID replaces the original IP header and port number, the data is encrypted, an outer IP header and AH/ESP information are added to produce the encrypted packet, and the encrypted packet is forwarded to the peer device. After receiving the encrypted packet, the peer device decrypts the data, looks up the policy table entry by the KeyID recovered from the decrypted data and, once the entry is found, restores the IP header and port number from that entry. The method reduces the growth in data volume caused by encryption.

Description

VPN tunnel mode optimization method and system
Technical Field
The invention belongs to the technical field of communication, and particularly relates to a VPN tunnel mode optimization method and system.
Background
When existing IPsec VPN encryption devices use the ordinary tunnel mode, the local-end encryption device encrypts the original IP packet, adds an outer IP header and AH/ESP information and sends the new packet to the peer device; the peer device decrypts it to recover the original data, strips the outer IP header and the ESP/AH information, and delivers the original packet to the receiving end. In the existing IPsec encapsulation format, shown in fig. 1, the content inside the rectangular frame in tunnel mode is the original IP packet and everything else is newly added data.
In summary, IPsec VPN tunnel-mode encryption adds a relatively large amount of new content (outer IP header, AH/ESP information and so on) to every packet. In the power-industry protocol 104 (IEC 60870-5-104), many packets are no longer than 64 bytes; if the existing tunnel mode is used to encrypt them, the added length is large relative to the actual data length, and the real network load rises accordingly.
Disclosure of Invention
The invention aims to overcome the shortcomings of the prior art by providing a VPN tunnel mode optimization method that reduces the growth in data volume after encryption.
To solve this technical problem, the invention provides a VPN tunnel mode optimization method characterized by comprising the following steps:
adding a policy table entry and configuring a unique number, the KeyID, to identify that policy table entry; the policy table entry comprises an IP address and a port number;
the local-end device performs policy matching on the plaintext packet; after the policy match succeeds, the KeyID replaces the original IP header and port number, the data is encrypted, an outer IP header and AH/ESP information are added to generate an encrypted packet, and the encrypted packet is forwarded to the peer device;
and after receiving the encrypted packet, the peer device decrypts the data, looks up the policy table entry by the KeyID obtained after decryption and, once the policy table entry is matched successfully, restores the IP header and port number according to that entry.
Further, the data encryption uses IPsec tunnel mode.
Further, the KeyID is 4 bytes long and is assigned according to the actual service.
Correspondingly, the invention also provides a VPN tunnel mode optimization system characterized by comprising a policy table entry establishing module, a data encryption module and a data decryption module;
the policy table entry establishing module is used to add policy table entries and to configure a unique number, the KeyID, to identify each policy table entry; the policy table entry comprises an IP address and a port number;
the data encryption module is used to perform policy matching on the plaintext packet, to replace the original IP header and port number with the KeyID after a successful match and then encrypt the data, to add an outer IP header and AH/ESP information to generate an encrypted packet, and to forward the encrypted packet to the peer device;
and the data decryption module is used to decrypt the data after receiving the encrypted packet, to look up the policy table entry by the KeyID obtained after decryption and, once the policy table entry is matched successfully, to restore the IP header and port number according to that entry.
Further, in the data encryption module, IPsec tunnel mode is used for data encryption.
Further, in the policy table entry establishing module, the KeyID is 4 bytes long and is assigned according to the actual service.
Compared with the prior art, the invention has the following beneficial effect: the method reduces the growth in data volume after encryption.
Drawings
Fig. 1 is a schematic diagram of the IPsec packet encapsulation format in the prior art;
fig. 2 is a schematic diagram of the packet structure after encryption by the method of the invention and by the prior-art method.
Detailed Description
The invention is further described below with reference to the accompanying drawings. The following examples only illustrate the technical solution of the invention more clearly and do not limit its scope of protection.
The invention discloses a VPN tunnel mode optimization method comprising the following process:
Step 1: the devices on both sides encrypt data in IPsec tunnel mode.
Step 2: a policy table entry is added on the devices on both sides. The entry contains an IP address, a port number and a protocol number (TCP, UDP, ICMP and so on), and a unique number, the KeyID, is configured to identify the entry.
Encryption and decryption devices exist in pairs. For a pair of encryption devices one policy is configured per service; in other words, one service requires one policy. A device may hold many policies, each independent of the others; they are normally managed in one table, the policy table, in which each policy is one entry, the policy table entry.
For the same service the policy contents on the two devices must be identical, and the two devices must configure the same KeyID for the policy table entry of that service, so that both sides locate the same unique policy table entry by its KeyID.
The KeyID is stored in 4 bytes: the first two bytes are selector information such as the geographic location of the service deployment, and the last two bytes are divided according to information such as the actual service type.
The policy is the basis for deciding whether a packet is legal, and any check information may be added as actual use requires, for example the source MAC, the destination MAC, or the TCP/IP five-tuple (source IP address, destination IP address, protocol number, source port, destination port).
Step 3: after receiving a plaintext packet, the local-end device matches it against the policy (every item configured in the policy is checked; matching succeeds only when the content of the packet agrees completely with the policy configuration). After a successful match the KeyID replaces the original IP header and the TCP/UDP port numbers (for ICMP, which has no port numbers, only the original IP header is replaced), the data is encrypted, and an outer IP header and AH/ESP information are added; because the original IP header is no longer sent in the clear (in ordinary tunnel mode it is encrypted, here it is replaced by the KeyID), a new IP header whose destination is the peer encryption device is required. The resulting encrypted packet is forwarded to the peer device.
Depending on actual use, the encryption algorithm may be a Chinese national cryptographic algorithm such as SM1, SM2, SM3 or SM4; the power-industry-specific algorithm is SSF09.
Step 4: after receiving the encrypted packet, the peer device decrypts the data and looks up the policy by the KeyID found in the decrypted data. If a policy with that KeyID exists, the IP header and TCP/UDP port numbers are restored from the IP address, port number, protocol number and other fields configured in that policy: the IP header fields that depend on the actual packet, such as total length, header checksum and fragment identification, are recomputed from the packet, and the remaining fields are filled from the system defaults. The packet is then forwarded to the destination IP address of the restored original IP packet.
When the scheme of the invention and the existing scheme are applied to the same packet, referring to fig. 2, the change in packet length compares as follows:
Scheme of the invention: the original IP header is 20 bytes and the TCP/UDP port information is 4 bytes; these are replaced by the 4-byte KeyID and a 20-byte outer IP header is added. For TCP/UDP packets the encrypted packet therefore has the same length as the original (24 bytes removed, 24 bytes added). For ICMP packets, which carry no port information, the 4-byte KeyID replaces only the original IP header, so after the 20-byte outer header is added the encrypted packet is 4 bytes longer than the original.
Existing scheme: the original IP packet is left unchanged and a 20-byte outer IP header is added, so the encrypted packet is 20 bytes longer than the original.
For a 64-byte packet the existing scheme therefore increases traffic by about 31% (20/64), while the new scheme adds nothing for TCP/UDP and about 6% (4/64) for ICMP. (Note: this comparison counts only the outer IP header against the original data; the AH/ESP information varies in length with the application scenario and is the same under both schemes, so it is excluded.)
When the network MTU is 1500 (the MTU is the maximum length of an IP packet; a packet longer than the MTU must be fragmented, that is, one IP packet is split into two or more IP packets), the effect of the original and new schemes on data transmission compares as follows:
a) The AH/ESP information grows by the same amount under both schemes and is not included in the comparison.
b) TCP/UDP packets longer than 1480 bytes:
i. the original scheme adds 20 bytes, the packet exceeds 1500 bytes and must be fragmented, so the number of packets increases;
ii. under the new scheme the packet length is unchanged and no fragmentation is needed.
c) ICMP packets longer than 1480 bytes but no longer than 1496 bytes:
i. the original scheme adds 20 bytes, the packet exceeds 1500 bytes and must be fragmented, so the number of packets increases;
ii. the new scheme adds 4 bytes, the packet does not exceed 1500 bytes and no fragmentation is needed.
d) ICMP packets longer than 1496 bytes exceed 1500 bytes under both schemes and must be fragmented, so the number of packets increases under both.
In summary, the technical scheme of the invention reduces the growth in data volume after encryption.
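The length and fragmentation comparison above, carried through as an added Python example (not from the patent): `encrypted_length` counts only the outer IP header, as the text does; `ipv4_fragments` gives the number of IP packets at MTU 1500; and `largest_unfragmented` finds the boundaries the list states (1480 bytes under the existing scheme, 1500 for TCP/UDP and 1496 for ICMP under the new one). The protocol labels, the scheme names and the row layout are this example's own.

```python
"""Packet growth and IPv4 fragmentation: existing tunnel mode vs. the KeyID scheme (added example)."""
import math

IP_HDR_LEN, PORTS_LEN, KEYID_LEN = 20, 4, 4
TCP_UDP = ("tcp", "udp")


def encrypted_length(orig_len, proto, scheme):
    """Length on the wire after encapsulation, counting only the outer IP header as the page's
    comparison does (AH/ESP overhead is the same under both schemes and is left out)."""
    if scheme == "existing":
        return orig_len + IP_HDR_LEN  # original packet kept whole, outer header added
    stripped = IP_HDR_LEN + (PORTS_LEN if proto in TCP_UDP else 0)  # ICMP has no ports to strip
    return orig_len - stripped + KEYID_LEN + IP_HDR_LEN


def ipv4_fragments(total_len, mtu=1500):
    """Number of IP packets after fragmentation: every fragment carries its own 20-byte header and,
    except the last, a payload that is a multiple of 8 bytes (1480 bytes at MTU 1500)."""
    if total_len <= mtu:
        return 1
    per_fragment = (mtu - IP_HDR_LEN) // 8 * 8
    return math.ceil((total_len - IP_HDR_LEN) / per_fragment)


def largest_unfragmented(proto, scheme, mtu=1500):
    """Largest original packet that still fits the MTU after encapsulation."""
    n = mtu
    while encrypted_length(n, proto, scheme) > mtu:
        n -= 1
    return n


def growth_table(lengths, protos=("tcp", "icmp"), mtu=1500):
    """One row per (protocol, original length): wire length, growth in percent and fragment count."""
    rows = []
    for proto in protos:
        for n in lengths:
            old, new = encrypted_length(n, proto, "existing"), encrypted_length(n, proto, "keyid")
            rows.append({"proto": proto, "orig": n,
                         "existing": old, "existing_pct": 100.0 * (old - n) / n,
                         "existing_frags": ipv4_fragments(old, mtu),
                         "keyid": new, "keyid_pct": 100.0 * (new - n) / n,
                         "keyid_frags": ipv4_fragments(new, mtu)})
    return rows


if __name__ == "__main__":
    for row in growth_table((64, 1480, 1496, 1500)):
        print("{proto:4s} {orig:5d} B  existing: {existing:5d} B (+{existing_pct:4.1f}%, {existing_frags} pkt)  "
              "keyid: {keyid:5d} B (+{keyid_pct:4.1f}%, {keyid_frags} pkt)".format(**row))
```

Running it prints the 64-byte case as +31.2% against 0% (TCP) and +6.2% (ICMP), and shows the 1496-byte ICMP packet staying in one fragment under the KeyID scheme while the existing scheme needs two.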
Correspondingly, the invention also provides a VPN tunnel mode optimization system characterized by comprising a policy table entry establishing module, a data encryption module and a data decryption module;
the policy table entry establishing module is used to add policy table entries and to configure a unique number, the KeyID, to identify each policy table entry; the policy table entry comprises an IP address and a port number;
the data encryption module is used to perform policy matching on the plaintext packet, to replace the original IP header and port number with the KeyID after a successful match and then encrypt the data, to add an outer IP header and AH/ESP information to generate an encrypted packet, and to forward the encrypted packet to the peer device;
and the data decryption module is used to decrypt the data after receiving the encrypted packet, to look up the policy table entry by the KeyID obtained after decryption and, once the policy table entry is matched successfully, to restore the IP header and port number according to that entry.
Further, in the data encryption module, IPsec tunnel mode is used for data encryption.
Further, in the policy table entry establishing module, the KeyID is 4 bytes long: the first two bytes are selector information and the last two bytes are divided according to information such as the actual service type.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, several modifications and variations can be made without departing from the technical principle of the present invention, and these modifications and variations should also be regarded as the protection scope of the present invention.

Claims (6)

1. A VPN tunnel mode optimization method, characterized by comprising the following process:
adding a policy table entry and configuring a unique number, the KeyID, to identify that policy table entry, the policy table entry comprising an IP address and a port number;
the local-end device performing policy matching on the plaintext packet and, after the policy match succeeds, replacing the original IP header and port number with the KeyID, encrypting the data, adding an outer IP header and AH/ESP information to generate an encrypted packet, and forwarding the encrypted packet to the peer device;
and the peer device, after receiving the encrypted packet, decrypting the data, looking up the policy table entry by the KeyID obtained after decryption and, after the policy table entry is matched successfully, restoring the IP header and port number according to the policy table entry.
2. The method of claim 1, wherein the data encryption uses IPsec tunnel mode.
3. The method of claim 1, wherein the KeyID is 4 bytes long and is assigned according to the actual service.
4. A VPN tunnel mode optimization system, characterized by comprising a policy table entry establishing module, a data encryption module and a data decryption module;
the policy table entry establishing module being used to add policy table entries and to configure a unique number, the KeyID, to identify each policy table entry, the policy table entry comprising an IP address and a port number;
the data encryption module being used to perform policy matching on the plaintext packet, to replace the original IP header and port number with the KeyID after a successful match and then encrypt the data, to add an outer IP header and AH/ESP information to generate an encrypted packet, and to forward the encrypted packet to the peer device;
and the data decryption module being used to decrypt the data after receiving the encrypted packet, to look up the policy table entry by the KeyID obtained after decryption and, after the policy table entry is matched successfully, to restore the IP header and port number according to the policy table entry.
5. The VPN tunnel mode optimization system of claim 4, wherein the data encryption module uses IPsec tunnel mode for data encryption.
6. The VPN tunnel mode optimization system of claim 4, wherein in the policy table entry establishing module the KeyID is 4 bytes long and is assigned according to the actual service.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910847173.XA CN110535748B (en) 2019-09-09 2019-09-09 VPN tunnel mode optimization method and system

Publications (2)

Publication Number Publication Date
CN110535748A CN110535748A (en) 2019-12-03
CN110535748B true CN110535748B (en) 2021-03-26

Family

ID=68667707

Country Status (1)

Country Link
CN (1) CN110535748B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111371549B (en) * 2020-03-05 2023-03-24 浙江双成电气有限公司 Message data transmission method, device and system
CN112073372B (en) * 2020-08-04 2023-06-27 南京国电南自维美德自动化有限公司 Dual encryption method and decryption method for communication message of power system and message interaction system
CN112637237B (en) * 2020-12-31 2022-08-16 网络通信与安全紫金山实验室 Service encryption method, system, equipment and storage medium based on SRoU
CN114363257B (en) * 2021-12-29 2023-10-17 杭州迪普信息技术有限公司 Five-tuple matching method and device for tunnel message
CN114710324B (en) * 2022-03-16 2024-02-13 深圳市风云实业有限公司 Cross-network tunnel message transmission method based on cipher-key replacement encryption and decryption
CN114915451B (en) * 2022-04-07 2023-07-21 南京邮电大学 Fusion tunnel encryption transmission method based on enterprise-level router

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101262331A (en) * 2007-03-05 2008-09-10 株式会社日立制作所 Communication content audit support system
CN101447907A (en) * 2008-10-31 2009-06-03 北京东方中讯联合认证技术有限公司 VPN secure access method and system thereof
CN104618211A (en) * 2014-12-31 2015-05-13 杭州华三通信技术有限公司 Tunnel based message processing method and headquarters gateway device
CN106790200A (en) * 2016-12-30 2017-05-31 盛科网络(苏州)有限公司 The chip association processing method of CAPWAP control channel DTLS encryption and decryption
CN109005198A (en) * 2018-09-12 2018-12-14 杭州和利时自动化有限公司 A kind of controller attack protection security strategy generation method and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8726007B2 (en) * 2009-03-31 2014-05-13 Novell, Inc. Techniques for packet processing with removal of IP layer routing dependencies

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Wang Fengling, "Research on the application of IPsec-based VPN technology" (基于IPsec的VPN技术的应用研究), Computer Technology and Development (计算机技术与发展), 2012-09-10, vol. 22, no. 9, pp. 250-253 *

Also Published As

Publication number Publication date
CN110535748A (en) 2019-12-03

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant