CN1545292A - A method for embedding IPSEC in IP protocol stack

Info

Publication number: CN1545292A
Authority: CN (China)
Prior art keywords: ipsec, packet, security policy, security, stack
Legal status: Granted
Application number: CNA2003101136034A
Other languages: Chinese (zh)
Other versions: CN100512278C (en)
Inventors: 陈开渠, 李卓明, 赵洁, 陈海彬, 李亚晖, 丁勇, 彭志威
Current assignee: ZTE Corp
Original assignee: ZTE Corp
Priority date: 2003-11-13
Filing date: 2003-11-13
Application history: filed by ZTE Corp; priority to CN 200310113603 (granted as CN100512278C), PCT/CN2003/001077 (WO2005048553A1) and AU2003292854A (AU2003292854A1); publication of CN1545292A; application granted; publication of CN100512278C; current legal status: Expired - Fee Related (anticipated expiration).

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/164 Implementing security features at a particular protocol layer at the network layer
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L 69/161 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields

Abstract

The invention discloses a method for embedding IPsec in an IP protocol stack, comprising the following steps: 1) in the IP input processing flow of the IP protocol stack, after the basic IP processing is complete, insert the IPsec input processing flow; 2) in the IP output processing flow, after the basic IP processing is complete, insert the IPsec output processing flow. Compared with existing techniques, this method overcomes the drawbacks of the embedding modes of FreeS/WAN and KAME and can implement the complete IPsec functions, such as security policy checks on forwarded IP packets, security policy checks on non-IPsec packets destined for the local host, support for nested security policies, support for high security granularity, and so on.

Description

A method for embedding IPSEC in an IP protocol stack
Technical field
The invention belongs to the field of information security within information technology. It relates to an IPsec implementation method and, in particular, to a method for embedding IPsec in an IP protocol stack.
Background technology
In the following, IP refers to the Internet communication protocol Internet Protocol, and IPsec refers to IP Security, the protocol that provides security protection for IP.
1. Basic functions of IPsec
The IP protocol itself is insecure: an IP packet may be eavesdropped on, tampered with or replayed in transit. To overcome these weaknesses the IETF (the Internet standards body) designed the IPsec protocol suite, which provides security protection for IPv4 and IPv6 packets, including data origin authentication, connectionless data integrity, anti-replay, data confidentiality and limited traffic-flow confidentiality.
IPsec provides security services at the IP layer. It lets a system select the required security protocols, decide which algorithms the services use, and supply the keys those services need. IPsec is used to protect paths between one or more hosts, between security gateways, and between a security gateway and a host (a "security gateway" is an intermediate system that runs the IPsec protocols, for example a router or a firewall that implements IPsec).
The security services IPsec can provide include connectionless integrity, data origin authentication, anti-replay protection, confidentiality and limited traffic-flow confidentiality. Because these services are all provided at the IP layer, any upper-layer protocol can use them, for example TCP, UDP, ICMP, BGP and so on.
2. Operating principle of IPsec
IPsec uses two protocols to provide transmission security: the Authentication Header protocol (AH) and the Encapsulating Security Payload (ESP). Both are described in detail in their respective standards documents.
√ The IP Authentication Header (AH) provides connectionless integrity verification, data origin authentication and an optional anti-replay service.
√ The Encapsulating Security Payload (ESP) provides encryption and limited traffic-flow encryption; it can also provide connectionless integrity verification, data origin authentication and an anti-replay service.
√ Through traffic-flow management based on key distribution, both AH and ESP can serve as a vehicle for access control.
The AH protocol and the ESP protocol can be used independently or in combination to provide the set of security services required in IPv4 and IPv6 environments. Both support two modes: transport mode and tunnel mode. In transport mode, protection is provided for upper-layer protocols; in tunnel mode, it is used to protect IP packets carried through a tunnel. The difference between the two modes is shown in Figure 1.
IPsec allows the user (or system administrator) to control the granularity of the security services. For example, a user can use a single encrypted tunnel to carry all traffic between two security gateways, or create a separate encrypted tunnel for each TCP connection between hosts behind the gateways. IPsec management therefore needs to express the following properties:
√ which security services are used and in which combination;
√ the granularity at which the security protection is applied;
√ the encryption and authentication algorithms the security protection uses.
Because these security services use shared keys, IPsec relies on a separate set of mechanisms to distribute those keys. (The keys are used for the authentication, integrity verification and encryption services.) IPsec supports two key distribution modes, manual and automatic. For automatic key management it defines a specific public-key based method (IKE, Internet Key Exchange), but other automatic key distribution techniques may also be used, for example Kerberos (based on a KDC) and other public-key systems such as SKIP.
3. IPsec implementation approaches
IPsec can be implemented on a host, or at the junction formed by a router or firewall (forming a security gateway). Several common implementation approaches are listed below:
√ IPsec fully integrated into the IP layer. This requires access to the IP source code. This approach is applicable to both hosts and gateways.
√ "Bump-in-the-stack" (BITS) implementation. IPsec is implemented below the original IP stack, between the IP layer and the network device driver layer. The IP stack source code is not needed in this case, so this approach suits legacy systems; it is mostly used on hosts.
√ Using an external encryption processing device. This is a design commonly used in military and financial network security systems; it is sometimes called a "Bump-in-the-wire" (BITW) implementation. It is used on hosts or gateways (or both).
In practice, implementations often do not follow one of these three approaches entirely, but adopt parts of them or mix several of them.
4. Problems with existing embedding methods
An IPsec embedding method must support the following functions:
√ Routine encapsulation and decapsulation.
This includes: applying IPsec encapsulation to output packets and, if the encapsulated packet exceeds the maximum transmission length of the network interface, fragmenting it; applying IPsec decapsulation to input packets, reassembling first if the packet is a fragment, and, if the result of decapsulation is still a fragment, reassembling it again before passing it to the upper-layer protocol.
√ Security policy checks on input packets.
That is, comparing whether the security policy specified for the packet in the Security Policy Database is consistent with the IPsec protection actually applied to it. Not only packets destined for the local host that carry IPsec protection need to be checked; packets destined for the local host without IPsec protection, and forwarded packets passing through the local host, also need to be checked in order to decide whether to allow them through.
√ Support for high security granularity.
That is, as described above, creating a separate encrypted tunnel for each TCP connection between hosts behind the gateways. This requires that the TCP port be read out of the packet during the security policy check after input decapsulation, reassembling first if the new packet produced by decapsulation is a fragment. The TCP port must also be read out of the packet when the security policy is queried before output encapsulation, again reassembling first if the packet is a fragment.
√ Support for nested security policies.
That is, applying several IPsec protections to one packet. On packet output, IPsec encapsulation must be repeatable; on packet input, IPsec decapsulation must be repeatable.
Because the IP stack itself already has input, forwarding and output flows, with reassembly and fragmentation handled in between, it is a very complex flow in its own right, and embedding IPsec in it is therefore also a difficult problem. The choice of embedding points must make the basic functions of IPsec achievable without disturbing the normal flow of the IP stack.
This complexity has led existing IPsec stacks to adopt simple embedding modes at design time, sacrificing part of the functionality. The FreeS/WAN stack, for example, adopted a simple BITS embedding mode, in the plain form of embedding IPsec input at the top of the IP stack and IPsec output at the bottom of the IP stack, which leads to defects such as:
√ security policy checks cannot be performed on forwarded IP packets;
√ if an IP packet destined for the local host does not use IPsec, no security policy check can be performed;
√ the case where the packet is still an IP fragment after IPsec decapsulation cannot be handled;
√ upper-layer protocol ports are not supported as security policy selectors, so high security granularity cannot be supported.
The KAME stack adopts the approach of full integration into the IP layer. Although it can implement the functions of IPsec, it has the following defects:
√ if an IP packet destined for the local host does not use IPsec, no security policy check can be performed;
√ upper-layer protocol ports cannot be used as security policy selectors, so high security granularity cannot be supported.
KAME was designed together with its IP stack, and its IPsec processing is tightly coupled with the IP processing flow, scattered across the various parts of the IP stack, so it is difficult to maintain. Moreover, the designer usually faces an existing, fixed IP stack and cannot make such large modifications to it.
This patent proposes a method for embedding IPsec in an IP protocol stack that not only solves the problems above but also requires only simple changes to the IP stack, and is therefore very easy to implement.
Summary of the invention
The present invention overcomes the problem that the embedding modes of existing IPsec implementations either fail to realise the complete function of IPsec or are difficult to implement, and proposes an IPsec embedding method that is easy to implement and realises the complete function of IPsec.
The method of the present invention for embedding IPsec in an IP protocol stack comprises the following processing steps:
Step 1: in the IP input processing flow of the IP stack, after the basic IP processing is complete, insert the IPsec input processing flow.
The insertion point of the IPsec input processing flow is located after the basic processing of the IP packet is finished: before forwarding processing (when the destination address is not the local host), or before reassembling IP fragments and calling the input processing of upper-layer protocols such as TCP and UDP (when the destination address is the local host).
Step 2: in the IP output processing flow of the IP stack, after the basic IP processing is complete, insert the IPsec output processing flow.
The insertion point of the IPsec output processing flow is located after assembly of the IP packet and route selection are finished, and before fragmentation and the call to the interface layer to send the packet.
The IPsec input processing flow comprises the following steps:
1) determine whether the IP packet is a multicast packet; if so, exit directly;
2) perform IPsec decapsulation;
IPsec decapsulation comprises the following sub-steps:
a. if the packet is not an IPsec packet destined for the local host, jump to step 3);
b. if the IP packet is a fragment, reassemble the IP packet;
c. convert the three fields length, ID and offset to network byte order;
d. obtain the Security Parameter Index from the IP packet, query the security parameter database and obtain the corresponding security parameters;
e. use the security parameters to perform IPsec input verification, decryption and decapsulation;
f. convert the three fields length, ID and offset back to host byte order;
g. jump to sub-step a.
3) if the IP packet is a fragment, reassemble the IP packet;
4) perform the security policy check;
5) finish.
The IPsec output processing flow comprises the following steps:
1) determine whether the IP packet is a multicast packet; if so, exit directly;
2) obtain the security policy selector from the IP packet and query the Security Policy Database to obtain the security policy;
3) if the security policy is PASS, exit directly; if it is DROP, discard the IP packet directly; if the security policy is IPSEC, go to step 4);
4) perform IPsec encapsulation;
IPsec encapsulation comprises the following sub-steps:
a. convert the length and offset fields to network byte order;
b. get the security parameters specified by the security policy;
c. use the security parameters to perform IPsec encapsulation, encryption and authentication;
d. if there is a next nested security policy, jump to sub-step b;
e. convert the length and offset fields back to host byte order;
5) finish.
With the embedding method of the present invention, compared with the prior art, the weaknesses of the embedding modes of FreeS/WAN and KAME are overcome and the complete function of IPsec can be realised, including what the two earlier embedding modes cannot achieve:
√ security policy checks on forwarded IP packets;
√ security policy checks on non-IPsec packets destined for the local host;
√ handling the case where the packet is still an IP fragment after IPsec decapsulation;
√ support for nested security policies;
√ support for high security granularity.
Description of drawings
Fig. 1 is a schematic diagram of the operating principle of IPsec.
Fig. 2 is a flowchart of the IPsec input processing of the present invention.
Fig. 3 is a flowchart of the IPsec output processing of the present invention.
Embodiments
As can be seen from Figure 1, an IP packet is still an IP packet after IPsec encapsulation, and it is still handled on the network as an IP packet by the IP processing flow. IPsec processing is therefore a part of IP processing. To complete IPsec processing, the IPsec output processing flow must be embedded in the IP output processing flow, and the IPsec input processing flow must be embedded in the IP input processing flow. After embedding, the IP output processing flow calls the IPsec output processing flow, and the IP input processing flow calls the IPsec input processing flow. An IPsec embedding method therefore has four aspects:
√ the embedding point of IPsec input;
√ the processing flow of IPsec input;
√ the embedding point of IPsec output;
√ the processing flow of IPsec output.
The IPsec embedding method of the present invention is introduced below.
1. Embedding point of IPsec input
IPsec input processing is embedded toward the beginning of IP input processing: the IPsec input processing flow is inserted after IP has finished
√ the packet length and checksum checks;
√ converting the three fields length, ID and offset to host byte order;
and before IP goes on to
√ IP option processing;
√ deciding whether the packet is to be delivered locally or forwarded;
√ calling ip_forward() if it is to be forwarded;
√ if it is to be delivered locally, reassembling IP fragments and calling the input processing functions of upper-layer protocols such as TCP and UDP.
2. Processing flow of IPsec input (with reference to Figure 2)
Step 1: determine whether the IP packet is a multicast packet; if so, exit directly.
Step 2: perform IPsec decapsulation.
This step is further divided into the following sub-steps:
1. If the packet is not an IPsec packet destined for the local host, jump to step 3.
2. If the IP packet is a fragment, reassemble the IP packet.
3. Convert the three fields length, ID and offset to network byte order.
4. Obtain the Security Parameter Index from the IP packet, query the security parameter database and obtain the corresponding security parameters.
5. Use the security parameters to perform IPsec input verification, decryption and decapsulation.
6. Convert the three fields length, ID and offset back to host byte order.
7. Jump to sub-step 1.
Step 3: if the IP packet is a fragment, reassemble the IP packet.
Step 4: perform the security policy check.
Step 5: finish.
3. Embedding point of IPsec output
IPsec output processing is embedded toward the end of IP output processing: the IPsec output processing flow is inserted after IP has finished
√ header initialisation;
√ route selection;
√ setting the source address;
and before
√ fragmentation;
√ calling the interface layer to send the packet.
4. Processing flow of IPsec output (with reference to Figure 3)
Step 1: determine whether the IP packet is a multicast packet; if so, exit directly.
Step 2: obtain the security policy selector from the IP packet and query the Security Policy Database to obtain the security policy.
Step 3: if the security policy is PASS, exit directly; if it is DROP, discard the IP packet directly.
Step 4: otherwise the security policy is IPSEC, so perform IPsec output encapsulation:
1. Convert the length and offset fields to network byte order.
2. Get the security parameters specified by the security policy.
3. Use the security parameters to perform IPsec encapsulation, encryption and authentication.
4. If there is a next nested security policy, jump to sub-step 2.
5. Convert the length and offset fields back to host byte order.
Step 5: finish.
The method of the present invention for embedding IPsec in an IP stack is described in detail below through several specific examples.
Example 1. Policy check on a non-IPsec packet destined for the local host
Suppose a non-IPsec packet destined for the local host is received. After the IP input flow has given it the necessary processing, the IPsec input processing flow is called:
Step 1: it is not a multicast packet, so processing continues.
Step 2: IPsec decapsulation. Since it is not an IPsec packet destined for the local host, jump to step 3.
Step 3: if it is a fragment, reassemble the IP packet.
Step 4: perform the inbound security policy check. Step 3 has already reassembled IP fragments, so the check here can use the port as part of the security policy selector, and port-level high security granularity can be supported.
Step 5: finish.
Example 2. Decapsulation and policy check on an IPsec packet destined for the local host
Suppose an IPsec packet destined for the local host is received. After the IP input flow has given it the necessary processing, the IPsec input processing flow is called:
Step 1: it is not a multicast packet, so processing continues.
Step 2: IPsec decapsulation.
1. Since it is an IPsec packet destined for the local host, continue with the remaining sub-steps of step 2.
2. If the IP packet is a fragment, reassemble the IP packet.
3. Convert the three fields length, ID and offset to network byte order.
4. Obtain the Security Parameter Index from the IP packet, query the security parameter database and obtain the corresponding security parameters.
5. Use the security parameters to perform IPsec input verification, decryption and decapsulation.
6. Convert the three fields length, ID and offset back to host byte order.
7. Jump to sub-step 1.
Because the packet obtained after IPsec verification and decapsulation is a non-IPsec packet, jump to step 3.
Step 3: if it is a fragment, reassemble the IP packet.
Step 4: perform the inbound security policy check.
Step 5: finish.
Sub-step 2 of step 2 has already reassembled IP fragments, so even if the packet was an IP fragment before decapsulation, IPsec decapsulation is still performed correctly. Step 3 has also reassembled IP fragments, so even if the packet is an IP fragment after decapsulation, the check here can still use the port as part of the security policy selector, and port-level high security granularity can be supported.
Example 3. Policy check on a forwarded IP packet
Suppose an IP packet to be forwarded is received. After the IP input flow has given it the necessary processing, the IPsec input processing flow is called:
Step 1: it is not a multicast packet, so processing continues.
Step 2: IPsec decapsulation. Since it is not an IPsec packet destined for the local host, jump to step 3.
Step 3: if it is a fragment, reassemble the IP packet.
Step 4: perform the inbound security policy check. Step 3 has already reassembled IP fragments, so the check here can use the port as part of the security policy selector, and port-level high security granularity can be supported.
Step 5: finish.
Example 4. Encapsulation and fragmentation of an output packet
Suppose a packet is to be output. After the IP output flow has given it the necessary processing, the IPsec output processing flow is called:
Step 1: it is not a multicast packet, so processing continues.
Step 2: obtain the security policy selector from the IP packet and query the Security Policy Database. If the packet is one sent by the local host, it has not yet been fragmented, and this step can obtain a security policy selector that includes the port. If it is a forwarded IP packet received from another network interface, it has of course already passed through IP input and IPsec input processing, and in step 3 of the IPsec output processing flow shown in Figure 3 it has been reassembled, so a security policy selector that includes the port can also be obtained.
Step 3: since IPsec encapsulation is to be applied to it, the security policy found should be IPSEC.
Step 4: perform IPsec output encapsulation:
1. Convert the length and offset fields to network byte order.
2. Get the security parameters specified by the security policy.
3. Use the security parameters to perform IPsec encapsulation, encryption and authentication.
4. If there is a next nested security policy, jump to sub-step 2.
5. Convert the length and offset fields back to host byte order.
Step 5: finish.
As explained in step 2, whether the packet is a forwarded IP packet or an IP packet sent out by the local host, a security policy selector that includes the port can be obtained, so port-level high security granularity can be supported.
After IPsec output processing finishes, the IP output flow continues with the remaining processing, namely:
√ fragmentation;
√ calling the interface layer to send the packet.
So if the packet length after IPsec encapsulation exceeds the maximum transmission length of the network interface, the packet is fragmented in the IP output flow.
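The two embedding points described above (IPsec output after routing and before fragmentation, as in this example; IPsec input with reassembly before decapsulation, as in Example 2) can be seen in the following small C model. It is an added example, not the patent's or ZTE's code: the packet layout, `ipsec_output_hook` and `ipsec_input_hook` (a placeholder transform that only prepends and strips a fixed 24-byte header, with no cryptography), `ip_fragment`, `ip_reassemble` and `demo_roundtrip` are hypothetical simplifications, and `h.len` counts payload bytes only.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Hypothetical model of the two embedding points; not the patent's or ZTE's code.
 * h.len is the payload length only; a real IPv4 header also counts itself. */
#define MAX_BODY     512
#define MAX_FRAGS    8
#define IP_MF        0x2000   /* IPv4 "more fragments" flag */
#define IP_OFFMASK   0x1fff   /* fragment offset, in 8-byte units */
#define PROTO_UDP    17
#define PROTO_ESP    50
#define ESP_OVERHEAD 24       /* size of the placeholder header the stand-in transform prepends */

struct hdr { uint16_t len, id, off; uint8_t proto; };   /* the three fields IP keeps in host order */
struct pkt { struct hdr h; uint8_t body[MAX_BODY]; };

/* Sub-steps c/f (input) and a/e (output): wire byte order for the IPsec code, host order for IP. */
static void to_net(struct hdr *h)  { h->len = htons(h->len); h->id = htons(h->id); h->off = htons(h->off); }
static void to_host(struct hdr *h) { h->len = ntohs(h->len); h->id = ntohs(h->id); h->off = ntohs(h->off); }

/* Output hook stand-in: no cryptography, it only prepends a placeholder header that records the
 * inner protocol number. What matters here is that the packet grows before IP fragments it. */
static int ipsec_output_hook(struct pkt *p) {
    uint16_t blen;
    to_net(&p->h);                                   /* the transform sees the header in wire form */
    blen = ntohs(p->h.len);
    if (blen + ESP_OVERHEAD > MAX_BODY) { to_host(&p->h); return -1; }
    memmove(p->body + ESP_OVERHEAD, p->body, blen);
    memset(p->body, 0xE5, ESP_OVERHEAD);
    p->body[0] = p->h.proto;
    p->h.len = htons((uint16_t)(blen + ESP_OVERHEAD));
    p->h.proto = PROTO_ESP;
    to_host(&p->h);
    return 0;
}
/* Input hook stand-in: strips the placeholder header. Returns 1 if it decapsulated, 0 if the packet
 * is not an IPsec packet (straight on to the policy check), -1 if the packet is malformed. */
static int ipsec_input_hook(struct pkt *p) {
    uint16_t blen; uint8_t next;
    if (p->h.proto != PROTO_ESP) return 0;
    to_net(&p->h);
    blen = ntohs(p->h.len);
    if (blen < ESP_OVERHEAD) { to_host(&p->h); return -1; }
    next = p->body[0];
    memmove(p->body, p->body + ESP_OVERHEAD, blen - ESP_OVERHEAD);
    p->h.len = htons((uint16_t)(blen - ESP_OVERHEAD));
    p->h.proto = next;
    to_host(&p->h);
    return 1;
}
/* IP fragmentation: every fragment but the last carries a multiple of 8 payload bytes. */
static int ip_fragment(const struct pkt *p, uint16_t mtu, struct pkt out[MAX_FRAGS]) {
    uint16_t unit = (uint16_t)(mtu & ~7u), pos = 0;
    int n = 0;
    if (unit == 0) return -1;
    while (pos < p->h.len) {
        uint16_t chunk = (uint16_t)(p->h.len - pos < unit ? p->h.len - pos : unit);
        if (n == MAX_FRAGS) return -1;
        out[n].h = p->h;
        out[n].h.len = chunk;
        out[n].h.off = (uint16_t)((pos / 8) | (pos + chunk < p->h.len ? IP_MF : 0));
        memcpy(out[n].body, p->body + pos, chunk);
        pos = (uint16_t)(pos + chunk);
        n++;
    }
    return n;
}
/* ip_output() with the hook where the patent puts it: after header assembly, route selection and
 * source address selection (not modelled), before fragmentation and the interface-layer send. */
static int ip_output(struct pkt *p, uint16_t mtu, struct pkt frags[MAX_FRAGS]) {
    if (ipsec_output_hook(p) < 0) return -1;         /* output flow step 4: encapsulate */
    return ip_fragment(p, mtu, frags);               /* IP then fragments the encapsulated packet */
}
/* Input side: fragments are reassembled before decapsulation (sub-step b) and before the policy
 * check (step 3). Holes are not checked; a real stack queues fragments until all have arrived. */
static int ip_reassemble(const struct pkt frags[], int n, struct pkt *out) {
    uint16_t total = 0; int have_last = 0;
    if (n < 1) return -1;
    out->h = frags[0].h;
    for (int i = 0; i < n; i++) {
        uint16_t pos = (uint16_t)((frags[i].h.off & IP_OFFMASK) * 8);
        if (frags[i].h.id != out->h.id || pos + frags[i].h.len > MAX_BODY) return -1;
        memcpy(out->body + pos, frags[i].body, frags[i].h.len);
        if (pos + frags[i].h.len > total) total = (uint16_t)(pos + frags[i].h.len);
        if (!(frags[i].h.off & IP_MF)) have_last = 1;
    }
    if (!have_last) return -1;
    out->h.len = total; out->h.off = 0;
    return 0;
}
/* Send a constructed UDP payload through ip_output(), then reassemble and decapsulate on the input
 * side. Returns the number of fragments produced, or -1 if the payload did not come back intact. */
static int demo_roundtrip(uint16_t payload_len, uint16_t mtu) {
    struct pkt p = {0}, frags[MAX_FRAGS], r;
    int n;
    if (payload_len > MAX_BODY - ESP_OVERHEAD) return -1;
    p.h.len = payload_len; p.h.id = 0x1234; p.h.proto = PROTO_UDP;
    for (uint16_t i = 0; i < payload_len; i++) p.body[i] = (uint8_t)i;   /* constructed payload */
    n = ip_output(&p, mtu, frags);
    if (n < 0 || ip_reassemble(frags, n, &r) < 0 || ipsec_input_hook(&r) != 1) return -1;
    if (r.h.len != payload_len || r.h.proto != PROTO_UDP) return -1;
    for (uint16_t i = 0; i < payload_len; i++) if (r.body[i] != (uint8_t)i) return -1;
    return n;
}
```

Because the hook runs before `ip_fragment()`, the fragments are cut from the encapsulated packet: a 100-byte payload plus 24 bytes of overhead becomes two fragments at an MTU of 64 and four at an MTU of 40. On the receive side `ip_reassemble()` runs before the input hook, which is why decapsulation always sees a whole packet even when the wire carried fragments. The byte-order conversions around the transforms correspond to sub-steps a/e and c/f of the flows.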
Example 5. Supporting high security granularity
From Example 2 it can be seen that after IPsec input decapsulation the new packet is reassembled, so a security policy selector that includes the port can be obtained, and high security granularity can be supported.
From Example 4 it can be seen that IPsec output encapsulation can also obtain a security policy selector that includes the port, so high security granularity can be supported there as well.
Example 6. Supporting nested security policies
Suppose a two-layer nested security policy is to be applied to an output IP packet. After the IP output flow has given it the necessary processing, the IPsec output processing flow is called:
Step 1: it is not a multicast packet, so processing continues.
Step 2: obtain the security policy selector from the IP packet and query the Security Policy Database. If the packet is one sent by the local host and has not yet been fragmented, this step can obtain a security policy selector that includes the port. If it was received from another network interface, it has of course already passed through IP input and IPsec input processing and was reassembled in step 3 of Example 4, so a security policy selector that includes the port can also be obtained.
Step 3: since this is a nested security policy, the security policy found should be IPSEC.
Step 4: perform IPsec output encapsulation:
1. Convert the length and offset fields to network byte order.
2. Get the security parameters specified by the security policy.
3. Use the security parameters to perform IPsec encapsulation, encryption and authentication.
4. Since this is the first policy of the nested security policy, it should have a next nested security policy; jump to sub-step 2.
2. Get the security parameters specified by the security policy.
3. Use the security parameters to perform IPsec encapsulation, encryption and authentication.
4. Since this is the second policy of the nested security policy, it should have no next nested security policy; continue with the following sub-step.
5. Convert the length and offset fields back to host byte order.
Step 5: finish.
Now suppose a packet encapsulated under a two-layer nested security policy is received. After the IP input flow has given it the necessary processing, the IPsec input processing flow is called:
Step 1: it is not a multicast packet, so processing continues.
Step 2: IPsec decapsulation.
1. It is an IPsec packet destined for the local host, so continue with the remaining sub-steps of step 2.
2. If the IP packet is a fragment, reassemble the IP packet.
3. Convert the three fields length, ID and offset to network byte order.
4. Obtain the Security Parameter Index from the IP packet, query the security parameter database and obtain the corresponding security parameters.
5. Use the security parameters to perform IPsec input verification, decryption and decapsulation.
6. Convert the three fields length, ID and offset back to host byte order.
7. Jump to sub-step 1.
1. Because the packet was encapsulated under a nested security policy, what is obtained after one decapsulation is still an IPsec packet, so continue with the remaining sub-steps of step 2.
2. If the IP packet is a fragment, reassemble the IP packet.
3. Convert the three fields length, ID and offset to network byte order.
4. Obtain the Security Parameter Index from the IP packet, query the security parameter database and obtain the corresponding security parameters.
5. Use the security parameters to perform IPsec input verification, decryption and decapsulation.
6. Convert the three fields length, ID and offset back to host byte order.
7. Jump to sub-step 1.
1. Since decapsulation of both layers of the security policy has been completed, the new packet is a non-IPsec packet, so jump to step 3.
Step 3: if it is a fragment, reassemble the IP packet.
Step 4: perform the inbound security policy check.
Step 5: finish.
If a nested security policy of more than two layers is applied, the encapsulation and decapsulation processes are similar. The IPsec embedding mode of the present invention can therefore support nested security policies.
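The following C model, added here and not taken from the patent or from ZTE, walks a UDP datagram through the output flow (steps 1 to 5 with a two-layer nested policy) and back through the input flow (the decapsulation loop a to g followed by the step 4 policy check), as laid out in the summary and in Examples 1, 2 and 6. `SAD`, `SPD`, `OUTER`, `esp_encap`, `toy_tag`, `selector_port` and the sample packet are constructed for this example; the transform is XOR plus a toy tag rather than real ESP, and fragment reassembly and the byte-order sub-steps are left out.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Hypothetical model of the IPsec input and output flows with a two-layer nested policy; not the
 * patent's or ZTE's code. The "ESP" transform is a placeholder (XOR plus a toy tag), not cryptography. */
#define PROTO_UDP 17
#define PROTO_ESP 50
#define MAX_BODY  256
#define MAX_NEST  4
#define ESP_HLEN  6     /* placeholder header: spi(4) | inner protocol(1) | tag(1) */

struct ipv4 { uint32_t src, dst; uint8_t proto; uint16_t len; };
struct pkt  { struct ipv4 h; uint8_t body[MAX_BODY]; };

struct sa { uint32_t spi; uint8_t key; };
static const struct sa SAD[] = { { 0x1001, 0x5a }, { 0x1002, 0xa5 } };   /* constructed SA database */
static const struct sa *sad_lookup(uint32_t spi) {
    for (size_t i = 0; i < sizeof SAD / sizeof SAD[0]; i++) if (SAD[i].spi == spi) return &SAD[i];
    return NULL;
}
static uint8_t toy_tag(const uint8_t *b, size_t n, uint8_t key) {        /* stand-in for an ICV */
    uint8_t t = key;
    for (size_t i = 0; i < n; i++) t = (uint8_t)(t * 31 + b[i]);
    return t;
}
enum action { PASS, DROP, IPSEC };
/* SPD entry: selector (destination, optional UDP port), action, SA to use, next nested policy */
struct policy { uint32_t dst; uint16_t dport; enum action act; const struct sa *sa; const struct policy *next; };
static const struct policy *spd_lookup(const struct policy *spd, int n, uint32_t dst, uint16_t dport) {
    for (int i = 0; i < n; i++)
        if (spd[i].dst == dst && (spd[i].dport == 0 || spd[i].dport == dport)) return &spd[i];
    return NULL;        /* no matching policy: callers drop (deny by default, a choice made here) */
}
static uint16_t selector_port(const struct pkt *p) {     /* UDP destination port: payload bytes 2..3 */
    return p->h.proto == PROTO_UDP && p->h.len >= 4 ? (uint16_t)((p->body[2] << 8) | p->body[3]) : 0;
}
/* Output sub-steps b-c: encapsulate with the SA named by one policy */
static int esp_encap(struct pkt *p, const struct sa *sa) {
    uint8_t hdr[ESP_HLEN]; uint32_t spi = htonl(sa->spi);
    if (p->h.len + ESP_HLEN > MAX_BODY) return -1;
    for (uint16_t i = 0; i < p->h.len; i++) p->body[i] ^= sa->key;            /* "encrypt" */
    memcpy(hdr, &spi, 4); hdr[4] = p->h.proto; hdr[5] = toy_tag(p->body, p->h.len, sa->key);
    memmove(p->body + ESP_HLEN, p->body, p->h.len);
    memcpy(p->body, hdr, ESP_HLEN);
    p->h.len = (uint16_t)(p->h.len + ESP_HLEN); p->h.proto = PROTO_ESP;
    return 0;
}
/* IPsec output flow, steps 1-5 of the summary */
static enum action ipsec_output(struct pkt *p, const struct policy *spd, int n) {
    const struct policy *sp;
    if ((p->h.dst >> 28) == 0xE) return PASS;                                  /* 1: multicast, exit */
    sp = spd_lookup(spd, n, p->h.dst, selector_port(p));                        /* 2: selector -> policy */
    if (!sp || sp->act == DROP) return DROP;                                    /* 3 */
    if (sp->act == PASS) return PASS;
    for (; sp; sp = sp->next)                                 /* 4: repeat b-c for each nested policy (d) */
        if (esp_encap(p, sp->sa) < 0) return DROP;
    return IPSEC;
}
/* IPsec input flow: the step 2 decapsulation loop (a-g), then the step 4 policy check */
static enum action ipsec_input(struct pkt *p, uint32_t local, const struct policy *spd, int n) {
    const struct sa *applied[MAX_NEST]; const struct policy *sp, *q; int depth = 0, i;
    if ((p->h.dst >> 28) == 0xE) return PASS;
    while (p->h.dst == local && p->h.proto == PROTO_ESP) {                     /* a: local IPsec packet? */
        uint32_t spi; uint8_t next, tag; size_t plen; const struct sa *sa;
        if (depth == MAX_NEST || p->h.len < ESP_HLEN) return DROP;
        memcpy(&spi, p->body, 4); next = p->body[4]; tag = p->body[5];
        if (!(sa = sad_lookup(ntohl(spi)))) return DROP;                        /* d: SPI -> SA */
        plen = p->h.len - ESP_HLEN;
        memmove(p->body, p->body + ESP_HLEN, plen);
        if (toy_tag(p->body, plen, sa->key) != tag) return DROP;               /* e: verify, then decrypt */
        for (size_t k = 0; k < plen; k++) p->body[k] ^= sa->key;
        p->h.len = (uint16_t)plen; p->h.proto = next;
        applied[depth++] = sa;                                                  /* g: back to a */
    }
    /* 4: the policy the SPD specifies for this packet must match the protection actually applied */
    sp = spd_lookup(spd, n, p->h.dst, selector_port(p));
    if (!sp || sp->act == DROP) return DROP;
    if (sp->act == PASS) return depth == 0 ? PASS : DROP;
    for (i = depth, q = sp; q; q = q->next)        /* innermost policy went on first, so it came off last */
        if (i == 0 || applied[--i] != q->sa) return DROP;
    return i == 0 ? IPSEC : DROP;
}
/* Constructed SPD: UDP/53 to 10.0.0.2 gets two nested layers (inner SA 0x1001, outer 0x1002); the rest passes */
static const struct policy OUTER = { 0x0A000002, 53, IPSEC, &SAD[1], NULL };
static const struct policy SPD[] = { { 0x0A000002, 53, IPSEC, &SAD[0], &OUTER }, { 0x0A000002, 0, PASS, NULL, NULL } };
#define NSPD 2
static void make_udp(struct pkt *p, uint16_t dport) {   /* constructed datagram: sport 4000, payload "hello" */
    memset(p, 0, sizeof *p);
    p->h.src = 0x0A000001; p->h.dst = 0x0A000002; p->h.proto = PROTO_UDP; p->h.len = 9;
    p->body[0] = 0x0f; p->body[1] = 0xa0; p->body[2] = (uint8_t)(dport >> 8); p->body[3] = (uint8_t)dport;
    memcpy(p->body + 4, "hello", 5);
}
/* Output then input for UDP/53: 1 if both verdicts are IPSEC and the datagram comes back intact */
static int demo_nested_roundtrip(void) {
    struct pkt p; make_udp(&p, 53);
    if (ipsec_output(&p, SPD, NSPD) != IPSEC || p.h.proto != PROTO_ESP || p.h.len != 9 + 2 * ESP_HLEN) return 0;
    if (ipsec_input(&p, 0x0A000002, SPD, NSPD) != IPSEC) return 0;
    return p.h.proto == PROTO_UDP && p.h.len == 9 && memcmp(p.body + 4, "hello", 5) == 0;
}
/* Inbound plain UDP: to port 53 the SPD demands IPSEC, so a bare packet fails the check; port 80 is PASS */
static enum action demo_unprotected(uint16_t dport) {
    struct pkt p; make_udp(&p,
 dport);
    return ipsec_input(&p, 0x0A000002, SPD, NSPD);
}
```

The policy check is what makes the bare-UDP case fail: the SPD says UDP/53 must arrive under both SAs, `ipsec_input()` records the SAs it actually stripped, and the two lists must agree in order, which also rejects a packet that arrived under only the outer SA. Port-level granularity comes from `selector_port()` reading the UDP header after decapsulation, which the patent's flow makes possible by decapsulating and reassembling before the check.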

Claims (7)

1. A method for embedding IPSEC into an IP protocol stack, characterized in that the method comprises the following processing steps:
In the first step, after basic IP processing has been completed in the IP input processing procedure of the IP protocol stack, an IPSec input processing flow is inserted;
In the second step, after basic IP processing has been completed in the IP output processing procedure of the IP protocol stack, an IPSec output processing flow is inserted.
2. The method for embedding IPSEC into an IP protocol stack according to claim 1, characterized in that the insertion point of the IPSec input processing flow is located after basic IP message processing has finished: when the destination address is not the local host, before forwarding processing; when the destination address is the local host, before reassembly of IP fragments and before calling upper-layer protocol input processing such as TCP or UDP.
3. The method for embedding IPSEC into an IP protocol stack according to claim 1, characterized in that the insertion point of the IPSec output processing flow is located after IP message assembly and route selection have finished, and before fragmentation and before calling the interface layer to send the packet.
4. The method for embedding IPSEC into an IP protocol stack according to claim 1 or 2, characterized in that the IPSec input processing flow comprises the following processing:
1) determine whether the IP packet is a multicast packet; if so, exit directly;
2) perform IPSEC decapsulation;
3) if the IP packet is fragmented, reassemble the IP packet;
4) perform security policy verification;
5) finish.
5. The method for embedding IPSEC into an IP protocol stack according to claim 4, characterized in that the IPSEC decapsulation comprises the following steps:
a. if the packet is not an IPSEC packet addressed to the local host, jump to step 3);
b. if the IP packet is fragmented, reassemble the IP packet;
c. convert the three fields length, ID and offset to network byte order;
d. obtain the Security Parameter Index from the IP packet, query the security parameter database and obtain the corresponding security parameters;
e. use the security parameters to perform IPSEC input validation, decryption and decapsulation;
f. convert the three fields length, ID and offset back to host byte order;
g. jump to step a.
6. The method for embedding IPSEC into an IP protocol stack according to claim 1 or 3, characterized in that the IPSec output processing flow comprises the following processing:
1) determine whether the IP packet is a multicast packet; if so, exit directly;
2) obtain the security policy selector from the IP packet, and query the security policy database to obtain the security policy;
3) if the security policy is PASS, exit directly; if it is DROP, discard the IP packet directly; if the security policy is IPSEC, go to step 4);
4) perform IPSEC encapsulation;
5) finish.
7. The method for embedding IPSEC into an IP protocol stack according to claim 6, characterized in that the IPSEC encapsulation comprises the following processing steps:
a. convert the length and offset fields to network byte order;
b. obtain the security parameters specified by the security policy;
c. use the security parameters to perform IPSEC encapsulation, encryption and authentication;
d. if there is a next nested security policy, jump to step b;
e. convert the length and offset fields back to host byte order.
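As an added illustration (not code from the patent), the following Python simulation implements the inbound and outbound hooks of claims 4 to 7 over a constructed security policy database and security parameter database, including the nested-policy loop of claim 7 step d and the inbound policy verification of claim 4 step 4. The addresses, SPIs, selector format and the XOR transform standing in for ESP are assumptions; fragment reassembly and byte-order conversion (steps 3, c and f) are omitted.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "esp" (an IPSEC-protected packet)
    payload: bytes
    spi: int = 0     # Security Parameter Index; 0 for a non-IPSEC packet

LOCAL = "10.0.0.1"
# Constructed SPD: (local, peer, proto) -> (action, SPIs innermost first).
SPD = {("10.0.0.1", "10.0.0.2", "tcp"): ("IPSEC", [1001, 1002]),
       ("10.0.0.1", "10.0.0.3", "udp"): ("PASS", []),
       ("10.0.0.1", "10.0.0.9", "tcp"): ("DROP", [])}
# Constructed SAD: SPI -> key of a toy XOR transform standing in for ESP.
SAD = {1001: 0x5A, 1002: 0xA5}

def transform(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def ipsec_output(pkt, spd=SPD, sad=SAD):
    # Output hook (claims 6 and 7): after routing, before fragmentation.
    if pkt.dst.startswith("224."):                      # step 1: multicast exits
        return pkt
    action, spis = spd.get((pkt.src, pkt.dst, pkt.proto), ("DROP", []))
    if action != "IPSEC":                               # step 3: PASS or DROP
        return pkt if action == "PASS" else None
    for spi in spis:                                    # claim 7 step d: nesting
        inner = f"{pkt.proto}:{pkt.spi}:".encode() + pkt.payload
        pkt = Packet(pkt.src, pkt.dst, "esp", transform(inner, sad[spi]), spi)
    return pkt

def ipsec_input(pkt, spd=SPD, sad=SAD):
    # Input hook (claims 4 and 5): after basic IP checks, before TCP/UDP input.
    if pkt.dst.startswith("224."):                      # step 1: multicast exits
        return pkt
    layers = 0
    while pkt.proto == "esp" and pkt.dst == LOCAL:      # claim 5 steps a and g
        if pkt.spi not in sad:                          # step d: no SA, drop
            return None
        proto, spi, payload = transform(pkt.payload, sad[pkt.spi]).split(b":", 2)
        pkt = Packet(pkt.src, pkt.dst, proto.decode(), payload, int(spi))
        layers += 1
    # Step 4, inbound policy verification: a flow the SPD requires IPSEC for must
    # have arrived through exactly that many layers, so plaintext cannot bypass it.
    action, spis = spd.get((pkt.dst, pkt.src, pkt.proto), ("DROP", []))
    if action == "DROP" or (action == "IPSEC" and layers != len(spis)):
        return None
    return pkt
```

The verification step is what makes the input hook useful as a control: without it, a peer could send the same flow in plaintext and skip the policy entirely.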
CN 200310113603 2003-11-13 2003-11-13 A method for embedding IPSEC in IP protocol stack Expired - Fee Related CN100512278C (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN 200310113603 CN100512278C (en) 2003-11-13 2003-11-13 A method for embedding IPSEC in IP protocol stack
PCT/CN2003/001077 WO2005048553A1 (en) 2003-11-13 2003-12-17 A METHOD ON EMBEDDING IPSec PROTOCOL STACK
AU2003292854A AU2003292854A1 (en) 2003-11-13 2003-12-17 A method on embedding ipsec protocol stack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200310113603 CN100512278C (en) 2003-11-13 2003-11-13 A method for embedding IPSEC in IP protocol stack

Publications (2)

Publication Number Publication Date
CN1545292A true CN1545292A (en) 2004-11-10
CN100512278C CN100512278C (en) 2009-07-08

Family

ID=34336935

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200310113603 Expired - Fee Related CN100512278C (en) 2003-11-13 2003-11-13 A method for embedding IPSEC in IP protocol stack

Country Status (3)

Country Link
CN (1) CN100512278C (en)
AU (1) AU2003292854A1 (en)
WO (1) WO2005048553A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101682656B (en) * 2007-05-09 2013-07-24 艾利森电话股份有限公司 Method and apparatus for protecting the routing of data packets
CN103888450A (en) * 2014-03-06 2014-06-25 江苏金陵科技集团有限公司 IPSec processing method on Window platform
CN106941488A (en) * 2017-03-09 2017-07-11 西安电子科技大学 Multi-layer protocol packet encapsulation device and method based on FPGA

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2317792B (en) * 1996-09-18 2001-03-28 Secure Computing Corp Virtual private network on application gateway
US6957346B1 (en) * 1999-06-15 2005-10-18 Ssh Communications Security Ltd. Method and arrangement for providing security through network address translations using tunneling and compensations
GB2365717B (en) * 2000-05-24 2004-01-21 Ericsson Telefon Ab L M IPsec processing
GB2363549B (en) * 2000-11-16 2002-05-29 Ericsson Telefon Ab L M Securing voice over IP traffic
US7397798B2 (en) * 2001-05-21 2008-07-08 Xelerated Ab Method and apparatus for processing blocks in a pipeline

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101682656B (en) * 2007-05-09 2013-07-24 艾利森电话股份有限公司 Method and apparatus for protecting the routing of data packets
CN103888450A (en) * 2014-03-06 2014-06-25 江苏金陵科技集团有限公司 IPSec processing method on Window platform
CN103888450B (en) * 2014-03-06 2017-04-26 江苏金陵科技集团有限公司 IPSec processing method on Window platform
CN106941488A (en) * 2017-03-09 2017-07-11 西安电子科技大学 Multi-layer protocol packet encapsulation device and method based on FPGA

Also Published As

Publication number Publication date
WO2005048553A1 (en) 2005-05-26
CN100512278C (en) 2009-07-08
AU2003292854A1 (en) 2005-06-06

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090708

Termination date: 20131113