WO2005048553A1 - A METHOD ON EMBEDDING IPSec PROTOCOL STACK - Google Patents


Info

Publication number: WO2005048553A1
Authority: WO (WIPO, PCT)
Prior art keywords: packet, ipsec, processing, embedding, security policy
Application number: PCT/CN2003/001077
Other languages: French (fr), Chinese (zh)
Inventors: Kaiqu Chen, Zhuoming Li, Jie Zhao, Haibin Chen, Yahui Li, Yong Ding, Zhiwei Peng
Original assignee: ZTE Corporation
Application filed by: ZTE Corporation
Priority to: AU2003292854A1
Publication of: WO2005048553A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/164 Implementing security features at a particular protocol layer at the network layer
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/161 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields

Definitions

  • According to the protocol requirements, the IPSec embedding method must support the following functions: 1) Routine encapsulation and decapsulation, including performing IPSec encapsulation on output packets and fragmenting them if the encapsulated packet exceeds the maximum transmission length of the network interface; and performing IPSec decapsulation on input packets, reassembling a fragmented packet before decapsulation and, if the packet is still fragmented after decapsulation, reassembling it again before passing it to the upper-layer protocol.
  • 3) Support for high security granularity also requires that, on output, when the security policy is queried before encapsulation, the TCP port in the packet is read, and that a fragmented packet is reassembled first. 4) Support for nested security policies, that is, applying multiple IPSec protections to one packet: on output, IPSec encapsulation must be repeatable; on input, IPSec decapsulation must be repeatable.
  • The IP protocol stack itself has input, forwarding and output flows, and may also reassemble and fragment packets in between, which is already a complicated process. Embedding IPSec into the IP protocol stack is therefore also a complicated problem: the embedding points must be chosen so that the basic functions of IPSec can be implemented without disturbing the normal flow of the IP protocol stack.
  • Existing IPSec protocol stacks use a simple embedding design but sacrifice some functions.
  • The FreeS/WAN protocol stack uses the BITS embedding method and consequently lacks some IPSec functions, such as the inability to handle forwarded IP packets.
  • The KAME protocol stack is fully integrated into the IP layer. Although it implements the functions of IPSec, it still has defects: for IP packets destined to the local host that have no IPSec applied, security policy verification cannot be performed; the upper-layer protocol port cannot be used as a security policy selector, so high security granularity is not supported. In addition, because KAME and the IP protocol stack are designed together, the IPSec processing flow and the IP processing flow are tightly intertwined and scattered across the IP protocol stack, which makes it hard to maintain. In general, the IP protocol stack is usually pre-existing and cannot be changed so extensively.
  • The technical problem to be solved by the present invention is to propose a method for embedding IPSec in the IP protocol stack, so as to overcome the problems that the complete functions of IPSec cannot be realized and that the embedding is difficult to implement.
  • The method for embedding IPSec in an IP protocol stack comprises: performing basic IP input processing on an input IP packet; performing IPSec input processing on the IP packet; and performing other IP input processing on the IP packet that has undergone IPSec input processing.
  • The basic IP input processing includes: checking the packet length and checksum, and converting the three fields length, ID identifier and offset in the IP header into machine byte order.
  • The other IP input processing includes: IP option processing; judging whether the destination address of the IP packet is the local host; if so, reassembling IP fragments and invoking the input processing of the upper-layer protocol; if not, performing forwarding processing.
  • The IPSec input processing includes: judging whether the IP packet is a multicast packet, and if so ending IPSec input processing; if not, judging whether the IP packet is an IPSec packet destined to the local host, and if so performing IPSec decapsulation; if not, determining whether the IP packet is a fragment, and if so reassembling it and then performing security policy verification; if it is not a fragment, performing security policy verification directly.
  • The IPSec decapsulation processing includes:
  • 1) determining whether the IP packet is a fragment; if so, performing step 2); if not, performing step 3);
  • The method for embedding IPSec in an IP protocol stack further includes: performing basic IP output processing on IP packets; performing IPSec output processing on the IP packets; and performing other IP output processing on IP packets that have undergone IPSec output processing.
  • The basic IP output processing includes: initializing the IP header; selecting a route; and setting the source address. The other IP output processing includes: fragmenting the IP packet; and invoking the interface layer to send the IP packet.
  • The IPSec output processing includes: judging whether the IP packet is a multicast packet, and if so ending IPSec output processing; if not, obtaining the security policy selector from the IP packet and querying the security policy database to obtain the security policy, then acting according to that policy: if the security policy is PASS, IPSec output processing ends; if it is DROP, the IP packet is discarded directly; if it is IPSEC, the IP packet is IPSec-encapsulated.
  • The IPSec encapsulation includes:
  • The embedding method of the present invention overcomes the shortcomings of the FreeS/WAN and KAME embedding modes and can realize all functions of the IPSec protocol, including: performing security policy verification on forwarded IP packets; checking the security policy of local non-IPSec packets; handling the case where a decapsulated IPSec packet turns out to be a fragmented IP packet; supporting nested security policies; and supporting high security granularity.
  • The invention requires only simple changes to the IP protocol stack and is therefore very easy to implement.
  • Figure 1 is the schematic diagram of IPSec
  • FIG. 2 is a flowchart of IPSec input processing in the embedding method of the present invention
  • FIG. 3 is a flowchart of IPSec output processing in the embedding method of the present invention.
  • An IP packet is still an IP packet after IPSec encapsulation and is still handled by the IP processing flow on the network as an IP packet; IPSec processing is therefore a part of IP processing.
  • The IPSec input processing flow must be embedded in the IP input processing flow, and the IPSec output processing flow must be embedded in the IP output processing flow. After embedding, the IPSec output processing flow is called by the IP output processing flow, and the IP input processing flow calls the IPSec input processing flow.
  • An IPSec embedding method therefore needs to solve four problems: the embedding point of IPSec input processing; the flow of IPSec input processing; the embedding point of IPSec output processing; and the flow of IPSec output processing.
  • The IPSec input processing is embedded at the front end of the IP input processing.
  • Specifically, the present invention inserts the IPSec input processing after the basic IP input processing of the IP packet has been completed and before the other IP input processing is performed.
  • The basic IP input processing refers to checking the packet length and checksum, and converting the three fields length, ID identifier and offset in the IP header into machine byte order.
  • The other input processing includes IP option processing; forwarding processing when the destination address is not the local host; and, when the destination address is the local host, reassembling IP fragments and calling the input processing of upper-layer protocols such as TCP and UDP.
  • Figure 2 shows the flow of IPSec input processing.
  • First it is determined whether the IP packet is a multicast packet. If it is, no further processing is performed and the flow exits. If it is not, it is determined whether the IP packet is an IPSec packet whose destination address is the local host. If so, IPSec decapsulation is performed. If the IP packet is not a local IPSec packet, it is determined whether it is a fragment; if so, the IP packet is reassembled and then the security policy is checked; if not, the security policy is checked directly.
  • The IPSec decapsulation process includes the following steps. First, determine whether the IP packet is a fragment; if so, reassemble the IP packet before proceeding; if not, proceed directly to the subsequent processing.
  • The three fields length, ID identifier and offset in the IP header are then converted into network byte order, the security parameter index is obtained from the IP packet, and the security parameter database is queried by that index to obtain the corresponding security parameters.
  • Finally, the length, ID identifier and offset fields in the IP header are converted back into native byte order.
  • The above steps complete the decapsulation of one IPSec layer. It is then checked again whether the resulting IP packet is an IPSec packet destined to the local host, and the subsequent processing is repeated.
  • The embedding point of the IPSec output processing is selected at the back end of the IP output processing, that is, after the basic IP output processing of the IP packet has been completed, the IPSec output processing is inserted before the other IP output processing.
  • The basic IP output processing includes initializing the IP header, selecting a route and setting the source address; the other IP output processing refers to fragmenting the IP packet and calling the interface layer to send it.
  • The security policy selector is obtained from the IP packet, and the security policy database is queried to obtain the security policy of the IP packet. If the security policy is PASS, IPSec output processing exits; if it is DROP, the IP packet is discarded; if it is IPSEC, IPSec output encapsulation is performed.
  • The length and offset fields in the IP header are converted into network byte order, the security parameters specified by the security policy are obtained, and these security parameters are used for IPSec encapsulation, encryption and authentication. This completes the encapsulation for one security policy. If there is a further nested security policy, its specified security parameters are obtained and the encapsulation steps are repeated. After all security policies have been processed, the length and offset fields in the IP header are converted back into machine byte order.
  • Example 1: policy verification for local non-IPSec packets
  • The IPSec input processing flow is called. Because the packet is a non-multicast packet and a local non-IPSec packet, IPSec decapsulation is not performed and it is directly determined whether the IP packet is a fragment. If it is, it is reassembled first and then security policy verification is performed; if not, security policy verification is performed directly. Because fragmented IP packets have been reassembled, the port can be included as a security policy selector for verification, which supports high security granularity at the port level.
  • Example 2: decapsulation and policy verification of a local IPSec packet
  • The IP packet is a non-multicast packet and a local IPSec packet.
  • IPSec decapsulation is performed. If the IP packet is a fragment, it is reassembled first; then the length, ID identifier and offset fields in the IP header are converted into network byte order. The security parameter index is obtained from the IP packet and the security parameter database is queried to obtain the corresponding security parameters, which are then used for IPSec input verification, decryption and decapsulation. Finally, the length, ID and offset fields in the IP header are converted back into machine byte order.
  • After the IPSec packet has been verified and decapsulated, it becomes a non-IPSec packet. It is then determined whether this packet is a fragment; if so, it is reassembled and then security policy verification is performed; if not, security policy verification is performed directly.
  • Because fragmented IP packets are reassembled during decapsulation, correct IPSec decapsulation is possible even when the IP packet arrives fragmented. After decapsulation, fragmented IP packets are reassembled again, so even decapsulated IP packets can include the port as a security policy selector for verification and can thus support high security granularity at the port level.
  • Example 3: policy verification of forwarded IP packets
  • An IP packet whose destination is not the local host and which must be forwarded is received.
  • After the IP input processing flow has processed it up to the embedding point, the IPSec input processing flow is called.
  • Because the IP packet is a non-multicast packet and not a local IPSec packet, no IPSec decapsulation is performed, and it is directly determined whether the IP packet is a fragment. If it is, it is reassembled first and then security policy verification is performed; if not, the security policy is checked directly. Because fragmented IP packets have been reassembled, the port can be included as a security policy selector for verification, so high security granularity at the port level is supported.
  • Example 4: IPSec output encapsulation
  • The IP packet is not a multicast packet, so processing continues.
  • The security policy obtained by the query should be IPSEC, so IPSec output encapsulation is performed.
  • The length and offset fields in the IP header are first converted into network byte order, and the security parameters specified by the security policy are obtained. These security parameters are then used for IPSec encapsulation, encryption and authentication. If there are multiple nested security policies, the above steps are repeated until all security policies have been applied. Finally, the length and offset fields in the IP header are converted back into local byte order.
  • The IP output flow then continues with the remaining processing: if the length of the packet after IPSec encapsulation exceeds the maximum transmission length of the network interface, it is fragmented first, and then the interface layer is called to send the packet.
  • In Embodiments 2 and 4, both the IPSec input decapsulation and the IPSec output encapsulation can obtain a security policy selector that includes the port, thereby supporting high security granularity.
  • Example 5: handling of nested security policies
  • The IP packet is not a multicast packet, so processing continues.
  • The security policy obtained by the query should be IPSEC, so IPSec output encapsulation is performed.
  • The length and offset fields in the IP header are converted into network byte order, and the security parameters specified by the security policy are obtained and used for IPSec encapsulation, encryption and authentication. Because two nested security policies are required, the above steps are repeated: the security parameters specified by the second security policy are obtained and used for IPSec encapsulation, encryption and authentication. Finally, the length and offset fields in the IP header are converted back into machine byte order.
  • A packet encapsulated under a two-layer nested security policy is received; after the IP input processing flow has processed it up to the embedding point, the IPSec input processing flow is called. Because the packet is a non-multicast packet and a local IPSec packet, decapsulation is performed. If the packet is a fragment, it is reassembled first. The three fields length, ID identifier and offset in the IP header are converted into network byte order, the security parameter index is obtained from the IP packet, and the security parameter database is queried by that index to obtain the corresponding security parameters.
  • The IPSec packet obtained after one decapsulation is still an IPSec packet and must be decapsulated again.
  • The packet obtained after the second decapsulation is a non-IPSec packet. It is then determined whether it is a fragment; if so, the IP packet is reassembled and then security policy verification is performed; if not, security policy verification is performed directly.
  • The IPSec embedding method of the present invention can therefore support nested security policies.
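The input and output flows above (Figures 2 and 3) and Examples 1 to 5, as a runnable model added here; this is not code from the patent or from ZTE. The packet representation, the addresses, the SAD and SPD tables and the ESP_OVERHEAD constant are constructed, and verifying, decrypting and decapsulating one IPSec layer is modelled as simply unwrapping it.

```python
"""Model of the IPSec embedding points described in the patent (illustration, not ZTE's code):
IPSec input runs after basic IP input and before options/forward/deliver; IPSec output runs
after route and source-address selection and before fragmentation and send."""
from dataclasses import dataclass

LOCAL = "10.0.0.1"      # constructed: address of the host running this stack
MTU = 1500              # constructed: maximum transmission length of the interface
ESP_OVERHEAD = 40       # constructed: bytes added by one IPSec (ESP) layer

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "esp" (ESP stands in for AH/ESP)
    length: int
    dport: "int | None" = None       # upper-layer port; only readable once reassembled
    spi: "int | None" = None         # security parameter index when proto == "esp"
    inner: "Packet | None" = None    # encapsulated packet when proto == "esp"
    fragmented: bool = False         # True if the packet arrived as IP fragments

# Security association database: SPI -> peer address (constructed sample entries)
SAD = {0x1001: "10.0.0.2", 0x2002: "10.0.0.3"}

# Security policy database, first match wins. Selector is (src, dst, proto, dport) with "*"
# wildcards; action is "PASS", "DROP" or the SPIs to apply, innermost first (nested policy).
SPD = [
    (("*", "*", "tcp", 22), "DROP"),
    (("*", "10.0.0.9", "tcp", 443), [0x1001, 0x2002]),   # two-layer nested policy
    (("*", "10.0.0.9", "*", "*"), [0x1001]),
    (("*", "*", "*", "*"), "PASS"),
]

def is_multicast(addr):
    return 224 <= int(addr.split(".")[0]) <= 239

def reassemble(pkt):
    pkt.fragmented = False           # after reassembly the transport header is visible
    return pkt

def lookup_spd(pkt):
    """Build the selector from the packet and return the matching SPD action. A packet that
    is still fragmented exposes no port, so port-specific rules cannot match it."""
    dport = None if pkt.fragmented else pkt.dport
    for (s, d, p, port), action in SPD:
        if (s in ("*", pkt.src) and d in ("*", pkt.dst)
                and p in ("*", pkt.proto) and port in ("*", dport)):
            return action
    return "DROP"

def verify_policy(pkt, stripped):
    """Security policy verification: the protection actually found (SPIs stripped, outermost
    first) must equal what the SPD requires for this packet."""
    action = lookup_spd(pkt)
    if action == "DROP":
        return False
    return list(reversed(stripped)) == ([] if action == "PASS" else action)

def ipsec_input(pkt):
    """IPSec input processing (Figure 2). Returns (packet, verdict)."""
    if is_multicast(pkt.dst):
        return pkt, "multicast-skip"
    stripped = []
    while pkt.proto == "esp" and pkt.dst == LOCAL:     # local IPSec packet; loop handles nesting
        if pkt.fragmented:
            pkt = reassemble(pkt)                       # reassemble before decapsulating
        if pkt.spi not in SAD or pkt.inner is None:
            return None, "drop-unknown-spi"
        stripped.append(pkt.spi)
        pkt = pkt.inner                                 # verify/decrypt/decapsulate one layer
    if pkt.fragmented:
        pkt = reassemble(pkt)                           # decapsulated payload may be fragmented
    return (pkt, "ok") if verify_policy(pkt, stripped) else (None, "drop-policy")

def ip_input(pkt):
    """IP input flow with the embedding point: basic checks, IPSec, then deliver or forward."""
    if pkt.length <= 0:                                 # basic IP input (length/checksum check)
        return None, "drop-bad-header"
    pkt, verdict = ipsec_input(pkt)
    if pkt is None:
        return None, verdict
    return pkt, ("deliver" if pkt.dst == LOCAL else "forward")   # other IP input processing

def ipsec_output(pkt):
    """IPSec output processing (Figure 3). Returns (packet, verdict)."""
    if is_multicast(pkt.dst):
        return pkt, "multicast-skip"
    if pkt.fragmented:
        pkt = reassemble(pkt)                           # port selector needs the whole packet
    action = lookup_spd(pkt)
    if action in ("DROP", "PASS"):
        return (None, "drop") if action == "DROP" else (pkt, "pass")
    for spi in action:                                  # nested policy: wrap innermost first
        pkt = Packet(LOCAL, SAD[spi], "esp", pkt.length + ESP_OVERHEAD, spi=spi, inner=pkt)
    return pkt, "ipsec"

def ip_output_rest(pkt):
    """Other IP output processing: number of fragments sent if the packet exceeds the MTU."""
    return -(-pkt.length // MTU)
```

A fragmented packet hitting the port-22 DROP rule shows why reassembly precedes verification, and the two-layer packet shows the nested decapsulation loop checked against the SPD.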

Abstract

The invention discloses a method for embedding IPSec into an IP protocol stack, comprising an embedding method for IP packet input and an embedding method for IP packet output. The embedding method for IP packet input comprises: performing basic IP input processing on the input IP packet; performing IPSec input processing on the IP packet; and performing other IP input processing on the IP packet that has undergone IPSec input processing. The embedding method for IP packet output comprises: performing basic IP output processing on the IP packet; performing IPSec output processing on the IP packet; and performing other IP output processing on the IP packet that has undergone IPSec output processing. The method of the invention overcomes the shortcomings of the FreeS/WAN and KAME embedding approaches and realizes the complete functions of IPSec, for example: checking the security policy of forwarded IP packets; checking the security policy of non-IPSec packets destined to the local host; supporting nested security policies; supporting high security granularity; and handling the case where the IP packet is fragmented after IPSec decapsulation.

Description

A method for embedding IPSec into an IP protocol stack
Technical field
The invention belongs to information security technology in the field of information technology, and relates to a method for implementing Internet Protocol Security (IPSec), in particular to a method for embedding IPSec into an IP protocol stack.
Background art
In the following, IP refers to the Internet communication protocol, Internet Protocol, and IPSec refers to IP Security, the protocol that provides security protection for IP.
Generally, the IP protocol itself is insecure; IP packets may be subject to eavesdropping, tampering, replay and other attacks during transmission. To overcome these weaknesses, the IETF (the Internet standards organization) designed the IPSec protocol family, which provides security protection for IPv4 and IPv6 packets, including data origin authentication, connectionless data integrity, anti-replay protection, data confidentiality and limited traffic-flow confidentiality.
The IPSec protocol family provides security services at the IP layer, enabling a system to select the required security protocols and to determine the algorithms and keys used by those services. The IPSec protocol family can protect paths between one or more hosts, between security gateways, and between a security gateway and a host, where a security gateway is an intermediate system that executes the IPSec protocol, such as a router or a firewall that implements IPSec.
The security services that IPSec can provide include connectionless data integrity, data origin authentication, anti-replay protection, data confidentiality and limited traffic-flow confidentiality. Because these services are provided at the IP layer, any higher-layer protocol, such as the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP), the Internet Control Message Protocol (ICMP) or the Border Gateway Protocol (BGP), can use them.
Two protocols in the IPSec protocol family provide transmission security: the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol. The AH protocol provides connectionless integrity verification, data origin authentication and optional anti-replay services; the ESP protocol provides encryption and limited traffic-flow encryption, and can also provide connectionless integrity verification, data origin authentication and anti-replay services. For traffic management based on key distribution, both AH and ESP can serve as carriers of access control.
The AH and ESP protocols can be used independently or in combination to provide the set of security services required in IPv4 and IPv6 environments. Both protocols support two modes: transport mode and tunnel mode. Transport mode provides security protection for higher-layer protocols; tunnel mode protects IP packets transmitted through a tunnel. The differences between the original IP packet, the IP packet in transport mode and the IP packet in tunnel mode are shown in Figure 1. Figure 1(a) shows the composition of the original IP packet: IP header, TCP header and data. The IP packet in transport mode, shown in Figure 1(b), has an IPSec header inserted between the IP header and the TCP header of the original packet. The IP packet in tunnel mode, shown in Figure 1(c), has an IPSec header added before the IP header of the original packet, and a new IP header generated before the IPSec header.
IPSec allows users or system administrators to control the granularity of security services. For example, a user can carry all traffic between two security gateways in a single encrypted tunnel, or create a separate encrypted tunnel for each TCP connection between hosts communicating through the gateways. IPSec management must specify which security services are used and in which combination, the granularity at which security protection is applied, and the encryption and authentication algorithms used.
Because the security services above require shared keys for authentication, integrity verification and encryption, the IPSec protocol relies on a separate set of mechanisms to distribute these keys. IPSec supports both manual and automatic key distribution. For automatic key management, a dedicated public-key-based method, Internet Key Exchange (IKE), is defined; other automatic key distribution techniques, such as the KDC-based Kerberos system or other public-key systems such as SKIP, can also be used.
IPSec can be implemented on a host, or at the connection point of a router or firewall (creating a security gateway). Several common implementation approaches are given below:
The first is to integrate IPSec completely into the IP layer. This approach requires the IP source code and is applicable to both hosts and gateways.
The second is the "Bump-in-the-stack" (BITS) implementation. IPSec is implemented below the original IP protocol stack, between the IP layer and the network device driver layer. This approach does not require the source code of the IP protocol stack, so it suits legacy systems and is mostly used on hosts.
The third is to use an external cryptographic processing device. This is a network security system design commonly used by the military and by financial systems, and is also called the "Bump-in-the-wire" (BITW) implementation. It is used for hosts, gateways or both.
In practice, implementations often do not follow the three approaches above exactly, but adopt them in part or mix several of them.
According to the protocol requirements, the IPSec embedding method must support the following functions: 1) Routine encapsulation and decapsulation, including performing IPSec encapsulation on output packets and fragmenting them if the encapsulated packet exceeds the maximum transmission length of the network interface; and performing IPSec decapsulation on input packets, reassembling a fragmented packet before decapsulation and, if the packet is still fragmented after decapsulation, reassembling it before passing it to the upper-layer protocol. 2) Security policy verification of input packets, that is, comparing the security policy specified for the packet in the security policy database with the IPSec protection actually applied to the packet; not only packets destined to the local host that carry IPSec protection must be verified, but also packets destined to the local host without IPSec protection and forwarded packets passing through the host, so as to decide whether these packets are allowed through. 3) Support for high security granularity, that is, as described above, creating a separate encrypted tunnel for each TCP connection between hosts passing through the gateway. This requires that, when performing security policy verification after decapsulating input, the TCP port in the packet is read, and that a decapsulated packet which is fragmented is first reassembled; likewise for output, when querying the security policy before output encapsulation, the TCP port in the packet is read, and a fragmented packet is also reassembled first. 4) Support for nested security policies, that is, applying multiple IPSec protections to a packet: when a packet is output, IPSec encapsulation must be repeatable; when a packet is input, IPSec decapsulation must be repeatable.
If the new packet after decapsulation is fragmented, it should be reorganized first. In addition, for the output, you need to Before exporting the package, In the full policy, the TCP port in the data packet is read. If the data packet is fragmented, it should be reassembled. 4) Supporting nested security policies, that is, implementing multiple IPSec protections on data packets. When data packets are output, IPSec encapsulation should be repeated; when data packets are input, IPSec decapsulation should be repeated.
由于 IP协议栈本身带有输入、 转发、 输出流程, 中间还可进行重组、 分段 等处理,这是一个很复杂的流程, 因此把 IPSec嵌入到 IP协议栈也是很复杂的 问题, 对 IPSec嵌入点的选择必须能够实现 IPSec的基本功能, 而且不影响 IP 协议栈的正常流程。  Because the IP protocol stack itself has input, forwarding, and output processes, it can also perform reorganization and segmentation in the middle. This is a very complicated process. Therefore, embedding IPSec into the IP protocol stack is also a very complicated problem. The point selection must be able to implement the basic functions of IPSec without affecting the normal flow of the IP protocol stack.
这种复杂性使得有的 IPSec协议栈虽然采用了简单的嵌入方式设计, 却牺 牲了一部分的功能, 例如 FREESWAN协议栈采用了 BITS嵌入方式, 将 IPSec输 了一些缺陷,例如无法对转发的 IP包进行安全策略校验; 对于目的地是本机的 IP包未应用 IPSec的情况, 无法进行安全策略校验; 无法处理 IPSec解封装后 IP包仍为分段的情况; 不支持上层协议端口作为安全策略选择符, 也就无法支 持高安全粒度。 .  This complexity makes some IPSec protocol stacks use a simple embedded design, but sacrifices some functions. For example, the FREESWAN protocol stack uses a BITS embedding method, and it loses some IPSec defects, such as the inability to forward IP packets. Perform security policy verification; For IP packets whose destination is the local machine, IPSec is not applied, security policy verification cannot be performed; Cannot handle the situation where IP packets are still fragmented after IPSec decapsulation; Upper-layer protocol ports are not supported as security Policy selectors cannot support high security granularity. .
KAME协议栈采用完全融合在 IP层的方式, 虽然能够实现 IPSec的功能, 但仍然存在一些缺陷: 如果目的地是本机的 IP包, 未应用 IPSec, 则无法进行 安全策略校验; 不能使用上层协议端口作为安全策略选择符, 也就不能支持高 安全粒度。 另外, 由于 KAME与 IP协议栈是一起设计, 其 IPSec处理流程和 IP 处理流程结合非常紧密, 散布于 IP协议栈的各个部分, 因此难于进行维护。 而 通常情况下, IP协议栈往往是现成的、 既定的, 也无法对 IP协议栈进行这么 大的 改。  The KAME protocol stack is fully integrated at the IP layer. Although it can realize the function of IPSec, there are still some defects: If the destination is a local IP packet and IPSec is not applied, security policy verification cannot be performed; upper layers cannot be used As a security policy selector, the protocol port cannot support high security granularity. In addition, because KAME and the IP protocol stack are designed together, the IPSec processing flow and the IP processing flow are very closely combined and are scattered in various parts of the IP protocol stack, so it is difficult to maintain. In general, the IP protocol stack is often ready-made and cannot be changed so much.
Summary of the Invention
The technical problem addressed by the present invention is to provide a method of embedding IPSec into an IP protocol stack that overcomes the problems of existing IPSec embedding approaches, namely that they cannot implement the complete functionality of IPSec and are difficult to implement.
The method of embedding IPSec into an IP protocol stack according to the present invention comprises: performing basic IP input processing on an inbound IP packet; performing IPSec input processing on the packet; and performing the other IP input processing on the packet after IPSec input processing.
The basic IP input processing comprises: checking the packet length and checksum; and converting the three header fields length, ID and offset into host byte order.
The other IP input processing comprises: IP option processing; determining whether the destination address of the IP packet is the local host; if it is, reassembling the IP fragments and invoking the input processing of the upper-layer protocol; if it is not, performing forwarding.
The IPSec input processing comprises: determining whether the IP packet is a multicast packet, and if so, ending IPSec input processing; if not, determining whether the packet is an IPSec packet destined for the local host, and if so, performing IPSec decapsulation; if not, determining whether the packet is an IP fragment, and if so, reassembling the packet and then performing the security policy check; if it is not a fragment, performing the security policy check directly.
The IPSec decapsulation comprises:
1) determining whether the IP packet is a fragment; if so, proceeding to step 2); if not, proceeding to step 3);
2) reassembling the IP packet;
3) converting the three fields length, ID and offset in the IP header into network byte order;
4) obtaining the security parameter index from the IP packet and querying the security parameter database to obtain the corresponding security parameters; 5) performing the IPSec input verification, decryption and decapsulation operations;
6) converting the three fields length, ID and offset in the IP header back into host byte order.
The method of embedding IPSec into an IP protocol stack according to the present invention further comprises: performing basic IP output processing on an IP packet; performing IPSec output processing on the packet; and performing the other IP output processing on the packet after IPSec output processing.
The basic IP output processing comprises: initializing the IP header; selecting a route; and setting the source address. The other IP output processing comprises: fragmenting the IP packet; and invoking the interface layer to send the packet.
The IPSec output processing comprises: determining whether the IP packet is a multicast packet, and if so, ending IPSec output processing; if not, obtaining the security policy selector from the packet and querying the security policy database to obtain the security policy; then acting according to the policy: if the policy is PASS, IPSec output processing ends; if the policy is DROP, the packet is discarded directly; if the policy is IPSEC, the packet is IPSec-encapsulated.
The IPSec encapsulation comprises:
1) converting the two fields length and offset in the IP header into network byte order;
2) obtaining the security parameters designated by the security policy;
3) performing IPSec encapsulation, encryption and authentication with the security parameters;
4) determining whether a further security policy remains; if so, returning to step 2); if not, proceeding to step 5);
5) converting the two fields length and offset in the IP header back into host byte order.
Compared with the prior art, the embedding method of the present invention overcomes the shortcomings of both the FREESWAN and the KAME embedding approaches and implements the full functionality of the IPSec protocol, including: security policy checks on forwarded IP packets; security policy checks on non-IPSEC packets destined for the local host; handling of IPSec packets that are still fragmented after decapsulation; support for nested security policies; and support for fine-grained security. The invention requires only simple changes to the IP stack and is very easy to implement.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is a schematic diagram of the principle of IPSec;
Figure 2 is a flowchart of IPSec input processing in the embedding method of the present invention;
Figure 3 is a flowchart of IPSec output processing in the embedding method of the present invention.
Detailed Description
The technical solution of the present invention is described in further detail below with reference to the drawings and embodiments.
As shown in Figure 1 and noted above, an IP packet remains an IP packet after IPSec encapsulation and is still handled on the network by the IP processing flow; IPSec processing is therefore part of IP processing. To implement it, the IPSec input processing flow must be embedded in the IP input processing flow, and the IPSec output processing flow in the IP output processing flow. Once embedded, the IP output flow calls the IPSEC output flow and the IP input flow calls the IPSEC input flow. An IPSec embedding method therefore has to settle four questions: the embedding point of IPSec input processing; the flow of IPSec input processing; the embedding point of IPSec output processing; and the flow of IPSec output processing.
The technical solution of the invention is described in detail below in terms of these four aspects.
First, the embedding point for IPSec input processing must be chosen. IPSec input processing is embedded near the front of IP input processing: the invention inserts it after basic IP input processing of the packet has been completed and before the other IP input processing is carried out. Basic IP input processing here means checking the packet length and checksum and converting the three header fields length, ID and offset into host byte order; the other input processing comprises IP option processing, forwarding when the destination address is not the local host, and, when the destination is the local host, reassembling IP fragments and invoking the input processing of upper-layer protocols such as TCP and UDP.
Figure 2 shows the flow of IPSEC input processing. First it is determined whether the inbound IP packet is a multicast packet; if so, no further processing is done and the flow exits. If the packet is not multicast, it is determined whether it is an IPSec packet whose destination address is the local host; if so, IPSec decapsulation is performed. If it is not a local IPSec packet, it is determined whether it is an IP fragment; if so, the packet is reassembled and the security policy check is then performed. If the packet is not a fragment, the security policy check is performed directly.
IPSec decapsulation comprises the following steps. First it is determined whether the IP packet is a fragment; if so, the packet is reassembled before further processing; if not, processing continues directly. The three header fields length, ID and offset are converted into network byte order, the security parameter index is then read from the packet, and the security parameter database is queried by that index to obtain the corresponding security parameters. The security parameters are used for IPSec input verification, decryption and decapsulation. Finally the three header fields length, ID and offset are converted back into host byte order. These steps complete the decapsulation of one IPSec packet. The determination of whether the next IP packet is an IPSec packet destined for the local host, and the subsequent processing, are then repeated.
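As an added illustration (not code from the patent), the following C sketch implements the inbound security policy check that the input flow above reaches after reassembly and decapsulation. Addresses, ports, the policy database and the `ipsec_layers` count of protections removed by decapsulation are constructed here; the same check runs for cleartext packets to this host and for forwarded packets, which the text identifies as the cases FREESWAN misses.

```c
/* Added example, not code from the patent: the inbound security policy check
 * of the IPSec input flow described above. Addresses, ports, the policy
 * database and the count of IPSec protections already removed are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define ANY        0u            /* wildcard in an SPD selector (proto 0 = any) */
#define LOCAL_HOST 0x0A000001u   /* 10.0.0.1: constructed address of this host */

enum action { PASS, DROP, IPSEC };

/* Outcomes of the check: the flow exits early for multicast, and a fragment
 * carries no ports, so it must be reassembled before a port-aware lookup. */
enum verdict { ACCEPT, DISCARD, BYPASS_MULTICAST, NEED_REASSEMBLY };

struct packet {
    uint32_t src, dst;
    uint8_t  proto;
    uint16_t sport, dport;
    bool     fragment;        /* MF set or nonzero fragment offset */
    unsigned ipsec_layers;    /* IPSec protections removed by decapsulation */
};

struct spd_entry {
    uint32_t src, dst;        /* ANY = wildcard */
    uint8_t  proto;
    uint16_t dport;
    enum action action;
    unsigned required_layers; /* nested IPSec protections required for IPSEC */
};

/* Constructed policy database, first match wins: ssh to this host must arrive
 * inside one IPSec layer, telnet is refused anywhere, the rest passes in clear. */
static const struct spd_entry SPD[] = {
    { ANY, LOCAL_HOST, 6,   22,  IPSEC, 1 },
    { ANY, ANY,        6,   23,  DROP,  0 },
    { ANY, ANY,        ANY, ANY, PASS,  0 },
};

static bool is_multicast(uint32_t addr) { return (addr >> 28) == 0xEu; }

static bool sel_match(const struct spd_entry *e, const struct packet *p)
{
    return (e->src == ANY   || e->src == p->src) &&
           (e->dst == ANY   || e->dst == p->dst) &&
           (e->proto == ANY || e->proto == p->proto) &&
           (e->dport == ANY || e->dport == p->dport);
}

static const struct spd_entry *spd_lookup(const struct packet *p)
{
    for (size_t i = 0; i < sizeof SPD / sizeof SPD[0]; i++)
        if (sel_match(&SPD[i], p))
            return &SPD[i];
    return NULL;
}

/* Compare the policy the SPD requires for this packet's selectors with the
 * protection actually applied. The same check runs for IPSec-protected and
 * cleartext packets to this host and for packets being forwarded through it. */
enum verdict inbound_policy_check(const struct packet *p)
{
    if (is_multicast(p->dst))
        return BYPASS_MULTICAST;
    if (p->fragment)
        return NEED_REASSEMBLY;          /* reassemble, then call again */
    const struct spd_entry *e = spd_lookup(p);
    if (e == NULL)
        return DISCARD;                  /* no matching policy: default deny */
    switch (e->action) {
    case PASS:  return p->ipsec_layers == 0 ? ACCEPT : DISCARD;
    case DROP:  return DISCARD;
    case IPSEC: return p->ipsec_layers == e->required_layers ? ACCEPT : DISCARD;
    }
    return DISCARD;
}
```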
The embedding point for IPSec output processing is chosen near the back of IP output processing: IPSec output processing is inserted after basic IP output processing of the packet has been completed and before the other IP output processing. Basic IP output processing comprises initializing the IP header, selecting a route and setting the source address; the other IP output processing means fragmenting the IP packet and invoking the interface layer to send it.
Referring to the IPSec output processing flow in Figure 3, it is first determined whether the IP packet is a multicast packet; if so, the IPSec output flow exits immediately, that is, IPSec output processing applies only to non-multicast packets. Once the packet is known to be non-multicast, the security policy selector is obtained from the packet and the security policy database is queried for the packet's security policy. If the policy is PASS, IPSec output processing exits; if it is DROP, the packet is discarded; if it is IPSec, IPSec output encapsulation is performed. First the two header fields length and offset are converted into network byte order, the security parameters designated by the policy are obtained, and the security parameters are used for IPSec encapsulation, encryption and authentication. This completes the encapsulation for one security policy; if there is a further nested policy, its designated security parameters are obtained and the encapsulation steps are repeated. Once all policies have been processed, the two header fields length and offset are converted back into host byte order.
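The following C example is added here and is not part of the patent; it models steps 1) to 5) of the output encapsulation above and the repeated decapsulation of the input flow, including the header byte-order conversions the text requires around the cryptographic step. The SA table, SPIs, keys, the 28-byte per-layer overhead and the keyed FNV-1a tag that stands in for real authentication are all constructed assumptions.

```c
/* Added example, not part of the patent: byte-order discipline around nested
 * IPSec encapsulation on output and repeated decapsulation on input. The stack
 * keeps len/id/off in host order (basic input processing converts them), so
 * they are flipped to network order before the integrity computation and back
 * afterwards. The "tag" is a keyed FNV-1a hash standing in for real
 * authentication; SPIs, keys and the overhead constant are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <arpa/inet.h>

#define MAX_LAYERS     4
#define OUTER_OVERHEAD 28u   /* constructed: 20-byte outer IP header + 8-byte IPSec header */

struct ip_hdr {              /* only the fields the flows above touch */
    uint16_t len, id, off;   /* host order inside the stack, as in the patent */
    uint8_t  ttl, proto;
    uint32_t src, dst;       /* left as on the wire, as BSD-derived stacks do */
};

struct sa { uint32_t spi, key; };   /* constructed stand-in for a security association */

struct packet {
    struct ip_hdr hdr;
    unsigned layers;                /* IPSec layers currently present */
    uint32_t spi[MAX_LAYERS], tag[MAX_LAYERS];
};

static void hdr_to_net(struct ip_hdr *h)
{ h->len = htons(h->len); h->id = htons(h->id); h->off = htons(h->off); }
static void hdr_to_host(struct ip_hdr *h)
{ h->len = ntohs(h->len); h->id = ntohs(h->id); h->off = ntohs(h->off); }

/* Keyed FNV-1a over the header bytes as they appear on the wire. Only
 * meaningful if the caller has flipped the header to network order first. */
static uint32_t wire_tag(const struct ip_hdr *h, uint32_t key)
{
    uint32_t hv = 2166136261u ^ key;
    const uint8_t *b = (const uint8_t *)h;
    for (size_t i = 0; i < sizeof *h; i++) { hv ^= b[i]; hv *= 16777619u; }
    return hv;
}

/* Output: steps 1) to 5) of the IPSec encapsulation, one pass per nested policy. */
bool ipsec_output(struct packet *p, const struct sa *policy, unsigned n)
{
    if (p->layers + n > MAX_LAYERS) return false;
    hdr_to_net(&p->hdr);                         /* step 1 */
    for (unsigned i = 0; i < n; i++) {           /* steps 2 to 4 */
        p->tag[p->layers] = wire_tag(&p->hdr, policy[i].key);
        p->spi[p->layers] = policy[i].spi;
        p->layers++;
        /* the outer header grows the packet; len is in network order here */
        p->hdr.len = htons((uint16_t)(ntohs(p->hdr.len) + OUTER_OVERHEAD));
    }
    hdr_to_host(&p->hdr);                        /* step 5 */
    return true;
}

static const struct sa *sad_lookup(const struct sa *sad, size_t n, uint32_t spi)
{
    for (size_t i = 0; i < n; i++) if (sad[i].spi == spi) return &sad[i];
    return NULL;
}

/* Input: steps 3) to 6) of the decapsulation, repeated while the packet is
 * still an IPSec packet (nested policies). Fragment reassembly is assumed done. */
bool ipsec_input(struct packet *p, const struct sa *sad, size_t nsad)
{
    while (p->layers > 0) {
        unsigned top = p->layers - 1;            /* outermost layer first */
        hdr_to_net(&p->hdr);                     /* step 3 */
        const struct sa *sa = sad_lookup(sad, nsad, p->spi[top]);   /* step 4 */
        bool ok = false;
        if (sa != NULL) {                        /* unknown SPI: discard */
            p->hdr.len = htons((uint16_t)(ntohs(p->hdr.len) - OUTER_OVERHEAD));
            ok = wire_tag(&p->hdr, sa->key) == p->tag[top];         /* step 5 */
        }
        hdr_to_host(&p->hdr);                    /* step 6 */
        if (!ok) return false;                   /* verification failed: discard */
        p->layers--;
    }
    return true;
}

/* Two nested policies applied on output and removed on input; the header
 * must come back in host order with its original length and ID. */
bool demo_round_trip(void)
{
    const struct sa sad[] = { {0x1001u, 0xA5A5A5A5u}, {0x1002u, 0x5A5A5A5Au} };
    struct packet p = { .hdr = { .len = 100, .id = 7, .off = 0, .ttl = 64,
                                 .proto = 6, .src = 0x0A000002u, .dst = 0x0A000001u } };
    if (!ipsec_output(&p, sad, 2) || p.layers != 2 || p.hdr.len != 156) return false;
    return ipsec_input(&p, sad, 2) && p.layers == 0 && p.hdr.len == 100 && p.hdr.id == 7;
}

/* A header field altered in transit must fail verification on input. */
bool demo_tamper_detected(void)
{
    const struct sa sad[] = { {0x1001u, 0xA5A5A5A5u} };
    struct packet p = { .hdr = { .len = 100, .id = 7, .ttl = 64, .proto = 17 } };
    if (!ipsec_output(&p, sad, 1)) return false;
    p.hdr.id = 8;                                /* constructed tampering */
    return !ipsec_input(&p, sad, 1);
}
```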
Several specific embodiments are given below.
Embodiment 1: policy check of a non-IPSec packet destined for the local host
Suppose a non-IPSec packet destined for the local host is received. After the IP input flow has performed its initial processing, it calls the IPSec input flow. Since the packet is non-multicast and is a non-IPSec packet for the local host, no IPSec decapsulation is performed; it is determined directly whether the packet is an IP fragment. If so, it is reassembled first and the inbound security policy check is then performed; if not, the security policy check is performed directly. Because fragmented IP packets have been reassembled, ports can be included as security policy selectors in the check, so port-level fine-grained security is supported.
Embodiment 2: decapsulation and policy check of an IPSec packet destined for the local host
Suppose an IPSEC packet destined for the local host is received. After the IP input flow has performed its initial processing, it calls the IPSec input flow. Since the packet is non-multicast and is an IPSec packet for the local host, IPSec decapsulation is performed. If the packet is an IP fragment, it is reassembled first; the three header fields length, ID and offset are then converted into network byte order. The security parameter index is obtained from the packet and the security parameter database is queried to obtain the corresponding security parameters. The security parameters are then used for IPSec input verification, decryption and decapsulation, and finally the three header fields length, ID and offset are converted back into host byte order.
After IPSec verification and decapsulation, the IPSec packet becomes a non-IPSec packet. It is then determined whether this packet is fragmented; if so, it is reassembled and the inbound security policy check is performed; if not, the security policy check is performed directly.
Because fragments are reassembled during decapsulation, IPSec decapsulation is performed correctly even when the packet was fragmented before decapsulation. Because fragments are also reassembled after decapsulation, ports can be included as security policy selectors in the check even when the decapsulated packet is an IP fragment, so port-level fine-grained security is supported.
Embodiment 3: policy check of a forwarded IP packet
Suppose an IP packet is received whose destination is not the local host and which must be forwarded. After the IP input flow has performed its initial processing, it calls the IPSec input flow. Since the packet is non-multicast and is not an IPSec packet for the local host, no IPSec decapsulation is performed; it is determined directly whether the packet is an IP fragment. If so, it is reassembled first and the inbound security policy check is then performed; if not, the security policy check is performed directly. Because fragmented IP packets have been reassembled, ports can be included as security policy selectors in the check, so port-level fine-grained security is supported.
Embodiment 4: encapsulation and fragmentation of an outbound packet
Suppose a packet is to be sent. After the IP output flow has performed its initial processing, it calls the IPSec output flow. Since the packet is not multicast, processing continues. The security policy selector is obtained from the packet and the security policy database is queried. If the packet originates from the local host it has not yet been fragmented, so a security policy selector including the ports can be obtained; if it is a packet received on another network interface and awaiting forwarding, it has already been through IP input and IPSec input processing and, if it was fragmented, has already been reassembled, so a selector including the ports can likewise be obtained. Because IPSec encapsulation is to be performed, the policy found should be IPSec, and IPSec output encapsulation is carried out. The two header fields length and offset are first converted into network byte order and the security parameters designated by the policy are obtained. The security parameters are then used for IPSec encapsulation, encryption and authentication. If there are several nested security policies, these steps are repeated until all policies have been applied. Finally the two header fields length and offset are converted back into host byte order.
After these steps, therefore, whether the packet is a forwarded IP packet or one originated by the local host, a security policy selector including the ports can be obtained, so port-level fine-grained security is supported.
After IPSec output processing ends, the IP output flow continues with the remaining processing: if the length of the IPSec-encapsulated packet exceeds the maximum transmission unit of the network interface, the packet is fragmented first, and the interface layer is then invoked to send it.
As Embodiments 2 and 4 show, both IPSec input decapsulation and IPSec output encapsulation can obtain a security policy selector that includes the ports, so fine-grained security is supported.
Embodiment 5: handling of nested security policies
Suppose a two-layer nested security policy is to be applied to an outbound IP packet. After the IP output flow has performed its initial processing, it calls the IPSec output flow. The packet is not multicast, so processing continues. The security policy selector is obtained from the packet and the security policy database is queried. If the packet originates from the local host it has not yet been fragmented, so a selector including the ports can be obtained; if it was received on another network interface, it has already been through IP input and IPSec input processing and has been reassembled, so a selector including the ports can likewise be obtained. Because the policy is nested, the policy found should be IPSec, and IPSec output encapsulation is performed: the two header fields length and offset are converted into network byte order, the security parameters designated by the policy are obtained, and the security parameters are used for IPSec encapsulation, encryption and authentication. Because two nested policies are required, these steps are repeated: the security parameters designated by the next policy are obtained and used for IPSec encapsulation, encryption and authentication. Finally the two header fields length and offset are converted back into host byte order.
Now suppose a packet encapsulated under a two-layer nested security policy is received. After the IP input flow has performed its initial processing, it calls the IPSec input flow. Since the packet is non-multicast and is an IPSec packet for the local host, decapsulation is performed. If the packet is an IP fragment, it is reassembled first. The three header fields length, ID and offset are converted into network byte order, the security parameter index is obtained from the packet, and the security parameter database is queried by that index to obtain the corresponding security parameters. The security parameters are then used for IPSec input verification, decryption and decapsulation, and the three header fields length, ID and offset are converted back into host byte order. Because the packet was encapsulated under two nested policies, the result of the first decapsulation is still an IPSec packet and must be decapsulated again. After both layers have been removed, the new packet is a non-IPSec packet; it is then determined whether it is an IP fragment, and if so it is reassembled and the inbound security policy check is performed. If not, the security policy check is performed directly.
For nested security policies of more than two layers, encapsulation and decapsulation proceed in the same way. The IPSec embedding method of the invention therefore supports nested security policies.
Finally, it should be noted that the above embodiments only illustrate the technical solution of the present invention and do not limit it. Although the invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the technical solution may be modified or equivalently replaced without departing from its spirit and scope, and all such modifications fall within the scope of the claims of the present invention.

Claims

1. A method for embedding IPSec into an IP protocol stack, characterized in that it comprises: performing basic IP input processing on an incoming IP packet; performing IPSec input processing on said IP packet; and performing other IP input processing on the IP packet that has undergone IPSec input processing.
2. The method for embedding IPSec into an IP protocol stack according to claim 1, characterized in that the basic IP input processing comprises: checking the packet length and checksum; and converting the three fields length, ID and offset into host byte order;
and the other IP input processing comprises: IP option processing; judging whether the destination address of the IP packet is the local host; if so, reassembling the IP packet fragments and invoking the input processing of the upper-layer protocol; if not, performing forwarding processing.
3. The method for embedding IPSec into an IP protocol stack according to claim 1 or 1, characterized in that the IPSec input processing comprises: judging whether the IP packet is a multicast packet; if so, the IPSec input processing ends; if not, judging whether said IP packet is an IPSec packet destined for the local host; if so, performing IPSec decapsulation processing; if not, judging whether said IP packet is a fragmented IP packet; if so, reassembling the IP packet and then performing the security policy check; if it is not a fragmented IP packet, performing the security policy check directly.
4. The method for embedding IPSec into an IP protocol stack according to claim 3, characterized in that the IPSec decapsulation processing comprises:
1) judging whether said IP packet is a fragmented IP packet; if so, executing step 2); if not, executing step 3);
2) reassembling said IP packet;
3) converting the three fields length, ID and offset in the header of said IP packet into network byte order;
4) obtaining the security parameter index from said IP packet and querying the security parameter database to obtain the corresponding security parameters;
5) performing IPSec input verification, decryption and decapsulation;
6) converting the three fields length, ID and offset in the IP packet header into host byte order.
5. A method for embedding IPSec into an IP protocol stack, characterized in that it comprises: performing basic IP output processing on an IP packet; performing IPSec output processing on said IP packet; and performing other IP output processing on the IP packet that has undergone IPSec output processing.
6. The method for embedding IPSec into an IP protocol stack according to claim 5, characterized in that the basic IP output processing comprises: initializing the IP packet header; selecting a route; and setting the source address; and the other IP output processing comprises: fragmenting the IP packet; and invoking the interface layer to send the IP packet.
7. The method for embedding IPSec into an IP protocol stack according to claim 5 or 6, characterized in that the IPSec output processing comprises: judging whether the IP packet is a multicast packet; if so, the IPSec output processing ends; if not, obtaining the security policy selector from the IP packet and querying the security policy database to obtain the security policy; and processing according to the security policy obtained: if the security policy is PASS, the IPSec output processing ends; if the security policy is DROP, the IP packet is discarded directly; if the security policy is IPSEC, the IP packet is IPSec-encapsulated.
8. The method for embedding IPSec into an IP protocol stack according to claim 7, characterized in that the IPSec encapsulation comprises:
1) converting the two fields length and offset in the IP packet header into network byte order;
2) obtaining the security parameters specified by the security policy;
3) performing IPSec encapsulation, encryption and authentication using the security parameters;
4) judging whether there is a further security policy; if so, going to step 2); if not, executing step 5);
5) converting the two fields length and offset in the IP packet header into host byte order.
9. A method for embedding IPSec into an IP protocol stack, characterized in that it comprises an embedding method for IP packet input and an embedding method for IP packet output, wherein
the embedding method for IP packet input comprises: performing basic IP input processing on an incoming IP packet; performing IPSec input processing on said IP packet; and performing other IP input processing on the IP packet that has undergone IPSec input processing;
and the embedding method for IP packet output comprises: performing basic IP output processing on an IP packet; performing IPSec output processing on said IP packet; and performing other IP output processing on the IP packet that has undergone IPSec output processing.
10. The method for embedding IPSec into an IP protocol stack according to claim 9, characterized in that the basic IP input processing comprises: checking the packet length and checksum; and converting the three fields length, ID and offset into host byte order;
and the other IP input processing comprises: IP option processing; judging whether the destination address of the IP packet is the local host; if so, reassembling the IP packet fragments and invoking the input processing of the upper-layer protocol; if not, performing forwarding processing.
11. The method for embedding IPSec into an IP protocol stack according to claim 9 or 10, characterized in that the IPSec input processing comprises: judging whether the IP packet is a multicast packet; if so, the IPSec input processing ends; if not, judging whether said IP packet is an IPSec packet destined for the local host; if so, performing IPSec decapsulation processing; if not, judging whether said IP packet is a fragmented IP packet; if so, reassembling the IP packet and then performing the security policy check; if it is not a fragmented IP packet, performing the security policy check directly.
12. The method for embedding IPSec into an IP protocol stack according to claim 11, characterized in that the IPSec decapsulation processing comprises:
1) judging whether said IP packet is a fragmented IP packet; if so, executing step 2); if not, executing step 3);
2) reassembling said IP packet;
3) converting the three fields length, ID and offset in the header of said IP packet into network byte order;
4) obtaining the security parameter index from said IP packet and querying the security parameter database to obtain the corresponding security parameters;
5) performing IPSec input verification, decryption and decapsulation;
6) converting the three fields length, ID and offset in the IP packet header into host byte order.
13. The method for embedding IPSec into an IP protocol stack according to claim 9, characterized in that the basic IP output processing comprises: initializing the IP packet header; selecting a route; and setting the source address; and the other IP output processing comprises: fragmenting the IP packet; and invoking the interface layer to send the IP packet.
14. The method for embedding IPSec into an IP protocol stack according to claim 9 or 13, characterized in that the IPSec output processing comprises: judging whether the IP packet is a multicast packet; if so, the IPSec output processing ends; if not, obtaining the security policy selector from the IP packet and querying the security policy database to obtain the security policy; and processing according to the security policy obtained: if the security policy is PASS, the IPSec output processing ends; if the security policy is DROP, the IP packet is discarded directly; if the security policy is IPSEC, the IP packet is IPSec-encapsulated.
15. The method for embedding IPSec into an IP protocol stack according to claim 14, characterized in that the IPSec encapsulation comprises:
1) converting the two fields length and offset in the IP packet header into network byte order;
2) obtaining the security parameters specified by the security policy;
3) performing IPSec encapsulation, encryption and authentication using the security parameters;
4) judging whether there is a further security policy; if so, going to step 2); if not, executing step 5);
5) converting the two fields length and offset in the IP packet header into host byte order.
PCT/CN2003/001077 2003-11-13 2003-12-17 A METHOD ON EMBEDDING IPSec PROTOCOL STACK WO2005048553A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2003292854A AU2003292854A1 (en) 2003-11-13 2003-12-17 A method on embedding ipsec protocol stack

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200310113603.4 2003-11-13
CN 200310113603 CN100512278C (en) 2003-11-13 2003-11-13 A method for embedding IPSEC in IP protocol stack

Publications (1)

Publication Number Publication Date
WO2005048553A1 true WO2005048553A1 (en) 2005-05-26

Family

ID=34336935

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2003/001077 WO2005048553A1 (en) 2003-11-13 2003-12-17 A METHOD ON EMBEDDING IPSec PROTOCOL STACK

Country Status (3)

Country Link
CN (1) CN100512278C (en)
AU (1) AU2003292854A1 (en)
WO (1) WO2005048553A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8181014B2 (en) * 2007-05-09 2012-05-15 Telefonaktiebolaget Lm Ericsson (Publ) Method and apparatus for protecting the routing of data packets
CN103888450B (en) * 2014-03-06 2017-04-26 江苏金陵科技集团有限公司 IPSec processing method on Window platform
CN106941488B (en) * 2017-03-09 2019-11-29 西安电子科技大学 Multi-layer protocol packet encapsulation device and method based on FPGA

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2317792A (en) * 1996-09-18 1998-04-01 Secure Computing Corp Virtual Private Network for encrypted firewall
WO2000078008A1 (en) * 1999-06-15 2000-12-21 Ssh Communications Security Ltd A method and arrangement for providing security through network address translations using tunneling and compensations
WO2001091413A2 (en) * 2000-05-24 2001-11-29 Telefonaktiebolaget Lm Ericsson (Publ) Ipsec processing
WO2002041564A2 (en) * 2000-11-16 2002-05-23 Telefonaktiebolaget Lm Ericsson (Publ) Securing voice over ip traffic
WO2002096043A1 (en) * 2001-05-21 2002-11-28 Xelerated Ab Method and apparatus for processing blocks in a pipeline


Also Published As

Publication number Publication date
CN1545292A (en) 2004-11-10
CN100512278C (en) 2009-07-08
AU2003292854A1 (en) 2005-06-06


Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP