WO2017173806A1 - Method and system using cooperation of switch chip or NP and CPU to perform IPSEC encryption on packet - Google Patents

Info

Publication number: WO2017173806A1
Application number: PCT/CN2016/102806
Authority: WO (WIPO, PCT)
Prior art keywords: packet, CPU, interface, IPSEC, encryption
Other languages: French (fr), Chinese (zh)
Inventors: 王颖, 饶冀, 周万涛, 李先鲜
Original assignee and applicant: 烽火通信科技股份有限公司 (FiberHome Telecommunication Technologies Co., Ltd.)

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/40: Network security protocols
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/16: Implementing security features at a particular protocol layer
    • H04L 63/164: Implementing security features at the network layer
    • H04L 63/04: Providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428: Confidential data exchange wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0485: Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up


Abstract

Disclosed are a method and system using cooperation of a switch chip or an NP and a CPU to perform IPSEC encryption on a packet. The method comprises the following steps: receiving a packet from a service interface; querying a routing table according to the destination IP address of the packet, and, if the egress interface is an ordinary interface, performing route forwarding on the packet; if the egress interface is an IPSEC tunnel interface, querying an ACL according to the 5-tuple of the packet to determine whether the packet matches an ACL rule; if not, discarding the packet; if so, determining the action of the security policy and, according to that action, performing route forwarding on the packet, discarding the packet, or encapsulating the packet with a private header and transmitting it to the CPU; receiving, by the CPU, the packet to be encrypted and searching for SA information according to the 5-tuple and the 3-tuple of the packet; if no SA information is found, discarding the packet; and if SA information is found, performing IPSEC encryption on the packet according to the SA information and transmitting it to the interface board. In the invention a packet is filtered by the interface board before it is passed to the CPU, and only a packet whose security policy is apply IPSEC is passed to the CPU, which raises the bandwidth utilization of the switching fabric and the processing efficiency of the CPU.

Description

Method and system for a switch chip or NP and a CPU to cooperatively complete IPSEC encryption of packets

Technical field

The present invention relates to IPSEC encryption technology, and in particular to a method and system in which a switch chip or NP cooperates with a CPU to complete IPSEC encryption of packets.

Background

IPSEC (IP Security, where IP is the Internet Protocol) is a framework protocol defined by the IETF (Internet Engineering Task Force) to guarantee the security of data transmitted over the Internet. It ensures confidential and secure communication over IP networks mainly by encapsulating security payloads and by using cryptographic security services. It applies strong security processing to packets at the IP layer and provides services that include access control, connectionless integrity, data origin authentication, anti-replay protection (one component of sequence integrity), confidentiality and limited traffic-flow confidentiality. These services operate at the IP layer and protect IP and the protocols above it.
Distributed devices that currently support IPSEC generally consist of interface boards, service boards and a main control board. The interface board normally carries a high-performance forwarding chip such as a switch chip or an NP (network processor), which receives and forwards data packets and sends the packets that need IPSEC encryption or decryption to the service board across the switching fabric; the service board performs IPSEC encryption and decryption on packets and sends the processed packets back to the interface board; the main control board exchanges routing protocol packets and IKE (Internet Key Exchange, the signaling protocol of IPSec) protocol packets and generates the routing and IPSEC related configuration, but does not take part in data forwarding itself. IPSEC encryption and decryption are generally implemented on the service board CPU, which can use a software algorithm or an internal hardware crypto engine. Figure 1 shows the IPSEC encryption method commonly used on service boards today. As shown in Figure 1, it comprises the following steps: after the service board CPU receives a packet sent by the interface board across the switching fabric, it queries the SPD (security policy database) with the packet 5-tuple (source IP address, destination IP address, source port, destination port, security protocol) to obtain the security policy and act on it. If the policy is discard, the packet is discarded. If the policy is bypass, the packet is sent back to the interface board for route forwarding. If the policy is apply IPSEC, the SA (Security Association) is then looked up by the 3-tuple (SPI (Security Parameter Index), destination IP address, security protocol); if no SA is found, the SA has not yet been established and the packet is discarded; otherwise the packet is encrypted according to the SA that was found, and the resulting ciphertext is sent to the interface board for route forwarding.
Implementing IPSEC encryption with the method above has the following problems:

1) The service board receives packets sent by the interface board across the switching fabric, and only after querying the SPD does it encrypt the packets whose security policy is apply IPSEC; the remaining packets are discarded or sent back to the interface board for route forwarding. This consumes excessive switching fabric bandwidth.

2) The interface board sends packets to the service board CPU whether or not they need encryption, which increases the CPU load and reduces CPU processing capacity.

In view of this, an IPSEC encryption method that raises switching fabric bandwidth utilization and service board CPU processing efficiency is urgently needed.
Summary of the invention

The technical problem solved by the present invention is that the interface board sends packets to the service board CPU across the switching fabric whether or not they need encryption, which adds to the CPU load, consumes excessive switching fabric bandwidth and reduces CPU processing capacity.

To solve the above technical problem, the present invention provides a method for a switch chip or NP and a CPU to cooperatively complete IPSEC encryption of packets, comprising the following steps:

Receive a packet from a service interface, look up the routing table by the packet's destination IP address and determine the outgoing interface type of the routing entry. If it is an ordinary interface, route-forward the packet. If it is an IPSEC tunnel interface, query the ACL with the packet 5-tuple and determine whether the ACL is hit; if not, discard the packet; otherwise determine the action of the ACL's security policy: packets whose action is apply IPSEC are encapsulated with a private header and sent to the service board CPU; packets whose action is bypass are route-forwarded; packets whose action is discard are discarded.

The service board CPU receives the packet to be encrypted, queries the SPD with the packet 5-tuple to obtain the corresponding SPI, then queries the SA information with this SPI and the packet 3-tuple and determines whether SA information was found. If not, it discards the packet; otherwise it performs IPSEC encryption on the packet according to the SA information and sends it to the interface board.

In the above method, the private header contains an encryption flag and a decryption flag.

The present invention also provides a system in which a switch chip or NP cooperates with a CPU to complete IPSEC encryption of packets, comprising:

A screening module, which receives packets from the service interface and, according to the packet's destination IP address, the outgoing interface type of the routing entry and the ACL security policy action, encapsulates packets whose action is apply IPSEC with a private header and sends them to the service board CPU, route-forwards packets whose action is bypass, and discards packets whose action is discard.

An encryption/decryption module, which receives packets and, for packets whose private header carries the encryption flag, queries the SPD and the corresponding SPI with the packet 5-tuple, then queries the SA information with this SPI and the packet 3-tuple, and performs IPSEC encryption on the packet or discards it according to the query result; finally it sends the encrypted packet across the switching fabric to the screening module.

In the above solution, the screening module is located on the switch chip or NP of the interface board, and the encryption/decryption module is located on the service board CPU.
Description of drawings

Figure 1 is the flow chart of the existing packet IPSEC encryption;

Figure 2 is the flow chart of packet screening provided by the present invention;

Figure 3 is the flow chart of IPSEC encryption of the screened packets provided by the present invention;

Figure 4 is the block diagram of the system provided by the present invention in which a switch chip or NP and a CPU cooperatively complete IPSEC encryption of packets.

Detailed description

The present invention provides a method for a switch chip or NP and a CPU to cooperatively complete IPSEC encryption of packets. The invention is described in detail below with reference to specific embodiments and the accompanying drawings.
First, after receiving the user configuration or completing IKE negotiation, the main control board generates the SPD and the SAs and delivers this configuration to the service board CPU. At the same time it generates an ACL (Access Control List) from the SPD information: the ACL match rule is the packet 5-tuple (source IP address, destination IP address, source port, destination port, protocol number), and the action of the ACL's SP (Security Policy) is discard, bypass or apply IPSEC. The generated ACL is then delivered to the switch chip or NP of the interface board, which, after receiving a packet, continues with the following processing.

Figure 2 is the flow chart of packet screening provided by the present invention, comprising the following steps:

S201. Receive a packet from the service interface; go to S202.

S202. Look up the routing table by the packet's destination IP address; go to S203.

S203. Determine the outgoing interface type of the routing entry: if it is an ordinary interface, go to S208; if it is an IPSEC tunnel interface, go to S204.

S204. Query the ACL with the packet 5-tuple; go to S205.

S205. Determine whether the ACL is hit: if hit, go to S206, otherwise go to S209.

S206. Determine the action of the ACL security policy: if apply IPSEC, go to S207; if bypass, go to S208; if discard, go to S209.

S207. Encapsulate the packet with a private header that carries the encryption flag and send it across the switching fabric to the service board CPU; go to S210.

S208. Perform route forwarding: find the egress and send the packet out of it; go to S210.

S209. Discard the packet; go to S210.

S210. End of procedure.
After the CPU receives a packet screened by the above steps, it performs IPSEC encryption on it. Figure 3 is the flow chart of IPSEC encryption of the screened packets provided by the present invention, comprising the following steps:

S301. Receive the packet to be encrypted; go to S302.

S302. Query the SPD with the packet 5-tuple to obtain the corresponding SPI; go to S303.

S303. Query the SA information with the packet 3-tuple; go to S304.

S304. Determine whether SA information was found: if found, go to S305, otherwise go to S306.

S305. Perform IPSEC encryption on the packet according to the SA information; go to S307.

S306. Discard the packet.

S307. Send the packet across the switching fabric to the interface board for the subsequent route forwarding procedure.

S308. End of procedure.
本发明还提供了一种交换芯片或NP与CPU协同完成报文IPSEC加密的系统,如图4所示,本系统包括设于接口板的交换芯片或NP上的筛选模块10与设于业务板CPU上的加解密模块20;The present invention also provides a switching chip or a system in which an NP and a CPU cooperate to complete packet IPSEC encryption. As shown in FIG. 4, the system includes a screening module 10 disposed on a switch chip or an NP of an interface board, and is disposed on a service board. The encryption and decryption module 20 on the CPU;
筛选模块10:接收从业务接口送入的报文,并根据该报文的目的IP地址、路由表项的出接口类型及ACL的安全策略动作,将动作为应用IPSEC的报文封装私有头,并发往业务板CPU;将动作为绕过 的报文进行路由转发;将动作为丢弃的报文丢弃。The screening module 10: receives the packet sent from the service interface, and encapsulates the private header of the packet applying the IPSEC according to the destination IP address of the packet, the outgoing interface type of the routing entry, and the ACL security policy action. Concurrently sent to the business board CPU; the action is bypassed The packets are forwarded by the route. The packets discarded are discarded.
加解密模块20:判断发送至本模块的报文私有头携带的加解密标识,若为加密标识,则根据报文五元组查询SPD及对应的SPI,再根据本SIP及报文三元组查询SA信息,并根据查询结果对该报文进行IPSEC加密或丢弃的处理;若为解密标识,则根据相应的SA信息为报文解密;最后将加密或解密后的报文经交换网络发送至筛选模块10进行路由转发。The encryption and decryption module 20: determining the encryption and decryption identifier carried by the private header of the packet sent to the module. If the encryption identifier is used, the SPD and the corresponding SPI are queried according to the packet quintuple, and then according to the SIP and the message triplet. Query the SA information and perform IPSEC encryption or discarding on the packet according to the query result. If the identifier is decrypted, the packet is decrypted according to the corresponding SA information. Finally, the encrypted or decrypted packet is sent to the switched network. The screening module 10 performs route forwarding.
The working principle of the system of the invention is as follows:
After receiving the user configuration or completing IKE negotiation, the main control board generates the SPD and SA for the specified flow and delivers this configuration to encryption/decryption module 20. At the same time it generates an ACL from the SPD information, where the ACL match rule is the packet five-tuple and the security policy action is one of discard, bypass or apply IPSEC, and then delivers the generated ACL to the forwarding information base (FIB) of screening module 10.
After screening module 10 receives a packet, it first looks up the routing table by the packet's destination IP address and obtains the outgoing-interface type of the routing entry. If the outgoing interface is an ordinary port, ordinary route forwarding is performed. If the outgoing interface is an IPSEC virtual tunnel interface, the module looks up the ACL by the packet five-tuple and checks whether the ACL is hit; if there is no hit, the security policy for that flow has not yet been generated and the packet is discarded. If there is a hit and the security policy action found is bypass, the packet is passed to ordinary route forwarding; if the action found is apply IPSEC, the packet is encapsulated with a private header containing the encryption or decryption identifier and sent through the switching network to encryption/decryption module 20.
After encryption/decryption module 20 receives a packet to be encrypted, it checks whether the packet's private header carries the encryption or the decryption identifier. If it is the encryption identifier, the module looks up the SPD by the packet five-tuple and obtains the corresponding SPI. It then looks up the SA by the packet triplet (SPI, destination IP address, protocol number); if no SA is found, the packet is discarded; if an SA is found, the packet is IPSEC-encrypted according to the SA information, and finally the encrypted packet is sent back through the switching network to screening module 10 for subsequent route forwarding.
In the present invention, packets that would otherwise be processed by the service board CPU are first screened by the interface board, so that only packets whose security policy is apply IPSEC are sent to the service board CPU, while packets whose security policy is discard or bypass are fully handled on the interface board. This not only improves bandwidth utilization of the switching network but also raises the processing efficiency of the service board CPU.
The present invention is not limited to the above preferred embodiment; anyone should be aware that structural changes made in the light of the present invention, and any technical solution identical or similar to that of the present invention, fall within the protection scope of the present invention.
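As an added illustration (not code from the patent or from the applicant), the following Python model walks packets through the two-stage split described above: the interface-board screening module (route lookup, outgoing-interface type, ACL action, private header) and the service-board encryption module (SPD lookup for the SPI, then SA lookup by the (SPI, destination IP, protocol) triplet). The routing, ACL, SPD and SAD contents, the private-header flag values and the class names are constructed assumptions; the confidentiality transform is not modelled, only the ESP framing (SPI, sequence number) and an HMAC-SHA256 ICV keyed from the SA. The two fail-closed paths, ACL miss and SA miss, are the checks a reviewer would want to confirm in any implementation of this design.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from enum import Enum


class IfType(Enum):
    NORMAL = "normal"
    IPSEC_TUNNEL = "ipsec-tunnel"


class Action(Enum):          # security policy actions generated from the SPD
    DROP = "drop"
    BYPASS = "bypass"
    APPLY_IPSEC = "apply-ipsec"


class Verdict(Enum):
    FORWARD = "forward"      # routed by the interface board itself
    DROP = "drop"            # discarded on the interface board
    TO_CPU = "to-cpu"        # private header added, sent over the switch fabric to the CPU


ENCRYPT_FLAG = 1             # assumed flag values; the patent only names "encrypt/decrypt identifier"
DECRYPT_FLAG = 2


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    payload: bytes

    def five_tuple(self):
        return (self.src, self.dst, self.proto, self.sport, self.dport)


@dataclass(frozen=True)
class SA:
    spi: int
    auth_key: bytes          # constructed sample key material


class ScreeningModule:
    """Interface-board screening (switch chip / NP): route type, then ACL action."""

    def __init__(self, routes, acl):
        self.routes = [(ipaddress.ip_network(p), t) for p, t in routes]
        self.acl = dict(acl)                      # five-tuple -> Action

    def _out_iftype(self, dst):
        addr = ipaddress.ip_address(dst)
        hits = [(n.prefixlen, t) for n, t in self.routes if addr in n]
        return max(hits, key=lambda h: h[0])[1]   # longest prefix wins; sample FIB has a default route

    def process(self, pkt):
        if self._out_iftype(pkt.dst) is IfType.NORMAL:
            return Verdict.FORWARD, None          # ordinary port: plain route forwarding
        action = self.acl.get(pkt.five_tuple())
        if action is None:                        # ACL miss: policy not generated yet, fail closed
            return Verdict.DROP, None
        if action is Action.BYPASS:
            return Verdict.FORWARD, None
        if action is Action.DROP:
            return Verdict.DROP, None
        return Verdict.TO_CPU, {"flag": ENCRYPT_FLAG}


class EncryptionModule:
    """Service-board CPU side: SPD -> SPI, SAD keyed by (SPI, dst IP, proto), ESP output."""

    def __init__(self, spd, sad):
        self.spd = dict(spd)                      # five-tuple -> SPI
        self.sad = dict(sad)                      # (SPI, dst IP, protocol) -> SA
        self.seq = {}                             # per-SPI sequence counter

    def process(self, pkt, private_hdr):
        if private_hdr["flag"] != ENCRYPT_FLAG:
            raise NotImplementedError("decrypt path is not modelled here")
        spi = self.spd.get(pkt.five_tuple())
        sa = self.sad.get((spi, pkt.dst, pkt.proto)) if spi is not None else None
        if sa is None:
            return None                           # no SA: drop rather than send in the clear
        self.seq[spi] = self.seq.get(spi, 0) + 1
        esp_header = spi.to_bytes(4, "big") + self.seq[spi].to_bytes(4, "big")
        # Cipher step omitted; ICV over header + payload shows the SA-driven part of the output.
        icv = hmac.new(sa.auth_key, esp_header + pkt.payload, hashlib.sha256).digest()[:16]
        return {"proto": 50, "spi": spi, "seq": self.seq[spi], "icv": icv}


# Constructed sample tables; values are illustrative, not taken from the patent.
ROUTES = [("0.0.0.0/0", IfType.NORMAL), ("10.2.0.0/16", IfType.IPSEC_TUNNEL)]
FLOW_IPSEC = ("10.1.0.5", "10.2.0.7", 6, 40000, 443)
FLOW_BYPASS = ("10.1.0.5", "10.2.0.8", 17, 5000, 53)
FLOW_DROP = ("10.1.0.5", "10.2.0.9", 6, 40000, 22)
ACL = {FLOW_IPSEC: Action.APPLY_IPSEC, FLOW_BYPASS: Action.BYPASS, FLOW_DROP: Action.DROP}
SPD = {FLOW_IPSEC: 0x1001}
SAD = {(0x1001, "10.2.0.7", 6): SA(0x1001, b"constructed-sample-auth-key")}

SCREEN = ScreeningModule(ROUTES, ACL)
CPU = EncryptionModule(SPD, SAD)


def pkt(flow, payload=b"hello"):
    return Packet(*flow, payload)


def run_demo():
    """Run each path once and return the verdicts so they can be inspected or asserted on."""
    results = {
        "normal": SCREEN.process(pkt(("10.1.0.5", "192.0.2.1", 6, 1234, 80)))[0],
        "bypass": SCREEN.process(pkt(FLOW_BYPASS))[0],
        "drop": SCREEN.process(pkt(FLOW_DROP))[0],
        "acl_miss": SCREEN.process(pkt(("10.1.0.5", "10.2.0.10", 6, 1, 2)))[0],
    }
    verdict, hdr = SCREEN.process(pkt(FLOW_IPSEC))
    results["ipsec"] = verdict
    results["esp"] = CPU.process(pkt(FLOW_IPSEC), hdr) if verdict is Verdict.TO_CPU else None
    # ACL installed but SA since removed (e.g. expired): the CPU must drop, not forward in the clear.
    results["sa_miss"] = EncryptionModule(SPD, {}).process(pkt(FLOW_IPSEC), hdr)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:9s} -> {value}")
```

Only the flow that hits an apply-IPSEC ACL entry crosses the switch fabric; bypass and discard traffic, and any flow whose policy has not been installed yet, is resolved on the interface board, which is the bandwidth and CPU saving the description claims. The `sa_miss` case is the window between ACL installation and SA availability (or after SA expiry) that the page handles by discarding.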

Claims (4)

  1. A method in which a switch chip or NP cooperates with a CPU to complete IPSEC encryption of packets, characterized in that it comprises the following steps:
    receiving a packet from a service interface, looking up the routing table by the packet's destination IP address and determining the outgoing-interface type of the routing entry; if it is an ordinary interface, route-forwarding the packet; if it is an IPSEC tunnel interface, looking up the ACL by the packet five-tuple and checking whether the ACL is hit; if not hit, discarding the packet; otherwise determining the action of the ACL security policy: encapsulating packets whose action is apply IPSEC with a private header and sending them to the service board CPU; route-forwarding packets whose action is bypass; discarding packets whose action is discard;
    the service board CPU receiving the packet to be encrypted, looking up the SPD by the packet five-tuple and obtaining the corresponding SPI, then looking up the SA information by this SPI and the packet triplet, and checking whether the SA information is found; if not found, discarding the packet; otherwise IPSEC-encrypting the packet according to the SA information and sending it to the interface board.
  2. The method according to claim 1, characterized in that the private header contains an encryption identifier and a decryption identifier.
  3. A system in which a switch chip or NP cooperates with a CPU to complete IPSEC encryption of packets, characterized in that it comprises:
    a screening module, which receives packets from the service interface and, based on the packet's destination IP address, the outgoing-interface type of the routing entry and the ACL security policy action, encapsulates packets whose action is apply IPSEC with a private header and sends them to the service board CPU, route-forwards packets whose action is bypass, and discards packets whose action is discard;
    an encryption/decryption module, which receives packets and, for packets whose private header carries the encryption identifier, looks up the SPD and the corresponding SPI by the packet five-tuple, then looks up the SA information by this SPI and the packet triplet, and IPSEC-encrypts or discards the packet according to the lookup result; finally, the encrypted packet is sent through the switching network to the screening module.
  4. The system according to claim 3, characterized in that the screening module is located on the switch chip or NP of the interface board, and the encryption/decryption module is located on the service board CPU.
PCT/CN2016/102806 2016-04-07 2016-10-21 Method and system using cooperation of switch chip or np and cpu to perform ipsec encryption on packet WO2017173806A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610212912.4 2016-04-07
CN201610212912.4A CN105763557B (en) 2016-04-07 2016-04-07 Exchange chip or NP cooperate with the method and system for completing message IPSEC encryption with CPU

Publications (1)

Publication Number Publication Date
WO2017173806A1 true WO2017173806A1 (en) 2017-10-12

Family

ID=56334401

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/102806 WO2017173806A1 (en) 2016-04-07 2016-10-21 Method and system using cooperation of switch chip or np and cpu to perform ipsec encryption on packet

Country Status (2)

Country Link
CN (1) CN105763557B (en)
WO (1) WO2017173806A1 (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109542633A (en) * 2018-09-29 2019-03-29 江苏新质信息科技有限公司 A method of improving network packet enciphering rate
CN111431921A (en) * 2020-03-31 2020-07-17 杭州迪普科技股份有限公司 Configuration synchronization method
CN111800436A (en) * 2020-07-29 2020-10-20 郑州信大捷安信息技术股份有限公司 IPSec isolation network card equipment and secure communication method
CN112332982A (en) * 2020-11-25 2021-02-05 盛科网络(苏州)有限公司 Macsec decryption method and device
CN113872956A (en) * 2021-09-24 2021-12-31 深圳供电局有限公司 Method and system for inspecting IPSEC VPN transmission content
CN114095383A (en) * 2022-01-20 2022-02-25 紫光恒越技术有限公司 Network flow sampling method and system and electronic equipment
CN114189484A (en) * 2021-12-28 2022-03-15 杭州迪普科技股份有限公司 Method and device for forwarding message internally
CN114697408A (en) * 2020-12-28 2022-07-01 国家计算机网络与信息安全管理中心 Tunnel message processing method and device

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105763557B (en) * 2016-04-07 2019-01-22 烽火通信科技股份有限公司 Exchange chip or NP cooperate with the method and system for completing message IPSEC encryption with CPU
CN106603523A (en) * 2016-12-09 2017-04-26 北京东土军悦科技有限公司 Message forwarding method and network switching device
CN109302354A (en) * 2018-10-26 2019-02-01 盛科网络(苏州)有限公司 A kind of chip implementing method and device of UDP encapsulation GRE message
CN110636078B (en) * 2019-10-12 2022-02-11 苏州盛科通信股份有限公司 Method and device for realizing Cloudsec
CN111371549B (en) * 2020-03-05 2023-03-24 浙江双成电气有限公司 Message data transmission method, device and system
CN113347230B (en) * 2021-05-13 2022-09-06 长沙星融元数据技术有限公司 Load balancing method, device, equipment and medium based on programmable switch
CN114301735B (en) * 2021-12-10 2023-05-02 北京天融信网络安全技术有限公司 Method, system, terminal and storage medium for managing and controlling on-demand distribution of IPSEC tunnel data
CN114915451B (en) * 2022-04-07 2023-07-21 南京邮电大学 Fusion tunnel encryption transmission method based on enterprise-level router
CN115941290A (en) * 2022-11-15 2023-04-07 迈普通信技术股份有限公司 Data packet processing method, device, central node and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070165638A1 (en) * 2006-01-13 2007-07-19 Cisco Technology, Inc. System and method for routing data over an internet protocol security network
CN101106450A (en) * 2007-08-16 2008-01-16 杭州华三通信技术有限公司 Secure protection device and method for distributed packet transfer
CN101442470A (en) * 2008-12-18 2009-05-27 成都市华为赛门铁克科技有限公司 Method, system and equipment for establishing tunnel
CN101616084A (en) * 2009-07-29 2009-12-30 中兴通讯股份有限公司 A kind of distributed IPSec load sharing device and method
CN105763557A (en) * 2016-04-07 2016-07-13 烽火通信科技股份有限公司 Method and system for message IPSEC (Internet Protocol Security) encryption by switching chip or NP collaborated with CPU

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101267399B (en) * 2008-04-24 2010-10-27 杭州华三通信技术有限公司 Packet forward method, device and its uplink interface board
CN103973687B (en) * 2014-05-08 2017-07-14 新华三技术有限公司 IP Security Associations maintaining method and device

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109542633A (en) * 2018-09-29 2019-03-29 江苏新质信息科技有限公司 A method of improving network packet enciphering rate
CN111431921A (en) * 2020-03-31 2020-07-17 杭州迪普科技股份有限公司 Configuration synchronization method
CN111431921B (en) * 2020-03-31 2022-08-26 杭州迪普科技股份有限公司 Configuration synchronization method
CN111800436B (en) * 2020-07-29 2022-04-08 郑州信大捷安信息技术股份有限公司 IPSec isolation network card equipment and secure communication method
CN111800436A (en) * 2020-07-29 2020-10-20 郑州信大捷安信息技术股份有限公司 IPSec isolation network card equipment and secure communication method
CN112332982A (en) * 2020-11-25 2021-02-05 盛科网络(苏州)有限公司 Macsec decryption method and device
CN112332982B (en) * 2020-11-25 2022-08-26 苏州盛科通信股份有限公司 Macsec decryption method and device
CN114697408A (en) * 2020-12-28 2022-07-01 国家计算机网络与信息安全管理中心 Tunnel message processing method and device
CN114697408B (en) * 2020-12-28 2023-09-26 国家计算机网络与信息安全管理中心 Tunnel message processing method and device
CN113872956A (en) * 2021-09-24 2021-12-31 深圳供电局有限公司 Method and system for inspecting IPSEC VPN transmission content
CN114189484A (en) * 2021-12-28 2022-03-15 杭州迪普科技股份有限公司 Method and device for forwarding message internally
CN114189484B (en) * 2021-12-28 2023-10-27 杭州迪普科技股份有限公司 Method and device for forwarding message internally
CN114095383B (en) * 2022-01-20 2022-04-12 紫光恒越技术有限公司 Network flow sampling method and system and electronic equipment
CN114095383A (en) * 2022-01-20 2022-02-25 紫光恒越技术有限公司 Network flow sampling method and system and electronic equipment

Also Published As

Publication number Publication date
CN105763557A (en) 2016-07-13
CN105763557B (en) 2019-01-22

Legal Events

Date Code Title Description
NENP Non-entry into the national phase (Ref country code: DE)
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 16897738; Country of ref document: EP; Kind code of ref document: A1)
122 Ep: pct application non-entry in european phase (Ref document number: 16897738; Country of ref document: EP; Kind code of ref document: A1)