CN101309273B - Method and device for generating safety alliance - Google Patents

Method and device for generating safety alliance

Info

Publication number
CN101309273B
Authority
CN
China
Prior art keywords
message
security strategy
module
heading
node
Prior art date
Legal status
Active
Application number
CN2008101167425A
Other languages
Chinese (zh)
Other versions
CN101309273A (en)
Inventor
王守唐
王君菠
任俊峰
Current Assignee
New H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd

Abstract

The invention discloses a method and a device for generating a security association (SA). The method comprises: step 1, the current security policy node of the security policy configured for IPsec is matched against the encapsulated packet, where at least one security policy node of the policy carries a specific marker; step 2, it is determined whether the specific marker is present on the current security policy node; if not, the source and destination addresses in the header of the encapsulated packet are matched against the policy rule defined by the security policy node; if so, the header of the original packet carried inside the encapsulated packet is located, and the source and destination addresses in the header of the original packet are matched against the policy rule; step 3, the corresponding SA is generated according to the successful match. With this method and device, different SAs can be generated for different services, so that different encryption protocols and encryption algorithms can be used when transmitting the data flows.

Description

Method and apparatus for generating a security association
Technical field
The present invention relates to the field of communication technology, and in particular to a method and apparatus for generating a security association (SA) under the GRE over IPsec networking model.
Background technology
Today an enterprise branch and the enterprise center are interconnected across a carrier network, and the GRE over IPsec networking model is commonly adopted, which combines an IPsec tunnel (IP Security, an encryption protocol that protects IP traffic) with a GRE tunnel (Generic Routing Encapsulation). This overcomes the drawbacks of using GRE and IPsec separately: GRE provides no encryption and requires the encapsulating public-network addresses to be fixed, while IPsec routing is inflexible and requires static routes to be configured.
In the GRE over IPsec model, IPsec divides SAs (Security Associations) according to access-list (ACL) rules, and the ACL is matched against the packet after GRE encapsulation; every ACL rule can generate one SA. The ACL rule is matched against the new IP header of the GRE-encapsulated packet, whose source address is the loopback address of the local end, whose destination address is the loopback address of the remote end, and whose protocol number is 47. When IPsec creates an SA it usually distinguishes the interesting traffic by five elements: source address, destination address, protocol number, source port and destination port. For communication between the enterprise headquarters and a particular enterprise branch, the source address, destination address and protocol number are all fixed, so only one SA can be generated.
However, in special cases multiple services communicate between the private networks of the enterprise center and the enterprise branch, the required degree of confidentiality may differ from service to service, and different services need different encryption protocols and encryption algorithms. In this situation, different SAs need to be formed for different services.
Summary of the invention
The technical solution of the present invention aims to provide a method and apparatus for generating a security association under the GRE over IPsec networking model. With this method and apparatus, different services can generate different SAs under GRE over IPsec, so that different encryption protocols and encryption algorithms can be used to transmit the data flows.
To achieve the above object, according to one aspect of the specific embodiments of the invention, a method for generating a security association (SA) is provided, comprising: step 1, the current security policy node of the security policy configured for the IP security protocol IPsec enters matching with the encapsulated packet, where a specific marker is configured on at least one security policy node of the security policy; step 2, determining whether the specific marker is present on the current security policy node; if the result is no, matching the source and destination addresses in the header of the encapsulated packet against the policy rule defined by the security policy node; if the result is yes, locating the header of the original packet (the packet before encapsulation) inside the encapsulated packet, and matching the source and destination addresses in the header of the original packet against the policy rule; step 3, generating the corresponding SA according to the successful match result.
Preferably, the above method further comprises, before step 3: determining whether the match is successful; if the result is yes, performing step 3; if the result is no, taking the next security policy node of the security policy as the current security policy node and returning to step 1.
Preferably, in step 2 of the above method, if the result is yes, the method further comprises, before the step of locating the header of the original packet: determining whether the current packet is an encapsulated packet; if the result is no, taking the next security policy node of the security policy as the current security policy node and returning to step 1; if the result is yes, proceeding to the step of locating the header of the original packet.
Preferably, in the above method, the encapsulated packet is the packet after Generic Routing Encapsulation (GRE) tunnel encapsulation, and the original packet is the packet before GRE tunnel encapsulation.
Preferably, in the above method, the security policy node used to match the original packet is defined in the security policy before the security policy node used to match the encapsulated packet.
Preferably, in the above method, the encapsulated packet consists of a new header, a GRE header, the header of the original packet and the payload of the original packet.
Preferably, in the above method, the position of the header of the original packet is located according to the header length of the encapsulated packet, the total length field of the encapsulated packet and the attribute field of the GRE header.
Preferably, in the above method, the format of the header of the encapsulated packet and of the GRE header is fixed, and the position of the header of the original packet is located by offsetting a fixed number of bytes.
Preferably, in the above method, the policy rule is an access control list (ACL) rule.
According to another aspect of the specific embodiments of the invention, a device for generating a security association (SA) is also provided, comprising: a storage module for storing the security policy configured for IPsec; a setting module, connected to the storage module, for configuring a specific marker on at least one security policy node of the IPsec security policy stored in the storage module; a first judging module, connected to the storage module, for determining whether the specific marker is present on the security policy node being matched against an encapsulated packet; a locating module, connected to the first judging module, for determining the position of the header of the original packet in the encapsulated packet when the first judging module determines that the specific marker is present on the security policy node; a matching module, connected to the storage module, the first judging module and the locating module, for matching the policy rule defined by the security policy node against the source and destination addresses in the header of the encapsulated packet, or against the source and destination addresses in the header of the original packet; and an encryption module, connected to the matching module, for generating the security association SA according to the matching result of the matching module and encrypting the encapsulated packet.
Preferably, the above device further comprises a second judging module, connected to the first judging module and to the locating module respectively; when the first judging module determines that the specific marker is present on the security policy node, the second judging module determines whether the current packet is an encapsulated packet and passes the result to the locating module.
Preferably, the above device further comprises a third judging module, connected to the matching module and to the encryption module respectively, for determining whether the matching result of the matching module is successful and, when it is, passing the result to the encryption module for encryption.
At least one of the specific embodiments of the invention has the following beneficial effect: under the GRE over IPsec networking model, the method and apparatus for generating an SA match the policy rule defined by a security policy node of the IPsec security policy against the header of the original packet inside the encapsulated packet. Because the source address, destination address and protocol number in the original headers of different packets differ, matching the original header against the policy rule of the security policy node allows different services to be generated into different SAs, so that different encryption algorithms and encryption protocols can be used to transmit the data flows. In addition, when used together with QoS (quality of service), the method and apparatus also avoid IPsec anti-replay packet loss.
Description of drawings
Fig. 1 is a schematic diagram of the connection structure of the GRE over IPsec networking model;
Fig. 2 is a schematic diagram of the IP packet format before and after GRE encapsulation;
Fig. 3 is a schematic diagram of the principle of the method for generating an SA described in an embodiment of the invention;
Fig. 4 is a flow chart of generating an SA under the GRE over IPsec networking model using the method of one embodiment of the invention;
Fig. 5 is a schematic diagram of the structure of the device for generating an SA described in an embodiment of the invention.
Embodiment
To make the purpose, technical solution and advantages of the present invention clearer, the invention is described below with reference to the accompanying drawings and specific embodiments.
The method and apparatus for generating an SA described in the specific embodiments of the invention use the GRE over IPsec networking model, which combines IPsec tunnelling with GRE tunnelling; the networking structure is shown in Fig. 1. In Fig. 1, router 11 is deployed on enterprise center gateway 1 and router 21 on enterprise branch gateway 2. A loopback interface is configured on each of router 21 of enterprise branch gateway 2 and router 11 of enterprise center gateway 1, namely loopback interface 12 on enterprise center gateway 1 and loopback interface 22 on enterprise branch gateway 2 in Fig. 1, and each is given its own IP address.
In addition, GRE tunnel 13 is configured on router 11 of the enterprise center gateway and assigned an enterprise private-network address; the source address of GRE tunnel 13 is the address of local loopback interface 12 and its destination address is the address of remote loopback interface 22. Likewise, GRE tunnel 23 is configured on router 21 of enterprise branch gateway 2; the source address of GRE tunnel 23 is the address of local loopback interface 22 and its destination address is the address of remote loopback interface 12.
On router 21 of enterprise branch gateway 2, an IPsec tunnel to router 11 of enterprise center gateway 1 is configured, and the IPsec security policy is applied on public-network interface 24 of router 21. The IPsec interesting traffic is expressed with IP addresses: the source network segment is the address of local loopback interface 22 and the destination network segment is the address of remote loopback interface 12. Equally, on router 11 of enterprise center gateway 1 an IPsec tunnel to router 21 of enterprise branch gateway 2 is configured, the IPsec security policy is applied on public-network interface 14 of router 11, and the IPsec interesting traffic is: source network segment the address of local loopback interface 12, destination network segment the address of remote loopback interface 22.
In the GRE over IPsec networking model, GRE tunnelling is combined with IPsec encryption so that the packets encapsulated by the GRE tunnel can be encrypted by IPsec. Fig. 2 shows the structure of an IP packet undergoing GRE encapsulation: packet format 100 before encapsulation and packet format 200 after encapsulation. The IPsec security policy matches the interesting data flow using an access control list (ACL); in the GRE over IPsec model the packet being matched is the encapsulated packet after GRE encapsulation. When the source and destination addresses of the packet header match the defined ACL, a security association (SA) is established, which sets up a secure transmission channel for the communicating parties and fixes in advance the security policy to be used, including the encryption algorithm, the keys and the key lifetime, thereby establishing the IPsec encryption tunnel.
In the specific embodiments of the invention, besides matching the ACL rule against the new IP header added by GRE tunnel encapsulation, the method for generating a security association (SA) can also match the ACL rule against the original IP header inside the GRE-encapsulated packet, as shown in Fig. 2. When the ACL rule is matched against the new IP header after GRE encapsulation, the source IP address, destination IP address and protocol number of the new IP header are all fixed for communication between the enterprise headquarters and a particular enterprise branch, so only one SA can be formed. When the ACL rule is matched against the original IP header inside the GRE-encapsulated packet, the source IP address, destination IP address and protocol number in the IP headers of different original packets differ, so matching the original IP header inside the GRE encapsulation against the ACL lets different services be generated into different SAs.
Thus, for ordinary IP packets after GRE encapsulation, the ACL rule can be matched against the new IP header of the GRE-encapsulated packet to form a unified SA, while for specific service traffic that needs special handling, the ACL rule can be matched against the original IP header inside the GRE-encapsulated packet to form a separate, specific SA.
The working principle of the method of one embodiment of the invention, by which GRE-encapsulated IP packets can generate different SAs, is shown in Fig. 3. When configuring the IPsec security policy, a specific marker is configured on at least one security policy node, for example a Generic Routing Encapsulation (GRE) marker: when the IPsec security policy node is configured, an instruction to check for the GRE marker is added. When this security policy node and an IP packet enter matching, the instruction checks whether the IP packet is an encapsulated IP packet after GRE encapsulation; if the check result is yes, the original IP header inside the GRE tunnel encapsulation is matched against the ACL rule.
As shown in Fig. 3, at step S301 the IP packet is encapsulated by the GRE tunnel. At step S302, a security policy node of the IPsec security policy, as the current security policy node, enters matching with this encapsulated IP packet.
At step S303, it is determined whether the GRE marker is present on the current security policy node.
When step S303 determines that the GRE marker is present on the current security policy node, the flow proceeds to step S305; when it determines that the GRE marker is not present on the current security policy node, the flow proceeds to step S304.
At step S304, the new IP header of the encapsulated IP packet is matched against the ACL of the security policy node.
At step S305, the IP header of the original packet inside the encapsulated IP packet is located, and the original IP header is matched against the ACL rule of the current security policy node.
After step S304 or step S305 completes, the flow proceeds to step S306.
At step S306, the matching result of step S305 or step S304 is judged.
If step S306 judges the matching result of step S305 or step S304 to be unsuccessful, the flow returns to step S302, and the next security policy node of the IPsec security policy, as the current security policy node, enters matching with the encapsulated IP packet; if step S306 judges the matching result of step S305 or step S304 to be successful, the flow proceeds to step S307.
At step S307, the corresponding security association SA is generated according to the matching result of step S304 or step S305.
As Fig. 2 shows, according to the format of packet 200 after GRE tunnel encapsulation, the GRE-encapsulated packet consists, in order, of the new IP header, the GRE header, the original IP header and the payload. The position of the original IP header can therefore be calculated from the header length field and total length field of the new IP header together with the attribute field of the GRE header. Alternatively, in a specific implementation the new IP header and the GRE header can be set to fixed-format fields, in which case the position of the original IP header can be determined directly by offsetting a fixed number of bytes.
When the method for generating SAs according to the invention is applied under the GRE over IPsec networking model, the specific flow by which an IP packet in the transmitted data stream is matched against the IPsec security policy to generate an SA is shown in Fig. 4. In the specific embodiments of the invention, so that the packet is analysed first and the traffic requiring special handling is guaranteed to generate a specific SA, the security policy node used to match the original IP header of the original packet is defined in the IPsec security policy before the security policy node used to match the new IP header of the encapsulated IP packet.
Referring to Fig. 4, with a specific marker configured on at least one security policy node of the IPsec security policy, at step S401 an IP packet in the transmitted data stream first enters the first security policy node.
At step S402, it is determined whether the predefined specific marker is present on this first (current) security policy node.
If the result of step S402 is no, the flow proceeds to step S404; if the result of step S402 is yes, the flow proceeds to step S403.
At step S403, it is determined whether the IP packet is a GRE packet.
If the result of step S403 is no, the flow proceeds to step S406; if the result of step S403 is yes, the flow proceeds to step S405.
At step S404, the ACL rule of this first security policy node is matched against the new IP header of the IP packet.
If the match in step S404 succeeds, the flow proceeds to step S407; if the match in step S404 fails, the flow proceeds to step S406.
At step S405, the ACL rule of this first security policy node is matched against the IP header of the original packet inside this GRE-encapsulated IP packet.
If the match in step S405 succeeds, the flow proceeds to step S407; if the match in step S405 fails, the flow proceeds to step S406.
At step S406, the IP packet continues to be matched against the next security policy node.
At step S407, the corresponding SA is generated according to the successful match result.
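The header-location rule (new IP header length plus the GRE attribute field) and the S401-S407 policy walk, as an added example that is not part of the patent or of any H3C code. It assumes IPv4 inside GRE with the standard C/K/S flag bits, constructs its own sample packets and an ACL-style policy list, and shows that a policy with the inner-header nodes listed first yields per-service SAs while the reverse order collapses everything onto the outer-header SA.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

GRE_PROTO = 47                  # outer IP protocol number of a GRE packet
ETHERTYPE_IPV4 = 0x0800         # GRE protocol-type field for an inner IPv4 packet
GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000   # checksum / key / sequence present bits

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed test data: minimal IPv4 header (IHL=5, checksum left 0) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def build_gre(inner: bytes, flags: int = 0, key: int = 0, seq: int = 0) -> bytes:
    """GRE header (RFC 2784/2890); its length depends on the C/K/S flag bits."""
    hdr = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    if flags & GRE_C:
        hdr += struct.pack("!HH", 0, 0)      # checksum + reserved1
    if flags & GRE_K:
        hdr += struct.pack("!I", key)
    if flags & GRE_S:
        hdr += struct.pack("!I", seq)
    return hdr + inner

@dataclass
class IPHeader:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int
    ihl: int          # header length in bytes
    total_len: int

def parse_ipv4(buf: bytes, off: int = 0) -> IPHeader:
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack_from("!BBHHHBBH4s4s", buf, off)
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    return IPHeader(ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst),
                    proto, (ver_ihl & 0x0F) * 4, total_len)

def inner_header_offset(buf: bytes) -> int:
    """Locating module (S405): outer IHL plus the GRE header length derived from the GRE flag bits."""
    outer = parse_ipv4(buf)
    if outer.proto != GRE_PROTO:
        raise ValueError("not a GRE packet")
    flags, ptype = struct.unpack_from("!HH", buf, outer.ihl)
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("inner packet is not IPv4")
    gre_len = 4 + 4 * bool(flags & GRE_C) + 4 * bool(flags & GRE_K) + 4 * bool(flags & GRE_S)
    off = outer.ihl + gre_len
    if outer.total_len < off + 20:               # total-length check: an inner IP header must fit
        raise ValueError("truncated packet: no room for an inner IP header")
    return off

@dataclass
class PolicyNode:
    """One IPsec security policy node: an ACL rule plus the patent's GRE marker (hypothetical layout)."""
    sa_name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int] = None    # None means any protocol
    gre_mark: bool = False         # True: match the inner (original) header instead of the outer one

    def matches(self, h: IPHeader) -> bool:
        return h.src in self.src and h.dst in self.dst and (self.proto is None or h.proto == self.proto)

def select_sa(policy: list, pkt: bytes) -> Optional[str]:
    """Walk the ordered policy as in steps S401-S407; return the SA name, or None if nothing matches."""
    for node in policy:                               # S401, then S406 for each further node
        if node.gre_mark:                             # S402: marker present on this node?
            if parse_ipv4(pkt).proto != GRE_PROTO:    # S403: only a GRE packet has an inner header
                continue
            hdr = parse_ipv4(pkt, inner_header_offset(pkt))   # S405: original IP header
        else:
            hdr = parse_ipv4(pkt)                     # S404: new (outer) IP header
        if node.matches(hdr):                         # S407: a successful match selects the SA
            return node.sa_name
    return None

def demo_policy() -> list:
    """Inner-header nodes are defined before the outer-header node, as the patent requires."""
    net = ipaddress.IPv4Network
    return [
        PolicyNode("SA-voice", net("10.1.0.0/16"), net("10.2.0.0/16"), proto=17, gre_mark=True),
        PolicyNode("SA-data", net("10.1.0.0/16"), net("10.2.0.0/16"), proto=6, gre_mark=True),
        PolicyNode("SA-default", net("1.1.1.1/32"), net("2.2.2.2/32"), proto=GRE_PROTO),
    ]

def sample_packet(inner_proto: int, flags: int = GRE_K | GRE_S) -> bytes:
    """Constructed: private 10.1.1.5 -> 10.2.2.7 inside GRE between loopbacks 1.1.1.1 -> 2.2.2.2."""
    inner = build_ipv4("10.1.1.5", "10.2.2.7", inner_proto, b"payload")
    return build_ipv4("1.1.1.1", "2.2.2.2", GRE_PROTO, build_gre(inner, flags, key=7, seq=1))

if __name__ == "__main__":
    for proto in (17, 6, 1):
        print("inner protocol", proto, "->", select_sa(demo_policy(), sample_packet(proto)))
```

A packet whose inner protocol matches no marked node falls through to the outer-header node, and a plain (non-GRE) packet skips every marked node at S403.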
In summary, the method for generating SAs described in the specific embodiments of the invention can encrypt packets with multi-layer encapsulation headers: when matching IPsec interesting traffic, it is not necessary to match using the outermost header; an inner header can also be used for matching.
In addition, under GRE over IPsec networking, if the different IP packets representing different services generate the same SA, then when used together with QoS (quality of service), the reordering of packets by QoS after IPsec encryption easily causes IPsec anti-replay packet loss. The method for generating SAs described in the specific embodiments of the invention generates different SAs for different services before IPsec encapsulation, so that, provided the service classification rules of the SAs are consistent with the service classification rules of QoS, it also solves the IPsec anti-replay packet loss problem under GRE over IPsec networking.
In addition, the specific embodiments of the invention also provide a device for generating a security association, as shown in Fig. 5, comprising: a storage module for storing the security policy configured for the IP security protocol IPsec; a setting module, connected to the storage module, for configuring a specific marker on at least one security policy node of the IPsec security policy stored in the storage module; a first judging module, connected to the storage module, for determining whether the specific marker is present on the security policy node being matched against an encapsulated packet; a locating module, connected to the first judging module, for determining the position of the header of the original packet in the encapsulated packet when the first judging module determines that the specific marker is present on the security policy node; a matching module, connected to the storage module, the first judging module and the locating module, for matching, according to the result of the first judging module, the policy rule defined by the security policy node held in the storage module against the source and destination addresses in the header of the encapsulated packet, or against the source and destination addresses in the header of the original packet; and an encryption module, connected to the matching module, for generating the security association SA according to the matching result of the matching module and encrypting the encapsulated packet.
The device for generating a security association described in the specific embodiments of the invention further comprises a second judging module, whose input is connected to the first judging module and whose output is connected to the locating module; when the first judging module determines that the specific marker is present on the security policy node, the second judging module determines whether the current packet is an encapsulated packet and passes the result to the locating module, and when the result is yes the locating module determines the position of the header of the original packet in the encapsulated packet. It further comprises a third judging module, whose input is connected to the matching module and whose output is connected to the encryption module, for determining whether the matching result of the matching module is successful and, when it is, passing the result to the encryption module for encryption.
Therefore, with the method and apparatus for generating a security association described in the specific embodiments of the invention, the headers of multi-layer packets can be encrypted. Under GRE over IPsec networking, for communication between the enterprise center private network and the enterprise branch private network, different services can form multiple different SAs, which guarantees that different services can have different encryption protocols and encryption algorithms. In addition, the method and apparatus avoid IPsec anti-replay packet loss when used together with QoS.
The above is only a preferred embodiment of the present invention. It should be pointed out that those skilled in the art can make further improvements and modifications without departing from the principle of the invention, and these improvements and modifications should also be regarded as falling within the protection scope of the invention.

Claims (12)

1. A method for generating a security association (SA), characterized in that it comprises:
Step 1: the current security policy node of the security policy configured for the IP security protocol IPsec enters matching with the encapsulated packet, where a specific marker is configured on at least one security policy node of the security policy;
Step 2: determining whether the specific marker is present on the current security policy node;
if the result is no, matching the source and destination addresses in the header of the encapsulated packet against the policy rule defined by the security policy node;
if the result is yes, locating the header of the original packet (the packet before encapsulation) inside the encapsulated packet, and matching the source and destination addresses in the header of the original packet against the policy rule;
Step 3: generating the corresponding SA according to the successful match result.
2. The method of claim 1, characterized in that, before step 3, it further comprises the steps of:
determining whether the match is successful;
if the result is yes, performing step 3;
if the result is no, taking the next security policy node of the security policy as the current security policy node and returning to step 1.
3. The method of claim 1, characterized in that, in step 2, if the result is yes, before the step of locating the header of the original packet it further comprises the steps of:
determining whether the current packet is an encapsulated packet;
if the result is no, taking the next security policy node of the security policy as the current security policy node and returning to step 1;
if the result is yes, proceeding to the step of locating the header of the original packet.
4. The method of claim 1 or 3, characterized in that the encapsulated packet is the packet after Generic Routing Encapsulation (GRE) tunnel encapsulation, and the original packet is the packet before GRE tunnel encapsulation.
5. The method of claim 1, characterized in that, in the security policy, the security policy node used to match the original packet is defined before the security policy node used to match the encapsulated packet.
6. The method of claim 4, characterized in that the encapsulated packet consists of a header, a GRE header, the header of the original packet and the payload of the original packet.
7. The method of claim 6, characterized in that the position of the header of the original packet is located according to the header length of the encapsulated packet, the total length field of the encapsulated packet and the attribute field of the GRE header.
8. The method of claim 6, characterized in that the format of the header of the encapsulated packet and of the GRE header is fixed, and the position of the header of the original packet is located by offsetting a fixed number of bytes.
9. The method of claim 1, characterized in that the policy rule is an access control list (ACL) rule.
10. A device for generating a security association (SA), characterized in that it comprises:
a storage module for storing the security policy configured for IPsec;
a setting module, connected to the storage module, for configuring a specific marker on at least one security policy node of the IPsec security policy stored in the storage module;
a first judging module, connected to the storage module, for determining whether the specific marker is present on the security policy node being matched against an encapsulated packet;
a locating module, connected to the first judging module, for determining the position of the header of the original packet in the encapsulated packet when the first judging module determines that the specific marker is present on the security policy node;
a matching module, connected to the storage module, the first judging module and the locating module, for: when the result of the first judging module is no, matching the policy rule defined by the security policy node against the source and destination addresses in the header of the encapsulated packet; and when the result of the first judging module is yes, matching the policy rule defined by the security policy node against the source and destination addresses in the header of the original packet;
an encryption module, connected to the matching module, for generating the security association SA according to the matching result of the matching module and encrypting the encapsulated packet.
11. The device of claim 10, characterized in that it further comprises a second judging module, connected respectively to the first judging module and the locating module; when the first judging module judges that the specific marker is present on the security policy node, the second judging module is used to judge whether the current message is the encapsulated message and to pass the judgement result to the locating module.
12. The device of claim 10, characterized in that it further comprises a third judging module, connected respectively to the matching module and the encrypting module, for judging whether the matching result of the matching module is successful, and, when the matching result is judged to be successful, passing the judgement result to the encrypting module for encryption.
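The following is an added worked example of the policy lookup described in claims 1 to 9; it is not code from the patent or from H3C. It assumes IPv4 carried over GRE in IPv4, represents each ACL rule as a source/destination prefix pair, models the patent's "specific marker" as a boolean on the policy node, and uses its own names (`PolicyNode`, `locate_inner_header`, `select_policy_node`) and constructed sample packets. It locates the inner header both the way claim 7 describes (outer header length plus GRE flag bits) and the way claim 8 describes (fixed offset), and shows why the marker lets different inner flows through one tunnel select different policy nodes, and hence different SAs.

```python
"""Added example (not the patent's code): IPsec policy lookup that matches a
GRE-encapsulated packet on its inner IPv4 header when the policy node is
marked, and on the outer header otherwise. Names and sample data are constructed."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

IPPROTO_GRE = 47
ETHERTYPE_IPV4 = 0x0800


@dataclass
class AclRule:
    """Policy rule as a source/destination prefix pair (claim 9: an ACL rule)."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
        return src in self.src and dst in self.dst


@dataclass
class PolicyNode:
    name: str                  # stands in for the SA this node would select
    rule: AclRule
    match_inner: bool = False  # the patent's "specific marker" on a policy node


def parse_ipv4(buf: bytes, off: int):
    """Return (src, dst, protocol, header_len, total_len) of the IPv4 header at off."""
    if off + 20 > len(buf):
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack_from(
        "!BBHHHBBH4s4s", buf, off)
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    return ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), proto, ihl, total_len


def gre_header_len(buf: bytes, off: int) -> int:
    """GRE header length from its flag byte (RFC 2784/2890): 4 base bytes plus 4
    each for the optional Checksum (C), Key (K) and Sequence (S) fields."""
    flags = buf[off]
    return 4 + 4 * bool(flags & 0x80) + 4 * bool(flags & 0x20) + 4 * bool(flags & 0x10)


def locate_inner_header(buf: bytes) -> Optional[int]:
    """Claim 7 style: offset of the original IPv4 header, from the outer header
    length, the total length field and the GRE flags. None if not GRE carrying IPv4."""
    _src, _dst, proto, ihl, total_len = parse_ipv4(buf, 0)
    if proto != IPPROTO_GRE:
        return None
    if total_len > len(buf) or ihl + 4 > total_len:
        raise ValueError("truncated GRE packet")
    if struct.unpack_from("!H", buf, ihl + 2)[0] != ETHERTYPE_IPV4:
        return None
    inner = ihl + gre_header_len(buf, ihl)
    if inner + 20 > total_len:
        raise ValueError("GRE payload too short for an IPv4 header")
    return inner


def locate_inner_header_fixed(buf: bytes) -> int:
    """Claim 8 style: assumes a 20-byte outer header and a 4-byte GRE header.
    Only correct when no optional GRE fields are present."""
    return 24


def select_policy_node(policy: List[PolicyNode], buf: bytes) -> Optional[str]:
    """Walk the policy in order (claims 1-3, 5): unmarked nodes match the outer
    header; marked nodes match the inner header and are skipped for packets
    that are not encapsulated (claim 3)."""
    osrc, odst, _proto, _ihl, _tl = parse_ipv4(buf, 0)
    inner = locate_inner_header(buf)
    for node in policy:
        if node.match_inner:
            if inner is None:
                continue
            isrc, idst, *_ = parse_ipv4(buf, inner)
            if node.rule.matches(isrc, idst):
                return node.name
        elif node.rule.matches(osrc, odst):
            return node.name
    return None


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed IPv4 packet (checksum left zero; this example does not verify it)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_gre_packet(outer: tuple, inner: tuple, key: Optional[int] = None) -> bytes:
    """Constructed GRE-over-IPv4 packet carrying IPv4; key adds the 4-byte K field."""
    inner_pkt = build_ipv4(inner[0], inner[1], 17, b"\x00" * 8)  # stub UDP payload
    gre = struct.pack("!BBH", 0x20 if key is not None else 0, 0, ETHERTYPE_IPV4)
    if key is not None:
        gre += struct.pack("!I", key)
    return build_ipv4(outer[0], outer[1], IPPROTO_GRE, gre + inner_pkt)


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(s)


# Per claim 5, the inner-matching nodes are listed before the outer-matching one.
POLICY = [
    PolicyNode("sa-finance", AclRule(net("10.1.0.0/16"), net("10.2.0.0/16")), match_inner=True),
    PolicyNode("sa-hr", AclRule(net("10.3.0.0/16"), net("10.4.0.0/16")), match_inner=True),
    PolicyNode("sa-tunnel", AclRule(net("192.0.2.0/24"), net("198.51.100.0/24"))),
]
TUNNEL = ("192.0.2.1", "198.51.100.1")  # constructed tunnel endpoints


def demo() -> dict:
    """Selected node per constructed packet; without the marker every GRE packet
    would land on sa-tunnel and the inner flows could not get distinct SAs."""
    return {
        "finance": select_policy_node(POLICY, build_gre_packet(TUNNEL, ("10.1.5.5", "10.2.7.7"))),
        "hr_keyed": select_policy_node(POLICY, build_gre_packet(TUNNEL, ("10.3.1.1", "10.4.2.2"), key=42)),
        "other": select_policy_node(POLICY, build_gre_packet(TUNNEL, ("10.9.0.1", "10.2.0.1"))),
        "plain": select_policy_node(POLICY, build_ipv4(TUNNEL[0], TUNNEL[1], 17, b"\x00" * 8)),
    }


if __name__ == "__main__":
    print(demo())
```

The keyed packet is the case that separates claim 7 from claim 8: with the GRE Key field present the inner header starts at byte 28, so a fixed offset of 24 would read the key and part of the inner version/IHL field as an IP header and match the wrong policy node. A device that uses the fixed-offset form must therefore guarantee that the tunnel never emits optional GRE fields, or validate the version and IHL of the header found at that offset before trusting it.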
CN2008101167425A 2008-07-16 2008-07-16 Method and device for generating safety alliance Active CN101309273B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008101167425A CN101309273B (en) 2008-07-16 2008-07-16 Method and device for generating safety alliance

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2008101167425A CN101309273B (en) 2008-07-16 2008-07-16 Method and device for generating safety alliance

Publications (2)

Publication Number Publication Date
CN101309273A CN101309273A (en) 2008-11-19
CN101309273B true CN101309273B (en) 2011-06-01

Family

ID=40125491

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008101167425A Active CN101309273B (en) 2008-07-16 2008-07-16 Method and device for generating safety alliance

Country Status (1)

Country Link
CN (1) CN101309273B (en)

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101499972B (en) * 2009-03-16 2012-01-11 杭州华三通信技术有限公司 IP security packet forwarding method and apparatus
CN101640614B (en) * 2009-09-03 2012-01-04 成都市华为赛门铁克科技有限公司 Method and device for configuring IPSEC security strategy
CN103546497B (en) * 2012-07-09 2016-12-21 杭州华三通信技术有限公司 A kind of method and device of distributed fire wall IPSec sharing business load
CN102904901B (en) * 2012-10-29 2015-07-29 杭州华三通信技术有限公司 The method of synchronous IPsec SA, group membership and group key server
CN103227777B (en) * 2013-03-26 2015-11-25 汉柏科技有限公司 A kind of dpd of preventing detects the method unsuccessfully causing ipsec tunnel to shake
CN104993995A (en) * 2015-07-15 2015-10-21 上海地面通信息网络有限公司 Interurban virtual private line control device based on GRE routing encapsulation
CN106936795B (en) * 2015-12-31 2019-12-24 华为技术有限公司 Method and gateway device for establishing internet protocol security tunnel
CN107547564A (en) * 2017-09-28 2018-01-05 新华三信息安全技术有限公司 A kind of method and device of Message processing
CN108076066B (en) * 2017-12-27 2021-03-23 杭州迪普科技股份有限公司 Method and device for protecting GRE (generic routing encapsulation) message
CN109379391B (en) * 2018-12-25 2021-06-01 北京物芯科技有限责任公司 Communication method, device, equipment and storage medium based on IPSec
CN112714097A (en) * 2019-10-25 2021-04-27 华为技术有限公司 Secure communication method, device and system
CN111614691B (en) * 2020-05-28 2021-06-22 广东纬德信息科技股份有限公司 Outbound message processing method and device based on power gateway
CN114760166B (en) * 2020-12-28 2023-05-26 国家计算机网络与信息安全管理中心 Tunnel message processing method and device
CN114697160B (en) * 2020-12-28 2023-05-26 国家计算机网络与信息安全管理中心 Tunnel message processing method and device
CN114697408B (en) * 2020-12-28 2023-09-26 国家计算机网络与信息安全管理中心 Tunnel message processing method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1406005A (en) * 2001-09-17 2003-03-26 华为技术有限公司 Safety-alliance (SA) generation method for safety communication between nodes of network area
US20040029584A1 (en) * 2002-06-28 2004-02-12 Nokia Corporation Method of registering home address of a mobile node with a home agent
CN1917516A (en) * 2006-07-31 2007-02-21 杭州华为三康技术有限公司 Method for negotiating about security alliance
CN101110672A (en) * 2006-07-19 2008-01-23 华为技术有限公司 Method and system for establishing ESP security alliance in communication system
WO2008039486A2 (en) * 2006-09-26 2008-04-03 Idt Corporation Multi-mode wireless communication devices and systems for prepaid communication services

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1406005A (en) * 2001-09-17 2003-03-26 华为技术有限公司 Safety-alliance (SA) generation method for safety communication between nodes of network area
US20040029584A1 (en) * 2002-06-28 2004-02-12 Nokia Corporation Method of registering home address of a mobile node with a home agent
CN101110672A (en) * 2006-07-19 2008-01-23 华为技术有限公司 Method and system for establishing ESP security alliance in communication system
CN1917516A (en) * 2006-07-31 2007-02-21 杭州华为三康技术有限公司 Method for negotiating about security alliance
WO2008039486A2 (en) * 2006-09-26 2008-04-03 Idt Corporation Multi-mode wireless communication devices and systems for prepaid communication services

Also Published As

Publication number Publication date
CN101309273A (en) 2008-11-19

Similar Documents

Publication Publication Date Title
CN101309273B (en) Method and device for generating safety alliance
US11659385B2 (en) Method and system for peer-to-peer enforcement
CN107018134B (en) Power distribution terminal safety access platform and implementation method thereof
US8112622B2 (en) Chaining port scheme for network security
CN106878138B (en) A kind of message transmitting method and device
US20030145118A1 (en) Bridged cryptographic VLAN
US20060112426A1 (en) Method and system for including security information with a packet
CN112422389B (en) Ethernet and field bus fusion gateway based on chip-level encryption and transmission method
CN106301765B (en) Encryption and decryption chip and method for realizing encryption and decryption
CN101325557A (en) Method, system and apparatus for sharing tunnel load
US9094375B2 (en) WAN transport of frames with MAC security
CN103188351A (en) IPSec VPN communication service processing method and system under IPv6 environment
CN101572644B (en) Data encapsulation method and equipment thereof
CN110663217A (en) Configurable traffic packet engine using frame attributes
CN106790200B (en) Chip co-processing method for DTLS encryption and decryption of CAPWAP control channel
CN104184646A (en) VPN data interaction method and system and VPN data interaction device
CN106161386A (en) A kind of method and apparatus realizing that IPsec shunts
US20060143701A1 (en) Techniques for authenticating network protocol control messages while changing authentication secrets
CN100563148C (en) The MAC secure network communication method and the network equipment
CN101471839A (en) Method for asynchronously implementing IPSec vpn through multi-nuclear
CN110868362B (en) Method and device for processing MACsec uncontrolled port message
WO2020228130A1 (en) Communication method and system for network management server and network element of communication device
CN103581034B (en) Message mirroring and encrypted transmitting method
EP4181431A1 (en) Service transmission method and apparatus, network device, and storage medium
CN114338116B (en) Encryption transmission method and device and SD-WAN network system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Patentee after: Xinhua three Technology Co., Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: Huasan Communication Technology Co., Ltd.