CN101345689A - Method, apparatus and communication equipment for implementing IP safety service - Google Patents


Info

Publication number: CN101345689A
Authority: CN (China)
Prior art keywords: message, cpu, ipsec, obtains, carried out
Legal status: Granted
Application number: CNA2008102121823A
Other languages: Chinese (zh)
Other versions: CN101345689B (en)
Inventors: 张日华, 朱志强, 谢文辉
Current Assignee: Huawei Digital Technologies Chengdu Co Ltd
Original Assignee: Huawei Technologies Co Ltd

Application filed by Huawei Technologies Co Ltd
Priority to CN2008102121823A (CN101345689B)
Publication of CN101345689A
Priority to PCT/CN2009/073100 (WO2010020151A1)
Priority to US13/030,898 (US8509239B2)
Application granted
Publication of CN101345689B
Priority to US13/935,929 (US8737388B2)
Current legal status: Expired - Fee Related

Abstract

The invention discloses a method, an apparatus and a communication device for implementing an IP security (IPSec) service. It relates to virtual private network (VPN) technology and implements the IPSec service in VPN equipment that contains a plurality of CPUs. The technical solution provided by the embodiments of the invention comprises: an interface board, according to a received IP packet, obtains from at least two CPUs a first CPU that performs IP security (IPSec) service processing on the IP packet; the first CPU performs the corresponding IPSec service processing on the IP packet and sends it.

Description

Method, apparatus and communication device for implementing an IP security service
Technical field
The present invention relates to virtual private network technology, and in particular to a method, an apparatus and a communication device for implementing an IP security service.
Background
Virtual Private Network (VPN) technology refers to building a dedicated network on top of a public network by means of tunnelling, encryption and decryption, authentication and similar methods. VPN technology saves cost, is secure, scales well, is easy to manage and allows comprehensive control; it is the direction in which enterprise networks are developing now and in the foreseeable future.
The IP Security (IPSec) standard, an open Internet protocol security standard defined by the Internet Engineering Task Force (IETF), is a mature international standard for building VPNs. The IPSec protocol suite consists of the Authentication Header (AH) protocol, the Encapsulating Security Payload (ESP) protocol, the Internet Key Exchange (IKE) protocol and others. Addressing the security, validity, integrity and legitimacy of data packets that traverse a public network, it proposes a set of encryption and authentication schemes that improve the security of enterprises using public networks.
IPSec provides a layer-3 tunnelling protocol. VPN technology uses IPSec to set up IPSec tunnels and protects the data in an IPSec tunnel according to certain rules, and these rules are implemented on the basis of an Access Control List (ACL). An ACL is a list of rules made up of a series of permit and deny statements; in a VPN these rules mainly describe five kinds of data of a packet: source IP, destination IP, security protocol number, source port and destination port.
In use, the ACL matches these rules against packets and, according to the matching result, decides which packets are accepted and which are rejected, thereby implementing packet-filtering firewalls, policy routing, NAT, QoS and other functions.
For a VPN environment with a centralized or single service board, the prior art provides a processing method in which all packets, according to the ACL, have their IPSec service processed by the same CPU on the single service board.
In the course of realizing the present invention, the inventors found at least the following problem in the prior art: the prior art does not provide a processing method for implementing the IPSec service on high-end VPN equipment that has many CPUs.
Summary of the invention
In order to solve the prior-art problem that the IPSec service cannot be implemented on high-end VPN equipment having many CPUs, embodiments of the invention provide a method, an apparatus and a communication device for implementing an IP security service that can implement the IPSec service in VPN equipment comprising a plurality of CPUs.
To achieve the above object, embodiments of the invention adopt the following technical solutions:
A method for implementing an IP security service, which specifically comprises the following steps:
an interface board, according to a received IP packet, obtains from at least two CPUs a first CPU that performs IP security (IPSec) service processing on the IP packet;
the first CPU performs the corresponding IPSec service processing on the IP packet and sends it.
An apparatus for implementing an IP security service comprises a first-CPU acquiring unit and a first CPU, where the first-CPU acquiring unit is used to obtain, according to a received IP packet, a first CPU that performs IP security (IPSec) service processing on the IP packet;
the first CPU is used to perform the corresponding IPSec service processing on the IP packet and to send it.
A communication device comprises at least one interface board and at least two CPUs, where
the interface board is used to obtain, according to a received IP packet, a first CPU that performs IP security (IPSec) service processing on the IP packet;
the first CPU is used to perform the corresponding IPSec service processing on the IP packet and to send it.
In the technical solution provided by the embodiments of the invention, a first CPU that implements the IPSec service for an IP packet is obtained from the IP packet, the IP packet is mapped to the corresponding CPU, and that CPU implements the IPSec service for the packet. Different CPUs are thereby used to share the load of IP packets, which solves the prior-art problem of implementing the IPSec service on high-end VPN equipment with many CPUs, so that the IPSec service can be implemented in VPN equipment comprising a plurality of CPUs.
Description of drawings
Fig. 1 is a flow chart of the method for implementing an IP security service provided by embodiment one of the invention;
Fig. 2 is a flow chart of the method for implementing an IP security service provided by embodiment two of the invention;
Fig. 3 is a schematic diagram of the method for implementing an IP security service provided by embodiment two of the invention;
Fig. 4 is a schematic diagram of the apparatus for implementing an IP security service provided by embodiment three of the invention;
Fig. 5 is a structural diagram of the communication device provided by embodiment four of the invention;
Fig. 6 is a schematic workflow diagram of the communication device provided by embodiment four of the invention.
Embodiments
To illustrate the technical solutions of the embodiments of the invention more clearly, the embodiments are described in detail below with reference to the accompanying drawings. The following description covers only some embodiments of the invention; a person of ordinary skill in the art can derive other implementations of the invention from these embodiments without creative effort.
The embodiments of the invention provide a method, an apparatus and a communication device for implementing an IP security service that can implement the IPSec service across multiple service boards.
The method for implementing an IP security service provided by embodiment one of the invention involves at least two CPUs and, as shown in Fig. 1, specifically comprises the following steps:
Step 11: an interface board, according to a received IP packet, obtains from at least two CPUs a first CPU that performs IP security (IPSec) service processing on the IP packet;
Step 12: the first CPU performs the corresponding IPSec service processing on the IP packet and sends it.
In the technical solution provided by embodiment one, a first CPU that implements the IPSec service for an IP packet is obtained from the IP packet, the IP packet is mapped to the corresponding CPU, and that CPU implements the IPSec service for the packet. Different CPUs are thereby used to share the load of IP packets, which solves the prior-art problem of implementing the IPSec service on high-end VPN equipment with many CPUs, so that the IPSec service can be implemented in VPN equipment comprising a plurality of CPUs.
The method for implementing an IP security service provided by embodiment two of the invention is described in detail below.
The words "first" and "second" are used in the embodiments of the invention to distinguish CPUs that play different roles when one IP packet is processed; they do not limit quantity. The specific functions of the first CPU and the second CPU are introduced below.
As physical entities on the VPN equipment, the first CPU and the second CPU referred to below have no substantial difference and can be any CPU on a service board; the same applies throughout and is not repeated.
The method for implementing an IP security service provided by embodiment two involves at least two CPUs and, as shown in Fig. 2, specifically comprises the following steps:
Step S1: the interface board, according to the received IP packet, obtains from at least two CPUs a first CPU that performs IP security (IPSec) service processing on the IP packet.
For clarity, embodiment two, as shown in Fig. 3, comprises service boards one to four and interface boards one and two, but it is not limited to this: there may be a single service board carrying a plurality of CPUs, or a plurality of service boards with the CPUs distributed across them, and there may be one or more interface boards. Below, interface board one or interface board two is taken as the entry point of the IP packet by way of example, and two cases are distinguished:
First case: the IP packet is a packet that needs to be encapsulated. The step specifically comprises:
Step S11: the interface board obtains a second CPU according to the IP packet that needs to be encapsulated.
Interface board one is the entry point for the IP packet that needs to be encapsulated (IP packet 1). Interface board one receives the IP packet from the data-sending client; the packet carries the source and destination IP addresses of the data-sending client and the data-receiving client. In embodiment two, interface board one obtains the second CPU from the source and destination IP addresses carried in the packet, as follows:
Embodiment two first performs a hash (HASH) transform on the source and destination IP addresses carried in the IP packet to obtain the HASH index value of the packet. Preferably, the HASH transform adopted by embodiment two comprises the following steps:
Step S111: the sum of the source IP address (SourceIp) and the destination IP address (DestinationIp) is shifted right by 16 bits to obtain the first parameter X1, i.e. X1 = (SourceIp + DestinationIp) >> 16;
the sum of SourceIp and DestinationIp is ANDed with 0xFFFF (keeping its low 16 bits) to obtain the second parameter X2, i.e. X2 = (SourceIp + DestinationIp) & 0xFFFF;
Step S112: the first parameter X1 and the second parameter X2 are XORed to obtain the third parameter X3, i.e. X3 = X1 ^ X2;
Step S113: the third parameter X3 is shifted right by 1 bit and the low 6 bits of the shifted value are kept by ANDing with 0x3F to obtain the fourth parameter X4, i.e. X4 = (X3 >> 1) & 0x3F.
The fourth parameter X4 obtained through steps S111 to S113 serves as the HASH index value of the IP packet.
Then the HASH index value of the IP packet is mapped to the different CPUs on each service board, so that the corresponding second CPU can be obtained from the IP packet that needs to be encapsulated.
The HASH index value obtained above, i.e. the fourth parameter, generally ranges from 0 to 63. The four service boards shown in Fig. 3, each carrying two CPUs, are taken as an example to explain the correspondence between IP packets and the second CPU.
Several methods can be used to map the IP packet to the corresponding second CPU and thereby obtain the second CPU on a service board from the IP packet. Preferably, embodiment two provides the following method:
Each CPU on a service board can act as the second CPU, the IP packet is forwarded to the corresponding CPU, and the amount of IP packet data forwarded is arbitrary. To make full use of the advantage that distributed multi-service-board equipment contains a plurality of CPUs, and to improve the processing efficiency of the IPSec service, embodiment two preferably maps the HASH index values onto the CPUs evenly according to the volume of IP packet data. A simplified illustration follows:
For example, each CPU is given a number. When 160 different IP packets need to be processed in the network, 160 corresponding HASH index values, all in the range 0 to 63, are obtained from these packets. The four service boards contain 8 CPUs, numbered 1 to 8: CPU1 and CPU2 on service board one, CPU3 and CPU4 on service board two, CPU5 and CPU6 on service board three, and CPU7 and CPU8 on service board four.
The range 0 to 63 can be divided equally into 8 subranges, whose spans are, in order, 0 to 7, 8 to 15, 16 to 23, 24 to 31, 31 to 38, 39 to 46, 47 to 55 and 56 to 63; the HASH index values of these 8 subranges are mapped to CPU1 to CPU8 respectively.
This is not limiting, however. For example, when the IP packets whose HASH index values fall within a certain range are more numerous, say 60 of the above 160 IP packets have HASH index values between 24 and 31, the IP packets with HASH index values in that range can be mapped onto two or more CPUs, so as to make full use of each CPU and improve the data-processing performance of the VPN equipment.
When interface board one receives the IP packet from the data-sending client, it first obtains the HASH index value of the packet from the source and destination IP addresses in the packet; then, using the correspondence above, it obtains the second CPU corresponding to the packet from this HASH index value.
The dotted line in Fig. 3 shows IP packet 1. After interface board one receives IP packet 1, it performs the HASH transform on the source and destination IP addresses of the packet to obtain the HASH index value, uses this value and the correspondence above to obtain the second CPU, which is CPU8 on service board four, and sends IP packet 1 to CPU8.
Step S12: the second CPU matches the IP packet against the access control list (ACL) and obtains the first CPU.
The second CPU performs ACL matching on the IP packet received from the interface board. When the match succeeds, it sends the packet to the CPU that implements the IPSec service, and that CPU is the first CPU; when the match fails, it sends the packet back to the interface board, which sends it out directly. The handling of the failed-match case has little bearing on the present invention and is not described further.
Embodiment two takes advantage of the strong data-processing capability of VPN equipment that contains a plurality of CPUs and applies a load-sharing technique to the IP packets across those CPUs: the second CPU matches the IP packet against the different pre-configured ACL data and, according to the matching result, when IPSec service processing is needed, obtains the CPU that performs the IPSec service for that packet; this CPU is the first CPU of the packet. An IP packet that does not need IPSec service processing is sent out directly.
As shown in Fig. 3, the second CPU (CPU8) matches IP packet 1 against the ACL data configured on it. From the matching result it can judge whether IP packet 1 needs IPSec service processing and, when it does, the first CPU that performs IPSec service processing on IP packet 1 can be obtained from the ACL configuration.
The configuration of the above ACL data can be carried out by the main control board.
Second case: the IP packet is a packet that needs to be decapsulated. The step specifically comprises:
Step S13: a hash transform is performed on the IP addresses of the two ends of the IPSec tunnel carried in the IP packet that needs to be decapsulated, to obtain a hash index value;
Taking Fig. 3 as the example again, interface board two is the entry point for the IP packet that needs to be decapsulated (IP packet 2). Interface board two receives IP packet 2, which is encapsulated (with ESP encapsulation and/or AH encapsulation) and carries the IP addresses of the two ends of the IP tunnel it belongs to. A hash transform is performed on the IP addresses of the two tunnel ends; the method for obtaining the hash index value is as in steps S111 to S113 above.
Step S14: the first CPU is obtained according to the hash index value.
Because the main control board configures the data of each CPU in advance, when the addresses of the two ends of the IP tunnel the packet belongs to are used as the source and destination addresses of the HASH transform, the first CPU that implements the IPSec service for this IP packet can be obtained directly from the resulting HASH index value.
The method by which the main control board configures each CPU in advance is described below. Before step S1, the method also comprises:
Step S0: the main control board configures the CPUs in advance, comprising:
Step S01: the main control board allocates a corresponding first CPU for the IP packet;
In embodiment two, the main control board allocates the corresponding first CPU for the IP packet according to the addresses of the two ends of the IP tunnel the packet belongs to. The IP packet here includes both packets that need to be encapsulated and packets that need to be decapsulated.
The main control board performs the HASH transform on the addresses of the two tunnel ends to obtain the hash index value and maps the hash index value of the IP packet to the CPU; the specific method is as in steps S111 to S113 above. This method guarantees that IP packets in the same IP tunnel are sent to the same CPU for IPSec service processing, i.e. the encapsulation and the decapsulation of IP packets in the same IP tunnel are handled by the same CPU.
Step S02: the main control board performs the corresponding ACL configuration for the first CPU of the IP packet and sends the data required to implement the corresponding IPSec service for this IP packet to the first CPU.
After allocating the first CPU for the IP packet, the main control board performs the ACL configuration according to the correspondence between IP packets and first CPUs; this ACL configuration table identifies the first CPU that handles the IP packets in the same IP tunnel. The main control board broadcasts the ACL data configuration to each CPU on the service boards and at the same time sends the data required to perform the corresponding IPSec service to each determined first CPU.
From the above, for an IP packet that needs to be encapsulated, the interface board first obtains the second CPU from the packet's source and destination IP addresses; the second CPU matches the packet against the ACL data configured for it by the main control board and sends the packet to the first CPU according to the matching result. Because the main control board configures the ACL data on the CPUs according to the IP addresses of the two ends of the IP tunnel the packet belongs to, and for a packet that needs to be decapsulated the first CPU is obtained directly from the IP addresses of the two tunnel ends, the encapsulation and the decapsulation of IP packets in the same IP tunnel are guaranteed to be handled by the same CPU.
The above steps in which the main control board allocates CPUs, configures the ACL and sends the data required for the corresponding IPSec service to the CPUs can be performed periodically or on demand by issuing control commands, according to factors such as changes in the IP packets; for example, when the IP address of the client or server of a packet changes, or a new IP packet requires IPSec service processing, the above configuration steps can be performed again.
As shown in Fig. 3, the main control board configures the above ACL and the data required for the corresponding IPSec service and sends them to service boards one to four via data flow 1.
From the above, the second CPU, i.e. CPU8 on service board four, matches IP packet 1 against the configured ACL and judges that IP packet 1 needs IPSec encapsulation service processing. According to the correspondence between the IPSec service and the CPU that handles it, CPU8 finds that the CPU performing the IPSec encapsulation service is CPU1 on service board one, i.e. the executing (first) CPU of IP packet 1 is CPU1.
Step S2: the first CPU performs the corresponding IPSec service processing on the IP packet and sends it.
For an IP packet that needs to be encapsulated, the first CPU performs encapsulation processing on it; for an IP packet that needs to be decapsulated, the first CPU performs decapsulation processing on it.
By adopting the load-sharing technique, embodiment two lets a plurality of CPUs carry different ACL data flows and the IPSec service processing of different IP packets respectively and, by establishing the correspondence between an IP packet and the CPU that handles its IPSec service, keeps the data processing of IP packets evenly distributed across the CPUs while guaranteeing that the same CPU handles the IP packets in the same IP tunnel. This improves the VPN service processing performance of the whole device: the number of IPSec tunnels set up per second, the maximum number of concurrent tunnels, the encryption and decryption throughput and so on are greatly increased.
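The selection logic of embodiment two, written out as an added Python example (not the patent's own code): the HASH transform of steps S111 to S113, the even mapping of index values 0 to 63 onto CPU1 to CPU8, the main control board's per-tunnel allocation of the first CPU (steps S01 and S02) and both lookup paths (S11/S12 through the ACL for packets to be encapsulated, S13/S14 directly from the tunnel endpoints for packets to be decapsulated). It assumes 32-bit wrap-around of the address sum (the patent does not say how overflow is handled), an ACL simplified to (source, destination) pairs, and constructed documentation-range addresses; because the sum is commutative, both directions of a tunnel land on the same first CPU, which is the guarantee step S01 relies on.

```python
"""Added example modelling the CPU selection of embodiment two.
Assumptions (not from the patent): IPv4 addresses are 32-bit unsigned
integers whose sum wraps at 32 bits; the ACL is reduced to (source,
destination) pairs; eight CPUs numbered 1..8 sit two per service board."""
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple

MASK32 = 0xFFFFFFFF
CPU_COUNT = 8        # CPU1..CPU8 on service boards one to four
INDEX_RANGE = 64     # X4 = (X3 >> 1) & 0x3F lies in 0..63


def hash_index(addr_a: str, addr_b: str) -> int:
    """Steps S111-S113: X1 = sum >> 16, X2 = sum & 0xFFFF, X3 = X1 ^ X2,
    X4 = (X3 >> 1) & 0x3F.  Addition is commutative, so swapping the two
    addresses (reverse direction of a flow or tunnel) gives the same index."""
    total = (int(IPv4Address(addr_a)) + int(IPv4Address(addr_b))) & MASK32  # assumed uint32 wrap
    x1 = total >> 16
    x2 = total & 0xFFFF
    x3 = x1 ^ x2
    return (x3 >> 1) & 0x3F


def cpu_for_index(idx: int) -> int:
    """Even mapping: split 0..63 into eight subranges of eight values,
    subrange k -> CPU(k+1)."""
    return idx // (INDEX_RANGE // CPU_COUNT) + 1


def board_for_cpu(cpu: int) -> int:
    """Two CPUs per service board: CPU1, CPU2 -> board one, and so on."""
    return (cpu - 1) // 2 + 1


Tunnel = Tuple[str, str]    # (local tunnel endpoint, remote tunnel endpoint)
Selector = Tuple[str, str]  # (inner source IP, inner destination IP): simplified ACL rule


class MasterBoard:
    """Step S0: S01 allocates the first CPU per tunnel from the hash of the
    tunnel endpoints; S02 builds the ACL table the second CPUs match against."""

    def __init__(self, tunnels: Dict[Tunnel, Tuple[Selector, ...]]) -> None:
        self.first_cpu_of_tunnel: Dict[Tunnel, int] = {}
        self.acl: Dict[Selector, Tuple[Tunnel, int]] = {}
        for tunnel, selectors in tunnels.items():
            first_cpu = cpu_for_index(hash_index(*tunnel))
            self.first_cpu_of_tunnel[tunnel] = first_cpu
            for sel in selectors:
                self.acl[sel] = (tunnel, first_cpu)


def select_cpus_for_plaintext(master: MasterBoard, src: str, dst: str) -> Tuple[int, Optional[int]]:
    """Steps S11-S12 (packet to be encapsulated): the interface board picks the
    second CPU from the inner addresses; the second CPU matches the ACL.
    Returns (second CPU, first CPU), or (second CPU, None) on an ACL miss,
    in which case the packet goes back to the interface board unprotected."""
    second_cpu = cpu_for_index(hash_index(src, dst))
    hit = master.acl.get((src, dst))
    return second_cpu, (hit[1] if hit else None)


def select_cpu_for_encrypted(outer_src: str, outer_dst: str) -> int:
    """Steps S13-S14 (packet to be decapsulated): hash the tunnel endpoints
    from the outer header and map straight to the first CPU, no ACL lookup."""
    return cpu_for_index(hash_index(outer_src, outer_dst))


# Constructed sample topology: one tunnel protecting one inner flow.
TUNNEL: Tunnel = ("203.0.113.1", "198.51.100.2")
MASTER = MasterBoard({TUNNEL: (("192.168.1.10", "10.0.0.1"),)})


def demo() -> Dict[str, object]:
    """Send one flow outbound, receive the reply inbound, and try an ACL miss."""
    second, first = select_cpus_for_plaintext(MASTER, "192.168.1.10", "10.0.0.1")
    decap_cpu = select_cpu_for_encrypted("198.51.100.2", "203.0.113.1")  # reply: endpoints reversed
    _, unmatched = select_cpus_for_plaintext(MASTER, "172.16.0.5", "172.16.0.6")
    return {
        "inner_index": hash_index("192.168.1.10", "10.0.0.1"),
        "second_cpu": second,
        "second_board": board_for_cpu(second),
        "first_cpu": first,
        "decap_cpu": decap_cpu,
        "same_cpu_both_ways": first == decap_cpu,  # encapsulation and decapsulation on one CPU
        "unmatched_first_cpu": unmatched,          # None: forwarded without IPSec
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```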
In the technical solution provided by embodiment two, a first CPU that implements the IPSec service for an IP packet is obtained from the IP packet, the IP packet is mapped to the corresponding CPU, and that CPU implements the IPSec service for the packet. Different CPUs are thereby used to share the load of IP packets, which solves the prior-art problem of implementing the IPSec service on high-end VPN equipment with many CPUs, so that the IPSec service can be implemented in VPN equipment comprising a plurality of CPUs.
Embodiment three of the invention also provides an apparatus for implementing an IP security service which, as shown in Fig. 4, comprises a first-CPU acquiring unit 41 and a first CPU 42, where
the first-CPU acquiring unit 41 is used to obtain, according to the received IP packet, a first CPU that performs IP security (IPSec) service processing on the IP packet, and
the first CPU 42 is used to perform the corresponding IPSec service processing on the IP packet and to send it.
The IP packet includes packets that need to be encapsulated and packets that need to be decapsulated. When the IP packet is a packet that needs to be encapsulated, the first-CPU acquiring unit 41 further comprises:
a second-CPU acquiring module, used to obtain a second CPU according to the IP packet that needs to be encapsulated; the second CPU matches the IP packet against the access control list (ACL) and obtains the first CPU.
When the IP packet is a packet that needs to be decapsulated, the first-CPU acquiring unit further comprises:
a computing module, used to perform a hash transform on the IP addresses of the two ends of the IPSec tunnel carried in the IP packet that needs to be decapsulated, to obtain a hash index value; and
an acquiring module, which obtains the first CPU according to the hash index value.
In embodiment three, the first-CPU acquiring unit 41 can be implemented by an interface board, and the first CPU 42 can be any CPU on a service board.
For the specific working of each functional module in the apparatus embodiment, refer to the method embodiments of the invention.
In the technical solution provided by embodiment three, a first CPU that implements the IPSec service for an IP packet is obtained from the IP packet, the IP packet is mapped to the corresponding CPU, and that CPU implements the IPSec service for the packet. Different CPUs are thereby used to share the load of IP packets, which solves the prior-art problem of implementing the IPSec service on high-end VPN equipment with many CPUs, so that the IPSec service can be implemented in VPN equipment comprising a plurality of CPUs.
Embodiment four of the invention also provides a communication device which, as shown in Fig. 5, comprises at least one interface board and at least two CPUs, where
the interface board 51 is used to obtain, according to the received IP packet, a first CPU that performs IP security (IPSec) service processing on the IP packet; and
the first CPU 52 is used to perform the corresponding IPSec service processing on the IP packet and to send it.
Further, the communication device also comprises:
a main control board 53, used to allocate a corresponding first CPU for the IP packet, to perform the corresponding ACL configuration for the first CPU of the IP packet, and to send the data required to implement the corresponding IPSec service for this IP packet to the first CPU.
The CPUs can be distributed on one service board or on a plurality of service boards. The second CPU and the first CPU are CPUs that play different roles when the IP packets in the same IP tunnel are processed; as physical entities on the VPN equipment, the second CPU and the executing CPU have no substantial difference and can be any CPU on a service board.
As shown in Fig. 6, the workflow of the communication device provided by the embodiment of the invention involves interface board 61, interface board 62, main control board 63, service board 64 carrying CPU65 and service board 66 carrying CPU67. This is not limiting; for example, there may be one or more interface boards and a plurality of service boards.
Main control board 63 configures the ACL data on service boards 64 and 66. Interface board 61 receives IP packet 1 and obtains the second CPU of this packet, CPU65 on service board 64; CPU65 matches IP packet 1 against the ACL data and obtains the executing CPU that performs the IPSec service (encapsulation) for this packet, CPU67 on service board 66; CPU67 encapsulates IP packet 1 and sends it out through interface board 62.
Interface board 62 receives IP packet 2, which has been encapsulated in the same way, obtains the corresponding executing CPU67 directly and sends IP packet 2 to CPU67; CPU67 decapsulates IP packet 2 and sends it out through interface board 61.
For the specific working of each functional entity in the above communication device, refer to the method embodiments of the invention.
In the technical solution provided by embodiment four, a first CPU that implements the IPSec service for an IP packet is obtained from the IP packet, the IP packet is mapped to the corresponding CPU, and that CPU implements the IPSec service for the packet. Different CPUs are thereby used to share the load of IP packets, which solves the prior-art problem of implementing the IPSec service on high-end VPN equipment with many CPUs, so that the IPSec service can be implemented in VPN equipment comprising a plurality of CPUs.
A person of ordinary skill in the art will appreciate that all or part of the steps in the above embodiments can be completed by a program instructing the relevant hardware. The software corresponding to the embodiments can be stored in a computer-readable storage medium.
The above are only specific embodiments of the invention, but the protection scope of the invention is not limited to them; any change or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the invention shall fall within the protection scope of the invention. Therefore, the protection scope of the invention shall be determined by the protection scope of the claims.

Claims (11)

1. A method for implementing an IP security service, characterized in that it comprises the steps of:
an interface board obtains, from at least two CPUs and according to a received IP message, a first CPU that performs IP security (IPSEC) service processing on the IP message;
the first CPU performs the corresponding IPSEC service processing on the IP message and sends it.
2. The method for implementing an IP security service according to claim 1, characterized in that the IP message comprises an IP message that needs encapsulation, and the interface board obtaining, according to the received IP message, the first CPU that performs IPSEC service processing on the IP message comprises:
the interface board obtains a second CPU according to the IP message that needs encapsulation;
the second CPU matches the IP message against an access control list (ACL) to obtain the first CPU.
3. The method for implementing an IP security service according to claim 2, characterized in that the interface board obtaining the second CPU according to the IP message that needs encapsulation comprises:
performing hash conversion on the source and destination IP addresses carried in the IP message that needs encapsulation, to obtain a hash index value;
obtaining the second CPU according to the hash index value.
4. The method for implementing an IP security service according to claim 1, characterized in that the IP message comprises an IP message that needs decapsulation, and the interface board obtaining, according to the received IP message, the first CPU that performs IPSEC service processing on the IP message comprises:
performing hash conversion on the IP addresses of the two ends of the IPSEC tunnel carried in the IP message that needs decapsulation, to obtain a hash index value;
obtaining the first CPU according to the hash index value.
5. The method for implementing an IP security service according to any one of claims 1 to 4, characterized in that, before the step in which the interface board obtains, according to the received IP message, the first CPU that performs IPSEC service processing on the IP message, the method further comprises:
a master control board allocates a corresponding first CPU to the IP message;
the master control board performs the corresponding ACL configuration for the first CPU corresponding to the IP message, and sends the data required to implement the IPSEC service corresponding to the IP message to the first CPU.
6. The method for implementing an IP security service according to claim 5, characterized in that the master control board allocating a corresponding first CPU to the IP message comprises:
performing hash conversion on the IP addresses of the two ends of the IPSEC tunnel in which the IP message is located, to obtain a hash index value;
mapping the hash index value of the IP message to the first CPU.
7. An apparatus for implementing an IP security service, characterized in that it comprises a first-CPU acquiring unit and a first CPU, wherein
the first-CPU acquiring unit is configured to obtain, according to a received IP message, a first CPU that performs IPSEC service processing on the IP message;
the first CPU is configured to perform the corresponding IPSEC service processing on the IP message and send it.
8. The apparatus for implementing an IP security service according to claim 7, characterized in that the IP message comprises an IP message that needs encapsulation, and the first-CPU acquiring unit comprises:
a second-CPU acquisition module, configured to obtain a second CPU according to the IP message that needs encapsulation, the second CPU matching the IP message against an access control list (ACL) to obtain the first CPU.
9. The apparatus for implementing an IP security service according to claim 7, characterized in that the IP message comprises an IP message that needs decapsulation, and the first-CPU acquiring unit comprises:
a computing module, configured to perform hash conversion on the IP addresses of the two ends of the IPSEC tunnel carried in the IP message that needs decapsulation, to obtain a hash index value;
an acquisition module, configured to obtain the first CPU according to the hash index value.
10. A communication device, characterized in that it comprises at least one interface board and at least two CPUs, wherein
the interface board is configured to obtain, according to a received IP message, a first CPU that performs IPSEC service processing on the IP message;
the first CPU is configured to perform the corresponding IPSEC service processing on the IP message and send it.
11. The communication device according to claim 10, characterized in that it further comprises:
a master control board, configured to allocate a corresponding first CPU to the IP message, perform the corresponding ACL configuration for the first CPU corresponding to the IP message, and send the data required to implement the IPSEC service corresponding to the IP message to the first CPU.
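The dispatch procedure of claims 1 to 6 and 11 (master control board allocates a first CPU by hashing the tunnel endpoints and pushes the ACL and SA data; the interface board hashes either the inner source/destination addresses of an outbound packet to reach a second CPU that resolves the first CPU through its ACL, or the outer tunnel endpoints of an inbound packet to reach the first CPU directly), as an added example in Python that is not part of the patent and not any vendor's implementation. The number of CPUs, CRC32 as the hash function, sorting the two addresses before hashing, replicating the ACL to every CPU, and all addresses, prefixes and SA values are constructed assumptions; the point the example shows is that the master control board and both forwarding paths must use the same hash so that inbound packets land on the CPU that actually holds the SA.

```python
import ipaddress
import zlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NUM_CPUS = 4  # assumption: number of service CPUs in the device


def hash_index(ip_a: str, ip_b: str, num_cpus: int = NUM_CPUS) -> int:
    """Hash conversion of two IP addresses into a hash index value in [0, num_cpus).

    The two addresses are sorted before hashing (assumption, not stated in the claims)
    so the master control board, the inbound path and the outbound path derive the
    same index regardless of which end is listed first. CRC32 stands in for whatever
    hash the hardware uses (assumption); it is a placement function, not a MAC.
    """
    lo, hi = sorted(int(ipaddress.ip_address(ip)) for ip in (ip_a, ip_b))
    key = lo.to_bytes(16, "big") + hi.to_bytes(16, "big")  # 16 bytes fits v4 and v6
    return zlib.crc32(key) % num_cpus


@dataclass
class AclRule:
    """One ACL entry: inner (plaintext) source/destination prefixes -> first CPU."""
    src_net: str
    dst_net: str
    first_cpu: int

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst_net))


@dataclass
class Cpu:
    cpu_id: int
    acl: List[AclRule] = field(default_factory=list)
    # IPSEC data (the SA) keyed by the sorted pair of tunnel endpoints
    tunnels: Dict[Tuple[str, str], dict] = field(default_factory=dict)

    def lookup_first_cpu(self, src: str, dst: str) -> Optional[int]:
        """Claims 2 and 8: the second CPU matches the packet against its ACL."""
        for rule in self.acl:
            if rule.matches(src, dst):
                return rule.first_cpu
        return None  # no tunnel covers this flow

    def has_tunnel(self, ep_a: str, ep_b: str) -> bool:
        return tuple(sorted((ep_a, ep_b))) in self.tunnels


class MasterControlBoard:
    """Claims 5, 6 and 11: allocate the first CPU, push ACL config and SA data."""

    def __init__(self, cpus: List[Cpu]):
        self.cpus = cpus

    def configure_tunnel(self, local: str, remote: str,
                         src_net: str, dst_net: str, sa: dict) -> int:
        first_cpu = hash_index(local, remote, len(self.cpus))  # claim 6
        rule = AclRule(src_net, dst_net, first_cpu)
        for cpu in self.cpus:      # assumption: ACL replicated to every CPU,
            cpu.acl.append(rule)   # since any CPU may act as the "second CPU"
        # SA data goes only to the first CPU, which performs the IPSEC processing
        self.cpus[first_cpu].tunnels[tuple(sorted((local, remote)))] = sa
        return first_cpu


class InterfaceBoard:
    """Claims 1 to 4: pick the CPU for a received packet."""

    def __init__(self, cpus: List[Cpu]):
        self.cpus = cpus

    def dispatch_outbound(self, inner_src: str, inner_dst: str) -> Tuple[int, Optional[int]]:
        """Packet needing encapsulation: hash inner src/dst -> second CPU (claim 3),
        which resolves the first CPU via its ACL (claim 2). Returns (second, first)."""
        second = hash_index(inner_src, inner_dst, len(self.cpus))
        return second, self.cpus[second].lookup_first_cpu(inner_src, inner_dst)

    def dispatch_inbound(self, outer_src: str, outer_dst: str) -> int:
        """Packet needing decapsulation: hash the tunnel endpoints in the outer
        header -> first CPU directly (claim 4)."""
        return hash_index(outer_src, outer_dst, len(self.cpus))


def build_demo() -> dict:
    """Constructed scenario: one tunnel, then one inbound and two outbound packets."""
    cpus = [Cpu(i) for i in range(NUM_CPUS)]
    mcb, ib = MasterControlBoard(cpus), InterfaceBoard(cpus)
    first = mcb.configure_tunnel("203.0.113.1", "198.51.100.7",
                                 "10.1.0.0/16", "10.2.0.0/16", {"spi": 0x1234})
    inbound = ib.dispatch_inbound("198.51.100.7", "203.0.113.1")
    second, resolved = ib.dispatch_outbound("10.1.5.5", "10.2.9.9")
    return {"first": first, "inbound": inbound, "second": second, "resolved": resolved,
            "inbound_has_sa": cpus[inbound].has_tunnel("198.51.100.7", "203.0.113.1"),
            "unknown": ib.dispatch_outbound("10.9.0.1", "10.2.9.9")[1]}


if __name__ == "__main__":
    print(build_demo())
```

The returned dictionary makes the consistency property visible: `inbound` equals `first` and `inbound_has_sa` is true only because the interface board and the master control board apply the same hash to the same endpoint pair; a flow with no configured tunnel resolves to `None` at the second CPU, which is where a real device would drop or bypass the packet according to policy.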

Priority Applications (4)

Application Number Priority Date Filing Date Title
CN2008102121823A CN101345689B (en) 2008-09-10 2008-09-10 Method, apparatus and communication equipment for implementing IP safety service
PCT/CN2009/073100 WO2010020151A1 (en) 2008-08-18 2009-08-05 A method, apparatus and system for packet processing
US13/030,898 US8509239B2 (en) 2008-08-18 2011-02-18 Method, apparatus and system for processing packets
US13/935,929 US8737388B2 (en) 2008-08-18 2013-07-05 Method, apparatus and system for processing packets

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2008102121823A CN101345689B (en) 2008-09-10 2008-09-10 Method, apparatus and communication equipment for implementing IP safety service

Publications (2)

Publication Number Publication Date
CN101345689A true CN101345689A (en) 2009-01-14
CN101345689B CN101345689B (en) 2011-07-06

Family

ID=40247584

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008102121823A Expired - Fee Related CN101345689B (en) 2008-08-18 2008-09-10 Method, apparatus and communication equipment for implementing IP safety service

Country Status (1)

Country Link
CN (1) CN101345689B (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010020151A1 (en) * 2008-08-18 2010-02-25 成都市华为赛门铁克科技有限公司 A method, apparatus and system for packet processing
CN103475586A (en) * 2013-08-22 2013-12-25 东软集团股份有限公司 Method, device and system for forwarding network data messages
CN104618329A (en) * 2014-12-26 2015-05-13 曙光信息产业(北京)有限公司 Data processing method and device
CN106559838A (en) * 2015-09-24 2017-04-05 大唐移动通信设备有限公司 Business processing optimization method and device
CN107547508A (en) * 2017-06-29 2018-01-05 新华三信息安全技术有限公司 A kind of message sending, receiving method, device and the network equipment
CN109145620A (en) * 2018-08-13 2019-01-04 北京奇安信科技有限公司 Data flow diversion processing method and device
CN109714293A (en) * 2017-10-25 2019-05-03 中国移动通信有限公司研究院 VoLTE data traffic filter method, device, gateway, equipment and medium
CN111522772A (en) * 2020-04-27 2020-08-11 杭州迪普科技股份有限公司 Method and device for configuring service board

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105847185B (en) * 2015-01-16 2019-04-09 杭州迪普科技股份有限公司 Message processing method, device and the distributed apparatus of distributed apparatus

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1838609A (en) * 2005-03-22 2006-09-27 杭州华为三康技术有限公司 Centralized service processing method and route apparatus
CN1984131A (en) * 2005-12-14 2007-06-20 北京三星通信技术研究有限公司 Method for processing distributed IPSec
CN100596349C (en) * 2006-04-26 2010-03-31 南京大学 Information processing method based on high-speed network data processing platform VPN gateway system
CN100596062C (en) * 2007-08-16 2010-03-24 杭州华三通信技术有限公司 Secure protection device and method for distributed packet transfer

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8509239B2 (en) 2008-08-18 2013-08-13 Chengdu Huawei Symantec Technologies Co., Ltd. Method, apparatus and system for processing packets
US8737388B2 (en) 2008-08-18 2014-05-27 Huawei Technologies Co., Ltd. Method, apparatus and system for processing packets
WO2010020151A1 (en) * 2008-08-18 2010-02-25 成都市华为赛门铁克科技有限公司 A method, apparatus and system for packet processing
CN103475586A (en) * 2013-08-22 2013-12-25 东软集团股份有限公司 Method, device and system for forwarding network data messages
CN103475586B (en) * 2013-08-22 2016-05-04 东软集团股份有限公司 The retransmission method of network data message, Apparatus and system
CN104618329B (en) * 2014-12-26 2018-06-05 曙光信息产业(北京)有限公司 Data processing method and device
CN104618329A (en) * 2014-12-26 2015-05-13 曙光信息产业(北京)有限公司 Data processing method and device
CN106559838A (en) * 2015-09-24 2017-04-05 大唐移动通信设备有限公司 Business processing optimization method and device
CN106559838B (en) * 2015-09-24 2019-12-06 大唐移动通信设备有限公司 business processing optimization method and device
CN107547508A (en) * 2017-06-29 2018-01-05 新华三信息安全技术有限公司 A kind of message sending, receiving method, device and the network equipment
CN109714293A (en) * 2017-10-25 2019-05-03 中国移动通信有限公司研究院 VoLTE data traffic filter method, device, gateway, equipment and medium
CN109714293B (en) * 2017-10-25 2021-08-10 中国移动通信有限公司研究院 VoLTE data traffic filtering method, device, gateway, equipment and medium
CN109145620A (en) * 2018-08-13 2019-01-04 北京奇安信科技有限公司 Data flow diversion processing method and device
CN111522772A (en) * 2020-04-27 2020-08-11 杭州迪普科技股份有限公司 Method and device for configuring service board

Also Published As

Publication number Publication date
CN101345689B (en) 2011-07-06


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Owner name: CHENGDU CITY HUAWEI SAIMENTEKE SCIENCE CO., LTD.

Free format text: FORMER OWNER: HUAWEI TECHNOLOGY CO., LTD.

Effective date: 20090424

C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20090424

Address after: Qingshui River District, Chengdu hi tech Zone, Sichuan Province, China, 611731

Applicant after: Chengdu Huawei Symantec Technologies Co., Ltd.

Address before: Headquarters office building, Bantian HUAWEI base, Longgang District, Guangdong, Shenzhen Province, China: 518129

Applicant before: Huawei Technologies Co., Ltd.

C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD.

Free format text: FORMER NAME: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD.

CP01 Change in the name or title of a patent holder

Address after: 611731 Qingshui River film, West Zone, hi tech Zone, Sichuan, Chengdu

Patentee after: Huawei Symantec Technologies Co., Ltd.

Address before: 611731 Qingshui River film, West Zone, hi tech Zone, Sichuan, Chengdu

Patentee before: Chengdu Huawei Symantec Technologies Co., Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110706

Termination date: 20170910