Embodiment
To make the technical solutions of the embodiments of the invention clearer, the embodiments are described in detail below with reference to the accompanying drawings. The embodiments described are only some of the embodiments of the invention; all other embodiments that a person of ordinary skill in the art could derive from them without creative effort also fall within the scope of the invention.
The embodiments of the invention provide a method, a device and a communication apparatus for implementing an IP security (IPsec) service, which allow the IPsec service to be implemented on a multi-service-board device.
The method for implementing an IP security service provided by embodiment one of the invention applies to a device with at least two CPUs. As shown in Figure 1, the method comprises the following steps:
Step 11: according to a received IP packet, the interface board obtains, from the at least two CPUs, a first CPU that performs IP security (IPsec) service processing on the packet;
Step 12: the first CPU performs the corresponding IPsec service processing on the packet and sends it.
In the technical solution of embodiment one, the CPU that implements the IPsec service for an IP packet is obtained from the packet itself, so that each packet is mapped to its corresponding CPU and that CPU implements the IPsec service for it. Using different CPUs in this way achieves load sharing of IP packets, solves the problems that implementing the IPsec service brings in the prior art, and therefore allows the IPsec service to be implemented on high-end VPN equipment with multiple CPUs.
The method for implementing an IP security service provided by embodiment two of the invention is described in detail below.
The terms "first" and "second" are used in the embodiments of the invention only to distinguish CPUs that play different roles when handling one IP packet; they imply no limit on number. The specific functions of the first CPU and the second CPU are introduced below.
As physical entities on the VPN equipment, the first CPU and the second CPU described below have no substantial difference; either may be any CPU on a service board. This applies throughout and is not repeated.
The method of embodiment two applies to a device with at least two CPUs. As shown in Figure 2, the method comprises the following steps:
Step S1: according to a received IP packet, the interface board obtains, from the at least two CPUs, a first CPU that performs IPsec service processing on the packet.
For clarity of explanation, embodiment two, as shown in Figure 3, comprises service boards one to four and interface boards one and two. This is not a limitation: the device may comprise a single service board carrying several CPUs, or several service boards with the CPUs distributed across them, and there may be one or more interface boards. The description below takes interface board one or interface board two as the entry point of the IP packet and distinguishes two cases:
First case: the IP packet is a packet that needs encapsulation. The step comprises:
Step S11: the interface board obtains the second CPU according to the IP packet that needs encapsulation.
Interface board one is the entry point of the packet that needs encapsulation (IP packet 1). Interface board one receives the packet from the data-sending client; the packet carries the source and destination IP addresses, i.e. the addresses of the data-sending client and the data-receiving client. In embodiment two, interface board one obtains the second CPU from the source and destination IP addresses carried in the packet, as follows:
Embodiment two first applies a hash (HASH) transform to the source and destination IP addresses carried in the packet to obtain the HASH index value of the packet. Preferably, the HASH transform adopted in embodiment two comprises the following steps:
Step S111: the sum of the source IP address (SourceIp) and the destination IP address (DestinationIp) is shifted right by 16 bits to obtain a first parameter X1, i.e. X1 = (SourceIp + DestinationIp) >> 16;
the sum of SourceIp and DestinationIp is ANDed with 0xFFFF to obtain a second parameter X2, i.e. X2 = (SourceIp + DestinationIp) & 0xFFFF;
Step S112: the first parameter X1 and the second parameter X2 are XORed to obtain a third parameter X3, i.e. X3 = X1 ^ X2;
Step S113: the third parameter X3 is shifted right by 1 bit, and the low 6 bits of the shifted value are kept by ANDing with 0x3F to obtain a fourth parameter X4, i.e. X4 = (X3 >> 1) & 0x3F.
The fourth parameter X4 obtained by steps S111 to S113 is used as the HASH index value of the packet.
The HASH index values of IP packets are then mapped to the different CPUs on the service boards, so that the second CPU corresponding to a packet that needs encapsulation can be obtained from the packet.
The HASH index value obtained above, i.e. the fourth parameter, lies in the range 0 to 63. The correspondence between an IP packet and its second CPU is explained below using the four service boards of Figure 3, each carrying two CPUs, as an example.
Several methods can be used to map an IP packet to its second CPU and thereby obtain the second CPU on a service board from the packet. Preferably, embodiment two proceeds as follows:
Any CPU on a service board may act as the second CPU, an IP packet may be forwarded to any corresponding CPU, and the volume of traffic forwarded is likewise arbitrary. To make full use of the multiple CPUs of a distributed multi-service-board device and improve the processing efficiency of the IPsec service, embodiment two preferably distributes the HASH index values across the CPUs evenly according to the traffic volume. A simplified illustration follows:
For example, each CPU is given a number. Suppose 160 different IP packets need to be handled in the network; 160 different HASH index values are obtained from them, each in the range 0 to 63. The four service boards carry 8 CPUs, numbered 1 to 8: CPU1 and CPU2 on service board one, CPU3 and CPU4 on service board two, CPU5 and CPU6 on service board three, and CPU7 and CPU8 on service board four.
The range 0 to 63 can be divided equally into 8 subranges, namely 0 to 7, 8 to 15, 16 to 23, 24 to 31, 31 to 38, 39 to 46, 47 to 55 and 56 to 63, and the HASH index values in these 8 subranges are mapped to CPU1 to CPU8 respectively.
This is not a limitation. For example, when more IP packets fall into one subrange, say the HASH index values of 60 of the 160 packets all lie between 24 and 31, the packets whose HASH index values fall in that range can be mapped to two or more CPUs, so that every CPU is fully used and the data processing performance of the VPN equipment is improved.
When interface board one receives an IP packet from the data-sending client, it first obtains the HASH index value of the packet from the source and destination IP addresses in the packet, and then obtains the second CPU corresponding to the packet from that HASH index value using the correspondence above.
IP packet 1 is shown by the dotted line in Figure 3. After interface board one receives IP packet 1, it applies the HASH transform to the packet's source and destination IP addresses to obtain the HASH index value, uses the correspondence above to find that the second CPU is CPU8 on service board four, and sends IP packet 1 to CPU8.
Step S12: the second CPU matches the IP packet against an access control list (ACL) and obtains the first CPU.
The second CPU performs ACL matching on the IP packet received from the interface board. When the match succeeds, it sends the packet to the CPU that implements the IPsec service, which is the first CPU; when the match fails, it returns the packet to the interface board, which sends it directly. The handling of the no-match case has little bearing on the invention and is not described further.
Embodiment two exploits the strong data-processing capacity of VPN equipment with multiple CPUs by applying a load-sharing technique to IP packets across those CPUs: the second CPU matches the packet against the pre-configured ACL data, and according to the match result, when IPsec service processing is needed, it obtains the CPU that performs the IPsec service for that packet, which is the packet's first CPU. A packet that does not need IPsec service processing is sent directly.
As shown in Figure 3, the second CPU (CPU8) matches IP packet 1 against the ACL data configured on it. From the match result it can determine whether IP packet 1 needs IPsec service processing, and when it does, the ACL configuration yields the first CPU that performs the IPsec service processing on IP packet 1.
The configuration of the ACL data can be performed by the master control board.
Second case: the IP packet is a packet that needs decapsulation. The step comprises:
Step S13: a hash transform is applied to the IP addresses of the two ends of the IPsec tunnel carried in the packet that needs decapsulation, to obtain the hash index value;
Figure 3 is again taken as the example. Interface board two is the entry point of the packet that needs decapsulation (IP packet 2). Interface board two receives IP packet 2, whose encapsulation (ESP and/or AH) carries the IP addresses of the two ends of the IP tunnel it belongs to. The hash transform is applied to the IP addresses of the two tunnel ends; the method of obtaining the hash index value is as in steps S111 to S113 above.
Step S14: the first CPU is obtained from the hash index value.
Because the master control board has configured the data on each CPU in advance, when the addresses of the two ends of the IP tunnel the packet belongs to are used as the source and destination addresses of the HASH transform above, the first CPU that implements the IPsec service for the packet is obtained directly from the resulting HASH index value.
The method by which the master control board configures data on each CPU in advance is described below. Before step S1, the method further comprises:
Step S0: the master control board configures data on the CPUs in advance, comprising:
Step S01: the master control board assigns a corresponding first CPU to the IP packet;
In embodiment two, the master control board assigns a first CPU to the packet according to the addresses of the two ends of the IP tunnel the packet belongs to. The IP packets here include both packets that need encapsulation and packets that need decapsulation.
The master control board applies the HASH transform to the addresses of the two ends of the IP tunnel to obtain the hash index value, and maps the hash index value of the packet to the first CPU; the specific method is as in steps S111 to S113 above. This method guarantees that IP packets belonging to the same IP tunnel are sent to the same CPU for IPsec service processing, i.e. encapsulation and decapsulation for the same IP tunnel are performed by the same CPU.
Step S02: the master control board performs the corresponding ACL configuration for the first CPU corresponding to the IP packet, and sends the data required to implement the IPsec service for that packet to the first CPU.
After assigning a first CPU to the IP packet, the master control board performs the ACL configuration according to the correspondence between the packet and the CPU; this ACL configuration table identifies the first CPU that handles the packets of the same IP tunnel. The master control board broadcasts the ACL data configuration to every CPU on the service boards and at the same time sends the data required to perform the corresponding IPsec service to each designated first CPU.
In summary, for a packet that needs encapsulation, the interface board first obtains the second CPU from the packet's source and destination IP addresses; the second CPU matches the packet against the ACL data configured on it by the master control board and sends the packet to the first CPU according to the match result. Because the master control board configures the ACL data on the CPUs according to the IP addresses of the two ends of the IP tunnel the packet belongs to, and a packet that needs decapsulation obtains its first CPU directly from the IP addresses of the two tunnel ends, encapsulation and decapsulation for the same IP tunnel are guaranteed to be performed by the same CPU.
The steps in which the master control board assigns CPUs, configures ACLs and sends the data required for the IPsec service to the CPUs can be performed periodically, or on demand by sending control commands, according to factors such as changes in IP packets. For example, when the IP address of a packet's client or server changes, or new IP packets need IPsec service processing, the configuration steps above can be performed again.
As shown in Figure 3, the master control board configures the ACL and the data required to perform the corresponding IPsec service and sends them to service boards one to four via data flow 1.
Continuing the example, the second CPU, i.e. CPU8 on service board four, matches IP packet 1 against the configured ACL and determines that IP packet 1 needs the encapsulation IPsec service. From the correspondence between the IPsec service and the CPU that handles it, CPU8 finds that the CPU performing encapsulation IPsec service processing is CPU1 on service board one, i.e. the execution CPU of IP packet 1 is CPU1.
Step S2: the first CPU performs the corresponding IPsec service processing on the IP packet and sends it.
For a packet that needs encapsulation, the first CPU performs encapsulation on it; for a packet that needs decapsulation, the first CPU performs decapsulation on it.
By adopting the load-sharing technique, embodiment two has multiple CPUs separately carry different ACL data flows and the IPsec service processing of different IP packets, and by establishing the correspondence between an IP packet and the CPU that handles its IPsec service, it keeps the data processing load of the CPUs balanced and guarantees that packets of the same IP tunnel are handled by the same CPU. This greatly improves the VPN service performance of the whole device, including the number of IPsec tunnels established per second, the maximum number of concurrent tunnels and the encryption/decryption throughput.
In the technical solution of embodiment two, the CPU that implements the IPsec service for an IP packet is obtained from the packet itself, so that each packet is mapped to its corresponding CPU and that CPU implements the IPsec service for it. Using different CPUs in this way achieves load sharing of IP packets, solves the problems that implementing the IPsec service brings in the prior art, and therefore allows the IPsec service to be implemented on high-end VPN equipment with multiple CPUs.
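The dispatch of steps S11 to S14 together with the pre-configuration of steps S01 and S02, as an added Python example that is not part of the patent: the function names, the tuple representation of the ACL and the 32-bit wrap-around of the address sum are assumptions, and the addresses and tunnel are constructed. The CPU mapping uses the equal division of 0 to 63 into eight blocks of eight described above.

```python
import ipaddress

# Layout of the Figure 3 example: four service boards, two CPUs each, CPU1..CPU8.
CPU_COUNT = 8
INDEX_RANGE = 64                       # the hash index takes values 0..63

def ip_to_int(addr):
    """Dotted-quad IPv4 text to its 32-bit integer value."""
    return int(ipaddress.IPv4Address(addr))

def hash_index(source_ip, destination_ip):
    """Steps S111 to S113: fold two addresses into a 6-bit index.
    Assumption: the sum is taken in 32-bit unsigned arithmetic, so it wraps."""
    total = (ip_to_int(source_ip) + ip_to_int(destination_ip)) & 0xFFFFFFFF
    x1 = total >> 16                   # S111: high 16 bits of the sum
    x2 = total & 0xFFFF                # S111: low 16 bits of the sum
    x3 = x1 ^ x2                       # S112: exclusive or
    return (x3 >> 1) & 0x3F            # S113: shift right by one, keep 6 bits

def cpu_for_index(index):
    """Equal division of 0..63 into eight blocks of eight, one per CPU."""
    return index // (INDEX_RANGE // CPU_COUNT) + 1

def assign_first_cpu(tunnel_local, tunnel_remote):
    """Step S01: the master control board derives the first CPU from the
    two tunnel endpoint addresses. Because the hash sums the addresses,
    (local, remote) and (remote, local) give the same CPU, which is what
    keeps encapsulation and decapsulation of one tunnel on one CPU."""
    return cpu_for_index(hash_index(tunnel_local, tunnel_remote))

def build_acl(tunnels):
    """Step S02: ACL entries (inner src net, inner dst net, first CPU).
    Constructed representation, not the patent's ACL format."""
    return [(ipaddress.ip_network(src), ipaddress.ip_network(dst),
             assign_first_cpu(local, remote))
            for src, dst, local, remote in tunnels]

def dispatch_outbound(inner_src, inner_dst, acl):
    """First case (S11, S12): the interface board hashes the inner addresses
    to pick the second CPU; that CPU matches the ACL to find the first CPU.
    Returns (second_cpu, first_cpu); first_cpu is None when nothing matches
    and the packet is sent in the clear."""
    second_cpu = cpu_for_index(hash_index(inner_src, inner_dst))
    src = ipaddress.ip_address(inner_src)
    dst = ipaddress.ip_address(inner_dst)
    for src_net, dst_net, first_cpu in acl:
        if src in src_net and dst in dst_net:
            return second_cpu, first_cpu
    return second_cpu, None

def dispatch_inbound(outer_src, outer_dst):
    """Second case (S13, S14): the interface board hashes the tunnel
    endpoints in the outer header and reaches the first CPU directly."""
    return cpu_for_index(hash_index(outer_src, outer_dst))

# Constructed sample: one tunnel 192.0.2.1 (local) <-> 198.51.100.1 (remote)
# carrying traffic between 10.1.0.0/16 and 10.2.0.0/16.
SAMPLE_TUNNELS = [("10.1.0.0/16", "10.2.0.0/16", "192.0.2.1", "198.51.100.1")]

if __name__ == "__main__":
    acl = build_acl(SAMPLE_TUNNELS)
    print(dispatch_outbound("10.1.1.10", "10.2.2.20", acl))   # (2, 4)
    print(dispatch_inbound("198.51.100.1", "192.0.2.1"))      # 4
```

The inbound packet's outer header carries the endpoints in the reverse order of what the master control board hashed, and it still reaches the same first CPU because the index depends only on the sum.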
Embodiment three of the invention also provides a device for implementing an IP security service. As shown in Figure 4, it comprises a first CPU acquiring unit 41 and a first CPU 42, wherein:
the first CPU acquiring unit 41 is configured to obtain, according to a received IP packet, a first CPU that performs IPsec service processing on the packet; and
the first CPU 42 is configured to perform the corresponding IPsec service processing on the packet and send it.
The IP packet may be a packet that needs encapsulation or a packet that needs decapsulation. When the packet needs encapsulation, the first CPU acquiring unit 41 further comprises:
a second CPU acquiring module, configured to obtain the second CPU according to the packet that needs encapsulation, the second CPU matching the packet against an access control list (ACL) to obtain the first CPU.
When the packet needs decapsulation, the first CPU acquiring unit further comprises:
a computing module, configured to apply the hash transform to the IP addresses of the two ends of the IPsec tunnel carried in the packet that needs decapsulation, to obtain the hash index value; and
an acquiring module, configured to obtain the first CPU according to the hash index value.
In embodiment three, the first CPU acquiring unit 41 can be implemented by an interface board, and the first CPU 42 can be any CPU on a service board.
For the specific operation of each functional module of the device embodiment, refer to the method embodiments of the invention.
In the technical solution of embodiment three, the CPU that implements the IPsec service for an IP packet is obtained from the packet itself, so that each packet is mapped to its corresponding CPU and that CPU implements the IPsec service for it. Using different CPUs in this way achieves load sharing of IP packets, solves the problems that implementing the IPsec service brings in the prior art, and therefore allows the IPsec service to be implemented on high-end VPN equipment with multiple CPUs.
Embodiment four of the invention also provides a communication apparatus. As shown in Figure 5, it comprises at least one interface board and at least two CPUs, wherein:
the interface board 51 is configured to obtain, according to a received IP packet, a first CPU that performs IPsec service processing on the packet; and
the first CPU 52 is configured to perform the corresponding IPsec service processing on the packet and send it.
Further, the communication apparatus also comprises:
a master control board 53, configured to assign a corresponding first CPU to the IP packet, perform the corresponding ACL configuration for the first CPU corresponding to the packet, and send the data required to implement the IPsec service for the packet to the first CPU.
The CPUs may be located on one service board or distributed across several service boards. The second CPU and the first CPU play different roles when handling packets of the same IP tunnel, but as physical entities on the VPN equipment the second CPU and the execution CPU have no substantial difference; either can be any CPU on a service board.
Figure 6 is a schematic workflow of the communication apparatus provided by the embodiment of the invention. It comprises interface board 61, interface board 62, master control board 63, service board 64 carrying CPU65 and service board 66 carrying CPU67. This is not a limitation: for example, there may be one or more interface boards and several service boards.
The master control board 63 configures the ACL data on service boards 61 and 62. Interface board 61 receives IP packet 1; the second CPU obtained for IP packet 1 is CPU65 on service board 64; CPU65 matches IP packet 1 against the ACL data and obtains the execution CPU that performs the IPsec service (encapsulation) for the packet, which is CPU67 on service board 66; CPU67 encapsulates IP packet 1 and sends it via interface board 62.
Interface board 62 receives IP packet 2, which was encapsulated in the same way, directly obtains the corresponding execution CPU67 and sends IP packet 2 to it; CPU67 decapsulates IP packet 2 and sends it via interface board 61.
For the specific operation of each functional entity in the communication apparatus, refer to the method embodiments of the invention.
In the technical solution of embodiment four, the CPU that implements the IPsec service for an IP packet is obtained from the packet itself, so that each packet is mapped to its corresponding CPU and that CPU implements the IPsec service for it. Using different CPUs in this way achieves load sharing of IP packets, solves the problems that implementing the IPsec service brings in the prior art, and therefore allows the IPsec service to be implemented on high-end VPN equipment with multiple CPUs.
A person of ordinary skill in the art will understand that all or part of the steps of the embodiments above can be implemented by a program instructing the related hardware. The software corresponding to the embodiments can be stored in a computer-readable storage medium.
The above are only specific embodiments of the invention, but the protection scope of the invention is not limited thereto. Any change or replacement that a person skilled in the art could easily conceive within the technical scope disclosed by the invention shall fall within the protection scope of the invention. Therefore, the protection scope of the invention shall be determined by the protection scope of the claims.