CN101515896A - Safe socket character layer protocol message forwarding method, device, system and exchange - Google Patents

Info

Publication number: CN101515896A
Application number: CNA2009101286503A
Authority: CN (China)
Prior art keywords: request message, resource request, message, resource, transparent transmission
Legal status: Granted (the legal status is an assumption and is not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN101515896B (en)
Inventors: 陈实, 李滨江, 胡振兴
Current Assignee: Chengdu Huawei Technology Co Ltd (the listed assignees may be inaccurate)
Original Assignee: Huawei Symantec Technologies Co Ltd
Application filed by Huawei Symantec Technologies Co Ltd
Priority to CN2009101286503A
Publication of CN101515896A
Application granted; publication of CN101515896B
Legal status: Expired - Fee Related

Abstract

The invention provides a Secure Sockets Layer (SSL) protocol message forwarding method, device and system. The method includes: receiving a resource request message sent by a user, the resource request message being an SSL message encrypted with SSL; if the resource requested by the resource request message is a non-local resource, adding transparent transmission information to the resource request message, where the transparent transmission information informs each switching node that forwards the resource request message that, when the message is forwarded between switching nodes, it is to be forwarded directly using the Transmission Control Protocol (TCP) without performing an SSL encryption or decryption operation on it; and forwarding the resource request message containing the transparent transmission information. By employing message transparent transmission, the invention reduces the encryption and decryption operations performed while forwarding the message and improves network performance.

Description

Secure Sockets Layer (SSL) protocol message forwarding method, device, system and switch
Technical field
The present invention relates to the field of message forwarding, and in particular to a Secure Sockets Layer (SSL) protocol message forwarding method, device, system and switch.
Background technology
In network technology, messages are forwarded across network nodes. For example, Secure Sockets Layer (SSL) Virtual Private Network (VPN), an emerging VPN technology, has many advantages over the traditional IP Security (IPSec) VPN: 1) A mobile user of SSL VPN uses a standard browser and needs no client program installed to access the internal network through the SSL VPN tunnel, whereas a mobile user of IPSec VPN must install dedicated IPSec client software. 2) SSL VPN users are not restricted by the access network, and the SSL VPN tunnel can traverse firewalls; an IPSec client must support "network address translation (NAT) traversal" to traverse a firewall, and the firewall must open User Datagram Protocol (UDP) port 500. 3) SSL VPN only requires maintenance of the gateway device at the central node, and the clients are maintenance-free, which reduces deployment and support cost; IPSec VPN requires management of every communicating node, and its network management is highly specialized. 4) SSL VPN more easily provides fine-grained access control, allowing more detailed control over a user's permissions, resources, services and files, and integrates more conveniently with third-party authentication systems (such as Remote Authentication Dial-In User Service (RADIUS), Active Directory (AD), etc.), whereas IPSec VPN mainly controls user access based on the IP five-tuple (source/destination IP, source/destination port, protocol number).
In the course of implementing the present invention, the inventors found at least the following problems in the prior art: as network technology evolves rapidly, a message forwarded across networks passes through more and more intermediate nodes, and at every hop between nodes the message must undergo one encryption and decryption operation. For example, compared with IPSec VPN, SSL VPN is inherently weaker for network-to-network connections, particularly in large-scale networking (for example star topology or hierarchical topology networking), that is, in multi-level site-switch-site (Site2Switch2Site) deployments, where one SSL encryption and decryption operation is required between each pair of sites. Since these operations take place between the multiple layers of nodes during message transmission, such frequent encryption and decryption seriously affects network performance.
Summary of the invention
Embodiments of the invention provide a message forwarding method, device and system that reduce the number of encryption and decryption operations during message transmission and improve network performance.
In one aspect, an embodiment of the invention provides a Secure Sockets Layer (SSL) protocol message forwarding method, the method comprising: receiving a resource request message sent by a user, the resource request message being an SSL message encrypted with SSL;
if the resource requested by the resource request message is a non-local resource, adding transparent transmission information to the resource request message, the transparent transmission information being used to inform each intermediate switching node that forwards the resource request message that it need not perform an SSL encryption and decryption operation on the resource request message each time the message is forwarded between switching nodes, but forwards the resource request message directly using the Transmission Control Protocol (TCP);
forwarding the resource request message containing the transparent transmission information.
In another aspect, an embodiment of the invention provides an SSL message forwarding device, the device comprising: a message receiving unit, configured to receive a resource request message sent by a user, the resource request message being an SSL message encrypted with SSL;
an information adding unit, configured to determine that the resource requested by the resource request message is a non-local resource and to add transparent transmission information to the resource request message whose requested resource is non-local, the transparent transmission information being used to inform each intermediate switching node that forwards the resource request message that it need not perform an SSL encryption and decryption operation on the resource request message each time the message is forwarded between switching nodes, but forwards the resource request message directly using TCP;
an information transparent transmission unit, configured to forward the resource request message containing the transparent transmission information.
In a further aspect, an embodiment of the invention provides a switch, the switch comprising: a message receiving unit, configured to receive a resource request message sent by a sending end, the resource request message being an SSL message encrypted with SSL;
a message forwarding unit, configured to determine that the resource request message contains transparent transmission information and to forward the resource request message containing the transparent transmission information; the transparent transmission information is used to inform each intermediate switch that forwards the resource request message that it need not perform an SSL encryption and decryption operation on the resource request message each time the message is forwarded between switches, but forwards the resource request message directly using TCP.
In yet another aspect, an embodiment of the invention provides an SSL message forwarding system, the system comprising: a source site, configured to receive a resource request message sent by a user, the resource request message being an SSL message encrypted with SSL; if the resource requested by the resource request message is a non-local resource, to add transparent transmission information to the resource request message and to forward the resource request message containing the transparent transmission information, the transparent transmission information being used to inform each intermediate switching node that forwards the resource request message that it need not perform an SSL encryption and decryption operation on the resource request message each time the message is forwarded between switching nodes, but forwards the resource request message directly using TCP;
a switching node, configured to receive the resource request message sent by the source site, determine that the resource request message contains transparent transmission information, and forward the resource request message containing the transparent transmission information;
a destination site, configured to receive the resource request message sent by the switch and return the requested resource.
The above technical solutions have the following beneficial effect: because transparent transmission information is added to a resource request message whose requested resource is non-local, and the technique of message transparent transmission is employed, encryption and decryption need only be performed once, at the source site and at the destination site, and the intermediate switching nodes that forward the resource request message do not each perform encryption and decryption on the message but forward it directly using TCP. This reduces the number of encryption and decryption operations during message transmission, increases the speed at which the resource request message is forwarded, and improves network performance.
Description of drawings
In order to illustrate the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of an SSL message forwarding method according to an embodiment of the invention;
Fig. 2 is a block diagram of an SSL message forwarding device according to an embodiment of the invention;
Fig. 3 is a block diagram of another SSL message forwarding device according to an embodiment of the invention;
Fig. 4 is a block diagram of a switch according to an embodiment of the invention;
Fig. 5 is a block diagram of another switch according to an embodiment of the invention;
Fig. 6 is a structural diagram of an SSL message forwarding system according to an embodiment of the invention;
Fig. 7 is a schematic diagram of mesh topology networking between VPN sites according to an embodiment of the invention;
Fig. 8 is a schematic diagram of star topology networking between VPN sites according to an embodiment of the invention;
Fig. 9 is a schematic diagram of hierarchical topology networking between VPN sites according to an embodiment of the invention.
Embodiment
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Embodiment one:
As shown in Fig. 1, a flowchart of an SSL protocol message forwarding method according to an embodiment of the invention, the method includes:
Step 101: receive a resource request message sent by a user.
The resource request message is an SSL message of a Virtual Private Network. Before the resource request message sent by the user is received, the method may further include session key sharing between the source site and the destination site. Session key sharing may specifically include: a switching node dynamically generates a key, and the generated key is synchronized to all sites and switching nodes through the SSL channels between the source/destination sites and the switching node and/or between switching nodes. Through this session key sharing, during the transparent transmission of the resource request message described below, encryption and decryption need only be performed between the source site and the destination site, which increases the security of the resource request message transmission.
It should be noted that the switch that dynamically generates the key is a pre-selected switching node.
Step 102: if the resource requested by the resource request message is a non-local resource, add transparent transmission information to the resource request message.
If the resource requested by the resource request message is a non-local resource, transparent transmission information is added to the header of the resource request message. The ways of adding transparent transmission information may include adding a transparent transmission label, adding a transparent transmission identification signal, or adding a resource ID number to the header of the message. It should be noted that a non-local resource here is a resource of a site in another network domain, that is, a resource of a site that is not in the same network domain as the user who initiated the resource request message.
Here the transparent transmission information is used to inform each intermediate switching node that forwards the resource request message that it need not perform an SSL encryption and decryption operation on the message each time the message is forwarded between switching nodes, but forwards the resource request message directly using TCP. After the transparent transmission information has been added to a resource request message whose requested resource is non-local, routing information may also be added to the message; the routing information indicates information such as the forwarding path of the message.
Step 103: forward the resource request message containing the transparent transmission information.
The resource request message containing the transparent transmission information may be transparently transmitted to the receiving end using information such as the forwarding path in the routing information. When the message is forwarded between the source/destination sites and a switching node and/or between switching nodes, each intermediate switching node, on receiving the resource request message, detects the transparent transmission information in it, forwards the resource request message containing the transparent transmission information directly over a TCP connection, and no longer performs encryption and decryption on the resource request message.
It should be noted that in one embodiment the switching node may be a switch with the relevant functions, and in another embodiment it may be other switching equipment with similar functions.
The method of the above embodiment of the invention adds transparent transmission information to a resource request message whose requested resource is non-local and employs message transparent transmission, so that encryption and decryption need only be performed once, at the source site and at the destination site, and the intermediate switching nodes that forward the resource request message do not each perform encryption and decryption on the message but forward it directly using TCP. This reduces the number of encryption and decryption operations during message transmission, increases the speed at which the resource request message is forwarded, and improves network performance. In addition, session key sharing increases the security of the resource request message transmission.
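The following is an added example, not code from the patent or its assignee, that simulates Steps 101 to 103 of Embodiment one together with the session key sharing described before Step 101 (the same mechanism the key sharing unit 204 and key unit 403 of the later embodiments provide). It compares the transparent-transmission path with a per-hop baseline in a Site2Switch2Site chain and counts where keys are used. Everything concrete is an assumption: the site and switch names, the header layout (a "TT" label, a resource ID and a route list sent in the clear), the HMAC-based encrypt-then-MAC record that stands in for one SSL encryption/decryption operation, and the assumption that the pre-selected switch has a direct SSL channel to every node it pushes the session key to.

```python
import hashlib
import hmac
import os
import struct

# Constructed stand-in for one "SSL encryption/decryption operation": encrypt-
# then-MAC over an HMAC-SHA256 keystream. Not TLS; it only makes key use countable.
def _keystream(key, nonce, length):
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]

def seal(key, plaintext):
    """Record = nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key + b"enc", nonce, len(plaintext))))
    return nonce + ct + hmac.new(key + b"mac", nonce + ct, hashlib.sha256).digest()

def open_record(key, record):
    """Verify the tag before decrypting; a modified record is rejected."""
    nonce, ct, tag = record[:12], record[12:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(key + b"mac", nonce + ct, hashlib.sha256).digest()):
        raise ValueError("record authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key + b"enc", nonce, len(ct))))

def opens_cleanly(key, record):
    try:
        open_record(key, record)
        return True
    except ValueError:
        return False

def share_session_key(generator, nodes, link_keys):
    """Before Step 101: a pre-selected switch generates the session key and
    pushes it to each node over its per-link SSL channel (assumed direct)."""
    session_key = os.urandom(32)
    received = {generator: session_key}
    for node in nodes:
        if node != generator:
            link = link_keys[frozenset((generator, node))]
            received[node] = open_record(link, seal(link, session_key))
    return received

TT_LABEL = b"TT"   # constructed transparent-transmission label (Step 102)

def add_tt_header(resource_id, route, body):
    """Header sent in the clear: label, resource ID and routing information."""
    route_bytes = ",".join(route).encode()
    return TT_LABEL + struct.pack(">IH", resource_id, len(route_bytes)) + route_bytes + body

def parse_tt_header(msg):
    """(resource_id, route, body), or None when the label is absent."""
    if msg[:2] != TT_LABEL:
        return None
    resource_id, rlen = struct.unpack(">IH", msg[2:8])
    route = msg[8:8 + rlen].decode().split(",") if rlen else []
    return resource_id, route, msg[8 + rlen:]

def forward(path, resource_id, request, session_keys, link_keys, transparent):
    """Carry `request` along `path`; return (resource_id, plaintext, crypto ops per node).
    transparent=True: Steps 101-103, sealed once at the source, opened once at the
    destination. transparent=False: per-hop baseline, every switch opens and re-seals."""
    ops = {node: 0 for node in path}
    src, dst = path[0], path[-1]
    if transparent:
        msg = add_tt_header(resource_id, path[1:], seal(session_keys[src], request))
        ops[src] += 1
        for _switch in path[1:-1]:
            if parse_tt_header(msg) is None:
                raise ValueError("unlabelled message reached a transparent switch")
            # label present (Step 103): forwarded over TCP as-is, no key, no crypto op
        rid, _route, record = parse_tt_header(msg)
        plaintext = open_record(session_keys[dst], record)
        ops[dst] += 1
        return rid, plaintext, ops
    record = seal(link_keys[frozenset((src, path[1]))], request)
    ops[src] += 1
    for i in range(1, len(path) - 1):
        plain = open_record(link_keys[frozenset((path[i - 1], path[i]))], record)
        record = seal(link_keys[frozenset((path[i], path[i + 1]))], plain)
        ops[path[i]] += 2
    plaintext = open_record(link_keys[frozenset((path[-2], dst))], record)
    ops[dst] += 1
    return resource_id, plaintext, ops

def demo():
    """Site2Switch2Site: total crypto operations, transparent vs per-hop."""
    path = ["site_A", "switch_1", "switch_2", "site_B"]
    links = [("site_A", "switch_1"), ("switch_1", "switch_2"),
             ("switch_2", "site_B"), ("switch_1", "site_B")]
    link_keys = {frozenset(p): os.urandom(32) for p in links}
    session_keys = share_session_key("switch_1", path, link_keys)
    req = b"GET /reports/q1.pdf"   # constructed resource request
    _, pt1, ops_tt = forward(path, 42, req, session_keys, link_keys, True)
    _, pt2, ops_hop = forward(path, 42, req, session_keys, link_keys, False)
    return pt1 == pt2 == req, sum(ops_tt.values()), sum(ops_hop.values())
```

With two switches between the sites, `demo()` returns two crypto operations for the transparent path against six for the per-hop baseline, and the count for the transparent path stays at two however many switches are inserted. Two points the simulation makes visible: the switches forward on the basis of a header they can read but never hold the session key, so the request body is opaque to them; and the destination verifies the record's tag before using the plaintext, so a record altered in transit is rejected rather than served.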
Embodiment two:
As shown in Fig. 2, a block diagram of an SSL message forwarding device according to an embodiment of the invention, the device 20 includes:
a message receiving unit 201, configured to receive a resource request message sent by a user;
This resource request message is an SSL message of a Virtual Private Network.
an information adding unit 202, configured to determine that the resource requested by the resource request message is a non-local resource and to add transparent transmission information to the resource request message whose requested resource is non-local;
If the resource requested by the resource request message is a non-local resource, transparent transmission information is added to the header of the resource request message. The ways of adding transparent transmission information may include adding a transparent transmission label, adding a transparent transmission identification signal, or adding a resource ID number to the header of the message. It should be noted that a non-local resource here is a resource of a site in another network domain, that is, a resource of a site that is not in the same network domain as the user who initiated the resource request message.
Here the transparent transmission information is used to inform each intermediate switching node that forwards the resource request message that it need not perform an SSL encryption and decryption operation on the message each time the message is forwarded between switching nodes, but forwards the resource request message directly using TCP.
an information transparent transmission unit 203, configured to forward the resource request message containing the transparent transmission information.
Here, because transparent transmission information has been added to the resource request message, the information transparent transmission unit 203 forwards the message directly using TCP. Because the transparent transmission information has been added, the resource request message need not undergo an SSL encryption and decryption operation at every node it passes through, but is carried directly over TCP when forwarded by each node.
It should be noted that a non-local resource here is a resource of a site in another network domain, that is, a resource of a site that is not in the same network domain as the user who initiated the resource request message.
Optionally, the information adding unit 202 is further configured to add routing information to the header of the resource request message, the routing information indicating information such as the forwarding path of the message; the information transparent transmission unit 203 can then use the routing information to forward the resource request message containing the transparent transmission information.
Here the SSL message forwarding device 20 may be a site device or another device implementing the above functions.
It should be noted that in one embodiment the switching node may be a switch with the relevant functions, and in another embodiment it may be other switching equipment with similar functions.
The device of the above embodiment of the invention adds transparent transmission information to a resource request message whose requested resource is non-local and employs message transparent transmission, so that encryption and decryption need only be performed once, at the source site and at the destination site, and the intermediate switching nodes that forward the resource request message do not each perform encryption and decryption on the message but forward it directly using TCP. This reduces the number of encryption and decryption operations during message transmission, increases the speed at which the resource request message is forwarded, and improves network performance.
As shown in Fig. 3, a block diagram of another SSL message forwarding device according to an embodiment of the invention, the device 30 includes: a message receiving unit 201, configured to receive a resource request message sent by a user; an information adding unit 202, configured to add transparent transmission information to the resource request message if the resource requested by the resource request message is a non-local resource; and an information transparent transmission unit 203, configured to forward the resource request message containing the transparent transmission information. It should be noted that a non-local resource here is a resource of a site in another network domain, that is, a resource of a site that is not in the same network domain as the user who initiated the resource request message.
Besides the message receiving unit 201, the information adding unit 202 and the information transparent transmission unit 203 of the message forwarding device 20 of Fig. 2, the device 30 may further include a key sharing unit 204, configured to perform session key sharing between the source site and the destination site before the resource request message sent by the user is received. Through this session key sharing, encryption and decryption during the transparent transmission of the resource request message need only be performed between the source site and the destination site, which increases the security of the resource request message transmission while at the same time significantly reducing the number of encryption and decryption operations during message transmission.
Preferably, the resource request message sent by the user that the message receiving unit 201 is configured to receive may be an SSL protocol message of a Virtual Private Network. The key sharing unit 204 may specifically be configured to have a pre-selected switching node dynamically generate a key and to synchronize the generated key to all sites and switching nodes through the SSL channels between the source/destination sites and the switching node and/or between switching nodes. The information transparent transmission unit 203 may specifically be configured to forward the resource request message containing the transparent transmission information over TCP connections between the source/destination sites and a switching node and/or between switching nodes.
It should be noted that in one embodiment the switching node may be a switch with the relevant functions, and in another embodiment it may be other switching equipment with similar functions.
The device of the above embodiment of the invention adds transparent transmission information to a resource request message whose requested resource is non-local and employs message transparent transmission, so that encryption and decryption need only be performed once, at the source site and at the destination site, and the intermediate switching nodes that forward the resource request message do not each perform encryption and decryption on the message but forward it directly using TCP. This reduces the number of encryption and decryption operations during message transmission, increases the speed at which the resource request message is forwarded, and improves network performance. In addition, session key sharing increases the security of the resource request message transmission.
Embodiment three:
Corresponding to the message forwarding device of the above embodiments, as shown in Fig. 4, a block diagram of a switch according to an embodiment of the invention, the switch 40 includes:
a message receiving unit 401, configured to receive a resource request message sent by a sending end;
This resource request message is an SSL message of a Virtual Private Network.
a message forwarding unit 402, configured to determine that the resource request message contains transparent transmission information and to forward the resource request message containing the transparent transmission information.
The transparent transmission information is used to inform each intermediate switch that forwards the resource request message that it need not perform an SSL encryption and decryption operation on the resource request message each time the message is forwarded between switches, but forwards the resource request message directly using TCP, which significantly reduces the number of encryption and decryption operations during message forwarding.
In the above embodiment of the invention, the switch confirms the transparent transmission information in the received resource request message and employs transparent transmission, so that encryption and decryption need only be performed once, at the source site and at the destination site, and the intermediate switching nodes that forward the resource request message do not each perform encryption and decryption on the message but forward it directly using TCP. This reduces the number of encryption and decryption operations during message transmission, increases the speed at which the resource request message is forwarded, and improves network performance.
Optionally, as shown in Fig. 5, a block diagram of another switch according to an embodiment of the invention, the switch 50 includes not only the message receiving unit 401 and the message forwarding unit 402 of Fig. 4 but may further include a key unit 403, configured to dynamically generate a key and to synchronize the generated key to all sites through the SSL channels between the source/destination sites and the switch and/or between switches.
The switch of the above embodiment of the invention confirms the transparent transmission information in the received resource request message and employs transparent transmission, so that encryption and decryption need only be performed once, at the source site and at the destination site, and the intermediate switching nodes that forward the resource request message do not each perform encryption and decryption on the message but forward it directly using TCP. This reduces the number of encryption and decryption operations during message transmission, increases the speed at which the resource request message is forwarded, and improves network performance. At the same time, through the session key sharing performed by this switch, encryption and decryption need only be performed between the source site and the destination site, which increases the security of the resource request message transmission.
Embodiment four:
As shown in Fig. 6, a structural diagram of an SSL message forwarding system according to an embodiment of the invention, the system includes:
a source site 61, configured to receive a resource request message sent by a user, add transparent transmission information to the resource request message if the resource requested by the resource request message is a non-local resource, and forward the resource request message containing the transparent transmission information; here the resource request message is an SSL message of a Virtual Private Network.
It should be noted that a non-local resource here is a resource of a site in another network domain, that is, a resource of a site that is not in the same network domain as the user who initiated the resource request message.
a switching node 62, configured to receive the resource request message sent by the source site 61, and further configured to determine that the resource request message contains transparent transmission information and to forward the resource request message containing the transparent transmission information, which may be forwarded to a further switch or to the destination site;
a destination site 63, configured to receive the resource request message sent by the switching node 62 and return the requested resource.
The switching node 62 may further be configured to dynamically generate a key and to synchronize the generated key to all sites and switching nodes through the SSL channels between the source/destination sites and the switching node and/or between switching nodes.
It should be noted that in one embodiment the switching node may be a switch with the relevant functions, and in another embodiment it may be other switching equipment with similar functions.
The system of the above embodiment of the invention adds transparent transmission information to a resource request message whose requested resource is non-local and employs message transparent transmission, so that encryption and decryption need only be performed once, at the source site and at the destination site, and the intermediate switching nodes that forward the resource request message do not each perform encryption and decryption on the message but forward it directly using TCP. This reduces the number of encryption and decryption operations during message transmission, increases the speed at which the resource request message is forwarded, and improves network performance. In addition, session key sharing increases the security of the resource request message transmission.
Embodiment five:
This embodiment of the invention mainly describes the fast forwarding capability of an SSL VPN that uses transparent-transmission technology between sites (site-to-site, Site2Site), so as to support site-to-site SSL VPN deployments. At the same time, implementing site-to-site with SSL VPN makes device authentication between sites easier than with IPSec VPN.
Figure 7 is a schematic diagram of a mesh-topology network between VPN sites according to an embodiment of the invention. In a site-to-site VPN network with a mesh topology, all sites (site A, site B, site C, site D) are neighbors of one another and are peers. When the number of sites N is very large, a state change at one site causes the neighbor tables of the other N-1 sites to be refreshed, so the cost of maintaining the device tables is very high. The embodiment of the invention therefore provides a star-topology network, shown in Figure 8.
Figure 8 is a schematic diagram of a star-topology network between VPN sites according to an embodiment of the invention. When there are many sites, an intermediate node, the switching node (Switch), is usually introduced and the network becomes a star topology. In this arrangement the Switch node manages all Site nodes and publishes the resources of the other Sites. However, when the sites are geographically dispersed and very numerous, a star topology has difficulty meeting the demand of managing all nodes, so the embodiment of the invention provides a hierarchical-topology network.
Figure 9 is a schematic diagram of a hierarchical-topology network between VPN sites according to an embodiment of the invention. When the sites are geographically dispersed and very numerous, a hierarchical topology is used: there are multiple Switches, each Switch manages the Sites adjacent to it, publishes the resources of the Sites it manages, and at the same time obtains, by resource synchronization, the resources published by the other Switches.
As can be seen from Figure 9, when a user of site A accesses a resource of site D, the request passes through five encryption/decryption operations: computer browser -> site A, site A -> switching node A, switching node A -> switching node B, switching node B -> switching node D, switching node D -> site D. Such frequent encryption and decryption, all performed at the socket layer, is a heavy loss of VPN network performance.
For this reason, the embodiment of the invention provides, on the basis of the hierarchical topology shown in the figure, a method for fast SSL VPN forwarding:
1) SSL header extension
At the access layer 901, the resource request message sent by the user is received. If the requested resource is found to be non-local, i.e. a remote resource, transparent-transmission information is added to the resource request message, for example by setting a transparent-transmission label or a transparent-transmission identifier in the message, or by adding a resource ID number, and corresponding routing information is added as well.
The transparent-transmission information informs each intermediate switching node that relays the resource request message that it need not perform SSL encryption/decryption on the message when it is transmitted between switching nodes, but can forward it directly over the Transmission Control Protocol (TCP). After the transparent-transmission information has been added to a resource request message whose requested resource is a remote resource, routing information may also be added to the message; the routing information indicates the path along which the message is to be forwarded and similar details.
2) SSL message transmission
Between site <--> switching node and between switching node <--> switching node, the SSL message is, according to the added transparent-transmission information, no longer subjected to repeated encryption/decryption operations but is transmitted directly over TCP, and the resource request message carrying the transparent-transmission information is delivered to the receiving end according to the corresponding routing information.
3) Session key sharing
Because the SSL message is transparently transmitted between site <--> switching node and between switching node <--> switching node without encryption/decryption, the SSL encryption and decryption are no longer performed between SSL peers (Peers): several devices may lie in between. For what is encrypted at one end to be decryptable at the other end, a key is shared between the source site and the destination site.
4) Key management system
Key sharing may make the session insecure, so a key management system must be established. In one embodiment the key management system may be a public key infrastructure (PKI) system; in another embodiment it may be another system with functions similar to PKI. It will be understood that in one embodiment the key management system may also designate one Switch to dynamically generate a key (Key) and synchronize this Key to all sites over the inter-device SSL channel (the channel that carries key transfer and other management information). The specific implementation of this method is elaborated in the preceding embodiments and is not repeated here.
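The four steps above (header extension, transparent transmission, session-key sharing, key management), together with the source site / switching node / destination site system described earlier, in one runnable model. This is an added example, not code from the patent: the outer header format (a MAGIC marker, a flag byte, a comma-separated route) is invented for illustration; an HMAC-SHA256 keystream plus HMAC tag stands in for SSL record protection; the inter-device SSL channel used for key synchronization is modelled as a dict write; and the browser-to-site hop is not modelled, so the Figure 9 path site A -> switch A -> switch B -> switch D -> site D costs 8 individual encrypt/decrypt operations hop by hop versus 2 with transparent forwarding. One observation the example makes visible: the outer header is plaintext and outside the record tag, so a node on the path could rewrite the route; the patent does not specify how the transparent-transmission information itself is protected.

```python
# Added example (not from the patent): transparent forwarding of an SSL-protected
# resource request through a chain of switching nodes, plus the session-key
# distribution that makes it work. Stdlib only. The HMAC-SHA256 keystream and tag
# stand in for the SSL record layer; the outer framing (MAGIC, flags, route) is an
# assumed format, not the patent's.
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Tuple

MAGIC = b"TT"            # assumed marker for the transparent-transmission header
FLAG_TRANSPARENT = 0x01  # the transparent-transmission label
NONCE_LEN, TAG_LEN = 12, 32


class KeyManager:
    """Key management step: a designated switch generates the session key and
    pushes it to every site and switch (the inter-device SSL channel is modelled
    as a dict write)."""

    def __init__(self, designated_switch: str) -> None:
        self.designated_switch = designated_switch
        self.keys: Dict[str, bytes] = {}

    def rekey(self, nodes: List[str]) -> bytes:
        key = os.urandom(32)
        for node in nodes:
            self.keys[node] = key
        return key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag (stand-in for an SSL record)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unprotect(key: bytes, record: bytes) -> bytes:
    nonce, ct, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("record MAC check failed (wrong key or tampered record)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def add_transparent_info(record: bytes, route: List[str]) -> bytes:
    """Header extension step: prepend label + routing information. This outer
    header is plaintext and not covered by the record tag (see lead-in)."""
    path = ",".join(route).encode()
    return MAGIC + bytes([FLAG_TRANSPARENT]) + struct.pack(">H", len(path)) + path + record


def parse_outer(msg: bytes) -> Tuple[int, List[str], bytes]:
    """Return (flags, remaining route, inner SSL record); flags == 0 if unlabelled."""
    if msg[:2] != MAGIC:
        return 0, [], msg
    (n,) = struct.unpack(">H", msg[3:5])
    route = msg[5:5 + n].decode().split(",") if n else []
    return msg[2], route, msg[5 + n:]


def send_request(km: KeyManager, src: str, dst: str, switches: List[str],
                 payload: bytes, transparent: bool) -> Tuple[bytes, int]:
    """Carry one resource request from src to dst through the switching nodes.
    Returns (plaintext recovered at dst, number of encrypt/decrypt operations)."""
    nodes = [src] + switches + [dst]
    if transparent:
        # Source site: one encryption with the shared session key, then label it.
        msg = add_transparent_info(protect(km.keys[src], payload), switches + [dst])
        for hop in switches:
            flags, route, inner = parse_outer(msg)
            if not (flags & FLAG_TRANSPARENT) or not route or route[0] != hop:
                raise ValueError(f"{hop}: message not labelled for transparent relay")
            # TCP relay only: pop self from the route, leave the SSL record untouched.
            msg = add_transparent_info(inner, route[1:])
        _, route, inner = parse_outer(msg)
        if route != [dst]:
            raise ValueError("route did not terminate at the destination site")
        return unprotect(km.keys[dst], inner), 2
    # Conventional hop-by-hop SSL: one session key per link, and every switching
    # node terminates one session and re-encrypts for the next.
    link_keys = {(a, b): os.urandom(32) for a, b in zip(nodes, nodes[1:])}
    msg, ops = protect(link_keys[(nodes[0], nodes[1])], payload), 1
    for i in range(1, len(nodes) - 1):
        clear = unprotect(link_keys[(nodes[i - 1], nodes[i])], msg)
        msg, ops = protect(link_keys[(nodes[i], nodes[i + 1])], clear), ops + 2
    return unprotect(link_keys[(nodes[-2], nodes[-1])], msg), ops + 1


if __name__ == "__main__":
    # Constructed Figure 9 style path: site A -> switch A -> switch B -> switch D -> site D
    km = KeyManager("switch A")
    km.rekey(["site A", "switch A", "switch B", "switch D", "site D"])
    path, req = ["switch A", "switch B", "switch D"], b"GET /remote/report.pdf HTTP/1.1"
    for mode in (False, True):
        out, ops = send_request(km, "site A", "site D", path, req, transparent=mode)
        print(f"transparent={mode}: delivered={out == req}, crypto ops={ops}")
```

The conventional branch models what the patent calls the "frequent encryption and decryption" of Figure 9: each switching node holds a link key and must decrypt and re-encrypt, so it also sees the plaintext. In the transparent branch the switches hold the shared session key too (the key manager pushes it to every node) but never use it; they only parse and rewrite the outer route.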
Because device authentication between the sites of an IPSec VPN is very complicated to configure, the devices between SSL VPN sites use the certificate authentication of the SSL protocol itself (mutual authentication with certificates issued by a trusted third party). In the site-to-site SSL VPN solution shown in Figure 9, SSL VPN transparent-transmission messages may be used in the access layer 901 (between the user and the site) and between the access layer 901 and the convergence layer 902 (between the source/destination site and the switching node), while within the convergence layer 902 (between switching nodes) either SSL VPN transparent-transmission messages or IPSec VPN transparent-transmission messages may be used.
Note that in one embodiment the switching node may be a switch with the relevant function; in another embodiment it may be other switching equipment with similar functions.
In the above embodiment of the invention, transparent-transmission information is added to a resource request message whose requested resource is a remote resource, and the message is transparently forwarded: an encryption/decryption operation is performed only at the source site and at the destination site, while the intermediate switching nodes that relay the resource request message do not perform any encryption/decryption on the message but forward it directly over TCP. This reduces the number of encryption/decryption operations during message transmission, speeds up forwarding of the resource request message and improves network performance. In addition, sharing the session key improves the security of the resource request message in transit.
Those of ordinary skill in the art will appreciate that all or part of the steps of the methods in the above embodiments may be completed by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, performs all or part of the above steps. The storage medium may be a ROM/RAM, a magnetic disk, an optical disc or the like.
The above embodiments further describe the purpose, technical solutions and beneficial effects of the invention. It should be understood that the above are only specific embodiments of the invention and are not intended to limit its scope; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall be included within the scope of protection of the invention.

Claims (10)

1. A Secure Sockets Layer (SSL) message forwarding method, characterized in that the method comprises:
receiving a resource request message sent by a user, the resource request message being an SSL message;
if the resource requested by the resource request message is a remote resource, adding transparent-transmission information to the resource request message, the transparent-transmission information informing each intermediate switching node that relays the resource request message to forward the resource request message directly over the Transmission Control Protocol (TCP);
forwarding the resource request message carrying the transparent-transmission information.
2. The method according to claim 1, characterized in that, if the resource requested by the resource request message is a remote resource, adding transparent-transmission information to the resource request message further comprises adding routing information to the resource request message; and the resource request message carrying the transparent-transmission information is forwarded using the routing information.
3. The method according to claim 1, characterized in that, before receiving the resource request message sent by the user, the method further comprises:
synchronizing a key dynamically generated by a pre-selected switching node to all sites and switching nodes over the SSL channels between the source/destination sites and the switching nodes and/or between switching nodes.
4. An SSL message forwarding apparatus, characterized in that the apparatus comprises:
a message receiving unit, configured to receive a resource request message sent by a user, the resource request message being an SSL message encrypted with SSL;
an information adding unit, configured to determine that the resource requested by the resource request message is a remote resource and to add transparent-transmission information to the resource request message whose requested resource is a remote resource, the transparent-transmission information informing each intermediate switching node that relays the resource request message to forward the resource request message directly over TCP;
an information transparent-transmission unit, configured to forward the resource request message carrying the transparent-transmission information.
5. The apparatus according to claim 4, characterized in that:
the information adding unit is further configured to add routing information to the resource request message whose requested resource is a remote resource;
the information transparent-transmission unit is further configured to forward the resource request message carrying the transparent-transmission information using the routing information.
6. The apparatus according to claim 4, characterized in that:
the apparatus further comprises a key sharing unit, configured to synchronize a key dynamically generated by a pre-selected switching node to all sites and switching nodes over the SSL channels between the source/destination sites and the switching nodes and/or between switching nodes.
7. A switch, characterized in that the switch comprises:
a message receiving unit, configured to receive a resource request message sent by a sending end, the resource request message being an SSL message encrypted with SSL;
a message forwarding unit, configured to determine that the resource request message carries transparent-transmission information and to forward the resource request message carrying the transparent-transmission information; the transparent-transmission information informing each intermediate switch that relays the resource request message to forward the resource request message directly over TCP.
8. The switch according to claim 7, characterized in that:
the switch further comprises a key unit, configured to dynamically generate a key and synchronize the generated key to all sites and switches over the SSL channels between the source/destination sites and the switches and/or between switches.
9. An SSL message forwarding system, characterized in that the system comprises:
a source site, configured to receive a resource request message sent by a user, the resource request message being an SSL message encrypted with SSL, and, if the resource requested by the resource request message is a remote resource, to add transparent-transmission information to the resource request message and forward the resource request message carrying the transparent-transmission information, the transparent-transmission information informing each intermediate switching node that relays the resource request message to forward the resource request message directly over TCP;
a switching node, configured to receive the resource request message sent by the source site, determine that the resource request message carries the transparent-transmission information, and forward the resource request message carrying the transparent-transmission information;
a destination site, configured to receive the resource request message sent by the switching node and return the requested resource.
10. The system according to claim 9, characterized in that the switching node is further configured to dynamically generate a key and synchronize the generated key to all sites and switching nodes over the SSL channels between the source/destination sites and the switching nodes and/or between switching nodes.
Application: CN2009101286503A, filed 2009-03-20 (priority date 2009-03-20); granted as CN101515896B; status: Expired - Fee Related.

Publications (2)
CN101515896A, published 2009-08-26
CN101515896B, published 2011-01-19

Family ID: 41040195 (one family application, CN2009101286503A; country status: CN, CN101515896B)


Family Cites Families (2)
(* Cited by examiner, † Cited by third party)

Publication number | Priority date | Publication date | Assignee | Title
CN1642265A * | 2004-01-13 | 2005-07-20 | 北京中视联数字系统有限公司 | Communication method of digital television network system
CN100479383C * | 2006-05-17 | 2009-04-15 | 华为技术有限公司 | Management method and system for broadband access network far-end node

Cited By (18)
(* Cited by examiner, † Cited by third party)

Publication number | Priority date | Publication date | Assignee | Title
CN102413176B * | 2011-11-11 | 2014-01-01 | 华为技术有限公司 | Connection transfer method and equipment
CN102413176A * | 2011-11-11 | 2012-04-11 | 华为技术有限公司 | Connection transfer method and equipment
CN102811225A * | 2012-08-22 | 2012-12-05 | 神州数码网络(北京)有限公司 | Method and switch for security socket layer (SSL) intermediate agent to access web resource
CN102811225B * | 2012-08-22 | 2016-08-17 | 神州数码网络(北京)有限公司 | Method and switch for security socket layer (SSL) intermediate agent to access web resource
CN103858389B * | 2013-05-31 | 2016-11-02 | 华为技术有限公司 | Session transmission method, client and Push server
CN103858389A * | 2013-05-31 | 2014-06-11 | 华为技术有限公司 | Session transmission method, client and Push server
CN104935593B * | 2015-06-16 | 2018-11-27 | 新华三技术有限公司 | Data message transmitting method and device
CN104935593A * | 2015-06-16 | 2015-09-23 | 杭州华三通信技术有限公司 | Data message transmitting method and device
WO2017210852A1 * | 2016-06-07 | 2017-12-14 | 华为技术有限公司 | Service processing method and device
US11108549B2 | 2016-06-07 | 2021-08-31 | Huawei Technologies Co., Ltd. | Service processing method and apparatus
CN109981574A * | 2019-02-21 | 2019-07-05 | 深圳优仕康通信有限公司 | Networking encryption method, network relay equipment and computer readable storage medium
CN109981574B * | 2019-02-21 | 2023-02-28 | 深圳优仕康通信有限公司 | Networking encryption method, network relay equipment and computer readable storage medium
CN110519282A * | 2019-08-30 | 2019-11-29 | 新华三信息安全技术有限公司 | Message processing method and device
CN111628976A * | 2020-05-15 | 2020-09-04 | 绿盟科技集团股份有限公司 | Message processing method, device, equipment and medium
CN111628976B * | 2020-05-15 | 2022-06-07 | 绿盟科技集团股份有限公司 | Message processing method, device, equipment and medium
CN111756751A * | 2020-06-28 | 2020-10-09 | 杭州迪普科技股份有限公司 | Message transmission method and device and electronic equipment
CN111756751B * | 2020-06-28 | 2022-10-21 | 杭州迪普科技股份有限公司 | Message transmission method and device and electronic equipment
CN112615867A * | 2020-12-22 | 2021-04-06 | 北京天融信网络安全技术有限公司 | Data packet detection method and device


Legal Events

Code | Title | Description
C06 / PB01 | Publication |
C10 / SE01 | Entry into substantive examination | Entry into force of request for substantive examination
C14 / GR01 | Grant of patent or utility model | Patent grant
C56 / CP01 | Change in the name or address of the patentee | Former name: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD.; owner name after change: HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD. Address before and after: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River. Patentee before: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES Co.,Ltd.; patentee after: HUAWEI DIGITAL TECHNOLOGIES (CHENG DU) Co.,Ltd.
TR01 | Transfer of patent right | Effective date of registration: 2022-09-16. Patentee before: HUAWEI DIGITAL TECHNOLOGIES (CHENG DU) Co.,Ltd., 611731 Qingshui River District, Chengdu hi tech Zone, Sichuan, China. Patentee after: Chengdu Huawei Technologies Co.,Ltd., No. 1899 Xiyuan Avenue, high tech Zone (West District), Chengdu, Sichuan 610041.
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 2011-01-19