Summary of the invention
Embodiments of the invention provide a message forwarding method, apparatus and system that reduce the number of encryption and decryption operations performed while a message is transmitted, and thereby improve network performance.
In one aspect, an embodiment of the invention provides a Secure Sockets Layer (SSL) message forwarding method. The method comprises: receiving a resource request message sent by a user, the resource request message being an SSL message encrypted with SSL;
if the resource requested by the resource request message is a non-local resource, adding transparent transmission information to the resource request message, the transparent transmission information being used to inform each intermediate switching node that forwards the resource request message that it need not perform an SSL encryption and decryption operation on the message at every hop between switching nodes, but can forward the resource request message directly using the Transmission Control Protocol (TCP);
and forwarding the resource request message that contains the transparent transmission information.
In another aspect, an embodiment of the invention provides an SSL message forwarding apparatus. The apparatus comprises: a message receiving unit, configured to receive a resource request message sent by a user, the resource request message being an SSL message encrypted with SSL;
an information adding unit, configured to determine that the resource requested by the resource request message is a non-local resource and to add transparent transmission information to that resource request message, the transparent transmission information being used to inform each intermediate switching node that forwards the resource request message that it need not perform an SSL encryption and decryption operation on the message at every hop between switching nodes, but can forward the resource request message directly using TCP;
and an information transparent transmission unit, configured to forward the resource request message that contains the transparent transmission information.
In a further aspect, an embodiment of the invention provides a switch. The switch comprises: a message receiving unit, configured to receive a resource request message sent by a sending end, the resource request message being an SSL message encrypted with SSL;
and a message forwarding unit, configured to determine that the resource request message contains transparent transmission information and to forward the resource request message that contains it. The transparent transmission information is used to inform each intermediate switch that forwards the resource request message that it need not perform an SSL encryption and decryption operation on the message at every hop between switches, but can forward the resource request message directly using TCP.
In yet another aspect, an embodiment of the invention provides an SSL message forwarding system. The system comprises: a source site, configured to receive a resource request message sent by a user, the resource request message being an SSL message encrypted with SSL; if the resource requested by the resource request message is a non-local resource, to add transparent transmission information to the resource request message; and to forward the resource request message that contains the transparent transmission information, the transparent transmission information being used to inform each intermediate switching node that forwards the resource request message that it need not perform an SSL encryption and decryption operation on the message at every hop between switching nodes, but can forward the resource request message directly using TCP;
a switching node, configured to receive the resource request message sent by the source site, to determine that the resource request message contains transparent transmission information, and to forward the resource request message that contains it;
and a destination site, configured to receive the resource request message sent by the switching node and to return the requested resource.
The above technical solution has the following beneficial effects. Because transparent transmission information is added to a resource request message whose requested resource is non-local, and the message is then passed through, an encryption and decryption operation is needed only at the source site and the destination site; the intermediate switching nodes that forward the resource request message do not each perform an encryption and decryption operation on the message, but forward it directly using TCP. This reduces the number of encryption and decryption operations performed while the message is transmitted, increases the speed at which resource request messages are forwarded, and improves network performance.
Embodiment
The technical solutions in the embodiments of the invention are described below clearly and completely with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the protection scope of the invention.
Embodiment one:
Figure 1 is a flow chart of an SSL message forwarding method according to an embodiment of the invention. The method comprises:
Step 101: receive the resource request message sent by the user.
The resource request message is an SSL message of a virtual private network (VPN). Before the resource request message sent by the user is received, a session key may additionally be shared between the source site and the destination site. Sharing the session key may specifically comprise: one switching node dynamically generates a key, and the generated key is synchronised to all sites and switching nodes over the SSL channels between the source/destination sites and the switching nodes and/or between switching nodes. With the session key shared in this way, only the source site and the destination site need to perform an encryption and decryption operation when the resource request message is later passed through, which increases the security of the resource request message during transmission.
It should be noted that the switch that dynamically generates the key is a preselected switching node.
Step 102: if the resource requested by the resource request message is a non-local resource, add transparent transmission information to the resource request message.
If the resource requested by the resource request message is a non-local resource, transparent transmission information is added to the header of the resource request message. The transparent transmission information may be added to the message header by, for example, adding a transparent transmission label, adding a transparent transmission identification signal, or adding a resource ID number. Here a non-local resource is a resource of a site in another network domain, that is, a resource of a site that is not in the same network domain as the user who initiated the resource request message.
The transparent transmission information here is used to inform each intermediate switching node that forwards the resource request message that it need not perform an SSL encryption and decryption operation on the message at every hop between switching nodes, but can forward the resource request message directly using TCP. After the transparent transmission information has been added to a resource request message whose requested resource is non-local, routing information may also be added to the message; the routing information indicates, among other things, the path along which the message is to be forwarded.
Step 103: forward the resource request message that contains the transparent transmission information.
The resource request message that contains the transparent transmission information may be passed through to the receiving end using the forwarding path and related information in the routing information. While the message is forwarded between a source/destination site and a switching node, and/or between switching nodes, each intermediate switching node that receives the resource request message detects the transparent transmission information in it, forwards the resource request message that contains the transparent transmission information directly over a TCP connection, and no longer performs an encryption and decryption operation on the resource request message.
It should be noted that in one embodiment the switching node may be a switch having the relevant functions, and in another embodiment it may be other switching equipment having similar functions.
In the method of the above embodiment of the invention, because transparent transmission information is added to a resource request message whose requested resource is non-local, and the message is then passed through, an encryption and decryption operation is needed only at the source site and the destination site; the intermediate switching nodes that forward the resource request message do not each perform an encryption and decryption operation on the message, but forward it directly using TCP. This reduces the number of encryption and decryption operations performed while the message is transmitted, increases the speed at which resource request messages are forwarded, and improves network performance. In addition, sharing the session key increases the security of the resource request message during transmission.
Embodiment two:
Figure 2 is a block diagram of an SSL message forwarding apparatus according to an embodiment of the invention. The apparatus 20 comprises:
a message receiving unit 201, configured to receive the resource request message sent by the user;
This resource request message is an SSL message of a VPN.
an information adding unit 202, configured to determine that the resource requested by the resource request message is a non-local resource and to add transparent transmission information to that resource request message;
If the resource requested by the resource request message is a non-local resource, transparent transmission information is added to the header of the resource request message. The transparent transmission information may be added to the message header by, for example, adding a transparent transmission label, adding a transparent transmission identification signal, or adding a resource ID number. Here a non-local resource is a resource of a site in another network domain, that is, a resource of a site that is not in the same network domain as the user who initiated the resource request message.
The transparent transmission information here is used to inform each intermediate switching node that forwards the resource request message that it need not perform an SSL encryption and decryption operation on the message at every hop between switching nodes, but can forward the resource request message directly using TCP.
an information transparent transmission unit 203, configured to forward the resource request message that contains the transparent transmission information.
Here, because transparent transmission information has been added to the resource request message, the information transparent transmission unit 203 forwards the message directly using TCP. Because the transparent transmission information has been added, the resource request message need not undergo an SSL encryption and decryption operation at every node it is forwarded through, but is transmitted between the nodes directly using TCP.
Here a non-local resource is a resource of a site in another network domain, that is, a resource of a site that is not in the same network domain as the user who initiated the resource request message.
Optionally, the information adding unit 202 is further configured to add routing information to the header of the resource request message, the routing information indicating, among other things, the path along which the message is to be forwarded; the information transparent transmission unit 203 can then use the routing information to forward the resource request message that contains the transparent transmission information.
The SSL message forwarding apparatus 20 here may be a site device or another device that implements the above functions.
It should be noted that in one embodiment the switching node may be a switch having the relevant functions, and in another embodiment it may be other switching equipment having similar functions.
The apparatus of the above embodiment of the invention adds transparent transmission information to a resource request message whose requested resource is non-local and then passes the message through, so that an encryption and decryption operation is needed only at the source site and the destination site; the intermediate switching nodes that forward the resource request message do not each perform an encryption and decryption operation on the message, but forward it directly using TCP. This reduces the number of encryption and decryption operations performed while the message is transmitted, increases the speed at which resource request messages are forwarded, and improves network performance.
Figure 3 is a block diagram of another SSL message forwarding apparatus according to an embodiment of the invention. The apparatus 30 comprises: a message receiving unit 201, configured to receive the resource request message sent by the user; an information adding unit 202, configured to add transparent transmission information to the resource request message if the resource requested by the resource request message is a non-local resource; and an information transparent transmission unit 203, configured to forward the resource request message that contains the transparent transmission information. Here a non-local resource is a resource of a site in another network domain, that is, a resource of a site that is not in the same network domain as the user who initiated the resource request message.
In addition to the message receiving unit 201, information adding unit 202 and information transparent transmission unit 203 of the message forwarding apparatus 20 in Figure 2, the apparatus 30 may also comprise a key sharing unit 204, configured to share a session key between the source site and the destination site before the resource request message sent by the user is received. With the session key shared in this way, only the source site and the destination site need to perform an encryption and decryption operation when the resource request message is passed through, which increases the security of the resource request message during transmission while significantly reducing the number of encryption and decryption operations performed during message transmission.
Preferably, the resource request message sent by the user that the message receiving unit 201 is configured to receive may be an SSL message of a VPN. The key sharing unit 204 may specifically be configured to have a preselected switching node dynamically generate a key and to synchronise the generated key to all sites and switching nodes over the SSL channels between the source/destination sites and the switching nodes and/or between switching nodes. The information transparent transmission unit 203 may specifically be configured to forward the resource request message that contains the transparent transmission information over a TCP connection between a source/destination site and a switching node and/or between switching nodes.
It should be noted that in one embodiment the switching node may be a switch having the relevant functions, and in another embodiment it may be other switching equipment having similar functions.
The apparatus of the above embodiment of the invention adds transparent transmission information to a resource request message whose requested resource is non-local and then passes the message through, so that an encryption and decryption operation is needed only at the source site and the destination site; the intermediate switching nodes that forward the resource request message do not each perform an encryption and decryption operation on the message, but forward it directly using TCP. This reduces the number of encryption and decryption operations performed while the message is transmitted, increases the speed at which resource request messages are forwarded, and improves network performance. In addition, sharing the session key increases the security of the resource request message during transmission.
Embodiment three:
Corresponding to the message forwarding apparatus of the above embodiments, Figure 4 is a block diagram of a switch according to an embodiment of the invention. The switch 40 comprises:
a message receiving unit 401, configured to receive the resource request message sent by the sending end;
This resource request message is an SSL message of a VPN.
and a message forwarding unit 402, configured to determine that the resource request message contains transparent transmission information and to forward the resource request message that contains it.
The transparent transmission information is used to inform each intermediate switch that forwards the resource request message that it need not perform an SSL encryption and decryption operation on the message at every hop between switches, but can forward the resource request message directly using TCP, which significantly reduces the number of encryption and decryption operations performed while the message is forwarded.
In the above embodiment of the invention, the switch confirms the transparent transmission information in the received resource request message and passes the message through, so that an encryption and decryption operation is needed only at the source site and the destination site; the intermediate switching nodes that forward the resource request message do not each perform an encryption and decryption operation on the message, but forward it directly using TCP. This reduces the number of encryption and decryption operations performed while the message is transmitted, increases the speed at which resource request messages are forwarded, and improves network performance.
Optionally, Figure 5 is a block diagram of another switch according to an embodiment of the invention. In addition to the message receiving unit 401 and message forwarding unit 402 of Figure 4, the switch 50 may also comprise a key unit 403, configured to dynamically generate a key and to synchronise the generated key to all sites over the SSL channels between the source/destination sites and the switch and/or between switches.
The switch of the above embodiment of the invention confirms the transparent transmission information in the received resource request message and passes the message through, so that an encryption and decryption operation is needed only at the source site and the destination site; the intermediate switching nodes that forward the resource request message do not each perform an encryption and decryption operation on the message, but forward it directly using TCP. This reduces the number of encryption and decryption operations performed while the message is transmitted, increases the speed at which resource request messages are forwarded, and improves network performance. At the same time, because the session key is shared by this switch, only the source site and the destination site need to perform an encryption and decryption operation, which increases the security of the resource request message during transmission.
Embodiment four:
Figure 6 is a schematic diagram of an SSL message forwarding system according to an embodiment of the invention. The system comprises:
a source site 61, configured to receive the resource request message sent by the user, to add transparent transmission information to the resource request message if the resource it requests is a non-local resource, and to forward the resource request message that contains the transparent transmission information; here the resource request message is an SSL message of a VPN.
Here a non-local resource is a resource of a site in another network domain, that is, a resource of a site that is not in the same network domain as the user who initiated the resource request message.
a switching node 62, configured to receive the resource request message sent by the source site 61, to determine that the resource request message contains transparent transmission information, and to forward the resource request message that contains it, which may be forwarded to a further switch or to the destination site;
and a destination site 63, configured to receive the resource request message sent by the switching node 62 and to return the requested resource.
The switching node 62 may further be configured to dynamically generate a key and to synchronise the generated key to all sites and switching nodes over the SSL channels between the source/destination sites and the switching nodes and/or between switching nodes.
It should be noted that in one embodiment the switching node may be a switch having the relevant functions, and in another embodiment it may be other switching equipment having similar functions.
The system of the above embodiment of the invention adds transparent transmission information to a resource request message whose requested resource is non-local and then passes the message through, so that an encryption and decryption operation is needed only at the source site and the destination site; the intermediate switching nodes that forward the resource request message do not each perform an encryption and decryption operation on the message, but forward it directly using TCP. This reduces the number of encryption and decryption operations performed while the message is transmitted, increases the speed at which resource request messages are forwarded, and improves network performance. In addition, sharing the session key increases the security of the resource request message during transmission.
Embodiment five:
This embodiment of the invention mainly describes the fast forwarding capability of an SSL VPN that uses transparent transmission technology in a site-to-site (Site2Site) deployment, and thereby addresses the Site2Site application of SSL VPN. At the same time, implementing the Site2Site function with SSL VPN makes authentication between site devices easier than with IPSec VPN.
Figure 7 is a schematic diagram of a mesh topology between VPN sites according to an embodiment of the invention. If a mesh topology is used in a Site2Site VPN deployment, all sites (site A, site B, site C, site D) are neighbours of one another and are peers. Suppose the number N of sites is very large: whenever the state of one site changes, the neighbour tables of the other N-1 sites must all be refreshed, so the cost of maintaining the device tables is very high. Therefore an embodiment of the invention provides a star topology, shown in Figure 8.
Figure 8 is a schematic diagram of a star topology between VPN sites according to an embodiment of the invention. When there are very many sites, an intermediate node, that is, a switching node (Switch), is generally used, and the topology becomes a star. In this deployment the Switch node manages all Site nodes and at the same time publishes the resources of the other Sites. However, when the sites are geographically distributed and very numerous, a star topology can hardly meet the demands of managing all nodes, so an embodiment of the invention provides a hierarchical topology.
Figure 9 is a schematic diagram of a hierarchical topology between VPN sites according to an embodiment of the invention. When the sites are geographically distributed and very numerous, a hierarchical topology is used: there are several Switches, each Switch manages the Sites adjacent to it, publishes the resources of the Sites it administers outwards, and at the same time obtains the resources published by the other Switches through source synchronisation.
As can be seen from Figure 9, when a user of site A accesses a resource of site D, the request must pass through five encryption and decryption operations: browser --> site A, site A --> switching node A, switching node A --> switching node B, switching node B --> switching node D, and switching node D --> site D. Such frequent encryption and decryption, all of it performed at the socket layer, causes a very large loss of VPN network performance.
For this reason, an embodiment of the invention provides a method for fast forwarding in an SSL VPN on the basis of the hierarchical topology shown in the figure:
1) SSL message header extension
At the access layer 901, the resource request message sent by the user is received. If the requested resource is found not to be a local resource, that is, it is a non-local resource, transparent transmission information is added to the resource request message, by creating a transparent transmission label, creating a transparent transmission identification signal, adding a resource ID number or a similar means, and the corresponding routing information is added as well.
The transparent transmission information here is used to inform each intermediate switching node that forwards the resource request message that it need not perform an SSL encryption and decryption operation on the message at every hop between switching nodes, but can forward the resource request message directly using TCP. After the transparent transmission information has been added to a resource request message whose requested resource is non-local, routing information may also be added to the message; the routing information indicates, among other things, the path along which the message is to be forwarded.
2) SSL message transmission
Between a site and a switching node, and between switching nodes, SSL messages are no longer subjected to frequent encryption and decryption operations: in accordance with the added transparent transmission information they are transmitted directly over TCP, and in accordance with the corresponding routing information the resource request message carrying the transparent transmission information is delivered to the receiving end.
3) Session key sharing
Because SSL messages are passed through between a site and a switching node and between switching nodes without any encryption and decryption operation, the SSL encryption and decryption is no longer performed between SSL peers; several devices may lie between the two ends. Therefore, so that what is encrypted at one end can be decrypted at the other, a key is shared between the source site and the destination site.
4) Key management system
Sharing the key may make the session insecure, so a key management system must be established. In one embodiment the key management system may be a public key infrastructure (PKI) system, and in another embodiment it may be another system with functions similar to a PKI system. It will be understood that in one embodiment the key management system may also designate one Switch to dynamically generate a key (Key) and synchronise this Key to all sites over the inter-device SSL channel (the channel that carries the key transmission or the synchronisation of other management information); the specific implementation of this method has been described in detail in the preceding embodiments and is not repeated here.
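The forwarding procedure of steps 1) to 4) above (and of steps 101 to 103 in Embodiment one), as an added simulation that is not the patent's own code: the header layout, the SHA-256 based toy cipher, the link-key and session-key derivations, and the node and resource names are all constructed assumptions standing in for the real SSL record layer and key synchronisation. It walks one request along the Figure 9 path from site A to site D (the browser-to-site-A leg is omitted), counts SSL operations with and without the transparent transmission label, and shows why the label and routing information should be covered by the end-to-end integrity check.

```python
"""Simulation of the transparent forwarding scheme (added example, not the
patent's code).  Wire format, toy cipher and key derivations are constructed."""
import hashlib
import hmac
import os
import struct

PASSTHROUGH_TAG = b"PT"   # constructed "transparent transmission label"
TERMINATE_TAG = b"TM"     # constructed: no label, SSL terminated at every hop

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter mode) standing in for SSL record encryption."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + struct.pack(">I", i // 32)).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)

def encode_header(tag: bytes, resource_id: str, route: list) -> bytes:
    """Header = tag | 1-byte length | 'resource_id;hop1,hop2,...' (constructed layout)."""
    body = (resource_id + ";" + ",".join(route)).encode()
    return tag + len(body).to_bytes(1, "big") + body

def decode_header(msg: bytes):
    """Return (tag, resource_id, route, offset of the first byte after the header)."""
    tag, hlen = msg[:2], msg[2]
    resource_id, route = msg[3:3 + hlen].decode().split(";")
    return tag, resource_id, (route.split(",") if route else []), 3 + hlen

def seal(key: bytes, header: bytes, plaintext: bytes) -> bytes:
    """One SSL-style encryption (encrypt-then-MAC).  The MAC also covers the
    transparent transmission header, so a label or route altered by any node
    on the path is rejected at the decrypting end."""
    nonce = os.urandom(16)
    body = _keystream_xor(key, nonce, plaintext)
    mac = hmac.new(key, header + nonce + body, hashlib.sha256).digest()
    return header + nonce + body + mac

def open_sealed(key: bytes, msg: bytes) -> bytes:
    """One SSL-style decryption; raises ValueError on MAC failure."""
    _, _, _, end = decode_header(msg)
    header, nonce, body, mac = msg[:end], msg[end:end + 16], msg[end + 16:-32], msg[-32:]
    expect = hmac.new(key, header + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expect):
        raise ValueError("MAC check failed: message or passthrough header altered")
    return _keystream_xor(key, nonce, body)

def link_key(a: str, b: str) -> bytes:
    """Per-link SSL key for the hop-by-hop baseline (constructed derivation)."""
    return hashlib.sha256(b"link:" + a.encode() + b"->" + b.encode()).digest()

def share_session_key(preselected_switch: str) -> bytes:
    """Step 3): a preselected switch generates the end-to-end key; its synchronisation
    to all sites over the existing SSL channels is abstracted away here."""
    return hashlib.sha256(b"session:" + preselected_switch.encode() + os.urandom(16)).digest()

def run_request(path, resource_id, payload, local_resources, passthrough, session_key):
    """Carry one request along path = [source site, switches..., destination site]
    and count SSL operations.  Returns (plaintext seen by the destination, stats)."""
    stats = {"encrypt": 0, "decrypt": 0, "relayed": 0}
    src, dst = path[0], path[-1]
    if resource_id in local_resources.get(src, ()):
        return payload, stats            # local resource: served by the source site itself
    tag = PASSTHROUGH_TAG if passthrough else TERMINATE_TAG
    key = session_key if passthrough else link_key(src, path[1])
    msg = seal(key, encode_header(tag, resource_id, path[1:]), payload)
    stats["encrypt"] += 1                # the single encryption at the source site
    for i in range(1, len(path) - 1):    # intermediate switching nodes
        tag, rid, route, _ = decode_header(msg)
        if tag == PASSTHROUGH_TAG:
            stats["relayed"] += 1        # label present: relay the bytes untouched over TCP
            continue
        plaintext = open_sealed(link_key(path[i - 1], path[i]), msg)   # terminate SSL here
        stats["decrypt"] += 1
        msg = seal(link_key(path[i], path[i + 1]), encode_header(tag, rid, route), plaintext)
        stats["encrypt"] += 1            # and re-encrypt for the next link
    key = session_key if passthrough else link_key(path[-2], dst)
    recovered = open_sealed(key, msg)    # the single decryption at the destination site
    stats["decrypt"] += 1
    return recovered, stats

# Constructed Figure 9 path (browser -> site A leg omitted): site A, switch A, B, D, site D
FIG9_PATH = ["siteA", "switchA", "switchB", "switchD", "siteD"]
LOCAL = {"siteA": {"res-A1"}, "siteD": {"res-D7"}}   # constructed resource ids

if __name__ == "__main__":
    sk = share_session_key("switchA")
    for mode in (True, False):
        _, st = run_request(FIG9_PATH, "res-D7", b"GET /res-D7", LOCAL, mode, sk)
        print("passthrough" if mode else "hop-by-hop ", st)
```

With the label present the relayed bytes are identical at every hop and the switches never touch the key, so who can read the request is decided entirely by the key sharing of step 3) and the key management of step 4).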
Because device authentication between the sites of an IPSec VPN is very complex to configure, whereas the devices between the sites of an SSL VPN use the certificate authentication of the SSL protocol itself (mutual authentication with certificates issued by a trusted third party), the following is considered. In the solution that implements SSL VPN Site2Site, as shown in Figure 9, SSL VPN transparent transmission messages can be used in the access layer 901 (between the user and the site) and between the access layer 901 and the aggregation layer 902 (between the source/destination sites and the switching nodes); within the aggregation layer 902 (between switching nodes), either SSL VPN transparent transmission messages or IPSec VPN transparent transmission messages can be used.
It should be noted that in one embodiment the switching node may be a switch having the relevant functions, and in another embodiment it may be other switching equipment having similar functions.
The above embodiment of the invention adds transparent transmission information to a resource request message whose requested resource is non-local and then passes the message through, so that an encryption and decryption operation is needed only at the source site and the destination site; the intermediate switching nodes that forward the resource request message do not each perform an encryption and decryption operation on the message, but forward it directly using TCP. This reduces the number of encryption and decryption operations performed while the message is transmitted, increases the speed at which resource request messages are forwarded, and improves network performance. In addition, sharing the session key increases the security of the resource request message during transmission.
Those of ordinary skill in the art will understand that all or some of the steps of the methods in the above embodiments can be carried out by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, performs all or some of the above steps. The storage medium may be, for example, a ROM/RAM, a magnetic disk or an optical disc.
The above embodiments further describe the objectives, technical solutions and beneficial effects of the present invention in detail. It should be understood that the above are only specific embodiments of the present invention and are not intended to limit its scope; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.