CN101572644B - Data encapsulation method and equipment thereof - Google Patents

Info

Publication number: CN101572644B
Authority: CN (China)
Prior art keywords: tunnel, equipment, encapsulation, ipsec, tunneling technique
Legal status: Active
Application number: CN2009101477854A
Other languages: Chinese (zh)
Other versions: CN101572644A
Inventors: 李永波, 吴频
Current Assignee: New H3C Technologies Co Ltd
Original Assignee: Hangzhou H3C Technologies Co Ltd
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN2009101477854A
Publication of CN101572644A
Application granted
Publication of CN101572644B

Abstract

The invention discloses a data encapsulation method comprising the following steps: a first device judges whether the endpoints of a configured tunnel are the same as those of an IPsec tunnel; the first device negotiates with a second device according to the judgment result and determines according to the negotiation result whether encapsulation of the configured tunnel is required; and when encapsulation of the configured tunnel is not required, the first device performs IPsec tunnel encapsulation on the received data packet and sends the encapsulated packet to the second device. In the invention only a single IPsec tunnel encapsulation is required, which reduces the encapsulation processing of the configured tunnel. The invention also provides equipment corresponding to the data encapsulation method.

Description

Data encapsulation method and equipment
Technical field
The present invention relates to the field of communication technology, and in particular to a data encapsulation method and equipment.
Background
IPsec (IP Security) is a Layer 3 tunnel encryption protocol that provides high-quality, interoperable, cryptography-based security for data transmitted over the Internet. By means of encryption and data-origin authentication at the IP layer between specific communicating parties, it provides the following security services for data: confidentiality (the IPsec sender encrypts packets before transmitting them over the network); data integrity (the IPsec receiver authenticates packets from the sender to ensure they were not tampered with in transit); data-origin authentication (the receiving end verifies that the transmitting end that sent the IPsec packet is legitimate); and anti-replay (the IPsec receiver detects and rejects stale or duplicate packets). Together these services fully guarantee the security of business data. The advantages of IPsec include support for IKE (Internet Key Exchange), which provides automatic key negotiation, reduces the overhead of key agreement, and simplifies the use and management of IPsec through the establishment and maintenance of security associations by the IKE service.
Because of these security services and advantages, IPsec is widely deployed in today's networks. IPsec nevertheless has shortcomings of its own. (1) IPsec can process only IP data flows, which limits the encapsulation scope of IPsec. (2) IPsec cannot handle multicast or broadcast IP traffic, which limits the application of IPsec: IP multicast flows cannot pass through an IPsec tunnel, so routing protocols such as EIGRP (Enhanced Interior Gateway Routing Protocol), OSPF (Open Shortest Path First) and RIPv2 (Routing Information Protocol version 2), which use multicast or broadcast addresses, cannot be used between IPsec peers to configure dynamic routing.
In the prior art, to overcome this limitation, a tunnel is configured between the IPsec peers, for example a GRE (Generic Routing Encapsulation) tunnel. An IP multicast (or broadcast) packet destined for the tunnel endpoint is first encapsulated with the GRE tunnel, and the tunnel-encapsulated packet is then protected with IPsec, forming a two-layer tunnel structure; the networking diagram is shown in Fig. 1. Whatever the GRE tunnel encapsulates, whether the IP packet is a multicast packet or another data type, the encapsulated result appears externally as a unicast IP packet, which is exactly what IPsec encapsulation requires, so IPsec can encapsulate the GRE-encapsulated packet. That is, by combining IPsec encapsulation with GRE tunnel encapsulation, the encapsulation scope of IPsec is no longer confined to IP packets, and multicast, broadcast and other types of packets can be encrypted and encapsulated. The encapsulation flow is shown in Fig. 2: the original packet first passes through the tunnel (for example GRE tunnel) encapsulation, which prepends a tunnel header (Tunnel Header) and an IP header (IP Header) to the original packet; the encapsulated original packet is thus a longer unicast IP packet and can undergo IPsec encapsulation. The GRE-encapsulated packet is then IPsec-encapsulated, which prepends an IPsec header (IPsec Header) and an IP header (IP Header). The encrypted packet (the IPsec-encapsulated packet) traverses the intermediate network; on reaching the tunnel peer device it is first IPsec-decapsulated and then GRE-decapsulated to restore the original packet.
From the above analysis, the existing method of combining GRE tunnel encapsulation with IPsec encapsulation so that IPsec can encapsulate packets of any format has the following shortcomings:
Before the GRE-encapsulated original packet is passed to IPsec encapsulation, its length has grown by 32 bytes: as shown in Fig. 2, the IP header occupies 20 bytes and the Tunnel Header occupies 12 bytes (the Tunnel Header occupies 12 bytes when the GRE tunnel is configured with Key). This increases the load on the device when it performs the tunnel encapsulation and on the tunnel peer when it performs the decapsulation; the 32 bytes added by the tunnel encapsulation reduce the efficiency of the IPsec encapsulation; and the increased packet length increases the network bandwidth consumed on the IPsec tunnel transmission path.
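The prior-art layering just described can be made concrete in code. The following is an added example, not part of the patent text: it constructs the outer IPv4 header and the GRE header that Fig. 2 places in front of the original packet before IPsec encapsulation, checks that the result is a unicast IP packet even when the inner packet is multicast, and measures the overhead the description attributes to that layer. Assumptions not stated in the patent: the 12-byte Tunnel Header is taken to be a GRE header in the RFC 2890 layout with the Key and Sequence Number fields present (the patent gives only the 12-byte figure), and all addresses and the payload are constructed sample values.

```python
"""Prior-art two-layer encapsulation: GRE tunnel header + outer IP header ahead of IPsec.

Added example, not part of the patent text. Assumptions not stated in the patent:
the 12-byte Tunnel Header is a GRE header (RFC 2890 layout) with the Key and
Sequence Number fields present; all addresses and the payload are constructed.
"""
import ipaddress
import struct

GRE_FLAG_CHECKSUM = 0x8000   # C bit: Checksum + Reserved1 (4 bytes) present
GRE_FLAG_KEY = 0x2000        # K bit: Key field (4 bytes) present
GRE_FLAG_SEQ = 0x1000        # S bit: Sequence Number field (4 bytes) present
GRE_PROTO_IPV4 = 0x0800      # Ethertype of the encapsulated protocol
IPPROTO_GRE = 47             # IANA protocol number carried in the outer IP header
IPPROTO_OSPF = 89            # used only for the constructed multicast sample


def gre_header_length(flags: int) -> int:
    """GRE header size follows from the flag bits: 4 mandatory bytes plus 4 for each
    optional field. Key alone gives 8 bytes; Key plus Sequence Number gives 12."""
    length = 4
    for bit in (GRE_FLAG_CHECKSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ):
        if flags & bit:
            length += 4
    return length


def build_gre_header(key: int, seq: int, proto: int = GRE_PROTO_IPV4) -> bytes:
    """GRE header with Key and Sequence Number: flags/version, protocol, key, seq."""
    flags = GRE_FLAG_KEY | GRE_FLAG_SEQ
    return struct.pack("!HHII", flags, proto, key, seq)


def ipv4_checksum(hdr: bytes) -> int:
    """Ones-complement sum of the header's 16-bit words; returns 0 for a header whose
    checksum field is already correct, so it doubles as a verifier."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (IHL=5, no options) with its checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_tunnel_encapsulate(inner: bytes, tun_src: str, tun_dst: str, key: int, seq: int) -> bytes:
    """The configured-tunnel step of Fig. 2: outer IP header + Tunnel Header + original packet."""
    gre = build_gre_header(key, seq)
    outer = build_ipv4_header(tun_src, tun_dst, IPPROTO_GRE, len(gre) + len(inner))
    return outer + gre + inner


def outer_dst_is_unicast(packet: bytes) -> bool:
    """True when the packet's IPv4 destination is neither multicast nor limited broadcast,
    i.e. when it is something an IPsec tunnel can carry."""
    dst = ipaddress.IPv4Address(packet[16:20])
    return not (dst.is_multicast or dst == ipaddress.IPv4Address("255.255.255.255"))


def tunnel_overhead(inner: bytes, encapsulated: bytes) -> int:
    """Bytes the configured tunnel added before IPsec sees the packet."""
    return len(encapsulated) - len(inner)


def sample_multicast_packet() -> bytes:
    """Constructed stand-in for a routing-protocol packet sent to the OSPF AllSPFRouters
    group 224.0.0.5; IPsec alone could not carry it."""
    payload = b"constructed OSPF hello stand-in"
    return build_ipv4_header("10.0.0.1", "224.0.0.5", IPPROTO_OSPF, len(payload)) + payload


if __name__ == "__main__":
    inner = sample_multicast_packet()
    wrapped = gre_tunnel_encapsulate(inner, "192.0.2.1", "198.51.100.1", key=0x1234, seq=1)
    print("inner is unicast:", outer_dst_is_unicast(inner))
    print("GRE-wrapped is unicast:", outer_dst_is_unicast(wrapped))
    print("bytes added before IPsec:", tunnel_overhead(inner, wrapped))
```

Running the module wraps a constructed multicast packet and shows the two facts the background relies on: the outer destination is unicast, and the tunnel layer adds exactly 20 + 12 = 32 bytes before the IPsec encapsulation (and its bandwidth cost) begins.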
Summary of the invention
The present invention provides a data encapsulation method and equipment that save device load and reduce unnecessary waste of resources.
To achieve this object, the present invention proposes a data encapsulation method applied in a system comprising a first device and a second device, where the first device and the second device are IPsec peers, both implementing the IPsec protocol, and a configured tunnel and an IPsec tunnel exist between the first device and the second device. The method comprises the following steps:
the first device judges whether the endpoints of the configured tunnel are the same as the endpoints of the IPsec tunnel;
the first device negotiates with the second device according to the judgment result, and determines according to the negotiation result whether configured-tunnel encapsulation is required;
when configured-tunnel encapsulation is not required, the first device performs IPsec tunnel encapsulation on the received data packet and sends the encapsulated packet to the second device.
Preferably, the first device judging whether the endpoints of the configured tunnel are the same as the endpoints of the IPsec tunnel specifically comprises:
the first device judges whether the source address of the configured tunnel is the same as the local address of the IPsec tunnel, and whether the destination address of the configured tunnel is the same as the remote address of the IPsec tunnel;
the judgment result is specifically: when the source address of the configured tunnel differs from the local address of the IPsec tunnel, and/or the destination address of the configured tunnel differs from the remote address of the IPsec tunnel, the first device judges that the endpoints of the configured tunnel are not the same as the endpoints of the IPsec tunnel; or
when the source address of the configured tunnel is the same as the local address of the IPsec tunnel and the destination address of the configured tunnel is the same as the remote address of the IPsec tunnel, the first device judges that the endpoints of the configured tunnel are the same as the endpoints of the IPsec tunnel.
Preferably, before the first device negotiates with the second device according to the judgment result, the method further comprises:
the first device judges whether IPsec data encryption needs to be performed on packets encapsulated by the configured tunnel;
the first device negotiating with the second device according to the judgment result specifically comprises:
the first device sets a flag in the configured-tunnel header of a first indication packet, different values of the flag indicating whether configured-tunnel encapsulation is required, and sends the first indication packet to the second device;
the first device receives a second indication packet from the second device and obtains the flag from the configured-tunnel header of the second indication packet;
when the endpoints of the configured tunnel are not the same as the endpoints of the IPsec tunnel, and/or IPsec data encryption does not need to be performed on packets encapsulated by the configured tunnel, the information on whether configured-tunnel encapsulation is required specifically indicates that configured-tunnel encapsulation is required;
when the endpoints of the configured tunnel are the same as the endpoints of the IPsec tunnel and IPsec data encryption needs to be performed on packets encapsulated by the configured tunnel, the information on whether configured-tunnel encapsulation is required specifically indicates that configured-tunnel encapsulation is not required.
Preferably, determining according to the negotiation result whether configured-tunnel encapsulation is required specifically comprises:
when the flags carried in both the first indication packet and the second indication packet indicate that configured-tunnel encapsulation is not required, the first device determines that configured-tunnel encapsulation is not required; otherwise, the first device determines that configured-tunnel encapsulation is required.
Preferably, before the first device judges whether the endpoints of the configured tunnel are the same as the endpoints of the IPsec tunnel, the method further comprises:
the configured tunnel triggers the IPsec tunnel to carry out the IPsec negotiation process, so that the first device can judge from the negotiation result whether the endpoints of the configured tunnel are the same as the endpoints of the IPsec tunnel.
Preferably, the first device performing IPsec tunnel encapsulation on the received data packet specifically comprises:
the first device encapsulates the next header of the data packet as the identifier of the configured tunnel, and, according to the identifier of the configured tunnel, sends the data packet through the IPsec tunnel of the second device to the configured tunnel of the second device.
The present invention also proposes a data encapsulation device applied in a system comprising a first device and a second device, where the first device and the second device are IPsec peers, both implementing the IPsec protocol, and a configured tunnel and an IPsec tunnel exist between the first device and the second device. The device comprises:
a configured-tunnel module, for judging whether the endpoints of the configured tunnel are the same as the endpoints of the IPsec tunnel, negotiating with the second device according to the judgment result, and determining according to the negotiation result whether configured-tunnel encapsulation is required;
an IPsec tunnel module, electrically connected to the configured-tunnel module, for performing IPsec tunnel encapsulation on the received data packet when configured-tunnel encapsulation is not required, and sending the encapsulated packet to the second device.
Preferably, the configured-tunnel module comprises:
a first judgment sub-module, for judging whether the source address of the configured tunnel is the same as the local address of the IPsec tunnel, and whether the destination address of the configured tunnel is the same as the remote address of the IPsec tunnel; the judgment result is specifically: when the source address of the configured tunnel differs from the local address of the IPsec tunnel, and/or the destination address of the configured tunnel differs from the remote address of the IPsec tunnel, the first device judges that the endpoints of the configured tunnel are not the same as the endpoints of the IPsec tunnel; or when the source address of the configured tunnel is the same as the local address of the IPsec tunnel and the destination address of the configured tunnel is the same as the remote address of the IPsec tunnel, the first device judges that the endpoints of the configured tunnel are the same as the endpoints of the IPsec tunnel;
a second judgment sub-module, for judging whether IPsec data encryption needs to be performed on packets encapsulated by the configured tunnel;
a negotiation sub-module, electrically connected to the first judgment sub-module and the second judgment sub-module respectively, for setting a flag in the configured-tunnel header of a first indication packet, different values of the flag indicating whether configured-tunnel encapsulation is required, sending the first indication packet to the second device, receiving a second indication packet from the second device, and obtaining the flag from the configured-tunnel header of the second indication packet;
when the endpoints of the configured tunnel are not the same as the endpoints of the IPsec tunnel, and/or IPsec data encryption does not need to be performed on packets encapsulated by the configured tunnel, the information on whether configured-tunnel encapsulation is required specifically indicates that configured-tunnel encapsulation is required;
when the endpoints of the configured tunnel are the same as the endpoints of the IPsec tunnel and IPsec data encryption needs to be performed on packets encapsulated by the configured tunnel, the information on whether configured-tunnel encapsulation is required specifically indicates that configured-tunnel encapsulation is not required;
a determination sub-module, electrically connected to the negotiation sub-module, for determining that configured-tunnel encapsulation is not required when the flags carried in both the first indication packet and the second indication packet indicate that configured-tunnel encapsulation is not required, and otherwise determining that configured-tunnel encapsulation is required.
Preferably, the configured-tunnel module further comprises:
a trigger sub-module, for triggering the IPsec tunnel to carry out the IPsec negotiation process, so that the configured-tunnel module can judge from the negotiation result whether the endpoints of the configured tunnel are the same as the endpoints of the IPsec tunnel.
Preferably, the IPsec tunnel module comprises:
an encapsulation sub-module, for performing IPsec tunnel encapsulation on the data packet, encapsulating the next header of the data packet as the identifier of the configured tunnel;
a sending sub-module, electrically connected to the encapsulation sub-module, for sending the packet encapsulated by the encapsulation sub-module to the second device;
a decapsulation sub-module, for decapsulating the encapsulated packet received from the second device to obtain the original data packet, and sending the data packet to the configured-tunnel module according to the identifier of the configured tunnel.
Compared with the prior art, the present invention has the following advantage: by judging whether the configured-tunnel endpoints are the same as the IPsec tunnel endpoints and whether IPsec data encryption needs to be performed on configured-tunnel-encapsulated packets, and negotiating between the IPsec peers according to the judgment results, when the configured-tunnel endpoints of both IPsec peers are the same as the IPsec tunnel endpoints and both peers need IPsec data encryption of configured-tunnel-encapsulated packets, only one IPsec tunnel encapsulation is needed, which reduces the configured-tunnel encapsulation processing.
Brief description of the drawings
Fig. 1 is a networking diagram of a two-layer tunnel structure in the prior art;
Fig. 2 is an encapsulation flow diagram in the prior art;
Fig. 3 is a flow chart of a data encapsulation method proposed by the present invention;
Fig. 4 is a networking model diagram for a specific application scenario of the present invention;
Fig. 5 is a flow chart of the data encapsulation method of the present invention corresponding to the application scenario shown in Fig. 4;
Fig. 6 is a schematic diagram of the GRE header in the present invention;
Fig. 7 is an encapsulation flow diagram in the present invention;
Fig. 8 is a structural diagram of the data encapsulation device proposed by the present invention.
Embodiment
The core idea of the present invention is as follows. When a configured tunnel (for example a GRE tunnel) and an IPsec tunnel exist between IPsec peers running the IPsec protocol, each peer judges whether the configured-tunnel endpoints are the same as the IPsec tunnel endpoints, and the IPsec peers negotiate according to this judgment result. When the judgment result of the IPsec peers is that the configured-tunnel endpoints are the same as the IPsec tunnel endpoints, the data packet undergoes only the IPsec tunnel encapsulation process and configured-tunnel encapsulation is not performed, thereby omitting the configured-tunnel encapsulation process, reducing device load and improving IPsec encryption efficiency. After the encapsulated packet arrives at the far end of the IPsec tunnel, IPsec decapsulation directly yields the original packet, omitting the configured-tunnel decapsulation process and likewise reducing device load.
The data encapsulation method proposed by the present invention is applied in a system comprising a first device and a second device, where the first device and the second device are IPsec peers, both implementing the IPsec protocol, and a configured tunnel (for example a GRE tunnel) and an IPsec tunnel exist between the first device and the second device. As shown in Fig. 3, the method comprises the following steps:
Step S301: the first device judges whether the endpoints of the configured tunnel are the same as the endpoints of the IPsec tunnel.
Here, the first device judging whether the endpoints of the configured tunnel are the same as the endpoints of the IPsec tunnel specifically comprises: the first device judges whether the source address of the configured tunnel is the same as the local address of the IPsec tunnel, and whether the destination address of the configured tunnel is the same as the remote address of the IPsec tunnel. The judgment result is specifically: when the source address of the configured tunnel differs from the local address of the IPsec tunnel, and/or the destination address of the configured tunnel differs from the remote address of the IPsec tunnel, the first device judges that the endpoints of the configured tunnel are not the same as the endpoints of the IPsec tunnel; or when the source address of the configured tunnel is the same as the local address of the IPsec tunnel and the destination address of the configured tunnel is the same as the remote address of the IPsec tunnel, the first device judges that the endpoints of the configured tunnel are the same as the endpoints of the IPsec tunnel.
Step S302: the first device negotiates with the second device according to the judgment result, and determines according to the negotiation result whether configured-tunnel encapsulation is required.
It should be noted that the first device also needs to judge whether IPsec data encryption needs to be performed on packets encapsulated by the configured tunnel.
The first device negotiating with the second device according to the judgment result specifically comprises: setting a flag in the configured-tunnel header of a first indication packet, different values of the flag indicating whether configured-tunnel encapsulation is required, and sending the first indication packet to the second device;
the first device receives a second indication packet from the second device and obtains the flag from the configured-tunnel header of the second indication packet;
when the endpoints of the configured tunnel are not the same as the endpoints of the IPsec tunnel, and/or IPsec data encryption does not need to be performed on packets encapsulated by the configured tunnel, the information on whether configured-tunnel encapsulation is required specifically indicates that configured-tunnel encapsulation is required; when the endpoints of the configured tunnel are the same as the endpoints of the IPsec tunnel and IPsec data encryption needs to be performed on packets encapsulated by the configured tunnel, the information on whether configured-tunnel encapsulation is required specifically indicates that configured-tunnel encapsulation is not required.
Determining according to the negotiation result whether configured-tunnel encapsulation is required specifically comprises: when the flags carried in both the first indication packet and the second indication packet indicate that configured-tunnel encapsulation is not required, the first device determines that configured-tunnel encapsulation is not required; otherwise, the first device determines that configured-tunnel encapsulation is required.
Step S303: when configured-tunnel encapsulation is not required, the first device performs IPsec tunnel encapsulation on the received data packet and sends the encapsulated packet to the second device.
It should be noted that in the present invention, before the first device judges whether the endpoints of the configured tunnel are the same as the endpoints of the IPsec tunnel, the configured tunnel triggers the IPsec tunnel to carry out the IPsec negotiation process, so that the first device can judge from the negotiation result whether the endpoints of the configured tunnel are the same as the endpoints of the IPsec tunnel.
Here, the first device performing IPsec tunnel encapsulation on the received data packet specifically comprises: the first device encapsulates the next header of the data packet as the identifier of the configured tunnel, and, according to the identifier of the configured tunnel, sends the data packet through the IPsec tunnel of the second device to the configured tunnel of the second device.
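Steps S301 to S303 can be modelled end to end for two peers. The following is an added example, not code from the patent or from H3C: it implements the endpoint comparison, the exchange of flags and the rule that GRE encapsulation is omitted only when both peers report matching endpoints and a need for IPsec encryption, then shows the next-header dispatch on the receiving side. Assumptions not stated in the patent: the indication packet is reduced to one boolean standing for the flag in its configured-tunnel header (Fig. 6 is not available here); the configured-tunnel identifier written into the next-header field is a constructed value; IPsec framing is reduced to that next-header byte followed by the payload with no encryption or outer IP header; the 32-byte GRE-plus-IP layer is a zero-filled stand-in; all addresses are constructed.

```python
"""Negotiating whether the configured-tunnel (GRE) encapsulation can be skipped.

Added example, not part of the patent text. Assumptions not stated in the patent:
the indication packet is one boolean standing for the flag in its configured-tunnel
header; the tunnel identifier in the next-header field is a constructed value;
IPsec framing is reduced to a next-header byte plus payload, with no encryption;
the 32-byte GRE-plus-IP layer is a zero-filled stand-in; addresses are constructed.
"""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class TunnelConfig:
    """Configured tunnel (e.g. GRE) as seen from one peer."""
    src: str
    dst: str


@dataclass(frozen=True)
class IPsecTunnel:
    """IPsec tunnel as seen from the same peer."""
    local: str
    remote: str


@dataclass(frozen=True)
class IndicationPacket:
    """Stand-in for the first/second indication packet; the boolean stands for the
    flag the patent places in the configured-tunnel header (assumed encoding)."""
    skip_tunnel_encap: bool


def endpoints_match(tunnel: TunnelConfig, ipsec: IPsecTunnel) -> bool:
    """Step S301: tunnel source must equal the IPsec local address and tunnel
    destination the IPsec remote address; a mismatch in either means 'not the same'."""
    return tunnel.src == ipsec.local and tunnel.dst == ipsec.remote


def build_indication(tunnel: TunnelConfig, ipsec: IPsecTunnel,
                     needs_ipsec_encryption: bool) -> IndicationPacket:
    """Flag a peer advertises in S302: skip GRE only if its endpoints match AND it
    wants the tunnel traffic IPsec-encrypted; otherwise GRE encapsulation is required."""
    return IndicationPacket(endpoints_match(tunnel, ipsec) and needs_ipsec_encryption)


def tunnel_encapsulation_required(sent: IndicationPacket, received: IndicationPacket) -> bool:
    """S302 outcome: encapsulation is skipped only when both flags say it can be."""
    return not (sent.skip_tunnel_encap and received.skip_tunnel_encap)


def negotiate(a_tunnel: TunnelConfig, a_ipsec: IPsecTunnel, a_encrypt: bool,
              b_tunnel: TunnelConfig, b_ipsec: IPsecTunnel, b_encrypt: bool) -> Tuple[bool, bool]:
    """Run the exchange from both sides and return (A's decision, B's decision).
    Each side evaluates the same two flags, so the decisions always agree."""
    ind_a = build_indication(a_tunnel, a_ipsec, a_encrypt)   # first indication packet
    ind_b = build_indication(b_tunnel, b_ipsec, b_encrypt)   # second indication packet
    return (tunnel_encapsulation_required(ind_a, ind_b),
            tunnel_encapsulation_required(ind_b, ind_a))


# Step S303 with the simplified framing described in the module docstring.
IPPROTO_GRE = 47                 # next header when the payload is GRE-encapsulated
CONFIGURED_TUNNEL_ID = 200       # constructed identifier of the configured tunnel
GRE_PLUS_IP_STANDIN = bytes(32)  # 20-byte IP header + 12-byte Tunnel Header, as zeros


def ipsec_send(payload: bytes, gre_required: bool) -> bytes:
    """Sender: with GRE required, the old two-layer path; otherwise the single IPsec
    encapsulation whose next header names the configured tunnel."""
    if gre_required:
        return bytes([IPPROTO_GRE]) + GRE_PLUS_IP_STANDIN + payload
    return bytes([CONFIGURED_TUNNEL_ID]) + payload


def ipsec_receive(packet: bytes) -> Tuple[str, bytes]:
    """Receiver: after IPsec decapsulation, dispatch on the next header. The configured-
    tunnel identifier hands the original packet straight to the tunnel module; GRE
    means a second decapsulation; anything else is rejected."""
    next_header, inner = packet[0], packet[1:]
    if next_header == CONFIGURED_TUNNEL_ID:
        return ("configured tunnel, no GRE decapsulation", inner)
    if next_header == IPPROTO_GRE:
        return ("GRE decapsulation", inner[len(GRE_PLUS_IP_STANDIN):])
    raise ValueError("unexpected next header %d" % next_header)


if __name__ == "__main__":
    a_t, a_i = TunnelConfig("192.0.2.1", "198.51.100.1"), IPsecTunnel("192.0.2.1", "198.51.100.1")
    b_t, b_i = TunnelConfig("198.51.100.1", "192.0.2.1"), IPsecTunnel("198.51.100.1", "192.0.2.1")
    gre_needed, _ = negotiate(a_t, a_i, True, b_t, b_i, True)
    print("GRE encapsulation required:", gre_needed)
    print(ipsec_receive(ipsec_send(b"original multicast packet", gre_needed)))
```

The three negative cases a practitioner should check are covered by the decision rule: one peer's tunnel destination differing from its IPsec remote address, one peer not wanting IPsec encryption for the tunnel traffic, or either flag missing, all keep the GRE layer in place; only unanimous "skip" removes it, which is what keeps both ends' encapsulation views consistent.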
As can be seen, in the present invention, by judging whether the configured-tunnel endpoints are the same as the IPsec tunnel endpoints and whether IPsec data encryption needs to be performed on configured-tunnel-encapsulated packets, and negotiating between the IPsec peers according to the judgment results, when the configured-tunnel endpoints of both IPsec peers are the same as the IPsec tunnel endpoints and both peers need IPsec data encryption of configured-tunnel-encapsulated packets, only one IPsec tunnel encapsulation is needed, which reduces the configured-tunnel encapsulation processing.
When data is encapsulated with the method provided by the present invention, because configured-tunnel encapsulation is not performed, the encapsulated packet is shorter (for example, 32 bytes shorter for a GRE tunnel), which improves IPsec encryption efficiency; because the original packet does not need configured-tunnel encapsulation on the tunnel local device and no tunnel decapsulation is performed on the tunnel peer device, intermediate processing stages are reduced, packet forwarding efficiency is improved and device load is reduced; and because tunnel encapsulation is not performed, the packet length after IPsec encryption is correspondingly reduced, lowering bandwidth consumption in the intermediate network.
Below in conjunction with a concrete application scenarios, being described in detail of the data encapsulation method that the present invention is proposed, the present invention is applicable in the IPsec agreement, this IPsec agreement is not an independent agreement, provided a whole set of architecture that is applied to network data security on the IP layer, comprise network authenticating protocol AH (Authentication Header, authentication header), ESP (Encapsulating Security Payload, ESP), IKE (Internet Key Exchange, the Internet Key Exchange) and be used for some algorithms of network authentication and encryption etc., wherein, AH agreement and ESP agreement are used to provide security service, and the IKE agreement is used for cipher key change.Be that example describes with AH agreement and ESP agreement among the present invention.When using the IPsec agreement to carry out data encryption, all application systems and services of using IP agreements to carry out transfer of data can be used the IPsec agreement, and do not need to make any modification to using system's kimonos body of attending to the basic or the fundamental; And be unit with the packet to the encryption of data, be not unit with the entire stream, realize flexibly and help further to improve the fail safe of IP packet, effectively guarding network attack.In the IPsec agreement, tunnel (tunnel) pattern and two kinds of mode of operations of transmission (transport) pattern are arranged, wherein, tunnel mode is that terminal use's entire I P packet is used to calculate AH head or ESP head, terminal use's data that AH head or ESP head and ESP encrypt are encapsulated in the new IP packet, and tunnel mode is applied in two communications between the security gateway usually; And being transport layer data, transmission mode is used to calculate AH head or ESP head, terminal use's data that AH head or ESP head and ESP encrypt are placed on back, former IP packet header, usually 
transmission mode is applied in two communications between the main frame, or the communication between main frame and the security gateway, IPsec agreement of the present invention is based on the IPsec agreement of tunnel mode.
In the present invention, to widen the range of application of IPsec (for example so that IPsec can encapsulate multicast packets), a tunnel is additionally configured between the IPsec peers. This configured tunnel reduces the IPsec application scenario to a point-to-point tunnel mode, so that IPsec encapsulation can be performed in many scenarios (for example, encapsulating multicast packets, broadcast packets, or packets of other data types). The configured tunnel includes, but is not limited to, a GRE tunnel or a manual tunnel; for convenience of description the GRE tunnel is used as the example in the present invention. A tunnel is an encapsulation technique in which one protocol is encapsulated in another, so that one network protocol is carried by another: the data packets produced by one protocol are encapsulated in the packets of a network transport protocol and then transmitted over the network. A tunnel is a virtual point-to-point connection. In practice the only virtual interface that supports point-to-point connections is a tunnel interface; it provides a path over which the encapsulated data packets are transmitted, and the packets are encapsulated and decapsulated respectively at the two ends of the tunnel interface.
Figure 4 shows the networking model in this scenario. The tunnel local device and the tunnel peer device are devices of the same type, for example routers, switches, repeaters or terminals. The tunnel local device comprises a tunnel module and an IPsec module; likewise the tunnel peer device also comprises a tunnel module (which may be a GRE tunnel module) and an IPsec module. The names "tunnel module" and "IPsec module" are used only for convenience of description; other names may be chosen in practice. The tunnel module handles the GRE encapsulation procedure and the IPsec module handles the IPsec encapsulation procedure; both procedures are described in detail in the steps below and are not repeated here.
As shown in Figure 5, the data encapsulation method proposed in this scenario comprises the following steps:
Step S501: the tunnel local device performs the IPsec SA (Security Association) negotiation.
During initial configuration the IPsec SA must be negotiated first. In the present invention the tunnel module in the tunnel local device triggers the IPsec module to negotiate the IPsec SA by means of a Keepalive (instruction) message. The tunnel module may of course also trigger the IPsec SA negotiation in other ways, which are not described here.
The IPsec SA may be negotiated manually or automatically by IKE. Manual negotiation is complex to configure: all information required to create the SA must be configured by hand, some advanced features (for example periodic rekeying) cannot be supported, and IPsec is realized on its own without relying on IKE. IKE automatic negotiation is comparatively simple: only the IKE negotiation security policy needs to be configured, and IKE then creates and maintains the SA automatically.
In this step the IPsec module negotiates the IPsec SA, that is, the two communicating peers agree on a set of parameters. IPsec provides secure communication between two endpoints, which are called IPsec peers. The agreed parameters include, but are not limited to, the protocol (AH, ESP, or both in combination), the encapsulation mode (transport mode or tunnel mode), the cryptographic algorithm (DES, 3DES or AES), the shared key used to protect the data of the specific flow, and the lifetime of that key.
Specifically, an IPsec SA is unidirectional: for bidirectional communication between two peers, two SAs are needed to protect the data flows in the two directions. Furthermore, if the two peers wish to use AH and ESP at the same time, each peer establishes a separate SA for each protocol.
An SA is uniquely identified by a triple consisting of the SPI (Security Parameter Index), the destination IP address and the security protocol number (AH or ESP). The SPI is a 32-bit value generated to uniquely identify the SA and is carried in the AH or ESP header; when the SA is configured manually the SPI value must be specified by hand, and when the SA is created by IKE negotiation the SPI is generated randomly. The destination IP address is the IP address of the tunnel peer device, and the security protocol number is the protocol type used in IPsec.
It should be noted in particular that during the IPsec SA negotiation of this step it must also be determined whether the configured-tunnel encapsulation is required; that determination is described in detail in the steps below.
Step S502: the tunnel local device determines whether the GRE tunnel endpoints are identical to the IPsec tunnel endpoints. If they are identical, proceed to step S504; if not, proceed to step S503.
The tunnel local device determines this as follows: the tunnel endpoint (or tunnel module) checks whether the source address of the GRE tunnel is identical to the local address of the IPsec tunnel, and whether the destination address of the GRE tunnel is identical to the remote address of the IPsec tunnel. When both are identical, the GRE tunnel endpoints are identical to the IPsec tunnel endpoints; when either or both differ, the endpoints are not identical.
Further, when the tunnel endpoint learns that the local address of the IPsec tunnel is identical to its own address, it concludes that the source address of the GRE tunnel is identical to the local address of the IPsec tunnel; when it learns that the destination address of the IPsec tunnel is identical to its own destination address, it concludes that the destination address of the GRE tunnel is identical to the remote address of the IPsec tunnel. The tunnel endpoint obtains the destination address of the IPsec tunnel from the SA negotiated by IPsec, and it already stores its own destination address.
Step S503: the tunnel local device determines that the original packet must be GRE-encapsulated, that is, after receiving an original packet the tunnel local device performs GRE tunnel encapsulation and then performs IPsec tunnel encapsulation on the encapsulated packet. The present invention is mainly directed at the case in which the GRE tunnel endpoints and the IPsec tunnel endpoints are identical; the processing flow for the case in which they differ is not described here.
Step S504: the tunnel local device determines whether the packet after GRE encapsulation falls within the protection scope of the IPsec SA, that is, whether the tunnel local device needs to perform IPsec tunnel encapsulation on the GRE-encapsulated packet. If so, proceed to step S505. During initial configuration the GRE tunnel endpoint must also determine whether packets that have been GRE-encapsulated require IPsec tunnel encapsulation; this is determined by the IPsec tunnel endpoint from the information of the IPsec SA negotiation described above. That process is prior art and is not repeated here.
Step S505: the tunnel local device negotiates with the tunnel peer device, that is, the tunnel local device sends a Keepalive message to the tunnel peer device and receives a Keepalive message from the tunnel peer device. The Keepalive is sent by the tunnel module of the tunnel local device to the tunnel module of the tunnel peer device. The GRE header of this Keepalive message indicates whether the GRE tunnel endpoints are identical to the IPsec tunnel endpoints and whether the GRE-encapsulated packet falls within the protection scope of the IPsec SA. The GRE header of the Keepalive is shown in Figure 6: when the last bit of the Flags field in the GRE header is 1, the GRE tunnel endpoints are identical to the IPsec tunnel endpoints and the GRE-encapsulated packet is within the protection scope of the IPsec SA; when that bit is 0, the GRE tunnel endpoints differ from the IPsec tunnel endpoints and/or the original packet is outside the protection scope of the IPsec SA (that is, whenever either of the two conditions is not satisfied, the last bit of Flags is 0). Since the preceding steps have determined that the GRE tunnel endpoints are identical to the IPsec tunnel endpoints and that the GRE-encapsulated packet is within the protection scope of the IPsec SA, the last bit of Flags in this GRE header is 1. A practitioner should note that the flag is only as trustworthy as the Keepalive that carries it: because the Keepalive is itself a GRE-encapsulated packet between the same endpoints, it should fall within the SA scope checked in step S504 and thus be carried under the AH or ESP protection negotiated in step S501, and a deployment should verify that this is the case rather than accept the flag from an unprotected Keepalive.
Correspondingly, the tunnel local device receives a Keepalive message from the tunnel peer device; the tunnel peer device sends that Keepalive in the same way as the tunnel local device described above, which is not repeated here.
The tunnel local device reads the identification information from the last bit of Flags in the GRE header of the Keepalive received from the tunnel peer device. When that bit is 1, the tunnel local device learns that the peer's GRE tunnel endpoints are identical to its IPsec tunnel endpoints and that the peer's GRE-encapsulated packets are within the protection scope of the IPsec SA, that is, the tunnel peer device can also perform IPsec tunnel encapsulation directly. By exchanging Keepalive messages the tunnel local device and the tunnel peer device complete the mutual negotiation.
In the present invention the tunnel local device may send a GRE Keepalive message to the tunnel peer device at a preset period, notifying the peer whether its GRE tunnel endpoints are identical to the IPsec tunnel endpoints and whether its GRE-encapsulated packets are within the protection scope of the IPsec SA. The preset period is chosen according to actual needs; for example, it may be set to 5 minutes. Likewise, the tunnel local device periodically receives GRE Keepalive messages from the tunnel peer device and learns from them whether the peer's GRE tunnel endpoints are identical to the IPsec tunnel endpoints and whether the peer's GRE-encapsulated packets are within the protection scope of the IPsec SA.
It should be noted in particular that the method provided by the present invention can omit the GRE tunnel encapsulation only when, for both the tunnel local device and the tunnel peer device, the GRE tunnel endpoints are identical to the IPsec tunnel endpoints and the GRE-encapsulated packets are within the protection scope of the IPsec SA.
Of course, the present invention is not limited to conveying the information on whether the GRE tunnel encapsulation can be omitted by means of Keepalive messages; it may also be conveyed in other ways, which are not described here.
In the present invention the processing of the tunnel local device and the tunnel peer device is identical; the description uses the flow of the tunnel local device as the example, and the flow of the tunnel peer device is not described separately.
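The endpoint comparison of step S502, the local decision of step S504 and the Keepalive flag exchange of step S505, written out as an added example in Python (this is not the patent's own code). The GRE header layout is assumed to be the RFC 1701 style (C, R, K, S, s, Recur, a 5-bit Flags field, Version, then Protocol Type), under which the "last bit of Flags" is the bit of value 0x0008; the Keepalive protocol type 0x0000, the function names and all addresses are likewise assumptions.

```python
import struct
from dataclasses import dataclass

# Assumed GRE first word (RFC 1701 style): C R K S s | Recur(3) | Flags(5) | Ver(3).
# The last bit of the 5-bit Flags field therefore has the value 0x0008.
SKIP_GRE_FLAG = 0x0008
KEEPALIVE_PROTO = 0x0000   # assumed protocol type carried by the Keepalive body


@dataclass(frozen=True)
class Endpoints:
    """Source/local and destination/remote addresses of one tunnel."""
    local: str
    remote: str


def endpoints_match(gre: Endpoints, ipsec: Endpoints) -> bool:
    """Step S502: GRE source == IPsec local AND GRE destination == IPsec remote."""
    return gre.local == ipsec.local and gre.remote == ipsec.remote


def can_skip_gre_locally(gre: Endpoints, ipsec: Endpoints, gre_traffic_in_sa: bool) -> bool:
    """Steps S502 and S504: this side may omit GRE only if the endpoints coincide
    and the GRE-encapsulated traffic falls within the IPsec SA's protection scope."""
    return endpoints_match(gre, ipsec) and gre_traffic_in_sa


def build_keepalive(skip_gre: bool) -> bytes:
    """Step S505 (sender): 4-byte GRE header whose flag bit announces this side's decision."""
    first_word = SKIP_GRE_FLAG if skip_gre else 0x0000
    return struct.pack("!HH", first_word, KEEPALIVE_PROTO)


def parse_keepalive(pkt: bytes) -> bool:
    """Step S505 (receiver): read the peer's flag; reject anything that is not a Keepalive."""
    if len(pkt) < 4:
        raise ValueError("truncated GRE header")
    first_word, proto = struct.unpack("!HH", pkt[:4])
    if proto != KEEPALIVE_PROTO:
        raise ValueError("not a Keepalive")
    return bool(first_word & SKIP_GRE_FLAG)


def negotiate(local_skip: bool, peer_keepalive: bytes) -> bool:
    """Determine submodule 814: omit GRE only when BOTH sides signalled 1."""
    peer_skip = parse_keepalive(peer_keepalive)   # always parsed, so malformed input is rejected
    return local_skip and peer_skip


def run_exchange(local_cfg, peer_cfg) -> bool:
    """Full exchange between two devices; each cfg is (gre, ipsec, gre_traffic_in_sa)."""
    local_ok = can_skip_gre_locally(*local_cfg)
    peer_ok = can_skip_gre_locally(*peer_cfg)
    to_peer, to_local = build_keepalive(local_ok), build_keepalive(peer_ok)
    local_decision = negotiate(local_ok, to_local)
    peer_decision = negotiate(peer_ok, to_peer)
    assert local_decision == peer_decision   # both sides reach the same answer
    return local_decision


if __name__ == "__main__":
    # Constructed addresses: the GRE tunnel and the IPsec SA share both endpoints on each side.
    a = (Endpoints("203.0.113.1", "203.0.113.2"), Endpoints("203.0.113.1", "203.0.113.2"), True)
    b = (Endpoints("203.0.113.2", "203.0.113.1"), Endpoints("203.0.113.2", "203.0.113.1"), True)
    print("omit GRE encapsulation:", run_exchange(a, b))
```

The decision is deliberately an AND of the local check and the peer's flag: a device that itself could not omit GRE never does so merely because the peer signalled 1, and a device whose peer signalled 0 keeps encapsulating even though its own endpoints coincide, which is the condition the text states for both devices.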
Step S506: the tunnel local device receives an original packet. After the initial configuration is complete, the tunnel local device can be used for encapsulation, that is, it can receive original packets.
The entity sending the original packet is a terminal (it may of course be another type of device; the terminal is only an example). The terminal sends the data packet (the original packet) to the tunnel local device over IP (or another protocol).
Step S507: the tunnel local device performs IPsec tunnel encapsulation on the original packet and sets the Next Header field of the encapsulated packet to the GRE identifier; for example, when IPsec uses AH the Next Header of the AH header is set to the GRE identifier, and when IPsec uses ESP the Next Header of the ESP trailer is set to the GRE identifier. This is a non-standard use of the Next Header field, since the value announces GRE while no GRE header actually follows: the decapsulated packet can be handled correctly only by a peer that negotiated the omission in step S505, whereas a standard IPsec receiver would attempt to parse a GRE header at the start of the original packet.
It should be noted that the tunnel local device can perform IPsec tunnel encapsulation on the original packet directly only if steps S501 to S505 have established that its GRE tunnel endpoints are identical to the IPsec tunnel endpoints and that the GRE-encapsulated packets are within the protection scope of the IPsec SA; otherwise it must first perform GRE tunnel encapsulation on the original packet and then perform IPsec tunnel encapsulation. The present invention is described using the case in which the GRE tunnel endpoints are identical to the IPsec tunnel endpoints and the GRE-encapsulated packets are within the protection scope of the IPsec SA (with both the tunnel local device and the tunnel peer device satisfying this).
The tunnel local device comprises a configured-tunnel module (the GRE tunnel module is used as the example) and an IPsec tunnel module; the names of these two modules are chosen only for convenience of description and other names may be used. The preceding steps have determined that the original packet does not need GRE tunnel encapsulation, that is, the GRE tunnel module does not need to encapsulate it. When the original packet passes through the GRE tunnel module and the IPsec tunnel module, the GRE tunnel module acts as a virtual interface: it adds no encapsulation but simply accepts the original packet and passes it directly to the IPsec tunnel module for protection. When the IPsec tunnel module processes the original packet received from the GRE tunnel module, the source address of the GRE tunnel is identical to the local address of the IPsec tunnel and the destination address of the GRE tunnel is identical to the remote address of the IPsec tunnel, so the IPsec tunnel module protects the original packet using the information from the IPsec SA negotiated in step S501.
Further, IPsec provides two security mechanisms, authentication and encryption. Authentication lets the receiver of an IP communication confirm the true identity of the sender and whether the data was tampered with in transit; encryption protects the confidentiality of the data by encrypting it, so that it cannot be eavesdropped in transit. In IPsec, the AH protocol defines the application of authentication and provides data origin authentication and integrity assurance; the ESP protocol defines the application of encryption and optional authentication and provides confidentiality assurance. AH provides data origin authentication, data integrity verification and replay protection, thereby protecting the communication against tampering; the authentication algorithms selectable for AH include MD5 (Message Digest algorithm) and SHA-1 (Secure Hash Algorithm). MD5 produces a 128-bit message digest from a message of arbitrary length; SHA-1 produces a 160-bit message digest from a message shorter than 2^64 bits. ESP provides encryption, data origin authentication, data integrity verification and replay protection; the encryption algorithms selectable for ESP include DES (Data Encryption Standard), 3DES and AES (Advanced Encryption Standard). DES encrypts a 64-bit plaintext block with a 56-bit key; 3DES encrypts plaintext with three 56-bit DES keys (168 bits of key in total); AES encrypts plaintext with a key length of 128, 192 or 256 bits. (In current practice MD5, DES and 3DES are considered weak; SHA-2 based integrity and AES are preferred.) In actual IP communication the two protocols may be used together or one of them selected according to the actual security requirements.
Further, the IPsec tunnel module protects the original packet according to what was agreed in the IPsec SA negotiation. For example, when the negotiated protocol is AH and the negotiated algorithm is MD5, the original packet is processed with AH using MD5, that is, an HMAC-MD5 integrity check value is computed over it (AH authenticates the packet and does not encrypt it).
Step S508: the tunnel local device sends the IPsec-protected packet to the tunnel peer device.
Step S509: the tunnel peer device decapsulates the received protected packet and obtains the decapsulated packet.
It should be noted that the IPsec tunnel module of the tunnel peer device decapsulates the received protected packet, and the packet obtained after decapsulation is the original packet.
In the present invention, when the IPsec tunnel module finds that the Next Header field of the packet carries the GRE identifier, it passes the decapsulated packet to the GRE tunnel module, which performs the relevant GRE processing on it (not described here). Because the GRE encapsulation was omitted, that processing does not strip a GRE header; the GRE tunnel module handles the original packet as received.
In the present invention the processing flow of the tunnel peer device is substantially the same as that of the tunnel local device described above and is not repeated here.
With the data encapsulation method proposed by the present invention, the original packet is not GRE-encapsulated during encapsulation: no GRE header and no outer IP header need to be added, which reduces the load of the encapsulating device. As shown in Figure 7, the packet length is reduced by 32 bytes (using the GRE tunnel as the example; the exact saving depends on which optional GRE fields the tunnel uses, a minimal GRE header being 4 bytes and an outer IPv4 header 20 bytes, so 32 bytes corresponds to a GRE header carrying two optional 4-byte fields such as key and sequence number). Because no configured-tunnel encapsulation is added, the encapsulated packet is shorter (for example 32 bytes shorter for the GRE tunnel), which improves the efficiency of IPsec encryption. Because the original packet needs no configured-tunnel encapsulation in the tunnel local device and no tunnel decapsulation in the tunnel peer device, intermediate processing steps are removed, forwarding efficiency improves and device load falls. And because no tunnel encapsulation is added, the IPsec-encrypted packet is correspondingly shorter, reducing the bandwidth consumed in the intermediate network.
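The two encapsulation paths of step S507 (GRE then IPsec, versus IPsec directly with the Next Header set to GRE), the receiver dispatch of step S509, and the per-packet saving described above, written out as an added Python example (this is not the patent's own code). Assumptions: IPv4 throughout; the IPsec tunnel is ESP tunnel mode with the NULL cipher (RFC 2410) and HMAC-SHA1-96 integrity (RFC 2404), chosen so that the framing stays inspectable; a minimal 4-byte GRE header (RFC 2784) and a 20-byte outer IPv4 header, so the saving is 24 bytes rather than the 32 bytes of Figure 7; the SPI, key, addresses and sample packet are constructed.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

PROTO_IPIP, PROTO_GRE, PROTO_ESP = 4, 47, 50   # IANA IP protocol numbers
ETHERTYPE_IPV4 = 0x0800
ICV_LEN = 12                                   # HMAC-SHA1-96 truncates the MAC to 96 bits


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; the checksum is left at zero (irrelevant to the byte count)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def gre_encapsulate(inner_ip: bytes, src: str, dst: str) -> bytes:
    """Configured-tunnel (GRE) encapsulation: 4-byte GRE header plus a new outer IPv4 header."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4) + inner_ip
    return ipv4_header(src, dst, PROTO_GRE, len(gre)) + gre


def esp_tunnel_encapsulate(payload: bytes, next_header: int, spi: int, seq: int,
                           key: bytes, src: str, dst: str) -> bytes:
    """ESP tunnel mode, NULL cipher: outer IP | SPI | Seq | payload | pad | padlen | NH | ICV."""
    pad_len = (-(len(payload) + 2)) % 4          # RFC 4303: payload + pad + 2 trailer bytes aligned to 4
    body = (struct.pack("!II", spi, seq) + payload + bytes(range(1, pad_len + 1))
            + struct.pack("!BB", pad_len, next_header))
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return ipv4_header(src, dst, PROTO_ESP, len(body) + ICV_LEN) + body + icv


def esp_tunnel_decapsulate(pkt: bytes, key: bytes):
    """Verify the ICV, strip ESP, and return (next_header, payload). Raises on tampering."""
    if len(pkt) < 20 + 8 + 2 + ICV_LEN or pkt[9] != PROTO_ESP:
        raise ValueError("not an ESP packet")
    body, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]):
        raise ValueError("ESP integrity check failed")
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[8:len(body) - 2 - pad_len]


def encapsulate(inner_ip: bytes, skip_gre: bool, sa: dict) -> bytes:
    """Step S507. With GRE omitted, ESP wraps the original packet directly and its Next Header
    still carries the GRE identifier (47). Otherwise GRE + outer IP are added first and the
    ESP Next Header is IP-in-IP (4)."""
    if skip_gre:
        return esp_tunnel_encapsulate(inner_ip, PROTO_GRE, **sa)
    return esp_tunnel_encapsulate(gre_encapsulate(inner_ip, sa["src"], sa["dst"]), PROTO_IPIP, **sa)


def receive(pkt: bytes, sa: dict, skip_gre_negotiated: bool) -> bytes:
    """Step S509 onward: the IPsec module strips ESP and dispatches on Next Header. Only a peer
    that negotiated the omission hands Next Header 47 to the GRE module without a GRE header."""
    next_header, payload = esp_tunnel_decapsulate(pkt, sa["key"])
    if next_header == PROTO_GRE and skip_gre_negotiated:
        return payload                               # already the original packet
    if next_header == PROTO_IPIP and payload[9] == PROTO_GRE:
        return payload[20 + 4:]                      # strip outer IPv4 + minimal GRE header
    raise ValueError(f"cannot dispatch next header {next_header} without a negotiated skip")


def overhead_saved(inner_ip: bytes, sa: dict) -> int:
    """Bytes on the wire saved for this packet by omitting the GRE layer."""
    return len(encapsulate(inner_ip, False, sa)) - len(encapsulate(inner_ip, True, sa))


# Constructed sample: a 40-byte inner IPv4/UDP packet and one SA between the tunnel endpoints.
SAMPLE_INNER = ipv4_header("192.168.1.10", "192.168.2.20", 17, 20) + bytes(20)
SA = {"spi": 0x1001, "seq": 1, "key": b"constructed-example-key",
      "src": "203.0.113.1", "dst": "203.0.113.2"}

if __name__ == "__main__":
    print("bytes saved per packet:", overhead_saved(SAMPLE_INNER, SA))
    assert receive(encapsulate(SAMPLE_INNER, True, SA), SA, True) == SAMPLE_INNER
```

The last branch of receive() is the interoperability point: Next Header 47 with no GRE header behind it is meaningful only to a peer that completed the step S505 negotiation; any other receiver fails there or, worse, reads the first four bytes of the original IP header as a GRE header. The saving is exactly the omitted outer IPv4 header plus GRE header because ESP padding is computed on the 4-byte-aligned length of either payload.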
The order of the steps of the method of the invention may be adjusted according to actual needs.
The present invention also proposes a data encapsulation device applied in a system comprising a first device and a second device, the first device and the second device being IPsec peers that both support the IPsec protocol, with a configured tunnel and an IPsec tunnel between them. As shown in Figure 8, the device comprises a configured-tunnel module 81 and an IPsec tunnel module 82, wherein
the configured-tunnel module 81 is configured to determine whether the endpoints of the configured tunnel are identical to the endpoints of the IPsec tunnel, to negotiate with the second device according to the result of that determination, and to determine from the negotiation result whether configured-tunnel encapsulation is required.
The configured-tunnel module 81 further comprises:
a first determination submodule 811, configured to determine whether the source address of the configured tunnel is identical to the local address of the IPsec tunnel, and whether the destination address of the configured tunnel is identical to the remote address of the IPsec tunnel. The result is: when the source address of the configured tunnel differs from the local address of the IPsec tunnel and/or the destination address of the configured tunnel differs from the remote address of the IPsec tunnel, the first device determines that the endpoints of the configured tunnel are not identical to the endpoints of the IPsec tunnel; when the source address of the configured tunnel is identical to the local address of the IPsec tunnel and the destination address of the configured tunnel is identical to the remote address of the IPsec tunnel, the first device determines that the endpoints of the configured tunnel are identical to the endpoints of the IPsec tunnel.
a second determination submodule 812, configured to determine whether IPsec data encryption must be applied to the packet after configured-tunnel encapsulation.
a negotiation submodule 813, electrically connected to the first determination submodule 811 and the second determination submodule 812 respectively, configured to set a flag in the configured-tunnel header of a first instruction message, the flag indicating whether configured-tunnel encapsulation is required, and to send the first instruction message to the second device; and to receive a second instruction message from the second device and obtain the flag from the configured-tunnel header of the second instruction message;
when the endpoints of the configured tunnel are not identical to the endpoints of the IPsec tunnel and/or IPsec data encryption is not required for the packet after configured-tunnel encapsulation, the information on whether configured-tunnel encapsulation is required indicates that it is required;
when the endpoints of the configured tunnel are identical to the endpoints of the IPsec tunnel and IPsec data encryption is required for the packet after configured-tunnel encapsulation, the information on whether configured-tunnel encapsulation is required indicates that it is not required.
a determination submodule 814, electrically connected to the negotiation submodule 813, configured to determine that configured-tunnel encapsulation is not required when the flags carried in both the first instruction message and the second instruction message indicate that it is not required, and otherwise to determine that configured-tunnel encapsulation is required.
a trigger submodule 815, configured to trigger the IPsec tunnel to perform the IPsec negotiation, so that the configured-tunnel module can determine from the negotiation result whether the endpoints of the configured tunnel are identical to the endpoints of the IPsec tunnel.
The IPsec tunnel module 82 is electrically connected to the configured-tunnel module 81 and is configured, when configured-tunnel encapsulation is not required, to perform IPsec tunnel encapsulation on the received data packet and send the encapsulated packet to the second device.
Further, the IPsec tunnel module 82 comprises:
an encapsulation submodule 821, configured to perform IPsec tunnel encapsulation on the data packet, setting the Next Header of the data packet to the identifier of the configured tunnel;
a sending submodule 822, electrically connected to the encapsulation submodule 821, configured to send the packet encapsulated by the encapsulation submodule 821 to the second device;
a decapsulation submodule 823, configured to decapsulate the encapsulated packet received from the second device to obtain the original data packet, and to pass the data packet to the configured-tunnel module according to the identifier of the configured tunnel.
With the device provided by the present invention, because no configured-tunnel encapsulation is added, the encapsulated packet is shorter (for example 32 bytes shorter for the GRE tunnel), which improves the efficiency of IPsec encryption; because the original packet needs no configured-tunnel encapsulation in the tunnel local device and no tunnel decapsulation in the tunnel peer device, intermediate processing steps are removed, forwarding efficiency improves and device load falls; and because no tunnel encapsulation is added, the IPsec-encrypted packet is correspondingly shorter, reducing the bandwidth consumed in the intermediate network.
Each module of the device of the present invention may be integrated together or deployed separately; the modules above may be merged into one module or further split into multiple submodules.
From the description of the embodiments above, those skilled in the art will clearly understand that the present invention can be implemented in hardware, or in software together with the necessary general-purpose hardware platform. On that basis, the technical solution of the present invention can be embodied as a software product stored in a non-volatile storage medium (which may be a CD-ROM, USB flash drive, portable hard disk, etc.) and comprising instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform the method of the present invention.
The above is only a preferred embodiment of the present invention. It should be pointed out that those skilled in the art can make various improvements and modifications without departing from the principles of the invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the invention.
Those skilled in the art will appreciate that the modules of the device in the embodiments may be distributed in the device of the embodiment as described, or may be correspondingly changed and arranged in one or more devices different from the present embodiment. The modules of the above embodiment may be merged into one module or further split into multiple submodules.
The sequence numbers of the embodiments of the present invention above are for description only and do not indicate the merits of the embodiments.
The above discloses only several specific embodiments of the present invention, but the invention is not limited to them; any variation that those skilled in the art can conceive should fall within the scope of protection of the invention.

Claims (10)

1. A data encapsulation method, applied in a system comprising a first device and a second device, the first device and the second device being IPsec peers that both support the IPsec protocol, with a configured tunnel and an IPsec tunnel between the first device and the second device, characterized in that the method comprises the following steps:
the first device determines whether the endpoints of the configured tunnel are identical to the endpoints of the IPsec tunnel;
the first device negotiates with the second device according to the result of the determination, and determines from the negotiation result whether configured-tunnel encapsulation is required;
when configured-tunnel encapsulation is not required, the first device performs IPsec tunnel encapsulation on the received data packet and sends the encapsulated packet to the second device.
2. The method of claim 1, characterized in that the first device determining whether the endpoints of the configured tunnel are identical to the endpoints of the IPsec tunnel specifically comprises:
the first device determines whether the source address of the configured tunnel is identical to the local address of the IPsec tunnel, and whether the destination address of the configured tunnel is identical to the remote address of the IPsec tunnel;
the result of the determination is specifically: when the source address of the configured tunnel differs from the local address of the IPsec tunnel and/or the destination address of the configured tunnel differs from the remote address of the IPsec tunnel, the first device determines that the endpoints of the configured tunnel are not identical to the endpoints of the IPsec tunnel; or
when the source address of the configured tunnel is identical to the local address of the IPsec tunnel and the destination address of the configured tunnel is identical to the remote address of the IPsec tunnel, the first device determines that the endpoints of the configured tunnel are identical to the endpoints of the IPsec tunnel.
3. the method for claim 1 is characterized in that, described first equipment also comprises before holding consultation according to described judged result and described second equipment:
Described first equipment judges whether and need carry out the IPsec data encryption to the message after the described configured tunneling technique encapsulation;
Described first equipment is held consultation according to described judged result and described second equipment and is specifically comprised:
Described first equipment is provided with different signs in the configured tunneling technique heading of the first instruction message, described different sign represents whether to need to be configured the encapsulation in tunnel; And with described first the instruction message send to described second equipment;
Described first equipment receives the second instruction message from described second equipment, obtains the sign of configured tunneling technique heading in the described second instruction message;
When the end points in the end points of described configured tunneling technique and described IPsec tunnel inequality, and/or, when not needing that the message after the encapsulation of described configured tunneling technique carried out the IPsec data encryption, the described information that whether needs to be configured tunnel encapsulation is specially and need be configured tunnel encapsulation;
When the end points of described configured tunneling technique identical with the end points in described IPsec tunnel, and in the time of need carrying out the IPsec data encryption to the message after the encapsulation of described configured tunneling technique, the described information that whether needs to be configured tunnel encapsulation is specially and does not need to be configured tunnel encapsulation.
4. The method of claim 3, characterized in that deciding according to the negotiation result whether configured tunnel encapsulation is needed specifically comprises:
when the flags carried in the first indication packet and in the second indication packet both indicate that configured tunnel encapsulation is not needed, the first device decides that configured tunnel encapsulation is not needed; otherwise, the first device decides that configured tunnel encapsulation is needed.
5. the method for claim 1 is characterized in that, before whether the end points that described first equipment is judged described configured tunneling technique and the end points in described IPsec tunnel be identical, also comprises:
Described configured tunneling technique triggers described IPsec tunnel and carries out the negotiations process of IPsec, so that described first equipment judges according to negotiation result whether the end points of described configured tunneling technique is identical with the end points in described IPsec tunnel.
6. the method for claim 1 is characterized in that, the data message that described first equipment interconnection is received carries out the IPsec tunnel encapsulation and specifically comprises:
Described first equipment is packaged into next heading of described data message the sign of configured tunneling technique; According to the sign of described configured tunneling technique described data message is sent to the configured tunneling technique of described second equipment by the IPsec tunnel of described second equipment.
7. A data encapsulation device, applied in a system comprising a first device and a second device, where the first device and the second device are IPsec peers that both support the IPsec protocol, and where a configured tunnel and an IPsec tunnel exist between the first device and the second device, characterized in that the device comprises:
a configured tunnel module, configured to determine whether the endpoints of the configured tunnel are the same as the endpoints of the IPsec tunnel, to negotiate with the second device according to the determination result, and to decide according to the negotiation result whether configured tunnel encapsulation is needed; and
an IPsec tunnel module, connected to the configured tunnel module and configured to, when configured tunnel encapsulation is not needed, perform IPsec tunnel encapsulation on the received data packet and send the encapsulated packet to the second device.
8. The device of claim 7, characterized in that the configured tunnel module comprises:
a first determining submodule, configured to determine whether the source address of the configured tunnel is the same as the local address of the IPsec tunnel, and whether the destination address of the configured tunnel is the same as the remote address of the IPsec tunnel; the determination result is specifically: when the source address of the configured tunnel differs from the local address of the IPsec tunnel, and/or the destination address of the configured tunnel differs from the remote address of the IPsec tunnel, the first device determines that the endpoints of the configured tunnel differ from the endpoints of the IPsec tunnel; or, when the source address of the configured tunnel is the same as the local address of the IPsec tunnel, and the destination address of the configured tunnel is the same as the remote address of the IPsec tunnel, the first device determines that the endpoints of the configured tunnel are the same as the endpoints of the IPsec tunnel;
a second determining submodule, configured to determine whether the packet encapsulated by the configured tunnel needs IPsec data encryption;
a negotiating submodule, connected to the first determining submodule and to the second determining submodule respectively, configured to set one of two different flags in the configured tunnel header of a first indication packet, the different flags indicating whether configured tunnel encapsulation is needed, to send the first indication packet to the second device, to receive a second indication packet from the second device, and to obtain the flag from the configured tunnel header of the second indication packet;
when the endpoints of the configured tunnel differ from the endpoints of the IPsec tunnel, and/or the packet encapsulated by the configured tunnel does not need IPsec data encryption, the indication of whether configured tunnel encapsulation is needed specifically indicates that configured tunnel encapsulation is needed;
when the endpoints of the configured tunnel are the same as the endpoints of the IPsec tunnel, and the packet encapsulated by the configured tunnel needs IPsec data encryption, the indication of whether configured tunnel encapsulation is needed specifically indicates that configured tunnel encapsulation is not needed;
a deciding submodule, connected to the negotiating submodule, configured to decide that configured tunnel encapsulation is not needed when the flags carried in the first indication packet and in the second indication packet both indicate that configured tunnel encapsulation is not needed, and otherwise to decide that configured tunnel encapsulation is needed.
9. The device of claim 7, characterized in that the configured tunnel module further comprises:
a triggering submodule, configured to trigger the IPsec tunnel to carry out the IPsec negotiation process, so that the configured tunnel module determines according to the negotiation result whether the endpoints of the configured tunnel are the same as the endpoints of the IPsec tunnel.
10. The device of claim 7, characterized in that the IPsec tunnel module comprises:
an encapsulating submodule, configured to perform IPsec tunnel encapsulation on the data packet, encapsulating the identifier of the configured tunnel in the next-header field of the data packet;
a sending submodule, connected to the encapsulating submodule and configured to send the packet encapsulated by the encapsulating submodule to the second device;
a decapsulating submodule, configured to decapsulate an encapsulated packet received from the second device and, according to the identifier of the configured tunnel, to deliver the data packet to the configured tunnel module.
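As an added illustration (not code from the patent or its assignee), the endpoint check, flag setting, two-sided negotiation and single-encapsulation header stack of claims 2 to 6, which the submodules of claims 8 to 10 repeat, in Python. The Endpoints class, the dict layout standing in for the indication packet's configured tunnel header, and the header-stack list are assumptions; the addresses used in the tests are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Endpoints:
    """Address pair of a tunnel: source/local and destination/remote (assumed type)."""
    local: str
    remote: str

def endpoints_match(cfg: Endpoints, ipsec: Endpoints) -> bool:
    """Claim 2: the configured tunnel's source must equal the IPsec local address
    and its destination must equal the IPsec remote address."""
    return cfg.local == ipsec.local and cfg.remote == ipsec.remote

def local_flag(cfg: Endpoints, ipsec: Endpoints, ipsec_encrypts_cfg_traffic: bool) -> bool:
    """Claim 3: the flag one device puts in its indication packet.
    True = configured tunnel encapsulation needed. It is False only when the
    endpoints coincide AND the configured-tunnel traffic would be IPsec-encrypted."""
    return not (endpoints_match(cfg, ipsec) and ipsec_encrypts_cfg_traffic)

def indication_packet(flag: bool) -> dict:
    """The flag travels in the configured tunnel header of an indication packet
    (this dict layout is an assumed stand-in for the real header)."""
    return {"cfg_tunnel_header": {"encap_needed": flag}}

def needs_cfg_encapsulation(sent: dict, received: dict) -> bool:
    """Claim 4: encapsulation is skipped only if BOTH peers flagged 'not needed'."""
    return (sent["cfg_tunnel_header"]["encap_needed"]
            or received["cfg_tunnel_header"]["encap_needed"])

def encapsulate(payload: bytes, cfg_tunnel_id: int, need_cfg_encap: bool) -> list:
    """Header stack for one data packet, outermost first (assumed representation).
    Claim 6: when the configured tunnel header is omitted, the IPsec next-header
    field carries the configured tunnel's identifier so the peer can still
    deliver the packet to the right tunnel after decapsulation."""
    if need_cfg_encap:  # ordinary double encapsulation
        return [("ipsec", {"next_header": "cfg_tunnel"}),
                ("cfg_tunnel", {"id": cfg_tunnel_id}), payload]
    return [("ipsec", {"next_header": cfg_tunnel_id}), payload]  # single encapsulation

def negotiate(cfg_a: Endpoints, ipsec_a: Endpoints, enc_a: bool,
              cfg_b: Endpoints, ipsec_b: Endpoints, enc_b: bool) -> bool:
    """Both sides of the exchange; returns whether device A must keep the
    configured tunnel header (the rule is symmetric, so B gets the same answer)."""
    first = indication_packet(local_flag(cfg_a, ipsec_a, enc_a))   # A -> B
    second = indication_packet(local_flag(cfg_b, ipsec_b, enc_b))  # B -> A
    return needs_cfg_encapsulation(first, second)
```

A mismatch on either side (different endpoints, or a peer whose configured-tunnel traffic would not be encrypted by IPsec) forces both peers back to double encapsulation, which is what keeps the scheme from silently dropping the configured tunnel header on one side only.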
Application CN2009101477854A, priority date 2009-06-19, filing date 2009-06-19: Data encapsulation method and equipment thereof. Granted as CN101572644B (Active).
Publications (2)

CN101572644A, published 2009-11-04
CN101572644B, published 2011-06-08
Legal Events

C06 / PB01: Publication
C10 / SE01: Entry into substantive examination (entry into force of request for substantive examination)
C14 / GR01: Grant of patent or utility model
CP03: Change of name, title or address
Patentee before: Huasan Communication Technology Co., Ltd., 310053, No. 310, No. six road, Science and Technology Industrial Park, Hangzhou hi-tech Industrial Development Zone, Zhejiang Province (HUAWEI Hangzhou production base)
Patentee after: Xinhua three Technology Co., Ltd., 310052, No. 466 Changhe Road, Binjiang District, Zhejiang, China