CN101616084A - A kind of distributed IPSec load sharing device and method - Google Patents


Info

Publication number
CN101616084A
Authority
CN
China
Prior art keywords
packet
ipsec
co-processing card
line card
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN200910109059A
Other languages
Chinese (zh)
Inventor
杜勇
于洪涛
林晨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2009-07-29
Filing date
2009-07-29
Publication date
2009-12-30

Abstract

The present invention relates to a distributed IPSec load sharing device and method. The device comprises a line card and a co-processing card. The method is: a mapping table from the peer IP address of an IPSec tunnel to the corresponding co-processing card number is set up on the line card; when the line card receives an IPSec packet, it queries the mapping table to find the co-processing card number that handles the packet and forwards the packet to the co-processing card corresponding to that number for IPSec processing. The present invention can locate the co-processing card quickly, the load sharing algorithm is simple, inter-board communication is low, and line card forwarding performance is high.

Description

A kind of distributed IPSec load sharing device and method
Technical field
The present invention relates to the field of communications, and in particular to a distributed IPSec (Internet Protocol Security) load sharing device and method.
Background technology
At present the Internet has become the information infrastructure of society as a whole, enterprise applications are mostly based on IP (Internet Protocol), and building application systems on the Internet has become an inevitable trend. Among VPN (Virtual Private Network) technologies, IPSec, the VPN protocol at the IP layer, has become the best solution for building wide area networks because it is independent of the applications it carries: it greatly reduces the construction, operation and maintenance cost of a wide area network and strengthens the reliability and security of the network.
The IPSec protocol suite comprises IKE (Internet Key Exchange), AH (Authentication Header), ESP (Encapsulating Security Payload) and others. It is a group of protocols defined by the IETF (Internet Engineering Task Force) that provide security services at the IP layer; it lets a system select security protocols as needed, decide the algorithms a service uses, and put the keys the service requires in the appropriate place. IPSec is used to protect paths between one or more hosts, between security gateways, and between a security gateway and a host.
In VPN implementations based on IPSec, the routers that perform IPSec processing usually sit at the access and aggregation layers of the network and must support a large number of users. Besides routing and forwarding, they must also perform the encryption, decryption and verification work of IPSec; these are very time-consuming operations that consume a huge amount of system resources, far more than ordinary IP forwarding.
The main IPSec router implementations at present have the following problems:
1. IPSec routers that forward in CPU software occupy CPU resources, which leads to low operating efficiency and poor processing capability and affects normal IP forwarding;
2. Routers that implement IPSec forwarding with hardware acceleration or a network processor have somewhat better processing capability, but they are limited by hardware performance, are complex to implement, scale poorly, and the equipment cannot be upgraded in step with the growth of IPSec user traffic;
3. In distributed processing, ordinary IP forwarding is usually done on the line card while IPSec processing is done on a co-processing card. The load sharing algorithm is derived after a complex analysis of the data packet and of the IPSec SPDB (Security Policy Database) and SADB (Security Association Database); because the algorithm is too complex, it consumes a large share of the line card resources needed for basic forwarding and degrades the ordinary IP forwarding performance of the line card.
Summary of the invention
The technical problem solved by the present invention is to provide a distributed IPSec load sharing device and method that can locate the co-processing card quickly, with a simple load sharing algorithm, little inter-board communication, and high line card forwarding performance.
The invention discloses a distributed IPSec load sharing device comprising a line card and a co-processing card, wherein:
The line card is used to set up and maintain a mapping table from the peer IP address of an IPSec tunnel to the corresponding co-processing card number; and, when an IPSec packet is received, to look up in the mapping table the co-processing card number that handles the IPSec packet and forward the packet to the co-processing card corresponding to the number found;
The co-processing card is used to perform IPSec processing on the packets it receives.
The line card is further used, when the received IPSec packet is a plaintext packet, to match the packet against the IPSec tunnel configuration; when the received IPSec packet is a plaintext packet and no co-processing card number handling the packet is found, to discard the packet and trigger any co-processing card to perform IKE negotiation; and when the received IPSec packet is a packet to be decrypted and no co-processing card number handling the packet is found, to discard the packet;
The co-processing card is further used to perform Internet Key Exchange (IKE) negotiation; to store the security association (SA) of the locally negotiated IPSec tunnel; and to send the entry mapping the peer IP address of the locally negotiated IPSec tunnel to its own co-processing card number to all line cards.
The line card is further used to store the entries sent by the co-processing cards in the mapping table.
The present invention further discloses a distributed IPSec load sharing method: a mapping table from the peer IP address of an IPSec tunnel to the corresponding co-processing card number is set up on the line card; when the line card receives an IPSec packet, it queries the mapping table to find the co-processing card number that handles the packet and forwards the packet to the co-processing card corresponding to that number for IPSec processing.
If the IPSec packet received by the line card is a plaintext packet, the line card first matches the packet against the IPSec tunnel configuration and then, according to the peer IP address in that configuration, looks up the corresponding co-processing card number in the mapping table.
If the IPSec packet received by the line card is a packet to be decrypted, its source address is the peer IP address as seen locally, and the line card looks up the corresponding co-processing card number in the mapping table directly by the source address of the packet.
If the IPSec packet received by the line card is a plaintext packet and no corresponding co-processing card number is found in the mapping table, the packet is discarded and any co-processing card is triggered to perform IKE negotiation.
After being triggered, the co-processing card first performs IKE negotiation and generates the SA together with the entry mapping the peer IP address of the IPSec tunnel to its own co-processing card number; it then stores the SA and sends the entry to all line cards;
The line card stores the received entry in the mapping table.
The co-processing card maintains the SA and its lifetime; when the SA is deleted, it synchronously deletes the entry mapping the peer IP address of the SA's IPSec tunnel to its own co-processing card number and sends the deletion information to all line cards;
When a line card receives the deletion information it deletes the corresponding entry from the mapping table.
If the IPSec packet received by the line card is a packet to be decrypted and no corresponding co-processing card number is found in the mapping table, the packet is discarded.
After the co-processing card receives a packet, it performs IPSec processing on the packet, specifically:
it searches the SADB for the matching SA, encrypts or decrypts the received packet according to that SA, and encapsulates or decapsulates the encrypted or decrypted packet.
Using the fact that different IPSec tunnels have different peer IP addresses, the present invention achieves IPSec load sharing in a distributed system by storing on the line card a mapping table from the peer IP address of the IPSec tunnel to the corresponding co-processing card. The forwarding processing on the line card is simple, the co-processing card can be located quickly, the load sharing algorithm is simple, inter-board communication is low, and line card forwarding performance is high.
Description of drawings
Fig. 1 is a block diagram of the device of the present invention;
Fig. 2 is a flow chart of the method of the present invention.
Embodiment
The present invention is described in further detail below with reference to the drawings and the preferred embodiments.
As shown in Fig. 1, the block diagram of the device of the present invention, assume in this embodiment that the device comprises N line cards and M co-processing cards;
The line card is used to set up and maintain a mapping table (map table) from the peer IP address of an IPSec tunnel to the corresponding co-processing card number; when an IPSec packet is received, to look up in the map table the co-processing card number that handles the IPSec packet and forward the packet to the co-processing card corresponding to the number found; when the received IPSec packet is a plaintext packet, to match the packet against the IPSec tunnel configuration; when the received IPSec packet is a plaintext packet and no co-processing card number handling the packet is found, to discard the packet and trigger any co-processing card to perform Internet Key Exchange (IKE) negotiation; when the received IPSec packet is a packet to be decrypted and no co-processing card number handling the packet is found, to discard the packet; and to store the entries sent by the co-processing cards in the map table.
The co-processing card is used to perform IPSec processing on the packets it receives; to perform IKE negotiation; to store the SA of the locally negotiated IPSec tunnel; and to send the entry mapping the peer IP address of the locally negotiated IPSec tunnel to its own co-processing card number to all line cards, the co-processing card sending the entry to the line cards over the inter-board communication channel.
As shown in Fig. 2, the flow chart of the method of the present invention, assume that the line card has already set up the mapping table (map table) from the peer IP address of an IPSec tunnel to the corresponding co-processing card number; the method comprises the following steps:
Step 201: the line card receives an IPSec packet;
Step 202: determine the type of the packet; if it is a plaintext packet, go to step 203; if it is a packet to be decrypted, go to step 205;
Step 203: match the packet against the IPSec tunnel configuration;
Step 204: according to the peer IP address in that configuration, look up in the local map table the co-processing card number that handles the packet; if found, go to step 206; otherwise go to step 207;
Step 205: according to the source address of the packet, look up in the local map table the co-processing card number that handles the packet; if found, go to step 206; otherwise go to step 208;
Step 206: forward the packet to the co-processing card corresponding to the card number found for IPSec processing;
After the co-processing card receives the packet, it performs IPSec processing on it, specifically:
it searches the SADB for the matching SA, encrypts or decrypts the received packet according to that SA, and encapsulates or decapsulates the encrypted or decrypted packet; after that there are two options:
(1) the packet is returned directly to the line card that forwarded it, and that line card performs the route lookup for the packet;
(2) the co-processing card performs the route lookup itself and sends the packet to the line card of the output interface found; that line card directly outputs the IPSec-processed packet it receives.
Step 207: discard the packet and trigger any co-processing card to perform IKE negotiation;
After being triggered, the co-processing card can perform IKE negotiation and generate the SA together with the entry mapping the peer IP address of the IPSec tunnel to its own co-processing card number; it then stores the SA and sends the entry to all line cards;
The line card stores the received entry in the mapping table for use when the next packet is received.
Step 208: discard the packet.
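The line card dispatch of steps 201 to 208, together with the entry push after IKE and the entry withdrawal on SA deletion described in the summary, as an added Python simulation that is not part of the patent or of any ZTE code: the tunnel configuration, the rule for which co-processing card is triggered, the SPI and lifetime values and the sample addresses are constructed assumptions, and the cryptography is replaced by result labels.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed sample tunnel configuration (assumption): a plaintext packet is matched
# to a tunnel by destination prefix, which yields that tunnel's peer IP address.
TUNNEL_CONFIG = {"10.1.0.0/16": "203.0.113.10", "10.2.0.0/16": "203.0.113.20"}

# kind is "plaintext" (to be encrypted) or "encrypted" (to be decrypted)
Packet = namedtuple("Packet", "src dst kind")

class CoProcessingCard:
    # Runs IKE, keeps the SADB and performs the (simulated) IPSec processing.
    def __init__(self, card_no, line_cards):
        self.card_no, self.line_cards = card_no, line_cards
        self.sadb = {}        # peer IP -> SA record
        self.ike_runs = 0

    def negotiate(self, peer_ip):
        # Triggered by a line card: run IKE, store the SA, then push the
        # (peer IP -> this card's number) entry to ALL line cards.
        self.ike_runs += 1
        self.sadb[peer_ip] = {"spi": 0x1000 + self.ike_runs, "lifetime": 3600}
        for lc in self.line_cards:
            lc.map_table[peer_ip] = self.card_no

    def delete_sa(self, peer_ip):
        # SA deleted (e.g. lifetime expired): remove it and withdraw the entry everywhere.
        self.sadb.pop(peer_ip, None)
        for lc in self.line_cards:
            lc.map_table.pop(peer_ip, None)

    def process(self, pkt, peer_ip):
        # Find the matching SA, then encrypt/encapsulate or decrypt/decapsulate;
        # the cryptography itself is replaced by a result label in this simulation.
        sa = self.sadb[peer_ip]
        return f"esp:spi={sa['spi']:#x}" if pkt.kind == "plaintext" else "decrypted"

class LineCard:
    # Holds only the peer-IP -> co-processing-card map; no SPDB/SADB analysis here.
    def __init__(self, co_cards):
        self.map_table = {}   # peer IP -> co-processing card number
        self.co_cards, self.dropped = co_cards, 0

    def match_tunnel(self, pkt):
        # Step 203: match the plaintext packet against the IPSec tunnel configuration.
        for prefix, peer_ip in TUNNEL_CONFIG.items():
            if ip_address(pkt.dst) in ip_network(prefix):
                return peer_ip
        return None

    def receive(self, pkt):
        # Steps 201-208 of the flow chart.
        if pkt.kind == "plaintext":
            peer_ip = self.match_tunnel(pkt)
            if peer_ip is None:
                return "not-ipsec"       # no tunnel configured: plain IP forwarding (assumption)
            card_no = self.map_table.get(peer_ip)                 # step 204
            if card_no is None:
                self.dropped += 1                                 # step 207: drop and trigger IKE
                chosen = len(self.map_table) % len(self.co_cards) # on "any" card (choice is an assumption)
                self.co_cards[chosen].negotiate(peer_ip)
                return "dropped"
        else:
            peer_ip = pkt.src                                     # step 205: source address is the peer
            card_no = self.map_table.get(peer_ip)
            if card_no is None:
                self.dropped += 1                                 # step 208: drop, no IKE triggered
                return "dropped"
        return self.co_cards[card_no].process(pkt, peer_ip)       # step 206

def simulate():
    # Two line cards and two co-processing cards; returns the outcome of each step.
    co_cards = []
    lc1, lc2 = LineCard(co_cards), LineCard(co_cards)
    co_cards.extend(CoProcessingCard(i, [lc1, lc2]) for i in range(2))
    r = {"first_plaintext": lc1.receive(Packet("10.0.0.5", "10.1.2.3", "plaintext"))}
    r["table_synced"] = lc1.map_table == lc2.map_table == {"203.0.113.10": 0}
    r["second_plaintext"] = lc2.receive(Packet("10.0.0.5", "10.1.2.3", "plaintext"))
    r["encrypted_known"] = lc2.receive(Packet("203.0.113.10", "192.0.2.1", "encrypted"))
    r["encrypted_unknown"] = lc1.receive(Packet("203.0.113.20", "192.0.2.1", "encrypted"))
    r["ike_runs"] = [c.ike_runs for c in co_cards]
    co_cards[0].delete_sa("203.0.113.10")
    r["after_delete"] = lc2.receive(Packet("203.0.113.10", "192.0.2.1", "encrypted"))
    return r
```

The first plaintext packet misses on line card 1 and is dropped while IKE runs on a co-processing card; because the resulting entry is pushed to every line card, the same flow then hits on line card 2 without any further inter-board exchange, and an encrypted packet from an unknown peer is dropped without triggering IKE.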
The above are only the preferred embodiments of the present invention and do not limit it; those skilled in the art can make various changes and variations to the present invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall be included within its scope of protection.

Claims (10)

1. A distributed Internet Protocol Security (IPSec) load sharing device, characterized in that the device comprises a line card and a co-processing card, wherein:
the line card is used to set up and maintain a mapping table from the peer Internet Protocol (IP) address of an IPSec tunnel to the corresponding co-processing card number; and, when an IPSec packet is received, to look up in the mapping table the co-processing card number that handles the IPSec packet and forward the packet to the co-processing card corresponding to the number found;
the co-processing card is used to perform IPSec processing on the packets it receives.
2. The distributed IPSec load sharing device as claimed in claim 1, characterized in that the line card is further used, when the received IPSec packet is a plaintext packet, to match the packet against the IPSec tunnel configuration; when the received IPSec packet is a plaintext packet and no co-processing card number handling the packet is found, to discard the packet and trigger any co-processing card to perform Internet Key Exchange (IKE) negotiation; and when the received IPSec packet is a packet to be decrypted and no co-processing card number handling the packet is found, to discard the packet;
the co-processing card is further used to perform Internet Key Exchange (IKE) negotiation; to store the security association (SA) of the locally negotiated IPSec tunnel; and to send the entry mapping the peer IP address of the locally negotiated IPSec tunnel to its own co-processing card number to all line cards.
3. The distributed IPSec load sharing device as claimed in claim 2, characterized in that the line card is further used to store the entries sent by the co-processing cards in the mapping table.
4. A distributed IPSec load sharing method, characterized in that a mapping table from the peer IP address of an IPSec tunnel to the corresponding co-processing card number is set up on the line card; when the line card receives an IPSec packet, it queries the mapping table to find the co-processing card number that handles the packet and forwards the packet to the co-processing card corresponding to that number for IPSec processing.
5. The distributed IPSec load sharing method as claimed in claim 4, characterized in that, if the IPSec packet received by the line card is a plaintext packet, the line card first matches the packet against the IPSec tunnel configuration and then, according to the peer IP address in that configuration, looks up the corresponding co-processing card number in the mapping table.
6. The distributed IPSec load sharing method as claimed in claim 4, characterized in that, if the IPSec packet received by the line card is a packet to be decrypted, the source address of the packet is the peer IP address as seen locally, and the line card looks up the corresponding co-processing card number in the mapping table directly by the source address of the packet.
7. The distributed IPSec load sharing method as claimed in claim 4 or 5, characterized in that, if the IPSec packet received by the line card is a plaintext packet and no corresponding co-processing card number is found in the mapping table, the packet is discarded and any co-processing card is triggered to perform IKE negotiation.
8. The distributed IPSec load sharing method as claimed in claim 7, characterized in that, after being triggered, the co-processing card first performs IKE negotiation and generates the SA together with the entry mapping the peer IP address of the IPSec tunnel to its own co-processing card number; it then stores the SA and sends the entry to all line cards;
the line card stores the received entry in the mapping table.
9. The distributed IPSec load sharing method as claimed in claim 4 or 6, characterized in that, if the IPSec packet received by the line card is a packet to be decrypted and no corresponding co-processing card number is found in the mapping table, the packet is discarded.
10. The distributed IPSec load sharing method as claimed in claim 4, characterized in that, after the co-processing card receives a packet, it performs IPSec processing on the packet, specifically:
it searches the security association database (SADB) for the matching SA, encrypts or decrypts the received packet according to that SA, and encapsulates or decapsulates the encrypted or decrypted packet.
Application CN200910109059A, priority date 2009-07-29, filing date 2009-07-29: A kind of distributed IPSec load sharing device and method, Pending, published as CN101616084A (en)


Publications (1)

Publication Number Publication Date
CN101616084A true CN101616084A (en) 2009-12-30

Family

ID=41495503



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Open date: 20091230