CN101917294B - Method and equipment for updating anti-replay parameter during master and slave switching - Google Patents


Info

Publication number: CN101917294B
Authority: CN (China)
Prior art keywords: ipsec, replay, sequence number, inbound, host apparatus
Legal status: Active
Application number: CN2010102608206A
Other languages: Chinese (zh)
Other versions: CN101917294A (en)
Inventor: 毛昱
Current Assignee: New H3C Technologies Co Ltd
Original Assignee: Hangzhou H3C Technologies Co Ltd
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN2010102608206A
Publication of CN101917294A
Application granted
Publication of CN101917294B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
Abstract

The invention discloses a method and equipment for updating anti-replay parameters during an active/standby switchover. During the switchover, the new master device sets its IPSec SAs to invalid, obtains the anti-replay window and anti-replay sequence number from the peer device of the IPSec tunnel to update the anti-replay window and anti-replay sequence number of its own IPSec SAs, and sets the corresponding IPSec SAs to valid after the update is finished so that data can be processed. The new master device thereby obtains a true and reliable anti-replay window and anti-replay sequence number, and the security of data transmission is ensured.

Description

Method and apparatus for updating anti-replay parameters during an active/standby switchover
Technical field
The present invention relates to the field of communications, and in particular to a method and apparatus for updating anti-replay parameters during an active/standby switchover.
Background art
IPSec (IP Security, Internet Protocol Security) is an open IP-layer security framework protocol defined by the IETF (Internet Engineering Task Force). IPSec is a Layer 3 tunneling protocol: it protects and authenticates the IP packets exchanged between the devices participating in IPSec, and can therefore provide security protection for the transmission of sensitive data.
IPSec protects data through SAs (Security Associations). An IPSec SA determines how communication data is protected, which communication data is protected, and who performs the protection. The IPSec SA is the basis, and indeed the essence, of the IPSec protocol. An IPSec SA defines the agreement between the two communicating parties, for example which protocol is used, the operating mode of that protocol, the shared key used to protect the data, the encryption algorithm, the particular flow being protected, and the lifetime of the key. An IPSec SA is uniquely identified by a triple consisting of the Security Parameter Index (SPI), the destination IP address, and the security protocol.
IPSec provides multiple security services, including confidentiality, integrity and authenticity of packets as well as anti-replay; the anti-replay function is a critical function of IPSec. A replayed packet is a packet that has already been processed. IPSec detects replayed packets through a sliding-window (anti-replay window) mechanism: if the sequence number of a received packet is identical to the sequence number of a packet that has already been decapsulated, or the sequence number is too old, that is, it falls outside the range of the anti-replay window, the packet is considered a replay. Decapsulating a replayed packet serves no purpose, and because decapsulation involves cryptographic operations that consume large amounts of device resources, replayed packets lower service availability and in effect constitute a denial-of-service attack. By enabling IPSec anti-replay detection, packets detected as replays are dropped before decapsulation, reducing the consumption of device resources.
The anti-replay function of IPSec mainly involves two parameters: the anti-replay sequence number (Sequence Number Counter) and the anti-replay window (Anti-Replay Window). The anti-replay sequence number is inserted into the packet header when an IPSec packet is sent; it starts at 1 and is incremented for every packet, so each IPSec packet carries a different anti-replay sequence number. According to RFC 4301 section 4.4.2.1, and as shown in Figure 1, the anti-replay window is a 64-bit bitmap used on receipt of IPSec packets to judge whether a packet is a replay. When a packet with a particular anti-replay sequence number is received, the device sets the corresponding bit of the anti-replay window to 1. If a packet with the same anti-replay sequence number is received later, the device checks the corresponding bit in the window; because the bit is already set to 1, the device knows that it has received this packet before, treats it as a replay, and applies anti-replay handling. If the anti-replay sequence number of a received IPSec packet lies beyond the right edge of the anti-replay window, the right edge of the window slides to the newest anti-replay sequence number. If the anti-replay sequence number of a received IPSec packet lies beyond the left edge of the window, packets have been reordered and such a packet has spent too long in transit over the network and is at risk of having been tampered with, so it is also dropped.
The anti-replay function of IPSec is widely adopted, including in dual-device hot backup. IPSec in dual-device hot backup is applied in one of two modes: active/standby mode and load-balancing mode. In active/standby mode one of the two devices acts as the master device and the other as the standby device; only the master device processes IPSec traffic, and when the master device fails the standby device is promoted to master and takes over the work of the original master. In the other mode, load-balancing mode, both devices process IPSec traffic. In active/standby mode, IPSec SA information must be synchronized between the two devices: after the master device generates an IPSec SA, it must synchronize that SA to the standby device. While an IPSec SA processes traffic, its anti-replay window and anti-replay sequence number are updated in real time, and both parameters must be synchronized to the standby device in a timely manner so that the standby can operate normally when it is promoted to master. If the anti-replay window is not synchronized in time, the new master device cannot correctly judge after the switchover whether the IPSec packets it receives are replays, which affects security. If the anti-replay sequence number is not synchronized in time, the sequence numbers that the new master device inserts into the IPSec packets it encapsulates after the switchover may, from the peer device's point of view, fall to the left of the peer's anti-replay window, so the packets are dropped and data forwarding is interrupted.
To synchronize the anti-replay window and anti-replay sequence number in IPSec dual-device hot backup, the prior art provides a synchronization mode in which the master device synchronizes the window and sequence number to the standby device on every update. Because a mechanism that synchronizes on every packet has a huge impact on IPSec forwarding performance and puts great pressure on the hot-backup channel, the prior art improves on this mode by synchronizing periodically (for example every 0.5 seconds) or after a fixed number of packets (for example every 10000 packets), which relieves the backup pressure.
To avoid the situation where a switchover occurs between two synchronization cycles and the anti-replay sequence number remains at the last synchronized value, the new master device, after the switchover, actively adds the synchronization interval (for example 10000) to the anti-replay sequence number of its IPSec SA. The anti-replay window cannot be advanced actively, so its value equals the last synchronized value, and the IPSec packets entering the new master device then update the window.
However, under the prior-art mode of synchronizing the anti-replay window and sequence number, the backup messages between master and standby may be lost, so that after the switchover the anti-replay sequence number obtained by the new master device after adding the interval may lie outside the left edge of the peer device's anti-replay window, and the packets sent by the new master fail the peer's anti-replay check. Furthermore, the anti-replay window of the new master device is not updated in time after the switchover, which brings a potential security risk: the new master may be unable to judge whether the IPSec packets it receives are replays, so the security of data transmission is low.
Summary of the invention
The invention provides a method and apparatus for updating anti-replay parameters during an active/standby switchover, to solve the problem of low data-transmission security during the active/standby switchover in IPSec dual-device hot backup.
The invention provides a method for updating anti-replay parameters during an active/standby switchover, applied in a system comprising a master device and a standby device, the system supporting the Internet Protocol Security (IPSec) protocol. When the standby device switches to become the new master device, the method comprises:
setting the IPSec Security Associations (SAs) in the inbound and outbound directions of the new master device to invalid;
the new master device querying the peer device of the IPSec tunnel for the peer device's outbound IPSec SA anti-replay sequence number and inbound IPSec SA anti-replay window right edge;
the new master device updating the inbound IPSec SA anti-replay window right edge of the IPSec tunnel on the new master device according to the queried outbound IPSec SA anti-replay sequence number, and updating the anti-replay sequence number of the outbound IPSec SA of the IPSec tunnel on the new master device according to the queried inbound IPSec SA anti-replay window right edge;
after the update of the inbound IPSec SA anti-replay window right edge and/or the outbound IPSec SA anti-replay sequence number is finished, the new master device setting the corresponding IPSec SA to valid.
The new master device queries the peer device of the IPSec tunnel for its outbound IPSec SA anti-replay sequence number and inbound IPSec SA anti-replay window right edge by sending an Internet Key Exchange (IKE) query message to the peer device; the IKE query message carries a field identifying the anti-replay window and the anti-replay sequence number.
The peer device, according to that field, looks up its outbound IPSec SA anti-replay sequence number and inbound IPSec SA anti-replay window right edge and returns the information to the new master device in an IKE response message.
Setting the IPSec SAs in the inbound and outbound directions of the new master device to invalid comprises:
setting the inbound and outbound IPSec SAs of all IPSec tunnels, or of part of the IPSec tunnels, of the new master device to invalid.
After the IPSec SAs in the inbound and outbound directions of the new master device have been set to invalid, the new master device buffers the data received on the inbound direction and the data waiting to be sent on the outbound direction of those IPSec SAs.
The method further comprises:
the master device synchronizing to the standby device, according to the configured policy, the IPSec SA information other than the IPSec SA anti-replay sequence number and anti-replay window right edge.
An apparatus for updating anti-replay parameters during an active/standby switchover, applied as the standby device in a system comprising a master device and a standby device, the system supporting the Internet Protocol Security (IPSec) protocol, the apparatus comprising:
a setting unit, configured to set the IPSec SAs in the inbound and outbound directions to invalid when the apparatus switches to become the new master device, and to set the corresponding IPSec SA to valid after the update of the inbound IPSec SA anti-replay window right edge and/or the outbound IPSec SA anti-replay sequence number is finished;
a query unit, connected to the setting unit, configured to query the peer device of the IPSec tunnel for the peer device's outbound IPSec SA anti-replay sequence number and inbound IPSec SA anti-replay window right edge;
an updating unit, connected to the query unit and the setting unit, configured to update the inbound IPSec SA anti-replay window right edge of the IPSec tunnel according to the outbound IPSec SA anti-replay sequence number obtained by the query unit, and to update the anti-replay sequence number of the outbound IPSec SA of the IPSec tunnel according to the inbound IPSec SA anti-replay window right edge obtained by the query unit.
The query unit is further configured to:
send an IKE query message to the peer device of the IPSec tunnel, the IKE query message carrying a type field identifying the anti-replay window and the anti-replay sequence number;
receive the IKE response message sent by the peer device, the IKE response message carrying the peer device's outbound IPSec SA anti-replay sequence number and inbound IPSec SA anti-replay window right edge.
The setting unit is further configured to:
set the inbound and outbound IPSec SAs of all IPSec tunnels, or of part of the IPSec tunnels, to invalid.
The apparatus further comprises a storage unit, connected to the setting unit, configured to store the inbound and outbound data of an IPSec SA after the setting unit has set that SA's inbound and outbound directions to invalid.
The apparatus further comprises a response unit, configured, after receiving an IKE query message sent by the peer device of the IPSec tunnel, to send, according to the type field carried in the query message identifying the anti-replay window and anti-replay sequence number, an IKE response message carrying the apparatus's own outbound IPSec SA anti-replay sequence number and inbound IPSec SA anti-replay window right edge.
Compared with the prior art, the present invention has at least the following advantages:
In the invention, the new master device sets its IPSec SAs to invalid at the time of the active/standby switchover, obtains the anti-replay window and anti-replay sequence number from the peer device of the IPSec tunnel to update the anti-replay window and anti-replay sequence number of its own IPSec SAs, and sets the corresponding IPSec SAs to valid after the update is finished to resume data processing. The new master device thereby obtains a true and reliable anti-replay window and anti-replay sequence number, which ensures the security of data transmission. In addition, because the new master device can obtain a true and reliable anti-replay window and anti-replay sequence number from the peer device at the time of the switchover, the original master device, while operating normally, does not need to periodically synchronize the anti-replay window and anti-replay sequence number to the standby device, which saves network resources.
Description of drawings
Fig. 1 is a schematic diagram of the anti-replay window of the IPSec protocol in the prior art;
Fig. 2 is a schematic diagram of the IPSec dual-device hot backup system to which the method for updating anti-replay parameters during an active/standby switchover provided by the embodiment of the invention is applied;
Fig. 3 is a flow diagram of the method for updating anti-replay parameters during an active/standby switchover provided by the embodiment of the invention;
Fig. 4 is a structural diagram of the apparatus for updating anti-replay parameters during an active/standby switchover provided by the embodiment of the invention.
Embodiment
In view of the security problem that synchronizing the anti-replay window and sequence number may cause in prior-art IPSec dual-device hot backup, the embodiment of the invention provides a scheme for updating anti-replay parameters during an active/standby switchover. In this scheme, the anti-replay window and sequence number of the IPSec SA are not synchronized in real time; instead, at the time of the switchover, the new master device obtains them from the peer device of the IPSec tunnel, so that the new master device obtains a true and reliable anti-replay window and anti-replay sequence number and the security of data transmission is ensured.
The embodiment of the invention provides a method for updating anti-replay parameters during an active/standby switchover. The method is introduced below using an IPSec dual-device hot backup system as an example. As shown in Figure 2, the system comprises master device Router A, standby device Router B and peer device Router C; under normal conditions, data is transferred between Router A and Router C through an IPSec tunnel. During normal operation Router A may synchronize to the standby device, according to the configured policy, the IPSec SA information other than the IPSec SA anti-replay sequence number and anti-replay window right edge, for example using the periodic synchronization of the prior art, but it does not need to synchronize the IPSec SA anti-replay window and anti-replay sequence number. When an active/standby switchover occurs, the new master device is Router B, and data must then be transferred between Router B and Router C through the IPSec tunnel. Specifically, as shown in Figure 3, the method comprises the following steps:
Step 301: during the IPSec dual-device hot backup active/standby switchover, Router B sets its inbound and outbound IPSec SAs to invalid and sends a query message to Router C, the peer device of the IPSec tunnel, to query the anti-replay window and anti-replay sequence number.
Specifically, Router B may have multiple IPSec tunnels, and each IPSec tunnel corresponds to an inbound and an outbound IPSec SA on the device. The parameters of the inbound IPSec SA include the anti-replay window, which is used for anti-replay checking of received packets; the parameters of the outbound IPSec SA include the anti-replay sequence number, which is used for anti-replay on sent packets.
At the switchover, Router B sets the inbound and outbound IPSec SAs of the IPSec tunnel to invalid and temporarily stops processing the tunnel's traffic until the update of the inbound IPSec SA's anti-replay window and/or the outbound IPSec SA's anti-replay sequence number is finished. Here Router B may set the IPSec SAs of all IPSec tunnels to invalid at the same time, or may set the IPSec SAs of part of the tunnels to invalid selectively according to a preset policy, for example polling through the tunnels to update the IPSec SA parameters of each tunnel in turn.
To query the peer device of the IPSec tunnel for the anti-replay window and anti-replay sequence number, the embodiment of the invention provides an IKE (Internet Key Exchange) query message. The exchange of the query message and response message between Router B and Router C is as follows:
Sender (transmit leg) Responder (response party)
-------- -----------
HDR*,NOTIFY(HA-REPLAY-WINDOW),
NOTIFY(HA-SEQ-NUM),
HASH ------>
<------HDR*,NOTIFY(HA-REPLAY-WINDOW),
NOTIFY(HA-SEQ-NUM),
HASH
The embodiment of the invention uses the existing IKE query message format and sets, in its query parameter field, the type fields identifying the anti-replay window and the anti-replay sequence number: HA-REPLAY-WINDOW indicates that the query message requests the anti-replay window (for example the right edge of the anti-replay window), and HA-SEQ-NUM indicates that the query message requests the anti-replay sequence number.
Step 302: Router C, the peer device, on receiving the query message returns to Router B its outbound IPSec SA anti-replay sequence number and inbound IPSec SA anti-replay window right edge.
Specifically, Router C learns from the query message that the peer is requesting its own outbound IPSec SA anti-replay sequence number and inbound IPSec SA anti-replay window right edge. The parameter values are transmitted in Notification Payloads whose notify types are HA-REPLAY-WINDOW (carrying the anti-replay window right edge) and HA-SEQ-NUM (carrying the anti-replay sequence number), as shown in the Responder's response message in step 301.
It should be noted that the query message and response message provided by the embodiment are merely one concrete message format for obtaining the anti-replay window and anti-replay sequence number; other message formats for obtaining the anti-replay window and anti-replay sequence number that a person of ordinary skill in the art could derive from them still fall within the scope protected by the embodiment of the invention.
Step 303: Router B obtains the outbound IPSec SA anti-replay sequence number of Router C and uses that value to update the anti-replay window right edge of the corresponding inbound IPSec SA on Router B.
After the update is finished, Router B may set the inbound IPSec SA to valid and begin receiving and processing the traffic of that IPSec SA.
Step 304: Router B obtains the inbound IPSec SA anti-replay window right edge of Router C and uses that value to update the anti-replay sequence number of Router B's outbound IPSec SA.
After the update is finished, Router B may set the outbound IPSec SA to valid and begin sending the traffic of that IPSec SA.
It should be noted that, preferably, Router B sets the corresponding inbound and outbound IPSec SAs to valid and begins processing traffic only after both the anti-replay window update of step 303 and the anti-replay sequence number update of step 304 are finished. Alternatively, after either the anti-replay window update of step 303 or the anti-replay sequence number update of step 304 is finished, Router B may set the IPSec SA of that direction to valid and begin processing traffic in that one direction. Optionally, after setting the inbound and outbound IPSec SAs to invalid, Router B may allocate a buffer to hold the inbound and outbound data of the IPSec SAs that have been set to invalid.
In addition, Router B may have multiple IPSec tunnels; preferably, after finishing the update of the inbound IPSec SA anti-replay window and outbound IPSec SA anti-replay sequence number of each IPSec tunnel, Router B sets that tunnel's inbound and outbound IPSec SAs to valid and processes data through that tunnel.
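As an added example (not code from the patent or from H3C), the following Python models the 64-bit sliding anti-replay window described in the background section and replays the switchover scenario: it compares the prior-art recovery (last synced counter plus the 10000-packet interval, window left at its last synced value) with the query-based update of steps 301 to 304. The Peer class, the simulate() function, the lost-backup counts and the dictionary form of the notify payloads are constructed assumptions; marking every bit of the rebuilt inbound window as received is an added conservative choice that the page does not specify.

```python
"""Sliding-window anti-replay check (64-bit bitmap, RFC 4301 4.4.2.1 style) and a
model of the IPSec hot-backup switchover. Constructed example; not code from the
patent or from H3C, and simplified (no ICV, no ESN, one SA pair per direction)."""

WINDOW_SIZE = 64                    # bitmap width used by the page
SYNC_INTERVAL = 10000               # prior-art backup every 10000 packets (page example)
_MASK = (1 << WINDOW_SIZE) - 1


class AntiReplayWindow:
    """Inbound SA state: `right` is the highest sequence number accepted, and bit k
    of `bitmap` records whether sequence number `right - k` was received."""

    def __init__(self, right=0, bitmap=0):
        self.right = right
        self.bitmap = bitmap & _MASK

    @property
    def left(self):
        return self.right - WINDOW_SIZE + 1

    def check_and_update(self, seq):
        """True and record seq if acceptable; False for a replay or for a packet
        older than the left edge (both are dropped before decapsulation)."""
        if seq <= 0:
            return False                      # the counter starts at 1
        if seq > self.right:                  # newer than anything seen: slide right edge
            self.bitmap = ((self.bitmap << (seq - self.right)) | 1) & _MASK
            self.right = seq
            return True
        if seq < self.left:
            return False                      # beyond the left edge: too old
        bit = 1 << (self.right - seq)
        if self.bitmap & bit:
            return False                      # already received: replay
        self.bitmap |= bit
        return True


class Peer:
    """Router C: outbound counter plus inbound window for one IPSec tunnel."""

    def __init__(self):
        self.out_seq = 0
        self.inbound = AntiReplayWindow()

    def send(self):
        self.out_seq += 1
        return self.out_seq

    def answer_query(self):
        """Responder side of step 302: notify payloads named after the page's
        HA-SEQ-NUM and HA-REPLAY-WINDOW types (their encoding is not on the page)."""
        return {"HA-SEQ-NUM": self.out_seq, "HA-REPLAY-WINDOW": self.inbound.right}


def prior_art_switchover(synced_seq, synced_window):
    """Prior art: add the backup interval to the last synced counter; the window
    stays at its last synced value because it cannot be advanced without traffic."""
    return synced_seq + SYNC_INTERVAL, AntiReplayWindow(synced_window.right, synced_window.bitmap)


def patent_switchover(peer):
    """Steps 301-304: SAs stay invalid while the peer is queried; the peer's outbound
    counter becomes our inbound right edge and the peer's inbound right edge becomes
    our outbound counter. Setting all bits is an added conservative choice (the page
    only specifies the right edge): the peer has already emitted those numbers."""
    reply = peer.answer_query()
    return reply["HA-REPLAY-WINDOW"], AntiReplayWindow(reply["HA-SEQ-NUM"], _MASK)


def simulate(lost_syncs):
    """Router A and Router C exchange traffic; A backs its counter and window up to
    Router B every SYNC_INTERVAL packets. The first backup arrives, the next
    `lost_syncs` backups are lost, then A fails. Returns whether B's first packet
    passes C's window and whether a recorded C packet replayed at B is accepted."""
    peer, a_out, a_in = Peer(), 0, AntiReplayWindow()
    synced_seq, synced_win = 0, AntiReplayWindow()
    total = SYNC_INTERVAL * (1 + lost_syncs)
    replayed = None                           # a C->A sequence number recorded mid-run
    for i in range(1, total + 1):
        a_out += 1
        peer.inbound.check_and_update(a_out)  # A -> C
        a_in.check_and_update(peer.send())    # C -> A
        if i == SYNC_INTERVAL:                # only the first backup message arrives
            synced_seq, synced_win = a_out, AntiReplayWindow(a_in.right, a_in.bitmap)
        if i == total - SYNC_INTERVAL // 2:
            replayed = peer.out_seq
    results = {}
    for name, (b_out, b_in) in {
        "prior_art": prior_art_switchover(synced_seq, synced_win),
        "patent": patent_switchover(peer),
    }.items():
        c_check = AntiReplayWindow(peer.inbound.right, peer.inbound.bitmap)
        results[name + "_outbound_accepted"] = c_check.check_and_update(b_out + 1)
        results[name + "_replay_accepted"] = b_in.check_and_update(replayed)
    return results


if __name__ == "__main__":
    for lost in (0, 1, 2):
        print(lost, "lost backups:", simulate(lost))
```

simulate(2) shows both failure modes from the background section at once: the prior-art counter lands left of Router C's window, and a packet recorded between backups is accepted as new by Router B, while the query-based update passes both checks.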
In the embodiment of the invention, the new master device sets its IPSec SAs to invalid at the time of the active/standby switchover, obtains the anti-replay window and anti-replay sequence number from the peer device of the IPSec tunnel to update the anti-replay window and anti-replay sequence number of its own IPSec SAs, and sets the corresponding IPSec SAs to valid after the update is finished to resume data processing. The new master device thereby obtains a true and reliable anti-replay window and anti-replay sequence number, which ensures the security of data transmission. In addition, because in the embodiment the new master device can obtain a true and reliable anti-replay window and anti-replay sequence number from the peer device at the time of the switchover, the original master device, while operating normally, does not need to periodically synchronize the anti-replay window and anti-replay sequence number to the standby device, which saves network resources.
The embodiment of the invention provides an apparatus for updating anti-replay parameters during an active/standby switchover, applied as the standby device in a system comprising a master device and a standby device, the system supporting the Internet Protocol Security (IPSec) protocol. As shown in Figure 4, the apparatus comprises:
a setting unit 11, configured to set the IPSec SAs in the inbound and outbound directions to invalid when the apparatus switches to become the new master device, and to set the corresponding IPSec SA to valid after the update of the inbound IPSec SA anti-replay window right edge and/or the outbound IPSec SA anti-replay sequence number is finished;
a query unit 12, connected to the setting unit 11, configured to query the peer device of the IPSec tunnel for the peer device's outbound IPSec SA anti-replay sequence number and inbound IPSec SA anti-replay window right edge;
an updating unit 13, connected to the query unit 12 and the setting unit 11, configured to update the inbound IPSec SA anti-replay window right edge of the IPSec tunnel according to the outbound IPSec SA anti-replay sequence number obtained by the query unit 12, and to update the anti-replay sequence number of the outbound IPSec SA of the IPSec tunnel according to the inbound IPSec SA anti-replay window right edge obtained by the query unit 12.
The query unit 12 is further configured to:
send an IKE query message to the peer device of the IPSec tunnel, the IKE query message carrying a type field identifying the anti-replay window and the anti-replay sequence number;
receive the IKE response message sent by the peer device, the IKE response message carrying the peer device's outbound IPSec SA anti-replay sequence number and inbound IPSec SA anti-replay window right edge.
The setting unit 11 is further configured to:
set the inbound and outbound IPSec SAs of all IPSec tunnels, or of part of the IPSec tunnels, to invalid.
The apparatus further comprises a storage unit 14, connected to the setting unit 11, configured to store the inbound and outbound data of an IPSec SA after the setting unit 11 has set that SA's inbound and outbound directions to invalid.
The apparatus further comprises a response unit 15, configured, after receiving an IKE query message sent by the peer device of the IPSec tunnel, to send, according to the type field carried in the query message identifying the anti-replay window and anti-replay sequence number, an IKE response message carrying the apparatus's own outbound IPSec SA anti-replay sequence number and inbound IPSec SA anti-replay window right edge.
In the embodiment of the invention, the new master device sets its IPSec SAs to invalid at the time of the active/standby switchover, obtains the anti-replay window and anti-replay sequence number from the peer device of the IPSec tunnel to update the anti-replay window and anti-replay sequence number of its own IPSec SAs, and sets the corresponding IPSec SAs to valid after the update is finished to resume data processing, so that the new master device obtains a true and reliable anti-replay window and anti-replay sequence number and the security of data transmission is ensured. In addition, because the new master device can obtain a true and reliable anti-replay window and anti-replay sequence number from the peer device at the time of the switchover, the original master device, while operating normally, does not need to periodically synchronize the anti-replay window and anti-replay sequence number to the standby device, which saves network resources.
Through the description of the above embodiments, those skilled in the art can clearly understand that the present invention may be implemented by software plus the necessary general-purpose hardware platform, or of course by hardware alone, although the former is in many cases the better implementation. Based on this understanding, the technical solution of the invention, or the part of it that contributes to the prior art, may be embodied as a software product stored on a storage medium and comprising instructions that cause a computing device (which may be a personal computer, a server, a network device, etc.) to perform the method described in each embodiment of the invention.
Those skilled in the art will appreciate that the drawings are schematic diagrams of a preferred embodiment, and that the modules or flows shown in the drawings are not necessarily required to implement the invention.
Those skilled in the art will appreciate that the modules of the apparatus in the embodiments may be distributed in the apparatus as described in the embodiments, or may be changed accordingly and located in one or more apparatuses different from the present embodiment. The modules of the above embodiment may be merged into one module or further split into multiple sub-modules.
The numbering of the above embodiments of the invention is for description only and does not indicate the quality of the embodiments.
The above discloses only several specific embodiments of the invention; the invention is not limited thereto, and any variation that those skilled in the art can conceive should fall within the protection scope of the invention.

Claims (10)

1. A method for updating anti-replay parameters during an active/standby switchover, applied to a system comprising a master device and a standby device, the system supporting the Internet Protocol Security (IPsec) protocol, wherein under normal conditions the master device transmits data with a peer device through an IPsec tunnel, characterised in that, when the standby device switches to become the new master device, the method comprises:
setting the IPsec security associations (SAs) of the inbound direction and the outbound direction of the new master device to invalid;
the new master device querying the peer device of the IPsec tunnel for the outbound IPsec SA anti-replay sequence number and the inbound IPsec SA anti-replay window right edge of the peer device;
the new master device updating the inbound IPsec SA anti-replay window right edge of the IPsec tunnel on the new master device according to the queried outbound IPsec SA anti-replay sequence number, and updating the anti-replay sequence number of the outbound IPsec SA of the IPsec tunnel on the new master device according to the queried inbound IPsec SA anti-replay window right edge; and
after the new master device has finished updating the anti-replay window right edge of the inbound IPsec SA and/or the anti-replay sequence number of the outbound IPsec SA, setting the corresponding IPsec SA to valid.
2. The method of claim 1, characterised in that the new master device queries the peer device of the IPsec tunnel for the outbound IPsec SA anti-replay sequence number and the inbound IPsec SA anti-replay window right edge of the peer device by sending an Internet Key Exchange (IKE) query message to the peer device of the IPsec tunnel, the IKE query message carrying a field identifying the anti-replay window and the anti-replay sequence number; and
the peer device looks up its outbound IPsec SA anti-replay sequence number and inbound IPsec SA anti-replay window right edge according to that field, and returns the queried information to the new master device in an IKE response message.
3. The method of claim 1 or claim 2, characterised in that setting the IPsec SAs of the inbound direction and the outbound direction of the new master device to invalid comprises:
setting the inbound and outbound IPsec SAs of all IPsec tunnels, or of some IPsec tunnels, of the new master device to invalid.
4. The method of claim 1 or claim 2, characterised in that, after the IPsec SAs of the inbound direction and the outbound direction of the new master device have been set to invalid, the new master device buffers the data received on the inbound direction of that IPsec SA and the data to be sent on its outbound direction.
5. The method of claim 1 or claim 2, characterised by further comprising:
the master device synchronising, according to a configured policy, the IPsec SA information other than the IPsec SA anti-replay sequence number and the anti-replay window right edge to the standby device.
6. A device for updating anti-replay parameters during an active/standby switchover, applied to a system comprising a master device and a standby device, the system supporting the Internet Protocol Security (IPsec) protocol, wherein under normal conditions the master device transmits data with a peer device through an IPsec tunnel, characterised in that the device comprises:
a setting unit, configured to set the IPsec security associations (SAs) of the inbound direction and the outbound direction to invalid when the device switches to become the new master device, and to set the corresponding IPsec SA to valid after the anti-replay window right edge of the inbound IPsec SA and/or the anti-replay sequence number of the outbound IPsec SA has been updated;
a query unit, connected to the setting unit, configured to query the peer device of the IPsec tunnel for the outbound IPsec SA anti-replay sequence number and the inbound IPsec SA anti-replay window right edge of the peer device; and
an updating unit, connected to the query unit and the setting unit, configured to update the inbound IPsec SA anti-replay window right edge of the IPsec tunnel on the device itself according to the outbound IPsec SA anti-replay sequence number obtained by the query unit, and to update the anti-replay sequence number of the outbound IPsec SA of the IPsec tunnel on the device itself according to the inbound IPsec SA anti-replay window right edge obtained by the query unit.
7. The device of claim 6, characterised in that the query unit is further configured to:
send an Internet Key Exchange (IKE) query message to the peer device of the IPsec tunnel, the IKE query message carrying a type field identifying the anti-replay window and the anti-replay sequence number; and
receive the IKE response message sent by the peer device, the IKE response message carrying the outbound IPsec SA anti-replay sequence number and the inbound IPsec SA anti-replay window right edge of the peer device.
8. The device of claim 6 or claim 7, characterised in that the setting unit is further configured to:
set the inbound and outbound IPsec SAs of all IPsec tunnels, or of some IPsec tunnels, to invalid.
9. The device of claim 6 or claim 7, characterised by further comprising a storage unit, connected to the setting unit, configured to store the data of the IPsec SA on the inbound direction and the outbound direction after the setting unit has set the IPsec SAs of the inbound direction and the outbound direction to invalid.
10. The device of claim 6 or claim 7, characterised by further comprising a response unit, configured, after receiving an IKE query message sent by the peer device of the IPsec tunnel, to send an IKE response message carrying the device's own outbound IPsec SA anti-replay sequence number and inbound IPsec SA anti-replay window right edge, according to the type field identifying the anti-replay window and the anti-replay sequence number carried in the IKE query message.
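The switchover procedure of claims 1 to 5, worked through as an added example that is not part of the patent or of its applicant's code. A standby device that has just become master marks its IPsec SAs invalid, buffers the traffic that arrives in the meantime, asks the tunnel peer for the peer's outbound sequence number and inbound window right edge, adopts them crosswise (the peer's outbound number becomes the new master's inbound right edge, the peer's inbound edge becomes the new master's outbound counter), and only then marks the SAs valid and drains the buffers. The class and function names, the constructed "ANTI_REPLAY" message type standing in for the IKE query field, the 64-bit window and the choice to restart the window bitmap empty are all assumptions of this example, not details from the patent; the scenario values are constructed.

```python
# Added example (not the patent's code): a Python model of the failover anti-replay
# resync in claims 1-5; message fields and the window size are constructed.
from dataclasses import dataclass, field

WINDOW_SIZE = 64  # constructed; RFC 4303 requires at least 32, recommends 64


@dataclass
class InboundSA:
    """Sliding anti-replay window: ``right`` is the highest accepted sequence
    number (right edge); bit i of ``bitmap`` is set if ``right - i`` was seen."""
    right: int = 0
    bitmap: int = 0
    valid: bool = True

    def accept(self, seq: int) -> bool:
        """True if seq is fresh; False for replay, left of window, 0, or invalid SA."""
        if not self.valid or seq == 0:
            return False
        if seq > self.right:                    # advance the window
            shift = seq - self.right
            self.bitmap = 1 if shift >= WINDOW_SIZE else (
                ((self.bitmap << shift) | 1) & ((1 << WINDOW_SIZE) - 1))
            self.right = seq
            return True
        diff = self.right - seq
        if diff >= WINDOW_SIZE or self.bitmap & (1 << diff):
            return False
        self.bitmap |= 1 << diff
        return True


@dataclass
class OutboundSA:
    seq: int = 0            # last sequence number used on this SA
    valid: bool = True

    def next_seq(self) -> int:
        self.seq += 1
        return self.seq


@dataclass
class Device:
    inbound: InboundSA = field(default_factory=InboundSA)
    outbound: OutboundSA = field(default_factory=OutboundSA)
    pending_in: list = field(default_factory=list)    # buffered while SA invalid
    pending_out: list = field(default_factory=list)

    def receive(self, seq: int) -> bool:
        """Inbound path: buffer while the SA is invalid (claim 4), else replay-check."""
        if not self.inbound.valid:
            self.pending_in.append(seq)
            return False
        return self.inbound.accept(seq)

    def send(self, payload: str):
        """Outbound path: sequence number used, or None if the payload was buffered."""
        if not self.outbound.valid:
            self.pending_out.append(payload)
            return None
        return self.outbound.next_seq()

    def answer_query(self, query: dict) -> dict:
        """Peer role (claim 10): report own outbound seq and inbound right edge."""
        assert query.get("type") == "ANTI_REPLAY"   # constructed IKE field name
        return {"type": "ANTI_REPLAY", "outbound_seq": self.outbound.seq,
                "inbound_window_right": self.inbound.right}


def failover_resync(new_master: Device, peer: Device, in_flight=(), queued=()):
    """Claims 1, 2 and 4 on the new master; returns (inbound right edge, outbound seq)."""
    new_master.inbound.valid = new_master.outbound.valid = False  # step 1: invalid
    for seq in in_flight:                       # traffic during the query is buffered
        new_master.receive(seq)
    for payload in queued:
        new_master.send(payload)
    resp = peer.answer_query({"type": "ANTI_REPLAY"})             # step 2: query
    # step 3: the peer's outbound seq bounds what we may receive; its inbound edge
    # bounds what we send next.  Only the edge is synced, so the bitmap restarts empty.
    new_master.inbound.right = resp["outbound_seq"]
    new_master.inbound.bitmap = 0               # assumption: no per-packet history
    new_master.outbound.seq = resp["inbound_window_right"]
    new_master.inbound.valid = new_master.outbound.valid = True   # step 4: valid
    while new_master.pending_in:                                  # drain buffers
        new_master.receive(new_master.pending_in.pop(0))
    while new_master.pending_out:
        new_master.pending_out.pop(0)
        new_master.outbound.next_seq()
    return new_master.inbound.right, new_master.outbound.seq


def demo() -> dict:
    """Constructed scenario: peer sent 1000 packets and accepted 500 from the old master."""
    peer = Device(InboundSA(right=500, bitmap=1), OutboundSA(seq=1000))
    naive_rejected = not peer.receive(Device().send("x"))   # unsynced master sends seq 1
    new_master = Device()
    right, seq = failover_resync(new_master, peer, in_flight=[1001, 1002], queued=["q"])
    return {"right": right, "seq": seq,
            "replay_rejected": not new_master.receive(1001),
            "fresh_accepted": new_master.receive(1003),
            "naive_rejected": naive_rejected,
            "peer_accepts_next": peer.receive(new_master.send("y"))}
```

The `naive_rejected` line shows the failure the method addresses: a new master whose counters start at zero sends sequence number 1, which lies far to the left of the peer's window and is dropped as a replay. After `failover_resync` the buffered packets 1001 and 1002 are accepted exactly once, a second copy of 1001 is rejected, and the new master's next outbound packet (502) is accepted by the peer. One limit is worth noting: because only the right edge is carried, a sequence number inside the window that the old master already accepted cannot be told apart from a late in-flight packet, so each such number can be accepted once more by the new master; a tighter resync would have to carry the bitmap as well.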
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010102608206A CN101917294B (en) 2010-08-24 2010-08-24 Method and equipment for updating anti-replay parameter during master and slave switching

Publications (2)

Publication Number Publication Date
CN101917294A CN101917294A (en) 2010-12-15
CN101917294B true CN101917294B (en) 2012-03-14

Family

ID=43324691

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010102608206A Active CN101917294B (en) 2010-08-24 2010-08-24 Method and equipment for updating anti-replay parameter during master and slave switching

Country Status (1)

Country Link
CN (1) CN101917294B (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103107973A (en) * 2011-11-09 2013-05-15 中兴通讯股份有限公司 High availability method and high availability device for achieving security protocol
CN102769572B (en) * 2012-07-30 2014-12-24 福建星网锐捷网络有限公司 Message anti-replay method, message anti-replay device and network device
CN102891850A (en) * 2012-09-25 2013-01-23 汉柏科技有限公司 Method for preventing parameter resetting in IPSec (IP Security) channel updating
CN103118017B (en) * 2013-01-21 2016-02-03 杭州华三通信技术有限公司 Safeguard that the local terminal of IKE SA sends method and the device of the MessageID of message
CN104935597B (en) * 2015-06-17 2018-08-24 新华三技术有限公司 Replay Window control method and device
CN106487802B (en) * 2016-11-07 2019-09-17 杭州迪普科技股份有限公司 The method for detecting abnormal and device of IPSec SA based on DPD agreement
CN107332885A (en) * 2017-06-19 2017-11-07 杭州迪普科技股份有限公司 The method and apparatus that a kind of IPSec VPN realize two-node cluster hot backup
CN107733807B (en) * 2017-09-20 2020-04-03 新华三信息安全技术有限公司 Message anti-replay method and device
CN108322330B (en) * 2017-12-26 2021-03-02 成都卫士通信息产业股份有限公司 IPSEC VPN serial number and anti-replay window synchronization method and device
CN116192412A (en) * 2021-11-26 2023-05-30 华为技术有限公司 Method and device for preventing replay of message

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101442471A (en) * 2008-12-31 2009-05-27 杭州华三通信技术有限公司 Method for implementing backup and switch of IPSec tunnel, system and node equipment, networking architecture
CN101577725A (en) * 2009-06-26 2009-11-11 杭州华三通信技术有限公司 Message synchronization method of anti-replay mechanism, device and system thereof

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8065726B2 (en) * 2007-05-14 2011-11-22 Intel Corporation Scalable anti-replay windowing

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.
Patentee after: Xinhua three Technology Co., Ltd.
Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base
Patentee before: Huasan Communication Technology Co., Ltd.