IKE negotiation processing method and device
Technical field
The present invention relates to network technology, and in particular to an IKE negotiation processing method and device.
Background technology
A VPN (Virtual Private Network) is defined as a temporary, secure connection established over a public network (normally the Internet): a secure, stable tunnel that passes through a chaotic public network. A virtual private network establishes trusted, secure connections between the in-house network of a company and its branch offices, business partners and suppliers, and ensures the secure transmission of data.
IPSec (Internet Protocol Security) is an open standard framework that guarantees confidential and secure communication on IP networks by using encrypted security services. IPSec is not a single protocol; it provides a whole set of architecture for network data security applied at the IP layer, comprising the Authentication Header (AH) network authentication protocol, the Encapsulating Security Payload (ESP), the Internet Key Exchange (IKE) key management protocol, and a number of algorithms for network authentication and encryption. IPSec specifies how peer layers select security protocols, determine security algorithms and exchange keys, and provides upper layers with network security services such as access control, data source authentication and data encryption.
The existing RFC standards specify that IKE (Internet Key Exchange protocol) negotiation is carried out over UDP using the well-known port numbers 500 and 4500, and that the message format used for negotiation is ISAKMP (Internet Security Association and Key Management Protocol). The IKE protocol is responsible for key management: it defines how communicating entities authenticate each other, negotiate encryption algorithms and generate a shared session key. IKE stores the result of key negotiation in a Security Association (SA) for use in the subsequent AH (Authentication Header) and ESP (Encapsulating Security Payload) communication.
The IKE negotiation process is divided into two phases. The first phase has two modes, main mode and aggressive mode; its purpose is to establish the IKE SA, and the authenticated keying material it establishes is the precondition for all other exchanges. The second phase is quick mode, which negotiates security services for IPSec and establishes the IPSec SA that protects the actual application data. In practice most deployments use main mode followed by quick mode, and one such negotiation needs at least 9 UDP messages between initiator and responder to complete: first-phase main mode needs 6 UDP messages and second-phase quick mode needs 3. In existing computer program implementations, IKE negotiation is typically realized with socket programming: a UDP datagram socket listens on port 500 and port 4500, receives and sends the messages of each negotiation phase, and thereby implements the IPSec VPN function.
However, in existing IKE implementations based on UDP socket programming there is generally only a single process that receives and sends IKE negotiation messages. On both sides of a negotiation, the local end and the remote end are each a single process that both receives and sends messages and performs the concrete processing of each message. As noted above, a complete main mode plus quick mode negotiation needs at least 9 UDP messages, all handled by that single process. When only a small number of connections are configured between the two sides, a single process is still adequate.
But in medium and large networks, IKE is mostly deployed in a star topology, with one center gateway and multiple branch gateways. Several tunnels may further be set up between each branch and the center according to service needs. To keep tunnels secure, IKE also has a timeout mechanism, so that a new tunnel is renegotiated every few hours. The IPSec performance requirements at the center gateway are therefore very high: IKE negotiation must be fast and the encryption/decryption after negotiation must also be fast, so that communication data across the whole network is secure and reliable. The more branches there are, the more pronounced the drawback of handling IKE negotiation at the center with a single process becomes. In addition, under the C/S (client/server) model of IPSec VPN, users connect to the center gateway through an IPSec VPN client on a PC, mobile phone or other mobile device; when a large number of users all connect at almost the same time during some period of the working day, the IPSec VPN center faces a peak of IKE negotiation, and if negotiation is not fast enough, user work and user experience are directly affected.
Summary of the invention
In view of this, the invention provides an IKE negotiation processing device, applied on a network device, comprising a listening transceiver unit and multiple IKE processing units, wherein:
the listening transceiver unit listens on a predetermined UDP receiving port to obtain IKE negotiation messages sent by IKE peers, and sends to the IKE peer the IKE negotiation messages that the IKE processing units need to send;
the IKE processing unit performs IKE negotiation processing on received IKE messages and, when it needs to send an IKE negotiation message, submits the message to be sent to the listening transceiver unit;
wherein the listening transceiver unit is further used to look up a message allocation table according to the origin marking of a received IKE negotiation message; if an IKE processing unit corresponding to this origin marking is found, the IKE negotiation message is distributed to the IKE processing unit found; if no corresponding IKE processing unit is found, one is selected from the multiple IKE processing units according to a predefined rule and the IKE negotiation message is distributed to the selected IKE processing unit.
The present invention also provides an IKE negotiation processing method, applied on a network device, comprising the following steps:
A. in a host process, listen on a predetermined UDP receiving port to obtain IKE negotiation messages sent by IKE peers, and send to the IKE peer the IKE negotiation messages that need to be sent;
B. in multiple subprocesses, perform IKE negotiation processing on the received IKE messages and, when an IKE negotiation message needs to be sent, submit the message to be sent to the host process;
wherein step A further comprises: look up a message allocation table according to the origin marking of the received IKE negotiation message; if a subprocess corresponding to this origin marking is found, distribute the IKE negotiation message to the subprocess found; if no corresponding subprocess is found, select one from the multiple subprocesses according to a predefined rule and distribute the IKE negotiation message to the selected subprocess.
The present invention separates the listening for IKE negotiation messages from their processing, so that the system can use more resources (such as multiple processes) to handle the IKE negotiation process. This improves the system's processing performance for IKE negotiation and allows it to handle bursts of large numbers of IKE negotiations with ease.
Brief description of the drawings
Fig. 1 is a logical block diagram of an IKE negotiation device of the present invention.
Fig. 2 is a framework diagram of an IKE negotiation method of the present invention.
Detailed description of the invention
Referring to Fig. 1 and Fig. 2, the realization of the present invention is introduced taking a computer program embodiment as an example. The invention provides an IKE negotiation processing device applied on a network device, comprising a listening transceiver unit and multiple IKE processing units; in operation, one receive-and-send cycle of IKE messages commonly comprises the following steps:
Step 101: the listening transceiver unit listens on a predetermined UDP receiving port to obtain an IKE negotiation message sent by an IKE peer.
Step 102: the listening transceiver unit looks up the message allocation table according to the origin marking of the IKE negotiation message; if an IKE processing unit corresponding to this origin marking is found, go to step 103, otherwise go to step 104.
Step 103: distribute the IKE negotiation message to the IKE processing unit found.
Step 104: select one IKE processing unit from the multiple IKE processing units according to a predefined rule, and distribute the IKE negotiation message to the selected IKE processing unit.
Step 105: the IKE processing unit performs IKE negotiation processing on the received IKE message and, when an IKE negotiation message needs to be sent, submits the message to be sent to the listening transceiver unit.
Step 106: the listening transceiver unit sends the IKE negotiation message to be sent to the IKE negotiation peer.
Referring to Fig. 2, in a preferred embodiment the IKE processing units are subprocesses created by the listening transceiver unit acting as the host process, where the host process assigns each subprocess a subprocess identifier (ID) used to distinguish the subprocesses. As stated in the background, a network device acting as center gateway may be connected to multiple branch gateways (such as 1 to n), mobile phone clients (k, j) and PC clients (m, g); the IKE negotiation device on the center gateway therefore needs to process a large number of IKE negotiation messages from different sources simultaneously. The present invention benefits from a distributed service processing model: it separates listening and processing into two service processes to realize a multi-process processing mode, avoids the restriction of the single process used in the prior art, and makes full use of the processing resources on the network device.
The host process is responsible for receiving and sending IKE negotiation messages, where reception is realized by listening on a predetermined UDP port (normally well-known port 500). Once the host process receives a negotiation message it immediately looks up the message allocation table, which is blank initially and mainly records the correspondence between negotiation messages of different sources and the multiple subprocesses. Referring to Table 1, which takes the source IP address of the message as the origin marking by way of example, the host process looks up Table 1 by the source IP address of the negotiation message. If no entry is hit, the message is regarded as an IKE negotiation message from a new source, or in other words the first message of a new IKE session, and the host process then selects one subprocess from the multiple subprocesses according to a predefined rule to be responsible for processing the current IKE negotiation message. The host process may select the subprocess with a predefined rule such as a polling (round-robin) algorithm or a random algorithm.
Origin marking      Subprocess ID
192.168.1.5         1
10.10.1.5           2
123.123.101.12      7
......              ......
Table 1
Furthermore, the host process can monitor the service load of all subprocesses. When the service load of every subprocess exceeds an upper limit, for example when each subprocess has been assigned IKE negotiations from 20 sources, the host process can continue to create new subprocesses and distribute the IKE messages currently awaiting processing to the newly created subprocess. In this way the host process dynamically adjusts in real time how the network device's processing resources are allocated to IKE negotiation, avoiding the problems of insufficient or restricted processing resources. In a multi-core system each subprocess can also be bound to run on a different CPU core, making full use of the advantages of the multi-core system for IKE negotiation, while the host process only needs to concentrate on receiving and sending messages. Such a design brings a great improvement in performance compared to the traditional mode in which a single process (which can only run on one CPU core) both sends and receives messages and performs the IKE protocol processing.
The subprocess is responsible for processing the IKE negotiation messages assigned to it; this part can be realized with reference to mature technology, and the present invention places no special requirements on the processing procedure. Conventionally IPSec negotiation is divided into two phases: the first phase negotiation authenticates the identity of the other party and provides a secure and reliable channel for the second phase negotiation; the second phase mainly negotiates the security parameters of IPSec and produces the keys actually used to encrypt traffic. Unlike the prior art, the subprocess of the present invention does not send negotiation messages directly to the IKE peer in either phase, but sends them to the host process, which is uniformly responsible for transmitting messages.
Continuing to refer to Fig. 1, when the C/S model of IPSec is enabled and a client connects to the center gateway, a virtual IP address must be allocated to the client. Because all subprocesses on the center gateway share the same virtual IP address pool, the present invention needs corresponding special handling here so that each subprocess shares the virtual IP address pool information and different subprocesses are prevented from allocating the same virtual IP address twice. For example, using the shared memory mode of inter-process communication, the IP addresses in the virtual IP address pool are all mapped into a section of shared memory; each subprocess finds an available virtual IP address in shared memory, marks it as in use, and then allocates it to the client. After the client exits, the subprocess that processed the IKE negotiation messages of this client reclaims the virtual IP address allocated to it, puts it back into shared memory and updates its mark to available, so that the reclaimed virtual IP address can be used again by other subprocesses. In addition, in actual use, the upper limit of the number of subprocesses can be configured manually according to the actual conditions of the network topology where the device is located and the actual demand for connection count, thereby regulating the IKE negotiation processing capability.
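The host-process dispatch described in steps 102 to 104, with the message allocation table of Table 1, round-robin selection, the 20-sources-per-subprocess threshold and the manually configured subprocess cap, as an added example that is not part of the patent. The class and method names, the cap value, the fallback to the least-loaded subprocess once the cap is reached, and the ISAKMP header length check performed before dispatch are assumptions; subprocesses are represented by their IDs only.

```python
import struct

# RFC 2408 ISAKMP header: initiator/responder SPI, next payload, version,
# exchange type, flags, message ID, total length (28 bytes)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
PER_WORKER_LIMIT = 20   # sources per subprocess before the host spawns another (from the text)
MAX_WORKERS = 8         # manually configured cap on subprocess count (assumed value)


def is_plausible_isakmp(datagram):
    """Host-side sanity check (assumed, not from the text) before a datagram reaches a subprocess."""
    return len(datagram) >= ISAKMP_HDR.size and ISAKMP_HDR.unpack_from(datagram)[-1] == len(datagram)


class Dispatcher:
    """Host-process side: message allocation table (Table 1) plus subprocess selection."""

    def __init__(self, initial_workers=2, per_worker_limit=PER_WORKER_LIMIT, max_workers=MAX_WORKERS):
        self.workers = list(range(1, initial_workers + 1))  # subprocess IDs assigned by the host
        self.load = {wid: 0 for wid in self.workers}         # sources currently owned by each subprocess
        self.table = {}                                      # origin marking (source IP) -> subprocess ID
        self.per_worker_limit, self.max_workers, self._next = per_worker_limit, max_workers, 0

    def _select_worker(self):
        # Step 104 predefined rule: round-robin over subprocesses with spare capacity; when all
        # are at the limit, spawn a new one until the cap, then (assumption) use the least loaded.
        if all(self.load[w] >= self.per_worker_limit for w in self.workers):
            if len(self.workers) >= self.max_workers:
                return min(self.workers, key=self.load.__getitem__)
            wid = self.workers[-1] + 1
            self.workers.append(wid)
            self.load[wid] = 0
            return wid
        while True:
            wid = self.workers[self._next % len(self.workers)]
            self._next += 1
            if self.load[wid] < self.per_worker_limit:
                return wid

    def dispatch(self, src_ip, datagram):
        """Steps 102-104: subprocess ID that handles this message, or None if it is dropped."""
        if not is_plausible_isakmp(datagram):
            return None
        wid = self.table.get(src_ip)
        if wid is None:                  # table miss: first message of a new IKE session
            wid = self._select_worker()
            self.table[src_ip] = wid
            self.load[wid] += 1
        return wid

    def release(self, src_ip):
        """Remove a finished or timed-out session so the table and per-worker load stay bounded."""
        wid = self.table.pop(src_ip, None)
        if wid is not None:
            self.load[wid] -= 1
```

Keying the table on source IP alone, as Table 1 does, places every peer behind one NAT on the same subprocess; the origin marking can also include the UDP source port or the ISAKMP initiator SPI when finer distribution is needed.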
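The shared-memory virtual IP pool described above, as an added example that is not part of the patent: one flag byte per pool address lives in shared memory and a process-shared lock makes the find-and-mark step atomic, so two subprocesses cannot hand out the same address. The class name, the use of multiprocessing.Array, the flag encoding and the constructed pool range are assumptions.

```python
import ipaddress
import multiprocessing

FREE, IN_USE = 0, 1


class SharedVipPool:
    """Virtual IP pool shared by all IKE subprocesses: flags live in shared memory and the
    array's lock serialises find-and-mark across processes (assumed design, not the patent's)."""

    def __init__(self, network):
        self.hosts = list(ipaddress.ip_network(network).hosts())
        self.index = {host: i for i, host in enumerate(self.hosts)}
        # Zero-initialised shared byte array (all FREE); lock=True gives a process-shared RLock.
        self.flags = multiprocessing.Array("B", len(self.hosts), lock=True)

    def allocate(self):
        """Subprocess side: claim the first FREE address and return it, or None if exhausted."""
        with self.flags.get_lock():             # no other subprocess can scan or mark meanwhile
            raw = self.flags.get_obj()
            for i in range(len(raw)):
                if raw[i] == FREE:
                    raw[i] = IN_USE
                    return self.hosts[i]
        return None

    def release(self, address):
        """Called by the subprocess that served the client when the client exits."""
        i = self.index.get(ipaddress.ip_address(address))
        if i is None:                           # not from this pool: refuse rather than corrupt a flag
            return False
        with self.flags.get_lock():
            self.flags.get_obj()[i] = FREE
        return True


def _client_worker(pool, count, out):
    # Runs in a child process: serve `count` clients and report the addresses handed out.
    out.put([str(pool.allocate()) for _ in range(count)])


if __name__ == "__main__":
    pool = SharedVipPool("10.8.0.0/28")         # constructed pool: 14 usable addresses
    out = multiprocessing.Queue()
    procs = [multiprocessing.Process(target=_client_worker, args=(pool, 4, out)) for _ in range(3)]
    for p in procs:
        p.start()
    given = [a for _ in procs for a in out.get()]
    for p in procs:
        p.join()
    print(len(given), "addresses handed out,", len(set(given)), "distinct")
```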
The present invention separates the listening for IKE negotiation messages from their processing, so that the system can use more resources (such as multiple processes) to handle the IKE negotiation process. This improves the system's processing performance for IKE negotiation and allows it to handle bursts of large numbers of IKE negotiations with ease.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the present invention; any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present invention shall be included within the scope of protection of the present invention.