CN102761494B - IKE negotiation processing method and device - Google Patents


Info

Publication number: CN102761494B
Application number: CN201210272081.1A
Authority: CN (China)
Prior art keywords: ike, message, subprocess, ike negotiation, negotiation
Legal status: Active (as listed by Google Patents; an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN102761494A
Inventor
李志�
Current assignee: Hangzhou Depp Information Technology Co., Ltd. (listed assignees may be inaccurate)
Original assignee: Hangzhou DPTech Technologies Co Ltd
Application filed by: Hangzhou DPTech Technologies Co Ltd
Priority and filing date: 2012-08-01 (CN201210272081.1A)
Publication of CN102761494A: 2012-10-31
Grant and publication of CN102761494B: 2016-05-11
Legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides an IKE negotiation processing method applied on a network device. In a host process, a UDP receiving port is listened on to obtain the IKE negotiation messages sent by the IKE peer, and the IKE negotiation messages that need to be sent are sent to the IKE peer. On multiple subprocesses, the received IKE messages are processed for IKE negotiation; when a subprocess needs to send an IKE message, it submits the message to the host process. The host process looks up a message allocation table according to the origin marking of the IKE negotiation message: if a corresponding subprocess is found, the message is allocated to that subprocess; otherwise one subprocess is selected from the multiple subprocesses according to a predefined rule. The invention separates the listening for IKE negotiation messages from their processing, so that the system can devote more resources to IKE negotiation. This improves the system's IKE negotiation performance and allows it to handle bursts of large numbers of IKE negotiations.

Description

IKE negotiation processing method and device
Technical field
The present invention relates to network technology, and in particular to an IKE negotiation processing method and device.
Background technology
A VPN (Virtual Private Network) is defined as a temporary, secure connection established across a public network (normally the Internet): a secure, stable tunnel through an untrusted public network. A virtual private network establishes trusted, secure connections between an enterprise's branch offices, business partners and suppliers and the company's intranet, and ensures the secure transmission of data.
IPsec (Internet Protocol Security) is an open standard framework that guarantees confidential and secure communication over IP networks by using cryptographic security services. IPsec is not a single protocol; it provides a complete architecture for securing network data at the IP layer, comprising the Authentication Header (AH) protocol, the Encapsulating Security Payload (ESP) protocol, the Internet Key Exchange (IKE) key management protocol, and a number of algorithms for network authentication and encryption. IPsec specifies how peers select security protocols, determine security algorithms and exchange keys, and it provides the upper layers with network security services such as access control, data origin authentication and data encryption.
The existing RFC standards specify that IKE (Internet Key Exchange) negotiation is carried out over UDP on the well-known ports 500 and 4500, and that the message format used for negotiation is ISAKMP (Internet Security Association and Key Management Protocol). The IKE protocol is responsible for key management: it defines how communicating entities authenticate each other, negotiate encryption algorithms and generate shared session keys. IKE stores the result of the key negotiation in a Security Association (SA), which AH (Authentication Header) and ESP (Encapsulating Security Payload) then use when they communicate.
IKE negotiation is divided into two phases. Phase 1 has two modes, main mode and aggressive mode; its purpose is to establish the IKE SA, and establishing an authenticated key is the precondition for all other exchanges. Phase 2 is quick mode, which negotiates the IPsec security services and establishes the IPsec SAs that protect the actual application data. In practice most deployments negotiate with main mode and quick mode, and one such negotiation between initiator and responder needs at least 9 UDP messages: 6 UDP messages for phase 1 main mode and 3 UDP messages for phase 2 quick mode. In existing computer program implementations IKE negotiation is typically realised with socket programming: UDP datagram sockets listen on port 500 and port 4500, receive and send the messages of each IKE negotiation phase, and thereby implement the IPsec VPN function.
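As an added illustration that is not code from the patent or from DPTech's product, the following Python parses the ISAKMP header that every IKE datagram on UDP 500/4500 begins with, handles the 4-byte non-ESP marker that distinguishes IKE from ESP-in-UDP on port 4500, and reports which exchange and phase a datagram belongs to. The field layout and exchange-type codes come from the IKE RFCs (2408, 2409, 3948, 7296), not from the patent; the sample datagrams are constructed. It also goes one step beyond the patent's own origin marking (the source IP address) by deriving a dispatch key from the initiator SPI, which stays constant across all messages of one IKE SA and separates peers that share a source address behind NAT.

```python
"""Parse the ISAKMP header of an IKE datagram and derive a dispatch key.

28-byte header: initiator SPI (8) | responder SPI (8) | next payload (1) |
version (1) | exchange type (1) | flags (1) | message ID (4) | length (4).
On UDP 4500 the IKE message is preceded by four zero bytes (non-ESP marker).
"""
import struct
from dataclasses import dataclass

ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")   # 28 bytes, network byte order
NON_ESP_MARKER = b"\x00\x00\x00\x00"

# Exchange-type codes from the IKEv1 (RFC 2408/2409) and IKEv2 (RFC 7296) specs.
IKEV1_EXCHANGES = {2: "main mode", 4: "aggressive mode", 5: "informational", 32: "quick mode"}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


@dataclass(frozen=True)
class IsakmpHeader:
    initiator_spi: bytes
    responder_spi: bytes
    next_payload: int
    major_version: int
    minor_version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int

    def describe(self) -> str:
        """Human-readable exchange name, e.g. 'IKEv1 main mode (phase 1)'."""
        if self.major_version == 1:
            # IKEv1 phase 1 exchanges carry message ID 0; phase 2 exchanges
            # (quick mode, informational) carry a non-zero message ID.
            phase = 1 if self.message_id == 0 else 2
            name = IKEV1_EXCHANGES.get(self.exchange_type, f"exchange {self.exchange_type}")
            return f"IKEv1 {name} (phase {phase})"
        if self.major_version == 2:
            name = IKEV2_EXCHANGES.get(self.exchange_type, f"exchange {self.exchange_type}")
            return f"IKEv2 {name}"
        return f"unknown IKE major version {self.major_version}"


def parse_ike_datagram(payload: bytes, udp_port: int) -> IsakmpHeader:
    """Validate and decode the ISAKMP header of one received UDP datagram.

    Raises ValueError for anything that is not a well-formed IKE message, so a
    listening process can drop it before handing it to a worker.
    """
    if udp_port == 4500:
        # Port 4500 carries both ESP-in-UDP and IKE; only IKE starts with the zero marker.
        if not payload.startswith(NON_ESP_MARKER):
            raise ValueError("no non-ESP marker: UDP-encapsulated ESP or garbage")
        payload = payload[len(NON_ESP_MARKER):]
    if len(payload) < ISAKMP_HEADER.size:
        raise ValueError("datagram shorter than the ISAKMP header")
    ispi, rspi, npl, ver, etype, flags, mid, length = ISAKMP_HEADER.unpack_from(payload)
    if length < ISAKMP_HEADER.size or length > len(payload):
        raise ValueError(f"length field {length} inconsistent with {len(payload)} bytes received")
    return IsakmpHeader(ispi, rspi, npl, ver >> 4, ver & 0x0F, etype, flags, mid, length)


def dispatch_key(hdr: IsakmpHeader) -> bytes:
    """Allocation-table key: the initiator SPI (assumption; the patent keys on source IP).

    The initiator chooses it in the first message and it is repeated in every
    later message of the same IKE SA, so all of them land on the same worker.
    """
    return hdr.initiator_spi


# Constructed sample: header of an IKEv1 main-mode first message followed by 8
# placeholder payload bytes (a real message would carry an SA payload here).
SAMPLE_BODY = ISAKMP_HEADER.pack(
    bytes.fromhex("1122334455667788"),  # initiator cookie/SPI
    bytes(8),                           # responder cookie: zero in message 1
    1,                                  # next payload: SA
    0x10,                               # version 1.0
    2,                                  # exchange type 2: identity protection (main mode)
    0,                                  # flags
    0,                                  # message ID 0: phase 1
    ISAKMP_HEADER.size + 8,
) + b"\x00" * 8
SAMPLE_ON_500 = SAMPLE_BODY
SAMPLE_ON_4500 = NON_ESP_MARKER + SAMPLE_BODY
# Constructed non-IKE traffic on 4500: ESP with SPI 0x0000abcd, no zero marker.
SAMPLE_ESP_ON_4500 = bytes.fromhex("0000abcd") + bytes(32)

if __name__ == "__main__":
    hdr = parse_ike_datagram(SAMPLE_ON_500, 500)
    print(hdr.describe(), dispatch_key(hdr).hex())
```

A listening process that keys its table on the source address alone cannot tell two NATed clients apart and treats a spoofed first packet as a new peer; keying on the SPI pair is how the IKE daemons themselves find the SA a message belongs to.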
However, in existing IKE implementations based on UDP socket programming, generally only a single process receives and sends IKE negotiation messages. Both negotiating parties, local end and peer, are single processes that must both receive and send messages and carry out the actual processing of each message. As noted above, a complete main mode plus quick mode negotiation needs at least 9 UDP messages, all handled by that single process. When few connections are configured between the two sides, a single process is still adequate.
In medium and large networks, however, IKE networking is mostly star-shaped: one central gateway and multiple branch gateways form a star topology, and depending on business needs several tunnels may be established between each branch and the centre. To keep tunnels secure, IKE also has a timeout mechanism that renegotiates a new tunnel every few hours. The performance requirements on the IPsec device at the central gateway are therefore very high: IKE negotiation must be fast, and encryption and decryption after negotiation must also be fast, so that communication data across the whole network is secure and reliable. The more branches there are, the more the drawback of processing IKE negotiation in a single process at the centre stands out. In addition, under the client/server model of IPsec VPN, users connect to the central gateway with an IPsec VPN client on a PC or a mobile device such as a phone; when a large number of users all connect at almost the same time in a given period because of working patterns, the IPsec VPN faces a peak of IKE negotiations, and if negotiation is not fast enough this directly affects users' work and experience.
Summary of the invention
In view of this, the invention provides an IKE negotiation processing device applied on a network device, comprising a listening transceiver unit and multiple IKE processing units, wherein:
the listening transceiver unit listens on a predetermined UDP receiving port to obtain the IKE negotiation messages sent by the IKE peer, and sends to the IKE peer the IKE negotiation messages that the IKE processing units need to send;
each IKE processing unit performs IKE negotiation processing on the IKE messages it receives and, when it needs to send an IKE negotiation message, submits the message to be sent to the listening transceiver unit;
and the listening transceiver unit is further used to look up a message allocation table according to the origin marking of a received IKE negotiation message; if an IKE processing unit corresponding to that origin marking is found, the IKE negotiation message is allocated to that unit; if none is found, one IKE processing unit is selected from the multiple units according to a predefined rule and the IKE negotiation message is allocated to the selected unit.
The present invention also provides an IKE negotiation processing method applied on a network device, comprising the following steps:
A. in a host process, listening on a predetermined UDP receiving port to obtain the IKE negotiation messages sent by the IKE peer, and sending to the IKE peer the IKE negotiation messages that need to be sent;
B. on multiple subprocesses, performing IKE negotiation processing on the received IKE messages and, when an IKE negotiation message needs to be sent, submitting the message to be sent to the host process;
wherein step A further comprises: looking up a message allocation table according to the origin marking of the received IKE negotiation message; if a subprocess corresponding to that origin marking is found, allocating the IKE negotiation message to that subprocess; if no corresponding subprocess is found, selecting one subprocess from the multiple subprocesses according to a predefined rule and allocating the IKE negotiation message to the selected subprocess.
The invention separates the listening for IKE negotiation messages from their processing, so that the system can devote more resources (such as multiple processes) to IKE negotiation. This improves the system's IKE negotiation performance and lets it handle bursts of large numbers of IKE negotiations.
Brief description of the drawings
Fig. 1 is a logical structure diagram of an IKE negotiation device according to the invention.
Fig. 2 is a framework diagram of an IKE negotiation method according to the invention.
Detailed description of the invention
With reference to Fig. 1 and Fig. 2, the implementation of the invention is introduced using a computer program as an example. The invention provides an IKE negotiation processing device applied on a network device, comprising a listening transceiver unit and multiple IKE processing units. In operation, one round of receiving and sending an IKE message normally involves the following steps:
Step 101: the listening transceiver unit listens on a predetermined UDP receiving port to obtain an IKE negotiation message sent by the IKE peer.
Step 102: the listening transceiver unit looks up the message allocation table according to the origin marking of the IKE negotiation message; if an IKE processing unit corresponding to that origin marking is found, go to step 103, otherwise go to step 104.
Step 103: the IKE negotiation message is allocated to the IKE processing unit that was found.
Step 104: one IKE processing unit is selected from the multiple units according to a predefined rule, and the IKE negotiation message is allocated to the selected unit.
Step 105: the IKE processing unit performs IKE negotiation processing on the received IKE message and, when it needs to send an IKE negotiation message, submits the message to be sent to the listening transceiver unit.
Step 106: the listening transceiver unit sends the IKE negotiation message to the IKE negotiation peer.
With reference to Fig. 2, in a preferred embodiment the IKE processing units are subprocesses created by the listening transceiver unit acting as host process; the host process assigns each subprocess a subprocess identifier (ID) used to tell the subprocesses apart. As stated in the background, a network device acting as central gateway may be connected to multiple branch gateways (for example 1 to n), mobile phone clients (k, j) and PC clients (m, g), so the IKE negotiation device at the central gateway must process a large number of IKE negotiation messages from different sources at the same time. The invention draws on the distributed business processing model: listening and processing are separated into two kinds of business process to obtain a multi-process processing model, which avoids the single-process limitation of the prior art and makes full use of the processing resources of the network device.
The host process is responsible for receiving and sending IKE negotiation messages; messages are received by listening on a predetermined UDP port (normally the well-known port 500). As soon as the host process receives a negotiation message it looks up the message allocation table. Initially the table is empty; it records the correspondence between negotiation messages of different origins and the multiple subprocesses. Table 1 takes the source IP address of the message as the origin marking: the host process looks up Table 1 by the source IP address of the negotiation message, and if no entry is hit the message is treated as an IKE negotiation message from a new source, that is, as the first message of a new IKE session, and the host process selects one of the subprocesses according to a predefined rule to handle the current IKE negotiation message. The predefined rule for choosing a subprocess may be a polling (round-robin) algorithm, a random algorithm, or similar.
  Origin marking      Subprocess ID
  192.168.1.5         1
  10.10.1.5           2
  123.123.101.12      7
  ......              ......
Table 1
Furthermore, the host process can monitor the business load of all subprocesses. When the load of every subprocess exceeds an upper limit, for example when every subprocess has already been assigned the IKE negotiations of 20 sources, the host process can create a new subprocess and allocate the IKE message currently awaiting processing to the newly created subprocess. In this way the host process dynamically adjusts in real time how the network device's processing resources are distributed over IKE negotiation, avoiding the problems of insufficient or restricted processing resources. On a multi-core system each subprocess can also be bound to a different CPU core, making full use of the multi-core system for IKE negotiation while the host process concentrates only on receiving and sending messages. Compared with the traditional model in which a single process (which can only run on one CPU core) both receives and sends messages and performs IKE protocol processing, this design gives a large performance improvement.
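The host-process dispatch logic of steps 101 to 106, Table 1 and the load-based creation of subprocesses, as an added Python example that is not the patent's code. Its assumptions, none of which the patent states: subprocesses are modelled as in-memory objects with an inbox rather than forked processes; a subprocess's business load is the number of distinct origins it serves; and a `release` method expires table entries, which the patent does not mention.

```python
"""Host-process dispatcher: allocation table, predefined selection rule,
load-triggered subprocess creation and an upper limit on subprocess count."""
import random
from dataclasses import dataclass, field


@dataclass
class Subprocess:
    """Stand-in for one IKE processing subprocess (the device would fork one)."""
    pid: int
    inbox: list = field(default_factory=list)    # messages handed over by the host
    origins: set = field(default_factory=set)    # origin markings currently served

    @property
    def load(self) -> int:
        return len(self.origins)                 # assumed load measure


class IkeHostDispatcher:
    def __init__(self, initial_subprocesses=2, load_limit=20, max_subprocesses=8,
                 rule="round_robin", seed=None):
        self.table = {}                          # Table 1: origin marking -> subprocess ID
        self.subprocesses = {}                   # subprocess ID -> Subprocess
        self.load_limit = load_limit             # e.g. 20 origins per subprocess
        self.max_subprocesses = max_subprocesses # manually configured upper limit
        self.rule = rule                         # "round_robin" or "random"
        self._rng = random.Random(seed)
        self._next_rr = 0
        self.outbox = []                         # (pid, peer, message) the host will send
        for _ in range(initial_subprocesses):
            self._spawn()

    def _spawn(self) -> Subprocess:
        pid = len(self.subprocesses) + 1
        sp = Subprocess(pid)
        self.subprocesses[pid] = sp
        return sp

    def _select(self) -> Subprocess:
        """Predefined rule for a message whose origin is not in the table."""
        pids = sorted(self.subprocesses)
        if self.rule == "random":
            return self.subprocesses[self._rng.choice(pids)]
        pid = pids[self._next_rr % len(pids)]
        self._next_rr += 1
        return self.subprocesses[pid]

    def dispatch(self, origin: str, message: bytes) -> int:
        """Steps 102-104: table hit, otherwise spawn if everyone is full, else select."""
        pid = self.table.get(origin)
        if pid is None:
            everyone_full = all(sp.load >= self.load_limit for sp in self.subprocesses.values())
            if everyone_full and len(self.subprocesses) < self.max_subprocesses:
                sp = self._spawn()
            else:
                sp = self._select()
            self.table[origin] = sp.pid
            sp.origins.add(origin)
            pid = sp.pid
        self.subprocesses[pid].inbox.append(message)
        return pid

    def submit_for_sending(self, pid: int, peer: str, message: bytes) -> None:
        """Step 105/106: a subprocess hands an outgoing message to the host process."""
        self.outbox.append((pid, peer, message))

    def release(self, origin: str) -> None:
        """Expire a table entry once the negotiation completes or times out (assumed)."""
        pid = self.table.pop(origin, None)
        if pid is not None:
            self.subprocesses[pid].origins.discard(origin)


if __name__ == "__main__":
    d = IkeHostDispatcher(initial_subprocesses=2, load_limit=1, max_subprocesses=4)
    for src in ("10.0.0.1", "10.0.0.2", "10.0.0.1", "10.0.0.3"):
        print(src, "->", d.dispatch(src, b"constructed IKE message"))
```

Two points the patent leaves open are worth settling in a real implementation: entries keyed on source IP must be expired (otherwise any host that can send a UDP packet grows the table and the subprocess count, since nothing in the dispatch path authenticates the first message), and all clients behind one NAT share a source address and therefore one subprocess, so the spread across cores is only as good as the diversity of source addresses.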
A subprocess is responsible for processing the IKE negotiation messages allocated to it; this part can be implemented with mature technology, and the invention places no special requirements on the processing procedure. IPsec negotiation is normally divided into two phases: phase 1 authenticates the identity of the peer and provides a secure, reliable channel for the phase 2 negotiation; phase 2 mainly negotiates the security parameters of IPsec and produces the keys actually used to encrypt traffic. Unlike the prior art, a subprocess of the invention does not send negotiation messages directly to the IKE peer in either phase; it sends them to the host process, which is solely responsible for transmitting messages.
With continued reference to Fig. 1, when the client/server model of IPsec is enabled and a client connects to the central gateway, a virtual IP address must be allocated to the client. Because all subprocesses at the central gateway share the same virtual IP address pool, the invention applies special handling here so that every subprocess shares the virtual IP address pool information and different subprocesses do not allocate the same virtual IP address twice. For example, using the shared memory mode of inter-process communication, the IP addresses of the virtual IP address pool are all mapped onto a segment of shared memory; a subprocess finds an available virtual IP address in the shared memory, marks it as in use, and allocates it to the client. After the client disconnects, the subprocess that handled that client's IKE negotiation messages reclaims the virtual IP address allocated to it, puts it back into the shared memory and updates the mark to available, so that the reclaimed virtual IP address can be used again by other subprocesses. In addition, in practical use the upper limit on the number of subprocesses can be configured manually according to the actual conditions of the network topology in which the device sits and the actual demand for connections, thereby adjusting the IKE negotiation processing capacity.
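The shared virtual IP address pool of the paragraph above, as an added Python example that is not code from the patent. Assumptions: one byte of shared memory per address holding the ID of the subprocess that owns it (0 = free); an anonymous mmap standing in for the shared segment (a forked subprocess inherits and shares it); and a lock injected by the caller, defaulting to a threading.Lock for this stand-alone demonstration where a real multi-process deployment would pass a multiprocessing.Lock. The owner check on release is an addition: the patent says only that the subprocess which handled the client returns the address.

```python
"""Virtual IP address pool in shared memory, shared by several subprocesses."""
import ipaddress
import mmap
import threading
from typing import Optional


class SharedVirtualIpPool:
    def __init__(self, network: str, subprocess_id: int, buf=None, lock=None):
        if not 1 <= subprocess_id <= 255:
            raise ValueError("subprocess ID must be non-zero and fit in one byte")
        self.network = ipaddress.ip_network(network)
        self.hosts = list(self.network.hosts())        # slot i <-> address hosts[i]
        self.subprocess_id = subprocess_id
        # One byte per address: 0 = free, otherwise the owning subprocess ID.
        # mmap(-1, n) is an anonymous shared mapping, zero-filled, inherited on fork.
        self.buf = buf if buf is not None else mmap.mmap(-1, len(self.hosts))
        self.lock = lock if lock is not None else threading.Lock()

    def view(self, subprocess_id: int) -> "SharedVirtualIpPool":
        """Handle another subprocess would hold over the same segment and lock."""
        return SharedVirtualIpPool(str(self.network), subprocess_id, self.buf, self.lock)

    def allocate(self) -> Optional[str]:
        """Find a free address, mark it in use by this subprocess, return it."""
        with self.lock:
            for i in range(len(self.hosts)):
                if self.buf[i] == 0:
                    self.buf[i] = self.subprocess_id
                    return str(self.hosts[i])
        return None                                     # pool exhausted

    def release(self, address: str) -> bool:
        """Put an address back. Only the subprocess that allocated it may do so."""
        idx = self.hosts.index(ipaddress.ip_address(address))  # ValueError if not in pool
        with self.lock:
            if self.buf[idx] != self.subprocess_id:
                return False
            self.buf[idx] = 0
        return True

    def in_use(self) -> int:
        with self.lock:
            return sum(1 for i in range(len(self.hosts)) if self.buf[i] != 0)


if __name__ == "__main__":
    pool_a = SharedVirtualIpPool("10.8.0.0/29", subprocess_id=1)   # constructed pool
    pool_b = pool_a.view(2)
    print(pool_a.allocate(), pool_b.allocate(), pool_a.in_use())
```

Recording the owner in the shared slot costs nothing and stops a subprocess from freeing an address another subprocess handed out, which would otherwise let two clients end up with the same virtual IP after a stray release.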
In summary, by separating the listening for IKE negotiation messages from their processing, the system can apply more resources (such as multiple processes) to IKE negotiation, which improves IKE negotiation performance and lets the system handle bursts of large numbers of IKE negotiations.
The foregoing are only preferred embodiments of the invention and are not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the invention falls within the scope of its protection.

Claims (10)

1. An IKE negotiation processing device applied on a network device, comprising a listening transceiver unit and multiple IKE processing units, characterised in that:
the listening transceiver unit is used to listen on a predetermined UDP receiving port to obtain the IKE negotiation messages sent by the IKE peer, and to send to the IKE peer the IKE negotiation messages that the IKE processing units need to send;
the IKE processing unit is used to perform IKE negotiation processing on received IKE messages and, when an IKE negotiation message needs to be sent, to submit the message to be sent to the listening transceiver unit;
wherein the listening transceiver unit is a host process further used to look up a message allocation table according to the origin marking of a received IKE negotiation message; if an IKE processing unit corresponding to that origin marking is found, the IKE negotiation message is allocated to that unit; if no corresponding IKE processing unit is found, one IKE processing unit is selected from the multiple units according to a predefined rule and the IKE negotiation message is allocated to the selected unit; and the IKE processing units are subprocesses created by the host process.
2. The device of claim 1, characterised in that the origin marking is the source IP address of the IKE negotiation message.
3. The device of claim 1, characterised in that at least two subprocesses are bound to different CPU cores.
4. The device of claim 1, characterised in that the listening transceiver unit is further used to create a new subprocess to process the currently received IKE negotiation message when the business load of all subprocesses has reached a preset upper limit and no corresponding subprocess is found in the message allocation table.
5. The device of claim 1, characterised in that the IKE processing unit is further used to share a virtual IP address pool with the other IKE processing units, to mark a virtual IP address as in use when allocating it to a client, and to mark it as available when reclaiming it.
6. An IKE negotiation processing method applied on a network device, characterised in that the method comprises the following steps:
A. in a host process, listening on a predetermined UDP receiving port to obtain the IKE negotiation messages sent by the IKE peer, and sending to the IKE peer the IKE negotiation messages that need to be sent;
B. on multiple subprocesses, performing IKE negotiation processing on the received IKE messages and, when an IKE negotiation message needs to be sent, submitting the message to be sent to the host process;
wherein step A further comprises: the host process looks up a message allocation table according to the origin marking of the received IKE negotiation message; if a subprocess corresponding to that origin marking is found, the IKE negotiation message is allocated to that subprocess; if no corresponding subprocess is found, one subprocess is selected from the multiple subprocesses according to a predefined rule and the IKE negotiation message is allocated to the selected subprocess.
7. The method of claim 6, characterised in that the origin marking is the source IP address of the IKE negotiation message.
8. The method of claim 6, characterised in that at least two subprocesses are bound to different CPU cores.
9. The method of claim 6, characterised in that step A further comprises: when the business load of all subprocesses has reached a preset upper limit and no corresponding subprocess is found in the message allocation table, creating a new subprocess to process the currently received IKE negotiation message.
10. The method of claim 6, characterised in that step B further comprises: the subprocess shares a virtual IP address pool with the other subprocesses; when a virtual IP address needs to be allocated, the virtual IP address allocated to the client is marked as in use, and when a virtual IP address is reclaimed it is marked as available.
Priority Applications (1)

Application Number   Priority Date   Filing Date   Title
CN201210272081.1A    2012-08-01      2012-08-01    IKE negotiation processing method and device (granted as CN102761494B, Active)

Publications (2)

Publication Number Publication Date
CN102761494A CN102761494A (en) 2012-10-31
CN102761494B true CN102761494B (en) 2016-05-11

Family

ID=47055820

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210272081.1A Active CN102761494B (en) 2012-08-01 2012-08-01 A kind of ike negotiation processing method and device

Country Status (1)

Country Link
CN (1) CN102761494B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103442068A (en) * 2013-08-30 2013-12-11 成都卫士通信息产业股份有限公司 Multi-process high-currency IPSec VPN tunnel achievement method and device
CN103746977A (en) * 2013-12-27 2014-04-23 东软熙康健康科技有限公司 Connection method and device for Linux server
CN105991636B (en) * 2015-05-27 2019-04-09 杭州迪普科技股份有限公司 Port negotiation method and device based on IKE agreement
CN105279036B (en) * 2015-12-04 2019-10-25 上海斐讯数据通信技术有限公司 Inter-process communication methods, device and electronic equipment
CN105915511A (en) * 2016-04-13 2016-08-31 深圳市融钞科技有限公司 Wireless communication method based on VPDN private network
CN107204994B (en) * 2017-07-24 2019-09-17 杭州迪普科技股份有限公司 A kind of method and apparatus that protection network segment is determined based on IKEv2
CN112702338B (en) * 2020-12-22 2022-07-01 杭州迪普科技股份有限公司 IKE message acquisition method and device
CN113472817B (en) * 2021-09-03 2021-12-03 杭州网银互联科技股份有限公司 Gateway access method and device for large-scale IPSec and electronic equipment
CN114285571A (en) * 2022-03-03 2022-04-05 成都量安区块链科技有限公司 Method, gateway device and system for using quantum key in IPSec protocol

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101179412A (en) * 2007-12-13 2008-05-14 华为技术有限公司 Multi-multicast carrying network access equipment, system and method
CN101668036A (en) * 2009-09-22 2010-03-10 成都市华为赛门铁克科技有限公司 Simulating system of distributed device and method for processing service by simulating distributed device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building

Patentee after: Hangzhou Dipu Polytron Technologies Inc

Address before: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building

Patentee before: Hangzhou Dipu Technology Co., Ltd.

TR01 Transfer of patent right

Effective date of registration: 20181105

Address after: 310051 05, room A, 11 floor, Chung Cai mansion, 68 Tong Xing Road, Binjiang District, Hangzhou, Zhejiang.

Patentee after: Hangzhou Depp Information Technology Co., Ltd.

Address before: 310051, 6 floor, Chung Cai mansion, 68 Tong he road, Binjiang District, Hangzhou, Zhejiang.

Patentee before: Hangzhou Dipu Polytron Technologies Inc