CN102761553A - IPSec SA negotiation method and device - Google Patents

IPSec SA negotiation method and device

Info

Publication number
CN102761553A
Authority
CN
China
Prior art keywords
message
ipsec
module
initiator
negotiates
Prior art date
Legal status
Pending
Application number
CN2012102555208A
Other languages
Chinese (zh)
Inventor
王佩龙
Current Assignee
Hangzhou H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd

Abstract

The invention discloses an IPSec (Internet Protocol Security) SA (Security Association) negotiation method and device. The method comprises: when the responder receives the first message sent by the initiator, generating the negotiated SA and installing it into IPSec; the responder replying with the second message to the initiator; and when the responder receives either an IPSec packet from the initiator encrypted with the negotiated SA or the third message from the initiator, protecting the data flow with the negotiated SA. The first, second and third messages are the three messages with which the initiator and responder together complete IPSec SA negotiation in quick mode. By changing the moment at which the responder installs and activates the negotiated SA, the invention removes the transient traffic jitter or interruption that the prior art suffers during initial IPSec SA negotiation or renegotiation.

Description

IPSec SA negotiation method and device
Technical field
The present invention relates to the field of network security, and in particular to an IPSec SA negotiation method and device.
Background
IPSec (IP Security, where IP is the Internet Protocol) is a framework of protocols defined by the IETF (Internet Engineering Task Force) to guarantee encrypted, secure transmission of data over the Internet. IPSec is a Layer 3 tunnelling encryption protocol that provides high-quality, interoperable, cryptography-based security for data transmitted over the Internet, and it is the conventional technology for building Layer 3 VPNs (Virtual Private Networks). By establishing IPSec tunnels between specific communicating parties, user data is transmitted privately and the following security services are provided at the IP layer:
- Data confidentiality: the IPSec sender encrypts packets before transmitting them across the network.
- Data integrity: the IPSec receiver authenticates packets sent by the sender to ensure the data was not tampered with in transit.
- Data origin authentication: the IPSec receiver can verify that the sending end of an IPSec packet is legitimate.
- Anti-replay: the IPSec receiver can detect and reject stale or duplicated packets.
IPSec comprises two protocols, Authentication Header (AH) and Encapsulating Security Payload (ESP). AH provides data origin authentication and data integrity verification; ESP provides, in addition to data authentication and integrity checking, encryption of the IP packet.
IKE (Internet Key Exchange) is the signalling protocol of IPSec. It negotiates and exchanges keys automatically for IPSec and establishes Security Associations (SAs), which simplifies the use and management of IPSec and greatly reduces its configuration and maintenance effort. IKE does not transmit keys directly over the network; instead, through a series of data exchanges, the two parties each compute the shared key, and even a third party that captures all of the exchanged data cannot compute the real key from it. IKE has its own self-protection mechanism: it can distribute keys securely and verify identities over an insecure network in order to establish IPSec security associations.
Fig. 1 shows the relationship between IPSec and IKE. In Fig. 1, IPSec provides secure communication between two endpoints (Router A and Router B), which are called IPSec peers. An SA is an agreement between IPSec peers on a set of elements: for example, which protocol is used (AH, ESP, or both in combination), the encapsulation mode (transport mode or tunnel mode), the encryption algorithm, the shared key used to protect a particular flow, and the lifetime of the key. IPSec can establish SAs through IKE negotiation. An SA is unidirectional, so bidirectional communication between two peers needs at least two SAs, one protecting the data flow in each direction. If two peers wish to use both AH and ESP at the same time, each peer builds an independent SA for each protocol.
An SA established by IKE negotiation has a lifetime (Life Time). The lifetime of such an SA can be defined in two ways:
- a time-based lifetime, which defines the time from when the SA is established until it expires;
- a traffic-based lifetime, which defines the maximum amount of traffic the SA is allowed to process.
When the specified time or traffic volume is reached, the SA expires. Before the SA expires, IKE negotiates a new SA for IPSec, so that the new SA is ready before the old one expires. From the moment negotiation of the new SA begins until it completes, communication continues to be protected by the old SA; once the new SA has been negotiated, communication is protected by the new SA.
IKE uses two phases to perform key negotiation and establish SAs for IPSec, called phase 1 and phase 2:
(1) Phase 1 establishes an IKE SA over the network, which protects the negotiation of the other protocol (phase 2) and makes that negotiation fast. Negotiation creates a communication channel and authenticates it, providing confidentiality, message integrity and message origin authentication for the parties' further IKE communication. There are two IKE exchange types, Main Mode and Aggressive Mode.
(2) Phase 2, under the protection of the IKE SA established in phase 1, negotiates the concrete SAs for IPSec and establishes the IPSec SAs used for the final secure IP transmission; it uses Quick Mode. With reference to RFC 2409, the exchange in quick mode for IKE phase 2 negotiation is defined as follows:
Initiator                                   Responder
-----------                                 -----------
HDR*, HASH(1), SA, Ni
  [, KE] [, IDci, IDcr]           -->
                                  <--       HDR*, HASH(2), SA, Nr
                                              [, KE] [, IDci, IDcr]
HDR*, HASH(3)                     -->
As can be seen, in quick mode the two communicating parties (initiator and responder) complete the IPSec SA negotiation with three messages:
First message: sent by the initiator, carrying all the information the peer needs to negotiate, for example the protocol defined by the IPSec policy (AH, ESP), the encryption algorithm and the authentication algorithm, together with a hash digest that can be verified; that is:
HDR*, HASH(1), SA, Ni [, KE] [, IDci, IDcr]
Second message: sent by the responder, carrying the selected IPSec protocol (AH, ESP), encryption algorithm, authentication algorithm and so on, together with a verifiable hash digest; that is:
HDR*, HASH(2), SA, Nr [, KE] [, IDci, IDcr]
Third message: sent by the initiator, carrying an encrypted hash digest that confirms the negotiation is complete; that is:
HDR*, HASH(3)
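The three-message exchange above, worked through in code. This is an added example and not code from the patent or from H3C; it assumes that SKEYID_a and SKEYID_d from phase 1 are given as bytes, that the prf is HMAC-SHA1, that there is no PFS (no KE payload) and no identity payloads, and it models the SA payload as a comma-separated list of proposal labels with the SPI carried alongside rather than inside an ISAKMP proposal. HASH(1), HASH(2), HASH(3) and KEYMAT follow RFC 2409 section 5.5. The responder's on_msg1 shows the observation the patent later builds on: once it has chosen its proposal, nonce and SPI, it can derive both directions' keying material before message 2 leaves.

```python
import hashlib
import hmac
import os

PROTO_ESP = 3  # ISAKMP protocol identifier for ESP (RFC 2407); AH would be 2


def prf(key: bytes, data: bytes) -> bytes:
    """The prf negotiated in phase 1; HMAC-SHA1 is assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


# HASH(1..3) and KEYMAT as defined in RFC 2409 section 5.5 (no PFS, no ID payloads).
def hash1(a, mid, sa, ni): return prf(a, mid + sa + ni)
def hash2(a, mid, ni, sa, nr): return prf(a, mid + ni + sa + nr)
def hash3(a, mid, ni, nr): return prf(a, b"\x00" + mid + ni + nr)
def keymat(d, proto, spi, ni, nr): return prf(d, bytes([proto]) + spi + ni + nr)


class Initiator:
    def __init__(self, skeyid_a, skeyid_d, proposals):
        self.a, self.d, self.proposals = skeyid_a, skeyid_d, proposals
        self.keys = None

    def msg1(self):
        self.mid, self.ni, self.spi_i = os.urandom(4), os.urandom(16), os.urandom(4)
        sa = b",".join(self.proposals)  # SA payload modelled as a list of proposal labels
        return {"mid": self.mid, "hash": hash1(self.a, self.mid, sa, self.ni),
                "sa": sa, "ni": self.ni, "spi": self.spi_i}

    def on_msg2(self, m):
        expect = hash2(self.a, self.mid, self.ni, m["sa"], m["nr"])
        if not hmac.compare_digest(m["hash"], expect):
            raise ValueError("HASH(2) mismatch: message 2 forged or altered")
        self.keys = {"out": keymat(self.d, PROTO_ESP, m["spi"], self.ni, m["nr"]),
                     "in": keymat(self.d, PROTO_ESP, self.spi_i, self.ni, m["nr"])}
        return {"mid": self.mid, "hash": hash3(self.a, self.mid, self.ni, m["nr"])}


class Responder:
    def __init__(self, skeyid_a, skeyid_d, acceptable):
        self.a, self.d, self.acceptable = skeyid_a, skeyid_d, acceptable
        self.keys = None

    def on_msg1(self, m):
        if not hmac.compare_digest(m["hash"], hash1(self.a, m["mid"], m["sa"], m["ni"])):
            raise ValueError("HASH(1) mismatch")
        chosen = next(p for p in m["sa"].split(b",") if p in self.acceptable)
        self.mid, self.ni, self.nr, spi_r = m["mid"], m["ni"], os.urandom(16), os.urandom(4)
        # Everything the SA needs is known here, before message 2 is sent.
        self.keys = {"in": keymat(self.d, PROTO_ESP, spi_r, self.ni, self.nr),
                     "out": keymat(self.d, PROTO_ESP, m["spi"], self.ni, self.nr)}
        return {"mid": self.mid, "hash": hash2(self.a, self.mid, self.ni, chosen, self.nr),
                "sa": chosen, "nr": self.nr, "spi": spi_r}

    def on_msg3(self, m):
        if not hmac.compare_digest(m["hash"], hash3(self.a, self.mid, self.ni, self.nr)):
            raise ValueError("HASH(3) mismatch")
        return True


def run_quick_mode(skeyid_a, skeyid_d, tamper_msg2=False):
    """Run one quick-mode exchange between an in-process initiator and responder."""
    i = Initiator(skeyid_a, skeyid_d, [b"ESP-AES128-HMAC-SHA1", b"ESP-3DES-HMAC-MD5"])
    r = Responder(skeyid_a, skeyid_d, {b"ESP-AES128-HMAC-SHA1"})
    m2 = r.on_msg1(i.msg1())
    keyed_before_msg3 = r.keys is not None
    if tamper_msg2:  # an on-path attacker rewriting the responder's selection
        m2 = dict(m2, sa=b"ESP-3DES-HMAC-MD5")
    m3 = i.on_msg2(m2)  # raises ValueError because HASH(2) covers the SA payload
    r.on_msg3(m3)
    return {"chosen": m2["sa"], "responder_keyed_before_msg3": keyed_before_msg3,
            "keys_match": i.keys["out"] == r.keys["in"] and i.keys["in"] == r.keys["out"]}


if __name__ == "__main__":
    print(run_quick_mode(os.urandom(20), os.urandom(20)))
```

The hashes bind each message to the phase-1 authentication key and to both nonces, so a downgrade of the responder's selection in message 2 is rejected by the initiator, and a replayed or forged message 3 does not verify at the responder.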
In the prior art, when IPSec SAs are negotiated in quick mode, the initiator of the IKE negotiation hands the negotiated SA down to IPSec for data flow protection immediately after sending the third message, while the responder hands the SA down to IPSec only after receiving the third message. This can cause the following problems:
During initial IPSec SA negotiation, the initiator installs the negotiated SA into IPSec immediately after sending the third message, whereas the responder installs it only after receiving the third message. If the third message is delayed or lost in transit, an IPSec packet encrypted by the initiator may reach the responder before the responder has received the third message. At that moment the responder has not yet installed the SA into IPSec, so its IPSec cannot decrypt the packet, causing transient traffic jitter or interruption.
Likewise, when an SA is renegotiated because its lifetime has expired, the initiator replaces the old SA with the new one after sending the third message, while the responder replaces the old SA with the new one only after receiving the third message. If the third message is delayed or lost in transit, a packet encrypted by the initiator with the new SA may reach the responder before the third message; since the responder has not yet installed the new SA into IPSec, it cannot decrypt packets the initiator encrypted with the new SA, causing traffic jitter or interruption during the SA renegotiation process.
Summary of the invention
The invention provides an IPSec SA negotiation method and device, applied to the IPSec SA negotiation process in the quick mode of IKE phase 2, intended to solve the problem in the prior art of transient traffic jitter or interruption during initial IPSec SA negotiation and renegotiation.
The technical solution of the invention is as follows:
In one aspect, an IPSec SA negotiation method applied to IKE phase 2 is provided, comprising: after receiving the first message sent by the initiator, the responder generates the negotiated SA and installs it; the responder replies with the second message to the initiator; after receiving an IPSec packet from the initiator encrypted with the negotiated SA, or after receiving the third message from the initiator, the responder uses the negotiated SA to protect the data flow; where the first, second and third messages are the three messages with which the initiator and responder complete IPSec SA negotiation in quick mode.
In another aspect, an IPSec SA negotiation device is also provided, comprising: a receiving module, for receiving the first message and the third message sent by the initiator and IPSec packets encrypted with the negotiated SA; an SA generation and installation module, for generating and installing the negotiated SA after the receiving module receives the first message from the initiator; a sending module, for replying with the second message to the initiator after the SA generation and installation module has installed the negotiated SA; and an IPSec module, for protecting the data flow with the negotiated SA after the receiving module receives an IPSec packet from the initiator encrypted with the negotiated SA, or after the receiving module receives the third message from the initiator; where the first, second and third messages are the three messages used to complete IPSec SA negotiation in the quick mode of IKE phase 2.
In the above technical solution, the responder generates the SA and installs it into IPSec after receiving the quick-mode first message from the initiator and before sending the quick-mode second message to the initiator; subsequently, when it receives either an IPSec packet from the initiator encrypted with the negotiated SA or the quick-mode third message, it activates the installed SA and uses it to protect the data flow. Thus, even if delay or loss of the third message in transit causes an IPSec packet encrypted with the negotiated SA to reach the responder before the third message, the responder can still decrypt that packet normally with the SA it has already installed, and bidirectional traffic between initiator and responder keeps flowing. By changing the moment at which the responder installs and activates the negotiated SA, the prior-art problem of transient traffic jitter or interruption during initial IPSec SA negotiation and renegotiation is solved.
Description of drawings
Fig. 1 is a diagram of the relationship between IPSec and IKE in the related art;
Fig. 2 is a flow chart of the IPSec SA negotiation method according to embodiment one of the invention;
Fig. 3 is a sequence diagram of the interaction during initial IPSec SA negotiation according to embodiment two of the invention;
Fig. 4 is a sequence diagram of the interaction during IPSec SA renegotiation triggered by an SA soft timeout according to embodiment three of the invention;
Fig. 5 is a structural diagram of one IPSec SA negotiation device according to embodiment four of the invention;
Fig. 6 is a structural diagram of another IPSec SA negotiation device according to embodiment four of the invention.
Embodiments
Embodiment one
To solve the problem in the prior art of transient traffic jitter or interruption at the responder during initial IPSec SA negotiation and renegotiation, the embodiment of the invention provides an IPSec SA negotiation method in the quick mode of IKE phase 2, performed by the responder of the negotiation. As shown in Fig. 2, it comprises the following steps:
Step S202: after receiving the first message sent by the initiator, the responder generates the negotiated SA and installs it.
In the IKE phase 2 negotiation process, the initiator first sends the first message to the responder, carrying all the security parameters the responder needs to negotiate, for example the protocol defined by the IPSec policy (AH, ESP), the encryption algorithm and the authentication algorithm, together with a verifiable hash digest.
After receiving the first message, the responder selects, from all the security parameters carried in the first message, the ones that match its own configuration, for example the protocol type, encryption algorithm and authentication algorithm, and then generates the SA from the selected security parameters and installs it into IPSec. Because after receiving the first message and before sending the second message the responder has already chosen the protocol type, encryption algorithm, authentication algorithm and keying material from which the SA is generated, it can generate and install the SA into IPSec at that point, without waiting for the third message.
To distinguish the SA generated in this negotiation from the SA in use at the time in the renegotiation case, the SA generated by this negotiation is called the new SA and the SA in use at the time is called the old SA.
Step S204: the responder replies with the second message to the initiator.
After generating and installing the SA, the responder replies with the second message to the initiator, carrying the security parameters the responder selected, for example the selected protocol type (AH, ESP, or both), encryption algorithm and authentication algorithm. After receiving the second message, the initiator generates the SA from the security parameters the responder selected, replies with the third message to the responder, and then installs the generated SA into IPSec.
Step S206: after receiving an IPSec packet from the initiator encrypted with the negotiated SA, or after receiving the third message from the initiator, the responder uses the negotiated SA to protect the data flow (which includes decrypting with this SA the IPSec packets the initiator encrypted with it, and/or encrypting with this SA the data flow sent to the initiator).
During initial negotiation, the responder's IPSec, after receiving an IPSec packet from the initiator encrypted with this SA or after receiving the third message from the initiator, uses this SA to decrypt the received IPSec packets and to encrypt the data flow to be sent to the initiator.
During renegotiation, the responder's IPSec, after receiving an IPSec packet from the initiator encrypted with the new SA or after receiving the third message from the initiator, switches from the old SA to the new SA and uses the new SA to decrypt received IPSec packets and to encrypt the data flow to be sent to the initiator.
The first, second and third messages in this embodiment are the three messages with which the initiator and responder complete IPSec SA negotiation in the quick mode of IKE phase 2. The format and meaning of these three messages are the same as in the prior art and are not repeated here.
In the embodiment of the invention, the responder installs the SA into IPSec after receiving the quick-mode first message and before sending the quick-mode second message, and activates it when it receives either an IPSec packet encrypted with that SA or the quick-mode third message. Even if delay or loss of the third message causes an IPSec packet encrypted with the negotiated SA to reach the responder first, the responder can decrypt it with the already installed SA, so bidirectional traffic between initiator and responder keeps flowing and the prior-art jitter or interruption during initial negotiation and renegotiation is avoided.
In addition, because the IKE phase 2 negotiation is protected by the IKE SA negotiated in IKE phase 1, the embodiment of the invention does not reduce the security of the IKE phase 2 negotiation.
Embodiment two
As shown in Fig. 3, in the quick mode of IKE phase 2 negotiation, the interaction between initiator and responder during initial IPSec SA negotiation can be as follows:
Step S302: the initiator of the IKE negotiation sends the first message to the responder;
Step S304: after receiving the first message, the responder selects, from the security parameters carried in the message, those matching its own configuration and generates an SA from the selected parameters;
Step S306: the responder installs the generated SA into IPSec;
Step S308: the responder sends the second message to the initiator, carrying the security parameters the responder selected in step S304;
Step S310: after receiving the second message, the initiator generates an SA from the responder's selected parameters carried in the message;
Step S312: the initiator sends the third message to the responder to conclude the negotiation;
Step S314: the initiator installs the SA generated in step S310 into IPSec;
Step S316: the initiator's IPSec encrypts the data flow with the SA installed in step S314 and sends the resulting IPSec packets to the responder;
Step S318: after receiving the third message sent by the initiator in step S312, or after receiving an IPSec packet sent by the initiator in step S316, the responder's IPSec activates the SA installed in step S306 and uses it to decrypt the IPSec packets from the initiator.
In this initial negotiation, by the time the IPSec packets the initiator encrypted with the IPSec SA arrive at the responder, the responder has already installed the SA into IPSec (it did so before sending the quick-mode second message), so even if the quick-mode third message is delayed or lost in transit, the responder can decrypt the IPSec packets normally.
Embodiment three
As shown in Fig. 4, in the quick mode of IKE phase 2 negotiation, the interaction between initiator and responder during IPSec SA renegotiation can be as follows:
Step S402: the old SA reaches its soft timeout, which triggers the initiator of the negotiation to renegotiate the IPSec SA;
Step S404: the initiator sends the first message to the responder;
Step S406: after receiving the first message, the responder selects, from the security parameters carried in the message, those matching its own configuration and generates a new SA from the selected parameters;
Step S408: the responder installs the generated new SA into IPSec;
Step S410: the responder sends the second message to the initiator, carrying the security parameters the responder selected in step S406;
Step S412: after receiving the second message, the initiator generates a new SA from the responder's selected parameters carried in the message;
Step S414: the initiator sends the third message to the responder to conclude the negotiation;
Step S416: the initiator installs the new SA generated in step S412 into IPSec and switches to it;
Step S418: the initiator's IPSec encrypts the data flow with the new SA installed in step S416 and sends the resulting new IPSec packets to the responder;
To distinguish packets encrypted with the old SA from packets encrypted with the new SA, the former are called old IPSec packets and the latter new IPSec packets.
Step S420: after receiving the third message sent by the initiator in step S414, or after receiving a new IPSec packet sent by the initiator in step S418, the responder's IPSec switches from the old SA to the new SA installed in step S408;
Step S422: the responder decrypts the new IPSec packets from the initiator with the new SA.
Before step S420, the initiator and responder still communicate using the old SA to encrypt and decrypt the data flow.
The renegotiation process involves the moment of switching between old and new SAs. The initiator of the negotiation installs the new SA after sending the quick-mode third message, notifies IPSec to switch from the old SA to the new SA, encrypts packets with the new SA, and leaves the old SA to be deleted at its hard timeout. The responder installs the new SA into IPSec before sending the quick-mode second message but does not switch from the old SA to the new SA immediately, because the initiator has not yet switched to the new SA at that point; if the responder has data to send to the initiator, it still encrypts it with the old SA. The responder waits and performs the switch between old and new SAs only when either of the following occurs:
(1) it receives an IPSec packet the initiator encrypted with the new SA;
(2) it receives the quick-mode third message.
By adopting the above timing for installing the new SA and for switching between old and new SAs, the IPSec SA renegotiation process guarantees that bidirectional traffic between initiator and responder keeps flowing.
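The timing difference described in the background section and in embodiments two and three, as a small event-replay model. This is an added illustration, not the patent's or H3C's code; SPIs, the proposal label and the delivery orders are constructed, and keys and packet contents are not modelled. Responder(early_install=False) follows the prior-art behaviour (install the SA when message 3 arrives) and Responder(early_install=True) the claimed behaviour (install after message 1, activate on message 3 or on the first ESP packet carrying the new SPI); run() replays one negotiation with message 3 either on time or arriving after the initiator's first ESP packets, for both initial negotiation and rekey.

```python
from dataclasses import dataclass, field
from itertools import count
from typing import Optional

_spi = count(0x1000)  # constructed SPI allocator shared by both peers


@dataclass
class SA:
    spi: int     # the receiver's SPI; the sender writes it into every ESP header
    label: str   # negotiated parameters, a constructed label standing in for real keys


@dataclass
class Initiator:
    inbound: dict = field(default_factory=dict)  # spi -> SA accepted for decryption
    outbound: Optional[SA] = None                # SA used to encrypt towards the responder
    spi_i: int = 0

    def msg1(self, proposal):
        self.spi_i = next(_spi)
        return self.spi_i, proposal

    def on_msg2(self, spi_r, chosen):
        # Prior art and patent alike (steps S312-S316, S414-S418): install and switch
        # to the new SA right after message 3 has been sent.
        self.inbound[self.spi_i] = SA(self.spi_i, chosen)
        self.outbound = SA(spi_r, chosen)
        return "msg3"

    def on_esp(self, spi):
        return "decrypted" if spi in self.inbound else "dropped"


@dataclass
class Responder:
    early_install: bool  # True: install after message 1 (steps S202 / S306 / S408)
    inbound: dict = field(default_factory=dict)
    outbound: Optional[SA] = None
    pending_in: Optional[SA] = None
    pending_out: Optional[SA] = None

    def on_msg1(self, spi_i, proposal):
        self.pending_in = SA(next(_spi), proposal)  # our SPI, initiator -> responder
        self.pending_out = SA(spi_i, proposal)      # initiator's SPI, responder -> initiator
        if self.early_install:
            self.inbound[self.pending_in.spi] = self.pending_in
        return self.pending_in.spi, proposal

    def _activate(self):
        # Steps S318 / S420: the installed SA becomes the one in use in both directions;
        # for a rekey this is the old -> new switch of the responder's outbound SA.
        self.inbound[self.pending_in.spi] = self.pending_in
        self.outbound = self.pending_out
        self.pending_in = self.pending_out = None

    def on_msg3(self):
        if self.pending_in is not None:
            self._activate()

    def on_esp(self, spi):
        if spi not in self.inbound:
            return "dropped"  # IPSec holds no SA for this SPI and cannot decrypt
        if self.pending_in is not None and spi == self.pending_in.spi:
            self._activate()  # first packet that verified under the new SA
        return "decrypted"


def run(early_install, msg3_delayed, rekey=False, packets=3):
    """Replay one negotiation. msg3_delayed delivers message 3 only after the
    initiator's first ESP packets; a lost message 3 gives the same packet outcome."""
    init, resp = Initiator(), Responder(early_install)
    old_to_init = None
    if rekey:  # an old SA pair is already in use in both directions
        old_to_resp, old_to_init = SA(next(_spi), "old"), SA(next(_spi), "old")
        resp.inbound[old_to_resp.spi], resp.outbound = old_to_resp, old_to_init
        init.inbound[old_to_init.spi], init.outbound = old_to_init, old_to_resp
    spi_r, chosen = resp.on_msg1(*init.msg1("esp-aes-sha1"))
    init.on_msg2(spi_r, chosen)  # message 3 is now on the wire
    out_before = resp.outbound.spi if resp.outbound else None
    window = init.on_esp(out_before) if out_before is not None else None
    if not msg3_delayed:
        resp.on_msg3()
    results = [resp.on_esp(init.outbound.spi) for _ in range(packets)]
    if msg3_delayed:
        resp.on_msg3()
    return {"inbound": results, "outbound_before": out_before,
            "outbound_after": resp.outbound.spi, "window_traffic": window,
            "old_spi_to_initiator": old_to_init.spi if old_to_init else None}


if __name__ == "__main__":
    for early in (False, True):
        for rekey in (False, True):
            print("early_install" if early else "prior_art", "rekey" if rekey else "initial",
                  run(early, msg3_delayed=True, rekey=rekey)["inbound"])
```

The model only calls on_esp for packets that passed the new SA's integrity check; a real implementation must keep that assumption, since treating any packet that merely names the new SPI as the activation trigger would let an unauthenticated sender flip the responder's outbound SA. The old inbound SA also stays installed on the responder until its hard timeout, because the initiator keeps encrypting with it until it has sent message 3.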
Embodiment four
For the methods of embodiments one to three above, the embodiment of the invention provides an IPSec SA negotiation device. The device can be any device that performs IPSec SA negotiation in the quick mode of IKE phase 2, for example a router, firewall or gateway device.
As shown in Fig. 5, the device comprises a receiving module 10, an SA generation and installation module 20, a sending module 30 and an IPSec module 40, where:
the receiving module 10 receives the first message and the third message sent by the initiator and IPSec packets encrypted with the negotiated SA;
the SA generation and installation module 20 generates the negotiated SA after the receiving module 10 receives the first message from the initiator and installs it into the IPSec module 40;
the sending module 30 replies with the second message to the initiator after the SA generation and installation module 20 has installed the negotiated SA;
the IPSec module 40 uses the negotiated SA to protect the data flow after the receiving module 10 receives an IPSec packet from the initiator encrypted with the negotiated SA, or after the receiving module 10 receives the third message from the initiator; where the first, second and third messages are the three messages used to complete IPSec SA negotiation in the quick mode of IKE phase 2.
As shown in Fig. 6, the SA generation and installation module 20 may further comprise a matching module 202, a generation module 204 and an installation module 206, where:
during initial IPSec SA negotiation, the matching module 202 selects, from all the security parameters carried in the first message received by the receiving module 10 that the device needs to negotiate, the parameters matching the device; the generation module 204 then generates the SA from the parameters selected by the matching module 202; and the installation module 206 installs the SA generated by the generation module 204 into the IPSec module 40.
During IPSec SA renegotiation triggered by the old SA's timeout, the negotiated SA that the generation module 204 generates from the parameters selected by the matching module 202 can be called the new SA, to distinguish it from the old SA, and the installation module 206 installs the new SA generated by the generation module 204 into the IPSec module 40.
Afterwards, when the IPSec module 40 receives an IPSec packet from the initiator encrypted with the negotiated SA (the new SA, in the renegotiation case) or receives the third message from the initiator, it uses this SA to protect the data flow (which in the renegotiation case amounts to switching from the old SA to the new SA and using the new SA), that is, it decrypts the IPSec packets from the initiator and encrypts the packets to be sent to the initiator.
In summary, the above embodiments of the invention achieve the following technical effect: the responder generates the SA and installs it into IPSec after receiving the quick-mode first message and before sending the quick-mode second message, and activates it when it receives either an IPSec packet encrypted with that SA or the quick-mode third message from the initiator. Even if delay or loss of the third message causes an IPSec packet encrypted with the negotiated SA to reach the responder first, the responder can decrypt it with the already installed SA, so bidirectional traffic keeps flowing and the transient jitter or interruption of the prior art during initial negotiation and renegotiation is avoided.
The above are merely preferred embodiments of the invention and are not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall fall within the scope of protection of the invention.

Claims (10)

1. An Internet Protocol Security (IPSec) security association (SA) negotiation method, applied to the second phase of Internet Key Exchange (IKE) negotiation, characterized by comprising:
the responder generating and handing down the negotiated SA after receiving the first message sent by the initiator;
the responder replying with the second message to the initiator;
the responder, after receiving an IPSec-encrypted packet sent by the initiator and encrypted with the negotiated SA, or after receiving the third message sent by the initiator, using the negotiated SA to perform data flow protection; wherein the first message, the second message and the third message are the three messages used by the initiator and the responder to complete IPSec SA negotiation in quick mode.
2. The method according to claim 1, characterized in that said generating and handing down the negotiated SA comprises:
when negotiating an IPSec SA for the first time, the responder selecting, from all the security parameters carried in the first message that the responder needs to negotiate, the security parameters that match its own;
the responder generating the SA according to the security parameters it selected and handing it down to IPSec.
3. The method according to claim 2, characterized in that said using the negotiated SA to perform data flow protection after receiving an IPSec-encrypted packet sent by the initiator and encrypted with the negotiated SA, or after receiving the third message sent by the initiator, comprises:
the IPSec of the responder, after receiving the IPSec-encrypted packet sent by the initiator and encrypted with said SA, or after receiving the third message sent by the initiator, using said SA to perform data flow protection.
4. The method according to claim 1, characterized in that said generating and handing down the negotiated SA comprises:
when re-negotiating an IPSec SA because the old SA has timed out, the responder selecting, from all the security parameters carried in the first message that the responder needs to negotiate, the security parameters that match its own;
the responder generating a new SA according to the security parameters it selected and handing it down to IPSec.
5. The method according to claim 4, characterized in that said using the negotiated SA to perform data flow protection after receiving an IPSec-encrypted packet sent by the initiator and encrypted with the negotiated SA, or after receiving the third message sent by the initiator, comprises:
the IPSec of the responder, after receiving the IPSec-encrypted packet sent by the initiator and encrypted with said new SA, or after receiving the third message sent by the initiator, switching said old SA to said new SA;
and using said new SA to perform data flow protection.
6. An Internet Protocol Security (IPSec) security association (SA) negotiation device, characterized by comprising:
a receiving module, configured to receive the first message and the third message sent by the initiator, and IPSec-encrypted packets encrypted with the negotiated SA;
an SA generating and handing-down module, configured to generate and hand down the negotiated SA after the receiving module receives the first message sent by the initiator;
a sending module, configured to reply with the second message to the initiator after the SA generating and handing-down module has handed down the negotiated SA;
an IPSec module, configured to use the negotiated SA to perform data flow protection after the receiving module receives an IPSec-encrypted packet sent by the initiator and encrypted with the negotiated SA, or after the receiving module receives the third message sent by the initiator; wherein the first message, the second message and the third message are the three messages used to complete IPSec SA negotiation in quick mode of the second phase of Internet Key Exchange (IKE) negotiation.
7. The device according to claim 6, characterized in that the SA generating and handing-down module comprises:
a matching module, configured to, when negotiating an IPSec SA for the first time, select the security parameters that match the device from all the security parameters carried in the first message that the device needs to negotiate;
a generating module, configured to generate the SA according to the security parameters selected by the matching module;
a handing-down module, configured to hand down the SA generated by the generating module to the IPSec module.
8. The device according to claim 7, characterized in that the IPSec module is specifically configured to use said SA to perform data flow protection after receiving the IPSec-encrypted packet sent by the initiator and encrypted with said SA, or after receiving the third message sent by the initiator.
9. The device according to claim 6, characterized in that the SA generating and handing-down module comprises:
a matching module, configured to, when re-negotiating an IPSec SA because the old SA has timed out, select the security parameters that match the device from all the security parameters carried in the first message that the device needs to negotiate;
a generating module, configured to generate a new SA according to the security parameters selected by the matching module;
a handing-down module, configured to hand down the new SA generated by the generating module to the IPSec module.
10. The device according to claim 9, characterized in that the IPSec module is specifically configured to switch said old SA to said new SA, and to use said new SA to perform data flow protection, after the receiving module receives the IPSec-encrypted packet sent by the initiator and encrypted with said new SA, or after the receiving module receives the third message sent by the initiator.
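As an added worked example (not code from the patent or from H3C), the following Python simulation models the responder-side quick-mode handling described in the closing paragraph of the description and in claims 1 to 5: the SA is handed down to the IPsec module on message 1 and brought into force by whichever arrives first, message 3 or a packet protected by that SA. The `IPsecModule` and `Responder` classes, the `install_on_qm1` switch, the transform names and the SPI values are all constructed for illustration; `install_on_qm1=False` models the prior-art responder that hands the SA down only once message 3 has arrived, so the two behaviours can be compared on the same event sequence.

```python
# Added example (not from the patent): a simulation of the responder-side quick-mode
# timing described in the closing paragraph and in claims 1-5. No real crypto is done.
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass
class SA:
    spi: int     # constructed SPI
    params: str  # transform chosen from message 1, e.g. "esp-aes128-sha1"


class IPsecModule:
    """Data plane: SAs handed down by IKE, plus the one currently protecting the flow."""
    def __init__(self) -> None:
        self.installed: Dict[int, SA] = {}  # handed down, possibly not yet in force
        self.active: Optional[SA] = None

    def install(self, sa: SA) -> None:
        self.installed[sa.spi] = sa

    def activate(self, spi: int) -> None:
        if self.active is not None and self.active.spi != spi:
            del self.installed[self.active.spi]  # rekey: old SA switched to new (claim 5)
        self.active = self.installed[spi]

    def inbound(self, spi: int) -> str:
        """Handle an inbound ESP packet carrying `spi`; return what happened to it."""
        if spi not in self.installed:
            return f"dropped: no SA for SPI {spi:#x}"
        if self.active is None or self.active.spi != spi:
            self.activate(spi)  # traffic on a handed-down SA brings it into force
            return f"SA {spi:#x} brought into force by traffic; decrypted"
        return f"decrypted with SPI {spi:#x}"


class Responder:
    """IKE side. install_on_qm1=True is the claimed behaviour; False models the prior
    art that hands the SA down only once quick-mode message 3 has arrived."""
    def __init__(self, install_on_qm1: bool, supported: Sequence[str]) -> None:
        self.install_on_qm1 = install_on_qm1
        self.supported = tuple(supported)
        self.ipsec = IPsecModule()
        self.pending: Optional[SA] = None  # negotiated, awaiting message 3 or traffic

    def on_qm1(self, proposals: Sequence[str], spi: int) -> str:
        # Claims 2 and 4: pick the offered parameters that match our own, build the SA.
        chosen = next((p for p in proposals if p in self.supported), None)
        if chosen is None:
            return "NO_PROPOSAL_CHOSEN"
        self.pending = SA(spi=spi, params=chosen)
        if self.install_on_qm1:
            self.ipsec.install(self.pending)  # handed down now, in force later
        return "QM2"  # reply with message 2

    def on_qm3(self) -> str:
        if self.pending is None:
            return "no pending SA"
        sa, self.pending = self.pending, None
        if not self.install_on_qm1:
            self.ipsec.install(sa)
        if self.ipsec.active is not None and self.ipsec.active.spi == sa.spi:
            return f"SA {sa.spi:#x} already in force"  # traffic got here first
        self.ipsec.activate(sa.spi)
        return f"SA {sa.spi:#x} brought into force by message 3"


def run(install_on_qm1: bool, events: Sequence[tuple],
        supported: Sequence[str] = ("esp-aes128-sha1",)) -> List[str]:
    """Feed ("QM1", proposals, spi) / ("QM3",) / ("ESP", spi) events to one responder
    and return one outcome string per event."""
    r = Responder(install_on_qm1, supported)
    out: List[str] = []
    for ev in events:
        if ev[0] == "QM1":
            out.append(r.on_qm1(ev[1], ev[2]))
        elif ev[0] == "QM3":
            out.append(r.on_qm3())
        elif ev[0] == "ESP":
            out.append(r.ipsec.inbound(ev[1]))
        else:
            raise ValueError(ev[0])
    return out


# Constructed scenario 1 (claims 1-3): message 3 is delayed, so the initiator's first
# ESP packet on the new SA reaches the responder before message 3 does.
DELAYED_MSG3 = [("QM1", ("esp-3des-md5", "esp-aes128-sha1"), 0x1001),
                ("ESP", 0x1001), ("QM3",)]

# Constructed scenario 2 (claims 4-5): re-negotiation while old SA 0x1001 is in force;
# the old SA keeps carrying traffic until the first packet on the new one switches it out.
REKEY = [("QM1", ("esp-aes128-sha1",), 0x1001), ("QM3",),
         ("QM1", ("esp-aes128-sha1",), 0x2002),
         ("ESP", 0x1001), ("ESP", 0x2002), ("ESP", 0x1001)]
```

`run(False, DELAYED_MSG3)` shows the prior-art responder dropping the early ESP packet because no SA exists for its SPI yet, while `run(True, DELAYED_MSG3)` shows the claimed responder decrypting it and then treating message 3 as mere confirmation; `run(True, REKEY)` walks through the claim 5 switch-over. Two things the toy deliberately omits: a real data plane must still verify the packet's integrity under the pending SA's keys before that packet is allowed to bring the SA into force, and deleting the old inbound SA at the instant of switch-over (as this model does, following the wording of claim 5) is stricter than common IKE implementations, which keep the old inbound SA for a short grace period so that packets already in flight are not dropped.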
CN2012102555208A 2012-07-23 2012-07-23 IPSec SA consultation method and device Pending CN102761553A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2012102555208A CN102761553A (en) 2012-07-23 2012-07-23 IPSec SA consultation method and device

Publications (1)

Publication Number Publication Date
CN102761553A true CN102761553A (en) 2012-10-31

Family

ID=47055874

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2012102555208A Pending CN102761553A (en) 2012-07-23 2012-07-23 IPSec SA consultation method and device

Country Status (1)

Country Link
CN (1) CN102761553A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040049585A1 (en) * 2000-04-14 2004-03-11 Microsoft Corporation SERVER SIDE CONFIGURATION OF CLIENT IPSec LIFETIME SECURITY PARAMETERS
CN1588844A (en) * 2004-09-30 2005-03-02 西安西电捷通无线网络通信有限公司 Method for realizing movable node and basic field managing entity key consultation
CN1777094A (en) * 2004-11-15 2006-05-24 中兴通讯股份有限公司 Key reconsultation trigger method in general pilot system
CN101527729A (en) * 2009-05-05 2009-09-09 杭州华三通信技术有限公司 Reliable IKE message negotiation method, device and system thereof
CN102420770A (en) * 2011-12-27 2012-04-18 汉柏科技有限公司 Method and equipment for negotiating internet key exchange (IKE) message

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
黄永锋 (Huang Yongfeng): "Improvement of the IKE Protocol and Its Implementation Framework", China Master's Theses Full-text Database, Information Science and Technology Series *

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014100967A1 (en) * 2012-12-25 2014-07-03 华为技术有限公司 Method, apparatus, device and system for ipsec negotiation
CN104219217A (en) * 2013-06-05 2014-12-17 中国移动通信集团公司 SA (security association) negotiation method, device and system
CN103312713A (en) * 2013-06-13 2013-09-18 北京星网锐捷网络技术有限公司 Security association negotiation method and device, and network equipment
CN103312713B (en) * 2013-06-13 2016-08-10 北京星网锐捷网络技术有限公司 Security association negotiation method, device and the network equipment
CN105610577A (en) * 2016-01-07 2016-05-25 成都卫士通信息产业股份有限公司 System and method for preventing IPSec (Internet Protocol Security) VPN (Virtual Private Network) device from multi-tunnel IKE (Internet Key Exchange) negotiation failure
CN105610577B (en) * 2016-01-07 2018-09-14 成都卫士通信息产业股份有限公司 A kind of system and method preventing IPSec VPN device Multiple tunnel ike negotiations failure
CN107171786A (en) * 2017-05-19 2017-09-15 成都极玩网络技术有限公司 Network agent account control method
CN112910893A (en) * 2021-02-01 2021-06-04 武汉思普崚技术有限公司 Method, device, equipment and storage medium for preventing packet loss after IPsec SA aging
CN113364811A (en) * 2021-07-05 2021-09-07 北京慧橙信息科技有限公司 Network layer safety protection system and method based on IKE protocol

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20121031