CN103107950B - Method and apparatus for deleting Internet Protocol Security (IPsec) Security Associations - Google Patents
- Publication number: CN103107950B (application CN201310035528.8A)
- Authority: CN (China)
- Prior art keywords: ikesa, ipsecsa, conditioned, delete, message
- Legal status: Active
- Landscapes: Mobile Radio Communication Systems (AREA); Data Exchanges In Wide-Area Networks (AREA)
Abstract
The application discloses a method for deleting Internet Protocol Security Security Associations (IPsec SAs). When a local device needs to delete the IPsec SAs that belong to a given IKE SA and satisfy a preset condition, it sends the peer device a single message requesting deletion of the IPsec SAs of that IKE SA that satisfy the condition, and deletes all local IPsec SAs that satisfy the condition. When the local device receives from the peer device a message requesting deletion of the IPsec SAs of a given IKE SA that satisfy a preset condition, it deletes all IPsec SAs of that IKE SA that satisfy the condition. Based on the same inventive concept, the application also proposes a device. The method keeps the IPsec SAs at both ends of the communication consistent while reducing CPU usage and network bandwidth load.
Description
Technical field
The application relates to the field of communication technology, and in particular to a method and device for deleting Internet Protocol Security Security Associations.
Background technology
Internet Protocol Security (IPsec) is a Layer 3 tunneling and encryption protocol suite defined by the Internet Engineering Task Force (IETF). It provides high-quality, interoperable, cryptography-based security for data transmitted over the Internet and is the traditional technique for implementing a Layer 3 Virtual Private Network (VPN). Private user data is transmitted between specific communicating parties by establishing IPsec tunnels, and the following security services are provided at the IP layer: data confidentiality, data integrity, data origin authentication and anti-replay.
IPsec provides two security mechanisms: authentication and encryption. The authentication mechanism lets the receiver of IP communication confirm the true identity of the data sender and whether the data was tampered with in transit. The encryption mechanism encrypts the data to guarantee its confidentiality and prevent it from being eavesdropped on in transit.
IPsec provides secure communication between two endpoints, called IPsec peers. A Security Association (SA) is the agreement between the peers on a set of elements: which protocol is used (AH, ESP, or both together); the encapsulation mode of the protocol (transport mode or tunnel mode); the encryption algorithm; the shared key protecting the data of a particular flow; the lifetime of the key; and so on.
IPsec can negotiate SAs through the Internet Key Exchange (IKE), which is divided into two phases. In the first phase the communicating parties establish an authenticated and protected channel between each other, that is, an Internet Security Association and Key Management Protocol (ISAKMP) SA; IKE offers two exchange methods for this phase, Main Mode and Aggressive Mode. In the second phase the secure channel established in the first phase is used to negotiate the IPsec security services, that is, to negotiate the concrete SAs for IPsec and establish the IPsec SAs used for the final secure IP transmission.
IPsec is a peer-to-peer technology: an IPsec session is established between IPsec peers, and the peers must have IP connectivity between them. Because of routing problems, peer restarts and similar causes, the IP connectivity between the peers may be lost. IKE and IPsec normally cannot perceive this, so until the lifetime expires the IKE SA and the IPsec SAs between the peers continue to exist, and the interruption of the IPsec session produces a black hole in which data flows are lost. The peers need to discover this black hole as early as possible. The main reason is that one side of the session keeps performing cryptographic operations on data flows destined for the unreachable peer, which wastes considerable CPU resources; secondly, because the failure of the peer cannot be detected, a standby peer cannot be activated either.
Normally one IKE SA is established between two devices, but many IPsec SAs may be established under it so that different flows receive different protection policies; that is, each device holds one IKE SA and many IPsec SAs subordinate to that IKE SA. In this situation, all IPsec SAs associated with the peer device can be deleted on one device by a command line.
When there are few IPsec SAs, sending deletion messages in this way achieves the goal of having the peer delete its IPsec SAs as well. But when a large number of IPsec SAs exist, the transmit buffer of the local device is of limited size and the transmitted deletion messages may be lost; likewise, because the receive buffer of the recipient is of limited size, the peer may lose received messages. The IPsec SAs at the two ends then become inconsistent, and inconsistent IPsec SAs cause the black hole problem.
Summary of the invention
In view of this, the application provides a method and device for deleting Internet Protocol Security Security Associations that keep the IPsec SAs at both ends of the communication consistent while reducing CPU usage and network bandwidth load.
To solve the above technical problem, the technical solution of the present invention is implemented as follows:
A method for deleting Internet Protocol Security Security Associations (IPsec SAs), applied to either of two devices that communicate securely through IPsec, comprising:
when the device needs to delete the IPsec SAs that belong to any Internet Key Exchange Security Association (IKE SA) and satisfy a first preset condition, sending the peer device a message requesting deletion of the IPsec SAs of that IKE SA that satisfy the first preset condition, and deleting the local IPsec SAs of that IKE SA that satisfy the first preset condition;
when the device receives from the peer device a message requesting deletion of the IPsec SAs of an established IKE SA that satisfy the first preset condition, deleting locally the IPsec SAs of that IKE SA that satisfy the first preset condition.
A device, applicable in a network that provides secure communication through Internet Protocol Security (IPsec), the device comprising a transceiver unit and a deletion unit;
the transceiver unit is configured to, when the IPsec SAs of any IKE SA that satisfy a first preset condition need to be deleted, send the peer device a message requesting deletion of the IPsec SAs of that IKE SA that satisfy the first preset condition, and to receive from the peer device messages requesting deletion of the IPsec SAs of an established IKE SA that satisfy the first preset condition;
the deletion unit is configured to, when the IPsec SAs of any IKE SA that satisfy the first preset condition need to be deleted, delete the local IPsec SAs of that IKE SA that satisfy the first preset condition, and, when the transceiver unit receives from the peer device a message requesting deletion of the IPsec SAs of an established IKE SA that satisfy the first preset condition, delete locally the IPsec SAs of that IKE SA that satisfy the first preset condition.
In summary, in the application, when a local device needs to delete the IPsec SAs of a given IKE SA that satisfy a preset condition, it sends the peer device a message requesting deletion of the IPsec SAs of that IKE SA that satisfy the condition and deletes all local IPsec SAs that satisfy the condition; when the local device receives from the peer device a message requesting deletion of the IPsec SAs of a given IKE SA that satisfy a preset condition, it deletes all IPsec SAs of that IKE SA that satisfy the condition. This keeps the IPsec SAs at both ends of the communication consistent while reducing CPU usage and network bandwidth load.
Brief description of the drawings
Fig. 1 is a flow diagram of the method for deleting IPsec SAs in embodiment one of the present invention;
Fig. 2 is a flow diagram of the method for deleting IPsec SAs in embodiment two of the present invention;
Fig. 3 is a diagram of the ISAKMP header format;
Fig. 4 is a diagram of one payload format implementing the first extension type provided in embodiment two of the present invention;
Fig. 5 is a flow diagram of the method for deleting IPsec SAs in embodiment three of the present invention;
Fig. 6 is a diagram of the Delete payload format;
Fig. 7 is a flow diagram of the method by which the device deletes IPsec SAs in embodiment four of the present invention;
Fig. 8 is a diagram of the payload format of the second extension type used in embodiment four of the present invention;
Fig. 9 is a flow diagram of the method for deleting IKE SAs in embodiment five of the present invention;
Figure 10 is a structural diagram of a device applying the above technique in embodiments of the present invention.
Detailed description of the invention
To make the objects, technical solutions and advantages of the present invention clearer, the solution of the present invention is described in further detail below with reference to the drawings and embodiments.
Embodiments of the present invention propose a method for deleting IPsec SAs, applied to either of two devices that communicate securely through IPsec. When the device needs to delete the IPsec SAs of any IKE SA that satisfy a first preset condition, it sends the peer device a message requesting deletion of the IPsec SAs of that IKE SA that satisfy the first preset condition, so that the peer device deletes those IPsec SAs, and it deletes the local IPsec SAs of that IKE SA that satisfy the first preset condition. This keeps the IPsec SAs at both ends of the communication consistent while reducing CPU usage and network bandwidth load.
Embodiment one
Referring to Fig. 1, a flow diagram of the method for deleting IPsec SAs in embodiment one of the present invention. The specific steps are:
Step 101: when the device needs to delete the IPsec SAs of any IKE SA that satisfy a first preset condition, it sends the peer device a message requesting deletion of the IPsec SAs of that IKE SA that satisfy the first preset condition, and deletes the local IPsec SAs of that IKE SA that satisfy the first preset condition.
In this step, the IPsec SAs of an IKE SA that satisfy the first preset condition may be all the IPsec SAs of that IKE SA, or only some of them.
In existing implementations, when more than one IPsec SA of an IKE SA needs to be deleted, as many messages as there are IPsec SAs must be sent for the peer to delete the corresponding IPsec SAs. In embodiments of the present invention a single message notifies the peer to delete all IPsec SAs that satisfy the first preset condition; on receiving the message, the peer device deletes, according to its content, the IPsec SAs of that IKE SA that satisfy the first preset condition.
Step 102: when the device receives from the peer device a message requesting deletion of the IPsec SAs of an established IKE SA that satisfy the first preset condition, it deletes locally the IPsec SAs of that IKE SA that satisfy the first preset condition.
Embodiment two
Referring to Fig. 2, a flow diagram of the method for deleting IPsec SAs in embodiment two of the present invention. The specific steps are:
Step 201: when the device needs to delete the IPsec SAs of any IKE SA that satisfy a first preset condition, it sends the peer device a message consisting of an ISAKMP header and a payload of a first extension type. The Next Payload field of the ISAKMP header is set to the first extension type, which is defined as deletion of the IPsec SAs of the IKE SA that satisfy the first preset condition, and the payload of the first extension type carries the first preset condition.
That is, the message sent to the peer in this step requesting deletion of the IPsec SAs of an IKE SA that satisfy the first preset condition is composed of an ISAKMP header and a payload of the first extension type.
Referring to Fig. 3, the ISAKMP header format. This embodiment sets the Next Payload field to the first extension type and defines that type as deletion of the IPsec SAs of the IKE SA that satisfy the first preset condition. The value of the first extension type can be any value in the range 128 to 255, which is the range RFC 2408 reserves for private use.
Referring to Fig. 4, one payload format implementing the first extension type provided in embodiment two. So that the peer device can receive and parse the first extension payload in the message, its Next Payload, RESERVED, Payload Length and Domain of Interpretation (DOI) fields follow the format and content of the Delete payload; the first preset condition is carried in TLV form, for example by filling the Value field with the IPsec SAs whose identifiers are 1 to 10.
Step 202: the device deletes the local IPsec SAs of that IKE SA that satisfy the first preset condition.
Step 203: the device receives a message from the peer device and reads the Next Payload type from its ISAKMP header. If the type is the first extension type, the device determines that the IPsec SAs of an IKE SA that satisfy the first preset condition are to be deleted; it identifies the IKE SA from the ISAKMP header of the received message, obtains the first preset condition from the payload of the first extension type, finds locally, according to the obtained first preset condition and IKE SA, all IPsec SAs of that IKE SA that satisfy the condition, and deletes them.
In this step, identifying the IKE SA from the ISAKMP header means looking up the IKE SA by the Cookie fields of the header, from which the device knows that IPsec SAs of that IKE SA are to be deleted. When devices establish IPsec SAs through IKE negotiation, both ends maintain all the IPsec SAs belonging to the IKE SA, so once the IKE SA has been identified the device searches the IPsec SAs of that IKE SA for those satisfying the preset condition.
In this embodiment, adding one payload type allows the IPsec SAs that need deleting to be deleted with a single message, without being limited by buffer size. The IPsec SAs at both ends of the communication are kept consistent while CPU usage and network bandwidth load are reduced, thereby avoiding a black hole.
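The exchange of steps 201 to 203, as an added example in Python that is not the patent's own code or any vendor's implementation. It packs the ISAKMP header of Fig. 3 followed by a private-use payload whose leading fields mirror the Delete payload and whose condition is a TLV, then parses and applies that message on the receiving side, matching the IKE SA by the header cookies before touching any child SA. The payload type number 130, the TLV type 1 and the encoding of the condition as a list of 4-byte inbound SPIs are this example's assumptions; the patent fixes none of them. The cookie pairs and the SA table are constructed sample data. The example also assumes the informational message has already been decrypted and its HASH payload verified under the IKE SA, as RFC 2409 does for informational exchanges once a Phase 1 SA exists; a receiver that acted on an unauthenticated delete request would let anyone on the path tear down its tunnels.

```python
import struct

# ISAKMP header, RFC 2408 section 3.1 (28 bytes): initiator cookie, responder cookie,
# next payload, version, exchange type, flags, message ID, total length.
ISAKMP_HDR = "!8s8sBBBBII"
ISAKMP_HDR_LEN = struct.calcsize(ISAKMP_HDR)
ISAKMP_VERSION = 0x10                # major 1, minor 0
EXCH_INFORMATIONAL = 5
FLAG_ENCRYPTION = 0x01
PAYLOAD_NONE = 0
DOI_IPSEC = 1

# Private-use Next Payload value (RFC 2408 leaves 128-255 for private use).
# 130 is this example's choice; the patent fixes no number.
PAYLOAD_DELETE_MATCHING = 130
# TLV type for the condition inside that payload: "the child SAs with these inbound SPIs".
# The TLV layout (2-byte type, 2-byte length, 4-byte SPIs) is this example's assumption.
TLV_SPI_LIST = 1


def build_delete_matching(icookie, rcookie, msg_id, spis):
    """Sender side (step 201): one informational message naming every IPsec SA to delete."""
    value = b"".join(struct.pack("!I", spi) for spi in spis)
    tlv = struct.pack("!HH", TLV_SPI_LIST, len(value)) + value
    # Generic payload header (next payload, reserved, length), then DOI and the condition TLV,
    # mirroring the leading fields of the Delete payload as Fig. 4 does.
    body = struct.pack("!I", DOI_IPSEC) + tlv
    payload = struct.pack("!BBH", PAYLOAD_NONE, 0, 4 + len(body)) + body
    hdr = struct.pack(ISAKMP_HDR, icookie, rcookie, PAYLOAD_DELETE_MATCHING, ISAKMP_VERSION,
                      EXCH_INFORMATIONAL, FLAG_ENCRYPTION, msg_id, ISAKMP_HDR_LEN + len(payload))
    return hdr + payload


def parse_delete_matching(msg):
    """Receiver side (step 203): return ((icookie, rcookie), [spis]), or None if the message is
    not a delete-matching request. Malformed input raises ValueError so nothing is deleted."""
    if len(msg) < ISAKMP_HDR_LEN:
        raise ValueError("short ISAKMP header")
    icookie, rcookie, nxt, _ver, exch, _flags, _msg_id, length = struct.unpack(
        ISAKMP_HDR, msg[:ISAKMP_HDR_LEN])
    if length != len(msg):
        raise ValueError("ISAKMP length field does not match message size")
    if exch != EXCH_INFORMATIONAL or nxt != PAYLOAD_DELETE_MATCHING:
        return None
    off = ISAKMP_HDR_LEN
    if len(msg) < off + 12:
        raise ValueError("payload too short for header, DOI and TLV header")
    pnext, _res, plen = struct.unpack("!BBH", msg[off:off + 4])
    if pnext != PAYLOAD_NONE or plen != len(msg) - off:
        raise ValueError("bad payload header")
    doi = struct.unpack("!I", msg[off + 4:off + 8])[0]
    if doi != DOI_IPSEC:
        raise ValueError("unexpected DOI %d" % doi)
    tlv_type, tlv_len = struct.unpack("!HH", msg[off + 8:off + 12])
    if tlv_type != TLV_SPI_LIST or off + 12 + tlv_len != len(msg) or tlv_len % 4:
        raise ValueError("bad condition TLV")
    value = msg[off + 12:]
    spis = [struct.unpack("!I", value[i:i + 4])[0] for i in range(0, tlv_len, 4)]
    return (icookie, rcookie), spis


def apply_delete_matching(sadb, msg):
    """sadb maps inbound SPI -> owning IKE SA cookie pair. Deletes only the child SAs that are
    both named in the condition and owned by the IKE SA the header cookies identify (the
    Cookie-field lookup of step 203). Returns the sorted list of SPIs removed."""
    parsed = parse_delete_matching(msg)
    if parsed is None:
        return []
    ike_sa, spis = parsed
    doomed = sorted({spi for spi in spis if sadb.get(spi) == ike_sa})
    for spi in doomed:
        del sadb[spi]
    return doomed


if __name__ == "__main__":
    IKE_A = (b"\x01" * 8, b"\xa1" * 8)   # constructed cookie pairs, not real IKE SAs
    IKE_B = (b"\x02" * 8, b"\xb2" * 8)
    sadb = {0x1001: IKE_A, 0x1002: IKE_A, 0x1003: IKE_A, 0x2001: IKE_B}
    # 0x2001 belongs to another IKE SA, so it survives even though the condition names it.
    msg = build_delete_matching(IKE_A[0], IKE_A[1], 0x42, [0x1001, 0x1003, 0x2001])
    print(apply_delete_matching(sadb, msg), sorted(sadb))
```

The ownership check in apply_delete_matching is the part worth keeping in a real implementation: a condition is only ever evaluated against the child SAs of the IKE SA named by the cookies, so a request arriving under one IKE SA can never reach SAs negotiated under another.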
Embodiment three
Taking the case in which a device needs to delete all IPsec SAs of a given IKE SA as an example, this embodiment describes in detail how IPsec SAs are deleted in embodiments of the present invention.
Referring to Fig. 5, a flow diagram of the method for deleting IPsec SAs in embodiment three of the present invention. The specific steps are:
Step 501: when the device needs to delete all IPsec SAs of any IKE SA, it sends the peer device a message consisting of an ISAKMP header and a Delete payload, in which the Security Parameter Index (SPI) value and the number of SPIs are configured so as to indicate that all IPsec SAs of the IKE SA are to be deleted.
The message sent to the peer device in this step has the same composition as the existing deletion message: an ISAKMP header and a Delete payload. Referring to Fig. 6, the Delete payload format. Embodiment three does not modify the fields of this payload; the only difference from the existing implementation is that the SPI value and the number of SPIs configured in the Delete payload indicate deletion of all IPsec SAs of the IKE SA.
In a concrete implementation the SPI value is set to 0 and the number of SPIs to 1. Because an SPI value of 0 is reserved by the system and is never assigned to a real SA, this field can be used for the purpose.
Step 502: the device deletes all local IPsec SAs of that IKE SA.
Step 503: when the device receives a message from the peer device and the SPI value and number of SPIs in its Delete payload indicate deletion of all IPsec SAs of the IKE SA, it identifies the IKE SA from the ISAKMP header of the received message, finds locally all IPsec SAs of that IKE SA, and deletes them.
That is, when the message received from the peer device carries a Delete payload whose SPI value is 0 and whose number of SPIs is 1, the device determines that all IPsec SAs of the IKE SA are to be deleted.
Embodiment four
Taking again the case in which a device needs to delete all IPsec SAs of a given IKE SA as an example, this embodiment describes in detail how IPsec SAs are deleted in embodiments of the present invention.
Referring to Fig. 7, a flow diagram of the method by which the device deletes IPsec SAs in embodiment four of the present invention. The specific steps are:
Step 701: when the device needs to delete all IPsec SAs of any IKE SA, it sends the peer device a message consisting of an ISAKMP header and a payload of a second extension type. The Next Payload field of the ISAKMP header is set to the second extension type, which is defined as deletion of all IPsec SAs of the IKE SA.
In this embodiment, deletion of all IPsec SAs of the specified IKE SA is achieved by adding a payload of a second extension type. Referring to Fig. 8, the payload format of the second extension type. In Fig. 8, Next Payload (1 byte) is the type of the next payload; since this is the last payload it is NONE, value 0. RESERVED (1 byte) is a reserved field, set to 0. Payload Length (2 bytes) is the length of this payload, value 8. DOI (4 bytes) is the IPsec DOI, value 1. These fields are identical to the corresponding part of the Delete payload in Fig. 6; the content of the second extension payload exists only to keep the message format complete. The value of the second extension type lies in the range 128 to 255 and differs from the values used for other payload types.
Step 702: the device deletes all local IPsec SAs of that IKE SA.
Step 703: the device receives a message from the peer device and reads the Next Payload type from its ISAKMP header. If the type is the second extension type, the device determines that all IPsec SAs of the IKE SA are to be deleted, identifies the IKE SA from the ISAKMP header of the received message, finds locally all IPsec SAs of that IKE SA, and deletes them.
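Steps 501 to 503 and 701 to 703 side by side, as an added Python example that is not the patent's own code or any vendor's implementation. It builds the Delete payload of Fig. 6 (RFC 2408 section 3.15) in two forms, the ordinary per-SPI delete and the overloaded form of embodiment three with a single SPI of value 0, plus the fixed 8-byte private payload of embodiment four (Fig. 8), and one receiver routine dispatches on the Next Payload field and tells the two "delete all" forms apart from an ordinary delete. The private type number 131 and the use of the ESP protocol identifier are this example's choices; the cookie pairs and the SA table are constructed sample data. As in the previous example, the message is assumed to have been decrypted and its HASH verified under the IKE SA before any deletion is applied; a forged "delete all" is far more damaging than a forged single-SPI delete, so the overloaded form should never be honored outside a protected informational exchange.

```python
import struct

# ISAKMP header, RFC 2408 section 3.1 (28 bytes): cookies, next payload, version,
# exchange type, flags, message ID, total length.
ISAKMP_HDR = "!8s8sBBBBII"
ISAKMP_HDR_LEN = struct.calcsize(ISAKMP_HDR)
ISAKMP_VERSION = 0x10
EXCH_INFORMATIONAL = 5
FLAG_ENCRYPTION = 0x01
PAYLOAD_NONE = 0
PAYLOAD_DELETE = 12                  # standard Delete payload, RFC 2408 section 3.15
PAYLOAD_DELETE_ALL_CHILDREN = 131    # private-use value (128-255); the number is this example's choice
DOI_IPSEC = 1
PROTO_ESP = 3                        # IPsec DOI protocol identifier for ESP (RFC 2407)


def _informational(icookie, rcookie, next_payload, msg_id, payload):
    """Wrap one payload in an ISAKMP informational-exchange header."""
    hdr = struct.pack(ISAKMP_HDR, icookie, rcookie, next_payload, ISAKMP_VERSION,
                      EXCH_INFORMATIONAL, FLAG_ENCRYPTION, msg_id, ISAKMP_HDR_LEN + len(payload))
    return hdr + payload


def build_delete(icookie, rcookie, msg_id, spis, proto=PROTO_ESP):
    """Ordinary Delete payload: DOI, protocol id, SPI size 4, number of SPIs, then the SPIs."""
    body = struct.pack("!IBBH", DOI_IPSEC, proto, 4, len(spis))
    body += b"".join(struct.pack("!I", spi) for spi in spis)
    payload = struct.pack("!BBH", PAYLOAD_NONE, 0, 4 + len(body)) + body
    return _informational(icookie, rcookie, PAYLOAD_DELETE, msg_id, payload)


def build_delete_all_via_spi0(icookie, rcookie, msg_id):
    """Embodiment three: the unmodified Delete payload carrying one SPI whose value is the reserved 0."""
    return build_delete(icookie, rcookie, msg_id, [0])


def build_delete_all_via_private(icookie, rcookie, msg_id):
    """Embodiment four: a fixed 8-byte private payload (Fig. 8) that carries no condition at all."""
    payload = struct.pack("!BBHI", PAYLOAD_NONE, 0, 8, DOI_IPSEC)
    return _informational(icookie, rcookie, PAYLOAD_DELETE_ALL_CHILDREN, msg_id, payload)


def parse_delete(msg):
    """Return (ike_sa, "all", None), (ike_sa, "spis", [spis]) or None for unrelated messages.
    Malformed input raises ValueError and must not delete anything."""
    if len(msg) < ISAKMP_HDR_LEN + 8:
        raise ValueError("message too short")
    icookie, rcookie, nxt, _ver, exch, _flags, _msg_id, length = struct.unpack(
        ISAKMP_HDR, msg[:ISAKMP_HDR_LEN])
    if length != len(msg):
        raise ValueError("ISAKMP length field does not match message size")
    if exch != EXCH_INFORMATIONAL:
        return None
    off = ISAKMP_HDR_LEN
    pnext, _res, plen, doi = struct.unpack("!BBHI", msg[off:off + 8])
    if pnext != PAYLOAD_NONE or plen != len(msg) - off or doi != DOI_IPSEC:
        raise ValueError("bad payload header")
    ike_sa = (icookie, rcookie)
    if nxt == PAYLOAD_DELETE_ALL_CHILDREN:
        if plen != 8:
            raise ValueError("private delete-all payload must be exactly 8 bytes")
        return ike_sa, "all", None
    if nxt != PAYLOAD_DELETE:
        return None
    if plen < 12:
        raise ValueError("Delete payload too short")
    _proto, spi_size, count = struct.unpack("!BBH", msg[off + 8:off + 12])
    if spi_size != 4 or plen != 12 + 4 * count:
        raise ValueError("only 4-byte IPsec SPIs are handled here, and the count must match the length")
    spis = list(struct.unpack("!%dI" % count, msg[off + 12:]))
    if count == 1 and spis[0] == 0:
        return ike_sa, "all", None       # the overloaded form of embodiment three
    return ike_sa, "spis", spis


def apply_delete(sadb, msg):
    """sadb maps inbound SPI -> owning IKE SA cookie pair. Deletes the child SAs the message names
    (or every child SA of the IKE SA for the "all" forms), restricted to the IKE SA the header
    cookies identify. Returns the sorted list of SPIs removed."""
    parsed = parse_delete(msg)
    if parsed is None:
        return []
    ike_sa, kind, spis = parsed
    if kind == "all":
        doomed = sorted(spi for spi, owner in sadb.items() if owner == ike_sa)
    else:
        doomed = sorted({spi for spi in spis if sadb.get(spi) == ike_sa})
    for spi in doomed:
        del sadb[spi]
    return doomed


if __name__ == "__main__":
    IKE_A = (b"\x01" * 8, b"\xa1" * 8)   # constructed cookie pairs, not real IKE SAs
    IKE_B = (b"\x02" * 8, b"\xb2" * 8)
    sadb = {0x1001: IKE_A, 0x1002: IKE_A, 0x1003: IKE_A, 0x2001: IKE_B}
    print(apply_delete(sadb, build_delete(*IKE_A, 1, [0x1002])))       # [4098]
    print(apply_delete(sadb, build_delete_all_via_spi0(*IKE_A, 2)))    # [4097, 4099]
    print(sorted(sadb))                                                 # [8193]
```

The two "delete all" encodings are 44 and 36 bytes on the wire respectively, independent of how many child SAs exist, which is the whole point of the patent: the per-SPI form grows by 4 bytes per SA and, past the transmit or receive buffer size, is what loses messages and leaves the two ends inconsistent.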
Embodiment five
This embodiment describes in detail how IKE SAs that satisfy a second preset condition are deleted.
Referring to Fig. 9, a flow diagram of the method for deleting IKE SAs in embodiment five of the present invention. The specific steps are:
Step 901: when the device needs to delete IKE SAs that satisfy a second preset condition, it sends the peer device a message requesting deletion of the IKE SAs that satisfy the second preset condition. The message consists of an ISAKMP header and a payload of a third extension type; the Next Payload field of the ISAKMP header is set to the third extension type, which is defined as deletion of the IKE SAs that satisfy the second preset condition, and the payload of the third extension type carries the second preset condition.
In a concrete implementation of this embodiment, the payload of the third extension type may use the payload format of Fig. 4, the only difference being that the new field is filled with the second preset condition. The value of the third extension type lies in the range 128 to 255 and differs from the values used for other payload types.
Step 902: the device deletes the local IKE SAs that satisfy the second preset condition.
Step 903: the device receives a message from the peer device and reads the Next Payload type from its ISAKMP header. If the type is the third extension type, the device determines that the IKE SAs satisfying the second preset condition are to be deleted, obtains the second preset condition from the payload of the third extension type in the received message, finds locally all IKE SAs that satisfy the obtained second preset condition, and deletes them.
If the IKE SAs satisfying the second preset condition are all the IKE SAs established by the device, this can also be achieved by defining a dedicated payload type, which is not described again here.
Based on the same inventive concept, embodiments of the present invention also propose a device applicable in a network that provides secure communication through IPsec. Referring to Figure 10, a structural diagram of a device applying the above technique in embodiments of the present invention. The device comprises a transceiver unit 1001 and a deletion unit 1002.
Transceiver unit 1001 is configured to, when the IPsec SAs of any IKE SA that satisfy a first preset condition need to be deleted, send the peer device a message requesting deletion of the IPsec SAs of that IKE SA that satisfy the first preset condition, and to receive from the peer device messages requesting deletion of the IPsec SAs of an established IKE SA that satisfy the first preset condition.
Deletion unit 1002 is configured to, when the IPsec SAs of any IKE SA that satisfy the first preset condition need to be deleted, delete the local IPsec SAs of that IKE SA that satisfy the first preset condition, and, when transceiver unit 1001 receives from the peer device a message requesting deletion of the IPsec SAs of an established IKE SA that satisfy the first preset condition, delete locally the IPsec SAs of that IKE SA that satisfy the first preset condition.
Preferably,
the message sent by transceiver unit 1001 to the peer device requesting deletion of the IPsec SAs of the IKE SA that satisfy the first preset condition comprises an ISAKMP header and a payload of a first extension type; the Next Payload field of the ISAKMP header is set to the first extension type, which is defined as deletion of the IPsec SAs of the IKE SA that satisfy the first preset condition, and the payload of the first extension type carries the first preset condition;
deletion unit 1002 is configured to read the Next Payload type from the ISAKMP header of the message received by the transceiver unit and, if that type is the first extension type, to determine that the IPsec SAs of the IKE SA satisfying the first preset condition are to be deleted, identify the IKE SA from the ISAKMP header of the received message, obtain the first preset condition from the payload of the first extension type, find locally, according to the obtained first preset condition and IKE SA, all IPsec SAs of that IKE SA that satisfy the first preset condition, and delete them.
Preferably,
when the IPsec SAs satisfying the first preset condition are all IPsec SAs, the message sent by transceiver unit 1001 to the peer device requesting deletion of the IPsec SAs of the IKE SA that satisfy the first preset condition comprises an ISAKMP header and a Delete payload, in which the SPI value and the number of SPIs are configured to indicate deletion of all IPsec SAs of the IKE SA;
deletion unit 1002 is configured, when the SPI value and number of SPIs in the Delete payload of the message indicate deletion of all IPsec SAs of the IKE SA, to identify the IKE SA from the ISAKMP header of the received message, find locally all IPsec SAs of that IKE SA, and delete them.
Preferably,
when the IPsec SAs satisfying the first preset condition are all IPsec SAs, the message sent by transceiver unit 1001 to the peer device requesting deletion of the IPsec SAs of the IKE SA that satisfy the preset condition comprises an ISAKMP header and a payload of a second extension type; the Next Payload field of the ISAKMP header is set to the second extension type, which is defined as deletion of all IPsec SAs of the IKE SA;
deletion unit 1002 is configured to read the Next Payload type from the ISAKMP header of the message received by transceiver unit 1001 and, if that type is the second extension type, to determine that all IPsec SAs of the IKE SA are to be deleted, identify the IKE SA from the ISAKMP header of the received message, find locally all IPsec SAs of that IKE SA, and delete them.
Preferably,
transceiver unit 1001 is further configured, when IKE SAs satisfying a second preset condition need to be deleted, to send the peer device a message requesting deletion of the IKE SAs that satisfy the second preset condition, the message comprising an ISAKMP header and a payload of a third extension type, the Next Payload field of the ISAKMP header being set to the third extension type, which is defined as deletion of the IKE SAs that satisfy the second preset condition, and the payload of the third extension type carrying the second preset condition; and to receive from the peer device messages requesting deletion of the IKE SAs that satisfy the second preset condition;
deletion unit 1002 is further configured, when IKE SAs satisfying the second preset condition need to be deleted, to delete the local IKE SAs that satisfy the second preset condition; and, when transceiver unit 1001 receives from the peer device a message requesting deletion of the IKE SAs that satisfy the second preset condition, to read the Next Payload type from the ISAKMP header of the message and, if that type is the third extension type, determine that the IKE SAs satisfying the second preset condition are to be deleted, obtain the second preset condition from the payload of the third extension type in the received message, find locally all IKE SAs that satisfy the obtained second preset condition, and delete them.
The units of the above embodiments may be integrated into one or deployed separately; they may be merged into a single unit or further split into multiple sub-units.
In summary, in embodiments of the present invention, when a local device needs to delete the IPsec SAs of a given IKE SA that satisfy a preset condition, it sends the peer device a message requesting deletion of the IPsec SAs of that IKE SA that satisfy the condition, so that the peer device deletes all IPsec SAs of that IKE SA that satisfy the condition, and it deletes all local IPsec SAs that satisfy the condition; when the local device receives from the peer device a message requesting deletion of the IPsec SAs of a given IKE SA that satisfy a preset condition, it deletes all IPsec SAs of that IKE SA that satisfy the condition. This keeps the IPsec SAs at both ends of the communication consistent while reducing CPU usage and network bandwidth load, and avoids black holes.
Embodiments of the present invention provide a technical solution that reuses the existing message for deleting a single IPsec SA, modifying the SPI value and the number of SPIs so as to delete all IPsec SAs of a given IKE SA that satisfy a preset condition, and a technical solution that deletes all IPsec SAs of a given IKE SA that satisfy a preset condition by means of an extended payload type.
Embodiments of the present invention also provide a technical solution for deleting IKE SAs that satisfy a preset condition.
With the technical solutions proposed by the present invention, whether a given IKE SA has a small or a large number of associated IPsec SAs, when one end of the communication deletes IPsec SAs or an IKE SA, the other end is guaranteed to delete the corresponding IPsec SAs or IKE SA, so the IPsec SAs and IKE SAs at both ends of the communication remain consistent and black holes are avoided.
The above are only preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall be included within its scope of protection.
Claims (10)
1. A method for deleting Internet Protocol Security Security Associations (IPsec SAs), applied to either of two devices that communicate securely through IPsec, characterized by comprising:
when the device needs to delete the IPsec SAs that belong to any Internet Key Exchange Security Association (IKE SA) and satisfy a first preset condition, sending the peer device a message requesting deletion of the IPsec SAs of that IKE SA that satisfy the first preset condition, and deleting the local IPsec SAs of that IKE SA that satisfy the first preset condition, wherein the IPsec SAs of that IKE SA that satisfy the first preset condition are more than one IPsec SA;
when the device receives from the peer device a message requesting deletion of the IPsec SAs of an established IKE SA that satisfy the first preset condition, deleting locally the IPsec SAs of that IKE SA that satisfy the first preset condition.
2. The method according to claim 1, characterized in that the message sent to the peer device requesting deletion of the IPsec SAs of the IKE SA that satisfy the first preset condition comprises an Internet Security Association and Key Management Protocol (ISAKMP) header and a payload of a first extension type; the Next Payload field of the ISAKMP header is set to the first extension type, which is defined as deletion of the IPsec SAs of the IKE SA that satisfy the first preset condition; and the payload of the first extension type carries the first preset condition;
and said deleting locally the IPsec SAs of that IKE SA that satisfy the first preset condition, when the device receives from the peer device a message requesting deletion of the IPsec SAs of an established IKE SA that satisfy the first preset condition, comprises:
the device receiving the message sent by the peer device and reading the Next Payload type from its ISAKMP header; if that type is the first extension type, determining that the IPsec SAs of the IKE SA that satisfy the first preset condition are to be deleted, identifying the IKE SA from the ISAKMP header of the received message, obtaining the first preset condition from the payload of the first extension type, and, according to the obtained first preset condition and IKE SA, finding locally all IPsec SAs of that IKE SA that satisfy the first preset condition and deleting them.
3. The method according to claim 1, characterized in that, when the IPsec SAs satisfying the first preset condition are all IPsec SAs, the message sent to the peer device requesting deletion of the IPsec SAs of the IKE SA that satisfy the first preset condition comprises an ISAKMP header and a Delete payload, in which a Security Parameter Index (SPI) value and a number of SPIs are configured to indicate deletion of all IPsec SAs of the IKE SA;
and said deleting locally the IPsec SAs of that IKE SA that satisfy the first preset condition, when the device receives from the peer device a message requesting deletion of the IPsec SAs of an established IKE SA that satisfy the first preset condition, comprises:
the device receiving the message sent by the peer device and, if the SPI value and the number of SPIs in the Delete payload of the message indicate deletion of all IPsec SAs of the IKE SA, identifying the IKE SA from the ISAKMP header of the received message, finding locally all IPsec SAs of that IKE SA, and deleting them.
4. The method according to claim 1, characterized in that, when the IPsec SAs satisfying the first preset condition are all IPsec SAs, the message sent to the peer device requesting deletion of the IPsec SAs of the IKE SA that satisfy the first preset condition comprises an ISAKMP header and a payload of a second extension type; the Next Payload field of the ISAKMP header is set to the second extension type, which is defined as deletion of all IPsec SAs of the IKE SA;
and said deleting locally the IPsec SAs of that IKE SA that satisfy the first preset condition, when the device receives from the peer device a message requesting deletion of the IPsec SAs of an established IKE SA that satisfy the first preset condition, comprises:
the device receiving the message sent by the peer device and reading the Next Payload type from its ISAKMP header; if that type is the second extension type, determining that all IPsec SAs of the IKE SA are to be deleted, identifying the IKE SA from the ISAKMP header of the received message, finding locally all IPsec SAs of that IKE SA, and deleting them.
5. The method according to any one of claims 1 to 4, characterized in that the method further comprises:
when the device needs to delete IKE SAs that satisfy a second preset condition, sending the peer device a message requesting deletion of the IKE SAs that satisfy the second preset condition, and deleting the local IKE SAs that satisfy the second preset condition, wherein the message sent comprises an ISAKMP header and a payload of a third extension type; the Next Payload field of the ISAKMP header is set to the third extension type, which is defined as deletion of the IKE SAs that satisfy the second preset condition; and the payload of the third extension type carries the second preset condition;
When described this equipment receives the message that opposite equip. sends, next that obtain in the ISAKMP head of this message carriedLotus type, if next load type obtaining is the 3rd expansion type, determines to delete to meet the second pre-conditioned IKESA obtains second pre-conditionedly from receive the load of the 3rd expansion type of message, finds to meet obtain in this localitySecond pre-conditioned all IKESA, and delete.
6. an equipment, can be applicable to provides in the network of secure communication by internet protocol secure IPsec, its spyLevy and be, described equipment comprises: Transmit-Receive Unit and delete cells;
Described Transmit-Receive Unit, for need to delete arbitrary IKESA corresponding meet the first pre-conditioned internet protocolWhile discussing safe Security Association IPsecSA, send and delete the IKESA of this internet cryptographic key exchanging safety alliance to opposite equip.The corresponding message that meets the first pre-conditioned IPsecSA; The IKESA that the deletion that reception opposite equip. sends has been set upThe corresponding message that meets the first pre-conditioned IPsecSA; It is first default that what wherein, this IKESA was corresponding meetThe IPsecSA of condition is more than one IPsecSA;
Described delete cells, for when need to delete arbitrary IKESA corresponding meet the first pre-conditioned IPsecSATime, what local this IKESA of deletion was corresponding meets the first pre-conditioned IPsecSA; When described Transmit-Receive Unit receivesSend to opposite equip., delete the report that meets the first pre-conditioned IPsecSA that the IKESA that set up is correspondingWen Shi, delete in this locality this IKESA corresponding meet the first pre-conditioned IPsecSA.
7. equipment according to claim 6, is characterized in that,
Described Transmit-Receive Unit, for this IKESA of deletion of sending to opposite equip. corresponding meet first pre-conditionedThe message of IPsecSA, comprising: internet security association and key management protocol ISAKMP head and the first extension classThe load of type, the type of next load in ISAKMP head is filled to the first expansion type, this first expansion typeBe defined as delete IKESA corresponding meet the first pre-conditioned IPsecSA; In the load of the first expansion typeCarry first pre-conditioned;
Described delete cells, for obtaining the next load of ISAKMP head of the message that described Transmit-Receive Unit receivesType, if the type of next load obtaining is the first expansion type, determines and delete corresponding the meeting of IKESAThe first pre-conditioned IPsecSA obtains IKESA, the first extension class from the ISAKMP head of reception messageIn the load of type, obtain first pre-conditionedly, according to the first pre-conditioned and IKESA obtaining, find in this localityWhat this IKESA was corresponding meets first pre-conditioned all IPsecSA, and deletes.
8. equipment according to claim 6, is characterized in that,
Described Transmit-Receive Unit, for when described when to meet the first pre-conditioned IPsecSA be all IPsecSA,The message that meets the first pre-conditioned IPsecSA corresponding to this IKESA of deletion sending to opposite equip., comprisesISAKMP head and deletion Delete load; Wherein in Delete load, configure Security Parameter Index SPI value and SPINumber, shows that this SPI deletes all IPsecSA corresponding to IKESA;
Described delete cells, for according to Delete load SPI value and the SPI number of this message, deletes if determineWhen all IPsecSA of IKESA, from receive the ISAKMP head of message, obtain IKESA, find in this localityAll IPsecSA that this IKESA is corresponding, and delete.
9. equipment according to claim 6, is characterized in that,
Described Transmit-Receive Unit, for when described when to meet the first pre-conditioned IPsecSA be all IPsecSA,The message that meets pre-conditioned IPsecSA corresponding to this IKESA of deletion sending to opposite equip., comprisesThe load of ISAKMP head and the second expansion type, the type of next load in ISAKMP head is filled to the second expansionExhibition type, this second expansion type is defined as all IPsecSA that delete IKESA;
Described delete cells, obtains next load for receive the ISAKMP head of message from described Transmit-Receive UnitType, if next load type of obtaining is the load of the second expansion type, determines and deletes the IKESA satisfying conditionAll IPsecSA, from receive the ISAKMP head of message, obtain IKESA, find this IKESA in this localityCorresponding all IPsecSA, and delete.
10. according to the equipment described in claim 6-9 any one, it is characterized in that,
Described Transmit-Receive Unit, is further used for needing to delete while meeting the second pre-conditioned IKESA, establishes to opposite endPreparation is sent and is deleted the message that meets the second pre-conditioned IKESA, and the message of transmission comprises: ISAKMP head and theThe load of three expansion types, the type of next load in ISAKMP head is filled to the 3rd expansion type, the 3rdExpansion type is defined as to delete and meets the second pre-conditioned IKESA; In the load of the 3rd expansion type, carry secondPre-conditioned; Receive the message that deletion that opposite equip. sends meets the second pre-conditioned IKESA;
Described delete cells, is further used for needing to delete while meeting the second pre-conditioned IKESA, deletes localMeet the second pre-conditioned IKESA; Meet second pre-when described Transmit-Receive Unit receives the deletion that opposite equip. sendsIf when the message of the IKESA of condition, obtain next load type in the ISAKMP head of message, if obtain underOne load type is the 3rd expansion type, determines to delete to meet the second pre-conditioned IKESA, from receiving messageIn the load of the 3rd expansion type, obtain second pre-conditionedly, find in this locality and meet obtain second pre-conditionedAll IKESA, and delete.
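Added illustration, not code from the patent: a Python sketch of the message layout claimed in claims 2 and 4 and of the receiver-side dispatch, where the ISAKMP header's Next Payload field carries a private-use extension type, the cookie pair identifies the IKE SA, and the first-extension payload carries the condition. The extension type numbers (128, 129), the condition encoding ("IPsec SAs created before a timestamp") and the SADB layout are assumptions; the claims do not fix them.

```python
import struct
from dataclasses import dataclass

# Assumed private-use ISAKMP payload type numbers for the patent's extension types.
FIRST_EXT = 128   # delete the IPsec SAs of one IKE SA that satisfy a condition
SECOND_EXT = 129  # delete all IPsec SAs of one IKE SA

# ISAKMP header: i-cookie, r-cookie, next payload, version, exchange type, flags, msg id, length
ISAKMP_HDR = "!8s8sBBBBII"
HDR_LEN = struct.calcsize(ISAKMP_HDR)  # 28 bytes

@dataclass
class IpsecSa:
    spi: int
    ike_sa: bytes      # cookie pair of the IKE SA that negotiated this IPsec SA
    created: int       # constructed timestamp in seconds

def build_delete_msg(ike_sa: bytes, ext_type: int, created_before: int = 0) -> bytes:
    """Header whose Next Payload is the extension type, then one generic payload.
    The first-extension payload carries the assumed condition (a 'created before'
    timestamp); the second-extension payload has no body."""
    body = struct.pack("!I", created_before) if ext_type == FIRST_EXT else b""
    payload = struct.pack("!BBH", 0, 0, 4 + len(body)) + body   # next=NONE, reserved, length
    hdr = struct.pack(ISAKMP_HDR, ike_sa[:8], ike_sa[8:], ext_type,
                      0x10, 5, 0, 0, HDR_LEN + len(payload))     # v1.0, Informational exchange
    return hdr + payload

def handle_delete_msg(msg: bytes, sadb: list) -> list:
    """Receiver side: read Next Payload, take the IKE SA from the header cookies,
    select the matching IPsec SAs in the local SADB and delete them.
    Returns the SPIs that were deleted."""
    icookie, rcookie, next_payload, *_ = struct.unpack(ISAKMP_HDR, msg[:HDR_LEN])
    ike_sa = icookie + rcookie
    if next_payload == FIRST_EXT:
        _, _, plen = struct.unpack("!BBH", msg[HDR_LEN:HDR_LEN + 4])
        (created_before,) = struct.unpack("!I", msg[HDR_LEN + 4:HDR_LEN + plen])
        victims = [sa for sa in sadb if sa.ike_sa == ike_sa and sa.created < created_before]
    elif next_payload == SECOND_EXT:
        victims = [sa for sa in sadb if sa.ike_sa == ike_sa]
    else:
        return []   # not one of the extension types; not handled by this sketch
    for sa in victims:
        sadb.remove(sa)
    return [sa.spi for sa in victims]

def demo():
    """Constructed SADB: IKE SA A owns three IPsec SAs, IKE SA B owns one."""
    ike_a, ike_b = bytes(range(16)), bytes(range(16, 32))
    sadb = [IpsecSa(0x1001, ike_a, 500), IpsecSa(0x1002, ike_a, 900),
            IpsecSa(0x1003, ike_a, 1500), IpsecSa(0x2001, ike_b, 100)]
    stale = handle_delete_msg(build_delete_msg(ike_a, FIRST_EXT, 1000), sadb)
    rest = handle_delete_msg(build_delete_msg(ike_a, SECOND_EXT), sadb)
    return stale, rest, [sa.spi for sa in sadb]   # ([0x1001, 0x1002], [0x1003], [0x2001])
```

One message replaces a per-SPI Delete for every affected IPsec SA, which is the bandwidth and CPU saving the abstract describes; the SA of the other IKE SA is untouched because selection is keyed on the header cookies.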
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310035528.8A CN103107950B (en) | 2013-01-28 | 2013-01-28 | A kind of method and apparatus of deleting internet protocol secure Security Association |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103107950A CN103107950A (en) | 2013-05-15 |
CN103107950B true CN103107950B (en) | 2016-05-11 |
Family
ID=48315527
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310035528.8A Active CN103107950B (en) | 2013-01-28 | 2013-01-28 | A kind of method and apparatus of deleting internet protocol secure Security Association |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103107950B (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103973687B (en) * | 2014-05-08 | 2017-07-14 | 新华三技术有限公司 | IP Security Associations maintaining method and device |
CN104168205B (en) * | 2014-08-06 | 2017-08-08 | 新华三技术有限公司 | message processing method and device |
CN106685701B (en) * | 2016-12-06 | 2019-12-06 | 杭州迪普科技股份有限公司 | IPSec VPN connection disconnection method and device |
CN107682284B (en) | 2017-08-02 | 2021-06-01 | 华为技术有限公司 | Method and network equipment for sending message |
CN109547487A (en) * | 2018-12-28 | 2019-03-29 | 北京奇安信科技有限公司 | Message treatment method, apparatus and system |
CN110061965B (en) * | 2019-03-13 | 2022-08-26 | 北京华为数字技术有限公司 | Method, device and equipment for updating security alliance and readable storage medium |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1652502A (en) * | 2004-02-06 | 2005-08-10 | 松下电器产业株式会社 | Communications device and communications program |
CN1710851A (en) * | 2004-06-16 | 2005-12-21 | 华为技术有限公司 | Internal safety communication method |
CN101510889A (en) * | 2009-04-03 | 2009-08-19 | 杭州华三通信技术有限公司 | Method and equipment for obtaining dynamic route |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080172582A1 (en) * | 2007-01-12 | 2008-07-17 | David Sinicrope | Method and system for providing peer liveness for high speed environments |
- 2013-01-28: CN CN201310035528.8A patent/CN103107950B/en active Active
Non-Patent Citations (3)
Title |
---|
A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers; G. Huang, S. Beaulieu; RFC 3706; 2004-02-01; full text * |
Research and Implementation of IP Security Technology (IP安全技术研究与实现); Wang Zhimin (王志敏); China Master's Theses Full-text Database, Information Science and Technology series; 2005-02-28 (No. 2); main text pp. 35-39 * |
The Internet Key Exchange (IKE); D. Harkins et al.; RFC 2409; 1998-11-01; full text * |
Also Published As
Publication number | Publication date |
---|---|
CN103107950A (en) | 2013-05-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN103107950B (en) | A kind of method and apparatus of deleting internet protocol secure Security Association | |
RU2728893C1 (en) | Method of implementing safety, device and system | |
Raza et al. | Lightweight IKEv2: a key management solution for both the compressed IPsec and the IEEE 802.15.4 security | |
JP6924848B2 (en) | Key generation methods, user equipment, devices, computer-readable storage media, and communication systems | |
RU2621182C1 (en) | Key joint usage device and the system for its configuration | |
CN102210121B (en) | Method of integrating quantum key distribution with internet key exchange protocol | |
JP5519633B2 (en) | Method for distributing cryptographic means | |
CN102946333B (en) | A kind of DPD method based on IPsec and equipment | |
WO2016114842A1 (en) | End-to-end service layer authentication | |
CN103618596A (en) | Encryption method for inner layer information in VXLAN (Virtual Extensible Local Area Net) tunnel | |
CN107104977A (en) | A kind of block chain data safe transmission method based on Stream Control Transmission Protocol | |
Shafagh et al. | Security comes first, a public-key cryptography framework for the internet of things | |
JP2019533956A (en) | Data transmission method and related device and system | |
JP2022507488A (en) | Methods and architectures for protecting and managing networks of embedded systems with an optimized public key infrastructure | |
CN103227742B (en) | A kind of method of ipsec tunnel fast processing message | |
CN110601825A (en) | Ciphertext processing method and device, storage medium and electronic device | |
Sciancalepore et al. | On securing IEEE 802.15.4 networks through a standard compliant framework | |
JP5464232B2 (en) | Secure communication system and communication apparatus | |
CN107431691A (en) | A kind of data pack transmission method, device, node device and system | |
KR102219018B1 (en) | Blockchain based data transmission method in internet of things | |
CN102917081A (en) | IP (internet protocol) address distribution method for VPN (virtual private network) client, message transmission method, and VPN server | |
CN102868522B (en) | A kind of processing method of ike negotiation exception | |
CN109257388A (en) | Pseudo-wire encryption method in a kind of MPLS-TP | |
KR101329968B1 (en) | Method and system for determining security policy among ipsec vpn devices | |
CN101938743A (en) | Generation method and device of safe keys |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CP03 | Change of name, title or address |
Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No. Patentee after: Xinhua three Technology Co., Ltd. Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base Patentee before: Huasan Communication Technology Co., Ltd. |