CN103237015A - IPSec (internet protocol security) security association storage method - Google Patents


Info

Publication number
CN103237015A
Authority
CN (China)
Prior art keywords
ipsec, security association, deciphering, message, ipsec security
Legal status
Granted
Application number
CN2013101088138A
Other languages
Chinese (zh)
Other versions
CN103237015B (en)
Inventor
陈海滨
Current Assignee
Opzoon Technology Co Ltd
Original Assignee
Opzoon Technology Co Ltd
Application filed by Opzoon Technology Co Ltd
Priority to CN201310108813.8A
Publication of CN103237015A
Application granted
Publication of CN103237015B
Current legal status: Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an IPSec (Internet Protocol Security) security association storage method. The method includes: when an IPSec tunnel is updated, generating a second encryption IPSec security association and a second decryption IPSec security association and storing them, respectively, in the IPSec tunnel matching rule and in the security association database; when a packet needs to be encrypted, looking up the corresponding encryption IPSec security association in the IPSec tunnel matching rule and encrypting the packet with it; and when a packet needs to be decrypted, looking up the corresponding decryption IPSec security association in the security association database and decrypting the packet with it. With this storage method the security association database is optimized: only decryption IPSec security associations are stored in it, while encryption IPSec security associations are recorded on the IPSec tunnel matching rule, so the time spent looking up an IPSec security association during encryption and decryption is reduced and packet encryption and decryption are greatly accelerated.

Description

IPSec security association storage method
Technical field
The present invention relates to the field of network security technology, and in particular to an IPSec security association storage method.
Background technology
IPSec (Internet Protocol Security) is a security standard framework defined by the IETF. It is a VPN technology for remote access that provides public and private networks with end-to-end security and authentication services. IPSec is not a single protocol: it comprises the network authentication protocol AH (Authentication Header), ESP (Encapsulating Security Payload), IKE (Internet Key Exchange) and the algorithms used for network authentication and encryption. Of these, the AH and ESP protocols provide the security services.
IPSec works by consulting the Security Policy Database (SPD) to decide how a received IP packet is handled: apart from being discarded or forwarded directly (bypassing IPSec), a packet may be given IPSec processing. IPSec processing means encrypting and authenticating the IP packet, and in this mechanism the Security Association (SA) is the central concept. An association is a one-way relationship between a sender and a receiver that provides security services for the traffic carried over it; a bidirectional secure exchange is a peer relationship and therefore requires two security associations. Security services are provided to an SA by either AH or ESP, but not by both at once. The parameters that identify an SA include the security parameter index (SPI), which indicates whether the association is an AH security association or an ESP security association; within any IP packet the security association is therefore uniquely identified by the destination address in the IP header together with the SPI carried in the encapsulating extension header (the AH header or the ESP header).
In IPSec tunnel mode, the user's entire IP packet is used to compute the AH or ESP header, and the AH or ESP header together with the ESP-encrypted user data is encapsulated in a new IP packet. When an IPSec tunnel is established or updated, a pair of IPSec SAs is generated: an encryption IPSec SA and a decryption IPSec SA. After establishment the tunnel must also be updated; the update starts about 30 seconds before the lifetime of the IPSec SA ends, so at that moment the new IPSec SA coexists with the old IPSec SA. The encryption IPSec SA and decryption IPSec SA negotiated for the tunnel are both loaded into the Security Association Database (SADB), which is consulted when packets are decrypted and when they are encrypted. If an encrypted packet then needs to be decrypted, the triple used for decryption is extracted from the packet's IP header and ESP header, namely the destination IP address, the SPI and the protocol number (AH or ESP); the decryption IPSec SA matching all three is looked up and used to decrypt the packet. During tunnel negotiation an encryption SPI is also recorded in the IPSec tunnel matching rule: when a packet is encrypted, the SPI of the most recently generated IPSec SA is found through the encrypting IPSec tunnel, the corresponding IPSec SA is looked up in the SADB using this SPI together with the destination IP address and protocol number recorded for the tunnel, and the packet is encrypted with that IPSec SA.
In this process the SADB holds both the encryption IPSec SA and the decryption IPSec SA, so both encryption and decryption must access the SADB to find the corresponding encryption IPSec SA or decryption IPSec SA. Because the SADB holds a large amount of data, each lookup takes considerable time, which slows the encryption and decryption of packets.
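The decryption lookup described above is keyed on a triple taken from the packet headers. The following parser, added here as an illustration and not part of the patent or any product of the assignee, extracts that (destination address, SPI, protocol) triple from the outer IPv4 header and the AH or ESP header of a received packet, using the header layouts of RFC 4302 (AH) and RFC 4303 (ESP). The packets it runs on are constructed inline with made-up addresses and SPIs; the IPv4 checksum is left as zero because nothing here verifies it.

```python
import struct
from typing import NamedTuple

ESP_PROTO = 50  # IP protocol number of ESP (RFC 4303)
AH_PROTO = 51   # IP protocol number of AH (RFC 4302)


class SaSelector(NamedTuple):
    """The triple an inbound SADB lookup is keyed on."""
    dst: str    # destination address from the outer IP header
    spi: int    # Security Parameter Index from the AH or ESP header
    proto: int  # 50 (ESP) or 51 (AH)


def extract_sa_selector(packet: bytes) -> SaSelector:
    """Parse the outer IPv4 header and the AH/ESP header of a received packet and
    return (dst, SPI, proto). Raises ValueError for anything that is not a
    well-formed IPv4 packet carrying AH or ESP."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        raise ValueError("only IPv4 is handled in this example")
    ihl = (version_ihl & 0x0F) * 4            # IP header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    proto = packet[9]
    dst = ".".join(str(b) for b in packet[16:20])
    ext = packet[ihl:]                         # the AH or ESP header follows the IP header
    if proto == ESP_PROTO:
        # ESP header: SPI (4 bytes) then sequence number (4 bytes)
        if len(ext) < 8:
            raise ValueError("truncated ESP header")
        spi = struct.unpack("!I", ext[:4])[0]
    elif proto == AH_PROTO:
        # AH header: next header (1), payload length (1), reserved (2), SPI (4), sequence (4)
        if len(ext) < 12:
            raise ValueError("truncated AH header")
        spi = struct.unpack("!I", ext[4:8])[0]
    else:
        raise ValueError(f"protocol {proto} is neither AH nor ESP")
    return SaSelector(dst, spi, proto)


def _ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header for the constructed test packets (checksum left as 0)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src_b, dst_b)


def sample_esp_packet() -> bytes:
    """Constructed tunnel-mode ESP packet: outer IPv4 + ESP header + opaque ciphertext."""
    body = struct.pack("!II", 0x00C0FFEE, 1) + b"<encrypted inner packet>"
    return _ipv4_header("203.0.113.7", "192.0.2.1", ESP_PROTO, len(body)) + body


def sample_ah_packet() -> bytes:
    """Constructed AH packet: outer IPv4 + AH header with a zeroed 12-byte ICV."""
    # next header 4 = IP-in-IP (tunnel mode); payload length 4 = (24 bytes / 4) - 2
    ah = struct.pack("!BBHII", 4, 4, 0, 0x0000BEEF, 7) + bytes(12)
    return _ipv4_header("203.0.113.7", "192.0.2.1", AH_PROTO, len(ah)) + ah


if __name__ == "__main__":
    print(extract_sa_selector(sample_esp_packet()))
    print(extract_sa_selector(sample_ah_packet()))
```

The SPI sits at a different offset in the two headers (offset 0 in ESP, offset 4 in AH), which is why the parser branches on the protocol number before reading it; a lookup that used the wrong offset would never find a matching SA.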
Summary of the invention
(1) Technical problem to be solved
In view of the above defect, the technical problem the present invention solves is how to reduce the time spent looking up the IPSec SA during packet encryption and decryption, and thereby raise the speed at which a network device processes packets to be encrypted and decrypted.
(2) Technical solution
To solve the above problem, the invention provides an IPSec security association storage method, which specifically comprises:
S1: when the IPSec tunnel is updated, generating a second encryption IPSec security association and a second decryption IPSec security association;
S2: adding the second encryption IPSec security association to the IPSec tunnel matching rule, and storing the second decryption IPSec security association in the security association database;
S3: when a packet needs to be encrypted, looking up the corresponding encryption IPSec security association in the IPSec tunnel matching rule and encrypting the packet with it;
S4: when a packet needs to be decrypted, looking up the corresponding decryption IPSec security association in the security association database and decrypting the packet with it.
Further, before step S1 the method also comprises: IPSec tunnel negotiation generating a first encryption IPSec security association and a first decryption IPSec security association.
Further, before adding the second encryption IPSec security association to the IPSec tunnel matching rule, step S2 also comprises:
determining whether the first encryption IPSec security association already exists in the IPSec tunnel matching rule; if so, deleting the first encryption IPSec security association immediately and then adding the second encryption IPSec security association to the IPSec tunnel matching rule; otherwise, adding the second encryption IPSec security association to the IPSec tunnel matching rule directly.
Further, after storing the second decryption IPSec security association in the security association database, step S2 also comprises:
not deleting the first decryption IPSec security association stored in the security association database immediately, but waiting for it to time out naturally and deleting it only after its timeout has elapsed.
(3) Beneficial effect
The invention provides an IPSec security association storage method that optimizes the security association database: only the IPSec security association used for decryption is recorded in the security association database, while the IPSec security association used for encryption is recorded only on the IPSec tunnel matching rule. This optimization significantly reduces the time spent looking up the corresponding IPSec security association during packet encryption and decryption, halving the lookup time and raising the speed at which a network device processes packets to be encrypted and decrypted.
Description of drawings
Fig. 1 is a flow chart of the steps of an IPSec security association storage method in an embodiment of the invention.
Embodiment
The specific embodiments of the invention are described in further detail below with reference to the drawings and examples. The following examples illustrate the invention but do not limit its scope.
An embodiment of the invention provides an IPSec security association storage method whose steps, shown in Fig. 1, are as follows:
Step S1: when the IPSec tunnel is updated, generate a second encryption IPSec security association and a second decryption IPSec security association.
Before step S1, IPSec tunnel negotiation generates a pair of IPSec SAs, one used for encryption and one used for decryption. The pair generated by tunnel negotiation is the old IPSec SA pair, namely the first encryption IPSec security association and the first decryption IPSec security association; the pair generated during the tunnel update in step S1 is the new IPSec SA pair.
Step S2: add the second encryption IPSec security association to the IPSec tunnel matching rule, and store the second decryption IPSec security association in the security association database.
Before the second encryption IPSec security association is added to the IPSec tunnel matching rule, the method also comprises:
determining whether the first encryption IPSec security association already exists in the IPSec tunnel matching rule; if so, deleting the first encryption IPSec security association immediately and then adding the second encryption IPSec security association to the IPSec tunnel matching rule; otherwise, adding the second encryption IPSec security association to the IPSec tunnel matching rule directly.
After the second decryption IPSec security association is stored in the security association database, the method also comprises:
unlike the deletion of the encryption IPSec security association, the first decryption IPSec security association stored in the security association database is not deleted immediately; it is deleted only after its natural timeout has elapsed. Packets may be reordered in the network, so while the tunnel negotiation is in progress some packets encrypted under the old encryption IPSec security association may have just been sent. If the old decryption IPSec security association were deleted too early, those packets could not be decrypted; the decryption IPSec security association is therefore deleted only once it has timed out naturally.
Step S3: when a packet needs to be encrypted, look up the corresponding encryption IPSec security association in the IPSec tunnel matching rule and encrypt the packet with it.
An encryption IPSec security association contains an IP address, an SPI security index and a protocol number. The SPI of the encryption IPSec security association can be stored in the IPSec tunnel matching rule during tunnel negotiation. When a packet is encrypted, the corresponding encryption IPSec security association is found from the SPI, the destination IP address and the protocol number recorded in the IPSec tunnel matching rule of the encrypting IPSec tunnel, and the packet is encrypted with it.
Step S4: when a packet needs to be decrypted, look up the corresponding decryption IPSec security association in the security association database and decrypt the packet with it.
As in the encryption process, the triple needed to decrypt the packet is extracted from its IP header and ESP header, namely the destination IP address, the SPI security index and the protocol number (AH or ESP); the fully matching IPSec security association is looked up and the packet is decrypted with it.
By the above method the security association database is optimized: only the IPSec security association used for decryption is recorded in the security association database, while the IPSec security association used for encryption is recorded only on the IPSec tunnel matching rule. This optimization significantly reduces the time spent looking up the corresponding IPSec security association during packet encryption and decryption, halving the lookup time and raising the speed at which a network device processes packets to be encrypted and decrypted.
The above embodiments only illustrate the invention and do not limit it. Persons of ordinary skill in the relevant technical field may make various changes and modifications without departing from the spirit and scope of the invention; all equivalent technical solutions therefore fall within the scope of the invention, and the scope of patent protection is defined by the claims.
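Steps S1 to S4, together with the two refinements of step S2 (replace the outbound SA on the tunnel rule immediately; leave the old inbound SA in the SADB until it times out), form one procedure. The following model, added here as an illustration and not code from the patent or from the assignee, implements that procedure and walks through the scenario the description gives: initial negotiation, an update about 30 seconds before expiry, and a reordered packet that arrives under the old SA after the update. The class and field names, the 3600-second lifetime, the addresses and the SPIs are all constructed for the example. A counter on the SADB makes the stated effect visible: after the change only the decryption path consults the SADB.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ESP = 50  # IP protocol number of ESP (51 would be AH)

Selector = Tuple[str, int, int]  # (destination IP, SPI, protocol): the full-match key of step S4


@dataclass
class IpsecSa:
    spi: int
    dst: str
    proto: int
    key: bytes
    expires_at: float  # end of the SA's lifetime, seconds on a monotonic clock


@dataclass
class TunnelRule:
    """IPSec tunnel matching rule. The outbound (encryption) SA is kept here,
    not in the SADB, so step S3 never touches the SADB."""
    peer: str
    proto: int
    encrypt_sa: Optional[IpsecSa] = None


@dataclass
class SaStore:
    # The SADB holds inbound (decryption) SAs only, keyed by the full (dst, spi, proto) triple.
    sadb: Dict[Selector, IpsecSa] = field(default_factory=dict)
    sadb_lookups: int = 0  # instrumentation: how often the SADB was consulted

    def install_pair(self, rule: TunnelRule, enc_sa: IpsecSa, dec_sa: IpsecSa) -> None:
        """Step S2, used for the first pair (negotiation) and the second pair (update).
        Any existing outbound SA on the rule is replaced at once; the old inbound SA
        stays in the SADB until expire() removes it at its natural timeout."""
        rule.encrypt_sa = enc_sa
        self.sadb[(dec_sa.dst, dec_sa.spi, dec_sa.proto)] = dec_sa

    def sa_for_encrypt(self, rule: TunnelRule) -> IpsecSa:
        """Step S3: the outbound SA is read straight from the tunnel rule."""
        if rule.encrypt_sa is None:
            raise LookupError("tunnel has no outbound SA")
        return rule.encrypt_sa

    def sa_for_decrypt(self, dst: str, spi: int, proto: int, now: float) -> IpsecSa:
        """Step S4: full-match lookup of the inbound SA by the triple taken from the packet."""
        self.sadb_lookups += 1
        sa = self.sadb.get((dst, spi, proto))
        if sa is None or sa.expires_at <= now:
            raise LookupError(f"no live inbound SA for dst={dst} spi={spi:#x} proto={proto}")
        return sa

    def expire(self, now: float) -> int:
        """Natural timeout: purge inbound SAs whose lifetime has ended; returns the count removed."""
        dead = [k for k, sa in self.sadb.items() if sa.expires_at <= now]
        for k in dead:
            del self.sadb[k]
        return len(dead)


def rekey_scenario() -> dict:
    """Negotiation at t=0, update 30 s before expiry, then a late packet under the old SA."""
    store = SaStore()
    rule = TunnelRule(peer="203.0.113.7", proto=ESP)
    lifetime = 3600  # constructed SA lifetime in seconds

    # Tunnel negotiation: first pair (outbound dst is the peer, inbound dst is ourselves)
    store.install_pair(
        rule,
        IpsecSa(spi=0x1001, dst="203.0.113.7", proto=ESP, key=b"out-key-1", expires_at=lifetime),
        IpsecSa(spi=0x2001, dst="192.0.2.1", proto=ESP, key=b"in-key-1", expires_at=lifetime),
    )
    # Step S1: tunnel update about 30 s before the first pair expires produces the second pair
    t_rekey = lifetime - 30
    store.install_pair(
        rule,
        IpsecSa(spi=0x1002, dst="203.0.113.7", proto=ESP, key=b"out-key-2", expires_at=t_rekey + lifetime),
        IpsecSa(spi=0x2002, dst="192.0.2.1", proto=ESP, key=b"in-key-2", expires_at=t_rekey + lifetime),
    )
    out_spi = store.sa_for_encrypt(rule).spi  # newest outbound SA; the old one is already gone

    # A packet the peer encrypted under the old SA arrives after the update (reordering)
    late_ok = store.sa_for_decrypt("192.0.2.1", 0x2001, ESP, now=t_rekey + 10).spi == 0x2001

    purged = store.expire(now=lifetime)  # the old inbound SA reaches its natural timeout
    try:
        store.sa_for_decrypt("192.0.2.1", 0x2001, ESP, now=lifetime + 1)
        stale_ok = True
    except LookupError:
        stale_ok = False
    new_ok = store.sa_for_decrypt("192.0.2.1", 0x2002, ESP, now=lifetime + 1).spi == 0x2002

    return {
        "out_spi_after_rekey": out_spi,
        "late_packet_decrypted": late_ok,
        "purged": purged,
        "stale_decrypt_after_timeout": stale_ok,
        "new_packet_decrypted": new_ok,
        "sadb_lookups": store.sadb_lookups,  # only the three decrypt calls touched the SADB
        "sadb_entries": len(store.sadb),
    }


if __name__ == "__main__":
    for name, value in rekey_scenario().items():
        print(f"{name}: {value:#x}" if name == "out_spi_after_rekey" else f"{name}: {value}")
```

The asymmetry between the two deletions is the part worth checking in any implementation of this scheme: replacing the outbound SA early costs nothing, but purging the inbound SA before its lifetime ends silently drops every in-flight packet the peer encrypted under it.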

Claims (4)

1. An IPSec security association storage method, characterized in that the method specifically comprises:
S1: when the IPSec tunnel is updated, generating a second encryption IPSec security association and a second decryption IPSec security association;
S2: adding the second encryption IPSec security association to the IPSec tunnel matching rule, and storing the second decryption IPSec security association in the security association database;
S3: when a packet needs to be encrypted, looking up the corresponding encryption IPSec security association in the IPSec tunnel matching rule and encrypting the packet with it;
S4: when a packet needs to be decrypted, looking up the corresponding decryption IPSec security association in the security association database and decrypting the packet with it.
2. The method of claim 1, characterized in that, before step S1, the method also comprises: IPSec tunnel negotiation generating a first encryption IPSec security association and a first decryption IPSec security association.
3. The method of claim 1, characterized in that, before adding the second encryption IPSec security association to the IPSec tunnel matching rule, step S2 also comprises:
determining whether the first encryption IPSec security association already exists in the IPSec tunnel matching rule; if so, deleting the first encryption IPSec security association immediately and then adding the second encryption IPSec security association to the IPSec tunnel matching rule; otherwise, adding the second encryption IPSec security association to the IPSec tunnel matching rule directly.
4. The method of claim 1, characterized in that, after storing the second decryption IPSec security association in the security association database, step S2 also comprises:
not deleting the first decryption IPSec security association stored in the security association database immediately, but waiting for it to time out naturally and deleting it only after its timeout has elapsed.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310108813.8A CN103237015B (en) 2013-03-29 2013-03-29 A kind of ipsec security association storage method

Publications (2)

Publication Number Publication Date
CN103237015A (en) 2013-08-07
CN103237015B CN103237015B (en) 2016-08-31

Family

ID=48885032

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310108813.8A Expired - Fee Related CN103237015B (en) 2013-03-29 2013-03-29 A kind of ipsec security association storage method

Country Status (1)

Country Link
CN (1) CN103237015B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112714069A (en) * 2021-01-06 2021-04-27 上海交通大学 Method for lowering shunting module to network card hardware in IPSec security gateway environment
CN114301632A (en) * 2021-12-02 2022-04-08 北京天融信网络安全技术有限公司 IPsec data processing method, terminal and storage medium
CN114301632B (en) * 2021-12-02 2023-11-10 北京天融信网络安全技术有限公司 IPsec data processing method, terminal and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1744565A (en) * 2005-09-22 2006-03-08 武汉思为同飞网络技术有限公司 System and method for solving VPN sub-net address collision
CN1949705A (en) * 2005-10-14 2007-04-18 上海贝尔阿尔卡特股份有限公司 Dynamic tunnel construction method for safety access special LAN and apparatus therefor

Also Published As

Publication number Publication date
CN103237015B (en) 2016-08-31

Similar Documents

Publication Publication Date Title
CN101834840B (en) There is efficient key derivation system, the method and apparatus for end-to-end network security of business visuality
WO2018137488A1 (en) Security implementation method, device and system
US9246876B1 (en) Anti-replay mechanism for group virtual private networks
CN100488168C (en) Method for safety packaging network message
CN103227742B (en) A kind of method of ipsec tunnel fast processing message
TW201624960A (en) User-plane security for next generation cellular networks
CN104038934B (en) The Non-Access Stratum decryption method of the real-time monitoring signaling of LTE core network
CN108075890A (en) Data sending terminal, data receiver, data transmission method and system
CN102333236A (en) Video content encryption and decryption system
US8745381B2 (en) Methods, systems, and computer readable media for performing encapsulating security payload (ESP) rehashing
CN107104977A (en) A kind of block chain data safe transmission method based on Stream Control Transmission Protocol
JP2017085559A (en) System and method for efficient and semantically secure symmetric encryption over channels with limited bandwidth
CN101931947A (en) WSN (Wireless Sensor Network) data safety processing method based on searchable cryptograph
CN102594842A (en) Device-fingerprint-based network management message authentication and encryption scheme
CN102970228B (en) A kind of message transmitting method based on IPsec and equipment
CN103441983A (en) Information protection method and device based on link layer discovery protocol
CN102891848A (en) Method for carrying out encryption and decryption by using IPSec security association
WO2015131609A1 (en) Method for implementing l2tp over ipsec access
JP2012010254A (en) Communication device, communication method and communication system
Bagci et al. Fusion: coalesced confidential storage and communication framework for the IoT
CN106899606A (en) A kind of message processing method and device
US20180176230A1 (en) Data packet transmission method, apparatus, and system, and node device
CN103237015A (en) IPSec (internet protocol security) security association storage method
CN113972999A (en) Method and device for carrying out MACSec communication based on PSK
CN105471831B (en) The method and apparatus that a kind of pair of Realtime Transport Protocol data packet is encrypted

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20160831

Termination date: 20180329