CN105025004A - A dual stack IPSec VPN apparatus - Google Patents


Info

Publication number
CN105025004A
Authority
CN
China
Prior art keywords
stack
vpn
message
processing module
algorithm
Legal status
Granted
Application number
CN201510307310.2A
Other languages
Chinese (zh)
Other versions
CN105025004B (en)
Inventor
李冰
郭安
朱卫卫
涂云晶
刘勇
陈帅
董乾
赵霞
王刚
Current Assignee
Southeast University
Original Assignee
Southeast University
Events
Application filed by Southeast University
Priority to CN201510307310.2A
Publication of CN105025004A
Application granted
Publication of CN105025004B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/164 Implementing security features at a particular protocol layer at the network layer
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a dual stack IPSec VPN apparatus and belongs to the technical field of network communication security. The dual stack IPSec VPN apparatus of the invention comprises a dual stack VPN processing portion, a security database construction and lookup portion, a security protocol processing portion, a stream data transmission mechanism portion and a CPU portion. Compared with prior-art VPN apparatuses, the dual stack IPSec VPN apparatus of the invention can provide the network security services that VPN technology requires during the migration from IPv4 to IPv6. The data flow processing portion is implemented entirely in hardware circuits, and the CPU is used only to maintain the databases and data tables. The dual stack IPSec VPN apparatus is applicable to high speed network information security applications.

Description

A dual stack IPSec VPN apparatus
Technical field
The present invention relates to the technical field of network communication security, and in particular to a dual stack IPSec VPN apparatus.
Background technology
The openness of a network lets any user enjoy the convenience of access; seen from another angle, if a network service takes no security precautions, the communication data it places on the network can be retrieved by anyone, and the communication has no security. With the development of network technology and the emergence of many new network services, the security requirements placed on network services, particularly by government, telecommunications, finance and data communication enterprises, have reached an unprecedented level, and the categories of information these organizations must keep confidential are increasing sharply. At the same time, the shortage of IPv4 address resources is a hard problem facing current IP networks; migration to IPv6 is generally acknowledged by industry as the most effective way to solve IPv4 address depletion, yet migration from IPv4 to IPv6 also raises the problem of its effect on already deployed VPNs. In addition, with the spread of high-speed networks, 10G and 40G networks have become common, 100G networks are being deployed in more developed regions, and 400G networks are leaving the laboratory and moving toward application; how to guarantee data security on networks of such speed has become a very urgent problem.
For the problem of network security, the Internet Engineering Task Force (IETF) proposed a group of security protocols for protecting IP layer data, namely the IPsec protocol suite. IPsec is a standard, robust protocol with broad coverage; the protocol itself provides a default, mandatory set of security algorithms to guarantee that different IPsec implementations can interoperate. It provides security for the IP layer data of both IPv4 and IPv6, and this security comprises data origin authentication, data integrity verification, data confidentiality and anti-replay protection.
Since networks will for a long time remain in a migration phase from IPv4 to IPv6, existing transition technologies comprise dual-stack technology, tunneling technology and NAT-PT technology. In dual-stack technology the communicating node is a dual-stack node: it selects the IPv4 protocol stack when communicating with an IPv4 node and the IPv6 protocol stack when communicating with an IPv6 node. Tunneling technology lets two IPv6 sites communicate across an IPv4 network and comprises several manual tunneling and automatic tunneling techniques. NAT-PT technology achieves interworking between IPv4 and IPv6 networks through mutual translation of IPv4 and IPv6 addresses. At present the dual-stack scheme is the most mature and has the widest scope of application, and it is the mainstream choice of global operators for deploying IPv6.
Combining dual-stack network technology, IPsec technology and VPN technology in one piece of equipment gives it a very wide scope of application and achieves the goals of protocol migration, network security protection and VPN construction at the same time.
Current dual stack IPSec VPN implementations mainly take three forms: a general-purpose processor with pure software, a general-purpose processor with a hardware algorithm acceleration module, and an integrated network processing unit. The first form is the most flexible but the slowest and is not suitable for high-speed networks; the second is less flexible, and the CPU still carries a very large data flow, so it is likewise unsuitable for high-speed networks; the third is moderately flexible, the CPU does not intervene in the data flow and is used only for configuration and management operations, and the bus architecture is divided into three independent buses: the CPU bus, the inbound packet data stream bus and the outbound packet data stream bus. In this form the IPsec protocol is implemented entirely in hardware circuits, extensibility is strong and speed is the highest, making it suitable for high-speed network scenarios.
Summary of the invention
The technical problem to be solved by this invention is to overcome the deficiencies of the prior art and provide a dual stack IPSec VPN apparatus that can provide security services for next-generation high-speed networks deploying both IPv4 and IPv6, with high data processing and transmission efficiency and strong extensibility.
The present invention solves the above technical problem by the following technical solution:
A dual stack IPSec VPN apparatus comprises a dual stack VPN processing portion, a security database construction and lookup portion, a security protocol processing portion, a data stream transmission mechanism portion and a CPU portion;
The dual stack VPN processing portion performs dual-stack processing and VPN header processing, and comprises an outbound dual stack VPN pre-processing module, an outbound VPN management table and an inbound dual stack VPN pre-processing module;
The security database construction and lookup portion maintains and performs matched lookups on Security Policy Databases of two types, IPv4 and IPv6, and on Security Association Databases of the same two types; it comprises an outbound dual stack security processing module, a packet cache module, an outbound security database operation interface, an outbound dual stack security database module, an inbound dual stack security processing module, an inbound security database operation interface and an inbound dual stack security database module;
The security protocol processing portion completes the encapsulation and decapsulation processing of the IPsec AH and ESP protocols and the encryption, decryption and authentication algorithm processing of packets; it comprises an IPsec protocol processing module and an algorithm processing module;
The data stream transmission mechanism portion controls the inbound and outbound packet data streams so that they flow through the different modules and the network communication interfaces in order. Packet data leaving the internal network for the external network passes through the outbound dual stack security processing module and then the outbound dual stack VPN pre-processing module, which encapsulate the security parameters and the VPN parameters, respectively, into the header of the original packet. Packet data entering the internal network from the external network first has its VPN header information stripped off by the inbound dual stack VPN pre-processing; the packet with the VPN information stripped then passes through the inbound dual stack security processing module, which encapsulates the security parameters into its header;
The CPU portion comprises a CPU and the bus architecture that works with it; it is used to manage the security databases and the VPN data table and to parse the necessary transport layer and higher upper-layer protocols defined by the OSI model, and it does not intervene in the normal packet flow;
The CPU, the inbound security database operation interface, the outbound VPN management table and the outbound security database operation interface are interconnected by an on-chip bus. The outbound communication interface and the outbound dual stack security processing module are connected by a dual-port buffer; the outbound dual stack security processing module is connected to the outbound security database operation interface and the packet cache module; the outbound dual stack security database module is connected to the outbound database operation interface; the outbound dual stack security processing module and the outbound dual stack VPN pre-processing module are connected by a dual-port buffer; the outbound dual stack VPN pre-processing module is connected to the outbound VPN management table; the outbound dual stack VPN pre-processing module and the IPsec protocol processing module are connected by a dual-port buffer; the IPsec protocol processing module and the algorithm processing module are connected by a dual-port buffer; the IPsec protocol processing module and the outbound communication interface are connected by a dual-port buffer; the internal network communication interface and the inbound dual stack VPN pre-processing module are connected by a dual-port buffer; the inbound dual stack VPN pre-processing module and the inbound dual stack security processing module are connected by a dual-port memory; the inbound dual stack security processing module is connected to the inbound security database operation interface; the inbound dual stack security processing module and the IPsec protocol processing module are connected by a dual-port buffer; and the IPsec protocol processing module and the internal network communication interface are connected by a dual-port buffer.
As one preferred scheme, the outbound dual stack security database module comprises: an outbound Security Policy Database for storing security policy entries, an outbound Security Association Database for storing outbound Security Association entries, and a read-write logic conversion interface to both databases;
The outbound Security Policy Database comprises two databases corresponding to IPv4 and IPv6 respectively: an outbound IPv4 policy database and an outbound IPv6 policy database. The outbound IPv4 policy database is used for matched lookup of the policy for IPv4 packet flows, and the outbound IPv6 policy database for matched lookup of the policy for IPv6 packet flows;
The outbound Security Association Database is a memory unit for storing Security Association entry information; the information it holds comprises a transmission mode selection field, a protocol type selection field, a sequence number overflow handling selection field, an encryption algorithm selection field, an authentication algorithm selection field, a field selecting whether an encryption IV is required, an encryption algorithm key length field, an authentication algorithm key length field, a PMTU field, a Security Parameter Index field and a sequence number counter field.
As another preferred scheme, the algorithm processing module comprises an encryption algorithm operation unit, a decryption algorithm operation unit, an authentication algorithm operation unit and an authentication verification algorithm operation unit. In the direction of internal network packets leaving for the external network, the input interface of the encryption algorithm operation unit connects to the encryption algorithm processing output interface of the IPsec protocol processing module; the input interface of the authentication algorithm operation unit connects to the output interface of a two-to-one selector, whose two input interfaces connect respectively to the authentication algorithm processing output interface of the IPsec protocol processing module and to the output interface of the encryption algorithm operation unit; and the output interface of the authentication algorithm operation unit connects to the authentication algorithm result input interface of the IPsec protocol processing module. In the direction of external network packets entering the internal network, the input interface of the authentication verification algorithm operation unit connects to the authentication verification algorithm result output interface of the IPsec protocol processing module; the output interface of the authentication verification algorithm operation unit and the output interface of the decryption algorithm operation unit connect respectively to the two input interfaces of a two-to-one selector, whose output interface connects to the algorithm processing result input interface of the IPsec protocol processing module; and the output interface of the authentication verification algorithm operation unit is also connected to the input interface of the decryption algorithm operation unit.
Further, the encryption/decryption algorithm operation units comprise at least two encryption/decryption algorithm operation units employing different encryption/decryption algorithms, and the authentication/authentication verification algorithm operation units comprise at least two such units employing different authentication/authentication verification algorithms.
As yet another preferred scheme of the present invention, the IPsec protocol processing module comprises:
an IPsec protocol encapsulation pre-processor, which analyzes the security policy and security association information of an outbound packet, determines whether the packet needs both encryption and authentication algorithm processing or only authentication algorithm processing, and then sends the packet to the corresponding operation unit;
an IPsec protocol encapsulation post-processor, which performs protocol encapsulation processing on the packet after the encryption operation and/or authentication algorithm unit processing, and writes the encapsulated packet into the dual-port buffer between it and the outbound communication interface;
an anti-replay protector, which performs anti-replay detection on packets received in the inbound direction and carries out anti-replay handling according to the detection result;
an IPsec protocol decapsulation pre-processor, which analyzes the security policy and security association information of an inbound packet, determines whether the packet needs both decryption and authentication verification processing or only authentication verification processing, and then sends the packet to the corresponding operation unit;
an IPsec protocol decapsulation post-processor, which performs protocol decapsulation processing on the packet after the decryption operation and/or authentication verification unit processing, then checks whether the security policy and security association information of the packet are legitimate; if not, the packet is discarded, and if so, the decapsulated packet is written into the dual-port buffer between it and the internal network communication interface;
The IPsec protocol encapsulation pre-processor, IPsec protocol encapsulation post-processor, IPsec protocol decapsulation pre-processor and IPsec protocol decapsulation post-processor are four independent parts that work concurrently, have no circuit connection to one another, and are each connected by their own independent data path to the respective operation units in the algorithm processing module.
Compared with the prior art, the dual stack IPSec VPN apparatus proposed by the invention introduces management of dual stack VPN, maintenance and use of dual stack security databases, and CPU handling of database and data table maintenance and of the necessary IP upper-layer protocols; the modules that the packet flow passes through are connected by dual-port buffers, which reduces coupling between modules and can speed up development; and a multi-bus packet data stream processing method gives the invention very high processing efficiency and extensibility. In the technical solution of the invention the packet data stream is processed entirely by hardware circuits, which gives very high processing efficiency, reduces system complexity and favours realizability of the system.
Description of the drawings
Fig. 1 is a preferred structure of the dual stack IPSec VPN apparatus of the present invention;
Fig. 2 is the basic processing flow of the dual stack IPSec VPN apparatus of the present invention for outbound data;
Fig. 3 is the basic processing flow of the dual stack IPSec VPN apparatus of the present invention for inbound data;
Fig. 4 is the maintenance and use flow of the dual stack security databases in the dual stack IPSec VPN apparatus of the present invention;
Fig. 5 is the workflow of the dual stack VPN processing portion in the dual stack IPSec VPN apparatus of the present invention;
Fig. 6 is a typical deployment mode of the dual stack IPSec VPN apparatus of the present invention.
Embodiments
The technical solution of the present invention is described in detail below with reference to the drawings:
Fig. 1 shows the basic structure of a preferred embodiment of the dual stack IPSec VPN apparatus of the present invention. This dual stack IPSec VPN apparatus 100 comprises a dual stack VPN processing portion, a security database construction and lookup portion, a security protocol processing portion, a data stream transmission mechanism portion and a CPU portion. The dual stack VPN processing portion comprises an outbound dual stack VPN pre-processing module 112, an outbound VPN management table 105 and an inbound dual stack VPN pre-processing module 115; the security database construction and lookup portion comprises an outbound dual stack security processing module 110, a packet cache module 111, an outbound security database operation interface 103, an outbound dual stack security database module 104, an inbound dual stack security processing module 114, an inbound security database operation interface 107 and an inbound dual stack security database module 108; the security protocol processing portion comprises an IPsec protocol processing module 113 and an algorithm processing module 106; the data stream transmission mechanism portion makes the inbound and outbound packet data streams flow in order through the different modules and the network communication interfaces 109 and 116; and the CPU portion comprises an embedded CPU 101 and the bus architecture 102 that works with it.
Network communication interfaces 109 and 116 are the physical network communication interfaces; Ethernet or POS interfaces may be selected, and both interfaces can encapsulate and decapsulate IPv4 and IPv6 frames. Network communication interface 109, on the one hand, receives the data-link-layer data that the internal network side sends to it, decapsulates the frames into network-layer packets and writes them into the FIFO between itself and the outbound dual stack security processing module; on the other hand, it takes the network-layer packets stored in the FIFO between itself and the IPsec protocol processing module, encapsulates them into frames and sends them to the data link layer of the internal network side. Network communication interface 116, on the one hand, takes the network-layer packets stored in the FIFO between itself and the IPsec protocol processing module, encapsulates them into frames and sends them to the data link layer of the external network side; on the other hand, it receives the data-link-layer data that the external network side sends to it, decapsulates the frames into network-layer packets and writes them into the FIFO between itself and the inbound dual stack VPN pre-processing module 115.
CPU 101 and on-chip bus 102: the CPU may be an open-source or commercial embedded CPU, preferably a 32-bit or 64-bit general-purpose CPU, and on-chip bus 102 may be any bus type that works with the selected CPU. CPU 101 is the master on the bus and every other device attached to the bus is a slave, so CPU 101 accesses all devices on the bus through on-chip bus 102. This access consists of CPU 101 maintaining the inbound security database operation interface 107, the outbound VPN management table 105 and the outbound security database operation interface 103, where maintenance comprises add, delete and query operations. Concretely, CPU 101 places an instruction and its parameters on the bus; the bus parses and decodes them and selects the slave device the CPU wants to access; that slave device reads the instruction and parameters from the bus and responds.
The outbound dual stack security database module 104 and the inbound dual stack security database module 108 each hold a Security Policy Database (SPD), a Security Association Database (SAD) and a read-write logic conversion interface to both databases. The Security Policy Database is a memory unit holding security policy entry information and comprises two databases, for IPv4 and IPv6: the IPv4 policy database (SPD_V4) is used for matched lookup of the policy for IPv4 packet flows, and the IPv6 policy database (SPD_V6) for matched lookup of the policy for IPv6 packet flows. The matched lookup function of the Security Policy Database module is implemented with a CAM/TCAM structure; the policy information and SA pointer information are held in on-chip RAM, and the security association information is held in on-chip SRAM. A match address output by the CAM/TCAM corresponds to one policy information and SA pointer entry in the on-chip RAM. If the policy requires applying IPsec and the SA pointer is valid, the SA pointer is used as the address of the Security Association access unit, the SA information is read out and, together with the apply-IPsec policy information, sent to the corresponding security operation interface 103 or 107. If the policy is to apply IPsec but the SA pointer is invalid, then for the inbound direction the apply-IPsec policy information and the SA-pointer-invalid information are sent to security operation interface 103, and for the outbound direction the discard policy information is sent to security operation interface 107. If the policy is to bypass IPsec, the bypass-IPsec policy information is sent to the corresponding security operation interface 103 or 107. If the policy is to discard the packet, the discard policy information is sent to the corresponding security operation interface 103 or 107;
The outbound security operation interface 103 and the inbound security operation interface 107 first parse the instructions and parameters coming from security processing module 110 or 114 and from accesses over bus 102, and then transform the parsed instructions and parameters into operation logic for the database storage units;
The outbound dual stack security processing module 110 and the inbound dual stack security processing module 114 first read the IP packet from their respective FIFO receive buffers until all selector fields have been read out, and feed the selectors to the security database operation interface for a matched lookup of the security policy (SP) and security association (SA) information; after receiving the SP and SA information there are four cases:
a) If IPsec is to be applied and the SA exists, dual stack security processing module 110 or 114 encapsulates the SA information into the packet header: it first writes the SA information together with the encapsulated IP header into its send FIFO, then reads the remainder of the packet out of its receive FIFO and writes it into the send FIFO;
b) If IPsec is to be applied but no SA exists, then for the outbound dual stack security processing module 110 the invalid SA pointer and the IP header are written into packet cache module 111, followed by the remainder of the packet read out of its receive FIFO; for the inbound dual stack security processing module 114 the IP header information is discarded and the remainder of the packet is read out of its receive FIFO and discarded.
c) If IPsec is to be bypassed, dual stack security processing module 110 or 114 encapsulates the bypass-IPsec control information into the packet header, writes the encapsulated header into its send FIFO, and then also writes the remainder of the packet from its receive FIFO into its send FIFO;
d) If the packet is to be discarded, dual stack security processing module 110 or 114 reads the whole IP packet out and discards it;
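The lookup and the four outcomes above can be seen end to end in a small behavioural model. This is an added illustration, not the patent's circuit: the SPD_V4 and SPD_V6 tables and the single SA are constructed sample data, a priority-ordered list stands in for the CAM/TCAM match, the five-tuple selector is the one the outbound flow prefers, and the disposition names "apply", "bypass", "discard" and "cache" are my own labels for cases a) to d).

```python
"""Behavioural model of the dual-stack SPD/SAD lookup and the four
outcomes the security processing modules act on.  Added example, not
the patent's own circuit; all table contents are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

APPLY, BYPASS, DISCARD, CACHE = "apply", "bypass", "discard", "cache"


@dataclass(frozen=True)
class Selector:
    """Security policy selector: source IP, destination IP, upper-layer
    protocol number, source port, destination port."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


@dataclass
class PolicyEntry:
    src_net: str
    dst_net: str
    proto: Optional[int]        # None matches any protocol
    dport: Optional[int]        # None matches any destination port
    action: str                 # APPLY, BYPASS or DISCARD
    sa_ptr: Optional[int]       # index into the SAD; None = no SA negotiated yet


@dataclass
class SecurityAssociation:
    spi: int
    protocol: str               # "ESP" or "AH"
    mode: str                   # "tunnel" or "transport"
    enc_alg: str
    auth_alg: str


class DualStackSecurityDB:
    """SPD_V4 and SPD_V6 are separate tables; first match wins, which
    emulates a priority-ordered TCAM."""

    def __init__(self) -> None:
        self.spd_v4: list[PolicyEntry] = []
        self.spd_v6: list[PolicyEntry] = []
        self.sad: list[SecurityAssociation] = []

    def add_policy(self, entry: PolicyEntry) -> None:
        version = ipaddress.ip_network(entry.src_net).version
        (self.spd_v6 if version == 6 else self.spd_v4).append(entry)

    def add_sa(self, sa: SecurityAssociation) -> int:
        self.sad.append(sa)
        return len(self.sad) - 1          # the SA pointer stored in the SPD entry

    def lookup(self, sel: Selector, direction: str):
        """Return (disposition, sa); direction is "outbound" or "inbound"."""
        src, dst = ipaddress.ip_address(sel.src), ipaddress.ip_address(sel.dst)
        if src.version != dst.version:    # a mixed-family packet never matches
            return DISCARD, None
        table = self.spd_v6 if src.version == 6 else self.spd_v4
        for e in table:
            if (src in ipaddress.ip_network(e.src_net)
                    and dst in ipaddress.ip_network(e.dst_net)
                    and e.proto in (None, sel.proto)
                    and e.dport in (None, sel.dport)):
                if e.action != APPLY:
                    return e.action, None                 # cases c) and d)
                if e.sa_ptr is not None and e.sa_ptr < len(self.sad):
                    return APPLY, self.sad[e.sa_ptr]      # case a)
                # case b): apply IPsec but no SA.  Outbound: park the packet
                # in the packet cache module so an SA can be negotiated;
                # inbound: discard.
                return (CACHE if direction == "outbound" else DISCARD), None
        return DISCARD, None                              # no policy: drop


def build_sample_db() -> DualStackSecurityDB:
    """Constructed sample tables using documentation address ranges."""
    db = DualStackSecurityDB()
    ptr = db.add_sa(SecurityAssociation(0x1001, "ESP", "tunnel", "AES", "HMAC-SHA-96"))
    db.add_policy(PolicyEntry("10.0.1.0/24", "192.0.2.0/24", None, None, APPLY, ptr))
    db.add_policy(PolicyEntry("10.0.0.0/8", "10.0.0.0/8", None, None, BYPASS, None))
    db.add_policy(PolicyEntry("0.0.0.0/0", "0.0.0.0/0", None, None, DISCARD, None))
    db.add_policy(PolicyEntry("2001:db8:1::/48", "2001:db8:2::/48", None, None, APPLY, None))
    db.add_policy(PolicyEntry("::/0", "::/0", None, None, DISCARD, None))
    return db


if __name__ == "__main__":
    db = build_sample_db()
    for sel, direction in [
        (Selector("10.0.1.5", "192.0.2.10", 6, 40000, 443), "outbound"),
        (Selector("10.0.1.5", "10.0.2.7", 6, 40000, 22), "outbound"),
        (Selector("2001:db8:1::5", "2001:db8:2::9", 6, 1234, 80), "outbound"),
        (Selector("2001:db8:1::5", "2001:db8:2::9", 6, 1234, 80), "inbound"),
    ]:
        print(direction, sel.src, "->", sel.dst, db.lookup(sel, direction))
```

The IPv6 policy with no SA is the interesting row: the same packet is cached when outbound (so the control plane can set up the SA) but dropped when inbound, because an inbound packet for which no SA is installed cannot be authenticated. The final catch-all discard entries in each table make the default explicit rather than relying on an implicit miss.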
The outbound VPN management table is used, for packet flows from the internal network to the external network, to look up the VPN header the packet needs when it is sent. The VPN table is an on-chip RAM memory unit, and its lookup is implemented with a CAM/TCAM structure: when it receives a source IP and destination IP it uses them as the VPN selector and feeds them into the CAM/TCAM, which yields the address of a VPN entry in the RAM unit; that address is sent to the VPN table RAM unit, the VPN information is read out, and the VPN information is sent to the outbound dual stack VPN pre-processing module. The outbound dual stack VPN pre-processing module 112 first reads the source and destination IP from its receive FIFO and sends them to the outbound VPN management table; the outbound VPN management table returns the source and destination IP of the VPN header to the outbound VPN pre-processing module; the outbound VPN pre-processing module encapsulates the VPN information into the packet header, writes the encapsulated header into its send FIFO, and then reads the remainder of the packet out of its receive FIFO and writes it into its send FIFO;
The inbound dual stack VPN pre-processing module 115 reads the packet from its receive FIFO, strips off the packet's VPN header, and writes the packet with the header stripped into its send FIFO;
Algorithm processing module 106 implements four kinds of operation units: encryption, decryption, authentication and authentication verification. The encryption algorithms comprise DES, 3DES and AES encryptors, the decryption algorithms DES, 3DES and AES decryptors, and the authentication algorithms HMAC-SHA-96 and HMAC-MD5-96. In the outbound packet direction, after receiving from IPsec protocol processing module 113 a packet that needs encryption and authentication, the module sends the packet into the encryption operation unit or the authentication algorithm unit for encryption or authentication processing; an encrypted packet must additionally be delivered to the authentication algorithm unit for authentication processing. The packet input of the authentication algorithm unit is chosen by an outbound scheduler between the packet processed by the encryption operation unit and a packet from IPsec protocol processing module 113 that needs authentication only; after the outbound algorithm processing ends, the packet is returned to the IPsec protocol processing module. In the inbound packet direction, after receiving a packet from the IPsec protocol processing module, the packet is sent into the authentication verification operation unit for authentication verification; if verification fails the packet is discarded, and if it succeeds the packet is sent either into the FIFO before the decryption operation unit or into the FIFO before the inbound scheduler. The decryption operation unit processes the packets that need decryption and writes them into the FIFO before the inbound scheduler, and the inbound scheduler selects the result output FIFO of either the authentication verification unit or the decryption unit and sends the packet to IPsec protocol processing module 113.
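The authentication path of the algorithm processing module is small enough to model directly. The block below is an added illustration, not the patent's circuit: HMAC-SHA-96 and HMAC-MD5-96 are HMAC-SHA-1 and HMAC-MD5 with the output truncated to the leftmost 96 bits (RFC 2404 and RFC 2403), the outbound two-to-one selector is modelled as choosing the authenticator's input between an encryptor's output and the raw packet, and the inbound verifier drops any packet whose ICV does not match. The key and packet bytes are constructed, and the encryptor is passed in as a callable because no cipher is implemented here.

```python
"""Model of the HMAC-96 authentication and verification units of the
algorithm processing module.  Added example, not the patent's circuit;
keys and packets below are constructed test data."""
import hashlib
import hmac
from typing import Callable, Optional

ICV_LEN = 12                       # 96-bit Integrity Check Value
AUTH_ALGS = {"HMAC-SHA-96": hashlib.sha1, "HMAC-MD5-96": hashlib.md5}


def compute_icv(alg: str, key: bytes, data: bytes) -> bytes:
    """Full HMAC, then keep the leftmost 96 bits as the ICV."""
    return hmac.new(key, data, AUTH_ALGS[alg]).digest()[:ICV_LEN]


def outbound_authenticate(alg: str, key: bytes, packet: bytes,
                          encryptor: Optional[Callable[[bytes], bytes]] = None) -> bytes:
    """Outbound path.  The selector feeds the authenticator the encryptor's
    output when the SA requires encryption, otherwise the packet itself, so
    the ICV always covers exactly the bytes that go on the wire."""
    body = encryptor(packet) if encryptor is not None else packet
    return body + compute_icv(alg, key, body)


def inbound_verify(alg: str, key: bytes, wire: bytes) -> Optional[bytes]:
    """Authentication verification unit: return the authenticated body, or
    None when the packet must be dropped.  compare_digest is constant-time,
    so a wrong ICV is not recognisable byte by byte from the timing."""
    if len(wire) <= ICV_LEN:
        return None                              # too short to carry an ICV
    body, icv = wire[:-ICV_LEN], wire[-ICV_LEN:]
    if not hmac.compare_digest(icv, compute_icv(alg, key, body)):
        return None                              # verification failed: drop
    return body                                  # hand on to decryption/scheduler


if __name__ == "__main__":
    key = b"\x0b" * 20                           # constructed key
    wire = outbound_authenticate("HMAC-SHA-96", key, b"constructed payload")
    print("wire:", wire.hex())
    print("verify ok:", inbound_verify("HMAC-SHA-96", key, wire))
    flipped = bytes([wire[0] ^ 1]) + wire[1:]
    print("tampered:", inbound_verify("HMAC-SHA-96", key, flipped))
```

The 96-bit truncation is what makes these two names differ from plain HMAC-SHA-1 and HMAC-MD5: the full digest is computed and only the first 12 bytes travel in the AH or ESP ICV field, so the verifier must truncate the same way before comparing.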
IPsec protocol processing module 113 implements the ESP and AH protocols of IPsec on packets. In the outbound direction there are an IPsec protocol encapsulation pre-processor and an IPsec protocol encapsulation post-processor. The encapsulation pre-processor reads the packet from the data FIFO coming from outbound dual stack VPN pre-processing module 112, analyzes the packet's security policy and security association information, selects whether the packet goes into the input FIFO of the encryption operation unit in algorithm processing module 106 or into the input FIFO of the outbound scheduler, and writes the packet into the selected input FIFO. The encapsulation post-processor reads the packet from the output FIFO of the authentication algorithm unit in algorithm processing module 106, performs IPsec encapsulation on it, adds the IPsec header, packages it into an IP-layer packet and hands it to network communication interface 116. In the inbound direction there are an anti-replay protector, an IPsec protocol decapsulation pre-processor and an IPsec protocol decapsulation post-processor. The anti-replay protector reads the packet from the output FIFO of inbound dual stack security processing module 114, reads the sequence number (SN) from the IPsec header and performs anti-replay protection: if the packet is found to be a replay it is discarded, otherwise it is handed to the decapsulation pre-processor. The decapsulation pre-processor analyzes the packet's security policy and security association information and writes the packet into the input FIFO of the authentication verification operation unit in algorithm processing module 106. The decapsulation post-processor reads the packet delivered by the algorithm scheduler in the algorithm processing module and checks the legitimacy of the security policy corresponding to the packet's security association; if it is found illegitimate the packet is discarded, and if legitimate the IPsec header is stripped, the packet is turned into an IP-layer packet and handed to network communication interface 109. The outbound scheduler and the inbound scheduler may both be implemented with a two-to-one selector.
Fig. 2 shows the basic processing flow of the dual-stack IPsec VPN device of the invention for outbound data, which comprises the following steps:
OS00: the inner-network-side network communication interface receives link-layer data from the inner network and decapsulates it into an IP-layer packet;
OS01: extract the outbound security policy selector and send it to the security database for match lookup, obtaining the security policy information and security association information; the outbound security policy selector here is preferably composed of source IP, destination IP, upper-layer protocol number, source port and destination port;
OS02: analyse the security policy information and security association information and choose how the packet flow is processed: if the policy is to bypass IPsec, the bypass-IPsec policy information is attached and the packet is sent to its send FIFO buffer; if the policy is drop, the packet flow is read out and discarded; if the policy is to apply IPsec, check further whether the SA is valid: if it is invalid, the packet is sent to the data message cache module; if it is valid, the packet is sent to its send FIFO buffer;
OS03: the outbound dual-stack VPN pre-processing module extracts the VPN selector of the packet and sends the VPN selector to the outbound VPN management table;
OS04: once the outbound dual-stack VPN pre-processing module has encapsulated the VPN information, it writes the packet to the send FIFO between it and the next module;
OS05: the IPsec protocol processing module finds that the FIFO between it and the outbound dual-stack VPN pre-processing module holds a packet to process, reads the packet out and performs IPsec protocol encapsulation pre-processing on it;
OS06: the algorithm processing module reads in the packet that needs algorithm processing and performs the corresponding algorithm operation on it;
OS07: the packet that has been through algorithm processing undergoes IPsec protocol encapsulation post-processing.
OS08: the outbound communication interface re-encapsulates the encapsulated IP-layer packet into a data-link-layer frame and sends it out.
Fig. 3 shows the basic processing flow of the dual-stack IPsec VPN device of the invention for inbound data, which comprises the following steps:
IS00: the outer-network-side network communication interface receives a data-link-layer frame, decapsulates it into an IP-layer packet and writes it to the FIFO buffer between it and the next module;
IS01: after the inbound dual-stack VPN pre-processing module reads the packet, it strips the VPN header from the packet and writes the packet to the FIFO buffer between it and the next module;
IS02: extract the inbound security policy selector and the inbound security association selector of the packet and send them to the security database for match lookup of the security policy and security association information; the inbound security policy selector is preferably composed of source IP, destination IP and upper-layer protocol number, and the inbound security association selector is preferably composed of source IP, destination IP, upper-layer protocol number and SPI value;
IS03: analyse the security policy and security association information: if the policy is to bypass IPsec, encapsulate the bypass-IPsec information into the packet header and write the packet to the FIFO buffer between this module and the next; if the policy is to apply IPsec and the SA is valid, encapsulate the security policy information and security association information into the packet header and write the packet to the FIFO buffer between this module and the next; if the policy is to apply IPsec but the SA is invalid, or the policy is to drop the packet, read the packet out and discard it directly; a packet that bypasses IPsec skips IPsec processing;
IS04: the IPsec protocol processing module finds that the FIFO buffer between it and the inbound dual-stack VPN security processing module holds a packet to process; it first performs anti-replay protection according to the packet's security sequence number (SN) and determines whether the packet is a replay: a replayed packet is discarded directly, otherwise the packet is processed further;
IS05: the IPsec protocol processing module performs IPsec protocol decapsulation pre-processing on the packet and then passes the packet into the algorithm module;
IS06: the algorithm module reads the packet that needs processing and sends it into the decryption or authentication-verification unit for algorithm processing; after authentication verification the result is analysed: if verification failed, the packet is dropped; if it succeeded, the packet is sent on to the next step;
IS07: the IPsec protocol decapsulation post-processor in the IPsec protocol processing module reads the packet and checks the validity of the packet's security association and security policy; if the check fails, the packet is dropped; if the result is legitimate, the packet is sent on to the next step;
IS08: the IPsec protocol decapsulation post-processor in the IPsec protocol processing module performs decapsulation post-processing on the packet, strips the IPsec header, turns the packet into an IP-layer packet and hands it to the inner-network-side communication interface;
IS07: the inner-network-side data communication interface encapsulates the IP-layer packet into a data-link-layer frame and sends it.
Fig. 4 shows the maintenance and use flow of the dual-stack security database in the dual-stack IPsec VPN device of the invention. Note that not every step needs one clock cycle; those skilled in the art will understand that at least one step can be completed per clock cycle. The outbound database operation interface or the inbound security database operation interface (hereinafter safety operation interface 103 or 111) receives an access request and distinguishes a CPU access from a lookup access by security processing module 113 or 106. A CPU access proceeds as follows: the CPU sends a command and parameters over on-chip bus 102; the security database operation interface receives the command and parameters and parses them; it then selects the security association database or the security policy database; for the security policy database it further selects the IPv4 or the IPv6 database; the parsed command and parameters are then converted into a read/write operation on the selected security policy database. An access by the dual-stack security processing module proceeds as follows: the dual-stack security processing module sends a match-lookup request command and parameters; safety operation interface 103 or 111 parses the received command and parameters and converts them into a read operation on the security policy database; it then judges whether the security association database (SAD) needs to be accessed: if so, the command and parameters are further converted into a read operation on the SAD and the security information result is output; if not, the security information result is output directly; the access then ends.
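The outbound steps OS01 to OS07 and the inbound steps IS02 to IS08 above, together with the Fig. 4 split of the security database into one SPD per IP version plus one SAD, as an added software model (my example, not the patent's hardware). It models only the AH path, because HMAC-SHA-96 and HMAC-MD5-96 exist in the Python standard library while DES/3DES/AES do not; the 64-entry replay window, the `buffer` verdict name and the dictionary lookup keys are my assumptions, and the replay window is advanced only after the ICV check succeeds, as RFC 4302 requires.

```python
import hmac
import hashlib
import struct
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

AH_PROTO = 51                          # IP protocol number of AH (RFC 4302)
ICV_LEN = 12                           # HMAC-SHA-96 / HMAC-MD5-96 keep 96 bits of the MAC
REPLAY_WINDOW = 64                     # assumed window size; the patent gives none
WINDOW_MASK = (1 << REPLAY_WINDOW) - 1
BYPASS, DROP, APPLY = "bypass", "drop", "apply"
Packet = namedtuple("Packet", "src dst proto sport dport payload")
Policy = namedtuple("Policy", "action sa")     # sa is None unless action == APPLY

@dataclass
class SA:
    spi: int
    auth_alg: str          # "HMAC-SHA-96" or "HMAC-MD5-96", as listed for module 106
    key: bytes
    valid: bool = True
    seq: int = 0           # outbound sequence-number counter
    win_top: int = 0       # highest SN accepted so far (inbound anti-replay)
    win_bits: int = 0      # bit i set => SN (win_top - i) already seen
    def icv(self, data: bytes) -> bytes:
        digest = {"HMAC-SHA-96": hashlib.sha1, "HMAC-MD5-96": hashlib.md5}[self.auth_alg]
        return hmac.new(self.key, data, digest).digest()[:ICV_LEN]
    def replay_ok(self, sn: int) -> bool:     # IS04: test only; window moves after the ICV check
        if sn > self.win_top:
            return True
        off = self.win_top - sn
        return off < REPLAY_WINDOW and not (self.win_bits >> off) & 1
    def replay_mark(self, sn: int) -> None:
        if sn > self.win_top:
            self.win_bits = ((self.win_bits << (sn - self.win_top)) | 1) & WINDOW_MASK
            self.win_top = sn
        else:
            self.win_bits |= 1 << (self.win_top - sn)

def _ver(addr: str) -> int:
    return ipaddress.ip_address(addr).version

def _addrs(src: str, dst: str) -> bytes:   # immutable fields covered by the ICV
    return ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed

class DualStackSecurityDB:   # Fig. 4 layout: an SPD per IP version per direction, one SAD
    def __init__(self):
        self.spd_out = {4: {}, 6: {}}  # OS01 selector: (src, dst, proto, sport, dport)
        self.spd_in = {4: {}, 6: {}}   # IS02 selector: (src, dst, proto)
        self.sad = {}                  # IS02 SA selector: (src, dst, proto, spi)
    def add_outbound(self, sel, action, sa=None):
        self.spd_out[_ver(sel[0])][sel] = Policy(action, sa)
    def add_inbound(self, src, dst, action, sa=None):
        self.spd_in[_ver(src)][(src, dst, AH_PROTO)] = Policy(action, sa)
        if sa is not None:
            self.sad[(src, dst, AH_PROTO, sa.spi)] = sa

def outbound(db: DualStackSecurityDB, pkt: Packet):
    """OS01..OS07 for one packet: returns (verdict, bytes that follow the IP header)."""
    pol = db.spd_out[_ver(pkt.src)].get((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
    if pol is None or pol.action == DROP:
        return DROP, None
    if pol.action == BYPASS:
        return BYPASS, pkt.payload
    sa = pol.sa
    if not sa.valid:                   # OS02: parked in the data message cache module
        return "buffer", None
    sa.seq += 1
    # AH header: next header, payload length (24/4 - 2 = 4), reserved, SPI, SN
    ah = struct.pack("!BBHII", pkt.proto, 4, 0, sa.spi, sa.seq)
    icv = sa.icv(_addrs(pkt.src, pkt.dst) + ah + bytes(ICV_LEN) + pkt.payload)
    return APPLY, ah + icv + pkt.payload

def inbound(db: DualStackSecurityDB, src: str, dst: str, wire: bytes):
    """IS02..IS08 for one received AH packet: returns (verdict, inner payload)."""
    if len(wire) < 12 + ICV_LEN:
        return DROP, None
    _nh, _plen, _rsv, spi, sn = struct.unpack("!BBHII", wire[:12])
    icv, payload = wire[12:12 + ICV_LEN], wire[12 + ICV_LEN:]
    pol = db.spd_in[_ver(src)].get((src, dst, AH_PROTO))
    if pol is None or pol.action == DROP:
        return DROP, None
    if pol.action == BYPASS:
        return BYPASS, wire
    sa = db.sad.get((src, dst, AH_PROTO, spi))
    if sa is None or not sa.valid or pol.sa is not sa:   # IS03 and IS07 validity checks
        return DROP, None
    if not sa.replay_ok(sn):                             # IS04 anti-replay
        return "replay", None
    expected = sa.icv(_addrs(src, dst) + wire[:12] + bytes(ICV_LEN) + payload)
    if not hmac.compare_digest(expected, icv):           # IS06 authentication check
        return "auth-fail", None
    sa.replay_mark(sn)
    return APPLY, payload                                # IS08: AH header stripped
```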
Fig. 5 shows a preferred dual-stack VPN processing method of the invention, comprising outbound dual-stack VPN pre-processing and inbound dual-stack VPN pre-processing. For outbound VPN pre-processing, the packet's VPN selector is read first; this selector is the source and destination IP of the packet header. The VPN table module feeds the selector into its internal match circuit to look up the VPN information; the match circuit is preferably implemented as a CAM structure, and the VPN table information is held in on-chip RAM. The VPN header information is then output; after the outbound VPN pre-processing module has read the VPN header information, it encapsulates the VPN header into the packet header and writes the packet to the FIFO between it and the IPsec protocol processing module. For inbound dual-stack VPN pre-processing, the packet is read, its class (IPv4 or IPv6) is analysed, the VPN header of that class is stripped, and the packet is written to the FIFO between this module and the inbound dual-stack security processing module.
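The Fig. 5 VPN pre-processing, as an added software model (my example, not the patent's circuit): an outbound table matched on the (source, destination) selector per inner IP version, encapsulation under an IPv4 VPN header so that either an IPv4 or an IPv6 inner packet can cross an IPv4 Internet (the device 3 case of Fig. 6), and inbound classification of the VPN header before stripping it. The patent does not name the VPN header format; plain IP-in-IP with outer protocol 4 (IPv4 inside) or 41 (IPv6 inside) is my assumption, as is matching on address prefixes.

```python
import struct
import ipaddress

# Outer-header protocol numbers for IPv4-in-IPv4 and IPv6-in-IPv4 (assumed;
# the patent only says the VPN header added by device 3 is of IPv4 type)
PROTO_IPIP, PROTO_IPV6 = 4, 41

def _packed(addr) -> bytes:          # accepts "10.0.0.1", "2001:db8::1" or an ipaddress object
    return ipaddress.ip_address(str(addr)).packed

def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 ones-complement sum; returns 0 when hdr already carries a valid checksum."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options, DF set, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      ttl, proto, 0, _packed(src), _packed(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def ipv6_header(src, dst, next_hdr: int, payload_len: int, hop: int = 64) -> bytes:
    """40-byte IPv6 base header (version 6, zero traffic class and flow label)."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_hdr, hop,
                       _packed(src), _packed(dst))

def classify(pkt: bytes):
    """Read the version nibble and return (version, src, dst, total_length)."""
    ver = pkt[0] >> 4
    if ver == 4:
        return (4, ipaddress.ip_address(pkt[12:16]), ipaddress.ip_address(pkt[16:20]),
                struct.unpack("!H", pkt[2:4])[0])
    if ver == 6:
        return (6, ipaddress.ip_address(pkt[8:24]), ipaddress.ip_address(pkt[24:40]),
                40 + struct.unpack("!H", pkt[4:6])[0])
    raise ValueError("not an IPv4 or IPv6 packet")

class VPNTable:
    """Outbound VPN management table of Fig. 5: one entry list per inner IP version,
    matched on (source, destination) the way the CAM match circuit would."""
    def __init__(self):
        self.entries = {4: [], 6: []}
    def add(self, src_net: str, dst_net: str, outer_src: str, outer_dst: str):
        s, d = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
        self.entries[s.version].append(
            (s, d, ipaddress.ip_address(outer_src), ipaddress.ip_address(outer_dst)))
    def lookup(self, ver: int, src, dst):
        for s, d, osrc, odst in self.entries[ver]:     # first match wins, as in a CAM
            if src in s and dst in d:
                return osrc, odst
        return None

def vpn_encap(table: VPNTable, inner: bytes):
    """Outbound pre-processing: prepend an IPv4 VPN header to an IPv4 or IPv6 inner packet."""
    ver, src, dst, length = classify(inner)
    hit = table.lookup(ver, src, dst)
    if hit is None:
        return None                                    # no VPN entry for this flow
    proto = PROTO_IPIP if ver == 4 else PROTO_IPV6
    return ipv4_header(hit[0], hit[1], proto, length) + inner[:length]

def vpn_decap(wire: bytes):
    """Inbound pre-processing: classify the VPN header as IPv4 or IPv6, strip a header
    of that class and return (inner_version, inner_packet)."""
    outer = wire[0] >> 4
    if outer == 4:
        hdr_len, proto = (wire[0] & 0xF) * 4, wire[9]
    elif outer == 6:
        hdr_len, proto = 40, wire[6]
    else:
        raise ValueError("VPN header is not an IP header")
    inner = wire[hdr_len:]
    inner_ver = inner[0] >> 4
    if {PROTO_IPIP: 4, PROTO_IPV6: 6}.get(proto) != inner_ver:
        raise ValueError("VPN header protocol and inner packet version disagree")
    return inner_ver, inner
```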
Fig. 6 shows a typical deployment of the dual-stack IPsec VPN device. As shown in Fig. 6, an organization has a headquarters network and two branch networks located in different offices: branch 1 and branch 2. The headquarters network is a dual-stack IPv4 and IPv6 network, branch 1 is an IPv4 network and branch 2 is an IPv6 network. The hosts in the headquarters network and the branch networks are all dual-stack nodes; inside the headquarters network there are an IPv4 server and an IPv6 server, and the switch in the headquarters network supports dual stack. When a host node of the headquarters network accesses an IPv4 node of branch 1 or branch 2 it uses the IPv4 address, and when it accesses an IPv6 node it uses the IPv6 address. As shown in the figure, three dual-stack IPsec VPN devices of the invention serve as the default VPN nodes of the headquarters network and the two branch networks. The outer-network-side port of each dual-stack IPsec VPN device has two IP addresses, one IPv4 and one IPv6, both globally unique; the inner-network-side port of each device has an IPv4 and an IPv6 address from the inner network segment. As an example of the VPN traffic process, when host a of headquarters uses an IPv4 address to access host a of the branch 1 network, the packets flow through the switch, dual-stack IPsec VPN device 1, the Internet and then dual-stack IPsec VPN device 2 to reach host a of the branch 1 network; in this process an IPsec VPN tunnel is established between dual-stack IPsec VPN device 1 and dual-stack IPsec VPN device 2 to protect the data communication. Because both communicating parties use IPv4 addresses, the dual-stack IPsec VPN devices process the packets with the IPv4 processing method. As another example, when host b of branch 2 uses an IPv6 address to access the IPv6 server of the headquarters network, the packets flow through dual-stack IPsec VPN device 3, the Internet, dual-stack VPN device 1, the switch and the IPv6 server; because both the initiating and the receiving party use IPv6 addresses, dual-stack IPsec VPN device 1 and dual-stack IPsec VPN device 3 apply the IPv6 processing method, but dual-stack IPsec VPN device 3, during outbound VPN pre-processing, adds an IPv4 VPN header so that the IPv6 packets can traverse an IPv4 Internet.

Claims (6)

1. A dual-stack IPsec VPN device, characterized in that it comprises a dual-stack VPN processing section, a security database building and lookup section, a security protocol processing section, a data stream transmission processing section and a CPU section;
the dual-stack VPN processing section, for dual-stack processing and VPN header processing, comprises an outbound dual-stack VPN pre-processing module, an outbound VPN management table and an inbound dual-stack VPN pre-processing module;
the security database building and lookup section maintains and performs match lookup on security policy databases of two types, IPv4 and IPv6, and maintains and performs match lookup on a security association database of one type; it comprises an outbound dual-stack security processing module, a data message cache module, an outbound security database operation interface, an outbound dual-stack security database module, an inbound dual-stack security processing module, an inbound security database operation interface and an inbound dual-stack security database module;
the security protocol processing section completes the encapsulation and decapsulation processing of the IPsec AH and ESP protocols and the encryption, decryption and authentication algorithm processing of packets; it comprises an IPsec protocol processing module and an algorithm processing module;
the data stream transmission processing section controls the inbound and outbound data streams so that they flow through the different modules and network communication interfaces in order; packet data going from the inner network to the outer network passes through the outbound dual-stack security processing module and the outbound dual-stack VPN pre-processing module, which encapsulate the security parameters and the VPN parameters respectively into the header of the original packet; packet data entering the inner network from the outer network has its VPN header information stripped by the inbound dual-stack VPN pre-processing, and after this VPN-stripped packet has passed through the inbound dual-stack security processing module the security parameters are encapsulated into its header;
the CPU section comprises a CPU and the bus architecture that works with it; it is used to manage the security databases and the VPN data table and to analyse the necessary transport-layer and higher upper-layer protocols defined by the OSI model, and it does not intervene in the normal packet flow;
wherein the CPU, the inbound security database operation interface, the outbound VPN management table and the outbound security database operation interface are interconnected by the on-chip bus; the outbound communication interface and the outbound dual-stack security processing module are connected by a dual-port buffer; the outbound dual-stack security processing module is connected with the outbound security database operation interface and the data message cache module; the outbound dual-stack security database module is connected with the outbound database operation interface; the outbound dual-stack security processing module and the outbound dual-stack VPN pre-processing module are connected by a dual-port buffer; the outbound dual-stack VPN pre-processing module is connected with the outbound VPN management table; the outbound dual-stack VPN pre-processing module and the IPsec protocol processing module are connected by a dual-port buffer; the IPsec protocol processing module and the algorithm processing module are connected by a dual-port buffer; the IPsec protocol processing module and the outbound communication interface are connected by a dual-port buffer; the inner-network communication interface and the inbound dual-stack VPN pre-processing module are connected by a dual-port buffer; the inbound dual-stack VPN pre-processing module and the inbound dual-stack security processing module are connected by a dual-port memory; the inbound dual-stack security processing module is connected with the inbound security database operation interface; the inbound dual-stack security processing module and the IPsec protocol processing module are connected by a dual-port buffer; and the IPsec protocol processing module and the inner-network communication interface are connected by a dual-port buffer.
2. The dual-stack IPsec VPN device of claim 1, characterized in that the outbound dual-stack security database module comprises: an outbound security policy database for storing security policy entries, an outbound security association database for storing outbound security association entries, and a read/write logic conversion interface to the two databases;
the outbound security policy database comprises two databases corresponding respectively to IPv4 and IPv6: an outbound IPv4 policy database and an outbound IPv6 policy database; the outbound IPv4 policy database is used for matching and querying the policies of IPv4-type packet flows, and the outbound IPv6 policy database for matching and querying the policies of IPv6-type packet flows;
the outbound security association database is a memory unit for storing security association entry information, and the information it holds comprises a transmission mode selection field, a protocol type selection field, a sequence number overflow handling selection field, an encryption algorithm selection field, an authentication algorithm selection field, a field selecting whether an encryption IV is needed, an encryption algorithm key length field, an authentication algorithm key length field, a PMTU field, a Security Parameter Index field and a sequence number counter field.
3. The dual-stack IPsec VPN device of claim 1, characterized in that the outbound VPN management table comprises VPN table memory units of two types, IPv4 and IPv6, and an access control logic controller; the access control logic controller comprises control logic circuits for the CPU's query, add and delete operations on VPN management table entries, and a control logic circuit for the outbound dual-stack VPN pre-processing module's query operation on the VPN management table.
4. The dual-stack IPsec VPN device of claim 1, characterized in that the algorithm processing module comprises an encryption algorithm unit, a decryption algorithm unit, an authentication algorithm unit and an authentication-verification algorithm unit; wherein, in the direction in which inner-network packets go out to the outer network, the input interface of the encryption algorithm unit is connected to the encryption processing output interface of the IPsec protocol processing module, the input interface of the authentication algorithm unit is connected to the output interface of a 2-to-1 selector whose two input interfaces are connected respectively to the authentication processing output interface of the IPsec protocol processing module and to the output interface of the encryption algorithm unit, and the output interface of the authentication algorithm unit is connected to the authentication result input interface of the IPsec protocol processing module; in the direction in which outer-network packets enter the inner network, the input interface of the authentication-verification algorithm unit is connected to the authentication-verification result output interface of the IPsec protocol processing module, the output interface of the authentication-verification algorithm unit and the output interface of the decryption algorithm unit are connected respectively to the two input interfaces of a 2-to-1 selector whose output interface is connected to the algorithm result input interface of the IPsec protocol processing module, and the output interface of the authentication-verification algorithm unit is also connected to the input interface of the decryption algorithm unit.
5. The dual-stack IPsec VPN device of claim 3, characterized in that the encryption/decryption algorithm unit comprises at least two encryption/decryption algorithm units that use different encryption/decryption algorithms, and the authentication/authentication-verification algorithm unit comprises at least two authentication/authentication-verification algorithm units that use different authentication/authentication-verification algorithms.
6. The dual-stack IPsec VPN device of claim 1, characterized in that the IPsec protocol processing module comprises:
an IPsec protocol encapsulation pre-processor, for analysing the security policy and security association information of an outbound packet, determining whether the packet needs encryption and authentication operations or only authentication, and then sending the packet to the corresponding unit;
an IPsec protocol encapsulation post-processor, for performing protocol encapsulation on a packet after it has been processed by the encryption and/or authentication unit, and writing the encapsulated packet to the dual-port buffer between it and the outbound communication interface;
an anti-replay protector, for performing anti-replay detection on received inbound packets and anti-replay processing according to the detection result;
an IPsec protocol decapsulation pre-processor, for analysing the security policy and security association information of an inbound packet, determining whether the packet needs decryption and authentication-verification operations or only authentication verification, and then sending the packet to the corresponding unit;
an IPsec protocol decapsulation post-processor, for performing protocol decapsulation on a packet after it has been processed by the decryption and/or authentication-verification unit, then checking whether the packet's security policy and security association information are legitimate; if they are not, the packet is dropped; if they are, the decapsulated packet is written to the dual-port buffer between it and the inner-network communication interface;
the IPsec protocol encapsulation pre-processor, the IPsec protocol encapsulation post-processor, the IPsec protocol decapsulation pre-processor and the IPsec protocol decapsulation post-processor are four independent parts that work concurrently, have no circuit connection to one another, and are each connected through an independent data path to the respective unit in the algorithm processing module.
CN201510307310.2A 2015-07-16 2015-07-16 A kind of double stack IPSec VPN devices Active CN105025004B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510307310.2A CN105025004B (en) 2015-07-16 2015-07-16 A kind of double stack IPSec VPN devices

Publications (2)

Publication Number Publication Date
CN105025004A true CN105025004A (en) 2015-11-04
CN105025004B CN105025004B (en) 2018-01-02

Family

ID=54414710

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018059278A1 (en) * 2016-09-29 2018-04-05 Huawei Technologies Co., Ltd. System and method for packet classification using multiple security databases
CN111585986A (en) * 2020-04-24 2020-08-25 广东纬德信息科技股份有限公司 Safe transmission method, device, medium and terminal equipment based on power gateway
CN111614538A (en) * 2020-04-30 2020-09-01 网络通信与安全紫金山实验室 Message forwarding method based on IPsec encapsulation protocol

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant