CN105025004B - A kind of double stack IPSec VPN devices - Google Patents

Info

Publication number: CN105025004B
Authority: CN (China)
Prior art keywords: vpn, outgoing, double stack, message, ipsec
Legal status: Active
Application number: CN201510307310.2A
Other languages: Chinese (zh)
Other versions: CN105025004A (en)
Inventors: 李冰, 郭安, 朱卫卫, 涂云晶, 刘勇, 陈帅, 董乾, 赵霞, 王刚
Current assignee: Southeast University
Original assignee: Southeast University
Events: application filed by Southeast University; priority to CN201510307310.2A; publication of CN105025004A; application granted; publication of CN105025004B; legal status active; anticipated expiration

Classifications

    • H04L63/164 Implementing security features at a particular protocol layer at the network layer (under H04L63/00 Network architectures or network communication protocols for network security; H04L63/16 Implementing security features at a particular protocol layer)
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN] (under H04L12/00 Data switching networks; H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]; H04L12/46 Interconnection of networks)

Abstract

The invention discloses a dual-stack IPsec VPN device in the technical field of network communication security. The dual-stack IPsec VPN device of the invention comprises a dual-stack VPN processing part, a security database construction and lookup part, a security protocol processing part, a data stream transmission processing part and a CPU part. Compared with the prior art, the invention provides the network security services that VPN technology requires during the transition from IPv4 to IPv6; every part that processes the data flow is implemented in hardware circuits, while the CPU is used only to maintain the databases and data tables, so the device is suited to high-speed network information security applications.

Description

A kind of double stack IPSec VPN devices
Technical field
The present invention relates to the technical field of network communication security, and in particular to a dual-stack IPsec VPN device.
Background technology
A network is inherently open. On the one hand this lets any user access it and enjoy its convenience; on the other hand, if a network service takes no security precautions, its communication data can be obtained by any user who enters the network, and the communication has no security at all. With the development of network technology and the emergence of many new network services, the security requirements on network services, particularly in government, telecommunications, finance and data communication enterprises, have reached an unprecedented height, and these organisations have sharply increased the categories of information they keep confidential. At the same time, the exhaustion of IPv4 address resources is a hard problem facing current IP networks; the industry generally recognises migration to IPv6 as the most effective way to solve IPv4 address exhaustion completely, yet the migration from IPv4 to IPv6 in turn affects VPNs that are already deployed. In addition, with the spread of high-speed networks, 10G and 40G networks have become common, 100G networks are being deployed in more developed regions, and 400G networks are leaving the laboratory and moving toward application; how to guarantee data security on networks of such speed has therefore become a very urgent problem.
To address network security, the Internet Engineering Task Force (IETF) proposed a set of security protocols that protect data at the IP layer, namely the IPsec protocols. IPsec is a standard, robust and wide-ranging mechanism. The protocols themselves specify a default, mandatory set of security algorithms so that different IPsec implementations can interoperate. IPsec provides security at the IP layer for both IPv4 and IPv6, and this security includes data origin authentication, data integrity authentication, data confidentiality and anti-replay protection.
The migration from IPv4 to IPv6 will remain in progress for a long time. Existing transition technologies include dual-stack, tunneling and NAT-PT. With dual-stack, a communicating node is a dual-stack node that selects the IPv4 protocol stack when communicating with IPv4 nodes and the IPv6 protocol stack when communicating with IPv6 nodes. Tunneling lets two IPv6 sites communicate across an IPv4 network and includes a variety of manual and automatic tunneling techniques. NAT-PT interconnects IPv4 and IPv6 networks by translating between IPv4 and IPv6 addresses. At present the dual-stack scheme is the most mature and has the widest scope of application, and it is the mainstream choice of operators worldwide for deploying IPv6.
Combining dual-stack network technology, IPsec technology and VPN technology in one device gives the device a very wide scope of application, and reaches the goals of network protocol migration, network security protection and VPN construction at the same time.
There are currently three main ways to implement a dual-stack IPsec VPN: a general-purpose processor with pure software; a general-purpose processor with hardware algorithm acceleration modules; and an integrated network processing unit. The first is the most flexible but the slowest, and is unsuitable for high-speed networks. The second is less flexible, and the CPU still carries a very heavy data load, so it is likewise unsuitable for high-speed networks. The third is moderately flexible: the CPU does not intervene in the data flow and is used only for configuration and management, with the CPU bus architecture, the message ingress bus and the message egress bus forming three mutually independent buses. Implementing the IPsec protocol entirely in hardware circuits gives strong scalability and the highest speed, and suits high-speed network scenarios.
The content of the invention
The technical problem to be solved by the invention is to overcome the shortcomings of the prior art and provide a dual-stack IPsec VPN device that can supply security services to next-generation IPv4-to-IPv6 high-speed network deployments, with high data processing and transmission efficiency and strong scalability.
The invention solves the above technical problem with the following technical scheme:
A dual-stack IPsec VPN device, comprising a dual-stack VPN processing part, a security database construction and lookup part, a security protocol processing part, a data stream transmission processing part and a CPU part;
the dual-stack VPN processing part handles the VPN header for the dual stack and includes an outgoing dual-stack VPN pre-processing module, an outgoing VPN management table and an incoming dual-stack VPN pre-processing module;
the security database construction and lookup part maintains and performs matching lookups in the two policy databases (IPv4 and IPv6) and in one security association database; it includes an outgoing dual-stack security processing module, a data message cache module, an outgoing security database operation interface, an outgoing dual-stack security database module, an incoming dual-stack security processing module, an incoming security database operation interface and an incoming dual-stack security database module;
the security protocol processing part performs encapsulation and decapsulation for the IPsec AH and ESP protocols and the encryption, decryption and authentication algorithm processing of data messages; it includes an IPsec protocol processing module and an algorithm processing module;
the data stream transmission processing part controls the ingress and egress data streams so that they flow in order through the different modules and the network communication interfaces; message data leaving the intranet for the extranet passes through the outgoing dual-stack security processing module and the outgoing dual-stack VPN pre-processing module, which respectively encapsulate the security parameters and the VPN parameters into the header of the original message; message data entering the intranet from the extranet has its VPN header information stripped by the incoming dual-stack VPN pre-processing module, and after the message with the VPN information stripped is processed by the incoming dual-stack security processing module the security parameters are encapsulated into its header;
the CPU part comprises a CPU and the bus architecture that works with it, and is used to manage the security databases and the VPN data tables and to process, as necessary, the transport layer and the layers above it defined by the OSI model, without intervening in normal message flow processing;
wherein the CPU, the incoming security database operation interface, the outgoing VPN management table and the outgoing security database operation interface are interconnected by the on-chip bus; the outbound communication interface and the outgoing dual-stack security processing module are connected by a dual-port buffer; the outgoing dual-stack security processing module is connected to the outgoing security database operation interface and to the data message cache module; the outgoing dual-stack security database module is connected to the outgoing database operation interface; the outgoing dual-stack security processing module and the outgoing dual-stack VPN pre-processing module are connected by a dual-port buffer; the outgoing dual-stack VPN pre-processing module is connected to the outgoing VPN management table; the outgoing dual-stack VPN pre-processing module and the IPsec protocol processing module are connected by a dual-port buffer; the IPsec protocol processing module and the algorithm processing module are connected by a dual-port buffer; the IPsec protocol processing module and the outbound communication interface are connected by a dual-port buffer; the intranet communication interface and the incoming dual-stack VPN pre-processing module are connected by a dual-port buffer; the incoming dual-stack VPN pre-processing module and the incoming dual-stack security processing module are connected by a dual-port memory; the incoming dual-stack security processing module is connected to the incoming security database operation interface; the incoming dual-stack security processing module and the IPsec protocol processing module are connected by a dual-port buffer; and the IPsec protocol processing module and the intranet communication interface are connected by a dual-port buffer.
In one preferred scheme, the outgoing dual-stack security database module includes an outgoing security policy database for storing security policy entries, an outgoing security association database for storing outgoing security association entries, and a read-write logic conversion interface for the two databases;
the outgoing security policy database includes two databases corresponding respectively to IPv4 and IPv6, the outgoing IPv4 policy database and the outgoing IPv6 policy database; the outgoing IPv4 policy database is used to match and query the policy of IPv4 message flows, and the outgoing IPv6 policy database is used to match and query the policy of IPv6 message flows;
the outgoing security association database is a memory unit for storing security association entries; the information it stores includes a transmission mode selection field, a protocol type selection field, a sequence number overflow handling selection field, an encryption algorithm selection field, an authentication algorithm selection field, a field selecting whether an encryption IV is needed, an encryption algorithm key length field, an authentication algorithm key length field, a PMTU field, a security parameter index field and a sequence number counter field.
In another preferred scheme, the algorithm processing module includes an encryption algorithm operator, a decryption algorithm operator, an authentication algorithm operator and a verification (de-authentication) algorithm operator. In the direction of intranet packets leaving for the extranet, the input interface of the encryption algorithm operator is connected to the encryption algorithm processing output interface of the IPsec protocol processing module; the input interface of the authentication algorithm operator is connected to the output interface of a two-to-one selector whose two input interfaces are connected respectively to the authentication algorithm processing output interface of the IPsec protocol processing module and to the output interface of the encryption algorithm operator; and the output interface of the authentication algorithm operator is connected to the authentication algorithm result input interface of the IPsec protocol processing module. In the direction of extranet packets entering the intranet, the input interface of the verification algorithm operator is connected to the verification algorithm processing result output interface of the IPsec protocol processing module; the output interface of the verification algorithm operator and the output interface of the decryption algorithm operator are connected respectively to the two input interfaces of a two-to-one selector whose output interface is connected to the algorithm result input interface of the IPsec protocol processing module; and the output interface of the verification algorithm operator is also connected to the input interface of the decryption algorithm operator.
Further, the encryption/decryption algorithm operators include at least two operators using different encryption/decryption algorithms, and the authentication/verification algorithm operators include at least two operators using different authentication/verification algorithms.
As a further optimisation of the invention, the IPsec protocol processing module includes:
an IPsec protocol encapsulation pre-processor, which analyses the security policy and security association information of outgoing messages, decides whether a message needs encryption and authentication or only authentication, and then sends the message to the corresponding operator;
an IPsec protocol encapsulation post-processor, which performs protocol encapsulation on messages that have been processed by the encryption and/or authentication operators and writes the encapsulated message into the dual-port buffer between itself and the outbound communication interface;
an anti-replay protection device, which performs replay detection on received messages in the incoming direction and handles them according to the detection result;
an IPsec protocol decapsulation pre-processor, which analyses the security policy and security association information of incoming messages, decides whether a message needs decryption and verification or only verification, and then sends the message to the corresponding operator;
an IPsec protocol decapsulation post-processor, which performs protocol decapsulation on messages that have been processed by the decryption and/or verification operators, then checks whether the message's security policy and security association information are legal; if not, the message is discarded, and if legal the decapsulated message is written into the dual-port buffer between itself and the intranet communication interface;
the IPsec protocol encapsulation pre-processor, encapsulation post-processor, decapsulation pre-processor and decapsulation post-processor work independently and concurrently, with no circuit connection between them, and each is connected to each operator in the algorithm processing module through an independent data path.
Compared with the prior art, the dual-stack IPsec VPN device proposed by the invention introduces dual-stack VPN management, the maintenance and use of dual-stack security databases, and CPU maintenance of the databases and data tables together with processing of the necessary protocols above IP. The modules through which messages flow are connected by dual-port buffers, which reduces the coupling between modules and can speed up development. The multi-bus data message stream processing gives the invention very high processing efficiency and scalability. In the technical scheme of the invention, message data stream processing is implemented entirely in hardware circuits, which yields very high processing efficiency, reduces system complexity and benefits the realisability of the system design.
Brief description of the drawings
Fig. 1 is a preferred structure of the dual-stack IPsec VPN device of the invention;
Fig. 2 is the basic processing flow of the dual-stack IPsec VPN device of the invention for outgoing direction data;
Fig. 3 is the basic processing flow of the dual-stack IPsec VPN device of the invention for incoming direction data;
Fig. 4 is the maintenance and use method flow of the dual-stack security databases in the dual-stack IPsec VPN device of the invention;
Fig. 5 is the workflow of the dual-stack VPN processing part in the dual-stack IPsec VPN device of the invention;
Fig. 6 is a typical deployment mode of the dual-stack IPsec VPN device of the invention.
Embodiment
The technical scheme is described in detail below with reference to the accompanying drawings:
Fig. 1 shows the basic structure of a preferred embodiment of the dual-stack IPsec VPN device of the invention. The dual-stack IPsec VPN device 100 includes a dual-stack VPN processing part, a security database construction and lookup part, a security protocol processing part, a data stream transmission processing part and a CPU part. The dual-stack VPN processing part includes the outgoing dual-stack VPN pre-processing module 112, the outgoing VPN management table 105 and the incoming dual-stack VPN pre-processing module 115; the security database construction and lookup part includes the outgoing dual-stack security processing module 110, the data message cache module 111, the outgoing security database operation interface 103, the outgoing dual-stack security database module 104, the incoming dual-stack security processing module 114, the incoming security database operation interface 107 and the incoming dual-stack security database module 108; the security protocol processing part includes the IPsec protocol processing module 113 and the algorithm processing module 106; the data stream transmission processing part comprises the ingress and egress data streams that flow in order through the different modules and the network communication interfaces 109 and 116; and the CPU part includes an embedded CPU 101 and the bus architecture 102 that works with it.
Network communication interfaces 109 and 116 are the physical network interfaces; Ethernet or POS interfaces may be selected, and both interfaces support encapsulating and decapsulating IPv4 and IPv6 message frames. On one side, interface 109 receives data link layer data from the intranet addressed to itself, decapsulates the frames into network layer data messages and writes them into the FIFO between itself and the outgoing dual-stack security processing module; on the other side it takes the network layer data messages stored in the FIFO between itself and the IPsec protocol processing module, encapsulates them into frames and sends them to the data link layer of the intranet. On one side, interface 116 encapsulates the network layer data messages stored in the FIFO between itself and the IPsec protocol processing module into frames and sends them to the data link layer of the extranet; on the other side it receives data link layer data from the extranet addressed to itself, decapsulates the frames into network layer data messages and writes them into the FIFO between itself and the incoming dual-stack VPN pre-processing module 115.
CPU 101 and on-chip bus 102: the CPU may be an open-source or a commercial embedded CPU, preferably a 32-bit or 64-bit general-purpose CPU, and on-chip bus 102 is a bus type that can work with the selected CPU. CPU 101 is the master device on the bus and all other devices attached to the bus are slave devices, so CPU 101 accesses every device on the bus through on-chip bus 102. This access consists of CPU 101 maintaining the incoming security database operation interface 107, the outgoing VPN management table 105 and the outgoing security database operation interface 103, where maintenance comprises add, delete and query operations. Concretely, CPU 101 issues an instruction and parameters onto the bus; the bus analyses and decodes the instruction and parameters and selects the slave device the CPU wants to access; the slave device reads the instruction and parameters from the bus and responds.
The outgoing dual-stack security database module 104 and the incoming dual-stack security database module 108 store the security policy database (SPD) and the security association database (SAD) together with the read-write logic conversion interface for the two databases. The policy database is a memory unit storing security policy entries and comprises two databases, IPv4 and IPv6: the IPv4 policy database (SPD_V4) is used to match and query the policy of IPv4 message flows, and the IPv6 policy database (SPD_V6) the policy of IPv6 message flows. The matching lookup function of the security policy database module is realised by a CAM/TCAM structure; the policy information and SA pointer information reside in on-chip RAM, and the security association information resides in on-chip SRAM. The match address output by the CAM/TCAM corresponds to the policy information and SA pointer information in the on-chip RAM. If the policy requires applying IPsec and the SA pointer is valid, the SA pointer is used as the address input of the security association access unit, and the SA information is read out and sent, together with the apply-IPsec policy information, to the corresponding security association operation interface 103 or 107. If the policy is to apply IPsec but the SA pointer is invalid, then for the incoming direction the apply-IPsec policy information and the invalid-SA-pointer information are sent to security operation interface 103, and for the outgoing direction discard-policy information is sent to security operation interface 107. If the policy is to bypass IPsec, bypass-IPsec policy information is sent to the corresponding security operation interface 103 or 107. If the policy is to discard the data message, that policy information is sent to the corresponding security operation interface 103 or 107.
The outgoing security operation interface 103 and the incoming security operation interface 107 first parse the instructions and parameters of the accesses coming from security processing module 110 or 114 and from bus 102, and then convert the parsed instruction and parameters into the operation logic for the database storage units.
The outgoing dual-stack security processing module 110 and the incoming dual-stack security processing module 114 first read the IP message from their respective receive FIFO buffers and extract all the selectors, which are sent to the security database operation interface to match and query the security policy SP and security association SA information. After the SP and SA information is received, there are four cases:
a) if the policy is to apply IPsec and the SA exists, security processing module 110 or 114 encapsulates the SA information into the message header, first writes the encapsulated SA information and IP header into its send FIFO, and then reads the rest of the message from its receive FIFO and writes it into its send FIFO;
b) if the policy is to apply IPsec but the SA does not exist, the outgoing security processing module 110 writes an invalid SA pointer and the IP header into data message cache module 111 and then reads the rest of the message from its receive FIFO and writes it into data message cache module 111, whereas the incoming security processing module 114 discards the IP header information and reads out and discards the rest of the message from its receive FIFO;
c) if the policy is to bypass IPsec, security processing module 110 or 114 encapsulates the bypass-IPsec control information into the header, writes the encapsulated header into its send FIFO, and then also writes the rest of the message from its receive FIFO into its send FIFO;
d) if the policy is discard, security processing module 110 or 114 reads out and discards the whole IP message.
The outgoing VPN management table is queried, for message flows from the intranet to the extranet, for the VPN header the message needs to carry. The VPN table resides in on-chip RAM and its lookup is realised by a CAM/TCAM structure. When it receives the source IP and destination IP, these are used as the VPN selectors and fed into the CAM/TCAM, which yields the address of the VPN entry in the RAM; that address is fed to the VPN table RAM, the VPN information is read out and sent to the outgoing dual-stack VPN pre-processing module. The outgoing dual-stack VPN pre-processing module 112 reads the source and destination IP from its receive FIFO and first sends them to the outgoing VPN management table, which returns the source and destination IP of the VPN header to the pre-processing module; the module then encapsulates the VPN information into the message header, writes the encapsulated header into its send FIFO, and then reads the rest of the message from its receive FIFO and writes it into its send FIFO.
The incoming dual-stack VPN pre-processing module 115 reads the message from its receive FIFO, strips the VPN header from the message and writes the message with the header stripped into its send FIFO.
Algorithm processing module 106 implements the four kinds of operators: encryption, decryption, authentication and verification. The encryption algorithms are DES, 3DES and AES encryptors, the decryption algorithms are DES, 3DES and AES decryptors, and the authentication algorithms are HMAC-SHA-96 and HMAC-MD5-96. For the outgoing direction, after a message needing encryption and authentication is received from IPsec protocol processing module 113, the message is sent to the encryption operator or to the authentication operator for encryption or authentication processing; an encrypted message must also be sent into the authentication operator for authentication processing, and the input of the authentication operator is chosen by an outgoing scheduler between the output of the encryption algorithm operator and messages from IPsec protocol processing module 113 that need only authentication. After the outgoing algorithm processing finishes, the message is returned to the IPsec protocol processing module. For the incoming direction, after a message is received from the IPsec protocol processing module it is sent to the verification operator for verification; if verification fails the message is discarded, and if it succeeds the message is sent into the FIFO before the decryption operator or into the FIFO before the incoming scheduler. The decryption operator processes messages that need decryption and writes them into the FIFO before the incoming scheduler, and the incoming scheduler selects the result output FIFO of either the verification operator or the decryption operator and sends the message to IPsec protocol processing module 113.
IPsec protocol processing module 113 implements the ESP and AH protocols of IPsec on the packet. For the outbound direction it has an IPsec protocol encapsulation pre-processor and an IPsec protocol encapsulation post-processor. The encapsulation pre-processor reads a packet from the data FIFO of outbound dual-stack VPN pre-processing module 112, analyses the packet's security policy and security association information, selects whether the packet goes to the input FIFO of the encryption algorithm arithmetic unit in algorithm processing module 106 or to the outbound scheduler FIFO, and writes the packet into the selected FIFO. The encapsulation post-processor reads the packet from the output FIFO of the authentication algorithm arithmetic unit in algorithm processing module 106, performs the IPsec protocol encapsulation of the packet, adds the IPsec header, packs the result into an IP-layer packet and hands it to network communication interface 116. For the inbound direction there are an anti-replay protector, an IPsec protocol decapsulation pre-processor and an IPsec protocol decapsulation post-processor. The anti-replay protector reads the packet from the output FIFO of inbound dual-stack security processing module 114, reads the sequence number (SN) from the IPsec header and performs the anti-replay check: if the packet is found to be a replay it is dropped, otherwise it is handed to the IPsec protocol decapsulation pre-processor. The decapsulation pre-processor analyses the packet's security policy and security association information and writes the packet into the input FIFO of the verification (de-authentication) algorithm arithmetic unit in algorithm processing module 106. The decapsulation post-processor reads the packet delivered by the algorithm scheduler in the algorithm processing module and checks the legitimacy of the security association corresponding to the packet's security policy; if it is found to be illegitimate the packet is dropped, and if it is legitimate the IPsec header is stripped off, the packet is
processed into an IP-layer packet and handed to network communication interface 109. The outbound scheduler and the inbound scheduler can be realised with a two-to-one selector.
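The anti-replay protector above checks the sequence number before the packet ever reaches the verification arithmetic unit. That ordering is fine as a cheap pre-filter, but the replay window itself must only advance after the ICV has verified; if the unauthenticated SN were allowed to slide the window, a forged packet with a large SN would make the device drop the legitimate stream that follows. The patent text only says that an SN is read and replays are dropped, so the following is an added example (not code from the patent) of that split: a 64-entry RFC 4303 style window with separate check and update steps, and a driver that mirrors the "anti-replay first, verification second" order of the inbound path. The window size, the `replay_state` layout and the verdict names are this example's assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Window size is this example's choice: RFC 4303 requires at least 32, 64 is the common default. */
#define REPLAY_WINDOW 64

/* Per-SA receive state. last_seq is the highest SN whose ICV verified;
 * bit i of bitmap set means SN (last_seq - i) has already been accepted. */
struct replay_state {
    uint32_t last_seq;
    uint64_t bitmap;
};

enum sn_verdict { SN_ACCEPT = 0, SN_DROP_REPLAY = 1, SN_DROP_AUTH = 2 };

/* The anti-replay protector's check on the still-unauthenticated SN. Pure: never touches state. */
bool replay_check(const struct replay_state *st, uint32_t seq)
{
    if (seq == 0)
        return false;                        /* the first SN on an SA is 1; 0 is never valid */
    if (seq > st->last_seq)
        return true;                         /* right of the window: new */
    uint32_t diff = st->last_seq - seq;
    if (diff >= REPLAY_WINDOW)
        return false;                        /* left of the window: too old */
    return !((st->bitmap >> diff) & 1);      /* inside: replay if already marked */
}

/* Slide or mark the window. Only called after the verification unit reported success. */
void replay_update(struct replay_state *st, uint32_t seq)
{
    if (seq > st->last_seq) {
        uint32_t shift = seq - st->last_seq;
        st->bitmap = shift >= REPLAY_WINDOW ? 0 : st->bitmap << shift;   /* no UB on shift >= 64 */
        st->bitmap |= 1;                     /* bit 0 is last_seq itself */
        st->last_seq = seq;
    } else {
        st->bitmap |= (uint64_t)1 << (st->last_seq - seq);
    }
}

/* One inbound packet: SN pre-filter (IS04), ICV verification (IS06), then window update.
 * icv_ok stands in for the verification arithmetic unit's result. */
enum sn_verdict inbound_sn_step(struct replay_state *st, uint32_t seq, bool icv_ok)
{
    if (!replay_check(st, seq))
        return SN_DROP_REPLAY;
    if (!icv_ok)
        return SN_DROP_AUTH;                 /* state untouched: a forged SN cannot move the window */
    replay_update(st, seq);
    return SN_ACCEPT;
}

int main(void)
{
    struct replay_state st = { 0, 0 };
    /* Constructed arrival pattern: in order, a late arrival, a replay, a forged high SN, a late one. */
    struct { uint32_t seq; bool icv_ok; } arrivals[] = {
        { 1, true }, { 5, true }, { 3, true }, { 3, true }, { 1000, false }, { 4, true }
    };
    for (size_t i = 0; i < sizeof arrivals / sizeof arrivals[0]; i++) {
        enum sn_verdict v = inbound_sn_step(&st, arrivals[i].seq, arrivals[i].icv_ok);
        printf("seq %4u icv=%d -> %d  (last_seq=%u bitmap=%#llx)\n", arrivals[i].seq,
               (int)arrivals[i].icv_ok, (int)v, st.last_seq, (unsigned long long)st.bitmap);
    }
    return 0;
}
```

The forged packet with SN 1000 is rejected by the verification step and leaves `last_seq` at 5, so the genuinely late SN 4 is still accepted afterwards; had `replay_update` run before verification, SN 4 would have fallen outside the window and been dropped.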
Fig. 2 shows the basic processing flow of the dual-stack IPsec VPN device of the invention for outbound data, comprising the following steps:
OS00: The internal-network-side network communication interface receives link-layer data from the internal network, decapsulates it and converts it into an IP-layer data packet;
OS01: The outbound security policy selector is extracted and sent to the security database for match lookup, yielding the security policy information and the security association information; the outbound security policy selector here preferably consists of source IP, destination IP, upper-layer protocol number, source port and destination port;
OS02: The security policy information and security association information are analysed and the handling of the data packet flow is chosen. If the policy is to bypass IPsec, the bypass-IPsec policy information is attached and the packet is sent to its transmit FIFO buffer; if the policy is discard, the data packet flow is read out and discarded; if the policy is to apply IPsec, it is further checked whether the SA is valid: if it is invalid the packet is sent to the data packet buffer module, and if it is valid the packet is sent to the transmit FIFO buffer;
OS03: The outbound dual-stack VPN pre-processing module extracts the VPN selector of the packet and sends it to the outbound VPN management table;
OS04: After the outbound dual-stack VPN pre-processing module has encapsulated the VPN information, it writes the packet into the transfer FIFO to its next module;
OS05: When the IPsec protocol processing module finds that the FIFO from the outbound dual-stack VPN pre-processing module holds a data packet to be handled, it reads the packet out and performs IPsec protocol encapsulation pre-processing on it;
OS06: The algorithm processing module reads in the packet that requires algorithm processing and performs the corresponding cryptographic operation on it;
OS07: After the packet has been through algorithm processing, IPsec protocol encapsulation post-processing is performed on it;
OS08: The outbound communication interface re-encapsulates the completed IP-layer data packet into a data link layer frame and sends it out.
Fig. 3 shows the basic processing flow of the dual-stack IPsec VPN device of the invention for inbound data, comprising the following steps:
IS00: The external-network-side network communication interface receives a data link layer frame, decapsulates it into an IP-layer data packet and writes it into the FIFO buffer to the next module;
IS01: The inbound dual-stack VPN pre-processing module reads the packet, strips the VPN header off it, and writes the packet into the FIFO buffer to the next module;
IS02: The inbound security policy selector and the inbound security association selector of the packet are extracted and sent to the security database for match lookup of the security policy and security association information; the inbound security policy selector preferably consists of source IP, destination IP and upper-layer protocol number, and the inbound security association selector preferably consists of source IP, destination IP, upper-layer protocol number and SPI value;
IS03: The security policy and security association information are analysed. If the policy is to bypass IPsec, the bypass-IPsec information is encapsulated into the packet header, the packet is written into the FIFO buffer to the next module, and IPsec processing is bypassed; if the policy is to apply IPsec and the SA is valid, the security policy information and security association information are encapsulated into the packet header and the packet is written into the FIFO buffer to the next module; if the policy is to apply IPsec but the SA is invalid, or the policy is to discard the packet, the packet is read out and discarded directly;
IS04: When the IPsec protocol processing module finds that the FIFO buffer from the inbound dual-stack security processing module holds a data packet to be handled, it first performs anti-replay protection according to the packet's security sequence number (SN), analysing whether the packet is a replay; a replay is discarded directly, otherwise the packet is processed further;
IS05: The IPsec protocol processing module performs IPsec protocol decapsulation pre-processing on the packet and then passes it into the algorithm module;
IS06: When the algorithm module has read a data packet that needs handling, it sends the packet into the decryption or verification algorithm arithmetic unit for processing and examines the verification result; if verification fails the packet is dropped, and if verification succeeds the packet is passed to the next step;
IS07: The IPsec protocol decapsulation post-processor in the IPsec protocol processing module reads the packet and checks the legitimacy of its security association and security policy; if the check fails the packet is dropped, and if the result is legitimate the packet is passed to the next step;
IS08: The IPsec protocol decapsulation post-processor in the IPsec protocol processing module performs decapsulation post-processing on the packet, strips off the IPsec header, processes it into an IP-layer packet and hands it to the internal-network-side communication interface;
IS09: The internal-network-side data communication interface encapsulates the IP-layer data packet into a data link layer frame and sends it.
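Steps OS01/OS02 and IS02/IS03 above are the policy decisions of the two directions, and they differ in one security-relevant way: an outbound packet whose policy says "apply IPsec" but whose SA is not yet valid is held in the data packet buffer module (so the CPU can negotiate an SA), whereas an inbound packet in the same situation is discarded. The following is an added example (not code from the patent) of both decision paths over per-family policy databases, with an SA record carrying the fields that claim 2 lists. Everything here is this example's own: the table layout, the field names, the assumed encoding of the sequence-number overflow field, the default of discarding an outbound flow that matches no policy (the RFC 4301 default; the patent does not state one), and the constructed sample databases.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
enum ip_ver { IPV4 = 4, IPV6 = 6 };
enum policy_action { POLICY_DISCARD, POLICY_BYPASS, POLICY_PROTECT };
enum verdict { V_DISCARD, V_BYPASS, V_PROTECT, V_BUFFER_AWAIT_SA };
enum sn_overflow { SN_OVERFLOW_INVALIDATE, SN_OVERFLOW_WRAP };        /* assumed encoding of the claim-2 field */
enum { PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_ESP = 50 };
struct addr { uint8_t b[16]; };                                       /* IPv4 occupies the first 4 bytes */
struct addr a4(uint32_t ip) { struct addr a = {{0}}; for (int i = 0; i < 4; i++) a.b[i] = (uint8_t)(ip >> (24 - 8 * i)); return a; }
struct addr a6(uint8_t hi, uint8_t lo) { struct addr a = {{0}}; a.b[0] = hi; a.b[15] = lo; return a; }  /* "hi00::lo" */
struct selector { enum ip_ver ver; struct addr src, dst; uint8_t proto; uint16_t sport, dport; };
/* SA entry carrying the fields listed in claim 2; the field names are this example's. */
struct sa_entry {
    bool valid; uint8_t mode, proto, sn_overflow, enc_alg, auth_alg; bool needs_iv;
    uint16_t enc_keylen, auth_keylen, pmtu; uint32_t spi, seq;
    struct selector peer;                                             /* outer addresses + protocol: inbound SA selector */
};
struct sp_entry { struct selector sel; enum policy_action action; struct sa_entry *sa; };
struct spd { struct sp_entry *v4; size_t n4; struct sp_entry *v6; size_t n6; };   /* one table per family */
static bool addr_eq(const struct addr *x, const struct addr *y, enum ip_ver v) { return memcmp(x->b, y->b, v == IPV4 ? 4 : 16) == 0; }
/* First match wins (entries sit in priority order). Ports count only for the outbound 5-tuple. */
static const struct sp_entry *spd_lookup(const struct spd *db, const struct selector *s, bool ports)
{
    const struct sp_entry *t = s->ver == IPV4 ? db->v4 : db->v6;
    size_t n = s->ver == IPV4 ? db->n4 : db->n6;
    for (size_t i = 0; i < n; i++) {
        const struct selector *e = &t[i].sel;
        if (e->proto != s->proto || !addr_eq(&e->src, &s->src, s->ver) || !addr_eq(&e->dst, &s->dst, s->ver)) continue;
        if (ports && (e->sport != s->sport || e->dport != s->dport)) continue;
        return &t[i];
    }
    return NULL;
}

/* OS01/OS02: 5-tuple lookup, then SA validity. An unmatched flow is discarded (RFC 4301 default; the
 * patent does not say). PROTECT with a missing or invalid SA parks the packet in the data packet buffer
 * module until the CPU installs an SA; a sequence number about to wrap invalidates the SA the same way. */
enum verdict outbound_decide(const struct spd *db, const struct selector *s)
{
    const struct sp_entry *e = spd_lookup(db, s, true);
    if (!e || e->action == POLICY_DISCARD) return V_DISCARD;
    if (e->action == POLICY_BYPASS) return V_BYPASS;
    struct sa_entry *sa = e->sa;
    if (!sa || !sa->valid) return V_BUFFER_AWAIT_SA;
    if (sa->seq == UINT32_MAX) {
        if (sa->sn_overflow == SN_OVERFLOW_INVALIDATE) { sa->valid = false; return V_BUFFER_AWAIT_SA; }
        sa->seq = 0;                                                  /* WRAP is only safe with ESN */
    }
    sa->seq++;
    return V_PROTECT;
}

/* IS02/IS03: 3-tuple SPD lookup, then SA by (src, dst, protocol, SPI). Unlike the outbound side,
 * PROTECT without a matching valid SA drops the packet instead of buffering it. */
enum verdict inbound_decide(const struct spd *db, const struct sa_entry *sad, size_t nsad, const struct selector *s, uint32_t spi)
{
    const struct sp_entry *e = spd_lookup(db, s, false);
    if (!e || e->action == POLICY_DISCARD) return V_DISCARD;
    if (e->action == POLICY_BYPASS) return V_BYPASS;
    for (size_t i = 0; i < nsad; i++) {
        const struct sa_entry *sa = &sad[i];
        if (sa->valid && sa->spi == spi && sa->peer.ver == s->ver && sa->peer.proto == s->proto &&
            addr_eq(&sa->peer.src, &s->src, s->ver) && addr_eq(&sa->peer.dst, &s->dst, s->ver)) return V_PROTECT;
    }
    return V_DISCARD;
}
/* Constructed sample databases (not from the patent). SAs are unidirectional: entry 0 is an outbound
 * IPv4 SA, entry 1 the matching inbound SA, entry 2 an IPv6 SA the CPU has not negotiated yet. */
struct sa_entry sample_sad[3]; struct spd sample_out, sample_in;
static struct sp_entry out4[2], out6[1], in4[1];

void sample_init(void)
{
    sample_sad[0] = (struct sa_entry){ .valid = true, .mode = 1, .proto = PROTO_ESP, .sn_overflow = SN_OVERFLOW_INVALIDATE,
        .enc_alg = 1, .auth_alg = 1, .needs_iv = true, .enc_keylen = 128, .auth_keylen = 160, .pmtu = 1400, .spi = 0x1001,
        .peer = { IPV4, a4(0xC6336402), a4(0xC6336401), PROTO_ESP, 0, 0 } };   /* 198.51.100.2 -> 198.51.100.1 */
    sample_sad[1] = sample_sad[0]; sample_sad[1].spi = 0x1002;
    sample_sad[1].peer = (struct selector){ IPV4, a4(0xC6336401), a4(0xC6336402), PROTO_ESP, 0, 0 };
    sample_sad[2] = (struct sa_entry){ .valid = false, .proto = PROTO_ESP, .spi = 0x2002 };
    out4[0] = (struct sp_entry){ { IPV4, a4(0x0A000001), a4(0xC0A80101), PROTO_TCP, 1234, 443 }, POLICY_PROTECT, &sample_sad[0] };
    out4[1] = (struct sp_entry){ { IPV4, a4(0x0A000001), a4(0xC0A80101), PROTO_ICMP, 0, 0 }, POLICY_BYPASS, NULL };
    out6[0] = (struct sp_entry){ { IPV6, a6(0xfd, 1), a6(0xfd, 2), PROTO_TCP, 40000, 80 }, POLICY_PROTECT, &sample_sad[2] };
    in4[0]  = (struct sp_entry){ { IPV4, a4(0xC6336401), a4(0xC6336402), PROTO_ESP, 0, 0 }, POLICY_PROTECT, NULL };
    sample_out = (struct spd){ out4, 2, out6, 1 };
    sample_in  = (struct spd){ in4, 1, NULL, 0 };
}

int main(void)
{
    sample_init();
    struct selector https = { IPV4, a4(0x0A000001), a4(0xC0A80101), PROTO_TCP, 1234, 443 };
    struct selector esp_in = { IPV4, a4(0xC6336401), a4(0xC6336402), PROTO_ESP, 0, 0 };
    int v = outbound_decide(&sample_out, &https);
    printf("outbound https -> %d (2 = PROTECT), SN now %u\n", v, sample_sad[0].seq);
    printf("inbound ESP, known SPI -> %d, unknown SPI -> %d (0 = DISCARD)\n",
           (int)inbound_decide(&sample_in, sample_sad, 3, &esp_in, 0x1002), (int)inbound_decide(&sample_in, sample_sad, 3, &esp_in, 0x9999));
    return 0;
}
```

The per-family split mirrors the separate IPv4 and IPv6 policy databases of Fig. 4: the selector's version picks the table, and an IPv6 flow can never match an IPv4 entry by accident. The inbound SA match includes the outer addresses and protocol as well as the SPI, as the IS02 selector requires, so a valid SPI replayed from a different peer still fails the lookup.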
Fig. 4 shows the flow for maintaining and using the dual-stack security databases in the dual-stack IPsec VPN device of the invention. Note that it is not the case that every step needs exactly one clock tick to complete; those skilled in the art will understand that a step takes at least one clock tick. The outbound security database operation interface or the inbound security database operation interface (hereinafter security operation interface 103 or 111) receives access requests and distinguishes between CPU accesses and lookup accesses from security processing module 113 or 106. A CPU access proceeds as follows: the CPU sends a command and parameters over on-chip bus 102; the security database operation interface receives the command and parameters and parses them, then selects either the security association database or the security policy database; if it is the security policy database it further selects the IPv4 or the IPv6 database, and the parsed command and parameters are converted into a read or write operation on that security policy database. An access by a dual-stack security processing module proceeds as follows: the dual-stack security processing module sends a match-lookup request command and parameters; security operation interface 103 or 111 parses the received command and parameters, converts them into a read operation on the security policy database, and judges whether the security association database SAD needs to be accessed; if so, the command and parameters are further converted into a read operation on the SAD and the security information result is then output; if not, the data security information result is output directly; the access then ends.
Fig. 5 shows a presently preferred dual-stack VPN processing method, comprising outbound dual-stack VPN pre-processing and inbound dual-stack VPN pre-processing. For outbound VPN pre-processing, the VPN selector of the packet is read first; this selector is the source and destination IP of the packet header. The selector is fed into the match circuit inside the VPN table module, which looks up the VPN information; the match circuit is preferably realised as a CAM, and the contents of the VPN table are held in on-chip RAM. The VPN header information is then output; after the outbound VPN pre-processing module has read the VPN header information, it encapsulates the VPN header into the packet header and writes the packet into the FIFO to the IPsec protocol processing module. For inbound dual-stack VPN pre-processing, the packet is read, its class (IPv4 or IPv6) is analysed, the VPN header of that class is stripped off, and the packet is then written into the FIFO to the inbound dual-stack security processing module.
Fig. 6 shows a typical deployment of the dual-stack IPsec VPN device. As shown in Fig. 6, an organisation has a head-office network and two branch networks, branch 1 and branch 2, spread over different offices. The head-office network is an IPv4/IPv6 dual-stack network, branch 1 is an IPv4 network and branch 2 is an IPv6 network. The hosts in the head-office and branch networks are all dual-stack nodes; the head office contains an IPv4 server and an IPv6 server, and the switch in the head-office network supports dual stack. When a host node of the head-office network accesses an IPv4 node of the head-office network, branch 1 or branch 2 it uses an IPv4 address, and when it accesses an IPv6 node it uses an IPv6 address. As illustrated, three dual-stack IPsec VPN devices of the invention serve as the default VPN nodes of the head-office network and of the two branch networks. Each dual-stack IPsec VPN device has both an IPv4 and an IPv6 address on its external-network-side port, and these addresses are globally unique; on its internal-network side it has an IPv4 and an IPv6 address of the internal network segment. The VPN communication process is as follows. When head-office host a uses an IPv4 address to access host a of the branch 1 network, the data packet flows through the switch, dual-stack IPsec VPN device 1, the Internet, dual-stack IPsec VPN device 2 and then to host a of the branch 1 network; in this process an IPsec VPN channel is established between dual-stack IPsec VPN device 1 and dual-stack IPsec VPN device 2 to protect the data communication, and because both communicating parties use IPv4 addresses, the dual-stack IPsec VPN devices use the IPv4 processing path when handling the packets. In another example, when host b of branch 2
uses an IPv6 address to access the IPv6 server of the head-office network, the data packet flows through dual-stack IPsec VPN device 3, the Internet, dual-stack IPsec VPN device 1, the switch and the IPv6 server; because both the initiating and the receiving party use IPv6 addresses, dual-stack IPsec VPN device 1 and dual-stack IPsec VPN device 3 use the IPv6 processing path, but for dual-stack IPsec VPN device 3 the outbound VPN pre-processing adds IPv4 VPN header information so that the IPv6 packet can traverse an IPv4 Internet.
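The Fig. 5 pre-processing and the Fig. 6 scenario for device 3 come down to two operations: on the way out, put an IPv4 VPN header in front of a packet whose own version may be 6; on the way in, classify the packet by version and strip the VPN header of that class. The patent does not specify the VPN header format, so the following added example (not code from the patent) models it as a plain IPv4 outer header, protocol 41 for IPv6-in-IPv4 (RFC 4213) and protocol 4 for IPv4-in-IPv4 (RFC 2003); that choice, the function names and the constructed sample packet are this example's assumptions. The part worth copying is the ingress side: the version nibble is only trusted after the length fields have been checked against the bytes actually present, and a packet whose inner version contradicts the outer protocol number is refused rather than forwarded.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IPV4_HDR 20
#define IPV6_HDR 40
#define PROTO_IPIP 4      /* RFC 2003: IPv4 carried in IPv4 */
#define PROTO_IPV6 41     /* RFC 4213: IPv6 carried in IPv4 */

/* Ingress classification by version nibble, with the length checks that must precede any use of
 * a header field. Returns 4, 6, or 0 for a packet that is malformed or truncated. */
int ip_classify(const uint8_t *p, size_t len)
{
    if (len < 1) return 0;
    int ver = p[0] >> 4;
    if (ver == 4) {
        size_t ihl = (size_t)(p[0] & 0x0f) * 4;
        if (len < IPV4_HDR || ihl < IPV4_HDR) return 0;
        size_t total = ((size_t)p[2] << 8) | p[3];
        return (total >= ihl && total <= len) ? 4 : 0;
    }
    if (ver == 6) {
        if (len < IPV6_HDR) return 0;
        size_t payload = ((size_t)p[4] << 8) | p[5];
        return (IPV6_HDR + payload <= len) ? 6 : 0;
    }
    return 0;
}

/* RFC 791 header checksum; a header carrying a correct checksum sums to zero. */
uint16_t ipv4_checksum(const uint8_t *h, size_t n)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < n; i += 2) sum += ((uint32_t)h[i] << 8) | h[i + 1];
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Outbound VPN pre-processing (Fig. 5; device 3 in Fig. 6): prepend an IPv4 VPN header so the
 * packet can cross an IPv4-only Internet. The outer protocol number follows the inner version.
 * Returns the encapsulated length, or 0 on a malformed inner packet or a too-small buffer. */
size_t vpn_encap_v4(const uint8_t *inner, size_t ilen, uint32_t src, uint32_t dst, uint8_t *out, size_t cap)
{
    int ver = ip_classify(inner, ilen);
    size_t total = IPV4_HDR + ilen;
    if (ver == 0 || cap < total || total > 0xffff) return 0;
    memset(out, 0, IPV4_HDR);
    out[0] = 0x45;                                     /* version 4, IHL 5 (no options) */
    out[2] = (uint8_t)(total >> 8); out[3] = (uint8_t)total;
    out[6] = 0x40;                                     /* DF set: the SA's PMTU field governs sizing */
    out[8] = 64;                                       /* TTL */
    out[9] = ver == 6 ? PROTO_IPV6 : PROTO_IPIP;
    for (int i = 0; i < 4; i++) { out[12 + i] = (uint8_t)(src >> (24 - 8 * i)); out[16 + i] = (uint8_t)(dst >> (24 - 8 * i)); }
    uint16_t c = ipv4_checksum(out, IPV4_HDR);
    out[10] = (uint8_t)(c >> 8); out[11] = (uint8_t)c;
    memcpy(out + IPV4_HDR, inner, ilen);
    return total;
}

/* Inbound VPN pre-processing: validate the outer IPv4 header, strip it, and refuse a packet whose
 * inner version nibble disagrees with the outer protocol number. Returns the inner length or 0. */
size_t vpn_decap_v4(const uint8_t *pkt, size_t len, const uint8_t **inner)
{
    if (ip_classify(pkt, len) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ipv4_checksum(pkt, ihl) != 0) return 0;
    const uint8_t *in = pkt + ihl;
    size_t ilen = total - ihl;
    int iver = ip_classify(in, ilen);
    if ((pkt[9] == PROTO_IPV6 && iver == 6) || (pkt[9] == PROTO_IPIP && iver == 4)) { *inner = in; return ilen; }
    return 0;
}

/* Constructed sample: a minimal IPv6 packet fd00::1 -> fd00::2, next header UDP, 8 payload bytes. */
size_t make_sample_ipv6(uint8_t *buf, size_t cap)
{
    if (cap < IPV6_HDR + 8) return 0;
    memset(buf, 0, IPV6_HDR + 8);
    buf[0] = 0x60; buf[5] = 8; buf[6] = 17; buf[7] = 64;
    buf[8] = 0xfd; buf[23] = 1; buf[24] = 0xfd; buf[39] = 2;
    memcpy(buf + IPV6_HDR, "payload!", 8);
    return IPV6_HDR + 8;
}

int main(void)
{
    uint8_t v6[64], out[128];
    const uint8_t *in = NULL;
    size_t n = make_sample_ipv6(v6, sizeof v6);
    size_t m = vpn_encap_v4(v6, n, 0xC6336403, 0xC6336401, out, sizeof out);   /* 198.51.100.3 -> .1 */
    size_t k = vpn_decap_v4(out, m, &in);
    printf("inner %zu bytes (v%d) -> outer %zu bytes, proto %u -> stripped %zu bytes, intact=%d\n",
           n, ip_classify(v6, n), m, out[9], k, k == n && memcmp(in, v6, n) == 0);
    return 0;
}
```

In the device the outer header would carry the SA's PMTU and the addresses from the VPN table rather than the literals used here; the validation order (outer lengths, outer checksum, inner lengths, version against protocol) is the point, since it runs before the ingress security processing module ever sees the inner packet.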

Claims (6)

1. A dual-stack IPsec VPN device, characterised in that it comprises a dual-stack VPN processing part, a security database structure and lookup part, a security protocol processing part, a data stream transmission processing part and a CPU part;
the dual-stack VPN processing part is used for dual-stack processing and VPN header processing, and comprises an outbound dual-stack VPN pre-processing module, an outbound VPN management table and an inbound dual-stack VPN pre-processing module;
the security database structure and lookup part is used for maintaining and match-looking-up the two kinds of security policy database, IPv4 and IPv6, and for maintaining and match-looking-up one kind of security association database; it comprises an outbound dual-stack security processing module, a data packet buffer module, an outbound security database operation interface, an outbound dual-stack security database module, an inbound dual-stack security processing module, an inbound security database operation interface and an inbound dual-stack security database module;
the security protocol processing part is used for completing the encapsulation and decapsulation processing of the IPsec AH and ESP protocols and the encryption, decryption and authentication algorithm processing of data packets; it comprises an IPsec protocol processing module and an algorithm processing module;
the data stream transmission processing part is used for controlling the inbound and outbound data streams to flow in sequence through the different modules and network communication interfaces; packet data going from the internal network out to the external network passes through the outbound dual-stack security processing module and the outbound dual-stack VPN pre-processing module, which encapsulate the security parameters and the VPN parameters respectively into the header of the original packet; packet data entering the internal network from the external network has its VPN header information stripped off by the inbound dual-stack VPN pre-processing, and after this packet with the VPN information removed has been processed by the inbound dual-stack security processing module, the security parameters are encapsulated into its header;
the CPU part comprises a CPU and the bus architecture that works with it, and is used for managing the security databases and the VPN data tables and for analysing the transport layer and the higher-layer protocols defined by the OSI model; it does not intervene in normal packet flow processing;
wherein the CPU, the inbound security database operation interface, the outbound VPN management table and the outbound security database operation interface are interconnected through the on-chip bus; the outbound communication interface and the outbound dual-stack security processing module are connected through a dual-port buffer; the outbound dual-stack security processing module is connected with the outbound security database operation interface and the data packet buffer module; the outbound dual-stack security database module is connected with the outbound database operation interface; the outbound dual-stack security processing module and the outbound dual-stack VPN pre-processing module are connected through a dual-port buffer; the outbound dual-stack VPN pre-processing module is connected with the outbound VPN management table; the outbound dual-stack VPN pre-processing module and the IPsec protocol processing module are connected through a dual-port buffer; the IPsec protocol processing module and the algorithm processing module are connected through a dual-port buffer; the IPsec protocol processing module and the outbound communication interface are connected through a dual-port buffer; the internal-network communication interface and the inbound dual-stack VPN pre-processing module are connected through a dual-port buffer; the inbound dual-stack VPN pre-processing module and the inbound dual-stack security processing module are connected through a dual-port memory; the inbound dual-stack security processing module is connected with the inbound security database operation interface; the inbound dual-stack security processing module and the IPsec protocol processing module are connected through a dual-port buffer; and the IPsec protocol processing module and the internal-network communication interface are connected through a dual-port buffer.
2. The dual-stack IPsec VPN device of claim 1, characterised in that the outbound dual-stack security database module comprises: an outbound security policy database for storing security policy entries, an outbound security association database for storing outbound security association entries, and a read/write logic conversion interface to the two databases;
the outbound security policy database comprises two databases corresponding respectively to IPv4 and IPv6: an outbound IPv4 policy database and an outbound IPv6 policy database; the outbound IPv4 policy database is used for match-querying the policy of IPv4-type packet flows, and the outbound IPv6 policy database is used for match-querying the policy of IPv6-type packet flows;
the outbound security association database is a storage unit for storing security association entry information; the information it stores comprises a transmission mode selection field, a selection field for the protocol type used, a sequence number overflow handling selection field, an encryption algorithm selection field, an authentication algorithm selection field, a field selecting whether an encryption IV is needed, an encryption algorithm key length field, an authentication algorithm key length field, a PMTU field, a Security Parameter Index field and a sequence number counter field.
3. The dual-stack IPsec VPN device of claim 1, characterised in that the outbound VPN management table comprises two kinds of VPN table storage unit, IPv4 and IPv6, and an access control logic controller; the access control logic controller comprises: a control logic circuit for the CPU's query, add and delete operations on VPN management table entries, and a control logic circuit for the outbound dual-stack VPN pre-processing module's query operations on the VPN management table.
4. The dual-stack IPsec VPN device of claim 1, characterised in that the algorithm processing module comprises an encryption algorithm arithmetic unit, a decryption algorithm arithmetic unit, an authentication algorithm arithmetic unit and a verification (de-authentication) algorithm arithmetic unit; wherein, in the direction of internal-network packets going out to the external network, the input interface of the encryption algorithm arithmetic unit is connected to the encryption algorithm processing output interface of the IPsec protocol processing module, the input interface of the authentication algorithm arithmetic unit is connected to the output interface of a two-to-one selector whose two input interfaces are connected respectively to the authentication algorithm processing output interface of the IPsec protocol processing module and to the output interface of the encryption algorithm arithmetic unit, and the output interface of the authentication algorithm arithmetic unit is connected to the authentication algorithm result input interface of the IPsec protocol processing module; in the direction of external-network packets entering the internal network, the input interface of the verification algorithm arithmetic unit is connected to the verification algorithm result output interface of the IPsec protocol processing module, the output interface of the verification algorithm arithmetic unit and the output interface of the decryption algorithm arithmetic unit are connected respectively to the two input interfaces of a two-to-one selector whose output interface is connected to the algorithm processing result input interface of the IPsec protocol processing module, and the output interface of the verification algorithm arithmetic unit is also connected to the input interface of the decryption algorithm arithmetic unit.
5. The dual-stack IPsec VPN device of claim 3, characterised in that the encryption/decryption algorithm arithmetic units comprise at least two encryption/decryption algorithm arithmetic units using different encryption/decryption algorithms, and the authentication/verification algorithm arithmetic units comprise at least two authentication/verification algorithm arithmetic units using different authentication/verification algorithms.
6. The dual-stack IPsec VPN device of claim 1, characterised in that the IPsec protocol processing module comprises:
an IPsec protocol encapsulation pre-processor, for analysing the security policy and security association information of outbound packets, determining whether a packet needs encryption and authentication computation or only authentication computation, and then sending the packet to the corresponding arithmetic unit;
an IPsec protocol encapsulation post-processor, for performing protocol encapsulation on packets that have been processed by the encryption and/or authentication arithmetic units, and writing the packets whose encapsulation has finished into the dual-port buffer to the outbound communication interface;
an anti-replay protector, for performing anti-replay detection on the received inbound packets and carrying out anti-replay handling according to the detection result;
an IPsec protocol decapsulation pre-processor, for analysing the security policy and security association information of inbound packets, determining whether a packet needs decryption and verification computation or only verification computation, and then sending the packet to the corresponding arithmetic unit;
an IPsec protocol decapsulation post-processor, for performing protocol decapsulation on packets that have been processed by the decryption and/or verification arithmetic units, then checking whether the packet's security policy and security association information are legitimate, dropping the packet if they are not and, if they are, writing the packet whose decapsulation has finished into the dual-port buffer to the internal-network communication interface;
the IPsec protocol encapsulation pre-processor, the IPsec protocol encapsulation post-processor, the IPsec protocol decapsulation pre-processor and the IPsec protocol decapsulation post-processor work independently of one another and concurrently, have no circuit connection between them, and are each connected through an independent data path to the respective arithmetic units in the algorithm processing module.
CN201510307310.2A 2015-07-16 2015-07-16 A kind of double stack IPSec VPN devices Active CN105025004B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510307310.2A CN105025004B (en) 2015-07-16 2015-07-16 A kind of double stack IPSec VPN devices

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510307310.2A CN105025004B (en) 2015-07-16 2015-07-16 A kind of double stack IPSec VPN devices

Publications (2)

Publication Number Publication Date
CN105025004A CN105025004A (en) 2015-11-04
CN105025004B true CN105025004B (en) 2018-01-02

Family

ID=54414710

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510307310.2A Active CN105025004B (en) 2015-07-16 2015-07-16 A kind of double stack IPSec VPN devices

Country Status (1)

Country Link
CN (1) CN105025004B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180091556A1 (en) * 2016-09-29 2018-03-29 Futurewei Technologies, Inc. System and method for packet classification using multiple security databases
CN111585986A (en) * 2020-04-24 2020-08-25 广东纬德信息科技股份有限公司 Safe transmission method, device, medium and terminal equipment based on power gateway
CN111614538B (en) * 2020-04-30 2022-03-29 网络通信与安全紫金山实验室 Message forwarding method based on IPsec encapsulation protocol

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005025141A1 (en) * 2003-09-05 2005-03-17 Ntt Docomo, Inc. Communication between fixed terminals of an ipv4 private network and an ipv6 global network interconnected through the ipv4-internet
CN101043411A (en) * 2006-03-24 2007-09-26 华为技术有限公司 Method and system for realizing mobile VPN service in hybrid network
CN101043410A (en) * 2006-03-24 2007-09-26 华为技术有限公司 Method and system for realizing mobile VPN service
CN102932767A (en) * 2011-08-11 2013-02-13 中兴通讯股份有限公司 Information transmission method, packet data network gateway as well as policy and charging rules function

Also Published As

Publication number Publication date
CN105025004A (en) 2015-11-04

Similar Documents

Publication Publication Date Title
DE112005000523B4 (en) Two parallel machines for high-speed transmission IPSEC processing
CN101262405B (en) High-speed secure virtual private network channel based on network processor and its realization method
US7159109B2 (en) Method and apparatus to manage address translation for secure connections
US7017042B1 (en) Method and circuit to accelerate IPSec processing
CN100594690C (en) Method and device for safety strategy uniformly treatment in safety gateway
US7398386B2 (en) Transparent IPSec processing inline between a framer and a network component
CN100358280C (en) A network security appliance and realizing method thereof
CN109756501B (en) High-privacy network proxy method and system based on HTTP (hyper text transport protocol)
WO2019092593A1 (en) Nic with programmable pipeline
CN104410541B (en) The method and device that VXLAN internal layer virtual machine traffics are counted in intermediary switch
CN104394148B (en) The outgoing processing system for implementing hardware of ipsec protocol under IPv6
CN106341404A (en) IPSec VPN system based on many-core processor and encryption and decryption processing method
JP2002287620A (en) Security communication packet processor and security communication packet processing method
US8949578B2 (en) Sharing of internal pipeline resources of a network processor with external devices
CN100499451C (en) Network communication safe processor and its data processing method
CN106685826B (en) Switchboard stacked system, from equipment, exchange chip and processing protocol message method
CA2432322A1 (en) Packet encrypton system and method
CN104137508B (en) Network node with the network-attached safe discharge mechanism of stateless
CN105812322B (en) The method for building up and device of internet safety protocol safe alliance
CN108964880A (en) A kind of data transmission method and device
CN105025004B (en) A kind of double stack IPSec VPN devices
US8438641B2 (en) Security protocol processing for anti-replay protection
Schuehler et al. Architecture for a hardware-based, TCP/IP content-processing system
US20080028210A1 (en) Packet cipher processor and method
CN1984131A (en) Method for processing distributed IPSec

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant