CN105025004B - A kind of double stack IPSec VPN devices - Google Patents
- Publication number: CN105025004B (application CN201510307310.2A)
- Authority: CN (China)
- Prior art keywords: vpn, outgoing, double stack, message, ipsec
- Legal status: Active (as listed by Google Patents, not a legal conclusion)
Classifications
- H04L63/164 — Implementing security features at the network layer (under H04L63/00, Network architectures or network communication protocols for network security; H04L63/16, Implementing security features at a particular protocol layer)
- H04L12/4641 — Virtual LANs, VLANs, e.g. virtual private networks [VPN] (under H04L12/00, Data switching networks; H04L12/28, Data switching networks characterised by path configuration, e.g. LAN or WAN; H04L12/46, Interconnection of networks)
Abstract
The invention discloses a dual-stack IPSec VPN device in the technical field of network communication security. The dual-stack IPSec VPN device of the invention comprises a dual-stack VPN processing part, a security database construction and lookup part, a security protocol processing part, a data stream transmission and processing part, and a CPU part. Compared with the prior art, the invention provides the network security services that VPN technology must deliver while IPv4 migrates to IPv6; the data stream processing part is implemented entirely in hardware circuits, and the CPU is used only to maintain the databases and data tables, so the device suits high-speed network information security applications.
Description
Technical field
The present invention relates to the technical field of network communication security, and in particular to a dual-stack IPSec VPN device.
Background technology
A network is open by nature. On the one hand this openness lets any user access it conveniently; on the other hand, if a network service takes no security precautions, its communication data can be obtained by any user who enters the network, and the communication process then has no security. With the development of network technology and the emergence of many new network services, the security requirements of network services, particularly in government, telecommunications, finance and data communication enterprises, have reached an unprecedented level, and these organisations have greatly increased the categories of information that must be kept confidential. IPv4 address exhaustion is a hard problem facing today's IP networks; the industry generally accepts that migration to IPv6 is the most effective way to solve it thoroughly, but the migration from IPv4 to IPv6 in turn affects VPNs that are already deployed. In addition, with the spread of high-speed networks, 10G and 40G networks have become common, 100G networks are being deployed in more developed areas, and 400G networks are leaving the laboratory for application; how to ensure data security on networks of such speed has also become a very urgent problem.
To address network security, the Internet Engineering Task Force (IETF) proposed a group of security protocols that protect IP-layer data, namely the IPSec protocols. IPSec is a standard, robust and widely accepted mechanism; the protocol itself defines a set of default, mandatory security algorithms so that different IPSec implementations can interoperate. It provides security for IPv4 and IPv6 IP-layer data, including data origin authentication, data integrity authentication, data confidentiality and anti-replay protection.
The migration from IPv4 to IPv6 will remain in a transition phase for a long time to come. Existing transition technologies include dual-stack, tunnelling and NAT-PT. With dual-stack, the communicating node runs both stacks: it selects the IPv4 protocol stack when communicating with IPv4 nodes and the IPv6 protocol stack when communicating with IPv6 nodes. Tunnelling lets two IPv6 sites communicate across an IPv4 network and includes several manually configured tunnel techniques and automatic tunnel techniques. NAT-PT interconnects IPv4 and IPv6 networks by translating between IPv4 and IPv6 addresses. At present the dual-stack scheme is the most mature and has the widest scope of application, and it is the mainstream choice of operators worldwide for deploying IPv6. Combining dual-stack networking, IPSec and VPN technology in one device gives that device a very wide scope of application, achieving protocol migration, network security protection and VPN construction at once.
Dual-stack IPSec VPN is currently realised in three main ways: a general-purpose processor with pure software, a general-purpose processor with a hardware algorithm acceleration module, and an integrated network processor. The first is the most flexible but the slowest and is unsuitable for high-speed networks. The second is less flexible, and the CPU still carries a large part of the data stream, so it is likewise unsuitable for high-speed networks. The third is moderately flexible: the CPU does not touch the data stream and is used only for configuration and management, and the CPU bus is separated into the bus architecture and the ingress and egress packet-data buses, three buses independent of each other. Implementing the IPSec protocol entirely in hardware circuits gives strong scalability and the highest speed, and suits high-speed network scenarios.
Summary of the invention
The technical problem to be solved by the invention is to overcome the deficiencies of the prior art and provide a dual-stack IPSec VPN device that can supply security services to next-generation high-speed networks during the IPv4-to-IPv6 deployment, with high data processing and transmission efficiency and strong scalability.
The invention solves the above technical problem with the following technical scheme:
A dual-stack IPSec VPN device, comprising a dual-stack VPN processing part, a security database construction and lookup part, a security protocol processing part, a data stream transmission and processing part and a CPU part;
the dual-stack VPN processing part performs dual-stack processing and VPN header processing, and includes an outbound dual-stack VPN preprocessing module, an outbound VPN management table and an inbound dual-stack VPN preprocessing module;
the security database construction and lookup part maintains and performs matched lookup in the two policy databases (IPv4 and IPv6) and in one security association database; it includes an outbound dual-stack security processing module, a data packet cache module, an outbound security database operation interface, an outbound dual-stack security database module, an inbound dual-stack security processing module, an inbound security database operation interface and an inbound dual-stack security database module;
the security protocol processing part performs encapsulation and decapsulation for the IPSec AH and ESP protocols and the encryption, decryption and authentication algorithm processing of the packet data; it includes an IPSec protocol processing module and an algorithm processing module;
the data stream transmission and processing part controls the inbound and outbound data streams so that they flow in order through the different modules and the network communication interfaces. Packet data going from the intranet to the extranet passes through the outbound dual-stack security processing module and the outbound dual-stack VPN preprocessing module, which respectively encapsulate security parameters and VPN parameters into the header of the original packet. Packet data entering the intranet from the extranet first has its VPN header information stripped by the inbound dual-stack VPN preprocessing module; the stripped packet is then processed by the inbound dual-stack security processing module, which encapsulates security parameters into its header;
the CPU part includes a CPU and the bus architecture that works with it; it manages the security databases and the VPN data table, analyses the transport layer and higher-layer protocols of the OSI model where necessary, and does not intervene in normal packet stream processing;
wherein the CPU, the inbound security database operation interface, the outbound VPN management table and the outbound security database operation interface are interconnected by the on-chip bus; the outbound communication interface and the outbound dual-stack security processing module are connected by a dual-port buffer; the outbound dual-stack security processing module is connected to the outbound security database operation interface and to the data packet cache module; the outbound dual-stack security database module is connected to the outbound database operation interface; the outbound dual-stack security processing module and the outbound dual-stack VPN preprocessing module are connected by a dual-port buffer; the outbound dual-stack VPN preprocessing module is connected to the outbound VPN management table; the outbound dual-stack VPN preprocessing module and the IPSec protocol processing module are connected by a dual-port buffer; the IPSec protocol processing module and the algorithm processing module are connected by a dual-port buffer; the IPSec protocol processing module and the outbound communication interface are connected by a dual-port buffer; the intranet communication interface and the inbound dual-stack VPN preprocessing module are connected by a dual-port buffer; the inbound dual-stack VPN preprocessing module and the inbound dual-stack security processing module are connected by a dual-port memory; the inbound dual-stack security processing module is connected to the inbound security database operation interface; the inbound dual-stack security processing module and the IPSec protocol processing module are connected by a dual-port buffer; and the IPSec protocol processing module and the intranet communication interface are connected by a dual-port buffer.
As one preferred scheme, the outbound dual-stack security database module includes an outbound security policy database for storing security policy entries, an outbound security association database for storing outbound security association entries, and read/write logic conversion interfaces to the two databases;
the outbound security policy database comprises two databases corresponding to IPv4 and IPv6 respectively, an outbound IPv4 policy database and an outbound IPv6 policy database; the outbound IPv4 policy database matches and looks up the policies of IPv4 packet flows, and the outbound IPv6 policy database matches and looks up the policies of IPv6 packet flows;
the outbound security association database is a memory unit storing security association entries; the stored information includes a transport mode selection field, a protocol type selection field, a sequence number overflow handling selection field, an encryption algorithm selection field, an authentication algorithm selection field, a field indicating whether an encryption IV is needed, an encryption algorithm key length field, an authentication algorithm key length field, a PMTU field, a Security Parameter Index field and a sequence number counter field.
As another preferred scheme, the algorithm processing module includes an encryption algorithm operator, a decryption algorithm operator, an authentication algorithm operator and a verification (de-authentication) algorithm operator. In the direction of intranet packets going out to the extranet, the input interface of the encryption algorithm operator is connected to the encryption algorithm processing output interface of the IPSec protocol processing module; the input interface of the authentication algorithm operator is connected to the output interface of a two-to-one selector, whose two input interfaces are connected respectively to the authentication algorithm processing output interface of the IPSec protocol processing module and to the output interface of the encryption algorithm operator; and the output interface of the authentication algorithm operator is connected to the authentication algorithm result input interface of the IPSec protocol processing module. In the direction of extranet packets entering the intranet, the input interface of the verification algorithm operator is connected to the verification algorithm processing output interface of the IPSec protocol processing module; the output interfaces of the verification algorithm operator and of the decryption algorithm operator are connected respectively to the two input interfaces of a two-to-one selector, whose output interface is connected to the algorithm result input interface of the IPSec protocol processing module; and the output interface of the verification algorithm operator is also connected to the input interface of the decryption algorithm operator.
Further, the encryption/decryption algorithm operators include at least two operators using different encryption/decryption algorithms, and the authentication/verification algorithm operators include at least two operators using different authentication/verification algorithms.
As a further optimisation of the invention, the IPSec protocol processing module includes:
an IPSec protocol encapsulation pre-processor, which analyses the security policy and security association information of an outbound packet, decides whether the packet needs both encryption and authentication or only authentication, and sends the packet to the corresponding operator;
an IPSec protocol encapsulation post-processor, which performs protocol encapsulation on packets that have passed through the encryption and/or authentication operators and writes the encapsulated packet into the dual-port buffer leading to the outbound communication interface;
an anti-replay protection device, which performs anti-replay detection on received inbound packets and applies anti-replay handling according to the detection result;
an IPSec protocol decapsulation pre-processor, which analyses the security policy and security association information of an inbound packet, decides whether the packet needs both decryption and verification or only verification, and sends the packet to the corresponding operator;
an IPSec protocol decapsulation post-processor, which performs protocol decapsulation on packets that have passed through the decryption and/or verification operators and then checks whether the packet's security policy and security association information are legal; if not, the packet is discarded; if legal, the decapsulated packet is written into the dual-port buffer leading to the intranet communication interface;
the IPSec protocol encapsulation pre-processor, encapsulation post-processor, decapsulation pre-processor and decapsulation post-processor work independently and concurrently, have no circuit connection between them, and are each connected through independent data paths to the respective operators of the algorithm processing module.
Compared with the prior art, the dual-stack IPSec VPN device proposed by the invention introduces dual-stack VPN management, the maintenance and use of dual-stack security databases, maintenance of the databases and data tables by the CPU, and handling of the necessary protocols above IP. The modules through which packets flow are connected by dual-port buffers, which reduces coupling between modules and speeds up development. A multi-bus packet data stream processing method gives the invention very high processing efficiency and scalability. In the technical scheme of the invention, packet data stream processing is implemented entirely in hardware circuits, which gives very high processing efficiency, reduces system complexity and makes the system design easier to realise.
Brief description of the drawings
Fig. 1 shows a preferred structure of the dual-stack IPSec VPN device of the invention;
Fig. 2 shows the basic processing flow of the dual-stack IPSec VPN device of the invention for outbound data;
Fig. 3 shows the basic processing flow of the dual-stack IPSec VPN device of the invention for inbound data;
Fig. 4 shows the maintenance and use flow of the dual-stack security databases in the dual-stack IPSec VPN device of the invention;
Fig. 5 shows the workflow of the dual-stack VPN processing part in the dual-stack IPSec VPN device of the invention;
Fig. 6 shows a typical deployment of the dual-stack IPSec VPN device of the invention.
Embodiment
The technical scheme of the invention is described in detail below with reference to the accompanying drawings:
Fig. 1 shows the basic structure of a preferred embodiment of the dual-stack IPSec VPN device of the invention. The dual-stack IPSec VPN device 100 includes a dual-stack VPN processing part, a security database construction and lookup part, a security protocol processing part, a data stream transmission and processing part and a CPU part. The dual-stack VPN processing part includes an outbound dual-stack VPN preprocessing module 112, an outbound VPN management table 105 and an inbound dual-stack VPN preprocessing module 115. The security database construction and lookup part includes an outbound dual-stack security processing module 110, a data packet cache module 111, an outbound security database operation interface 103, an outbound dual-stack security database module 104, an inbound dual-stack security processing module 114, an inbound security database operation interface 107 and an inbound dual-stack security database module 108. The security protocol processing part includes an IPSec protocol processing module 113 and an algorithm processing module 106. The data stream transmission and processing part comprises the inbound and outbound data streams flowing in order through the different modules, together with network communication interfaces 109 and 116. The CPU part includes an embedded CPU 101 and the bus architecture 102 that works with it.
Network communication interfaces 109 and 116 are the physical network interfaces; Ethernet or POS interfaces may be chosen, and both interfaces can encapsulate and decapsulate IPv4 and IPv6 frames. Interface 109 on one side receives the intranet-side data link layer frames addressed to the device, decapsulates them into network layer packets and writes them into the FIFO leading to the outbound dual-stack security processing module; on the other side it takes the network layer packets stored in the FIFO from the IPSec protocol processing module, frames them and sends them to the data link layer of the intranet side. Interface 116 on one side frames the network layer packets stored in the FIFO from the IPSec protocol processing module and sends them to the data link layer of the extranet side; on the other side it receives the extranet-side data link layer frames addressed to the device, decapsulates them into network layer packets and writes them into the FIFO leading to the inbound dual-stack VPN preprocessing module 115.
CPU 101 and on-chip bus 102: the CPU may be an open-source or commercial embedded CPU, preferably a 32-bit or 64-bit general-purpose CPU, and on-chip bus 102 is a bus type that can work with the chosen CPU. CPU 101 is the master device on the bus and all other devices attached to the bus are slave devices, so CPU 101 accesses every attached device through on-chip bus 102. This access consists of CPU 101 maintaining the inbound security database operation interface 107, the outbound VPN management table 105 and the outbound security database operation interface 103, where maintenance comprises add, delete and query operations. Concretely, CPU 101 puts an instruction and its parameters on the bus; the bus analyses and decodes the instruction and parameters and selects the slave device the CPU wants to access; the slave device reads the instruction and parameters from the bus and responds.
The outbound dual-stack security database module 104 and the inbound dual-stack security database module 108 store the security policy database (SPD) and the security association database (SAD) and provide read/write logic conversion interfaces to both. The policy database is a memory unit storing security policy entries and contains two databases, IPv4 and IPv6: the IPv4 policy database (SPD_V4) matches and looks up the policies of IPv4 packet flows, and the IPv6 policy database (SPD_V6) matches and looks up the policies of IPv6 packet flows. The matched lookup of the security policy database module is realised with a CAM/TCAM structure; the policy information and SA pointer information are held in on-chip RAM, and the security association information in on-chip SRAM. The match address output by the CAM/TCAM corresponds to the policy information and SA pointer information in the on-chip RAM. If the policy requires applying IPSec and the SA pointer is valid, the SA pointer is used as the address into the security association memory unit, and the SA information is read out and sent, together with the apply-IPSec policy information, to the corresponding security association operation interface 103 or 107. If the policy applies IPSec but the SA pointer is invalid, then for the inbound direction the apply-IPSec policy information and the invalid SA pointer information are sent to security operation interface 103, and for the outbound direction discard policy information is sent to security operation interface 107. If the policy is to bypass IPSec, bypass-IPSec policy information is sent to the corresponding security operation interface 103 or 107; if the policy is to discard the packet, the policy information is sent to the corresponding security operation interface 103 or 107.
The outbound security operation interface 103 and the inbound security operation interface 107 first parse the instructions and parameters of the accesses coming from security processing module 110 or 114 and from bus 102, and then convert the parsed instructions and parameters into operation logic on the database storage units.
The outbound dual-stack security processing module 110 and the inbound dual-stack security processing module 114 first read the IP packet from their respective receive FIFO buffers and read out all the selectors, which they feed into the security database operation interface to match and look up the security policy (SP) and security association (SA) information. After the SP and SA information is received there are four cases:
a) if the policy applies IPSec and the SA exists, module 110 or 114 encapsulates the SA information into the packet header, first writes the SA information and the IP header into its send FIFO, then reads the rest of the packet remaining in its receive FIFO and writes it into its send FIFO;
b) if the policy applies IPSec but the SA does not exist, the outbound module 110 writes the invalid SA pointer and the IP header into the data packet cache module 111 and then reads the rest of the packet remaining in its receive FIFO and writes it into the data packet cache module 111 as well, whereas the inbound module 114 discards the IP header information and reads out and discards the packet remaining in its receive FIFO;
c) if the policy is to bypass IPSec processing, module 110 or 114 encapsulates bypass-IPSec control information into the packet header, writes the encapsulated header into its send FIFO, and then also writes the packet remaining in its receive FIFO into its send FIFO;
d) if the policy is to discard, module 110 or 114 reads out the whole IP packet and discards it.
The outbound VPN management table looks up the VPN header a packet needs when the packet flows from the intranet to the extranet. The VPN table is held in on-chip RAM and its lookup is realised with a CAM/TCAM structure. When it receives a source IP and a destination IP, it uses them as the VPN selector and feeds them into the CAM/TCAM, which yields the address of the VPN entry in the RAM; that address is then applied to the VPN table RAM, the VPN information is read out and sent to the outbound dual-stack VPN preprocessing module. The outbound dual-stack VPN preprocessing module 112 reads the source and destination IP from its receive FIFO and sends them to the outbound VPN management table; the outbound VPN management table returns the source and destination IP of the VPN header to the outbound VPN preprocessing module, which encapsulates the VPN information into the packet header, writes the encapsulated header into its send FIFO, and then reads the packet remaining in its receive FIFO and writes it into its send FIFO. The inbound dual-stack VPN preprocessing module 115 reads the packet from its receive FIFO, strips off the packet's VPN header and writes the stripped packet into its send FIFO.
Algorithm processing module 106 realises four kinds of operators: encryption, decryption, authentication and verification. The encryption operators are DES, 3DES and AES encryptors, the decryption operators are DES, 3DES and AES decryptors, and the authentication algorithms are HMAC-SHA-96 and HMAC-MD5-96. In the outbound direction, after a packet requiring encryption and authentication is received from IPSec protocol processing module 113, the packet is sent to the encryption operator or to the authentication operator for encryption or authentication; an encrypted packet must additionally be sent to the authentication operator for authentication processing. The input of the authentication operator is chosen by an outbound scheduler between the packets processed by the encryption operator and the packets from IPSec protocol processing module 113 that need only authentication. After outbound algorithm processing is finished, the packet is returned to the IPSec protocol processing module. In the inbound direction, after a packet is received from the IPSec protocol processing module, it is sent to the verification operator for verification; if verification fails, the packet is discarded; if verification succeeds, the packet is written either into the FIFO before the decryption operator or into the FIFO before the inbound scheduler. The decryption operator processes the packets that need decryption and writes them into the FIFO before the inbound scheduler, and the inbound scheduler selects the result output FIFO of the verification operator or of the decryption operator and sends the packet to IPSec protocol processing module 113.
IPSec protocol processing module 113 realises the ESP and AH protocols of IPSec on packets. For the outbound direction it has an IPSec protocol encapsulation pre-processor and an IPSec protocol encapsulation post-processor. Encapsulation pre-processing reads the packet from the data FIFO following the outbound dual-stack VPN preprocessing module 112, analyses the packet's security policy and security association information, selects whether the packet goes into the input FIFO of the encryption operator in algorithm processing module 106 or into the input FIFO of the outbound scheduler, and writes the packet into the selected FIFO. Encapsulation post-processing reads the packet from the output FIFO of the authentication operator in algorithm processing module 106, performs IPSec protocol encapsulation by adding the IPSec header, packages the result into an IP-layer packet and hands it to network communication interface 116. For the inbound direction it has an anti-replay protection device, an IPSec protocol decapsulation pre-processor and an IPSec protocol decapsulation post-processor. The anti-replay protection device reads the packet from the output FIFO of the inbound dual-stack security processing module 114, reads the sequence number (SN) in the IPSec header and performs anti-replay protection; if the packet is found to be a replay it is discarded; otherwise it is handed to the IPSec protocol decapsulation pre-processor, which analyses the packet's security policy and security association information and writes the packet into the input FIFO of the verification operator in algorithm processing module 106. The IPSec protocol decapsulation post-processor reads the packet delivered by the algorithm scheduler in the algorithm processing module and checks the legality of the security policy corresponding to the packet's security association; if it is found to be illegal the packet is discarded; if legal, the IPSec header is stripped, the packet is processed into an IP-layer packet and handed to network communication interface 109. The outbound scheduler and the inbound scheduler can be realised with two-to-one selectors.
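The inbound path just described (anti-replay device first, then the verification operator, discarding on either failure), as an added Python model that is not the patent's circuit: ESP is framed as SPI, sequence number, opaque payload and a 12-byte HMAC-SHA-96 ICV, the decryption step that would follow is left out, and the 64-entry sliding window is the RFC 4303 algorithm, which the patent does not specify. The key and packets are constructed for the example.

```python
"""Inbound model of the anti-replay protection device and the verification
(HMAC-SHA-96) operator of the IPSec protocol processing module. Added example,
not the patent's hardware. ESP framing: SPI(4) | SN(4) | payload | ICV(12).
The payload is opaque bytes that the decryption operator would handle next, so
no cipher is included. The sliding window follows RFC 4303 Appendix A, an
assumption since the patent only says 'anti-replay processing'."""
import hashlib
import hmac
import struct

ESP_HDR = struct.Struct("!II")   # SPI, sequence number, network byte order
ICV_LEN = 12                     # HMAC-SHA-1-96: 160-bit HMAC truncated to 96 bits


def icv(auth_key: bytes, data: bytes) -> bytes:
    """HMAC-SHA-96 integrity check value over ESP header + payload."""
    return hmac.new(auth_key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_esp(spi: int, sn: int, payload: bytes, auth_key: bytes) -> bytes:
    """Outbound side: prepend the ESP header, append the ICV over header+payload."""
    authed = ESP_HDR.pack(spi, sn) + payload
    return authed + icv(auth_key, authed)


class ReplayWindow:
    """Sliding window over accepted sequence numbers (RFC 4303 Appendix A).
    Bit k of `bitmap` records whether SN (last - k) has already been accepted."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.mask = (1 << size) - 1
        self.last = 0            # highest SN accepted so far (right edge)
        self.bitmap = 0

    def check(self, sn: int) -> bool:
        """True if `sn` is fresh: not zero, not left of the window, not seen."""
        if sn == 0:
            return False         # SN 0 is never transmitted on an ESP SA
        if sn > self.last:
            return True          # right of the window: new
        diff = self.last - sn
        if diff >= self.size:
            return False         # fell off the left edge: treated as a replay
        return not (self.bitmap >> diff) & 1

    def update(self, sn: int) -> None:
        """Record `sn`. Called only after the ICV verified, so a forged packet
        cannot slide the window forward and cause genuine packets to be dropped."""
        if sn > self.last:
            shift = sn - self.last
            self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.last = sn
        else:
            self.bitmap |= 1 << (self.last - sn)


class InboundSA:
    """Minimal inbound SA: SPI, authentication key and its replay window."""

    def __init__(self, spi: int, auth_key: bytes) -> None:
        self.spi = spi
        self.auth_key = auth_key
        self.window = ReplayWindow()


def inbound_process(sa: InboundSA, packet: bytes):
    """Anti-replay device, then verification operator, in the patent's order.
    Returns (verdict, payload); payload is only returned when accepted."""
    if len(packet) < ESP_HDR.size + ICV_LEN:
        return "malformed", None
    spi, sn = ESP_HDR.unpack_from(packet)
    if spi != sa.spi:
        return "no_sa", None
    if not sa.window.check(sn):
        return "replay", None            # discarded by the anti-replay device
    authed, received_icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv(sa.auth_key, authed), received_icv):
        return "bad_icv", None           # verification failed; window untouched
    sa.window.update(sn)
    return "ok", authed[ESP_HDR.size:]   # handed on to the decryption operator


KEY = b"constructed-auth-key-16b"   # constructed sample key
SPI = 0x1001


def demo_sequence() -> list:
    """Feed a constructed packet sequence through the inbound path and return the
    verdicts: a replay, a window jump, a too-old SN and a forgery with a bad key."""
    sa = InboundSA(SPI, KEY)
    pkts = [build_esp(SPI, sn, b"ciphertext-%d" % sn, KEY)
            for sn in (1, 2, 3, 2, 70, 5, 10)]
    forged = build_esp(SPI, 100, b"forged", b"wrong-key")
    verdicts = [inbound_process(sa, p)[0] for p in pkts + [forged]]
    verdicts.append(inbound_process(sa, build_esp(SPI, 100, b"real", KEY))[0])
    return verdicts


if __name__ == "__main__":
    print(demo_sequence())
```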
Fig. 2 shows the basic processing flow of the dual-stack IPSec VPN device of the invention for outbound data, comprising the following steps:
OS00: the intranet-side network communication interface receives data link layer frames from the intranet network, decapsulates them and converts them into IP-layer packets;
OS01: the outbound security policy selector is extracted and sent to the security database for matched lookup, which returns the security policy information and the security association information; the outbound security policy selector here preferably consists of the source IP, destination IP, upper-layer protocol number, source port and destination port;
OS02: the security policy information and security association information are analysed and the processing mode of the packet stream is selected: if the policy is to bypass IPSec, the bypass-IPSec policy information is sent to the send FIFO buffer; if the policy is to discard, the packet stream is read out and discarded; if the policy applies IPSec, it is further checked whether the SA is valid: if invalid, the packet is sent to the data packet cache module; if valid, it is sent to the send FIFO buffer;
OS03: the outbound dual-stack VPN preprocessing module extracts the VPN selector of the packet and sends it to the outbound VPN management table;
OS04: after the outbound dual-stack VPN preprocessing module has encapsulated the VPN information, it writes the packet into the send FIFO leading to the next module;
OS05: when the IPSec protocol processing module finds a packet to handle in the FIFO following the outbound dual-stack VPN preprocessing module, it reads the packet out and performs IPSec protocol encapsulation pre-processing on it;
OS06: the algorithm processing module reads in the packet that requires algorithm processing and performs the corresponding algorithm operation on it;
OS07: IPSec protocol encapsulation post-processing is performed on the packet that has been through algorithm processing;
OS08: the outbound communication interface re-encapsulates the packaged IP-layer packet into a data link layer frame and sends it out.
Fig. 3 shows the basic processing flow of the dual-stack IPsec VPN device of the invention for inbound data, which includes the following steps:
IS00: The extranet-side network communication interface receives a data link layer frame, decapsulates it into an IP-layer data packet and writes it into the FIFO buffer to the next module;
IS01: After the inbound dual-stack VPN pre-processing module reads the packet, it strips the VPN header from the packet and then writes the packet into the FIFO buffer to the next module;
IS02: The inbound security policy selector and the inbound security association selector of the packet are extracted and sent to the security database to match and look up the security policy and security association information; preferably the inbound security policy selector consists of source IP, destination IP and upper-layer protocol number, and the inbound security association selector consists of source IP, destination IP, upper-layer protocol number and SPI value;
IS03: The security policy and security association information are analysed: if the policy is bypass IPsec, the bypass-IPsec information is encapsulated into the packet header, the packet is written into the FIFO buffer to the next module and it bypasses IPsec processing; if IPsec is applied and the SA is valid, the security policy information and security association information are encapsulated into the packet header and the packet is written into the FIFO buffer to the next module; if IPsec is applied but the SA is invalid, or the policy is to drop the packet, the packet is read out and directly discarded;
IS04: When the IPsec protocol processing module sees that the FIFO buffer from the inbound dual-stack secure processing module holds a data packet to be handled, it first performs anti-replay protection according to the packet's secure sequence number SN, analysing whether the packet is a replay: if it is found to be a replay it is directly discarded; if it is not a replay it is processed further;
IS05: The IPsec protocol processing module performs IPsec protocol decapsulation pre-processing on the packet and then passes the packet into the algorithm module;
IS06: When the algorithm module sees a data packet to be handled, it sends the packet into the decryption or de-authentication algorithm unit for algorithm processing and analyses the de-authentication result after verification: if de-authentication is found to have failed the packet is dropped; if de-authentication succeeds the packet is passed to the next step;
IS07: The IPsec protocol decapsulation post-processor in the IPsec protocol processing module reads the packet and performs a validity check on the packet's security association and security policy: if the validity check fails the packet is dropped; if the check result is legitimate the packet is passed to the next step;
IS08: The IPsec protocol decapsulation post-processor in the IPsec protocol processing module performs decapsulation post-processing on the packet, strips the IPsec header, processes it into an IP-layer packet and hands it to the intranet-side communication interface;
IS09: The intranet-side data communication interface encapsulates the IP-layer data packet into a data link layer frame and sends it.
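The anti-replay check of step IS04, as an added example that is not part of the patent: a per-SA sliding window over received sequence numbers in the style of RFC 4303, which the patent itself does not specify; the window width, the keying by SPI and the sample packets are assumptions.

```python
# Model of the IS04 anti-replay decision: the inbound IPsec protocol processing
# module reads the SN from the IPsec header and drops the packet if it is a
# replay. Added example, not the patent's circuit. Assumed method: the RFC 4303
# sliding window (bitmap of recently accepted SNs below the highest one seen),
# with one window per inbound SA, keyed here by SPI.

WINDOW_SIZE = 64  # assumption: window width; RFC 4303 requires at least 32


class AntiReplayWindow:
    """Sliding window over received sequence numbers for one inbound SA."""

    def __init__(self, window_size: int = WINDOW_SIZE) -> None:
        self.window_size = window_size
        self.top = 0       # highest SN accepted so far (0 = nothing received yet)
        self.bitmap = 0    # bit i set => SN (top - i) has already been accepted

    def accept(self, sn: int) -> bool:
        """Return True and record sn if it is fresh, False if it must be dropped."""
        mask = (1 << self.window_size) - 1
        if sn == 0:
            # A 32-bit ESP/AH sender never emits SN 0 (RFC 4303), so treat it as a replay.
            return False
        if sn > self.top:
            # New high-water mark: slide the window up and mark sn as received.
            shift = sn - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.window_size else 1
            self.top = sn
            return True
        offset = self.top - sn
        if offset >= self.window_size:
            return False   # older than the window: cannot be verified, drop
        if (self.bitmap >> offset) & 1:
            return False   # already received once: replay
        self.bitmap |= 1 << offset
        return True


def filter_replays(packets):
    """Run the IS04 decision over a list of (spi, sn) pairs.

    Returns 'forward' or 'drop' per packet, in input order. The per-SPI window
    is the state the anti-replay protector keeps beside the SA entry.
    """
    windows = {}
    decisions = []
    for spi, sn in packets:
        window = windows.setdefault(spi, AntiReplayWindow())
        decisions.append("forward" if window.accept(sn) else "drop")
    return decisions


# Constructed sample: one SA (SPI 0x1001) receiving packets out of order, with a
# duplicate, one late packet inside the window and one far behind it, plus a
# second SA that keeps its own window.
SAMPLE_PACKETS = [
    (0x1001, 1), (0x1001, 2), (0x1001, 3), (0x1001, 2),   # SN 2 repeats: replay
    (0x1001, 5), (0x1001, 4),                             # SN 4 late but inside window
    (0x1001, 100), (0x1001, 3),                           # SN 3 now outside the window
    (0x1001, 99), (0x1001, 1),
    (0x2002, 1),
]

if __name__ == "__main__":
    for (spi, sn), verdict in zip(SAMPLE_PACKETS, filter_replays(SAMPLE_PACKETS)):
        print(f"SPI {spi:#06x} SN {sn:3d}: {verdict}")
```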
Fig. 4 shows the flow of the maintenance and use method of the dual-stack security databases in the dual-stack IPsec VPN device of the invention. It should be noted that not every step takes exactly one clock cycle to complete; those skilled in the art will understand that a step takes at least one clock cycle. The outbound security database operation interface or the inbound security database operation interface (hereinafter security operation interface 103 or 111) receives access requests, which are distinguished into CPU accesses and lookup accesses from secure processing module 113 or 106. The CPU access proceeds as follows: the CPU sends a command and parameters over on-chip bus 102; the security database operation interface receives the command and parameters and parses them, then selects the security association database or the security policy database; if it is the security policy database, it further selects the IPv4 or IPv6 database, and the parsed command and parameters are converted into a read or write operation on that security policy database. The access of the dual-stack secure processing module proceeds as follows: the dual-stack secure processing module sends a match-lookup request command and parameters; security operation interface 103 or 111 parses the received command and parameters, then converts them into a read operation on the security policy database and judges whether the security association database SAD needs to be accessed; if so, the command and parameters are further converted into an SAD read operation and the security information result is then output; if not, the security information result is output directly; finally the access ends.
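The lookups of steps OS01/OS02 and IS02/IS03 and the Fig. 4 access path (choose the SPD or the SAD, then the IPv4 or IPv6 policy database), modelled in Python as an added example rather than the patent's hardware; the entry layout, the policy actions, the output names and the sample addresses and SPIs are assumptions.

```python
# Software model of the security database construction and lookup part.
# Added example, not the patent's circuit. Assumptions: policies are matched in
# table order (first match wins), an SA is identified by SPI, and the strings
# returned name the destination the packet is sent to (send FIFO, data packet
# buffer module, next FIFO, or discard).
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard for a protocol or port field of a policy selector


@dataclass
class Policy:
    src: ipaddress.IPv4Network | ipaddress.IPv6Network
    dst: ipaddress.IPv4Network | ipaddress.IPv6Network
    proto: Optional[int]
    sport: Optional[int]
    dport: Optional[int]
    action: str                 # "bypass", "discard" or "protect"
    spi: Optional[int] = None   # SA to use when action == "protect"

    def matches(self, src, dst, proto, sport=ANY, dport=ANY) -> bool:
        return (src in self.src and dst in self.dst
                and self.proto in (ANY, proto)
                and self.sport in (ANY, sport)
                and self.dport in (ANY, dport))


@dataclass
class SecurityAssociation:
    spi: int
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    proto: int     # 50 = ESP, 51 = AH
    valid: bool    # established and not expired


class DualStackSecurityDatabase:
    """One SAD plus two SPDs (IPv4 and IPv6) chosen by address family."""

    def __init__(self):
        self.spd = {4: [], 6: []}
        self.sad = {}

    def add_policy(self, policy: Policy) -> None:
        # Fig. 4: after choosing the SPD, pick the IPv4 or IPv6 policy database.
        self.spd[policy.src.version].append(policy)

    def add_sa(self, sa: SecurityAssociation) -> None:
        self.sad[(sa.src, sa.dst, sa.proto, sa.spi)] = sa

    def find_policy(self, src, dst, proto, sport=ANY, dport=ANY) -> Optional[Policy]:
        for policy in self.spd[src.version]:   # first match in table order wins
            if policy.matches(src, dst, proto, sport, dport):
                return policy
        return None


def outbound_decision(db, src, dst, proto, sport, dport) -> str:
    """OS01/OS02: five-tuple SPD lookup, then SA validity, then the destination."""
    policy = db.find_policy(src, dst, proto, sport, dport)
    if policy is None or policy.action == "discard":
        return "discard"
    if policy.action == "bypass":
        return "send_fifo:bypass"
    sa = next((s for s in db.sad.values() if s.spi == policy.spi), None)
    if sa is None or not sa.valid:
        return "data_packet_buffer"    # held until a usable SA exists
    return "send_fifo:ipsec"


def inbound_decision(db, src, dst, proto, spi) -> str:
    """IS02/IS03: SPD selector (src, dst, proto) and SAD selector (src, dst, proto, SPI)."""
    policy = db.find_policy(src, dst, proto)
    if policy is None or policy.action == "discard":
        return "discard"
    if policy.action == "bypass":
        return "next_fifo:bypass"
    sa = db.sad.get((src, dst, proto, spi))
    if sa is None or not sa.valid or sa.spi != policy.spi:
        return "discard"               # IPsec required but no usable SA
    return "next_fifo:ipsec"


def build_sample_db() -> DualStackSecurityDatabase:
    """Constructed entries: an IPv4 tunnel with a live SA, an IPv6 one whose SA is not up yet."""
    ip, net = ipaddress.ip_address, ipaddress.ip_network
    db = DualStackSecurityDatabase()
    db.add_policy(Policy(net("10.1.0.0/16"), net("0.0.0.0/0"), 17, ANY, 53, "bypass"))
    db.add_policy(Policy(net("10.1.0.0/16"), net("10.2.0.0/16"), ANY, ANY, ANY, "protect", 0x1001))
    db.add_policy(Policy(net("203.0.113.0/24"), net("198.51.100.0/24"), 50, ANY, ANY, "protect", 0x1001))
    db.add_policy(Policy(net("2001:db8:1::/48"), net("2001:db8:2::/48"), ANY, ANY, ANY, "protect", 0x2002))
    db.add_sa(SecurityAssociation(0x1001, ip("203.0.113.1"), ip("198.51.100.1"), 50, valid=True))
    db.add_sa(SecurityAssociation(0x2002, ip("2001:db8:1::1"), ip("2001:db8:2::1"), 50, valid=False))
    return db
```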
Fig. 5 shows a currently preferred dual-stack VPN processing method, which includes outbound dual-stack VPN pre-processing and inbound dual-stack VPN pre-processing. For outbound VPN pre-processing, the VPN selector of the packet is read first; this selector consists of the source and destination IP of the packet header. The VPN table module feeds the selector into its internal match circuit to look up the VPN information; the match circuit is preferably realised as a CAM structure, while the VPN table information is stored in on-chip RAM; the VPN header information is then output. After the outbound VPN pre-processing module reads the VPN header information, it encapsulates the VPN header into the packet header and writes the packet into the FIFO between itself and the IPsec protocol processing module. For inbound dual-stack VPN pre-processing, the packet is read, its class is analysed (IPv4 or IPv6), the VPN header of that class is stripped, and the packet is then written into the FIFO to the inbound dual-stack secure processing module.
Fig. 6 shows a typical deployment of the dual-stack IPsec VPN device. As shown in Fig. 6, an organisation has a headquarters network and two branch networks, branch 1 and branch 2, located in different offices. The headquarters network is an IPv4 and IPv6 dual-stack network, branch 1 is an IPv4 network and branch 2 is an IPv6 network. The hosts in the headquarters network and the branch networks are all dual-stack nodes; inside the headquarters there are an IPv4 server and an IPv6 server, and the switch in the headquarters network supports dual stack. When a host node of the headquarters network accesses IPv4 nodes of the headquarters network, branch 1 or branch 2, it uses IPv4 addresses; when it accesses IPv6 nodes it uses IPv6 addresses. As illustrated, three dual-stack IPsec VPN devices of the invention serve respectively as the default VPN nodes of the headquarters network and the two branch networks. The extranet-side port of each dual-stack IPsec VPN device has two IP addresses, one IPv4 and one IPv6, and these IP addresses are globally unique; the intranet-side port of each device has an IPv4 address and an IPv6 address of the intranet segment. An example of the VPN traffic flow: when host a at headquarters uses an IPv4 address to access host a in the branch 1 network, the data packet flows through the switch, dual-stack IPsec VPN device 1, the Internet and dual-stack IPsec VPN device 2, and then reaches host a of the branch 1 network. In this process an IPsec VPN tunnel is established between dual-stack IPsec VPN device 1 and dual-stack IPsec VPN device 2 to protect the data communication; because both parties to the communication use IPv4 addresses, the dual-stack IPsec VPN devices apply the IPv4 processing method when handling the packets. In another example, when host b of branch 2 uses an IPv6 address to access the IPv6 server of the headquarters network, the data packet flows through dual-stack IPsec VPN device 3, the Internet, dual-stack VPN device 1, the switch and the IPv6 server; because both the initiator and the receiver of the communication use IPv6 addresses, dual-stack IPsec VPN device 1 and dual-stack IPsec VPN device 3 apply the IPv6 processing method, but in dual-stack IPsec VPN device 3, during outbound VPN pre-processing, IPv4 VPN header information is added so that the IPv6 packet can traverse the IPv4 Internet.
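The Fig. 5 VPN pre-processing applied to the Fig. 6 traffic, as an added example that is not the patent's circuit: outbound, the (source, destination) selector is matched in a VPN table and an outer IP header in the family of the two devices' extranet addresses is prepended, which is how device 3's IPv6 packet crosses the IPv4 Internet; inbound, the version nibble selects which VPN header to strip. That the VPN header is an outer IP header carrying the RFC 2003 / RFC 4213 protocol values 4 and 41, the exact-match table and all addresses are assumptions.

```python
# Model of outbound and inbound dual-stack VPN pre-processing (Fig. 5) on the
# Fig. 6 deployment. Added example, not the patent's circuit. Assumed VPN
# header format: a plain outer IPv4 (20-byte) or IPv6 (40-byte) header whose
# addresses are the tunnel endpoints; the CAM is modelled as an exact-match
# dictionary; all addresses are constructed documentation-range values.
import ipaddress
import struct


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 when verifying a valid one)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_ip_packet(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Build a minimal IPv4 or IPv6 packet around payload (family taken from src)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version == 4:
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                          64, proto, 0, s.packed, d.packed)
        hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    else:
        hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), proto, 64, s.packed, d.packed)
    return hdr + payload


def inner_addresses(packet: bytes):
    """Read the (src, dst) VPN selector from the packet's own IP header."""
    if packet[0] >> 4 == 4:
        return ipaddress.ip_address(packet[12:16]), ipaddress.ip_address(packet[16:20])
    return ipaddress.ip_address(packet[8:24]), ipaddress.ip_address(packet[24:40])


class VpnManagementTable:
    """CAM model: exact match on (inner src, inner dst) -> (outer src, outer dst)."""

    def __init__(self):
        self.entries = {4: {}, 6: {}}   # one table unit per inner address family

    def add(self, inner_src, inner_dst, outer_src, outer_dst):
        key = (ipaddress.ip_address(inner_src), ipaddress.ip_address(inner_dst))
        self.entries[key[0].version][key] = (ipaddress.ip_address(outer_src),
                                             ipaddress.ip_address(outer_dst))

    def lookup(self, inner_src, inner_dst):
        return self.entries[inner_src.version].get((inner_src, inner_dst))


def outbound_vpn_preprocess(table: VpnManagementTable, packet: bytes):
    """Fig. 5 outbound: look up the VPN selector and prepend the VPN header.

    The VPN header is an outer IP header in the family of the tunnel endpoints,
    so an IPv6 packet gets an IPv4 header when the devices' extranet-side
    addresses are IPv4, as device 3 does in Fig. 6.
    """
    endpoints = table.lookup(*inner_addresses(packet))
    if endpoints is None:
        return None                      # no VPN entry for this flow
    outer_src, outer_dst = endpoints
    inner_proto = 41 if packet[0] >> 4 == 6 else 4   # IPv6-in-IP / IP-in-IP
    return make_ip_packet(str(outer_src), str(outer_dst), packet, inner_proto)


def inbound_vpn_preprocess(packet: bytes) -> bytes:
    """Fig. 5 inbound: classify the VPN header as IPv4 or IPv6 and strip it."""
    if packet[0] >> 4 == 4:
        return packet[(packet[0] & 0x0F) * 4:]
    return packet[40:]


def build_sample_table() -> VpnManagementTable:
    """Constructed Fig. 6 entries: branch-2 host b to the HQ IPv6 server (device 3 to
    device 1 over IPv4) and HQ host a to branch-1 host a (device 1 to device 2)."""
    table = VpnManagementTable()
    table.add("2001:db8:2::b", "2001:db8:1::53", "203.0.113.3", "203.0.113.1")
    table.add("10.1.0.10", "10.2.0.10", "203.0.113.1", "203.0.113.2")
    return table
```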
Claims (6)
1. A dual-stack IPsec VPN device, characterised by comprising a dual-stack VPN processing part, a security database construction and lookup part, a security protocol processing part, a data stream transmission processing part and a CPU part;
the dual-stack VPN processing part is used for dual-stack processing and VPN header processing, and includes an outbound dual-stack VPN pre-processing module, an outbound VPN management table and an inbound dual-stack VPN pre-processing module;
the security database construction and lookup part is used for maintaining and match-looking-up the two kinds of security policy database, IPv4 and IPv6, and for maintaining and match-looking-up one kind of security association database; it includes an outbound dual-stack secure processing module, a data packet buffer module, an outbound security database operation interface, an outbound dual-stack security database module, an inbound dual-stack secure processing module, an inbound security database operation interface and an inbound dual-stack security database module;
the security protocol processing part is used for the encapsulation and decapsulation processing of the IPsec AH and ESP protocols and for the encryption, decryption and authentication algorithm processing of data packets; it includes an IPsec protocol processing module and an algorithm processing module;
the data stream transmission processing part is used for controlling the different modules and network communication interfaces through which the inbound and outbound data streams flow in sequence; packet data going from the intranet to the extranet, after being processed by the outbound dual-stack secure processing module and the outbound dual-stack VPN pre-processing module, has security parameters and VPN parameters respectively encapsulated into the header of the original packet; packet data entering the intranet from the extranet has its VPN header information stripped after inbound dual-stack VPN pre-processing, and after this packet with the VPN information stripped is processed by the inbound dual-stack secure processing module, security parameters are encapsulated into its header;
the CPU part includes a CPU and the bus architecture that works with it, is used for managing the security databases and the VPN data tables and for analysing the transport layer and the upper-layer protocols above it as defined by the OSI model, and does not intervene in normal packet stream processing;
wherein the CPU, the inbound security database operation interface, the outbound VPN management table and the outbound security database operation interface are interconnected through an on-chip bus; the outbound communication interface and the outbound dual-stack secure processing module are connected through a dual-port buffer; the outbound dual-stack secure processing module is connected with the outbound security database operation interface and the data packet buffer module; the outbound dual-stack security database module is connected with the outbound database operation interface; the outbound dual-stack secure processing module and the outbound dual-stack VPN pre-processing module are connected through a dual-port buffer; the outbound dual-stack VPN pre-processing module is connected with the outbound VPN management table; the outbound dual-stack VPN pre-processing module and the IPsec protocol processing module are connected through a dual-port buffer; the IPsec protocol processing module and the algorithm processing module are connected through a dual-port buffer; the IPsec protocol processing module and the outbound communication interface are connected through a dual-port buffer; the intranet communication interface and the inbound dual-stack VPN pre-processing module are connected through a dual-port buffer; the inbound dual-stack VPN pre-processing module and the inbound dual-stack secure processing module are connected through a dual-port memory; the inbound dual-stack secure processing module is connected with the inbound security database operation interface; the inbound dual-stack secure processing module and the IPsec protocol processing module are connected through a dual-port buffer; and the IPsec protocol processing module and the intranet communication interface are connected through a dual-port buffer.
2. The dual-stack IPsec VPN device as claimed in claim 1, characterised in that the outbound dual-stack security database module includes: an outbound security policy database for storing security policy entries, an outbound security association database for storing outbound security association entries, and a read-write logic conversion interface to the two databases;
the outbound security policy database includes two databases corresponding respectively to IPv4 and IPv6: an outbound IPv4 policy database and an outbound IPv6 policy database; the outbound IPv4 policy database is used for matching and querying the policy of IPv4-type packet streams, and the outbound IPv6 policy database is used for matching and querying the policy of IPv6-type packet streams;
the outbound security association database is a memory unit for storing security association entry information; the information it stores includes a transmission mode selection field, a protocol type selection field, a sequence number overflow handling selection field, an encryption algorithm selection field, an authentication algorithm selection field, a field selecting whether an encryption IV is needed, an encryption algorithm key length field, an authentication algorithm key length field, a PMTU field, a security parameter index field and a sequence number counter field.
3. The dual-stack IPsec VPN device as claimed in claim 1, characterised in that the outbound VPN management table includes two kinds of VPN table memory unit, IPv4 and IPv6, and an access control logic controller, and the access control logic controller includes: the control logic circuit for the CPU's query, add and delete operations on VPN management table entries, and the control logic circuit for the query operations of the outbound dual-stack VPN pre-processing module on the VPN management table.
4. The dual-stack IPsec VPN device as claimed in claim 1, characterised in that the algorithm processing module includes an encryption algorithm unit, a decryption algorithm unit, an authentication algorithm unit and a de-authentication algorithm unit; wherein, in the direction in which intranet packets go out to the extranet, the input interface of the encryption algorithm unit is connected to the encryption processing output interface of the IPsec protocol processing module; the input interface of the authentication algorithm unit is connected to the output interface of a two-to-one selector, whose two input interfaces are connected respectively to the authentication processing output interface of the IPsec protocol processing module and to the output interface of the encryption algorithm unit; the output interface of the authentication algorithm unit is connected to the authentication result input interface of the IPsec protocol processing module; in the direction in which extranet packets enter the intranet, the input interface of the de-authentication algorithm unit is connected to the de-authentication output interface of the IPsec protocol processing module; the output interface of the de-authentication algorithm unit and the output interface of the decryption algorithm unit are connected respectively to the two input interfaces of a two-to-one selector, whose output interface is connected to the algorithm processing result input interface of the IPsec protocol processing module; and the output interface of the de-authentication algorithm unit is also connected to the input interface of the decryption algorithm unit.
5. The dual-stack IPsec VPN device as claimed in claim 3, characterised in that the encryption/decryption algorithm units include at least two encryption/decryption algorithm units using different encryption/decryption algorithms; and the authentication/de-authentication algorithm units include at least two authentication/de-authentication algorithm units using different authentication/de-authentication algorithms.
6. The dual-stack IPsec VPN device as claimed in claim 1, characterised in that the IPsec protocol processing module includes:
an IPsec protocol encapsulation pre-processor, for analysing the security policy and security association information of outbound packets, determining whether a packet needs both the encryption operation and the authentication operation or only authentication operation processing, and then sending the packet to the corresponding algorithm unit;
an IPsec protocol encapsulation post-processor, for performing protocol encapsulation processing on packets that have been processed by the encryption and/or authentication algorithm units, and writing the packets whose encapsulation processing has finished into the dual-port buffer to the outbound communication interface;
an anti-replay protector, for performing anti-replay detection on received inbound packets and carrying out anti-replay processing according to the detection result;
an IPsec protocol decapsulation pre-processor, for analysing the security policy and security association information of inbound packets, determining whether a packet needs both the decryption operation and the de-authentication operation or only de-authentication operation processing, and then sending the packet to the corresponding algorithm unit;
an IPsec protocol decapsulation post-processor, for performing protocol decapsulation processing on packets that have been processed by the decryption and/or de-authentication algorithm units, then checking whether the security policy and security association information of the packet are legitimate; if illegitimate, the packet is dropped; if legitimate, the packet whose decapsulation processing has finished is written into the dual-port buffer to the intranet communication interface;
the IPsec protocol encapsulation pre-processor, the IPsec protocol encapsulation post-processor, the IPsec protocol decapsulation pre-processor and the IPsec protocol decapsulation post-processor, these four parts, work independently and concurrently, have no circuit connection between one another, and are each connected through an independent data path to the respective algorithm unit in the algorithm processing module.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510307310.2A CN105025004B (en) | 2015-07-16 | 2015-07-16 | A kind of double stack IPSec VPN devices |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105025004A CN105025004A (en) | 2015-11-04 |
CN105025004B true CN105025004B (en) | 2018-01-02 |
Family
ID=54414710
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510307310.2A Active CN105025004B (en) | 2015-07-16 | 2015-07-16 | A kind of double stack IPSec VPN devices |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105025004B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20180091556A1 (en) * | 2016-09-29 | 2018-03-29 | Futurewei Technologies, Inc. | System and method for packet classification using multiple security databases |
CN111585986A (en) * | 2020-04-24 | 2020-08-25 | Guangdong Weide Information Technology Co., Ltd. | Safe transmission method, device, medium and terminal equipment based on power gateway |
CN111614538B (en) * | 2020-04-30 | 2022-03-29 | Purple Mountain Laboratories (Network Communication and Security) | Message forwarding method based on IPsec encapsulation protocol |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2005025141A1 (en) * | 2003-09-05 | 2005-03-17 | Ntt Docomo, Inc. | Communication between fixed terminals of an ipv4 private network and an ipv6 global network interconnected through the ipv4-internet |
CN101043411A (en) * | 2006-03-24 | 2007-09-26 | Huawei Technologies Co., Ltd. | Method and system for realizing mobile VPN service in hybrid network |
CN101043410A (en) * | 2006-03-24 | 2007-09-26 | Huawei Technologies Co., Ltd. | Method and system for realizing mobile VPN service |
CN102932767A (en) * | 2011-08-11 | 2013-02-13 | ZTE Corporation | Information transmission method, packet data network gateway as well as policy and charging rules function |
Also Published As
Publication number | Publication date |
---|---|
CN105025004A (en) | 2015-11-04 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |