CN105471848B - Security enhancement design method for an Ethernet controller - Google Patents
- Publication number: CN105471848B (application CN201510789678.7A)
- Authority: CN (China)
- Prior art keywords: data, module, ethernet, encryption, decryption
- Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Classifications
- H04L: Transmission of digital information, e.g. telegraphic communication (H: Electricity; H04: Electric communication technique)
  - H04L63/00: Network architectures or network communication protocols for network security
    - H04L63/16: Implementing security features at a particular protocol layer
    - H04L63/02: for separating internal from external traffic, e.g. firewalls
      - H04L63/0227: Filtering policies
        - H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL
    - H04L63/04: for providing a confidential data exchange among entities communicating through data packet networks
      - H04L63/0428: wherein the data content is protected, e.g. by encrypting or encapsulating the payload
Landscapes: Engineering & Computer Science; Computer Security & Cryptography; Computer Hardware Design; Computing Systems; General Engineering & Computer Science; Computer Networks & Wireless Communication; Signal Processing; Small-Scale Networks
Abstract
The present invention provides a security enhancement design method for an Ethernet controller. In the encryption/decryption mode, the Ethernet controller performs the following operations: it carries out control-flow and data-flow communication with the external host system through the AMBA bus interface module; it transfers, through the DMA engine module, the data configured for the different bus accesses in the transmit and receive directions respectively; it parses and filters the Ethernet frame data in the transmit and receive directions respectively through the protocol filtering and encapsulation module, sends the link-layer or network-layer protocol data that needs encryption or decryption to the data encryption/decryption module, and re-encapsulates the returned data; it processes the data with a hardware algorithm in the data encryption/decryption module; it buffers transmitted and received data in the MAC transaction module; and it communicates data with the external PHY chip through the PHY interface module.
Description
Technical field
The present invention relates to the field of electronic information, and in particular to a security enhancement design method for a Gigabit Ethernet controller IP core that performs secure processing of link-layer, network-layer and transport-layer protocols.
Background technology
At present, network terminal devices usually implement secure communication with dedicated firewall software, antivirus software or data encryption/decryption software. This approach requires parsing and processing the various protocols carried by the network controller; it occupies system resources, raises CPU usage, and may introduce security risks through software design flaws.
Invention content
To overcome the above shortcomings of existing software-based network protection mechanisms, the present invention provides a security enhancement design method for a Gigabit Ethernet controller IP core based on hardware encryption and decryption of network protocols, in which an AMBA bus interface module, a DMA engine module, a protocol filtering and encapsulation module, a data encryption/decryption module, a MAC transaction module, a security management and control module and a PHY interface module are designed to cooperate with one another. The encryption/decryption process of this Ethernet controller requires no system intervention and no system overhead, so network data is transmitted securely without losing network link transmission performance.
According to the present invention, a security enhancement design method for an Ethernet controller is provided, comprising: pre-configuring the working mode of the Ethernet controller through the security management and control module, where the working modes include a normal mode and an encryption/decryption mode; and, in the normal mode, having the Ethernet controller perform no encryption or decryption processing of network protocols.
Preferably, in the encryption/decryption mode the Ethernet controller performs the following operations:
carrying out control-flow and data-flow communication with the external host system through the AMBA bus interface module;
transferring, through the DMA engine module, the data configured for the different bus accesses in the transmit and receive directions respectively;
parsing and filtering the Ethernet frame data in the transmit and receive directions respectively through the protocol filtering and encapsulation module, sending the link-layer or network-layer protocol data that needs encryption or decryption to the data encryption/decryption module, and re-encapsulating the returned data;
processing the data with a hardware algorithm in the data encryption/decryption module;
buffering transmitted and received data in the MAC transaction module;
communicating data with the external PHY chip through the PHY interface module.
Preferably, in the encryption process under the encryption/decryption mode, the Ethernet frame data is transferred from the AMBA bus module through the DMA engine module to the protocol filtering and encapsulation module; the filtering and encapsulation module performs protocol parsing on the different types of Ethernet frame data and sends the data that needs encryption to the encryption/decryption module; after the encryption/decryption module encrypts that data to form ciphertext data, the ciphertext data is returned to the protocol filtering and encapsulation module, which re-encapsulates it into ciphertext data in Ethernet frame form; the ciphertext data in Ethernet frame form is then transferred to the MAC transaction module and finally sent to the PHY chip through the PHY interface module.
Preferably, in the decryption process under the encryption/decryption mode, the PHY interface module receives the Ethernet frame data from the PHY chip and forwards it to the MAC transaction module, which, after synchronization processing of the Ethernet frame data, transfers it to the protocol filtering and encapsulation module; the protocol filtering and encapsulation module performs protocol parsing on the different types of frames and sends the data that needs decryption to the encryption/decryption module; after the encryption/decryption module decrypts that data to form plaintext data, the plaintext data is returned to the protocol filtering and encapsulation module, which re-encapsulates it into plaintext data in Ethernet frame form; the plaintext data in Ethernet frame form is thereafter transferred to the external host system through the DMA engine module and the AMBA bus module.
Preferably, the working modes further include a disabled mode, in which the Ethernet controller only supports system IO accesses and does not respond to other configuration operations issued by the system.
Preferably, the Ethernet controller can perform secure processing of the following protocols:
the MAC frame protocols of the link layer;
network-layer protocols based on IPv4/IPv6;
transport-layer protocols based on IPv4/IPv6.
Preferably, the data configured for the different bus accesses has a variable data granularity.
The present invention provides a Gigabit Ethernet controller IP core that can implement hardware encryption and decryption. Through the hardware design, the present invention bypasses, filters or encrypts/decrypts the different protocols of the Ethernet link layer, network layer and transport layer; the encryption/decryption process requires no system intervention and occupies no system overhead.
Description of the drawings
A more complete understanding of the present invention, and of its attendant advantages and features, will be more readily obtained by reference to the following detailed description taken together with the accompanying drawings, in which:
Fig. 1 schematically shows the circuit structure diagram used according to the preferred embodiment of the present invention.
Fig. 2 schematically shows the encryption process of Ethernet frame data according to the preferred embodiment of the present invention.
Fig. 3 schematically shows the decryption process of Ethernet frame data according to the preferred embodiment of the present invention.
It should be noted that the drawings are intended to illustrate the present invention, not to limit it. Note that the drawings representing structures may not necessarily be drawn to scale. Also, in the drawings, the same or similar elements are indicated by the same or similar reference numerals.
Specific embodiments
In order to make the content of the present invention clearer and easier to understand, the content of the present invention is described in detail below with reference to specific embodiments and the drawings.
The working mode of the Ethernet controller is pre-configured through the security management and control module (for example, the working modes include a normal mode, a disabled mode and an encryption/decryption mode).
In the normal mode, the Ethernet controller performs no encryption or decryption processing of network protocols.
In examples where a disabled mode exists, the Ethernet controller in the disabled mode can be made to support only system IO accesses and not to respond to other configuration operations issued by the system.
Moreover, in the encryption/decryption mode, the Ethernet controller carries out control-flow and data-flow communication with the external host system through the AMBA bus interface module; transfers, through the DMA engine module, the data configured for the different bus accesses in the transmit and receive directions respectively (the data can have a variable data granularity); parses and filters the Ethernet frame data in the transmit and receive directions respectively through the protocol filtering and encapsulation module, sends the link-layer or network-layer protocol data that needs encryption or decryption to the data encryption/decryption module, and re-encapsulates the returned data; processes the data with a hardware algorithm in the data encryption/decryption module; buffers transmitted and received data in the MAC transaction module; and communicates data with the external PHY chip through the PHY interface module.
The Ethernet controller can perform secure processing of the following protocols:
(1) the various MAC frame protocols of the link layer;
(2) the various network-layer protocols based on IPv4/IPv6;
(3) the various transport-layer protocols based on IPv4/IPv6.
Specifically, as shown in Fig. 1, the AMBA bus interface module 1 connects to the external host system through the AMBA bus and internally connects to the DMA engine module 2; the protocol filtering and encapsulation module 3 switches between the different working modes under the configuration of the security management and control module 5 and, in the encryption/decryption mode, performs parsing, filtering and encapsulation on the transmitted and received frame data respectively; the data encryption/decryption module 4 encrypts transmitted data and decrypts received data with a hardware algorithm; the MAC transaction module 6 buffers transmitted and received data; the PHY interface module 7 connects internally to the MAC transaction module and externally to the PHY chip.
In Fig. 2, in the encryption process under the encryption/decryption mode, the Ethernet frame data is transferred from the AMBA bus module 1 through the DMA engine module 2 to the protocol filtering and encapsulation module 3; the filtering and encapsulation module 3 performs protocol parsing on the different types of Ethernet frame data and sends the data that needs encryption to the encryption/decryption module 4; after the encryption/decryption module 4 encrypts that data to form ciphertext data, the ciphertext data is returned to the protocol filtering and encapsulation module 3 so that it is re-encapsulated into ciphertext data in Ethernet frame form; the ciphertext data in Ethernet frame form is then transferred to the MAC transaction module 6 and finally sent to the PHY chip through the PHY interface module 7.
In Fig. 3, in the decryption process under the encryption/decryption mode, the PHY interface module 7 receives the Ethernet frame data from the PHY chip and forwards it to the MAC transaction module 6, which, after synchronization processing of the Ethernet frame data, transfers it to the protocol filtering and encapsulation module 3; the protocol filtering and encapsulation module 3 performs protocol parsing on the different types of frames and sends the data that needs decryption to the encryption/decryption module 4; after the encryption/decryption module 4 decrypts that data to form plaintext data, the plaintext data is returned to the protocol filtering and encapsulation module 3 so that it is re-encapsulated into plaintext data in Ethernet frame form; the plaintext data in Ethernet frame form is thereafter transferred to the external host system through the DMA engine module 2 and the AMBA bus module 1.
The present invention can perform secure processing of the protocols of the link layer, network layer and transport layer in the Ethernet-based TCP/IP protocol suite. Moreover, the present invention pre-configures the working mode of the Ethernet controller through an independent security management and control module, supporting three different modes: normal, encryption/decryption and disabled.
The most important technical effect of the present invention is that real-time encryption and decryption processing of Ethernet frame data is implemented in hardware, ensuring that link data transmission is secure and reliable while occupying no system overhead.
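The transmit path of Fig. 2, the receive path of Fig. 3 and the three working modes set by the security management and control module, as an added Python model that is not part of the patent or of any implementation of it. The patent names no cipher, so the "hardware algorithm" is stood in for by an HMAC-SHA256 keystream with an encrypt-then-MAC tag; the decision to keep the Ethernet and IP headers in clear and protect only the data after them, the per-frame sequence counter, the module and function names, the sample frames and the key are all assumptions made for this example. The model also shows the check a practitioner would want on the receive path: a frame whose tag does not verify is dropped rather than re-encapsulated and handed to the host.

```python
"""Software model of the patent's data path: host -> AMBA/DMA -> protocol filter ->
crypto module -> MAC -> PHY on transmit, and the reverse on receive."""
import hashlib
import hmac
import struct

ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD
ETH_HDR, SEQ_LEN, TAG_LEN = 14, 4, 16
NORMAL, CRYPTO, DISABLED = "normal", "crypto", "disabled"  # the three working modes

def ipv4_checksum(hdr):  # one's-complement sum over the header, checksum field zeroed
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def split_frame(frame):
    """Protocol filter: (clear headers, data to protect, kind). Assumed split: Ethernet
    and IP headers stay in clear; what follows the IP (or Ethernet) header is protected."""
    if len(frame) < ETH_HDR:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if len(frame) < ETH_HDR + {ETHERTYPE_IPV4: 20, ETHERTYPE_IPV6: 40}.get(ethertype, 0):
        raise ValueError("truncated IP header")
    if ethertype == ETHERTYPE_IPV4:
        end = ETH_HDR + (frame[ETH_HDR] & 0x0F) * 4
        return frame[:end], frame[end:], "ipv4"
    if ethertype == ETHERTYPE_IPV6:
        return frame[:ETH_HDR + 40], frame[ETH_HDR + 40:], "ipv6"
    return frame[:ETH_HDR], frame[ETH_HDR:], "link"

def fix_lengths(headers, payload_len, kind):  # re-encapsulation: fix IP length and checksum
    hdr = bytearray(headers)
    if kind == "ipv4":
        struct.pack_into("!H", hdr, ETH_HDR + 2, len(hdr) - ETH_HDR + payload_len)
        hdr[ETH_HDR + 10:ETH_HDR + 12] = b"\0\0"
        struct.pack_into("!H", hdr, ETH_HDR + 10, ipv4_checksum(bytes(hdr[ETH_HDR:])))
    elif kind == "ipv6":
        struct.pack_into("!H", hdr, ETH_HDR + 4, payload_len)
    return bytes(hdr)

class CryptoModule:
    """Stand-in for the unnamed hardware algorithm: HMAC-SHA256 keystream in counter
    mode plus an encrypt-then-MAC tag that also covers the clear headers."""
    def __init__(self, key):
        self.k_enc = hashlib.sha256(b"enc" + key).digest()
        self.k_mac = hashlib.sha256(b"mac" + key).digest()
        self.seq = 0  # per-frame counter, carried in clear as the nonce

    def _crypt(self, seq, data):  # XOR with the keystream; same for both directions
        ks = b"".join(hmac.new(self.k_enc, seq + struct.pack("!I", i), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
        return bytes(a ^ b for a, b in zip(data, ks))

    def tag(self, headers, seq, ct):
        return hmac.new(self.k_mac, headers + seq + ct, hashlib.sha256).digest()[:TAG_LEN]

    def encrypt(self, plaintext):
        seq, self.seq = struct.pack("!I", self.seq), self.seq + 1
        return seq, self._crypt(seq, plaintext)

    def decrypt(self, headers, blob):  # plaintext, or None when the tag does not verify
        if len(blob) < SEQ_LEN + TAG_LEN:
            return None
        seq, ct, tag = blob[:SEQ_LEN], blob[SEQ_LEN:-TAG_LEN], blob[-TAG_LEN:]
        if not hmac.compare_digest(tag, self.tag(headers, seq, ct)):
            return None
        return self._crypt(seq, ct)

class EthernetController:
    def __init__(self, mode, key):
        self.mode = mode  # pre-configured by the security management and control module
        self.crypto = CryptoModule(key)

    def configure(self, mode):  # in the disabled mode only system IO accesses are served
        if self.mode == DISABLED:
            return False  # any other configuration operation gets no response
        self.mode = mode
        return True

    def transmit(self, frame):  # Fig. 2 path: host -> PHY; None when disabled
        if self.mode != CRYPTO:
            return None if self.mode == DISABLED else frame
        headers, payload, kind = split_frame(frame)
        seq, ct = self.crypto.encrypt(payload)
        headers = fix_lengths(headers, SEQ_LEN + len(ct) + TAG_LEN, kind)
        return headers + seq + ct + self.crypto.tag(headers, seq, ct)

    def receive(self, frame):  # Fig. 3 path: PHY -> host; None when disabled or dropped
        if self.mode != CRYPTO:
            return None if self.mode == DISABLED else frame
        headers, blob, kind = split_frame(frame)
        plaintext = self.crypto.decrypt(headers, blob)  # None on a bad tag: drop, never forward
        return None if plaintext is None else fix_lengths(headers, len(plaintext), kind) + plaintext

def build_ipv4_frame(payload):  # constructed sample: Ethernet II + IPv4/UDP, 10.0.0.1 -> 10.0.0.2
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                               bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])))
    struct.pack_into("!H", ip, 10, ipv4_checksum(bytes(ip)))
    return bytes.fromhex("0200000000010200000000020800") + bytes(ip) + payload
```

With a controller in the encryption/decryption mode, `ctrl.receive(ctrl.transmit(frame))` returns the original frame byte for byte, including the restored IPv4 total length and header checksum; in the normal mode both paths pass the frame through untouched, and in the disabled mode both return None and `configure()` is refused. Because the tag is computed over the clear headers as well as the ciphertext, a frame whose headers, ciphertext or tag were altered in transit, or one produced under a different key, is dropped on the receive path instead of reaching the host.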
It should be noted that, unless otherwise indicated, the terms "first", "second", "third" and the like in the specification are used only to distinguish the various components, elements, steps and so on described in the specification, and are not intended to indicate any logical or ordinal relationship between them.
It will be understood that although the present invention has been disclosed above by way of preferred embodiments, the embodiments above are not intended to limit the present invention. Any person skilled in the art, without departing from the scope of the technical solution of the present invention, can use the technical content disclosed above to make many possible changes and modifications to the technical solution of the present invention, or to revise it into equivalent embodiments with equivalent variations. Therefore, any simple modifications, equivalent changes and variations made to the above embodiments according to the technical essence of the present invention, without departing from the content of the technical solution of the present invention, still fall within the scope of protection of the technical solution of the present invention.
Claims (6)
1. A security enhancement design method for an Ethernet controller, characterised in that it comprises: pre-configuring the working mode of the Ethernet controller through a security management and control module, where the working modes include a normal mode and an encryption/decryption mode; having the Ethernet controller perform no encryption or decryption processing of network protocols in the normal mode; and, in the encryption/decryption mode, having the Ethernet controller perform the following operations:
carrying out control-flow and data-flow communication with the external host system through an AMBA bus interface module;
transferring, through a DMA engine module, the data configured for the different bus accesses in the transmit and receive directions respectively;
parsing and filtering the Ethernet frame data in the transmit and receive directions respectively through a protocol filtering and encapsulation module, sending the link-layer or network-layer protocol data that needs encryption or decryption to a data encryption/decryption module, and re-encapsulating the returned data;
processing the data with a hardware algorithm in the data encryption/decryption module;
buffering transmitted and received data in a MAC transaction module;
communicating data with the external PHY chip through a PHY interface module.
2. The security enhancement design method for an Ethernet controller according to claim 1, characterised in that, in the encryption process under the encryption/decryption mode, the Ethernet frame data is transferred from the AMBA bus module through the DMA engine module to the protocol filtering and encapsulation module; the filtering and encapsulation module performs protocol parsing on the different types of Ethernet frame data and sends the data that needs encryption to the encryption/decryption module; after the encryption/decryption module encrypts that data to form ciphertext data, the ciphertext data is returned to the protocol filtering and encapsulation module so as to be re-encapsulated into ciphertext data in Ethernet frame form; the ciphertext data in Ethernet frame form is then transferred to the MAC transaction module and finally sent to the PHY chip through the PHY interface module.
3. The security enhancement design method for an Ethernet controller according to claim 1 or 2, characterised in that, in the decryption process under the encryption/decryption mode, the PHY interface module receives the Ethernet frame data from the PHY chip and forwards it to the MAC transaction module, which, after synchronization processing of the Ethernet frame data, transfers it to the protocol filtering and encapsulation module; the protocol filtering and encapsulation module performs protocol parsing on the different types of frames and sends the data that needs decryption to the encryption/decryption module; after the encryption/decryption module decrypts that data to form plaintext data, the plaintext data is returned to the protocol filtering and encapsulation module so as to be re-encapsulated into plaintext data in Ethernet frame form; the plaintext data in Ethernet frame form is thereafter transferred to the external host system through the DMA engine module and the AMBA bus module.
4. The security enhancement design method for an Ethernet controller according to claim 1 or 2, characterised in that the working modes further include a disabled mode, in which the Ethernet controller only supports system IO accesses and does not respond to other configuration operations issued by the system.
5. The security enhancement design method for an Ethernet controller according to claim 1 or 2, characterised in that the Ethernet controller can perform secure processing of the following protocols:
the MAC frame protocols of the link layer;
network-layer protocols based on IPv4/IPv6;
transport-layer protocols based on IPv4/IPv6.
6. The security enhancement design method for an Ethernet controller according to claim 1 or 2, characterised in that the data configured for the different bus accesses has a variable data granularity.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510789678.7A CN105471848B (en) | 2015-11-17 | 2015-11-17 | A kind of ethernet controller enhances safely design method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105471848A (en) | 2016-04-06 |
CN105471848B (en) | 2018-07-03 |
Family
ID=55609119
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510789678.7A Active CN105471848B (en) | 2015-11-17 | 2015-11-17 | A kind of ethernet controller enhances safely design method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105471848B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE102017219770B4 (en) | 2017-11-07 | 2019-06-19 | Continental Automotive Gmbh | Method for operating an Ethernet communication device and Ethernet communication device |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101808317A (en) * | 2009-02-18 | 2010-08-18 | 联想(北京)有限公司 | Computer device and method for realizing wireless local area network security measure |
CN102291405A (en) * | 2011-08-12 | 2011-12-21 | 曙光信息产业(北京)有限公司 | Network card supporting filtration and encryption of network data |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101930864B1 (en) * | 2012-02-16 | 2019-03-11 | 삼성전자주식회사 | Method and apparatus for protecting digital content using device authentication |
Timeline
- 2015-11-17: CN application CN201510789678.7A (patent CN105471848B), status active
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |