CN105471848B - Ethernet controller security enhancement design method


Info

Publication number: CN105471848B
Authority: CN (China)
Prior art keywords: data, module, ethernet, encryption, decryption
Legal status: Active
Application number: CN201510789678.7A
Other languages: Chinese (zh)
Other versions: CN105471848A
Inventors: 徐毅, 韩文燕, 张琦滨, 汪争, 叶维, 刘亮, 毕小建, 张亮
Current assignee: Wuxi Jiangnan Computing Technology Institute
Original assignee: Wuxi Jiangnan Computing Technology Institute
Priority date: 2015-11-17
Filing date: 2015-11-17
Publication date: 2016-04-06 (CN105471848A), 2018-07-03 (CN105471848B)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Small-Scale Networks (AREA)

Abstract

The present invention provides a security enhancement design method for an Ethernet controller. In the encryption/decryption mode, the Ethernet controller performs the following operations: it communicates control flow and data flow with the external host system through the AMBA bus interface module; it transmits, through the DMA engine module, the data configured for different bus accesses in the send and receive directions respectively; it parses and filters the Ethernet frame data in the send and receive directions respectively through the protocol filtering and encapsulation module, sends the link-layer or network-layer protocol data that requires encryption/decryption to the data encryption/decryption module, and re-encapsulates the returned data; it processes the data with a hardware algorithm through the data encryption/decryption module; it buffers sent and received data through the MAC transaction module; and it communicates data with the external PHY chip through the PHY interface module.

Description

Ethernet controller security enhancement design method
Technical field
The present invention relates to the field of electronic information, and in particular to a security enhancement design method for a Gigabit Ethernet controller IP core that performs security processing of link-layer, network-layer and transport-layer protocols.
Background art
At present, network terminal devices usually achieve secure communication with dedicated firewall software, antivirus software or data encryption/decryption software. This approach has to parse and process the various protocols carried by the network controller, which consumes system resources and drives up CPU usage, and software design flaws may introduce security risks.
Summary of the invention
To overcome the above disadvantages of existing software-based network protection mechanisms, the present invention provides a security enhancement design method for a Gigabit Ethernet controller IP core based on hardware encryption and decryption of network protocols, in which an AMBA bus interface module, a DMA engine module, a protocol filtering and encapsulation module, a data encryption/decryption module, a MAC transaction module, a security management module and a PHY interface module are designed to cooperate with one another. The encryption/decryption processing of this Ethernet controller requires no system intervention and no system overhead; it ensures the security of network data during transmission without reducing the transmission performance of the network link.
According to the present invention, a security enhancement design method for an Ethernet controller is provided, comprising: pre-configuring the operating mode of the Ethernet controller through the security management module, wherein the operating modes include a normal mode and an encryption/decryption mode; and having the Ethernet controller perform no encryption/decryption processing of network protocols in the normal mode.
Preferably, in the encryption/decryption mode the Ethernet controller performs the following operations:
communicating control flow and data flow with the external host system through the AMBA bus interface module;
transmitting, through the DMA engine module, the data configured for different bus accesses in the send and receive directions respectively;
parsing and filtering the Ethernet frame data in the send and receive directions respectively through the protocol filtering and encapsulation module, sending the link-layer or network-layer protocol data that requires encryption/decryption to the data encryption/decryption module, and re-encapsulating the returned data;
processing the data with a hardware algorithm through the data encryption/decryption module;
buffering sent and received data through the MAC transaction module;
communicating data with the external PHY chip through the PHY interface module.
Preferably, in the encryption process in the encryption/decryption mode, Ethernet frame data is transferred from the AMBA bus module through the DMA engine module to the protocol filtering and encapsulation module; the filtering and encapsulation module performs protocol parsing on the different types of Ethernet frame data and sends the data that requires encryption to the encryption/decryption module; after the encryption/decryption module encrypts that data to form ciphertext data, the ciphertext data is returned to the protocol filtering and encapsulation module, which re-encapsulates it as ciphertext data in Ethernet frame form; the ciphertext data in Ethernet frame form is then transferred to the MAC transaction module and finally sent to the PHY chip through the PHY interface module.
Preferably, in the decryption process in the encryption/decryption mode, the PHY interface module receives Ethernet frame data from the PHY chip and forwards the received Ethernet frame data to the MAC transaction module, which synchronises the Ethernet frame data and then transfers it to the protocol filtering and encapsulation module; the protocol filtering and encapsulation module performs protocol parsing on the different types of frames and sends the data that requires decryption to the encryption/decryption module; after the encryption/decryption module decrypts that data to form plaintext data, the plaintext data is returned to the protocol filtering and encapsulation module, which re-encapsulates it as plaintext data in Ethernet frame form; the plaintext data in Ethernet frame form is thereafter transferred to the external host system through the DMA engine module and the AMBA bus module.
Preferably, the operating modes further include a disabled mode, in which the Ethernet controller only supports system I/O access and does not respond to other configuration operations issued by the system.
Preferably, the Ethernet controller can realise security processing of the following protocols:
the MAC frame protocols of the link layer;
the network-layer protocols based on IPv4/IPv6;
the transport-layer protocols based on IPv4/IPv6.
Preferably, the data configured for different bus accesses has a variable data granularity.
The present invention provides a Gigabit Ethernet controller IP core that realises hardware encryption and decryption. Through the hardware design, the different protocols of the Ethernet link layer, network layer and transport layer are bypassed, filtered, or encrypted/decrypted, and the encryption/decryption process requires no system intervention and consumes no system overhead.
Brief description of the drawings
A more complete understanding of the present invention, together with its advantages and features, will be gained more easily by reference to the accompanying drawings and the following detailed description, in which:
Fig. 1 schematically shows the circuit structure diagram used according to the preferred embodiment of the present invention.
Fig. 2 schematically shows the encryption process of Ethernet frame data according to the preferred embodiment of the present invention.
Fig. 3 schematically shows the decryption process of Ethernet frame data according to the preferred embodiment of the present invention.
It should be noted that the drawings are intended to illustrate the present invention, not to limit it. Note that drawings representing structures are not necessarily drawn to scale. Also, in the drawings, the same or similar elements are denoted by the same or similar reference numerals.
Specific embodiments
To make the content of the present invention clearer and easier to understand, it is described in detail below with reference to specific embodiments and the accompanying drawings.
The operating mode of the Ethernet controller is pre-configured through the security management module (for example, the operating modes include a normal mode, a disabled mode and an encryption/decryption mode).
In the normal mode, the Ethernet controller performs no encryption/decryption processing of network protocols.
In an example that has a disabled mode, the Ethernet controller in the disabled mode can be made to support only system I/O access and not to respond to other configuration operations issued by the system.
Moreover, in the encryption/decryption mode, the Ethernet controller communicates control flow and data flow with the external host system through the AMBA bus interface module; transmits, through the DMA engine module, the data configured for different bus accesses in the send and receive directions respectively (the data can have a variable data granularity); parses and filters the Ethernet frame data in the send and receive directions respectively through the protocol filtering and encapsulation module, sends the link-layer or network-layer protocol data that requires encryption/decryption to the data encryption/decryption module, and re-encapsulates the returned data; processes the data with a hardware algorithm through the data encryption/decryption module; buffers sent and received data through the MAC transaction module; and communicates data with the external PHY chip through the PHY interface module.
The Ethernet controller can realise security processing of the following protocols:
(1) all kinds of MAC frame protocols of the link layer;
(2) the various network-layer protocols based on IPv4/IPv6;
(3) all kinds of transport-layer protocols based on IPv4/IPv6.
Specifically, as shown in Fig. 1, the AMBA bus interface module 1 connects to the external host system through the AMBA bus and internally connects to the DMA engine module 2; the protocol filtering and encapsulation module 3 switches between the operating modes under the configuration of the security management module 5 and, in the encryption/decryption mode, parses, filters and encapsulates the transmitted and received frame data respectively; the data encryption/decryption module 4 encrypts transmitted data and decrypts received data with a hardware algorithm; the MAC transaction module 6 buffers transmitted and received data; the PHY interface module 7 connects internally to the MAC transaction module and externally to the PHY chip.
In Fig. 2, in the encryption process in the encryption/decryption mode, Ethernet frame data is transferred from the AMBA bus module 1 through the DMA engine module 2 to the protocol filtering and encapsulation module 3; the filtering and encapsulation module 3 performs protocol parsing on the different types of Ethernet frame data and sends the data that requires encryption to the encryption/decryption module 4; after the encryption/decryption module 4 encrypts that data to form ciphertext data, the ciphertext data is returned to the protocol filtering and encapsulation module 3, which re-encapsulates it as ciphertext data in Ethernet frame form; the ciphertext data in Ethernet frame form is then transferred to the MAC transaction module 6 and finally sent to the PHY chip through the PHY interface module 7.
In Fig. 3, in the decryption process in the encryption/decryption mode, the PHY interface module 7 receives Ethernet frame data from the PHY chip and forwards the received Ethernet frame data to the MAC transaction module 6, which synchronises the Ethernet frame data and then transfers it to the protocol filtering and encapsulation module 3; the protocol filtering and encapsulation module 3 performs protocol parsing on the different types of frames and sends the data that requires decryption to the encryption/decryption module 4; after the encryption/decryption module 4 decrypts that data to form plaintext data, the plaintext data is returned to the protocol filtering and encapsulation module 3, which re-encapsulates it as plaintext data in Ethernet frame form; the plaintext data in Ethernet frame form is thereafter transferred to the external host system through the DMA engine module 2 and the AMBA bus module 1.
The present invention can perform security processing for the link-layer, network-layer and transport-layer protocols of the Ethernet-based TCP/IP protocol suite. Moreover, the present invention pre-configures the operating mode of the Ethernet controller through an independent security management module and supports three different modes: normal, encryption/decryption and disabled.
The most important technical effect of the present invention is that real-time encryption and decryption of Ethernet frame data is performed in hardware, which ensures that link data transmission is secure and reliable without consuming system overhead.
It should be noted that, unless otherwise indicated, terms such as "first", "second" and "third" in the specification are used only to distinguish the various components, elements, steps and so on described in the specification, and are not intended to indicate any logical or ordinal relationship between them.
It is to be understood that although the present invention has been disclosed above by way of preferred embodiments, these embodiments are not intended to limit the present invention. Those skilled in the art may, without departing from the scope of the technical solution of the present invention, use the technical content disclosed above to make many possible changes and modifications to the technical solution, or to modify it into equivalent embodiments. Therefore, any simple modifications, equivalent changes and variations made to the above embodiments according to the technical spirit of the present invention, without departing from the content of its technical solution, still fall within the scope of protection of the technical solution of the present invention.
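The transmit path of Fig. 2 and the receive path of Fig. 3, modelled in software as an added example (not code from the patent or its assignee): a per-EtherType policy decides whether a frame is bypassed, filtered out or protected, the Ethernet header stays in the clear and only the payload goes to the crypto module, and the security management module's mode gates the processing. The patent does not name its hardware algorithm; the HMAC-SHA256 keystream and the authentication tag below are assumed stand-ins, and the tag adds integrity checking that the page itself does not mention.

```python
import hashlib
import hmac
import itertools
import struct
from enum import Enum

ETH_HDR = struct.Struct("!6s6sH")  # dst MAC, src MAC, EtherType; stays in clear so switches still forward
ETHERTYPE_IPV4, ETHERTYPE_IPV6, ETHERTYPE_ARP = 0x0800, 0x86DD, 0x0806
NONCE_LEN, TAG_LEN = 8, 16

class Mode(Enum):
    NORMAL = 0    # no protocol encryption/decryption processing
    ENCDEC = 1    # selected protocols encrypted on transmit, decrypted on receive
    DISABLED = 2  # only I/O access is served; configuration requests are refused

class Action(Enum):
    BYPASS = 0    # forward the frame unchanged
    DROP = 1      # filter the frame out
    PROTECT = 2   # hand the payload to the encryption/decryption module

class SecurityManager:
    """Security management module: pre-configures the controller's operating mode."""
    def __init__(self, mode=Mode.NORMAL):
        self.mode = mode
    def configure(self, new_mode):
        if self.mode is Mode.DISABLED:
            raise PermissionError("controller disabled: configuration request refused")
        self.mode = new_mode

class CryptoModule:
    """Assumed stand-in for the unspecified hardware algorithm: HMAC-SHA256 keystream plus an
    HMAC tag over header||nonce||ciphertext, so an altered frame is rejected, not decrypted."""
    def __init__(self, key):
        self.key = key
    def _keystream(self, nonce, length):
        blocks = (hmac.new(self.key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
                  for i in range(-(-length // 32)))
        return b"".join(blocks)[:length]
    def _tag(self, header, nonce, ct):
        return hmac.new(self.key, header + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    def encrypt(self, header, nonce, plaintext):
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        return nonce + ct + self._tag(header, nonce, ct)
    def decrypt(self, header, blob):
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        if len(blob) < NONCE_LEN + TAG_LEN or not hmac.compare_digest(tag, self._tag(header, nonce, ct)):
            raise ValueError("authentication failed")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))

class ProtocolFilter:
    """Protocol filtering/encapsulation module: per-EtherType policy, then re-encapsulation."""
    def __init__(self, manager, crypto, policy, default=Action.DROP):
        self.manager, self.crypto, self.policy, self.default = manager, crypto, policy, default
        self.seq = itertools.count()  # transmit nonce counter; never reused under one key

    def _classify(self, frame):
        if len(frame) < ETH_HDR.size:
            return None, Action.DROP  # runt frame is filtered out
        action = self.policy.get(ETH_HDR.unpack_from(frame)[2], self.default)
        if action is Action.PROTECT and self.manager.mode is not Mode.ENCDEC:
            action = Action.BYPASS  # outside the enc/dec mode there is no protocol processing
        return frame[:ETH_HDR.size], action

    def transmit(self, frame):
        """Host -> wire path (Fig. 2): returns the frame to send, or None if filtered out."""
        header, action = self._classify(frame)
        if action is not Action.PROTECT:
            return None if action is Action.DROP else frame
        nonce = struct.pack("!Q", next(self.seq))
        return header + self.crypto.encrypt(header, nonce, frame[ETH_HDR.size:])

    def receive(self, frame):
        """Wire -> host path (Fig. 3): returns the plaintext frame, or None if filtered or forged."""
        header, action = self._classify(frame)
        if action is not Action.PROTECT:
            return None if action is Action.DROP else frame
        try:
            return header + self.crypto.decrypt(header, frame[ETH_HDR.size:])
        except ValueError:
            return None  # tampered or unauthenticated frame is dropped, not delivered
```

Both ends must share the key and the same policy table; a frame whose header or payload is altered in transit fails the tag check on receive and is dropped rather than handed to the host as garbage.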

Claims (6)

1. An Ethernet controller security enhancement design method, characterised in that it comprises: pre-configuring the operating mode of the Ethernet controller through a security management module, wherein the operating modes include a normal mode and an encryption/decryption mode; and having the Ethernet controller perform no encryption/decryption processing of network protocols in the normal mode; wherein, in the encryption/decryption mode, the Ethernet controller performs the following operations:
communicating control flow and data flow with an external host system through an AMBA bus interface module;
transmitting, through a DMA engine module, the data configured for different bus accesses in the send and receive directions respectively;
parsing and filtering the Ethernet frame data in the send and receive directions respectively through a protocol filtering and encapsulation module, sending the link-layer or network-layer protocol data that requires encryption/decryption to a data encryption/decryption module, and re-encapsulating the returned data;
processing the data with a hardware algorithm through the data encryption/decryption module;
buffering sent and received data through a MAC transaction module;
communicating data with an external PHY chip through a PHY interface module.
2. The Ethernet controller security enhancement design method according to claim 1, characterised in that, in the encryption process in the encryption/decryption mode, Ethernet frame data is transferred from the AMBA bus module through the DMA engine module to the protocol filtering and encapsulation module; the filtering and encapsulation module performs protocol parsing on the different types of Ethernet frame data and sends the data that requires encryption to the encryption/decryption module; after the encryption/decryption module encrypts that data to form ciphertext data, the ciphertext data is returned to the protocol filtering and encapsulation module, which re-encapsulates it as ciphertext data in Ethernet frame form; the ciphertext data in Ethernet frame form is then transferred to the MAC transaction module and finally sent to the PHY chip through the PHY interface module.
3. The Ethernet controller security enhancement design method according to claim 1 or 2, characterised in that, in the decryption process in the encryption/decryption mode, the PHY interface module receives Ethernet frame data from the PHY chip and forwards the received Ethernet frame data to the MAC transaction module, which synchronises the Ethernet frame data and then transfers it to the protocol filtering and encapsulation module; the protocol filtering and encapsulation module performs protocol parsing on the different types of frames and sends the data that requires decryption to the encryption/decryption module; after the encryption/decryption module decrypts that data to form plaintext data, the plaintext data is returned to the protocol filtering and encapsulation module, which re-encapsulates it as plaintext data in Ethernet frame form; the plaintext data in Ethernet frame form is thereafter transferred to the external host system through the DMA engine module and the AMBA bus module.
4. The Ethernet controller security enhancement design method according to claim 1 or 2, characterised in that the operating modes further include a disabled mode, in which the Ethernet controller only supports system I/O access and does not respond to other configuration operations issued by the system.
5. The Ethernet controller security enhancement design method according to claim 1 or 2, characterised in that the Ethernet controller can realise security processing of the following protocols:
the MAC frame protocols of the link layer;
the network-layer protocols based on IPv4/IPv6;
the transport-layer protocols based on IPv4/IPv6.
6. The Ethernet controller security enhancement design method according to claim 1 or 2, characterised in that the data configured for different bus accesses has a variable data granularity.
Priority Applications (1)

Application number: CN201510789678.7A (CN105471848B)
Priority date: 2015-11-17
Filing date: 2015-11-17
Title: Ethernet controller security enhancement design method

Publications (2)

CN105471848A, published 2016-04-06
CN105471848B (granted patent), published 2018-07-03

Family

ID=55609119

Country Status (1)

CN: CN105471848B

Families Citing this family (1)

* Cited by examiner, † Cited by third party
DE102017219770B4 (priority 2017-11-07, published 2019-06-19), Continental Automotive Gmbh: Method for operating an Ethernet communication device and Ethernet communication device

Citations (2)

CN101808317A * (priority 2009-02-18, published 2010-08-18), 联想(北京)有限公司: Computer device and method for realizing wireless local area network security measure
CN102291405A * (priority 2011-08-12, published 2011-12-21), 曙光信息产业(北京)有限公司: Network card supporting filtration and encryption of network data

Family Cites Families (1)

KR101930864B1 * (priority 2012-02-16, published 2019-03-11), 삼성전자주식회사: Method and apparatus for protecting digital content using device authentication

Also Published As

CN105471848A, published 2016-04-06


Legal Events

Code: Title
C06: Publication
PB01: Publication
C10: Entry into substantive examination
SE01: Entry into force of request for substantive examination
GR01: Patent grant