CN105991636B - Port negotiation method and device based on IKE agreement - Google Patents

Info

Publication number: CN105991636B
Authority: CN (China)
Prior art keywords: port, negotiation, message, port information, information
Legal status: Active
Application number: CN201510278332.0A
Other languages: Chinese (zh)
Other versions: CN105991636A
Inventor: 孔伟政
Current assignee: Hangzhou DPTech Technologies Co Ltd
Original assignee: Hangzhou DPTech Technologies Co Ltd
Application filed by: Hangzhou DPTech Technologies Co Ltd
Priority to: CN201510278332.0A
Publication of: CN105991636A
Application granted
Publication of: CN105991636B

Classifications (all under H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication)

    • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/02 Separating internal from external traffic, e.g. firewalls > H04L 63/0227 Filtering policies > H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L 41/28 Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming > H04L 61/09 Mapping addresses > H04L 61/25 Mapping addresses of the same type > H04L 61/2503 Translation of Internet protocol [IP] addresses > H04L 61/2517 Translation of Internet protocol [IP] addresses using port numbers
    • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/20 Managing network security; network security policies in general
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass > H04L 69/24 Negotiation of communication capabilities

Abstract

The present invention provides a port negotiation method and device based on the IKE protocol. The method comprises: when negotiating the protected network segment in the IKE protocol, configuring first port information in the protected network segment, the first port information including a first port segment or a first port range; generating, according to a preset extension payload data format, a negotiation initiation message carrying the first port information and sending it to the negotiation response device, so that the negotiation response device judges whether the first port information carried in the negotiation initiation message is identical to the second port information it has configured itself and generates a negotiation response message according to the judgement result; receiving the negotiation response message returned by the negotiation response device; and, when the negotiation response message indicates that the negotiation response device accepts the port negotiation, issuing the security association corresponding to the first port information to the kernel. Embodiments of the present invention support the negotiation of port segments and port ranges, which reduces the performance consumption of the negotiating devices and facilitates user configuration and management.

Description

Port negotiation method and device based on the IKE protocol
Technical field
The present invention relates to the field of network communication technology, and in particular to a port negotiation method and device based on the IKE protocol.
Background
The Internet Key Exchange (IKE) protocol is a key management protocol. It dynamically authenticates the identity of each participating party, negotiates security services and generates shared keys. IKE negotiation is divided into two phases: the first phase negotiates the public key both sides use to protect the second phase, and the second phase negotiates the keys that protect data and the protected network segment.
In the prior art, 11 identification (ID) types are defined for IKE negotiation, 6 of which are used for the protected network segment of the second phase, and they support the negotiation of a single port only.
However, when the IKE negotiation needs to protect many ports, the negotiation must be carried out port by port and multiple security associations (SAs) must be negotiated, which increases the complexity of negotiation and reduces its efficiency.
Summary of the invention
The present invention provides a port negotiation method and device based on the IKE protocol, to solve the problem in the prior art that, when the IKE negotiation needs to protect many ports, the negotiation must be carried out port by port and multiple security associations must be negotiated, which increases the complexity of negotiation and reduces its efficiency.
According to a first aspect of the embodiments of the present invention, a port negotiation method based on the IKE protocol is provided. The method is applied on a negotiation initiating device and comprises:
When negotiating the protected network segment in the IKE protocol, configuring first port information in the protected network segment, the port information including a port segment or a port range;
Generating, according to a preset extension payload data format, a negotiation initiation message carrying the first port information, and sending the negotiation initiation message to a negotiation response device, so that the negotiation response device judges whether the first port information carried in the negotiation initiation message is identical to the second port information it has configured itself, and generates a negotiation response message according to the judgement result;
Receiving the negotiation response message returned by the negotiation response device;
When the negotiation response message indicates that the negotiation response device accepts the port negotiation, issuing the security association corresponding to the first port information to the kernel.
According to a second aspect of the embodiments of the present invention, a port negotiation method based on the IKE protocol is provided. The method is applied on a negotiation response device and comprises:
When negotiating the protected network segment in the IKE protocol, configuring first port information in the protected network segment, the first port information including a first port segment or a first port range;
Receiving a negotiation initiation message sent by a negotiation initiating device, the negotiation initiation message carrying second port information configured by the negotiation initiating device, the second port information including a second port segment or a second port range;
Judging whether the second port information carried in the negotiation initiation message is identical to the first port information configured by the device itself, and generating a negotiation response message according to the judgement result;
Sending the negotiation response message to the negotiation initiating device and, when the device itself accepts the port negotiation, issuing the security association corresponding to the first port information to the kernel.
According to a third aspect of the embodiments of the present invention, a port negotiation device based on the IKE protocol is provided. The device is applied on a negotiation initiating device and comprises:
A configuration unit, for configuring first port information in the protected network segment when negotiating the protected network segment in the IKE protocol, the port information including a port segment or a port range;
A negotiation unit, for generating, according to a preset extension payload data format, a negotiation initiation message carrying the first port information and sending it to a negotiation response device, so that the negotiation response device judges whether the first port information carried in the negotiation initiation message is identical to the second port information it has configured itself and generates a negotiation response message according to the judgement result;
A receiving unit, for receiving the negotiation response message returned by the negotiation response device;
An issuing unit, for issuing the security association corresponding to the first port information to the kernel when the negotiation response message indicates that the negotiation response device accepts the port negotiation.
According to a fourth aspect of the embodiments of the present invention, a port negotiation device based on the IKE protocol is provided. The device is applied on a negotiation response device and comprises:
A configuration unit, for configuring first port information in the protected network segment when negotiating the protected network segment in the IKE protocol, the first port information including a first port segment or a first port range;
A receiving unit, for receiving a negotiation initiation message sent by a negotiation initiating device, the negotiation initiation message carrying second port information configured by the negotiation initiating device, the second port information including a second port segment or a second port range;
A negotiation unit, for judging whether the second port information carried in the negotiation initiation message is identical to the first port information configured by the device itself, and generating a negotiation response message according to the judgement result;
An issuing unit, for sending the negotiation response message to the negotiation initiating device and, when the device itself accepts the port negotiation, issuing the security association corresponding to the first port information to the kernel.
With the embodiments of the present invention, the negotiation of port segments and port ranges can be supported, which reduces the performance consumption of the negotiating devices and facilitates user configuration and management.
Detailed description of the invention
Fig. 1 is a schematic diagram of an application scenario of port negotiation based on the IKE protocol according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the extension payload data format corresponding to a port segment in the port negotiation method based on the IKE protocol of the present invention;
Fig. 3 is a schematic diagram of the extension payload data format corresponding to a port range in the port negotiation method based on the IKE protocol of the present invention;
Fig. 4 is a flow chart of one embodiment of the port negotiation method based on the IKE protocol of the present invention;
Fig. 5 is a flow chart of another embodiment of the port negotiation method based on the IKE protocol of the present invention;
Fig. 6 is a hardware structure diagram of a device in which the port negotiation device based on the IKE protocol of the present invention is located;
Fig. 7 is a block diagram of one embodiment of the port negotiation device based on the IKE protocol of the present invention;
Fig. 8 is a block diagram of another embodiment of the port negotiation device based on the IKE protocol of the present invention.
Specific embodiment
In order to enable those skilled in the art to better understand the technical solutions in the embodiments of the present invention, and to make the above objects, features and advantages of the embodiments clearer and easier to understand, the technical solutions in the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
Referring to Fig. 1, a schematic diagram of an application scenario of port negotiation based on the IKE protocol according to an embodiment of the present invention:
Fig. 1 shows a networking architecture of Internet Protocol Security (IPSec), including a negotiation initiating device and a negotiation response device.
IPSec is an open-standard framework that uses cryptographic security services to ensure confidential and secure communication over IP networks. IPSec is not a single protocol; it includes the Authentication Header (AH) protocol, the Encapsulating Security Payload (ESP) protocol, the IKE protocol, and some algorithms used for network authentication and encryption. IPSec specifies how security protocols are selected between peers, determines the security algorithms and key exchange, and provides network security services such as access control, data origin authentication and data encryption to the upper layers.
The IKE protocol mentioned above is a key management protocol. It dynamically authenticates the identity of each participating party, negotiates security services and generates shared keys. IKE negotiation is divided into two phases: the first phase negotiates the public key both sides use to protect the second phase, and the second phase negotiates the keys that protect data and the protected network segment.
In addition, a security association (SA) records the policy and policy parameters of each IP security path. The SA is the basis of IPSec; it is an agreement established between the communicating parties that determines the protocol used to protect packets, the encapsulation mode, the keys and the key lifetime.
In the prior art, section 4.6.2 of RFC 2407 ("IPsec DOI") defines the ID of the first phase of IKE negotiation and the ID of the second phase (the second phase protects the network segment). The ID type determines the concrete type and parsing of the ID data. The protocol defines 11 ID types in total, 6 of which can be used to negotiate the protected network segment of the second phase, as shown in Table 1.
Table 1

| ID type              | Number | Effect                                                        |
|----------------------|--------|---------------------------------------------------------------|
| RESERVED             | 0      |                                                               |
| ID_IPV4_ADDR         | 1      | Used in the second phase to indicate protection of a single IP address |
| ID_FQDN              | 2      | Used for first-phase negotiation                              |
| ID_USER_FQDN         | 3      | Used for first-phase negotiation                              |
| ID_IPV4_ADDR_SUBNET  | 4      | Used in the second phase to indicate protection of a network segment |
| ID_IPV6_ADDR         | 5      | Used in the second phase to indicate protection of a single IPv6 address |
| ID_IPV6_ADDR_SUBNET  | 6      | Used in the second phase to indicate protection of an IPv6 network segment |
| ID_IPV4_ADDR_RANGE   | 7      | Used in the second phase to indicate protection of an IPv4 address range |
| ID_IPV6_ADDR_RANGE   | 8      | Used in the second phase to indicate protection of an IPv6 address range |
| ID_DER_ASN1_DN       | 9      | Used for first-phase negotiation                              |
| ID_DER_ASN1_GN       | 10     | Used for first-phase negotiation                              |
| ID_KEY_ID            | 11     | Used for first-phase negotiation                              |

These 6 ID types are used for the protected network segment of the second phase, and they support the negotiation of a single port only.
However, when the IKE negotiation needs to protect many ports, for example a port segment or a port range, the negotiation must be carried out port by port and multiple security associations (SAs) must be negotiated, which increases the complexity of negotiation and reduces its efficiency.
In the embodiments of the present invention, in order to support the negotiation of port segments and port ranges, two ID types are defined, as shown in Table 2.
Table 2
The extension payload data format corresponding to a port segment is shown in Fig. 2. The address in Fig. 2 is a standard 32-bit Internet Protocol version 4 (IPv4) address; the subnet mask (net mask) is an integer from 0 to 32, and values outside that range are illegal; the port (Port) is an integer from 0 to 65535; and the port mask (Port Mask) is an integer from 0 to 16.
The extension payload data format corresponding to a port range is shown in Fig. 3. The address in Fig. 3 is a standard 32-bit Internet Protocol version 4 (IPv4) address; the subnet mask (net mask) is an integer from 0 to 32, and values outside that range are illegal; the start port (Start Port) is an integer from 0 to 65535; and the end port (End Port) is an integer from 0 to 65535.
Therefore, embodiments of the present invention can support the negotiation of port segments and port ranges, reducing the performance consumption of the negotiating devices and facilitating user configuration and management.
The embodiments of port negotiation based on the IKE protocol of the present invention are described in detail below with reference to the accompanying drawings.
Referring to Fig. 4, a flow chart of one embodiment of the port negotiation method based on the IKE protocol of the present invention. This embodiment is described from the side of the negotiation initiating device and comprises the following steps:
Step 410: when negotiating the protected network segment in the IKE protocol, configure the first port information in the protected network segment, the port information including a first port segment or a first port range. A port range can be split into multiple port segments.
In this embodiment, to distinguish the port information configured by the negotiation initiating device from that configured by the negotiation response device, the port information configured by the negotiation initiating device is called first port information, which may include a first port segment or a first port range, and the port information configured by the negotiation response device is called second port information, which may include a second port segment or a second port range.
Step 420: generate, according to the preset extension payload data format, a negotiation initiation message carrying the port information, and send the negotiation initiation message to the negotiation response device, so that the negotiation response device judges whether the port information carried in the negotiation initiation message is identical to the port information it has configured itself, and generates a negotiation response message according to the judgement result.
In this embodiment, the content of the generated negotiation response message depends on the judgement result, as follows:
When the judgement result is that the first port information is identical to the second port information, that is, the protected network segments configured by the negotiation initiating device and the negotiation response device are consistent, the negotiation response message is "accept port negotiation";
When the judgement result is that the first port information differs from the second port information, that is, the protected network segments configured by the negotiation initiating device and the negotiation response device are inconsistent, the negotiation response message is "reject port negotiation", and the port negotiation between the negotiation initiating device and the negotiation response device ends.
Step 430: receive the negotiation response message returned by the negotiation response device.
Step 440: when the received negotiation response message indicates that the negotiation response device accepts the port negotiation, issue the security association (SA) corresponding to the port information configured by the device itself to the kernel.
In addition, when the received negotiation response message indicates that the negotiation response device rejects the port negotiation, the protected network segments configured by the negotiation initiating device and the negotiation response device are inconsistent, and the negotiation ends.
Optionally, in the above embodiment, when the port information is a port segment, the corresponding preset extension payload data format is as shown in Fig. 2, and the negotiation initiation message carrying the port segment is generated according to the extension payload data format corresponding to the port segment. The extension payload data format corresponding to a port segment includes a port and a port mask.
Optionally, in the above embodiment, when the port information is a port range, the corresponding preset extension payload data format is as shown in Fig. 3, and the negotiation initiation message carrying the port range is generated according to the extension payload data format corresponding to the port range. The extension payload data format corresponding to a port range includes a start port and an end port.
For example, for the protected network segment 192.168.0.1/32-192.168.1.1/32-1024,2048-1024,2048-TCP that needs to be negotiated, the extension payload data format of 2 port-range IDs needs to be filled.
Specifically: 192.168.0.1 is filled into the address position, 32 into the subnet mask position, the reserved field is kept reserved, 1024 is filled into the start port position, and 2048 into the end port position.
And 192.168.1.1 is filled into the address position, 32 into the subnet mask position, the reserved field is kept reserved, 1024 is filled into the start port position, and 2048 into the end port position.
As can be seen from the above embodiment, when negotiating the protected network segment, port segments and port ranges can be negotiated, which reduces the performance consumption of the negotiation initiating device and facilitates user configuration and management.
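The following is an added example, not code from the patent or from its assignee: it encodes and decodes the two extension payload data formats described for Fig. 2 (port segment) and Fig. 3 (port range), rejects any field outside the legal ranges the text gives (netmask 0-32, port 0-65535, port mask 0-16), and fills the two port-range payloads of the worked example above. The page names the fields and their ranges but not their widths or order, so the byte layout (`SEGMENT_FMT`, `RANGE_FMT`), the dataclass names and the reading of the `addr/mask-addr/mask-start,end-start,end-PROTO` notation in `ranges_from_spec` are this example's own assumptions.

```python
"""Added example (not from the patent): encode/decode the port-segment (Fig. 2) and
port-range (Fig. 3) extension payloads and fill the worked example's two payloads.
ASSUMPTION: field widths and order below are this example's choice (network order);
the page only gives the field names and their legal value ranges."""
import ipaddress
import struct
from dataclasses import dataclass

# Assumed layouts, 10 bytes each:
#   port segment: address(4) netmask(1) reserved(1) port(2) port_mask(1) pad(1)
#   port range:   address(4) netmask(1) reserved(1) start_port(2) end_port(2)
SEGMENT_FMT = "!4sBBHBx"
RANGE_FMT = "!4sBBHH"


@dataclass(frozen=True)
class PortSegment:
    address: str
    netmask: int
    port: int
    port_mask: int


@dataclass(frozen=True)
class PortRange:
    address: str
    netmask: int
    start_port: int
    end_port: int


def _check(name, value, lo, hi):
    """The text calls any value outside a field's range illegal; reject it."""
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value} is outside the legal range {lo}-{hi}")


def _validate(info):
    _check("netmask", info.netmask, 0, 32)
    if isinstance(info, PortSegment):
        _check("port", info.port, 0, 65535)
        _check("port mask", info.port_mask, 0, 16)
    else:
        _check("start port", info.start_port, 0, 65535)
        _check("end port", info.end_port, 0, 65535)
        if info.start_port > info.end_port:  # assumption: a range is ordered
            raise ValueError("start port exceeds end port")


def is_legal(info):
    """True if every field lies inside the ranges the text allows."""
    try:
        _validate(info)
        return True
    except ValueError:
        return False


def encode(info):
    """Serialize a PortSegment or PortRange into its extension payload bytes."""
    _validate(info)
    addr = ipaddress.IPv4Address(info.address).packed
    if isinstance(info, PortSegment):
        return struct.pack(SEGMENT_FMT, addr, info.netmask, 0, info.port, info.port_mask)
    return struct.pack(RANGE_FMT, addr, info.netmask, 0, info.start_port, info.end_port)


def decode_segment(data):
    """Parse a port-segment payload, re-validating: the bytes come from a peer."""
    addr, netmask, _reserved, port, port_mask = struct.unpack(SEGMENT_FMT, data)
    seg = PortSegment(str(ipaddress.IPv4Address(addr)), netmask, port, port_mask)
    _validate(seg)
    return seg


def decode_range(data):
    """Parse a port-range payload, re-validating as above."""
    addr, netmask, _reserved, start, end = struct.unpack(RANGE_FMT, data)
    rng = PortRange(str(ipaddress.IPv4Address(addr)), netmask, start, end)
    _validate(rng)
    return rng


def ranges_from_spec(spec):
    """Fill port-range payloads for a protected segment written the way the text
    writes it: 'addr/mask-addr/mask-start,end-start,end-PROTO'. Pairing the first
    address with the first port pair (and the second with the second) is this
    example's reading of that notation, not something the page states."""
    cidr_a, cidr_b, ports_a, ports_b, proto = spec.split("-")
    ranges = []
    for cidr, ports in ((cidr_a, ports_a), (cidr_b, ports_b)):
        addr, mask = cidr.split("/")
        start, end = (int(p) for p in ports.split(","))
        ranges.append(PortRange(addr, int(mask), start, end))
    return proto, ranges


if __name__ == "__main__":
    # The worked example from the text: two port-range payloads are filled.
    proto, rngs = ranges_from_spec("192.168.0.1/32-192.168.1.1/32-1024,2048-1024,2048-TCP")
    for r in rngs:
        print(proto, r, encode(r).hex())
```

The decoders re-run the same range checks as the encoders because the payload arrives from the peer; a netmask above 32 or a port mask above 16 is exactly the "illegal" value the text warns about, and a receiver that trusts it would install an SA for a selector it cannot represent.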
Referring to Fig. 5, a flow chart of another embodiment of the port negotiation method based on the IKE protocol of the present invention. This embodiment is described from the side of the negotiation response device and comprises the following steps:
Step 510: when negotiating the protected network segment in the IKE protocol, configure the first port information in the protected network segment, the first port information including a first port segment or a first port range.
In this embodiment, to distinguish the port information configured by the negotiation initiating device from that configured by the negotiation response device, the port information configured by the negotiation initiating device is called second port information, which may include a second port segment or a second port range, and the port information configured by the negotiation response device is called first port information, which may include a first port segment or a first port range.
Step 520: receive the negotiation initiation message sent by the negotiation initiating device, the negotiation initiation message carrying the second port information configured by the negotiation initiating device, the second port information including a second port segment or a second port range.
Step 530: judge whether the second port information carried in the negotiation initiation message is identical to the first port information configured by the device itself, and generate a negotiation response message according to the judgement result. In this embodiment, the content of the generated negotiation response message depends on the judgement result, as follows:
When the judgement result is that the second port information is identical to the first port information, that is, the protected network segments configured by the negotiation initiating device and the negotiation response device are consistent, the negotiation response message is "accept port negotiation";
When the judgement result is that the second port information differs from the first port information, that is, the protected network segments configured by the negotiation initiating device and the negotiation response device are inconsistent, the negotiation response message is "reject port negotiation", and the port negotiation between the negotiation initiating device and the negotiation response device ends.
Step 540: send the negotiation response message to the negotiation initiating device and, when the device itself accepts the port negotiation, issue the security association (SA) corresponding to the first port information configured by the device itself to the kernel.
Optionally, in the above embodiment, the negotiation response message is generated according to the judgement result in the following two cases:
(1) When the judgement result is that the second port information carried in the negotiation initiation message is identical to the first port information configured by the device itself, the negotiation response message generated according to the judgement result is that the device itself accepts the port negotiation.
(2) When the judgement result is that the port information carried in the negotiation initiation message differs from the port information configured by the device itself, the negotiation response message generated according to the judgement result is that the device itself rejects the port negotiation.
As can be seen from the above embodiment, when negotiating the protected network segment, port segments and port ranges can be negotiated, which reduces the performance consumption of the negotiation response device and facilitates user configuration and management.
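The following is an added example, not code from the patent or from its assignee: it runs the exchange of steps 410-440 (initiator side, above) and steps 510-540 (responder side, this embodiment) as one round trip, issuing an SA "to the kernel" (here: appending it to a list) only on an accepting response, and it implements the remark in step 410 that a port range can be split into multiple port segments. The page gives the port mask's range (0-16) but not its meaning, so `segment_bounds` and `split_port_range` assume a segment `(port, port_mask)` is read like a CIDR prefix over the 16-bit port number. Comparing the two sides' configurations after splitting ranges into segments (`canonical`) goes beyond the text, which only requires the two configurations to be identical; the message dictionaries, function names and the constructed configurations in `__main__` are this example's own.

```python
"""Added example (not from the patent): the accept/reject decision of steps
410-440 and 510-540 as one exchange, plus splitting a port range into segments.
ASSUMPTION: (port, port_mask) is read like a CIDR prefix over a 16-bit port,
the top port_mask bits fixed; the page gives the mask's range but not its meaning."""
PORT_BITS = 16
ACCEPT = "accept port negotiation"
REJECT = "reject port negotiation"


def segment_bounds(port, port_mask):
    """Lowest and highest port covered by a (port, port_mask) segment."""
    var_bits = PORT_BITS - port_mask
    low = port & (0xFFFF ^ ((1 << var_bits) - 1))
    return low, low + (1 << var_bits) - 1


def split_port_range(start, end):
    """Decompose [start, end] into the fewest aligned (port, port_mask) segments,
    the same way an address range is decomposed into CIDR blocks."""
    segments = []
    p = start
    while p <= end:
        var_bits = 0
        while var_bits < PORT_BITS:
            size = 1 << (var_bits + 1)
            if p % size != 0 or p + size - 1 > end:
                break
            var_bits += 1
        segments.append((p, PORT_BITS - var_bits))
        p += 1 << var_bits
    return segments


def canonical(port_info):
    """Port information as a set of (address, netmask, port, port_mask) segments.
    Entries are ('range', address, netmask, start, end) or
    ('segment', address, netmask, port, port_mask); ranges are split so that a
    range and the equivalent list of segments compare identical (this example's
    choice; the text only says the two configurations must be identical)."""
    out = set()
    for kind, address, netmask, a, b in port_info:
        if kind == "range":
            for port, port_mask in split_port_range(a, b):
                out.add((address, netmask, port, port_mask))
        else:
            low, _ = segment_bounds(a, b)
            out.add((address, netmask, low, b))
    return frozenset(out)


def build_initiation(own_port_info):
    """Step 420: the negotiation initiation message carries the configured port info."""
    return {"type": "negotiation_initiation", "port_info": canonical(own_port_info)}


def respond(initiation, own_port_info, kernel_sas):
    """Steps 530-540: accept only if the carried port info is identical to the
    responder's own; the SA is issued to the kernel (appended here) only then."""
    own = canonical(own_port_info)
    if initiation["port_info"] == own:
        kernel_sas.append(own)
        return {"type": "negotiation_response", "result": ACCEPT}
    return {"type": "negotiation_response", "result": REJECT}


def handle_response(response, own_port_info, kernel_sas):
    """Step 440: the initiator issues its SA only on an accepting response."""
    if response["result"] == ACCEPT:
        kernel_sas.append(canonical(own_port_info))
        return True
    return False


def run_negotiation(initiator_cfg, responder_cfg):
    """Full exchange; returns (result, initiator kernel SAs, responder kernel SAs)."""
    initiator_sas, responder_sas = [], []
    response = respond(build_initiation(initiator_cfg), responder_cfg, responder_sas)
    handle_response(response, initiator_cfg, initiator_sas)
    return response["result"], initiator_sas, responder_sas


if __name__ == "__main__":
    # Constructed configurations: the worked example's two ranges on the initiator,
    # the same coverage written as four segments on the responder.
    initiator = [("range", "192.168.0.1", 32, 1024, 2048),
                 ("range", "192.168.1.1", 32, 1024, 2048)]
    responder = [("segment", a, 32, p, m) for a in ("192.168.0.1", "192.168.1.1")
                 for p, m in split_port_range(1024, 2048)]
    print(split_port_range(1024, 2048))            # [(1024, 6), (2048, 16)]
    print(run_negotiation(initiator, responder)[0])  # accept port negotiation
    print(run_negotiation(initiator, initiator[:1])[0])  # reject port negotiation
```

On a rejection neither side has touched its kernel SA table, which is the property worth checking: the text ends the negotiation at that point, and an implementation that installed the SA before reading the response would leave a one-sided selector in place.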
Corresponding with the aforementioned port negotiation embodiment of the method based on IKE agreement, the present invention also provides be based on IKE agreement Port negotiation device embodiment.
The present invention is based on the embodiments of the port negotiation device of IKE agreement can apply in the network equipment or terminal device On.Installation practice can also be realized by software realization by way of hardware or software and hardware combining.With software reality For existing, as the device on a logical meaning, being will be right in nonvolatile memory by the processor of equipment where it The computer program instructions answered are read into memory what operation was formed.For hardware view, as shown in fig. 6, being base of the present invention A kind of hardware structure diagram of equipment where the port negotiation device of IKE agreement, in addition to processor shown in fig. 6, network interface, Except memory and nonvolatile memory, the equipment in embodiment where device usually can also include other hardware, such as negative The forwarding chip etc. of duty processing message;The equipment is also possible to be distributed equipment from hardware configuration, may include Multiple interface cards, to carry out the extension of Message processing in hardware view.
Referring to Fig. 7, for the present invention is based on one embodiment block diagram of the port negotiation device of IKE agreement, described device can To apply on negotiating response apparatus, described device includes: configuration unit 71, negotiation element 72, receiving unit 73 and lower bill Member 74.
Wherein, configuration unit 71 is used to configure in the protection network segment when negotiating the protection network segment in the IKE agreement First port information, the port information includes segment port or port range;
Negotiation element 72 is used to generate, according to a preset extension payload data format, a negotiation initiation message carrying the first port information, and to send the negotiation initiation message to the negotiation response device, so that the negotiation response device judges whether the first port information carried in the negotiation initiation message is identical to the second port information configured by itself, and generates a negotiation response message according to the judgement result;
Receiving unit 73 is used to receive the negotiation response message returned by the negotiation response device.
Issuing unit 74 is used to deliver the security association corresponding to the first port information to the kernel when the negotiation response message indicates that the negotiation response device accepts the port negotiation.
In an optional implementation, the port information is a port segment, and negotiation element 72 is further used to generate the negotiation initiation message carrying the port segment according to the extension payload data format corresponding to the port segment, where the extension payload data format corresponding to the port segment includes a port and a port mask.
In another optional implementation, the port information is a port range, and negotiation element 72 is further used to generate the negotiation initiation message carrying the port range according to the extension payload data format corresponding to the port range, where the extension payload data format corresponding to the port range includes a start port and an end port.
Referring to Fig. 8, which is a block diagram of another embodiment of the IKE-protocol-based port negotiation device of the present invention, the device can be applied on a negotiation response device and includes: configuration unit 81, receiving unit 82, negotiation element 83 and issuing unit 84.
Configuration unit 81 is used to configure, when negotiating the protected network segment in the IKE protocol, the first port information in the protected network segment, where the first port information includes a first port segment or a first port range.
Receiving unit 82 is used to receive the negotiation initiation message sent by the negotiation initiating device, where the negotiation initiation message carries the second port information configured by the negotiation initiating device, and the second port information includes a second port segment or a second port range.
Negotiation element 83 is used to judge whether the second port information carried in the negotiation initiation message is identical to the first port information configured by itself, and to generate a negotiation response message according to the judgement result.
Issuing unit 84 is used to send the negotiation response message to the negotiation initiating device and, when the device itself accepts the port negotiation, to deliver the security association corresponding to the first port information to the kernel.
In an optional implementation, negotiation element 83 is further used as follows: when the judgement result is that the second port information carried in the negotiation response message is identical to the first port information configured by itself, the negotiation response message generated according to the judgement result indicates that the device accepts the port negotiation; when the judgement result is that the port information carried in the negotiation response message differs from the port information configured by itself, the negotiation response message generated according to the judgement result indicates that the device rejects the port negotiation.
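The two extension payload formats from the optional implementations above (port segment = port and mask; port range = start and end port) together with negotiation element 83's identical-or-reject check, as an added Python example that is not part of the patent. The byte layout, type codes and response codes are assumptions, since the patent names the fields but not their encoding; the example also goes beyond the text by splitting a port range into the port segments the claims say a range can be split into.

```python
# Added example (not the patent's own code). Byte layout, type codes and
# response codes are assumptions; the patent names the fields, not the encoding.
import struct
from typing import List, Tuple

PORT_SEGMENT, PORT_RANGE = 1, 2          # assumed type codes
ACCEPT, REJECT = b"\x01", b"\x00"        # assumed response message bodies


def encode_port_info(kind: int, a: int, b: int) -> bytes:
    """Build the extension payload: 1-byte type + two big-endian 16-bit fields
    (port, mask) for a segment or (start, end) for a range."""
    for v in (a, b):
        if not 0 <= v <= 0xFFFF:
            raise ValueError("port field out of 16-bit range")
    if kind == PORT_SEGMENT and a & ~b & 0xFFFF:
        raise ValueError("segment port has bits outside its mask")
    if kind == PORT_RANGE and a > b:
        raise ValueError("range start exceeds end")
    return struct.pack("!BHH", kind, a, b)


def decode_port_info(payload: bytes) -> Tuple[int, int, int]:
    """Parse a payload, rejecting truncated data or an unknown type."""
    if len(payload) != 5:
        raise ValueError("bad payload length")
    kind, a, b = struct.unpack("!BHH", payload)
    if kind not in (PORT_SEGMENT, PORT_RANGE):
        raise ValueError("unknown port information type")
    return kind, a, b


def responder_judge(initiation_payload: bytes,
                    local: Tuple[int, int, int]) -> bytes:
    """Responder side: accept only when the carried port information is
    identical to the locally configured first port information; anything
    else (including a malformed payload) is a rejection."""
    try:
        carried = decode_port_info(initiation_payload)
    except ValueError:
        return REJECT
    return ACCEPT if carried == local else REJECT


def split_range_into_segments(start: int, end: int) -> List[Tuple[int, int]]:
    """Split an inclusive port range into the fewest (port, mask) segments,
    the same aggregation used for IP prefixes but over 16-bit port numbers."""
    segs = []
    while start <= end:
        size = 1
        # grow the block while it stays aligned and inside the range
        while start % (size * 2) == 0 and start + size * 2 - 1 <= end:
            size *= 2
        segs.append((start, (0x10000 - size) & 0xFFFF))
        start += size
    return segs
```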
The implementation process of the functions and effects of each unit in the above device is described in detail in the implementation process of the corresponding steps of the above method, and is not repeated here.
Since the device embodiment substantially corresponds to the method embodiment, reference may be made to the partial description of the method embodiment for relevant points. The device embodiments described above are merely illustrative; the units described as separate components may or may not be physically separate, and a component shown as a unit may or may not be a physical unit, that is, it may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the objectives of the solution of the present invention. Those of ordinary skill in the art can understand and implement it without creative effort.
As can be seen from the above embodiments, when negotiating the protected network segment, negotiation of port segments and port ranges can be supported, thereby reducing the performance consumption of the negotiating devices and facilitating user configuration and management.
Other embodiments of the invention will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed here. This application is intended to cover any variations, uses, or adaptations of the invention that follow its general principles and include such departures from the present disclosure as come within known or customary practice in the art. The specification and examples are to be considered as illustrative only, with the true scope and spirit of the invention being indicated by the following claims.
It should be understood that the present invention is not limited to the precise structure described above and shown in the accompanying drawings, and that various modifications and changes may be made without departing from its scope. The scope of the invention is limited only by the appended claims.

Claims (10)

1. A port negotiation method based on the Internet Key Exchange (IKE) protocol, characterized in that the method is applied on a negotiation initiating device and comprises:
when negotiating the protected network segment in the IKE protocol, configuring first port information in the protected network segment, the port information including a first port segment or a first port range, wherein a port range can be split into multiple port segments;
generating, according to a preset extension payload data format, a negotiation initiation message carrying the first port information, and sending the negotiation initiation message to a negotiation response device, so that the negotiation response device judges whether the first port information carried in the negotiation initiation message is identical to second port information configured by itself, and generates a negotiation response message according to the judgement result;
receiving the negotiation response message returned by the negotiation response device;
when the negotiation response message indicates that the negotiation response device accepts the port negotiation, delivering the security association corresponding to the first port information to the kernel.
2. The method according to claim 1, characterized in that the port information is a port segment, and generating the negotiation initiation message carrying the port information according to the preset extension payload data format specifically comprises:
generating the negotiation initiation message carrying the port segment according to the extension payload data format corresponding to the port segment, where the extension payload data format corresponding to the port segment includes a port and a port mask.
3. The method according to claim 1, characterized in that the port information is a port range, and generating the negotiation initiation message carrying the port information according to the preset extension payload data format specifically comprises:
generating the negotiation initiation message carrying the port range according to the extension payload data format corresponding to the port range, where the extension payload data format corresponding to the port range includes a start port and an end port.
4. A port negotiation method based on the IKE protocol, characterized in that the method is applied on a negotiation response device and comprises:
when negotiating the protected network segment in the IKE protocol, configuring first port information in the protected network segment, the first port information including a first port segment or a first port range, wherein a first port range can be split into multiple first port segments;
receiving a negotiation initiation message sent by a negotiation initiating device, the negotiation initiation message carrying second port information configured by the negotiation initiating device, the second port information including a second port segment or a second port range, wherein a second port range can be split into multiple second port segments;
judging whether the second port information carried in the negotiation initiation message is identical to the first port information configured by itself, and generating a negotiation response message according to the judgement result;
sending the negotiation response message to the negotiation initiating device, and when the device itself accepts the port negotiation, delivering the security association corresponding to the first port information to the kernel.
5. The method according to claim 4, characterized in that generating the negotiation response message according to the judgement result specifically comprises:
when the judgement result is that the second port information carried in the negotiation response message is identical to the first port information configured by itself, the negotiation response message generated according to the judgement result indicates that the device accepts the port negotiation;
when the judgement result is that the port information carried in the negotiation response message differs from the port information configured by itself, the negotiation response message generated according to the judgement result indicates that the device rejects the port negotiation.
6. A port negotiation device based on the IKE protocol, characterized in that the device is applied on a negotiation initiating device and comprises:
a configuration unit, for configuring, when negotiating the protected network segment in the IKE protocol, first port information in the protected network segment, the port information including a port segment or a port range, wherein a port range can be split into multiple port segments;
a negotiation element, for generating, according to a preset extension payload data format, a negotiation initiation message carrying the first port information, and sending the negotiation initiation message to a negotiation response device, so that the negotiation response device judges whether the first port information carried in the negotiation initiation message is identical to second port information configured by itself, and generates a negotiation response message according to the judgement result;
a receiving unit, for receiving the negotiation response message returned by the negotiation response device;
an issuing unit, for delivering the security association corresponding to the first port information to the kernel when the negotiation response message indicates that the negotiation response device accepts the port negotiation.
7. The device according to claim 6, characterized in that the port information is a port segment, and the negotiation element is further used to generate the negotiation initiation message carrying the port segment according to the extension payload data format corresponding to the port segment, where the extension payload data format corresponding to the port segment includes a port and a port mask.
8. The device according to claim 6, characterized in that the port information is a port range, and the negotiation element is further used to generate the negotiation initiation message carrying the port range according to the extension payload data format corresponding to the port range, where the extension payload data format corresponding to the port range includes a start port and an end port.
9. A port negotiation device based on the IKE protocol, characterized in that the device is applied on a negotiation response device and comprises:
a configuration unit, for configuring, when negotiating the protected network segment in the IKE protocol, first port information in the protected network segment, the first port information including a first port segment or a first port range, wherein a first port range can be split into multiple first port segments;
a receiving unit, for receiving a negotiation initiation message sent by a negotiation initiating device, the negotiation initiation message carrying second port information configured by the negotiation initiating device, the second port information including a second port segment or a second port range, wherein a second port range can be split into multiple second port segments;
a negotiation element, for judging whether the second port information carried in the negotiation initiation message is identical to the first port information configured by itself, and generating a negotiation response message according to the judgement result;
an issuing unit, for sending the negotiation response message to the negotiation initiating device and, when the device itself accepts the port negotiation, delivering the security association corresponding to the first port information to the kernel.
10. The device according to claim 9, characterized in that the negotiation element is further used as follows: when the judgement result is that the second port information carried in the negotiation response message is identical to the first port information configured by itself, the negotiation response message generated according to the judgement result indicates that the device accepts the port negotiation; when the judgement result is that the port information carried in the negotiation response message differs from the port information configured by itself, the negotiation response message generated according to the judgement result indicates that the device rejects the port negotiation.
CN201510278332.0A 2015-05-27 2015-05-27 Port negotiation method and device based on IKE agreement Active CN105991636B (en)

Publications (2)

Publication Number Publication Date
CN105991636A CN105991636A (en) 2016-10-05
CN105991636B true CN105991636B (en) 2019-04-09

Family

ID=57040154

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building

Applicant after: Hangzhou Dipu Polytron Technologies Inc

Address before: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building

Applicant before: Hangzhou Dipu Technology Co., Ltd.

COR Change of bibliographic data
GR01 Patent grant