CN106170949A - Dead peer detection method, IPsec peer and network device - Google Patents


Publication number: CN106170949A
Application number: CN201480035206.6A
Other versions: CN106170949B (en)
Authority: CN (China)
Original language: Chinese (zh)
Inventor: 周桓
Original and current assignee: Huawei Technologies Co Ltd
Legal status: granted; active
Prior art keywords: ipsec, peer, detected, peers, dpd

Classifications

    • H04L9/40 Network security protocols (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols)
    • H04L43/00 Arrangements for monitoring or testing data switching networks (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the present invention provide a dead peer detection method, an IPsec peer and a network device. The method includes: a first IPsec peer determines, according to a detection trigger condition, whether at least one IPsec SA to be detected exists among its inbound IPsec SAs; if so, the first IPsec peer sends to a second IPsec peer a dead peer detection (DPD) message for each IPsec SA to be detected, each DPD message being encrypted with the encryption key corresponding to the IKE SA and carrying the identification information of the IPsec SA to be detected; according to the DPD response messages received, the first IPsec peer determines whether each IPsec SA to be detected is abnormal. The first IPsec peer can thus determine the state of each IPsec SA to be detected promptly and accurately, which improves the reliability of communication between IPsec peers.

Description

Dead peer detection method, IPsec peer and network device

Technical field
The embodiments of the present invention relate to the field of wireless communication technology, and in particular to a dead peer detection method, an IPsec peer and a network device.
Background
To secure communication between communicating peers, a common approach is to use the Internet Protocol Security (IPsec) protocol suite between them; the communicating peers are then called IPsec peers. Using IPsec requires the support of the Internet Key Exchange (IKE) protocol: when IPsec communication between the peers is set up, IKE negotiates the IPsec Security Associations (IPsec SAs) and the corresponding encryption keys needed to encrypt IP packets. In brief, IKE establishes IPsec SAs in two phases. In the first phase the peers negotiate an IKE SA, a secure channel between the two IKE peers; in the second phase the IPsec SAs that actually encrypt data packets are established on the basis of that IKE SA.
Because IKE runs over UDP, it is connectionless. If one peer, say PEER2, suffers a transient network outage (a network flap) so that the link from the other peer PEER1 to PEER2 becomes unreachable, PEER1 is not informed of this because of the connectionless nature of the protocol; it keeps sending data packets over the IKE SA it shares with PEER2, but those transmissions are in fact futile because the destination is unreachable. To avoid such invalid data communication between IPsec peers, the prior art uses a Dead Peer Detection (DPD) mechanism to detect whether the IKE SA between the IPsec peers is abnormal. Briefly, the DPD mechanism works as follows: if PEER1's idle timer expires and PEER1 has still not received any encrypted data packet from its peer PEER2, PEER1 starts DPD and sends a DPD probe message (R-U-THERE) to PEER2. If PEER1 does not receive an acknowledgement from PEER2 within a second preset period, it determines that the IKE SA with PEER2 is abnormal and renegotiates the IKE SA.
In practice, however, there are often multiple communication processes, or multiple services, between a pair of IPsec peers. Each service corresponds to a different IPsec SA, and these IPsec SAs may all belong to the same IKE SA, i.e. there is a one-to-many relationship between an IKE SA and its IPsec SAs. Multiple IPsec SAs may therefore exist between PEER1 and PEER2, and when the transmission link is abnormal, for example flaps, some of the IPsec SAs between PEER1 and PEER2 may remain normal while others become abnormal. With the existing DPD mechanism, because some IPsec SAs are still normal, PEER1's DPD result for the IKE SA with PEER2 is "normal", and the state of the individual IPsec SAs cannot be detected. PEER1 therefore keeps using the abnormal IPsec SAs for the corresponding services, which causes communication failures, and may wrongly apply a corresponding handling strategy such as service hosting, so that communication reliability is substantially reduced.
Summary of the invention
In view of this, embodiments of the present invention provide a dead peer detection method, an IPsec peer and a network device, to overcome the defect that existing DPD cannot detect the state of the individual IPsec SAs between IPsec peers and therefore tends to lower the reliability of communication between IPsec peers.
In a first aspect, embodiments of the present invention provide a dead peer detection method, including:
a first Internet Protocol Security (IPsec) peer determines, according to a detection trigger condition, whether at least one IPsec SA to be detected exists among its inbound IPsec SAs;
if so, the first IPsec peer sends to a second IPsec peer a dead peer detection (DPD) message for each IPsec SA to be detected; wherein each inbound IPsec SA was generated by the first IPsec peer and the second IPsec peer on the basis of a previously negotiated IKE SA and is used to encrypt the corresponding data packets sent from the second IPsec peer to the first IPsec peer; each DPD message carries identification information of the IPsec SA to be detected that it corresponds to, and is encrypted with the encryption key corresponding to the IKE SA;
the first IPsec peer determines, according to the DPD response messages received within a first preset time, whether each IPsec SA to be detected is abnormal.
In a first possible implementation of the first aspect, the first IPsec peer determining, according to the detection trigger condition, whether at least one IPsec SA to be detected exists among its inbound IPsec SAs includes:
the first IPsec peer determines whether the idle timer corresponding to each inbound IPsec SA has reached a second preset time;
if the second preset time is reached and the first IPsec peer has received no data packet encrypted by the second IPsec peer with that inbound IPsec SA, the first IPsec peer determines that the inbound IPsec SA is an IPsec SA to be detected.
With reference to the first aspect or its first possible implementation, in a second possible implementation of the first aspect, the first IPsec peer determining whether each IPsec SA to be detected is abnormal according to the DPD response messages received within the first preset time includes:
when the first IPsec peer receives at least one DPD response message within the first preset time, it determines that each IPsec SA to be detected whose identification information matches the IPsec SA identification information carried in one of the received DPD response messages is normal, and that the other IPsec SAs to be detected are abnormal;
or, the first IPsec peer determining whether each IPsec SA to be detected is abnormal according to the DPD response messages received within the first preset time includes:
when the first IPsec peer receives no DPD response message within the first preset time, it determines that every IPsec SA to be detected is abnormal.
In a second aspect, embodiments of the present invention provide a dead peer detection method, including:
a second IPsec peer receives the dead peer detection (DPD) messages, one for each IPsec SA to be detected, sent by a first IPsec peer;
wherein the DPD messages are sent when the first IPsec peer determines, according to a detection trigger condition, that at least one IPsec SA to be detected exists among its inbound IPsec SAs; each inbound IPsec SA was generated by the first IPsec peer and the second IPsec peer on the basis of a previously negotiated IKE SA and is used to encrypt the corresponding data packets sent from the second IPsec peer to the first IPsec peer; each DPD message carries identification information of the IPsec SA to be detected that it corresponds to, and is encrypted with the encryption key corresponding to the IKE SA;
the second IPsec peer parses each DPD message to obtain the identification information of the IPsec SA to be detected that it carries, and determines whether each IPsec SA to be detected is valid;
if any valid IPsec SA to be detected exists, the second IPsec peer sends to the first IPsec peer, within a first preset time, a DPD response message for each valid IPsec SA to be detected, so that the first IPsec peer determines from the DPD response messages whether each IPsec SA to be detected is abnormal.
In a third aspect, embodiments of the present invention provide an IPsec peer, including:
a determining module, configured to determine, according to a detection trigger condition, whether at least one IPsec SA to be detected exists among the inbound IPsec SAs;
a sending module, configured to send to another IPsec peer, when the determining module determines that at least one IPsec SA to be detected exists, a dead peer detection (DPD) message for each IPsec SA to be detected; wherein each inbound IPsec SA was generated by the IPsec peer and the other IPsec peer on the basis of a previously negotiated IKE SA and is used to encrypt the corresponding data packets sent from the other IPsec peer to the IPsec peer; each DPD message carries identification information of the IPsec SA to be detected that it corresponds to, and is encrypted with the encryption key corresponding to the IKE SA;
the determining module is further configured to determine, according to the DPD response messages received within a first preset time, whether each IPsec SA to be detected is abnormal.
In a first possible implementation of the third aspect, the determining module is further configured to:
determine whether the idle timer corresponding to each inbound IPsec SA has reached a second preset time;
if the second preset time is reached and the IPsec peer has received no data packet encrypted by the other IPsec peer with that inbound IPsec SA, determine that the inbound IPsec SA is an IPsec SA to be detected.
With reference to the third aspect or its first possible implementation, in a second possible implementation of the third aspect, the determining module is further configured to:
when the IPsec peer receives at least one DPD response message within the first preset time, determine that each IPsec SA to be detected whose identification information matches the IPsec SA identification information carried in one of the received DPD response messages is normal, and that the other IPsec SAs to be detected are abnormal;
or, the determining module is further configured to:
when the IPsec peer receives no DPD response message within the first preset time, determine that every IPsec SA to be detected is abnormal.
In a fourth aspect, embodiments of the present invention provide another IPsec peer, including:
a receiving module, configured to receive the dead peer detection (DPD) messages, one for each IPsec SA to be detected, sent by another IPsec peer;
wherein the DPD messages are sent when the other IPsec peer determines, according to a detection trigger condition, that at least one IPsec SA to be detected exists among its inbound IPsec SAs; each inbound IPsec SA was generated by the other IPsec peer and the IPsec peer on the basis of a previously negotiated IKE SA and is used to encrypt the corresponding data packets sent from the IPsec peer to the other IPsec peer; each DPD message carries identification information of the IPsec SA to be detected that it corresponds to, and is encrypted with the encryption key corresponding to the IKE SA;
a processing module, configured to parse each DPD message to obtain the identification information of the IPsec SA to be detected that it carries, and to determine whether each IPsec SA to be detected is valid;
a sending module, configured to send to the other IPsec peer, within a first preset time, a DPD response message for each valid IPsec SA to be detected when the processing module determines that a valid IPsec SA to be detected exists, so that the other IPsec peer determines from the DPD response messages whether each IPsec SA to be detected is abnormal.
In a fifth aspect, embodiments of the present invention provide a network device, including:
a memory, a transmitter and a processor, connected by a bus; wherein the memory stores a set of program code, and the processor calls the program code stored in the memory to determine, according to a detection trigger condition, whether at least one IPsec SA to be detected exists among the inbound IPsec SAs and, when it determines that at least one IPsec SA to be detected exists, to send a control instruction to the transmitter;
the transmitter is configured to send to another network device, according to the control instruction, a dead peer detection (DPD) message for each IPsec SA to be detected; wherein each inbound IPsec SA was generated by the network device and the other network device on the basis of a previously negotiated IKE SA and is used to encrypt the corresponding data packets sent from the other network device to the network device; each DPD message carries identification information of the IPsec SA to be detected that it corresponds to, and is encrypted with the encryption key corresponding to the IKE SA;
the processor is further configured to determine, according to the DPD response messages received within a first preset time, whether each IPsec SA to be detected is abnormal.
In a first possible implementation of the fifth aspect, the processor is further configured to:
determine whether the idle timer corresponding to each inbound IPsec SA has reached a second preset time;
if the second preset time is reached and the network device has received no data packet encrypted by the other network device with that inbound IPsec SA, determine that the inbound IPsec SA is an IPsec SA to be detected.
With reference to the fifth aspect or its first possible implementation, in a second possible implementation of the fifth aspect, the network device further includes:
a receiver connected to the bus, configured to receive at least one DPD response message sent by the other network device within the first preset time;
the processor is further configured to determine that each IPsec SA to be detected whose identification information matches the IPsec SA identification information carried in one of the received DPD response messages is normal, and that the other IPsec SAs to be detected are abnormal;
or, the processor is further configured to:
when the receiver receives no DPD response message within the first preset time, determine that every IPsec SA to be detected is abnormal.
In a sixth aspect, embodiments of the present invention provide another network device, including:
a memory, a transmitter, a receiver and a processor, connected by a bus;
the receiver is configured to receive the dead peer detection (DPD) messages, one for each IPsec SA to be detected, sent by another network device;
wherein the DPD messages are sent when the other network device determines, according to a detection trigger condition, that at least one IPsec SA to be detected exists among its inbound IPsec SAs; each inbound IPsec SA was generated by the other network device and the network device on the basis of a previously negotiated IKE SA and is used to encrypt the corresponding data packets sent from the network device to the other network device; each DPD message carries identification information of the IPsec SA to be detected that it corresponds to, and is encrypted with the encryption key corresponding to the IKE SA;
the memory stores a set of program code, and the processor calls the program code stored in the memory to parse each DPD message to obtain the identification information of the IPsec SA to be detected that it carries, to determine whether each IPsec SA to be detected is valid and, when it determines that a valid IPsec SA to be detected exists, to send a control instruction to the transmitter;
the transmitter is configured to send to the other network device, within a first preset time, a DPD response message for each valid IPsec SA to be detected, so that the other network device determines from the DPD response messages whether each IPsec SA to be detected is abnormal.
With the dead peer detection method, IPsec peer and network device provided by embodiments of the present invention, a first IPsec peer, after determining that at least one of its inbound IPsec SAs meets the detection trigger condition and is therefore an IPsec SA to be detected, sends to a second IPsec peer a DPD message for each IPsec SA to be detected, each encrypted with the encryption key corresponding to the IKE SA that the IPsec SAs to be detected share. Because each DPD message carries the identification information of the IPsec SA to be detected that it targets, the second IPsec peer, after parsing out that identification information, can determine whether each IPsec SA to be detected is abnormal, and the first IPsec peer can in turn determine the state of each IPsec SA to be detected promptly and accurately from the DPD response messages the second IPsec peer returns, repair abnormal IPsec SAs in time, and so improve the reliability of communication between the IPsec peers.
Brief description of the drawings
Fig. 1 is a flowchart of the dead peer detection method provided by an embodiment of the present invention;
Fig. 2 is a schematic diagram of the working principle corresponding to the embodiment shown in Fig. 1;
Fig. 3 is a schematic diagram of the working principle of the existing DPD method;
Fig. 4 is a schematic diagram of the structure of the DPD message in the embodiment shown in Fig. 1;
Fig. 5 is a flowchart of the dead peer detection method provided by another embodiment of the present invention;
Fig. 6 is a schematic diagram of the structure of the IPsec peer provided by an embodiment of the present invention;
Fig. 7 is a schematic diagram of the structure of the IPsec peer provided by another embodiment of the present invention;
Fig. 8 is a schematic diagram of the structure of the network device provided by an embodiment of the present invention;
Fig. 9 is a schematic diagram of the structure of the network device provided by another embodiment of the present invention.
Detailed description
To make the purpose, technical solution and advantages of the embodiments of the present invention clearer, the technical solution in the embodiments is described below clearly and completely with reference to the accompanying drawings. The described embodiments are evidently only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Fig. 1 is a flowchart of the dead peer detection method provided by an embodiment of the present invention. First, the basic principle on which the DPD method of this embodiment rests is introduced with reference to Fig. 2, which is a schematic diagram of the working principle corresponding to the embodiment of Fig. 1. As shown in Fig. 2, multiple IPsec SAs exist between the two IPsec peers PEER1 and PEER2, for example the three shown in Fig. 2: SA1, SA2 and SA3. Taking a real application scenario as an example, suppose PEER1 is an evolved base station (eNodeB) that communicates with other equipment through a Security Gateway (SeGW) acting as PEER2; the other equipment may be core network equipment such as a Mobility Management Entity (MME), a network management device, another base station and so on, without particular limitation. Suppose SA1, SA2 and SA3 in Fig. 2 are the IPsec SAs established between the eNodeB and the SeGW for the signalling, service and maintenance protocols respectively. In practice, because of a network flap such as an abnormality of the transmission link from PEER1 to PEER2 or a failure of PEER2, it may happen that one pair of IPsec SAs between PEER1 and PEER2 is normal while the other IPsec SAs are abnormal.
Still using the above scenario, the eNodeB establishes connections with several devices: core network equipment such as the MME, a network management device and another base station. It may happen that the eNodeB cannot reach the MME (corresponding, for example, to SA1 in Fig. 2), but can reach the network management device (corresponding, for example, to SA2 in Fig. 2) and the other base station (corresponding, for example, to SA3 in Fig. 2).
In this case, with the prior-art DPD, the DPD detection between the eNodeB and the SeGW reports normal: even though the MME is unreachable, the other devices are reachable, so the eNodeB cannot learn that one particular IPsec SA is abnormal. Fig. 3 is a schematic diagram of the working principle of the existing DPD method: although there are multiple IPsec SAs between PEER1 and PEER2, there is only one DPD detection path, so it is impossible to know which specific IPsec SA is abnormal. The existing peer-level DPD result indicates normal while the eNodeB's services or maintenance are in fact abnormal, which causes the eNodeB to perform service hosting or to report a service fault.
Therefore, as shown in Fig. 2, the method provided by this embodiment aims to detect whether the state of each IPsec SA between PEER1 and PEER2 is abnormal. Its main idea is that the state of each pair of IPsec SAs between PEER1 and PEER2 is independent: when PEER1 needs to detect the state of each pair of IPsec SAs with PEER2, it sends a separate DPD message (R-U-THERE) on each pair of IPsec SAs, so that it can quickly and accurately detect whether any IPsec SA between PEER1 and PEER2 is abnormal. In the example above, the eNodeB can accurately detect which of SA1, SA2 and SA3, used for signalling, service and maintenance respectively with the SeGW, is abnormal, and on the basis of that accurate result quickly repair the abnormal IPsec SA, avoiding service hosting on the eNodeB and the resulting outage.
The detailed flow of the DPD method based on IPsec SAs provided by this embodiment is described below. As shown in Fig. 1, the method includes:
Step 101: the first IPsec peer determines, according to a detection trigger condition, whether at least one IPsec SA to be detected exists among its inbound IPsec SAs; if so, step 102 is executed, otherwise the method ends.
Step 102: the first IPsec peer sends to the second IPsec peer a dead peer detection (DPD) message for each IPsec SA to be detected;
wherein each inbound IPsec SA was generated by the first IPsec peer and the second IPsec peer on the basis of a previously negotiated IKE SA and is used to encrypt the corresponding data packets sent from the second IPsec peer to the first IPsec peer; each DPD message carries identification information of the IPsec SA to be detected that it corresponds to, and is encrypted with the encryption key corresponding to the IKE SA;
Step 103: the first IPsec peer determines, according to the DPD response messages received within a first preset time, whether each IPsec SA to be detected is abnormal.
In this embodiment, the first IPsec peer is denoted PEER1 and may be, for example, an eNodeB; the second IPsec peer is denoted PEER2 and may be, for example, a SeGW. Taking Fig. 2 as the example, suppose there are three inbound IPsec SAs, SA1, SA2 and SA3, between PEER1 and PEER2, and, as illustrated above, that SA1, SA2 and SA3 are the inbound IPsec SAs established between the eNodeB and the SeGW for the signalling, service and maintenance protocols respectively. That is, the SeGW encrypts the signalling messages it sends to the eNodeB with SA1, the service data it sends to the eNodeB with SA2, and the maintenance messages it sends to the eNodeB with SA3. All three inbound IPsec SAs are generated on the basis of the same IKE SA. The process by which peers negotiate an IKE SA and establish IPsec SAs is prior art and is not repeated in this embodiment.
It should be noted that, besides inbound IPsec SAs, there are also outbound IPsec SAs between PEER1 and PEER2, i.e. the two directions of data communication between PEER1 and PEER2 use different IPsec SAs. This embodiment is illustrated with PEER1 as the entity that executes the detection method; it will be understood that the case where PEER2 executes it is similar and is not described again. It will further be understood that PEER1 does not need to detect the outbound direction, i.e. the outbound IPsec SAs, because if PEER1 itself fails and its current outbound IPsec SAs become invalid, it can itself restart the negotiation process that establishes new outbound IPsec SAs; PEER1 therefore only needs to detect the inbound IPsec SAs.
To enable PEER1 to detect the state of each inbound IPsec SA with PEER2 while keeping the overhead of detection as low as possible, PEER1 first needs to determine when to start detection. This embodiment provides a detection trigger condition: only when PEER1 determines, according to the detection trigger condition, that at least one IPsec SA to be detected exists among its inbound IPsec SAs does it start detection and send DPD messages to PEER2.
PEER1 can determine whether at least one IPsec SA to be detected exists among its inbound IPsec SAs in the following way:
PEER1 determines whether the idle timer corresponding to each inbound IPsec SA has reached the second preset time;
if the second preset time is reached and PEER1 has received no data packet encrypted by PEER2 with a given inbound IPsec SA, PEER1 determines that that inbound IPsec SA is an IPsec SA to be detected.
Specifically, each inbound IPsec SA has a corresponding idle timer, whose role is to decide whether a DPD message needs to be initiated. Taking SA1 as an example: if at some moment PEER1 receives a data packet that PEER2 encrypted with SA1, PEER1 resets SA1's idle timer when that packet arrives and restarts timing from that moment; if within the preset time no further data packet encrypted by PEER2 with SA1 arrives, PEER1 determines that SA1 is an IPsec SA to be detected and needs to send a DPD message for SA1 to PEER2 to detect whether SA1 is abnormal. It should be noted that the timer lengths, i.e. the preset times, used by the idle timers of the different inbound IPsec SAs may be the same or different.
For SA1, SA2 and SA3 above, assume that, according to its analysis of the data packets received, PEER1 determines when the respective idle timers expire that SA2 and SA3 need to be detected.
PEER1 then needs to send two DPD messages to PEER2, corresponding to SA2 and SA3 respectively; call the DPD message that detects the state of SA2 "DPD message 2" and the one that detects the state of SA3 "DPD message 3". In this embodiment the DPD message uses the structure shown in Fig. 4, in which the Security Parameter Index (SPI) field uniquely identifies an IPsec SA; assume that SA2 is identified by SPI2 and SA3 by SPI3. Because the SPI field of a DPD message uniquely identifies the IPsec SA the message is for, PEER2 can tell, on receiving the DPD message, which IPsec SA to be detected it concerns, and so determine the state of that IPsec SA. In addition, in this embodiment each DPD message is sent encrypted, i.e. as ciphertext; specifically, the encryption key used for the DPD messages is the key corresponding to the IKE SA on the basis of which the inbound IPsec SAs were generated, that is, the encryption key produced in the first negotiation phase.
In the message structure shown in Fig. 4, the Next Payload and RESERVED fields are both set to zero; the Domain of Interpretation (DOI) field is set to the IPsec DOI; the Protocol-ID field is set to the protocol number of the Internet Security Association and Key Management Protocol (ISAKMP); the Notify Message Type field is set to R-U-THERE, which describes the purpose of the DPD message, namely detecting the state of an IPsec SA; and the Notification Data field is set to the sequence number of the DPD message.
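As an added illustration (not code from the patent), the following Python encoder and strict parser produce and check the per-SA DPD notification payload laid out above. The field layout follows the ISAKMP notification payload of RFC 2408; the numeric values (IPsec DOI = 1, Protocol-ID PROTO_ISAKMP = 1, R-U-THERE = 36136, R-U-THERE-ACK = 36137) come from RFC 2407 and RFC 3706, since the page names the fields but not their values. The function names and the 4-byte SPI size are this example's own choices, and the encryption of the payload under the IKE SA key described above is not modelled: the block produces and parses the plaintext payload only.

```python
"""Encoder/decoder for the per-SA DPD notification payload of Fig. 4.

Added illustration, not the patent's code. Numeric values come from RFC 2408
(notification payload layout), RFC 2407 (IPsec DOI = 1, PROTO_ISAKMP = 1) and
RFC 3706 (R-U-THERE / R-U-THERE-ACK). Encryption under the IKE SA key is not
modelled; only the plaintext payload is built and parsed.
"""
import struct

IPSEC_DOI = 1            # RFC 2407: Domain of Interpretation for IPsec
PROTO_ISAKMP = 1         # RFC 2407: Protocol-ID value for ISAKMP
R_U_THERE = 36136        # RFC 3706 notify message types
R_U_THERE_ACK = 36137
IPSEC_SPI_LEN = 4        # an ESP/AH SPI is 32 bits (assumption: this is what the SPI field carries)

# Fixed part of the ISAKMP notification payload (RFC 2408, section 3.14):
# Next Payload | RESERVED | Payload Length | DOI | Protocol-ID | SPI Size | Notify Message Type
_FIXED = struct.Struct("!BBHIBBH")


def build_dpd_notify(ipsec_spi: int, seq: int, ack: bool = False) -> bytes:
    """Build one DPD message (or its ACK) aimed at a single IPsec SA.

    Departure from plain RFC 3706, as the patent describes it: the SPI field carries
    the SPI of the IPsec SA under test rather than the IKE cookies, so the responder
    can tell which SA the probe is about.
    """
    if not 0 <= ipsec_spi < 2**32 or not 0 <= seq < 2**32:
        raise ValueError("SPI and sequence number must be unsigned 32-bit values")
    spi = struct.pack("!I", ipsec_spi)
    data = struct.pack("!I", seq)                # Notification Data = DPD sequence number
    ntype = R_U_THERE_ACK if ack else R_U_THERE
    length = _FIXED.size + len(spi) + len(data)
    # Next Payload = 0 (none), RESERVED = 0, as in the Fig. 4 description
    return _FIXED.pack(0, 0, length, IPSEC_DOI, PROTO_ISAKMP, len(spi), ntype) + spi + data


def parse_dpd_notify(buf: bytes) -> dict:
    """Strict parser: rejects anything that is not a well-formed per-SA DPD notify."""
    if len(buf) < _FIXED.size:
        raise ValueError("payload shorter than the fixed notification header")
    nxt, reserved, length, doi, proto, spi_size, ntype = _FIXED.unpack_from(buf)
    if length != len(buf):
        raise ValueError("Payload Length does not match the bytes received")
    if reserved != 0 or doi != IPSEC_DOI or proto != PROTO_ISAKMP:
        raise ValueError("not an IPsec-DOI / ISAKMP notification")
    if ntype not in (R_U_THERE, R_U_THERE_ACK):
        raise ValueError("not a DPD notify type")
    if spi_size != IPSEC_SPI_LEN:
        raise ValueError("expected a %d-byte IPsec SPI, got SPI Size %d" % (IPSEC_SPI_LEN, spi_size))
    body = buf[_FIXED.size:]
    if len(body) != IPSEC_SPI_LEN + 4:
        raise ValueError("bad SPI / sequence number length")
    spi = int.from_bytes(body[:IPSEC_SPI_LEN], "big")
    seq = int.from_bytes(body[IPSEC_SPI_LEN:], "big")
    return {"next_payload": nxt, "ack": ntype == R_U_THERE_ACK, "spi": spi, "seq": seq}


def ack_matches(request: bytes, response: bytes) -> bool:
    """An ACK counts only if it names the same SA and echoes the same sequence number;
    a stale ACK, or one for another SA, must not mark the probed SA as alive."""
    req, rsp = parse_dpd_notify(request), parse_dpd_notify(response)
    return (not req["ack"]) and rsp["ack"] and rsp["spi"] == req["spi"] and rsp["seq"] == req["seq"]
```

The check in ack_matches is the caveat a practitioner would want on the initiator side: the page says the response "carries the IPsec SA identifier", and only an ACK that both names the probed SA and echoes the sequence number of the outstanding probe should count, otherwise a delayed ACK for an earlier probe, or one for a different SA, could wrongly keep an SA that is in fact dead.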
After PEER1 sends DPD message 2 and DPD message 3 to PEER2, PEER2 parses each DPD message to obtain the identification information of the IPsec SA to be detected that it carries, obtaining SA2 and SA3 from DPD message 2 and DPD message 3 respectively, and then determines whether SA2 and SA3 are valid. Put simply, PEER2 determines whether SA2 and SA3 are valid by determining whether SA2 and SA3 exist locally. Assume that PEER2's local lookup finds that SA2 exists and SA3 does not. PEER2 then returns a DPD response message (R-U-THERE-ACK) for SA2 to PEER1, i.e. it acknowledges SA2; because SA3 does not exist, no DPD response message is returned for SA3. Thus, if PEER1 receives DPD response messages from PEER2 within a certain first preset time, such as the DPD response message for SA2 above, it determines that the IPsec SAs identified by the IPsec SA identifiers carried in those DPD response messages are normal, and accordingly that the IPsec SAs to be detected that are not identified in any DPD response message, such as SA3 above, are abnormal. PEER1 then deletes the abnormal IPsec SAs, such as SA3, and starts the process of renegotiating and establishing new IPsec SAs. It will be understood that, in the example above, if PEER2 returns no DPD response message for either SA2 or SA3 within the preset time, i.e. PEER1 receives no DPD response message at all, this indicates that neither SA2 nor SA3 exists, and the renegotiation process is started.
It should be noted that in practice the second preset time is generally much longer than the first preset time. Moreover, in an optional embodiment, if PEER1 does not receive a DPD response message from PEER2 within the first preset time, for example the DPD response message for SA2, it may resend DPD message 2 a preset number of times, such as 3; if after 3 attempts the DPD response message for SA2 has still not been received, SA2 is determined to be abnormal.
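The detection procedure of this embodiment, as an added simulation rather than code from the patent: the class, function and constant names (Peer1, Peer2, LossyLink, IDLE_TIMEOUT, MAX_ATTEMPTS) and the timer values are assumptions, and the network, the wait for the ACK within the first preset time and the IKE-SA encryption are collapsed into a direct call that either returns the ACK or returns None. It runs the SA1/SA2/SA3 scenario above with one added twist: the first probe for SA2 is lost, so SA2 survives only because of the retransmission described in the optional embodiment, while SA3, which PEER2 no longer holds, is declared abnormal and deleted.

```python
"""Simulation of per-SA dead peer detection (added example, not the patent's code).

Timer values and names are assumptions. Sending a DPD message, waiting up to the
"first preset time" for its ACK, and the IKE-SA encryption are collapsed into one
synchronous LossyLink.send() call that returns the ACK tuple or None.
"""
from dataclasses import dataclass

IDLE_TIMEOUT = 30.0   # seconds; the "second preset time" of the per-SA idle timer (assumed)
MAX_ATTEMPTS = 3      # probes sent before an unanswered SA is declared abnormal


@dataclass
class InboundSA:
    spi: int
    last_rx: float    # time of the last data packet received under this SA


class Peer2:
    """Responder: validity is a local SA lookup by SPI; it ACKs only SAs it still holds."""

    def __init__(self, known_spis):
        self.known_spis = set(known_spis)

    def handle_r_u_there(self, spi, seq):
        return (spi, seq) if spi in self.known_spis else None


class LossyLink:
    """Constructed channel: drops the first drops[spi] probes for an SPI, then delivers."""

    def __init__(self, peer2, drops=None):
        self.peer2 = peer2
        self.drops = dict(drops or {})

    def send(self, spi, seq):
        if self.drops.get(spi, 0) > 0:
            self.drops[spi] -= 1
            return None                     # no ACK arrives within the first preset time
        return self.peer2.handle_r_u_there(spi, seq)


class Peer1:
    """Initiator: keeps one idle timer per inbound SA and probes only the idle ones."""

    def __init__(self, spis, now):
        self.sas = {spi: InboundSA(spi, now) for spi in spis}
        self.seq = 0

    def on_data_received(self, spi, now):
        self.sas[spi].last_rx = now         # resets the idle timer of that SA only

    def sas_to_probe(self, now):
        """Detection trigger condition: an SA is probed once idle for IDLE_TIMEOUT."""
        return sorted(sa.spi for sa in self.sas.values() if now - sa.last_rx >= IDLE_TIMEOUT)

    def run_dpd(self, link, now):
        """Probe every idle SA; return {spi: "normal" | "abnormal"} and drop the abnormal ones."""
        verdict = {}
        for spi in self.sas_to_probe(now):
            acked = False
            for _ in range(MAX_ATTEMPTS):
                self.seq += 1
                # The ACK must name the same SA and echo the same sequence number
                if link.send(spi, self.seq) == (spi, self.seq):
                    acked = True
                    break
            verdict[spi] = "normal" if acked else "abnormal"
        for spi, state in verdict.items():
            if state == "abnormal":
                del self.sas[spi]           # delete; a replacement SA would then be renegotiated
        return verdict


def demo():
    """SA1 carries traffic, SA2 is idle but alive (first probe lost), SA3 is gone on PEER2."""
    spi1, spi2, spi3 = 0x1001, 0x1002, 0x1003
    peer1 = Peer1([spi1, spi2, spi3], now=0.0)
    peer2 = Peer2([spi1, spi2])             # PEER2 no longer has SA3
    link = LossyLink(peer2, drops={spi2: 1})
    peer1.on_data_received(spi1, now=29.0)  # keeps SA1's idle timer fresh
    now = 31.0
    probed = peer1.sas_to_probe(now)
    verdict = peer1.run_dpd(link, now)
    return probed, verdict, sorted(peer1.sas)


if __name__ == "__main__":
    print(demo())
```

Two points the simulation makes concrete: SA1 is never probed because traffic under it resets its own timer (probing costs nothing for SAs that are demonstrably alive), and a single lost ACK is not the same as a dead SA, which is why the retransmission count matters before an SA is torn down and renegotiated.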
Fig. 5 is a flowchart of a dead peer detection method according to another embodiment of the present invention. As shown in Fig. 5, the method includes:
Step 201: a second IPsec peer receives dead peer detection (DPD) messages sent by a first IPsec peer, each corresponding to one IPsec SA to be detected;
where the DPD messages are sent when the first IPsec peer determines, according to a detection trigger condition, that at least one of the inbound IPsec SAs is an IPsec SA to be detected; each inbound IPsec SA is generated by the first IPsec peer and the second IPsec peer through an IKE SA negotiated in advance and is used to encrypt the data packets sent from the second IPsec peer to the first IPsec peer; each DPD message carries the identification information of the IPsec SA to be detected that corresponds to it, and the DPD message is encrypted with the encryption key corresponding to the IKE SA;
Step 202: the second IPsec peer parses each DPD message to obtain the identification information of the IPsec SA to be detected that it carries, and determines whether each IPsec SA to be detected is valid; if at least one valid IPsec SA to be detected exists, step 203 is performed, otherwise the procedure ends.
Step 203: within a first preset time, the second IPsec peer sends to the first IPsec peer DPD response messages, each corresponding to one of the valid IPsec SAs to be detected, so that the first IPsec peer determines according to the DPD response messages whether each IPsec SA to be detected is abnormal.
In this embodiment the first IPsec peer is denoted PEER1 and the second IPsec peer PEER2. The application scenario is the same as that described for the method embodiment shown in Fig. 1; the present embodiment mainly describes, from the perspective of PEER2, the processing steps performed after the DPD messages sent by PEER1 are received. For the specific implementation, reference may be made to the description of the embodiment of Fig. 1, which is not repeated here.
In the above embodiment, after determining that at least one of the inbound IPsec SAs satisfies the detection trigger condition and is an IPsec SA to be detected, the first IPsec peer sends to the second IPsec peer DPD messages each corresponding to one IPsec SA to be detected, and each DPD message is encrypted with the encryption key corresponding to the IKE SA on which all the IPsec SAs to be detected are based, which ensures the security of the DPD messages. Because each DPD message carries the identification information of the IPsec SA to be detected that it targets, the second IPsec peer, after parsing out that identification information, can determine whether each IPsec SA to be detected is abnormal, so that the first IPsec peer can determine the state of each IPsec SA to be detected promptly and accurately from the DPD response messages returned by the second IPsec peer and repair abnormal IPsec SAs in time, improving the reliability of communication between the IPsec peers.
Fig. 6 is a schematic structural diagram of an IPsec peer according to an embodiment of the present invention. As shown in Fig. 6, the IPsec peer includes:
a determining module 11, configured to determine, according to a detection trigger condition, whether at least one of the inbound IPsec SAs is an IPsec SA to be detected;
a sending module 12, configured to send to another IPsec peer, when the determining module 11 determines that at least one IPsec SA to be detected exists, dead peer detection (DPD) messages each corresponding to one IPsec SA to be detected; where each inbound IPsec SA is generated by the IPsec peer and the other IPsec peer through an IKE SA negotiated in advance and is used to encrypt the data packets sent from the other IPsec peer to the IPsec peer; each DPD message carries the identification information of the IPsec SA to be detected that corresponds to it, and the DPD message is encrypted with the encryption key corresponding to the IKE SA;
the determining module 11 is further configured to determine, according to the DPD response messages received within a first preset time, whether each IPsec SA to be detected is abnormal.
Specifically, the determining module 11 is configured to:
determine whether the idle timer corresponding to each inbound IPsec SA has reached a second preset time;
if, on reaching the second preset time, the IPsec peer has not received any data packet that the other IPsec peer encrypted using the inbound IPsec SA, determine that the inbound IPsec SA is an IPsec SA to be detected.
Further, the determining module 11 is also configured to:
if the IPsec peer receives at least one DPD response message within the first preset time, determine that each IPsec SA to be detected whose identification information matches one carried in the at least one DPD response message is normal, and determine that the other IPsec SAs to be detected are abnormal;
or, optionally, the determining module 11 is also configured to:
if the IPsec peer receives no DPD response message within the first preset time, determine that every IPsec SA to be detected is abnormal.
The IPsec peer of this embodiment may be used to carry out the technical solution of the first IPsec peer in the method embodiment shown in Fig. 1; its implementation principle and technical effect are similar and are not described again here.
Fig. 7 is a schematic structural diagram of an IPsec peer according to another embodiment of the present invention. As shown in Fig. 7, the IPsec peer includes:
a receiving module 21, configured to receive dead peer detection (DPD) messages sent by another IPsec peer, each corresponding to one IPsec SA to be detected;
where the DPD messages are sent when the other IPsec peer determines, according to a detection trigger condition, that at least one of the inbound IPsec SAs is an IPsec SA to be detected; each inbound IPsec SA is generated by the other IPsec peer and the IPsec peer through an IKE SA negotiated in advance and is used to encrypt the data packets sent from the IPsec peer to the other IPsec peer; each DPD message carries the identification information of the IPsec SA to be detected that corresponds to it, and the DPD message is encrypted with the encryption key corresponding to the IKE SA;
a processing module 22, configured to parse each DPD message to obtain the identification information of the IPsec SA to be detected that it carries, and to determine whether each IPsec SA to be detected is valid;
a sending module 23, configured to send to the other IPsec peer, within a first preset time and when the processing module 22 determines that at least one valid IPsec SA to be detected exists, DPD response messages each corresponding to one of the valid IPsec SAs to be detected, so that the other IPsec peer determines according to the DPD response messages whether each IPsec SA to be detected is abnormal.
The IPsec peer of this embodiment may be used to carry out the technical solution of the second IPsec peer in the method embodiment shown in Fig. 1 or Fig. 5; its implementation principle and technical effect are similar and are not described again here.
Fig. 8 is a schematic structural diagram of a network device according to an embodiment of the present invention. As shown in Fig. 8, the network device includes:
a memory 31, a transmitter 32 and a processor 33, connected by a bus; where the memory 31 is configured to store a set of program code, and the processor 33 invokes the program code stored in the memory 31 to determine, according to a detection trigger condition, whether at least one of the inbound IPsec SAs is an IPsec SA to be detected and, when it determines that at least one IPsec SA to be detected exists, to send a control instruction to the transmitter 32;
the transmitter 32 is configured to send to another network device, according to the control instruction, dead peer detection (DPD) messages each corresponding to one IPsec SA to be detected; where each inbound IPsec SA is generated by the network device and the other network device through an IKE SA negotiated in advance and is used to encrypt the data packets sent from the other network device to the network device; each DPD message carries the identification information of the IPsec SA to be detected that corresponds to it, and the DPD message is encrypted with the encryption key corresponding to the IKE SA;
the processor 33 is further configured to determine, according to the DPD response messages received within a first preset time, whether each IPsec SA to be detected is abnormal.
Further, the processor 33 is also configured to:
determine whether the idle timer corresponding to each inbound IPsec SA has reached a second preset time;
if, on reaching the second preset time, the network device has not received any data packet that the other network device encrypted using the inbound IPsec SA, determine that the inbound IPsec SA is an IPsec SA to be detected.
Further, the network device also includes:
a receiver 34, connected to the bus and configured to receive at least one DPD response message sent by the other network device within the first preset time;
accordingly, the processor 33 is further configured to determine that each IPsec SA to be detected whose identification information matches one carried in the at least one DPD response message is normal, and to determine that the other IPsec SAs to be detected are abnormal;
or, optionally, the processor 33 is further configured to:
if the receiver receives no DPD response message within the first preset time, determine that every IPsec SA to be detected is abnormal.
The network device of this embodiment corresponds to the IPsec peer shown in Fig. 6; the network device may be, for example, a base station, a security gateway or a server.
Fig. 9 is a schematic structural diagram of a network device according to another embodiment of the present invention. As shown in Fig. 9, the network device includes:
a memory 41, a transmitter 42, a receiver 43 and a processor 44, connected by a bus;
the receiver 43 is configured to receive dead peer detection (DPD) messages sent by another network device, each corresponding to one IPsec SA to be detected;
where the DPD messages are sent when the other network device determines, according to a detection trigger condition, that at least one of the inbound IPsec SAs is an IPsec SA to be detected; each inbound IPsec SA is generated by the other network device and the network device through an IKE SA negotiated in advance and is used to encrypt the data packets sent from the network device to the other network device; each DPD message carries the identification information of the IPsec SA to be detected that corresponds to it, and the DPD message is encrypted with the encryption key corresponding to the IKE SA;
the memory 41 is configured to store a set of program code, and the processor 44 invokes the program code stored in the memory 41 to parse each DPD message to obtain the identification information of the IPsec SA to be detected that it carries, to determine whether each IPsec SA to be detected is valid and, when it determines that at least one valid IPsec SA to be detected exists, to send a control instruction to the transmitter 42;
the transmitter 42 is configured to send to the other network device, within a first preset time, DPD response messages each corresponding to one of the valid IPsec SAs to be detected, so that the other network device determines according to the DPD response messages whether each IPsec SA to be detected is abnormal.
The network device of this embodiment corresponds to the IPsec peer shown in Fig. 7; the network device may be, for example, a base station, a security gateway or a server.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be carried out by hardware under the control of program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes any medium capable of storing program code, such as ROM, RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments merely illustrate the technical solutions of the present invention and do not limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (12)

  1. A dead peer detection method, characterized in that it comprises:
    a first Internet Protocol Security (IPsec) peer determining, according to a detection trigger condition, whether at least one of the inbound IPsec SAs is an IPsec SA to be detected;
    when at least one exists, the first IPsec peer sending to a second IPsec peer dead peer detection (DPD) messages each corresponding to one IPsec SA to be detected; where each inbound IPsec SA is generated by the first IPsec peer and the second IPsec peer through an IKE SA negotiated in advance and is used to encrypt the data packets sent from the second IPsec peer to the first IPsec peer; each DPD message carries the identification information of the IPsec SA to be detected that corresponds to it, and the DPD message is encrypted with the encryption key corresponding to the IKE SA;
    the first IPsec peer determining, according to the DPD response messages received within a first preset time, whether each IPsec SA to be detected is abnormal.
  2. The method according to claim 1, characterized in that the first IPsec peer determining, according to a detection trigger condition, whether at least one of the inbound IPsec SAs is an IPsec SA to be detected comprises:
    the first IPsec peer determining whether the idle timer corresponding to each inbound IPsec SA has reached a second preset time;
    when the second preset time is reached and the first IPsec peer has not received any data packet that the second IPsec peer encrypted using the inbound IPsec SA, the first IPsec peer determining that the inbound IPsec SA is an IPsec SA to be detected.
  3. The method according to claim 1 or 2, characterized in that the first IPsec peer determining, according to the DPD response messages received within a first preset time, whether each IPsec SA to be detected is abnormal comprises:
    when the first IPsec peer receives at least one DPD response message within the first preset time, the first IPsec peer determining that each IPsec SA to be detected whose identification information matches one carried in the at least one DPD response message is normal, and determining that the other IPsec SAs to be detected are abnormal;
    or, the first IPsec peer determining, according to the DPD response messages received within a first preset time, whether each IPsec SA to be detected is abnormal comprises:
    when the first IPsec peer receives no DPD response message within the first preset time, the first IPsec peer determining that every IPsec SA to be detected is abnormal.
  4. A dead peer detection method, characterized in that it comprises:
    a second IPsec peer receiving dead peer detection (DPD) messages sent by a first IPsec peer, each corresponding to one IPsec SA to be detected;
    where the DPD messages are sent when the first IPsec peer determines, according to a detection trigger condition, that at least one of the inbound IPsec SAs is an IPsec SA to be detected; each inbound IPsec SA is generated by the first IPsec peer and the second IPsec peer through an IKE SA negotiated in advance and is used to encrypt the data packets sent from the second IPsec peer to the first IPsec peer; each DPD message carries the identification information of the IPsec SA to be detected that corresponds to it, and the DPD message is encrypted with the encryption key corresponding to the IKE SA;
    the second IPsec peer parsing each DPD message to obtain the identification information of the IPsec SA to be detected that it carries, and determining whether each IPsec SA to be detected is valid;
    when at least one valid IPsec SA to be detected exists, the second IPsec peer sending to the first IPsec peer, within a first preset time, DPD response messages each corresponding to one of the valid IPsec SAs to be detected, so that the first IPsec peer determines according to the DPD response messages whether each IPsec SA to be detected is abnormal.
  5. An IPsec peer, characterized in that it comprises:
    a determining module, configured to determine, according to a detection trigger condition, whether at least one of the inbound IPsec SAs is an IPsec SA to be detected;
    a sending module, configured to send to another IPsec peer, when the determining module determines that at least one IPsec SA to be detected exists, dead peer detection (DPD) messages each corresponding to one IPsec SA to be detected; where each inbound IPsec SA is generated by the IPsec peer and the other IPsec peer through an IKE SA negotiated in advance and is used to encrypt the data packets sent from the other IPsec peer to the IPsec peer; each DPD message carries the identification information of the IPsec SA to be detected that corresponds to it, and the DPD message is encrypted with the encryption key corresponding to the IKE SA;
    the determining module being further configured to determine, according to the DPD response messages received within a first preset time, whether each IPsec SA to be detected is abnormal.
  6. The IPsec peer according to claim 5, characterized in that the determining module is further configured to:
    determine whether the idle timer corresponding to each inbound IPsec SA has reached a second preset time;
    when the second preset time is reached and the IPsec peer has not received any data packet that the other IPsec peer encrypted using the inbound IPsec SA, determine that the inbound IPsec SA is an IPsec SA to be detected.
  7. The IPsec peer according to claim 5 or 6, characterized in that the determining module is further configured to:
    when the IPsec peer receives at least one DPD response message within the first preset time, determine that each IPsec SA to be detected whose identification information matches one carried in the at least one DPD response message is normal, and determine that the other IPsec SAs to be detected are abnormal;
    or, the determining module is further configured to:
    when the IPsec peer receives no DPD response message within the first preset time, determine that every IPsec SA to be detected is abnormal.
  8. An IPsec peer, characterized in that it comprises:
    a receiving module, configured to receive dead peer detection (DPD) messages sent by another IPsec peer, each corresponding to one IPsec SA to be detected;
    where the DPD messages are sent when the other IPsec peer determines, according to a detection trigger condition, that at least one of the inbound IPsec SAs is an IPsec SA to be detected; each inbound IPsec SA is generated by the other IPsec peer and the IPsec peer through an IKE SA negotiated in advance and is used to encrypt the data packets sent from the IPsec peer to the other IPsec peer; each DPD message carries the identification information of the IPsec SA to be detected that corresponds to it, and the DPD message is encrypted with the encryption key corresponding to the IKE SA;
    a processing module, configured to parse each DPD message to obtain the identification information of the IPsec SA to be detected that it carries, and to determine whether each IPsec SA to be detected is valid;
    a sending module, configured to send to the other IPsec peer, within a first preset time and when the processing module determines that at least one valid IPsec SA to be detected exists, DPD response messages each corresponding to one of the valid IPsec SAs to be detected, so that the other IPsec peer determines according to the DPD response messages whether each IPsec SA to be detected is abnormal.
  9. A network device, characterized in that it comprises:
    a memory, a transmitter and a processor, connected by a bus; where the memory is configured to store a set of program code, and the processor invokes the program code stored in the memory to determine, according to a detection trigger condition, whether at least one of the inbound IPsec SAs is an IPsec SA to be detected and, when it determines that at least one IPsec SA to be detected exists, to send a control instruction to the transmitter;
    the transmitter is configured to send to another network device, according to the control instruction, dead peer detection (DPD) messages each corresponding to one IPsec SA to be detected; where each inbound IPsec SA is generated by the network device and the other network device through an IKE SA negotiated in advance and is used to encrypt the data packets sent from the other network device to the network device; each DPD message carries the identification information of the IPsec SA to be detected that corresponds to it, and the DPD message is encrypted with the encryption key corresponding to the IKE SA;
    the processor is further configured to determine, according to the DPD response messages received within a first preset time, whether each IPsec SA to be detected is abnormal.
  10. The network device according to claim 9, characterized in that the processor is further configured to:
    determine whether the idle timer corresponding to each inbound IPsec SA has reached a second preset time;
    when the second preset time is reached and the network device has not received any data packet that the other network device encrypted using the inbound IPsec SA, determine that the inbound IPsec SA is an IPsec SA to be detected.
  11. The network device according to claim 9 or 10, characterized in that it further comprises:
    a receiver, connected to the bus and configured to receive at least one DPD response message sent by the other network device within the first preset time;
    the processor being further configured to determine that each IPsec SA to be detected whose identification information matches one carried in the at least one DPD response message is normal, and to determine that the other IPsec SAs to be detected are abnormal;
    or, the processor being further configured to:
    when the receiver receives no DPD response message within the first preset time, determine that every IPsec SA to be detected is abnormal.
  12. A network device, characterized in that it comprises:
    a memory, a transmitter, a receiver and a processor, connected by a bus;
    the receiver is configured to receive dead peer detection (DPD) messages sent by another network device, each corresponding to one IPsec SA to be detected;
    where the DPD messages are sent when the other network device determines, according to a detection trigger condition, that at least one of the inbound IPsec SAs is an IPsec SA to be detected; each inbound IPsec SA is generated by the other network device and the network device through an IKE SA negotiated in advance and is used to encrypt the data packets sent from the network device to the other network device; each DPD message carries the identification information of the IPsec SA to be detected that corresponds to it, and the DPD message is encrypted with the encryption key corresponding to the IKE SA;
    the memory is configured to store a set of program code, and the processor invokes the program code stored in the memory to parse each DPD message to obtain the identification information of the IPsec SA to be detected that it carries, to determine whether each IPsec SA to be detected is valid and, when it determines that at least one valid IPsec SA to be detected exists, to send a control instruction to the transmitter;
    the transmitter is configured to send to the other network device, within a first preset time, DPD response messages each corresponding to one of the valid IPsec SAs to be detected, so that the other network device determines according to the DPD response messages whether each IPsec SA to be detected is abnormal.
CN201480035206.6A 2014-12-30 2014-12-30 Dead peer detection method, IPsec peer and network device Active CN106170949B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2014/095636 WO2016106589A1 (en) 2014-12-30 2014-12-30 Dead peer detection method, ipsec peer and network device

Publications (2)

Publication Number Publication Date
CN106170949A true CN106170949A (en) 2016-11-30
CN106170949B CN106170949B (en) 2019-10-15

Family

ID=56283865

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201480035206.6A Active CN106170949B (en) 2014-12-30 2014-12-30 Fail reciprocity body detecting method, IPsec peer-to-peer and the network equipment

Country Status (2)

Country Link
CN (1) CN106170949B (en)
WO (1) WO2016106589A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109429253A (en) * 2017-07-17 2019-03-05 展讯通信(上海)有限公司 WiFi access point falls the method, apparatus and terminal of net detection under VoWiFi business
CN109962821A (en) * 2017-12-22 2019-07-02 迈普通信技术股份有限公司 Connection relationship detection method and device

Families Citing this family (2)

Publication number Priority date Publication date Assignee Title
CN106487802B (en) * 2016-11-07 2019-09-17 杭州迪普科技股份有限公司 The method for detecting abnormal and device of IPSec SA based on DPD agreement
CN110061965B (en) * 2019-03-13 2022-08-26 北京华为数字技术有限公司 Method, device and equipment for updating security alliance and readable storage medium

Citations (6)

Publication number Priority date Publication date Assignee Title
CN1845549A (en) * 2006-05-17 2006-10-11 杭州华为三康技术有限公司 Method for enquiring IPSec tunnel state
CN101521602A (en) * 2008-02-29 2009-09-02 上海博达数据通信有限公司 Realizing method for utilizing IKE to monitor the state of communication nodes in IPSec VPN
CN102946333A (en) * 2012-10-31 2013-02-27 杭州华三通信技术有限公司 DPD method and equipment based on IPsec
CN103227777A (en) * 2013-03-26 2013-07-31 汉柏科技有限公司 Method for preventing ipsec (Internet Protocol Security) tunnel oscillation caused by failed dpd (Dead Peer Detection)
CN103716196A (en) * 2012-09-28 2014-04-09 杭州华三通信技术有限公司 Network device and detection method
WO2014056528A1 (en) * 2012-10-10 2014-04-17 Nokia Solutions And Networks Oy Peer revival detection

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
CN103401751B (en) * 2013-07-17 2016-08-10 北京星网锐捷网络技术有限公司 Internet safety protocol tunnel establishing method and device



Also Published As

Publication number Publication date
WO2016106589A1 (en) 2016-07-07
CN106170949B (en) 2019-10-15

Similar Documents

Publication Publication Date Title
RU2623197C2 (en) Methods, devices and systems for creation of cross-secure safety connections and for safe transmission of data packages
RU2436250C2 (en) Method and apparatus for efficient routing in communication networks
CN101582856B (en) Session setup method of portal server and BAS (broadband access server) device and system thereof
CN104811462B (en) A kind of access gateway reorientation method and access gateway
CN110999257B (en) Delivery method selection for delivery of server notifications
US20190141141A1 (en) Dynamic detection of inactive virtual private network clients
CN106170949A (en) Inefficacy peer-to-peer detection method, IPsec peer-to-peer and the network equipment
EP2875664A1 (en) Higher layer compression with lower layer signaling
CN111355695B (en) Security agent method and device
CN107277058B (en) Interface authentication method and system based on BFD protocol
WO2017190467A1 (en) Adjustment method and apparatus for maximum transmission unit of terminal, and terminal device
CN103227777B (en) A kind of dpd of preventing detects the method unsuccessfully causing ipsec tunnel to shake
US11637874B2 (en) Communications apparatus, systems, and methods for preventing and/or minimizing session data clipping
CN104468265A (en) Method and device for detecting online states of local area network terminals
CN104539587A (en) Thing access and group interaction method used for Internet of things
CN113810427B (en) Penetration testing method, terminal equipment and storage medium
US20240039759A1 (en) Systems and methods for control channel tunneling
US9288740B2 (en) Communication apparatus, control method for the same, communication system, and non-transitory computer-readable storage medium
CN102769552A (en) Method and apparatus for transmitting BFD (bidirectional forwarding detection) message during LSP (label switched path) detection by BFD
WO2019165803A1 (en) Message processing method and apparatus, and message encapsulating method, apparatus and system
CN107872309A (en) A kind of adaptive approach, device and the equipment of Network Transfer Media and speed
CN103036984B (en) One-way flow detection method and network equipment
US11178542B1 (en) Method and system for secure device-to-device data communications
CN102118773B (en) Method for detecting link connection state between network nodes and relevant device
CN108370369B (en) Gateway, client device and method for facilitating secure communication between a client device and an application server using redirection

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant