CN106549850A - Virtual private network server and message transmission method thereof - Google Patents

Virtual private network server and message transmission method thereof

Info

Publication number
CN106549850A
Authority
CN (China)
Prior art keywords
vpn
modules
message
information
user space
Legal status
Granted
Application number
CN201611110306.8A
Other languages
Chinese (zh)
Other versions
CN106549850B (en)
Inventor
党丽娜
刘健男
Current Assignee
Neusoft Corp
Original Assignee
Neusoft Corp
Events
    • Application filed by Neusoft Corp
    • Priority to CN201611110306.8A
    • Publication of CN106549850A
    • Application granted
    • Publication of CN106549850B
    • Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a virtual private network (VPN) server and a message transmission method for it, to solve the technical problem that existing VPN servers process non-VPN ciphertext packets with relatively low efficiency. The VPN server runs across a first platform and a second platform, and the method comprises: the VPN server receives a message (packet) through a user-space fast-forwarding (UFAST) module, the UFAST module being a module that runs in the user space of the first platform; according to first security association (SA) information stored by the UFAST module, the VPN server determines whether the packet is a VPN ciphertext packet; and when it determines that the packet is a non-VPN ciphertext packet, the VPN server sends the packet to its destination through the UFAST module.

Description

Virtual private network server and message transmission method thereof
Technical field
The present invention relates to the field of computers, and in particular to a virtual private network server and a message transmission method for it.
Background art
NetEye VPN (Virtual Private Network) is a firewall-based VPN that is used in combination with firewall functionality: by establishing tunnels with gateways, mobile terminals or personal computers, and by using encryption and authentication techniques, it guarantees the security, integrity and confidentiality of data transmitted end to end and between an end and the gateway.
Existing VPNs can run across platforms, for example across a DPDK (Data Plane Development Kit) platform and an x86 platform. However, because of the architectural design of the firewall, part of the functionality of a VPN system deployed on the DPDK and x86 platforms cannot be moved entirely into user-space modules, and the processing of VPN packets remains in the kernel space of x86. In this situation, in the prior art, after the user space of the DPDK platform receives a packet from the network interface card it can only make a simple judgement as to whether the packet is a VPN ciphertext packet; if it is not, the packet is processed directly in user space. A packet that cannot be determined either way is sent by the DPDK user space to the kernel space, and the kernel space sends it through the KFAST module to the x86 kernel space, where it is judged accurately. If the packet is a VPN ciphertext packet, it is processed directly in the x86 kernel space; if it is not, it is returned to the DPDK kernel space, which sends it back to the DPDK user space, where it is processed.
This flow causes non-VPN ciphertext packets to be sent to the kernel, increasing the pressure on the channel from user space to kernel space. Moreover, a non-VPN ciphertext packet handed to the kernel is sent back through the channel to user space for processing only after VPN parsing, which delays packet processing and lowers packet-processing efficiency.
Summary of the invention
It is an object of the present invention to provide a virtual private network server and a message transmission method for it, so as to solve the technical problem that existing virtual private network servers process non-VPN ciphertext packets with relatively low efficiency.
To achieve this object, a first aspect of the present invention provides a message transmission method for a virtual private network server, the VPN server running across a first platform and a second platform, the method comprising:
the VPN server receives a packet through a user-space fast-forwarding (UFAST) module, the UFAST module being a module that runs in the user space of the first platform;
according to first security association (SA) information stored by the UFAST module, the VPN server determines whether the packet is a VPN ciphertext packet;
when it determines that the packet is a non-VPN ciphertext packet, the VPN server sends the packet to its destination through the UFAST module.
In the first aspect above, the first platform and the second platform may be any two different platforms among a DPDK platform, an x86 platform and an ARM (Advanced RISC Machine) platform, where packets belonging to VPN ciphertext packets may be processed in the kernel space of the second platform.
Optionally, the method further comprises:
when it determines that the packet is a VPN ciphertext packet, the VPN server sends the packet through the UFAST module to a kernel-space fast-forwarding (KFAST) module, the KFAST module being a module that runs in the kernel space of the first platform;
the packet is sent through the KFAST module to a VPN module that runs in the kernel space of the second platform;
the packet is processed by the VPN module in the kernel space of the second platform.
Optionally, the method further comprises:
the VPN server sends an SA update message to the KFAST module through the VPN module, the SA update message comprising SA information stored by the VPN module;
the VPN server sends the SA update message to the UFAST module through the KFAST module;
the VPN server updates the first SA information stored by the UFAST module according to the SA update message.
Optionally, before the VPN server sends the SA update message to the KFAST module through the VPN module, the method comprises:
the VPN server prunes second SA information stored by the VPN module;
the SA information comprised in the SA update message is the pruned SA information, where the SA information stored by the VPN module comprises the complete security association information.
Optionally, the VPN server sending the SA update message to the KFAST module through the VPN module specifically comprises:
the VPN server modifies the SA information stored by the VPN module according to a call from a process in the user space of the second platform;
after the SA information stored by the VPN module has been modified, the SA update message is sent to the KFAST module through the VPN module.
Optionally, the first SA information comprises an SA information table corresponding to each user-space core, a user-space core being a central processing unit (CPU) core that runs in the user space of the first platform, and the VPN server updating the first SA information stored by the UFAST module according to the SA update message specifically comprises:
calculating the corresponding user-space core from the SA information in the SA update message by the RSS (Reduced Space Symbology) algorithm;
notifying the user-space core to update its SA information table according to the SA information.
Optionally, the VPN server determining whether the packet is a VPN ciphertext packet according to the first security association (SA) information stored in the user space of the first platform comprises:
calculating the corresponding user-space core from the packet by the RSS algorithm;
determining whether the packet is a VPN ciphertext packet according to the SA information table of that user-space core.
A second aspect of the present invention provides a virtual private network server, the VPN server running across a first platform and a second platform, the VPN server comprising:
a user-space fast-forwarding (UFAST) module running in the user space of the first platform, a kernel-space fast-forwarding (KFAST) module running in the kernel space of the first platform, and a VPN module running in the kernel space of the second platform;
wherein the UFAST module is configured to receive a packet, determine according to first security association (SA) information stored by the UFAST module whether the packet is a VPN ciphertext packet, and, when it determines that the packet is a non-VPN ciphertext packet, send the packet to its destination.
Optionally, the UFAST module is further configured to:
when it determines that the packet is a VPN ciphertext packet, send the packet to the KFAST module;
the KFAST module is configured to send the packet to the VPN module;
the VPN module is configured to process the packet in the kernel space of the second platform.
Optionally, the VPN module is further configured to send an SA update message to the KFAST module, the SA update message comprising SA information stored by the VPN module;
the KFAST module is further configured to send the SA update message to the UFAST module;
the UFAST module is further configured to update the first SA information stored by the UFAST module according to the SA update message.
Optionally, the VPN module is further configured to prune second SA information stored by the VPN module before sending the SA update message to the KFAST module;
wherein the SA information comprised in the SA update message is the pruned SA information, and the SA information stored by the VPN module comprises the complete security association information.
Optionally, the VPN module is further configured to modify the SA information it stores according to a call from a process in the user space of the second platform;
and, after the SA information it stores has been modified, to send the SA update message to the KFAST module.
Optionally, the first SA information comprises an SA information table corresponding to each user-space core, a user-space core being a central processing unit (CPU) core that runs in the user space of the first platform, and the UFAST module is configured to:
calculate the corresponding user-space core from the SA information in the SA update message by the RSS (Reduced Space Symbology) algorithm;
notify the user-space core to update its SA information table according to the SA information.
Optionally, the first SA information comprises an SA information table corresponding to each user-space core, a user-space core being a central processing unit (CPU) core that runs in the user space of the first platform, and the UFAST module is configured to:
calculate the corresponding user-space core from the packet by the RSS algorithm;
determine whether the packet is a VPN ciphertext packet according to the SA information table of that user-space core.
With the above technical solution, the UFAST module in the user space of the first platform of the VPN server stores the first SA information, so after receiving a packet the VPN server can accurately judge in user space, on the basis of security association information, whether the packet is a VPN ciphertext packet. Since a non-VPN ciphertext packet does not need to be processed by the VPN server, when it determines that the packet is a non-VPN ciphertext packet the VPN server forwards it to its destination directly in user space, without sending it to kernel space. This relieves the pressure on the transmission channel between the user space and kernel space of the VPN server, speeds up the processing of non-VPN ciphertext packets, and improves packet-processing efficiency.
Other features and advantages of the present invention are described in detail in the specific embodiments that follow.
Description of the drawings
The accompanying drawings are provided to give a further understanding of the present invention and form part of the description; together with the specific embodiments below they serve to explain the present invention, but they do not limit it. In the drawings:
Fig. 1 is a structural schematic of an existing VPN server;
Fig. 2 is a flow diagram of a message transmission method for a virtual private network server provided by an embodiment of the present invention;
Fig. 3 is a schematic of transmitting a packet with the method steps shown in Fig. 2 in the VPN server shown in Fig. 1, as provided by an embodiment of the present invention;
Fig. 4 is a flow diagram of a method for synchronising SA information between kernel space and user space provided by an embodiment of the present invention;
Fig. 5 is a structural schematic of a virtual private network server provided by an embodiment of the present invention.
Specific embodiments
Specific embodiments of the present invention are described in detail below with reference to the drawings. It should be understood that the specific embodiments described here serve only to illustrate and explain the present invention and do not limit it.
So that those skilled in the art can more easily understand the technical solution provided by the embodiments of the present invention, the terms involved are first introduced briefly.
An SA (Security Association) encodes the policy agreement between two computers: it specifies which algorithm and what key length are to be used between them, as well as the actual key itself.
Each SA information entry records the secure-channel policy and policy parameters for one IP-protocol based channel. SA information is negotiated automatically by the two communicating parties or created manually, and comprises the tunnel protocol used, the key and key lifetime, the compression mode, anti-replay, NAT (Network Address Translation) and related information. For a packet received by the firewall, the corresponding SA information can be found from key fields such as dip (Dynamic IP Pool), protocol (the tunnel protocol) and spi (Serial Peripheral Interface).
That is, on the basis of SA information it can be judged accurately whether a packet received by the firewall is an encrypted packet: for a VPN ciphertext packet, the firewall can find the corresponding SA information by dip, sip and protocol and process the ciphertext packet according to that SA information; for a non-VPN ciphertext packet, the firewall cannot find any corresponding SA information.
Those skilled in the art should understand that, in the description of the embodiments below, "first platform" and "second platform" serve only to distinguish different platforms and should not be read as additional limitations on the platforms. Specifically, the first platform and the second platform may be any two different platforms among a DPDK platform, an x86 platform and an ARM platform. For example, the first platform is a DPDK platform and the second platform is an x86 platform; or the first platform is an x86 platform and the second platform is a DPDK platform; or the first platform is a DPDK platform and the second platform is an ARM platform. The present invention is not limited in this respect.
The problem in the prior art is illustrated with a VPN server that runs across a DPDK platform and an x86 platform. Referring to Fig. 1, Fig. 1 is a structural schematic of a prior-art VPN server 100 running across a DPDK platform and an x86 platform, where the VPN server 100 comprises a UFAST module 101 running in the DPDK user space, a KFAST module 102 running in the DPDK kernel space, and a VPN module 103 running in the x86 platform kernel space.
The transmission of a packet in the prior-art VPN server is explained below following the arrows in Fig. 1, where U->K denotes sending a packet from user space (user mode) to kernel space (kernel mode) and K->U denotes sending a packet from kernel space to user space. As shown in Fig. 1, after the UFAST module 101 receives a packet from the network interface card, the VPN server judges from the protocol port whether the packet is a non-VPN ciphertext packet; if it is, the packet is forwarded directly to its destination in the user space of the DPDK platform. It should be noted that only some non-VPN ciphertext packets can be distinguished by protocol port; the other packets can only be determined to be VPN ciphertext packets or not by an SA information lookup, and since the SA information resides in the VPN module 103, the UFAST module 101 sends packets that the port judgement has not confirmed to be non-VPN ciphertext packets through the U->K channel to the kernel of the DPDK platform. The KFAST module 102 in the DPDK kernel sends the packet through a hook interface to the VPN module 103 in the x86 platform kernel, and the VPN module 103 further judges from the SA information whether the packet is a VPN ciphertext packet: if it is, the packet is VPN-decrypted; if it is not, the packet is sent back through the K->U channel to the UFAST module 101.
It can be seen from this flow that, in the prior art, some non-VPN ciphertext packets need to enter kernel space, which both increases the pressure on the channel from user space to kernel space and lowers packet-processing efficiency.
An embodiment of the present invention provides a message transmission method for a virtual private network server, the VPN server running across a first platform and a second platform. As shown in Fig. 2, the method comprises:
S201: the VPN server receives a packet through a user-space fast-forwarding (UFAST) module, the UFAST module being a module that runs in the user space of the first platform.
The packet may be a packet sent to the VPN server by the network interface card.
S202: the VPN server determines, according to first security association (SA) information stored by the UFAST module, whether the packet is a VPN ciphertext packet.
It is worth noting that the SA information in user space may be SA information that the VPN server, at system initialisation, synchronises from the SA information stored by the VPN module in kernel space into the UFAST module in user space.
With reference to the introduction to SA information above, the VPN server can accurately distinguish, according to the SA information, whether a received packet is a VPN ciphertext packet or a non-VPN ciphertext packet.
S203: when it determines that the packet is a non-VPN ciphertext packet, the VPN server sends the packet to its destination through the UFAST module.
It is worth noting that a non-VPN ciphertext packet means a ciphertext packet that the firewall allows to pass, that is, a ciphertext packet that the VPN system does not need to process. In other words, after receiving a non-VPN ciphertext packet, the VPN server can forward it to its destination according to the destination address in the packet, without processing the packet.
With the above method, the UFAST module in the user space of the first platform of the VPN server stores the first SA information, so after receiving a packet the VPN server can accurately judge in user space, on the basis of security association information, whether the packet is a VPN ciphertext packet. Since a non-VPN ciphertext packet does not need to be processed by the VPN server, when it determines that the packet is a non-VPN ciphertext packet the VPN server forwards it to its destination directly in user space, without sending it to kernel space. This relieves the pressure on the transmission channel between the user space and kernel space of the VPN server, speeds up the processing of non-VPN ciphertext packets, and improves packet-processing efficiency.
So that those skilled in the art can better understand the technical solution provided by the embodiments of the present invention, the steps of the above method are described in detail below.
Specifically, in step S202 above, when the VPN server determines that the packet is a VPN ciphertext packet, it sends the packet through the UFAST module to a kernel-space fast-forwarding (KFAST) module, the KFAST module being a module that runs in the kernel space of the first platform; the packet is sent through the KFAST module to a VPN module that runs in the kernel space of the second platform; and the packet is processed by the VPN module in the kernel space of the second platform.
This is explained with the first platform being a DPDK platform and the second platform being an x86 platform. As shown in Fig. 3, a VPN server 300 comprises a UFAST module 301 running in the DPDK user space, a KFAST module 302 running in the DPDK kernel space, and a VPN module 303 running in the x86 platform kernel space; U->K in Fig. 3 denotes sending a packet from user space to kernel space and K->U denotes sending a packet from kernel space to user space. Specifically, after the VPN server 300 receives a packet from the network interface card through the UFAST module 301, it can judge from the first SA information stored by the UFAST module 301 whether the packet is a VPN ciphertext packet. If the packet is not a VPN ciphertext packet, that is, it is a non-VPN ciphertext packet, it is forwarded to its destination in the user space of the DPDK platform. If the packet is a VPN ciphertext packet, it is sent through the U->K channel to the kernel of the DPDK platform, and the KFAST module 302 in the DPDK kernel sends it through a hook interface to the VPN module 303 in the x86 platform kernel, which VPN-decrypts it. In this way the VPN server can accurately judge in the DPDK user space whether a received packet is a VPN ciphertext packet, so non-VPN ciphertext packets need not be passed down to kernel space, which reduces the pressure on the channel between user space and kernel space and improves the processing efficiency for non-VPN ciphertext packets.
The above is merely illustrative. In a specific implementation, after receiving a packet the VPN server may also first determine from the protocol port whether the packet is a non-VPN ciphertext packet and then determine from the SA information whether it is a VPN ciphertext packet. The present invention is not limited in this respect.
In addition, to guarantee the accuracy of the SA information, the SA information stored by the UFAST module should be consistent with the SA information stored by the VPN module. An embodiment of the present invention may synchronise the SA information in user space and kernel space with the following method steps. As shown in Fig. 4, the method comprises:
S401: the VPN server sends an SA update message to the KFAST module through the VPN module, the SA update message comprising SA information stored by the VPN module.
The SA update message is used to modify, delete or add SA information stored in user space.
It should be noted that kernel space can send information to user space by MSG messages, and the MSG thread running in the first CPU (Central Processing Unit) core of user space is mainly responsible for receiving MSG messages. Therefore, in step S401 above, the SA update message may specifically be an MSG message comprising an instruction to update the first SA information.
S402: the VPN server sends the SA update message to the UFAST module through the KFAST module.
S403: the VPN server updates the first SA information stored by the UFAST module according to the SA update message.
Specifically, the first SA information comprises an SA information table corresponding to each user-space core, a user-space core being a CPU core that runs in the user space of the first platform. The operation queue of each user-space core stores the operations to be performed on its SA information table, and each user-space core has a corresponding management thread that performs the operations according to the information in the operation queue. Thus, after receiving an MSG message, the MSG thread places the corresponding information into the operation queue of the corresponding user-space core and notifies the management thread of that core to process it.
It is worth noting that the VPN server may reserve memory space for storing SA information at initialisation or start-up; the size of the reserved memory space may be MAX(SA_NUM) * sizeof(SA), where SA_NUM denotes the number of SA information entries and sizeof(SA) the size of a single SA information entry. The reserved memory space does not disappear when a process terminates. The SA information tables of the user-space cores are established by reference to steps S401 to S403 above: kernel space sends user space an MSG message comprising SA information, and the UFAST module on the CPU core builds the SA information table from that SA information after receiving the MSG message. In subsequent operation, the VPN module in the x86 kernel space may periodically initiate synchronisation of the SA information, so that the SA information stored by the UFAST module remains consistent with the SA information stored by the VPN module.
Since SA information is negotiated automatically by the two communicating parties or created manually, the VPN server may also send the SA update message to the KFAST module through the VPN module after a process in the user space of the second platform has called the VPN module to modify the SA information it stores. In this case, the SA information table corresponding to each user-space core may also comprise the ageing time of each SA information entry, and that ageing time may be kept consistent with the ageing time of the SA information in the VPN module, so that the VPN server need only initiate synchronisation of the SA information stored by the UFAST module after the SA information stored by the VPN module has changed.
It should be noted that, because the MSG thread is unique and each user-space core has its own operation queue and management thread, accesses to an operation queue never occur concurrently, so no locking is involved in the whole SA synchronisation process. Moreover, the ageing time, managed by a timer, controls the validity of SA information and avoids the situation in which an SA information entry that should have been deleted is retained because of a system anomaly, causing packets to be sent wrongly.
In a possible implementation of the embodiment of the present invention, to save storage space in user space, the VPN server may prune the second SA information stored by the VPN module both when the SA information tables for the user-space cores are first established in the user space of the first platform and when the tables are subsequently updated. The second SA information is the complete security association information, and the SA information comprised in the SA update message is what remains of the second SA information after pruning.
That is, in the embodiment of the present invention, the SA information in the SA information table corresponding to a user-space core may comprise only the information needed to judge accurately whether a packet is a VPN ciphertext packet, such as dip, dport (destination port), sip (Session Initiation Protocol), spi and lifetime (life span). Compared with the complete security association information stored by the VPN module in the kernel space of the second platform, user space thus saves about 400 bytes of storage space relative to kernel space.
Further, step S403 above comprises: calculating the corresponding user-space core from the SA information in the SA update message by the RSS (Reduced Space Symbology) algorithm; and notifying the user-space core to update its SA information table according to the SA information.
Thus, in step S202 above, after receiving the packet the VPN server can calculate the corresponding user-space core from the packet by the RSS algorithm and determine whether the packet is a VPN ciphertext packet according to the SA information table corresponding to that user-space core.
Because the user-space core obtained by the RSS algorithm when an SA information entry is added is the same as the user-space core obtained by the RSS algorithm when a packet is received, the packet received by the current user-space core and the SA information table of that core are guaranteed to be consistent: if the packet is a VPN ciphertext packet, the corresponding SA information can be found in the SA information table of the current user-space core, and if no corresponding SA information can be found, the packet is a non-VPN ciphertext packet.
With the above technical solution, the SA information tables correspond one to one to the user-space cores; adding, deleting and looking up SA information in each SA information table is performed by the same user-space core, and only one action at a time accesses an SA information table, so there is no resource contention and lock-free lookup is achieved. Moreover, after the RSS algorithm has determined the corresponding user-space core for a packet the VPN server has received, the corresponding SA information can be found in that core's SA information table for a VPN ciphertext packet, while a packet for which no SA information is found is a non-VPN ciphertext packet and can be forwarded to its destination directly in user space without being passed down to kernel space, which improves packet-processing efficiency and relieves the pressure on the channel from user space to kernel space.
The embodiment of the invention also provides a virtual private network server 500 that runs across a first platform and a second platform and implements the packet transmission method of the method embodiment described above. As shown in Fig. 5, the server 500 comprises:
a user-space fast-forwarding (UFAST) module 501 running in the user space of the first platform, a kernel-space fast-forwarding (KFAST) module 502 running in the kernel space of the first platform, and a VPN module 503 running in the kernel space of the second platform;
wherein the UFAST module 501 is configured to receive a packet, to determine from the first security association (SA) information stored by the UFAST module 501 of the first platform whether the packet is a VPN ciphertext packet, and, when the packet is determined to be a non-VPN ciphertext packet, to send the packet to its destination.
With this VPN server, the UFAST module in the user space of the first platform stores the first SA information, so after receiving a packet the server can accurately judge in user space, on the basis of security association information, whether the packet is a VPN ciphertext packet. A non-VPN ciphertext packet needs no processing by the VPN server, so when a packet is determined to be a non-VPN ciphertext packet the server forwards it to its destination directly from user space without sending it to the kernel. This relieves the pressure on the transmission channel between the user space and the kernel of the VPN server, speeds up the handling of non-VPN ciphertext packets and improves packet processing efficiency.
Optionally, the UFAST module 501 is further configured to send the packet to the KFAST module when the packet is determined to be a VPN ciphertext packet; the KFAST module 502 is configured to send the packet to the VPN module; and the VPN module 503 is configured to process the packet in the kernel space of the second platform. Specifically, where the first platform is a DPDK platform and the second platform is an x86 platform, the packet transmission process of the VPN server is as described for Fig. 3 in the method embodiment and is not repeated here.
Optionally, the VPN module 503 is further configured to send SA update information to the KFAST module 502, the SA update information comprising the SA information stored by the VPN module; the KFAST module 502 is further configured to send the SA update information to the UFAST module; and the UFAST module 501 is further configured to update the first SA information it stores according to the SA update information.
Specifically, the first SA information comprises one SA information table for each user-space core, a user-space core being a CPU core running in the user space of the first platform. Thus, after the user space of the first platform has initially built the SA information table for each user-space core, the update mechanism keeps the SA information stored in the kernel and in user space consistent.
Optionally, the VPN module 503 is further configured to trim the second SA information it stores before sending the SA update information to the KFAST module; the SA update information then comprises the trimmed SA information, while the SA information stored by the VPN module is the complete security association information.
That is, in the embodiment of the invention the SA information table of a user-space core only needs to hold the fields that allow an accurate decision as to whether a packet is a VPN ciphertext packet, such as dip, dport, sip, spi and lifetime. Compared with the complete security association information stored in the kernel space of the second platform, user space thus saves about 400 bytes of memory relative to the kernel.
Optionally, the VPN module 503 is further configured to modify the SA information it stores in response to a call from a process in the user space of the second platform, and, after modifying the SA information it stores, to send the SA update information to the KFAST module.
Optionally, the first SA information comprises one SA information table for each user-space core, a user-space core being a CPU core running in the user space of the first platform, and the UFAST module 501 is configured to: compute the corresponding user-space core from the SA information in the SA update information by means of the RSS algorithm; and notify that user-space core to update its SA information table according to the SA information.
Accordingly, the UFAST module 501 is configured to: compute the corresponding user-space core from the packet by means of the RSS algorithm; and determine from the SA information table of that user-space core whether the packet is a VPN ciphertext packet.
Because the user-space core obtained by the RSS algorithm when the SA information was added is the same as the user-space core obtained by the RSS algorithm when the packet is received, a packet received by a given user-space core is guaranteed to be consistent with that core's SA information table: if the packet is a VPN ciphertext packet, the matching SA information will be found in the current core's table, and if no matching SA information is found, the packet is a non-VPN ciphertext packet.
With this scheme there is one SA information table per user-space core; adding, deleting and looking up SA information in a given table is always performed by the same user-space core, and only one operation accesses a table at any time, so there is no resource contention and lock-free lookup is guaranteed. Moreover, after a received packet has been assigned to its user-space core by the RSS algorithm, a VPN ciphertext packet finds its SA information in that core's table, whereas a packet for which no SA information is found is a non-VPN ciphertext packet that can be forwarded to its destination directly from user space without being passed down to the kernel. This improves packet processing efficiency and relieves the pressure on the channel from user space to the kernel.
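The per-core SA table scheme described in the method embodiment and restated for the apparatus above, as an added illustration that is not code from the patent or from the applicant: it implements the Toeplitz hash that Receive Side Scaling NICs (and DPDK's software RSS) compute, uses that hash to choose the user-space core both when an SA update is installed and when a packet arrives, keeps one table per core so no lock is needed, trims the complete kernel-side SA down to the lookup fields the description lists (dip, dport, sip, spi, lifetime), and ages entries by lifetime. The example assumes that the NIC is configured for IPv4 L3 RSS, so that an SA's addresses and an arriving packet's addresses hash identically; that `sip` is matched as the packet's source IPv4 address; that the RSS key is the widely used 40-byte default; and that core selection is hash modulo core count rather than a NIC redirection table. The class and function names (`Ufast`, `FullSa`, `run_demo`), the addresses and the SPI are constructed for the example.

```python
# Added example: per-core SA lookup keyed by the RSS hash, modelling the
# UFAST side of the scheme above. Constructed illustration, not patent code.
import ipaddress
import struct
from dataclasses import dataclass
from typing import Tuple

# 40-byte default RSS key (the one DPDK's thash tests use); assumed here.
RSS_KEY = bytes([
    0x6d, 0x5a, 0x56, 0xda, 0x25, 0x5b, 0x0e, 0xc2,
    0x41, 0x67, 0x25, 0x3d, 0x43, 0xa3, 0x8f, 0xb0,
    0xd0, 0xca, 0x2b, 0xcb, 0xae, 0x7b, 0x30, 0xb4,
    0x77, 0xcb, 0x2d, 0xa3, 0x80, 0x30, 0xf2, 0x0c,
    0x6a, 0x42, 0xb7, 0x3b, 0xbe, 0xac, 0x01, 0xfa,
])


def toeplitz_hash(data: bytes, key: bytes = RSS_KEY) -> int:
    """Receive Side Scaling hash: walk the input bits MSB first and, for each
    set bit, XOR in the 32-bit window of the key starting at that position."""
    key_int = int.from_bytes(key, "big")
    key_bits = len(key) * 8
    result = 0
    for i, byte in enumerate(data):
        for bit in range(8):
            if byte & (0x80 >> bit):
                shift = key_bits - 32 - (i * 8 + bit)
                result ^= (key_int >> shift) & 0xFFFFFFFF
    return result


def ipv4_l3_hash(sip: str, dip: str) -> int:
    """Hash input for IPv4-only RSS: source address then destination address."""
    return toeplitz_hash(ipaddress.IPv4Address(sip).packed
                         + ipaddress.IPv4Address(dip).packed)


def ipv4_l3l4_hash(sip: str, dip: str, sport: int, dport: int) -> int:
    """Hash input for IPv4+TCP/UDP RSS: the addresses followed by both ports."""
    return toeplitz_hash(ipaddress.IPv4Address(sip).packed
                         + ipaddress.IPv4Address(dip).packed
                         + struct.pack("!HH", sport, dport))


@dataclass
class FullSa:
    """The complete SA as the kernel VPN module holds it (constructed fields)."""
    sip: str
    dip: str
    dport: int
    spi: int
    lifetime: float                 # absolute expiry time in seconds
    enc_key: bytes = b"\x11" * 32   # never leaves the kernel in this scheme
    auth_key: bytes = b"\x22" * 64
    replay_window: int = 64

    def trimmed(self) -> dict:
        """Reduced record pushed to user space: only what the lookup needs."""
        return {"sip": self.sip, "dip": self.dip, "dport": self.dport,
                "spi": self.spi, "lifetime": self.lifetime}


class Ufast:
    """User-space fast path with one SA table per core; a table is only ever
    touched by the core that RSS maps the flow to, so no lock is needed."""

    def __init__(self, ncores: int) -> None:
        self.tables = [dict() for _ in range(ncores)]

    def core_for(self, sip: str, dip: str) -> int:
        # Simplified indirection: real NICs index a redirection table with the
        # low bits of the hash; modulo keeps the example self-contained.
        return ipv4_l3_hash(sip, dip) % len(self.tables)

    def install_sa(self, sa: dict) -> int:
        """Handle an SA update: derive the core from the SA's own addresses and
        add the entry to that core's table only. Returns the chosen core."""
        core = self.core_for(sa["sip"], sa["dip"])
        self.tables[core][(sa["sip"], sa["dip"], sa["dport"], sa["spi"])] = sa
        return core

    def expire(self, now: float) -> int:
        """Timer-driven ageing: drop entries whose lifetime has passed."""
        dropped = 0
        for table in self.tables:
            for key in [k for k, v in table.items() if v["lifetime"] <= now]:
                del table[key]
                dropped += 1
        return dropped

    def classify(self, pkt: dict, now: float) -> Tuple[str, int]:
        """On the core RSS delivers the packet to, decide whether it is VPN
        ciphertext (hand to KFAST/kernel) or plain traffic (forward directly)."""
        core = self.core_for(pkt["sip"], pkt["dip"])
        key = (pkt["sip"], pkt["dip"], pkt["dport"], pkt.get("spi"))
        sa = self.tables[core].get(key)
        if sa is None or sa["lifetime"] <= now:
            return "forward_in_user_space", core
        return "send_to_kernel_vpn", core


def run_demo() -> dict:
    """Constructed traffic: one SA, one matching ESP-in-UDP packet, one plain
    HTTPS packet between the same hosts, then ageing past the lifetime."""
    ufast = Ufast(ncores=4)
    full = FullSa(sip="203.0.113.10", dip="198.51.100.1", dport=4500,
                  spi=0x1000ABCD, lifetime=3600.0)
    install_core = ufast.install_sa(full.trimmed())
    vpn_pkt = {"sip": "203.0.113.10", "dip": "198.51.100.1", "dport": 4500,
               "spi": 0x1000ABCD}
    plain_pkt = {"sip": "203.0.113.10", "dip": "198.51.100.1", "dport": 443}
    before = {"vpn": ufast.classify(vpn_pkt, now=10.0),
              "plain": ufast.classify(plain_pkt, now=10.0)}
    dropped = ufast.expire(now=4000.0)
    return {"install_core": install_core, "before": before, "dropped": dropped,
            "after": ufast.classify(vpn_pkt, now=4000.0)}


if __name__ == "__main__":
    print(run_demo())
```

The hash can be checked against the standard Receive Side Scaling verification vector, 66.9.149.187:2794 to 161.142.100.80:1766, which hashes to 0x323e8fc2 over the addresses alone and 0x51ccc178 with the ports included; the demo shows that the core chosen at install time equals the core that classifies the matching packet, that a plain packet between the same hosts lands on the same core but finds no SA and is forwarded from user space, and that after the lifetime passes the aged entry is gone and the former ciphertext packet is no longer matched.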
It should be noted that the division of the system 500 into the modules above is only one logical division by function; other divisions are possible in an actual implementation. Likewise, the physical realisation of each functional module may take various forms: each module may be implemented in software, in hardware, or in a combination of both, as part or all of a CPU core.
In addition, those skilled in the art will recognise that, for convenience and brevity of description, the specific working process of each module described above can be found in the corresponding process of the method embodiment and is not repeated here. In a specific implementation the VPN server may also comprise other modules, which Fig. 5 does not show individually.
In the embodiments provided herein it should be understood that the disclosed server and method may be realised in other ways. For example, the functional modules of the embodiments of the invention may be integrated into one processing unit, or each unit may exist physically on its own. The integrated unit may be realised in hardware, for example as a multi-core CPU, or in the form of hardware combined with a software functional unit.
An integrated unit realised as a software functional unit may be stored in a computer-readable storage medium. The software functional unit stored in the storage medium comprises instructions that cause a computing device (which may be a personal computer, a server, a network device or the like) to perform some of the steps of the methods of the embodiments of the invention. The storage medium includes a USB flash drive, a portable hard disk, RAM (Random Access Memory), a magnetic disk, an optical disc or any other medium capable of storing data.
The foregoing are only specific embodiments of the invention; the scope of protection of the invention is not limited to them. Any change or substitution that a person familiar with the art could readily conceive within the technical scope disclosed by the invention falls within the scope of protection of the invention, which is therefore defined by the scope of the claims.

Claims (10)

1. A packet transmission method of a virtual private network server, characterised in that the virtual private network (VPN) server runs across a first platform and a second platform, and the method comprises:
the VPN server receiving a packet by a user-space fast-forwarding (UFAST) module, the UFAST module being a module running in the user space of the first platform;
the VPN server determining, according to first security association (SA) information stored by the UFAST module, whether the packet is a VPN ciphertext packet;
the VPN server, by the UFAST module, sending the packet to the destination of the packet when the packet is determined to be a non-VPN ciphertext packet.
2. The method according to claim 1, characterised in that the method further comprises:
the VPN server, by the UFAST module, sending the packet to a kernel-space fast-forwarding (KFAST) module when the packet is determined to be a VPN ciphertext packet, the KFAST module being a module running in the kernel space of the first platform;
the KFAST module sending the packet to a VPN module running in the kernel space of the second platform;
the VPN module processing the packet in the kernel space of the second platform.
3. The method according to claim 1 or 2, characterised in that the method further comprises:
the VPN server, by the VPN module, sending SA update information to the KFAST module, the SA update information comprising the SA information stored by the VPN module;
the VPN server, by the KFAST module, sending the SA update information to the UFAST module;
the VPN server updating the first SA information stored by the UFAST module according to the SA update information.
4. The method according to claim 3, characterised in that, before the VPN server sends the SA update information to the KFAST module by the VPN module, the method comprises:
the VPN server trimming second SA information stored by the VPN module;
the SA update information comprising the trimmed SA information, wherein the SA information stored by the VPN module comprises complete security association information.
5. The method according to claim 3, characterised in that the VPN server sending the SA update information to the KFAST module by the VPN module specifically comprises:
the VPN server modifying the SA information stored by the VPN module according to a call from a process in the user space of the second platform;
after the SA information stored by the VPN module has been modified, sending the SA update information to the KFAST module by the VPN module.
6. The method according to claim 3, characterised in that the first SA information comprises one SA information table for each user-space core, a user-space core being a central processing unit (CPU) core running in the user space of the first platform, and the VPN server updating the first SA information stored by the UFAST module according to the SA update information specifically comprises:
computing the corresponding user-space core from the SA information in the SA update information by means of the RSS (reduced space code) algorithm;
notifying that user-space core to update the SA information table of the user-space core according to the SA information.
7. The method according to claim 3, characterised in that the first SA information comprises one SA information table for each user-space core, a user-space core being a central processing unit (CPU) core running in the user space of the first platform, and the VPN server determining, according to the first security association (SA) information stored by the UFAST module, whether the packet is a VPN ciphertext packet comprises:
computing the corresponding user-space core from the packet by means of the RSS algorithm;
determining, according to the SA information table of that user-space core, whether the packet is a VPN ciphertext packet.
8. A virtual private network server, characterised in that the virtual private network (VPN) server runs across a first platform and a second platform, and the VPN server comprises:
a user-space fast-forwarding (UFAST) module running in the user space of the first platform, a kernel-space fast-forwarding (KFAST) module running in the kernel space of the first platform, and a VPN module running in the kernel space of the second platform;
wherein the UFAST module is configured to receive a packet, to determine according to first security association (SA) information stored by the UFAST module whether the packet is a VPN ciphertext packet, and, when the packet is determined to be a non-VPN ciphertext packet, to send the packet to the destination of the packet.
9. The virtual private network server according to claim 8, characterised in that the UFAST module is further configured to:
send the packet to the KFAST module when the packet is determined to be a VPN ciphertext packet;
the KFAST module is configured to send the packet to the VPN module;
the VPN module is configured to process the packet in the kernel space of the second platform.
10. The virtual private network server according to claim 8 or claim 9, characterised in that the VPN module is further configured to send SA update information to the KFAST module, the SA update information comprising the SA information stored by the VPN module;
the KFAST module is further configured to send the SA update information to the UFAST module;
the UFAST module is further configured to update the first SA information stored by the UFAST module according to the SA update information.
CN201611110306.8A 2016-12-06 2016-12-06 Virtual special network server and its message transmitting method Active CN106549850B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611110306.8A CN106549850B (en) 2016-12-06 2016-12-06 Virtual special network server and its message transmitting method

Publications (2)

Publication Number Publication Date
CN106549850A true CN106549850A (en) 2017-03-29
CN106549850B CN106549850B (en) 2019-09-17

Family

ID=58397067

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611110306.8A Active CN106549850B (en) 2016-12-06 2016-12-06 Virtual special network server and its message transmitting method

Country Status (1)

Country Link
CN (1) CN106549850B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108494744A (en) * 2018-03-07 2018-09-04 杭州迪普科技股份有限公司 A kind of IPsec VPN clients message processing method and device
CN110098993A (en) * 2019-04-02 2019-08-06 视联动力信息技术股份有限公司 A kind for the treatment of method and apparatus of signaling message
CN110808975A (en) * 2019-10-31 2020-02-18 广州润铂晟信息技术有限公司 Sensitive data transmission method and device, computer equipment and storage medium
CN111371723A (en) * 2018-12-07 2020-07-03 网宿科技股份有限公司 Method and device for realizing PPTP VPN network isolation under DPDK framework
CN115379028A (en) * 2022-08-19 2022-11-22 深圳市东进银通电子有限公司 DPDK-based high-performance password service method, device, equipment and medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1515107A (en) * 2001-06-29 2004-07-21 英特尔公司 Dynamic configuration of IPSEC tunnels
CN1682197A (en) * 2002-09-06 2005-10-12 美国凹凸微系有限公司 VPN and firewall integrated system
CN101262405A (en) * 2008-04-11 2008-09-10 华南理工大学 High-speed secure virtual private network channel based on network processor and its realization method
CN101651597A (en) * 2009-09-23 2010-02-17 北京交通大学 Deployment method of IPSec-VPN in address discrete mapping network
US20120324067A1 (en) * 2011-06-17 2012-12-20 Adiseshu Hari Method and apparatus for remote delivery of managed usb services via a mobile computing device

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108494744A (en) * 2018-03-07 2018-09-04 杭州迪普科技股份有限公司 A kind of IPsec VPN clients message processing method and device
CN111371723A (en) * 2018-12-07 2020-07-03 网宿科技股份有限公司 Method and device for realizing PPTP VPN network isolation under DPDK framework
CN111371723B (en) * 2018-12-07 2022-06-17 网宿科技股份有限公司 Method and device for realizing PPTP VPN network isolation under DPDK framework
CN110098993A (en) * 2019-04-02 2019-08-06 视联动力信息技术股份有限公司 A kind for the treatment of method and apparatus of signaling message
CN110098993B (en) * 2019-04-02 2020-12-18 视联动力信息技术股份有限公司 Method and device for processing signaling message
CN110808975A (en) * 2019-10-31 2020-02-18 广州润铂晟信息技术有限公司 Sensitive data transmission method and device, computer equipment and storage medium
CN110808975B (en) * 2019-10-31 2021-11-19 广州润铂晟信息技术有限公司 Sensitive data transmission method and device, computer equipment and storage medium
CN115379028A (en) * 2022-08-19 2022-11-22 深圳市东进银通电子有限公司 DPDK-based high-performance password service method, device, equipment and medium
CN115379028B (en) * 2022-08-19 2024-06-25 深圳市东进银通电子有限公司 DPDK-based high-performance password service method, device, equipment and medium

Also Published As

Publication number Publication date
CN106549850B (en) 2019-09-17

Similar Documents

Publication Publication Date Title
CN106549850A (en) Virtual special network server and its message transmitting method
EP3242437A1 (en) Light-weight key update mechanism with blacklisting based on secret sharing algorithm in wireless sensor networks
US20140248887A1 (en) Closed Communication System
KR20160122992A (en) Integrative Network Management Method and Apparatus for Supplying Connection between Networks Based on Policy
WO2006086721A2 (en) Context limited shared secret
JP4692776B2 (en) Method for protecting SIP-based applications
US11706618B2 (en) Data packet verification method and device
CN108234522A (en) Prevent Address Resolution Protocol ARP attack method, device, computer equipment and storage medium
CN105262737B (en) A method of based on defending against DDOS attack for jump channel pattern
CN101605136B (en) A method and an apparatus for Internet protocol security IPSec processing to packets
CN109271801A (en) Injecting products approaches to IM, server, injection molding machine based on block chain
US9756504B2 (en) Security authentication method, device, and system
CN108401273A (en) A kind of method for routing and device
CN102195887B (en) Message processing method, device and network security equipment
CN112806041A (en) Key generation method, device and system
EP3599751A1 (en) Maintaining internet protocol security tunnels
CN109413123A (en) Session keeping method and relevant device
WO2020070371A1 (en) Method and apparatus for security context handling during inter-system change
CN106878302B (en) Cloud platform system and setting method
Zha et al. Security improvements of IEEE 802.11 i 4-way handshake scheme
US9954876B2 (en) Automatic tunnels routing loop attack defense
US12010088B2 (en) Data sending method and apparatus, and method and system for establishing P2P connection
US9560173B2 (en) Techniques for improving SYN cache performance
CN104380686B (en) Method and system, NG Fire-walled Clients and NG SOCKS servers for implementing NG fire walls
CN114679303B (en) Source address verification method and device for satellite Internet

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant