CN106549850B - Virtual private network server and its packet transmission method - Google Patents

Publication number: CN106549850B
Application number: CN201611110306.8A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN106549850A (en)
Inventors: 党丽娜, 刘健男
Current assignee: Neusoft Corp
Original assignee: Neusoft Corp
Prior art keywords: module, vpn, message, information, user space

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00  Data switching networks
    • H04L 12/28  Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46  Interconnection of networks
    • H04L 12/4641  Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/02  Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls

Abstract

The present invention provides a virtual private network (VPN) server and a packet transmission method for it, to solve the problem that existing VPN servers process non-VPN ciphertext packets inefficiently. The VPN server runs cross-platform on a first platform and a second platform. The method includes: the VPN server receives a packet through a user-mode fast-forwarding (UFAST) module, the UFAST module being a module that runs in the user mode of the first platform; the VPN server determines, according to first security association (SA) information stored by the UFAST module, whether the packet is a VPN ciphertext packet; and when the packet is determined to be a non-VPN ciphertext packet, the VPN server sends the packet through the UFAST module to the packet's destination.

Description

Virtual private network server and its packet transmission method
Technical field
The present invention relates to the field of computers, and in particular to a virtual private network server and its packet transmission method.
Background art
NetEye VPN (Virtual Private Network) is a firewall-style VPN: it is used together with firewall functions, and by establishing tunnels with gateways, mobile terminals or personal computers it uses encryption and authentication technology to guarantee the security, integrity and confidentiality of data transmitted end to end and end to site.
Existing VPNs can run cross-platform, for example on a DPDK (Data Plane Development Kit) platform and an x86 platform. Because of the firewall-based architecture, however, part of the VPN system deployed on the DPDK and x86 platforms cannot be fully ported to user-mode modules, and the processing of VPN packets remains in the x86 kernel mode. In the prior art, after the user mode of the DPDK platform receives a packet sent by the network interface card, it only makes a rough judgement of whether the packet is a VPN ciphertext packet. If it is not, the packet is processed directly in user mode. For a packet that cannot be determined to be a VPN ciphertext packet or not, the DPDK user mode sends it to kernel mode, and kernel mode sends it through the KFAST module to the x86 kernel mode, which makes the accurate judgement. If the packet is a VPN ciphertext packet, it is processed directly in the x86 kernel mode; if it is not, it is returned to the DPDK kernel mode, which sends it back to the DPDK user mode, where it is processed.
This process causes packets that are non-VPN ciphertext packets to be sent to the kernel, increasing the pressure on the channel from user mode to kernel mode. Moreover, a non-VPN ciphertext packet handed to the kernel is only sent back through the channel to user mode for processing after VPN parsing, which delays packet processing and reduces packet processing efficiency.
Summary of the invention
The object of the present invention is to provide a virtual private network server and its packet transmission method, to solve the problem that existing virtual private network servers process non-VPN ciphertext packets inefficiently.
To achieve the above object, a first aspect of the present invention provides a packet transmission method for a virtual private network server, the VPN server running cross-platform on a first platform and a second platform, the method including:
the VPN server receiving a packet through a user-mode fast-forwarding (UFAST) module, the UFAST module being a module that runs in the user mode of the first platform;
the VPN server determining, according to first security association (SA) information stored by the UFAST module, whether the packet is a VPN ciphertext packet;
when the packet is determined to be a non-VPN ciphertext packet, the VPN server sending the packet through the UFAST module to the packet's destination.
In the first aspect above, the first platform and the second platform may be any two different platforms among a DPDK platform, an x86 platform and an ARM (Advanced RISC Machine) platform, and packets that are VPN ciphertext packets may be processed in the kernel mode of the second platform.
Optionally, the method further includes:
when the packet is determined to be a VPN ciphertext packet, the VPN server sending the packet through the UFAST module to a kernel-mode fast-forwarding (KFAST) module, the KFAST module being a module that runs in the kernel mode of the first platform;
sending the packet through the KFAST module to a VPN module that runs in the kernel mode of the second platform;
processing the packet through the VPN module in the kernel mode of the second platform.
Optionally, the method further includes:
the VPN server sending an SA update message through the VPN module to the KFAST module, the SA update message including the SA information stored by the VPN module;
the VPN server sending the SA update message through the KFAST module to the UFAST module;
the VPN server updating, according to the SA update message, the first security association SA information stored by the UFAST module.
Optionally, before the VPN server sends the SA update message through the VPN module to the KFAST module, the method includes:
the VPN server trimming second SA information stored by the VPN module;
the SA information included in the SA update message being the trimmed SA information, where the SA information stored by the VPN module includes the complete security association information.
Optionally, the VPN server sending the SA update message through the VPN module to the KFAST module specifically includes:
the VPN server modifying the SA information stored by the VPN module according to a call from a process in the user mode of the second platform;
after the SA information stored by the VPN module has been modified, sending the SA update message through the VPN module to the KFAST module.
Optionally, the first SA information includes an SA information table for each corresponding user-mode core, a user-mode core being a central processing unit (CPU) core running in the user mode of the first platform, and the VPN server updating the first SA information stored by the UFAST module according to the SA update message specifically includes:
calculating the corresponding user-mode core from the SA information in the SA update message by means of the RSS (reduced-space code) algorithm;
notifying that user-mode core to update its SA information table according to the SA information.
Optionally, the VPN server determining, according to the first security association SA information stored in the user mode of the first platform, whether the packet is a VPN ciphertext packet includes:
calculating the corresponding user-mode core from the packet by means of the RSS algorithm;
determining, according to the SA information table of that user-mode core, whether the packet is a VPN ciphertext packet.
A second aspect of the present invention provides a virtual private network server, the VPN server running cross-platform on a first platform and a second platform, the VPN server including:
a user-mode fast-forwarding (UFAST) module running in the user mode of the first platform, a kernel-mode fast-forwarding (KFAST) module running in the kernel mode of the first platform, and a VPN module running in the kernel mode of the second platform;
where the UFAST module is configured to receive a packet, determine, according to first security association (SA) information stored by the UFAST module, whether the packet is a VPN ciphertext packet, and, when the packet is determined to be a non-VPN ciphertext packet, send the packet to the packet's destination.
Optionally, the UFAST module is further configured to send the packet to the KFAST module when the packet is determined to be a VPN ciphertext packet;
the KFAST module is configured to send the packet to the VPN module;
the VPN module is configured to process the packet in the kernel mode of the second platform.
Optionally, the VPN module is further configured to send an SA update message to the KFAST module, the SA update message including the SA information stored by the VPN module;
the KFAST module is further configured to send the SA update message to the UFAST module;
the UFAST module is further configured to update the first security association SA information stored by the UFAST module according to the SA update message.
Optionally, the VPN module is further configured to trim the second SA information stored by the VPN module before sending the SA update message to the KFAST module;
where the SA information included in the SA update message is the trimmed SA information, and the SA information stored by the VPN module includes the complete security association information.
Optionally, the VPN module is further configured to modify the SA information it stores according to a call from a process in the user mode of the second platform, and to send the SA update message to the KFAST module after the SA information it stores has been modified.
Optionally, the first SA information includes an SA information table for each corresponding user-mode core, a user-mode core being a central processing unit (CPU) core running in the user mode of the first platform, and the UFAST module is configured to:
calculate the corresponding user-mode core from the SA information in the SA update message by means of the RSS (reduced-space code) algorithm;
notify that user-mode core to update its SA information table according to the SA information.
Optionally, the first SA information includes an SA information table for each corresponding user-mode core, a user-mode core being a central processing unit (CPU) core running in the user mode of the first platform, and the UFAST module is configured to:
calculate the corresponding user-mode core from the packet by means of the RSS algorithm;
determine, according to the SA information table of that user-mode core, whether the packet is a VPN ciphertext packet.
With the above technical scheme, the UFAST module in the user mode of the first platform of the VPN server stores the first SA information, so that after receiving a packet the VPN server can accurately judge in user mode, based on security association information, whether the packet is a VPN ciphertext packet. Since non-VPN ciphertext packets need no processing by the VPN server, when a packet is determined to be a non-VPN ciphertext packet the VPN server does not need to send it to kernel mode and instead forwards it directly in user mode to its destination. This relieves the pressure on the transmission channel between the VPN server's user mode and kernel mode, speeds up the processing of non-VPN ciphertext packets and improves packet processing efficiency.
Other features and advantages of the present invention are described in detail in the detailed description section that follows.
Brief description of the drawings
The drawings are intended to provide a further understanding of the invention and form part of the specification; together with the following specific embodiments they serve to explain the invention, but are not to be construed as limiting it. In the drawings:
Fig. 1 is a structural schematic diagram of an existing VPN server;
Fig. 2 is a flow diagram of a packet transmission method for a virtual private network server provided in an embodiment of the present invention;
Fig. 3 is a schematic diagram of transmitting packets in the VPN server shown in Fig. 1 using the method steps shown in Fig. 2, as provided in an embodiment of the present invention;
Fig. 4 is a flow diagram of a method for synchronizing SA information between kernel mode and user mode, provided in an embodiment of the present invention;
Fig. 5 is a structural schematic diagram of a virtual private network server provided in an embodiment of the present invention.
Specific embodiments
Preferred embodiments of the present invention are described in detail below with reference to the drawings. It should be understood that the specific embodiments described here serve only to illustrate and explain the present invention and are not intended to limit it.
To make the technical solutions provided in the embodiments of the present invention easier for those skilled in the art to understand, the terms involved are first briefly introduced.
An SA (Security Association) encodes the policy agreement between two computers: it specifies which algorithm, what key length and what actual key will be used between them.
SA information records the policy and policy parameters of each IP-based secure channel. It is negotiated automatically by the communicating parties or created manually, and includes information such as the tunnel protocol used, the key and its validity period, the compression mode, anti-replay and NAT (Network Address Translation). For a packet received by the firewall, the corresponding SA information can be found by key fields such as dip (Dynamic IP Pool, dynamic IP address pool), protocol (tunnel protocol) and spi (Serial Peripheral Interface, peripheral device interface).
That is, based on SA information it is possible to judge accurately whether a packet received by the firewall is an encrypted packet: for a VPN ciphertext packet the firewall can find the corresponding SA information by dip, sip and protocol and process the ciphertext packet according to it, whereas for a non-VPN ciphertext packet the firewall cannot find corresponding SA information.
Those skilled in the art should understand that in the following description of the embodiments "the first platform" and "the second platform" serve only to distinguish different platforms and should not be understood as placing any additional limitation on the platforms. Specifically, the first platform and the second platform may be any two different platforms among a DPDK platform, an x86 platform and an ARM platform. For example, the first platform is a DPDK platform and the second platform is an x86 platform; or the first platform is an x86 platform and the second platform is a DPDK platform; or the first platform is a DPDK platform and the second platform is an ARM platform. The present invention does not limit this.
The problem in the prior art is illustrated with a cross-platform VPN server running on a DPDK platform and an x86 platform. Referring to Fig. 1, Fig. 1 is a structural schematic diagram of a prior-art VPN server 100 running cross-platform on a DPDK platform and an x86 platform, where the VPN server 100 includes a UFAST module 101 running in DPDK user mode, a KFAST module 102 running in DPDK kernel mode, and a VPN module 103 running in x86 platform kernel mode.
The transmission of packets in the prior-art VPN server is explained below following the arrows in Fig. 1, where U->K denotes user mode (Usermode) sending packets to kernel mode (Kernelmode) and K->U denotes kernel mode sending packets to user mode. As shown in Fig. 1, after the UFAST module 101 receives a packet sent by the network interface card, the VPN server can judge by protocol port whether the packet is a non-VPN ciphertext packet; if it is, the packet is forwarded directly to its destination in the user mode of the DPDK platform. It is worth noting that only some non-VPN ciphertext packets can be distinguished by protocol port; for the other packets, only an SA information lookup can determine whether they are VPN ciphertext packets. Since the SA information resides in the VPN module 103, the UFAST module 101 sends every packet that the port check has not confirmed to be a non-VPN ciphertext packet through the U->K channel to the kernel of the DPDK platform. The KFAST module 102 in the DPDK kernel sends the packet through the hook interface to the VPN module 103 in the x86 platform kernel, which judges the packet further, i.e. determines from the SA information whether it is a VPN ciphertext packet. If it is, VPN decryption is performed on the packet; if it is not, the packet is sent back through the K->U channel to the UFAST module 101.
From the above process it can be seen that in the prior art some non-VPN ciphertext packets have to enter kernel mode, which both increases the pressure on the channel from user mode to kernel mode and reduces packet processing efficiency.
An embodiment of the present invention provides a packet transmission method for a virtual private network server, where the VPN server runs cross-platform on a first platform and a second platform. As shown in Fig. 2, the method includes:
S201: the VPN server receives a packet through a user-mode fast-forwarding (UFAST) module, the UFAST module being a module that runs in the user mode of the first platform.
The packet may be a packet sent to the VPN server by the network interface card.
S202: the VPN server determines, according to first security association (SA) information stored by the UFAST module, whether the packet is a VPN ciphertext packet.
It is worth noting that the SA information in user mode can be stored in the user-mode UFAST module at system initialization, by the VPN server synchronizing the SA information stored by the VPN module in kernel mode.
As introduced above for SA information, the VPN server can accurately distinguish, according to the SA information, whether a received packet is a VPN ciphertext packet or a non-VPN ciphertext packet.
S203: when the packet is determined to be a non-VPN ciphertext packet, the VPN server sends the packet through the UFAST module to the packet's destination.
It is worth noting that a non-VPN ciphertext packet means a ciphertext packet that is allowed through the firewall, i.e. one that does not need to be processed by the VPN system. That is, after receiving a non-VPN ciphertext packet, the VPN server can forward it to its destination according to the destination address in the packet, without processing the packet.
Using the above method, the UFAST module in the user mode of the first platform of the VPN server stores the first SA information, so that after receiving a packet the VPN server can accurately judge in user mode, based on security association information, whether the packet is a VPN ciphertext packet. Since non-VPN ciphertext packets need no processing by the VPN server, when a packet is determined to be a non-VPN ciphertext packet the VPN server does not need to send it to kernel mode and instead forwards it directly in user mode to its destination. This relieves the pressure on the transmission channel between the VPN server's user mode and kernel mode, speeds up the processing of non-VPN ciphertext packets and improves packet processing efficiency.
To help those skilled in the art better understand the technical solution provided in the embodiments of the present invention, the steps of the above method are described in detail below.
Specifically, in step S202 above, when the VPN server determines that the packet is a VPN ciphertext packet, it sends the packet through the UFAST module to a kernel-mode fast-forwarding (KFAST) module, the KFAST module being a module that runs in the kernel mode of the first platform; the packet is sent through the KFAST module to the VPN module running in the kernel mode of the second platform; and the packet is processed through the VPN module in the kernel mode of the second platform.
Taking the first platform as a DPDK platform and the second platform as an x86 platform as an example: as shown in Fig. 3, the VPN server 300 includes a UFAST module 301 running in DPDK user mode, a KFAST module 302 running in DPDK kernel mode, and a VPN module 303 running in x86 platform kernel mode. In Fig. 3, U->K denotes user mode sending packets to kernel mode and K->U denotes kernel mode sending packets to user mode. Specifically, after the VPN server 300 receives a packet sent by the network interface card through the UFAST module 301, it can judge from the first SA information stored by the UFAST module 301 whether the packet is a VPN ciphertext packet. If the packet is not a VPN ciphertext packet, i.e. it is a non-VPN ciphertext packet, it is forwarded to its destination in the user mode of the DPDK platform. If the packet is a VPN ciphertext packet, it is sent through the U->K channel to the kernel of the DPDK platform, and the KFAST module 302 in the DPDK kernel sends it through the hook interface to the VPN module 303 in the x86 platform kernel, which performs VPN decryption on it. In this way, the DPDK user mode of the VPN server can accurately judge whether a received packet is a VPN ciphertext packet, so non-VPN ciphertext packets no longer need to be passed down to kernel mode, which reduces the pressure on the channel between user mode and kernel mode and improves the processing efficiency of non-VPN ciphertext packets.
The above is merely illustrative. In a specific implementation, after receiving a packet the VPN server may also first determine by protocol port whether the packet is a non-VPN ciphertext packet, and then determine from the SA information whether it is a VPN ciphertext packet. The present invention does not limit this.
In addition, to ensure the accuracy of the SA information, the SA information stored by the UFAST module should be consistent with the SA information stored by the VPN module. An embodiment of the present invention can synchronize the SA information in user mode and kernel mode by the following method, which, as shown in Fig. 4, includes:
S401: the VPN server sends an SA update message through the VPN module to the KFAST module, the SA update message including the SA information stored by the VPN module.
The SA update message is used to modify or delete the first security association SA information stored in user mode, or to add to it.
It is worth noting that kernel mode can send information to user mode through MSG messages, and an MSG thread running in the first CPU (Central Processing Unit) core of user mode is mainly responsible for processing the received MSG messages. Therefore, in step S401 above, the SA update message may specifically be an MSG message that includes an instruction to update the first SA information.
S402: the VPN server sends the SA update message through the KFAST module to the UFAST module.
S403: the VPN server updates the first SA information stored by the UFAST module according to the SA update message.
Specifically, the first SA information includes an SA information table for each user-mode core, a user-mode core being a central processing unit (CPU) core running in the user mode of the first platform. The operation queue of each user-mode core stores the operations to be performed on its SA information table, and each user-mode core has a corresponding management thread that executes the operations according to the information in the operation queue. In this way, after the MSG thread receives an MSG message it can put the corresponding information into the operation queue of the corresponding user-mode core and notify that core's management thread to process it.
It is worth noting that the VPN server can reserve memory space for storing SA information at initialization or startup; the size of the reserved memory space can be MAX(SA_NUM) * sizeof(SA), where SA_NUM is the number of SA entries and sizeof(SA) is the size of a single SA entry. The reserved memory space does not disappear when a process terminates. The SA information table of each user-mode core is thus built as in steps S401 to S403 above: kernel mode sends user mode an MSG message including the SA information, and after receiving it the UFAST module on the CPU core builds the SA information table from the SA information. In subsequent operation, the VPN module in x86 kernel mode can periodically initiate SA information synchronization to keep the SA information stored by the UFAST module consistent with that stored by the VPN module.
Since SA information is negotiated automatically by the communicating parties or created manually, the VPN server may also send the SA update message through the VPN module to the KFAST module after the SA information stored by the VPN module has been modified by a call from a process in the user mode of the second platform. In this case, the SA information table corresponding to each user-mode core may also include an ageing time for each SA entry, and this ageing time may be kept consistent with the ageing time of the SA information in the VPN module, so that the VPN server only needs to initiate synchronization of the SA information stored by the UFAST module when the SA information stored by the VPN module changes.
It is worth noting that the uniqueness of the MSG thread, together with the fact that each operation queue and management thread belong to a single user-mode core, means that concurrent access to an operation queue does not occur, so no lock operations are needed during the entire SA information synchronization. Moreover, managing the validity of SA information through an ageing time set by a timer prevents SA information that should have been deleted from being retained because of a system anomaly and causing packets to be sent wrongly.
In one possible implementation of the embodiment of the present invention, in order to save user-mode storage space, the VPN server may trim the second SA information stored by the VPN module, both when initially building the SA information table of each user-mode core in the user mode of the first platform and during subsequent updates of the table. The second SA information is the complete security association information, and the SA information included in the SA update message is the second SA information after trimming.
That is, in the embodiment of the present invention, the SA information in the SA information table of a user-mode core may include only the information needed to judge accurately whether a packet is a VPN ciphertext packet, for example dip, dport (destination port), sip (Session Initiation Protocol), spi and lifetime (life span). Compared with the complete security association information stored by the VPN module in the kernel mode of the second platform, user mode thereby saves roughly 400 bytes of storage space relative to kernel mode.
Further, step S403 above includes: calculating the corresponding user-mode core from the SA information in the SA update message by means of the RSS (Reduced Space Symbology, reduced-space code) algorithm; and notifying that user-mode core to update its SA information table according to the SA information.
Correspondingly, in step S202 above, after receiving the packet the VPN server can calculate the corresponding user-mode core from the packet by means of the RSS algorithm, and determine, according to that core's SA information table, whether the packet is a VPN ciphertext packet.
Because the user-mode core obtained by the RSS algorithm when an SA entry is added is the same as the user-mode core obtained by the RSS algorithm when a packet is received, a packet received by the current user-mode core is guaranteed to correspond to that core's SA information table: if the packet is a VPN ciphertext packet, the corresponding SA information can be found in the SA information table of the current user-mode core, and if no corresponding SA information can be found, the packet is a non-VPN ciphertext packet.
With the above technical scheme, each user-mode core has its own SA information table, and every addition, deletion or lookup of SA information in a table is carried out by the same user-mode core, so only one actor accesses an SA information table at a time; there is no resource contention, and lock-free lookup is guaranteed. Moreover, after the VPN server determines the corresponding user-mode core for a received packet by the RSS algorithm, it can find the corresponding SA information in that core's SA information table for a VPN ciphertext packet, while a packet for which no SA information is found is a non-VPN ciphertext packet and can be forwarded directly to its destination in user mode without being passed down to kernel mode, which improves packet processing efficiency and reduces the channel pressure from user mode to kernel mode.
The embodiment of the present invention also provides a virtual private network server 500. The server 500 runs cross-platform on the first platform and the second platform and is used to implement the message transmission method of a virtual private network server provided by the above method embodiment. As shown in Fig. 5, the server 500 includes:
a user space fast-forwarding UFAST module 501 operating in the user space of the first platform, a kernel state fast-forwarding KFAST module 502 operating in the kernel state of the first platform, and a VPN module 503 operating in the kernel state of the second platform;
wherein the UFAST module 501 is configured to receive a message, determine whether the message is a VPN ciphertext packet according to the first security association SA information stored by the UFAST module 501 of the first platform, and, when it determines that the message is a non-VPN ciphertext packet, send the message to the destination of the message.
With the above VPN server, the UFAST module in the user space of the first platform of the VPN server stores the first SA information, so that after receiving a message the VPN server can accurately determine in user space, based on the security association information, whether the message is a VPN ciphertext packet. Because a non-VPN ciphertext packet does not need to be processed by the VPN server, when the message is determined to be a non-VPN ciphertext packet the VPN server need not send it to the kernel state and instead forwards it directly to its destination in user space. This relieves the pressure on the transmission channel between the user space and the kernel state of the VPN server, speeds up the processing of non-VPN ciphertext packets, and improves message processing efficiency.
Optionally, the UFAST module 501 is further configured to send the message to the KFAST module when it determines that the message is a VPN ciphertext packet; the KFAST module 502 is configured to send the message to the VPN module; and the VPN module 503 is configured to process the message in the kernel state of the second platform. Specifically, where the first platform is a DPDK platform and the second platform is an x86 platform, the process by which the VPN server transmits a message may refer to the description of Fig. 3 in the above method embodiment, which is not repeated here.
Optionally, the VPN module 503 is further configured to send an SA update message to the KFAST module 502, the SA update message including the SA information stored by the VPN module; the KFAST module 502 is further configured to send the SA update message to the UFAST module; and the UFAST module 501 is further configured to update the first SA information stored by the UFAST module 501 according to the SA update message.
Specifically, the first SA information includes an SA information table corresponding to each user space core, a user space core being one running on a central processing unit CPU core of the user space of the first platform. In this way, after the VPN server initially establishes an SA information table for each user space core in the user space of the first platform, the update mechanism keeps the SA information stored in the kernel state and in user space consistent.
Optionally, the VPN module 503 is further configured to trim the second SA information stored by the VPN module before sending the SA update message to the KFAST module; wherein the SA information included in the SA update message is the trimmed SA information, and the SA information stored by the VPN module includes the complete security association information.
That is, in the embodiment of the present invention, the SA information in the SA information table corresponding to a user space core may include only the information needed to accurately determine whether a message is a VPN ciphertext packet, such as dip, dport, sip, spi and lifetime. In this way, compared with the complete security association information stored in the kernel state of the second platform, user space saves about 400 bytes of memory relative to the kernel state.
Optionally, the VPN module 503 is further configured to modify the SA information it stores according to a call from a process in the user space of the second platform, and, after modifying the SA information it stores, to send the SA update message to the KFAST module.
Optionally, the first SA information includes an SA information table corresponding to each user space core, the user space core being one running on a central processing unit CPU core of the user space of the first platform, and the UFAST module 501 is configured to: calculate the corresponding user space core from the SA information in the SA update message by the reduced space code RSS algorithm; and notify that user space core to update its SA information table according to the SA information.
In this way, the UFAST module 501 is configured to calculate the corresponding user space core from the message by the RSS algorithm, and to determine whether the message is a VPN ciphertext packet according to the SA information table of that user space core.
Because the user space core obtained by the RSS algorithm when SA information is added is the same as the user space core obtained by the RSS algorithm when a message is received, consistency between the message received by the current user space core and the SA information table of that core is guaranteed: if the message is a VPN ciphertext packet, the corresponding SA information can be found in the SA information table of the current user space core; if no corresponding SA information can be found, the message is a non-VPN ciphertext packet.
With the above technical solution, each SA information table corresponds to one user space core, and every addition, deletion or lookup of SA information in a given SA information table is performed by that same user space core, so that only one actor accesses an SA information table at any time. There is therefore no resource contention, and lock-free lookup is achieved. Moreover, after the VPN server determines the corresponding user space core for a received message by the RSS algorithm, it can find the corresponding SA information in that core's SA information table for VPN ciphertext packets, while a message for which no SA information is found is a non-VPN ciphertext packet and can be forwarded directly to its destination in user space without being passed down to the kernel state, which improves message processing efficiency and reduces the pressure on the channel from user space to the kernel state.
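The following is an added example, written for this page and not code from the patent or from Neusoft: it covers both the method embodiment above (per-core SA information tables, selecting the core with the RSS hash, lock-free lookup and classification of a received message) and the apparatus embodiment (trimming the complete SA down to the fields the page lists, and applying the SA update message that travels from the VPN module through the KFAST module to the UFAST module). It assumes, since the page does not say, that "RSS" is the Toeplitz receive-side scaling hash computed over (sip, dip, dport), that sip and dip are IPv4 source and destination addresses, that SPI 0 never identifies a real SA, and a constructed layout for the complete SA and the update message. Names such as `sa_full`, `sa_compact`, `rss_select_core`, `apply_sa_update` and `classify_packet` are the example's own.

```c
/* Added example, not the patent's code. Trimmed per-core SA tables in user
 * space, RSS-selected core, lock-free classification of a received packet.
 * Assumptions: RSS = Toeplitz hash over (sip, dip, dport); IPv4 addresses;
 * SPI 0 is reserved; the SA/update layouts below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

#define NUM_CORES  4     /* number of user space cores (constructed) */
#define TABLE_SIZE 64    /* entries per core table (constructed) */

/* Complete SA as the kernel VPN module keeps it (constructed layout). */
struct sa_full {
    uint32_t sip, dip; uint16_t dport; uint32_t spi; uint64_t lifetime;
    uint8_t  enc_key[32], auth_key[64];      /* key material never leaves the kernel */
    uint64_t replay_window, bytes, packets;  /* per-SA state not needed to classify */
    uint8_t  mode, proto;
};

/* Compact record held in user space: only the fields the page lists. */
struct sa_compact { uint32_t sip, dip; uint16_t dport; uint32_t spi; uint64_t lifetime; };

/* Trim: keep just what decides "is this packet VPN ciphertext for a known SA?". */
struct sa_compact sa_trim(const struct sa_full *f) {
    struct sa_compact c = { f->sip, f->dip, f->dport, f->spi, f->lifetime };
    return c;
}

/* Toeplitz hash. Each set input bit XORs in the 32-bit window of the key that
 * starts at that bit offset. The key is a fixed constant (constructed); the
 * only requirement is that the SA path and the packet path share it. */
static const uint8_t rss_key[40] = {
    0x6d,0x5a,0x56,0xda,0x25,0x5b,0x0e,0xc2,0x41,0x67,0x25,0x3d,0x43,0xa3,
    0x8f,0xb0,0xd0,0xca,0x2b,0xcb,0xae,0x7b,0x30,0xb4,0x77,0xcb,0x2d,0xa3,
    0x80,0x30,0xf2,0x0c,0x6a,0x42,0xb7,0x3b,0xbe,0xac,0x01,0xfa };

static uint32_t key_window(size_t bit) {
    size_t byte = bit / 8, shift = bit % 8;
    uint64_t w = 0;
    for (int k = 0; k < 5; k++) w = (w << 8) | rss_key[byte + k];   /* 40 key bits */
    return (uint32_t)(w >> (8 - shift));                             /* bits [bit, bit+32) */
}

uint32_t toeplitz(const uint8_t *in, size_t len) {
    uint32_t h = 0;
    for (size_t i = 0; i < len; i++)
        for (int b = 0; b < 8; b++)
            if (in[i] & (0x80u >> b)) h ^= key_window(i * 8 + (size_t)b);
    return h;
}

/* An SA and a packet land on the same core because the same fields feed the hash. */
unsigned rss_select_core(uint32_t sip, uint32_t dip, uint16_t dport) {
    uint8_t in[10] = { (uint8_t)(sip >> 24), (uint8_t)(sip >> 16), (uint8_t)(sip >> 8), (uint8_t)sip,
                       (uint8_t)(dip >> 24), (uint8_t)(dip >> 16), (uint8_t)(dip >> 8), (uint8_t)dip,
                       (uint8_t)(dport >> 8), (uint8_t)dport };
    return toeplitz(in, sizeof in) % NUM_CORES;
}

struct sa_table { struct sa_compact e[TABLE_SIZE]; bool used[TABLE_SIZE]; };

void sa_tables_init(struct sa_table t[NUM_CORES]) { memset(t, 0, sizeof(struct sa_table) * NUM_CORES); }

/* SA update message as relayed by the KFAST module (constructed format). */
enum sa_op { SA_ADD = 1, SA_DEL = 2 };
struct sa_update { enum sa_op op; struct sa_compact sa; };

static bool sa_key_eq(const struct sa_compact *a, const struct sa_compact *b) {
    return a->sip == b->sip && a->dip == b->dip && a->dport == b->dport && a->spi == b->spi;
}

/* Apply an update on the core the SA hashes to. In the design on the page the
 * UFAST module notifies that core and the core edits its own table, so no lock
 * is needed; here the call is made directly and single-threaded.
 * Returns the core index, or -1 when the message is rejected. */
int apply_sa_update(struct sa_table t[NUM_CORES], const struct sa_update *u) {
    if (u->sa.spi == 0) return -1;            /* reserved SPI: never install it */
    unsigned core = rss_select_core(u->sa.sip, u->sa.dip, u->sa.dport);
    struct sa_table *tab = &t[core];
    for (size_t i = 0; i < TABLE_SIZE; i++)
        if (tab->used[i] && sa_key_eq(&tab->e[i], &u->sa)) {
            if (u->op == SA_DEL) tab->used[i] = false; else tab->e[i] = u->sa;
            return (int)core;
        }
    if (u->op != SA_ADD) return -1;           /* delete of an unknown SA */
    for (size_t i = 0; i < TABLE_SIZE; i++)
        if (!tab->used[i]) { tab->e[i] = u->sa; tab->used[i] = true; return (int)core; }
    return -1;                                /* table full: kernel still has the SA */
}

enum verdict { NOT_VPN = 0, VPN_CIPHERTEXT = 1, VPN_SA_EXPIRED = 2 };

/* Receive path: hash the packet to its core and search only that core's table.
 * A hit on an SA whose lifetime has passed is reported separately so the
 * caller can still hand it to the kernel rather than forward it in user space. */
enum verdict classify_packet(const struct sa_table t[NUM_CORES], uint32_t sip, uint32_t dip,
                             uint16_t dport, uint32_t spi, uint64_t now) {
    const struct sa_table *tab = &t[rss_select_core(sip, dip, dport)];
    struct sa_compact k = { sip, dip, dport, spi, 0 };
    for (size_t i = 0; i < TABLE_SIZE; i++)
        if (tab->used[i] && sa_key_eq(&tab->e[i], &k))
            return tab->e[i].lifetime > now ? VPN_CIPHERTEXT : VPN_SA_EXPIRED;
    return NOT_VPN;                           /* forwarded in user space, never enters the kernel */
}
```

The two checks a practitioner would want are visible in the code: the compact record carries no key material, so the user space copy discloses nothing beyond traffic selectors if that process is compromised, and an entry whose lifetime has elapsed is not silently treated as a miss, since a miss means the packet is forwarded in user space without ever reaching the kernel VPN module.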
It should be noted that the above division of the system 500 into modules is only one kind of logical functional division; other divisions are possible in actual implementation. Likewise, each of the above functional modules may be physically realized in many ways. Specifically, each functional module may be implemented by software, hardware, or a combination of both as some or all of a CPU core.
In addition, those skilled in the art will clearly recognize that, for convenience and brevity of description, the specific working process of each module described above may refer to the corresponding process in the foregoing method embodiment and is not repeated here. Furthermore, in a specific implementation the VPN server may also include other modules not individually shown in Fig. 5.
In the embodiments provided herein, it should be understood that the disclosed server and method may be realized in other ways. For example, the functional modules in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own. The integrated unit may be implemented in the form of hardware, for example the processing unit may be a multi-core CPU, or in the form of hardware plus a software functional unit.
The integrated unit, when implemented in the form of a software functional unit, may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to execute some of the steps of the methods of the embodiments of the present invention. The storage medium includes a USB flash disk, a removable hard disk, a RAM (RandomAccessMemory, random access memory), a magnetic disk or an optical disk, or any other medium capable of storing data.
The above is merely a specific embodiment of the present invention, and the protection scope of the present invention is not limited thereto. Any changes or substitutions readily conceivable by those familiar with the art within the technical scope disclosed by the present invention shall be included within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (14)

1. A message transmission method of a virtual private network server, characterized in that the virtual private network VPN server runs cross-platform on a first platform and a second platform, the method comprising:
the VPN server receiving a message by a user space fast-forwarding UFAST module, the UFAST module being a module running in the user space of the first platform;
the VPN server determining, according to first security association SA information stored by the UFAST module, whether the message is a VPN ciphertext packet;
the VPN server, when determining that the message is a non-VPN ciphertext packet, sending the message by the UFAST module to the destination of the message.
2. The method according to claim 1, characterized in that the method further comprises:
the VPN server, when determining that the message is a VPN ciphertext packet, sending the message by the UFAST module to a kernel state fast-forwarding KFAST module, the KFAST module being a module running in the kernel state of the first platform;
sending the message by the KFAST module to a VPN module operating in the kernel state of the second platform;
processing the message by the VPN module in the kernel state of the second platform.
3. The method according to claim 2, characterized in that the method further comprises:
the VPN server sending, by the VPN module, an SA update message to the KFAST module, the SA update message including the SA information stored by the VPN module;
the VPN server sending the SA update message by the KFAST module to the UFAST module;
the VPN server updating the first security association SA information stored by the UFAST module according to the SA update message.
4. The method according to claim 3, characterized in that, before the VPN server sends the SA update message by the VPN module to the KFAST module, the method comprises:
the VPN server trimming second SA information stored by the VPN module;
the SA information included in the SA update message being the trimmed SA information, wherein the SA information stored by the VPN module includes complete security association information.
5. The method according to claim 3, characterized in that the VPN server sending the SA update message by the VPN module to the KFAST module specifically comprises:
the VPN server modifying the SA information stored by the VPN module according to a call from a process in the user space of the second platform;
after the SA information stored by the VPN module has been modified, sending the SA update message by the VPN module to the KFAST module.
6. The method according to claim 3, characterized in that the first SA information includes an SA information table corresponding to each user space core, the user space core being one running on a central processing unit CPU core of the user space of the first platform, and the VPN server updating the first SA information stored by the UFAST module according to the SA update message specifically comprises:
calculating the corresponding user space core from the SA information in the SA update message by a reduced space code RSS algorithm;
notifying the user space core to update its SA information table according to the SA information.
7. The method according to claim 3, characterized in that the first SA information includes an SA information table corresponding to each user space core, the user space core being one running on a central processing unit CPU core of the user space of the first platform, and the VPN server determining, according to the first security association SA information stored by the UFAST module, whether the message is a VPN ciphertext packet comprises:
calculating the corresponding user space core from the message by the RSS algorithm;
determining whether the message is a VPN ciphertext packet according to the SA information table of the user space core.
8. A virtual private network server, characterized in that the virtual private network VPN server runs cross-platform on a first platform and a second platform, the VPN server comprising:
a user space fast-forwarding UFAST module operating in the user space of the first platform, a kernel state fast-forwarding KFAST module operating in the kernel state of the first platform, and a VPN module operating in the kernel state of the second platform;
wherein the UFAST module is configured to receive a message, determine whether the message is a VPN ciphertext packet according to first security association SA information stored by the UFAST module, and, when determining that the message is a non-VPN ciphertext packet, send the message to the destination of the message.
9. The virtual private network server according to claim 8, characterized in that the UFAST module is further configured to:
when determining that the message is a VPN ciphertext packet, send the message to the KFAST module;
the KFAST module is configured to send the message to the VPN module;
the VPN module is configured to process the message in the kernel state of the second platform.
10. The virtual private network server according to claim 8 or 9, characterized in that the VPN module is further configured to send an SA update message to the KFAST module, the SA update message including the SA information stored by the VPN module;
the KFAST module is further configured to send the SA update message to the UFAST module;
the UFAST module is further configured to update the first security association SA information stored by the UFAST module according to the SA update message.
11. The virtual private network server according to claim 10, characterized in that the VPN module is further configured to trim second SA information stored by the VPN module before sending the SA update message to the KFAST module; wherein the SA information included in the SA update message is the trimmed SA information, and the SA information stored by the VPN module includes complete security association information.
12. The virtual private network server according to claim 10, characterized in that the VPN module is further configured to modify the SA information it stores according to a call from a process in the user space of the second platform;
after modifying the SA information it stores, send the SA update message to the KFAST module.
13. The virtual private network server according to claim 10, characterized in that the first SA information includes an SA information table corresponding to each user space core, the user space core being one running on a central processing unit CPU core of the user space of the first platform, and the UFAST module is configured to:
calculate the corresponding user space core from the SA information in the SA update message by a reduced space code RSS algorithm;
notify the user space core to update its SA information table according to the SA information.
14. The virtual private network server according to claim 10, characterized in that the first SA information includes an SA information table corresponding to each user space core, the user space core being one running on a central processing unit CPU core of the user space of the first platform, and the UFAST module is configured to:
calculate the corresponding user space core from the message by the RSS algorithm;
determine whether the message is a VPN ciphertext packet according to the SA information table of the user space core.
CN201611110306.8A 2016-12-06 2016-12-06 Virtual special network server and its message transmitting method Active CN106549850B (en)

Publications (2)

Publication Number Publication Date
CN106549850A CN106549850A (en) 2017-03-29
CN106549850B true CN106549850B (en) 2019-09-17
