Specific embodiment
To make the purpose, technical solution and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the present invention and are not intended to limit it.
Fig. 1 is a schematic diagram of a system architecture to which the IPsec (Internet Protocol Security) encryption system of an embodiment of the present invention applies. The architecture applies to a multi-core heterogeneous network device comprising at least one control-plane processor core that processes control-plane data and at least one user-plane processor core that processes user-plane data. As shown in Fig. 1, the system architecture 100 includes a control-plane processor core 110, a user-plane processor core 120, a hardware encryption module 130 and a network card 140. The control-plane processor core 110 includes a network protocol stack 111 and a network card driver 112, and the network protocol stack 111 is connected to the network card driver 112. Optionally, the control-plane processor core 110 may be connected to the user-plane processor core 120 and may also be connected to the network card 140; more specifically, the control-plane processor core 110 may be connected to the user-plane processor core 120 through the network card driver 112, and may also be connected to the network card 140 through the network card driver 112. Optionally, the user-plane processor core 120 is connected to the hardware encryption module 130 and may also be connected to the network card 140. The hardware encryption module 130 is connected to the network card 140. The control-plane processor core 110 processes control-plane data and the user-plane processor core 120 processes user-plane data. Optionally, the control-plane processor core 110 may be a POWERPC core or an ARM core; optionally, the user-plane processor core 120 may be a DSP core.
In the embodiment of the present invention, on the one hand, the network protocol stack 111 in the control-plane processor core 110 processes control-plane data to obtain a first IP packet, the network card driver 112 determines whether the first IP packet needs encryption, and a first IP packet that needs encryption is sent to the user-plane processor core 120 by inter-core communication; the user-plane processor core 120 then sends it to the hardware encryption module 130, which assigns it a sequence number and encrypts it, after which the encrypted first IP packet is sent out through the network card 140. On the other hand, the user-plane processor core 120 processes user-plane data to obtain a second IP packet, which is sent to the hardware encryption module 130 to be assigned a sequence number and encrypted, after which the encrypted packet is sent out through the network card 140.
Fig. 2 is a schematic flow chart of an IPsec encryption method provided by an embodiment of the present invention.
Based on the system architecture shown in Fig. 1, and as shown in Fig. 2, an IPsec encryption method provided by an embodiment of the present invention is applicable to a multi-core heterogeneous network device comprising at least one control-plane processor core that processes control-plane data and at least one user-plane processor core that processes user-plane data. The method includes the following steps:
Step S201: the network device obtains a first IP packet through the control-plane processor core;
Step S202: where the network device determines through the control-plane processor core that the first IP packet is an IP packet that needs to be encrypted, and determines from the information of the first IP packet that the first IP packet needs hardware encryption: the network device assigns a sequence number to the first IP packet through the hardware encryption module and performs hardware encryption, obtaining an encrypted first IP packet;
Step S203: the network device sends the encrypted first IP packet through the network card.
Based on the above embodiment, in step S201, optionally, the first IP packet may be an IP packet obtained by the control-plane processor core encapsulating the control-plane data it processes.
Based on the above embodiment, in step S202, optionally, the information of the first IP packet includes the source IP address and the destination IP address in the packet. Optionally, the control-plane processor core may be a core running a Linux operating system. There are various ways to determine whether the first IP packet needs encryption; one optional way is for the network protocol stack in the control-plane processor core to determine whether the first IP packet needs encryption. Once it is determined that the first IP packet needs encryption, the first IP packet is sent to the network card driver; the network card driver then judges whether an IP packet that needs encryption also needs hardware encryption. If the first IP packet needs hardware encryption, it is sent to the user-plane processor core by inter-core communication (Inter-Processor Communication, IPC), and the hardware encryption module then assigns a sequence number to the first IP packet and performs hardware encryption.
Based on the above embodiment, in step S203, after the hardware encryption module has encrypted the first IP packet, the encrypted first IP packet is sent out through the network card.
In the embodiment of the present invention, the network device obtains a first IP packet through the control-plane processor core; where the network device determines through the control-plane processor core that the first IP packet is an IP packet that needs to be encrypted, and determines from the information of the first IP packet that it needs hardware encryption, the network device assigns the first IP packet a sequence number through the hardware encryption module and performs hardware encryption, obtaining an encrypted first IP packet, which the network device sends through the network card. It can be seen that in the embodiment of the present invention the packets that need encryption are processed further, and those that need encryption and also need hardware encryption are encrypted by the hardware encryption module; that is, in the embodiment of the present invention packets are encrypted by only one encryption module. In this way the embodiment of the present invention achieves the goal of preserving the order of packet sequence numbers, and avoids the problem in the prior art that sequence numbers are not kept in order because packets are encrypted by two encryption modules.
Optionally, for the network device to determine from the information of the first IP packet that it needs hardware encryption, either of the following two conditions must be satisfied. First, when the network device determines that the first IP packet is in tunnel mode and that the source IP address in the first IP packet is an IP address negotiated under the IPsec protocol, it determines that the first IP packet needs hardware encryption. Second, when the network device determines that the first IP packet is in transport mode, it obtains the set of IP addresses preset in the cloud server as being in the protected state, and if it determines that the destination IP address in the first IP packet is one of the addresses in that set, it determines that the first IP packet needs hardware encryption.
In the embodiment of the present invention, optionally, the information of the first IP packet includes the source IP address and the destination IP address in the packet. For example, let two network devices be a client and a cloud server, where the IP address of the client is IP11 and the IP address of the cloud server is IP21. Before the client and the cloud server start communicating, an IPsec link is first established for sending and receiving packets. Taking the client sending a first IP packet to the cloud server as an example:
For the first condition in the above embodiment: in tunnel mode, an IPsec tunnel is established between the client and the cloud server, and the IP addresses used for sending packets are negotiated under the IPsec protocol; the client's negotiated IP address is IP12 and the cloud server's negotiated IP address is IP22. When the client sends an IP packet that needs encryption to the cloud server, the source IP address in the first packet is set to IP12; once the client determines that the source IP address in the first packet is IP12, it determines that the first IP packet needs hardware encryption.
For the second condition in the above embodiment: in transport mode, an IPsec link is established between the client and the cloud server, and a set of IP addresses in the protected state has been preset in the cloud server: IP31, IP32, IP33, IP34, IP35, IP36, each IP address in the set corresponding to one network device. The client communicates with one of the network devices in the IP address set and first obtains the IP address set. When the client sends a first IP packet that needs encryption to the cloud server, for example, the client's network protocol stack sets the destination IP address in the first IP packet to IP34; the client's network card driver then determines that the destination IP address IP34 in the first IP packet is in the IP address set IP31, IP32, IP33, IP34, IP35, IP36, and so determines that the first IP packet needs hardware encryption.
Optionally, the network device determining that the first IP packet does not need hardware encryption covers two conditions. First, when the network device determines that the first IP packet is in tunnel mode and that the source IP address in the first IP packet is not an IP address negotiated under the IPsec protocol, it determines that the first IP packet does not need hardware encryption. Second, when the network device determines that the first IP packet is in transport mode, it obtains the set of IP addresses preset in the cloud server as being in the protected state, and if it determines that the destination IP address in the first IP packet is not any of the addresses in that set, it determines that the first IP packet does not need hardware encryption.
In the embodiment of the present invention, optionally, the information of the first IP packet may be determined by the network card driver, which then determines whether the first IP packet needs hardware encryption. In this way the IP packets that need hardware encryption can be identified effectively and sent to the hardware encryption module for encryption, which avoids the problem that the sequence numbers of the sent packets are not kept in order when the first IP packet is software-encrypted directly on the control-plane processor core.
Optionally, after the network device obtains the first IP packet through the control-plane processor core, the method further includes: where the network device determines through the control-plane processor core that the first IP packet is an IP packet that does not need to be encrypted, the network device sends the first IP packet through the network card. Optionally, when the control-plane processor core determines that the first IP packet is a first IP packet that does not need to be encrypted, the first IP packet is sent to the network card driver through the transmission interface for ordinary IP packets. In this way, IP packets that do not need encryption are sent directly through the network card, avoiding the waste of resources caused by sending IP packets that do not need to be encrypted to the network card driver.
Optionally, after the network device determines that the first IP packet is an IP packet that needs to be encrypted, the method further includes: where the network device determines from the information of the first IP packet that it does not need hardware encryption, the network device sends the first IP packet through the network card. Optionally, whether the first IP packet needs hardware encryption can be determined by the network card driver, and IP packets that do not need hardware encryption are sent directly to the network card; in this way the waste of resources caused by sending first IP packets that do not need hardware encryption to the user-plane processor core is avoided.
Optionally, the IPsec encryption method further includes: the network device obtains a second IP packet through the user-plane processor core; where the network device determines from the information of the second IP packet that it needs hardware encryption, the network device assigns a sequence number to the second IP packet through the hardware encryption module and performs hardware encryption, obtaining an encrypted second IP packet; the network device sends the encrypted second IP packet through the network card.
In the embodiment of the present invention, optionally, the user-plane processor core processes user-plane data to obtain the second IP packet. If the second IP packet needs hardware encryption, it is sent to the hardware encryption module for hardware encryption; if the second IP packet does not need hardware encryption, it is sent through the network card. Therefore both the first IP packet from the control-plane processor core that needs hardware encryption and the second IP packet from the user-plane processor core that needs hardware encryption are sent to the hardware encryption module for encryption. In this way every encrypted IP packet sent out by the multi-core heterogeneous network device has been assigned its sequence number and encrypted by the hardware encryption module, which on the one hand avoids the problem of sequence numbers not being kept in order when multiple threads encrypt IP packets in parallel in the multi-core heterogeneous network device, and on the other hand means that no shared memory or other mutual-exclusion or synchronization operations are needed between the cores of the multi-core heterogeneous network device, avoiding resource contention problems.
Optionally, determining through the control-plane processor core that the first IP packet is an IP packet that needs to be encrypted includes: the network device determines a preset security policy route, where the security policy route includes at least one IP address; when the network device determines that the destination IP address in the first IP packet belongs to the at least one IP address, it determines that the first IP packet is an IP packet that needs to be encrypted.
Optionally, the control-plane processor core includes the network protocol stack of a Linux operating system; the present invention modifies the network protocol stack so that it determines which first IP packets need encryption. Optionally, the security policy routes preset in the network protocol stack include a security policy route corresponding to at least one IP address. For example, the preset security policy routes map the IP addresses 192.168.10.15 to 192.168.10.30 to one security route; if the destination IP address in the first IP packet is 192.168.10.25, the network protocol stack finds the security route corresponding to 192.168.10.25 from the security policy routes and determines that the first IP packet is an IP packet that needs to be encrypted. In this way the network device can determine through the control-plane processor core whether the first IP packet needs encryption and then send the packets that need encryption to the network card driver, which avoids software-encrypting the first IP packet on the control-plane processor core, so the CPU does not consume excessive resources on software encryption and system performance is improved.
Optionally, the present invention provides an optional implementation of a method for hardware-encrypting IP packets on the control-plane processor core. Taking an ARM core as the control-plane processor core and a DSP core as the user-plane processor core as an example: an xfrm_lookup function is provided in the network protocol stack on the ARM core; this xfrm_lookup function identifies packets that need IPsec encryption and encapsulation, and returns the transmission interface that the first IP packet should use. For example, when the network protocol stack sends a first IP packet, it determines the security policy corresponding to the IP address in the first IP packet through the xfrm_lookup function; on determining that the first IP packet needs encryption, it sends the first IP packet to the NIC driver program through the ordinary IP packet transmission interface. The network card driver program determines whether the first IP packet needs hardware encryption and, if so, sends the first IP packet that needs hardware encryption to the DSP core by IPC; the DSP core sends the first IP packet to the hardware encryption module to be assigned a sequence number and hardware-encrypted. Meanwhile, for a second IP packet processed on the DSP core that needs hardware encryption, the DSP core likewise sends the second IP packet to the hardware encryption module to be assigned a sequence number and hardware-encrypted. In this way it is ensured that all IP packets sent by the multi-core heterogeneous network device have their sequence numbers assigned and are hardware-encrypted by the hardware encryption module, which achieves the effect of single-threaded encryption of IP packets for the multi-core heterogeneous network device, so that the sequence numbers of the hardware-encrypted IP packets increase in order and packets are not discarded by the anti-replay mechanism of the peer.
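As an added illustration, not part of the patent text, the following C model walks a first IP packet through the two-stage decision described above (the security policy route check in the protocol stack and the tunnel-mode/transport-mode check in the network card driver) and then shows why one shared hardware encryption module keeps sequence numbers monotonic where two independent encryptors would not. The 192.168.10.15 to 192.168.10.30 route is taken from the text; the negotiated address 10.0.0.12 standing in for IP12 and the protected set standing in for IP31 to IP34 are constructed placeholders, and the hardware module is modelled only as a sequence counter.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

enum ipsec_mode { MODE_TUNNEL, MODE_TRANSPORT };

/* What the control-plane path decides to do with a first IP packet. */
enum disposition {
    SEND_PLAIN,         /* no hardware encryption: straight to the network card      */
    SEND_TO_HW_ENCRYPT  /* hand to the user-plane core, then to the hardware module */
};

struct ip_pkt {
    uint32_t src, dst;     /* IPv4 addresses, host byte order */
    enum ipsec_mode mode;
    uint32_t seq;          /* sequence number, 0 until the hardware module assigns it */
};

/* Security policy route: a destination range whose traffic must be encrypted. */
struct policy_route { uint32_t lo, hi; };

/* Build an IPv4 address in host byte order from its dotted-quad components. */
static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Steps S302/S303, network protocol stack (the xfrm_lookup role in the text):
 * the packet needs encryption when its destination lies in a preset route. */
bool needs_encryption(const struct ip_pkt *p, const struct policy_route *routes, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (p->dst >= routes[i].lo && p->dst <= routes[i].hi) return true;
    return false;
}

/* Steps S304 to S307, network card driver. Tunnel mode: the source must be the
 * IPsec-negotiated address. Transport mode: the destination must be in the
 * protected address set obtained from the cloud server. */
bool needs_hw_encryption(const struct ip_pkt *p, uint32_t negotiated_src,
                         const uint32_t *protected_set, size_t n) {
    if (p->mode == MODE_TUNNEL) return p->src == negotiated_src;
    for (size_t i = 0; i < n; i++)
        if (p->dst == protected_set[i]) return true;
    return false;
}

/* Model of the hardware encryption module: ONE sequence counter shared by every
 * packet, whether it came from the control-plane or the user-plane core. Only
 * the sequence-number assignment is modelled; the cipher itself is left out. */
struct hw_encrypt_module { uint32_t next_seq; };

uint32_t hw_encrypt(struct hw_encrypt_module *m, struct ip_pkt *p) {
    p->seq = m->next_seq++;   /* strictly increasing across all callers */
    return p->seq;
}

/* The whole control-plane decision: S313 (send plain) or S308 (to the user-plane core). */
enum disposition dispatch_control_plane(const struct ip_pkt *p,
                                        const struct policy_route *routes, size_t nr,
                                        uint32_t negotiated_src,
                                        const uint32_t *protected_set, size_t np) {
    if (!needs_encryption(p, routes, nr)) return SEND_PLAIN;
    if (!needs_hw_encryption(p, negotiated_src, protected_set, np)) return SEND_PLAIN;
    return SEND_TO_HW_ENCRYPT;
}

/* Constructed configuration: the 192.168.10.15-192.168.10.30 route from the text, a
 * made-up negotiated address for IP12 and a made-up protected set for IP31..IP34. */
enum disposition dispatch_example(uint32_t src, uint32_t dst, enum ipsec_mode mode) {
    const struct policy_route routes[] = { { ip4(192, 168, 10, 15), ip4(192, 168, 10, 30) } };
    const uint32_t negotiated_src = ip4(10, 0, 0, 12);
    const uint32_t protected_set[] = { ip4(192, 168, 10, 21), ip4(192, 168, 10, 22),
                                       ip4(192, 168, 10, 23), ip4(192, 168, 10, 24) };
    struct ip_pkt p = { src, dst, mode, 0 };
    return dispatch_control_plane(&p, routes, 1, negotiated_src, protected_set, 4);
}

/* True when each sequence number is strictly greater than the previous one,
 * which is what the peer's anti-replay window relies on. */
bool sequence_is_monotonic(const uint32_t *seqs, size_t n) {
    for (size_t i = 1; i < n; i++)
        if (seqs[i] <= seqs[i - 1]) return false;
    return true;
}

/* Interleave a control-plane packet and a user-plane packet through one shared
 * module (the scheme in the text) or through two independent modules (the
 * two-encryptor case the text argues against); report whether order survived. */
bool interleaved_order_ok(bool single_module) {
    struct hw_encrypt_module cp_mod = { 1 }, up_mod = { 1 };
    struct hw_encrypt_module *for_user_plane = single_module ? &cp_mod : &up_mod;
    struct ip_pkt cp = { ip4(10, 0, 0, 12), ip4(192, 168, 10, 25), MODE_TUNNEL, 0 };
    struct ip_pkt up = { ip4(10, 0, 0, 12), ip4(192, 168, 10, 24), MODE_TRANSPORT, 0 };
    uint32_t seqs[4];
    seqs[0] = hw_encrypt(&cp_mod, &cp);          /* first IP packet, control plane */
    seqs[1] = hw_encrypt(for_user_plane, &up);   /* second IP packet, user plane  */
    seqs[2] = hw_encrypt(&cp_mod, &cp);
    seqs[3] = hw_encrypt(for_user_plane, &up);
    return sequence_is_monotonic(seqs, 4);       /* 1,2,3,4 shared; 1,1,2,2 separate */
}
```

With two independent counters the peer sees sequence number 1 twice, which is exactly the duplicate an anti-replay window rejects; the shared counter is what makes the emitted order strictly increasing.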
To present the above method flow more clearly, the embodiment of the present invention provides the following example.
Fig. 3 is a schematic flow chart of another IPsec encryption method provided by an embodiment of the present invention. Based on the system architecture shown in Fig. 1, and as shown in Fig. 3, another IPsec encryption method provided by an embodiment of the present invention is applicable to a multi-core heterogeneous network device comprising at least one control-plane processor core that processes control-plane data and at least one user-plane processor core that processes user-plane data. The method includes the following steps:
Step S301: the network device obtains a first IP packet through the control-plane processor core;
Step S302: the network device determines in the control-plane processor core whether the destination IP address in the first IP packet belongs to the at least one IP address in a preset security policy route; if so, step S303 is performed; if not, step S313 is performed;
Step S303: the network device determines through the network protocol stack that the first IP packet is an IP packet that needs to be encrypted;
Step S304: the network device determines through the network card driver whether the first IP packet is in tunnel mode or transport mode; for tunnel mode, step S305 is performed; for transport mode, step S306 is performed;
Step S305: the network device determines through the network card driver whether the source IP address in the first IP packet is an IP address negotiated under the IPsec protocol; if so, step S307 is performed; if not, step S313 is performed;
Step S306: the network device obtains the set of IP addresses preset in the cloud server as being in the protected state and determines whether the destination IP address in the first IP packet is in that set; if so, step S307 is performed; if not, step S313 is performed;
Step S307: the network device determines that the first IP packet needs hardware encryption;
Step S308: the network card driver in the control-plane processor core sends the first IP packet to the user-plane processor core;
Step S309: the network device obtains a second IP packet through the user-plane processor core;
Step S310: the network device determines from the information of the second IP packet whether the second IP packet needs hardware encryption; if so, step S311 is performed; if not, step S314 is performed;
Step S311: the network device sends the first IP packet and the second IP packet to the hardware encryption module through the user-plane processor core;
Step S312: the network device assigns sequence numbers to the first IP packet and the second IP packet respectively through the hardware encryption module and hardware-encrypts each of them, obtaining the encrypted first IP packet and the encrypted second IP packet;
Step S313: the network card driver sends the first IP packet to the network card;
Step S314: the network device sends the first IP packet and the second IP packet, after encryption, through the network card.
It can be seen from the above that the network device obtains a first IP packet through the control-plane processor core; where the network device determines through the control-plane processor core that the first IP packet is an IP packet that needs to be encrypted, and determines from the information of the first IP packet that it needs hardware encryption, the network device assigns the first IP packet a sequence number through the hardware encryption module and performs hardware encryption, obtaining an encrypted first IP packet, which the network device sends through the network card; and the second IP packet processed by the user-plane processor core is likewise assigned its sequence number by the hardware encryption module and hardware-encrypted in a unified way. It can be seen that in the embodiment of the present invention the packets that need encryption are processed further, and those that need encryption and also need hardware encryption are encrypted by the hardware encryption module; that is, in the embodiment of the present invention packets are encrypted by only one encryption module. In this way the embodiment of the present invention achieves the goal of preserving the order of packet sequence numbers, avoids the problem in the prior art that sequence numbers are not kept in order because packets are encrypted by two encryption modules, and also avoids IP packets being dropped during anti-replay checking, which increases data security. Further, the method in the embodiment of the present invention avoids the degradation of system performance caused by software-encrypting the first IP packet on the control-plane processor core, and no shared memory or other mutual-exclusion or synchronization operations are needed between the cores of the multi-core heterogeneous network device, which avoids resource contention problems and greatly simplifies programming.
Fig. 4 is a schematic structural diagram of a network device for IPsec encryption provided by an embodiment of the present invention.
Based on the same idea, an embodiment of the present invention provides a network device for IPsec encryption, used to perform the above method flow. As shown in Fig. 4, the network device 400 for IPsec encryption includes a control-plane processor core 401, a hardware encryption module 403 and a network card 404, and also includes a user-plane processor core 402, where:
the control-plane processor core 401 is configured to obtain a first IP packet;
the hardware encryption module 403 is configured to, where the control-plane processor core 401 determines that the first IP packet is an IP packet that needs to be encrypted and determines that the first IP packet needs hardware encryption: assign a sequence number to the first IP packet and perform hardware encryption, obtaining an encrypted first IP packet;
the network card 404 is configured to send the encrypted first IP packet.
Optionally, the control-plane processor core 401 is configured to: when it determines that the first IP packet is in tunnel mode and that the source IP address in the first IP packet is an IP address negotiated under the IPsec protocol, determine that the first IP packet needs hardware encryption; and when it determines that the first IP packet is in transport mode, obtain the set of IP addresses preset in the cloud server as being in the protected state and, if the destination IP address in the first IP packet is in that set, determine that the first IP packet needs hardware encryption.
Optionally, the network card 404 is further configured to: where the control-plane processor core 401 determines that the first IP packet does not need hardware encryption, send the first IP packet.
Optionally, the network card 404 is further configured to: where the control-plane processor core 401 determines that the first IP packet is an IP packet that does not need to be encrypted, send the first IP packet, that is, the network device sends the first IP packet through the network card 404.
Optionally, the network device further includes the user-plane processor core 402, configured to obtain a second IP packet; the hardware encryption module 403 is further configured to, where the user-plane processor core 402 determines that the second IP packet needs hardware encryption: assign a sequence number to the second IP packet and perform hardware encryption, obtaining an encrypted second IP packet; and the network card 404 is further configured to send the encrypted second IP packet.
Optionally, the control-plane processor core 401 is configured to: determine a preset security policy route, where the security policy route includes at least one IP address; and when the destination IP address in the first IP packet belongs to the at least one IP address, determine that the first IP packet is an IP packet that needs to be encrypted.
Those skilled in the art should understand that embodiments of the present invention may be provided as a method or a computer program product. Therefore the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
The present invention is described with reference to flow charts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flow charts and/or block diagrams, and combinations of flows and/or blocks in the flow charts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a means for implementing the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction means which implements the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art can make further changes and modifications to these embodiments once they know the basic inventive concept. Therefore the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include these changes and modifications.