CN106790221A - A kind of safe ipsec protocol encryption method of internet protocol and the network equipment - Google Patents


Info

Publication number: CN106790221A
Application number: CN201710021178.8A
Authority: CN (China)
Prior art keywords: messages, network equipment, processor core, chain, hardware encryption
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN106790221B (en)
Inventors: 邹远鹏, 刘家晓, 刘福元
Current assignee: Comba Network Systems Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Comba Telecom Technology Guangzhou Ltd
Application filed by Comba Telecom Technology Guangzhou Ltd
Priority to CN201710021178.8A (granted as CN106790221B)
Publication of CN106790221A
Priority to PCT/CN2017/119487 (published as WO2018130079A1)
Application granted; publication of CN106790221B
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of the present invention relate to the field of communication technology, and in particular to an Internet Protocol Security (IPsec) encryption method and a network device, for effectively solving the problem in the prior art that the sequence numbers of IP packets sent by a multi-core heterogeneous network device cannot be kept in order. The network device obtains a first IP packet through a control-plane processor core. When the network device determines, through the control-plane processor core, that the first IP packet is an IP packet that needs to be encrypted, and determines from the information of the first IP packet that the first IP packet needs hardware encryption, the network device assigns a sequence number to the first IP packet through a hardware encryption module and performs hardware encryption, obtaining the encrypted first IP packet; the network device then sends the encrypted first IP packet through the network interface card. This effectively solves the problem in the prior art that the sequence numbers of IP packets sent by a multi-core heterogeneous network device are not kept in order.

Description

An Internet Protocol Security (IPsec) encryption method and a network device
Technical field
The embodiments of the present invention relate to the field of communications, and in particular to an Internet Protocol Security (IPsec) encryption method and a network device.
Background art
Networks are increasingly widespread, and the network security problems that come with them attract much attention; for example, a client may be subjected to a replay attack: a sending end sends an Internet Protocol (IP) packet to a receiving end; if the IP packet is captured by a malicious user, the malicious user repeatedly sends the IP packet to the receiving end, so that the network application is bombarded by continuously replayed packets. The appearance of the Internet Protocol Security (IPsec) protocol solves this problem: IPsec defines a Sequence Number (SN) field that records the sequence number of the IP packet, and any sending end must ensure that, under the same SA (security association) information, the SN of every packet it sends is unique. For example, when the receiving end has received the IP packet with sequence number 5 and then receives an IP packet with sequence number 5 again, it rejects the repeatedly transmitted packet.
In the prior art, for a single-core device with a single transmit thread, packets are encapsulated and sent in sequence-number order, so the sequence numbers of the IPsec-encapsulated packets arriving at the receiving end are never out of order. For a multi-core heterogeneous network device, such as an integrated chip combining Digital Signal Processing (DSP) technology with an Advanced Reduced Instruction Set Computer Machine (ARM) core, or DSP with a POWERPC (Performance Optimization With Enhanced RISC - Performance Computing) reduced-instruction-set processor, service processing is usually done on the DSP, while the POWERPC or ARM core runs a Linux operating system to handle control traffic. Control-plane data handled by the POWERPC or ARM core is generally encrypted by a software encryption program running on the chip's central processing unit (CPU) core, while user-plane data handled by the DSP core is generally encrypted by a hardware encryption module. Because the multi-core heterogeneous network device processes packets in multiple parallel threads and encrypts outgoing IP packets in different encryption modules, the sequence numbers of the IPsec-encapsulated IP packets arriving at the receiving end easily become out of order, so the IP packets are easily identified as replayed packets and wrongly discarded.
In the prior art, to solve the problem that the sequence numbers of IP packets are not kept in order in a multi-core heterogeneous network device, shared memory between the cores of the multi-core heterogeneous device is used, but the extra synchronization and mutual exclusion between the heterogeneous CPUs is very troublesome and increases programming complexity. Therefore, an IPsec encryption method is urgently needed to effectively solve the problem in the prior art that the sequence numbers of IP packets sent by a multi-core heterogeneous network device are not kept in order.
Summary of the invention
The embodiments of the present invention provide an Internet Protocol Security (IPsec) encryption method and a network device, for effectively solving the problem in the prior art that the sequence numbers of IP packets sent by a multi-core heterogeneous network device cannot be kept in order.
The embodiments of the present invention provide an IPsec encryption method applicable to a multi-core heterogeneous network device that includes at least one control-plane processor core for processing control-plane data and at least one user-plane processor core for processing user-plane data. The method includes: the network device obtains a first IP packet through the control-plane processor core; when the network device determines, through the control-plane processor core, that the first IP packet is an IP packet that needs to be encrypted, and determines from the information of the first IP packet that the first IP packet needs hardware encryption, the network device assigns a sequence number to the first IP packet through the hardware encryption module and performs hardware encryption to obtain the encrypted first IP packet; the network device sends the encrypted first IP packet through the network interface card.
The embodiments of the present invention provide a network device for IPsec encryption, including at least one control-plane processor core for processing control-plane data and at least one user-plane processor core for processing user-plane data. The network device includes: a control-plane processor core for obtaining a first IP packet; a hardware encryption module for, when the control-plane processor core has determined that the first IP packet is an IP packet that needs to be encrypted and has determined that the first IP packet needs hardware encryption, assigning a sequence number to the first IP packet and performing hardware encryption to obtain the encrypted first IP packet; and a network interface card for sending the encrypted first IP packet.
In the embodiments of the present invention, the network device obtains the first IP packet through the control-plane processor core; when it determines through the control-plane processor core that the first IP packet needs to be encrypted, and determines from the information of the first IP packet that it needs hardware encryption, the network device assigns a sequence number to the first IP packet and performs hardware encryption through the hardware encryption module, obtaining the encrypted first IP packet, and sends it through the network interface card. It can be seen that, in the embodiments, packets that need encryption are further classified, and those that need encryption and also need hardware encryption are encrypted by the hardware encryption module. That is, in the embodiments packets are encrypted through only one encryption module, which guarantees that packet sequence numbers are kept in order and avoids the prior-art problem of sequence numbers getting out of order because packets are encrypted by two encryption modules.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below.
Fig. 1 is an architecture diagram of an IPsec encryption system provided by an embodiment of the present invention;
Fig. 2 is a flow diagram of an IPsec encryption method provided by an embodiment of the present invention;
Fig. 3 is a flow diagram of another IPsec encryption method provided by an embodiment of the present invention;
Fig. 4 is a structural diagram of a network device for IPsec encryption provided by an embodiment of the present invention.
Detailed description of embodiments
To make the purpose, technical solutions and beneficial effects of the present invention clearer, the present invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the present invention and are not intended to limit it.
Fig. 1 shows the architecture of an IPsec encryption system to which the embodiments of the present invention apply. The architecture applies to a multi-core heterogeneous network device that includes at least one control-plane processor core for processing control-plane data and at least one user-plane processor core for processing user-plane data. As shown in Fig. 1, the system architecture 100 includes a control-plane processor core 110, a user-plane processor core 120, a hardware encryption module 130 and a network interface card 140. The control-plane processor core 110 includes a network protocol stack 111 and a network card driver 112, and the network protocol stack 111 is connected to the network card driver 112. Optionally, the control-plane processor core 110 may be connected to the user-plane processor core 120 and may also be connected to the network interface card 140; further, the control-plane processor core 110 may connect to the user-plane processor core 120 through the network card driver 112, and may also connect to the network interface card 140 through the network card driver 112. Optionally, the user-plane processor core 120 connects to the hardware encryption module 130 and may also connect to the network interface card 140; the hardware encryption module 130 connects to the network interface card 140. The control-plane processor core 110 is used to process control-plane data and the user-plane processor core 120 is used to process user-plane data. Optionally, the control-plane processor core 110 may be a POWERPC core or an ARM core; optionally, the user-plane processor core 120 may be a DSP core.
In the embodiments of the present invention, on the one hand, the network protocol stack 111 in the control-plane processor core 110 processes control-plane data to obtain a first IP packet; the network card driver 112 determines whether the first IP packet needs encryption; the IP packets that need to be encrypted are sent to the user-plane processor core 120 through inter-core communication, and the user-plane processor core 120 then sends them to the hardware encryption module 130 for encryption and sequence number assignment; afterwards the encrypted first IP packet is sent out through the network interface card 140. On the other hand, the second IP packet obtained from the user-plane data processed by the user-plane processor core 120 is sent to the hardware encryption module 130 for encryption and sequence number assignment, and afterwards the encrypted packet is sent out through the network interface card 140.
Fig. 2 shows a flow diagram of an IPsec encryption method provided by an embodiment of the present invention.
Based on the system architecture shown in Fig. 1, and as shown in Fig. 2, an IPsec encryption method provided by an embodiment of the present invention, applicable to a multi-core heterogeneous network device that includes at least one control-plane processor core for processing control-plane data and at least one user-plane processor core for processing user-plane data, includes the following steps:
Step S201: the network device obtains a first IP packet through the control-plane processor core;
Step S202: when the network device determines, through the control-plane processor core, that the first IP packet is an IP packet that needs to be encrypted, and determines from the information of the first IP packet that the first IP packet needs hardware encryption, the network device assigns a sequence number to the first IP packet through the hardware encryption module and performs hardware encryption to obtain the encrypted first IP packet;
Step S203: the network device sends the encrypted first IP packet through the network interface card.
Based on the above embodiment, in step S201, optionally, the first IP packet may be an IP packet obtained by encapsulating the control-plane data processed by the control-plane processor core.
Based on the above embodiment, in step S202, optionally, the information of the first IP packet includes the source IP address and the destination IP address in the packet. Optionally, the control-plane processor core may be a core running a Linux operating system. There are various ways to determine whether the first IP packet needs to be encrypted; one optional way is that the network protocol stack in the control-plane processor core determines whether the first IP packet needs encryption. Once it has been determined whether the first IP packet needs encryption, the first IP packet is sent to the network card driver, and the network card driver judges whether a packet that needs encryption needs hardware encryption. If the first IP packet needs hardware encryption, the first IP packet is sent to the user-plane processor core through Inter-Processor Communication (IPC), and the hardware encryption module then assigns a sequence number to the first IP packet and performs hardware encryption.
Based on the above embodiment, in step S203, after the hardware encryption module has encrypted the first IP packet, it is sent out through the network interface card.
Optionally, for the network device to determine from the information of the first IP packet that the first IP packet needs hardware encryption, either of the following two conditions must be met. First: when the network device determines that the first IP packet is in tunnel mode, and determines that the source IP address in the first IP packet is an IP address negotiated on the basis of the IPsec protocol, it determines that the first IP packet needs hardware encryption. Second: when the network device determines that the first IP packet is in transport mode, it obtains the set of IP addresses preset in the protected state in the cloud server, and when it determines that the destination IP address in the first IP packet is one of the IP addresses in that set, it determines that the first IP packet needs hardware encryption.
In the embodiments of the present invention, optionally, the information of the first IP packet includes the source IP address and the destination IP address in the packet. For example, the two network devices are a client and a cloud server, where the IP address of the client is IP11 and the IP address of the cloud server is IP21; before the client and the cloud server start communicating, an IPsec link is first established for sending and receiving packets. Take the client sending a first IP packet to the cloud server as an example:
For the first case in the above embodiment: in tunnel mode, an IPsec tunnel is established between the client and the cloud server, and the IP addresses used for sending packets are negotiated on the basis of the IPsec protocol; the client's negotiated IP address is IP12 and the cloud server's negotiated IP address is IP22. When the client sends the first IP packet that needs encryption to the cloud server, the source IP address in the first packet is set to IP12; when the client determines that the source IP address in the first packet is IP12, it determines that the first IP packet needs hardware encryption.
For the second case in the above embodiment: in transport mode, an IPsec link is established between the client and the cloud server, and a set of IP addresses in the protected state has been preset in the cloud server: IP31, IP32, IP33, IP34, IP35, IP36, each IP address in the set corresponding to one network device. The client communicates with one of the network devices in the IP address set and first obtains the IP address set. When the client sends the first IP packet that needs encryption to the cloud server, for example, the client's network protocol stack sets the destination IP address in the first IP packet to IP34; the client's network card driver then determines that the destination IP address IP34 in the first IP packet is in the IP address set IP31, IP32, IP33, IP34, IP35, IP36, and so determines that the first IP packet needs hardware encryption.
Optionally, the network device determines that the first IP packet does not need hardware encryption in two cases. First case: when the network device determines that the first IP packet is in tunnel mode and that the source IP address in the first IP packet is not an IP address negotiated on the basis of the IPsec protocol, it determines that the first IP packet does not need hardware encryption. Second case: when the network device determines that the first IP packet is in transport mode, it obtains the set of IP addresses preset in the protected state in the cloud server, and when it determines that the destination IP address in the first IP packet is not any of the addresses in that set, it determines that the first IP packet does not need hardware encryption.
In the embodiments of the present invention, optionally, the information of the first IP packet can be determined by the network card driver, which then determines whether the first IP packet needs hardware encryption. In this way, the IP packets that need hardware encryption can be identified effectively and sent to the hardware encryption module for encryption, which avoids the out-of-order sequence number problem in sent packets that performing software encryption of the first IP packet directly on the control-plane processor core would bring.
Optionally, after the network device obtains the first IP packet through the control-plane processor core, the method also includes: when the network device determines, through the control-plane processor core, that the first IP packet is an IP packet that does not need to be encrypted, the network device sends the first IP packet through the network interface card. Optionally, when the control-plane processor core determines that the first IP packet does not need encryption, it sends the first IP packet to the network card driver through the ordinary IP packet transmit interface; in this way, IP packets that do not need encryption are sent directly through the network interface card, avoiding the waste of resources that would be caused by sending IP packets that need no encryption into the encryption handling of the network card driver.
Optionally, after the network device determines that the first IP packet is an IP packet that needs to be encrypted, the method also includes: when the network device determines from the information of the first IP packet that the first IP packet does not need hardware encryption, the network device sends the first IP packet through the network interface card. Optionally, the network card driver may determine whether the first IP packet needs hardware encryption, and the IP packets that do not need hardware encryption are sent directly to the network interface card; in this way, the waste of resources caused by sending a first IP packet that does not need hardware encryption to the user-plane processor core is avoided.
Optionally, the IPsec encryption method also includes: the network device obtains a second IP packet through the user-plane processor core; when the network device determines from the information of the second IP packet that the second IP packet needs hardware encryption, the network device assigns a sequence number to the second IP packet through the hardware encryption module and performs hardware encryption to obtain the encrypted second IP packet; the network device sends the encrypted second IP packet through the network interface card.
In the embodiments of the present invention, optionally, the user-plane processor core processes user-plane data to obtain the second IP packet; when the second IP packet needs hardware encryption, the second IP packet is sent to the hardware encryption module for hardware encryption; when the second IP packet does not need hardware encryption, the second IP packet is sent through the network interface card. Therefore, both the first IP packets from the control-plane processor core that need hardware encryption and the second IP packets from the user-plane processor core that need encryption are sent to the hardware encryption module for encryption. In this way, every encrypted IP packet sent out by the multi-core heterogeneous network device has its sequence number assigned, and is hardware-encrypted, by the hardware encryption module. On the one hand, this avoids the out-of-order sequence number problem caused by multi-threaded parallel encryption of IP packets in the multi-core heterogeneous network device; on the other hand, no shared memory, mutual exclusion or synchronization operations are needed between the cores of the multi-core heterogeneous network device, which avoids resource contention problems.
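The ordering problem from the background section and the single-module remedy of the paragraph above, as an added example in C that is not part of the patent: it models the receiver-side ESP anti-replay window that IPsec peers commonly run (a 64-packet sliding window tracked as a bitmap) and feeds it sequence numbers from two constructed sender models on one security association. `split_assign` stands for the prior art, where the control-plane software encryptor and the user-plane hardware encryptor each keep their own counter; `single_assign` stands for the patent's design, where one hardware encryption module numbers every packet. The function and type names, the transmit schedule and the assumption that both encryptors serve the same SA are constructed for this illustration.

```c
/* Added example (not from the patent): a receiver-side IPsec anti-replay
 * window of the kind ESP peers run (64-packet sliding window), driven by
 * two constructed sender models on one security association.
 * split_assign mirrors the prior art from the background: the control-plane
 * software encryptor and the user-plane hardware encryptor each keep their
 * own sequence-number counter, so the interleaved SNs repeat or fall behind.
 * single_assign mirrors the patent's design: one hardware encryption module
 * assigns every SN, so the stream is strictly increasing. All names and the
 * transmit schedule are constructed for this illustration. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define REPLAY_WINDOW 64

/* Per-SA receiver state: highest SN accepted and a bitmap of the last 64. */
struct replay_state {
    uint32_t last_seq;   /* highest sequence number accepted so far */
    uint64_t bitmap;     /* bit i set => SN (last_seq - i) was accepted */
};

/* Returns true if a packet carrying sequence number seq is accepted. */
bool replay_check(struct replay_state *st, uint32_t seq)
{
    if (seq == 0)
        return false;                         /* ESP never uses SN 0 */
    if (seq > st->last_seq) {                 /* new high-water mark */
        uint32_t shift = seq - st->last_seq;
        st->bitmap = (shift >= REPLAY_WINDOW) ? 0 : (st->bitmap << shift);
        st->bitmap |= 1;
        st->last_seq = seq;
        return true;
    }
    uint32_t diff = st->last_seq - seq;
    if (diff >= REPLAY_WINDOW)
        return false;                         /* older than the window */
    if (st->bitmap & ((uint64_t)1 << diff))
        return false;                         /* already accepted: replay */
    st->bitmap |= (uint64_t)1 << diff;        /* late but new: accept once */
    return true;
}

enum origin { CONTROL_PLANE, USER_PLANE };    /* which core built the packet */

/* Prior-art sender: two encryptors, two independent counters on one SA. */
struct split_sender { uint32_t sw_seq, hw_seq; };
uint32_t split_assign(struct split_sender *s, enum origin o)
{
    return (o == CONTROL_PLANE) ? ++s->sw_seq : ++s->hw_seq;
}

/* Patent-style sender: every packet gets its SN from the one hardware module. */
struct single_sender { uint32_t hw_seq; };
uint32_t single_assign(struct single_sender *s, enum origin o)
{
    (void)o;                                  /* origin no longer matters */
    return ++s->hw_seq;
}

/* Push a constructed transmit schedule through one sender model and count
 * how many packets the peer's anti-replay check discards. */
size_t count_drops(bool use_single_module)
{
    static const enum origin schedule[] = {
        USER_PLANE, USER_PLANE, CONTROL_PLANE, USER_PLANE,
        CONTROL_PLANE, USER_PLANE, USER_PLANE, CONTROL_PLANE
    };
    struct replay_state rx = { 0, 0 };
    struct split_sender split = { 0, 0 };
    struct single_sender single = { 0 };
    size_t drops = 0;

    for (size_t i = 0; i < sizeof schedule / sizeof schedule[0]; i++) {
        uint32_t seq = use_single_module ? single_assign(&single, schedule[i])
                                         : split_assign(&split, schedule[i]);
        if (!replay_check(&rx, seq))
            drops++;
    }
    return drops;
}

int main(void)
{
    printf("two encryptors, two counters: %zu of 8 packets dropped as replays\n",
           count_drops(false));
    printf("one hardware module, one counter: %zu of 8 packets dropped\n",
           count_drops(true));
    return 0;
}
```

With the constructed schedule, `count_drops(false)` returns 3 and `count_drops(true)` returns 0. The window check shows why: a receiver tolerates late packets only inside its window and never accepts the same sequence number twice, so two counters that both start at 1 on one SA produce exactly the kind of collisions the background attributes to parallel encryption modules, while a single counter produces a monotonically increasing stream that is never rejected.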
Optionally, determining through the control-plane processor core that the first IP packet is an IP packet that needs to be encrypted includes: the network device determines a preset security policy route, where the security policy route includes at least one IP address; when the network device determines that the destination IP address in the first IP packet belongs to the at least one IP address, it determines that the first IP packet is an IP packet that needs to be encrypted.
Optionally, the control-plane processor core includes the network protocol stack of the Linux operating system; the present invention modifies the network protocol stack so that it determines which first IP packets need encryption. Optionally, the preset security policy routes in the network protocol stack include a security policy route corresponding to at least one IP address; for example, in the preset security policy routes, the IP addresses 192.168.10.15 to 192.168.10.30 correspond to one security route; if the destination IP address in the first IP packet is 192.168.10.25, the network protocol stack looks up the security route corresponding to 192.168.10.25 according to the security policy route and determines that the first IP packet is an IP packet that needs to be encrypted. In this way, the network device can determine through the control-plane processor whether the first IP packet needs encryption and then send the packets that need encryption to the network card driver; this avoids performing software encryption of the first IP packet that needs encryption on the control-plane processor core, and so avoids the excessive CPU resource consumption of software encryption, achieving the effect of improved system performance.
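The security policy route lookup above, together with the tunnel-mode and transport-mode hardware-encryption tests from the earlier paragraphs, as one added example in C that is not the patent's code: it classifies a packet built on the control-plane core in two stages, first the protocol stack's policy route check, then the network card driver's hardware-encryption test, and returns where the packet goes. The route 192.168.10.15 to 192.168.10.30 and the destination 192.168.10.25 come from the text; the negotiated source address 10.0.0.5, the protected address set, and every type and function name (`ip4`, `in_policy_route`, `needs_hw_encrypt`, `classify`, `classify_sample`) are constructed assumptions of this example.

```c
/* Added example (not from the patent): the two-stage classification the
 * patent describes for a packet built on the control-plane core.
 * Stage 1 (network protocol stack): is the destination address inside a
 * preset security policy route? If not, the packet leaves through the
 * network interface card unencrypted.
 * Stage 2 (network card driver): in tunnel mode the source address must be
 * the IPsec-negotiated address; in transport mode the destination must be in
 * the protected address set obtained from the cloud server. Only packets
 * passing both stages go to the hardware encryption module; the text sends
 * the rest through the NIC directly.
 * The policy route 192.168.10.15-192.168.10.30 is taken from the text; the
 * negotiated address and the protected set are constructed sample values. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum ipsec_mode { TUNNEL_MODE, TRANSPORT_MODE };

enum disposition {
    SEND_NIC_NOT_IN_POLICY, /* no security policy route matched */
    SEND_NIC_NO_HW,         /* in policy, but not for hardware encryption */
    HW_ENCRYPT              /* hardware module assigns the SN and encrypts */
};

struct policy_route { uint32_t lo, hi; };      /* inclusive host-order range */

struct packet {
    uint32_t src, dst;                         /* host-order IPv4 addresses */
    enum ipsec_mode mode;
};

struct sa_context {
    uint32_t negotiated_src;                   /* tunnel mode: our negotiated address */
    const uint32_t *protected_set;             /* transport mode: protected addresses */
    size_t n_protected;
};

/* Parse a dotted quad into host order; returns 0 on malformed input. */
uint32_t ip4(const char *dotted)
{
    unsigned a, b, c, d;
    if (sscanf(dotted, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* Stage 1: security policy route lookup in the network protocol stack. */
bool in_policy_route(const struct policy_route *routes, size_t n, uint32_t dst)
{
    for (size_t i = 0; i < n; i++)
        if (dst >= routes[i].lo && dst <= routes[i].hi)
            return true;
    return false;
}

/* Stage 2: the network card driver's hardware-encryption test. */
bool needs_hw_encrypt(const struct packet *p, const struct sa_context *sa)
{
    if (p->mode == TUNNEL_MODE)                /* source must be the negotiated address */
        return p->src == sa->negotiated_src;
    for (size_t i = 0; i < sa->n_protected; i++) /* destination must be protected */
        if (p->dst == sa->protected_set[i])
            return true;
    return false;
}

enum disposition classify(const struct packet *p, const struct policy_route *routes,
                          size_t n_routes, const struct sa_context *sa)
{
    if (!in_policy_route(routes, n_routes, p->dst))
        return SEND_NIC_NOT_IN_POLICY;
    if (!needs_hw_encrypt(p, sa))
        return SEND_NIC_NO_HW;
    return HW_ENCRYPT;
}

/* Run one packet through the constructed sample configuration. */
enum disposition classify_sample(const char *src, const char *dst, enum ipsec_mode mode)
{
    const struct policy_route routes[] = {
        { ip4("192.168.10.15"), ip4("192.168.10.30") }  /* route from the text */
    };
    const uint32_t protected_set[] = {                   /* constructed protected set */
        ip4("192.168.10.16"), ip4("192.168.10.20"), ip4("192.168.10.28")
    };
    const struct sa_context sa = {
        ip4("10.0.0.5"),                                 /* constructed negotiated address */
        protected_set, sizeof protected_set / sizeof protected_set[0]
    };
    struct packet p = { ip4(src), ip4(dst), mode };
    return classify(&p, routes, sizeof routes / sizeof routes[0], &sa);
}

int main(void)
{
    static const char *names[] = { "send via NIC (not in policy)",
                                   "send via NIC (no hardware encryption)",
                                   "hardware encryption module" };
    printf("%s\n", names[classify_sample("10.0.0.5", "192.168.10.25", TUNNEL_MODE)]);
    printf("%s\n", names[classify_sample("10.0.0.9", "192.168.10.25", TUNNEL_MODE)]);
    printf("%s\n", names[classify_sample("10.0.0.5", "192.168.10.20", TRANSPORT_MODE)]);
    printf("%s\n", names[classify_sample("10.0.0.5", "192.168.10.40", TUNNEL_MODE)]);
    return 0;
}
```

The order of the two stages matters for the resource argument the text makes: a destination outside the policy route is answered by the protocol stack alone and never reaches the driver's mode-specific test, and only a packet that passes both stages is handed over IPC to the user-plane core and the hardware module.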
Optionally, the invention provides an implementation in which the IP packets on the control-plane processor core are hardware-encrypted. Taking an ARM core as the control-plane processor core and a DSP core as the user-plane processor core as an example: an xfrm_lookup function is provided in the network protocol stack of the ARM core; xfrm_lookup identifies the packets that require IPsec encryption and encapsulation and returns the transmit interface to be used for the first IP packet. For example, when the network protocol stack sends a first IP packet, xfrm_lookup determines the security policy corresponding to the IP addresses of the first IP packet; if the first IP packet is found to require encryption, it is passed to the NIC driver through the ordinary IP packet transmit interface. The NIC driver then determines whether the first IP packet requires hardware encryption and, if so, sends it to the DSP core by IPC (inter-processor communication). The DSP core sends the first IP packet to the hardware encryption module, which assigns it a sequence number and hardware-encrypts it. The second IP packets processed on the DSP core that require hardware encryption are likewise sent by the DSP core to the hardware encryption module, which assigns them sequence numbers and hardware-encrypts them. In this way every IP packet sent by the multi-core heterogeneous network device is assigned its sequence number and encrypted by the same hardware encryption module, so the device encrypts IP packets as a single stream: the sequence numbers of the hardware-encrypted IP packets increase monotonically (ESP sequence numbers are kept per security association, so two independent counters for one association would produce duplicate and out-of-order values), which prevents the packets from being discarded by the peer's anti-replay mechanism.
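The paragraph above argues that one sequence-number source per security association keeps the peer's anti-replay window from dropping traffic. The following is an added example, not code from the patent or from the applicant: it models the receiver-side ESP anti-replay check of RFC 4303 (a 64-packet sliding window, no extended sequence numbers) and feeds it from two sender models. SingleCounter is the arrangement the patent describes, in which the hardware encryption module numbers every packet of the association whether it came from the control-plane core or the user-plane core; SplitCounters is the contrasted arrangement in which a control-plane software engine and a user-plane hardware engine each keep their own counter for the same association. The class and function names, the traffic mix and the window size are assumptions made for the example.

```python
"""Added example, not code from the patent: receiver-side ESP anti-replay
check (RFC 4303 sliding window, 64 packets, no ESN) driven by two sender
models, one with a single sequence-number source per SA and one with two.
All traffic below is constructed for the example."""

from collections import Counter

WINDOW = 64  # replay window size in packets (the RFC 4303 default)


class ReplayWindow:
    """Receiver state for one inbound SA: the highest sequence number accepted
    so far and a bitmap of which of the last WINDOW numbers were received."""

    def __init__(self) -> None:
        self.highest = 0  # ESP sequence 0 is never valid, so 0 means "none yet"
        self.bitmap = 0   # bit i set  <=>  sequence (highest - i) already received

    def check(self, seq: int) -> str:
        """Apply the replay check to seq and record it if accepted.
        Returns "accept", "replay" (duplicate inside the window) or
        "stale" (older than the left edge of the window)."""
        if seq == 0:
            return "stale"
        if seq > self.highest:
            # Window slides right; numbers older than seq - WINDOW fall off.
            shift = seq - self.highest
            if shift >= WINDOW:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return "accept"
        diff = self.highest - seq
        if diff >= WINDOW:
            return "stale"
        if self.bitmap & (1 << diff):
            return "replay"
        self.bitmap |= 1 << diff
        return "accept"


class SingleCounter:
    """One sequence-number source for the SA: the single hardware module."""

    def __init__(self) -> None:
        self.seq = 0

    def next_seq(self, plane: str) -> int:
        self.seq += 1
        return self.seq


class SplitCounters:
    """Two independent sequence-number sources for the same SA: a software
    engine on the control-plane core and a hardware engine on the user-plane core."""

    def __init__(self) -> None:
        self.seq = {"control": 0, "user": 0}

    def next_seq(self, plane: str) -> int:
        self.seq[plane] += 1
        return self.seq[plane]


def simulate(assigner, traffic) -> dict:
    """Number `traffic` (labels "control"/"user", in send order) through
    `assigner` and feed the results to one peer receiver; return verdict counts."""
    rx = ReplayWindow()
    return dict(Counter(rx.check(assigner.next_seq(plane)) for plane in traffic))


# Constructed traffic for one SA: a short user-plane burst, one control-plane
# packet, a long user-plane burst, one more control-plane packet.
TRAFFIC = ["user"] * 10 + ["control"] + ["user"] * 100 + ["control"]

if __name__ == "__main__":
    print("single counter :", simulate(SingleCounter(), TRAFFIC))
    print("split counters :", simulate(SplitCounters(), TRAFFIC))
```

With split counters the first control-plane packet carries sequence number 1 while the receiver has already seen 1 to 10, so it is rejected as a replay; the second carries 2 when the window has advanced past 110, so it is rejected as stale. Both failure modes disappear when one module assigns the numbers. A peer that has ESN or a larger window configured changes the thresholds but not the outcome.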
To present the above method flow more clearly, an embodiment of the invention provides the following example.
Fig. 3 shows a schematic flowchart of another IPsec encryption method provided in an embodiment of the invention, based on the system architecture shown in Fig. 1. As shown in Fig. 3, this method is applicable to a multi-core heterogeneous network device that includes at least one control-plane processor core for processing control-plane data and at least one user-plane processor core for processing user-plane data, and includes the following steps:
Step S301: the network device obtains a first IP packet through the control-plane processor core;
Step S302: the network device determines, in the control-plane processor core, whether the destination IP address of the first IP packet belongs to at least one IP address of the preset security policy route; if so, step S303 is performed; if not, step S313 is performed;
Step S303: the network device determines, by the network protocol stack, that the first IP packet is an IP packet that requires encryption;
Step S304: the network device determines, by the NIC driver, whether the first IP packet is in tunnel mode or transport mode; for tunnel mode, step S305 is performed; for transport mode, step S306 is performed;
Step S305: the network device determines, by the NIC driver, whether the source IP address of the first IP packet is an IP address negotiated under the IPsec protocol; if so, step S307 is performed; if not, step S313 is performed;
Step S306: the network device obtains the IP address set preset as protected in the cloud server and determines whether the destination IP address of the first IP packet is in that set; if so, step S307 is performed; if not, step S313 is performed;
Step S307: the network device determines that the first IP packet requires hardware encryption;
Step S308: the NIC driver in the control-plane processor core sends the first IP packet to the user-plane processor core;
Step S309: the network device obtains a second IP packet through the user-plane processor core;
Step S310: the network device determines, from the information of the second IP packet, whether the second IP packet requires hardware encryption; if so, step S311 is performed; if not, step S314 is performed;
Step S311: the network device sends the first IP packet and the second IP packet to the hardware encryption module through the user-plane processor core;
Step S312: the network device, by the hardware encryption module, assigns sequence numbers to the first IP packet and the second IP packet and hardware-encrypts each of them, obtaining the encrypted first IP packet and the encrypted second IP packet;
Step S313: the NIC driver sends the first IP packet to the NIC;
Step S314: the network device sends the first IP packet and the second IP packet, after encryption where step S312 applied, through the NIC.
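The control-plane decisions of steps S301 to S313 form a small decision tree. The following is an added example, not code from the patent or from the applicant, that implements that tree as a standalone function and runs it over constructed packets. The security policy route of S302, the IPsec-negotiated local address of S305 and the cloud-server protected set of S306 are modelled as plain in-memory containers because the patent does not specify their format or how they are fetched; the Packet and Policy types, the disposition labels and the sample addresses are assumptions made for the example. The user-plane decision of S309 and S310 is not modelled because the patent does not state its criteria.

```python
"""Added example, not code from the patent: the control-plane classification
of an outbound IP packet in steps S301 to S313.  Policy inputs and sample
packets are constructed for the example."""

import ipaddress
from dataclasses import dataclass

NO_ENCRYPTION = "no_encryption"            # S302 false -> S313 (driver hands packet to NIC)
ENCRYPT_WITHOUT_HW = "encrypt_without_hw"  # S303 true, S305/S306 false -> S313
HARDWARE_ENCRYPT = "hardware_encrypt"      # S307 -> S308 (hand-off to user-plane core)


@dataclass(frozen=True)
class Packet:
    src: str   # source IP address
    dst: str   # destination IP address
    mode: str  # "tunnel" or "transport" (S304); the label is an assumption


@dataclass(frozen=True)
class Policy:
    spd_routes: tuple         # S302: destination prefixes of the preset security policy route
    negotiated_local: frozenset  # S305: local addresses negotiated under IPsec (tunnel mode)
    protected_set: frozenset     # S306: destinations fetched from the cloud server as protected


def classify(pkt: Packet, pol: Policy) -> str:
    """Return the disposition the control-plane core gives an outbound packet."""
    dst = ipaddress.ip_address(pkt.dst)
    if not any(dst in net for net in pol.spd_routes):  # S302
        return NO_ENCRYPTION                            # -> S313
    # S303: the packet requires encryption; S304 selects the mode-specific test.
    if pkt.mode == "tunnel":
        needs_hw = pkt.src in pol.negotiated_local      # S305
    elif pkt.mode == "transport":
        needs_hw = pkt.dst in pol.protected_set         # S306
    else:
        raise ValueError(f"unknown IPsec mode {pkt.mode!r}")
    return HARDWARE_ENCRYPT if needs_hw else ENCRYPT_WITHOUT_HW  # S307 / S313


# Constructed policy and packets (documentation prefixes, not real hosts).
POLICY = Policy(
    spd_routes=(ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("192.0.2.0/24")),
    negotiated_local=frozenset({"198.51.100.7"}),
    protected_set=frozenset({"10.20.5.9"}),
)

SAMPLE = {
    "tunnel_from_negotiated_addr": Packet("198.51.100.7", "10.20.1.1", "tunnel"),
    "tunnel_from_other_addr":      Packet("172.16.0.3", "10.20.1.1", "tunnel"),
    "transport_to_protected_dst":  Packet("198.51.100.7", "10.20.5.9", "transport"),
    "transport_to_other_dst":      Packet("198.51.100.7", "192.0.2.44", "transport"),
    "dst_outside_policy":          Packet("198.51.100.7", "203.0.113.5", "tunnel"),
}


def classify_samples() -> dict:
    """Classify every constructed packet against the constructed policy."""
    return {name: classify(pkt, POLICY) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:30s} -> {verdict}")
```

The dispositions are labels only. The patent says a packet that requires encryption but not hardware encryption is handed to the NIC by the driver (S313) without stating whether it is software-encrypted first, so the example does not assume either. Note also that S302 tests the destination address alone, and that S305 and S306 use different address fields (source for tunnel mode, destination for transport mode); a practitioner auditing such a device should confirm that both sets are populated from the negotiated IPsec state rather than from static configuration.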
It can be seen from the above that the network device obtains the first IP packet through the control-plane processor core; when the control-plane processor core determines that the first IP packet requires encryption, and the information of the first IP packet shows that it requires hardware encryption, the hardware encryption module assigns the first IP packet a sequence number and hardware-encrypts it, and the network device sends the encrypted first IP packet through the NIC; the second IP packets processed by the user-plane processor core are also assigned sequence numbers and hardware-encrypted by the same hardware encryption module. Thus, in the embodiment, the packets that require encryption are further examined, and those that also require hardware encryption are encrypted by the hardware encryption module; that is, only one encryption module encrypts packets. This keeps the sequence numbers of the packets in order and avoids the prior-art problem in which two encryption modules encrypting packets leave their sequence numbers out of order; packets are therefore not dropped by the peer's anti-replay check, which improves the security of the data. Further, the method avoids the loss of system performance caused by software-encrypting the first IP packet on the control-plane processor core, and the cores of the multi-core heterogeneous network device need no shared memory or other mutual-exclusion or synchronisation operations between them, which avoids resource contention and greatly simplifies programming.
Fig. 4 shows a schematic structural diagram of a network device for IPsec encryption provided in an embodiment of the invention.
Based on the same concept, an embodiment of the invention provides a network device for IPsec encryption that performs the above method flow. As shown in Fig. 4, the network device 400 for IPsec encryption includes a control-plane processor core 401, a hardware encryption module 403 and a NIC 404, and also includes a user-plane processor core 402, wherein:
the control-plane processor core 401 is configured to obtain a first IP packet;
the hardware encryption module 403 is configured, when the control-plane processor core 401 has determined that the first IP packet is an IP packet that requires encryption and has determined that the first IP packet requires hardware encryption, to assign a sequence number to the first IP packet and hardware-encrypt it, obtaining the encrypted first IP packet;
the NIC 404 is configured to send the encrypted first IP packet.
Optionally, the control-plane processor core 401 is configured to: when the first IP packet is in tunnel mode and its source IP address is an IP address negotiated under the IPsec protocol, determine that the first IP packet requires hardware encryption; when the first IP packet is in transport mode, obtain the IP address set preset as protected in the cloud server and, if the destination IP address of the first IP packet is in that set, determine that the first IP packet requires hardware encryption.
Optionally, the NIC 404 is further configured to send the first IP packet when the control-plane processor core 401 has determined that the first IP packet does not require hardware encryption.
Optionally, the NIC 404 is further configured to send the first IP packet when the control-plane processor core 401 has determined that the first IP packet is an IP packet that does not require encryption.
Optionally, the network device further includes the user-plane processor core 402, configured to obtain a second IP packet;
the hardware encryption module 403 is further configured, when the user-plane processor core 402 has determined that the second IP packet requires hardware encryption, to assign a sequence number to the second IP packet and hardware-encrypt it, obtaining the encrypted second IP packet; the NIC 404 is further configured to send the encrypted second IP packet.
Optionally, the control-plane processor core 401 is configured to determine a preset security policy route, the security policy route including at least one IP address, and to determine that the first IP packet is an IP packet that requires encryption when its destination IP address belongs to the at least one IP address.
Those skilled in the art will appreciate that embodiments of the invention may be provided as a method, a system or a computer program product. Accordingly, the invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Furthermore, the invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
The invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowcharts and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the invention have been described, those skilled in the art, once aware of the basic inventive concept, can make further changes and modifications to these embodiments. The appended claims are therefore intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the invention.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. If these changes and modifications of the invention fall within the scope of the claims of the invention and their equivalents, the invention is intended to include them as well.

Claims (12)

1. An Internet Protocol Security (IPsec) encryption method, characterized in that it is applicable to a multi-core heterogeneous network device including at least one control-plane processor core for processing control-plane data and at least one user-plane processor core for processing user-plane data, the method comprising:
the network device obtaining a first IP packet through the control-plane processor core;
when the network device determines, through the control-plane processor core, that the first IP packet is a first IP packet that requires encryption:
when the network device determines, from information of the first IP packet, that the first IP packet requires hardware encryption:
the network device assigning a sequence number to the first IP packet by the hardware encryption module and performing hardware encryption, obtaining an encrypted first IP packet;
the network device sending the encrypted first IP packet through a network interface card.
2. The method of claim 1, characterized in that the network device determining, from information of the first IP packet, that the first IP packet requires hardware encryption comprises:
when the network device determines that the first IP packet is in tunnel mode, and determines that the source IP address of the first IP packet is an IP address negotiated under the IPsec protocol, determining that the first IP packet requires hardware encryption;
when the network device determines that the first IP packet is in transport mode, obtaining an IP address set preset as protected in a cloud server and, when the destination IP address of the first IP packet is in the IP address set, determining that the first IP packet requires hardware encryption.
3. The method of claim 1, characterized in that, after the network device determines that the first IP packet is a first IP packet that requires encryption, the method further comprises:
when the network device determines, from information of the first IP packet, that the first IP packet does not require hardware encryption:
the network device sending the first IP packet through the network interface card.
4. The method of claim 1, characterized in that, after the network device obtains the first IP packet through the control-plane processor core, the method further comprises:
when the network device determines, through the control-plane processor core, that the first IP packet is a first IP packet that does not require encryption:
the network device sending the first IP packet through the network interface card.
5. The method of any one of claims 1 to 4, characterized in that the method further comprises:
the network device obtaining a second IP packet through the user-plane processor core;
when the network device determines, from information of the second IP packet, that the second IP packet requires hardware encryption:
the network device assigning a sequence number to the second IP packet by the hardware encryption module and performing hardware encryption, obtaining an encrypted second IP packet;
the network device sending the encrypted second IP packet through the network interface card.
6. The method of any one of claims 1 to 4, characterized in that determining, through the control-plane processor core, that the first IP packet is an IP packet that requires encryption comprises:
the network device determining a preset security policy route, wherein the security policy route includes at least one IP address;
when the network device determines that the destination IP address of the first IP packet belongs to one of the at least one IP address, determining that the first IP packet is an IP packet that requires encryption.
7. A network device for IPsec encryption, characterized in that it includes at least one control-plane processor core for processing control-plane data and at least one user-plane processor core for processing user-plane data, the network device comprising:
the control-plane processor core, configured to obtain a first IP packet;
a hardware encryption module, configured, when the control-plane processor core determines that the first IP packet is a first IP packet that requires encryption and determines that the first IP packet requires hardware encryption, to assign a sequence number to the first IP packet and perform hardware encryption, obtaining an encrypted first IP packet;
a network interface card, configured to send the encrypted first IP packet.
8. The network device of claim 7, characterized in that the control-plane processor core is configured to:
when the first IP packet is determined to be in tunnel mode, and the source IP address of the first IP packet is determined to be an IP address negotiated under the IPsec protocol, determine that the first IP packet requires hardware encryption;
when the first IP packet is determined to be in transport mode, obtain an IP address set preset as protected in a cloud server and, when the destination IP address of the first IP packet is in the IP address set, determine that the first IP packet requires hardware encryption.
9. The network device of claim 7, characterized in that the network interface card is further configured to:
when the control-plane processor core determines that the first IP packet does not require hardware encryption, send the first IP packet.
10. The network device of claim 7, characterized in that the network interface card is further configured to:
when the control-plane processor core determines that the first IP packet is a first IP packet that does not require encryption, send the first IP packet.
11. The network device of any one of claims 7 to 10, characterized in that the network device further comprises:
the user-plane processor core, configured to obtain a second IP packet;
the hardware encryption module, further configured, when the user-plane processor core determines that the second IP packet requires hardware encryption, to assign a sequence number to the second IP packet and perform hardware encryption, obtaining an encrypted second IP packet;
the network interface card, further configured to send the encrypted second IP packet.
12. The network device of any one of claims 7 to 10, characterized in that the control-plane processor core is configured to:
determine a preset security policy route, wherein the security policy route includes at least one IP address;
when the destination IP address of the first IP packet is determined to belong to one of the at least one IP address, determine that the first IP packet is an IP packet that requires encryption.
CN201710021178.8A 2017-01-11 2017-01-11 Internet protocol security IPSec protocol encryption method and network equipment Active CN106790221B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201710021178.8A CN106790221B (en) 2017-01-11 2017-01-11 Internet protocol security IPSec protocol encryption method and network equipment
PCT/CN2017/119487 WO2018130079A1 (en) 2017-01-11 2017-12-28 Method for encrypting internet protocol security (ipsec) protocol and network device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710021178.8A CN106790221B (en) 2017-01-11 2017-01-11 Internet protocol security IPSec protocol encryption method and network equipment

Publications (2)

Publication Number Publication Date
CN106790221A true CN106790221A (en) 2017-05-31
CN106790221B CN106790221B (en) 2020-11-03

Family

ID=58949241

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710021178.8A Active CN106790221B (en) 2017-01-11 2017-01-11 Internet protocol security IPSec protocol encryption method and network equipment

Country Status (2)

Country Link
CN (1) CN106790221B (en)
WO (1) WO2018130079A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018130079A1 (en) * 2017-01-11 2018-07-19 京信通信系统(中国)有限公司 Method for encrypting internet protocol security (ipsec) protocol and network device
CN109714292A (en) * 2017-10-25 2019-05-03 华为技术有限公司 The method and apparatus of transmitting message
CN111800436A (en) * 2020-07-29 2020-10-20 郑州信大捷安信息技术股份有限公司 IPSec isolation network card equipment and secure communication method
CN112015564A (en) * 2019-05-28 2020-12-01 普天信息技术有限公司 Encryption and decryption processing method and device

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111049758B (en) * 2019-11-22 2022-12-09 东软集团股份有限公司 Method, system and equipment for realizing QoS processing of message
CN112543197B (en) * 2020-12-04 2022-09-06 中船重工(武汉)凌久电子有限责任公司 Method for realizing hardware encryption and decryption of IPSEC under XFRM framework
CN113422753B (en) * 2021-02-09 2023-06-13 阿里巴巴集团控股有限公司 Data processing method, device, electronic equipment and computer storage medium
CN115378764B (en) * 2022-08-19 2024-04-05 山石网科通信技术股份有限公司 Communication method, device, storage medium and electronic device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030169877A1 (en) * 2002-03-05 2003-09-11 Liu Fang-Cheng Pipelined engine for encryption/authentication in IPSEC
US7526641B2 (en) * 2004-08-04 2009-04-28 Panasonic Corporation IPsec communication method, communication control apparatus, and network camera
CN102023935A (en) * 2009-09-22 2011-04-20 三星电子株式会社 Data storage apparatus having cryption and method thereof
CN102263794A (en) * 2011-08-25 2011-11-30 北京星网锐捷网络技术有限公司 Security processing method, device, processing chip and network equipment
CN102968399A (en) * 2012-10-22 2013-03-13 华为技术有限公司 Multi-core processor and multiplexing method of network management portinterface thereof
CN104468309A (en) * 2014-10-31 2015-03-25 成都卫士通信息产业股份有限公司 Efficient adaptation method for low-speed SMP and high-speed password card

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102843235A (en) * 2012-09-06 2012-12-26 汉柏科技有限公司 Message encrypting/decrypting method
US9992223B2 (en) * 2015-03-20 2018-06-05 Nxp Usa, Inc. Flow-based anti-replay checking
CN106341404A (en) * 2016-09-09 2017-01-18 西安工程大学 IPSec VPN system based on many-core processor and encryption and decryption processing method
CN106790221B (en) * 2017-01-11 2020-11-03 京信通信系统(中国)有限公司 Internet protocol security IPSec protocol encryption method and network equipment

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018130079A1 (en) * 2017-01-11 2018-07-19 京信通信系统(中国)有限公司 Method for encrypting internet protocol security (ipsec) protocol and network device
CN109714292A (en) * 2017-10-25 2019-05-03 华为技术有限公司 The method and apparatus of transmitting message
CN109714292B (en) * 2017-10-25 2021-05-11 华为技术有限公司 Method and device for transmitting message
CN112015564A (en) * 2019-05-28 2020-12-01 普天信息技术有限公司 Encryption and decryption processing method and device
CN112015564B (en) * 2019-05-28 2024-05-17 普天信息技术有限公司 Encryption and decryption processing method and device
CN111800436A (en) * 2020-07-29 2020-10-20 郑州信大捷安信息技术股份有限公司 IPSec isolation network card equipment and secure communication method
CN111800436B (en) * 2020-07-29 2022-04-08 郑州信大捷安信息技术股份有限公司 IPSec isolation network card equipment and secure communication method

Also Published As

Publication number Publication date
WO2018130079A1 (en) 2018-07-19
CN106790221B (en) 2020-11-03

Similar Documents

Publication Publication Date Title
CN106790221A (en) A kind of safe ipsec protocol encryption method of internet protocol and the network equipment
EP3603001B1 (en) Hardware-accelerated payload filtering in secure communication
US10841243B2 (en) NIC with programmable pipeline
CN109450852B (en) Network communication encryption and decryption method and electronic equipment
JP6858749B2 (en) Devices and methods for establishing connections in load balancing systems
CN104601550B (en) Reverse isolation file transmission system and method based on cluster array
US11729042B2 (en) IPSec acceleration method, apparatus, and system
US20230118375A1 (en) Secure communication session resumption in a service function chain
CN107342861A (en) A kind of data processing method, apparatus and system
CN108964880A (en) A kind of data transmission method and device
CN110535742A (en) Message forwarding method, device, electronic equipment and machine readable storage medium
CN110071802A (en) Data processing method and device suitable for block chain
US11005732B1 (en) Methods for improved service chain classification and management and devices thereof
CN109962913A (en) Proxy server and Proxy Method based on secure socket layer protocol
CN107800723A (en) CC attack guarding methods and equipment
CN106656484B (en) A kind of PCI cipher card drive system and its implementation
CN106161224A (en) Method for interchanging data, device and equipment
CN114499913B (en) Encrypted message detection method and protection equipment
CN107819888A (en) A kind of method, apparatus and network element for distributing relay address
CN115022012B (en) Data transmission method, device, system, equipment and storage medium
CN109145620A (en) Data flow diversion processing method and device
CN108462681B (en) Communication method, device and system of heterogeneous network
CN114611129A (en) Data privacy protection method and system
CN107343001A (en) Data processing method and device
CN107592294A (en) Data reporting method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
Effective date of registration: 20180223
Address after: 510663 Shenzhou Road, Guangzhou Science City, Guangzhou economic and Technological Development Zone, Guangdong Province, No. 10
Applicant after: Comba Telecom System (China) Co., Ltd.
Applicant after: Comba Telecom Systems (Guangzhou) Co., Ltd.
Applicant after: Jingxin Communication Technology (Guangzhou) Co., Ltd.
Applicant after: TIANJIN COMBA TELECOM SYSTEMS CO., LTD.
Address before: 510663 Guangdong city of Guangzhou Province Economic and Technological Development Zone Jinbi Road No. 6
Applicant before: Jingxin Communication Technology (Guangzhou) Co., Ltd.
TA01 Transfer of patent application right
Effective date of registration: 20200103
Address after: 510663 Shenzhou Road 10, Guangzhou Science City, Guangzhou economic and Technological Development Zone, Guangzhou, Guangdong
Applicant after: Jingxin Communication System (China) Co., Ltd.
Address before: 510663 Shenzhou Road, Guangzhou Science City, Guangzhou, Guangzhou economic and Technological Development Zone, Guangdong Province, No. 10
Applicant before: Jingxin Communication System (China) Co., Ltd.
Applicant before: Jingxin Communication System (Guangzhou) Co., Ltd.
Applicant before: Jingxin Communication Technology (Guangzhou) Co., Ltd.
Applicant before: TIANJIN COMBA TELECOM SYSTEMS CO., LTD.
GR01 Patent grant
CP01 Change in the name or title of a patent holder
Address after: 510663 Shenzhou Road 10, Guangzhou Science City, Guangzhou economic and Technological Development Zone, Guangzhou, Guangdong
Patentee after: Jingxin Network System Co.,Ltd.
Address before: 510663 Shenzhou Road 10, Guangzhou Science City, Guangzhou economic and Technological Development Zone, Guangzhou, Guangdong
Patentee before: Comba Telecom System (China) Ltd.