CN106899606B - Message processing method and device - Google Patents

Info

Publication number: CN106899606B
Authority: CN (China)
Prior art keywords: message, sequence number, replay, fast forwarding, entry
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Application number: CN201710157140.3A
Other languages: Chinese (zh)
Other versions: CN106899606A
Inventor: 王文龙
Current assignee: New H3C Technologies Co Ltd
Original assignee: New H3C Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up

Abstract

The application provides a packet processing method and device. The method is applied to a local GM in a GD VPN and comprises the following steps: receiving a packet sent by a peer GM in the GD VPN, the packet carrying a sequence number; looking up the fast forwarding entry that matches the packet, where a new field indicating the anti-replay window interval and the received sequence numbers has been added to the fast forwarding entry; performing anti-replay detection on the packet by combining the new field of the fast forwarding entry with the sequence number carried in the packet; if the packet passes anti-replay detection, decapsulating it and updating the fast forwarding entry after successful decapsulation; if the packet fails anti-replay detection, discarding it. Thus, even when the receiving end cannot tell which GM a packet came from, anti-replay protection in the GD VPN can be achieved using the fast forwarding entry that uniquely corresponds to the packet.

Description

Message processing method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for processing a packet.
Background
Internet Protocol Security (IPsec) is a Layer 3 tunnelling and encryption protocol suite defined by the IETF. It provides high-quality, interoperable, cryptography-based protection for data transmitted over the Internet and is the traditional security technology for building Layer 3 Virtual Private Networks (VPNs).
Conventional IPsec VPNs typically support window-based anti-replay protection: an IPsec receiver can detect and reject stale or duplicate packets, commonly called replay packets. IPsec detects replay packets with a sliding-window (anti-replay window) mechanism. If the sequence number of a received packet equals that of a packet that has already been decapsulated, or if it is older than the window, that is, it falls below the left edge of the anti-replay window, the packet is treated as a replay and discarded.
However, the anti-replay mechanism of conventional IPsec VPN applies only to point-to-point IPsec VPN; it cannot be used as-is between the Group Members (GMs) of a Group Domain VPN (GD VPN).
Disclosure of Invention
In view of this, the present application provides a packet processing method and apparatus that enable anti-replay protection between the GMs of a GD VPN.
Specifically, the method is implemented by the following technical solution:
In a first aspect of the present application, a packet processing method is provided, applied to a local GM in a GD VPN, the method comprising:
receiving a first packet sent by a peer GM in the GD VPN, the first packet carrying a sequence number;
looking up a first fast forwarding entry matching the first packet, where a new field indicating the anti-replay window interval and the received sequence numbers is added to the first fast forwarding entry;
determining the anti-replay window interval and the received sequence numbers from the new field of the first fast forwarding entry, and performing anti-replay detection on the first packet by combining the anti-replay window interval, the received sequence numbers and the sequence number carried in the first packet;
if the first packet passes anti-replay detection, decapsulating it and updating the first fast forwarding entry after successful decapsulation;
if the first packet fails anti-replay detection, discarding it.
In a second aspect of the present application, a packet processing apparatus is provided, applied to a local GM in a GD VPN, the apparatus comprising:
a receiving unit, configured to receive a first packet sent by a peer GM in the GD VPN, the first packet carrying a sequence number;
a lookup unit, configured to look up a first fast forwarding entry matching the first packet, where a new field indicating the anti-replay window interval and the received sequence numbers is added to the first fast forwarding entry;
an anti-replay detection unit, configured to determine the anti-replay window interval and the received sequence numbers from the new field of the first fast forwarding entry, and to perform anti-replay detection on the first packet by combining the anti-replay window interval, the received sequence numbers and the sequence number carried in the first packet;
a packet processing unit, configured to decapsulate the first packet when it passes anti-replay detection and to discard it when it fails anti-replay detection;
and an entry processing unit, configured to update the first fast forwarding entry after the first packet has been decapsulated successfully.
According to this technical solution, a new field indicating the anti-replay window interval and the received packet sequence numbers is introduced into the fast forwarding entry used for decapsulation. Even if the receiving end cannot identify which GM a packet came from, it can determine, from the fast forwarding entry that uniquely corresponds to the packet, which sequence numbers it has already received from the sender of that packet and the current anti-replay window interval, and, combined with the sequence number carried in the packet, implement anti-replay protection in the GD VPN.
Drawings
FIG. 1 is a schematic diagram of a networking architecture of a GD VPN;
fig. 2 is a flowchart of a message processing method when a local GM sends a message according to an embodiment of the present application;
fig. 3 is a schematic diagram of a fast forwarding entry used when sending a message according to an embodiment of the present application;
fig. 4A is a schematic diagram of the ESP encapsulation process in transport mode and tunnel mode according to an embodiment of the present application;
fig. 4B is a schematic diagram of an AH protocol encapsulation process in a transport mode and a tunnel mode according to an embodiment of the present application;
fig. 4C is a schematic diagram of an AH-ESP protocol encapsulation process in a transport mode and a tunnel mode according to an embodiment of the present application;
fig. 5 is a flowchart of a message processing method when a local GM receives a message according to an embodiment of the present application;
fig. 6A is a schematic diagram of a fast forwarding entry used when receiving a message according to an embodiment of the present application;
fig. 6B is a schematic diagram of a fast forwarding table used when receiving a packet according to an embodiment of the present application;
FIG. 7 is a schematic diagram of a process for anti-replay detection provided by an embodiment of the present application;
fig. 8 is a schematic networking diagram of message processing in a GD VPN according to an embodiment of the present application;
fig. 9 is a functional block diagram of a message processing apparatus according to an embodiment of the present application;
fig. 10 is a hardware architecture diagram of a message processing apparatus according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly second information may be referred to as first information, without departing from the scope of the present application. Depending on the context, the word "if" as used herein may be read as "when", "upon", or "in response to determining".
First, a GD VPN will be briefly described below.
The GD VPN provides a group-based IPsec security model. A group is a set of security policies and keys; all members of the same group share the same security policies and keys, collectively referred to as an IPsec Security Association (SA). The IPsec SA defines the protected data flow, the encryption algorithm, the authentication algorithm, the encapsulation mode, and so on.
The networking structure of the GD VPN is shown in fig. 1 and comprises a Key Server (KS) and Group Members (GMs). The KS manages different IPsec SAs by dividing them into groups; a GM registers with the KS to join the corresponding group, obtains the IPsec SA from the KS, and uses it to encrypt and decrypt data flows.
Current GD VPNs do not support anti-replay protection. Conventional IPsec VPN does support it, but its anti-replay mechanism cannot be used in a GD VPN, mainly for the following reasons:
A conventional IPsec VPN is point-to-point, so packets on an SA can only come from one fixed peer, and the receiver can perform anti-replay detection simply by checking whether the packet's sequence number lies within the anti-replay window. In a GD VPN, when a GM encrypts a packet, the IP header of the original packet is preserved: the outer IP header after encryption is the same as the original IP header. When the packet reaches another GM for decapsulation, that GM cannot tell which GM sent it. For example, suppose both GM1 and GM2 send packets to GM3. If GM1 first sends a packet with sequence number n to GM3, and GM2 then sends a packet with sequence number n to GM3, GM3 cannot identify which GM each packet came from; following the IPsec VPN anti-replay method, GM3 would treat the later packet from GM2 with sequence number n as a replay and discard it. In fact both packets may be legitimate, and it is clearly wrong for GM3 to treat the second packet with the same sequence number as a replay.
As a result, a GM skips anti-replay detection when decapsulating. Consequently, if an attacker captures an encapsulated packet and floods a particular GM with copies of it, that GM decapsulates every copy, consuming a large amount of device resources and potentially causing a denial of service.
To implement anti-replay protection on the GMs of a GD VPN, the application proposes a solution: a new field indicating the anti-replay window interval and the received packet sequence numbers is introduced into the fast forwarding entry. Even if the receiving end cannot identify which GM a packet came from, it can look up, in the fast forwarding entry that uniquely corresponds to the packet, which sequence numbers it has already received from that packet's sender and the current anti-replay window interval, and combine these with the sequence number carried in the packet to implement anti-replay protection in the GD VPN.
In a particular implementation, an anti-replay configuration may be added on the KS, comprising an anti-replay switch and an anti-replay window size; the switch instructs GMs to turn the anti-replay function on or off. The KS distributes this configuration to all GMs in the same group, so the function is enabled or disabled uniformly across the group, which simplifies the overall configuration of the GD VPN.
The following describes, with reference to the drawings, how a GM performs anti-replay processing of packets once it has enabled the anti-replay function according to the switch issued by the KS.
Referring to fig. 2, fig. 2 is a flowchart of the packet processing method when a local GM sends a packet. The method may include the following steps:
Step 201: before encapsulating a packet to be sent to a peer GM, the local GM looks up the fast forwarding entry matching the packet. A new field related to the number of packets sent by the local GM, the maximum sent sequence number, is added to the fast forwarding entry.
The packet to be sent to the peer GM in step 201 may be generated by the local GM itself or may be a packet handed to the local GM for forwarding by a host, another GM, or another network element.
The fast forwarding entry is generated from information such as the packet five-tuple and the incoming interface and guides the forwarding of the packet; that is, the outgoing interface, next hop and similar information can be found in it. Service information related to packet processing, such as the IPsec SA used for encapsulation or decapsulation, can also be found there. The GM may create a fast forwarding entry from the first packet of a data flow; subsequent packets of the same flow then directly hit the entry and are fast-forwarded. A data flow generally means a group of packets with common characteristics, for example identical five-tuples (source address, destination address, source port, destination port and protocol number). The fast forwarding entry improves forwarding efficiency by associating the flow's characteristics with the processing the flow requires.
Step 202: if no matching fast forwarding entry is found, the local GM creates one for the packet, adds the maximum sent sequence number field with an initial value of 0, increments the maximum sent sequence number recorded in the new entry by a preset step, writes the incremented value into the packet header as the packet's sequence number, and then encapsulates the packet.
When the local GM finds no fast forwarding entry matching the packet to be sent, the packet may be the first packet of a flow, or the first of the subsequent packets of a flow that the local GM now protects with a new IPsec SA after the old IPsec SA aged out. The local GM therefore encapsulates the packet through the slow forwarding process: it matches the packet against the Access Control List (ACL) previously issued by the KS; a permit result indicates that the flow must be encrypted and protected; it then looks up the corresponding IPsec SA using the packet information (such as the five-tuple) and encapsulates the packet according to that IPsec SA.
After the local GM finds the IPsec SA in the slow forwarding process, it may create a fast forwarding entry for the packet. In addition to the five-tuple, forwarding information, service information and other fields of an existing fast forwarding entry, the entry provided by this embodiment further includes a "maximum sent sequence number" field; its specific form is shown in fig. 3. This field is related to the number of packets the local GM has sent to the destination GM. The GM may increment it by a preset step; the simplest accumulation method is to increment it by 1 each time.
Packets belonging to the same flow and encapsulated with the same IPsec SA should carry different sequence numbers. The receiving end performs anti-replay detection based on these sequence numbers; how it does so is described later.
Step 203: if a matching fast forwarding entry is found, the local GM increments the maximum sent sequence number recorded in that entry by the preset step, writes the incremented value into the packet header as the packet's sequence number, and then encapsulates the packet.
When the local GM does find a matching fast forwarding entry, the packet is likely a subsequent packet of a flow protected by the same IPsec SA, so the local GM can encapsulate it through the fast forwarding process, that is, directly according to the IPsec SA recorded in the entry.
In steps 202 and 203 the local GM may encapsulate the packet with the standard Encapsulating Security Payload (ESP) protocol, the standard Authentication Header (AH) protocol, or both together. The protocol used is specified by the IPsec SA issued by the KS.
Fig. 4A shows the ESP encapsulation process in transport mode and tunnel mode. Transport mode is generally used when the endpoints of the secured transmission are the actual source and destination of the packet; tunnel mode is generally used when at least one of them is not. In fig. 4A the GM writes the sequence number obtained from the fast forwarding entry into the Sequence Number field of the packet's ESP header.
Fig. 4B shows the AH encapsulation process in transport mode and tunnel mode; the GM writes the sequence number obtained from the fast forwarding entry into the Sequence Number field of the packet's AH header.
Fig. 4C shows the combined AH and ESP encapsulation process in transport mode and tunnel mode; the GM writes the sequence number obtained from the fast forwarding entry into the Sequence Number field of the packet's AH header.
Note that the Security Parameter Index (SPI) and Sequence Number fields of both the ESP header and the AH header are transmitted in plaintext.
Based on the encapsulation protocol specified in the IPsec SA, the local GM first prepends an ESP or AH header to the original packet, fills in the sequence number obtained from the fast forwarding entry, and encapsulates the packet. Because the sequence number is covered by the integrity check, the peer GM uses the sequence number carried in the packet when verifying data integrity during decapsulation; if an attacker intercepts the packet and rewrites its sequence number, decapsulation fails.
After step 202 or 203, the local GM looks up the fast forwarding entry matching the encapsulated packet and sends the packet to the peer GM according to that entry.
This completes the description of the flow shown in fig. 2.
As the flow of fig. 2 shows, when the local GM sends a packet it uses the fast forwarding entry of this embodiment both to find forwarding and service information and to write a sequence number, derived from the recorded maximum sent sequence number, into the packet header; no additional field is needed in the packet to distinguish its source.
Next, the packet processing method when a local GM receives a packet is described. Referring to fig. 5, the method may include the following steps:
Step 501: the local GM receives a packet sent by a peer GM in the GD VPN; the packet carries a sequence number.
The peer GM may have processed the packet according to the flow of fig. 2 and sent the encapsulated packet to the local GM.
The packet received by the local GM may be a standard ESP packet or a standard AH packet; its sequence number is carried in the Sequence Number field of the ESP or AH header.
Step 502: the local GM looks up the fast forwarding entry matching the received packet. A new field indicating the anti-replay window interval and the received sequence numbers is added to the fast forwarding entry.
Step 503: if no matching fast forwarding entry is found, the local GM creates one for the received packet, including the new field indicating the anti-replay window interval and the received sequence numbers; it then decapsulates the packet and, after successful decapsulation, updates the new entry according to the sequence number carried in the packet.
When no matching entry is found, the packet may be the first packet of a flow, or the first of the subsequent packets of a flow that the local GM now protects with a new IPsec SA after the old one aged out. The local GM therefore assumes by default that the packet is not a replay and decapsulates it through the slow forwarding process: it matches the received packet against the ACL previously issued by the KS; a permit result indicates that the packet must be decapsulated with an IPsec SA; it then looks up the corresponding IPsec SA by the SPI carried in the packet header and decapsulates the packet accordingly.
After the local GM finds the IPsec SA in the slow forwarding process, it may create a fast forwarding entry for the received packet. The entry provided by this embodiment includes the five-tuple, forwarding information, service information and other fields of an existing fast forwarding entry, plus a new field for anti-replay detection. The new field may take various forms; this embodiment mainly lists the following two:
First form: the new fields may be "left and right endpoints of the anti-replay window" and "received sequence numbers"; the specific form of the fast forwarding entry is shown in fig. 6A. The "left and right endpoints" field indicates the interval of the anti-replay window, and the "received sequence numbers" field records which packet sequence numbers the local GM has received from the source GM. In a newly created entry, the initial left endpoint is 0, the initial right endpoint is the anti-replay window size N, and the received sequence numbers field is initially empty.
Second form: the new fields may be "maximum received sequence number" and "received sequence numbers"; the specific form of the fast forwarding entry is shown in fig. 6B. The "received sequence numbers" field records which packet sequence numbers the local GM has received from the source GM, and the "maximum received sequence number" field records the largest sequence number received from the source GM, from which the anti-replay window interval can be calculated. In a newly created entry, the initial maximum received sequence number is the anti-replay window size N, and the received sequence numbers field is initially empty.
Step 504: if a matching fast forwarding entry is found, the local GM determines the anti-replay window interval and the received sequence numbers from the new field of that entry and performs anti-replay detection on the packet by combining the window interval, the received sequence numbers and the sequence number carried in the packet. If the packet passes, the local GM decapsulates it and updates the entry after successful decapsulation; if it fails, the packet is discarded.
When a matching fast forwarding entry is found, the received packet is likely a subsequent packet of a flow protected by the same IPsec SA, so the local GM first performs anti-replay detection. If the packet passes, it is decapsulated through the fast forwarding process, directly according to the IPsec SA recorded in the entry; if it fails, it is discarded as a replay packet.
Optionally, the specific process of anti-replay detection may be:
1) Determine the interval of the current anti-replay window and the message sequence numbers already received by the local GM according to the found fast forwarding table entry.
Specifically, for the two forms of fast forwarding table entries shown in fig. 6A and 6B, the anti-replay window interval can be determined in the following two ways:
The first way: corresponding to the fast forwarding table entry shown in fig. 6A, the local GM may directly determine that the anti-replay window interval is [L, R] according to the left end point L and the right end point R of the anti-replay window recorded in the fast forwarding table entry.
The second way: corresponding to the fast forwarding entry shown in fig. 6B, the local GM may calculate the interval of the anti-replay window from the maximum received sequence number M recorded in the fast forwarding entry. If the maximum received sequence number M recorded in the fast forwarding entry is less than or equal to the size N of the anti-replay window, the interval of the anti-replay window is determined to be [1, N]; if the maximum received sequence number M recorded in the fast forwarding entry is greater than the size N of the anti-replay window, the interval of the anti-replay window is determined to be [M-N+1, M].
As for the message sequence numbers received by the local GM, they can be determined directly from the content of the "received sequence number" field recorded in the fast forwarding entry.
2) Judge the position of the sequence number of the received message relative to the interval of the anti-replay window, and determine whether the message passes anti-replay detection according to the judged position.
Specifically, if the sequence number of the received message is on the left side of the interval of the anti-replay window, it may be directly determined that the message does not pass anti-replay detection.
If the sequence number of the message is on the right side of the interval of the anti-replay window, it may be directly determined that the message passes anti-replay detection.
If the sequence number of the received message is within the interval of the anti-replay window, it is further judged whether the sequence number of the message duplicates a sequence number already received by the local GM; if not, the message is determined to pass anti-replay detection; if so, the message is determined to fail anti-replay detection.
Preferably, the received sequence number field may store, as an array, the message sequence numbers received by the local GM within the current anti-replay window. For example, when the size of the anti-replay window is 128, the received sequence number field may be an array of 128 elements with subscripts 0 to 127, where the element with subscript 0 corresponds to the left end point of the current anti-replay window and the element with subscript 127 corresponds to the right end point of the current anti-replay window. One way to determine whether the sequence number of a message is repeated is: calculate the absolute value of the difference between the sequence number of the message and the first element of the array (that is, the left end point of the current anti-replay window), take that absolute value as the array subscript, locate the corresponding position in the array, and read from that position whether a message with this sequence number has already been received.
After determining that the received message passes anti-replay detection, the local GM decapsulates the message. If decapsulation fails, the message is discarded, and the interval of the anti-replay window and the received sequence numbers recorded in the fast forwarding table entry do not need to be updated. Decapsulation may fail because the old IPsec SA has aged and the message receiving end cannot find the corresponding IPsec SA with which to decapsulate the message; it may also fail because the message was tampered with during transmission, so that the data integrity check fails. For the latter case, the message sending end in this application first adds the sequence number used for anti-replay detection to the message and then encapsulates the message; therefore, when decapsulating the message, the message receiving end still performs the data integrity check over the sequence number carried in the message. Thus, even if an attacker rewrites the sequence number of a message so that it passes anti-replay detection, the tampered sequence number causes decapsulation to fail, so the message receiving end does not update the interval of its local anti-replay window or its received sequence numbers according to the sequence number of that message, and the anti-replay function of the device is not affected.
If the local GM decapsulates the received message successfully, the fast forwarding table entry needs to be updated. Corresponding to the two forms of fast forwarding table entries shown in fig. 6A and fig. 6B, there may be the following two updating manners:
The first way: corresponding to the fast forwarding table entry shown in fig. 6A, if the sequence number X of the received message is within the interval of the anti-replay window, the local GM only needs to mark the received sequence number X in the received sequence numbers recorded in the fast forwarding table entry when updating the entry, and does not need to update the left end point and the right end point of the anti-replay window recorded in the entry. If the sequence number X of the received message is on the right side of the interval of the anti-replay window, the local-end GM may move the anti-replay window recorded in the fast forwarding table entry to the right, so that the left end point L of the anti-replay window is updated to X-N+1, the right end point R of the anti-replay window is updated to X, and the received sequence number X is marked in the received sequence numbers recorded in the fast forwarding table entry; here N denotes the size of the anti-replay window. If the sequence number X of the received message is on the left side of the anti-replay window, the message will not pass anti-replay detection, and the local-end GM naturally does not need to update the fast forwarding table entry.
The second way: corresponding to the fast forwarding entry shown in fig. 6B, if the sequence number X of the received message is within the interval of the anti-replay window, the local GM only needs to mark the received sequence number X in the received sequence numbers recorded in the fast forwarding entry when updating the entry, and does not need to update the maximum received sequence number recorded in the entry. If the sequence number X of the received message is on the right side of the anti-replay window interval, the local GM may update the maximum received sequence number M recorded in the fast forwarding entry to the sequence number X of the message, and mark the received sequence number X in the received sequence numbers recorded in the fast forwarding entry. Similarly, when the sequence number X of the received message is on the left side of the anti-replay window, the local GM does not need to update the fast forwarding entry because the message does not pass anti-replay detection.
A schematic diagram of anti-replay detection based on the interval of the anti-replay window and the received sequence numbers is shown in fig. 7. As shown in (1) of fig. 7, the size of the anti-replay window is 64, and no sequence numbers have been marked at first. When the GM initially receives a message with sequence number 1, if decapsulation is successful, the GM may mark that the message with sequence number 1 has been received, as shown in (2) of fig. 7, where the shading indicates that the GM has processed the message. Thereafter, when the GM receives a message with sequence number 60, the sequence number of the message is within the anti-replay window and is not marked, so the GM decapsulates the message and, after successful decapsulation, marks that the message with sequence number 60 has been received, as shown in (3) of fig. 7. If the GM receives a message with sequence number 60 again, since 60 is already marked, the GM regards the message as a replay message before decapsulation and discards it directly, as shown in (4) of fig. 7. Then, when the GM receives a message with sequence number 100, because the sequence number is on the right side of the window, the GM decapsulates the message and moves the anti-replay window to the right after successful decapsulation, so that the right end point of the anti-replay window becomes the message sequence number 100, as shown in (5) of fig. 7. Thereafter, if the GM receives a message with a sequence number less than 37 (for example, 36), the message is discarded as a replay message, as shown in (6) of fig. 7.
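The detection and update rules above, run through the fig. 7 walk-through, as an added Python example that is not part of the patent. It uses the fig. 6B form of the entry (window derived from M and N, received marks kept as an array indexed from the left end point); the entry class, the verdict names and the `decapsulate` callback standing in for the SA lookup and integrity check are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Tuple


class Verdict(Enum):
    LEFT_OF_WINDOW = "left"        # older than the window: treated as replay, dropped
    DUPLICATE = "duplicate"        # inside the window but already marked: replay, dropped
    IN_WINDOW = "in_window"        # inside the window and unmarked: decapsulate
    RIGHT_OF_WINDOW = "right"      # newer than the window: decapsulate, then slide right


@dataclass
class FastForwardingEntry:
    """Hypothetical stand-in for the decapsulation-side fast forwarding entry of fig. 6B.

    window_size  : N, the anti-replay window size issued by the KS
    max_received : M, the maximum received sequence number (initial value N)
    received     : array of N marks; subscript 0 is the left end point of the window
    """
    window_size: int
    max_received: int = 0
    received: List[bool] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.max_received == 0:
            self.max_received = self.window_size          # initial value of M is N
        if not self.received:
            self.received = [False] * self.window_size    # initial value is "null"

    def window(self) -> Tuple[int, int]:
        """Second way of deriving the interval: [1, N] while M <= N, else [M-N+1, M]."""
        m, n = self.max_received, self.window_size
        return (1, n) if m <= n else (m - n + 1, m)

    def is_marked(self, seq: int) -> bool:
        """Array subscript is the difference between seq and the left end point."""
        left, _ = self.window()
        return self.received[seq - left]

    def check(self, seq: int) -> Verdict:
        """Anti-replay detection: position of seq relative to the window interval."""
        left, right = self.window()
        if seq < left:
            return Verdict.LEFT_OF_WINDOW
        if seq > right:
            return Verdict.RIGHT_OF_WINDOW
        return Verdict.DUPLICATE if self.is_marked(seq) else Verdict.IN_WINDOW

    def update(self, seq: int) -> None:
        """Entry update after successful decapsulation; slides the window when seq is right of it."""
        left, right = self.window()
        if seq > right:
            new_left = seq - self.window_size + 1
            shift = new_left - left
            if shift >= self.window_size:
                self.received = [False] * self.window_size   # nothing old survives the move
            else:
                # drop the marks that fall left of the new window, keep the rest aligned
                self.received = self.received[shift:] + [False] * shift
            self.max_received = seq
            left = new_left
        self.received[seq - left] = True


def process_packet(entry: FastForwardingEntry, seq: int,
                   decapsulate: Callable[[int], bool]) -> Tuple[bool, Verdict]:
    """Step 504 for one received packet: detection, decapsulation, then entry update.

    `decapsulate` stands in for the IPsec SA lookup plus integrity check; when it
    returns False the entry is left untouched, so a rewritten sequence number cannot
    move the window.
    """
    verdict = entry.check(seq)
    if verdict in (Verdict.LEFT_OF_WINDOW, Verdict.DUPLICATE):
        return False, verdict                   # replay: discarded before decapsulation
    if not decapsulate(seq):
        return False, verdict                   # tampered or SA aged out: no window update
    entry.update(seq)
    return True, verdict


def replay_fig7() -> List[Tuple[int, bool, Tuple[int, int]]]:
    """Constructed trace of the fig. 7 walk-through: window 64, packets 1, 60, 60, 100, 36."""
    entry = FastForwardingEntry(window_size=64)
    trace = []
    for seq in (1, 60, 60, 100, 36):
        accepted, _ = process_packet(entry, seq, lambda s: True)
        trace.append((seq, accepted, entry.window()))
    return trace


if __name__ == "__main__":
    for seq, accepted, win in replay_fig7():
        state = "decapsulated" if accepted else "discarded"
        print(f"seq {seq:3d}: {state:12s} window={win}")
```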
After step 503 and step 504, the local GM may re-search the matched fast forwarding entry according to the decapsulated message, and forward the decapsulated message according to the re-found fast forwarding entry.
This completes the description of the flow shown in fig. 5.
As can be seen from the flow shown in fig. 5, in the embodiment of the present application, a new field indicating the anti-replay window interval and the received message sequence numbers is introduced into the fast forwarding entry used for decapsulation. Even if the receiving end cannot identify which GM a message comes from, the receiving end can determine, from the fast forwarding entry uniquely corresponding to the message, which message sequence numbers it has already received from the sending end of that message and the interval of the current anti-replay window, and by combining these with the sequence number carried in the message, the message anti-replay function in the GD VPN can be implemented. Moreover, the messages in this application are encapsulated with the standard ESP protocol or the standard AH protocol and do not need to carry extra information; for example, no GM identifier needs to be introduced into the message to indicate which GM sent it, so compatibility is better.
As the data flows processed by the local GM increase, more and more fast forwarding entries are stored in the local GM. In order to save storage resources of the device, the fast forwarding entries provided in the present application may be aged. Specific aging strategies may be as follows, and the local GM may age the fast forwarding entries using one of these ways or a combination of several of them:
the first method comprises the following steps: and according to the fast forwarding table entry used for encapsulating the message when the message is sent. When the maximum sent sequence number recorded in the fast forwarding entry shown in fig. 3 reaches a set threshold (for example, 90% of the theoretical maximum value of the sequence number), the local GM may notify the KS in the GD VPN to issue a new IPsec SA, and after receiving the notification, the KS will issue a new IPsec SA to the GM and other gmss belonging to the same group as the GM. When a local terminal GM and other GMs receive a new IPsec SA issued by a KS, an aging timer is started, an old IPsec SA is deleted after the aging timer expires, and a fast forwarding table item related to the old IPsec SA is deleted, wherein the fast forwarding table item is used for adding an encapsulation message when a message is sent, and the fast forwarding table item is used for removing the encapsulation message when the message is received.
And the second method comprises the following steps: and according to the fast forwarding table entry used for decapsulating the message when receiving the message. When the right end point of the anti-replay window recorded in the fast-forwarding table entry shown in fig. 6A reaches the set threshold, or when the maximum received sequence number recorded in the fast-forwarding table entry shown in fig. 6B reaches the set threshold, the local GM may notify the KS in the GD VPN to issue a new IPsec SA, and after receiving the notification, the KS may issue a new IPsec SA to the GM and other gmss belonging to the same group as the GM. When a local terminal GM and other GMs receive a new IPsec SA issued by a KS, an aging timer is started, an old IPsec SA is deleted after the aging timer expires, and a fast forwarding table item related to the old IPsec SA is deleted, wherein the fast forwarding table item is used for adding an encapsulation message when a message is sent, and the fast forwarding table item is used for removing the encapsulation message when the message is received.
And the third is that: according to the life cycle of the IPsec SA. An IPsec SA has a soft lifetime (e.g., 20 minutes) and a hard lifetime (e.g., 30 minutes), where the hard lifetime is the true lifetime of the IPsec SA, i.e., the IPsec SA is deleted only after the hard lifetime is over. And the soft life cycle is shorter than the hard life cycle, after the soft life cycle is finished, the IPsec SA cannot be deleted, and the home-end GM informs the KS in the GD VPN to send a new IPsec SA to all GMs. And after the local GM receives the new IPsec SA issued by the KS, the local GM deletes the old IPsec SA and deletes the fast forwarding table items related to the old IPsec SA after waiting for the hard life cycle of the old IPsec SA. After the old IPsec SA is deleted, the home-end GM uses the new IPsec SA to encapsulate the packet and create a new fast forwarding entry.
In practical application, if a 32-bit serial number is used by networking, the theoretical maximum value of the serial number is 2^32 ^ 4294967296, and once the serial number carried by a message exceeds the theoretical maximum value, the accuracy of the anti-replay function of the GM will be affected. In order to avoid overflow of the serial number, under the scene that the 32-bit serial number is used in networking, the first two aging strategies are preferentially used when the message processing method provided by the application is realized, namely, the serial number is turned over in advance before the serial number reaches the theoretical maximum value. In the network supporting the Extended Sequence Number (ESN), the Sequence Number is 64 bits, and the theoretical maximum value is 2^64 ^ 1.844674407371 ^ 10 19This number of sequence numbers is generally sufficient, so that the problem of sequence number overflow may not be considered when implementing, and the third aging strategy may be preferentially used.
It can be seen from the above three aging policies that the fast forwarding entries for encapsulated packets and for decapsulated packets provided in the present application age as the IPsec SA ages, and if the IPsec SA does not age, it indicates that a subsequent flow may continue to use the IPsec SA, so that the fast forwarding entries related to the IPsec SA may also be used. For example, when the GM detects a command, which is input through a command line and indicates to delete a certain fast forwarding entry in the running process, the GM may set a hidden flag for the fast forwarding entry specified by the command, so that the fast forwarding entry is invisible to the outside, and if a subsequent message matches the fast forwarding entry, the fast forwarding entry is activated again so that the fast forwarding entry is visible to the outside, so that the message can be continuously processed using the sequence number recorded in the original fast forwarding entry.
How the application implements message processing in the GD VPN is described below by a specific example.
Referring to fig. 8, three branches of a business are connected to GM1, GM2, and GM3, respectively. All GMs register with the KS, which issues the same IPsec SA to all GMs. The three GMs use the same IPsec SA to encapsulate and decapsulate the flows between them. The KS has issued to all GMs a switch turning on the anti-replay function and an anti-replay window of size 64. Assume that the message before encapsulation is a UDP (User Datagram Protocol) message, the message after encapsulation is an ESP message, the source port number is 1234, the destination port number is 5678, and the SPI corresponding to the IPsec SA is 65535.
Because the GD VPN adopts an IP header retention technique, the source IP and destination IP of the encapsulated message are unchanged; but because the encapsulated message is an ESP message and the protocol number has changed, the GM can establish fast forwarding table entries both before and after encapsulation.
In fig. 8, there are two flows from GM1 to GM2: 100.1.1.1->100.1.3.1 and 100.1.1.2->100.1.3.1; the fast forwarding entries built on GM1 before and after encapsulation may be as shown in table 1 below. Here, for the GD VPN, the source port and the destination port are abstracted concepts: the source port and the destination port may be the high and low 2 bytes of the SPI.
TABLE 1
[Table 1 is reproduced as an image in the original and its contents are not available here.]
Taking 100.1.1.1->100.1.3.1 as an example, when a message belonging to this flow enters GM1, it matches the first entry in table 1 above; GM1 encapsulates the message based on the IPsec SA (not shown in table 1) recorded in the first entry, sets the sequence number of the message to 101 according to the value 100 of the maximum sent sequence number recorded in the first entry, and updates the value of the maximum sent sequence number recorded in the first entry from 100 to 101. The encapsulated message matches the second entry in table 1 above, and GM1 sends the encapsulated message out of the egress interface Eth1/1 according to the forwarding information recorded in the second entry.
There is one flow from GM3 to GM2: 100.1.2.1->100.1.3.1; before and after encapsulation, fast forwarding table entries as shown in table 2 can be established on GM3.
TABLE 2
[Table 2 is reproduced as an image in the original and its contents are not available here.]
Accordingly, before and after the flows sent by GM1 and GM3 are decapsulated by GM2, a fast forwarding table entry as shown in table 3 may be established.
TABLE 3
[Table 3 is reproduced as an image in the original and its contents are not available here.]
Taking the flow 100.1.1.1->100.1.3.1 as an example, after a message belonging to this flow enters GM2, it matches the first entry in table 3 above. From the value 100 of the maximum received sequence number recorded in the first entry, combined with the anti-replay window size 64 issued by the KS, GM2 may calculate that the current anti-replay window interval is [37, 100], and at the same time, combined with the received sequence numbers recorded in the fast forwarding entry, may determine whether the message has already been decapsulated. Assuming that the sequence number carried in the message is 101, GM2 may determine from the above information that the message passes anti-replay detection, and therefore decapsulates the message and marks the received sequence number 101 in the received sequence number field of the first entry. The decapsulated message matches the second entry in table 3 above, and GM2 sends the decapsulated message out of the egress interface Eth1/0 according to the forwarding information recorded in the second entry.
It should be noted that, since GM2 needs to determine whether a message is a replay message before decapsulation, the two fields "maximum received sequence number" and "received sequence number" can only be recorded in the fast forwarding table entry established before decapsulation. In addition, for flexibility, GM2 may also record the size of the anti-replay window issued by the KS in the fast forwarding entry.
When GM1, GM2, and GM3 receive a new IPsec SA issued by a KS, each GM will age the fast-forwarding entries in the device that include the new field proposed in the present application, that is, GM1 will age the first and third entries in table 1, GM2 will delete the first entry in table 2, and GM3 will delete the first, third, and fifth entries in table 3.
The methods provided herein are described above. The apparatus provided in the present application is described below.
Referring to fig. 9, a functional module block diagram of a message processing apparatus according to an embodiment of the present invention is provided, where the apparatus may be applied to a local GM in a GD VPN, and the apparatus includes:
a receiving unit 901, configured to receive a first message sent by an opposite-end GM in a GD VPN, where the first message includes a sequence number.
A querying unit 902, configured to query a first fast forwarding entry matched with the first packet, where a new field for indicating an interval of an anti-replay window and a received sequence number is added to the first fast forwarding entry.
An anti-replay detection unit 903, configured to determine an interval of an anti-replay window and a received sequence number according to a new field in the first fast forwarding entry, and perform anti-replay detection on the first packet by combining the interval of the anti-replay window, the received sequence number, and a sequence number included in the first packet.
A packet processing unit 904, configured to decapsulate the first packet when the first packet passes through anti-replay detection; discarding the first packet when the first packet fails anti-replay detection.
The table entry processing unit 905 is configured to update the first fast forwarding table entry after the first packet is decapsulated successfully.
Optionally, the new fields may be a left end point L and a right end point R of the anti-replay window, and a received sequence number; thus, when determining the anti-replay window interval according to the first fast forwarding table entry, the anti-replay detection unit 903 is specifically configured to: determine the interval of the anti-replay window as [L, R] according to the left end point L and the right end point R of the anti-replay window recorded in the first fast forwarding table entry.
Optionally, the new field may be a maximum received sequence number M, and a received sequence number; thus, when determining the anti-replay window interval according to the first fast forwarding table entry, the anti-replay detection unit 903 is specifically configured to: if the maximum received sequence number M recorded in the first fast forwarding entry is smaller than or equal to the size N of the anti-replay window, determine that the interval of the anti-replay window is [1, N]; and if the maximum received sequence number M recorded in the first fast forwarding table entry is larger than the size N of the anti-replay window, determine that the interval of the anti-replay window is [M-N+1, M].
Optionally, when performing anti-replay detection on the first packet, the anti-replay detection unit 903 is specifically configured to: judging the position of the sequence number of the first message relative to the interval of the anti-replay window; if the sequence number of the first message is within the interval of the anti-replay window, further judging whether the sequence number of the first message is repeated with the received sequence number; if not, determining that the first message passes anti-replay detection; if so, determining that the first message does not pass anti-replay detection; if the sequence number of the first message is on the left side of the interval of the anti-replay window, determining that the first message does not pass anti-replay detection; and if the sequence number of the first message is on the right side of the interval of the anti-replay window, determining that the first message passes anti-replay detection.
Optionally, when the new fields are a left end point L and a right end point R of the anti-replay window, and a received sequence number; when the first fast forwarding entry is updated, the entry processing unit 905 is specifically configured to: if the sequence number X of the first message is within the interval of the anti-replay window, marking the received sequence number X in the first fast forwarding entry; if the sequence number X of the first message is on the right side of the interval of the anti-replay window, the anti-replay window recorded in the first fast-forwarding entry is moved to the right, the left end point L of the anti-replay window is updated to be X-N +1, the right end point of the anti-replay window is updated to be X, and the received sequence number X is marked in the first fast-forwarding entry; where N represents the size of the anti-replay window.
Optionally, when the new field is the maximum received sequence number M and the received sequence number; when the first fast forwarding entry is updated, the entry processing unit 905 is specifically configured to: if the sequence number X of the first message is within the interval of the anti-replay window, marking the received sequence number X in the received sequence number of the first fast forwarding entry record; if the sequence number X of the first packet is on the right side of the anti-replay window interval, updating the maximum received sequence number M recorded in the first fast forwarding entry to the sequence number X of the first packet, and marking the received sequence number X in the received sequence number recorded in the first fast forwarding entry.
Optionally, the entry processing unit 905 may be further configured to create a new fast forwarding entry corresponding to the first packet when the first fast forwarding entry is not found by the querying unit 902, and to add a left end point and a right end point of an anti-replay window and a received sequence number to the newly created fast forwarding entry; or to add a maximum received sequence number and a received sequence number to the newly created fast forwarding entry. The initial value of the left end point of the anti-replay window is 0, and the initial value of the right end point is the size N of the anti-replay window; the initial value of the maximum received sequence number is the size N of the anti-replay window; the initial value of the received sequence number is null.
Correspondingly, the packet processing unit 904 is further configured to decapsulate the first packet after the entry processing unit 905 creates a fast forwarding entry corresponding to the first packet.
Correspondingly, the table entry processing unit 905 is further configured to update the newly-created fast forwarding table entry according to the sequence number included in the first packet after the first packet is decapsulated successfully.
Optionally, the querying unit 902 may be further configured to query a second fast forwarding entry matched with a second packet before the local-end GM encapsulates the second packet to be sent to the opposite-end GM, where a new field related to the number of packets sent by the local-end GM is added to the second fast forwarding entry, and the new field is the maximum sent sequence number.
Correspondingly, the table entry processing unit 905 may be further configured to increment, according to a preset step size, the maximum sent sequence number recorded in the second fast forwarding table entry when the querying unit 902 queries the second fast forwarding table entry; when the query unit 902 does not query the second fast forwarding entry, a fast forwarding entry corresponding to the second packet is newly created, a maximum sent sequence number is added to the newly created fast forwarding entry, an initial value of the maximum sent sequence number is 0, and the maximum sent sequence number recorded in the newly created fast forwarding entry is incremented and accumulated according to a preset step size.
Correspondingly, the packet processing unit 904 may be further configured to add the accumulated maximum sent sequence number as the sequence number of the second packet to a packet header of the second packet, and then encapsulate the second packet.
Optionally, when the first packet before decapsulation is a standard ESP protocol packet, the Sequence Number of the first packet may be carried in a Sequence Number field of an ESP header of the first packet; when the first packet before decapsulation is a standard AH protocol packet, the Sequence Number of the first packet may be carried in a Sequence Number field of an AH header of the first packet.
Optionally, the receiving unit 901 may be further configured to receive the size of the anti-replay switch and the anti-replay window issued by the KS before receiving the first message sent by the peer GM.
Accordingly, the anti-replay detection unit 903 may be further configured to turn on an anti-replay function according to an instruction of the anti-replay switch.
Optionally, the apparatus further comprises:
and the sending unit is used for notifying KS in the GD VPN to issue a new IP security IPsec security alliance SA when the maximum sent serial number recorded in the second fast forwarding table item reaches a set threshold value, or when the maximum received serial number recorded in the first fast forwarding table item or a right end point of the anti-replay window reaches the set threshold value.
An aging unit, configured to age the first fast forwarding entry and the second fast forwarding entry when the receiving unit 901 receives a new IPsec SA issued by the KS.
It should be noted that the division of the unit in the embodiment of the present invention is schematic, and is only a logic function division, and there may be another division manner in actual implementation. The functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
As shown in fig. 10, an embodiment of the present application further provides a message processing apparatus, where the apparatus includes a communication interface 1001, a processor 1002, a memory 1003, and a bus 1004; the communication interface 1001, the processor 1002, and the memory 1003 communicate with each other via the bus 1004.
Here, the communication interface 1001 is used for communicating with other GMs and the KS in the GD VPN. The processor 1002 may be a CPU, and the memory 1003 may be a non-volatile memory; the memory 1003 stores message processing logic instructions, and the processor 1002 may execute the message processing logic instructions stored in the memory 1003 to implement the message processing methods shown in fig. 2 and fig. 5; for details, refer to the flows shown in fig. 2 and fig. 5.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (18)

1. A message processing method is applied to a local group member GM in a group domain virtual private network GD VPN, and the method comprises the following steps:
receiving a first message sent by an opposite terminal GM in a GD VPN, wherein the first message comprises a serial number;
inquiring a first fast forwarding table item matched with the first message, wherein a new field for indicating an interval of an anti-replay window and a received serial number is added in the first fast forwarding table item;
determining an interval of an anti-replay window and a received serial number according to a new field in the first fast forwarding table item, and performing anti-replay detection on the first message by combining the interval of the anti-replay window, the received serial number and the serial number included in the first message;
if the first message passes anti-replay detection, decapsulating the first message, and updating the first fast forwarding table entry after successful decapsulation;
discarding the first packet if the first packet fails anti-replay detection.
2. The method of claim 1,
the new fields are a left end point L and a right end point R of the anti-replay window, and a received serial number; the determining the anti-replay window interval according to the new field in the first fast forwarding table entry includes: determining the interval of the anti-replay window as [ L, R ] according to the left end point L and the right end point R of the anti-replay window recorded in the first fast-forwarding table entry; or
The new field is the maximum received sequence number M and the received sequence number; the determining the anti-replay window interval according to the new field in the first fast forwarding table entry includes: if the maximum received sequence number M recorded in the first fast forwarding entry is smaller than or equal to the size N of the anti-replay window, determining that the interval of the anti-replay window is [1, N]; and if the maximum received sequence number M recorded in the first fast forwarding table entry is larger than the size N of the anti-replay window, determining that the interval of the anti-replay window is [M-N+1, M].
3. The method of claim 1, wherein performing anti-replay detection on the first packet comprises:
determining the position of the sequence number of the first packet relative to the interval of the anti-replay window;
if the sequence number of the first packet is within the interval of the anti-replay window, further determining whether it duplicates the received sequence number; if not, determining that the first packet passes anti-replay detection; if so, determining that the first packet fails anti-replay detection;
if the sequence number of the first packet is to the left of the interval of the anti-replay window, determining that the first packet fails anti-replay detection; and
if the sequence number of the first packet is to the right of the interval of the anti-replay window, determining that the first packet passes anti-replay detection.
4. The method of claim 2, wherein:
the new fields are the left end point L and the right end point R of the anti-replay window, and the received sequence number; and updating the first fast forwarding entry comprises: if the sequence number X of the first packet is within the interval of the anti-replay window, marking X as received in the first fast forwarding entry; if the sequence number X of the first packet is to the right of the interval of the anti-replay window, sliding the anti-replay window recorded in the first fast forwarding entry to the right by updating its left end point L to X-N+1 and its right end point R to X, and marking X as received in the first fast forwarding entry, where N is the size of the anti-replay window; or
the new fields are the maximum received sequence number M and the received sequence number; and updating the first fast forwarding entry comprises: if the sequence number X of the first packet is within the interval of the anti-replay window, marking X in the received sequence number recorded in the first fast forwarding entry; if the sequence number X of the first packet is to the right of the interval of the anti-replay window, updating the maximum received sequence number M recorded in the first fast forwarding entry to X, and marking X in the received sequence number recorded in the first fast forwarding entry.
5. The method of claim 2, further comprising:
if no first fast forwarding entry is found, creating a fast forwarding entry corresponding to the first packet;
adding a left end point and a right end point of the anti-replay window and the received sequence number to the newly created fast forwarding entry; or adding the maximum received sequence number and the received sequence number to the newly created fast forwarding entry;
wherein the initial value of the left end point of the anti-replay window is 0, and the initial value of the right end point is the size N of the anti-replay window; the initial value of the maximum received sequence number is the size N of the anti-replay window; and the initial value of the received sequence number is null; and
then decapsulating the first packet, and after successful decapsulation updating the newly created fast forwarding entry according to the sequence number carried in the first packet.
6. The method of claim 1, further comprising:
before the local GM encapsulates a second packet to be sent to the peer GM, querying a second fast forwarding entry matching the second packet, wherein a new field related to the number of packets sent by the local GM, namely a maximum sent sequence number, is added to the second fast forwarding entry;
if the second fast forwarding entry is found, incrementing the maximum sent sequence number recorded in the second fast forwarding entry by a preset step, adding the incremented maximum sent sequence number to the header of the second packet as its sequence number, and then encapsulating the second packet; and
if no second fast forwarding entry is found, creating a fast forwarding entry corresponding to the second packet, adding a maximum sent sequence number with an initial value of 0 to the newly created fast forwarding entry, incrementing the maximum sent sequence number recorded in the newly created fast forwarding entry by the preset step, adding the incremented maximum sent sequence number to the header of the second packet as its sequence number, and then encapsulating the second packet.
7. The method of claim 1, wherein:
when the first packet before decapsulation is a standard Encapsulating Security Payload (ESP) protocol packet, the sequence number of the first packet is carried in the Sequence Number field of the ESP header of the first packet; and
when the first packet before decapsulation is a standard Authentication Header (AH) protocol packet, the sequence number of the first packet is carried in the Sequence Number field of the AH header of the first packet.
8. The method of claim 1, wherein before receiving the first packet sent by the peer GM, the method further comprises:
receiving an anti-replay switch and the size of the anti-replay window issued by a group key server (KS); and
enabling the anti-replay function according to the indication of the anti-replay switch.
9. The method of claim 6, further comprising:
when the maximum sent sequence number recorded in the second fast forwarding entry reaches a set threshold, or when the maximum received sequence number or the right end point of the anti-replay window recorded in the first fast forwarding entry reaches the set threshold, notifying the group key server (KS) in the GD VPN to issue a new IP Security (IPsec) Security Association (SA); and
when the new IPsec SA issued by the KS is received, aging the first fast forwarding entry and the second fast forwarding entry.
10. A packet processing apparatus, applied to a local group member (GM) in a group domain virtual private network (GD VPN), the apparatus comprising:
a receiving unit configured to receive a first packet sent by a peer GM in the GD VPN, wherein the first packet carries a sequence number;
a query unit configured to query a first fast forwarding entry matching the first packet, wherein new fields indicating the interval of an anti-replay window and the received sequence number are added to the first fast forwarding entry;
an anti-replay detection unit configured to determine the interval of the anti-replay window and the received sequence number from the new fields in the first fast forwarding entry, and to perform anti-replay detection on the first packet by combining the interval of the anti-replay window, the received sequence number and the sequence number carried in the first packet;
a packet processing unit configured to decapsulate the first packet when it passes anti-replay detection, and to discard the first packet when it fails anti-replay detection; and
an entry processing unit configured to update the first fast forwarding entry after the first packet is successfully decapsulated.
11. The apparatus of claim 10, wherein:
the new fields are a left end point L and a right end point R of the anti-replay window, and the received sequence number; and when determining the interval of the anti-replay window from the new fields in the first fast forwarding entry, the anti-replay detection unit is specifically configured to determine the interval of the anti-replay window to be [L, R] from the left end point L and the right end point R recorded in the first fast forwarding entry; or
the new fields are a maximum received sequence number M and the received sequence number; and when determining the interval of the anti-replay window from the new fields in the first fast forwarding entry, the anti-replay detection unit is specifically configured to: if the maximum received sequence number M recorded in the first fast forwarding entry is less than or equal to the size N of the anti-replay window, determine the interval of the anti-replay window to be [1, N]; and if the maximum received sequence number M recorded in the first fast forwarding entry is greater than the size N of the anti-replay window, determine the interval of the anti-replay window to be [M-N+1, M].
12. The apparatus of claim 10, wherein, when performing anti-replay detection on the first packet, the anti-replay detection unit is specifically configured to:
determine the position of the sequence number of the first packet relative to the interval of the anti-replay window;
if the sequence number of the first packet is within the interval of the anti-replay window, further determine whether it duplicates the received sequence number; if not, determine that the first packet passes anti-replay detection; if so, determine that the first packet fails anti-replay detection;
if the sequence number of the first packet is to the left of the interval of the anti-replay window, determine that the first packet fails anti-replay detection; and
if the sequence number of the first packet is to the right of the interval of the anti-replay window, determine that the first packet passes anti-replay detection.
13. The apparatus of claim 11, wherein:
the new fields are the left end point L and the right end point R of the anti-replay window, and the received sequence number; and when updating the first fast forwarding entry, the entry processing unit is specifically configured to: if the sequence number X of the first packet is within the interval of the anti-replay window, mark X as received in the first fast forwarding entry; if the sequence number X of the first packet is to the right of the interval of the anti-replay window, slide the anti-replay window recorded in the first fast forwarding entry to the right by updating its left end point L to X-N+1 and its right end point R to X, and mark X as received in the first fast forwarding entry, where N is the size of the anti-replay window; or
the new fields are the maximum received sequence number M and the received sequence number; and when updating the first fast forwarding entry, the entry processing unit is specifically configured to: if the sequence number X of the first packet is within the interval of the anti-replay window, mark X in the received sequence number recorded in the first fast forwarding entry; if the sequence number X of the first packet is to the right of the interval of the anti-replay window, update the maximum received sequence number M recorded in the first fast forwarding entry to X, and mark X in the received sequence number recorded in the first fast forwarding entry.
14. The apparatus of claim 11, wherein:
the entry processing unit is further configured to create a fast forwarding entry corresponding to the first packet when the query unit finds no first fast forwarding entry, and to add a left end point and a right end point of the anti-replay window and the received sequence number to the newly created fast forwarding entry, or to add the maximum received sequence number and the received sequence number to the newly created fast forwarding entry; wherein the initial value of the left end point of the anti-replay window is 0, and the initial value of the right end point is the size N of the anti-replay window; the initial value of the maximum received sequence number is the size N of the anti-replay window; and the initial value of the received sequence number is null;
the packet processing unit is further configured to decapsulate the first packet after the entry processing unit creates the fast forwarding entry corresponding to the first packet; and
the entry processing unit is further configured to update the newly created fast forwarding entry according to the sequence number carried in the first packet after the first packet is successfully decapsulated.
15. The apparatus of claim 10, wherein:
the query unit is further configured to query, before the local GM encapsulates a second packet to be sent to the peer GM, a second fast forwarding entry matching the second packet, wherein a new field related to the number of packets sent by the local GM, namely a maximum sent sequence number, is added to the second fast forwarding entry;
the entry processing unit is further configured to increment the maximum sent sequence number recorded in the second fast forwarding entry by a preset step when the query unit finds the second fast forwarding entry; and, when the query unit finds no second fast forwarding entry, to create a fast forwarding entry corresponding to the second packet, add a maximum sent sequence number with an initial value of 0 to the newly created fast forwarding entry, and increment the maximum sent sequence number recorded in the newly created fast forwarding entry by the preset step; and
the packet processing unit is further configured to add the incremented maximum sent sequence number to the header of the second packet as its sequence number, and then encapsulate the second packet.
16. The apparatus of claim 10, wherein:
when the first packet before decapsulation is a standard Encapsulating Security Payload (ESP) protocol packet, the sequence number of the first packet is carried in the Sequence Number field of the ESP header of the first packet; and
when the first packet before decapsulation is a standard Authentication Header (AH) protocol packet, the sequence number of the first packet is carried in the Sequence Number field of the AH header of the first packet.
17. The apparatus of claim 10, wherein:
the receiving unit is further configured to receive an anti-replay switch and the size of the anti-replay window issued by a group key server (KS) before receiving the first packet sent by the peer GM; and
the anti-replay detection unit is further configured to enable the anti-replay function according to the indication of the anti-replay switch.
18. The apparatus of claim 15, further comprising:
a sending unit configured to notify the group key server (KS) in the GD VPN to issue a new IP Security (IPsec) Security Association (SA) when the maximum sent sequence number recorded in the second fast forwarding entry reaches a set threshold, or when the maximum received sequence number or the right end point of the anti-replay window recorded in the first fast forwarding entry reaches the set threshold; and
an aging unit configured to age the first fast forwarding entry and the second fast forwarding entry when the receiving unit receives the new IPsec SA issued by the KS.
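The procedure of claims 1 to 9 (mirrored by apparatus claims 10 to 18) as one runnable model, added here as an example rather than code from the patent or from New H3C: the receive-side entry uses the "maximum received sequence number M" form of claims 2, 4 and 5, the send-side entry follows claim 6, and the rekey check follows claim 9. The bitmap layout of the received sequence number field, the decapsulate callback and the sample stream in demo() are my assumptions.

```python
# Added example, not the patent's or New H3C's code: the receive-side anti-replay
# logic of claims 1 to 5 and the sender-side numbering of claims 6 and 9, using the
# "maximum received sequence number M" form of the entry. The bitmap layout, the
# decapsulate callback and the sample stream in demo() are assumptions.
from dataclasses import dataclass


@dataclass
class RecvEntry:
    """First fast forwarding entry carrying the new fields of claims 2 and 5."""
    n: int             # anti-replay window size N, issued by the KS (claim 8)
    m: int = 0         # maximum received sequence number M
    received: int = 0  # bitmap: bit i set <=> sequence number M - i was received

    def __post_init__(self):
        self.m, self.received = self.n, 0   # claim 5: M starts at N, nothing received yet

    def window(self):
        """Claim 2: [1, N] while M <= N, otherwise [M-N+1, M]."""
        return (1, self.n) if self.m <= self.n else (self.m - self.n + 1, self.m)

    def check(self, seq):
        """Claim 3: left of the window fails, right of it passes, inside passes unless seen."""
        lo, hi = self.window()
        if seq < lo:
            return False
        if seq > hi:
            return True
        return ((self.received >> (self.m - seq)) & 1) == 0

    def update(self, seq):
        """Claim 4: mark seq as received, sliding the window right if seq is beyond it."""
        lo, hi = self.window()
        if seq < lo:
            raise ValueError("update() must only follow a successful check()")
        if seq > hi:
            # M becomes seq; bits for numbers now left of the window are shifted out
            self.received = (self.received << (seq - self.m)) & ((1 << self.n) - 1)
            self.m = seq
        self.received |= 1 << (self.m - seq)


def process_received(entry, seq, decapsulate):
    """Claim 1: detect, decapsulate, update the entry only after success (True = accepted)."""
    if not entry.check(seq):
        return False
    if not decapsulate(seq):
        return False   # entry untouched: a packet that fails decapsulation cannot move the window
    entry.update(seq)
    return True


@dataclass
class SendEntry:
    """Second fast forwarding entry (claim 6): maximum sent sequence number, initially 0."""
    step: int = 1
    max_sent: int = 0

    def next_seq(self):
        self.max_sent += self.step   # accumulate first, then use as the outgoing seq
        return self.max_sent


def needs_rekey(recv, send, threshold):
    """Claim 9: request a new IPsec SA from the KS once either counter reaches the threshold."""
    return recv.m >= threshold or send.max_sent >= threshold


def demo():
    """Constructed stream for N=4: in order, a replayed 2, a jump, a stale 1, a late 5."""
    entry = RecvEntry(n=4)
    return [process_received(entry, s, lambda _: True) for s in [1, 2, 2, 5, 3, 1, 6, 9, 5]]
```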
CN201710157140.3A 2017-03-16 2017-03-16 Message processing method and device Active CN106899606B (en)
Publications (2)

Publication Number Publication Date
CN106899606A CN106899606A (en) 2017-06-27
CN106899606B true CN106899606B (en) 2020-02-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant