CN107547479A - IPsec implementation method and device - Google Patents

IPsec implementation method and device

Info

Publication number: CN107547479A
Authority: CN (China)
Application number: CN201610487849.5A
Other languages: Chinese (zh)
Inventor: 杨超
Assignee (current and original): Maipu Communication Technology Co Ltd
Legal status: Pending
Prior art keywords: business board, ipsec, response message, specific field, business


Abstract

The invention discloses an IPsec implementation method and device in the field of communication technology. It solves a problem of the prior art, in which every LPU in the network must store the IPsec SA entries of all LPUs, occupying a large amount of LPU memory. The method includes: a first business board receives a response message sent by a peer device; obtains the value of a specific field carried in the response message, where the value of the specific field represents the identifier of a business board; determines, according to the value of the specific field, the target business board for processing the response message; and, if the target business board is a second business board, transparently forwards the response message to the second business board so that the second business board performs IPsec decapsulation on it. The invention applies to the implementation of IPsec under a distributed processing architecture.

Description

IPsec implementation method and device
Technical field
The present invention relates to the field of communication technology, and in particular to an IPsec implementation method and device.
Background technology
Internet Protocol Security (IPsec) is a Layer 3 tunnelling encryption protocol formulated by the Internet Engineering Task Force (IETF) and is a traditional security technique for implementing Layer 3 virtual private networks (VPNs). IPsec establishes a channel (commonly called an IPsec tunnel) between specific communicating parties (for example, between two security gateways) to protect the user data transmitted between them, and can provide high-quality, cryptography-based security guarantees for data transferred across interconnected networks.
With the development of networks and rising functional requirements on devices, centralized devices are often unable to meet actual needs, so distributed processing architectures have emerged. Under a distributed processing architecture, a device in the network generally includes a main processing unit (MPU) and multiple line interface processing units (LPUs, also called business boards). The MPU performs business configuration and management of the business boards, and the business boards handle different services. When IPsec is implemented under a distributed processing architecture, each LPU is enabled through interface configuration to implement IPsec functions. A problem that may arise in practice is that, if a request message passes through the device and IPsec processing is done on LPU1, which generates the IPsec Security Association (SA) entry, but the response message corresponding to that request is received by LPU2, then LPU2 has no IPsec SA information for the response message and discards it.
To solve this problem, the solution provided in the prior art is that every LPU stores the IPsec SA entries generated by all LPUs in the network. When an LPU receives a response message, it looks up the IPsec SA entries it stores, determines the LPU that should process the response message, and passes the response message through to that LPU for processing. However, this implementation requires each LPU to store all IPsec SA entries of all LPUs in the whole network, which takes up a large amount of LPU memory; in particular, as the number of LPUs in the network and the number of IPsec SA entries grow, the memory cost increases linearly, seriously affecting LPU performance.
Summary of the invention
The present invention provides an IPsec implementation method and device to solve the prior-art problem that every LPU stores all IPsec SA entries of all LPUs in the whole network, occupying a large amount of LPU memory.
To achieve the above purpose, the present invention adopts the following technical solution:
In a first aspect, the present invention provides an Internet Protocol Security (IPsec) implementation method, including: a first business board receives a response message sent by a peer device; obtains the value of a specific field carried in the response message, where the value of the specific field is used to represent the identifier of a business board; determines, according to the value of the specific field, the target business board for processing the response message, where the preset relation table includes the correspondence between values of the specific field and business board identifiers; and, if the target business board is a second business board, transparently forwards the response message to the second business board so that the second business board performs IPsec decapsulation on the response message.
In a second aspect, the present invention provides an Internet Protocol Security (IPsec) implementation device applied to a first business board, the device including: a receiving module for receiving a response message sent by a peer device; a processing module for obtaining the value of a specific field carried in the response message, where the value of the specific field is used to represent the identifier of a business board, and for determining, according to the value of the specific field, the target business board for processing the response message, where the preset relation table includes the correspondence between values of the specific field and business board identifiers; and a sending module for transparently forwarding the response message to a second business board when the target business board is the second business board, so that the second business board performs IPsec decapsulation on the response message.
With the IPsec implementation method and device provided by the invention, after the first business board receives a response message it obtains the value of the specific field carried in the response message; from that value it can determine the target business board for processing the response message, and when the target business board is a second business board (that is, another business board) it sends the response message to the second business board for processing. In the prior art, every LPU stores the IPsec SA entries generated by all LPUs in the network and, on receiving a response message, looks up its stored IPsec SA entries to determine the LPU that should process it. By comparison, in the present invention an LPU can determine the target business board from the value of the specific field carried in the response message without storing the IPsec SA entries generated by all LPUs in the network, which reduces the LPU memory occupied by IPsec SA entries and thus improves LPU performance.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of a communication network provided by an embodiment of the present invention;
Fig. 2 is a schematic flow chart of an IPsec implementation method provided by an embodiment of the present invention;
Fig. 3 is a schematic flow chart of another IPsec implementation method provided by an embodiment of the present invention;
Fig. 4 is a schematic flow chart of another IPsec implementation method provided by an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an IPsec implementation device provided by an embodiment of the present invention.
Embodiments
The technical solutions of the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
As shown in Fig. 1, an embodiment of the present invention provides a communication network including host 101, host 102, network device 103 and server 104. Network device 103 may specifically be a device such as a switch; it uses a distributed processing architecture, includes an MPU, LPU1 and LPU2, and can implement IPsec functions. When IPsec is implemented, an IPsec tunnel can be established between network device 103 and server 104, and host 101 and host 102 can communicate with server 104 through the IPsec tunnel to ensure the security of the data transfer.
It should be noted that Fig. 1 is merely illustrative and does not limit the number of devices. For example, Fig. 1 shows only two hosts, host 101 and host 102, but in practice the network is not limited to two hosts, and network device 103 is not limited to the two business boards LPU1 and LPU2.
In the communication network of Fig. 1, because a distributed processing architecture is used, a request message and its corresponding response message need to be processed by the same LPU. The IPsec implementation method and device provided by the embodiments of the present invention can be applied in the communication system of Fig. 1, specifically whenever any business board processes a received response message.
As shown in Fig. 2, an embodiment of the present invention provides an IPsec implementation method that includes:
201: A first business board receives a response message sent by a peer device.
Here, the first business board referred to in the embodiments of the present invention is any business board, and the second business board is any business board other than the first business board. "First" and "second" in the embodiments denote different business boards; they do not designate a specific business board or impose an order on business boards. For example, the first business board may be LPU1 in Fig. 1 or LPU2 in Fig. 1.
The peer device is the device that has established IPsec communication with the first business board; the first business board and the peer device can transfer data by establishing an IPsec tunnel. For example, the peer device may be server 104 shown in Fig. 1.
202: Obtain the value of the specific field carried in the response message.
The value of the specific field is used to represent the identifier of a business board; different values of the specific field denote different business boards. For example, when the value of the specific field is 1, the corresponding business board identifier is identifier 1, and the business board corresponding to identifier 1 is LPU1; when the value of the specific field is 2, the corresponding business board identifier is identifier 2, and the business board corresponding to identifier 2 is LPU2.
In the prior art, a response message cannot by itself be associated with a business board. Unlike the prior art, in the embodiments of the present invention the response message carries a specific field whose value identifies a business board, so the value of the specific field determines the business board that processes the response message.
Optionally, the specific field may be the Security Parameter Index (SPI), a field added to the encapsulation header when IPsec encapsulation is applied to a message; the specific implementation is described in detail below.
Optionally, the specific field may also be another spare field. A spare field in the sense of the embodiments of the present invention is a field that is either unassigned or assigned a value that has no practical significance, that is, a field that plays no role in message forwarding. For example, the spare field may reuse a field of an existing message, such as the reserved field in the TCP header; if the inner message is a GRE message, the reserved field in the GRE header can be used; or the IP protocol can be extended directly by adding an option field to hold the business board identifier.
203: According to the value of the specific field, determine the target business board for processing the response message.
In the prior art, because a response message cannot by itself be associated with the business board that processes it and can only be associated with IPsec SA entries, the first business board can determine the target business board only by looking up IPsec SA entries. This requires the first business board to store the IPsec SA entries of all business boards, which greatly increases the business board memory occupied by IPsec SA entries.
In the embodiments of the present invention, the first business board, on receiving a response message, determines the target business board directly from the value of the specific field in the response message, without looking up IPsec SA entries. The first business board therefore need not store the IPsec SA entries generated by other business boards, which reduces the memory occupation of the business board.
204: If the target business board is a second business board, transparently forward the response message to the second business board so that the second business board performs IPsec decapsulation on the response message.
As noted above, the second business board is a business board other than the first business board.
Transparent forwarding means that the first business board performs no processing on the response message and sends it directly to the second business board through the inter-board communication mechanism.
In a specific implementation of this step, if the target business board is a second business board, the first business board transparently forwards the response message to the second business board. The second business board receives the response message, looks up the IPsec SA entry used for decapsulation according to the destination address, SPI, security protocol and other information in the encapsulation header of the response message, decapsulates the response message according to that IPsec SA entry, and after decapsulation sends the resulting message to the corresponding host.
It should be noted that the process by which the second business board performs IPsec decapsulation after receiving the response message follows the prior art and is not repeated in the embodiments of the present invention.
205: If the target business board is the first business board, the first business board performs IPsec decapsulation on the response message.
If the target business board is the first business board, the first business board does not forward the response message to other business boards but performs IPsec decapsulation on it directly.
It should be noted that the process by which the first business board performs IPsec decapsulation after receiving the response message follows the prior art and is not repeated in the embodiments of the present invention.
With the IPsec implementation method provided by the embodiment of the present invention, after the first business board receives a response message it obtains the value of the specific field carried in the response message; from that value it can determine the target business board for processing the response message, and when the target business board is a second business board (that is, another business board) it sends the response message to the second business board for processing. In the prior art, every LPU stores the IPsec SA entries generated by all LPUs in the network and, on receiving a response message, looks up its stored IPsec SA entries to determine the LPU that should process it. By comparison, in the present invention an LPU can determine the target business board from the value of the specific field carried in the response message without storing the IPsec SA entries generated by all LPUs in the network, which reduces the LPU memory occupied by IPsec SA entries and thus improves LPU performance.
The IPsec protocol is not a single protocol but a complete security architecture for network data security at the IP layer, including the Authentication Header (AH) protocol, the Encapsulating Security Payload (ESP) protocol, the Internet Key Exchange (IKE) protocol, and some algorithms for network authentication and encryption. AH and ESP provide the security services, and IKE performs key exchange. IPsec encapsulates messages in two ways: transport mode and tunnel mode.
An IPsec SA is the basis for implementing IPsec protocol functions. It is an agreement established between the communicating parties that determines the protocol they use to protect packets (for example, AH or ESP), the encapsulation mode (for example, transport mode or tunnel mode), the authentication algorithm, the encryption algorithm, the encryption keys, the key lifetime and so on. Before messages are encapsulated or decapsulated with the IPsec protocol, an IPsec SA must first be established; an IPsec SA can be created manually or established dynamically.
An IPsec SA is uniquely identified by the triple consisting of the SPI, the destination IP address and the IPsec protocol.
The SPI is a 32-bit Security Parameter Index, usually located in the AH or ESP header, which can distinguish different SAs that have the same destination IP address and the same security protocol; that is, even when the destination IP address and the security protocol used are the same, the SPI determines a unique SA. The destination IP address is the destination IP address carried in the outer header after the original message has been encapsulated; for example, it may be the IP address of the first business board or the IP address of the peer device. The IPsec protocol may be AH or ESP.
Before messages are transmitted, the communicating parties need to negotiate, generate and store an IPsec SA pair (some technical literature also calls an IPsec SA pair an IPsec SA bundle). The IPsec SA pair includes an inbound IPsec SA and an outbound IPsec SA; the inbound IPsec SA is used to process received messages and the outbound IPsec SA is used to process messages to be sent. The inbound SA and outbound SA stored by the two communicating parties are mutually "symmetric". For example, let communication device 1 and communication device 2 be the communicating parties. When communication device 1 sends message 1, it encapsulates the message according to its outbound IPsec SA; after communication device 2 receives message 1, it decapsulates it using its inbound IPsec SA, and the inbound IPsec SA of communication device 2 is identical to the outbound IPsec SA of communication device 1. Similarly, when communication device 2 sends the response to message 1 (called message 2 in the embodiments of the present invention), it encapsulates the message using its outbound IPsec SA; after communication device 1 receives message 2, it decapsulates it using its inbound IPsec SA, and the inbound IPsec SA of communication device 1 is identical to the outbound IPsec SA of communication device 2.
It should be noted that the specific implementation principles of the IPsec protocol follow the prior art and are not described here.
As shown in Fig. 3, an embodiment of the present invention further provides an IPsec implementation method that gives the specific implementation process for associating the response message with the identifier of a business board. The method includes:
301: In the process of generating the inbound IPsec security association (SA) of the first business board, the first business board writes its identifier into the specified position of the specific field.
As noted above, before the first business board and the peer device transfer messages, they need to establish an IPsec tunnel and generate an IPsec SA pair. The IPsec SA pair includes an inbound IPsec SA, used to process received messages, and an outbound IPsec SA, used to process messages to be sent.
The inbound IPsec SA of the first business board referred to in the embodiments of the present invention is identical to the outbound IPsec SA of the peer device. Therefore, writing the identifier of the first business board into the specified position of the specific field while generating the inbound IPsec SA of the first business board also means that the specified position of the specific field in the outbound IPsec SA of the peer device holds the identifier of the first business board. Consequently, when the peer device builds a response message by applying IPsec encapsulation to a message according to the inbound IPsec SA of the first business board (that is, the outbound IPsec SA at the peer device), the value of the specific field of that response message can represent the identifier of the first business board.
For example, if field 1 is 16 bits long and its high 5 bits are used to hold the identifier of the first business board, then, because different business boards have different identifiers, field 1 takes different values because its high 5 bits differ, and so the value of field 1 can represent different business boards.
201: The first business board receives a response message sent by a peer device.
202: Obtain the value of the specific field carried in the response message.
203: According to the value of the specific field, determine the target business board for processing the response message.
204: If the target business board is a second business board, transparently forward the response message to the second business board so that the second business board performs IPsec decapsulation on the response message.
205: If the target business board is the first business board, the first business board performs IPsec decapsulation on the response message.
The specific implementation process of steps 201 to 205 is as described for steps 101 to 105 above and is not repeated here.
With the IPsec implementation method provided by the embodiment of the present invention, while negotiating with the peer device to generate the inbound IPsec SA of the first business board (that is, the outbound IPsec SA of the peer device), the first business board writes its identifier into the specified position of the specific field. Thus, when the peer device encapsulates a response message to be sent according to the outbound IPsec SA, the identifier of the first business board is written into the specified position of the specific field. After the first business board receives the response message, it can determine the target business board for processing the response message from the value of the specific field carried in the response message, without storing the IPsec SA entries generated by all LPUs in the network, which reduces the LPU memory occupied by IPsec SA entries and thus improves LPU performance.
As shown in Fig. 4, an embodiment of the present invention further provides an IPsec implementation method in which the identifier of the first business board is the number of the first business board and the specific field is the Security Parameter Index (SPI). Step 301 can then be refined as writing the number of the first business board into the specified position of the SPI, so the method includes:
401: In the process of generating the inbound IPsec SA of the first business board, the first business board writes its number into the specified position of the SPI.
The SPI is located in the AH or ESP protocol header within the encapsulation header.
Optionally, the specified position of the SPI is the highest 5 bits of the SPI.
For example, all MPUs and business boards are numbered starting from 0. In general the number of business boards does not exceed 32, so the highest 5 bits of the 4-byte inbound SPI can be used entirely to identify the business board number, and the remaining bits are generated randomly.
201: The first business board receives a response message sent by a peer device.
202: Obtain the value of the specific field carried in the response message.
203: According to the value of the specific field, determine the target business board for processing the response message.
204: If the target business board is a second business board, transparently forward the response message to the second business board so that the second business board performs IPsec decapsulation on the response message.
205: If the target business board is the first business board, the first business board performs IPsec decapsulation on the response message.
The specific implementation process of steps 201 to 205 is as described for steps 101 to 105 above and is not repeated here.
To explain the IPsec implementation method of any of the embodiments of Fig. 1 to Fig. 4 more clearly, with reference to the communication network of Fig. 1, and taking as an example host 101 sending a request message to server 104, server 104 replying to host 101 with a response message, and LPU1 being the first business board, an embodiment of the present invention further provides an IPsec implementation method that includes:
Processing of the request message sent from host 101 to server 104:
Step 1: After the request message sent by host 101 reaches network device 103, the MPU of network device 103 looks up the route and finds that the request message needs to be routed to the egress interface on LPU1 for processing.
Step 2: The egress interface on LPU1 is configured with the IPsec protocol, which triggers the IPsec negotiation process with server 104 and generates the inbound IPsec SA and outbound IPsec SA needed for IPsec encryption and decryption; when the inbound SPI is generated, the identifier of LPU1 is recorded in the high 5 bits of the SPI.
Step 3: LPU1 sends the IPsec-encapsulated message to server 104.
Processing of the response message sent from server 104 to host 101:
Step 1: LPU1 receives the response message sent by server 104; the high 5 bits of the SPI field of the response message identify the business board that should process the response message.
Step 2: LPU1 determines the target business board for processing the response message according to the value of the high 5 bits of the SPI field in the response message.
Step 3: If the target business board is LPU1 itself, LPU1 performs IPsec decapsulation on the response message.
Step 4: If the target business board is LPU2, LPU1 transparently forwards the response message to LPU2, and LPU2 performs IPsec decapsulation on it.
With the IPsec implementation method provided by the embodiment of the present invention, while negotiating with server 104 to generate the inbound IPsec SA of LPU1 (that is, the outbound IPsec SA of server 104), LPU1 writes its identifier into the high 5 bits of the SPI. Thus, when server 104 encapsulates a response message to be sent according to the outbound IPsec SA, the identifier of LPU1 is written into the high 5 bits of the SPI. After LPU1 receives the response message, it can determine the target business board for processing the response message from the value of the high 5 bits of the SPI carried in the response message: if the target business board is LPU1 itself, it performs IPsec decapsulation on the response message directly; if the target business board is another business board, it transparently forwards the response message to the target business board, which performs IPsec decapsulation on it. LPU1 therefore need not store the IPsec SA entries generated by all LPUs in the network, which reduces the LPU memory occupied by IPsec SA entries and thus improves LPU performance.
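The SPI encoding of step 401 and the receive-side dispatch of steps 201 to 205, worked through on the Fig. 1 scenario, as an added example in C that is not part of the patent or of any Maipu product. It assumes IPv4 outer headers with ESP or AH as the security protocol, a constructed sample packet, and that the caller supplies the 27 random SPI bits; the function and address names are hypothetical.

```c
#include <stdint.h>
#include <string.h>
#define PROTO_ESP 50                     /* IANA protocol number for ESP */
#define PROTO_AH  51                     /* IANA protocol number for AH */

/* The patent's scheme: the highest 5 bits of the 32-bit inbound SPI hold the
 * board number (at most 32 boards, numbered from 0); the other 27 are random. */
#define LPU_ID_BITS   5
#define LPU_ID_SHIFT  (32 - LPU_ID_BITS)
#define LPU_ID_MASK   ((1u << LPU_ID_BITS) - 1u)
#define SPI_RAND_MASK ((1u << LPU_ID_SHIFT) - 1u)

/* Step 401: while generating its inbound SA, the board writes its own number
 * into the high 5 bits of the SPI. 'random_bits' stands in for the randomly
 * generated remainder (a real negotiation draws it from a CSPRNG). */
uint32_t make_inbound_spi(uint8_t lpu_no, uint32_t random_bits)
{
    return ((uint32_t)(lpu_no & LPU_ID_MASK) << LPU_ID_SHIFT)
         | (random_bits & SPI_RAND_MASK);
}

/* Step 203: the board number is read back from the SPI; no SA lookup needed. */
uint8_t lpu_from_spi(uint32_t spi)
{
    return (uint8_t)(spi >> LPU_ID_SHIFT);
}

/* Find the SPI in an outer IPv4 packet: first 4 bytes of the ESP header, or
 * bytes 4..7 of the AH header. Returns 0 on success, -1 if no SPI is present. */
int locate_spi(const uint8_t *pkt, size_t len, uint32_t *spi_out)
{
    size_t ihl, off;
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;                       /* not an IPv4 packet */
    ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || ihl > len)
        return -1;                       /* bad header length */
    if (pkt[9] == PROTO_ESP)
        off = ihl;
    else if (pkt[9] == PROTO_AH)
        off = ihl + 4;
    else
        return -1;                       /* not IPsec: nothing to dispatch on */
    if (off + 4 > len)
        return -1;                       /* truncated security header */
    *spi_out = ((uint32_t)pkt[off] << 24) | ((uint32_t)pkt[off + 1] << 16)
             | ((uint32_t)pkt[off + 2] << 8) | (uint32_t)pkt[off + 3];
    return 0;
}

enum dispatch { DISPATCH_DROP = 0, DISPATCH_LOCAL = 1, DISPATCH_PASSTHROUGH = 2 };

/* Steps 201 to 205 on the receiving board 'my_lpu': read the SPI, derive the
 * target board, then decapsulate locally (205) or hand the packet, unmodified,
 * to the target board over the inter-board channel (204). */
enum dispatch classify_response(const uint8_t *pkt, size_t len, uint8_t my_lpu, uint8_t *target_lpu)
{
    uint32_t spi;
    uint8_t target;
    if (locate_spi(pkt, len, &spi) != 0)
        return DISPATCH_DROP;
    target = lpu_from_spi(spi);
    if (target_lpu)
        *target_lpu = target;
    return target == my_lpu ? DISPATCH_LOCAL : DISPATCH_PASSTHROUGH;
}

/* Constructed sample: a minimal IPv4 + ESP header (20 + 8 bytes) carrying the
 * given SPI and sequence number, enough for the dispatch decision. Returns the
 * bytes written, or 0 if the buffer is too small. */
size_t build_esp_sample(uint8_t *buf, size_t cap, uint32_t spi, uint32_t seq)
{
    static const uint8_t ipv4_hdr[20] = {
        0x45, 0x00, 0x00, 0x1c,          /* version 4, IHL 5, TOS, total length 28 */
        0x00, 0x01, 0x00, 0x00,          /* identification, flags/fragment offset */
        0x40, PROTO_ESP, 0x00, 0x00,     /* TTL, protocol = ESP, checksum left 0 */
        192, 0, 2, 1,                    /* src: server 104 (constructed address) */
        192, 0, 2, 103                   /* dst: network device 103 (constructed) */
    };
    if (cap < 28)
        return 0;
    memcpy(buf, ipv4_hdr, 20);
    for (int i = 0; i < 4; i++) {        /* SPI and sequence are big-endian on the wire */
        buf[20 + i] = (uint8_t)(spi >> (24 - 8 * i));
        buf[24 + i] = (uint8_t)(seq >> (24 - 8 * i));
    }
    return 28;
}

/* Fig. 1 walk-through: server 104 replies under the SA that board 'sa_owner'
 * negotiated (its inbound SA is the server's outbound SA, so the reply carries
 * sa_owner's SPI), and the reply lands on board 'receiver'. */
enum dispatch fig1_response_path(uint8_t sa_owner, uint8_t receiver, uint8_t *target_lpu)
{
    uint8_t pkt[64];
    size_t n = build_esp_sample(pkt, sizeof pkt, make_inbound_spi(sa_owner, 0x0ABCDEu), 1);
    return classify_response(pkt, n, receiver, target_lpu);
}
```

One caveat the page does not address: RFC 4303 reserves SPI values 0 through 255, so for board number 0 the random low bits must be drawn so that the resulting SPI stays outside that range.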
As shown in Figure 5, an embodiment of the present invention provides an Internet Protocol Security (IPsec) implementation device. The device is applied to a first business board and includes:
Receiving module 501, configured to receive a response message sent by a peer device.
Processing module 502, configured to obtain the value of a specific field carried in the response message, where the value of the specific field represents the identifier of a business board, and to determine, according to the value of the specific field, the target business board that is to process the response message.
Sending module 503, configured to pass the response message through to a second business board when the target business board is the second business board, so that the second business board performs the IPsec decapsulation operation on the response message.
Further, the processing module 502 is also configured, during generation of the inbound IPsec security association (SA) of the first business board, to write the identifier of the first business board into a specified position of the specific field, so that the peer device generates the response message by performing IPsec encapsulation of a message according to the inbound IPsec SA of the first business board.
Optionally, the processing module 502 is also configured, when the identifier of the first business board is the number of the first business board and the specific field is the Security Parameter Index (SPI), to write the number of the first business board into the specified position of the SPI.
Optionally, the specified position of the SPI is the highest 5 bits of the SPI.
Further, the sending module 503 is also configured to perform the IPsec decapsulation operation on the response message when the target business board is the first business board.
In the IPsec implementation device provided by the present invention, after the first business board receives a response message, it obtains the value of the specific field carried in the response message; from that value it can determine the target business board that is to process the response message, and when the target business board is the second business board (that is, another business board), it sends the response message to the second business board for processing. In the prior art, every LPU stores the IPsec SA entries generated by all LPUs in the network and, on receiving a response message, determines the LPU that is to process it by looking up its stored IPsec SA entries. By comparison, in the present invention an LPU can determine the target business board for a response message from the value of the specific field carried in the response message, without storing the IPsec SA entries generated by all LPUs in the network. This reduces the memory that IPsec SA entries occupy on an LPU and thereby improves LPU performance.
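The SPI layout and the receive-side dispatch used by both the method embodiment (Steps 1 to 4 above) and the device embodiment (modules 501 to 503), as an added example in C; it is not code from the patent or from the applicant. It assumes ESP (the SPI sits in the first four bytes of the ESP header), the 5-bit board number in the high bits that the patent specifies, and hypothetical names spi_make, esp_read_spi and dispatch; the sample packet is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Layout assumed by the patent: the board number occupies the 5 high-order bits of
 * the 32-bit SPI, the remaining 27 bits are the board's own SA index. The receiver
 * of an SA chooses its inbound SPI, which is what lets a board embed its id there. */
#define SPI_BOARD_BITS  5u
#define SPI_BOARD_SHIFT (32u - SPI_BOARD_BITS)
#define SPI_LOCAL_MASK  ((1u << SPI_BOARD_SHIFT) - 1u)

enum spi_action { SPI_LOCAL = 0, SPI_FORWARD = 1, SPI_DROP = 2 };

/* Inbound SPI for board `board_id` from a per-board SA index (constructed here; a
 * real LPU would draw it from its SA allocator). Returns 0 if the board id does not
 * fit in 5 bits or the result lands in the IANA-reserved range 0..255. */
uint32_t spi_make(unsigned board_id, uint32_t local_id) {
    if (board_id >= (1u << SPI_BOARD_BITS)) return 0;
    uint32_t spi = ((uint32_t)board_id << SPI_BOARD_SHIFT) | (local_id & SPI_LOCAL_MASK);
    return spi < 256u ? 0 : spi;
}

/* Board id carried in the high 5 bits of an SPI (Step 2 of the response path). */
unsigned spi_board_id(uint32_t spi) { return (unsigned)(spi >> SPI_BOARD_SHIFT); }

/* Read the SPI from an ESP header: first 4 bytes, network byte order. */
int esp_read_spi(const uint8_t *esp, size_t len, uint32_t *spi) {
    if (esp == NULL || len < 8) return -1;        /* SPI + sequence number = 8 bytes */
    *spi = ((uint32_t)esp[0] << 24) | ((uint32_t)esp[1] << 16) |
           ((uint32_t)esp[2] << 8)  |  (uint32_t)esp[3];
    return 0;
}

/* Steps 2-4: decapsulate locally, pass through to the board named in the SPI, or
 * drop a truncated packet. `*target` receives the board id read from the SPI. */
enum spi_action dispatch(unsigned my_board, const uint8_t *esp, size_t len, unsigned *target) {
    uint32_t spi;
    if (esp_read_spi(esp, len, &spi) != 0) return SPI_DROP;
    *target = spi_board_id(spi);
    return *target == my_board ? SPI_LOCAL : SPI_FORWARD;
}

int main(void) {
    /* Constructed ESP header: SPI 0x18001234 (board 3, index 0x1234), sequence 1. */
    uint8_t pkt[8] = {0x18, 0x00, 0x12, 0x34, 0x00, 0x00, 0x00, 0x01};
    unsigned target;
    enum spi_action a = dispatch(1, pkt, sizeof pkt, &target);   /* LPU1 receives it */
    printf("spi_make(3,0x1234)=0x%08x target=%u action=%d\n", spi_make(3, 0x1234), target, a);
    return 0;
}
```

The reserved-range check matters for board 0: its high bits are all zero, so a small local index alone would yield an SPI in 0..255.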
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for the parts that are identical or similar between embodiments, reference may be made from one to another. In particular, because the device embodiment is substantially similar to the method embodiment, it is described more briefly, and the relevant parts may be found in the description of the method embodiment.
From the above description of the embodiments, it will be clear to those skilled in the art that the present invention may be implemented by software plus the necessary general-purpose hardware, or of course by hardware alone, although the former is the better implementation in many cases. Based on this understanding, the technical solution of the present invention, or the part of it that contributes over the prior art, may be embodied in the form of a software product. The computer software product is stored in a readable storage medium, such as a computer floppy disk, hard disk or optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform the method described in each embodiment of the present invention.
The foregoing is only a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any change or replacement that a person familiar with the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention.

Claims (10)

1. An Internet Protocol Security (IPsec) implementation method, characterized in that the method comprises:
a first business board receiving a response message sent by a peer device;
obtaining the value of a specific field carried in the response message, the value of the specific field representing the identifier of a business board;
determining, according to the value of the specific field, the target business board that is to process the response message;
if the target business board is a second business board, passing the response message through to the second business board, so that the second business board performs an IPsec decapsulation operation on the response message.
2. The method according to claim 1, characterized in that, before the first business board receives the response message sent by the peer device, the method further comprises:
the first business board, during generation of the inbound IPsec security association (SA) of the first business board, writing the identifier of the first business board into a specified position of the specific field, so that the peer device generates the response message by performing IPsec encapsulation of a message according to the inbound IPsec SA of the first business board.
3. The method according to claim 2, characterized in that the identifier of the first business board is the number of the first business board; the specific field is the Security Parameter Index (SPI);
and writing the identifier of the first business board into the specified position of the specific field comprises:
writing the number of the first business board into the specified position of the SPI.
4. The method according to claim 3, characterized in that
the specified position of the SPI is the highest 5 bits of the SPI.
5. The method according to any one of claims 1 to 4, characterized in that the method further comprises:
if the target business board is the first business board, the first business board performing the IPsec decapsulation operation on the response message.
6. An Internet Protocol Security (IPsec) implementation device, characterized in that the device is applied to a first business board and comprises:
a receiving module, configured to receive a response message sent by a peer device;
a processing module, configured to obtain the value of a specific field carried in the response message, the value of the specific field representing the identifier of a business board, and to determine, according to the value of the specific field, the target business board that is to process the response message;
a sending module, configured to pass the response message through to a second business board when the target business board is the second business board, so that the second business board performs an IPsec decapsulation operation on the response message.
7. The device according to claim 6, characterized in that
the processing module is further configured, during generation of the inbound IPsec security association (SA) of the first business board, to write the identifier of the first business board into a specified position of the specific field, so that the peer device generates the response message by performing IPsec encapsulation of a message according to the inbound IPsec SA of the first business board.
8. The device according to claim 7, characterized in that the processing module is further configured, when the identifier of the first business board is the number of the first business board and the specific field is the Security Parameter Index (SPI), to write the number of the first business board into the specified position of the SPI.
9. The device according to claim 8, characterized in that
the specified position of the SPI is the highest 5 bits of the SPI.
10. The device according to any one of claims 6 to 9, characterized in that
the sending module is further configured to perform the IPsec decapsulation operation on the response message when the target business board is the first business board.
CN201610487849.5A 2016-06-29 2016-06-29 IPsec implementation method and device Pending CN107547479A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610487849.5A CN107547479A (en) 2016-06-29 2016-06-29 IPsec implementation method and device
Publications (1)

Publication Number Publication Date
CN107547479A true CN107547479A (en) 2018-01-05

Family

ID=60962454
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
Application publication date: 20180105