CN107547479A - IPsec implementation method and device - Google Patents
- Publication number: CN107547479A (application number CN201610487849.5A)
- Authority: CN (China)
- Prior art keywords: service board, ipsec, response packet, specific field, service
- Legal status: Pending (as listed by Google Patents; not a legal conclusion)
- Landscape: Data Exchanges In Wide-Area Networks
Abstract
The invention discloses an IPsec implementation method and device in the field of communication technology. It addresses a problem of the prior art, in which every LPU must store the IPsec SA entries of all LPUs in the whole network, occupying a large amount of LPU memory. The method comprises: a first service board receives a response packet sent by a peer device; it obtains the value of a specific field carried in the response packet, the value of the specific field representing the identifier of a service board; according to the value of the specific field it determines the target service board that is to process the response packet; and, if the target service board is a second service board, it transparently forwards the response packet to the second service board so that the second service board can perform IPsec decapsulation on it. The invention applies to the implementation of IPsec under a distributed processing architecture.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to an IPsec implementation method and device.
Background technology
Internet Protocol Security (IPsec) is a layer-3 tunnelling and encryption protocol suite defined by the Internet Engineering Task Force (IETF) and is the traditional technology for securing a layer-3 virtual private network (VPN). IPsec establishes a channel (commonly called an IPsec tunnel) between specific communicating parties, for example between two security gateways, to protect the user data transmitted between them, and so provides high-quality, cryptography-based security for data transferred over interconnected networks.
As networks have grown and the functional requirements on devices have risen, centralised devices often cannot meet actual needs, and distributed processing architectures have emerged. Under a distributed processing architecture a network device typically comprises one main control board (Main Processing Unit, MPU) and several service boards (Line interface Processing Units, LPUs). The MPU performs service configuration and manages the service boards; the service boards process the different services. When IPsec is implemented under such an architecture, each LPU is enabled for IPsec through interface configuration. A problem can then arise in practice: a request packet passes through the device and receives IPsec processing on LPU1, which generates an IPsec Security Association (SA) entry, but the response packet corresponding to that request is received by LPU2. Because LPU2 holds no IPsec SA information for the response packet, LPU2 drops it.
The solution offered in the prior art is for every LPU to store the IPsec SA entries generated by all LPUs in the network. When an LPU receives a response packet, it searches the IPsec SA entries it holds, determines which LPU should process the packet, and transparently forwards the packet to that LPU. However, this requires every LPU to hold all IPsec SA entries of all LPUs in the whole network, which consumes a large amount of LPU memory; in particular, as the number of LPUs and of IPsec SA entries in the network grows, the memory cost grows linearly and severely affects LPU performance.
Summary of the invention
The present invention provides an IPsec implementation method and device to solve the prior-art problem that every LPU must store the IPsec SA entries of all LPUs in the whole network, occupying a large amount of LPU memory.
To achieve this purpose, the present invention adopts the following technical scheme:
In a first aspect, the present invention provides an Internet Protocol Security (IPsec) implementation method, comprising: a first service board receives a response packet sent by a peer device; obtains the value of a specific field carried in the response packet, the value of the specific field representing the identifier of a service board; determines, according to the value of the specific field, the target service board that is to process the response packet, where a preset relation table records the correspondence between values of the specific field and service board identifiers; and, if the target service board is a second service board, transparently forwards the response packet to the second service board so that the second service board can perform IPsec decapsulation on it.
In a second aspect, the present invention provides an Internet Protocol Security (IPsec) implementation device applied to a first service board. The device comprises: a receiving module for receiving a response packet sent by a peer device; a processing module for obtaining the value of the specific field carried in the response packet, the value of the specific field representing the identifier of a service board, and for determining, according to that value, the target service board that is to process the response packet, where a preset relation table records the correspondence between values of the specific field and service board identifiers; and a sending module for transparently forwarding the response packet to a second service board when the target service board is the second service board, so that the second service board can perform IPsec decapsulation on it.
In the IPsec implementation method and device of the present invention, after the first service board receives a response packet it obtains the value of the specific field carried in the packet and from that value determines the target service board that is to process it; when the target is a second service board, that is, another service board, it sends the response packet to the second service board for processing. In the prior art every LPU stores the IPsec SA entries generated by all LPUs in the network and, on receiving a response packet, determines which LPU should process it by searching those entries. In the present invention, by contrast, an LPU determines the target service board from the value of the specific field carried in the response packet and need not store the IPsec SA entries generated by all LPUs in the network. This reduces the LPU memory occupied by IPsec SA entries and thus improves LPU performance.
Brief description of the drawings
To explain the technical scheme of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of a communication network provided by an embodiment of the present invention;
Fig. 2 is a schematic flow chart of an IPsec implementation method provided by an embodiment of the present invention;
Fig. 3 is a schematic flow chart of another IPsec implementation method provided by an embodiment of the present invention;
Fig. 4 is a schematic flow chart of another IPsec implementation method provided by an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an IPsec implementation device provided by an embodiment of the present invention.
Detailed description of the embodiments
The technical scheme of the embodiments is described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments that a person of ordinary skill in the art can obtain from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
As shown in Fig. 1, an embodiment of the present invention provides a communication network comprising a host (Host) 101, a host 102, a network device 103 and a server (Server) 104. The network device 103 may, for example, be a switch; it uses a distributed processing architecture, comprises an MPU, LPU1 and LPU2, and can implement IPsec. When IPsec is implemented, an IPsec tunnel can be established between network device 103 and server 104, and hosts 101 and 102 can communicate with server 104 through the IPsec tunnel, ensuring the security of the data transfer.
It should be noted that Fig. 1 is merely illustrative and does not limit the number of devices. For example, Fig. 1 shows only two hosts, 101 and 102, but a network in practice is not limited to two hosts, and network device 103 is not limited to the two service boards LPU1 and LPU2.
In the communication network of Fig. 1, because a distributed processing architecture is used, a request packet and the response packet corresponding to it must be processed by the same LPU. The IPsec implementation method and device of the embodiments of the present invention can be applied to the communication system of Fig. 1, specifically to the processing by any service board of a response packet it receives.
As shown in Fig. 2, an embodiment of the present invention provides an IPsec implementation method comprising the following steps.
201: The first service board receives a response packet sent by a peer device.
Here the first service board of the embodiment is any service board; the second service board is any other service board different from the first. "First" and "second" merely distinguish service boards; they neither designate a specific board nor impose an order. For example, the first service board may be LPU1 in Fig. 1 or LPU2 in Fig. 1.
The peer device is a device that has established IPsec communication with the first service board; an IPsec tunnel between the first service board and the peer device carries their data. For example, the peer device may be the server 104 in Fig. 1.
202: Obtain the value of the specific field carried in the response packet.
The value of the specific field represents the identifier of a service board: different values denote different service boards. For example, a value of 1 corresponds to identifier 1, whose service board is LPU1; a value of 2 corresponds to identifier 2, whose service board is LPU2.
In the prior art a response packet cannot itself be associated with a service board. Unlike the prior art, in this embodiment the response packet carries a specific field whose value identifies a service board, so the board that should process the packet can be determined from that value.
Optionally, the specific field is the Security Parameters Index (SPI), a field added to the packet header during IPsec encapsulation; the details are given below.
Optionally, the specific field may instead be another spare field. A spare field in this embodiment is a field that is either unassigned or assigned a value that has no practical meaning, that is, a field that plays no role in packet forwarding. For example, an existing field may be reused, such as the reserved field of the TCP header or, where the inner packet is a GRE packet, the reserved field of the GRE header; alternatively the IP protocol may be extended with an additional option field that holds the service board identifier. Note that with ESP encryption the headers of the inner packet, including TCP and GRE headers, are encrypted and cannot be read by the receiving board before decapsulation; only the outer IP header and the AH or ESP header, which carries the SPI, are in the clear. Fields of the inner packet are readable before decapsulation only when AH, or ESP with NULL encryption, is used.
203: Determine, according to the value of the specific field, the target service board that is to process the response packet.
In the prior art a response packet cannot be associated with the service board that should process it, only with an IPsec SA entry, so the first service board can determine the target board only by looking up IPsec SA entries; this requires it to hold the IPsec SA entries of all service boards, greatly increasing the memory the entries occupy.
In this embodiment the first service board, on receiving the response packet, determines the target service board directly from the value of the specific field, without looking up IPsec SA entries. It therefore need not hold the IPsec SA entries generated by other service boards, which reduces its memory footprint.
204: If the target service board is a second service board, transparently forward the response packet to the second service board so that it can perform IPsec decapsulation on the packet.
As stated above, the second service board is a service board different from the first.
Transparent forwarding means that the first service board performs no processing on the response packet and sends it directly to the second service board through the inter-board communication mechanism.
Specifically, if the target service board is the second service board, the first service board forwards the response packet unchanged to the second service board. The second service board receives it, uses the destination address, SPI and security protocol carried in the encapsulation header to look up the IPsec SA entry to be used for decapsulation, decapsulates the packet according to that entry, and sends the decapsulated packet to the corresponding host.
The processing the second service board performs for IPsec decapsulation after receiving the response packet follows the prior art and is not described further here.
205: If the target service board is the first service board, the first service board performs IPsec decapsulation on the response packet.
In this case the first service board does not forward the packet to any other service board; it decapsulates the response packet directly.
The IPsec decapsulation performed by the first service board after receiving the response packet likewise follows the prior art and is not described further here.
In the IPsec implementation method of this embodiment, after the first service board receives a response packet it obtains the value of the specific field carried in the packet and from that value determines the target service board that is to process it; when the target is a second service board, that is, another service board, it sends the response packet to the second service board for processing. In the prior art every LPU stores the IPsec SA entries generated by all LPUs in the network and, on receiving a response packet, determines which LPU should process it by searching those entries. In the present invention, by contrast, an LPU determines the target service board from the value of the specific field carried in the response packet and need not store the IPsec SA entries generated by all LPUs in the network. This reduces the LPU memory occupied by IPsec SA entries and thus improves LPU performance.
IPsec is not a single protocol; it provides a complete security architecture for network data at the IP layer, comprising the Authentication Header (AH) protocol, the Encapsulating Security Payload (ESP) protocol, the Internet Key Exchange (IKE) protocol, and the algorithms used for network authentication and encryption. AH and ESP provide the security services; IKE provides key exchange. IPsec encapsulates packets in one of two modes, transport mode and tunnel mode.
An IPsec SA is the basis of IPsec operation. It is an agreement established between the two communicating parties that fixes the protocol used to protect packets (AH or ESP), the encapsulation mode (transport or tunnel), the authentication algorithm, the encryption algorithm, the encryption key, the key lifetime and so on. An IPsec SA must exist before IPsec encapsulation or decapsulation of a packet can be performed; it can be created manually or established dynamically.
An IPsec SA is uniquely identified by the triple of SPI, destination IP address and IPsec protocol.
The SPI is a 32-bit Security Parameters Index, usually located in the AH or ESP header, which distinguishes different SAs that share the same destination IP address and security protocol; even if the destination IP address and security protocol are identical, the SPI identifies a unique SA. The destination IP address is the destination address carried in the outer header after the original packet has been encapsulated; it may, for example, be the IP address of the first service board or the IP address of the peer device. The IPsec protocol is AH or ESP.
Before packets are transmitted, the two parties must negotiate, generate and store an IPsec SA pair (some technical documents call the pair an IPsec SA bundle), consisting of an inbound IPsec SA, used to process received packets, and an outbound IPsec SA, used to process packets to be sent. The inbound and outbound SAs stored at the two parties are mutually "symmetric". For example, communication device 1 and communication device 2 are the two parties. When device 1 sends packet 1, it encapsulates it according to its outbound IPsec SA; when device 2 receives packet 1, it decapsulates it with its inbound IPsec SA, and device 2's inbound IPsec SA is identical to device 1's outbound IPsec SA. Likewise, when device 2 sends the response to packet 1 (called packet 2 in this embodiment), it encapsulates it with its outbound IPsec SA; when device 1 receives packet 2, it decapsulates it with its inbound IPsec SA, and device 1's inbound IPsec SA is identical to device 2's outbound IPsec SA.
It should be noted that the detailed working principles of the IPsec protocols follow the prior art and are not described here.
As shown in Fig. 3, an embodiment of the present invention also provides an IPsec implementation method that specifies how the response packet comes to be associated with a service board identifier. The method comprises:
301: While generating the inbound IPsec Security Association (SA) of the first service board, the first service board writes its identifier into a specified position of the specific field.
As stated above, before the first service board and the peer device exchange packets they must establish an IPsec tunnel and generate an IPsec SA pair consisting of an inbound IPsec SA, for processing received packets, and an outbound IPsec SA, for processing packets to be sent.
The inbound IPsec SA of the first service board is identical to the outbound IPsec SA of the peer device. Writing the identifier of the first service board into the specified position of the specific field while generating the first board's inbound IPsec SA therefore also means that the specified position of the specific field in the peer device's outbound IPsec SA holds the identifier of the first service board. When the peer device builds the response packet, it encapsulates it with the inbound IPsec SA of the first service board (that is, its own outbound IPsec SA), so the value of the specific field in the resulting response packet represents the identifier of the first service board.
For example, if field 1 is 16 bits wide and its high 5 bits hold the identifier of the first service board, then because different service boards have different identifiers, the value of field 1 differs between boards (its high 5 bits differ), and the value of field 1 can therefore represent different service boards.
201: The first service board receives a response packet sent by the peer device.
202: Obtain the value of the specific field carried in the response packet.
203: Determine, according to the value of the specific field, the target service board that is to process the response packet.
204: If the target service board is a second service board, transparently forward the response packet to the second service board so that it can perform IPsec decapsulation on the packet.
205: If the target service board is the first service board, the first service board performs IPsec decapsulation on the response packet.
For the specific implementation of steps 201 to 205, see the corresponding steps of the Fig. 2 embodiment above; they are not repeated here.
In the IPsec implementation method of this embodiment, while negotiating with the peer device to generate the first service board's inbound IPsec SA (the peer device's outbound IPsec SA), the first service board writes its identifier into the specified position of the specific field. When the peer device encapsulates a response packet according to its outbound IPsec SA, the identifier of the first service board is thus written into that position. After receiving the response packet, the first service board determines the target service board from the value of the specific field carried in the packet, without holding the IPsec SA entries generated by all LPUs in the network; this reduces the LPU memory occupied by IPsec SA entries and improves LPU performance.
As shown in Fig. 4, an embodiment of the present invention further provides an IPsec implementation method in which the identifier of the first service board is the number of the first service board and the specific field is the Security Parameters Index (SPI); step 301 is then refined to writing the number of the first service board into a specified position of the SPI. The method comprises:
401: While generating its inbound IPsec SA, the first service board writes its number into the specified position of the SPI.
The SPI is located in the AH or ESP header of the encapsulation.
Optionally, the specified position of the SPI is its highest 5 bits.
For example, all main control boards and service boards are numbered from 0. Since the number of service boards normally does not exceed 32, the highest 5 bits of the 4-byte inbound SPI can be used entirely for the service board number, and the remaining bits are generated randomly.
201: The first service board receives a response packet sent by the peer device.
202: Obtain the value of the specific field carried in the response packet.
203: Determine, according to the value of the specific field, the target service board that is to process the response packet.
204: If the target service board is a second service board, transparently forward the response packet to the second service board so that it can perform IPsec decapsulation on the packet.
205: If the target service board is the first service board, the first service board performs IPsec decapsulation on the response packet.
For the specific implementation of steps 201 to 205, see the corresponding steps of the Fig. 2 embodiment above; they are not repeated here.
To explain the IPsec implementation method of any of the Fig. 1 to Fig. 4 embodiments more clearly, an embodiment of the present invention also provides an IPsec implementation method, described with reference to the communication network of Fig. 1, taking as an example a request packet sent from host 101 to server 104 and a response packet returned from server 104 to host 101, with LPU1 as the first service board. The method comprises:
Processing of the request packet sent from host 101 to server 104:
Step 1: When the request packet from host 101 reaches network device 103, the MPU of network device 103 looks up its routes and finds that the packet must be routed to the interface on LPU1 for processing.
Step 2: The interface on LPU1 is configured with IPsec, which triggers IPsec negotiation with server 104 and generates the inbound IPsec SA and outbound IPsec SA needed for IPsec encryption and decryption. When the inbound SPI is generated, the identifier of LPU1 is recorded in its high 5 bits.
Step 3: LPU1 sends the IPsec-encapsulated packet to server 104.
Processing of the response packet sent from server 104 to host 101:
Step 1: LPU1 receives the response packet sent by server 104; the high 5 bits of the packet's SPI field identify the service board that is to process it.
Step 2: LPU1 determines the target service board from the value of the high 5 bits of the SPI field in the response packet.
Step 3: If the target service board is LPU1 itself, LPU1 performs IPsec decapsulation on the response packet.
Step 4: If the target service board is LPU2, LPU1 transparently forwards the response packet to LPU2, and LPU2 performs IPsec decapsulation on it.
In the IPsec implementation method of this embodiment, while negotiating with server 104 to generate LPU1's inbound IPsec SA (server 104's outbound IPsec SA), LPU1 writes its identifier into the high 5 bits of the SPI. When server 104 encapsulates a response packet according to its outbound IPsec SA, the identifier of LPU1 is therefore written into the high 5 bits of the SPI. After receiving a response packet, LPU1 determines the target service board from the value of the high 5 bits of the SPI carried in the packet: if the target is LPU1 itself, it decapsulates the packet directly; if the target is another service board, it forwards the packet unchanged to that board, which performs the decapsulation. LPU1 therefore need not hold the IPsec SA entries generated by all LPUs in the network, which reduces the LPU memory occupied by IPsec SA entries and improves LPU performance.
As shown in figure 5, the embodiment of the present invention provides a kind of safe IPsec of procotol realization device, described device should
For the first business board, described device includes:
Receiving module 501, for receiving the response message of opposite equip. transmission.
Processing module 502, for obtaining the value of the specific field carried in the response message, the specific field
Value is used for the mark for representing business board;According to the value of the specific field, it is determined that the mesh for handling the response message
Mark business board.
Sending module 503, for being the second business board when the target service plate, to described in the second business board transparent transmission
Response message, in order to which second business board carries out IPsec decapsulation operations to the response message.
Further, the processing module 502 is also used to write, during generation of the inbound IPsec security association (SA) of the first service board, the identifier of the first service board into the specified position of the specific field, so that the peer device generates the response message by performing IPsec encapsulation on a message according to the inbound IPsec SA of the first service board.
Optionally, the processing module 502 is also used to write the number of the first service board into the specified position of the SPI when the identifier of the first service board is the number of the first service board and the specific field is the Security Parameter Index (SPI).
Optionally, the specified position of the SPI is the highest 5 bits of the SPI.
Further, the sending module 503 is also used to perform the IPsec decapsulation operation on the response message when the target service board is the first service board.
In the IPsec implementation device provided by the invention, after the first service board receives a response message it obtains the value of the specific field carried in the response message; from that value it can determine the target service board that handles the response message, and when the target service board is the second service board, that is, another service board, it sends the response message to the second service board for processing. In the prior art, each LPU stores the IPsec SA entries generated by all LPUs in the network and, on receiving a response message, determines the LPU that handles it by looking up its stored IPsec SA entries. By comparison, in the present invention an LPU can determine the target service board that handles the response message from the value of the specific field carried in the response message, without storing the IPsec SA entries generated by all LPUs in the network; this reduces the memory occupied on the LPU by IPsec SA entries and thus improves LPU performance.
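The SPI encoding and the receive-side dispatch that the method paragraph and the device summary above describe, as an added illustration in Python (this is not the patent's code; board numbers, the 27-bit board-local part, the constructed ESP packet and the SA table are assumptions, the ESP header layout and the reserved SPI range are from RFC 4303):

```python
import struct

LPU_ID_BITS = 5                  # the board id occupies the highest 5 bits of the 32-bit SPI
LPU_ID_SHIFT = 32 - LPU_ID_BITS  # the remaining 27 bits are allocated by each board itself
LPU_ID_MASK = (1 << LPU_ID_BITS) - 1
SPI_RESERVED_MAX = 255           # RFC 4303: SPI values 0..255 are reserved


def encode_spi(lpu_id: int, local_part: int) -> int:
    """Build an inbound SPI carrying the board number (0..31) in its top 5 bits.

    local_part is a board-local unique value in 0..2**27-1 (an assumption).
    """
    if not 0 <= lpu_id <= LPU_ID_MASK:
        raise ValueError("board id must fit in 5 bits")
    if not 0 <= local_part < (1 << LPU_ID_SHIFT):
        raise ValueError("local part must fit in 27 bits")
    spi = (lpu_id << LPU_ID_SHIFT) | local_part
    if spi <= SPI_RESERVED_MAX:  # only reachable for board 0 with a tiny local part
        raise ValueError("SPI falls in the reserved range 0..255")
    return spi


def lpu_from_spi(spi: int) -> int:
    """Recover the target board number from the top 5 bits of an SPI."""
    return (spi >> LPU_ID_SHIFT) & LPU_ID_MASK


def esp_spi(packet: bytes) -> int:
    """Read the SPI from an ESP payload (RFC 4303: 4-byte SPI, then 4-byte sequence number)."""
    if len(packet) < 8:
        raise ValueError("truncated ESP header")
    return struct.unpack("!I", packet[:4])[0]


def dispatch(packet: bytes, this_lpu: int, local_sas: dict) -> tuple:
    """Decide what the receiving board does with an ESP response message.

    ("forward", board)    another board owns the SA: pass through, no SA lookup
    ("decapsulate", spi)  this board owns the SA and has it in its own table
    ("drop", spi)         the SPI names this board but no inbound SA exists here
    """
    spi = esp_spi(packet)
    target = lpu_from_spi(spi)
    if target != this_lpu:
        return ("forward", target)
    if spi not in local_sas:
        return ("drop", spi)
    return ("decapsulate", spi)


# Constructed sample: LPU1 negotiated an inbound SA; the peer sends an ESP packet on it.
SAMPLE_SPI = encode_spi(1, 0x1234)                          # 0x08001234
SAMPLE_ESP = struct.pack("!II", SAMPLE_SPI, 1) + b"<ciphertext>"
```

Because the SPI travels in cleartext, the top 5 bits also reveal to an on-path observer which board terminates the SA; that is inherent to the scheme and worth noting when sizing the board-local 27-bit space, which must stay unique per board.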
The embodiments in this specification are described in a progressive manner; identical or similar parts among the embodiments may be referred to each other, and each embodiment focuses on its differences from the other embodiments. In particular, since the device embodiment is substantially similar to the method embodiment, its description is relatively simple, and the relevant parts may be found in the description of the method embodiment.
From the above description of the embodiments, it is clear to those skilled in the art that the present invention can be implemented by software plus the necessary general-purpose hardware, and of course also by hardware alone, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored in a readable storage medium such as a computer floppy disk, hard disk or optical disc, including a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform the method described in each embodiment of the present invention.
The foregoing is merely a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto. Any change or replacement that a person familiar with the technical field can readily conceive within the technical scope disclosed by the present invention shall be covered by the protection scope of the present invention.
Claims (10)
1. An Internet Protocol Security (IPsec) implementation method, characterised in that the method comprises:
a first service board receiving a response message sent by a peer device;
obtaining the value of a specific field carried in the response message, the value of the specific field being used to represent the identifier of a service board;
determining, according to the value of the specific field, the target service board that handles the response message;
if the target service board is a second service board, transparently forwarding the response message to the second service board, so that the second service board performs an IPsec decapsulation operation on the response message.
2. The method according to claim 1, characterised in that before the first service board receives the response message sent by the peer device, the method further comprises:
during generation by the first service board of the inbound IPsec security association (SA) of the first service board, writing the identifier of the first service board into a specified position of the specific field, so that the peer device generates the response message by performing IPsec encapsulation on a message according to the inbound IPsec SA of the first service board.
3. The method according to claim 2, characterised in that the identifier of the first service board is the number of the first service board and the specific field is a Security Parameter Index (SPI);
writing the identifier of the first service board into the specified position of the specific field comprises:
writing the number of the first service board into the specified position of the SPI.
4. The method according to claim 3, characterised in that
the specified position of the SPI is the highest 5 bits of the SPI.
5. The method according to any one of claims 1 to 4, characterised in that the method further comprises:
if the target service board is the first service board, the first service board performing the IPsec decapsulation operation on the response message.
6. An Internet Protocol Security (IPsec) implementation device, characterised in that the device is applied to a first service board and comprises:
a receiving module, for receiving a response message sent by a peer device;
a processing module, for obtaining the value of a specific field carried in the response message, the value of the specific field being used to represent the identifier of a service board, and for determining, according to the value of the specific field, the target service board that handles the response message;
a sending module, for transparently forwarding the response message to a second service board when the target service board is the second service board, so that the second service board performs an IPsec decapsulation operation on the response message.
7. The device according to claim 6, characterised in that
the processing module is further used to write, during generation of the inbound IPsec security association (SA) of the first service board, the identifier of the first service board into a specified position of the specific field, so that the peer device generates the response message by performing IPsec encapsulation on a message according to the inbound IPsec SA of the first service board.
8. The device according to claim 7, characterised in that the processing module is further used to write the number of the first service board into the specified position of the SPI when the identifier of the first service board is the number of the first service board and the specific field is a Security Parameter Index (SPI).
9. The device according to claim 8, characterised in that
the specified position of the SPI is the highest 5 bits of the SPI.
10. The device according to any one of claims 6 to 9, characterised in that
the sending module is further used to perform the IPsec decapsulation operation on the response message when the target service board is the first service board.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610487849.5A CN107547479A (en) | 2016-06-29 | 2016-06-29 | IPsec implementation method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107547479A true CN107547479A (en) | 2018-01-05 |
Family
ID=60962454
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610487849.5A Pending CN107547479A (en) | 2016-06-29 | 2016-06-29 | IPsec implementation method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107547479A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115766625A (en) * | 2022-09-07 | 2023-03-07 | 迈普通信技术股份有限公司 | Interface resource synchronization method and device and distributed switch |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101106450A (en) * | 2007-08-16 | 2008-01-16 | 杭州华三通信技术有限公司 | Secure protection device and method for distributed packet transfer |
CN103546497A (en) * | 2012-07-09 | 2014-01-29 | 杭州华三通信技术有限公司 | Method and device for distributed firewall IPSec (internet protocol security) business load sharing |
CN104994022A (en) * | 2015-05-15 | 2015-10-21 | 杭州华三通信技术有限公司 | Message transmission method and service board |
CN105471768A (en) * | 2014-08-26 | 2016-04-06 | 华为技术有限公司 | CAPWAP message transmission method and network switch |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20180105 |