CN108322330A - IPsec VPN sequence number and anti-replay window synchronization method and apparatus - Google Patents
Publication number: CN108322330A (application CN201711435535.1A)
Authority: CN (China)
Prior art keywords: ipsec vpn, sequence number, anti-replay window, reset, module
Legal status: Granted
Classifications
- H04L41/0663: Performing the actions predefined by failover planning, e.g. switching to standby network elements
- H04L1/22: Arrangements for detecting or preventing errors in the information received using redundant apparatus to increase reliability
- H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L12/4641: Virtual LANs, VLANs, e.g. virtual private networks [VPN]
- H04L63/0485: Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
Abstract
The invention discloses an IPsec VPN sequence number and anti-replay window synchronization method and apparatus. The apparatus comprises master and slave IPsec VPN devices in a dual-device redundant deployment, together with an SA synchronization module, a send cache module, a receive cache module, a send sequence number reset module, an anti-replay window reset module and an average packet length detection module. The SA synchronization module synchronizes SA data; the send cache module buffers packets waiting to be sent; the receive cache module buffers packets waiting to be received; the send sequence number reset module resets the send sequence number counter; the anti-replay window reset module resets the anti-replay window; the average packet length detection module computes the average packet length of the matching SA. A corresponding IPsec VPN sequence number and anti-replay window synchronization method is also disclosed. The invention achieves real-time synchronization between master and slave IPsec VPN devices and fast switchover after a failure.
Description
Technical field
The present invention relates to the field of information security, and in particular to an IPsec VPN sequence number and anti-replay window synchronization method and apparatus.
Background technology
IPESC:The abbreviation of Internet Protocol Security indicates Internet protocol safeties.It is a kind of
The frame structure of open standard, it is enterprising in Internet agreements (IP) network to ensure by using encrypted security service
The communication of row secrecy and safety;
VPN:Virtual Private Network(Virtual Private Network, abbreviation VPN) it refers to establishing in common network
The technology of dedicated network.Why it is known as virtual net, the company being primarily due between any two node of entire VPN network
It connects there is no the physical link end to end needed for traditional private network, but the network that framework is provided in common network service provider is flat
Platform, such as Internet, ATM (asynchronous transfer mode >, Frame Relay(Frame relay)Logical network Deng on, user data
It is transmitted in logical links.It is covered across the special of encapsulation, encryption and the authentication link for sharing network or public network
The extension of network.VPN mainly uses tunneling technique, encryption and decryption technology, key management technology and user and equipment identities are recognized
Card technology.
Security strategy (SP):For security strategy generally by the selector unique designation of quintuple form, which includes source
IP address, purpose IP address, source transport layer port, purpose transport layer port, transport layer protocol number, indicate clear data message
Processing mode:It abandons, handled around IPSec or using ipsec security alliance.
Security Association (SA):Security Association includes Security Parameter Index by triple unique mark, the triple(SPI)、
Purpose IP address(Unicast address)And security protocol(AH or ESP)Identifier indicates the algorithm, close of IPSec processing data packets
The specific parameters such as key, anti-playback window, packaged type.
Sequence number(Sequence Number):32 monotone-increasing sequences number do not allow to repeat, and uniquely identify every
One transmission data packet provides anti-Replay Protection for security association.Receiving terminal verification sequence number obtains data packet for the field value
It is no to be received, reject the data packet received.
Anti- playback window:The anti-operation principle for resetting window is limited the data packet sequence row number range received,
Avoid processing Replay Attack message that forwarding performance is caused to decline even cisco unity malfunction.If anti-playback window size is W, window
Mouthful left boundary value be N, right boundary value N+W-1, if the sequence of message number received, within the scope of this, while message is
New, then it is assumed that message is legal, and continues with.If the anti-playback window right boundary value that sequence of message number is more than is M, to
Anti- playback window is moved right, right boundary value becomes M, and left boundary value becomes M-W+1.If at this moment it is small to retransmit test serial number by attacker
It will be identified as resetting message in left boundary value, be dropped.As VPN device persistently receives flow, anti-playback window will
Constantly slide to the right.
IKE :Internet Key Exchange, for exchanging and managing the encryption key used in VPN.
ISAKMP:Internet Security Association and Key Management Protocol, in
Literary fame claims:Internet security associations and Key Management Protocol.
FIFO:First in first out, is a kind of method for handling the program work requirement sent out from queue or storehouse, it makes earliest
Requirement handled at first.
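As an added example (not part of the patent text), the following Python models the sliding anti-replay window defined above: window size W, left boundary N, right boundary N+W-1, sliding when a sequence number exceeds the right boundary, and rejection of sequence numbers below the left boundary or already seen. The bitmap of seen sequence numbers is an implementation choice assumed here; the text does not prescribe one.

```python
from dataclasses import dataclass

SEQ_MAX = 2**32 - 1  # IPsec sequence numbers are 32-bit


@dataclass
class AntiReplayWindow:
    """Sliding window of size W over received sequence numbers.

    right is the highest sequence number accepted so far (M in the text);
    left is right - W + 1; bit i of the bitmap is set when sequence number
    right - i has already been received.  The bitmap is an assumed
    implementation detail, not something the patent specifies.
    """
    size: int = 64          # W
    right: int = 0
    bitmap: int = 0
    started: bool = False

    @property
    def left(self) -> int:
        return max(self.right - self.size + 1, 0)

    def check_and_update(self, seq: int) -> str:
        """Return 'accept', 'replay' or 'below_window' for one received packet."""
        if not 0 <= seq <= SEQ_MAX:
            raise ValueError("sequence number must be a 32-bit unsigned integer")
        if not self.started:
            # The first packet on the SA anchors the window.
            self.started, self.right, self.bitmap = True, seq, 1
            return "accept"
        if seq > self.right:
            # Beyond the right boundary: slide so that right = seq and
            # left = seq - W + 1, keeping the history that stays in range.
            shift = seq - self.right
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.right = seq
            return "accept"
        if seq < self.left:
            # Older than the window: cannot be verified, dropped as a replay.
            return "below_window"
        offset = self.right - seq
        if (self.bitmap >> offset) & 1:
            return "replay"      # duplicate inside the window
        self.bitmap |= 1 << offset
        return "accept"


def run_trace(seqs, size=8):
    """Feed a constructed list of received sequence numbers through one
    window; return the verdicts and the final (left, right) boundaries."""
    win = AntiReplayWindow(size=size)
    verdicts = [win.check_and_update(s) for s in seqs]
    return verdicts, (win.left, win.right)


if __name__ == "__main__":
    # Constructed trace: reorder (3 before 2), duplicate (3), jump (20), stale (5).
    print(run_trace([1, 3, 2, 3, 20, 5, 13, 21]))
```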
Because an IPsec VPN uses a variety of security techniques to process data and is deployed at the entrance of the user network, the demands on device processing performance and reliability are very high; dual-device redundant deployment of IPsec VPN devices can be used to address performance and reliability.
However, the characteristics of the IPsec VPN technology itself obstruct dual-device redundant deployment: because the sequence number and the anti-replay window are updated with every data packet, instant synchronization of sequence numbers and anti-replay windows between different devices cannot be achieved, so hot switchover on failure is problematic.
Invention content
To solve the above problems, the present invention proposes a method and apparatus for synchronizing the sequence number and the anti-replay window between master and slave IPsec VPN devices in a dual-device redundant deployment, so that the master and slave IPsec VPN devices can achieve fast failover.
The specific technical solution is an IPsec VPN sequence number and anti-replay window synchronization apparatus, comprising master and slave IPsec VPN devices in a dual-device redundant deployment and further comprising an SA synchronization module, a send cache module, a receive cache module, a send sequence number reset module, an anti-replay window reset module and an average packet length detection module;
the SA synchronization module runs throughout on both master and slave IPsec VPN devices and synchronizes SA data;
the send cache module is used, after an active/standby switchover and before the sequence number reset confirmation message of the peer device is received, to cache packets that need to be encrypted and encapsulated by this device and sent to the external network;
the receive cache module is used, after an active/standby switchover and before the anti-replay window reset confirmation message of the peer device is received, to cache packets arriving from the peer IPsec VPN device on the external network that need to be decrypted and decapsulated;
the send sequence number reset module is used, after an active/standby switchover, to reset the send sequence number counter, while sending a send sequence number reset notification message to the peer IPsec VPN device and waiting to receive the sequence number reset confirmation message of the peer IPsec VPN device;
the anti-replay window reset module is used, after an active/standby switchover, to reset the anti-replay window, while sending an anti-replay window reset notification message to the peer IPsec VPN device and waiting to receive the anti-replay window reset confirmation message of the peer IPsec VPN device;
the average packet length detection module runs on the master IPsec VPN device and computes the average packet length of the matching SA;
the receive cache module, send cache module, anti-replay window reset module and send sequence number reset module operate only during the period from the moment the slave IPsec VPN device switches to become the master until the device has completed the sequence number counter reset and anti-replay window reset for all SAs.
Preferably, the SA data comprise the current Security Parameter Index (SPI), destination IP address (unicast address) and security protocol (AH or ESP) identifier, together with the send sequence number, the anti-replay window value and the average packet length; these data specify the concrete security parameters with which IPsec processes packets, such as the algorithm, key, anti-replay window and encapsulation mode.
Preferably, the send cache module and the receive cache module are FIFO queues, i.e. packets are processed in the order in which they entered.
Preferably, the average packet length detection module maintains one packet counter and one average packet length for each security association SA.
Preferably, the send sequence number reset notification message, sequence number reset confirmation message, anti-replay window reset notification message and anti-replay window reset confirmation message are four message types added to the IKE-ISAKMP notify payload.
The present invention also discloses an IPsec VPN sequence number and anti-replay window synchronization method, characterized by comprising the following steps:
S1. The master and slave IPsec VPN devices run the SA synchronization module; each time the master IPsec VPN device successfully negotiates a key, the master actively pushes the latest SA data to the slave IPsec VPN device. Meanwhile, the slave IPsec VPN device starts the packet receive cache module, packet send cache module, anti-replay window reset module and send sequence number reset module and places these modules in a ready-waiting state;
S2. The device that has become master after the switchover receives the first packet that passes through it from the internal network to the external network and caches it in the send cache module; it resets the send sequence number counter and at the same time sends a send sequence number reset notification message to the corresponding peer IPsec VPN device;
the device that has become master after the switchover receives the first packet that passes through it from the external network to the internal network and caches it in the receive cache module; it resets the anti-replay window and at the same time triggers an anti-replay window reset notification message to the corresponding peer IPsec VPN device;
S3. Packets to be sent continue to be cached in the send cache module until the sequence number reset confirmation message of the peer IPsec VPN device is received; packets to be received continue to be cached in the receive cache module until the anti-replay window reset confirmation message of the peer IPsec VPN device is received;
S4. After the sequence number reset confirmation message is received, the packets in the send cache module are encapsulated with the reset sequence numbers and sent to the peer IPsec VPN device in first-in first-out order; after the anti-replay window reset confirmation message is received, the packets in the receive cache module are decapsulated according to the reset sequence number and forwarded to the internal network in first-in first-out order;
S5. Synchronization is complete.
Preferably, the send sequence number counter reset in S2 is performed as follows: send sequence number reset value = send sequence number in the most recently synchronized SA data + ((switchover time - most recent synchronization time) × NIC rate) / average packet length, where the sequence number is a 32-bit positive integer, time is in seconds, the NIC rate is in megabits and the average packet length is in bits. The average packet length is calculated as follows:
1) after each successful IKE negotiation that updates the SA, the packet counter is reset;
2) for the first packet received after the SA update, its packet length is assigned directly to the average packet length;
3) thereafter the average packet length is calculated as ((previous average packet length × packet counter) + length of the packet just received) / (packet counter + 1).
Preferably, the anti-replay window reset in S2 is performed as follows: the sequence number of the received packet is set as the left boundary of the anti-replay window, and the right boundary of the anti-replay window is: left boundary + anti-replay window size - 1.
The method can be implemented either with or without the hardware described above.
The beneficial effects of the present invention are: real-time synchronization of the sequence number and the anti-replay window between master and slave IPsec VPN devices in a dual-device redundant deployment, so that the master and slave IPsec VPN devices can achieve fast failover without adding traffic or resource consumption.
Description of the drawings
Fig. 1 is a schematic diagram of sequence number and anti-replay window synchronization.
Specific implementation mode
To make the technical features, objects and effects of the present invention clearer, the specific implementation of the invention is now described with reference to the drawings.
After each successful IKE key negotiation, the master IPsec VPN device synchronizes the SA to the slave IPsec VPN device, including the current triple, i.e. the Security Parameter Index (SPI), destination IP address (unicast address) and security protocol (AH or ESP) identifier, together with security parameters such as the session key, the sequence number, the anti-replay window and the average packet length, which guarantees that the slave device holds a backup of the latest sequence number and anti-replay window. After a master-slave switchover, the slave device sets up the session key, SPI and other security parameters, the sequence number and the anti-replay window from the most recently synchronized SA, and then handles packets in the sending and receiving directions separately. For packets sent from the internal network to the external network through the IPsec VPN device, it triggers an IKE message notification for the matching security association SA and a reset of the sequence number counter (updated to the most recently synchronized SA sequence number before the switchover plus an offset); according to the security policy SP and security association SA matched by the packet, it sends a notification message containing the latest sequence number to the corresponding peer IPsec VPN device, informing the peer to reset its anti-replay window (the left boundary of the window is updated to the latest sequence number), and caches packets until the confirmation message is received; once the confirmation message is received, the cached packets are sent out in order of entry with the latest sequence numbers. For packets arriving from the peer IPsec VPN device on the external network, it triggers an IKE message notification to the peer IPsec VPN device confirming the sequence number of the packet and caches packets until the confirmation message is received; once the confirmation message is received, it resets the anti-replay window of the matching security association SA according to the sequence number of the packet and sends out the cached packets in order of entry.
As shown in Fig. 1, the specific technical solution is that the present invention provides an IPsec VPN sequence number and anti-replay window synchronization apparatus, comprising master and slave IPsec VPN devices in a dual-device redundant deployment and further comprising an SA synchronization module, a send cache module, a receive cache module, a send sequence number reset module, an anti-replay window reset module and an average packet length detection module.
The functions and operation of the modules are as follows:
The SA synchronization module runs throughout on both master and slave IPsec VPN devices; the average packet length detection module runs on the master IPsec VPN device; the packet receive cache module, packet send cache module, anti-replay window reset module and send sequence number reset module operate only during the period from the moment the slave IPsec VPN device switches to become the master until the device has completed the sequence number counter reset and anti-replay window reset for all SAs.
The packet send cache module caches, in a FIFO (first in, first out) queue, packets that are to be sent from the internal network to the external network through the IPsec VPN device, for as long as the security association SA matched by the packet has not yet completed its sequence number counter reset; after the sequence number counter has been reset successfully, the cached packets go through the normal IPsec VPN packet encryption and encapsulation process in order and are sent to the external network.
The packet receive cache module caches, in a FIFO (first in, first out) queue, packets received from the peer IPsec VPN device on the external network, for as long as the security association SA matched by the packet has not yet completed its anti-replay window reset; after the anti-replay window has been reset successfully, the cached packets go through the normal IPsec VPN packet decapsulation and decryption process in order and are sent to the internal network.
The send sequence number reset module is responsible, after the master-slave IPsec VPN switchover, for resetting the sequence number counter of the security association SA corresponding to packets that are to be encrypted and encapsulated by the IPsec VPN device and sent from the internal network to the external network. The specific process is as follows: for a packet received from the internal network that needs to be encrypted and encapsulated by the IPsec VPN device, if the security association SA matched by the packet has not yet successfully reset its sequence number counter, the packet triggers an IKE message notification and a reset of the sequence number counter (updated to the most recently synchronized SA sequence number before the switchover plus an offset); according to the security policy SP and security association SA matched by the packet, a notification message containing the latest sequence number is sent to the corresponding peer IPsec VPN device, informing the peer to reset its anti-replay window (the left boundary of the window is updated to the latest sequence number); until the confirmation message is received, packets are placed in the packet send cache module; once the confirmation message is received the process is complete, and the cached and subsequent packets are processed with the latest sequence number counter, in the order in which they entered the cache. The sequence number counter reset value is calculated as follows:
most recently synchronized SA sequence number + ((switchover time - most recent synchronization time) × NIC rate) / average packet length
In this formula the sequence number is a 32-bit positive integer, time is in seconds, the NIC rate is in megabits (commonly one of the four rates 10, 100, 1000 and 10000) and the average packet length is in bits.
The average packet length detection module maintains one packet counter and one average packet length for each security association SA and computes the average packet length of packets matching that security association. The calculation is: after each successful IKE negotiation that updates the SA, the packet counter is reset; each time a packet matching the security association SA is received, the packet counter is incremented by 1; for the first packet received after the SA update, its packet length is assigned directly to the average packet length; thereafter the average packet length is calculated as:
((previous average packet length × packet counter) + length of the packet just received) / (packet counter + 1)
The anti-replay window reset module is responsible, after the master-slave IPsec VPN switchover, for resetting the anti-replay window of the security association SA corresponding to packets received from the peer IPsec VPN device on the external network. The specific process is as follows: for a packet arriving from the peer IPsec VPN device on the external network that needs to be decrypted and decapsulated, if the security association SA matched by the packet has not yet successfully reset its anti-replay window, the packet triggers an IKE message notification and an anti-replay window reset (the left boundary of the anti-replay window is updated to the sequence number of the packet); the sequence number of the packet is confirmed with the peer IPsec VPN device through the IKE message notification, and until the confirmation message is received packets are placed in the packet receive cache module; once the confirmation message is received the process is complete, and the cached and subsequent packets are processed with the latest anti-replay window, in the order in which they entered the cache. The SA synchronization module runs throughout on both master and slave IPsec VPN devices and synchronizes SA data.
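The following Python is an added example (not the patent's own code) of the reset arithmetic described above: the per-SA running average packet length, the send sequence number reset value, and the anti-replay window reset. It assumes the NIC rate is given in Mbit/s and is scaled to bits before dividing by the average packet length in bits, rounds the packet offset up so the new master never reuses a sequence number the old master may already have sent, and treats a result outside 32 bits as requiring a rekey; none of those details are stated on the page.

```python
import math

SEQ_MAX = 2**32 - 1  # the page states sequence numbers are 32-bit positive integers


class AveragePacketLength:
    """Per-SA packet counter and running average packet length (bits)."""

    def __init__(self):
        self.reset()

    def reset(self):
        """Called after each successful IKE negotiation that updates the SA."""
        self.count = 0
        self.average = 0.0

    def observe(self, packet_bits: int) -> float:
        if self.count == 0:
            # First packet after the SA update: its length becomes the average.
            self.average = float(packet_bits)
        else:
            # ((previous average x counter) + this packet) / (counter + 1)
            self.average = (self.average * self.count + packet_bits) / (self.count + 1)
        self.count += 1
        return self.average


def send_sequence_reset_value(last_synced_seq: int, switch_time_s: float,
                              last_sync_time_s: float, nic_rate_mbit: int,
                              avg_packet_bits: float) -> int:
    """Sequence number the new master starts from: the last synchronized value
    plus the number of packets the old master could have sent at line rate
    since the last synchronization."""
    if avg_packet_bits <= 0 or switch_time_s < last_sync_time_s:
        raise ValueError("invalid reset inputs")
    # Assumption: the NIC rate in Mbit/s is scaled to bits to match the
    # average packet length in bits; the page gives units but not the scaling.
    bits_possible = (switch_time_s - last_sync_time_s) * nic_rate_mbit * 1_000_000
    # Assumption: round up, so the estimate never trails what was actually sent.
    offset = math.ceil(bits_possible / avg_packet_bits)
    value = last_synced_seq + offset
    if value > SEQ_MAX:
        # A 32-bit sequence number must not wrap; the SA has to be rekeyed.
        raise OverflowError("reset value exceeds 32 bits; rekey the SA instead")
    return value


def reset_anti_replay_window(received_seq: int, window_size: int) -> tuple:
    """Window reset on the receiving side: left = sequence number of the
    packet that triggered the reset, right = left + W - 1."""
    left = received_seq
    return left, left + window_size - 1


def failover_example():
    """Constructed scenario: SA synced at t=10.0 s with send seq 1000,
    switchover at t=10.5 s on a 100 Mbit NIC, average packet length tracked
    from three constructed packet sizes (bits), window size 64."""
    avg = AveragePacketLength()
    for bits in (4000, 12000, 8000):
        avg.observe(bits)
    new_seq = send_sequence_reset_value(1000, 10.5, 10.0, 100, avg.average)
    window = reset_anti_replay_window(new_seq, 64)
    return avg.average, new_seq, window


if __name__ == "__main__":
    print(failover_example())
```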
Preferably, the send sequence number reset notification message, sequence number reset confirmation message, anti-replay window reset notification message and anti-replay window reset confirmation message are four message types added to the IKE-ISAKMP notify payload.
The present invention also discloses an IPsec VPN sequence number and anti-replay window synchronization method, characterized by comprising the following steps:
S1. The master IPsec VPN device runs the SA synchronization module and the average packet length detection module, and the slave IPsec VPN device runs the SA synchronization module; each time the master IPsec VPN device successfully negotiates a key, it actively pushes the latest SA-related data to the slave IPsec VPN device (including security parameters such as the session key and SPI, the sequence number, the anti-replay window and the average packet length); the slave IPsec VPN device starts the packet receive cache module, packet send cache module, anti-replay window reset module and send sequence number reset module and places these modules in a ready-waiting state;
S2. The IPsec VPN device operating as master after the switchover receives a packet from the internal network that needs to be encrypted and encapsulated by the IPsec VPN device and sent to the external network; the send sequence number reset module starts the sequence number counter reset process, sends an IKE message notification to reset the sequence number counter of the security association SA corresponding to the packet and have it confirmed by the corresponding peer IPsec VPN device, and the packet is cached by the packet send cache module. The IPsec VPN device operating as master after the switchover receives a packet from the peer IPsec VPN device on the external network that needs to be decrypted and decapsulated; this triggers the anti-replay window reset module to start the anti-replay window reset process, send an IKE message notification to reset the anti-replay window of the security association SA corresponding to the packet and have it confirmed by the corresponding peer IPsec VPN device, and the packet is cached by the packet receive cache module.
S3. Packets to be sent continue to be cached in the send cache module until the sequence number reset confirmation message of the peer IPsec VPN device is received; packets to be received continue to be cached in the receive cache module until the anti-replay window reset confirmation message of the peer IPsec VPN device is received;
S4. The IPsec VPN device operating as master after the switchover receives the sequence number confirmation packet of the peer IPsec VPN device, completes the send sequence number reset process and processes the cached and subsequent packets with the latest sequence number counter; the IPsec VPN device operating as master after the switchover receives the anti-replay window confirmation packet of the peer IPsec VPN device, completes the anti-replay window reset process and processes the cached and subsequent packets with the latest anti-replay window.
S5. Synchronization is complete.
Four message types are added to the IKE-ISAKMP notify payload for sequence number reset notification and confirmation and for anti-replay window reset notification and confirmation:
sequence number reset message: SEQUENCE_NOTIFICATION; sequence number confirmation message: SEQUENCE_CONFIRMATION; anti-replay window reset message: WINDOW_NOTIFICATION; anti-replay window confirmation message: WINDOW_CONFIRMATION.
Through the implementation of the above method, real-time synchronization of the sequence number and the anti-replay window is achieved between master and slave IPsec VPN devices in a dual-device redundant deployment, so that the master and slave IPsec VPN devices can achieve fast failover.
The method can be implemented either with or without the hardware described above.
It should be noted that, for brevity, each of the method embodiments above is described as a series of combined actions, but those skilled in the art should understand that the application is not limited by the described order of actions, since according to the application some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in this specification are preferred embodiments, and the actions and units involved are not necessarily required by the application.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related description of other embodiments.
One of ordinary skill in the art will appreciate that all or part of the flow of the above embodiment methods may be completed by a computer program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, may include the flow of each of the method embodiments above. The storage medium may be a magnetic disk, an optical disk, a ROM, a RAM or the like.
The above disclosure is only the preferred embodiments of the present invention and certainly cannot limit the scope of the rights of the present invention; therefore equivalent changes made in accordance with the claims of the present invention still fall within the scope of the present invention.
Claims (8)
1. An IPSEC VPN sequence number and anti-replay window synchronization device, comprising master and slave IPSEC VPN devices in a dual-machine redundant deployment, characterized in that it further comprises an SA synchronization module, a send cache module, a receive cache module, a send sequence number reset module, an anti-replay window reset module and an average packet length detection module;
the SA synchronization module runs throughout on the master and slave IPSEC VPN devices and is used to synchronize SA data;
the send cache module is used, after an active/standby switch and before the sequence number reset confirmation message of the peer IPSEC VPN device is received, to cache the data packets that pass through this device to the external network and need encrypted encapsulation;
the receive cache module is used, after an active/standby switch and before the anti-replay window reset confirmation message of the peer IPSEC VPN device is received, to cache the data packets sent from the peer IPSEC VPN device on the external network that need decryption and decapsulation;
the send sequence number reset module is used, after an active/standby switch, to reset the send sequence number counter, and at the same time to send a send sequence number reset notification message to the peer IPSEC VPN device and wait to receive the sequence number reset confirmation message of the peer IPSEC VPN device;
the anti-replay window reset module is used, after an active/standby switch, to reset the anti-replay window, and at the same time to send an anti-replay window reset notification message to the peer IPSEC VPN device and wait to receive the anti-replay window reset confirmation message of the peer IPSEC VPN device;
the average packet length detection module runs on the master IPSEC VPN device and calculates the average data packet length of the matching SA; this average data packet length is used to calculate the new sequence number when the send sequence number is reset;
the send cache module, receive cache module, send sequence number reset module and anti-replay window reset module perform the reset operation only in the period between the slave IPSEC VPN device switching to become the master IPSEC VPN device and the device after the switch completing the reset of the sequence number counters and anti-replay windows of all SAs.
2. The IPSEC VPN sequence number and anti-replay window synchronization device of claim 1, characterized in that the SA data comprises the current Security Parameter Index, destination IP address and security protocol identifier, together with the send sequence number, anti-replay window and average packet length information.
3. The IPSEC VPN sequence number and anti-replay window synchronization device of claim 1, characterized in that the send cache module and the receive cache module are FIFO queues.
4. The IPSEC VPN sequence number and anti-replay window synchronization device of claim 1, characterized in that the average packet length detection module maintains a packet counter and an average packet length for each security association SA.
5. The IPSEC VPN sequence number and anti-replay window synchronization device of claim 1, characterized in that the send sequence number reset notification message, sequence number reset confirmation message, anti-replay window reset notification message and anti-replay window reset confirmation message are four message types added to the Notify payload of IKE-ISAKMP.
6. An IPSEC VPN sequence number and anti-replay window synchronization method, characterized in that it comprises the following steps:
S1: the master and slave IPSEC VPN devices run the SA synchronization module; each time the master IPSEC VPN device negotiates a key successfully, the master actively pushes the latest SA data to the slave IPSEC VPN device; at the same time, the slave IPSEC VPN device starts the data packet receive cache module, data packet send cache module, anti-replay window reset module and send sequence number reset module, and puts these modules in a waiting state;
S2: the master IPSEC VPN device after the switch receives the first data packet passing through this device from the intranet to the external network and caches it in the send cache module; it resets the send sequence number counter and at the same time sends a send sequence number reset notification message to the corresponding peer IPSEC VPN device;
the master IPSEC VPN device after the switch receives the first data packet passing through this device from the external network to the intranet and caches it in the receive cache module; it resets the anti-replay window and at the same time triggers an anti-replay window reset notification message to the corresponding peer IPSEC VPN device;
S3: data packets to be sent that are received are continuously cached in the send cache module until the sequence number reset confirmation message of the peer IPSEC VPN device is received; data packets to be received that are received are continuously cached in the receive cache module until the anti-replay window reset confirmation message of the peer IPSEC VPN device is received;
S4: after the sequence number reset confirmation message is received, the data packets in the send cache module are encapsulated with the reset sequence number and sent to the peer IPSEC VPN device in first-in first-out order; after the anti-replay window reset confirmation message is received, the data packets in the receive cache module are decapsulated according to the reset sequence number and forwarded to the intranet in first-in first-out order;
S5: synchronization is complete.
7. The IPSEC VPN sequence number and anti-replay window synchronization method of claim 6, characterized in that the send sequence number counter in S2 is reset as follows: send sequence number reset value = send sequence number in the most recently synchronized SA data + ((switch time - most recent synchronization time) × network interface card rate) ÷ average packet length, where the sequence number is a 32-bit positive integer, the unit of time is the second, the unit of the network interface card rate is the megabit and the unit of the average packet length is the bit; the average packet length is calculated as follows:
1) after each successful IKE negotiation and SA update, the packet counter is reset;
2) if a packet is the first received after the SA update, its packet length is assigned directly to the average packet length;
3) thereafter the average packet length is calculated as: ((previous average packet length × packet counter) + length of the data packet received this time) ÷ (packet counter + 1).
8. The IPSEC VPN sequence number and anti-replay window synchronization method of claim 6, characterized in that the anti-replay window in S2 is reset as follows: the sequence number of the received data packet is set as the left boundary value of the anti-replay window, and the right boundary value of the anti-replay window is: left boundary value + anti-replay window size - 1.
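A worked example, added here and not the patent's own code, of the sequence number reset in claim 7 (average packet length steps 1 to 3 and the reset value) and the anti-replay window reset in claim 8. It assumes the division by average packet length that the claim's units imply, a megabit of 10^6 bits, integer division for the running mean, and a plain sliding window for the accept check, which the claims do not specify; all names are hypothetical.

```python
from dataclasses import dataclass, field

SEQ_MAX = 0xFFFFFFFF  # claim 7: sequence numbers are 32-bit positive integers


@dataclass
class AvgPacketLength:
    """Per-SA packet counter and average packet length in bits (claim 7, steps 1-3)."""
    count: int = 0
    avg_bits: int = 0

    def reset(self) -> None:  # step 1: IKE negotiation succeeded, SA updated
        self.count, self.avg_bits = 0, 0

    def observe(self, pkt_bits: int) -> int:
        if self.count == 0:  # step 2: first packet after the SA update
            self.avg_bits = pkt_bits
        else:  # step 3: running mean (integer division is an assumption)
            self.avg_bits = (self.avg_bits * self.count + pkt_bits) // (self.count + 1)
        self.count += 1
        return self.avg_bits


def reset_send_seq(synced_seq, switch_time_s, sync_time_s, nic_rate_mbit, avg_bits):
    """synced seq + ((switch time - sync time) * NIC rate) / average packet length.
    Units as in the claim: seconds, megabit/s (taken as 1e6 bit/s), bits."""
    est_packets = (switch_time_s - sync_time_s) * nic_rate_mbit * 1_000_000 // avg_bits
    new_seq = synced_seq + est_packets
    if new_seq > SEQ_MAX:  # an ESP counter must not wrap; the SA needs a rekey instead
        raise OverflowError("sequence number space exhausted; rekey the SA")
    return new_seq


@dataclass
class ReplayWindow:  # claim 8 reset plus an assumed standard accept check
    size: int
    left: int = 0
    right: int = 0
    seen: set = field(default_factory=set)

    def reset(self, first_seq: int) -> None:
        self.left = first_seq  # left boundary = seq of the first packet received
        self.right = first_seq + self.size - 1
        self.seen = set()

    def accept(self, seq: int) -> bool:
        if seq < self.left or seq in self.seen:  # too old, or a replay
            return False
        if seq > self.right:  # newer than the window: slide it forward
            self.right, self.left = seq, seq - self.size + 1
            self.seen = {s for s in self.seen if s >= self.left}
        self.seen.add(seq)
        return True
```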
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711435535.1A CN108322330B (en) | 2017-12-26 | 2017-12-26 | IPSEC VPN serial number and anti-replay window synchronization method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108322330A true CN108322330A (en) | 2018-07-24 |
CN108322330B CN108322330B (en) | 2021-03-02 |
Family
ID=62892900
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711435535.1A Active CN108322330B (en) | 2017-12-26 | 2017-12-26 | IPSEC VPN serial number and anti-replay window synchronization method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108322330B (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113239088A (en) * | 2021-04-12 | 2021-08-10 | 上海沐融信息科技有限公司 | Asynchronous pre-fetch adjustable sequence number generator acquisition method and device |
CN116319093A (en) * | 2023-05-18 | 2023-06-23 | 湖北微源卓越科技有限公司 | IPsec anti-replay method based on FPGA |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040205332A1 (en) * | 2003-04-12 | 2004-10-14 | Bouchard Gregg A. | IPsec performance optimization |
CN101577725A (en) * | 2009-06-26 | 2009-11-11 | 杭州华三通信技术有限公司 | Message synchronization method of anti-replay mechanism, device and system thereof |
CN101605060A (en) * | 2009-07-14 | 2009-12-16 | 中兴通讯股份有限公司 | Active and standby method of a kind of IPSec of single-plate grade and device |
CN101917294A (en) * | 2010-08-24 | 2010-12-15 | 杭州华三通信技术有限公司 | Method and equipment for updating anti-replay parameter during master and slave switching |
CN102769572A (en) * | 2012-07-30 | 2012-11-07 | 福建星网锐捷网络有限公司 | Message anti-replay method, message anti-replay device and network device |
CN104092697A (en) * | 2014-07-18 | 2014-10-08 | 杭州华三通信技术有限公司 | Anti-replaying method and device based on time |
CN104184675A (en) * | 2014-09-12 | 2014-12-03 | 成都卫士通信息产业股份有限公司 | Load-balanced IPSec VPN device trunking system and working method of load-balanced IPSec VPN device trunking system |
- 2017-12-26 CN CN201711435535.1A patent/CN108322330B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN108322330B (en) | 2021-03-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Lau et al. | Layer two tunneling protocol-version 3 (L2TPv3) | |
CN103475655B (en) | A kind of method realizing IPSecVPN main/slave link switching at runtime | |
JP5801175B2 (en) | Packet communication apparatus and method | |
CN101820383B (en) | Method and device for restricting remote access of switcher | |
US9832175B2 (en) | Group member recovery techniques | |
CN103152260B (en) | Message forwarding system, method and device | |
KR20080077235A (en) | A dual proxy approach to tcp performance improvements over a wireless interface | |
US20200351715A1 (en) | Message Cache Management in a Mesh Network | |
CN102546658A (en) | Method and system for preventing address resolution protocol (ARP) gateway spoofing | |
CN106576108B (en) | Communication method, equipment and system in communication system | |
JP5264966B2 (en) | Communication device | |
Abdullaziz et al. | Network packet payload parity based steganography | |
CN108322330A (en) | A kind of IPSEC VPN sequence numbers and anti-playback window synchronization method and apparatus | |
KR101189673B1 (en) | Gateway system for ipsec session transmission and redundancy providing method thereof | |
JP4645839B2 (en) | Security communication apparatus and sequence number management method | |
CN116074401B (en) | Method for realizing transmission layer protocol on programmable exchanger | |
JP3678200B2 (en) | Route distribution device for improving confidentiality of communication contents | |
CN105610577B (en) | A kind of system and method preventing IPSec VPN device Multiple tunnel ike negotiations failure | |
EP2600569A1 (en) | Method, apparatus and system for processing a tunnel packet | |
CN103297348A (en) | Method for preventing ESP/AH (encapsulating security payload/ authentication header) packet fragmentation | |
CN106506461A (en) | A kind of implementation method of the safe DNP agreements based on SCADA system | |
CN207869118U (en) | Data transmission system based on quantum cryptography exchange apparatus | |
JP5119184B2 (en) | Relay device, terminal device, and secret communication system | |
WO2015022809A1 (en) | Communication device and transmission band control method | |
JP4268200B2 (en) | Redundant data relay device and encrypted communication method using redundant data relay device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
CP03 | Change of name, title or address | | Address after: No. 333, Yunhua Road, Chengdu hi tech Zone, China (Sichuan) pilot Free Trade Zone, Chengdu, Sichuan 610041; Patentee after: China Electronics Technology Network Security Technology Co.,Ltd.; Address before: No. 333, Yunhua Road, high tech Zone, Chengdu, Sichuan 610041; Patentee before: CHENGDU WESTONE INFORMATION INDUSTRY Inc. |