CN108322330A - A kind of IPSEC VPN sequence numbers and anti-playback window synchronization method and apparatus - Google Patents


Info

Publication number
CN108322330A
Authority
CN (China)
Prior art keywords
ipsec vpn, sequence number, playback window, reset, module
Legal status
Granted
Application number
CN201711435535.1A
Other languages
Chinese (zh)
Other versions
CN108322330B (en)
Inventor
罗俊
Current Assignee
China Electronics Technology Network Security Technology Co ltd
Original Assignee
Chengdu Westone Information Industry Inc
Application filed by Chengdu Westone Information Industry Inc
Priority to CN201711435535.1A
Publication of CN108322330A
Application granted
Publication of CN108322330B
Legal status
Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0654 Management of faults, events, alarms or notifications using network fault recovery
    • H04L41/0663 Performing the actions predefined by failover planning, e.g. switching to standby network elements
    • H04L1/00 Arrangements for detecting or preventing errors in the information received
    • H04L1/22 Arrangements for detecting or preventing errors in the information received using redundant apparatus to increase reliability
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up

Abstract

The invention discloses an IPSEC VPN sequence number and anti-replay window synchronization method and apparatus. The apparatus comprises primary and standby IPSEC VPN devices in a dual-device redundant deployment, together with an SA synchronization module, a send cache module, a receive cache module, a send sequence number reset module, an anti-replay window reset module and an average packet length detection module. The SA synchronization module synchronizes SA data; the send cache module buffers packets waiting to be sent; the receive cache module buffers packets waiting to be received; the send sequence number reset module resets the send sequence number counter; the anti-replay window reset module resets the anti-replay window; and the average packet length detection module computes the average packet length of the matching SA. A corresponding IPSEC VPN sequence number and anti-replay window synchronization method is also disclosed. The invention achieves real-time synchronization between the primary and standby IPSEC VPN devices and fast switchover after a failure.

Description

IPSEC VPN sequence number and anti-replay window synchronization method and apparatus
Technical field
The present invention relates to the field of information security, and in particular to an IPSEC VPN sequence number and anti-replay window synchronization method and apparatus.
Background technology
IPsec: abbreviation of Internet Protocol Security. It is an open-standard framework that uses cryptographic security services to provide private, secure communication over Internet Protocol (IP) networks.
VPN: Virtual Private Network (abbreviated VPN), the technique of building a private network on top of a public network. It is called virtual because the connection between any two nodes of the VPN does not use the end-to-end physical link a traditional private network needs; instead it is built on a logical network platform supplied by a public network service provider, such as the Internet, ATM (asynchronous transfer mode) or Frame Relay, and user data is carried over logical links. It is an extension of a private network spanning encapsulated, encrypted and authenticated links across a shared or public network. VPNs mainly rely on tunneling, encryption and decryption, key management, and user and device identity authentication.
Security Policy (SP): a security policy is generally uniquely identified by a five-tuple selector consisting of source IP address, destination IP address, source transport-layer port, destination transport-layer port and transport-layer protocol number, and it specifies how matching plaintext packets are handled: discard, bypass IPsec, or process with an IPsec security association.
Security Association (SA): a security association is uniquely identified by a triple consisting of the Security Parameter Index (SPI), the destination IP address (a unicast address) and the security protocol identifier (AH or ESP). It specifies the concrete parameters IPsec uses to process packets, such as the algorithm, key, anti-replay window and encapsulation mode.
Sequence Number: a 32-bit monotonically increasing, non-repeating number that uniquely identifies each transmitted packet and provides anti-replay protection for the security association. The receiving end checks this field to decide whether a packet is accepted, and rejects packets that have already been received.
Anti-replay window: the anti-replay window works by limiting the range of sequence numbers that will be accepted, so that processing replayed packets cannot degrade forwarding performance or even stop the device from working properly. Let the window size be W, the left boundary N and the right boundary N+W-1. If the sequence number of a received packet lies within this range and the packet is new, the packet is considered legitimate and processing continues. If the sequence number M of a packet exceeds the right boundary, the window slides to the right: the right boundary becomes M and the left boundary becomes M-W+1. A packet retransmitted by an attacker whose sequence number is now smaller than the left boundary is identified as a replay and dropped. As the VPN device keeps receiving traffic, the anti-replay window keeps sliding to the right.
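The sliding-window check described above, as an added example that is not part of the patent text: a receiver-side anti-replay window kept as a bitmap over the W most recent sequence numbers, with the boundary rules exactly as stated (left boundary N, right boundary N+W-1, slide when a number exceeds the right boundary, reject a number below the left boundary or one already marked as received). The class name, the helper function and the sample stream are constructed for this illustration.

```python
# Added example (not the patent's code): a sliding anti-replay window tracked as
# a bitmap over the W most recent sequence numbers, following the rules in the
# definition above.


class AntiReplayWindow:
    def __init__(self, size):
        if size < 1:
            raise ValueError("window size must be at least 1")
        self.size = size
        self.right = 0                 # highest sequence number accepted so far (0: none yet)
        self.bitmap = 0                # bit i set <=> sequence number (right - i) was accepted
        self.mask = (1 << size) - 1

    @property
    def left(self):
        # Left boundary N = right - W + 1, never below 1 (ESP numbering starts at 1).
        return max(self.right - self.size + 1, 1)

    def check_and_update(self, seq):
        """Return True and record seq if it is new and inside (or beyond) the window."""
        if seq < 1:
            return False               # 0 is never a valid ESP sequence number
        if seq > self.right:
            # New right boundary M = seq: slide the bitmap by the distance moved,
            # set the bit for seq itself, and forget anything now left of the window.
            shift = seq - self.right
            self.bitmap = ((self.bitmap << shift) | 1) & self.mask if shift < self.size else 1
            self.right = seq
            return True
        offset = self.right - seq
        if offset >= self.size:
            return False               # below the left boundary: too old, treated as replay
        if (self.bitmap >> offset) & 1:
            return False               # inside the window but already seen: replay
        self.bitmap |= 1 << offset     # mark as received
        return True


def replay_filter(window_size, sequence_numbers):
    """Run a constructed stream of sequence numbers through one window and
    return the accept/reject decision for each."""
    window = AntiReplayWindow(window_size)
    return [window.check_and_update(s) for s in sequence_numbers]


if __name__ == "__main__":
    # Constructed stream with W = 8: 3 arrives late but is still inside the window;
    # the second 3 and the second 5 are replays; 12 slides the window so that 4
    # falls below the new left boundary (12 - 8 + 1 = 5).
    stream = [5, 3, 3, 12, 4, 5, 6]
    print(list(zip(stream, replay_filter(8, stream))))
```

The bitmap makes "is the packet new" an O(1) test, which is why a window bounded at W numbers (rather than an unbounded set of seen numbers) is what keeps replayed traffic from degrading forwarding performance.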
IKE: Internet Key Exchange, used to exchange and manage the encryption keys used by the VPN.
ISAKMP: Internet Security Association and Key Management Protocol.
FIFO: first in, first out, a method of servicing work requests from a queue or stack in which the earliest request is handled first.
Because IPSEC VPN devices process data with several security techniques and are deployed at the entrance of the user's network, the demands on their processing performance and reliability are very high. Dual-device redundant deployment of IPSEC VPN devices can be used to address performance and reliability.
However, a characteristic of IPSEC VPN itself obstructs dual-device redundant deployment: the sequence number and anti-replay window are updated with every packet, so they cannot be synchronized instantly between different devices, and hot switchover on failure is therefore problematic.
Invention content
To solve the above problem, the invention proposes a method and apparatus for synchronizing the sequence number and anti-replay window between the primary and standby IPSEC VPN devices of a dual-device redundant deployment, so that the primary and standby IPSEC VPN devices can fail over quickly.
The specific technical solution is an IPSEC VPN sequence number and anti-replay window synchronization apparatus comprising primary and standby IPSEC VPN devices in a dual-device redundant deployment, and further comprising an SA synchronization module, a send cache module, a receive cache module, a send sequence number reset module, an anti-replay window reset module and an average packet length detection module;
the SA synchronization module runs continuously on both the primary and the standby IPSEC VPN device and is used to synchronize SA data;
the send cache module, after an active/standby switchover and before the sequence number reset confirmation message of the peer device is received, buffers the packets that this device must encrypt and encapsulate before sending them to the external network;
the receive cache module, after an active/standby switchover and before the anti-replay window reset confirmation message of the peer device is received, buffers the packets arriving from the peer IPSEC VPN on the external network that must be decrypted and decapsulated;
the send sequence number reset module, after an active/standby switchover, resets the send sequence number counter, at the same time sends a send sequence number reset notification message to the peer IPSEC VPN device, and waits for and receives the sequence number reset confirmation message of the peer IPSEC VPN device;
the anti-replay window reset module, after an active/standby switchover, resets the anti-replay window, at the same time sends an anti-replay window reset notification message to the peer IPSEC VPN device, and waits for and receives the anti-replay window reset confirmation message of the peer IPSEC VPN device;
the average packet length detection module runs on the primary IPSEC VPN device and computes the average packet length of the matching SA;
the receive cache module, send cache module, anti-replay window reset module and send sequence number reset module operate only during the period from the moment the standby IPSEC VPN device is switched to primary until the switched device has completed the sequence number counter reset and anti-replay window reset for all SAs.
Preferably, the SA data includes the current Security Parameter Index (SPI), destination IP address (unicast address) and security protocol (AH or ESP) identifier, together with the send sequence number, the anti-replay window value and the average packet length; the data specifies the concrete security parameters IPsec uses to process packets, such as the algorithm, key, anti-replay window and encapsulation mode.
Preferably, the send cache module and the receive cache module are FIFO queues, that is, packets are processed in the order in which they entered.
Preferably, the average packet length detection module maintains a packet counter and an average packet length for each security association SA.
Preferably, the send sequence number reset notification message, sequence number reset confirmation message, anti-replay window reset notification message and anti-replay window reset confirmation message are four message types added to the IKE-ISAKMP notify payload.
The invention also discloses an IPSEC VPN sequence number and anti-replay window synchronization method, characterized by comprising the following steps:
S1. The primary and standby IPSEC VPN devices run the SA synchronization module; every time the primary IPSEC VPN device negotiates keys successfully, it actively pushes the latest SA data to the standby IPSEC VPN device. Meanwhile the standby IPSEC VPN device starts the packet receive cache module, packet send cache module, anti-replay window reset module and send sequence number reset module and places these modules in a ready-waiting state;
S2. When the IPSEC VPN device that became primary after the switchover receives the first packet from the internal network that passes through this device towards the external network, it buffers the packet in the send cache module, resets the send sequence number counter and at the same time sends a send sequence number reset notification message to the corresponding peer IPSEC VPN device;
when the IPSEC VPN device that became primary after the switchover receives the first packet from the external network that passes through this device towards the internal network, it buffers the packet in the receive cache module, resets the anti-replay window and at the same time triggers an anti-replay window reset notification message to the corresponding peer IPSEC VPN device;
S3. Packets to be sent continue to be buffered in the send cache module until the sequence number reset confirmation message of the peer IPSEC VPN device is received; packets to be received continue to be buffered in the receive cache module until the anti-replay window reset confirmation message of the peer IPSEC VPN device is received;
S4. After the sequence number reset confirmation message is received, the packets in the send cache module are encapsulated with the reset sequence numbers and sent to the peer IPSEC VPN device in first-in first-out order; after the anti-replay window reset confirmation message is received, the packets in the receive cache module are decapsulated with the reset sequence numbers and forwarded to the internal network in first-in first-out order;
S5. Synchronization is complete.
Preferably, the send sequence number counter reset in S2 is performed as follows: send sequence number reset value = send sequence number in the most recently synchronized SA data + ((switchover time - most recent synchronization time) × NIC rate) / average packet length, where the sequence number is a 32-bit positive integer, time is in seconds, the NIC rate is in megabits and the average packet length is in bits. The average packet length is computed as follows:
1) after each successful IKE negotiation that updates the SA, the packet counter is cleared;
2) for the first packet received after the SA update, its length is assigned directly as the average packet length;
3) thereafter the average packet length is computed as ((previous average packet length × packet counter) + length of the packet just received) / (packet counter + 1).
Preferably, the anti-replay window reset in S2 is performed as follows: the sequence number of the received packet is set as the left boundary of the anti-replay window, and the right boundary is the left boundary + anti-replay window size - 1.
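The reset rules above carried into working code, as an added example rather than the patent's own implementation: the send sequence number reset value, the running average packet length with the three rules just listed, and the anti-replay window reset. The function and class names are assumptions. The text gives the NIC rate in megabits and the packet length in bits, so the conversion from Mbit/s to bit/s is an assumption made explicit in the code; the sample values are constructed.

```python
# Added example (not the patent's code): the sequence-number reset formula, the
# per-SA running average packet length and the anti-replay window reset from
# the description above. Unit conversion (Mbit -> bit) is an assumption.

SEQ_MAX = 2**32 - 1   # the text specifies a 32-bit positive integer sequence number


class AveragePacketLength:
    """Per-SA packet counter and running average, cleared on every IKE rekey."""

    def __init__(self):
        self.reset()

    def reset(self):
        # 1) after each successful IKE negotiation that updates the SA, clear the counter
        self.count = 0
        self.average = 0.0

    def observe(self, length_bits):
        if self.count == 0:
            # 2) first packet after the SA update: its length becomes the average
            self.average = float(length_bits)
        else:
            # 3) ((previous average × counter) + this length) / (counter + 1)
            self.average = (self.average * self.count + length_bits) / (self.count + 1)
        self.count += 1
        return self.average


def send_sequence_reset_value(synced_seq, switch_time, last_sync_time,
                              nic_rate_mbit, avg_packet_bits):
    """synced seq + ((switch time - last sync time) × NIC rate) / average packet length.

    Times in seconds, NIC rate in Mbit/s (converted to bit/s here: assumption),
    average packet length in bits. The quotient estimates how many packets the
    old primary could have sent at line rate since the last SA synchronization."""
    if avg_packet_bits <= 0:
        raise ValueError("no packet length statistics for this SA yet")
    elapsed = switch_time - last_sync_time
    if elapsed < 0:
        raise ValueError("switchover time precedes the last synchronization")
    estimated_packets = int((elapsed * nic_rate_mbit * 1_000_000) // avg_packet_bits)
    value = synced_seq + estimated_packets
    if value > SEQ_MAX:
        # A 32-bit ESP counter must not wrap; the SA has to be rekeyed instead.
        raise OverflowError("sequence number would exceed 32 bits; rekey the SA")
    return value


def reset_anti_replay_window(received_seq, window_size):
    """Left boundary = sequence number of the received packet; right = left + W - 1."""
    return received_seq, received_seq + window_size - 1


if __name__ == "__main__":
    # Constructed sample: three packets of 1000, 2000 and 3000 bits after a rekey.
    apl = AveragePacketLength()
    for length in (1000, 2000, 3000):
        apl.observe(length)
    print("average packet length (bits):", apl.average, "count:", apl.count)
    # Constructed sample: last sync at t=10 s, switchover at t=12 s, 100 Mbit/s NIC.
    print("reset value:", send_sequence_reset_value(1000, 12.0, 10.0, 100, 8000.0))
    print("window after reset:", reset_anti_replay_window(501, 64))
```

The estimate deliberately errs high: a reset value ahead of the old primary's true counter only burns unused sequence numbers, whereas a value behind it would make the peer's anti-replay window reject the new primary's traffic. The overflow check is a caveat the text does not spell out: on a busy SA that has not been rekeyed for a long time the estimate can push the 32-bit counter past its limit, and the right response is a rekey, not a wrap.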
The method can be implemented either with or without the hardware described above. The beneficial effect of the invention is real-time synchronization of the sequence number and anti-replay window between the primary and standby IPSEC VPN devices of a dual-device redundant deployment, so that the primary and standby IPSEC VPN devices can fail over quickly without additional traffic or resource consumption.
Description of the drawings
Fig. 1 is a schematic diagram of sequence number and anti-replay window synchronization.
Specific implementation mode
To make the technical features, objects and effects of the invention clearer, the specific embodiments of the invention are now described with reference to the drawing.
After each successful IKE key negotiation, the primary IPSEC VPN device synchronizes the SA to the standby IPSEC VPN device, including the current triple, i.e. the Security Parameter Index (SPI), destination IP address (unicast address) and security protocol (AH or ESP) identifier, together with security parameters such as the session key and the sequence number, anti-replay window and average packet length, so that the standby device holds a backup of the most recent sequence number and anti-replay window. When a primary/standby switchover occurs, the standby device sets the security parameters such as the session key and SPI, and the sequence number and anti-replay window, from the most recently synchronized SA, and then handles the sending and receiving directions separately. For a packet sent from the internal network through the IPSEC VPN device to the external network, it triggers an IKE message notification for the matching security association SA and a reset of the sequence number counter (updated to the most recently synchronized SA sequence number before the switchover plus an offset); according to the security policy SP and security association SA matched by the packet, it sends a message notification to the corresponding peer IPSEC VPN device containing the latest sequence number and asking the peer IPSEC VPN device to reset its anti-replay window (the window's left boundary is updated to the latest sequence number), and it buffers packets until the confirmation message is received; once the confirmation message arrives, the buffered packets are sent out in order of arrival using the latest sequence numbers. For a packet received from the peer IPSEC VPN on the external network, it triggers an IKE message notification asking the peer IPSEC VPN to confirm the packet's sequence number, buffers packets before the confirmation message is received, and once the confirmation message arrives resets the anti-replay window of the matching security association SA according to the packet's sequence number and sends the buffered packets out in order of arrival.
As shown in Fig. 1, the specific technical solution is that the invention provides an IPSEC VPN sequence number and anti-replay window synchronization apparatus comprising primary and standby IPSEC VPN devices in a dual-device redundant deployment, and further comprising an SA synchronization module, a send cache module, a receive cache module, a send sequence number reset module, an anti-replay window reset module and an average packet length detection module;
The functions and operation of the modules are as follows:
The SA synchronization module runs continuously on both the primary and standby IPSEC VPN devices; the average packet length detection module runs on the primary IPSEC VPN device; the packet receive cache module, packet send cache module, anti-replay window reset module and send sequence number reset module operate only during the period from the moment the standby IPSEC VPN device is switched to primary until the switched device has completed the sequence number counter reset and anti-replay window reset for all SAs.
The packet send cache module buffers, in a FIFO (first in, first out) queue, packets travelling from the internal network through the IPSEC VPN device to the external network while the security association SA matched by the packet has not yet completed its sequence number counter reset; after the sequence number counter has been reset successfully, the buffered packets complete the normal IPSEC VPN packet encryption and encapsulation process in order and are sent to the external network.
The packet receive cache module buffers, in a FIFO (first in, first out) queue, packets received from the peer IPSEC VPN on the external network while the security association SA matched by the packet has not yet completed its anti-replay window reset; after the anti-replay window has been reset successfully, the buffered packets complete the normal IPSEC VPN packet decapsulation and decryption process in order and are sent to the internal network.
The send sequence number reset module is responsible, after a primary/standby IPSEC VPN switchover, for resetting the sequence number counter of the security association SA corresponding to packets that the IPSEC VPN device encrypts and encapsulates on their way from the internal network to the external network. The process is as follows: for a packet received from the internal network that must be encrypted and encapsulated by the IPSEC VPN device, if the security association SA matched by the packet has not yet successfully reset its sequence number counter, the packet triggers an IKE message notification and a sequence number counter reset (updated to the most recently synchronized SA sequence number before the switchover plus an offset); according to the security policy SP and security association SA matched by the packet, a message notification is sent to the corresponding peer IPSEC VPN device containing the latest sequence number and asking the peer IPSEC VPN device to reset its anti-replay window (the window's left boundary is updated to the latest sequence number); before the confirmation message is received, packets are placed in the packet send cache module; once the confirmation message is received the process is complete, and the buffered and subsequent packets are processed with the latest sequence number counter, in the order in which they entered the cache. The sequence number counter reset value is computed as follows:
most recently synchronized SA sequence number + ((switchover time - most recent synchronization time) × NIC rate) / average packet length
where the sequence number is a 32-bit positive integer, time is in seconds, the NIC rate is in Mbit (generally one of the four rates 10, 100, 1000 and 10000) and the average packet length is in bits.
The average packet length detection module maintains a packet counter and an average packet length for each security association SA and computes the average packet length of packets matching that security association. The calculation is as follows: after each successful IKE negotiation that updates the SA, the packet counter is cleared; for each received packet matching the security association SA, the packet counter is incremented by 1; for the first packet received after the SA update, its length is assigned directly as the average packet length; thereafter the average packet length is computed as:
((previous average packet length × packet counter) + length of the packet just received) / (packet counter + 1)
The anti-replay window reset module is responsible, after a primary/standby IPSEC VPN switchover, for resetting the anti-replay window of the security association SA corresponding to packets received from the peer IPSEC VPN on the external network. The process is as follows: for a packet sent by the peer IPSEC VPN on the external network that must be decrypted and decapsulated, if the security association SA matched by the packet has not yet successfully reset its anti-replay window, the packet triggers an IKE message notification and an anti-replay window reset (the window's left boundary is updated to the packet's sequence number); the peer IPSEC VPN is asked through the IKE message notification to confirm the packet's sequence number, and before the confirmation message is received packets are placed in the packet receive cache module; once the confirmation message is received the process is complete, and the buffered and subsequent packets are processed with the latest anti-replay window, in the order in which they entered the cache. The SA synchronization module runs continuously on both the primary and standby IPSEC VPN devices and is used to synchronize SA data.
Preferably, the send sequence number reset notification message, sequence number reset confirmation message, anti-replay window reset notification message and anti-replay window reset confirmation message are four message types added to the IKE-ISAKMP notify payload.
The invention also discloses an IPSEC VPN sequence number and anti-replay window synchronization method, characterized by comprising the following steps:
S1. The primary IPSEC VPN device runs the SA synchronization module and the average packet length detection module, and the standby IPSEC VPN device runs the SA synchronization module; every time the primary IPSEC VPN device negotiates keys successfully, it actively pushes the latest SA-related data (including security parameters such as the session key and SPI, and the sequence number, anti-replay window and average packet length) to the standby IPSEC VPN device; the standby IPSEC VPN device starts the packet receive cache module, packet send cache module, anti-replay window reset module and send sequence number reset module and places these modules in a ready-waiting state;
S2. When the IPSEC VPN operating as primary after the switchover receives a packet from the internal network that must be encrypted and encapsulated by the IPSEC VPN device and sent to the external network, the send sequence number reset module starts the sequence counter reset process, sends an IKE message notification, resets the sequence number counter of the security association SA corresponding to the packet and has the reset confirmed by the corresponding peer IPSEC VPN device, while the packet is buffered in the packet send cache module. When the IPSEC VPN operating as primary after the switchover receives a packet from the peer IPSEC VPN on the external network that must be decrypted and decapsulated, it triggers the anti-replay window reset module to start the anti-replay window reset process and send an IKE message notification, resets the anti-replay window of the security association SA corresponding to the packet and has the reset confirmed by the corresponding peer IPSEC VPN device, while the packet is buffered in the packet receive cache module.
S3. Packets to be sent continue to be buffered in the send cache module until the sequence number reset confirmation message of the peer IPSEC VPN device is received; packets to be received continue to be buffered in the receive cache module until the anti-replay window reset confirmation message of the peer IPSEC VPN device is received;
S4. When the IPSEC VPN operating as primary after the switchover receives the sequence number confirmation packet of the peer IPSEC VPN, it completes the send sequence number reset process and processes the buffered and subsequent packets with the latest sequence number counter; when it receives the anti-replay window confirmation packet of the peer IPSEC VPN, it completes the anti-replay window reset process and processes the buffered and subsequent packets with the latest anti-replay window.
S5. Synchronization is complete.
Four message types are added to the IKE-ISAKMP notify payload, for sequence number reset notification and confirmation and for anti-replay window reset notification and confirmation:
sequence number reset message: SEQUENCE_NOTIFICATION; sequence number confirmation message: SEQUENCE_CONFIRMATION; anti-replay window reset message: WINDOW_NOTIFICATION; anti-replay window confirmation message: WINDOW_CONFIRMATION.
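The S1 to S5 exchange above and the four notify message types, simulated for one SA as an added example (constructed here, not the patent's code): the device that has just become primary buffers traffic in FIFO caches in both directions until the peer's confirmations arrive, then drains the caches in arrival order. The Link, Peer and NewPrimary classes, the payloads and the counter values are constructed; the reset value is taken as an input (the formula is shown separately). Two details the text leaves open are assumptions marked in the code: the first packet sent after the reset takes the number following the reset value, and the peer refuses a notification that would move its window backwards.

```python
# Added example (not the patent's code): one SA's failover exchange between the
# new primary and its peer, using the four notify message names from the text.
from collections import deque

SEQUENCE_NOTIFICATION = "SEQUENCE_NOTIFICATION"
SEQUENCE_CONFIRMATION = "SEQUENCE_CONFIRMATION"
WINDOW_NOTIFICATION = "WINDOW_NOTIFICATION"
WINDOW_CONFIRMATION = "WINDOW_CONFIRMATION"


class Link:
    """Constructed in-order control channel; messages wait until deliver_all()."""
    def __init__(self):
        self.queue = deque()

    def send(self, dst, msg_type, seq):
        self.queue.append((dst, msg_type, seq))

    def deliver_all(self):
        while self.queue:
            dst, msg_type, seq = self.queue.popleft()
            dst.handle(msg_type, seq)


class Peer:
    """Remote gateway: its own ESP send counter and its anti-replay window."""
    def __init__(self, window_size, send_seq):
        self.window_size, self.send_seq = window_size, send_seq
        self.window = (1, window_size)            # (left, right)
        self.link = self.primary = None

    def next_seq(self):
        self.send_seq += 1
        return self.send_seq

    def handle(self, msg_type, seq):
        if msg_type == SEQUENCE_NOTIFICATION:
            if seq < self.window[0]:              # assumption: never move the window back,
                return                            # that would re-admit already-seen numbers
            self.window = (seq, seq + self.window_size - 1)   # left boundary = latest seq
            self.link.send(self.primary, SEQUENCE_CONFIRMATION, seq)
        elif msg_type == WINDOW_NOTIFICATION and seq <= self.send_seq:
            self.link.send(self.primary, WINDOW_CONFIRMATION, seq)   # a number we did send


class NewPrimary:
    """Standby that just became primary: per-SA send and receive state."""
    def __init__(self, reset_seq, window_size):
        self.reset_seq, self.window_size = reset_seq, window_size
        self.send_seq = self.window = None        # unusable until reset and confirmed
        self.send_buf, self.recv_buf = deque(), deque()      # FIFO caches
        self.seq_confirmed = self.window_confirmed = False
        self.encapsulated, self.forwarded, self.dropped = [], [], []
        self.link = self.peer = None

    def outbound(self, payload):
        """Packet from the internal network that needs ESP encapsulation."""
        if self.seq_confirmed:
            return self._encapsulate(payload)
        if not self.send_buf:                     # first packet after the switch:
            self.send_seq = self.reset_seq        # reset the counter and notify the peer
            self.link.send(self.peer, SEQUENCE_NOTIFICATION, self.send_seq)
        self.send_buf.append(payload)

    def inbound(self, seq, payload):
        """ESP packet from the peer that needs decapsulation."""
        if self.window_confirmed:
            return self._decapsulate(seq, payload)
        if not self.recv_buf:                     # first packet after the switch
            self.link.send(self.peer, WINDOW_NOTIFICATION, seq)
        self.recv_buf.append((seq, payload))

    def handle(self, msg_type, seq):
        if msg_type == SEQUENCE_CONFIRMATION and seq == self.send_seq:
            self.seq_confirmed = True
            while self.send_buf:                  # drain first-in first-out
                self._encapsulate(self.send_buf.popleft())
        elif msg_type == WINDOW_CONFIRMATION:
            self.window = (seq, seq + self.window_size - 1)
            self.window_confirmed = True
            while self.recv_buf:
                self._decapsulate(*self.recv_buf.popleft())

    def _encapsulate(self, payload):
        self.send_seq += 1                        # assumption: next number after the reset value
        self.encapsulated.append((self.send_seq, payload))

    def _decapsulate(self, seq, payload):
        left, right = self.window                 # range check only; duplicates need a bitmap
        if left <= seq <= right:
            self.forwarded.append(payload)
        else:
            self.dropped.append(seq)


def connect(primary, peer, link):
    primary.link, primary.peer, peer.link, peer.primary = link, peer, link, primary


def simulate():
    """Constructed scenario: the peer has sent 500 packets on this SA and the new
    primary's reset value is 1026; traffic in both directions arrives before any
    confirmation comes back."""
    link, peer = Link(), Peer(window_size=64, send_seq=500)
    primary = NewPrimary(reset_seq=1026, window_size=64)
    connect(primary, peer, link)
    for payload in ("a", "b", "c"):
        primary.outbound(payload)
    for payload in ("p1", "p2", "p3"):
        primary.inbound(peer.next_seq(), payload)
    buffered = (len(primary.send_buf), len(primary.recv_buf))   # (3, 3): nothing has left
    link.deliver_all()                 # notifications out, confirmations back, caches drained
    primary.outbound("d")              # confirmed: handled directly
    primary.inbound(peer.next_seq(), "p4")
    primary.inbound(400, "old")        # replay of a pre-switch packet: below the window
    return primary, peer, buffered
```

Running simulate() shows why the reset formula estimates forward: the peer moves its window's left boundary to the announced number, so a reset value behind the old primary's true counter would make the peer drop the new primary's packets as replays, while a value ahead of it only costs unused sequence numbers. The receive side here does a bare range check so the exchange stays readable; a real decapsulation path would use the bitmap window so that a duplicate inside the window is also rejected.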
By implementing the above method, real-time synchronization of the sequence number and anti-replay window is achieved between the primary and standby IPSEC VPN devices of a dual-device redundant deployment, so that the primary and standby IPSEC VPN devices can fail over quickly.
The method can be implemented either with or without the hardware described above.
It should be noted that, for brevity, each of the method embodiments above is described as a series of action combinations; those skilled in the art should understand that the application is not limited by the described order of actions, because according to the application some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in this specification are preferred embodiments, and the actions and units involved are not necessarily required by the application.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related description of other embodiments.
Those of ordinary skill in the art will appreciate that all or part of the flow of the above embodiment methods may be completed by a computer program instructing related hardware; the program may be stored in a computer-readable storage medium and, when executed, may include the flow of each of the above method embodiments. The storage medium may be a magnetic disk, an optical disc, ROM, RAM or the like.
The above disclosure is only a preferred embodiment of the invention and certainly cannot limit the scope of the invention's rights; therefore equivalent changes made in accordance with the claims of the invention still fall within the scope of the invention.

Claims (8)

1. An IPSEC VPN sequence-number and anti-replay window synchronization device, comprising master and slave IPSEC VPN devices in a dual-device redundant deployment, characterized in that it further comprises an SA synchronization module, a send cache module, a receive cache module, a send-sequence-number reset module, an anti-replay window reset module and an average packet length detection module;
the SA synchronization module runs continuously on the master and slave IPSEC VPN devices and is used to synchronize SA data;
the send cache module is used, after an active/standby switchover and before the sequence-number reset confirmation message from the peer IPSEC VPN device is received, to cache the data packets that pass through this device toward the external network and need to be encrypted and encapsulated;
the receive cache module is used, after an active/standby switchover and before the anti-replay window reset confirmation message from the peer IPSEC VPN device is received, to cache the data packets sent from the peer IPSEC VPN device on the external network that need to be decrypted and decapsulated;
the send-sequence-number reset module is used, after an active/standby switchover, to reset the send sequence number counter; at the same time it sends a send-sequence-number reset notification message to the peer IPSEC VPN device and waits to receive the sequence-number reset confirmation message from the peer IPSEC VPN device;
the anti-replay window reset module is used, after an active/standby switchover, to reset the anti-replay window; at the same time it sends an anti-replay window reset notification message to the peer IPSEC VPN device and waits to receive the anti-replay window reset confirmation message from the peer IPSEC VPN device;
the average packet length detection module runs on the master IPSEC VPN device and calculates the average data packet length of the matching SA; this average data packet length is used to calculate the new sequence number when the send sequence number is reset;
the send cache module, receive cache module, send-sequence-number reset module and anti-replay window reset module operate only during the period from the moment the slave IPSEC VPN device switches over to become the master IPSEC VPN device until that device has completed the reset of the sequence-number counters and anti-replay windows of all SAs.
2. The IPSEC VPN sequence-number and anti-replay window synchronization device of claim 1, characterized in that the SA data comprise the current Security Parameter Index, destination IP address and security protocol identifier, together with the send sequence number, anti-replay window and average packet length information.
3. The IPSEC VPN sequence-number and anti-replay window synchronization device of claim 1, characterized in that the send cache module and the receive cache module are FIFO queues.
4. The IPSEC VPN sequence-number and anti-replay window synchronization device of claim 1, characterized in that the average packet length detection module maintains a packet counter and an average packet length for each security association (SA).
5. The IPSEC VPN sequence-number and anti-replay window synchronization device of claim 1, characterized in that the send-sequence-number reset notification message, sequence-number reset confirmation message, anti-replay window reset notification message and anti-replay window reset confirmation message are four message types added to the IKE/ISAKMP Notify payload.
6. An IPSEC VPN sequence-number and anti-replay window synchronization method, characterized in that it comprises the following steps:
S1. The master and slave IPSEC VPN devices run the SA synchronization module; each time the master IPSEC VPN device successfully negotiates keys, it immediately pushes the latest SA data to the slave IPSEC VPN device; at the same time, the slave IPSEC VPN device starts the data packet receive cache module, data packet send cache module, anti-replay window reset module and send-sequence-number reset module, and places these modules in a thread-waiting state;
S2. When the master IPSEC VPN device after switchover receives the first data packet passing through this device from the internal network toward the external network, it caches the packet in the send cache module, resets the send sequence number counter, and at the same time sends a send-sequence-number reset notification message to the corresponding peer IPSEC VPN device;
When the master IPSEC VPN device after switchover receives the first data packet passing through this device from the external network toward the internal network, it caches the packet in the receive cache module, resets the anti-replay window, and at the same time triggers an anti-replay window reset notification message to the corresponding peer IPSEC VPN device;
S3. Data packets to be sent continue to be cached in the send cache module until the sequence-number reset confirmation message from the peer IPSEC VPN device is received; data packets received continue to be cached in the receive cache module until the anti-replay window reset confirmation message from the peer IPSEC VPN device is received;
S4. After the sequence-number reset confirmation message is received, the data packets in the send cache module are encapsulated with the reset sequence numbers and sent to the peer IPSEC VPN device in first-in-first-out order; after the anti-replay window reset confirmation message is received, the data packets in the receive cache module are decapsulated against the reset sequence numbers and forwarded to the internal network in first-in-first-out order;
S5. Synchronization is complete.
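The exchange of steps S1 to S4, as an added simulation that is not the patent's or the assignee's code: a slave that has just become master holds outbound packets in a FIFO send cache and inbound packets in a FIFO receive cache until the peer answers SEQUENCE_NOTIFICATION and WINDOW_NOTIFICATION with the matching confirmations, then releases each cache in order. The SPI, the reset values 5000 and 7000, the packet payloads and the peer's bookkeeping are constructed; the arithmetic of claims 7 and 8 is taken as already computed, and what the peer does with the announced values beyond confirming them is an assumption, since the claims do not specify it.

```python
"""Switchover resynchronisation exchange (claims 1, 5, 6).  Constructed
example, not the patent's code: IKE transport, ESP crypto and the reset
arithmetic of claims 7/8 are stubbed; only cache ordering and the four
Notify message types are modelled."""
from collections import deque
from dataclasses import dataclass, field

# Four Notify message types added to the IKE/ISAKMP Notify payload.
SEQUENCE_NOTIFICATION = "SEQUENCE_NOTIFICATION"
SEQUENCE_CONFIRMATION = "SEQUENCE_CONFIRMATION"
WINDOW_NOTIFICATION = "WINDOW_NOTIFICATION"
WINDOW_CONFIRMATION = "WINDOW_CONFIRMATION"


@dataclass
class Notify:
    kind: str
    spi: int
    value: int  # reset send sequence number, or window left boundary


@dataclass
class PeerDevice:
    """Remote gateway: records the announced value and confirms it (how the
    peer applies the value is not specified by the claims; assumption)."""
    announced: dict = field(default_factory=dict)

    def handle(self, msg: Notify) -> Notify:
        self.announced[(msg.spi, msg.kind)] = msg.value
        if msg.kind == SEQUENCE_NOTIFICATION:
            return Notify(SEQUENCE_CONFIRMATION, msg.spi, msg.value)
        if msg.kind == WINDOW_NOTIFICATION:
            return Notify(WINDOW_CONFIRMATION, msg.spi, msg.value)
        raise ValueError(f"unexpected notify type {msg.kind}")


@dataclass
class NewMaster:
    """Slave that has just become master, handling one SA identified by spi."""
    spi: int
    reset_send_seq: int   # claim 7 value, assumed precomputed
    window_left: int      # claim 8 value, assumed precomputed
    send_cache: deque = field(default_factory=deque)   # FIFO (claim 3)
    recv_cache: deque = field(default_factory=deque)   # FIFO (claim 3)
    seq_confirmed: bool = False
    window_confirmed: bool = False
    next_send_seq: int = 0
    sent: list = field(default_factory=list)       # (seq, payload) toward the WAN
    forwarded: list = field(default_factory=list)  # payloads toward the LAN
    outbox: list = field(default_factory=list)     # Notify messages for the peer

    def on_lan_packet(self, payload: bytes) -> None:
        """S2/S3, LAN -> WAN: cache until SEQUENCE_CONFIRMATION arrives."""
        if self.seq_confirmed:
            self._send(payload)
            return
        if not self.send_cache:  # first packet after switchover
            self.next_send_seq = self.reset_send_seq
            self.outbox.append(Notify(SEQUENCE_NOTIFICATION, self.spi, self.reset_send_seq))
        self.send_cache.append(payload)

    def on_wan_packet(self, seq: int, payload: bytes) -> None:
        """S2/S3, WAN -> LAN: cache until WINDOW_CONFIRMATION arrives."""
        if self.window_confirmed:
            self._forward(seq, payload)
            return
        if not self.recv_cache:  # first packet after switchover
            self.outbox.append(Notify(WINDOW_NOTIFICATION, self.spi, self.window_left))
        self.recv_cache.append((seq, payload))

    def handle(self, msg: Notify) -> None:
        """S4: a confirmation releases the matching cache in FIFO order."""
        if msg.spi != self.spi:
            return
        if msg.kind == SEQUENCE_CONFIRMATION:
            self.seq_confirmed = True
            while self.send_cache:
                self._send(self.send_cache.popleft())
        elif msg.kind == WINDOW_CONFIRMATION:
            self.window_confirmed = True
            while self.recv_cache:
                self._forward(*self.recv_cache.popleft())

    def _send(self, payload: bytes) -> None:
        self.sent.append((self.next_send_seq, payload))
        self.next_send_seq += 1  # one ESP sequence number per packet

    def _forward(self, seq: int, payload: bytes) -> None:
        # Minimal replay check: anything below the reset left boundary is dropped.
        if seq >= self.window_left:
            self.forwarded.append(payload)


def run_failover() -> NewMaster:
    """Drive the exchange with constructed traffic; return the final state."""
    master = NewMaster(spi=0x1234, reset_send_seq=5000, window_left=7000)
    peer = PeerDevice()
    master.on_lan_packet(b"lan-1")        # triggers SEQUENCE_NOTIFICATION, cached
    master.on_lan_packet(b"lan-2")        # queued behind lan-1
    master.on_wan_packet(7001, b"wan-1")  # triggers WINDOW_NOTIFICATION, cached
    master.on_wan_packet(6999, b"stale")  # below the reset left boundary
    assert not master.sent and not master.forwarded  # nothing leaves before confirmation
    for note in list(master.outbox):      # deliver notifications, feed confirmations back
        master.handle(peer.handle(note))
    master.on_lan_packet(b"lan-3")        # after confirmation: sent straight away
    return master
```

The point the simulation makes is the ordering guarantee of S3 and S4: no packet is encapsulated with a sequence number, and no packet is accepted against the new window, until the peer has acknowledged the corresponding reset, so the two sides never disagree about which sequence numbers are live.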
7. The IPSEC VPN sequence-number and anti-replay window synchronization method of claim 6, characterized in that the send sequence number counter in S2 is reset as follows: send sequence number reset value = send sequence number in the most recently synchronized SA data + ((switchover time − most recent synchronization time) × NIC rate) / average packet length, where the sequence number is a 32-bit positive integer, the unit of time is seconds, the unit of NIC rate is megabits and the unit of average packet length is bits; the average packet length is calculated as follows:
1) each time IKE negotiation succeeds and the SA is updated, the packet counter is reset;
2) for the first packet received after the SA update, its packet length is assigned directly to the average packet length;
3) thereafter the average packet length is calculated as: ((previous average packet length × packet counter) + length of this received data packet) / (packet counter + 1).
8. The IPSEC VPN sequence-number and anti-replay window synchronization method of claim 6, characterized in that the anti-replay window in S2 is reset as follows: the sequence number of the received data packet is set as the left boundary value of the anti-replay window, and the right boundary value of the anti-replay window is: left boundary value + anti-replay window size − 1.
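The arithmetic of claims 7 and 8 as an added example, not the patent's code: the per-SA running mean of packet length, the sequence-number reset estimate, and an anti-replay window reset to [received sequence number, received sequence number + size − 1]. Beyond what the claims state, the example assumes a factor of 10^6 to convert the megabit NIC rate to the bit unit of the packet length, rounds the estimate up, refuses an estimate that would exceed the 32-bit sequence space, and slides the window in the usual way when a sequence number above the right edge arrives; the window size of 64 and the sample values are constructed.

```python
"""Sequence-number reset estimate (claim 7) and anti-replay window reset
(claim 8) after an IPSEC VPN switchover.  Constructed example, not the
patent's code; the unit conversion, rounding, overflow handling and window
sliding rule are assumptions noted in the comments."""
import math

SEQ_MAX = 2**32 - 1  # ESP sequence numbers are 32-bit positive integers


class AveragePacketLength:
    """Per-SA running mean of packet length in bits (claim 7, steps 1-3)."""

    def __init__(self) -> None:
        self.reset()

    def reset(self) -> None:
        # Step 1: each successful IKE negotiation / SA update clears the counter.
        self.count = 0
        self.average = 0.0

    def update(self, packet_bits: int) -> float:
        if self.count == 0:
            # Step 2: the first packet after the update becomes the average.
            self.average = float(packet_bits)
        else:
            # Step 3: ((previous average * counter) + this length) / (counter + 1)
            self.average = (self.average * self.count + packet_bits) / (self.count + 1)
        self.count += 1
        return self.average


def estimate_reset_seq(last_synced_seq: int, switch_time: float, last_sync_time: float,
                       nic_rate_mbit: float, avg_packet_bits: float) -> int:
    """Reset value = last synced seq + packets the old master could have sent at
    line rate since the last sync.  Units as the claim states: seconds, megabits
    per second, bits.  The 1e6 factor (megabit -> bit) and rounding up are
    assumptions: overestimating is safe, underestimating reuses numbers the peer
    has already seen and would reject as replays."""
    if avg_packet_bits <= 0:
        raise ValueError("average packet length must be positive")
    elapsed = switch_time - last_sync_time
    if elapsed < 0:
        raise ValueError("switchover precedes last synchronization")
    packets_missed = math.ceil(elapsed * nic_rate_mbit * 1_000_000 / avg_packet_bits)
    reset = last_synced_seq + packets_missed
    if reset > SEQ_MAX:
        # Assumption: a wrapped 32-bit counter is never reused; the SA must be rekeyed.
        raise OverflowError("sequence number space exhausted; SA must be rekeyed")
    return reset


class AntiReplayWindow:
    """Anti-replay window held as [left, right] plus the set of accepted numbers."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.left = 0
        self.right = size - 1
        self.seen = set()

    def reset(self, received_seq: int) -> tuple:
        # Claim 8: left = seq of the packet received after switchover,
        # right = left + window size - 1; the old history is discarded.
        self.left = received_seq
        self.right = received_seq + self.size - 1
        self.seen = set()
        return self.left, self.right

    def check_and_update(self, seq: int) -> bool:
        """True if seq is acceptable (and now recorded), False if it is a replay."""
        if seq < self.left:
            return False  # older than the window: treated as a replay
        if seq > self.right:
            # Slide so that seq becomes the right edge (RFC 4303 style; assumption,
            # the claim only specifies the reset).
            self.right = seq
            self.left = seq - self.size + 1
            self.seen = {s for s in self.seen if s >= self.left}
        if seq in self.seen:
            return False
        self.seen.add(seq)
        return True
```

Note what the reset of claim 8 gives up: every sequence number below the received one is rejected from then on, so a packet of the peer that was in flight during the switchover and carries a lower number is lost rather than replayed; that is the trade the method makes for not having to carry the old window's bitmap across the failover.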
CN201711435535.1A 2017-12-26 2017-12-26 IPSEC VPN serial number and anti-replay window synchronization method and device Active CN108322330B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711435535.1A CN108322330B (en) 2017-12-26 2017-12-26 IPSEC VPN serial number and anti-replay window synchronization method and device

Publications (2)

Publication Number Publication Date
CN108322330A true CN108322330A (en) 2018-07-24
CN108322330B CN108322330B (en) 2021-03-02

Family

ID=62892900

Country Status (1)

Country Link
CN (1) CN108322330B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113239088A (en) * 2021-04-12 2021-08-10 上海沐融信息科技有限公司 Asynchronous pre-fetch adjustable sequence number generator acquisition method and device
CN116319093A (en) * 2023-05-18 2023-06-23 湖北微源卓越科技有限公司 IPsec anti-replay method based on FPGA

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040205332A1 (en) * 2003-04-12 2004-10-14 Bouchard Gregg A. IPsec performance optimization
CN101577725A (en) * 2009-06-26 2009-11-11 杭州华三通信技术有限公司 Message synchronization method of anti-replay mechanism, device and system thereof
CN101605060A (en) * 2009-07-14 2009-12-16 中兴通讯股份有限公司 Active and standby method of a kind of IPSec of single-plate grade and device
CN101917294A (en) * 2010-08-24 2010-12-15 杭州华三通信技术有限公司 Method and equipment for updating anti-replay parameter during master and slave switching
CN102769572A (en) * 2012-07-30 2012-11-07 福建星网锐捷网络有限公司 Message anti-replay method, message anti-replay device and network device
CN104092697A (en) * 2014-07-18 2014-10-08 杭州华三通信技术有限公司 Anti-replaying method and device based on time
CN104184675A (en) * 2014-09-12 2014-12-03 成都卫士通信息产业股份有限公司 Load-balanced IPSec VPN device trunking system and working method of load-balanced IPSec VPN device trunking system

Also Published As

Publication number Publication date
CN108322330B (en) 2021-03-02

Similar Documents

Publication Publication Date Title
Lau et al. Layer two tunneling protocol-version 3 (L2TPv3)
CN103475655B (en) A kind of method realizing IPSecVPN main/slave link switching at runtime
JP5801175B2 (en) Packet communication apparatus and method
CN101820383B (en) Method and device for restricting remote access of switcher
US9832175B2 (en) Group member recovery techniques
CN103152260B (en) Message forwarding system, method and device
KR20080077235A (en) A dual proxy approach to tcp performance improvements over a wireless interface
US20200351715A1 (en) Message Cache Management in a Mesh Network
CN102546658A (en) Method and system for preventing address resolution protocol (ARP) gateway spoofing
CN106576108B (en) Communication method, equipment and system in communication system
JP5264966B2 (en) Communication device
Abdullaziz et al. Network packet payload parity based steganography
CN108322330A (en) A kind of IPSEC VPN sequence numbers and anti-playback window synchronization method and apparatus
KR101189673B1 (en) Gateway system for ipsec session transmission and redundancy providing method thereof
JP4645839B2 (en) Security communication apparatus and sequence number management method
CN116074401B (en) Method for realizing transmission layer protocol on programmable exchanger
JP3678200B2 (en) Route distribution device for improving confidentiality of communication contents
CN105610577B (en) A kind of system and method preventing IPSec VPN device Multiple tunnel ike negotiations failure
EP2600569A1 (en) Method, apparatus and system for processing a tunnel packet
CN103297348A (en) Method for preventing ESP/AH (encapsulating security payload/ authentication header) packet fragmentation
CN106506461A (en) A kind of implementation method of the safe DNP agreements based on SCADA system
CN207869118U (en) Data transmission system based on quantum cryptography exchange apparatus
JP5119184B2 (en) Relay device, terminal device, and secret communication system
WO2015022809A1 (en) Communication device and transmission band control method
JP4268200B2 (en) Redundant data relay device and encrypted communication method using redundant data relay device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: No. 333, Yunhua Road, Chengdu hi tech Zone, China (Sichuan) pilot Free Trade Zone, Chengdu, Sichuan 610041

Patentee after: China Electronics Technology Network Security Technology Co.,Ltd.

Address before: No. 333, Yunhua Road, high tech Zone, Chengdu, Sichuan 610041

Patentee before: CHENGDU WESTONE INFORMATION INDUSTRY Inc.