CN109525534A - A kind of method and system for guaranteeing message in secure network and not being fragmented - Google Patents

Info

Publication number
CN109525534A
Application number
CN201710839130.8A
Authority
CN (China)
Prior art keywords
message, encryption, fragmented, secure network, network
Legal status
Pending (as listed by Google Patents; not a legal conclusion)
Other languages
Chinese (zh)
Inventors
陆勇, 王幼君
Current assignee (as listed by Google Patents; may be inaccurate)
Beijing Watchdata Ltd By Share Ltd; Beijing WatchData System Co Ltd; Beijing WatchSmart Technologies Co Ltd
Original assignee
Beijing Watchdata Ltd By Share Ltd; Beijing WatchSmart Technologies Co Ltd
Priority date
2017-09-18
Filing date
2017-09-18
Publication date
2019-03-26
Application filed by Beijing Watchdata Ltd By Share Ltd, Beijing WatchSmart Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/10 Mapping addresses of different types
    • H04L61/50 Address allocation
    • H04L61/5007 Internet protocol [IP] addresses
    • H04L61/5014 Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]

Abstract

The present invention relates to a method and system for guaranteeing that packets are not fragmented in a secure network. The method comprises the following steps: an encryption/decryption device is added on each of the server side and the client side to protect the security of data transmitted over the network; a safe MTU value is preset in the encryption/decryption device, and the device monitors all packets and analyzes DHCP ACK packets; when a DHCP ACK packet passes through, the device extracts from the packet the IP address assigned to the client, which is normally carried in the "yiaddr" field; a pseudo ICMP packet is then constructed with the source IP of the server, the preset safe MTU value is filled into the "Next-Hop MTU" field of the ICMP packet, and the client is thereby made to believe that the PMTU is the preset value. With the method and system of the present invention, packets in a secure network are guaranteed not to be fragmented on an encryption/decryption device that has no IP address, so that data is transmitted more efficiently.

Description

A method and system for guaranteeing that packets are not fragmented in a secure network
Technical field
The invention belongs to the technical field of network security, and in particular relates to a method and system for guaranteeing that packets are not fragmented in a secure network.
Background art
In the prior art, when packets are transmitted over a network, a network device that has an IP address is usually added to handle the encryption and decryption of the packets and, at the same time, to handle MTU (maximum transmission unit) matters, so that the size of each packet after encryption does not exceed the PMTU (path maximum transmission unit). This solution has the following problems: (1) a network device with an IP address has to be added to the network, which has some impact on the original service; (2) the network is usually built with SSL VPN or IPsec VPN plus NAT technology, which makes network planning more complicated.
An encrypted data packet can be larger than the original unencrypted packet. If the size of the original packet is already close to or equal to the maximum packet size allowed by the PMTU, the packet will exceed the PMTU limit after encryption and, during network transmission, will be fragmented by other network devices, i.e. one large packet is split into two smaller packets. The encryption and decryption information of a single packet, however, is stored per packet: the negotiated process key information, the random number information and even the MAC value used for verification all reside within that single packet. Since the encryption/decryption device has no IP address, it generally cannot reassemble the fragments, and therefore cannot correctly decrypt an encrypted packet that has been fragmented.
To guarantee that packets are not fragmented in a secure network without affecting the existing network architecture, while still guaranteeing the security of network communication, a device without an IP address can be added on each of the server side and the client side to encrypt and decrypt the data. However, because an encrypted packet is normally larger than the unencrypted packet, and because this process is transparent to the client and the server, the encrypted packet can easily exceed the PMTU, which causes the packet to be fragmented, and the fragmented packets cannot be decrypted correctly. A new technical solution is therefore urgently needed to solve the above problem of the prior art.
Summary of the invention
In view of the deficiencies of the prior art, the object of the present invention is to provide a method and system for guaranteeing that packets are not fragmented in a secure network. The method and system guarantee, on an encryption/decryption device that has no IP address, that packets in the secure network are not fragmented, so that data is transmitted more efficiently.
To achieve the above object, the technical solution adopted by the present invention is as follows:
A method for guaranteeing that packets are not fragmented in a secure network, comprising the following steps:
adding an encryption/decryption device on each of the server side and the client side, to protect the security of data transmitted over the Internet;
presetting a safe MTU value in the encryption/decryption device; the encryption/decryption device monitors all packets and analyzes DHCP ACK packets;
when a DHCP ACK packet passes through, the device extracts from the packet the IP address assigned to the client, which is normally carried in the "yiaddr" field;
constructing a pseudo ICMP packet with the source IP of the server, filling the preset safe MTU value into the "Next-Hop MTU" field of the ICMP packet, and thereby making the client believe that the PMTU is the preset value.
Further, the encryption/decryption device is a network device without an IP address.
Further, the safe threshold is 1300-1450 bytes.
Further, the safe threshold is 1400 bytes.
The present invention also provides a system for guaranteeing that packets are not fragmented in a secure network, comprising a server and a client, wherein an encryption/decryption device is added on each of the server side and the client side to protect the security of data transmitted over the Internet, the encryption/decryption device being a network device without an IP address.
Further, the encryption/decryption device comprises the following modules:
an MTU value setup module, for presetting a safe MTU value in the encryption/decryption device;
a packet monitoring module, for monitoring all packets and analyzing DHCP ACK packets;
an IP address parsing module, for extracting, when a DHCP ACK packet passes through, the IP address that the packet assigns to the client, which is normally carried in the "yiaddr" field;
a pseudo ICMP packet constructing module, for constructing a pseudo ICMP packet with the source IP of the server, filling the preset safe MTU value into the "Next-Hop MTU" field of the ICMP packet, and thereby making the client believe that the PMTU is the preset value.
The effect of the invention is that, using the method and system of the present invention, packets can be guaranteed not to be fragmented in a secure network on an encryption/decryption device without an IP address, so that data is transmitted more efficiently.
Description of the drawings
Fig. 1 is a network architecture diagram of the prior art;
Fig. 2 is a network architecture diagram after applying the method and system of the invention;
Fig. 3 is a flow chart of the method described in the specific embodiment of the invention;
Fig. 4 is a structural block diagram of the encryption device in the system described in the specific embodiment of the invention.
Specific embodiments
The present invention is further described below with reference to the accompanying drawings and specific embodiments.
The core of the invention is a new network architecture in which an encryption/decryption device is added on both the server side and the client side to protect the security of data transmitted over the Internet. So as not to affect the original network architecture, the newly added encryption/decryption device can be a network device without an IP address.
As shown in Fig. 2, a system for guaranteeing that packets are not fragmented in a secure network comprises a server and a client, with an encryption/decryption device added on each of the server side and the client side to protect the security of data transmitted over the Internet; the encryption/decryption device is a network device without an IP address.
In this embodiment, the encryption/decryption device comprises the following modules:
an MTU value setup module, for presetting a safe MTU value in the encryption/decryption device;
a packet monitoring module, for monitoring all packets and analyzing DHCP ACK packets;
an IP address parsing module, for extracting, when a DHCP ACK packet passes through, the IP address that the packet assigns to the client, which is normally carried in the "yiaddr" field;
a pseudo ICMP packet constructing module, for constructing a pseudo ICMP packet with the source IP of the server, filling the preset safe MTU value into the "Next-Hop MTU" field of the ICMP packet, and thereby making the client believe that the PMTU is the preset value.
As shown in Fig. 3, a method for guaranteeing that packets are not fragmented in a secure network comprises the following steps:
Step S1: add an encryption/decryption device on each of the server side and the client side, to protect the security of data transmitted over the Internet;
Step S2: preset a safe MTU value in the encryption/decryption device; the encryption/decryption device monitors all packets and analyzes DHCP ACK packets;
Step S3: when a DHCP ACK packet passes through, the device extracts from the packet the IP address assigned to the client, which is normally carried in the "yiaddr" field;
Step S4: construct a pseudo ICMP packet with the source IP of the server, fill the preset safe MTU value into the "Next-Hop MTU" field of the ICMP packet, and thereby make the client believe that the PMTU is the preset value.
The encryption/decryption device is a network device without an IP address, and the safe threshold is 1300-1450 bytes. In this embodiment, the safe threshold is 1400 bytes.
To solve the fragmentation problem, the packet size must be controlled at the source: the source host is made to "believe" that the PMTU is somewhat smaller than the actual PMTU, so that the packets sent by that host stay within the safe threshold and are not fragmented after passing through the encryption device.
Since the encryption device has no IP address, PMTU negotiation and propagation cannot be carried out according to the standard protocol.
The solution proposed by the present invention is as follows: a safe MTU value (for example 1400) is preset in the encryption/decryption device. At the same time, the encryption/decryption device monitors all packets and analyzes DHCP ACK packets. When a DHCP ACK packet passes through, the device extracts the IP address that the packet assigns to the client, normally from the "yiaddr" field. Combined with the source IP of the server, a pseudo ICMP packet can be constructed; the preset safe MTU value is filled into the "Next-Hop MTU" field of the ICMP packet, and the client is thereby made to believe that the PMTU is the preset value.
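The pseudo ICMP packet described above is an ordinary ICMP Destination Unreachable message with code 4 (Fragmentation Needed), and the receiving host lowers its PMTU estimate on the strength of an unauthenticated "Next-Hop MTU" field. The following Python is an added example, not code from the patent or its applicants: it decodes such a message, verifies the ICMP checksum, and applies the plausibility checks a host or a monitoring point can run before acting on the value: the quoted inner IP header must belong to a flow the host actually has, the advertised MTU must not be below a floor (576 here, an assumed policy value), and it must be smaller than the datagram it claims did not fit. The `build_frag_needed` fixture, the addresses (documentation ranges) and the 1500/1400 scenario are constructed for the example; nothing is sent on a network.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3        # ICMP type: Destination Unreachable
ICMP_FRAG_NEEDED = 4         # code: Fragmentation Needed and DF was set
PMTU_FLOOR = 576             # assumed policy floor for an acceptable Next-Hop MTU


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frag_needed(icmp: bytes):
    """Decode an ICMP Fragmentation Needed message (ICMP bytes, no outer IP header).

    Returns a dict with the advertised Next-Hop MTU and the source, destination
    and total length of the quoted original datagram, or None if the bytes are
    not a well-formed message of that type with a valid checksum.
    """
    if len(icmp) < 8 + 20:                      # ICMP header + minimal inner IPv4 header
        return None
    icmp_type, code, _csum, _unused, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    if icmp_checksum(icmp) != 0:                # a correct checksum folds to zero
        return None
    inner = icmp[8:]
    version, ihl = inner[0] >> 4, (inner[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(inner) < ihl:
        return None
    orig_len = struct.unpack("!H", inner[2:4])[0]
    return {
        "next_hop_mtu": next_hop_mtu,
        "orig_src": socket.inet_ntoa(inner[12:16]),
        "orig_dst": socket.inet_ntoa(inner[16:20]),
        "orig_len": orig_len,
    }


def assess(msg, active_flows, floor=PMTU_FLOOR) -> str:
    """Classify a decoded message before the host acts on it.

    active_flows is the set of (src, dst) pairs this host has actually sent to;
    a message quoting a flow the host never used cannot be a genuine reply.
    """
    if msg is None:
        return "malformed"
    if (msg["orig_src"], msg["orig_dst"]) not in active_flows:
        return "unsolicited"
    if msg["next_hop_mtu"] < floor:
        return "implausible-mtu"
    if msg["next_hop_mtu"] >= msg["orig_len"]:
        return "inconsistent"                   # the datagram would have fit; the value cannot be right
    return "accept"


def build_frag_needed(next_hop_mtu: int, orig_src: str, orig_dst: str, orig_len: int) -> bytes:
    """Constructed test fixture: the ICMP bytes a host would receive (no outer IP header)."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, orig_len, 0x1234, 0x4000, 64, 6, 0,
                        socket.inet_aton(orig_src), socket.inet_aton(orig_dst))
    inner += b"\x00" * 8                        # first 8 bytes of the original payload (constructed)
    header = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    csum = icmp_checksum(header + inner)
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, csum, 0, next_hop_mtu) + inner


if __name__ == "__main__":
    # Constructed scenario from the description: a 1500-byte client datagram is
    # answered with Next-Hop MTU 1400 (documentation addresses).
    flows = {("192.0.2.10", "198.51.100.5")}
    sample = build_frag_needed(1400, "192.0.2.10", "198.51.100.5", 1500)
    print(parse_frag_needed(sample), assess(parse_frag_needed(sample), flows))
    print(assess(parse_frag_needed(build_frag_needed(200, "192.0.2.10", "198.51.100.5", 1500)), flows))
```

The flow check is what separates the device's intended use from a third party abusing the same message: a legitimate reply always quotes a packet the host just sent, so a monitoring point that sees Fragmentation Needed messages for flows it never originated has a clear signal to log.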
An example follows:
In general, the PMTU in a network is 1500; encryption reserves about 100 bytes of redundant space, so the safe threshold is 1400 bytes. A safe MTU value of 1400 is preset in the encryption/decryption device. The device constantly monitors the packets passing through it; as soon as a DHCP ACK packet passes, it extracts the IP address that the packet assigns to the client, normally from the "yiaddr" field. Combined with the source IP of the server, a pseudo ICMP packet can be constructed; the preset safe MTU value (1400) is filled into the "Next-Hop MTU" field of the ICMP packet, and the client is thereby made to believe that the PMTU is the preset value (1400). From then on the client's packets will be no larger than 1400 bytes, which avoids the problem of packet fragmentation in the secure network.
If the PMTU to some destination address is 1500 and encryption reserves about 100 bytes of redundant space, the safe threshold is 1400 bytes. That is, when a packet larger than 1400 bytes is received, the encryption device is triggered to send a pseudo ICMP packet to the source device of that packet, with 1400 filled into the "Next-Hop MTU" field of the ICMP packet, so that the source device believes the PMTU is 1400. The destination address and source address of the ICMP packet are taken from the destination address and source address of the original packet, which sidesteps the fact that the encryption/decryption device has no IP address. The original IP packet is discarded at the same time.
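Steps S1 to S4 and the 1500/100/1400 example above amount to a small decision procedure on the IP-less device. The following Python is an added example, not code from the patent or its applicants, that simulates that procedure offline: it parses a DHCP ACK to read the "yiaddr" field (checking the BOOTP reply op code, the magic cookie and option 53, so that a DHCPOFFER, which also carries a yiaddr, is not mistaken for an ACK), derives the safe MTU from the PMTU and the encryption overhead, and for each packet decides whether to forward it or to drop it and answer with a pseudo ICMP whose Next-Hop MTU is the safe value and whose addresses are borrowed from the original packet. The `ClampingDevice` class, `build_dhcp_ack` and the addresses (documentation ranges) are constructed for the example; nothing is sent on a network.

```python
import socket
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCP_OPT_PAD = 0
DHCP_OPT_MESSAGE_TYPE = 53
DHCP_OPT_SERVER_ID = 54
DHCP_OPT_END = 255
BOOTREPLY = 2
DHCP_ACK = 5


def dhcp_ack_yiaddr(payload: bytes):
    """Return the dotted-quad 'yiaddr' of a DHCP ACK, or None.

    Only a BOOTP reply carrying the DHCP magic cookie and option 53 == DHCPACK
    counts; a DHCPOFFER also fills yiaddr, but that address is not yet bound.
    """
    if len(payload) < 240 or payload[0] != BOOTREPLY or payload[236:240] != DHCP_MAGIC_COOKIE:
        return None
    msg_type = None
    i = 240
    while i < len(payload):                     # walk the TLV options
        tag = payload[i]
        if tag == DHCP_OPT_END:
            break
        if tag == DHCP_OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            return None                         # truncated option header
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                         # truncated option value
        if tag == DHCP_OPT_MESSAGE_TYPE and length == 1:
            msg_type = value[0]
        i += 2 + length
    if msg_type != DHCP_ACK:
        return None
    return socket.inet_ntoa(payload[16:20])     # yiaddr: bytes 16..19 of the BOOTP header


def safe_mtu(pmtu: int, encryption_overhead: int) -> int:
    """Safe threshold = PMTU minus the space encryption adds (1500 - 100 = 1400)."""
    return pmtu - encryption_overhead


class ClampingDevice:
    """Offline model of the IP-less encryption device's decision logic (constructed)."""

    def __init__(self, pmtu: int = 1500, encryption_overhead: int = 100):
        self.safe_mtu = safe_mtu(pmtu, encryption_overhead)
        self.clients = set()                    # client addresses learned from DHCP ACKs

    def on_dhcp(self, payload: bytes):
        """Step S3: learn the client address from a passing DHCP ACK."""
        ip = dhcp_ack_yiaddr(payload)
        if ip is not None:
            self.clients.add(ip)
        return ip

    def on_ip_packet(self, src: str, dst: str, total_len: int):
        """Step S4: a packet above the threshold is dropped and answered with a
        pseudo ICMP whose Next-Hop MTU is the safe value; the ICMP borrows the
        original packet's addresses (source = server, destination = client)
        because the device has no address of its own."""
        if total_len > self.safe_mtu:
            return ("clamp", self.safe_mtu, dst, src)
        return ("forward",)


def build_dhcp_ack(yiaddr: str, server_ip: str, msg_type: int = DHCP_ACK) -> bytes:
    """Constructed DHCP reply for testing (no real lease involved)."""
    fixed = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, 0x3903F326, 0, 0)
    fixed += socket.inet_aton("0.0.0.0") + socket.inet_aton(yiaddr)        # ciaddr, yiaddr
    fixed += socket.inet_aton(server_ip) + socket.inet_aton("0.0.0.0")     # siaddr, giaddr
    fixed += b"\x00" * (16 + 64 + 128)          # chaddr, sname, file
    options = DHCP_MAGIC_COOKIE + bytes([DHCP_OPT_MESSAGE_TYPE, 1, msg_type])
    options += bytes([DHCP_OPT_SERVER_ID, 4]) + socket.inet_aton(server_ip) + bytes([DHCP_OPT_END])
    return fixed + options


if __name__ == "__main__":
    dev = ClampingDevice()
    print(dev.on_dhcp(build_dhcp_ack("192.0.2.10", "192.0.2.1")))      # 192.0.2.10
    print(dev.on_ip_packet("192.0.2.10", "198.51.100.5", 1500))        # ('clamp', 1400, '198.51.100.5', '192.0.2.10')
    print(dev.on_ip_packet("192.0.2.10", "198.51.100.5", 1400))        # ('forward',)
```

The option walk matters more than it looks: the message type is the only thing distinguishing an ACK from an OFFER or a NAK, and a device that keyed on yiaddr alone would act on addresses that were never leased.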
It can be seen from the above embodiment that the technical solution of the present invention brings the following advantages: on an encryption/decryption device without an IP address, the host is informed of a false PMTU by means of a pseudo ICMP packet, so that the host sends smaller packets, encryption and decryption proceed smoothly, and data is transmitted more efficiently.
Those skilled in the art will understand that the method and system of the present invention are not limited to the embodiments described in the specific embodiments; the specific description above is intended only to explain the purpose of the invention and not to limit it. Those skilled in the art can derive other implementations according to the technical solution of the invention, and these also fall within the scope of the technical innovation of the invention; the scope of protection of the invention is defined by the claims and their equivalents.

Claims (9)

1. A method for guaranteeing that packets are not fragmented in a secure network, comprising the following steps:
adding an encryption/decryption device on each of the server side and the client side, to protect the security of data transmitted over the network;
presetting a safe MTU value in the encryption/decryption device; the encryption/decryption device monitors all packets and analyzes DHCP ACK packets;
when a DHCP ACK packet passes through, the device extracts from the packet the IP address assigned to the client, which is normally carried in the "yiaddr" field;
constructing a pseudo ICMP packet with the source IP of the server, filling the preset safe MTU value into the "Next-Hop MTU" field of the ICMP packet, and thereby making the client believe that the PMTU is the preset value.
2. The method for guaranteeing that packets are not fragmented in a secure network according to claim 1, characterized in that the encryption/decryption device is a network device without an IP address.
3. The method for guaranteeing that packets are not fragmented in a secure network according to claim 1 or 2, characterized in that the safe threshold is 1300-1450 bytes.
4. The method for guaranteeing that packets are not fragmented in a secure network according to claim 3, characterized in that the safe threshold is 1400 bytes.
5. A system for guaranteeing that packets are not fragmented in a secure network, comprising a server and a client, characterized in that an encryption/decryption device is added on each of the server side and the client side, to protect the security of data transmitted over the network.
6. The system for guaranteeing that packets are not fragmented in a secure network according to claim 5, characterized in that the encryption/decryption device is a network device without an IP address.
7. The system for guaranteeing that packets are not fragmented in a secure network according to claim 6, characterized in that the encryption/decryption device comprises the following modules:
an MTU value setup module, for presetting a safe MTU value in the encryption/decryption device;
a packet monitoring module, for monitoring all packets and analyzing DHCP ACK packets;
an IP address parsing module, for extracting, when a DHCP ACK packet passes through, the IP address that the packet assigns to the client, which is normally carried in the "yiaddr" field;
a pseudo ICMP packet constructing module, for constructing a pseudo ICMP packet with the source IP of the server, filling the preset safe MTU value into the "Next-Hop MTU" field of the ICMP packet, and thereby making the client believe that the PMTU is the preset value.
8. The system for guaranteeing that packets are not fragmented in a secure network according to any one of claims 5 to 7, characterized in that the safe threshold is 1300-1450 bytes.
9. The system for guaranteeing that packets are not fragmented in a secure network according to claim 8, characterized in that the safe threshold is 1400 bytes.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710839130.8A CN109525534A (en) 2017-09-18 2017-09-18 A kind of method and system for guaranteeing message in secure network and not being fragmented

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710839130.8A CN109525534A (en) 2017-09-18 2017-09-18 A kind of method and system for guaranteeing message in secure network and not being fragmented

Publications (1)

Publication Number Publication Date
CN109525534A true CN109525534A (en) 2019-03-26

Family

ID=65768696

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710839130.8A Pending CN109525534A (en) 2017-09-18 2017-09-18 A kind of method and system for guaranteeing message in secure network and not being fragmented

Country Status (1)

Country Link
CN (1) CN109525534A (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0903905A2 (en) * 1997-09-22 1999-03-24 Kabushiki Kaisha Toshiba Scheme for reliable communications via radio and wire networks using transport layer connection
EP1009141A1 (en) * 1998-12-11 2000-06-14 Lucent Technologies Inc. Two phase local mobility scheme for wireless access to packet-based networks
CN1536832A (en) * 2003-04-04 2004-10-13 华为技术有限公司 Method for processing extra-long message in two-layer virtual special-purpose network
CN1633067A (en) * 2003-12-24 2005-06-29 上海华虹集成电路有限责任公司 A method of network data transmission
CN1716943A (en) * 2004-06-28 2006-01-04 杭州华为三康技术有限公司 Method and system for obtaining path maximum transmission length in channel gateway environment
CN1744561A (en) * 2004-09-01 2006-03-08 华为技术有限公司 Super-long message processing method during message conversion process
CN1863141A (en) * 2005-07-29 2006-11-15 华为技术有限公司 Method for transmission processing IP fragment message
CN102014067A (en) * 2010-12-14 2011-04-13 北京星网锐捷网络技术有限公司 Message fragment sending method, device and network equipment
CN104348785A (en) * 2013-07-29 2015-02-11 中国电信股份有限公司 Method for preventing host PMTU attack in IPv6 network and device and system thereof

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
曾睿 (Zeng Rui): "A brief analysis of new security issues introduced by the IPv6 protocol", 《信息通信技术》 (Information and Communications Technology) *
程书红 (Cheng Shuhong), ed.: "Network Operating System Management and Configuration: Windows Server 2008", 30 April 2013 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113542309A (en) * 2021-09-16 2021-10-22 渔翁信息技术股份有限公司 Data processing system and method
CN113542309B (en) * 2021-09-16 2022-01-11 渔翁信息技术股份有限公司 Data processing system and method

Similar Documents

Publication Publication Date Title
CN101136777B (en) Security management method of dual-encryption channel cooperation in network management system
CN106357690B (en) data transmission method, data sending device and data receiving device
CN103441983A (en) Information protection method and device based on link layer discovery protocol
CN104320332A (en) Multi-protocol industrial communication safety gateway and communication method with gateway applied
JP4107213B2 (en) Packet judgment device
CN106850191B (en) Encryption and decryption method and device for communication protocol of distributed storage system
CN106254355B (en) A kind of security processing and system of the Internet protocol data packet
CN104811427B (en) A kind of safe industrial control system communication means
CN108900540B (en) Service data processing method of power distribution terminal based on double encryption
CN106571907A (en) Method and system for securely transmitting data between upper computer and USB flash disk
CN110535748A (en) A kind of vpn tunneling model-based optimization method and system
CN103209072A (en) MACsec (Multi-Access Computer security) key updating method and equipment
CN110383280A (en) Method and apparatus for the end-to-end stream of packets network with network safety for Time Perception
CN106161386B (en) Method and device for realizing IPsec (Internet protocol Security) shunt
CN103227742B (en) A kind of method of ipsec tunnel fast processing message
CN105592121B (en) A kind of RDP data acquisition devices and method
CN104079578A (en) Evidence-taking data hidden transmission method and system
CN109525534A (en) A kind of method and system for guaranteeing message in secure network and not being fragmented
EP4181431A1 (en) Service transmission method and apparatus, network device, and storage medium
WO2011023010A1 (en) Method, device and system for data security transmission and reception in a pseudo-wire network
CN109525535A (en) A kind of method and system for guaranteeing message in secure network and not being fragmented
CN108809888B (en) Safety network construction method and system based on safety module
CN103532987A (en) Protection method and system for preventing unauthenticated computer equipment from accessing enterprise intranet
Hayden et al. Multi-channel security through data fragmentation
CN105407081A (en) Safe and high-efficiency satellite data transmission system and data synchronization and transmission method thereof

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
Application publication date: 20190326