CN109525535A - Method and system for guaranteeing that packets are not fragmented in a secure network - Google Patents

Method and system for guaranteeing that packets are not fragmented in a secure network

Info

Publication number
CN109525535A
Authority
CN
China
Prior art keywords
message
encryption
fragmented
network
secure network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201710839134.6A
Other languages
Chinese (zh)
Inventor
陆勇
王幼君
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Watchdata Ltd By Share Ltd
Beijing WatchData System Co Ltd
Beijing WatchSmart Technologies Co Ltd
Original Assignee
Beijing Watchdata Ltd By Share Ltd
Beijing WatchSmart Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2017-09-18
Filing date
2017-09-18
Publication date
2019-03-26
Application filed by Beijing Watchdata Ltd By Share Ltd, Beijing WatchSmart Technologies Co Ltd
Priority to CN201710839134.6A
Publication of CN109525535A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/29 Flow control; Congestion control using a combination of thresholds
    • H04L47/36 Flow control; Congestion control by determining packet size, e.g. maximum transfer unit [MTU]

Abstract

The present invention relates to a method and system for guaranteeing that packets are not fragmented in a secure network. The method comprises the following steps: an encryption/decryption device is added separately on the server side and on the client side to protect the security of data in transit on the network; the encryption/decryption device monitors all packets and judges whether the size of each packet exceeds a safe threshold, and if not, the packet is sent normally; when a packet's size exceeds the safe threshold, the encryption/decryption device forges an ICMP packet from the information in that packet and sends it to the host, so that the host actively lowers its PMTU value, while the oversized packet is discarded. With the method and system of the present invention, packets can be guaranteed not to be fragmented in a secure network even though the encryption/decryption device has no IP address, so that data transmission is more efficient.

Description

Method and system for guaranteeing that packets are not fragmented in a secure network
Technical field
The invention belongs to the technical field of network security, and in particular relates to a method and system for guaranteeing that packets (报文, rendered "messages" in the machine-translated title) are not fragmented in a secure network.
Background technique
In the prior art, when packets are transmitted over a network, a network device with an IP address is usually added to handle the encryption and decryption of the packets and, at the same time, to deal with MTU (maximum transmission unit) matters, so that the size of each packet after encryption does not exceed the PMTU (path maximum transmission unit). This solution has the following problems: (1) a network device with an IP address must be added to the network, which has some impact on the existing business; (2) the network is usually built with SSL VPN or IPSec VPN plus NAT, which makes network planning more complicated.
An encrypted data packet is larger than the original unencrypted packet. If the original packet is already close to or equal to the maximum packet size permitted by the PMTU, it will exceed the PMTU limit after encryption and will be fragmented by other network devices in transit, i.e. one large packet is split into two smaller packets. The encryption/decryption information of a single packet is stored per packet: the negotiated session key information, the random number, and even the MAC value used for verification all reside within that single packet. Since the encryption/decryption device has no IP address (it is not the destination of the fragments, and reassembly is done by the destination), it generally cannot reassemble fragmented packets, and therefore cannot correctly decrypt an encrypted packet that has been fragmented.
To guarantee that packets are not fragmented in a secure network without affecting the existing network architecture, while still guaranteeing the security of network communication, a device without an IP address can be added on the server side and on the client side to encrypt and decrypt data. But because the encrypted packet is usually larger than the unencrypted packet, and this process is transparent to the client and the server, the encrypted packet size easily exceeds the PMTU, which leads to fragmentation, and the fragmented packets cannot be decrypted correctly. Therefore, a new technical solution is urgently needed to solve the above problems in the prior art.
Summary of the invention
In view of the deficiencies in the prior art, the object of the present invention is to provide a method and system for guaranteeing that packets are not fragmented in a secure network. The method and system can guarantee, using an encryption/decryption device with no IP address, that packets are not fragmented in a secure network, so that data transmission is more efficient.
To achieve the above object, the technical solution adopted by the present invention is as follows:
A method for guaranteeing that packets are not fragmented in a secure network, comprising the following steps:
an encryption/decryption device is added separately on the server side and on the client side to protect the security of data transmitted over the Internet;
the encryption/decryption device monitors all packets and judges whether the size of each packet exceeds a safe threshold; if not, the packet is sent normally;
when a packet's size exceeds the safe threshold, the encryption/decryption device forges an ICMP packet (an ICMP Destination Unreachable message) from the information in that packet and sends it to the host, so that the host actively lowers its PMTU value, while the oversized packet is discarded.
Further, the encryption/decryption device is a network device without an IP address.
Further, the safe threshold is 1300 to 1450 bytes.
Further, the safe threshold is 1400 bytes.
The present invention also provides a system for guaranteeing that packets are not fragmented in a secure network, comprising a server and a client, where an encryption/decryption device has been added separately on the server side and on the client side to protect the security of data transmitted over the Internet, the encryption/decryption device being a network device without an IP address.
Further, the encryption/decryption device comprises the following modules:
a judgment module, for judging whether the size of a packet exceeds the safe threshold;
a packet forging module, for forging, when a packet's size exceeds the safe threshold, an ICMP packet (an ICMP Destination Unreachable message) from the information in that packet and sending it to the host, so that the host actively lowers its PMTU value, while the oversized packet is discarded.
The effect of the invention is that, using the method and system of the present invention, packets can be guaranteed not to be fragmented in a secure network even on an encryption/decryption device with no IP address, so that data transmission is more efficient.
Detailed description of the invention
Fig. 1 is a network architecture diagram of the prior art;
Fig. 2 is a network architecture diagram after applying the method and system of the invention;
Fig. 3 is a flow chart of the method described in the specific embodiment of the invention.
Specific embodiment
The present invention will be further described below with reference to the accompanying drawings and a specific embodiment.
The core of the invention is a new network architecture in which an encryption/decryption device is added on both the server side and the client side to protect the security of data transmitted over the Internet. So as not to affect the original network architecture, the newly added encryption/decryption device may be a network device without an IP address.
As shown in Fig. 2, a system for guaranteeing that packets are not fragmented in a secure network comprises a server and a client, with an encryption/decryption device added separately on the server side and on the client side to protect the security of data transmitted over the Internet; the encryption/decryption device is a network device without an IP address.
In the present embodiment, the encryption/decryption device comprises the following modules:
a judgment module, for judging whether the size of a packet exceeds the safe threshold;
a packet forging module, for forging, when a packet's size exceeds the safe threshold, an ICMP packet (an ICMP Destination Unreachable message) from the information in that packet and sending it to the host, so that the host actively lowers its PMTU value, while the oversized packet is discarded.
As shown in Fig. 3, a method for guaranteeing that packets are not fragmented in a secure network comprises the following steps:
an encryption/decryption device is added separately on the server side and on the client side to protect the security of data transmitted over the Internet;
the encryption/decryption device monitors all packets and judges whether the size of each packet exceeds a safe threshold; if not, the packet is sent normally;
when a packet's size exceeds the safe threshold, the encryption/decryption device forges an ICMP packet (an ICMP Destination Unreachable message) from the information in that packet and sends it to the host, so that the host actively lowers its PMTU value, while the oversized packet is discarded.
The encryption/decryption device is a network device without an IP address, and the safe threshold is 1300 to 1450 bytes. In the present embodiment, the safe threshold is 1400 bytes.
In the present invention, to solve the fragmentation problem, the packet size must be controlled at the source: the source host is made to "believe" that the PMTU is somewhat smaller than the actual PMTU, so that the packets it sends stay within the safe threshold and are not fragmented after passing through the encryption device.
Since the encryption device has no IP address, PMTU negotiation and propagation cannot be carried out according to the standard protocol (path MTU discovery, RFC 1191, in which the router that cannot forward a datagram sends the ICMP message from its own IP address).
The solution proposed by the present invention is: when a packet's size exceeds the safe threshold, the encryption/decryption device forges an ICMP packet (an ICMP Destination Unreachable message) from the information in that packet and sends it to the host, so that the host actively lowers its PMTU value, while the oversized packet is discarded.
An example follows:
Suppose the PMTU to some destination address is 1500. Encryption reserves about 100 bytes of headroom, so the safe threshold is 1400 bytes. That is, when a packet larger than 1400 bytes is received, the encryption device is triggered to send a forged ICMP packet to the source device of that packet, with 1400 written into the "Next-Hop MTU" field of the ICMP packet, so that the source device believes the PMTU is 1400. The destination address and source address of the ICMP packet are taken from the original packet: it is addressed to the original packet's source address and carries the original packet's destination address as its source address, which sidesteps the problem that the encryption/decryption device has no IP address of its own. The original IP packet is discarded at the same time.
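The device-side step just described (threshold check, ICMP type 3 code 4 addressed back to the source with the original destination spoofed as sender, Next-Hop MTU = 1400) together with the host-side validation a receiver should apply before trusting such a message, as an added worked example. This is editor-written Python over raw bytes using only the standard library; it is not code from the patent or from the assignee. The constructed sample packet, the addresses 10.0.0.2 and 10.0.0.9, the port numbers and the 576-byte sanity floor are assumptions. The host-side check is the practitioner's caveat: the message is unauthenticated and spoofed by design, which is exactly the mechanism RFC 5927 describes as an attack vector against TCP, so a receiver should at least confirm the ICMP checksum, confirm that the quoted header names a flow it actually sent, and bound the offered MTU.

```python
"""Forge and validate ICMP 'Fragmentation Needed' (RFC 792 type 3, RFC 1191 code 4) as a transparent encryptor would.

Added example, not the patent's code. Sample packet and addresses are constructed (assumptions).
"""
import socket
import struct

SAFE_THRESHOLD = 1400      # bytes of IP total length; the patent's embodiment (1300-1450 range)
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4
IPPROTO_ICMP = 1
IPPROTO_TCP = 6


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; returns 0 when run over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: bytes, dst: bytes, proto: int, payload: bytes, ident: int = 0, df: bool = False, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) with header checksum filled in, followed by the payload."""
    total_len = 20 + len(payload)
    flags_frag = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag, ttl, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def sample_tcp_packet(total_len: int, src: str = "10.0.0.2", dst: str = "10.0.0.9") -> bytes:
    """Constructed sample: IPv4/TCP packet of the requested total length (TCP header plus filler, TCP checksum left zero)."""
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 443, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    data = b"A" * (total_len - 20 - len(tcp_hdr))
    return build_ipv4(socket.inet_aton(src), socket.inet_aton(dst), IPPROTO_TCP, tcp_hdr + data, ident=0x1234, df=True)


def forge_frag_needed(packet: bytes, threshold: int = SAFE_THRESHOLD, next_hop_mtu: int = SAFE_THRESHOLD):
    """Device-side step: None means 'forward unchanged'; otherwise the forged ICMP datagram to send back to the source
    (the original packet itself is then dropped by the caller)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len <= threshold:
        return None
    src, dst = packet[12:16], packet[16:20]
    # RFC 792: the ICMP body quotes the original IP header plus the first 8 bytes of its payload (ports for TCP/UDP)
    quoted = packet[:ihl + 8]
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    # The device has no address of its own, so it spoofs the original destination as sender and aims at the original source
    return build_ipv4(dst, src, IPPROTO_ICMP, icmp)


def parse_frag_needed(icmp_packet: bytes, expected_src: bytes, expected_dst: bytes, min_mtu: int = 576):
    """Host-side check: return the Next-Hop MTU only if the message is well-formed, checksums, quotes a flow this
    host sent (expected_src -> expected_dst) and offers a plausible MTU (min_mtu is an assumed floor)."""
    if len(icmp_packet) < 20 or icmp_packet[9] != IPPROTO_ICMP:
        return None
    ihl = (icmp_packet[0] & 0x0F) * 4
    icmp = icmp_packet[ihl:]
    if len(icmp) < 8 + 20 + 8:
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if typ != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED or inet_checksum(icmp) != 0:
        return None
    quoted = icmp[8:]
    if quoted[12:16] != expected_src or quoted[16:20] != expected_dst:
        return None
    if mtu < min_mtu:
        return None
    return mtu


if __name__ == "__main__":
    big = sample_tcp_packet(1500)
    forged = forge_frag_needed(big)
    print("forged ICMP (%d bytes): %s" % (len(forged), forged.hex()))
    print("host accepts MTU:", parse_frag_needed(forged, big[12:16], big[16:20]))
    print("1400-byte packet forwarded unchanged:", forge_frag_needed(sample_tcp_packet(1400)) is None)
```

Run the file directly to see the forged datagram for a 1500-byte TCP segment; a 1400-byte packet sits at the threshold and forge_frag_needed returns None, which is the "send normally" branch. RFC 1191 defines Next-Hop MTU as the size of the whole IP datagram including headers, so comparing the IP total length against 1400 matches the value the host will subsequently use.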
It can be seen from the above embodiment that the technical solution of the present invention brings the following benefit: on an encryption/decryption device with no IP address, a forged ICMP packet informs the host of a false (smaller) PMTU, so that the host sends smaller packets, encryption and decryption proceed smoothly, and data transmission is more efficient.
Those skilled in the art will understand that the method and system of the present invention are not limited to the embodiment described in the specific embodiment; the above description is intended only to explain the purpose of the present invention and not to limit it. Those skilled in the art can derive other implementations from the technical scheme of the present invention, and these also belong to the scope of its technical innovation; the protection scope of the invention is defined by the claims and their equivalents.

Claims (9)

1. A method for guaranteeing that packets are not fragmented in a secure network, comprising the following steps:
an encryption/decryption device is added separately on the server side and on the client side to protect the security of data transmitted over the network;
the encryption/decryption device monitors all packets and judges whether the size of each packet exceeds a safe threshold; if not, the packet is sent normally;
when a packet's size exceeds the safe threshold, the encryption/decryption device forges an ICMP packet from the information in that packet and sends it to the host, so that the host actively lowers its PMTU value, while the oversized packet is discarded.
2. The method of claim 1, characterized in that the encryption/decryption device is a network device without an IP address.
3. The method of claim 1 or 2, characterized in that the safe threshold is 1300 to 1450 bytes.
4. The method of claim 3, characterized in that the safe threshold is 1400 bytes.
5. A system for guaranteeing that packets are not fragmented in a secure network, comprising a server and a client, characterized in that an encryption/decryption device has been added separately on the server side and on the client side to protect the security of data transmitted over the network.
6. The system of claim 5, characterized in that the encryption/decryption device is a network device without an IP address.
7. The system of claim 5, characterized in that the encryption/decryption device comprises the following modules:
a judgment module, for judging whether the size of a packet exceeds the safe threshold;
a packet forging module, for forging, when a packet's size exceeds the safe threshold, an ICMP packet from the information in that packet and sending it to the host, so that the host actively lowers its PMTU value, while the oversized packet is discarded.
8. The system of any one of claims 5 to 7, characterized in that the safe threshold is 1300 to 1450 bytes.
9. The system of claim 8, characterized in that the safe threshold is 1400 bytes.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710839134.6A CN109525535A (en) 2017-09-18 2017-09-18 A kind of method and system for guaranteeing message in secure network and not being fragmented

Publications (1)

Publication Number Publication Date
CN109525535A true CN109525535A (en) 2019-03-26

Family

ID=65769357

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710839134.6A Pending CN109525535A (en) 2017-09-18 2017-09-18 A kind of method and system for guaranteeing message in secure network and not being fragmented

Country Status (1)

Country Link
CN (1) CN109525535A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1633067A (en) * 2003-12-24 2005-06-29 上海华虹集成电路有限责任公司 A method of network data transmission
CN1744561A (en) * 2004-09-01 2006-03-08 华为技术有限公司 Super-long message processing method during message conversion process
CN102594677A (en) * 2012-02-15 2012-07-18 杭州华三通信技术有限公司 Method and device for path maximum transmission unit (PMTU) learning
US20150324593A1 (en) * 2014-05-09 2015-11-12 International Business Machines Corporation Intelligent security analysis and enforcement for data transfer

Similar Documents

Publication Publication Date Title
CN101136777B (en) Security management method of dual-encryption channel cooperation in network management system
CN106357690B (en) data transmission method, data sending device and data receiving device
CN104601550B (en) Reverse isolation file transmission system and method based on cluster array
CN110943913A (en) Industrial safety isolation gateway
CN102420770B (en) Method and equipment for negotiating internet key exchange (IKE) message
CN106254355B (en) A kind of security processing and system of the Internet protocol data packet
CN104811427B (en) A kind of safe industrial control system communication means
CN103441983A (en) Information protection method and device based on link layer discovery protocol
US20170359214A1 (en) IPSEC Acceleration Method, Apparatus, and System
CN111756627A (en) Cloud platform security access gateway of electric power monitored control system
CN110535748A (en) A kind of vpn tunneling model-based optimization method and system
CN106161386B (en) Method and device for realizing IPsec (Internet protocol Security) shunt
EP3713147A1 (en) Railway signal security encryption method and system
WO2016065787A1 (en) Rdp data collection apparatus and method
CN103023741B (en) VPN equipment obstacle management method
CN109525534A (en) A kind of method and system for guaranteeing message in secure network and not being fragmented
CN109525535A (en) A kind of method and system for guaranteeing message in secure network and not being fragmented
WO2022001937A1 (en) Service transmission method and apparatus, network device, and storage medium
CN205051736U (en) Safe high -efficient satellite data transmission system
CN112714439B (en) Method, device and equipment for secure transmission of communication data and storage medium
CN105407081A (en) Safe and high-efficiency satellite data transmission system and data synchronization and transmission method thereof
CN106506461A (en) A kind of implementation method of the safe DNP agreements based on SCADA system
CN103051639A (en) Online game gameguard system capable of realizing anti-offline plugin and online game gameguard method
CN108809888B (en) Safety network construction method and system based on safety module
CN110650016B (en) Method for realizing network data security of AC/DC control protection system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190326