CN109802954A - Method and device for deleting an IPSec SA during data transmission - Google Patents


Info

Publication number: CN109802954A
Application number (priority application): CN201811641177.4A
Authority: CN (China)
Prior art keywords: ike, linked list, notification message, ipsec, newly created
Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Original language: Chinese (zh)
Inventor: 李小佳
Original and current assignee: Beijing Qianxin Technology Co Ltd


Abstract

Embodiments of the invention disclose a method and device for deleting an IPSec SA during data transmission. When it is detected that an IKE SA has aged out and is to be deleted, the aged IKE SA is stored in a separate, newly created linked list. After the aged IKE SA has been deleted, a notification message that would have needed that IKE SA for decryption in order to delete an IPSec SA can instead be decrypted using the entry in the new list, so the IPSec SA to be deleted can still be found. Because the aged IKE SA is preserved in the new list, its deletion no longer breaks decryption of the notification message; the failure to delete the IPSec SA that would otherwise follow from an undecryptable notification is avoided, and the service keeps running normally.

Description

Method and device for deleting an IPSec SA during data transmission
Technical field
Embodiments of the present invention relate to the technical field of secure data transmission, and in particular to a method and device for deleting an IPSec SA during data transmission.
Background art
IPSec (IP Security) was developed alongside IPv6. It is an open-standard framework that uses cryptographic security services to ensure private, secure communication over Internet Protocol (IP) networks. The IPSec protocol suite includes a key management protocol, Internet Key Exchange (IKE), which dynamically authenticates IPSec peers, negotiates security services and automatically generates shared keys. A Security Association (SA) records the policy and policy parameters of each IP security path. SAs are the foundation of IPSec: an SA is an agreement established between the two communicating parties that determines the protocol used to protect packets, the transform mode, the keys and the key lifetime.
IPSec negotiation has two parts: the phase-1 IKE SA and the phase-2 IPSec SAs. Communication is only guaranteed to proceed normally when the IPSec SAs at the initiator and at the responder are consistent. However, during IPSec SA deletion, if the responder receives the notification message that deletes the IPSec SA while the IKE SA is aging out, the aged IKE SA may already have been deleted, so the notification message cannot be decrypted. The IPSec SA that needs to be deleted then cannot be found, the IPSec SAs at the initiator and the responder become inconsistent, and the service is disrupted.
In the course of implementing this application, the inventor found that the IPSec SA delete operation easily fails to execute while the IKE SA is aging out, leaving the IPSec SAs at the initiator and responder inconsistent and affecting service operation.
Summary of the invention
The invention solves the existing problem that, while the IKE SA is aging out, the delete operation on the IPSec SA cannot be executed, so that the IPSec SAs at the initiator and responder become inconsistent and service operation is affected.
To address this technical problem, embodiments of the invention provide a method for deleting an IPSec SA during data transmission, comprising:
when it is detected that an IKE SA has aged out and is to be deleted, storing the aged IKE SA that is to be deleted in a newly created linked list (the new list);
during the encrypted-and-authenticated phase of data transmission, if a notification message is received, judging whether the notification message can be decrypted using the existing IKE SA storage list and, if it cannot, decrypting the notification message using the new list to obtain the decrypted content;
if it is judged from the decrypted content that an IPSec SA needs to be deleted, obtaining from the decrypted content the first SPI corresponding to the IPSec SA to be deleted, looking up the IPSec SA in the IPSec SA storage list by the first SPI, and deleting the IPSec SA that is found.
Embodiments of the invention provide a device for deleting an IPSec SA during data transmission, comprising:
a storage module, configured to store the aged IKE SA that is to be deleted in a newly created list when it is detected that an IKE SA has aged out and is to be deleted;
a decryption module, configured to judge, when a notification message is received during the encrypted-and-authenticated phase of data transmission, whether the notification message can be decrypted using the existing IKE SA storage list and, if it cannot, to decrypt the notification message using the new list to obtain the decrypted content;
a deletion module, configured to obtain, when it is judged from the decrypted content that an IPSec SA needs to be deleted, the first SPI corresponding to the IPSec SA to be deleted from the decrypted content, look up the IPSec SA in the IPSec SA storage list by the first SPI, and delete the IPSec SA that is found.
Embodiments of the invention provide an electronic device, comprising:
at least one processor, at least one memory, a communication interface and a bus; wherein
the processor, the memory and the communication interface communicate with one another over the bus;
the communication interface is used for information transfer between the electronic device and the communication equipment of other electronic devices;
the memory stores program instructions executable by the processor, and the processor calls the program instructions to perform the method described above.
Embodiments also provide a non-transitory computer-readable storage medium storing computer instructions that cause a computer to perform the method described above.
In the method and device provided by these embodiments, when it is detected that an IKE SA has aged out and is to be deleted, the aged IKE SA is stored in a separate, newly created list. After the aged IKE SA has been deleted, a notification message that would have needed that IKE SA for decryption in order to delete an IPSec SA can instead be decrypted using the new list, so the IPSec SA to be deleted can still be found. Preserving the aged IKE SA in the new list means its deletion no longer affects decryption of the notification message; the failure to delete the IPSec SA that would otherwise follow is avoided, and the service keeps running normally.
Detailed description of the invention
To explain the technical solutions of the embodiments of the invention, or of the prior art, more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Clearly, the drawings described below illustrate only some embodiments of the invention; a person of ordinary skill in the art could derive other drawings from them without creative effort.
Fig. 1 is a flow diagram of a method for deleting an IPSec SA during data transmission, provided by one embodiment of the invention;
Fig. 2 is a structural block diagram of a device for deleting an IPSec SA during data transmission, provided by another embodiment of the invention;
Fig. 3 is a structural block diagram of an electronic device provided by another embodiment of the invention.
Specific embodiment
To make the objects, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are evidently only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
In ordinary data transmission, when an IKE SA ages out, a new IKE SA is renegotiated at the moment of aging, so the aging of the IKE SA does not affect the IPSec SAs. In practice, however, an IPSec SA may also be deleted actively, for example because the initiator or the responder changes its configuration or an administrator deletes it manually. In that case the peer sends a notification message to delete the IPSec SA, and the receiving end performs the deletion once it receives the notification.
The process of deleting an IPSec SA on receipt of a notification message is as follows: the corresponding IKE SA is located by the SPI carried in the notification message; a new IV is generated from the initial IV in the IKE SA and the Message ID in the notification message; the notification message is decrypted with the Key from the IKE SA and the new IV; the phase-2 SPI is obtained from the decrypted content; the corresponding IPSec SA is looked up by that phase-2 SPI; and that IPSec SA is deleted.
When many IPSec SA delete notifications are sent and they happen to straddle the moment at which the IKE SA ages out, the notifications received before the IKE SA aged out are processed normally and the corresponding IPSec SAs are deleted. The notifications received after the IKE SA aged out, however, cannot be decrypted: the IKE SA has been deleted, no IKE SA matching the SPI in the notification can be found, and so the IPSec SA on which the delete operation should be performed cannot be found either. The IPSec SAs at the two ends become inconsistent and the service is affected. To solve this problem, Fig. 1 shows the flow of the method for deleting an IPSec SA during data transmission provided by this embodiment. Referring to Fig. 1, the method comprises:
101: when it is detected that an IKE SA has aged out and is to be deleted, store the aged IKE SA that is to be deleted in a newly created linked list (the new list);
102: during the encrypted-and-authenticated phase of data transmission, if a notification message is received, judge whether it can be decrypted using the existing IKE SA storage list; if it cannot, decrypt the notification message using the new list to obtain the decrypted content;
103: if it is judged from the decrypted content that an IPSec SA needs to be deleted, obtain from the decrypted content the first SPI corresponding to the IPSec SA to be deleted, look up the IPSec SA in the IPSec SA storage list by the first SPI, and delete the IPSec SA that is found.
The method provided by this embodiment is executed by the receiving end of the notification message that deletes the IPSec SA. The receiving end may be a server or a terminal device (for example a mobile phone or a computer); this embodiment places no particular limit on it. An IKE SA has a configured lifetime; when the lifetime expires the IKE SA ages out, and the aged IKE SA is deleted. The method provided by this embodiment additionally creates an independent new list in which the IKE SA is stored when it ages out and is deleted. When the existing IKE SA storage list contains no IKE SA corresponding to the second SPI carried in the notification message, the corresponding IKE SA can be found in the new list and the notification message can be decrypted, so that IKE SA aging no longer prevents the deletion of IPSec SAs and the service keeps running normally.
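The receiving-end flow of steps 101 to 103, written out as an added example; it is not code from the patent or from its assignee. The names, the five-byte delete payload layout and the stand-in cipher are assumptions made for the example: a real IKE daemon decrypts with the negotiated cipher (AES-CBC or similar), and an IKEv1 informational exchange also carries a HASH payload that must be verified before the delete is acted on, which this example omits. The IV derivation follows the text: the new IV is a hash over the initial IV and the Message ID, mirroring IKEv1, where the IV of a phase-2 or informational message is a hash of the phase-1 CBC state and the Message ID (RFC 2409, Appendix B). The scenario in demo() is constructed: the delete notification is built while the IKE SA is live, the IKE SA then ages out and is moved to the new list, and only afterwards is the notification processed.

```python
"""Added example: lookup of an aged-out IKE SA to decrypt a delete notification.
Not the patent's code; names, payload layout and cipher are assumptions."""
import hashlib
import struct
from dataclasses import dataclass

NOTIFY_DELETE = 0x01          # assumed payload type code for "delete IPSec SA"


@dataclass
class IkeSa:
    spi: bytes                # identifies the IKE SA (the "second SPI" of the text)
    key: bytes                # encryption key of the IKE SA
    initial_iv: bytes         # IV fixed when the IKE SA was established


def derive_iv(initial_iv: bytes, message_id: int) -> bytes:
    """New IV = hash(initial IV || Message ID), truncated to a 16-byte block."""
    return hashlib.sha256(initial_iv + struct.pack(">I", message_id)).digest()[:16]


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # Stand-in cipher (SHA-256 keystream) so the example runs with the standard
    # library only; a real IKE implementation uses the negotiated cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + struct.pack(">I", counter)).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(key, iv, len(plaintext))))


decrypt = encrypt  # XOR keystream: decryption is the same operation


@dataclass
class Notification:
    ike_spi: bytes            # second SPI: which IKE SA protects this message
    message_id: int
    ciphertext: bytes         # encrypted payload naming the IPSec SA to delete


def build_delete_notification(sa: IkeSa, message_id: int, ipsec_spi: int) -> Notification:
    """Sender side. Assumed payload: type byte || 4-byte IPSec SPI (the 'first SPI')."""
    payload = struct.pack(">BI", NOTIFY_DELETE, ipsec_spi)
    iv = derive_iv(sa.initial_iv, message_id)
    return Notification(sa.spi, message_id, encrypt(sa.key, iv, payload))


class Receiver:
    def __init__(self) -> None:
        self.ike_sas = {}         # existing IKE SA storage list: spi -> IkeSa
        self.aged_ike_sas = {}    # the newly created list of aged-out IKE SAs
        self.ipsec_sas = {}       # IPSec SA storage list: spi -> description

    def age_out_ike_sa(self, ike_spi: bytes) -> None:
        """Step 101: on aging, keep only SPI, Key and initial IV in the new list."""
        sa = self.ike_sas.pop(ike_spi)
        self.aged_ike_sas[ike_spi] = IkeSa(sa.spi, sa.key, sa.initial_iv)

    def handle_notification(self, note: Notification) -> str:
        """Steps 102 and 103; returns a status string for the caller."""
        sa = self.ike_sas.get(note.ike_spi)            # existing list first
        if sa is None:
            sa = self.aged_ike_sas.get(note.ike_spi)   # then the new list
        if sa is None:
            return "alert: no IKE SA for SPI %s" % note.ike_spi.hex()
        iv = derive_iv(sa.initial_iv, note.message_id)
        plaintext = decrypt(sa.key, iv, note.ciphertext)
        kind, ipsec_spi = struct.unpack(">BI", plaintext)
        if kind != NOTIFY_DELETE:
            return "ignored: not a delete notification"
        if ipsec_spi not in self.ipsec_sas:
            return "alert: no IPSec SA for SPI 0x%08x" % ipsec_spi
        del self.ipsec_sas[ipsec_spi]
        return "deleted IPSec SA 0x%08x" % ipsec_spi


def demo() -> tuple:
    """Constructed scenario: the delete notification is handled after the IKE SA aged out."""
    sa = IkeSa(spi=bytes.fromhex("0011223344556677"), key=b"k" * 16, initial_iv=b"\x01" * 16)
    rx = Receiver()
    rx.ike_sas[sa.spi] = sa
    rx.ipsec_sas[0xC0FFEE01] = "esp tunnel 10.0.0.1 -> 10.0.0.2 (constructed)"
    note = build_delete_notification(sa, message_id=42, ipsec_spi=0xC0FFEE01)
    rx.age_out_ike_sa(sa.spi)            # IKE SA is gone before the notice is processed
    status = rx.handle_notification(note)
    return status, len(rx.ipsec_sas)


if __name__ == "__main__":
    print(demo())
```

Without the aged list the same notification would fall through to the "no IKE SA" alert and the IPSec SA would stay behind on the receiver, which is the inconsistency the text describes. Note that keeping the Key of an expired IKE SA extends the time that key is resident; the count and survival-time limits of the later embodiment are what bound that exposure.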
Further, on the basis of the above embodiment, storing the aged IKE SA that is to be deleted in the newly created list when it is detected that an IKE SA has aged out and is to be deleted comprises:
when it is detected that an IKE SA has aged out and is to be deleted, storing the SPI, the Key and the initial IV corresponding to the aged IKE SA that is to be deleted in the newly created list.
When the aged IKE SA is deleted, only part of its information is stored: for example, only the SPI, the Key and the initial IV corresponding to the aged IKE SA are stored in the new list. Compared with storing the complete aged IKE SA, storing only this partial information saves memory and improves resource utilization.
The method provided by this embodiment stores in the new list only the information from the aged IKE SA that is useful for decrypting the notification message, saving resource space without affecting the decryption of the notification message.
Further, on the basis of the above embodiments, judging, when a notification message is received, whether the notification message can be decrypted using the existing IKE SA storage list and, if it cannot, decrypting it using the new list to obtain the decrypted content, comprises:
if a notification message is received, obtaining the second SPI carried in the notification message and judging whether an IKE SA corresponding to the second SPI can be found in the IKE SA storage list;
if an IKE SA corresponding to the second SPI can be found in the IKE SA storage list, decrypting the notification message with the IKE SA that is found to obtain the decrypted content;
if no IKE SA corresponding to the second SPI can be found in the IKE SA storage list, judging whether an IKE SA corresponding to the second SPI can be found in the new list; if so, decrypting the notification message with the IKE SA that is found to obtain the decrypted content; otherwise, issuing an alert that no IKE SA corresponding to the second SPI could be found.
The notification message carries the Security Parameter Index (SPI) of the IKE SA used to decrypt it, that is, the second SPI. When the receiving end receives the notification message, if an IKE SA corresponding to the second SPI can be found in the original IKE SA storage list, the notification message is decrypted with that IKE SA. If no IKE SA corresponding to the second SPI can be found in the IKE SA storage list, the IKE SA corresponding to the second SPI is looked up in the new list and the notification message is decrypted with the IKE SA found there. If no IKE SA corresponding to the second SPI can be found in the new list either, an alert is issued so that the responsible staff can understand why the service is affected and take timely measures to restore normal operation. The alert may be delivered, for example, by sending an SMS message or an e-mail to the responsible staff; this embodiment places no particular limit on it.
The method provided by this embodiment looks up the corresponding IKE SA by the second SPI carried in the notification message, decrypts the notification message with the IKE SA that is found, obtains the decrypted content, and executes the instruction in the decrypted content.
Further, on the basis of the above embodiments, decrypting the notification message with the IKE SA that is found to obtain the decrypted content comprises:
obtaining the Key and the initial IV corresponding to the IKE SA that is found, obtaining the Message ID from the notification message, and generating a new IV from the Message ID and the initial IV;
decrypting the notification message with the new IV and the Key corresponding to the IKE SA that is found, to obtain the decrypted content.
The notification message is encrypted using values computed from the Key, the initial IV, the Message ID and so on of the IKE SA. After the receiving end receives the notification message, it looks up the IKE SA by the second SPI carried in the notification, decrypts the notification with the IKE SA that is found, and obtains the decrypted content. The decrypted content contains a further SPI obtained by decryption; this SPI is the first SPI, corresponding to the IPSec SA that must be looked up. When the decrypted content instructs that a delete operation be performed on an IPSec SA, the IPSec SA is looked up by the first SPI and the IPSec SA that is found is deleted.
The method provided by this embodiment uses the new SPI in the decrypted content of the notification message to look up the IPSec SA in the IPSec SA storage list, and performs on the IPSec SA that is found the operation indicated by the decrypted content.
Further, on the basis of the above embodiments, the method further comprises:
when the aged IKE SA is stored in the new list, also storing in the new list the IKE SAs located before the aged IKE SA in the IKE SA storage list;
wherein the total number of IKE SAs stored in the new list is less than a preset number, and the survival time of an IKE SA stored in the new list is less than a preset survival time.
Further, the preset survival time is the life cycle of an IKE SA.
Limiting the number of IKE SAs stored in the new list prevents an excessive number of IKE SAs from occupying too much resource space. Setting a survival time allows IKE SAs that have stayed in the new list too long and will not be used again to be cleaned up in time, so that useless IKE SAs do not occupy resource space.
The method provided by this embodiment, through the preset number and the preset survival time, ensures that the number of IKE SAs in the new list does not grow too large, prevents the new list from occupying a large amount of memory, and makes reasonable use of resource space.
Specifically, the method provided by this embodiment retains the SPI, the Key and the initial IV of the aged IKE SA and records them in a separate list. Only part of the content of the most recently aged IKE SAs needs to be recorded, and the number of records can be customized. A timer can be set for the retained part so that it is aged out after a customizable time.
When an IKE SA has aged out and a notification message is received, the corresponding Key and initial IV can be found by the SPI value in the notification message; the notification message is decrypted by computation, the phase-2 SPI is obtained, the list storing the IPSec SAs is searched, and the IPSec SA that is found is deleted.
The method provided by this embodiment leaves the message processing flow unchanged and adds only one list lookup. When a notification message is received, the list of successfully established IKE SAs is searched first by SPI; if that lookup fails, the list of aged IKE SAs is searched; once a match is found the decryption is computed and the delete operation is performed. This method completes the processing flow after IKE SA aging and solves the problem that a message cannot be processed, so that the deletion fails, because the information needed to decrypt the message can no longer be found once the IKE SA has aged out.
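The bounded, time-limited list of aged IKE SAs described above (the preset number, the preset survival time and the timer on the retained part), as an added example that is not the patent's code. It keeps only SPI, Key and initial IV per entry, drops the oldest entry when the preset number is exceeded, expires entries whose survival time has passed, and zeroes the retained Key bytes on eviction; the zeroing is an added practice the page does not mention but a practitioner would want, since the list deliberately keeps key material past the IKE SA's own lifetime. The class and method names, the default limits and the injectable clock are assumptions made for the example; claim 5's additional copying of the IKE SAs that precede the aged one in the storage list is not modelled.

```python
"""Added example: bounded, time-limited list of aged-out IKE SAs.
Not the patent's code; names, defaults and the injected clock are assumptions."""
import time
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class AgedIkeSa:
    key: bytearray          # mutable so it can be zeroed when the entry is evicted
    initial_iv: bytes
    expires_at: float       # clock value after which the entry is no longer usable


class AgedIkeSaList:
    def __init__(self, max_entries: int = 64, survival_seconds: float = 3600.0,
                 clock=time.monotonic) -> None:
        self.max_entries = max_entries        # the "preset number"
        self.survival = survival_seconds      # the "preset survival time"
        self.clock = clock                    # injectable for deterministic tests
        self._entries: "OrderedDict[bytes, AgedIkeSa]" = OrderedDict()  # insertion order = age

    def __len__(self) -> int:
        return len(self._entries)

    @staticmethod
    def _wipe(entry: AgedIkeSa) -> None:
        entry.key[:] = bytes(len(entry.key))  # overwrite the retained key material

    def evict_expired(self) -> int:
        """The timer of the text: drop every entry whose survival time has passed."""
        now = self.clock()
        stale = [spi for spi, e in self._entries.items() if e.expires_at <= now]
        for spi in stale:
            self._wipe(self._entries.pop(spi))
        return len(stale)

    def add(self, spi: bytes, key: bytearray, initial_iv: bytes) -> None:
        """Store an aged IKE SA (takes ownership of `key`); oldest entries go when the cap is exceeded."""
        self.evict_expired()
        if spi in self._entries:
            self._wipe(self._entries.pop(spi))
        self._entries[spi] = AgedIkeSa(key, initial_iv, self.clock() + self.survival)
        while len(self._entries) > self.max_entries:
            _, oldest = self._entries.popitem(last=False)
            self._wipe(oldest)

    def lookup(self, spi: bytes):
        """Return (key, initial_iv) for a still-valid aged IKE SA, or None."""
        self.evict_expired()
        entry = self._entries.get(spi)
        return None if entry is None else (bytes(entry.key), entry.initial_iv)
```

The receiver's fallback path is then a single lookup(second_spi) call after the existing IKE SA list misses; a None result is the case in which the text raises an alert to the operator.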
Fig. 2 shows the structural block diagram of a device for deleting an IPSec SA during data transmission provided by an embodiment of the invention. Referring to Fig. 2, the device provided by this embodiment comprises a storage module 201, a decryption module 202 and a deletion module 203, wherein
the storage module 201 is configured to store the aged IKE SA that is to be deleted in a newly created list when it is detected that an IKE SA has aged out and is to be deleted;
the decryption module 202 is configured to judge, when a notification message is received during the encrypted-and-authenticated phase of data transmission, whether the notification message can be decrypted using the existing IKE SA storage list and, if it cannot, to decrypt the notification message using the new list to obtain the decrypted content;
the deletion module 203 is configured to obtain, when it is judged from the decrypted content that an IPSec SA needs to be deleted, the first SPI corresponding to the IPSec SA to be deleted from the decrypted content, look up the IPSec SA in the IPSec SA storage list by the first SPI, and delete the IPSec SA that is found.
The device for deleting an IPSec SA during data transmission provided by this embodiment is suitable for the method for deleting an IPSec SA during data transmission provided by the above embodiments, and is not described again here.
Fig. 3 is a structural block diagram of the electronic device provided by this embodiment.
Referring to Fig. 3, the electronic device comprises: a processor 301, a memory 302, a communication interface 303 and a bus 304;
wherein
the processor 301, the memory 302 and the communication interface 303 communicate with one another over the bus 304;
the communication interface 303 is used for information transfer between the electronic device and the communication equipment of other electronic devices;
the processor 301 is used to call the program instructions in the memory 302 to execute the method provided by the method embodiments above, for example: when it is detected that an IKE SA has aged out and is to be deleted, store the aged IKE SA that is to be deleted in a newly created list; during the encrypted-and-authenticated phase of data transmission, if a notification message is received, judge whether it can be decrypted using the existing IKE SA storage list and, if it cannot, decrypt the notification message using the new list to obtain the decrypted content; if it is judged from the decrypted content that an IPSec SA needs to be deleted, obtain from the decrypted content the first SPI corresponding to the IPSec SA to be deleted, look up the IPSec SA in the IPSec SA storage list by the first SPI, and delete the IPSec SA that is found.
This embodiment provides a non-transitory computer-readable storage medium storing computer instructions that cause a computer to execute the method provided by the method embodiments above, for example the method of steps 101 to 103 described above.
This embodiment discloses a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium. The computer program comprises program instructions which, when executed by a computer, enable the computer to execute the method provided by the method embodiments above, for example the method of steps 101 to 103 described above.
A person of ordinary skill in the art will understand that all or part of the steps of the above method embodiments can be completed by hardware under the direction of program instructions. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes various media capable of storing program code, such as ROM, RAM, magnetic disks or optical discs.
The embodiments such as the electronic device described above are merely illustrative. Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over several network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. A person of ordinary skill in the art can understand and implement this without creative effort.
From the above description of the embodiments, a person skilled in the art can clearly understand that each embodiment can be implemented by software plus a necessary general-purpose hardware platform, or of course by hardware. On this understanding, the technical solution above, or the part of it that contributes to the prior art, can be embodied in the form of a software product. The computer software product may be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc, and comprises several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute the method described in each embodiment or in certain parts of the embodiments.
Finally, it should be noted that the above embodiments are intended only to illustrate, not to limit, the technical solutions of the embodiments of the invention. Although the embodiments of the invention have been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art will understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some or all of their technical features replaced by equivalents, and that such modifications or replacements do not take the essence of the corresponding technical solutions outside the scope of the technical solutions of the embodiments of the invention.

Claims (12)

1. A method for deleting an IPSec SA during data transmission, characterized in that it comprises:
when it is detected that an IKE SA has aged and is to be deleted, storing the aged IKE SA to be deleted into a newly created linked list;
during the encrypted authentication of data transmission, if a notification message is received, judging whether the notification message can be decrypted via the existing IKE SA storage linked list; if it cannot, decrypting the notification message via the newly created linked list to obtain decrypted content;
if it is judged from the decrypted content that an IPSec SA needs to be deleted, obtaining from the decrypted content the first SPI corresponding to the IPSec SA to be deleted, looking up the IPSec SA in the IPSec SA storage linked list by the first SPI, and deleting the IPSec SA found.
2. The method according to claim 1, wherein storing the aged IKE SA to be deleted into the newly created linked list when it is detected that an IKE SA has aged and is to be deleted comprises:
when it is detected that an IKE SA has aged and is to be deleted, storing the SPI, Key and initial IV corresponding to the aged IKE SA to be deleted into the newly created linked list.
3. The method according to claim 2, wherein, if a notification message is received, judging whether the notification message can be decrypted via the existing IKE SA storage linked list and, if it cannot, decrypting the notification message via the newly created linked list to obtain decrypted content comprises:
if a notification message is received, obtaining a second SPI carried in the notification message, and judging whether an IKE SA corresponding to the second SPI can be found in the IKE SA storage linked list;
if an IKE SA corresponding to the second SPI can be found in the IKE SA storage linked list, decrypting the notification message via the IKE SA found, obtaining decrypted content;
if no IKE SA corresponding to the second SPI can be found in the IKE SA storage linked list, judging whether an IKE SA corresponding to the second SPI can be found in the newly created linked list; if so, decrypting the notification message via the IKE SA found, obtaining decrypted content; otherwise, issuing prompt information that no IKE SA corresponding to the second SPI can be found.
4. The method according to claim 3, wherein decrypting the notification message via the IKE SA found and obtaining decrypted content comprises:
obtaining the Key and initial IV corresponding to the IKE SA found, obtaining the Message ID in the notification message, and generating a new IV from the Message ID and the initial IV;
decrypting the notification message with the new IV and the Key corresponding to the IKE SA found, obtaining decrypted content.
5. The method according to claim 1, further comprising:
when storing the aged IKE SA into the newly created linked list, also storing into the newly created linked list the IKE SAs located before the aged IKE SA in the IKE SA storage linked list;
wherein the total number of IKE SAs stored in the newly created linked list is less than a predetermined number, and the time-to-live of the IKE SAs stored in the newly created linked list is less than a preset time-to-live.
6. A device for deleting an IPSec SA during data transmission, characterized in that it comprises:
a storage module, configured to store, when it is detected that an IKE SA has aged and is to be deleted, the aged IKE SA to be deleted into a newly created linked list;
a decryption module, configured to judge, during the encrypted authentication of data transmission, if a notification message is received, whether the notification message can be decrypted via the existing IKE SA storage linked list and, if it cannot, to decrypt the notification message via the newly created linked list, obtaining decrypted content;
a deletion module, configured to obtain, if it is judged from the decrypted content that an IPSec SA needs to be deleted, the first SPI corresponding to the IPSec SA to be deleted from the decrypted content, to look up the IPSec SA in the IPSec SA storage linked list by the first SPI, and to delete the IPSec SA found.
7. The device according to claim 6, characterized in that the storage module is further configured to store, when it is detected that an IKE SA has aged and is to be deleted, the SPI, Key and initial IV corresponding to the aged IKE SA to be deleted into the newly created linked list.
8. The device according to claim 7, characterized in that the decryption module is further configured to: if a notification message is received, obtain a second SPI carried in the notification message, and judge whether an IKE SA corresponding to the second SPI can be found in the IKE SA storage linked list; if an IKE SA corresponding to the second SPI can be found in the IKE SA storage linked list, decrypt the notification message via the IKE SA found, obtaining decrypted content; if no IKE SA corresponding to the second SPI can be found in the IKE SA storage linked list, judge whether an IKE SA corresponding to the second SPI can be found in the newly created linked list; if so, decrypt the notification message via the IKE SA found, obtaining decrypted content; otherwise, issue prompt information that no IKE SA corresponding to the second SPI can be found.
9. The device according to claim 7, characterized in that the decryption module is further configured to obtain the Key and initial IV corresponding to the IKE SA found, obtain the Message ID in the notification message, and generate a new IV from the Message ID and the initial IV; and to decrypt the notification message with the new IV and the Key corresponding to the IKE SA found, obtaining decrypted content.
10. The device according to claim 6, characterized in that the storage module is further configured to store, when storing the aged IKE SA into the newly created linked list, the IKE SAs located before the aged IKE SA in the IKE SA storage linked list into the newly created linked list as well;
wherein the total number of IKE SAs stored in the newly created linked list is less than a predetermined number, and the time-to-live of the IKE SAs stored in the newly created linked list is less than a preset time-to-live.
11. An electronic device, characterized in that it comprises:
at least one processor, at least one memory, a communication interface and a bus; wherein
the processor, the memory and the communication interface communicate with one another via the bus;
the communication interface is used for information transmission between the electronic device and the communication equipment of other electronic devices;
the memory stores program instructions executable by the processor, and the processor, by calling the program instructions, is able to execute the method according to any one of claims 1 to 5.
12. A non-transitory computer-readable storage medium, characterized in that the non-transitory computer-readable storage medium stores computer instructions, and the computer instructions cause a computer to execute the method according to any one of claims 1 to 5.
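The flow claimed in claims 1 to 5, as an added Python model that is not code from the patent or its applicant: an active IKE SA list, a separate bounded list for aged-out IKE SAs, IV derivation from the initial IV and Message ID, and IPSec SA deletion by the SPI carried in the decrypted notification. The HMAC-keystream cipher, the SHA-256 IV derivation, the `DELETE:<spi>` payload format and the count cap of 4 and TTL of 30 s are assumptions made for the example, not details the patent specifies.

```python
import hashlib
import hmac

def derive_iv(initial_iv: bytes, message_id: int) -> bytes:
    """Claim 4: per-message IV from the IKE SA's initial IV and the notification's Message ID."""
    return hashlib.sha256(initial_iv + message_id.to_bytes(4, "big")).digest()[:16]

def crypt(key: bytes, iv: bytes, data: bytes) -> bytes:  # constructed HMAC-keystream cipher
    stream = b"".join(hmac.new(key, iv + bytes([i]), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))  # symmetric stand-in, not IKE's cipher
    return bytes(a ^ b for a, b in zip(data, stream))

class SaStore:
    def __init__(self, max_aged: int = 4, aged_ttl: float = 30.0):
        self.active = {}        # IKE SPI -> (Key, initial IV): the existing IKE SA list
        self.aged = []          # (IKE SPI, Key, initial IV, stored_at): the separate new list
        self.ipsec_sas = set()  # installed IPSec SPIs
        self.max_aged, self.aged_ttl = max_aged, aged_ttl

    def age_out(self, ike_spi: bytes, now: float) -> None:
        """Claims 2 and 5: keep the aged SA's SPI, Key and initial IV, bounded by count and TTL."""
        key, iv = self.active.pop(ike_spi)
        self.aged = [e for e in self.aged if now - e[3] < self.aged_ttl] + [(ike_spi, key, iv, now)]
        del self.aged[:max(0, len(self.aged) - self.max_aged + 1)]  # stay below the cap, oldest first

    def lookup(self, ike_spi: bytes, now: float):  # claim 3: existing list first, then the aged list
        if ike_spi in self.active:
            return self.active[ike_spi]
        for spi, key, iv, stored_at in self.aged:
            if spi == ike_spi and now - stored_at < self.aged_ttl:
                return key, iv
        return None  # no IKE SA matches the notification's SPI

    def handle_notify(self, ike_spi: bytes, message_id: int, body: bytes, now: float):
        """Decrypt a DELETE notification and remove the named IPSec SA; returns its SPI or None."""
        found = self.lookup(ike_spi, now)
        plain = crypt(found[0], derive_iv(found[1], message_id), body) if found else b""
        if not plain.startswith(b"DELETE:") or plain[7:] not in self.ipsec_sas:
            return None
        self.ipsec_sas.remove(plain[7:])  # claim 1: look up by the first SPI and delete it
        return plain[7:]

def demo() -> tuple:
    store, key, iv0 = SaStore(), b"k" * 32, b"v" * 16                # constructed sample IKE SA
    store.active[b"\x00\x01"], store.ipsec_sas = (key, iv0), {b"\xab\xcd"}
    store.age_out(b"\x00\x01", now=100.0)                            # IKE SA aged and deleted
    body = crypt(key, derive_iv(iv0, 7), b"DELETE:\xab\xcd")         # peer's encrypted notify
    late = store.handle_notify(b"\x00\x01", 7, body, now=110.0)      # within the 30 s TTL
    expired = store.handle_notify(b"\x00\x01", 7, body, now=200.0)   # past the TTL
    return late, expired, b"\xab\xcd" in store.ipsec_sas
```

`demo()` shows the failure the patent addresses and its fix: the notification still decrypts after the IKE SA aged out, and once the aged entry passes its TTL the lookup fails cleanly instead of deleting anything.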
Priority Applications (1)

Application Number   Priority Date   Filing Date   Title
CN201811641177.4A (CN109802954A, en)   2018-12-29   2018-12-29   Method and device for deleting an IPSec SA during data transmission (status: Pending)

Publications (1)

Publication Number Publication Date
CN109802954A (en)   2019-05-24

Family

ID=66558260

Country Status (1)

Country Link
CN (1) CN109802954A (en)

Legal Events

Code   Title
PB01   Publication
SE01   Entry into force of request for substantive examination
RJ01   Rejection of invention patent application after publication

Application publication date: 20190524