CN110365570B - IPSec (Internet protocol Security) traffic forwarding method and device and electronic equipment - Google Patents

Info

Publication number: CN110365570B
Authority: CN (China)
Prior art keywords: target, ipsec, table entry, historical, renegotiation
Legal status: Active
Application number: CN201910653932.9A
Other languages: Chinese (zh)
Other versions: CN110365570A
Inventor: 黄春平
Current Assignee: Hangzhou DPTech Technologies Co Ltd
Original Assignee: Hangzhou DPTech Technologies Co Ltd
Events: application filed by Hangzhou DPTech Technologies Co Ltd; priority to CN201910653932.9A; publication of CN110365570A; application granted; publication of CN110365570B; legal status active.

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks > H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] > H04L12/46 Interconnection of networks > H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L12/46 Interconnection of networks > H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L63/00 Network architectures or network communication protocols for network security > H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls > H04L63/0272 Virtual private networks
    • H04L63/00 Network architectures or network communication protocols for network security > H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks > H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/00 Network architectures or network communication protocols for network security > H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general > H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Abstract

The application provides an IPSec traffic forwarding method, an IPSec traffic forwarding device, an electronic device and a machine-readable storage medium. In the application, a target fast forwarding table entry corresponding to the target IPSec traffic is obtained from a preset fast forwarding table; whether the initial negotiation SA policy has expired is monitored; if so, the target IPSec traffic is renegotiated with the peer device to obtain a corresponding renegotiation SA policy; the SA driving table is updated based on the renegotiation SA policy and the historical SA table entry; the target fast forwarding table entry is updated based on the updated SA driving table; and, based on the updated target fast forwarding table entry, the target IPSec traffic is encrypted and encapsulated accordingly and forwarded to the peer device. In this way the negotiated SA policy is switched smoothly to the renegotiation SA policy, IPSec traffic continues to be forwarded, and IPSec traffic interruption caused by updating to the renegotiation SA policy is avoided.

Description

IPSec (Internet protocol Security) traffic forwarding method and device and electronic equipment
Technical Field
The present application relates to the field of communications technologies, and in particular, to an IPSec traffic forwarding method and apparatus, an electronic device, and a machine-readable storage medium.
Background
With the rapid development of the economy and society and the growing degree of enterprise informatization, it is a common requirement that the headquarters of an enterprise and each of its subsidiaries or offices exchange and transmit information across the internet, and a Virtual Private Network (VPN) is a remote access technology for meeting this requirement. VPNs are divided according to application mode and may include multiple types; the tunnel protocol IPSec (Internet Protocol Security) is one of the tunnel protocols. Encryption of data in an IPSec VPN is performed per data packet rather than per entire data stream, which is not only flexible but also helps to further improve the security of IP data packets and can effectively prevent network attacks.
A VPN using IPSec as its tunneling protocol provides high-quality, interoperable, cryptography-based security guarantees for data transmitted over the internet. Through encryption, data source authentication and similar mechanisms at the IP layer, an IPSec VPN provides security services such as data confidentiality, data integrity and data source authentication among the communicating parties.
Disclosure of Invention
The application provides an IPSec traffic forwarding method applied to IPSec peers in an IPSec VPN networking; when the IPSec VPN networking is in operation, an IPSec peer may be configured as the local device or the peer device. The local device holds an initial negotiation SA policy, obtained by negotiation with the peer device and used for forwarding the target IPSec traffic, and a target SA table entry, located in a preset SA driving table and corresponding to the initial negotiation SA policy, which serves as the historical SA table entry. When the IPSec peer is the local device, the method comprises the following steps:
acquiring a target fast forwarding table entry corresponding to the target IPSec traffic in a preset fast forwarding table, wherein the target fast forwarding table entry comprises at least an SA index pointing to the target SA table entry;
monitoring whether the initial negotiation SA policy has expired and, if so, renegotiating for the target IPSec traffic with the peer device to obtain a corresponding renegotiation SA policy;
updating the SA driving table based on the renegotiation SA policy and the historical SA table entry;
updating the target fast forwarding table entry based on the updated SA driving table;
and, based on the updated target fast forwarding table entry, performing the corresponding encryption and encapsulation on the target IPSec traffic and forwarding the encrypted and encapsulated target IPSec traffic to the peer device.
Optionally, updating the SA driving table based on the renegotiation SA policy and the historical SA table entry includes:
generating a renegotiation table entry corresponding to the renegotiation SA policy;
issuing the renegotiation table entry and the historical SA table entry to the SA driving table, and setting an update identifier, wherein the update identifier indicates the update relationship between the historical SA table entry and the renegotiation table entry;
and setting an aging period corresponding to the historical SA table entry.
Optionally, when the target IPSec traffic is continuously present and the historical SA table entry has not been deleted by aging, updating the target fast forwarding table entry based on the updated SA driving table includes:
acquiring the update identifier corresponding to the historical SA table entry;
and, if an update identifier corresponding to the historical SA table entry exists, updating the SA index of the target fast forwarding table entry to point to the renegotiation table entry.
Optionally, when the target IPSec traffic is actively interrupted and the historical SA table entry has not been deleted by aging, updating the target fast forwarding table entry based on the updated SA driving table further includes:
polling the SA table entries in the SA driving table at a preset period to check whether they have corresponding update identifiers;
and, if an update identifier corresponding to the historical SA table entry exists, updating the SA index of the target fast forwarding table entry to point to the renegotiation table entry.
The application also provides an IPSec traffic forwarding device applied to IPSec peers in an IPSec VPN networking; when the IPSec VPN networking is in operation, an IPSec peer may be configured as the local device or the peer device. The local device holds an initial negotiation SA policy, obtained by negotiation with the peer device and used for forwarding the target IPSec traffic, and a target SA table entry, located in a preset SA driving table and corresponding to the initial negotiation SA policy, which serves as the historical SA table entry. When the IPSec peer is the local device, the device includes:
an acquisition module, configured to acquire a target fast forwarding table entry corresponding to the target IPSec traffic from a preset fast forwarding table, wherein the target fast forwarding table entry comprises at least an SA index pointing to the target SA table entry;
a renegotiation module, configured to monitor whether the initial negotiation SA policy has expired and, if so, to renegotiate for the target IPSec traffic with the peer device to obtain a corresponding renegotiation SA policy;
an updating module, configured to update the SA driving table based on the renegotiation SA policy and the historical SA table entry;
the updating module being further configured to update the target fast forwarding table entry based on the updated SA driving table;
and a forwarding module, configured to perform the corresponding encryption and encapsulation on the target IPSec traffic based on the updated target fast forwarding table entry, and to forward the encrypted and encapsulated target IPSec traffic to the peer device.
Optionally, the updating module further:
generates a renegotiation table entry corresponding to the renegotiation SA policy;
issues the renegotiation table entry and the historical SA table entry to the SA driving table, and sets an update identifier, wherein the update identifier indicates the update relationship between the historical SA table entry and the renegotiation table entry;
and sets an aging period corresponding to the historical SA table entry.
Optionally, when the target IPSec traffic is continuously present and the historical SA table entry has not been deleted by aging, the updating module further:
acquires the update identifier corresponding to the historical SA table entry;
and, if an update identifier corresponding to the historical SA table entry exists, updates the SA index of the target fast forwarding table entry to point to the renegotiation table entry.
Optionally, when the target IPSec traffic is actively interrupted and the historical SA table entry has not been deleted by aging, the updating module further:
polls the SA table entries in the SA driving table at a preset period to check whether they have corresponding update identifiers;
and, if an update identifier corresponding to the historical SA table entry exists, updates the SA index of the target fast forwarding table entry to point to the renegotiation table entry.
The application also provides an electronic device, which comprises a communication interface, a processor, a memory and a bus, wherein the communication interface, the processor and the memory are mutually connected through the bus;
the memory stores machine-readable instructions, and the processor executes the method by calling the machine-readable instructions.
The present application also provides a machine-readable storage medium having stored thereon machine-readable instructions which, when invoked and executed by a processor, implement the above-described method.
Through the above embodiment, after the renegotiation SA policy has been successfully negotiated for the IPSec traffic, a pair of associated SA table entries, corresponding to the renegotiation SA policy and to the initial negotiation SA policy respectively, is issued to the SA driving table at the same time, and a corresponding update identifier is set on the associated SA table entry; the fast forwarding table entry corresponding to the IPSec traffic is then updated accordingly, so that the negotiated SA policy is switched smoothly to the renegotiation SA policy, the IPSec traffic continues to be forwarded, and IPSec traffic interruption caused by updating to the renegotiation SA policy is avoided.
Drawings
Fig. 1 is a topology diagram of an IPSec VPN networking provided by an exemplary embodiment;
Fig. 2 is a flowchart of a method for IPSec traffic forwarding according to an exemplary embodiment;
Fig. 3 is a block diagram of an IPSec traffic forwarding apparatus according to an exemplary embodiment;
Fig. 4 is a hardware block diagram of an electronic device according to an exemplary embodiment.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
In order to enable those skilled in the art to better understand the technical solution in the embodiment of the present application, a brief description will be given below to the related technology of IPSec traffic forwarding related to the embodiment of the present application.
Referring to fig. 1, fig. 1 is a topology diagram of an IPSec VPN networking according to an embodiment of the present disclosure.
The IPSec VPN networking shown in fig. 1 includes: SW1 (home device), SW2 (peer device); SW1 and SW2 may establish an IPSec tunnel, and SW1 may forward the received IPSec traffic to SW2 based on the IPSec tunnel, that is, SW1 and SW2 are a pair of IPSec peers.
In some scenarios, based on the networking shown in Fig. 1, when the SA policy negotiated by SW1 and SW2 for the IPSec traffic exceeds its lifetime, that SA policy becomes the old SA policy, and SW1 and SW2 need to renegotiate a new SA policy. After the new SA policy has been negotiated, the prior-art solution typically performs two steps: first, from user mode, the table entries related to the old SA policy are deleted in kernel mode; second, the user-mode state corresponding to the new SA policy is issued to the related kernel-mode table entries.
It can be seen from this scenario that there is a time gap between deleting the old SA policy and issuing the new SA policy, during which the local device can process and forward the IPSec traffic according to neither the old SA policy nor the new one, and so the IPSec traffic is interrupted.
On the basis of the networking architecture shown above, the present application aims to provide a technical scheme for IPSec traffic forwarding in which the historical SA table entry, the renegotiation table entry and the update relationship between them, all corresponding to the target IPSec traffic, are issued at the same time, and the target fast forwarding table entry corresponding to the target IPSec traffic is then updated.
When the IPSec VPN networking is implemented, it includes IPSec peers, and when the IPSec VPN networking is in operation, an IPSec peer may be configured as the local device or the peer device. The local device holds an initial negotiation SA policy, obtained by negotiation with the peer device and used for forwarding the target IPSec traffic, and a target SA table entry, located in a preset SA driving table and corresponding to the initial negotiation SA policy, which serves as the historical SA table entry.
Further, when the IPSec peer is the local device, the local device obtains a target fast forwarding table entry corresponding to the target IPSec traffic in a preset fast forwarding table, wherein the target fast forwarding table entry comprises at least an SA index pointing to the target SA table entry; monitors whether the initial negotiation SA policy has expired and, if so, renegotiates for the target IPSec traffic with the peer device to obtain a corresponding renegotiation SA policy; updates the SA driving table based on the renegotiation SA policy and the historical SA table entry; updates the target fast forwarding table entry based on the updated SA driving table; and, based on the updated target fast forwarding table entry, performs the corresponding encryption and encapsulation on the target IPSec traffic and forwards the encrypted and encapsulated target IPSec traffic to the peer device.
In the above scheme, after the renegotiation SA policy has been successfully negotiated for the IPSec traffic, a pair of associated SA table entries, corresponding to the renegotiation SA policy and to the initial negotiation SA policy respectively, is issued to the SA driving table at the same time, and a corresponding update identifier is set on the associated SA table entry; the fast forwarding table entry corresponding to the IPSec traffic is then updated accordingly, so that the negotiated SA policy is switched smoothly to the renegotiation SA policy, the IPSec traffic continues to be forwarded, and IPSec traffic interruption caused by updating to the renegotiation SA policy is avoided.
The present application is described below with reference to specific embodiments and specific application scenarios.
Referring to Fig. 2, Fig. 2 is a flowchart of an IPSec traffic forwarding method provided in an embodiment of the present application. The method is applied to IPSec peers in an IPSec VPN networking; when the IPSec VPN networking is in operation, an IPSec peer may be configured as the local device or the peer device. The local device holds an initial negotiation SA policy, obtained by negotiation with the peer device and used for forwarding the target IPSec traffic, and a target SA table entry, located in a preset SA driving table and corresponding to the initial negotiation SA policy, which serves as the historical SA table entry. When the IPSec peer is the local device, the method executes the following steps:
Step 202, obtaining a target fast forwarding table entry corresponding to the target IPSec traffic in a preset fast forwarding table, wherein the target fast forwarding table entry comprises at least an SA index pointing to the target SA table entry.
Step 204, monitoring whether the initial negotiation SA policy has expired and, if so, renegotiating for the target IPSec traffic with the peer device to obtain a corresponding renegotiation SA policy.
Step 206, updating the SA driving table based on the renegotiation SA policy and the historical SA table entry.
Step 208, updating the target fast forwarding table entry based on the updated SA driving table.
Step 210, based on the updated target fast forwarding table entry, performing the corresponding encryption and encapsulation on the target IPSec traffic, and forwarding the encrypted and encapsulated target IPSec traffic to the peer device.
In this specification, IPSec peers are the two end points between which IPSec provides secure communication, namely two network devices that support the IPSec protocol; an IPSec peer may be configured as the local device or the peer device.
For example, as shown in Fig. 1, SW1 and SW2 support establishing an IPSec tunnel based on the IPSec protocol, and SW1 and SW2 are IPSec peers.
In this specification, the local device refers to the IPSec peer acting as the local end, and the peer device refers to the IPSec peer on the other side of the IPSec tunnel from the local device.
Continuing the example above, SW1 and SW2 support establishing an IPSec tunnel based on the IPSec protocol; when IPSec traffic is sent from SW1 to SW2, the local device is SW1 and the peer device is SW2.
In this specification, the IPSec VPN networking may include a VPN networking based on the IPSec protocol between the local device and the peer device, in which the local device and the peer device communicate with each other based on the IPSec protocol.
Continuing the example above, the IPSec VPN networking is the one shown in Fig. 1 and described earlier, which is not repeated here.
In this specification, the target IPSec traffic refers to network packets, of any data content, that match a specified IP quintuple and are to be sent by the local device to the peer device through the IPSec tunnel.
For example, in implementation, the target IPSec traffic is the set of network packets matching that IP quintuple information.
It should be noted that the IP quintuple is a communication term commonly used in the field of network communication, and specifically includes a source IP, a source port, a destination IP, a destination port, and a transport protocol corresponding to a network packet.
In this specification, the initial negotiation SA policy refers to an SA (Security Association) with a life cycle, obtained by negotiation, corresponding to the IPSec tunnel established by the local device and the peer device for forwarding the target IPSec traffic.
For example, when implemented, the initial negotiation SA policy includes a set of security protocols, algorithms, keys and the like.
It should be noted that, in the process of performing, by the local device, corresponding IPSec encapsulation, encryption, and forwarding on the target IPSec traffic based on the initial negotiation SA policy, the initial negotiation SA policy is not invariant, that is, the initial negotiation SA policy has a life cycle, and after the initial negotiation SA policy reaches the life cycle, the local device needs to perform, based on a new SA policy renegotiated with the opposite device, IPSec encapsulation, encryption, and forwarding corresponding to the target IPSec traffic.
In this specification, the SA driver table refers to an SA table that is corresponding to an SA policy obtained by the target IPSec traffic negotiation and that can be accessed by a driver integrated with the local device;
for example, in implementation, the SA table may be stored in a specific hardware chip, and the local device may quickly access an SA entry corresponding to an SA policy in the SA table in the hardware chip through an integrated driver.
In this specification, the target SA entry refers to an SA entry corresponding to the initial negotiation SA policy in the SA driver table;
the SA table entry stores all parameters related to encryption and decryption of the corresponding SA policy.
For example, in implementation, the target SA entry may be an SA entry corresponding to the initial negotiation SA policy in a plurality of SA entries in the SA driving table; the SA entry stores all encryption and decryption related parameters (including but not limited to an encryption and decryption algorithm, an execution protocol, a key, a working mode, and the like) corresponding to the initial negotiation SA policy, and for detailed parameters, reference is made to descriptions of the IPSec protocol, which is not described herein again.
In this specification, the historical SA table entry refers to the target SA table entry obtained by the local device and stored as a backup SA table entry for later write-back; the target SA table entry corresponds to the life cycle of the initial negotiation SA policy.
For example, in implementation, if the life cycle of the initial negotiation SA policy is 12 hours, the local device obtains the target SA table entry during that life cycle and saves a backup of it; that backup is the historical SA table entry. The local device may subsequently write the historical SA table entry back to the SA driving table (see the description below for details).
In this specification, the fast forwarding table refers to a forwarding table established on the local device and supporting fast forwarding of IPSec traffic at a driver layer.
For example, in implementation, the fast forwarding table may include several fast forwarding table entries corresponding to several IPSec traffics, respectively. The local device may perform matching on the IP quintuple of the target IPSec traffic and the preset IP quintuple of the fast forwarding table entry in the fast forwarding table, so as to determine a forwarding rule (including, but not limited to, performing a protocol working mode, etc.) corresponding to the matched target IPSec traffic.
In this specification, the target fast forwarding table entry refers to a fast forwarding table entry corresponding to the target IPSec traffic in the fast forwarding table;
wherein the target fast-forwarding table entry at least comprises an SA index pointing to the target SA table entry.
For example, in implementation, the fast forwarding table entry may further include an SA index pointing to the target SA table entry corresponding to the target IPSec traffic, in addition to the preset IP quintuple.
In this specification, the local device obtains the target fast forwarding table entry corresponding to the target IPSec traffic in the fast forwarding table.
For example, in implementation, the local device may obtain a series of algorithms, keys, and encapsulation formats for performing encapsulation and encryption on the target IPSec traffic through the SA index of the target fast forwarding entry pointing to the target SA entry.
In this specification, the renegotiation SA policy refers to the SA policy corresponding to the target IPSec traffic that is obtained by renegotiation between the local device and the peer device after the initial negotiation SA policy has expired.
In this specification, the local device monitors whether the initial negotiation SA policy has expired; if so, it renegotiates for the target IPSec traffic with the peer device to obtain the corresponding renegotiation SA policy.
For example, if more than 12 hours have passed since the initial negotiation SA policy was successfully negotiated, the initial negotiation SA policy has expired, and the local device and the peer device renegotiate to obtain the renegotiation SA policy for the target IPSec traffic.
Of course, if the initial negotiation SA policy is not expired, the local device may continue to use the initial negotiation SA policy to perform corresponding IPSec processing on the target IPSec traffic.
In this specification, after obtaining the renegotiation SA policy, the local device updates the SA driver table based on the renegotiation SA policy and the historical SA entry.
In this specification, the renegotiation table entry refers to an SA table entry corresponding to the renegotiation SA policy to be stored in the SA driver table.
In an illustrated embodiment, the local device generates the renegotiation entry corresponding to the renegotiation SA policy.
For example, in implementation, the format of the renegotiation entry is the same as that of the target SA entry, and specific contents thereof are different, and for the specific format of the renegotiation entry, please refer to the above description corresponding to the target SA entry, which is not described herein again.
In this specification, the local device further issues the renegotiation table entry and the historical SA table entry to the SA driving table and sets an update identifier, where the update identifier indicates the update relationship between the historical SA table entry and the renegotiation table entry.
For example, in implementation, the local device issues the renegotiation table entry and the historical SA table entry to the SA driving table and sets a corresponding update identifier on the historical SA table entry, where the update identifier may be the entry address or the entry number corresponding to the renegotiation table entry.
It should be noted that, because the initial negotiation SA policy has expired, the target SA table entry corresponding to it has already been deleted from the SA driving table, so that the target SA table entry pointed to by the SA index of the target fast forwarding table entry no longer actually exists; writing the historical SA table entry back gives that SA index a valid entry to resolve to until the target fast forwarding table entry is repointed.
In this specification, the local device further sets an aging period for the historical SA entry.
For example, in implementation, the local device sets an aging period for the historical SA entry, where the aging period is a preset threshold (for example, 5 seconds); once the historical SA entry exceeds the aging period, the local device is triggered to delete it automatically, while within the aging period the historical SA entry is retained.
In this specification, after the SA driver table is updated, the local device further updates the target fast-forwarding entry based on the updated SA driver table.
In an illustrated embodiment, when the target IPSec traffic is continuously present and the historical SA entry has not been aged out and deleted, the local device obtains the update identifier corresponding to the historical SA entry; if that update identifier exists, the SA index of the target fast-forwarding entry is updated to point to the renegotiation entry.
For example, when the target IPSec traffic is continuously present and the historical SA entry has not been aged out and deleted, the local device traverses the SA entries in the SA driver table, and if an update identifier corresponding to the historical SA entry is found, updates the SA index of the target fast-forwarding entry to point to the renegotiation entry.
It should be noted that when the target IPSec traffic is continuously present, it can trigger the local device to update the target fast-forwarding entry; if the target IPSec traffic is actively interrupted for a service reason (for example, the target IPSec traffic carries a video program that is temporarily paused), the update of the target fast-forwarding entry is not triggered.
In another illustrated embodiment, when the target IPSec traffic is actively interrupted and the historical SA entry has not been aged out and deleted, the target IPSec traffic does not trigger the update of the target fast-forwarding entry; instead, the local device polls the SA entries in the SA driver table at a preset period to check whether corresponding update identifiers exist; if the update identifier corresponding to the historical SA entry exists, the SA index of the target fast-forwarding entry is updated to point to the renegotiation entry.
For example, in implementation, the local device may use one of its integrated CPUs to poll, at a preset period (for example, 100 ms), whether update identifiers exist among the SA entries in the SA driver table; if one exists, the SA index of the target fast-forwarding entry corresponding to that update identifier is updated to point to the renegotiation entry.
It should be noted that the local device actively checks, at a preset period, whether an update identifier exists in the SA driver table and then updates the SA index of the target fast-forwarding entry to point to the renegotiation entry according to that identifier, so that the target fast-forwarding entry can still be updated when it cannot be passively triggered because the target IPSec traffic has been actively interrupted.
In this specification, after the target fast-forwarding entry is updated, the local device encrypts and encapsulates the target IPSec traffic based on the updated target fast-forwarding entry and forwards the encrypted and encapsulated target IPSec traffic to the peer device.
It should be noted that the SA driver table may store the historical SA entry and the corresponding renegotiation entry simultaneously. The local device only needs to repoint the SA index in the target fast-forwarding entry to the renegotiation entry, which greatly shortens the switch from the historical SA entry to the renegotiation entry. This avoids the problem of the prior-art scheme, in which a time gap between deleting the old SA policy and issuing the entries for the new SA policy leaves the local device unable to process and forward the IPSec traffic under either the old or the new SA policy, so that the IPSec traffic is interrupted.
In the above technical solution, after the renegotiation SA policy is successfully negotiated for the IPSec traffic, a pair of associated SA entries, corresponding to the renegotiation SA policy and the initial negotiation SA policy, is issued to the SA driver table simultaneously; the corresponding update identifier is set on the associated SA entry, and the fast-forwarding entry of the IPSec traffic is updated accordingly, so that the initially negotiated SA policy is switched smoothly to the renegotiated SA policy, the IPSec traffic continues to be forwarded, and the interruption of IPSec traffic caused by the renegotiated SA policy update is avoided.
Fig. 3 is a block diagram of an IPSec traffic forwarding apparatus according to an exemplary embodiment of the present application. Corresponding to the method embodiment, the application also provides an embodiment of an IPSec traffic forwarding apparatus, applied to IPSec peers in an IPSec VPN network; when the IPSec VPN network is in operation, an IPSec peer may be configured as a local device or a peer device. The local device holds an initial negotiation SA policy, obtained by negotiation with the peer device and used for forwarding the target IPSec traffic, and a target SA entry in a preset SA driver table that corresponds to the initial negotiation SA policy and serves as the historical SA entry. When the IPSec peer is the local device, the IPSec traffic forwarding apparatus 30 shown in fig. 3 includes:
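To make the two update paths concrete, here is a constructed Python model of the SA driver table and fast-forwarding table handover described above: the historical SA entry carries an update identifier and an aging deadline, and the fast-forwarding entry is repointed either by traffic or by a timer poll. It is an added example, not code from the patent or its assignee; the flow key, the XOR-based stand-in for ESP encryption and the method names are assumptions, while the 12-hour lifetime, 5-second aging period and 100 ms poll period are the page's values.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Flow = Tuple[str, str, int]  # (src, dst, proto): constructed key for a fast-forwarding entry


@dataclass
class SAEntry:  # one entry of the SA driver table
    spi: int
    key: bytes
    negotiated_at: float
    seq: int = 0
    update_to: Optional[int] = None     # update identifier: index of the renegotiation entry
    age_out_at: Optional[float] = None  # aging deadline, set only on a historical SA entry


@dataclass
class FastFwdEntry:  # one fast-forwarding entry; sa_index points into the SA driver table
    flow: Flow
    sa_index: int


class IPSecForwarder:
    SA_LIFETIME = 12 * 3600.0  # initial negotiation SA policy expires 12 h after negotiation
    AGING_PERIOD = 5.0         # historical SA entry is kept for 5 s after the rekey

    def __init__(self) -> None:
        self.sa_table: Dict[int, SAEntry] = {}
        self.fast_table: Dict[Flow, FastFwdEntry] = {}
        self._next_index = 1

    def _issue(self, spi: int, key: bytes, now: float) -> int:
        # Issue an SA entry to the SA driver table and return its index.
        idx = self._next_index
        self._next_index += 1
        self.sa_table[idx] = SAEntry(spi, key, now)
        return idx

    def install_initial(self, flow: Flow, spi: int, key: bytes, now: float) -> int:
        idx = self._issue(spi, key, now)
        self.fast_table[flow] = FastFwdEntry(flow, idx)
        return idx

    def policy_expired(self, flow: Flow, now: float) -> bool:
        sa = self.sa_table[self.fast_table[flow].sa_index]
        return now - sa.negotiated_at >= self.SA_LIFETIME

    def renegotiate(self, flow: Flow, new_spi: int, new_key: bytes, now: float,
                    keep_historical: bool = True) -> int:
        """Rekey. keep_historical=True is the page's scheme: the old entry stays as a historical
        SA entry with an update identifier and an aging deadline. False deletes it at once,
        reproducing the prior-art gap the page describes."""
        old_idx = self.fast_table[flow].sa_index
        new_idx = self._issue(new_spi, new_key, now)
        if keep_historical:
            hist = self.sa_table[old_idx]
            hist.update_to = new_idx
            hist.age_out_at = now + self.AGING_PERIOD
        else:
            del self.sa_table[old_idx]
        return new_idx

    def _follow_update(self, ffe: FastFwdEntry) -> bool:
        # Repoint the SA index if the entry it names carries an update identifier.
        sa = self.sa_table.get(ffe.sa_index)
        if sa is None or sa.update_to is None:
            return False
        ffe.sa_index = sa.update_to
        return True

    def forward(self, flow: Flow, payload: bytes, now: float) -> Optional[bytes]:
        """Traffic-triggered path: resolve the SA index, follow an update identifier if present,
        encapsulate. Returns None when the index points at a deleted entry (traffic interrupted)."""
        ffe = self.fast_table[flow]
        self._follow_update(ffe)
        sa = self.sa_table.get(ffe.sa_index)
        if sa is None:
            return None
        sa.seq += 1
        # Constructed stand-in for ESP: SPI + sequence header, payload XORed with the key.
        body = bytes(b ^ sa.key[i % len(sa.key)] for i, b in enumerate(payload))
        return struct.pack("!II", sa.spi, sa.seq) + body

    def poll(self, now: float) -> int:
        """Timer-triggered path (page: e.g. every 100 ms): repoint fast-forwarding entries whose
        SA entry carries an update identifier, then delete aged-out historical entries."""
        repointed = sum(1 for ffe in self.fast_table.values() if self._follow_update(ffe))
        aged = [i for i, sa in self.sa_table.items() if sa.age_out_at is not None and now >= sa.age_out_at]
        for i in aged:
            del self.sa_table[i]
        return repointed
```

With `keep_historical=False` the first packet after the rekey is dropped, which is the interruption window the page attributes to the prior art; with the default the old entry survives until the aging deadline and both update paths repoint the fast-forwarding entry without a gap.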
an obtaining module 301, configured to obtain a target fast-forwarding entry corresponding to the target IPSec traffic from a preset fast-forwarding table, wherein the target fast-forwarding entry comprises at least an SA index pointing to the target SA entry;
a renegotiation module 302, configured to monitor whether the initial negotiation SA policy has expired and, if so, renegotiate with the peer device for the target IPSec traffic to obtain a corresponding renegotiation SA policy;
an updating module 303, configured to update the SA driver table based on the renegotiation SA policy and the historical SA entry;
the updating module 303 further updates the target fast-forwarding entry based on the updated SA driver table;
a forwarding module 304, configured to encrypt and encapsulate the target IPSec traffic based on the updated target fast-forwarding entry and forward the encrypted and encapsulated target IPSec traffic to the peer device.
In this embodiment, the updating module 303 further:
generates a renegotiation entry corresponding to the renegotiation SA policy;
issues the renegotiation entry and the historical SA entry to the SA driver table and sets an update identifier, wherein the update identifier indicates the update relationship between the historical SA entry and the renegotiation entry;
and sets an aging period for the historical SA entry.
In this embodiment, when the target IPSec traffic persists and the historical SA entry has not been aged out and deleted, the updating module 303 further:
obtains the update identifier corresponding to the historical SA entry;
and, if the update identifier corresponding to the historical SA entry exists, updates the SA index of the target fast-forwarding entry to point to the renegotiation entry.
In this embodiment, when the target IPSec traffic is actively interrupted and the historical SA entry has not been aged out and deleted, the updating module 303 further:
polls, at a preset period, whether corresponding update identifiers exist among the plurality of SA entries in the SA driver table;
and, if the update identifier corresponding to the historical SA entry exists, updates the SA index of the target fast-forwarding entry to point to the renegotiation entry.
For the apparatus embodiments, since they substantially correspond to the method embodiments, reference may be made to the relevant description of the method embodiments. The apparatus embodiments described above are merely illustrative: the modules described as separate parts may or may not be physically separate, and the parts shown as modules may or may not be physical modules; they may be located in one place or distributed across a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement this without inventive effort.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by an article of manufacture with certain functionality. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
The embodiment of the IPSec traffic forwarding apparatus in this application can be applied to the electronic device shown in fig. 4. The apparatus embodiments may be implemented by software, by hardware, or by a combination of the two. Taking a software implementation as an example, the apparatus, as a logical device, is formed by the processor of the electronic device in which it resides reading the corresponding computer program instructions from a machine-readable storage medium and running them. In terms of hardware, fig. 4 shows the hardware structure of the electronic device in which the IPSec traffic forwarding apparatus of the present application is located; in addition to the processor, communication interface, bus and machine-readable storage medium shown in fig. 4, the electronic device may also include other hardware according to its actual function, which is not described again.
Correspondingly, an embodiment of the present application further provides the hardware structure of an electronic device hosting the apparatus shown in fig. 3; please refer to fig. 4, which is a schematic diagram of that hardware structure. The device comprises a communication interface 401, a processor 402, a machine-readable storage medium 403 and a bus 404; the communication interface 401, the processor 402 and the machine-readable storage medium 403 communicate with each other via the bus 404. The communication interface 401 is used for network communication. The processor 402 may be a Central Processing Unit (CPU) and may execute machine-readable instructions stored in the machine-readable storage medium 403 to implement the methods described above.
The machine-readable storage medium 403 referred to herein may be any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions and data. For example, the machine-readable storage medium may be volatile memory, non-volatile memory, or a similar storage medium. In particular, the machine-readable storage medium 403 may be a RAM (Random Access Memory), a flash memory, a storage drive (for example, a hard disk drive), a solid state disk, any type of storage disk (for example, a compact disk or a DVD), a similar storage medium, or a combination thereof.
Up to this point, the description of the hardware configuration shown in fig. 4 is completed.
Further, the present application provides a machine-readable storage medium, such as the machine-readable storage medium 403 in fig. 4, storing machine-executable instructions which can be executed by the processor 402 of the electronic device to implement the method described above.
The implementation process of the functions and actions of each unit in the above apparatus is described in detail in the implementation of the corresponding steps of the above method and is not repeated here.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It will be understood that the present application is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (8)

1. An IPSec traffic forwarding method, characterized in that the method is applied to IPSec peers in an IPSec VPN network, and when the IPSec VPN network is in operation, the IPSec peers can be configured as a local device or a peer device; the local device holds an initial negotiation SA policy, obtained by negotiation with the peer device and used for forwarding target IPSec traffic, and a target SA entry which is located in a preset SA driver table, corresponds to the initial negotiation SA policy, and serves as a historical SA entry; when the IPSec peer is the local device, the method comprises the following steps:
obtaining a target fast-forwarding entry corresponding to the target IPSec traffic from a preset fast-forwarding table; wherein the target fast-forwarding entry comprises at least an SA index pointing to the target SA entry;
monitoring whether the initial negotiation SA policy has expired; if so, renegotiating with the peer device for the target IPSec traffic to obtain a corresponding renegotiation SA policy;
generating a renegotiation entry corresponding to the renegotiation SA policy based on the renegotiation SA policy; issuing the renegotiation entry and the historical SA entry to the SA driver table and setting an update identifier, so as to update the SA driver table; wherein the update identifier is used to indicate an update relationship between the historical SA entry and the renegotiation entry; setting an aging period corresponding to the historical SA entry; and updating the target fast-forwarding entry based on the updated SA driver table;
and, based on the updated target fast-forwarding entry, encrypting and encapsulating the target IPSec traffic and forwarding the encrypted and encapsulated target IPSec traffic to the peer device.
2. The method of claim 1, wherein, when the target IPSec traffic persists and the historical SA entry has not been aged out and deleted, updating the target fast-forwarding entry based on the updated SA driver table comprises:
obtaining the update identifier corresponding to the historical SA entry;
and, if the update identifier corresponding to the historical SA entry exists, updating the SA index of the target fast-forwarding entry to point to the renegotiation entry.
3. The method of claim 1, wherein, when the target IPSec traffic is actively interrupted and the historical SA entry has not been aged out and deleted, updating the target fast-forwarding entry based on the updated SA driver table further comprises:
polling, at a preset period, whether corresponding update identifiers exist among the plurality of SA entries in the SA driver table;
and, if the update identifier corresponding to the historical SA entry exists, updating the SA index of the target fast-forwarding entry to point to the renegotiation entry.
4. An IPSec traffic forwarding apparatus, applied to IPSec peers in an IPSec VPN network, wherein, when the IPSec VPN network is in operation, the IPSec peers can be configured as a local device or a peer device; the local device holds an initial negotiation SA policy, obtained by negotiation with the peer device and used for forwarding target IPSec traffic, and a target SA entry which is located in a preset SA driver table, corresponds to the initial negotiation SA policy, and serves as a historical SA entry; when the IPSec peer is the local device, the apparatus comprises:
an obtaining module, configured to obtain a target fast-forwarding entry corresponding to the target IPSec traffic from a preset fast-forwarding table; wherein the target fast-forwarding entry comprises at least an SA index pointing to the target SA entry;
a renegotiation module, configured to monitor whether the initial negotiation SA policy has expired; if so, renegotiate with the peer device for the target IPSec traffic to obtain a corresponding renegotiation SA policy;
an updating module, configured to generate a renegotiation entry corresponding to the renegotiation SA policy based on the renegotiation SA policy; issue the renegotiation entry and the historical SA entry to the SA driver table and set an update identifier, so as to update the SA driver table; wherein the update identifier is used to indicate an update relationship between the historical SA entry and the renegotiation entry; and set an aging period corresponding to the historical SA entry;
the updating module further updates the target fast-forwarding entry based on the updated SA driver table;
and a forwarding module, configured to encrypt and encapsulate the target IPSec traffic based on the updated target fast-forwarding entry and forward the encrypted and encapsulated target IPSec traffic to the peer device.
5. The apparatus of claim 4, wherein, when the target IPSec traffic persists and the historical SA entry has not been aged out and deleted, the updating module is further configured to:
obtain the update identifier corresponding to the historical SA entry;
and, if the update identifier corresponding to the historical SA entry exists, update the SA index of the target fast-forwarding entry to point to the renegotiation entry.
6. The apparatus of claim 4, wherein, when the target IPSec traffic is actively interrupted and the historical SA entry has not been aged out and deleted, the updating module is further configured to:
poll, at a preset period, whether corresponding update identifiers exist among the plurality of SA entries in the SA driver table;
and, if the update identifier corresponding to the historical SA entry exists, update the SA index of the target fast-forwarding entry to point to the renegotiation entry.
7. An electronic device, characterized by comprising a communication interface, a processor, a memory and a bus, wherein the communication interface, the processor and the memory are connected to each other through the bus;
the memory stores machine-readable instructions, and the processor executes the method of any one of claims 1 to 3 by calling the machine-readable instructions.
8. A machine-readable storage medium having stored thereon machine-readable instructions which, when invoked and executed by a processor, carry out the method of any of claims 1 to 3.
CN201910653932.9A 2019-07-19 2019-07-19 IPSec (Internet protocol Security) traffic forwarding method and device and electronic equipment Active CN110365570B (en)

Publications (2)

Publication Number Publication Date
CN110365570A CN110365570A (en) 2019-10-22
CN110365570B true CN110365570B (en) 2021-05-28

Family

ID=68221141




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant