CN110768958A - IPv4 data encryption method and IPv4 data decryption method - Google Patents

Info

Publication number: CN110768958A
Application number: CN201910893729.9A
Authority: CN (China)
Prior art keywords: data frame; network data; network; quintuple; encryption
Legal status: Granted (Active)
Other languages: Chinese (zh)
Other versions: CN110768958B (en)
Inventors: 白建, 马星星, 齐振华, 范琳琳
Current assignee: Xi'an Ruth Kay Microelectronic Technology Co Ltd
Original assignee: Xi'an Ruth Kay Microelectronic Technology Co Ltd
Events: application filed by Xi'an Ruth Kay Microelectronic Technology Co Ltd; priority to CN201910893729.9A; publication of CN110768958A; application granted; publication of CN110768958B; status active

Classifications

All under H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication:
    • H04L 63/0428: network architectures or protocols for network security providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/102: network security for controlling access to devices or network resources; entity profiles
    • H04L 63/20: managing network security; network security policies in general
    • H04L 2101/622: indexing scheme for types of network addresses; layer-2 addresses, e.g. medium access control [MAC] addresses

Abstract

The invention discloses an IPv4 data encryption method and an IPv4 data decryption method. The encryption method is applied to a sending network device and an encryption device connected to each other; the encryption device performs the following steps: receiving a first network data frame transmitted by the sending network device; judging whether the quintuple of the first network data frame matches a preset quintuple list on the encryption device, and if so encrypting the first network data frame to obtain ciphertext data, otherwise applying a first preset processing to the frame according to a first configuration parameter; and sending a second network data frame that contains the ciphertext data. The quintuple-based encryption policy lets the encryption device perform one-to-one, one-to-many and many-to-many encryption of network data frames, encrypts the specified network data within a network and simplifies unified management.

Description

IPv4 data encryption method and IPv4 data decryption method
Technical Field
The invention belongs to the technical field of communication, and particularly relates to an IPv4 data encryption method and an IPv4 data decryption method.
Background
As networks have developed, day-to-day office work depends on them and ever more data has to be transmitted over them. Transmitting data over the public network carries considerable security risk, while a private network is expensive. A VPN depends on an operator providing the service and is also costly. Switching between the public network and an intranet is cumbersome; switching back and forth not only reduces work efficiency but also makes data security hard to guarantee.
Confidential data transmitted over the public network today is highly exposed; software-based encryption cannot cover all network data and is inconvenient to manage centrally.
Disclosure of Invention
In order to solve the problems in the prior art, the invention provides an IPv4 data encryption method and an IPv4 data decryption method.
An embodiment of the invention provides an IPv4 data encryption method applied to a sending network device and an encryption device connected to each other, where the encryption device performs the following steps:
receiving a first network data frame, the first network data frame being transmitted by the transmitting network device;
judging whether the quintuple of the first network data frame matches a preset quintuple list of the encryption device: if a first quintuple matching the quintuple of the first network data frame exists in the preset quintuple list, encrypting the first network data frame to obtain ciphertext data; if no such first quintuple exists, applying a first preset processing to the first network data frame according to a first configuration parameter;
and sending a second network data frame, wherein the second network data frame comprises the ciphertext data.
In an embodiment of the present invention, encrypting the first network data frame to obtain ciphertext data includes:
acquiring first valid data from the first network data frame;
obtaining an encryption mode according to the first quintuple;
obtaining an encryption key according to the first quintuple;
and encrypting the first valid data according to the encryption mode and the encryption key to obtain ciphertext data.
In an embodiment of the present invention, the method further includes determining whether a first MAC management function is configured and enabled. If it is not configured or not enabled, any of the IPv4 data encryption methods above is performed. If it is configured and enabled, the device determines whether the first MAC list or the second MAC list is enabled: if the first MAC list is enabled, the first network data frame is processed according to a first preset rule, and if the second MAC list is enabled, according to a second preset rule.
In an embodiment of the present invention, processing the first network data frame according to the first preset rule includes:
judging whether the first network data frame matches the first MAC list: if the source MAC address of the first network data frame matches any MAC address in the first MAC list, applying the first preset processing to the first network data frame according to the first configuration parameter; if it matches no MAC address in the first MAC list, performing any of the IPv4 data encryption methods above.
In an embodiment of the present invention, processing the first network data frame according to the second preset rule includes:
judging whether the first network data frame matches the second MAC list: if the source MAC address of the first network data frame matches at least one MAC address in the second MAC list, performing any of the IPv4 data encryption methods above; if it matches no MAC address in the second MAC list, applying the first preset processing to the first network data frame according to the first configuration parameter.
Another embodiment of the present invention provides an IPv4 data decryption method applied to a decryption device and a receiving network device connected to each other, where the decryption device performs the following steps:
receiving a third network data frame;
judging whether the quintuple of the third network data frame matches a preset quintuple list of the decryption device: if a second quintuple matching the quintuple of the third network data frame exists in the preset quintuple list, decrypting the third network data frame to obtain plaintext data; if no such second quintuple exists, applying a second preset processing to the third network data frame according to a second configuration parameter;
sending a fourth network data frame to the receiving network device, the fourth network data frame including the plaintext data.
In an embodiment of the present invention, decrypting the third network data frame to obtain plaintext data includes:
acquiring second valid data from the third network data frame;
obtaining a decryption mode according to the second quintuple;
obtaining a decryption key according to the second quintuple;
and decrypting the second valid data according to the decryption mode and the decryption key to obtain plaintext data.
In an embodiment of the present invention, the method further includes determining whether a second MAC management function is configured and enabled. If it is not configured or not enabled, any of the IPv4 data decryption methods above is performed. If it is configured and enabled, the device determines whether the third MAC list or the fourth MAC list is enabled: if the third MAC list is enabled, the third network data frame is processed according to a third preset rule, and if the fourth MAC list is enabled, according to a fourth preset rule.
In an embodiment of the present invention, processing the third network data frame according to the third preset rule includes:
judging whether the third network data frame matches the third MAC list: if the source MAC address of the third network data frame matches any MAC address in the third MAC list, applying the second preset processing to the third network data frame according to the second configuration parameter; if it matches no MAC address in the third MAC list, performing any of the IPv4 data decryption methods above.
In an embodiment of the present invention, processing the third network data frame according to the fourth preset rule includes:
judging whether the third network data frame matches the fourth MAC list: if the source MAC address of the third network data frame matches at least one MAC address in the fourth MAC list, performing any of the IPv4 data decryption methods above; if it matches no MAC address in the fourth MAC list, applying the second preset processing to the third network data frame according to the second configuration parameter.
Compared with the prior art, the invention has the following beneficial effects:
the quintuple encryption policy of the invention supports one-to-one, one-to-many and many-to-many encryption of network data between network devices, can encrypt all network data in the network, and simplifies unified management.
The present invention will be described in further detail with reference to the accompanying drawings and examples.
Drawings
Fig. 1 is a schematic flowchart of an IPv4 data encryption method according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the connection between a sending network device and an encryption device in an IPv4 data encryption method according to an embodiment of the present invention;
Fig. 3 is a flowchart illustrating an IPv4 data decryption method according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of the connection between a decryption device and a receiving network device in an IPv4 data encryption method according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of the connections between network devices in an IPv4 data encryption method and data decryption method according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of the connections between network devices in another IPv4 data encryption method and data decryption method according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to specific examples, but the embodiments of the present invention are not limited thereto.
Example one
Referring to Fig. 1, a flowchart of an IPv4 data encryption method according to an embodiment of the present invention: this embodiment provides an IPv4 data encryption method applied to a sending network device and an encryption device connected to each other, where the encryption device performs the following steps:
Step 1: receiving a first network data frame, the first network data frame being sent by the sending network device;
Step 2: judging whether the quintuple of the first network data frame matches a preset quintuple list of the encryption device; if a first quintuple matching the quintuple of the first network data frame exists in the preset quintuple list, encrypting the first network data frame to obtain ciphertext data, and if no such first quintuple exists, applying a first preset processing to the first network data frame according to a first configuration parameter;
Step 3: sending a second network data frame, the second network data frame including the ciphertext data.
In particular, transmitting confidential data over the public network is currently insecure, software encryption cannot cover all network data, and unified management is inconvenient. To address this, the present embodiment provides an IPv4 data encryption method in which a quintuple serves as the encryption policy. The quintuple consists of a source IPv4 address, a source port, a destination IPv4 address, a destination port and a transport-layer protocol, and each first quintuple in the preset quintuple list of the encryption device has the same five fields.
In this embodiment the sending network device sends the first network data frame to the encryption device. The encryption device is configured in advance with a preset quintuple list that contains every quintuple corresponding to network data frames in the network that need to be encrypted; each entry is referred to as a first quintuple. After receiving the first network data frame, the encryption device judges whether a first quintuple matching the frame's quintuple exists in its preset quintuple list. If so, it encrypts the first network data frame to obtain ciphertext data, re-encapsulates the ciphertext data into a second network data frame, and sends that frame to the next-stage network device. If not, it applies the first preset processing to the first network data frame according to the first configuration parameter, which is configured on the encryption device according to the actual network requirements.
The first preset processing is pass-through (transparent transmission, i.e. forwarding the frame unchanged), discarding, or some other processing. Pass-through is preferred, because it allows plaintext communication with any network without affecting access to public-network data.
The quintuple encryption policy of this embodiment allows the encryption device to perform one-to-one, one-to-many and many-to-many encryption of network data frames, encrypts the specified network data frames in the network, and simplifies unified management. It can be used in any network environment, operates on TCP and UDP traffic, and depends on no other service.
Further, in step 1, the encryption device receives a first network data frame, and the first network data frame is sent by the sending network device.
Specifically, refer to Fig. 2, a schematic diagram of the connection between the sending network device and the encryption device in the IPv4 data encryption method of this embodiment. The sending network device sends the first network data frame to the encryption device through network port A. The first network data frame consists of the application-layer data of the sending network device with an Ethernet II header, an IPv4 header and a TCP header or UDP header prepended in turn, specifically:
The frame structure of the Ethernet II header added in this embodiment is shown in Table 1:
TABLE 1 Frame structure of the Ethernet II header
[Table 1 is an image in the source and is not reproduced here. It shows the standard Ethernet II header: destination MAC address (6 bytes), source MAC address (6 bytes), EtherType (2 bytes; 0x0800 for IPv4).]
The frame structure of the IPv4 header added in this embodiment is shown in Table 2:
TABLE 2 Frame structure of the IPv4 header
[Table 2 is an image in the source and is not reproduced here. It shows the standard IPv4 header (RFC 791): version and IHL, type of service, total length, identification, flags and fragment offset, TTL, protocol (6 for TCP, 17 for UDP), header checksum, source address, destination address, and optional options.]
The frame structure of the TCP header added in this embodiment is shown in Table 3:
TABLE 3 Frame structure of the TCP header
[Table 3 is an image in the source and is not reproduced here. It shows the standard TCP header (RFC 793): source port, destination port, sequence number, acknowledgment number, data offset with reserved bits and flags, window size, checksum, urgent pointer, and optional options.]
The frame structure of the UDP header added in this embodiment is shown in Table 4:
TABLE 4 Frame structure of the UDP header
[Table 4 is an image in the source and is not reproduced here. It shows the standard UDP header (RFC 768): source port, destination port, length and checksum, 2 bytes each.]
As shown in Table 5, the first network data frame in this embodiment is built from the Ethernet II header of Table 1, the IPv4 header of Table 2, the TCP header of Table 3 and the application-layer data obtained via network port A, or from the Ethernet II header of Table 1, the IPv4 header of Table 2, the UDP header of Table 4 and the application-layer data, specifically:
TABLE 5 Structure of the first network data frame
Ethernet II header | IPv4 header | TCP header or UDP header | Application layer data
Further, in step 2 the encryption device judges whether the quintuple of the first network data frame matches its preset quintuple list.
Specifically, both the quintuple of the first network data frame and each first quintuple in the preset quintuple list consist of a source IPv4 address, a source port, a destination IPv4 address, a destination port and a transport-layer protocol. The source and destination IPv4 addresses of a first quintuple support wildcards: an entry may specify any address or a network-segment range. The source port and destination port may be any port number or a specified range of port numbers. The transport-layer protocol is TCP or UDP. The source and destination IPv4 addresses are set according to the actual configuration of network data encryption. Step 2 consists of steps 2.1 and 2.2:
Step 2.1: if a first quintuple matching the quintuple of the first network data frame exists in the preset quintuple list of the encryption device, encrypt the first network data frame to obtain ciphertext data.
Specifically, when such a first quintuple exists, the encryption device obtains the first valid data from the first network data frame, obtains an encryption mode and an encryption key from the matching first quintuple, and encrypts the first valid data (not the whole frame) with that mode and key to obtain the ciphertext data:
Each first quintuple in the preset quintuple list corresponds to one encryption mode and one group of encryption keys; different first quintuples may use the same or different modes and the same or different keys. The encryption mode may be an algorithm such as SM4, ZUC, AES or DES (DES, with its 56-bit key, is obsolete and should not be chosen for new deployments; it appears here because the source lists it). When the encryption mode of a first quintuple is forced pass-through, the first network data frame is forwarded unchanged and no key needs to be configured; when the mode is not forced pass-through, the first valid data is encrypted under that mode with the key configured for that first quintuple.
The encryption device supports one-to-one, one-to-many and many-to-many encryption of network data frames. In the many-to-many case several sending network devices transmit at the same time, and the encryption device matches the quintuple of each received frame against its preset quintuple list in turn. Because the first quintuples support wildcards, one first network data frame may match several first quintuples at once, each with its own encryption mode and key. In that case the frame is processed according to the matching first quintuple with the highest priority, where the priority of each first quintuple is preset on the encryption device, and the valid data of the matched frame is encrypted with that entry's mode and key.
The quintuple encryption policy of this embodiment thus provides group management of the encryption keys of the network devices, realises one-to-one, one-to-many and many-to-many encryption of network data between devices, can encrypt all network data in the network group by group, and simplifies unified management.
Step 2.2: if no first quintuple matching the quintuple of the first network data frame exists in the preset quintuple list of the encryption device, apply the first preset processing to the first network data frame according to the first configuration parameter.
Specifically, the quintuple is the encryption policy, so a first network data frame that matches none of the first quintuples in the preset quintuple list receives the first preset processing chosen for the actual design: pass-through, discarding or other processing, with pass-through preferred. The first configuration parameter that selects this processing is configured in advance on the encryption device.
In many-to-many encryption, when several sending network devices are connected to one encryption device, the device processes the received first network data frames in order of arrival. Except for IP fragments, each received frame is an independent network data frame and is processed separately. For IP fragments, the fragments must first be reassembled into the complete datagram, and only then is it encrypted (the ports of the quintuple are present only in the first fragment, and the payload can only be encrypted as a whole).
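A worked example of step 2 in code, added by the editor and not taken from the patent (names such as `Rule`, `five_tuple` and `decide` are this example's own): it extracts the quintuple from an Ethernet II / IPv4 / TCP-or-UDP frame, matches it against a preset list whose entries support the address and port wildcards described above, resolves overlapping matches by priority, applies the first preset processing (pass-through or drop, the assumed values of the first configuration parameter) to unmatched and out-of-scope frames, and flags IP fragments for reassembly before the policy is applied. The rule fields, the sample list and the test frames are constructed for illustration.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO = {"tcp": 6, "udp": 17}


@dataclass
class Rule:
    """One entry of the preset quintuple list (field names are this example's, not the patent's).
    Addresses: "any", a host address, or a CIDR block. Ports: "any", "443", or a range "1024-65535"."""
    src: str
    sport: str
    dst: str
    dport: str
    proto: str                   # "tcp" or "udp"
    priority: int                # when several entries match, the highest priority wins
    mode: str                    # "sm4", "zuc", "aes", ... or "passthrough" (forced transparent transmission)
    key: Optional[bytes] = None  # not needed for "passthrough"


def five_tuple(frame: bytes):
    """(src_ip, sport, dst_ip, dport, proto) of an Ethernet II / IPv4 / TCP-or-UDP frame, or None
    when the frame is outside the policy's scope (non-IPv4, non-TCP/UDP, truncated)."""
    if len(frame) < ETH_HDR_LEN + 20 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = ETH_HDR_LEN
    if frame[ip] >> 4 != 4:
        return None
    tp = ip + (frame[ip] & 0x0F) * 4          # IHL gives the real header length, options included
    proto = frame[ip + 9]
    if proto not in PROTO.values() or len(frame) < tp + 4:
        return None
    sport, dport = struct.unpack_from("!HH", frame, tp)
    return (ipaddress.IPv4Address(frame[ip + 12:ip + 16]), sport,
            ipaddress.IPv4Address(frame[ip + 16:ip + 20]), dport, proto)


def is_fragment(frame: bytes) -> bool:
    """True when the MF flag or a non-zero fragment offset is set in the IPv4 header."""
    flags_frag = struct.unpack_from("!H", frame, ETH_HDR_LEN + 6)[0]
    return bool(flags_frag & 0x2000) or bool(flags_frag & 0x1FFF)


def _addr_match(pattern: str, addr: ipaddress.IPv4Address) -> bool:
    return pattern == "any" or addr in ipaddress.ip_network(pattern, strict=False)


def _port_match(pattern: str, port: int) -> bool:
    if pattern == "any":
        return True
    lo, _, hi = pattern.partition("-")
    return int(lo) <= port <= int(hi or lo)


def rule_matches(rule: Rule, ft) -> bool:
    src, sport, dst, dport, proto = ft
    return (PROTO[rule.proto] == proto
            and _addr_match(rule.src, src) and _port_match(rule.sport, sport)
            and _addr_match(rule.dst, dst) and _port_match(rule.dport, dport))


def decide(frame: bytes, rules, default: str = "passthrough"):
    """Step 2 of the encryption device. Returns (action, rule): action is "encrypt", "passthrough",
    "drop" (the last two being the first preset processing selected by the first configuration
    parameter) or "reassemble" for IP fragments, which must be reassembled before the policy runs."""
    ft = five_tuple(frame)
    if ft is None:
        return default, None
    if is_fragment(frame):
        return "reassemble", None
    hits = [r for r in rules if rule_matches(r, ft)]
    if not hits:
        return default, None
    best = max(hits, key=lambda r: r.priority)   # overlapping wildcards: highest priority wins
    return ("passthrough" if best.mode == "passthrough" else "encrypt"), best


def build_frame(src: str, sport: int, dst: str, dport: int, proto: str, payload: bytes = b"") -> bytes:
    """Constructed test frame (not a capture). Checksums are left zero: the policy never looks at them."""
    if proto == "tcp":   # 20-byte TCP header, data offset 5, flags PSH|ACK
        tp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:                # 8-byte UDP header
        tp_hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(tp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0x4000, 64, PROTO[proto], 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    eth_hdr = bytes.fromhex("020000000002" "020000000001") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + tp_hdr + payload


# Sample preset quintuple list (constructed). Entries 0 and 1 overlap for 10.0.0.5 -> 10.0.1.7:5000.
RULES = [
    Rule("10.0.0.0/24", "any", "10.0.1.0/24", "any", "udp", priority=1, mode="sm4", key=b"k" * 16),
    Rule("10.0.0.5", "any", "10.0.1.7", "5000", "udp", priority=10, mode="passthrough"),
    Rule("any", "1024-65535", "10.0.1.0/24", "443", "tcp", priority=5, mode="aes", key=b"K" * 16),
]

if __name__ == "__main__":
    for f in (build_frame("10.0.0.9", 1111, "10.0.1.3", 53, "udp"),
              build_frame("10.0.0.5", 4444, "10.0.1.7", 5000, "udp"),
              build_frame("192.0.2.1", 40000, "10.0.1.20", 443, "tcp", b"GET"),
              build_frame("10.0.0.9", 40000, "198.51.100.1", 80, "tcp")):
        print(five_tuple(f), "->", decide(f, RULES)[0])
```

The second sample frame matches both the /24 entry and the more specific forced pass-through entry; the priority field, not list order, decides, which is the behaviour the description requires when wildcards overlap. Frames that are not IPv4 over TCP or UDP fall through to the default processing, since the policy is defined only for those protocols.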
Further, in step 3 of this embodiment, the encryption device sends a second network data frame, where the second network data frame includes the ciphertext data.
Specifically, the encryption device in this embodiment re-encapsulates the ciphertext data with the frame header information of the first network data frame to form the second network data frame and sends it through network port B to the next-stage network device, as shown in Fig. 2. The frame header information consists of the Ethernet II header of Table 1, the IPv4 header of Table 2, and the TCP header of Table 3 or the UDP header of Table 4. The second network data frame therefore has the same structure as the first network data frame and differs only in the content of the payload part: the IP header is not modified after encryption, only the first valid data is encrypted, the frame structure is unchanged and network performance is unaffected. Because the encrypted frame has exactly the same layout as the frame before encryption, an outside observer cannot tell from the structure alone whether a frame has been encrypted, which the description presents as making the traffic harder to single out for attack and as strengthening network security.
Two practical consequences of this design are left implicit in the description. First, the TCP and UDP checksums cover the payload, so once the payload is replaced by ciphertext the transport checksum must be recomputed, otherwise the receiving stack will discard the frame; and since the length fields are kept as they are, the cipher has to run in a length-preserving mode (a stream cipher such as ZUC, or a block cipher in a mode such as CTR, OFB or CFB without padding). Second, the headers, and therefore the quintuple, stay in clear text: what is hidden is the payload, not who is communicating with whom, and the description does not mention any integrity protection of the ciphertext, so a deployment should check whether the chosen mode provides it.
Further, when the encryption device executes the IPv4 data encryption method, it also performs step 4: determining whether the first MAC management function is configured and enabled on the encryption device.
Specifically, the encryption device supports a first MAC management function comprising a first MAC list and a second MAC list, where the first MAC list is a MAC blacklist and the second MAC list is a MAC whitelist; the MAC addresses of the communicating network devices in the network are preconfigured in the blacklist or the whitelist of the encryption device as required. When the MAC blacklist is enabled, frames from all source MAC addresses are accepted by default and frames whose source MAC address is in the blacklist are rejected; this mode is used to refuse frames from particular source MAC addresses, which are simply entered in the blacklist. Conversely, when the MAC whitelist is enabled, frames from all source MAC addresses are rejected by default and only frames whose source MAC address is in the whitelist are accepted; this mode is used to admit only particular source MAC addresses, which are entered in the whitelist. Step 4 consists of steps 4.1 and 4.2:
Step 4.1: the first MAC management function is not configured or not enabled on the encryption device.
Specifically, in this case frames from all source MAC addresses in the network are accepted by default, and the encryption device applies IPv4 data encryption to the received first network data frame according to steps 1, 2 and 3 above.
Step 4.2: the first MAC management function is configured and enabled on the encryption device.
Specifically, if the first MAC management function is configured and enabled, the device determines whether the first MAC list or the second MAC list is enabled. Step 4.2 consists of steps 4.2.1 and 4.2.2:
Step 4.2.1: if the first MAC list is enabled, process the first network data frame according to the first preset rule.
Specifically, the first preset rule judges whether the first network data frame matches the first MAC list: if the source MAC address of the first network data frame matches any MAC address in the first MAC list, the first preset processing is applied to the frame according to the first configuration parameter, and in this case discarding is preferred; if the source MAC address matches no MAC address in the first MAC list, the encryption device applies IPv4 data encryption to the frame according to steps 1, 2 and 3 above.
Step 4.2.2: if the second MAC list is enabled, process the first network data frame according to the second preset rule.
Specifically, the second preset rule judges whether the first network data frame matches the second MAC list: if the source MAC address of the first network data frame matches at least one MAC address in the second MAC list, the encryption device applies IPv4 data encryption to the frame according to steps 1, 2 and 3 above; if it matches no MAC address in the second MAC list, the first preset processing is applied according to the first configuration parameter, and in this case discarding is preferred.
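The MAC management stage as code, added here as an example and not part of the patent (the function names and the sample frames are assumptions): it decides, before steps 1 to 3 run, whether a frame is handed to the quintuple policy or receives the first preset processing, and it normalises MAC notation before comparing so that a list entry written as `02-00-00-00-00-AA` still matches a frame whose source is `02:00:00:00:00:aa`. The same routine serves the decryption device with its third and fourth MAC lists.

```python
import re

ETH_HDR_LEN = 14


def canonical_mac(mac: str) -> str:
    """Normalise "02-00-00-00-00-AA", "0200.0000.00aa" or "02:00:00:00:00:aa" to one form, so an
    entry typed in a different notation does not silently fail to match."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("bad MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def source_mac(frame: bytes) -> str:
    """Source MAC address from the Ethernet II header (bytes 6..11)."""
    return ":".join("%02x" % b for b in frame[6:12])


def mac_stage(frame: bytes, management_enabled: bool, list_mode: str, mac_list, reject: str = "drop") -> str:
    """Step 4 of the encryption device. Returns "policy" when the frame goes on to the quintuple
    stage (steps 1 to 3), otherwise the first preset processing applied to rejected frames, which
    the description says is preferably "drop" here. list_mode is "blacklist" (the first MAC list)
    or "whitelist" (the second MAC list)."""
    if not management_enabled:
        return "policy"                      # step 4.1: every source MAC is accepted
    listed = source_mac(frame) in {canonical_mac(m) for m in mac_list}
    if list_mode == "blacklist":             # step 4.2.1: accept by default, reject listed sources
        return reject if listed else "policy"
    if list_mode == "whitelist":             # step 4.2.2: reject by default, accept listed sources
        return "policy" if listed else reject
    raise ValueError("unknown MAC list mode: %r" % list_mode)


# Constructed frames (not captures): only the Ethernet header matters to this stage.
FRAME_FROM_AA = bytes.fromhex("020000000002" "0200000000aa" "0800") + b"\x00" * 20
FRAME_FROM_BB = bytes.fromhex("020000000002" "0200000000bb" "0800") + b"\x00" * 20
MAC_LIST = ["02-00-00-00-00-AA"]   # the first device, written in a different notation

if __name__ == "__main__":
    for name, frame in (("aa", FRAME_FROM_AA), ("bb", FRAME_FROM_BB)):
        print(name, mac_stage(frame, False, "blacklist", MAC_LIST),
              mac_stage(frame, True, "blacklist", MAC_LIST),
              mac_stage(frame, True, "whitelist", MAC_LIST))
```

Whichever list is active, the comparison is on the source MAC address alone, a field any sender can set to an arbitrary value.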
In the embodiment, the MAC black/white list function is configured on the encryption equipment, so that illegal equipment can be prevented from accessing the decryption equipment, and the security of network data transmission is improved.
In summary, in this embodiment, through the quintuple encryption policy and the MAC black/white list function, one-to-one, one-to-many, and many-to-many encryption of network data frames can be achieved, all network data in the network is encrypted in a packet, an illegal device can be effectively prevented from accessing the encryption and decryption device, and unified management is facilitated.
Example two
On the basis of the first embodiment, refer to fig. 3, which is a flowchart of an IPv4 data decryption method according to an embodiment of the present invention. This embodiment provides an IPv4 data decryption method, applied to a decryption device and a receiving network device that are connected to each other; when the decryption device executes the IPv4 data decryption method, the method includes the following steps:
step 1, receiving a third network data frame;
step 2, judging whether the quintuple of the third network data frame is matched with a preset quintuple list of the decryption device, if a second quintuple matched with the quintuple of the third network data frame exists in the preset quintuple list of the decryption device, decrypting the third network data frame to obtain plaintext data, and if the second quintuple matched with the quintuple of the third network data frame does not exist in the preset quintuple list of the decryption device, performing second preset processing on the third network data frame according to a second configuration parameter;
step 3, sending a fourth network data frame to the receiving network device, wherein the fourth network data frame comprises the plaintext data.
Specifically, refer to fig. 4, which is a schematic diagram of the connection relationship between a decryption device and a receiving network device in an IPv4 data encryption method according to an embodiment of the present invention. The decryption device is pre-configured with a preset quintuple list, which comprises all quintuples corresponding to the network devices in the network that need decryption, each such quintuple being denoted a second quintuple. The decryption device receives a third network data frame sent by a preceding-stage network device on network port A and judges whether a second quintuple matching the quintuple of the third network data frame exists in its preset quintuple list. If so, the decryption device decrypts the third network data frame to obtain plaintext data, re-encapsulates the plaintext data to form a fourth network data frame, and sends the fourth network data frame to the receiving network device through network port B; if not, it performs the second preset processing on the third network data frame according to the second configuration parameter. The second configuration parameter is configured on the decryption device according to the actual network requirements.
The quintuple decryption policy provided by this embodiment enables the decryption device to perform one-to-one, one-to-many and many-to-many decryption processing of network data frames, decrypts the specified network data frames in the network, and is convenient for unified management; the quintuple decryption policy provided by this embodiment can be used in any network environment, uses the TCP/UDP protocol, and does not depend on any other service.
Further, in step 1, a third network data frame is received.
Specifically, refer to fig. 5, which is a schematic diagram of the connection relationship between network devices in an IPv4 data encryption method and data decryption method according to an embodiment of the present invention. In this embodiment, the preceding-stage network device of fig. 4 comprises the sending network device and the encryption device of embodiment one connected in series; at this time the third network data frame received by the decryption device is the second network data frame sent by the encryption device, and since the second network data frame comprises the ciphertext data, the third network data frame comprises the encrypted ciphertext data. The third network data frame and the second network data frame have the same structure, and only the specific content of the frame differs.
Further, in step 2, it is determined whether the quintuple of the third network data frame matches the preset quintuple list of the decryption device.
Specifically, referring to fig. 5 again, in this embodiment the quintuple of the third network data frame and each second quintuple in the preset quintuple list of the decryption device comprise a source IPv4 address, a source port, a destination IPv4 address, a destination port and a transport layer protocol. The source IPv4 address and the destination IPv4 address, both in the quintuple of the third network data frame and in each second quintuple of the preset quintuple list of the decryption device, support wildcards: an IPv4 address wildcard may be any IPv4 address or a specified network segment range, the source port and the destination port may be any port number or a partially specified range of port numbers, the transport layer protocol supports TCP or UDP, and the source IPv4 address and the destination IPv4 address are determined according to the actual configuration of network data decryption. This embodiment specifically includes step 2.1 and step 2.2:
Step 2.1: if a second quintuple matching the quintuple of the third network data frame exists in the preset quintuple list of the decryption device, the third network data frame is decrypted to obtain plaintext data.
Specifically, in this embodiment, when a second quintuple matching the quintuple of the third network data frame exists in the preset quintuple list of the decryption device, the decryption device decrypts the third network data frame as follows: it first obtains the second valid data from the third network data frame, obtains a decryption mode according to the second quintuple, obtains a decryption key according to the second quintuple, and decrypts the second valid data according to the decryption mode and the decryption key to obtain plaintext data.
Each second quintuple in the preset quintuple list of the decryption device of this embodiment corresponds to a decryption mode and a set of decryption keys; the decryption modes set for different second quintuples may be the same or different, and likewise the decryption keys may be the same or different. When a second quintuple matches the quintuple of the third network data frame, the decryption mode and decryption key corresponding to that second quintuple are looked up, and the second valid data in the third network data frame, that is, the network data to be decrypted, is decrypted with that decryption mode and decryption key to obtain plaintext data. The decryption mode may use decryption algorithms such as sm4, zuc, aes and des. When the decryption mode corresponding to the second quintuple is forced transparent transmission, the third network data frame is passed through directly and no decryption key needs to be set; when the decryption mode corresponding to the second quintuple is not forced transparent transmission, the second valid data is decrypted in the chosen decryption mode together with the decryption key configured for that second quintuple.
The decryption device of this embodiment supports one-to-one, one-to-many and many-to-many decryption processing of network data frames. For example, in many-to-many decryption, multiple sending network devices send network data frames at the same time and the decryption device receives multiple network data frames; the decryption device judges in turn whether the quintuple of each network data frame matches its preset quintuple list, and if several second quintuples in the preset quintuple list match the quintuple of the network data frame at the same time, the decryption device processes the network data frame according to the second quintuple with the highest priority, the priorities of the second quintuples being preset in the decryption device. For a matched network data frame, its valid data is decrypted according to the decryption mode and decryption key corresponding to that second quintuple.
In this embodiment, the decryption device holds a plurality of second quintuples, and since the second quintuples support wildcards, one first network data frame may match several second quintuples at the same time, each of which corresponds to its own decryption mode and decryption key; that is, when several second quintuples match simultaneously, the decryption device decrypts the first network data frame according to the decryption mode and decryption key corresponding to the second quintuple with the highest priority.
The quintuple decryption policy provided by this embodiment realizes group management of decryption keys on the decryption device, realizes one-to-one, one-to-many and many-to-many decryption of network data of the network devices in the network, can decrypt all network data in the network, and is convenient for unified management.
Step 2.2: if no second quintuple matching the quintuple of the third network data frame exists in the preset quintuple list of the decryption device, the second preset processing is performed on the third network data frame according to the second configuration parameter.
Specifically, in this embodiment the quintuple is used as an encryption policy, and for a third network data frame that matches none of the second quintuples in the preset quintuple list of the encryption device, the second preset processing is performed according to the actual design requirements; the second preset processing includes transparent transmission, discarding or other processing, and here the second preset processing is preferably transparent transmission. The second configuration parameter may be configured in advance on the encryption device, according to the actual design requirements, as the basis for this decision.
In many-to-many decryption of network data frames, the decryption device can only process one network data frame at a time, and when several preceding-stage network devices are connected to the decryption device, the decryption device processes the received third network data frames in the order in which they are received. Except for IP fragments, each network data frame received by the decryption device should be an independent network data frame, and the decryption device processes each independent network data frame separately. For IP fragments, the fragmented packets need to be reassembled into the network data frame before decryption.
Further, in step 3, a fourth network data frame is sent to the receiving network device, where the fourth network data frame comprises the plaintext data.
Specifically, the decryption device in this embodiment re-encapsulates the plaintext data together with the header information of the third network data frame to form a fourth network data frame, and sends the fourth network data frame to the receiving network device through network port B, as shown in fig. 4 or fig. 5; the header information of the third network data frame comprises the Ethernet II header of table 1, the IPv4 header of table 2, and the TCP header of table 3 or the UDP header of table 4. The fourth network data frame has the same structure as the third network data frame, and only the specific content of the frame differs: this embodiment does not modify the content of the IP header of the network data frame during decryption, only decrypts the second valid data, does not change the structure of the network data frame, and does not affect network performance. The structure of the decrypted network data frame is completely consistent with that of the network data frame before decryption, so that a decrypted network data frame and a network data frame before encryption cannot be distinguished from the outside; the network data frame is therefore not easily attacked, and network security is strong.
Further, when the decryption device executes the IPv4 data decryption method, a step 4 is further included: determining whether the second MAC management is configured or enabled on the decryption device.
Specifically, the decryption device further supports a second MAC management function, which comprises a third MAC list and a fourth MAC list; the third MAC list is a MAC blacklist, the fourth MAC list is a MAC whitelist, and the MAC addresses corresponding to all communication network devices in the network are preconfigured in the MAC blacklist and the MAC whitelist of the decryption device respectively. As in embodiment one, when the MAC blacklist is enabled, network data frames from all source MAC addresses are allowed to be received by default, except for the source MAC addresses in the MAC blacklist, which are not allowed; in MAC blacklist mode, when network data frames from certain source MAC addresses are to be blocked, those source MAC addresses are simply entered in the blacklist. Similarly, when the MAC whitelist is enabled, network data frames from all source MAC addresses are prohibited from being received by default, except for the source MAC addresses in the MAC whitelist, which are allowed; in MAC whitelist mode, when network data frames from certain source MAC addresses are to be allowed, those source MAC addresses are simply entered in the MAC whitelist. Step 4 of this embodiment specifically includes step 4.1 and step 4.2:
Step 4.1: the second MAC management is not configured or not enabled on the decryption device.
Specifically, in this embodiment, by default network data frames from all source MAC addresses in the network are allowed to be received, and the decryption device performs IPv4 data decryption on the received third network data frame according to steps 1, 2 and 3 of this embodiment.
Step 4.2: the second MAC management is configured and enabled on the decryption device.
Specifically, if the second MAC management is configured and enabled in this embodiment, it must further be determined whether the third MAC list or the fourth MAC list is enabled. Step 4.2 includes step 4.2.1 and step 4.2.2:
and 4.2.1, if the third MAC list is started, processing the third network data frame according to a third preset rule.
Specifically, the third preset rule in this embodiment is specifically that whether the third network data frame is matched with the third MAC list is determined, specifically, if any one of the source MAC address of the third network data frame is matched with the MAC address in the third MAC list, the third network data frame is subjected to second preset processing according to the second configuration parameter, at this time, the second preset processing is preferably discarded, and if the source MAC address of the third network data frame is not matched with the MAC address in the third MAC list, the decryption device performs IPv4 data decryption on the third network data frame according to steps 1, 2, and 3 in this embodiment.
And 4.2.2, if the fourth MAC list is started, processing the third network data frame according to a fourth preset rule.
Specifically, the fourth preset rule in this embodiment is specifically to determine whether the third network data frame matches the fourth MAC list, specifically, if the source MAC address of the third network data frame matches at least one MAC address in the fourth MAC list, the decryption device performs IPv4 data decryption on the third network data frame according to steps 1, 2, and 3 in this embodiment, if the source MAC address of the third network data frame does not match the MAC address in the fourth MAC list, the decryption device performs the second preset process on the third network data frame according to the second configuration parameter, and at this time, the second preset process is preferably discarded.
In the embodiment, the MAC black/white list function is configured on the decryption device, so that illegal devices can be prevented from accessing the decryption device, and the security of network data transmission is improved.
In summary, in this embodiment, through the quintuple decryption policy, one-to-one, one-to-many, and many-to-many network data frames of the network device can be decrypted, all network data in the network is decrypted in a packet manner, and an illegal device can be effectively prevented from accessing the encryption and decryption device, and unified management is facilitated.
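The decryption device's per-frame decision path of this embodiment (step 4 MAC black/white list, step 2 quintuple matching with wildcards and priority, then forced transparent transmission, decryption, or the second preset processing), modelled as an added example that is not the patent's or the applicant's code. It assumes the wildcard forms the page gives ("*", "192.168.1.*", "90?"), a numeric priority where the lowest number wins, and a labelled stand-in cipher in place of sm4/zuc/aes/des; all sample data is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from itertools import cycle
from typing import Callable, Optional


@dataclass(frozen=True)
class Quintuple:
    """The quintuple carried by a received (third) network data frame."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "TCP" or "UDP"


@dataclass
class Policy:
    """One second quintuple with its decryption mode, key and priority."""
    src_ip: str           # exact address, "192.168.1.*" style segment, or "*"
    src_port: str         # exact number, "90?" style partial range, or "*"
    dst_ip: str
    dst_port: str
    proto: str            # "TCP", "UDP" or "*"
    mode: str             # "transparent" or a name registered in CIPHERS
    key: bytes = b""      # not needed for forced transparent transmission
    priority: int = 100   # assumption: lower number = higher priority


def _ip_match(pattern: str, addr: str) -> bool:
    """'*' matches any address; a '*' octet matches that whole network segment."""
    if pattern == "*":
        return True
    pat, octets = pattern.split("."), addr.split(".")
    return len(pat) == 4 and all(p == "*" or p == o for p, o in zip(pat, octets))


def _port_match(pattern: str, port: int) -> bool:
    """'*' matches any port; '?' matches one decimal digit ('90?' -> 900..909)."""
    if pattern == "*":
        return True
    digits = str(port)
    return len(digits) == len(pattern) and all(p in ("?", d) for p, d in zip(pattern, digits))


def policy_matches(p: Policy, q: Quintuple) -> bool:
    return (p.proto in ("*", q.proto)
            and _ip_match(p.src_ip, q.src_ip) and _port_match(p.src_port, q.src_port)
            and _ip_match(p.dst_ip, q.dst_ip) and _port_match(p.dst_port, q.dst_port))


def demo_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in so the example runs offline: repeating-key XOR, NOT sm4/zuc/aes/des."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


CIPHERS: dict[str, Callable[[bytes, bytes], bytes]] = {"demo-xor": demo_xor}


@dataclass
class DecryptionDevice:
    policies: list[Policy]                 # the preset quintuple list
    unmatched_action: str = "transparent"  # the second configuration parameter
    mac_mode: str = "off"                  # "off", "blacklist" (third list), "whitelist" (fourth list)
    mac_list: set[str] = field(default_factory=set)
    mac_reject_action: str = "discard"     # preferred second preset processing for MAC rejects

    def mac_admits(self, src_mac: str) -> bool:
        """Step 4: second MAC management on the frame's source MAC address."""
        if self.mac_mode == "off":
            return True  # frames from all source MAC addresses received by default
        listed = src_mac.lower() in {m.lower() for m in self.mac_list}
        if self.mac_mode == "blacklist":
            return not listed
        if self.mac_mode == "whitelist":
            return listed
        raise ValueError(f"unknown MAC mode {self.mac_mode!r}")

    def select_policy(self, q: Quintuple) -> Optional[Policy]:
        """Step 2: of all matching second quintuples, the highest priority wins."""
        hits = [p for p in self.policies if policy_matches(p, q)]
        return min(hits, key=lambda p: p.priority) if hits else None

    def process(self, src_mac: str, q: Quintuple, valid_data: bytes) -> tuple[str, bytes]:
        """Return (action, output data); action is 'decrypt', 'transparent' or 'discard'."""
        if not self.mac_admits(src_mac):
            return (self.mac_reject_action, b"")
        p = self.select_policy(q)
        if p is None:  # step 2.2: second preset processing per the second configuration parameter
            return (self.unmatched_action,
                    valid_data if self.unmatched_action == "transparent" else b"")
        if p.mode == "transparent":  # forced transparent transmission, no key needed
            return ("transparent", valid_data)
        return ("decrypt", CIPHERS[p.mode](p.key, valid_data))  # step 2.1
```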
Example three
Based on the second embodiment, in order to describe the implementation of the IPv4 data encryption method of the first embodiment and the IPv4 data decryption method of the second embodiment, the following examples are used for illustration:
The encryption device and the decryption device in this embodiment should be used in combination. The sending network device may be several network devices connected to the encryption device through a switch, and likewise the receiving network device may be several network devices connected to the decryption device through a switch. The encryption device or the decryption device is used to realize one-to-one, one-to-many and many-to-many encryption or decryption processing of network data frames, where one-to-one means one encryption device corresponds to one decryption device, one-to-many means one encryption device corresponds to several decryption devices, and many-to-many means several encryption devices correspond to several decryption devices.
Referring to fig. 5 again, the network of this embodiment includes a sending network device, an encryption device, a decryption network device and a receiving network device connected in sequence, and the network implements a one-to-one network data encryption and decryption process. Specifically, the sending network device sends a first network data frame to the encryption device, and the quintuple of the first network data frame is 192.168.1.200, 9000, 192.168.1.100, 9000, TCP. The encryption device is preset with a source IPv4 address, source port, destination IPv4 address, destination port number, transport layer protocol, encryption algorithm and encryption key of 192.168.1.200, 9000, 192.168.1.100, 9000, TCP, des and key123456 respectively, which form the quintuple encryption policy on the encryption device; the first quintuple is 192.168.1.200, 9000, 192.168.1.100, 9000, TCP. During encryption, the encryption device receives the first network data frame, determines that the quintuple of the first network data frame matches a first quintuple in the quintuple list of the encryption device, encrypts the valid data to be encrypted in the first network data frame sent by the sending network device according to the encryption mode des and the encryption key key123456 preset in the encryption device to obtain ciphertext data, re-encapsulates the ciphertext data together with the frame header information of the first network data frame to form a second network data frame, and sends the second network data frame to the decryption device. During decryption, the decryption device receives the second network data frame (the third network data frame of the second embodiment), whose quintuple is 192.168.1.200, 9000, 192.168.1.100, 9000, TCP. The decryption device is preset with a source IPv4 address, source port, destination IPv4 address, destination port number, transport layer protocol, encryption algorithm and encryption key of 192.168.1.200, 9000, 192.168.1.100, 9000, TCP, des and key123456 respectively, which form the quintuple decryption policy on the decryption device; the second quintuple is 192.168.1.200, 9000, 192.168.1.100, 9000, TCP. The decryption device receives the second network data frame, determines that its quintuple matches a second quintuple in the quintuple list of the decryption device, decrypts the second network data frame with the decryption mode des and the decryption key key123456 configured in advance on the decryption device, encapsulates the resulting plaintext data into a fourth network data frame, and sends the fourth network data frame to the receiving network device, completing the transmission of ciphertext data between the sending network device and the receiving network device. The whole encryption process and decryption process of this embodiment keep the structure of the network data frames completely consistent, so network security is stronger.
In this embodiment, the encryption device and the decryption device may be independent devices, as shown in fig. 5: the network data frame received by the encryption device is encrypted by the encryption device according to the IPv4 data encryption method of the first embodiment, and the network data frame received by the decryption device is decrypted by the decryption device according to the IPv4 data decryption method of the second embodiment. The IP header remains unchanged throughout the encryption and decryption of packet data in the whole network, that is, the IP headers of the first, second, third and fourth network data frames are unchanged, including the IPv4 identifier in the IP header.
The encryption device and the decryption device in this embodiment may also be the same device, denoted an encryption and decryption device, which can perform either encryption processing or decryption processing; whether a network data frame in transit is encrypted or decrypted is determined by the configuration parameters of the encryption and decryption device. When the configuration parameters specify encryption, the network data frame received by the encryption and decryption device is encrypted according to the IPv4 data encryption method of the first embodiment; when they specify decryption, the network data frame received by the encryption and decryption device is decrypted according to the IPv4 data decryption method of the second embodiment, and the IP header is unchanged throughout the encryption and decryption of packet data in the entire network. Referring to fig. 6, which is a schematic diagram of the connection relationship between network devices in another IPv4 data encryption method and data decryption method according to an embodiment of the present invention, the network of this embodiment includes a sending network device, a first encryption and decryption device, a second encryption and decryption device and a receiving network device connected in sequence, and the network implements a one-to-one network data encryption and decryption process. Specifically, as shown in fig. 6, if bidirectional data in the network needs to be encrypted: when the sending network device 192.168.1.200 sends a network data frame to the receiving network device 192.168.1.100, the network data frame is encrypted when it passes through the first encryption and decryption device and decrypted when it passes through the second encryption and decryption device; when the sending network device 192.168.1.100 sends a network data frame to the receiving network device 192.168.1.200, the network data frame is encrypted when it passes through the second encryption and decryption device and decrypted when it passes through the first encryption and decryption device. The quintuple policies in the first and second encryption and decryption devices may be set in only one direction, in which case the first and second encryption and decryption devices automatically generate the quintuple policy for the opposite direction from the one that was set, or the quintuple policies may be set in both directions; the setting of the quintuple policy for one direction is detailed in the quintuple policy design of fig. 5.
It should be noted that whether the encryption device and the decryption device are set up independently or as the same device is determined by the specific network environment. The IPv4 address in the quintuple encryption and decryption policies pre-configured on the encryption device and the decryption device may be an exact IPv4 address (e.g. "192.168.1.200", "192.168.1.100") or an IPv4 address expressed as a wildcard match (e.g. "192.168.1.*", "192.168.*.*" or "192.*.*.*"), and such an IPv4 address means that all hosts in that network segment can be subjected to IPv4 data encryption and decryption processing. The port number in the pre-configured quintuple encryption and decryption policies on the encryption device and the decryption device may be an exact number (e.g. 9000), any port number, or a partially specified range of port numbers (e.g. "*", or "90?" where "?" stands for a single decimal digit). The transport layer protocol in the quintuple encryption and decryption policies pre-configured on the encryption device and the decryption device supports TCP or UDP.
Fig. 5 and fig. 6 are described only as embodiments; the connection of each device in the encryption or decryption process follows the actual network design requirements, and it is only necessary that the IPv4 data encryption method of the first embodiment is executed on the encryption device and the IPv4 data decryption method of the second embodiment is executed on the decryption device.
This embodiment can implement the above IPv4 data encryption method embodiment and the above IPv4 data decryption method embodiment; the implementation principle and technical effect are similar and are not described here again.
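The re-encapsulation of this embodiment at the byte level (Ethernet II header and IPv4 header copied unchanged, only the valid data after the TCP header replaced), as an added example that is not the patent's or the applicant's code. It assumes a constructed sample frame carrying the quintuple 192.168.1.200, 9000, 192.168.1.100, 9000, TCP, a length-preserving stand-in transform in place of des, and that the TCP checksum is recomputed because it covers the payload, a detail the page does not discuss.

```python
import struct
from itertools import cycle
from typing import Callable, Tuple

ETH_LEN = 14                     # Ethernet II header length
PROTO_NAMES = {6: "TCP", 17: "UDP"}


def _ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit words (odd length padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def quintuple_of(frame: bytes) -> Tuple[str, int, str, int, str]:
    """(src_ip, src_port, dst_ip, dst_port, proto) read from an Ethernet II/IPv4 frame."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    proto = frame[ETH_LEN + 9]
    src = ".".join(str(b) for b in frame[ETH_LEN + 12:ETH_LEN + 16])
    dst = ".".join(str(b) for b in frame[ETH_LEN + 16:ETH_LEN + 20])
    l4 = ETH_LEN + ihl
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return (src, sport, dst, dport, PROTO_NAMES.get(proto, str(proto)))


def _tcp_checksum(ip_hdr: bytes, tcp_seg: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment with its checksum zeroed."""
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(tcp_seg))
    return _ones_complement_sum(pseudo + tcp_seg[:16] + b"\x00\x00" + tcp_seg[18:])


def tcp_checksum_ok(frame: bytes) -> bool:
    """A valid segment sums (with its checksum included) to zero."""
    l4 = ETH_LEN + (frame[ETH_LEN] & 0x0F) * 4
    ip_hdr, seg = frame[ETH_LEN:l4], frame[l4:]
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    return _ones_complement_sum(pseudo + seg) == 0


def reencapsulate(frame: bytes, transform: Callable[[bytes], bytes]) -> bytes:
    """Replace only the TCP payload (the valid data); all header bytes are reused verbatim.

    The IPv4 header, including its identifier and total length, is copied unchanged, which
    requires a length-preserving transform. The TCP checksum is recomputed (assumption).
    """
    l4 = ETH_LEN + (frame[ETH_LEN] & 0x0F) * 4
    ip_hdr = frame[ETH_LEN:l4]
    if ip_hdr[9] != 6:
        raise ValueError("this example handles TCP only")
    doff = (frame[l4 + 12] >> 4) * 4
    tcp_hdr, payload = bytearray(frame[l4:l4 + doff]), frame[l4 + doff:]
    new_payload = transform(payload)
    if len(new_payload) != len(payload):
        raise ValueError("transform must preserve length so the IP header stays unchanged")
    tcp_hdr[16:18] = struct.pack("!H", _tcp_checksum(ip_hdr, bytes(tcp_hdr) + new_payload))
    return frame[:l4] + bytes(tcp_hdr) + new_payload


def demo_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in transform (repeating-key XOR); NOT des, used only so the example runs."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def build_sample_frame(payload: bytes) -> bytes:
    """Constructed first network data frame: 192.168.1.200:9000 -> 192.168.1.100:9000 over TCP."""
    eth = bytes.fromhex("aabbccddee02") + bytes.fromhex("aabbccddee01") + b"\x08\x00"
    total = 20 + 20 + len(payload)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0x4000, 64, 6, 0,
                               bytes([192, 168, 1, 200]), bytes([192, 168, 1, 100])))
    ip[10:12] = struct.pack("!H", _ones_complement_sum(bytes(ip)))
    tcp = bytearray(struct.pack("!HHIIBBHHH", 9000, 9000, 1, 1, 0x50, 0x18, 8192, 0, 0))
    tcp[16:18] = struct.pack("!H", _tcp_checksum(bytes(ip), bytes(tcp) + payload))
    return eth + bytes(ip) + bytes(tcp) + payload
```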
Example four
Based on the third embodiment, it can be seen that the encryption device and the decryption device do not need IP addresses: neither needs an IPv4 address or a MAC address configured, that is, the encryption device and the decryption device may be devices without IP addresses and can still implement encryption or decryption processing of network data frames in a locally managed network. In this case, all network data frames can be received by setting the network cards of the encryption device and the decryption device to promiscuous mode.
When remote management of the encryption device and the decryption device is implemented in this embodiment, each device borrows the IPv4 address and MAC address of the downlink device connected to it in order to communicate with the management server, thereby implementing remote management of the encryption device and the decryption device and hence encryption or decryption processing of network data frames in a remote network.
The foregoing is a more detailed description of the invention in connection with specific preferred embodiments, and it is not intended that the invention be limited to these specific details. For those skilled in the art to which the invention pertains, several simple deductions or substitutions can be made without departing from the spirit of the invention, and all of these shall be considered as falling within the protection scope of the invention.

Claims (10)

1. An IPv4 data encryption method, applied to a sending network device and an encryption device which are connected with each other, wherein the encryption device executes the IPv4 data encryption method and comprises the following steps:
receiving a first network data frame, the first network data frame being transmitted by the transmitting network device;
judging whether the quintuple of the first network data frame is matched with a preset quintuple list of the encryption equipment, if the first quintuple matched with the quintuple of the first network data frame exists in the preset quintuple list of the encryption equipment, encrypting the first network data frame to obtain ciphertext data, and if the first quintuple matched with the quintuple of the first network data frame does not exist in the preset quintuple list of the encryption equipment, performing first preset processing on the first network data frame according to a first configuration parameter;
sending a second network data frame, wherein the second network data frame comprises the ciphertext data.
2. The IPv4 data encryption method according to claim 1, wherein the encrypting the first network data frame to obtain ciphertext data includes:
acquiring first valid data from the first network data frame;
obtaining an encryption mode according to the first quintuple;
obtaining an encryption key according to the first quintuple;
and encrypting the first valid data according to the encryption mode and the encryption key to obtain ciphertext data.
3. The IPv4 data encryption method according to claim 1, further comprising determining whether first MAC management is configured and enabled; if the first MAC management is not configured or not enabled, performing the IPv4 data encryption method according to any one of claims 1 to 2; if the first MAC management is configured and enabled, determining whether a first MAC list or a second MAC list is enabled, and if the first MAC list is enabled, processing the first network data frame according to a first preset rule, or if the second MAC list is enabled, processing the first network data frame according to a second preset rule.
4. The IPv4 data encryption method according to claim 3, wherein processing the first network data frame according to a first preset rule includes:
determining whether the first network data frame matches the first MAC list: if the source MAC address of the first network data frame matches any MAC address in the first MAC list, performing the first preset processing on the first network data frame according to the first configuration parameter, and if the source MAC address of the first network data frame matches no MAC address in the first MAC list, performing the IPv4 data encryption method according to any one of claims 1 to 2.
5. The IPv4 data encryption method according to claim 3, wherein processing the first network data frame according to a second preset rule includes:
determining whether the first network data frame matches the second MAC list: if the source MAC address of the first network data frame matches at least one MAC address in the second MAC list, performing the IPv4 data encryption method according to any one of claims 1 to 2, and if the source MAC address of the first network data frame matches no MAC address in the second MAC list, performing the first preset processing on the first network data frame according to the first configuration parameter.
6. An IPv4 data decryption method, applied to a decryption device and a receiving network device that are connected to each other, wherein the decryption device executes the IPv4 data decryption method, which comprises the following steps:
receiving a third network data frame;
determining whether the quintuple of the third network data frame matches a preset quintuple list of the decryption device; if a second quintuple matching the quintuple of the third network data frame exists in the preset quintuple list of the decryption device, decrypting the third network data frame to obtain plaintext data, and if no second quintuple matching the quintuple of the third network data frame exists in the preset quintuple list of the decryption device, performing second preset processing on the third network data frame according to a second configuration parameter;
sending a fourth network data frame to the receiving network device, the fourth network data frame including plaintext data.
7. The IPv4 data decryption method of claim 6, wherein decrypting the third network data frame to obtain plaintext data includes:
acquiring second valid data from the third network data frame;
obtaining a decryption mode according to the second quintuple;
obtaining a decryption key according to the second quintuple;
and decrypting the second valid data according to the decryption mode and the decryption key to obtain plaintext data.
8. The IPv4 data decryption method of claim 6, further comprising determining whether second MAC management is configured and enabled; if the second MAC management is not configured or not enabled, performing the IPv4 data decryption method of any one of claims 6 to 7; if the second MAC management is configured and enabled, determining whether a third MAC list or a fourth MAC list is enabled, and if the third MAC list is enabled, processing the third network data frame according to a third preset rule, or if the fourth MAC list is enabled, processing the third network data frame according to a fourth preset rule.
9. The IPv4 data decryption method of claim 8, wherein processing the third network data frame according to a third preset rule includes:
determining whether the third network data frame matches the third MAC list: if the source MAC address of the third network data frame matches any MAC address in the third MAC list, performing the second preset processing on the third network data frame according to the second configuration parameter, and if the source MAC address of the third network data frame matches no MAC address in the third MAC list, performing the IPv4 data decryption method according to any one of claims 6 to 7.
10. The IPv4 data decryption method of claim 8, wherein processing the third network data frame according to a fourth preset rule includes:
determining whether the third network data frame matches the fourth MAC list: if the source MAC address of the third network data frame matches at least one MAC address in the fourth MAC list, performing the IPv4 data decryption method according to any one of claims 6 to 7, and if the source MAC address of the third network data frame matches no MAC address in the fourth MAC list, performing the second preset processing on the third network data frame according to the second configuration parameter.
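The following Go program is an added worked example of the data path that claims 1 to 10 describe (the MAC-management gate of claims 3-5 and 8-10 in front of the quintuple match of claims 1-2 and 6-7); it is not the patent's own code, and the page carries none. Everything the claims leave open is an assumption made here and labelled in the code: frames are Ethernet/IPv4/UDP only, the "valid data" is the UDP payload, the per-entry "encryption mode" is fixed to AES-256-GCM, the "configuration parameter" of the preset processing selects between dropping and forwarding an unmatched frame, and the type and function names (`FiveTuple`, `Device`, `Process`, `rebuild`) are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// FiveTuple is the "quintuple" the claims match on; Policy is one entry of the preset quintuple
// list. The per-entry "encryption mode" of claims 2/7 is fixed here to AES-256-GCM (assumption).
type FiveTuple struct {
	SrcIP, DstIP     [4]byte
	Proto            byte
	SrcPort, DstPort uint16
}
type Policy struct {
	Flow FiveTuple
	Key  []byte // 32 bytes
}

// MAC management modes (claims 3-5 on the encryptor, 8-10 on the decryptor).
const (
	MACOff    = iota // not configured or not enabled: go straight to quintuple matching
	MACBypass        // "first"/"third" MAC list: a listed source MAC gets the default processing
	MACOnly          // "second"/"fourth" MAC list: only a listed source MAC enters the crypto path
)

// Device models either box. DropDefault stands in for the "configuration parameter" of the
// preset processing (assumption: unmatched frames are either dropped or forwarded unchanged).
type Device struct {
	Policies    []Policy
	DropDefault bool
	MACMode     int
	MACList     [][6]byte
}

const ethLen = 14

// parse returns the quintuple of an Ethernet/IPv4/UDP frame and the offset of the UDP payload,
// which this example treats as the "valid data" (assumption; the claims do not define it).
func parse(f []byte) (t FiveTuple, off int, err error) {
	if len(f) < ethLen+28 || binary.BigEndian.Uint16(f[12:]) != 0x0800 || f[ethLen]>>4 != 4 || f[ethLen+9] != 17 {
		return t, 0, errors.New("only IPv4/UDP frames are handled in this example")
	}
	ip, ihl := f[ethLen:], int(f[ethLen]&0x0f)*4
	if ihl < 20 || len(ip) < ihl+8 {
		return t, 0, errors.New("bad IPv4 header length")
	}
	copy(t.SrcIP[:], ip[12:])
	copy(t.DstIP[:], ip[16:])
	t.Proto, t.SrcPort, t.DstPort = ip[9], binary.BigEndian.Uint16(ip[ihl:]), binary.BigEndian.Uint16(ip[ihl+2:])
	return t, ethLen + ihl + 8, nil
}

// rebuild swaps the UDP payload and fixes IPv4 total length/checksum and UDP length. AEAD output
// is 28 bytes longer than its input, so a real device must also account for the path MTU.
func rebuild(f []byte, off int, payload []byte) []byte {
	out := append(append([]byte{}, f[:off]...), payload...)
	ip, ihl := out[ethLen:], int(out[ethLen]&0x0f)*4
	binary.BigEndian.PutUint16(ip[2:], uint16(len(out)-ethLen))
	binary.BigEndian.PutUint16(ip[ihl+4:], uint16(8+len(payload)))
	binary.BigEndian.PutUint16(ip[ihl+6:], 0) // UDP checksum is optional over IPv4
	binary.BigEndian.PutUint16(ip[10:], 0)
	var sum uint32
	for i := 0; i < ihl; i += 2 {
		sum += uint32(binary.BigEndian.Uint16(ip[i:]))
	}
	sum = sum&0xffff + sum>>16
	binary.BigEndian.PutUint16(ip[10:], ^uint16(sum+sum>>16))
	return out
}

func (d *Device) defaultAction(f []byte) ([]byte, string, error) {
	if d.DropDefault {
		return nil, "drop", nil
	}
	return f, "forward", nil
}

// Process runs one frame through the device: encrypt=true follows claims 1-5, false claims 6-10.
// nonce is used only when encrypting and must never repeat under one key (draw it from crypto/rand).
func Process(d *Device, f []byte, encrypt bool, nonce []byte) ([]byte, string, error) {
	if len(f) < ethLen {
		return nil, "drop", errors.New("runt frame")
	}
	listed := false // the MAC management gate runs before quintuple matching
	for _, m := range d.MACList {
		listed = listed || string(m[:]) == string(f[6:12])
	}
	if (d.MACMode == MACBypass && listed) || (d.MACMode == MACOnly && !listed) {
		return d.defaultAction(f)
	}
	t, off, err := parse(f)
	if err != nil {
		return nil, "drop", err
	}
	var p *Policy
	for i := range d.Policies {
		if d.Policies[i].Flow == t {
			p = &d.Policies[i]
		}
	}
	if p == nil {
		return d.defaultAction(f)
	}
	block, err := aes.NewCipher(p.Key)
	if err != nil {
		return nil, "drop", err
	}
	aead, _ := cipher.NewGCM(block)
	aad := append(append([]byte{}, t.SrcIP[:]...), t.DstIP[:]...) // binds the ciphertext to the matched flow
	aad = append(aad, t.Proto, byte(t.SrcPort>>8), byte(t.SrcPort), byte(t.DstPort>>8), byte(t.DstPort))
	payload := f[off:]
	if encrypt {
		if len(nonce) != aead.NonceSize() {
			return nil, "drop", errors.New("nonce must be 12 bytes")
		}
		return rebuild(f, off, aead.Seal(append([]byte{}, nonce...), nonce, payload, aad)), "encrypted", nil
	}
	if len(payload) < aead.NonceSize()+aead.Overhead() {
		return nil, "drop", errors.New("ciphertext too short")
	}
	pt, err := aead.Open(nil, payload[:aead.NonceSize()], payload[aead.NonceSize():], aad)
	if err != nil {
		return nil, "drop", errors.New("authentication failed") // forged or tampered frame
	}
	return rebuild(f, off, pt), "decrypted", nil
}

// buildFrame constructs a sample IPv4/UDP frame (constructed test data, not captured traffic).
func buildFrame(srcMAC [6]byte, t FiveTuple, payload []byte) []byte {
	f := append([]byte{2, 0, 0, 0, 0, 0xbb}, srcMAC[:]...)
	f = append(f, 0x08, 0x00, 0x45, 0, 0, 0, 0, 0, 0, 0, 64, t.Proto, 0, 0)
	f = append(append(f, t.SrcIP[:]...), t.DstIP[:]...)
	f = append(f, byte(t.SrcPort>>8), byte(t.SrcPort), byte(t.DstPort>>8), byte(t.DstPort), 0, 0, 0, 0)
	return rebuild(f, len(f), payload)
}

func main() {
	flow := FiveTuple{SrcIP: [4]byte{10, 0, 0, 5}, DstIP: [4]byte{10, 0, 1, 7}, Proto: 17, SrcPort: 40000, DstPort: 5000}
	enc := &Device{Policies: []Policy{{flow, make([]byte, 32)}}, DropDefault: true} // all-zero demo key (hypothetical)
	dec := &Device{Policies: enc.Policies, DropDefault: true}
	nonce := make([]byte, 12)
	rand.Read(nonce)
	ct, act, err := Process(enc, buildFrame([6]byte{2, 0, 0, 0, 0, 0xaa}, flow, []byte("sensor reading 42")), true, nonce)
	fmt.Println(act, err, len(ct))
	pt, act, err := Process(dec, ct, false, nil)
	fmt.Println(act, err, string(pt[ethLen+28:]))
	ct[len(ct)-1] ^= 1 // flip one tag bit: the decryptor must drop, not forward garbage
	_, act, err = Process(dec, ct, false, nil)
	fmt.Println(act, err)
}
```

Three points the claims leave implicit are worth checking against any implementation. First, the quintuple must stay in clear text on the wire, because the decryption device matches on it before it can select a key; the scheme therefore hides payloads, not flow metadata. Second, the claims specify encryption and decryption but no integrity check; the example uses an AEAD so that a forged or modified frame fails authentication and is dropped rather than decrypted into garbage and forwarded, and it binds the ciphertext to the matched quintuple so a frame cannot be replayed under a different entry. Third, the MAC lists key on the source MAC address, which any host on the segment can set freely, so they are a traffic-steering policy and not an authentication control; the quintuple list and its keys are what decide who can produce decryptable traffic.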
CN201910893729.9A 2019-09-20 2019-09-20 IPv4 data encryption method and IPv4 data decryption method Active CN110768958B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910893729.9A CN110768958B (en) 2019-09-20 2019-09-20 IPv4 data encryption method and IPv4 data decryption method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910893729.9A CN110768958B (en) 2019-09-20 2019-09-20 IPv4 data encryption method and IPv4 data decryption method

Publications (2)

Publication Number Publication Date
CN110768958A true CN110768958A (en) 2020-02-07
CN110768958B CN110768958B (en) 2022-08-05

Family

ID=69330701

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910893729.9A Active CN110768958B (en) 2019-09-20 2019-09-20 IPv4 data encryption method and IPv4 data decryption method

Country Status (1)

Country Link
CN (1) CN110768958B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111800436A (en) * 2020-07-29 2020-10-20 郑州信大捷安信息技术股份有限公司 IPSec isolation network card equipment and secure communication method
CN117201005A (en) * 2023-09-08 2023-12-08 国家计算机网络与信息安全管理中心江苏分中心 IPv6 address dynamic coding method based on ZUC encryption and decryption and application method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1777174A (en) * 2004-11-15 2006-05-24 中兴通讯股份有限公司 Internet safety protocol high-speed processing IP burst method
US20110314274A1 (en) * 2010-05-17 2011-12-22 Certes Networks, Inc. Method and apparatus for security encapsulating ip datagrams
CN102347870A (en) * 2010-07-29 2012-02-08 中国电信股份有限公司 Flow rate security detection method, equipment and system
US20150365378A1 (en) * 2014-06-11 2015-12-17 Electronics And Telecommunications Research Institute One-way data transmission and reception system and method
CN110099062A (en) * 2019-05-07 2019-08-06 山东渔翁信息技术股份有限公司 A kind of encryption method of network data, decryption method and relevant apparatus

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111800436A (en) * 2020-07-29 2020-10-20 郑州信大捷安信息技术股份有限公司 IPSec isolation network card equipment and secure communication method
CN111800436B (en) * 2020-07-29 2022-04-08 郑州信大捷安信息技术股份有限公司 IPSec isolation network card equipment and secure communication method
CN117201005A (en) * 2023-09-08 2023-12-08 国家计算机网络与信息安全管理中心江苏分中心 IPv6 address dynamic coding method based on ZUC encryption and decryption and application method
CN117201005B (en) * 2023-09-08 2024-03-15 国家计算机网络与信息安全管理中心江苏分中心 IPv6 address dynamic coding method based on ZUC encryption and decryption and application method

Also Published As

Publication number Publication date
CN110768958B (en) 2022-08-05

Similar Documents

Publication Publication Date Title
US9461975B2 (en) Method and system for traffic engineering in secured networks
US20060031936A1 (en) Encryption security in a network system
US10404588B2 (en) Path maximum transmission unit handling for virtual private networks
US7231664B2 (en) System and method for transmitting and receiving secure data in a virtual private group
US7043633B1 (en) Method and apparatus for providing adaptive self-synchronized dynamic address translation
US9712504B2 (en) Method and apparatus for avoiding double-encryption in site-to-site IPsec VPN connections
US8775790B2 (en) System and method for providing secure network communications
AU2007261003B2 (en) Method and apparatus for encrypted communications using IPsec keys
CN110691074B (en) IPv6 data encryption method and IPv6 data decryption method
US20050220091A1 (en) Secure remote mirroring
KR20130096320A (en) Switch equipment and data processing method for supporting link layer security transmission
CN110768958B (en) IPv4 data encryption method and IPv4 data decryption method
US20190124055A1 (en) Ethernet security system and method
WO2016165277A1 (en) Ipsec diversion implementing method and apparatus
US11870797B2 (en) Isolating internet-of-things (IoT) devices using a secure overlay network
WO2005008997A1 (en) Hardware acceleration for unified ipsec and l2tp with ipsec processing in a device that integrates wired and wireless lan, l2 and l3 switching functionality
CN114244626B (en) Message processing method and device based on MACSec network
CN113746861B (en) Data transmission encryption and decryption method and encryption and decryption system based on national encryption technology
Cisco Configuring IPSec Network Security
KR101845776B1 (en) MACsec adapter apparatus for Layer2 security
Park et al. A new approach to building a disguised server using the honey port against general scanning attacks
WO2024066059A1 (en) Industrial internet security system and method based on sdp and edge computing
CN117675395A (en) Quantum encryption network equipment with isolation function
CN113114607A (en) Terminal equipment
Shrivastava Threats and Security Aspects of IPv6

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant