CN111083091B - Tunnel creation method, device and storage medium - Google Patents


Info

Publication number: CN111083091B
Application number: CN201811223937.XA
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN111083091A (en)
PCT publication: WO2020078164A1
Inventor: 吴水华
Original and current assignee: ZTE Corp
Legal status: Active
Prior art keywords: vpn tunnel, information, creating, extended, message

Classifications

    • H04L9/40 Network security protocols
    • H04L63/0272 Virtual private networks
    • H04L12/46 Interconnection of networks
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W76/12 Setup of transport tunnels

Abstract

The invention discloses a tunnel creation method comprising the following steps: in an initial negotiation stage for a key, determining, from the interaction information of that stage, that the message receiver has the capability of creating an extended Virtual Private Network (VPN) tunnel; when the data carried in the extended VPN tunnel meets the condition for an extended VPN tunnel, extracting, from the current user message, feature information for creating the extended VPN tunnel; generating an extension code for creating the extended VPN tunnel from the feature information; and creating the extended VPN tunnel according to the extension code. The invention also discloses a tunnel creation device and a storage medium.

Description

Tunnel creation method, device and storage medium
Technical Field
The invention relates to network communication technology, and in particular to a method and device for creating an Internet Protocol Security (IPSec) tunnel, and a storage medium.
Background
VPN refers to a technology for establishing a private network over a public network. It supports the establishment of a VPN tunnel between two communicating parties so that traffic is encrypted in transit and transmission security is improved. When establishing the VPN tunnel, the devices of the two communicating parties negotiate several times, based on the parameters, keys, certificates and so on configured on each side, to determine the common parameters of the VPN tunnel, which include the encryption and decryption algorithm, the authentication algorithm, keys, certificates and the like.
In the prior art, a Traffic Selector (TS) payload is generated from the five-tuple of source IP address, destination IP address, transport layer protocol number, source port and destination port, so that a single, distinct Virtual Private Network (VPN) tunnel is created.
However, in 5G (5th generation communication system) base station communication, the user plane carries a large data throughput, and the processing capability of a single VPN tunnel created from five-tuple information is limited.
Disclosure of Invention
To solve the existing technical problem, embodiments of the present invention aim to provide a tunnel creation method, apparatus and storage medium that can dynamically create a plurality of extended VPN tunnels to share the load of a data service flow when the data volume is large.
The technical scheme of the embodiment of the invention is realized as follows:
according to an aspect of the embodiments of the present invention, there is provided a method for creating a tunnel, the method including:
in an initial negotiation stage for a key, determining, from the interaction information of that stage, that a message receiver has the capability of creating an extended Virtual Private Network (VPN) tunnel;
when the data carried in the extended VPN tunnel meets the condition for an extended VPN tunnel, extracting, from the current user message, feature information for creating the extended VPN tunnel;
generating an extension code for creating the extended VPN tunnel from the feature information;
creating the extended VPN tunnel according to the extension code.
In the above scheme, the method further comprises:
detecting the data traffic carried in the extended VPN tunnel to obtain a detection result;
and when the detection result indicates that the data traffic reaches a first preset traffic threshold, determining that the data carried in the extended VPN tunnel meets the condition for an extended VPN tunnel.
In the above solution, determining, in an initial negotiation stage for a key, that a message receiver has the capability of creating an extended VPN tunnel from the interaction information of that stage includes:
extracting capability negotiation information from the interaction information of the initial negotiation stage to obtain an extraction result;
and when the extraction result indicates that the capability negotiation information was successfully extracted from the interaction information of the initial negotiation stage, determining that the message receiver has the capability of creating the extended VPN tunnel.
In the foregoing solution, the feature information includes information, other than the five-tuple information, used for creating the extended VPN tunnel;
wherein the five-tuple information includes: source IP address, source port, destination IP address, destination port, and transport layer protocol number.
In the above solution, creating the extended VPN tunnel according to the extension code includes:
loading the extension code into the extended field of the traffic selector (TS) payload in a second negotiation stage for the key;
sending second interaction information carrying the extension code to the message receiver;
receiving first response information from the message receiver for the second interaction information;
and when the first response information is determined to contain the extension code, determining that creation of the extended VPN tunnel is complete.
In the above solution, creating the extended VPN tunnel according to the extension code includes:
in a second negotiation stage for the key, sending second interaction information carrying Notify payload information to the message receiver;
receiving a second response message sent by the message receiver for the second interaction information;
and when the second response message is determined to carry the Notify payload information, creating the extended VPN tunnel according to the extension code carried in the Notify payload information.
In the above solution, after creating the extended VPN tunnel according to the extension code, the method further includes:
detecting the traffic of the extended VPN tunnel to obtain a detection result;
and when the detection result indicates that the traffic of the extended VPN tunnel is below a second preset traffic threshold, reclaiming the extended VPN tunnel.
In the foregoing solution, the second preset threshold may be the same as or different from the first preset threshold used to determine that the data carried in the extended VPN tunnel meets the condition for an extended VPN tunnel.
According to another aspect of the embodiments of the present invention, there is provided an apparatus for creating a tunnel, the apparatus including:
a determining unit, configured to determine, in an initial negotiation stage for a key, that a message receiver has the capability of creating an extended VPN tunnel from the interaction information of that stage;
an extracting unit, configured to extract, when the data carried in the extended VPN tunnel meets the condition for an extended VPN tunnel, feature information used for creating the extended VPN tunnel from a current user message;
a generating unit, configured to generate an extension code for creating the extended VPN tunnel from the feature information;
a creating unit, configured to create the extended VPN tunnel according to the extension code.
According to a third aspect in an embodiment of the present invention, there is provided an apparatus for creating a tunnel, the apparatus including: a memory and a processor;
wherein the memory is configured to store a computer program operable on the processor;
the processor is configured to execute the steps of any one of the above methods for creating a tunnel when the computer program is run.
According to a fourth aspect of the embodiments of the present invention, there is provided a computer-readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the steps of any one of the above-described tunnel creation methods.
Embodiments of the invention provide a tunnel creation method, a tunnel creation device and a storage medium. In an initial negotiation stage for a key, it is determined from the interaction information of that stage that the message receiver has the capability of creating an extended Virtual Private Network (VPN) tunnel; when the data carried in the extended VPN tunnel meets the condition for an extended VPN tunnel, feature information for creating the extended VPN tunnel is extracted from the current user message; an extension code for creating the extended VPN tunnel is generated from the feature information; and the extended VPN tunnel is created according to the extension code. Because extended VPN tunnels are created dynamically according to the data traffic, the prior-art limitation that only a single IPSec tunnel can be created from five-tuple information is overcome, and the problem of providing IPSec encrypted channels for high-traffic services such as fifth generation mobile communications (5G) is solved.
Drawings
Fig. 1 is a schematic flow chart of a tunnel creation method according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the message interaction between two communicating parties in the initial negotiation stage of the IKEv2 protocol in the prior art;
Fig. 3 is a schematic diagram of the message interaction between two communicating parties in the initial negotiation stage of the IKEv2 protocol according to the present application;
Fig. 4 is a schematic diagram of the TS payload structure in the prior art;
Fig. 5 is a schematic diagram of the TS payload structure of the present application;
Fig. 6 is a schematic diagram of the message interaction for establishing a child security association using the TS payload structure shown in Fig. 5;
Fig. 7 is a schematic diagram of the message interaction for establishing a child security association in the present application;
Fig. 8 is a first schematic structural diagram of a tunnel creation apparatus in the present application;
Fig. 9 is a schematic structural diagram of a tunnel creation apparatus according to an embodiment of the present invention.
Detailed Description
The following detailed description of embodiments of the invention refers to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present invention, are given by way of illustration and explanation only, not limitation.
Fig. 1 is a schematic flow chart of a tunnel creation method according to an embodiment of the present invention; as shown in fig. 1, the method includes:
Step 101: in an initial negotiation stage for a key, determine, from the interaction information of that stage, that a message receiver has the capability of creating an extended Virtual Private Network (VPN) tunnel;
In the present application, the method is mainly applied to a device capable of running the protocol processing described here; for example, the device may be a base station.
In the present application, the device may use the Internet Key Exchange (IKE) protocol to identify the two communicating parties in the IPSec processing between them, and may also perform security policy negotiation and session key exchange.
Here, the two communicating parties may be two base stations, a base station and a VPN gateway, or two VPN gateways.
In the following, the second version of IKE, IKEv2, is taken as an example to describe in detail how it is determined, from the interaction information of the initial negotiation stage, whether the message receiver has the capability of creating an extended VPN tunnel.
First, the negotiation between two communicating parties under the IKEv2 protocol is generally divided into two negotiation stages: a first negotiation stage and a second negotiation stage.
The first negotiation stage, also called the initial negotiation stage, is mainly used to negotiate the IKE SA (ike.sa). The second negotiation stage, also called the child SA exchange stage, is mainly used to negotiate the child SA (child.sa). There may also be an informational exchange stage, used mainly to notify errors, configuration, deletions and the like between the two communicating parties in the IKEv2 protocol.
Fig. 2 is a schematic diagram of the message interaction between two communicating parties in the initial negotiation stage of the IKEv2 protocol in the prior art. As shown in Fig. 2:
in the initial negotiation stage, the two communicating parties perform two message exchanges, each consisting of 2 messages.
The first message 201 of the first exchange is sent by the message sender 20 to the message receiver 30; the second message 301 of the first exchange is the response sent by the message receiver 30 to the message sender 20 after it receives the first message 201.
Specifically, after the message receiver 30 receives the first message 201 from the message sender 20, it selects one proposal from SAi1 to form SAr1 and sends KEr and Nr to the message sender 20 as its Diffie-Hellman public value and nonce, respectively. The message receiver 30 may also include an optional certificate in the response message 301 sent to the message sender 20.
In general, once the first message exchange (ike.sa) is complete, the two communicating parties (message sender 20 and message receiver 30) can compute the seed key SKEYSEED, from which 7 further secrets are derived: SK_d, SK_ai, SK_ar, SK_ei, SK_er, SK_pi and SK_pr.
The second message exchange is the IKE_AUTH exchange (ike.auth).
As shown in Fig. 2, in the second exchange (ike.auth) the two communicating parties use the encryption algorithm, authentication algorithm and keys of the ike.sa obtained in the first exchange to protect the messages, use the authentication payload to authenticate the already completed initial exchange (IKE_SA_INIT), and finally negotiate the first child.sa, i.e. the IPSec SA.
As shown in Fig. 2, in the second exchange the first message 202 and the second message 302 each consist of an IKEv2 header HDR and an encrypted payload, which contains an identity payload (ID), an optional certificate payload (CERT) and certificate request payload (CERTREQ), an authentication payload (AUTH), a security association payload (SA), traffic selector payloads (TS) and so on. SK { } denotes that the enclosed payloads are encrypted and integrity protected with SK_e and SK_a of the corresponding direction.
Fig. 3 is a schematic diagram of the message interaction between two communicating parties in the initial negotiation stage of the IKEv2 protocol according to the present application. Fig. 3 is substantially similar to the negotiation process of Fig. 2, and the common parts are not described again; the difference is that in Fig. 3 a capability negotiation field for the dynamic VPN tunnel creation function is added to the interaction information of the initial negotiation stage between the message sender 20 and the message receiver 30, for example a Notify payload Nx. The capability negotiation field may be carried in the first interaction message of the initial negotiation stage or in the second.
In the present application, when the message sender 20 sends a message carrying the capability negotiation field to the message receiver in the initial negotiation stage for the key, the message receiver 30 sends a response to that message to the message sender 20 after receiving it.
After receiving the response from the message receiver, the message sender 20 extracts the capability negotiation field from the response and obtains an extraction result.
When the extraction result indicates that the capability negotiation field was successfully extracted from the response, the message sender determines that the message receiver has the capability of creating the extended VPN tunnel. Conversely, if the extraction result indicates that extraction of the capability negotiation information from the response failed, it determines that the message receiver 30 does not have that capability.
In the present application, when the capability negotiation between the message sender 20 and the message receiver 30 fails, no dynamic VPN tunnel creation is performed subsequently.
Step 102: when the data carried in the extended VPN tunnel meets the condition for an extended VPN tunnel, extract feature information for creating the extended VPN tunnel from the current user message;
In the present application, once the message sender has determined that the message receiver has the capability of dynamically creating an extended VPN tunnel, it detects the data traffic carried in the extended VPN tunnel to obtain a detection result; it compares the data traffic in the detection result with a first preset threshold, which indicates that an extended VPN tunnel should be created, to obtain a comparison result; and when the comparison result indicates that the data traffic is greater than or equal to the first preset traffic threshold, it determines that the data carried in the extended VPN tunnel meets the condition for an extended VPN tunnel. Feature information for creating the extended VPN tunnel is then extracted from the current user message.
Here, the user message refers to a message generated by the message sender and the message receiver during the negotiation process. For example, the message includes a Tunnel Endpoint Identifier (TEID), a Differentiated Services Code Point (DSCP), and so on.
In the present application, the feature information includes information, other than the five-tuple information, used for creating the extended VPN tunnel, for example the TEID, the DSCP and so on.
The five-tuple information includes: source IP address, source port, destination IP address, destination port, and transport layer protocol number. In this way, when the traffic volume is large, extended VPN tunnels can be created dynamically from information other than the five-tuple, so that more traffic flows can be carried through the created extended VPN tunnels.
Step 103: generate an extension code for creating the extended VPN tunnel from the feature information;
In the present application, the feature parameters in the feature information may be processed with a hash algorithm (HASH) to obtain a calculation result, and the calculation result is then turned into the extension code.
Here, the hash algorithm (HASH) may be any one of a set of hash algorithms.
In the present application, the extension code may alternatively be generated directly from the feature information by combining the individual sub-feature items of the feature information.
Step 104: create the extended VPN tunnel according to the extension code.
In the present application, the extension code may be loaded into the extended field of the traffic selector (TS) payload (see Fig. 5), specifically by the message sender during the second negotiation stage for the key.
Fig. 4 is a schematic diagram of the TS payload structure in the prior art. As shown in Fig. 4, the TS payload includes a TS type, an IP protocol ID, a selector length, a start port, an end port, a start address and an end address.
Fig. 5 is a schematic diagram of the TS payload structure in the present application. Fig. 5 is substantially the same as Fig. 4, and the common parts are not repeated here; the difference is that in Fig. 5 an Extended Code is loaded into an Extended field following the end address of the TS payload.
In the present application, after loading the extension code into the extended field of the TS payload in the second negotiation stage, the message sender sends the interaction information carrying the extension code to the message receiver in the second negotiation stage; when the message receiver receives that interaction message, it sends a response to it to the message sender in the second negotiation stage (see Fig. 6).
Fig. 6 is a schematic diagram of the message interaction for establishing a child security association using the TS payload structure shown in Fig. 5. As shown in Fig. 6,
the interaction messages of the message sender 20 and the message receiver 30 both carry TSi and TSr, where TSi and TSr denote the traffic selector payloads that carry the extension code.
After receiving the response sent by the message receiver for the interaction information of the second negotiation stage, the message sender extracts the extension code from the response. If the message sender successfully extracts the extension code from the response, this indicates that the extended VPN tunnel has been created.
Conversely, if the message sender fails to extract the extension code from the response, this indicates that the extended VPN tunnel creation operation has failed.
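As an added illustration (not code from the patent or from ZTE), the following Python encodes and decodes an IPv4 traffic selector in the RFC 7296 layout of Fig. 4 with the Extended field of Fig. 5 appended after the end address, and performs the sender-side check of Fig. 6: the extended tunnel counts as created only if the responder's TS echoes the same Extended Code, while a legacy responder that only knows the Fig. 4 fields answers without it. The 4-byte width of the Extended Code, the sample port 2152 and the addresses are assumptions.

```python
import ipaddress
import struct

TS_IPV4_ADDR_RANGE = 7   # RFC 7296 TS Type for an IPv4 address range
TS_FIXED_LEN = 16        # TS type(1) + IP protocol ID(1) + selector length(2) + ports(4) + two IPv4 addresses(8)


def build_ts(proto, start_port, end_port, start_addr, end_addr, ext_code=b""):
    """Encode one traffic selector (Fig. 4 layout); a non-empty ext_code becomes the Extended field of Fig. 5."""
    body = struct.pack("!HH", start_port, end_port)
    body += ipaddress.IPv4Address(start_addr).packed + ipaddress.IPv4Address(end_addr).packed
    body += ext_code
    # Selector Length covers the whole selector, so a peer that honours it knows where the extension ends.
    return struct.pack("!BBH", TS_IPV4_ADDR_RANGE, proto, 4 + len(body)) + body


def parse_ts(buf):
    """Decode one selector; whatever lies between the end address and Selector Length is the Extended Code."""
    if len(buf) < TS_FIXED_LEN:
        raise ValueError("traffic selector too short")
    ts_type, proto, length = struct.unpack("!BBH", buf[:4])
    if ts_type != TS_IPV4_ADDR_RANGE or length < TS_FIXED_LEN or length > len(buf):
        raise ValueError("unsupported or malformed traffic selector")
    start_port, end_port = struct.unpack("!HH", buf[4:8])
    return {
        "proto": proto,
        "start_port": start_port,
        "end_port": end_port,
        "start_addr": str(ipaddress.IPv4Address(buf[8:12])),
        "end_addr": str(ipaddress.IPv4Address(buf[12:16])),
        "ext_code": buf[16:length],   # b"" for a prior-art (Fig. 4) selector
    }


def responder_ts(ts_request, supports_extension):
    """Receiver side: build TSr from TSi. A peer with the extension echoes the Extended Code;
    a legacy peer only understands the Fig. 4 fields and answers without it."""
    ts = parse_ts(ts_request)
    return build_ts(ts["proto"], ts["start_port"], ts["end_port"], ts["start_addr"], ts["end_addr"],
                    ts["ext_code"] if supports_extension else b"")


def extended_tunnel_created(ts_response, ext_code):
    """Sender-side check from Fig. 6: creation succeeded only if the response carries the same Extended Code."""
    return parse_ts(ts_response)["ext_code"] == ext_code


if __name__ == "__main__":
    # Constructed sample: a GTP-U style selector (UDP, port 2152) with an assumed 4-byte Extended Code.
    code = b"\x5a\x01\x02\x03"
    tsi = build_ts(17, 2152, 2152, "10.0.0.1", "10.0.0.1", code)
    print("extension-aware peer:", extended_tunnel_created(responder_ts(tsi, True), code))
    print("legacy peer:", extended_tunnel_created(responder_ts(tsi, False), code))
```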
In another embodiment, the message sender may instead send interaction information carrying Notify payload information to the message receiver in the second negotiation stage for the key; when the message receiver receives an interaction message carrying Notify payload information from the message sender, it sends a response to that message to the message sender (see Fig. 7).
Fig. 7 is a schematic diagram of the message interaction for establishing a child security association in the present application. As shown in Fig. 7, Notify payload information (N-EXC) is carried in the interaction messages between the message sender 20 and the message receiver 30, where N-EXC denotes the Notify payload carrying the extension code (Extended Code).
Specifically, the message sender sends a message carrying the Notify payload information to the message receiver, and when the message receiver receives that message it sends a response to it to the message sender.
When the message sender receives the response sent by the message receiver for the interaction information of the second negotiation stage, it extracts the Notify payload information from the response.
When the message sender extracts the Notify payload information from the response, it creates the extended VPN tunnel according to the extension code carried in the Notify payload information.
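The two Notify-based exchanges described above, the capability negotiation field Nx of the initial negotiation stage (Fig. 3) and the N-EXC payload carrying the Extended Code in the second stage (Fig. 7), as an added Python example that is not part of the patent or of any ZTE implementation. It builds IKEv2 payload chains in the RFC 7296 generic payload format, walks them by Next Payload, and lets the sender decide from the response whether the peer supports extended tunnels and which Extended Code came back. The private-use Notify Message Type numbers, the simplified payload chains (SA and KE payloads omitted) and the nonces are assumptions.

```python
import struct

# RFC 7296 payload type numbers used here
PAYLOAD_NONE = 0
PAYLOAD_NONCE = 40
PAYLOAD_NOTIFY = 41

# Notify Message Type values. RFC 7296 reserves 40960-65535 for private use; the concrete numbers
# below are assumptions, since the patent only names the fields Nx and N-EXC.
N_EXT_TUNNEL_CAP = 40960   # capability negotiation field (Nx), initial negotiation stage
N_EXC = 40961              # Notify carrying the Extended Code (N-EXC), second negotiation stage


def notify_payload(next_payload, msg_type, data=b""):
    """One Notify payload: generic header, Protocol ID 0, SPI Size 0, Notify Message Type, notification data."""
    body = struct.pack("!BBH", 0, 0, msg_type) + data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def nonce_payload(next_payload, nonce):
    """One Nonce payload (generic header + nonce bytes)."""
    return struct.pack("!BBH", next_payload, 0, 4 + len(nonce)) + nonce


def walk_payloads(first_payload, buf):
    """Yield (payload type, payload body) by following the Next Payload chain of an IKEv2 message."""
    ptype, off = first_payload, 0
    while ptype != PAYLOAD_NONE:
        if off + 4 > len(buf):
            raise ValueError("truncated payload header")
        nxt, _crit, length = struct.unpack("!BBH", buf[off:off + 4])
        if length < 4 or off + length > len(buf):
            raise ValueError("bad payload length")
        yield ptype, buf[off + 4:off + length]
        ptype, off = nxt, off + length
    if off != len(buf):
        raise ValueError("trailing bytes after the last payload")


def find_notify(first_payload, buf, msg_type):
    """Return the notification data of the first Notify of msg_type, or None if the chain has none."""
    for ptype, body in walk_payloads(first_payload, buf):
        if ptype == PAYLOAD_NOTIFY and len(body) >= 4:
            _proto, spi_size, mtype = struct.unpack("!BBH", body[:4])
            if mtype == msg_type:
                return body[4 + spi_size:]
    return None


# --- initial negotiation stage: capability negotiation field Nx (Fig. 3) ---

def sender_init_payloads(nonce):
    """Sender's simplified IKE_SA_INIT chain: Nonce, then Nx. SA and KE payloads are omitted here."""
    return PAYLOAD_NONCE, nonce_payload(PAYLOAD_NOTIFY, nonce) + notify_payload(PAYLOAD_NONE, N_EXT_TUNNEL_CAP)


def receiver_init_reply(first_payload, request, nonce, supports_extension):
    """Receiver's reply: a peer with the dynamic tunnel function echoes Nx, a legacy peer ignores it."""
    if supports_extension and find_notify(first_payload, request, N_EXT_TUNNEL_CAP) is not None:
        return PAYLOAD_NONCE, nonce_payload(PAYLOAD_NOTIFY, nonce) + notify_payload(PAYLOAD_NONE, N_EXT_TUNNEL_CAP)
    return PAYLOAD_NONCE, nonce_payload(PAYLOAD_NONE, nonce)


def receiver_can_create_extended_tunnel(first_payload, reply):
    """Step 101: the capability exists only if Nx is extracted from the reply; otherwise no dynamic creation."""
    return find_notify(first_payload, reply, N_EXT_TUNNEL_CAP) is not None


# --- second negotiation stage: N-EXC carrying the Extended Code (Fig. 7) ---

def sender_exc_payloads(ext_code):
    """Sender's second-stage message carrying the Extended Code in N-EXC (other payloads omitted)."""
    return PAYLOAD_NOTIFY, notify_payload(PAYLOAD_NONE, N_EXC, ext_code)


def receiver_exc_reply(first_payload, request):
    """Receiver echoes the N-EXC it received, or answers without one if there was none."""
    code = find_notify(first_payload, request, N_EXC)
    if code is None:
        return PAYLOAD_NONE, b""
    return PAYLOAD_NOTIFY, notify_payload(PAYLOAD_NONE, N_EXC, code)


def extension_code_from_reply(first_payload, reply):
    """Step 104, Notify embodiment: the code to create the extended tunnel with, or None if creation failed."""
    return find_notify(first_payload, reply, N_EXC)
```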
In the present application, when the data traffic of the first extended VPN tunnel reaches the first preset traffic threshold, a new extension code is generated from the feature information of the current traffic, and a new extended VPN tunnel is negotiated using the new extension code.
Here, for example, the first preset traffic threshold is 60% of the data traffic that a single VPN tunnel can handle.
According to the method and device, new extension codes can be generated repeatedly and new extended VPN tunnels created according to service needs.
In the present application, after the message sender has successfully created the extended VPN tunnel according to the extension code, the created extended VPN tunnel can be reclaimed according to the current service traffic.
Specifically, after successfully creating the extended VPN tunnel according to the extension code, the message sender may also detect the traffic of the extended VPN tunnel to obtain a detection result, and compare the traffic in the detection result with a second preset traffic threshold, which indicates that the created extended VPN tunnel should be reclaimed, to obtain a comparison result. When the comparison result indicates that the traffic of the extended VPN tunnel is below the second preset traffic threshold, the extended VPN tunnel is reclaimed in order to release traffic resources.
Of course, in the present application, when service traffic remains high, the created extended VPN tunnel need not be reclaimed.
Here, the second preset traffic threshold, which indicates that the created extended VPN tunnel should be reclaimed, may be the same as or different from the first preset traffic threshold, which indicates that an extended VPN tunnel should be created. Specifically, it may be set or adjusted according to the current service resources.
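As an added example (not the patent's or ZTE's code), the Python below ties steps 102 to 104 and the reclaim rule together: it derives an extension code by hashing the non-five-tuple features TEID and DSCP, creates a new extended tunnel when a tunnel's traffic reaches the first threshold (60% of single-tunnel capacity, as in the text), skips creation when the peer failed capability negotiation or a tunnel for those features already exists, and reclaims an extended tunnel whose traffic drops below the second threshold. The hash (SHA-256 truncated to 4 bytes), the 20% reclaim threshold and the sample TEID/DSCP values are assumptions.

```python
import hashlib
import struct

EXT_CODE_LEN = 4   # assumed width of the extension code


def extension_code(teid, dscp):
    """Step 103: hash the non-five-tuple feature parameters (TEID, DSCP) and take a fixed-size prefix."""
    digest = hashlib.sha256(struct.pack("!IB", teid, dscp & 0x3F)).digest()
    return digest[:EXT_CODE_LEN]


class ExtendedTunnelController:
    """Sender-side bookkeeping: which extended tunnels exist and when to create or reclaim one."""

    def __init__(self, peer_capable, capacity, create_ratio=0.60, reclaim_ratio=0.20):
        self.peer_capable = peer_capable                   # result of the step 101 capability negotiation
        self.create_threshold = capacity * create_ratio    # first preset threshold: 60% of one tunnel's capacity
        self.reclaim_threshold = capacity * reclaim_ratio  # second preset threshold (assumed 20%)
        self.extended = {}                                 # extension code -> (teid, dscp) of live extended tunnels

    def on_sample(self, tunnel, traffic, teid, dscp):
        """Handle one traffic measurement. tunnel is None for the base five-tuple tunnel or the extension
        code of an extended tunnel. Returns ("create", new_code), ("reclaim", code) or ("keep", tunnel)."""
        if tunnel is not None and tunnel not in self.extended:
            raise KeyError("unknown extended tunnel")
        if traffic >= self.create_threshold:
            if not self.peer_capable:
                return ("keep", tunnel)        # capability negotiation failed: never create dynamically
            code = extension_code(teid, dscp)  # steps 102/103: features of the current flow -> code
            if code in self.extended:
                return ("keep", tunnel)        # an extended tunnel for these features already exists
            self.extended[code] = (teid, dscp) # step 104: negotiate the new tunnel with this code
            return ("create", code)
        if tunnel is not None and traffic < self.reclaim_threshold:
            del self.extended[tunnel]          # traffic fell below the second threshold: reclaim
            return ("reclaim", tunnel)
        return ("keep", tunnel)


if __name__ == "__main__":
    # Constructed scenario: capacity 1000 units, one user flow with TEID 0x1234 and DSCP 46 (EF).
    ctl = ExtendedTunnelController(peer_capable=True, capacity=1000)
    print(ctl.on_sample(None, 500, 0x1234, 46))   # below 60%: keep
    print(ctl.on_sample(None, 600, 0x1234, 46))   # reaches 60%: create extended tunnel
```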
Compared with the prior art, the method of dynamically creating extended VPN tunnels breaks through the limitation that five-tuple information can only establish a single IPSec tunnel, solves the problem of providing an IPSec encrypted channel for the high throughput of 5G communication, and achieves dynamic creation of IPSec tunnels according to service traffic.
Fig. 8 is a schematic structural diagram of a tunnel creation apparatus in the present application. As shown in Fig. 8, the apparatus includes a determination unit 801, an extraction unit 802, a generation unit 803, and a creation unit 804, where:
the determining unit 801 is configured to determine, in an initial negotiation stage for a key, that the message receiver has the capability of creating an extended VPN tunnel, according to the interaction information of the initial negotiation stage;
the extracting unit 802 is configured to extract, when the data carried in the extended VPN tunnel meets the condition for an extended VPN tunnel, the feature information used for creating the extended VPN tunnel from the current user message;
the generating unit 803 is configured to generate, according to the feature information, an extension code for creating the extended VPN tunnel;
the creating unit 804 is configured to create the extended VPN tunnel according to the extension code.
In this application, the apparatus further includes a detection unit 805;
the detecting unit 805 is configured to detect the data traffic carried in the extended VPN tunnel and obtain a detection result;
the determining unit 801 is further configured to determine that the data carried in the extended VPN tunnel meets the condition for an extended VPN tunnel when the detection result indicates that the data traffic has reached a first preset traffic threshold.
In this application, the extracting unit 802 is further configured to extract capability negotiation information from the interaction information of the initial negotiation stage and obtain an extraction result;
the determining unit 801 is specifically configured to determine that the message receiver has the capability of creating the extended VPN tunnel when the extraction result indicates that the capability negotiation information was successfully extracted from the interaction information of the initial negotiation stage.
In this application, the feature information includes information for creating the extended VPN tunnel other than the five-tuple information, where the five-tuple information includes the source IP address, source port, destination IP address, destination port, and transport layer protocol number.
In this application, the apparatus further includes a loading unit 806, a sending unit 807, and a receiving unit 808;
the loading unit 806 is configured to load the extension code into the extension field of the Traffic Selector (TS) payload during the second negotiation stage for the key;
the sending unit 807 is configured to send second interaction information carrying the extension code to the message receiver;
the receiving unit 808 is configured to receive first response information from the message receiver for the second interaction information;
the determining unit 801 is further specifically configured to determine that creation of the extended VPN tunnel is complete when the first response information is determined to contain the extension code.
In another embodiment of the present application, the sending unit 807 is further configured to send, in the second negotiation stage for the key, second interaction information carrying Notify payload information to the message receiver;
the receiving unit 808 is further configured to receive a second response message sent by the message receiver for the second interaction information;
the determining unit 801 is further specifically configured to, when the second response message is determined to carry the Notify payload information, create the extended VPN tunnel according to the extension code carried in the Notify payload information.
In this application, the apparatus further includes a reclaim unit 809;
the reclaim unit 809 is configured to reclaim (tear down) the extended VPN tunnel when it detects that the traffic of the extended VPN tunnel has fallen below a second preset traffic threshold.
The second preset traffic threshold may be the same as or different from the first preset traffic threshold and may be set according to the current service resources; setting it below the first threshold gives hysteresis, so that a tunnel is not torn down and recreated repeatedly while the traffic hovers around a single value.
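The following simulation is an added example, not code from the patent or from ZTE: it drives the negotiation sketched above, covering both carriers for the extension code (the TS payload extension field and the Notify payload), the capability check in the initial stage, the two traffic thresholds, and reclaiming. The message shapes, the capability marker EXT_TUNNEL_CAP, the feature fields (dscp, app), the hash-based code derivation, the fixed code width, the thresholds and the max_tunnels guard are all assumptions made for illustration; the patent specifies none of them.

```python
"""Added example, not the patent's code: a simulation of the extended-tunnel
negotiation described above. Message shapes, the capability marker, the
feature fields, the code derivation and the thresholds are assumptions."""
import hashlib
from dataclasses import dataclass, field

EXT_TUNNEL_CAP = "EXT_VPN_TUNNEL_SUPPORTED"   # hypothetical capability marker
FIVE_TUPLE = ("src_ip", "src_port", "dst_ip", "dst_port", "proto")
EXT_CODE_LEN = 8                               # assumed width of the extension code


def peer_supports_extension(init_exchange: dict) -> bool:
    """Initial negotiation stage: extraction of the capability negotiation
    information succeeds only if the peer's messages carry the marker."""
    return EXT_TUNNEL_CAP in init_exchange.get("notifications", ())


def extract_feature_info(user_msg: dict) -> dict:
    """Feature information is everything in the user message other than the
    five-tuple; which extra fields exist (dscp, app) is an assumption."""
    return {k: v for k, v in user_msg.items() if k not in FIVE_TUPLE}


def make_extension_code(feature_info: dict) -> bytes:
    """Generate the extension code from the feature information. Hashing a
    canonical encoding is an assumption: equal feature sets map to one tunnel
    and the code has a fixed width for the TS extension field."""
    canon = ";".join(f"{k}={feature_info[k]}" for k in sorted(feature_info))
    return hashlib.sha256(canon.encode()).digest()[:EXT_CODE_LEN]


def build_second_stage_request(ext_code: bytes, carrier: str) -> dict:
    """Second negotiation stage: the code rides in an extension field of the
    Traffic Selector payload ("ts") or in a Notify payload ("notify")."""
    if carrier == "ts":
        return {"ts": {"selectors": ["0.0.0.0/0"], "ext": ext_code}}
    if carrier == "notify":
        return {"notify": {"type": "EXT_TUNNEL", "data": ext_code}}
    raise ValueError("carrier must be 'ts' or 'notify'")


def carried_code(msg: dict):
    """Pull the extension code out of either carrier, or None."""
    return (msg.get("ts") or {}).get("ext") or (msg.get("notify") or {}).get("data")


def responder_handle(request: dict, supports_ext: bool) -> dict:
    """Responder: echo a well-formed code back in the same payload. A peer
    without the capability, or one handed a malformed code, answers plainly,
    so the initiator cannot mistake a legacy answer for success."""
    code = carried_code(request)
    if not supports_ext or not isinstance(code, bytes) or len(code) != EXT_CODE_LEN:
        return {"status": "plain"}
    if "ts" in request:
        return {"status": "ok", "ts": {"ext": code}}
    return {"status": "ok", "notify": {"type": "EXT_TUNNEL", "data": code}}


@dataclass
class ExtendedTunnelManager:
    """Initiator state. Create at the first threshold, reclaim below the
    second; when the two differ this is hysteresis against flapping.
    max_tunnels is an added resource guard the patent does not specify."""
    create_threshold: int
    reclaim_threshold: int
    max_tunnels: int = 4
    tunnels: dict = field(default_factory=dict)   # ext_code -> feature_info
    pending: dict = field(default_factory=dict)   # codes awaiting a response

    def on_traffic(self, traffic: int, user_msg: dict, carrier: str):
        """Return the second-stage request to send, or None if no new
        extended tunnel is warranted right now."""
        if traffic < self.create_threshold:
            return None
        if len(self.tunnels) + len(self.pending) >= self.max_tunnels:
            return None
        feat = extract_feature_info(user_msg)
        code = make_extension_code(feat)
        if code in self.tunnels or code in self.pending:
            return None
        self.pending[code] = feat
        return build_second_stage_request(code, carrier)

    def on_response(self, code: bytes, response: dict) -> bool:
        """The tunnel exists only once the peer echoes back exactly our code."""
        feat = self.pending.pop(code, None)
        if feat is None or carried_code(response) != code:
            return False
        self.tunnels[code] = feat
        return True

    def reclaim_idle(self, traffic_by_code: dict) -> list:
        """Tear down extended tunnels whose traffic fell below the second threshold."""
        gone = [c for c in self.tunnels if traffic_by_code.get(c, 0) < self.reclaim_threshold]
        for c in gone:
            del self.tunnels[c]
        return gone


# Constructed sample data (not captured traffic).
INIT_OK = {"notifications": ("NAT_DETECTION_SOURCE_IP", EXT_TUNNEL_CAP)}
INIT_LEGACY = {"notifications": ("NAT_DETECTION_SOURCE_IP",)}
USER_MSG = {"src_ip": "10.0.0.1", "src_port": 40000, "dst_ip": "10.0.1.1",
            "dst_port": 2152, "proto": 17, "dscp": 46, "app": "video"}


def run_scenario(init_exchange, responder_supports, carrier, traffic_samples):
    """Drive the initiator against a simulated responder over a series of
    traffic readings; return the number of extended tunnels after each."""
    if not peer_supports_extension(init_exchange):
        return [0] * len(traffic_samples)
    mgr = ExtendedTunnelManager(create_threshold=800, reclaim_threshold=200)
    counts = []
    for traffic in traffic_samples:
        req = mgr.on_traffic(traffic, USER_MSG, carrier)
        if req is not None:
            mgr.on_response(carried_code(req), responder_handle(req, responder_supports))
        mgr.reclaim_idle({c: traffic for c in mgr.tunnels})
        counts.append(len(mgr.tunnels))
    return counts


if __name__ == "__main__":
    print(run_scenario(INIT_OK, True, "ts", [100, 1000, 500, 100]))   # [0, 1, 1, 0]
```

The reading of 500 between the two thresholds neither creates nor reclaims, which is the hysteresis the differing thresholds buy. The responder echoing the code is what the initiator treats as completion; a peer that claimed the capability in the initial stage but answers without the code leaves no tunnel behind and no pending state, so the initiator cannot be talked into believing an extended tunnel exists that the peer never set up.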
It should be noted that the division of the tunnel creation apparatus into the program modules above is only an example of how the creation of an extended VPN tunnel may be organized; in practice the processing may be distributed over different program modules as needed, that is, the internal structure of the tunnel creation apparatus may be divided into different program modules to perform all or part of the processing described above. In addition, the tunnel creation apparatus and the tunnel creation method provided in the foregoing embodiments belong to the same concept; their specific implementation is described in the method embodiments and is not repeated here.
Fig. 9 is a second schematic structural diagram of a tunnel creation apparatus according to an embodiment of the present invention. As shown in Fig. 9, the tunnel creation apparatus 900 may be a mobile phone, a computer, a digital broadcast terminal, an information transceiver, a game console, a tablet device, a personal digital assistant, an information push server, a content server, an identity authentication server, or the like. The tunnel creation apparatus 900 shown in Fig. 9 includes at least one processor 901, a memory 902, at least one network interface 904, and a user interface 903. The components of the tunnel creation apparatus 900 are coupled together by a bus system 905, which enables communication among them. In addition to a data bus, the bus system 905 includes a power bus, a control bus, and a status signal bus; for clarity of illustration, however, all of these buses are labeled in Fig. 9 as bus system 905.
The user interface 903 may include a display, a keyboard, a mouse, a trackball, a click wheel, keys, buttons, a touch pad, a touch screen, or the like.
It will be appreciated that the memory 902 may be volatile memory, non-volatile memory, or both. The non-volatile memory may be Read-Only Memory (ROM), Programmable Read-Only Memory (PROM), Erasable Programmable Read-Only Memory (EPROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Ferroelectric Random Access Memory (FRAM), Flash Memory, magnetic surface memory, an optical disk, or Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be disk storage or tape storage. The volatile memory may be Random Access Memory (RAM), which acts as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDR SDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), SyncLink Dynamic Random Access Memory (SLDRAM), and Direct Rambus Random Access Memory (DRRAM). The memory 902 described in the embodiments of the invention is intended to include, without being limited to, these and any other suitable types of memory.
The memory 902 in the embodiment of the present invention stores various types of data to support the operation of the tunnel creation apparatus 900. Examples of such data include any computer program for running on the tunnel creation apparatus 900, such as an operating system 9021 and application programs 9022. The operating system 9021 includes various system programs, such as a framework layer, a core library layer, and a driver layer, for implementing basic services and processing hardware-based tasks. The application programs 9022 may include various applications, such as a Media Player and a Browser, for implementing application services. A program implementing the method of an embodiment of the present invention may be included in the application programs 9022.
The method disclosed in the above embodiments of the present invention may be applied to the processor 901 or implemented by the processor 901. The processor 901 may be an integrated circuit chip with signal processing capability. In implementation, the steps of the above method may be carried out by integrated logic circuits of hardware or by instructions in the form of software in the processor 901. The processor 901 may be a general-purpose processor, a Digital Signal Processor (DSP), another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The processor 901 may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present invention. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the invention may be performed directly by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. The software modules may reside in a storage medium located in the memory 902; the processor 901 reads the information in the memory 902 and performs the steps of the foregoing method in combination with its hardware.
In an exemplary embodiment, the tunnel creation apparatus 900 may be implemented by one or more Application Specific Integrated Circuits (ASICs), DSPs, Programmable Logic Devices (PLDs), Complex Programmable Logic Devices (CPLDs), Field Programmable Gate Arrays (FPGAs), general-purpose processors, controllers, Micro Controller Units (MCUs), microprocessors, or other electronic components for performing the foregoing method.
Specifically, when the processor 901 runs the computer program, it performs: in an initial negotiation stage for a key, determining, according to the interaction information of the initial negotiation stage, that the message receiver has the capability of creating an extended Virtual Private Network (VPN) tunnel;
when the data carried in the extended VPN tunnel meets the condition for an extended VPN tunnel, extracting, from the current user message, feature information for creating the extended VPN tunnel;
generating an extension code for creating the extended VPN tunnel according to the feature information;
creating the extended VPN tunnel according to the extension code.
When the processor 901 runs the computer program, it further performs: detecting the data traffic carried in the extended VPN tunnel to obtain a detection result;
and when the detection result indicates that the data traffic has reached a first preset traffic threshold, determining that the data carried in the extended VPN tunnel meets the condition for an extended VPN tunnel.
When the processor 901 runs the computer program, it further performs: extracting capability negotiation information from the interaction information of the initial negotiation stage to obtain an extraction result;
and when the extraction result indicates that the capability negotiation information was successfully extracted from the interaction information of the initial negotiation stage, determining that the message receiver has the capability of creating the extended VPN tunnel.
When the processor 901 runs the computer program, it further performs: loading the extension code into the extension field of the Traffic Selector (TS) payload in a second negotiation stage for the key;
sending second interaction information carrying the extension code to the message receiver;
receiving first response information from the message receiver for the second interaction information;
and when the first response information is determined to contain the extension code, determining that creation of the extended VPN tunnel is complete.
When the processor 901 runs the computer program, it further performs: in the second negotiation stage for the key, sending second interaction information to the message receiver, where the second interaction information carries Notify payload information;
receiving a second response message sent by the message receiver for the second interaction information;
and when the second response message is determined to carry the Notify payload information, creating the extended VPN tunnel according to the extension code carried in the Notify payload information.
When the processor 901 runs the computer program, it further performs: when the detection result indicates that the traffic of the extended VPN tunnel has fallen below a second preset traffic threshold, reclaiming the extended VPN tunnel.
The second preset threshold may be the same as or different from the first preset threshold used to determine that the data carried in the extended VPN tunnel meets the condition for an extended VPN tunnel.
In an exemplary embodiment, the embodiment of the present invention further provides a computer-readable storage medium, for example a memory 902 containing a computer program that can be executed by the processor 901 of the tunnel creation apparatus 900 to complete the steps of the foregoing method. The computer-readable storage medium may be a memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface memory, an optical disk, or CD-ROM, or may be any device that includes one or any combination of the above memories, such as a mobile phone, a computer, a tablet device, or a personal digital assistant.
A computer-readable storage medium stores a computer program which, when executed by a processor, performs: in an initial negotiation stage for a key, determining, according to the interaction information of the initial negotiation stage, that the message receiver has the capability of creating an extended Virtual Private Network (VPN) tunnel;
when the data carried in the extended VPN tunnel meets the condition for an extended VPN tunnel, extracting, from the current user message, feature information for creating the extended VPN tunnel;
generating an extension code for creating the extended VPN tunnel according to the feature information;
creating the extended VPN tunnel according to the extension code.
The computer program, when executed by the processor, further performs: detecting the data traffic carried in the extended VPN tunnel to obtain a detection result;
and when the detection result indicates that the data traffic has reached a first preset traffic threshold, determining that the data carried in the extended VPN tunnel meets the condition for an extended VPN tunnel.
The computer program, when executed by the processor, further performs: extracting capability negotiation information from the interaction information of the initial negotiation stage to obtain an extraction result;
and when the extraction result indicates that the capability negotiation information was successfully extracted from the interaction information of the initial negotiation stage, determining that the message receiver has the capability of creating the extended VPN tunnel.
The computer program, when executed by the processor, further performs: loading the extension code into the extension field of the Traffic Selector (TS) payload in a second negotiation stage for the key;
sending second interaction information carrying the extension code to the message receiver;
receiving first response information from the message receiver for the second interaction information;
and when the first response information is determined to contain the extension code, determining that creation of the extended VPN tunnel is complete.
The computer program, when executed by the processor, further performs: in the second negotiation stage for the key, sending second interaction information to the message receiver, where the second interaction information carries Notify payload information;
receiving a second response message sent by the message receiver for the second interaction information;
and when the second response message is determined to carry the Notify payload information, creating the extended VPN tunnel according to the extension code carried in the Notify payload information.
The computer program, when executed by the processor, further performs: detecting the traffic of the extended VPN tunnel to obtain a detection result;
and when the detection result indicates that the traffic of the extended VPN tunnel has fallen below a second preset traffic threshold, reclaiming the extended VPN tunnel.
The second preset threshold may be the same as or different from the first preset threshold used to determine that the data carried in the extended VPN tunnel meets the condition for an extended VPN tunnel.
The above description covers only specific embodiments of the present invention; the scope of the present invention is not limited to them, and any change or substitution that a person skilled in the art can readily conceive within the technical scope of the present invention falls within that scope. The protection scope of the present invention is therefore defined by the appended claims.

Claims (9)

1. A tunnel creation method, the method comprising:
in an initial negotiation stage for a key, determining, according to the interaction information of the initial negotiation stage, that a message receiver has the capability of creating an extended Virtual Private Network (VPN) tunnel;
when the data carried in the extended VPN tunnel meets the condition for an extended VPN tunnel, extracting, from the current user message, feature information for creating a new extended VPN tunnel, where the feature information includes information for creating the extended VPN tunnel other than five-tuple information, the five-tuple information including a source IP address, a source port, a destination IP address, a destination port, and a transport layer protocol number;
generating an extension code for creating the new extended VPN tunnel according to the feature information;
creating the new extended VPN tunnel according to the extension code;
wherein the method further comprises:
detecting the data traffic carried in the extended VPN tunnel to obtain a detection result;
and when the detection result indicates that the data traffic has reached a first preset traffic threshold, determining that the data carried in the extended VPN tunnel meets the condition for an extended VPN tunnel.
2. The method of claim 1, wherein determining, in the initial negotiation stage for the key, that the message receiver has the capability of creating an extended VPN tunnel according to the interaction information of the initial negotiation stage comprises:
extracting capability negotiation information from the interaction information of the initial negotiation stage to obtain an extraction result;
and when the extraction result indicates that the capability negotiation information was successfully extracted from the interaction information of the initial negotiation stage, determining that the message receiver has the capability of creating the extended VPN tunnel.
3. The method of claim 1, wherein creating the new extended VPN tunnel according to the extension code comprises:
loading the extension code into an extension field of a Traffic Selector (TS) payload in a second negotiation stage for the key;
sending the interaction information carrying the extension code to the message receiver;
receiving response information from the message receiver for the interaction information of the second negotiation stage;
and when the response information is determined to contain the extension code, determining that creation of the new extended VPN tunnel is complete.
4. The method of claim 1, wherein creating the new extended VPN tunnel according to the extension code comprises:
in a second negotiation stage for the key, sending interaction information carrying Notify payload information to the message receiver;
receiving a response message sent by the message receiver for the interaction information carrying the Notify payload information;
and when the response message is determined to carry the Notify payload information, creating the new extended VPN tunnel according to the extension code carried in the Notify payload information.
5. The method of claim 1, further comprising, after creating the new extended VPN tunnel according to the extension code:
detecting the traffic of the extended VPN tunnel to obtain a detection result;
and when the detection result indicates that the traffic of the extended VPN tunnel has fallen below a second preset traffic threshold, reclaiming the extended VPN tunnel.
6. The method of claim 5, wherein the second preset traffic threshold is the same as or different from the first preset traffic threshold used to determine that the data carried in the extended VPN tunnel meets the condition for an extended VPN tunnel.
7. A tunnel creation apparatus, the apparatus comprising:
a determining unit, configured to determine, in an initial negotiation stage for a key, that a message receiver has the capability of creating an extended VPN tunnel according to the interaction information of the initial negotiation stage;
an extracting unit, configured to extract, from the current user message, feature information for creating a new extended VPN tunnel when the data carried in the extended VPN tunnel meets the condition for an extended VPN tunnel, where the feature information includes information for creating the extended VPN tunnel other than five-tuple information, the five-tuple information including a source IP address, a source port, a destination IP address, a destination port, and a transport layer protocol number;
a generating unit, configured to generate an extension code for creating the new extended VPN tunnel according to the feature information;
a creating unit, configured to create the new extended VPN tunnel according to the extension code;
wherein the apparatus further comprises a detection unit;
the detection unit is configured to detect the data traffic carried in the extended VPN tunnel to obtain a detection result;
the determining unit is further configured to determine that the data carried in the extended VPN tunnel meets the condition for an extended VPN tunnel when the detection result indicates that the data traffic has reached a first preset traffic threshold.
8. A tunnel creation apparatus, the apparatus comprising a memory and a processor;
wherein the memory is configured to store a computer program operable on the processor;
and the processor, when executing the computer program, is configured to perform the steps of the method of any one of claims 1 to 6.
9. A computer-readable storage medium on which a computer program is stored which, when executed by a processor, carries out the steps of the method of any one of claims 1 to 6.
Priority Applications (2)

CN201811223937.XA (CN111083091B), priority date 2018-10-19, filed 2018-10-19: Tunnel creation method, device and storage medium
PCT/CN2019/107043 (WO2020078164A1), priority date 2018-10-19, filed 2019-09-20: Method and device for creating tunnel, and storage medium

Applications Claiming Priority (1)

CN201811223937.XA (CN111083091B), priority date 2018-10-19, filed 2018-10-19: Tunnel creation method, device and storage medium

Publications (2)

CN111083091A, published 2020-04-28
CN111083091B, published 2022-08-02

Family

ID=70284469

Family Applications (1)

CN201811223937.XA (CN111083091B, Active), priority date 2018-10-19, filed 2018-10-19: Tunnel creation method, device and storage medium

Country Status (2)

CN: CN111083091B (en)
WO: WO2020078164A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
CN109104435B *, priority 2018-10-12, published 2021-04-06, 中国科学院上海高等研究院 (Shanghai Advanced Research Institute, Chinese Academy of Sciences): Method for realizing data in-sequence transmission
CN111884796B *, priority 2020-06-17, published 2022-03-18, 中国电子科技集团公司第三十研究所 (30th Research Institute of China Electronics Technology Group Corporation): Method and system for carrying information based on random number field
CN114039798B *, priority 2021-11-30, published 2023-11-03, 绿盟科技集团股份有限公司 (NSFOCUS Technologies Group): Data transmission method and device and electronic equipment
CN114513435A *, priority 2022-01-14, published 2022-05-17, 深信服科技股份有限公司 (Sangfor Technologies): Method for detecting VPN tunnel, electronic device and storage medium
CN115834529B *, priority 2022-11-23, published 2023-08-08, 浪潮智慧科技有限公司 (Inspur Intelligent Technology): Remote monitoring method and system for edge equipment

Family Cites Families (12)

* Cited by examiner, † Cited by third party
US7117530B1 *, priority 1999-12-07, published 2006-10-03, Watchguard Technologies, Inc.: Tunnel designation system for virtual private networks
CN1319336C *, priority 2003-05-26, published 2007-05-30, 华为技术有限公司 (Huawei Technologies): Method for building special analog network
KR100667502B1 *, priority 2005-03-28, published 2007-01-10, 주식회사 케이티프리텔 (KT Freetel): Method of mobile node's connection to virtual private network using Mobile IP
CN101026516A *, priority 2006-02-22, published 2007-08-29, 迈世亚(北京)科技有限公司: Method for establishing virtual personal network connection
US20080071577A1 *, priority 2006-09-14, published 2008-03-20, Highley Robert D: Dual-access security system for medical records
CN101079787B *, priority 2007-07-26, published 2010-08-18, 杭州华三通信技术有限公司 (Hangzhou H3C Technologies): Selection method and device for carrying LSP of VPN
CN101447907A *, priority 2008-10-31, published 2009-06-03, 北京东方中讯联合认证技术有限公司: VPN secure access method and system thereof
CN103067290B *, priority 2012-11-30, published 2016-06-01, 成都卫士通信息产业股份有限公司 (Chengdu Westone Information Industry): VPN tunnel implementation adapted to load-balancing networks, based on a virtual network interface card
CN103152343B *, priority 2013-03-04, published 2015-09-16, 北京神州绿盟信息安全科技股份有限公司 (Beijing NSFOCUS Information Security Technology): Method and network device for establishing an Internet security protocol virtual private network tunnel
CN104104569B *, priority 2013-04-01, published 2017-08-29, 华为技术有限公司 (Huawei Technologies): Method and server for establishing a VPN tunnel
CN104426735B *, priority 2013-08-30, published 2018-06-26, 中国移动通信集团公司 (China Mobile Communications Group): Method and device for establishing a virtual private network connection
CN107786445A *, priority 2016-08-31, published 2018-03-09, 南京中兴软件有限责任公司 (Nanjing ZTE Software): Bypass method and device for tunnel traffic

Also Published As

CN111083091A, published 2020-04-28
WO2020078164A1, published 2020-04-23

Legal Events

PB01: Publication
SE01: Entry into force of request for substantive examination
GR01: Patent grant