CN112491821B - IPSec message forwarding method and device - Google Patents


Info

Publication number
CN112491821B
Authority
CN
China
Prior art keywords
ipsec
message
type
ipsec message
processing unit
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011262816.3A
Other languages
Chinese (zh)
Other versions
CN112491821A (en)
Inventor
黄东东
孔伟政
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou DPTech Technologies Co Ltd
Original Assignee
Hangzhou DPTech Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou DPTech Technologies Co Ltd
Priority to CN202011262816.3A
Publication of CN112491821A
Application granted
Publication of CN112491821B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
                        • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                        • H04L63/029 Firewall traversal, e.g. tunnelling or creating pinholes
                    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
                        • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
                    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
                • H04L67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L67/14 Session management
                        • H04L67/141 Setup of application sessions

Abstract

The application discloses a method and a device for forwarding IPSec messages. The method is applied to a network device provided with a plurality of virtual CPUs and comprises the following steps: when an IPSec message is received, a first-type virtual CPU matches the IPSec message against a session table according to the five-tuple of the message; when the match succeeds, the first-type virtual CPU judges whether the IPSec message is encrypted and decrypted with a domestic algorithm; if so, the first-type virtual CPU forwards the IPSec message to a second-type virtual CPU; the second-type virtual CPU encrypts or decrypts the IPSec message; and the processed IPSec message is forwarded. By dedicating the second type of virtual CPU to encrypting, decrypting and forwarding IPSec messages that use a domestic algorithm, the method saves cost and improves the working efficiency of the network device.

Description

IPSec message forwarding method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for forwarding an IPSec message.
Background
The IPSec protocol (Internet Protocol Security) provides protection such as authentication and encryption for communication data that a user requests to protect. As enterprises become increasingly digitised, VPN technology based on the IPSec protocol is applied more and more widely.
At present, in the related art, because IPSec messages encrypted and decrypted with an international algorithm are relatively universal, the underlying layer of the computer provides hardware instructions supporting international-algorithm encryption and decryption for the CPU to use. For IPSec messages encrypted and decrypted with a domestic algorithm, however, the only option is to additionally configure an encryption card to complete the encryption and decryption, and such encryption cards are usually expensive.
Disclosure of Invention
The application provides a method and a device for forwarding an IPSec message, which are applied to network equipment configured with a plurality of virtual CPUs. The method comprises the steps of dividing a plurality of virtual CPUs in the network equipment into a first class and a second class, and setting the second class of virtual CPUs to carry out encryption, decryption and forwarding processing on IPSec messages using a domestic algorithm.
According to a first aspect of the embodiments of the present application, a method for forwarding an IPSec packet is provided, including:
when receiving an IPSec message, a first-class virtual CPU matches the IPSec message with a session table according to a quintuple of the IPSec message;
when the matching of the IPSec message and the session table is successful, the first type virtual CPU judges whether the IPSec message is encrypted and decrypted by using a domestic algorithm;
when the IPSec message is encrypted and decrypted by using a domestic algorithm, the first type virtual CPU forwards the IPSec message to a second type virtual CPU;
the second type virtual CPU carries out encryption and decryption processing on the IPSec message;
and forwarding the encrypted and decrypted IPSec message.
According to a second aspect of the embodiments of the present application, an apparatus for forwarding an IPSec packet is provided, which includes a first-type processing unit and a second-type processing unit:
the first-type processing unit is used for matching the IPSec message with a session table according to the five-tuple of the IPSec message when the IPSec message is received;
the first-type processing unit is also used for judging whether the IPSec message is encrypted and decrypted with a domestic algorithm when the IPSec message is successfully matched with the session table;
the first-type processing unit is also used for forwarding the IPSec message to the second-type processing unit when the IPSec message is encrypted and decrypted with a domestic algorithm;
the second type processing unit is used for encrypting and decrypting the IPSec message using the domestic algorithm;
the first type processing unit or the second type processing unit is used for forwarding the IPSec message after encryption and decryption processing.
The technical scheme provided by the application is applied to a network device configured with a plurality of virtual CPUs. The virtual CPUs in the network device are divided, and the second type of virtual CPU is set to encrypt and decrypt IPSec messages that use a domestic algorithm. Compared with the related technology, in which an external encryption card is needed to encrypt and decrypt IPSec messages using a domestic algorithm, this saves cost and improves the working efficiency of the network device.
Drawings
FIG. 1 is a diagram of a networking architecture according to an embodiment of the present application;
fig. 2 is a flowchart of a method for forwarding an IPSec message according to an embodiment of the present application;
fig. 3 is a flowchart of a method for determining whether an IPSec message is encrypted or decrypted using a domestic algorithm in the scheme of the present application;
fig. 4 is a flowchart of a method for forwarding an IPSec packet to a second type of virtual CPU in the present application;
fig. 5 is a flowchart of a method for forwarding a first IPSec message to be encrypted in the scheme of the present application;
fig. 6 is a flowchart of a method for forwarding an IPSec message to be decrypted in the present application;
fig. 7 is a hardware structure diagram of a network device where an IPSec packet forwarding apparatus provided in the present application is located;
fig. 8 is a block diagram of an embodiment of an IPSec packet forwarding apparatus provided in the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
The IPSec protocol, Internet security protocol, is a network layer protocol built on the IP protocol to realize authentication and message encryption and decryption. The basic functions of IPSec are access control and the selective enforcement of security measures, i.e. only selected messages are allowed to pass or are protected by the designated security functions.
A VPN (Virtual Private Network), widely used in enterprises, is a virtual private network established on top of the Internet and belonging to a specific user group (for example, all the computers used for work in an enterprise). A VPN is realized with IPSec-related technologies, such as firewalls, and has the technical effect of ensuring the privacy of data inside the VPN and reducing external security threats.
Fig. 1 shows a networking architecture in an embodiment of the present application, in which a network device A and a network device B hold a session based on the IPSec protocol. The communication data of the session is protected by a tunnel constructed under the IPSec protocol: the IPSec packets exchanged by both sides in the tunnel are encapsulated on the basis of the original IP packet and a new IP header is added, so that the real source and destination addresses of the original packet are concealed and security is improved.
Network device A and network device B may each be a client terminal, a server, a gateway, or the like. They may be located in two different VPNs, one may be inside a VPN while the other is outside it, or the two devices may simply communicate end to end.
In IPSec, a specific Security service provided for a data stream is implemented by an SA (Security Association) policy, which includes contents such as a protocol, an algorithm, a key, and an encapsulation mode, and specifically determines how to process an IPSec packet.
Both parties of the session communicating based on IPSec need to perform negotiation before the session is established, and the negotiation content includes establishment of a secure tunnel and confirmation of an SA policy. After the negotiation is successful, the SA policies are inserted into an SA index table (hereinafter abbreviated as SA table), and the SA policies of each session are stored in the SA table in a unified manner, so that when the IPSec message is processed, the related encryption/decryption parameters and the like can be queried more conveniently.
In the foregoing technical background, first, a method for forwarding an IPSec packet provided in this application is described, where the method is applied to a network device configured with multiple virtual CPUs, and referring to fig. 2, the method includes:
step 102, when receiving IPSec message, the first type virtual CPU matches the IPSec message with a session table according to the quintuple of the IPSec message.
A virtual CPU of the network device is a CPU constructed by virtualization technology: each process in the network device can use each virtual CPU in a time-sharing manner, and a plurality of virtual CPUs can share the same physical CPU in a time-sharing manner.
According to the scheme provided by the embodiment of the application, a plurality of virtual CPUs are configured in the network device and are divided into the first type of virtual CPUs and the second type of virtual CPUs.
When no IPSec message is being processed, all the virtual CPUs in the network device can execute ordinary work tasks, so that normal working efficiency is not affected. When an IPSec message needs to be processed, the first type of virtual CPU receives the IPSec message, matches it against the session table, generates a new session entry, judges the algorithm used by the message, and so on, while the second type of virtual CPU encrypts, decrypts and forwards the IPSec messages that use a domestic algorithm.
In step 102, after receiving the IPSec packet, the first type virtual CPU of the network device can obtain a five-tuple of the packet from the basic header information of the packet, where the five-tuple of the packet is a source IP address, a source port number, a destination IP address, a destination port number, and a protocol of a transport layer of the packet, and a unique session to which the packet belongs can be determined according to the five-tuple of the packet.
In the network device, in order to quickly process various types of messages, a session table (also called a fast forwarding session table) is stored, and each message under the same session executes specific operations based on the contents in the session table, such as: encryption and decryption, forwarding, discarding, and the like.
After acquiring the quintuple information of the IPSec message, the first type virtual CPU in the network equipment matches with the session table according to the quintuple information of the IPSec message, and can confirm the session to which the IPSec message belongs according to the session table item hit by matching.
And step 104, when the matching between the IPSec message and the session table is successful, the first-class virtual CPU judges whether the IPSec message uses a domestic algorithm for encryption and decryption.
Following step 102, once the five-tuple of the IPSec message hits a session entry, the first type of virtual CPU can determine from the contents of that entry which algorithm is used to encrypt and decrypt the IPSec message. The encryption and decryption algorithms used for IPSec messages include international standard algorithms (hereinafter referred to as international algorithms), for example DES, AES and the like, and domestic algorithms (also known as national cryptographic algorithms), for example SM3, SM4 and the like.
The method for judging the encryption and decryption algorithm used by the IPSec message by the first type of virtual CPU includes the first type of virtual CPU querying the SA index table in the network device correspondingly according to the session to which the message belongs, and the like, which is not limited in the present application.
Step 106, when the IPSec message is encrypted and decrypted by using a domestic algorithm, the first-class virtual CPU forwards the IPSec message to a second-class virtual CPU.
Following step 104, once the first type virtual CPU has determined the algorithm used by the IPSec packet, if the packet is encrypted and decrypted with an international algorithm the first type virtual CPU can directly hand the packet to the SAE core, that is, call a hardware instruction, and complete the encryption and decryption of the packet itself.
When the IPSec message is encrypted and decrypted by using a domestic algorithm, the first-class virtual CPU forwards the IPSec message to the second-class virtual CPU for encryption and decryption, and then the first-class virtual CPU can execute other work tasks without waiting for the return of the message.
Step 108, the second type virtual CPU performs encryption and decryption processing on the IPSec message.
In the solution of the embodiment of the present application, some of the plurality of virtual CPUs of the network device are designated as second-class virtual CPUs; they receive the IPSec packets using a domestic algorithm that are forwarded by a first-class virtual CPU and perform the encryption and decryption on those packets, which is not described in detail here.
Step 110, forwarding the encrypted and decrypted IPSec message.
When processing and forwarding the IPSec message, the IPSec message has a characteristic that the outer IP header needs to be encapsulated and decapsulated, wherein the encryption and decryption processing of the IPSec message is determined based on the relevant information in the inner IP header, and the forwarding of the IPSec message is determined based on the relevant information in the outer IP header or the inner IP header. Therefore, after completing the encryption and decryption processing of the IPSec message, the forwarding of the message should be determined to be executed by the first type virtual CPU or the second type virtual CPU, as the case may be.
The solution of the embodiment of the present application describes an asynchronous packet processing mode in which the receiving, encryption, decryption and forwarding of an IPSec packet can be completed by different virtual CPUs. Once processing of an IPSec message has been handed from the first type virtual CPU to the second type virtual CPU, the first type virtual CPU can carry on with other work tasks instead of waiting to perform the remaining operations on that IPSec message.
The IPSec message forwarding method provided by the application is applied to network equipment provided with a plurality of virtual CPUs, and the IPSec message using a domestic algorithm is subjected to encryption, decryption and forwarding by setting the second type of virtual CPU. The first-class and second-class virtual CPUs which are simultaneously arranged realize asynchronous processing of IPSec messages, and further improve the working efficiency of network equipment on IPSec message processing.
Fig. 3 is a flowchart of the method by which the first type virtual CPU determines, in step 104 of the technical solution of the present application, whether an IPSec packet is encrypted and decrypted using a domestic algorithm. It includes the following steps:
step 1042, according to the session entry successfully matched with the IPSec message, acquiring an SA policy corresponding to the IPSec message.
When the IPSec message is successfully matched with a session entry in the session table, the SA policy corresponding to the message is acquired according to the session information in that session entry.
In one example, the obtaining of the SA policy corresponding to the IPSec packet may be obtained by querying an SA table based on the session table entry information.
In another example, when a first IPSec message of a session arrives and a first virtual CPU generates a session entry thereof, the SA table is queried correspondingly, and an SA policy corresponding to the session is added to the session entry of the session, so that the SA policy corresponding to the IPSec message is obtained directly from the SA policy mounted in the session entry successfully matched with the IPSec message.
Step 1044, determining whether the IPSec message is encrypted or decrypted using a domestic algorithm according to the SA policy.
Whether the encryption and decryption algorithm used by the IPSec message is a domestic algorithm is judged based on information such as the authentication mode, algorithm and key used by the two parties of the session as described by the SA policy. The application does not limit the specific domestic algorithm used by IPSec; the domestic algorithms include SM3, SM4 and the like.
As shown in fig. 4, a flowchart of a method for forwarding an IPSec packet to a second virtual CPU by a first virtual CPU of a network device when the IPSec packet is encrypted and decrypted by using a home-made algorithm in step 106 in the technical solution of the present application is shown, which includes the following steps:
step 1062, when the number of the preset divided second-class virtual CPUs is multiple, the first-class virtual CPU polls the remaining space of the packet receiving queue of each second-class virtual CPU.
For example, 8 virtual CPUs are configured in one network device; the preset second type of virtual CPUs are virtual CPU7 and virtual CPU8, and the remaining virtual CPUs 1 to 6 are all first type virtual CPUs. The first type virtual CPU currently executing packet forwarding is virtual CPU3. After determining that the current IPSec packet is encrypted and decrypted using a domestic algorithm, first type virtual CPU3 polls the packet receiving queues of second type virtual CPUs 7 and 8 to obtain the sizes of their remaining spaces; for example, the packet receiving queue of second type virtual CPU7 can still receive 112 packets, and that of second type virtual CPU8 can still receive 96 packets.
When only one preset divided second-class virtual CPU exists, the first-class virtual CPU directly forwards the IPSec message to the second-class virtual CPU without executing the step 1062.
Step 1064, the first type virtual CPU forwards the IPSec packet to the packet receiving queue of the second type virtual CPU with the largest residual space in the packet receiving queue.
According to step 1062, the remaining spaces of the packet receiving queues of the second type virtual CPUs 7 and 8 are respectively 112 and 96 packets that can be received again, so that the first type virtual CPU3 that performs packet forwarding forwards the current IPSec packet to the packet receiving queue of the second type virtual CPU 7.
The first type virtual CPU polls the residual space of the second type virtual CPU packet receiving queue, and selects the largest residual space of the packet receiving queue to forward the IPSec message.
When the number of the second type virtual CPUs is multiple, the method for the first type virtual CPU to select the second type virtual CPU to forward the message includes, but is not limited to, the above manner, the first type virtual CPU may also randomly select one second type virtual CPU to forward the message, or judge the state of each second type virtual CPU, and forward the current IPSec message to the second type virtual CPU which is currently idle and is not in operation, which is not limited in the present application.
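The following is an added simulation of steps 102 to 106 together with the Fig. 3 and Fig. 4 sub-methods (five-tuple session match, SA policy mounted on the first packet, domestic-versus-international classification, and dispatch to the second-class vCPU with the most receive-queue space); it is not code from the patent or from the assignee. All names, the SA table keyed by address pair, and the SHA1/SHA256 entries in the international set are assumptions; the queue figures reproduce the page's 112/96 example, and it also returns None when every queue is full, a case the page leaves open.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple

FiveTuple = Tuple[str, int, str, int, str]  # step 102: src IP, src port, dst IP, dst port, L4 proto

# DES/AES and SM3/SM4 are named on the page; SHA1/SHA256 are an added assumption.
INTERNATIONAL_ALGS = {"DES", "AES", "SHA1", "SHA256"}
DOMESTIC_ALGS = {"SM3", "SM4"}

@dataclass
class SAPolicy:
    """SA contents the page lists: protocol, algorithms, key, encapsulation mode."""
    protocol: str   # "ESP" or "AH"
    cipher: str
    auth: str
    key: bytes
    mode: str       # "tunnel" or "transport"

@dataclass
class Packet:
    five_tuple: FiveTuple
    payload: bytes

@dataclass
class SecondClassVCPU:
    cpu_id: int
    capacity: int
    rx_queue: Deque[Packet] = field(default_factory=deque)

    def remaining_space(self) -> int:
        return self.capacity - len(self.rx_queue)

def uses_domestic_algorithm(sa: SAPolicy) -> bool:
    """Step 1044: classify the SA's algorithms; an unknown name raises instead of falling through."""
    algs = {sa.cipher, sa.auth}
    if algs & DOMESTIC_ALGS:
        return True
    if algs <= INTERNATIONAL_ALGS:
        return False
    raise ValueError(f"unrecognised algorithm(s) in SA policy: {sorted(algs)}")

def choose_second_class_vcpu(workers: List[SecondClassVCPU]) -> Optional[SecondClassVCPU]:
    """Steps 1062/1064: poll each second-class vCPU's receive queue and take the one with the
    most free slots (lowest id on a tie); None when every queue is full (caller drops or defers)."""
    if not workers:
        raise RuntimeError("no second-class vCPU configured")
    best = workers[0] if len(workers) == 1 else max(
        workers, key=lambda w: (w.remaining_space(), -w.cpu_id))
    return best if best.remaining_space() > 0 else None

class FirstClassVCPU:
    """Steps 102-106 on one first-class vCPU. A session entry is reduced to its mounted
    SA policy, and sa_table is keyed by (src IP, dst IP) for simplicity (assumption)."""

    def __init__(self, cpu_id: int, sa_table: Dict[Tuple[str, str], SAPolicy],
                 workers: List[SecondClassVCPU]) -> None:
        self.cpu_id, self.sa_table, self.workers = cpu_id, sa_table, workers
        self.session_table: Dict[FiveTuple, Optional[SAPolicy]] = {}

    def receive(self, pkt: Packet) -> str:
        ft = pkt.five_tuple
        if ft not in self.session_table:                 # step 102: five-tuple match
            # First packet of the session (Fig. 5, step 502): create the entry and
            # mount the negotiated SA policy so later packets skip the SA lookup.
            self.session_table[ft] = self.sa_table.get((ft[0], ft[2]))
        sa = self.session_table[ft]
        if sa is None:
            return "forward-plaintext"                   # no SA: not IPSec traffic
        if not uses_domestic_algorithm(sa):              # step 104
            return "hardware-instruction"                # international path stays here
        worker = choose_second_class_vcpu(self.workers)  # step 106 / Fig. 4
        if worker is None:
            return "drop-queues-full"
        worker.rx_queue.append(pkt)                      # hand off; this vCPU is free again
        return f"queued-on-vcpu{worker.cpu_id}"

def run_example() -> Dict[str, object]:
    """Constructed scenario matching the page's figures: vCPU7 has 112 free slots,
    vCPU8 has 96, and first-class vCPU3 receives packets from three sessions."""
    filler = Packet(("0.0.0.0", 0, "0.0.0.0", 0, "UDP"), b"")  # stands in for queued packets
    cpu7 = SecondClassVCPU(7, capacity=128, rx_queue=deque([filler] * 16))
    cpu8 = SecondClassVCPU(8, capacity=128, rx_queue=deque([filler] * 32))
    sa_table = {  # constructed SA policies, not values from the page
        ("10.0.0.1", "10.0.1.1"): SAPolicy("ESP", "SM4", "SM3", b"\x11" * 16, "tunnel"),
        ("10.0.0.1", "10.0.2.1"): SAPolicy("ESP", "AES", "SHA256", b"\x22" * 16, "tunnel"),
    }
    cpu3 = FirstClassVCPU(3, sa_table, [cpu7, cpu8])
    sm_pkt = Packet(("10.0.0.1", 40000, "10.0.1.1", 443, "TCP"), b"constructed")
    aes_pkt = Packet(("10.0.0.1", 40001, "10.0.2.1", 443, "TCP"), b"constructed")
    plain_pkt = Packet(("10.0.0.1", 40002, "10.0.3.1", 80, "TCP"), b"constructed")
    return {
        "first": cpu3.receive(sm_pkt),         # creates entry, mounts SA, queued on vCPU7
        "second": cpu3.receive(sm_pkt),        # same session: entry hit, SA already mounted
        "international": cpu3.receive(aes_pkt),
        "plaintext": cpu3.receive(plain_pkt),
        "cpu7_remaining": cpu7.remaining_space(),
    }
```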
In order to make those skilled in the art better understand the technical solution in the present application, the following detailed description is made on the processing and forwarding of the IPSec message with reference to the accompanying drawings, and the embodiments described later are only a part of embodiments of the present application, but not all embodiments.
In the networking architecture shown in fig. 1, when it is assumed that network device a and network device B perform a session based on IPSec, a process of communicating with each other through IPSec packets is as follows.
Before the session based on the IPSec protocol is performed between the network device a and the network device B, the two parties negotiate the session, the negotiation content includes the establishment of the secure tunnel and the specific authentication, message algorithm, key and the like in mutual communication, and after the negotiation is successful, the SA policies of the session between the two parties obtained through negotiation are stored in their SA index tables by the network device a and the network device B, respectively.
It is assumed that the above-described network devices A, B are all configured with 8 virtual CPUs, where the preset second type of virtual CPU is virtual CPUs 7 and 8, and the first type of virtual CPU is virtual CPUs 1 to 6.
Fig. 5 is a flowchart of a method for forwarding an IPSec packet to be encrypted by taking a network device a as an example in the present application.
When network device A starts sending an IPSec message to network device B, that IPSec message is the first IPSec message to be encrypted of the session between network device A and network device B (hereinafter abbreviated as session A-B), and the generated IPSec message reaches first type virtual CPU3 of network device A.
Step 502, the first type virtual CPU of the network device a generates a session entry of the session a-B according to the first IPSec packet quintuple to be encrypted and other information, and adds an SA policy.
After the first type virtual CPU3 of the network device a receives the IPSec packet, because the packet is the first packet of the session a-B, the first type virtual CPU3 generates a session entry for the session a-B, and queries the SA index table to obtain an SA policy of the session a-B that has been successfully negotiated, and adds the SA policy to the session entry of the session a-B, where the session entry of the session a-B is shown in table 1 below.
TABLE 1 (session entry of session A-B; the table image is not reproduced on this page)
Step 504, based on the SA policy of session a-B, the first type virtual CPU3 of network device a determines that the IPSec packet needs to be encrypted using a home-made algorithm.
Step 506, the first type virtual CPU of the network device a polls the second type virtual CPU and forwards the IPSec packet to the second type virtual CPU with the largest remaining space in the packet receiving queue.
The first type virtual CPU3 of the network device a polls the remaining space of the packet receiving queues of the second type virtual CPUs 7 and 8 in the device, and the obtained remaining space of the packet receiving queues of the second type virtual CPUs 7 and 8 is respectively 112 and 96 packets which can be received again, so that the first type virtual CPU3 transfers the IPSec packet to the second type virtual CPU7 for encryption processing.
In step 508, the second type virtual CPU of the network device a completes the encryption of the IPSec packet and the encapsulation of the outer IP header, and then returns the packet to the first type virtual CPU.
After second type virtual CPU7 of network device A completes the encryption of the IPSec packet with the corresponding domestic algorithm based on the SA policy of session A-B, it encapsulates an outer IP header for the IPSec packet so that the packet can be transmitted in the IPSec tunnel. Because the second type virtual CPU does not execute the task of generating session entries, it cannot generate a new session entry corresponding to the newly encapsulated outer IP header of the IPSec packet, so second type virtual CPU7 returns the IPSec packet to first type virtual CPU3 at this point.
Step 510, the first type virtual CPU of the network device a generates a corresponding session table entry based on the outer IP header and forwards the packet.
The first type virtual CPU3 of the network device a generates a corresponding session entry for the IPSec packet according to the outer IP header encapsulated after the IPSec packet is encrypted, and then according to the session entry corresponding to the outer IP header, the first type virtual CPU3 of the network device a forwards the IPSec packet after the encryption process, where the session entry corresponding to the outer IP header encapsulated by the IPSec packet is shown in table 2 below.
TABLE 2 (session entry corresponding to the outer IP header encapsulated by the IPSec packet; the table image is not reproduced on this page)
The source and destination of the session corresponding to the outer IP header encapsulated after the IPSec message is encrypted may be network devices at both ends of the tunnel, or may be a transit routing device inside the VPN, which is not limited in this application.
When network device A sends a subsequent (non-first) IPSec packet of session A-B to be encrypted to network device B, assuming that this packet reaches first type virtual CPU3 of network device A, then according to the SA policy in the session entry of session A-B, first type virtual CPU3 forwards the packet to the packet receiving queue of second type virtual CPU7, the second type virtual CPU whose packet receiving queue has the larger remaining space. Second type virtual CPU7 encrypts the IPSec packet and encapsulates the outer IP header according to the SA policy in the session entry of session A-B, and then directly forwards the IPSec packet according to the session entry already generated for that outer IP header.
Fig. 6 is a flowchart of a method for forwarding an IPSec packet to be decrypted, taking a network device B as an example, in the present application.
Step 602, when the encrypted and encapsulated IPSec message reaches network device B, first virtual CPU3 of network device B decapsulates the outer IP header of the IPSec message to be decrypted first, so as to obtain a real IPSec message to be decrypted, generates a session entry of session a-B according to the five-tuple correspondence of the IPSec message, queries an SA policy of session a-B that has been successfully negotiated in an SA index table, and adds the SA policy to the session entry of session a-B.
Step 604, based on the SA policy of session a-B, the first type virtual CPU3 of network device B determines that the IPSec packet needs to be decrypted using a home-made algorithm.
In step 606, the first type virtual CPU3 of the network device B polls the remaining spaces of the packet receiving queues of the second type virtual CPUs 7 and 8 in the device, and the obtained remaining spaces of the packet receiving queues of the second type virtual CPUs 7 and 8 are respectively 112 and 96 packets that can be received again, so that the first type virtual CPU3 transfers the IPSec packet to the second type virtual CPU7 for decryption.
In step 608, the second type virtual CPU7 of network device B completes decryption processing on the IPSec packet.
Step 610, the second type virtual CPU7 of the network device B directly forwards the packet according to the session table entry of the session a-B generated after the decapsulation.
The technical scheme is applied to the network equipment configured with a plurality of virtual CPUs, the virtual CPUs in the network equipment are divided, the second type of virtual CPU is set to encrypt and decrypt the IPSec message using the domestic algorithm, other hardware equipment for encryption and decryption does not need to be additionally configured in the network equipment, the cost is saved, and the message processing efficiency is improved. In the process of processing and forwarding the IPSec message, the first-class virtual CPU selects and forwards the message to the largest residual space of the packet receiving queue by polling the second-class virtual CPU, so that the shunting of the IPSec message before encryption and decryption is realized, and meanwhile, the first-class virtual CPU and the second-class virtual CPU which are arranged in a separated way realize the asynchronous processing of the IPSec message, so that the working efficiency of the network equipment is further improved.
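As an added illustration (this is not code from the patent or from Hangzhou DPTech), the following Python model plays through both flows described above: the encryption path (session-table match on the five-tuple, SA lookup, dispatch to the second-type virtual CPU with the most remaining receive-queue space, the first packet of a session returning to the first-type virtual CPU so that a session entry for the outer IP header can be created as in step 510, later packets forwarded by the second-type virtual CPU directly) and the decryption path of Fig. 6 (decapsulate, build the session entry, dispatch, decrypt, forward). The class names, the `backlog` counter, the addresses and payloads, and `placeholder_cipher` are all assumptions made for this example; the placeholder is an XOR keystream derived from SHA-256 standing in for the unnamed domestic algorithm and is not SM4 or any real cipher. One caveat a practitioner should keep in mind: with ESP in tunnel mode the inner IP header sits inside the encrypted payload, so a real receiver identifies the SA by the outer addresses and the SPI (RFC 4303) rather than by an inner five-tuple it cannot yet read; the model keeps the inner five-tuple visible only to follow the page's description.

```python
"""Model of the two-class virtual-CPU IPSec forwarding flow (constructed example,
not the patent's code). Class names, addresses, payloads and the stand-in cipher
are assumptions made for this illustration."""
import hashlib
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

FiveTuple = tuple  # (src_ip, dst_ip, proto, src_port, dst_port)


@dataclass
class SAPolicy:
    algorithm: str     # "domestic" selects the second-type vCPU path
    key: bytes
    tunnel_src: str    # endpoints written into the outer IP header
    tunnel_dst: str


@dataclass
class Packet:
    five_tuple: FiveTuple              # inner session A-B five-tuple
    payload: bytes
    outer: Optional[FiveTuple] = None  # outer IP header after encapsulation
    encrypted: bool = False


def placeholder_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for the unnamed 'domestic algorithm' so the example runs offline.
    XOR with a SHA-256 keystream: NOT SM4 or any real cipher. Symmetric, so
    applying it twice with the same key restores the plaintext."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class SecondTypeVCPU:
    """Encrypts/decrypts only; never writes the session table."""
    cpu_id: int
    capacity: int = 128
    backlog: int = 0   # packets of other sessions already queued (modelled as a count)
    rx_queue: deque = field(default_factory=deque)
    egress: list = field(default_factory=list)

    def free_space(self) -> int:
        return self.capacity - self.backlog - len(self.rx_queue)

    def process_one(self, session_table: dict) -> Optional[Packet]:
        """Handle the head of the rx queue. Returns the packet when it must go back
        to the first-type vCPU (first encrypted packet of a session: no entry yet for
        the outer header); otherwise forwards it itself and returns None."""
        pkt = self.rx_queue.popleft()
        sa = session_table[pkt.five_tuple]["sa"]
        pkt.payload = placeholder_cipher(sa.key, pkt.payload)
        if pkt.encrypted:                                     # decrypt path (steps 608-610)
            pkt.encrypted = False
            self.egress.append(pkt)
            return None
        pkt.encrypted = True                                  # encrypt path: add outer header
        pkt.outer = (sa.tunnel_src, sa.tunnel_dst, 50, 0, 0)  # protocol 50 = ESP
        if pkt.outer in session_table:                        # non-first packet: forward directly
            self.egress.append(pkt)
            return None
        return pkt


class FirstTypeVCPU:
    """Session-table matching, SA lookup, dispatch and session-entry creation."""

    def __init__(self, sa_index: dict, workers: list):
        self.sa_index = sa_index    # negotiated SAs keyed by inner five-tuple
        self.session_table = {}     # shared with the workers, who only read it
        self.workers = workers
        self.egress = []

    def pick_worker(self) -> SecondTypeVCPU:
        # poll every second-type vCPU; the largest remaining rx-queue space wins
        return max(self.workers, key=lambda w: w.free_space())

    def receive(self, pkt: Packet) -> None:
        if pkt.encrypted:
            pkt.outer = None        # step 602: decapsulate the outer IP header
        entry = self.session_table.get(pkt.five_tuple)
        if entry is None:           # first packet of the session: build entry, attach SA
            entry = {"sa": self.sa_index[pkt.five_tuple]}
            self.session_table[pkt.five_tuple] = entry
        if entry["sa"].algorithm != "domestic":
            self.egress.append(pkt)  # other algorithms: not modelled here
            return
        worker = self.pick_worker()
        worker.rx_queue.append(pkt)
        returned = worker.process_one(self.session_table)
        if returned is not None:    # step 510: entry for the outer header, then forward
            self.session_table[returned.outer] = {"sa": entry["sa"]}
            self.egress.append(returned)


def run_demo() -> dict:
    """Constructed scenario: 10.1.1.2 talks to 10.2.2.2 through the tunnel between
    network devices 192.0.2.1 (A) and 198.51.100.1 (B); two packets A -> B."""
    inner = ("10.1.1.2", "10.2.2.2", 6, 40000, 443)
    sa = SAPolicy("domestic", b"\x01" * 16, "192.0.2.1", "198.51.100.1")
    # backlogs 16 and 32 reproduce the page's 112 / 96 free slots, so vCPU 7 wins
    dev_a = FirstTypeVCPU({inner: sa}, [SecondTypeVCPU(7, backlog=16), SecondTypeVCPU(8, backlog=32)])
    dev_b = FirstTypeVCPU({inner: sa}, [SecondTypeVCPU(7, backlog=16), SecondTypeVCPU(8, backlog=32)])
    payloads = [b"GET / HTTP/1.1", b"Host: b.example"]
    for p in payloads:
        dev_a.receive(Packet(inner, p))
    for pkt in dev_a.egress + dev_a.workers[0].egress:  # across the tunnel to B
        dev_b.receive(pkt)
    return {
        "a_sessions": len(dev_a.session_table),          # inner entry + outer entry
        "a_forwarded_by_first": len(dev_a.egress),       # first packet only
        "a_forwarded_by_vcpu7": len(dev_a.workers[0].egress),
        "a_forwarded_by_vcpu8": len(dev_a.workers[1].egress),
        "b_sessions": len(dev_b.session_table),
        "b_decrypted": [p.payload for p in dev_b.workers[0].egress],
    }


if __name__ == "__main__":
    print(run_demo())
```

The `backlog` counter is what makes the dispatch decision visible: both second-type vCPUs start idle in the model, so without it every packet would tie and the polling step would be invisible. Note also that the worker only reads the shared session table; the single write for the outer-header entry happens on the first-type vCPU, which is exactly the reason the first packet of a session makes the extra round trip.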
Corresponding to the foregoing method embodiment for forwarding IPSec packets, this application also provides an embodiment of an apparatus for forwarding IPSec packets.
The IPSec packet forwarding apparatus embodiment provided by this application can be applied to any network device configured with multiple virtual CPUs. The apparatus embodiment may be implemented in software, in hardware, or in a combination of the two. Taking software as an example, the apparatus is a logical device formed by the processor of the network device reading the corresponding computer program instructions from non-volatile memory into memory and running them. From the hardware perspective, Fig. 7 is a hardware block diagram of the network device in which the IPSec packet forwarding apparatus is located; besides the processor, memory, network interface and non-volatile memory shown in Fig. 7, the network device of this embodiment may also include other hardware according to its actual function, which is not described further here.
Referring to Fig. 8, a block diagram of an apparatus for forwarding IPSec packets according to an embodiment of this application; the forwarding apparatus includes a first-type processing unit 810 and a second-type processing unit 820:
the first-type processing unit 810 is configured to, when an IPSec packet is received, match the IPSec packet against the session table according to the packet's five-tuple;
it is further configured to determine, when the IPSec packet matches the session table successfully, whether the IPSec packet is to be encrypted or decrypted with a domestic algorithm;
and further configured to forward the IPSec packet to the second-type processing unit when the IPSec packet is to be encrypted or decrypted with a domestic algorithm;
the second-type processing unit 820 is configured to encrypt or decrypt the IPSec packet with the domestic algorithm;
and the first-type processing unit 810 or the second-type processing unit 820 is configured to forward the IPSec packet after encryption or decryption.
Optionally, when determining whether the IPSec packet is to be encrypted or decrypted with a domestic algorithm, the first-type processing unit 810 is specifically configured to:
obtain the SA policy corresponding to the IPSec packet from the session entry that the IPSec packet matched;
and determine from the SA policy whether the IPSec packet is to be encrypted or decrypted with a domestic algorithm.
Optionally, when forwarding an IPSec packet that uses a domestic algorithm to the second-type processing unit 820, the first-type processing unit 810 is specifically configured to:
when there are multiple second-type processing units 820, poll the remaining space of the receive queue of each second-type processing unit 820;
and forward the IPSec packet to the receive queue of the second-type processing unit 820 with the largest remaining receive-queue space.
Optionally, when forwarding the IPSec packet after encryption or decryption, the first-type processing unit 810 or the second-type processing unit 820 is specifically configured as follows:
when the IPSec packet is the first packet to be encrypted of any session, the second-type processing unit 820 encrypts the IPSec packet and returns it to the first-type processing unit 810, and the first-type processing unit 810 forwards the encrypted IPSec packet;
when the IPSec packet is a non-first packet to be encrypted of any session, the second-type processing unit 820 encrypts the IPSec packet and forwards the encrypted IPSec packet;
when the IPSec packet is a packet to be decrypted of any session, the second-type processing unit 820 decrypts the IPSec packet and forwards the decrypted IPSec packet.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
Embodiments of the subject matter and the functional operations described in this specification can be implemented in: digital electronic circuitry, tangibly embodied computer software or firmware, computer hardware including the structures disclosed in this specification and their structural equivalents, or a combination of one or more of them. Embodiments of the subject matter described in this specification can be implemented as one or more computer programs, i.e., one or more modules of computer program instructions, encoded on a tangible, non-transitory program carrier for execution by, or to control the operation of, data processing apparatus. Alternatively or additionally, the program instructions may be encoded on an artificially generated propagated signal, e.g., a machine-generated electrical, optical, or electromagnetic signal, that is generated to encode and transmit information to suitable receiver apparatus for execution by the data processing apparatus. The computer storage medium may be a machine-readable storage device, a machine-readable storage substrate, a random or serial access memory device, or a combination of one or more of them.
The processes and logic flows described in this specification can be performed by one or more programmable computers executing one or more computer programs to perform corresponding functions by operating on input data and generating output. The processes and logic flows can also be performed by, and apparatus can also be implemented as, special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit).
Computers suitable for the execution of a computer program include, for example, general and/or special purpose microprocessors, or any other type of central processing unit. Generally, a central processing unit will receive instructions and data from a read-only memory and/or a random access memory. The basic components of a computer include a central processing unit for implementing or executing instructions and one or more memory devices for storing instructions and data. Generally, a computer will also include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, e.g., magnetic, magneto-optical disks, or optical disks. However, a computer does not necessarily have such a device. Moreover, a computer may be embedded in another device, e.g., a mobile telephone, a Personal Digital Assistant (PDA), a mobile audio or video player, a game console, a Global Positioning System (GPS) receiver, or a portable storage device such as a Universal Serial Bus (USB) flash drive, to name a few.
Computer-readable media suitable for storing computer program instructions and data include all forms of non-volatile memory, media and memory devices, including by way of example semiconductor memory devices (e.g., EPROM, EEPROM, and flash memory devices), magnetic disks (e.g., an internal hard disk or a removable disk), magneto-optical disks, and CD ROM and DVD-ROM disks. The processor and the memory can be supplemented by, or incorporated in, special purpose logic circuitry.
While this specification contains many specific implementation details, these should not be construed as limitations on the scope of any invention or of what may be claimed, but rather as descriptions of features specific to particular embodiments of particular inventions. Certain features that are described in this specification in the context of separate embodiments can also be implemented in combination in a single embodiment. In other instances, features described in connection with one embodiment may be implemented as discrete components or in any suitable subcombination. Moreover, although features may be described above as acting in certain combinations and even initially claimed as such, one or more features from a claimed combination can in some cases be excised from the combination, and the claimed combination may be directed to a subcombination or variation of a subcombination.
Similarly, while operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In some cases, multitasking and parallel processing may be advantageous. Moreover, the separation of various system modules and components in the embodiments described above should not be understood as requiring such separation in all embodiments, and it should be understood that the described program components and systems can generally be integrated together in a single software product or packaged into multiple software products.
Thus, particular embodiments of the subject matter have been described. Other embodiments are within the scope of the following claims. In some cases, the actions recited in the claims can be performed in a different order and still achieve desirable results. Further, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some implementations, multitasking and parallel processing may be advantageous.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (10)

1. A method for forwarding IPSec packets, applied to a network device configured with a plurality of virtual CPUs, characterized in that the method comprises:
when an IPSec packet is received, a first-type virtual CPU matches the IPSec packet against a session table according to the five-tuple of the IPSec packet;
when the IPSec packet matches the session table successfully, the first-type virtual CPU determines whether the IPSec packet is to be encrypted or decrypted using a domestic algorithm;
when the IPSec packet is to be encrypted or decrypted using a domestic algorithm, the first-type virtual CPU forwards the IPSec packet to a second-type virtual CPU;
the second-type virtual CPU encrypts or decrypts the IPSec packet;
and the encrypted or decrypted IPSec packet is forwarded.
2. The method according to claim 1, wherein the first-type virtual CPU determining whether the IPSec packet is to be encrypted or decrypted using a domestic algorithm comprises:
the first-type virtual CPU obtaining the SA policy corresponding to the IPSec packet from the session entry that the IPSec packet matched;
and determining from the SA policy whether the IPSec packet is to be encrypted or decrypted using a domestic algorithm.
3. The method according to claim 1, wherein the first-type virtual CPU forwarding the IPSec packet to the second-type virtual CPU comprises:
when there are multiple second-type virtual CPUs, the first-type virtual CPU polling the remaining space of the receive queue of each second-type virtual CPU;
and the first-type virtual CPU forwarding the IPSec packet to the receive queue of the second-type virtual CPU with the largest remaining receive-queue space.
4. The method according to claim 1, wherein forwarding the encrypted or decrypted IPSec packet comprises:
when the IPSec packet is the first packet to be encrypted of any session,
after encrypting the IPSec packet, the second-type virtual CPU returning the IPSec packet to the first-type virtual CPU, and the first-type virtual CPU forwarding the encrypted IPSec packet;
when the IPSec packet is a non-first packet to be encrypted of any session,
after encrypting the IPSec packet, the second-type virtual CPU forwarding the encrypted IPSec packet.
5. The method according to claim 1, wherein forwarding the encrypted or decrypted IPSec packet comprises:
when the IPSec packet is a packet to be decrypted of any session, the second-type virtual CPU decrypting the IPSec packet and forwarding the decrypted IPSec packet.
6. An apparatus for forwarding IPSec packets, the apparatus comprising a first-type processing unit and a second-type processing unit:
the first-type processing unit is configured to, when an IPSec packet is received, match the IPSec packet against a session table according to the five-tuple of the IPSec packet;
it is further configured to determine, when the IPSec packet matches the session table successfully, whether the IPSec packet is to be encrypted or decrypted using a domestic algorithm;
and further configured to forward the IPSec packet to the second-type processing unit when the IPSec packet is to be encrypted or decrypted using a domestic algorithm;
the second-type processing unit is configured to encrypt or decrypt the IPSec packet using the domestic algorithm;
and the first-type processing unit or the second-type processing unit is configured to forward the encrypted or decrypted IPSec packet.
7. The apparatus according to claim 6, wherein the first-type processing unit determining whether the IPSec packet is to be encrypted or decrypted using a domestic algorithm comprises:
the first-type processing unit obtaining the SA policy corresponding to the IPSec packet from the session entry that the IPSec packet matched;
and determining from the SA policy whether the IPSec packet is to be encrypted or decrypted using a domestic algorithm.
8. The apparatus according to claim 6, wherein the first-type processing unit forwarding the IPSec packet to the second-type processing unit when the IPSec packet is to be encrypted or decrypted using a domestic algorithm comprises:
when there are multiple second-type processing units, the first-type processing unit polling the remaining space of the receive queue of each second-type processing unit;
and the first-type processing unit forwarding the IPSec packet to the receive queue of the second-type processing unit with the largest remaining receive-queue space.
9. The apparatus according to claim 6, wherein the first-type processing unit or the second-type processing unit forwarding the encrypted or decrypted IPSec packet comprises:
when the IPSec packet is the first packet to be encrypted of any session, the second-type processing unit encrypting the IPSec packet and returning it to the first-type processing unit, and the first-type processing unit forwarding the encrypted IPSec packet;
and when the IPSec packet is a non-first packet to be encrypted of any session, the second-type processing unit encrypting the IPSec packet and forwarding the encrypted IPSec packet.
10. The apparatus according to claim 6, wherein the first-type processing unit or the second-type processing unit forwarding the encrypted or decrypted IPSec packet comprises:
when the IPSec packet is a packet to be decrypted of any session, the second-type processing unit decrypting the IPSec packet and forwarding the decrypted IPSec packet.
CN202011262816.3A 2020-11-12 2020-11-12 IPSec message forwarding method and device Active CN112491821B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011262816.3A CN112491821B (en) 2020-11-12 2020-11-12 IPSec message forwarding method and device


Publications (2)

Publication Number Publication Date
CN112491821A CN112491821A (en) 2021-03-12
CN112491821B true CN112491821B (en) 2022-05-31

Family

ID=74930254

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011262816.3A Active CN112491821B (en) 2020-11-12 2020-11-12 IPSec message forwarding method and device

Country Status (1)

Country Link
CN (1) CN112491821B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113177213B (en) * 2021-04-29 2022-06-24 杭州迪普科技股份有限公司 (Hangzhou DPTech Technologies Co Ltd) Encryption card and processing method for its encrypted packets
CN113282525B (en) * 2021-05-27 2023-03-28 杭州迪普科技股份有限公司 (Hangzhou DPTech Technologies Co Ltd) Message distribution method and device
CN114301632B (en) * 2021-12-02 2023-11-10 北京天融信网络安全技术有限公司 (Beijing Topsec Network Security Technology Co., Ltd.) IPsec data processing method, terminal and storage medium
CN114785536A (en) * 2022-02-28 2022-07-22 新华三信息安全技术有限公司 (New H3C Security Technologies Co., Ltd.) Message processing method and device


Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104468309A (en) * 2014-10-31 2015-03-25 成都卫士通信息产业股份有限公司 (Chengdu Westone Information Industry Inc.) Efficient adaptation method for a low-speed SMP and a high-speed cryptographic card
CN109257174A (en) * 2018-11-26 2019-01-22 安徽皖通邮电股份有限公司 (Anhui Wantong Posts and Telecommunications Co., Ltd.) Method for using quantum keys in VPWS services

Non-Patent Citations (6)

* Cited by examiner, † Cited by third party
Title
Analysis of VCPU scheduling algorithms in Xen; 时光 et al.; 计算机工程与设计 (Computer Engineering and Design); 2010-09-28 (No. 18); full text *
An implementation of an IPSec VPN gateway based on strongSwan; 蒋华 et al.; 计算机应用与软件 (Computer Applications and Software); 2017-07-15 (No. 07); full text *
A method for adding the national cryptographic (国密) algorithms to Openswan; 张朕荣; 现代计算机(专业版) (Modern Computer, Professional Edition); 2015-02-25 (No. 06); full text *
Characteristics and applications of the Chinese Zhaoxin (兆芯) x86 processor chip; 马宇川; 集成电路应用 (Integrated Circuit Applications); 2017-03-31 (No. 03); full text *
A VPN system solution based on the IPSec protocol; 黄力; 柳州职业技术学院学报 (Journal of Liuzhou Vocational and Technical College); 2006-03-30 (No. 01); full text *
Research and implementation of cryptographic card virtualization technology; 苏振宇; 集成技术 (Journal of Integration Technology); 2019-04-10 (No. 03); full text *



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant