CN112702338A - IKE message acquisition method and device - Google Patents


Info

Publication number
CN112702338A
Authority
CN
China
Prior art keywords
ike
port
message
universal
thread
Prior art date
Legal status
Granted
Application number
CN202011534201.1A
Other languages
Chinese (zh)
Other versions
CN112702338B (en)
Inventor
汪庆权
Current Assignee
Hangzhou DPTech Technologies Co Ltd
Original Assignee
Hangzhou DPTech Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Hangzhou DPTech Technologies Co Ltd
Priority to CN202011534201.1A
Publication of CN112702338A
Application granted
Publication of CN112702338B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/25 Mapping addresses of the same type
    • H04L 61/2503 Translation of Internet protocol [IP] addresses
    • H04L 61/2517 Translation of Internet protocol [IP] addresses using port numbers

Abstract

This specification provides an IKE message acquisition method and apparatus. Several IKE threads are created in advance, each listening on a different general port, and a port conversion module is set up in advance that intercepts IKE messages whose destination port is the IKE dedicated port and rewrites that destination port to a general port listened on by one of the IKE threads. The IKE threads thus listen on different ports and receive and process different IKE messages in parallel, replacing the original scheme in which the single IKE thread of the one IKE process listened on the IKE dedicated port and handled every message. When many peer devices need to complete IKE negotiation within a short period, the device's IKE message processing efficiency is therefore improved.

Description

IKE message acquisition method and device
Technical Field
The present disclosure relates to the field of computer application technologies, and in particular, to an IKE message acquiring method and apparatus.
Background
The Internet Protocol Security (IPsec) architecture comprises several protocols and algorithms for secure data transmission over a network, including the Internet Key Exchange (IKE) protocol, the Authentication Header (AH), the Encapsulating Security Payload (ESP), and the authentication and encryption algorithms they use. Before data can be protected with IPsec, the two communicating parties first negotiate keys through the IKE protocol.
During IKE negotiation between two devices, the RFC standard requires the IKE messages to be exchanged over the User Datagram Protocol (UDP) with a fixed destination port on the device, referred to herein as the IKE dedicated port.
In practice, taking the local device as an example, it receives, sends and processes IKE messages in an IKE process: the IKE process obtains IKE messages by listening on the device's IKE dedicated port with a UDP socket, processes each received message, and sends the resulting message back out through that UDP socket on the IKE dedicated port.
However, that UDP socket is serviced by only one thread, which means the IKE process can create only a single thread to send, receive and process IKE messages for the IKE dedicated port. If the local device has to complete IKE negotiation with many peer devices within a short period, it comes under great performance pressure and IKE negotiation efficiency is relatively low.
Disclosure of Invention
In order to solve the problem of low IKE negotiation efficiency in the related art, the present specification provides an IKE message acquisition method and apparatus.
According to a first aspect of the embodiments of this specification, an IKE message acquisition method is provided, applied to a local device. A port conversion module is created in advance to intercept IKE messages sent by peer devices whose destination port is the IKE dedicated port; at least two IKE threads of one IKE process are created in advance, each listening on one general port, with different IKE threads listening on different general ports and different general ports corresponding to different peer devices. The method comprises the following steps:
the port conversion module converts the destination port of each intercepted IKE message from the IKE dedicated port to the general port corresponding to the peer device that sent the message;
each IKE thread obtains IKE messages for processing by listening on its corresponding general port.
According to a second aspect of the embodiments of this specification, an IKE message acquisition apparatus is provided, applied to a local device. A port conversion module is created in advance to intercept IKE messages sent by peer devices whose destination port is the IKE dedicated port; at least two IKE threads of one IKE process are created in advance, each listening on one general port, with different IKE threads listening on different ports and different ports corresponding to different peer devices. The apparatus comprises:
a port conversion unit, which uses the port conversion module to convert the destination port of each intercepted IKE message to the port corresponding to the peer device that sent the message; and
a message acquisition unit, which obtains IKE messages for processing by having each IKE thread listen on its corresponding port.
According to a third aspect of the embodiments of the present specification, there is provided a computer-readable storage medium on which a computer program is stored, the program, when executed by a processor, implementing the IKE message acquisition method according to the first aspect of the embodiments of the present specification.
According to a fourth aspect of embodiments herein, there is provided a computer apparatus comprising:
one or more processors;
a memory for storing one or more programs;
when the one or more programs are executed by the one or more processors, the one or more processors implement the IKE message acquisition method according to the first aspect of the embodiments of the present disclosure.
In one or more embodiments of this specification, several IKE threads are created in advance, each listening on a different general port, and a port conversion module is set up in advance that intercepts IKE messages whose destination port is the IKE dedicated port and rewrites that destination port to a general port listened on by one of the IKE threads. The IKE threads listen on different ports and receive and process different IKE messages in parallel, replacing the original scheme in which the single IKE thread of the one IKE process listened on the IKE dedicated port and handled every message. When many peer devices need to complete IKE negotiation within a short period, the device's IKE message processing efficiency is therefore improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the specification.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present specification and together with the description, serve to explain the principles of the specification.
Fig. 1A is a diagram of a related art application scenario in the present specification.
Fig. 1B is a diagram illustrating an application scenario of an IKE message acquiring method according to an exemplary embodiment of the present disclosure.
Fig. 2 is a flowchart illustrating an IKE message acquiring method according to an exemplary embodiment of the present disclosure.
Fig. 3 is a schematic diagram illustrating an IKE message acquiring method according to an exemplary embodiment of the present disclosure.
Fig. 4 is a block diagram of an IKE message acquiring apparatus according to an exemplary embodiment.
Fig. 5 is a hardware configuration diagram of a computer device where an IKE message acquiring apparatus is located according to an exemplary embodiment.
Detailed Description
First, for convenience of description, the two devices performing IKE negotiation are referred to in the embodiments of this specification as the local device and the peer device. The local device may be either of the two interacting devices; the description is given from the local device's perspective only, and the method of these embodiments may equally be applied on the peer device, which is not limited here. In addition, in every embodiment the peer devices referred to are those that need to complete IKE negotiation with the local device within a given short period; the local device may need to negotiate with different batches of peer devices in different short periods, that is, different short periods may correspond to different sets of peer devices.
As described above, in the related art only the one IKE thread created by the one IKE process receives, sends and processes IKE packets. When many peer devices perform IKE negotiation with the local device within a short time, IKE negotiation throughput suffers. Fig. 1A shows the local device interacting with four peer devices at the same time: the local device must process the IKE messages of all four peers, but only one IKE thread handles them, so efficiency is low.
When the local device is a gateway, a large number of peers negotiating with it at once arises, for example, as follows. User equipment connected to the public network (public network devices for short) that needs to reach the internal network must first complete IKE negotiation with the gateway between the internal network and the public network; when many public network devices need access within a short time, or when the gateway restarts after a power failure, a large number of IKE messages must be processed in a short time. Alternatively, when the internal network is a star topology of several branch gateways around a central gateway, several tunnels may exist between the central gateway and each branch gateway, and because of the IKE lifetime mechanism these tunnels must be renegotiated every few hours; with many tunnels, a single IKE thread cannot keep up with the central gateway's negotiation load.
To solve the problem of low IKE negotiation efficiency, in one or more embodiments of this specification several IKE threads are created in advance, each listening on a different general port, and a port conversion module is set up in advance that intercepts IKE messages whose destination port is the IKE dedicated port and rewrites that destination port to a general port listened on by one of the IKE threads. As shown in Fig. 1B, the IKE threads listen on different ports and receive and process different IKE messages concurrently, replacing the original scheme in which the single IKE thread of the one IKE process listened on the IKE dedicated port and handled every message. When many peer devices need to complete IKE negotiation within a short period, the device's IKE message processing efficiency is therefore improved.
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present specification. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the specification, as detailed in the appended claims.
The terminology used in the description herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the description. As used in this specification and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, the information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly second information may also be referred to as first information, without departing from the scope of this specification. The word "if" as used herein may be interpreted as "upon", "when" or "in response to determining", depending on the context.
The following provides a detailed description of examples of the present specification.
Fig. 2 is a flowchart of an IKE message acquisition method according to an exemplary embodiment, applied to a local device. A port conversion module is created in advance to intercept IKE messages sent by peer devices whose destination port is the IKE dedicated port; at least two IKE threads of one IKE process are created in advance, each listening on one general port, with different IKE threads listening on different general ports and different general ports corresponding to different peer devices. The flow shown in Fig. 2 comprises the following steps:
Step 202: the port conversion module converts the destination port of each intercepted IKE message from the IKE dedicated port to the general port corresponding to the peer device that sent the message.
Step 204: each IKE thread obtains IKE messages for processing by listening on its corresponding general port.
The local device may be a central gateway. Its Central Processing Unit (CPU) generally has multiple cores, and at least two CPU cores may be bound to the pre-created IKE threads so that the threads execute in parallel on at least two cores. To further improve the efficiency of receiving, sending and processing IKE messages and make the most of a multi-core CPU, different IKE threads are bound to different CPU cores when the gateway has more CPU cores than IKE threads; when it has fewer CPU cores than IKE threads, each CPU core is bound to at least one IKE thread.
The port conversion module works at the transport layer of the Open Systems Interconnection (OSI) reference model and is a kernel module, whereas the IKE threads work above the transport layer. The port conversion module can therefore rewrite the destination port of an IKE message before the IKE thread's socket receives it, which is what distributes IKE messages to IKE threads. Concretely, the port conversion module registers a hook function through the Netfilter hook mechanism of the Linux kernel, intercepts IKE messages whose destination port is the IKE dedicated port, rewrites the destination port, and then delivers the converted message to the receive queue of the corresponding socket, from which the IKE thread receives and processes it.
As described in the background, the IKE dedicated port is the port with a fixed number used for IKE negotiation over UDP between the local device and the peer device; it may be 500 or 4500. The general port corresponding to the IKE dedicated port may be any port that is free to be used as a rewritten destination port, for example any port in the dynamic port range (49152 to 65535).
Among the pre-created IKE threads, each listens on one general port. Because of the UDP socket limitation, each general port can be listened on by only one IKE thread, and to improve processing efficiency each IKE thread in turn listens on only one general port; that is, IKE threads and general ports correspond one to one.
The number of IKE threads may be chosen according to the processing capacity of the system, according to the number of peer devices expected to negotiate with the local device (for example, the number of purchased IPsec VPN licenses), or according to a combination of such factors.
In addition, different general ports must correspond to different peer devices. In other words, the IKE messages distributed to the general ports should be as evenly balanced as possible, and all the IKE messages exchanged between one peer device and the local device within one IKE negotiation must be handled by the same IKE thread. Across different time periods, the correspondence between a peer device and a general port may or may not be the same from one negotiation to the next. For example, in one period the destination port of the peer's IKE messages is rewritten to 2000; in a later negotiation between the same peer and the local device it may again be rewritten to 2000, or to a different general port listened on by another IKE thread.
Further, the correspondence between general ports and peer devices may be either of the following: at least one general port corresponds to several peer devices; or each general port corresponds to exactly one peer device. To keep the IKE messages distributed across IKE threads as balanced as possible, when there are more IKE threads than peer devices a one-to-one correspondence between peer devices and general ports can be configured (one IKE thread listening on one general port per peer) to obtain the best parallelism. In some cases, to save thread resources and keep excess threads from competing for the CPU, the number of IKE threads is kept small; when there are fewer IKE threads than peer devices, the general port listened on by one IKE thread must then correspond to several peer devices.
Before establishing the correspondence between IKE threads and the general ports they listen on, a range of port numbers is reserved for the IKE threads in advance so that each thread can pick a general port from that range and establish its correspondence. The reserved range may be 2001 to 3000, or 10001 to 10100; that is, it may be any range of general ports that can be used as rewritten destination ports and listened on by the IKE processing threads. The reserved range should be large enough that every IKE thread can find a general port within it.
The correspondence between each IKE thread and its general port can be established in a loop: for each IKE thread, a general port is allocated from the reserved range in ascending order and the correspondence is established; on success the loop moves on to allocate a port for the next IKE thread, and on failure (for example because the port is already in use) the next port in the reserved range is tried until the correspondence is established.
Once the general port listened on by each IKE thread is determined, the port is issued to the port conversion module and stored in a port array, from which the port conversion module selects a general port as the new destination port. Before the general ports are issued, the port conversion module's configuration should be cleared, that is, its port array emptied, so that every general port in the array is one that an IKE thread is actually listening on.
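The thread-side procedure above (reserve a range, let each IKE thread claim one general port by binding its own UDP socket and skipping ports already in use, then pin threads to cores) is shown below as an added example; it is not code from the patent or its assignee. It assumes sockets are bound on 127.0.0.1 so that it runs on a single machine, uses the 2001 to 3000 range named in the description, and pins with the raw sched_setaffinity syscall restricted to the cores the process is allowed to use.

```c
/* Added example (not code from the patent or its assignee): the user-space
 * side of the scheme. Each IKE thread claims one general port from the
 * reserved range by binding its own UDP socket, skipping ports that are
 * already in use, and pins itself to a CPU core. Assumptions: loopback
 * binding, reserved range 2001-3000, raw sched_setaffinity syscall. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <unistd.h>

struct ike_listener {
    int      fd;    /* UDP socket owned by one IKE thread */
    uint16_t port;  /* its general port, to be issued to the port conversion module */
};

/* Allocate one general port per IKE thread, scanning the reserved range from
 * low to high. A port that is already bound (EADDRINUSE) is skipped and the
 * next one tried; any other bind error aborts. Returns the number of
 * listeners set up; fewer than nthreads means the reserved range is too small. */
size_t allocate_general_ports(struct ike_listener *out, size_t nthreads,
                              uint16_t range_lo, uint16_t range_hi) {
    size_t n = 0;
    for (unsigned port = range_lo; n < nthreads && port <= range_hi; port++) {
        int fd = socket(AF_INET, SOCK_DGRAM, 0);
        if (fd < 0) break;
        struct sockaddr_in sa;
        memset(&sa, 0, sizeof sa);
        sa.sin_family = AF_INET;
        sa.sin_port = htons((uint16_t)port);
        sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* assumption: loopback demo */
        if (bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0) {
            out[n].fd = fd;
            out[n].port = (uint16_t)port;
            n++;
        } else {
            int err = errno;
            close(fd);
            if (err != EADDRINUSE) break;   /* busy port: keep scanning; anything else: stop */
        }
    }
    return n;
}

/* Pin the calling thread to one of the cores this process may run on,
 * round-robin by thread index (covers both "more cores than threads" and
 * "fewer cores than threads"). Returns the core chosen, or -1 on failure. */
#define MASK_WORDS 16                     /* 16 * 64 bits = 1024 CPUs */
int pin_to_core(size_t thread_idx) {
    unsigned long allowed[MASK_WORDS] = {0}, set[MASK_WORDS] = {0};
    const size_t nbits = 8 * sizeof(unsigned long);
    if (syscall(SYS_sched_getaffinity, 0, sizeof allowed, allowed) <= 0) return -1;
    size_t count = 0;
    for (size_t i = 0; i < MASK_WORDS * nbits; i++)
        count += (allowed[i / nbits] >> (i % nbits)) & 1;
    if (count == 0) return -1;
    size_t want = thread_idx % count, seen = 0;
    int core = -1;
    for (size_t i = 0; i < MASK_WORDS * nbits && core < 0; i++)
        if (((allowed[i / nbits] >> (i % nbits)) & 1) && seen++ == want) core = (int)i;
    set[core / nbits] |= 1UL << (core % nbits);
    return syscall(SYS_sched_setaffinity, 0, sizeof set, set) == 0 ? core : -1;
}

/* Send a constructed datagram to a listener's general port and read it back:
 * this is the socket receive queue the port conversion module delivers into. */
int probe_listener(const struct ike_listener *l) {
    static const char msg[] = "IKE_SA_INIT (constructed)";   /* constructed payload */
    struct sockaddr_in to;
    memset(&to, 0, sizeof to);
    to.sin_family = AF_INET;
    to.sin_port = htons(l->port);
    to.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0) return 0;
    ssize_t sent = sendto(s, msg, sizeof msg, 0, (struct sockaddr *)&to, sizeof to);
    close(s);
    if (sent != (ssize_t)sizeof msg) return 0;
    struct timeval tv = {2, 0};           /* do not hang if delivery fails */
    setsockopt(l->fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    char buf[64];
    ssize_t got = recv(l->fd, buf, sizeof buf, 0);
    return got == (ssize_t)sizeof msg && memcmp(buf, msg, sizeof msg) == 0;
}

int main(void) {
    struct ike_listener ls[4];
    size_t n = allocate_general_ports(ls, 4, 2001, 3000);
    for (size_t i = 0; i < n; i++)
        printf("thread %zu: port %u on core %d, probe %s\n", i, ls[i].port,
               pin_to_core(i), probe_listener(&ls[i]) ? "ok" : "failed");
    return 0;
}
```

The ports returned by `allocate_general_ports` are the port array that is issued to the port conversion module; a second allocation in the same range skips the ports already taken, which is the retry behaviour the loop above describes. On Linux the SO_REUSEPORT socket option offers a different route to the same goal: several UDP sockets bind port 500 directly and the kernel spreads datagrams across them by flow hash, with no port rewrite; the scheme on this page instead keeps one distinct port per thread so that the conversion module, not the socket layer, chooses the thread.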
In step 202 the port conversion module may perform the port conversion according to several different principles. For example, a general port may be assigned in advance to each peer device that will negotiate with the local device, that is, a correspondence table between peer devices and general ports is built beforehand; when an IKE message arrives, the general port corresponding to the sending peer is looked up in that table and the message's destination port is rewritten to it.
Another principle: when the first IKE message of a peer device arrives, an IKE thread under lighter load is chosen by a load-balancing algorithm and the correspondence between that peer device and the IKE thread (equivalently, the general port of that thread) is recorded; when further IKE messages from the same peer arrive, their destination port is rewritten to the recorded general port according to that correspondence; after all messages of the IKE negotiation have been processed, the correspondence is deleted.
A third principle: converting the destination port of each intercepted IKE message from the IKE dedicated port to the general port corresponding to the sending peer device specifically comprises: for each intercepted IKE message, mapping the source Internet Protocol (IP) address of the peer device that sent it to the port identifier of a general port listened on by an IKE thread according to a preset mapping rule; and rewriting the destination port from the IKE dedicated port to the general port corresponding to the mapped identifier. With this method no correspondence has to be stored in advance; the general port for a peer device is computed directly from the preset mapping rule, so destination port conversion of IKE messages is fast and simple.
Mapping the source IP address of the sending peer device to the port identifier of a general port according to the preset mapping rule comprises: for each intercepted IKE message, computing a hash of the source IP address, taking the hash modulo the total number of general ports listened on by the IKE process to obtain a general port identifier, and mapping the sending peer device to the general port listened on by exactly one IKE thread according to that identifier. The hash of the source IP address can be computed with the jhash function. Hashing spreads IKE messages evenly across the IKE threads, and jhash keeps collisions low and is fast to compute.
When the port conversion module holds a port array, the port identifier may be the index into that array. For example, if the IKE threads listen on 100 general ports numbered 2001 to 2100 in order, the hash is taken modulo 100 to give a value from 0 to 99, and the values 0 to 99 correspond one to one to the port numbers 2001 to 2100 (for instance, a modulo result of 30 selects port 2031 as the destination port).
To keep the converted IKE message from being discarded, the UDP checksum of each IKE message must be recomputed and updated after the port conversion and before step 204, because the checksum covers the destination port. The checksum computed on receipt then matches the checksum carried in the message, and the message is not dropped for a checksum mismatch.
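The hash-based port selection and the checksum fix-up described above are shown below as an added example, modelled in user space on a raw IPv4/UDP packet; it is not code from the patent or its assignee. In the kernel the same rewrite would run from a Netfilter hook registered with nf_register_net_hook() at NF_INET_PRE_ROUTING, before the UDP socket lookup. Assumptions: the kernel's jhash is replaced by FNV-1a (any well-mixed hash serves the modulo distribution), the four-entry port table and the sample packet are constructed, and the checksum is updated incrementally per RFC 1624 rather than re-summed.

```c
/* Added example (not code from the patent or its assignee): a user-space
 * model of step 202. Assumptions: FNV-1a stands in for jhash; the port table
 * and sample packet are constructed; IP header checksum is left zero. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IKE_PORT     500
#define IKE_NAT_PORT 4500
#define NPORTS       4
/* Port array issued by the IKE threads to the conversion module (constructed). */
const uint16_t general_ports[NPORTS] = {2001, 2002, 2003, 2004};

/* Stand-in for jhash: 32-bit FNV-1a over the four source-address bytes. */
static uint32_t hash_ipv4(const uint8_t addr[4]) {
    uint32_t h = 2166136261u;
    for (int i = 0; i < 4; i++) { h ^= addr[i]; h *= 16777619u; }
    return h;
}

/* Source IP -> identifier (hash mod port count) -> general port. */
uint16_t select_general_port(const uint8_t src_ip[4], const uint16_t *ports, size_t nports) {
    return ports[hash_ipv4(src_ip) % nports];
}

/* RFC 1624 incremental update: new checksum after replacing 16-bit word oldw by neww. */
static uint16_t csum_update16(uint16_t csum, uint16_t oldw, uint16_t neww) {
    uint32_t sum = (uint16_t)~csum;
    sum += (uint16_t)~oldw;
    sum += neww;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Full UDP checksum over pseudo-header and segment. Returns the value to store
 * when the checksum field is zero, and 0 when a stored checksum verifies. */
uint16_t udp_checksum(const uint8_t *pkt, size_t len) {
    size_t ihl = (pkt[0] & 0x0f) * 4, ulen = len - ihl;
    const uint8_t *udp = pkt + ihl;
    uint32_t sum = 17 + ulen;                                        /* protocol, UDP length */
    for (size_t i = 12; i < 20; i += 2) sum += (pkt[i] << 8) | pkt[i + 1];   /* src, dst IP */
    for (size_t i = 0; i + 1 < ulen; i += 2) sum += (udp[i] << 8) | udp[i + 1];
    if (ulen & 1) sum += udp[ulen - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Step 202: if the packet is IPv4/UDP to port 500 or 4500, rewrite the
 * destination port to the peer's general port and fix the UDP checksum in
 * place. Returns the new destination port, or 0 if the packet was left alone. */
uint16_t convert_ike_port(uint8_t *pkt, size_t len, const uint16_t *ports, size_t nports) {
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8 || pkt[9] != 17) return 0;        /* not UDP */
    uint8_t *udp = pkt + ihl;
    uint16_t dport = (uint16_t)((udp[2] << 8) | udp[3]);
    if (dport != IKE_PORT && dport != IKE_NAT_PORT) return 0;       /* not IKE */
    uint16_t nport = select_general_port(pkt + 12, ports, nports);
    udp[2] = nport >> 8; udp[3] = nport & 0xff;
    uint16_t csum = (uint16_t)((udp[6] << 8) | udp[7]);
    if (csum != 0) {                      /* 0 = sender disabled the UDP checksum */
        csum = csum_update16(csum, dport, nport);
        if (csum == 0) csum = 0xffff;     /* a zero result is transmitted as all ones */
        udp[6] = csum >> 8; udp[7] = csum & 0xff;
    }
    return nport;
}

/* Constructed sample packet: 203.0.113.7 -> 192.0.2.1, UDP 500 -> dport,
 * 8-byte placeholder payload, valid UDP checksum. Returns its length. */
size_t build_sample_packet(uint8_t *buf, uint16_t dport) {
    static const uint8_t payload[8] = {0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04};
    static const uint8_t src[4] = {203, 0, 113, 7}, dst[4] = {192, 0, 2, 1};
    size_t ulen = 8 + sizeof payload, tot = 20 + ulen;
    memset(buf, 0, tot);
    buf[0] = 0x45; buf[2] = tot >> 8; buf[3] = tot & 0xff; buf[8] = 64; buf[9] = 17;
    memcpy(buf + 12, src, 4); memcpy(buf + 16, dst, 4);
    uint8_t *udp = buf + 20;
    udp[0] = IKE_PORT >> 8; udp[1] = IKE_PORT & 0xff;
    udp[2] = dport >> 8;    udp[3] = dport & 0xff;
    udp[4] = ulen >> 8;     udp[5] = ulen & 0xff;
    memcpy(udp + 8, payload, sizeof payload);
    uint16_t c = udp_checksum(buf, tot);
    if (c == 0) c = 0xffff;
    udp[6] = c >> 8; udp[7] = c & 0xff;
    return tot;
}

int main(void) {
    uint8_t pkt[64];
    size_t len = build_sample_packet(pkt, IKE_PORT);
    uint16_t np = convert_ike_port(pkt, len, general_ports, NPORTS);
    printf("rewritten 500 -> %u, checksum %s\n", np,
           udp_checksum(pkt, len) == 0 ? "valid" : "BROKEN");
    return 0;
}
```

Because the general port is a pure function of the source address, every message of one negotiation from one peer lands on the same thread, which is the requirement stated above; the flip side is that all peers behind one NAT share a source address and therefore a thread. The incremental update only touches the two bytes that changed, so the rewrite cost does not grow with the IKE payload, and a zero checksum (UDP checksum disabled by the sender) is left untouched rather than "fixed" into a wrong value.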
After an IKE thread has processed an IKE message, the reply, whose destination is the peer's IKE dedicated port, is sent out through the IKE thread's UDP socket. Peers generally expect a reply to come from the port they addressed (500 or 4500), whereas the thread's own socket is bound to a general port, so the egress path has to present the dedicated port as the reply's source port.
Fig. 3 is a schematic diagram of the IKE message acquisition method. With this method the port conversion module working in the kernel rewrites the destination port of each IKE message, that is, IKE messages are distributed by port conversion in the kernel, so that different IKE threads handle different IKE messages and several IKE threads receive and process IKE messages concurrently, improving IKE negotiation efficiency.
Because the port conversion module at the transport layer is a kernel module, it runs with higher privilege and converts faster, so its distribution is more efficient; the embodiments of this specification therefore distribute IKE messages with a transport-layer port conversion module rather than with an application-layer process.
Corresponding to the embodiment of the IKE message acquisition method, the present specification also provides embodiments of an IKE message acquisition apparatus and a computer device applied thereto.
Fig. 4 is a block diagram of an IKE message acquisition apparatus according to an exemplary embodiment, applied to a local device. A port conversion module is created in advance to intercept IKE messages sent by peer devices whose destination port is the IKE dedicated port; at least two IKE threads of one IKE process are created in advance, each listening on one general port, with different IKE threads listening on different ports and different ports corresponding to different peer devices. The apparatus shown in Fig. 4 comprises:
a port conversion unit 410, configured to use the port conversion module to convert the destination port of each intercepted IKE packet to the port corresponding to the peer device that sent it; and
a message acquisition unit 420, configured to obtain IKE messages for processing by having each IKE thread listen on its corresponding port.
Further, the correspondence between general ports and peer devices may be either of the following: at least one general port corresponds to several peer devices; or each general port corresponds to exactly one peer device.
Further, the port conversion unit 410 specifically comprises: a port mapping subunit 411, configured to map, for each intercepted IKE message, the source Internet Protocol (IP) address of the peer device that sent it to the port identifier of a general port listened on by an IKE thread according to a preset mapping rule; and a port conversion subunit 412, configured to convert the destination port of the IKE packet from the IKE dedicated port to the general port corresponding to the mapped port identifier.
Further, the port mapping subunit 411 is specifically configured to: for each intercepted IKE message, compute a hash of the source IP address, take the hash modulo the total number of general ports listened on by the IKE process to obtain a general port identifier, and map the sending peer device to the general port listened on by exactly one IKE thread according to that identifier.
The implementation of the functions and actions of each unit in the above apparatus is described in detail under the corresponding step of the above method and is not repeated here.
Since the apparatus embodiments substantially correspond to the method embodiments, reference may be made to the relevant parts of the description of the method embodiments. The apparatus embodiments described above are merely illustrative: the units described as separate parts may or may not be physically separate, and parts shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution in this specification. One of ordinary skill in the art can understand and implement this without inventive effort.
As shown in fig. 5, fig. 5 is a hardware structure diagram of a computer device in which an apparatus for issuing an aggregated link configuration to a switch chip according to an embodiment is located, where the device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein the processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 are communicatively coupled to each other within the device via bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits, and is configured to execute related programs to implement the technical solutions provided in the embodiments of the present disclosure.
The memory 1020 may be implemented in the form of a ROM (Read Only Memory), a RAM (Random Access Memory), a static storage device, a dynamic storage device, or the like. The memory 1020 may store an operating system and other application programs; when the technical solution provided by the embodiments of the present specification is implemented by software or firmware, the relevant program code is stored in the memory 1020 and is loaded and executed by the processor 1010.
The input/output interface 1030 is used for connecting an input/output module to input and output information. The input/output module may be configured as a component in the device (not shown) or may be external to the device to provide the corresponding function. The input devices may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and the output devices may include a display, a speaker, a vibrator, an indicator light, etc.
The communication interface 1040 is used for connecting a communication module (not shown in the drawings) to implement communication interaction between the present apparatus and other apparatuses. The communication module can realize communication in a wired mode (such as USB, network cable and the like) and also can realize communication in a wireless mode (such as mobile network, WIFI, Bluetooth and the like).
Bus 1050 includes a path that transfers information between various components of the device, such as processor 1010, memory 1020, input/output interface 1030, and communication interface 1040.
It should be noted that although the above-mentioned device only shows the processor 1010, the memory 1020, the input/output interface 1030, the communication interface 1040 and the bus 1050, in a specific implementation, the device may also include other components necessary for normal operation. In addition, those skilled in the art will appreciate that the above-described apparatus may also include only those components necessary to implement the embodiments of the present description, and not necessarily all of the components shown in the figures.
The embodiments of the present specification further provide a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the method for acquiring an IKE message according to the first aspect of the embodiments of the present specification.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
Other embodiments of the present description will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This specification is intended to cover any variations, uses, or adaptations of the specification following, in general, the principles of the specification and including such departures from the present disclosure as come within known or customary practice within the art to which the specification pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the specification being indicated by the following claims.
It will be understood that the present description is not limited to the precise arrangements described above and shown in the drawings, and that various modifications and changes may be made without departing from the scope thereof. The scope of the present description is limited only by the appended claims.
The above description is only a preferred embodiment of the present disclosure, and should not be taken as limiting the present disclosure, and any modifications, equivalents, improvements, etc. made within the spirit and principle of the present disclosure should be included in the scope of the present disclosure.

Claims (10)

1. A key management protocol IKE message acquisition method, characterized in that the method is applied to a local device; a port conversion module is created in advance to intercept IKE messages that are sent by a peer device and whose destination port is the IKE dedicated port; at least two IKE threads of an IKE process are created in advance, each IKE thread listens on one universal port, different IKE threads listen on different universal ports, and different universal ports correspond to different peer devices; the method comprises the following steps:
the port conversion module converts the destination port of each intercepted IKE message from the IKE dedicated port to the universal port corresponding to the peer device that sent the IKE message;
each IKE thread obtains IKE messages for processing by listening on its corresponding universal port.
2. The method of claim 1, wherein the correspondence between universal ports and peer devices comprises:
at least one universal port corresponds to a plurality of peer devices;
or,
each universal port corresponds one-to-one to a peer device.
3. The method according to claim 1, wherein converting the destination port of the intercepted IKE message from the IKE dedicated port to the universal port corresponding to the peer device that sent the IKE message specifically comprises:
for each intercepted IKE message, mapping the source Internet Protocol (IP) address of the peer device that sent the IKE message to the port identifier of a universal port listened on by an IKE thread, according to a preset mapping relationship;
and converting the destination port of the IKE message from the IKE dedicated port to the universal port corresponding to the mapped port identifier.
4. The method according to claim 3, wherein mapping, for each intercepted IKE message and according to a preset mapping relationship, the source Internet Protocol (IP) address of the peer device that sent the IKE message to the port identifier of a universal port listened on by an IKE thread specifically comprises:
for each intercepted IKE message, calculating a hash value of the source IP address, taking that hash value modulo the total number of universal ports listened on by the IKE process to obtain a universal port identifier, and, according to that universal port identifier, mapping the peer device that sent the IKE message to the universal port listened on by one IKE thread.
5. An IKE message acquisition apparatus, characterized in that it is applied to a local device; a port conversion module is created in advance to intercept IKE messages that are sent by a peer device and whose destination port is the IKE dedicated port; at least two IKE threads of an IKE process are created in advance, each IKE thread listens on one universal port, different IKE threads listen on different universal ports, and different universal ports correspond to different peer devices; the apparatus comprises:
a port conversion unit, configured to convert, through the port conversion module, the destination port of each intercepted IKE message to the universal port corresponding to the peer device that sent the IKE message;
and a message acquisition unit, configured to have each IKE thread obtain IKE messages for processing by listening on its corresponding universal port.
6. The apparatus of claim 5, wherein the correspondence between universal ports and peer devices comprises:
at least one universal port corresponds to a plurality of peer devices;
or,
each universal port corresponds one-to-one to a peer device.
7. The apparatus of claim 5, wherein the port conversion unit specifically comprises:
a port mapping subunit, configured to map, for each intercepted IKE message and according to a preset mapping relationship, the source Internet Protocol (IP) address of the peer device that sent the IKE message to the port identifier of a universal port listened on by an IKE thread;
and a port conversion subunit, configured to convert the destination port of the IKE message from the IKE dedicated port to the universal port corresponding to the mapped port identifier.
8. The apparatus of claim 7, wherein the port mapping subunit is specifically configured to:
for each intercepted IKE message, calculate a hash value of the source IP address, take that hash value modulo the total number of universal ports listened on by the IKE process to obtain a universal port identifier, and, according to that universal port identifier, map the peer device that sent the IKE message to the universal port listened on by one IKE thread.
9. A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the IKE message acquisition method as recited in any one of claims 1 to 4.
10. A computer device, characterized in that the computer device comprises:
one or more processors;
a memory for storing one or more programs;
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the IKE message acquisition method as recited in any one of claims 1 to 4.
CN202011534201.1A 2020-12-22 2020-12-22 IKE message acquisition method and device Active CN112702338B (en)
Publications (2)

Publication Number Publication Date
CN112702338A true CN112702338A (en) 2021-04-23
CN112702338B CN112702338B (en) 2022-07-01
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant