CN113014559A - Message processing method and device - Google Patents


Info

Publication number
CN113014559A
Authority
CN
China
Prior art keywords
public network
interface
address
user equipment
network interface
Prior art date
Legal status
Withdrawn
Application number
CN202110186766.3A
Other languages
Chinese (zh)
Inventor
韩超
Current Assignee
New H3C Security Technologies Co Ltd
Original Assignee
New H3C Security Technologies Co Ltd
Priority date
Filing date
Publication date
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a message processing method and device. The method is applied to a security device and comprises the following steps: receiving a service packet sent by first user equipment; determining, according to an acquired first route forwarding table corresponding to the first user equipment, a first outgoing interface and a first next hop address corresponding to the private network IP address of second user equipment, wherein the first outgoing interface is a first public network interface corresponding to the first user equipment on the security device, and the first next hop address is the public network IP address of a second public network interface corresponding to the second user equipment on the security device; according to the first next hop address, sending the service packet to the second public network interface through an IPsec VPN tunnel established between the first public network interface and the second public network interface; and sending the service packet to the second user equipment through the second public network interface. With the method and device, tenants on the same security device can access each other using public network IP addresses.

Description

Message processing method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for processing a packet.
Background
In a cloud scenario, a Software Defined Network (SDN) hosting system is deployed on the cloud platform; it can interconnect with the security devices of tenants (such as tenant firewall devices) and steer traffic to them. Technicians can issue control commands to the security devices through the SDN hosting system, so as to manage the security devices of multiple tenants in a unified way.
At present, a security device generally adopts a multi-tenant context sharing mode to realize tenant division and isolation, that is, virtualization is performed on the security device, and one security device corresponds to multiple tenants. In the tenant sharing context mode, a downlink interface of the security device is divided into a plurality of downlink sub-interfaces, and each downlink sub-interface binds to a Virtual Private Network (VPN) to which the tenant belongs. For example, the security device provides services for tenant 1 and tenant 2, the downstream sub-interface 1 on the security device binds to the VPN to which the tenant 1 belongs, and the downstream sub-interface 2 on the security device binds to the VPN to which the tenant 2 belongs.
In practical applications, tenants often require cross-tenant Virtual Private Cloud (VPC) mutual access: traffic between the user equipment of different tenants must be able to flow in both directions, with the security device providing protection, for example when tenant 1 needs to access tenant 2. However, in the SDN hosting system, the security domains and address information of different tenants are not visible to each other. For example, when a technician configures the routing table corresponding to the user equipment of tenant 1 in the SDN hosting system, the next hop address corresponding to the user equipment of tenant 2 cannot be seen, and the SDN hosting system also does not allow the VPN bound to a downlink sub-interface to be used as a destination VPN. Static routes across VPNs therefore cannot be configured in the SDN hosting system, the inter-tenant access function cannot be realized, and the tenant experience is poor.
Disclosure of Invention
In order to overcome the problems in the related art, the application provides a message processing method and device.
According to a first aspect of an embodiment of the present application, a method for processing a packet is provided, where the method is applied to a security device, and the method includes:
receiving a service packet sent by first user equipment, wherein the destination address of the service packet is the private network IP address of second user equipment, and the first user equipment and the second user equipment are both user equipment connected to the security device;
determining, according to an acquired first route forwarding table corresponding to the first user equipment, a first outgoing interface and a first next hop address corresponding to the private network IP address of the second user equipment, wherein the first route forwarding table comprises a correspondence between a destination address, an outgoing interface and a next hop address, the first outgoing interface is a first public network interface corresponding to the first user equipment on the security device, and the first next hop address is the public network IP address of a second public network interface corresponding to the second user equipment on the security device;
according to the first next hop address, sending the service packet to the second public network interface through an IP security (IPsec) VPN tunnel established between the first public network interface and the second public network interface; and
sending the service packet to the second user equipment through the second public network interface.
According to a second aspect of the embodiments of the present application, there is provided a packet processing apparatus, where the apparatus is applied to a security device, and the apparatus includes:
a receiving module, configured to receive a service packet sent by first user equipment, wherein the destination address of the service packet is the private network IP address of second user equipment, and the first user equipment and the second user equipment are both user equipment connected to the security device;
a determining module, configured to determine, according to an obtained first route forwarding table corresponding to the first user equipment, a first outgoing interface and a first next hop address that correspond to a private network IP address of the second user equipment, where the first route forwarding table includes a corresponding relationship between a destination address, an outgoing interface, and a next hop address, the first outgoing interface is a first public network interface corresponding to the first user equipment on the security device, and the first next hop address is a public network IP address of a second public network interface corresponding to the second user equipment on the security device;
a first sending module, configured to send the service packet to the second public network interface through an IPsec VPN tunnel created between the first public network interface and the second public network interface according to the first next hop address;
and the second sending module is used for sending the service message to the second user equipment through the second public network interface.
The technical scheme provided by the embodiment of the application can have the following beneficial effects:
in the embodiment of the application, after a security device receives a service packet sent by first user equipment, it first determines, according to an acquired first route forwarding table corresponding to the first user equipment, a first outgoing interface and a first next hop address corresponding to the private network IP address of second user equipment, wherein the first outgoing interface is a first public network interface corresponding to the first user equipment on the security device, and the first next hop address is the public network IP address of a second public network interface corresponding to the second user equipment on the security device; then, according to the first next hop address, the security device sends the service packet to the second public network interface through an IPsec VPN tunnel established between the first public network interface and the second public network interface; finally, the security device sends the service packet to the second user equipment through the second public network interface. In this way, tenants on the same security device use public network IP addresses for mutual access, and the tenant experience is improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
Fig. 1 is a schematic architecture diagram of a network system according to an embodiment of the present application;
fig. 2 is a schematic flowchart of a message processing method according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of a message processing apparatus according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
Next, examples of the present application will be described in detail.
The embodiment of the application provides a message processing method that can be applied to a security device, which can be a firewall device or another kind of security device. The security device can be applied in an SDN-managed scenario. SDN is a network architecture whose core idea is to separate the control plane and the forwarding plane of network equipment and to control network traffic centrally and flexibly through a controller, providing a platform for innovation in the core network and its applications. In this embodiment of the application, the SDN hosting system is the control plane of the SDN network, and a technician may issue instructions through an administrator terminal to a management server running the SDN hosting system in order to configure network devices (such as security devices or routing devices) in the SDN network.
Fig. 1 is a schematic diagram of a network system according to an embodiment of the present application. The network system comprises a management server running the SDN hosting system, a management area switch, an administrator terminal, a border router, a security device, an access device and the user equipment of tenants (such as user equipment 1 and user equipment 2 shown in Fig. 1). The management server is connected to the security device through the management area switch and the access device. In this way, a technician can issue control instructions to the security device through the SDN hosting system to manage the security devices of multiple tenants in a unified way. The uplink interface of the security device may be connected to the border router, through which the Internet is reached. The downlink interface of the security device may be connected to the access device, which may include a core switch and an access switch. The user equipment may be connected to the access device and reaches the security device through it, so that its network access goes through the security device.
In practical applications, the security device is usually virtualized into multiple virtual devices (contexts, i.e., virtual firewalls) to provide services for tenants. The security device in the embodiment of the present application may be an independent security device, or may be a context obtained through virtualization. Taking a context as an example, in the multi-tenant shared context mode, one security device (i.e., one context) may provide services for multiple tenants. The user equipment of a tenant usually communicates with the security device through a VPN; on this basis, the downlink interface of the security device is divided into multiple downlink sub-interfaces, and each downlink sub-interface is bound to the VPN of a tenant, so as to communicate with the different user equipment.
For example, as shown in Fig. 1, the security device provides services for user equipment 1 and user equipment 2. The downlink interface of the security device may be divided into downlink sub-interface 1 and downlink sub-interface 2, where the VPN bound to downlink sub-interface 1 is VPN1 and the VPN bound to downlink sub-interface 2 is VPN2. User equipment 1 and user equipment 2 belong to different VPNs; for example, user equipment 1 belongs to VPN1 and user equipment 2 belongs to VPN2. Since VPNs are usually divided per tenant, if a tenant has multiple user equipment, they all belong to the same VPN and correspond to the same downlink sub-interface.
Under the network architecture of the above network system, as shown in fig. 2, the method is applied to a security device, and the method may include the following steps:
S21: receiving the service packet sent by the first user equipment.
In this step, the destination address of the service packet is the private network IP address of the second user equipment, that is, the service packet is a service packet of the first user equipment accessing the second user equipment.
It should be noted that the first user equipment and the second user equipment are both the user equipment accessing the security equipment.
S22: determining a first outgoing interface and a first next hop address corresponding to the private network IP address of the second user equipment according to the acquired first route forwarding table corresponding to the first user equipment.
In this step, the first routing forwarding table includes a corresponding relationship between a destination address, an outgoing interface, and a next hop address, where the first outgoing interface is a first public network interface corresponding to a first user device on the security device, and the first next hop address is a public network IP address of a second public network interface corresponding to a second user device on the security device.
S23: according to the first next hop address, sending the service packet to the second public network interface through the IPsec VPN tunnel established between the first public network interface and the second public network interface.
S24: sending the service packet to the second user equipment through the second public network interface.
Specifically, in this embodiment of the application, when the first user equipment of step S21 needs to access the second user equipment, it may generate a service packet according to a preset packet generation policy, with the private network IP address of the first user equipment as the source address and the private network IP address of the second user equipment as the destination address. The first user equipment may then send the service packet to the access device through the corresponding first VPN. The access device may have a policy route pre-stored and forwards the service packet to the security device according to that policy route, and the security device then receives the service packet through the first downlink sub-interface bound to the first VPN.
In step S22, the first route forwarding table is obtained by the security device in the following manner:
determining a first VPN corresponding to a first downlink sub-interface according to a pre-configured corresponding relationship between the downlink sub-interface and the VPN, wherein the first downlink sub-interface is a downlink sub-interface for receiving a service message;
and determining a route forwarding table corresponding to the first VPN according to a pre-stored corresponding relation between the VPN and the route forwarding table, and taking the route forwarding table as the first route forwarding table.
It should be noted that, in the embodiment of the present application, each downstream subinterface of the security device may bind to a VPN to which a tenant belongs, that is, the security device stores a correspondence between the downstream subinterface and the VPN.
The security device also stores route forwarding tables corresponding to the user equipment of each tenant, so that tenants can access each other. Each route forwarding table comprises a correspondence between a destination address, an outgoing interface and a next hop address, and a correspondence between the VPN to which the tenant belongs and the route forwarding table is established. The outgoing interface may be an interface that the security device designates for the tenant for mutual access with other tenants. These route forwarding tables may be configured by the security device based on routing configuration instructions sent by the management server. Taking the first route forwarding table as an example, the configuration process is as follows: the security device receives from the management server a routing configuration instruction for configuring the first route forwarding table, where the instruction includes the identifier of the first public network interface, the private network IP address of the second user equipment and the public network IP address of the second public network interface (that is, the SDN hosting system on the management server allocates a public network IP address in advance to the public network interface of the tenant to which the second user equipment belongs); it then configures the first route forwarding table with a forwarding entry whose destination address is the private network IP address of the second user equipment, whose outgoing interface is the first public network interface and whose next hop address is the address of the second public network interface.
Table 1 shows an example of a route forwarding table provided in the embodiment of the present application.
Table 1
Destination address   Outgoing interface          Next hop address
40.1.1.6              Public network interface 2  131.0.0.5
50.1.1.13             Public network interface 1  131.0.0.12
In Table 1, 40.1.1.6 is the private network IP address of user equipment 1 of tenant 1, public network interface 2 is the public network interface corresponding to tenant 2, and 131.0.0.5 is the public network IP address of public network interface 1, the public network interface corresponding to tenant 1; 50.1.1.13 is the private network IP address of user equipment 2 of tenant 2, public network interface 1 is the public network interface corresponding to tenant 1, and 131.0.0.12 is the public network IP address of public network interface 2, the public network interface corresponding to tenant 2.
It should be noted that, in the embodiment of the present application, a public network interface is provided for each tenant that needs mutual access. Through these public network interfaces, an interconnection-interface function similar to that of cross-context (i.e., cross security device) mode is implemented inside a single context, so that both the outgoing interface and the next hop interface are within the context. The SDN hosting system additionally allocates a public network IP address to each such public network interface and configures a route forwarding table for cross-VPN mutual access. Because the public network interfaces are all within the same context, the default inter-domain policy between these VPNs is fully open.
Therefore, after receiving a service message sent by the first user equipment through the first downlink subinterface, the security device may analyze the service message to obtain a destination address (i.e., a private network IP address of the second user equipment) carried therein, and then, according to a pre-stored correspondence between the downlink subinterface and the VPN, the security device determines a first VPN corresponding to the first downlink subinterface, and further according to a pre-stored correspondence between the VPN and the route forwarding table, determines a first route forwarding table corresponding to the first VPN, so as to search for a first outgoing interface and a first next hop address corresponding to the destination address of the service message in the first route forwarding table. The first output interface is a first public network interface corresponding to a first user device on the security device, and the first next hop address is a public network IP address of a second public network interface corresponding to a second user device on the security device.
In the step S23, the IPsec VPN tunnel is mainly created to implement cross-tenant VPC mutual access using the public network IP address of the tenant, and the IPsec VPN tunnel is used to improve the transmission security of the service packet.
Specifically, when the security device receives from the management server the tunnel configuration information required to create an IPsec VPN tunnel between the first public network interface and the second public network interface, it creates the IPsec VPN tunnel between the two interfaces according to that tunnel configuration information. Here, the first public network interface and the second public network interface may be the same interface or different interfaces.
It should be noted that the tunnel configuration information may include a related negotiation parameter required to determine an Internet Key Exchange (IKE) Security Association (SA) in a first stage when negotiating to establish an IPsec VPN tunnel between the first public network interface and the second public network interface, and a related negotiation parameter required to determine an IPsec SA in a second stage.
It should be further noted that, since the first public network interface and the second public network interface are both on the same security device, when the security device creates the IPsec VPN tunnel the related negotiation packets do not pass through the internal loopback (InLoopBack) port of the security device; the rest of the creation process is the same as for an existing IPsec VPN tunnel and is not described in detail here.
Specifically, in step S24, when the security device sends the service packet to the second user equipment through the second public network interface, the following steps may be performed:
step one, according to the corresponding relation between the public network interface and the VPN which is configured in advance, a second VPN corresponding to the second public network interface is determined.
In this step, the corresponding relationship may be configured by the security device based on a public network interface configuration instruction sent by the management server. The public network interface configuration instruction comprises identification information of each public network interface and the corresponding VPN.
And step two, determining a second route forwarding table corresponding to a second VPN according to a pre-stored corresponding relation between the VPN and the route forwarding table, wherein the second route forwarding table comprises a corresponding relation between a destination address, an outgoing interface and a next hop address.
For example, the second route forwarding table is shown in Table 2 below.
Table 2
Destination address   Outgoing interface          Next hop address
40.1.1.6              Public network interface 1  2.1.1.2
50.1.1.13             Public network interface 2  1.1.1.1
In Table 2, 40.1.1.6 is the private network IP address of user equipment 1 of tenant 1, public network interface 1 is the public network interface corresponding to tenant 1, and 2.1.1.2 is the IP address of the downlink sub-interface corresponding to user equipment 1; 50.1.1.13 is the private network IP address of user equipment 2 of tenant 2, public network interface 2 is the public network interface corresponding to tenant 2, and 1.1.1.1 is the IP address of the downlink sub-interface corresponding to user equipment 2.
And step three, according to the second routing forwarding table, determining a second outgoing interface and a second next hop address corresponding to the private network IP address of the second user equipment, wherein the second outgoing interface is a second public network interface corresponding to the second user equipment on the safety equipment, and the second next hop address is an address of a second downlink sub-interface corresponding to the second user equipment on the safety equipment.
Step four, according to the second next hop address, the service message is sent to a second downlink sub-interface through a second public network interface;
and step five, sending the service message through the second downlink sub-interface.
Through the above process, the first user equipment accesses the second user equipment by using the corresponding public network IP address, so that not only is the tenant experience improved, but also the access security is improved.
The following describes the above message processing method in detail with reference to specific embodiments.
Still taking the network architecture diagram shown in fig. 1 as an example, assume that the private network IP address of the user equipment 1 of tenant 1 is 40.1.1.6 (as shown in table one), the VPN to which tenant 1 belongs is VPN1, the downstream sub-interface 1 on the security device is bound with VPN1, and the public network IP address of the public network interface 1 corresponding to user equipment 1 is 131.0.0.5 (as shown in table one); assume that the private network IP address of the user device 2 of tenant 2 is 50.1.1.13 (as shown in table one), the VPN to which tenant 2 belongs is VPN2, the downstream sub-interface 2 on the security device binds to VPN2, and the public network IP address of the public network interface 2 corresponding to user device 2 is 131.0.0.12 (as shown in table one). Assume that the security device has established an IPsec VPN tunnel 1 between public network interface 1 and public network interface 2.
Assuming that the user equipment 1 needs to access the user equipment 2, the user equipment 1 sends a service message 1 of accessing the user equipment 2 to the security equipment through the access equipment. Wherein, the source IP address of the service packet 1 is 40.1.1.6, and the destination IP address is 50.1.1.13.
The security device receives service packet 1 through downlink sub-interface 1 and determines an outgoing interface and a next hop address according to the obtained route forwarding table corresponding to VPN1. Assuming that the route forwarding table corresponding to VPN1 is the one shown in Table 1, the outgoing interface is public network interface 1 and the next hop address is 131.0.0.12.
Next, the security device sends the service packet 1 to the public network interface 2 through the IPsec VPN tunnel 1. Here, the specific tunnel encapsulation process is the prior art and will not be described in detail here.
After the packet encapsulated in IPsec VPN tunnel 1 is received at public network interface 2, the security device decapsulates it to obtain service packet 1 and further determines an outgoing interface and a next hop address according to the route forwarding table corresponding to VPN2. Assuming that the route forwarding table corresponding to VPN2 is the one shown in Table 2, the outgoing interface is public network interface 2 and the next hop address is 1.1.1.1 (i.e., the IP address of downlink sub-interface 2).
The security device sends the service message 1 to the downlink sub-interface 2 through the public network interface 2, and further finally sends the service message 1 through the downlink sub-interface 2, that is, the service message 1 finally arrives at the user device 2.
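As an added illustration (not code from the patent or from H3C), the following Python model traces the forwarding path of steps S21 to S24, including steps one to five of S24, with the addresses of Tables 1 and 2; interface names such as sub1 and pub1 are assumed labels, and the TunnelFrame class only stands in for IPsec encapsulation. It also carries the checks a defender would expect at each stage: a missing route, or a next hop that is not reachable through a configured tunnel, drops the packet instead of forwarding it across tenants.

```python
"""Model of the cross-tenant forwarding path of steps S21-S24 (one security
device/context serving two tenants).  Added illustration, not the patent's or
H3C's code; interface names (sub1, pub1, ...) are assumed labels."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str  # private network IP address of the sending user equipment
    dst: str  # private network IP address of the target user equipment


@dataclass(frozen=True)
class TunnelFrame:
    """Stand-in for the IPsec-encapsulated service packet (outer header + inner packet)."""
    outer_src: str
    outer_dst: str
    inner: Packet


@dataclass(frozen=True)
class RouteEntry:
    out_iface: str  # outgoing interface
    next_hop: str   # next hop address


class SecurityDevice:
    def __init__(self) -> None:
        # Downlink sub-interface -> VPN binding (one sub-interface per tenant).
        self.subif_vpn: Dict[str, str] = {"sub1": "VPN1", "sub2": "VPN2"}
        # Public network interface -> VPN binding (public interface configuration instruction).
        self.pubif_vpn: Dict[str, str] = {"pub1": "VPN1", "pub2": "VPN2"}
        # Public IP addresses allocated to the public interfaces by the SDN hosting system.
        self.pubif_addr: Dict[str, str] = {"pub1": "131.0.0.5", "pub2": "131.0.0.12"}
        # Addresses of the downlink sub-interfaces (the next hops of Table 2).
        self.subif_addr: Dict[str, str] = {"sub1": "2.1.1.2", "sub2": "1.1.1.1"}
        # Per-VPN route forwarding tables: Table 1 for VPN1, Table 2 for VPN2.
        self.rft: Dict[str, Dict[str, RouteEntry]] = {
            "VPN1": {"40.1.1.6": RouteEntry("pub2", "131.0.0.5"),
                     "50.1.1.13": RouteEntry("pub1", "131.0.0.12")},
            "VPN2": {"40.1.1.6": RouteEntry("pub1", "2.1.1.2"),
                     "50.1.1.13": RouteEntry("pub2", "1.1.1.1")},
        }
        # IPsec VPN tunnels between public interfaces of this device (unordered pairs).
        self.tunnels: Set[FrozenSet[str]] = {frozenset(("pub1", "pub2"))}
        self._pubif_by_addr = {a: i for i, a in self.pubif_addr.items()}
        self._subif_by_addr = {a: i for i, a in self.subif_addr.items()}

    def lookup(self, vpn: str, dst: str) -> Optional[RouteEntry]:
        return self.rft.get(vpn, {}).get(dst)

    def forward(self, in_subif: str, pkt: Packet) -> Tuple[Optional[str], List[str]]:
        """Return (delivering downlink sub-interface or None if dropped, decision trace)."""
        trace: List[str] = []
        # S21/S22: the packet arrives on a downlink sub-interface; its bound VPN selects the table.
        vpn1 = self.subif_vpn[in_subif]
        e1 = self.lookup(vpn1, pkt.dst)
        if e1 is None:
            trace.append(f"drop: no route for {pkt.dst} in the {vpn1} table")
            return None, trace
        trace.append(f"S22: {vpn1} table -> out {e1.out_iface}, next hop {e1.next_hop}")
        # S23: the next hop is the public IP of another public interface on this device, so the
        # packet may only leave through the IPsec tunnel configured between the two interfaces.
        peer = self._pubif_by_addr.get(e1.next_hop)
        if peer is None or frozenset((e1.out_iface, peer)) not in self.tunnels:
            trace.append(f"drop: no IPsec VPN tunnel from {e1.out_iface} to {e1.next_hop}")
            return None, trace
        frame = TunnelFrame(self.pubif_addr[e1.out_iface], e1.next_hop, pkt)
        trace.append(f"S23: encapsulate {frame.outer_src} -> {frame.outer_dst} via tunnel")
        # S24 steps one/two: the receiving public interface selects the second VPN and its table.
        vpn2 = self.pubif_vpn[peer]
        e2 = self.lookup(vpn2, frame.inner.dst)
        if e2 is None:
            trace.append(f"drop: no route for {frame.inner.dst} in the {vpn2} table")
            return None, trace
        # S24 steps three to five: the next hop must be a downlink sub-interface of this device,
        # reached through the same public interface that received the tunnel frame.
        out_subif = self._subif_by_addr.get(e2.next_hop)
        if out_subif is None or e2.out_iface != peer:
            trace.append(f"drop: {vpn2} entry does not point at a local downlink sub-interface")
            return None, trace
        trace.append(f"S24: {vpn2} table -> {e2.out_iface}, next hop {e2.next_hop} ({out_subif})")
        return out_subif, trace


def demo() -> Tuple[Optional[str], List[str]]:
    """Service packet 1 of the worked example: user equipment 1 (40.1.1.6) to user equipment 2."""
    return SecurityDevice().forward("sub1", Packet("40.1.1.6", "50.1.1.13"))


if __name__ == "__main__":
    delivered, steps = demo()
    print("\n".join(steps))
    print("delivered via:", delivered)
```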
In summary, in the embodiment of the present application, after the security device receives the service packet sent by the first user equipment, it first determines, according to the acquired first route forwarding table corresponding to the first user equipment, a first outgoing interface and a first next hop address corresponding to the private network IP address of the second user equipment, where the first outgoing interface is the first public network interface corresponding to the first user equipment on the security device and the first next hop address is the public network IP address of the second public network interface corresponding to the second user equipment on the security device; then, according to the first next hop address, the security device sends the service packet to the second public network interface through the IPsec VPN tunnel established between the first public network interface and the second public network interface; finally, the security device sends the service packet to the second user equipment through the second public network interface. In this way, tenants on the same security device access each other using public network IP addresses, and the tenant experience is improved.
Based on the same inventive concept, the present application further provides a message processing apparatus, which is applied to a security device, for example, the security device may be a firewall device, and the schematic structural diagram of the message processing apparatus is shown in fig. 3, and specifically includes:
a receiving module 31, configured to receive a service packet sent by first user equipment, where the destination address of the service packet is a private network IP address of second user equipment, and the first user equipment and the second user equipment are both user equipment accessing the security device;
a determining module 32, configured to determine, according to an obtained first route forwarding table corresponding to the first user equipment, a first outgoing interface and a first next hop address that correspond to a private network IP address of the second user equipment, where the first route forwarding table includes a corresponding relationship between a destination address, an outgoing interface, and a next hop address, the first outgoing interface is a first public network interface corresponding to the first user equipment on the security device, and the first next hop address is a public network IP address of a second public network interface corresponding to the second user equipment on the security device;
a first sending module 33, configured to send the service packet to the second public network interface through an IPsec VPN tunnel created between the first public network interface and the second public network interface according to the first next hop address;
a second sending module 34, configured to send the service packet to the second user equipment through the second public network interface.
Preferably, the apparatus further comprises:
an obtaining module (not shown in fig. 3) configured to obtain a first routing forwarding table by:
determining a first VPN corresponding to a first downlink sub-interface according to a pre-configured corresponding relationship between the downlink sub-interface and the VPN, wherein the first downlink sub-interface is a downlink sub-interface for receiving the service message;
and determining a route forwarding table corresponding to the first VPN according to a pre-stored corresponding relation between the VPN and the route forwarding table, and taking the route forwarding table as the first route forwarding table.
Preferably, the first sending module 33 is specifically configured to:
determining a second VPN corresponding to the second public network interface according to a pre-configured corresponding relationship between the public network interface and the VPN;
determining a second routing forwarding table corresponding to a second VPN according to a pre-stored corresponding relationship between the VPN and the routing forwarding table, wherein the second routing forwarding table comprises a corresponding relationship between a destination address, an egress interface and a next hop address;
determining a second outgoing interface and a second next hop address corresponding to the private network IP address of the second user equipment according to the second route forwarding table, wherein the second outgoing interface is the second public network interface corresponding to the second user equipment on the security device, and the second next hop address is the address of a second downlink sub-interface corresponding to the second user equipment on the security device;
according to the second next hop address, the service message is sent to the second downlink sub-interface through the second public network interface;
and sending the service message through the second downlink sub-interface.
Preferably, the apparatus further comprises:
a first configuration module (not shown in fig. 3), configured to receive a routing configuration instruction, sent by a management server, for configuring the first routing forwarding table, where the routing configuration instruction includes an identifier of the first public network interface, a private network IP address of the second user equipment, and a public network IP address of the second public network interface;
and to configure, in the first route forwarding table, a forwarding table entry whose destination address is the private network IP address of the second user equipment, whose outgoing interface is the first public network interface, and whose next hop address is the public network IP address of the second public network interface.
Preferably, the apparatus further comprises:
a second configuration module (not shown in fig. 3), configured to receive tunnel configuration information sent by a management server, where the tunnel configuration information is tunnel configuration information required when an IPsec VPN tunnel is created between the first public network interface and the second public network interface;
and establishing an IPsec VPN tunnel between the first public network interface and the second public network interface according to the tunnel configuration information.
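The forwarding path traced above for fig. 1 (user equipment 1 to user equipment 2 through IPsec VPN tunnel 1) and the modules just listed (per-VPN route forwarding tables selected by the ingress downlink sub-interface or by the public network interface, the routing configuration instruction, and the tunnel configuration) can be exercised in a small model. The following Python is an added example written for this page; it is not code from the patent or from the applicant. The interface names (downlink-subif-1, public-if-1, ipsec-tunnel-1 and so on), the address 2.2.2.2 for downlink sub-interface 1, and the binding of public network interface 1 to VPN1 are assumptions not stated in the description; route lookup is exact-match rather than longest-prefix, and IPsec encapsulation is represented only as a hop between the two interfaces.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RouteEntry:
    """One row of a per-VPN route forwarding table: destination, outgoing interface, next hop."""
    destination: str
    out_interface: str
    next_hop: str


@dataclass
class Packet:
    src: str
    dst: str
    trace: List[str] = field(default_factory=list)   # forwarding decisions, for inspection


class SecurityDevice:
    """Toy model of the multi-tenant security device; all state is per VPN (tenant)."""

    def __init__(self) -> None:
        self.subif_vpn: Dict[str, str] = {}      # downlink sub-interface -> VPN
        self.subif_addr: Dict[str, str] = {}     # downlink sub-interface -> its IP address
        self.pubif_vpn: Dict[str, str] = {}      # public network interface -> VPN
        self.pubif_addr: Dict[str, str] = {}     # public network interface -> public IP
        self.rib: Dict[str, List[RouteEntry]] = {}        # VPN -> route forwarding table
        self.tunnels: Dict[str, Tuple[str, str]] = {}     # tunnel -> (interface A, interface B)

    # ---- configuration (first and second configuration modules) ----
    def bind_downlink_subinterface(self, subif: str, vpn: str, addr: str) -> None:
        self.subif_vpn[subif] = vpn
        self.subif_addr[subif] = addr

    def bind_public_interface(self, pubif: str, vpn: str, addr: str) -> None:
        self.pubif_vpn[pubif] = vpn
        self.pubif_addr[pubif] = addr

    def apply_route_config(self, vpn: str, out_interface: str, dst_private_ip: str, next_hop: str) -> None:
        """Install the entry described by a routing configuration instruction from the management server."""
        self.rib.setdefault(vpn, []).append(RouteEntry(dst_private_ip, out_interface, next_hop))

    def apply_tunnel_config(self, name: str, if_a: str, if_b: str) -> None:
        """Record an IPsec VPN tunnel between two public network interfaces of this device."""
        for iface in (if_a, if_b):
            if iface not in self.pubif_addr:
                raise ValueError(f"{iface} is not a configured public network interface")
        self.tunnels[name] = (if_a, if_b)

    # ---- forwarding ----
    def lookup(self, vpn: str, dst: str) -> Optional[RouteEntry]:
        """Exact-match lookup in the route forwarding table of one VPN only (no cross-tenant fallback)."""
        for entry in self.rib.get(vpn, []):
            if entry.destination == dst:
                return entry
        return None

    def tunnel_peer(self, out_interface: str, next_hop: str) -> Optional[Tuple[str, str]]:
        """Find the tunnel starting at out_interface whose far end owns the next-hop public IP."""
        for name, (a, b) in self.tunnels.items():
            for local, remote in ((a, b), (b, a)):
                if local == out_interface and self.pubif_addr.get(remote) == next_hop:
                    return name, remote
        return None

    def forward(self, ingress_subif: str, pkt: Packet) -> Optional[str]:
        """Return the downlink sub-interface the packet leaves on, or None if it is dropped."""
        vpn1 = self.subif_vpn[ingress_subif]                 # VPN bound to the ingress sub-interface
        first = self.lookup(vpn1, pkt.dst)
        if first is None:
            pkt.trace.append(f"drop: no route to {pkt.dst} in {vpn1}")
            return None
        hop = self.tunnel_peer(first.out_interface, first.next_hop)
        if hop is None:
            pkt.trace.append(f"drop: no IPsec tunnel from {first.out_interface} to {first.next_hop}")
            return None
        tunnel, second_pubif = hop
        pkt.trace.append(f"{vpn1}: {pkt.dst} via {first.out_interface} nh {first.next_hop} over {tunnel}")
        vpn2 = self.pubif_vpn[second_pubif]                  # VPN bound to the decapsulating interface
        second = self.lookup(vpn2, pkt.dst)
        if second is None or second.out_interface != second_pubif:
            pkt.trace.append(f"drop: no usable route to {pkt.dst} in {vpn2}")
            return None
        egress = next((s for s, a in self.subif_addr.items() if a == second.next_hop), None)
        if egress is None:
            pkt.trace.append(f"drop: next hop {second.next_hop} is not a downlink sub-interface")
            return None
        pkt.trace.append(f"{vpn2}: {pkt.dst} via {second.out_interface} nh {second.next_hop} -> {egress}")
        return egress


def build_example_device() -> SecurityDevice:
    """Constructed configuration using the addresses of the worked example (table one / table two)."""
    dev = SecurityDevice()
    dev.bind_downlink_subinterface("downlink-subif-1", "VPN1", "2.2.2.2")   # address assumed
    dev.bind_downlink_subinterface("downlink-subif-2", "VPN2", "1.1.1.1")   # from the description
    dev.bind_public_interface("public-if-1", "VPN1", "131.0.0.5")          # VPN binding assumed
    dev.bind_public_interface("public-if-2", "VPN2", "131.0.0.12")
    dev.apply_route_config("VPN1", "public-if-1", "50.1.1.13", "131.0.0.12")
    dev.apply_route_config("VPN2", "public-if-2", "50.1.1.13", "1.1.1.1")
    dev.apply_tunnel_config("ipsec-tunnel-1", "public-if-1", "public-if-2")
    return dev


if __name__ == "__main__":
    device = build_example_device()
    packet = Packet(src="40.1.1.6", dst="50.1.1.13")
    print("egress:", device.forward("downlink-subif-1", packet))
    print("\n".join(packet.trace))
```

The point worth checking in such a design is that every lookup is confined to the table of the VPN bound to the interface the packet arrived on: a destination that is absent from the tenant's own table is dropped rather than resolved through another tenant's table, and a next hop that does not correspond to the far end of a configured tunnel is also dropped, so the inter-tenant path exists only where the management server has explicitly installed both the route and the tunnel.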
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (10)

1. A message processing method is applied to a security device, and the method comprises the following steps:
receiving a service message sent by first user equipment, wherein the destination address of the service message is a private network Internet Protocol (IP) address of second user equipment, and the first user equipment and the second user equipment are both user equipment accessing the security device;
determining a first outgoing interface and a first next hop address corresponding to the private network IP address of the second user equipment according to an acquired first route forwarding table corresponding to the first user equipment, wherein the first route forwarding table comprises a corresponding relation between a destination address, an outgoing interface and a next hop address, the first outgoing interface is a first public network interface corresponding to the first user equipment on the security device, and the first next hop address is a public network IP address of a second public network interface corresponding to the second user equipment on the security device;
according to the first next hop address, sending the service message to the second public network interface through an Internet Protocol Security (IPsec) Virtual Private Network (VPN) tunnel established between the first public network interface and the second public network interface;
and sending the service message to the second user equipment through the second public network interface.
2. The method of claim 1, wherein the first route forwarding table is obtained by:
determining a first VPN corresponding to a first downlink sub-interface according to a pre-configured corresponding relationship between the downlink sub-interface and the VPN, wherein the first downlink sub-interface is a downlink sub-interface for receiving the service message;
and determining a route forwarding table corresponding to the first VPN according to a pre-stored corresponding relation between the VPN and the route forwarding table, and taking the route forwarding table as the first route forwarding table.
3. The method according to claim 1, wherein the sending the service packet to the second user equipment through the second public network interface specifically includes:
determining a second VPN corresponding to the second public network interface according to a pre-configured corresponding relationship between the public network interface and the VPN;
determining a second routing forwarding table corresponding to a second VPN according to a pre-stored corresponding relationship between the VPN and the routing forwarding table, wherein the second routing forwarding table comprises a corresponding relationship between a destination address, an egress interface and a next hop address;
determining a second outgoing interface and a second next hop address corresponding to the private network IP address of the second user equipment according to the second route forwarding table, wherein the second outgoing interface is the second public network interface corresponding to the second user equipment on the security device, and the second next hop address is the address of a second downlink sub-interface corresponding to the second user equipment on the security device;
according to the second next hop address, the service message is sent to the second downlink sub-interface through the second public network interface;
and sending the service message through the second downlink sub-interface.
4. The method of claim 1, further comprising:
receiving a routing configuration instruction which is sent by a management server and used for configuring the first routing forwarding table, wherein the routing configuration instruction comprises an identifier of the first public network interface, a private network IP address of the second user equipment and a public network IP address of the second public network interface;
configuring, in the first route forwarding table, a forwarding table entry whose destination address is the private network IP address of the second user equipment, whose outgoing interface is the first public network interface, and whose next hop address is the public network IP address of the second public network interface.
5. The method of claim 1, further comprising:
receiving tunnel configuration information sent by a management server, wherein the tunnel configuration information is tunnel configuration information required when an IPsec VPN tunnel is established between the first public network interface and the second public network interface;
and establishing an IPsec VPN tunnel between the first public network interface and the second public network interface according to the tunnel configuration information.
6. A message processing apparatus, wherein the apparatus is applied to a security device, and the apparatus comprises:
the system comprises a receiving module, a sending module and a processing module, wherein the receiving module is used for receiving a service message sent by first user equipment, the destination address of the service message is the private network Internet Protocol (IP) address of second user equipment, and the first user equipment and the second user equipment are both user equipment accessed to the safety equipment;
a determining module, configured to determine, according to an obtained first route forwarding table corresponding to the first user equipment, a first outgoing interface and a first next hop address that correspond to a private network IP address of the second user equipment, where the first route forwarding table includes a corresponding relationship between a destination address, an outgoing interface, and a next hop address, the first outgoing interface is a first public network interface corresponding to the first user equipment on the security device, and the first next hop address is a public network IP address of a second public network interface corresponding to the second user equipment on the security device;
a first sending module, configured to send the service packet to the second public network interface according to the first next hop address through an IP security IPsec virtual private network VPN tunnel created between the first public network interface and the second public network interface;
and the second sending module is used for sending the service message to the second user equipment through the second public network interface.
7. The apparatus of claim 6, further comprising:
an obtaining module, configured to obtain a first route forwarding table in the following manner:
determining a first VPN corresponding to a first downlink sub-interface according to a pre-configured corresponding relationship between the downlink sub-interface and the VPN, wherein the first downlink sub-interface is a downlink sub-interface for receiving the service message;
and determining a route forwarding table corresponding to the first VPN according to a pre-stored corresponding relation between the VPN and the route forwarding table, and taking the route forwarding table as the first route forwarding table.
8. The apparatus of claim 6, wherein the first sending module is specifically configured to:
determining a second VPN corresponding to the second public network interface according to a pre-configured corresponding relationship between the public network interface and the VPN;
determining a second routing forwarding table corresponding to a second VPN according to a pre-stored corresponding relationship between the VPN and the routing forwarding table, wherein the second routing forwarding table comprises a corresponding relationship between a destination address, an egress interface and a next hop address;
determining a second outgoing interface and a second next hop address corresponding to the private network IP address of the second user equipment according to the second route forwarding table, wherein the second outgoing interface is the second public network interface corresponding to the second user equipment on the security device, and the second next hop address is the address of a second downlink sub-interface corresponding to the second user equipment on the security device;
according to the second next hop address, the service message is sent to the second downlink sub-interface through the second public network interface;
and sending the service message through the second downlink sub-interface.
9. The apparatus of claim 6, further comprising:
a first configuration module, configured to receive a routing configuration instruction for configuring the first routing forwarding table sent by a management server, where the routing configuration instruction includes an identifier of the first public network interface, a private network IP address of the second user equipment, and a public network IP address of the second public network interface;
and to configure, in the first route forwarding table, a forwarding table entry whose destination address is the private network IP address of the second user equipment, whose outgoing interface is the first public network interface, and whose next hop address is the public network IP address of the second public network interface.
10. The apparatus of claim 6, further comprising:
a second configuration module, configured to receive tunnel configuration information sent by a management server, where the tunnel configuration information is tunnel configuration information required when an IPsec VPN tunnel is created between the first public network interface and the second public network interface;
and establishing an IPsec VPN tunnel between the first public network interface and the second public network interface according to the tunnel configuration information.
CN202110186766.3A 2021-02-18 2021-02-18 Message processing method and device Withdrawn CN113014559A (en)


Publications (1)

Publication Number Publication Date
CN113014559A true CN113014559A (en) 2021-06-22


Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114944952A (en) * 2022-05-20 2022-08-26 深信服科技股份有限公司 Data processing method, device, system, equipment and readable storage medium
CN114944952B (en) * 2022-05-20 2023-11-07 深信服科技股份有限公司 Data processing method, device, system, equipment and readable storage medium


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20210622