CN113810397B - Protocol data processing method and device - Google Patents

Publication number: CN113810397B
Application number: CN202111057065.6A
Other versions: CN113810397A
Authority: CN (China)
Legal status: Active
Original language: Chinese (zh)
Inventors: 束林扬, 李家顺, 沈亚琪
Assignee (current and original): Hillstone Networks Co Ltd
Prior art keywords: message, user mode, data, module, sending

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/16: Implementing security features at a particular protocol layer
    • H04L 63/168: Implementing security features at a particular protocol layer above the transport layer
    • H04L 47/00: Traffic control in data switching networks
    • H04L 47/50: Queue scheduling

Abstract

The invention discloses a method and a device for processing protocol data. The method comprises the following steps: receiving a message of protocol data through a user mode message receiving and sending module; forwarding the received message to an acceleration chip through a user mode agent component; receiving the application layer data after the acceleration chip decrypts the message; sending the application layer data to a user mode application module; the user mode application module processes the data message and transmits the processed message to the user mode agent component; the user mode agent component forwards the processed application data message to the acceleration chip, receives the application layer data message encrypted by the acceleration chip, and transmits it to the user mode message receiving and transmitting module; and the user mode message receiving and sending module sends the protocol data message. The invention solves the technical problems of the related art, in which the operating system forwards Secure Socket Layer (SSL) messages in kernel mode, so that efficiency is low, and encryption and decryption are computed by the CPU, so that CPU resources are heavily consumed.

Description

Protocol data processing method and device
Technical Field
The present invention relates to the field of data security protocols, and in particular, to a method and an apparatus for processing protocol data.
Background
As the importance of network security becomes increasingly prominent, network security incidents such as user privacy and data leakage emerge one after another. To protect sensitive data in transit over the Internet, more and more websites and applications deploy the SSL tunnel security protocol for data protection. The SSL tunnel has a problem: the network device or security device between the original SSL client and the original SSL server cannot effectively monitor, inspect, filter, or count the application layer content carried by SSL. The network device or security device is therefore required to provide an SSL proxy function, so as to decrypt SSL-based application layer protocols such as HTTPS, POP3S, SMTPS, and IMAPS, and to provide application security processing, such as application identification, URL filtering, anti-virus, IPS, keyword filtering, email filtering, and file filtering, for the application layer content carried by SSL. Fig. 1 is a schematic structural diagram of an SSL proxy in the prior art, and as shown in fig. 1, the SSL proxy function can operate in the following two scenarios.
In the first scenario, when the device is used as a gateway on the side of an end user client, the SSL proxy device replaces the digital certificate of the original SSL server with the SSL proxy certificate, and sends the SSL proxy certificate to the original end user SSL client. The SSL proxy certificate is a certificate obtained by reissuing the original SSL server certificate using the certificate of the device itself.
In the second scenario, when the device is used as a gateway on the original SSL server side, the SSL proxy device can serve as an original SSL server, establish an SSL connection with an original end user SSL client using a certificate of the original SSL server, and send the decrypted traffic to the original intranet SSL server in a plaintext manner.
As is known, SSL secure tunnel establishment consumes a large amount of CPU resources, and at the same time the SSL proxy of a network device or security device must establish tunnels with both the original SSL client of the end user and the original SSL server, so the SSL proxy device easily becomes a performance bottleneck in data transmission between the original SSL client and the original SSL server. For the performance problem of the current SSL proxy, some solutions exist in the industry, each addressing part of the performance problem from a different perspective, for example:
1. SSL proxy without SSL acceleration chip support: the CPU performs the SSL tunnel protocol negotiation and the subsequent encryption and decryption of application data.
2. SSL proxy with an SSL acceleration chip: the SSL tunnel protocol and data messages pass through the kernel TCP/IP protocol stack of the operating system and are then sent through a socket to a user mode application process, which performs SSL tunnel negotiation and data encryption and decryption; the user mode application process implements asynchronous encryption and decryption support through the Epoll mechanism.
Nowadays, Secure Socket Layer (SSL) tunnels prevail in computer network environments and carry more and more application services, and neither an SSL proxy computed with CPU resources nor an SSL proxy using an SSL acceleration chip together with the kernel TCP/IP protocol stack can meet the growing security service traffic requirements of SSL tunnels. In the related art, the operating system forwards SSL messages in kernel mode, so efficiency is low, and encryption and decryption are computed by the CPU, heavily consuming CPU resources. As a result, it is difficult for SSL proxies to achieve the desired performance and functionality in actual deployment.
In view of the above problems, no effective solution has been proposed.
Disclosure of Invention
The embodiment of the invention provides a method and a device for processing protocol data, which at least solve the technical problems that an operating system of a Secure Socket Layer (SSL) in the related technology adopts a kernel mode to forward a message, the efficiency is low, and CPU resources are greatly consumed by performing encryption and decryption calculation through a CPU.
According to an aspect of the embodiments of the present invention, there is provided a method for processing protocol data, including: receiving a message of protocol data through a user mode message receiving and sending module; forwarding the received message to an acceleration chip through a user mode agent component; receiving application layer data obtained by encrypting and decrypting the message by the acceleration chip through a user mode agent component; and sending the application layer data to a user mode application module through a user mode agent component.
Optionally, the user mode agent component includes a first user mode agent module and a second user mode agent module, and sending the received message to the acceleration chip through the user mode agent component includes: receiving the message through a first user mode agent module; storing the message in a first proxy connection session; acquiring the message from the first agent connection session through a second user mode agent module; and sending the message to the acceleration chip.
Optionally, storing the packet in the first proxy connection session includes: determining a characteristic field of the message; searching a corresponding first proxy connection session according to the characteristic field; under the condition that the corresponding first proxy connection session cannot be found, the first proxy connection session corresponding to the characteristic field is created; storing the message in the first proxy connection session.
Optionally, the obtaining, by the second user mode agent module, the message from the first agent connection session includes: establishing a second proxy connection session between the first user mode proxy module and the second user mode proxy module; and acquiring the message from the first proxy connection session through the second proxy connection session.
Optionally, sending the message to the acceleration chip includes: sending an asynchronous encryption and decryption request for the message to the acceleration chip through the second user mode agent module, wherein the encryption and decryption request comprises the message, and the message is one of a plurality of messages in a queue; receiving, by the user mode proxy component, the application layer data obtained by encrypting and decrypting the message by the acceleration chip includes: polling an asynchronous encryption and decryption response queue of the acceleration chip through the second user mode agent module to acquire an asynchronous response event corresponding to the message, wherein the asynchronous response event corresponds to a second agent connection session for acquiring the message; and generating the application layer data according to the asynchronous response event.
Optionally, generating the application layer data according to the asynchronous response event includes: acquiring the call stack position recorded for the message when the asynchronous encryption and decryption request was sent, and, according to that call stack position, determining the output data of the asynchronous response event according to the asynchronous response event and the state of the second proxy connection session corresponding to the asynchronous response event; and taking the output data as the application layer data when the state of the second proxy connection session is a data transmission state.
Optionally, after sending the application layer data to the user mode application module through the user mode agent component, the method further includes: receiving the processing data of the application layer through the second user mode agent module; sending the processing data to the acceleration chip for encryption and decryption, and sending the encrypted and decrypted processing data to the first user mode agent module; sending the message to the user mode message receiving and sending module through the first user mode agent module; and sending the processing data through the user mode message receiving and sending module.
Optionally, when the state of the second proxy connection session is a data transmission state, taking the output data as the application layer data includes: taking the output data as the application layer data under the condition that the output data is decrypted by the acceleration chip; sending the processing data to the acceleration chip for encryption and decryption, and sending the encrypted and decrypted processing data to the first user mode agent module comprises: and sending the processing data to the acceleration chip for encryption, and sending the encrypted processing data to the first user mode agent module.
According to another aspect of the embodiments of the present invention, there is also provided a device for processing protocol data, including: the user mode message receiving and sending module is used for receiving the message of the protocol data; the user mode agent component is used for forwarding the received message to the acceleration chip; receiving the application layer data after the acceleration chip encrypts and decrypts the message; and sending the application layer data to a user mode application module.
According to another aspect of the embodiments of the present invention, there is further provided a processor, where the processor is configured to execute a program, where the program executes the method for processing protocol data described in any one of the foregoing methods when running.
According to another aspect of the embodiments of the present invention, a computer storage medium is further provided, where the computer storage medium includes a stored program, and when the program runs, a device where the computer storage medium is located is controlled to execute the processing method of the protocol data.
In the embodiment of the invention, a protocol data message is received by the user mode message transceiving module; the received message is forwarded to the acceleration chip through the user mode agent component; the application layer data obtained by the acceleration chip encrypting and decrypting the message is received through the user mode agent component; and the application layer data is sent to the user mode application module by the user mode agent component. By using the message transceiving module and the agent component in user mode to pass the message to the acceleration chip for encryption and decryption, the protocol data is processed by an integrated user mode device, frequent switching of the message between user mode and kernel mode is avoided, and efficient data processing is achieved. This improves the processing efficiency of the protocol data, reduces the burden on the CPU (central processing unit) and reduces the occupation of CPU resources, and thereby solves the technical problems of the related art, in which the operating system forwards SSL messages in kernel mode, efficiency is low, and encryption and decryption are computed by the CPU, heavily consuming CPU resources.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
fig. 1 is a schematic diagram of a structure of an SSL proxy in the prior art;
fig. 2 is a flowchart of a protocol data processing method according to an embodiment of the present invention;
fig. 3 is a schematic diagram of a related art SSL proxy according to an embodiment of the present invention;
fig. 4 is a schematic diagram of an SSL proxy according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of the encryption logic of the CPU and acceleration chip according to an embodiment of the present invention;
fig. 6 is a flow diagram of SSL proxying according to an embodiment of the present invention;
fig. 7 is a schematic diagram of a protocol data processing apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
In accordance with an embodiment of the present invention, there is provided a method embodiment of a method for processing protocol data, it should be noted that the steps illustrated in the flowchart of the accompanying drawings may be performed in a computer system such as a set of computer executable instructions, and that while a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be performed in an order different than that herein.
Fig. 2 is a flowchart of a protocol data processing method according to an embodiment of the present invention, and as shown in fig. 2, the method includes the following steps:
step S202, receiving a message of protocol data through a user mode message receiving and sending module;
step S204, forwarding the received message to an acceleration chip through a user mode agent component;
step S206, receiving the application layer data after the acceleration chip encrypts and decrypts the message through the user mode agent component;
and step S208, sending the application layer data to the user mode application module through the user mode agent component.
Through the above steps, a message of protocol data is received through the user mode message receiving and sending module; the received message is forwarded to the acceleration chip through the user mode agent component; the application layer data obtained by the acceleration chip encrypting and decrypting the message is received through the user mode agent component; and the application layer data is sent to the user mode application module through the user mode agent component. By using the message transmitting and receiving module and the agent component in user mode to pass the message to the acceleration chip for encryption and decryption, the protocol data is processed by an integrated user mode device, frequent switching of the message between user mode and kernel mode is avoided, and efficient data processing is achieved. This improves the processing efficiency of the protocol data, reduces the burden on the CPU (central processing unit) and reduces the occupation of CPU resources, and thereby solves the technical problems of the related art, in which the operating system forwards SSL messages in kernel mode, efficiency is low, and encryption and decryption are computed by the CPU, heavily consuming CPU resources.
The protocol data may belong to a transmission protocol used by the proxy component, for example the SSL secure socket protocol. The proxy component is configured to implement the transmission protocol; data passing through the transmission protocol is the protocol data, which is transmitted between different devices. The proxy component includes an input device and an output device and performs unidirectional or bidirectional data transmission between the two devices according to the protocol in use. When the input device inputs data, the data is input in the form of a message, namely the message of the protocol data.
The user mode message transceiver module may be a functional module running on the CPU of the system and is configured to receive the message of the protocol data; through it, the message is received directly as user mode data.
The user mode agent component may also be a functional module running on the CPU. It is connected to the user mode message transceiver module, which passes the received protocol data message to it. The user mode agent component sends the message to the acceleration chip for encryption and decryption, receives the encrypted or decrypted application layer data, and sends the application layer data to the user mode application module, that is, to the output device of the protocol data; the user mode application module then inputs the protocol data to an application program for related operations.
The whole system runs in user mode, and the message is forwarded to the acceleration chip for encryption and decryption by the message transceiving module and the proxy component in user mode, so that the protocol data is processed by an integrated user mode device, frequent switching of the message between user mode and kernel mode is avoided, and efficient data processing is achieved. This improves the processing efficiency of the protocol data, reduces the burden on the CPU (central processing unit) and reduces the occupation of CPU resources, and thereby solves the technical problems of the related art, in which the operating system forwards SSL messages in kernel mode, efficiency is low, and encryption and decryption are computed by the CPU, heavily consuming CPU resources.
Optionally, the user mode agent component includes a first user mode agent module and a second user mode agent module, and sending the received message to the acceleration chip through the user mode agent component includes: receiving a message through a first user mode agent module; storing the message in a first proxy connection session; acquiring a message from the first agent connection session through a second user mode agent module; and sending the message to the acceleration chip.
The user mode agent component comprises a first user mode agent module and a second user mode agent module. The first user mode agent module may be a user mode TCP proxy module and the second user mode agent module may be a user mode SSL proxy module. When an SSL proxy is implemented, the SSL tunnel protocol and data messages pass through the kernel TCP/IP protocol stack of the operating system and are sent through a socket to a user mode application process for SSL tunnel negotiation and data encryption and decryption, and the user mode application process provides asynchronous encryption and decryption support through the Epoll mechanism. That is, the TCP proxy exists to support the SSL proxy and assist its work.
The first user mode agent module is connected with the user mode message receiving and sending module, receives the message received by the user mode message receiving and sending module and stores the message in the first agent connection session. The second user mode agent module is connected with the first user mode agent module, obtains a message from the first agent connection session of the first user mode agent module, and sends the message to the acceleration chip.
Optionally, storing the packet in the first proxy connection session includes: determining a characteristic field of the message; searching for a corresponding first proxy connection session according to the characteristic field; under the condition that the corresponding first proxy connection session cannot be found, the first proxy connection session corresponding to the characteristic field is created; the message is stored in the first proxy connection session.
Specifically, taking the first user mode proxy module as a user mode TCP proxy module as an example, the user mode TCP proxy module (for example, the open source OFP TCP/IP stack library) receives an IP packet. For a TCP packet that needs SSL proxying (for example, assuming that TCP port 443 is the SSL connection port), it searches for a TCP proxy connection session based on a characteristic field of the TCP packet (for example, the 5-tuple: source IP, destination IP, source port, destination port, and IP protocol number). If no session is found, a new TCP proxy connection session is created, and at the same time a callback function of the SSL proxy module is invoked to create a mapping-associated SSL proxy connection session. Finally, the associated TCP proxy connection session is found according to the characteristic field (such as the 5-tuple) of the original TCP data message received from the network card, and the TCP data message is cached in that TCP proxy connection session.
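The session lookup just described, as an added example in C that is not the patent's or Hillstone's code: a proxy session table keyed by the 5-tuple, with create-on-miss, a callback that creates the mapping-associated SSL proxy session, and per-session caching of the TCP payload. The type and function names, the FNV-1a bucket hash, the port-443 rule, the fixed per-session cache limit and the sample packets are assumptions for illustration.

```c
/* Added example (not the patent's code): user-mode TCP proxy session table
 * keyed by the 5-tuple, create-on-miss, with an SSL proxy callback that
 * creates the associated SSL session. All names are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define NBUCKETS   64
#define MAX_CACHED 8          /* cap on cached segments per session (assumed) */

struct five_tuple {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  proto;
};

struct ssl_session;           /* second proxy connection session */

struct tcp_session {          /* first proxy connection session */
    struct five_tuple key;
    struct ssl_session *ssl;  /* mapping-associated SSL proxy session */
    const uint8_t *cached[MAX_CACHED];
    size_t cached_len[MAX_CACHED];
    int ncached;
    struct tcp_session *next;
};

struct ssl_session {
    int state;                /* 0 = handshake, 1 = data transfer */
    struct tcp_session *tcp;
};

struct session_table {
    struct tcp_session *bucket[NBUCKETS];
    struct ssl_session *(*on_new_conn)(struct tcp_session *); /* SSL proxy callback */
    int nsessions;
};

static unsigned hash_tuple(const struct five_tuple *t) {
    /* FNV-1a over the packed key bytes (avoids hashing struct padding). */
    uint8_t buf[13];
    memcpy(buf, &t->src_ip, 4);      memcpy(buf + 4, &t->dst_ip, 4);
    memcpy(buf + 8, &t->src_port, 2); memcpy(buf + 10, &t->dst_port, 2);
    buf[12] = t->proto;
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof buf; i++) { h ^= buf[i]; h *= 16777619u; }
    return h % NBUCKETS;
}

static int tuple_eq(const struct five_tuple *a, const struct five_tuple *b) {
    return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip &&
           a->src_port == b->src_port && a->dst_port == b->dst_port &&
           a->proto == b->proto;
}

/* Find the TCP proxy session for a 5-tuple; on a miss create it and, through
 * the callback, its mapping-associated SSL proxy session. */
struct tcp_session *session_lookup_or_create(struct session_table *tab,
                                             const struct five_tuple *key) {
    unsigned b = hash_tuple(key);
    for (struct tcp_session *s = tab->bucket[b]; s; s = s->next)
        if (tuple_eq(&s->key, key)) return s;
    struct tcp_session *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->key = *key;
    s->next = tab->bucket[b];
    tab->bucket[b] = s;
    tab->nsessions++;
    s->ssl = tab->on_new_conn ? tab->on_new_conn(s) : NULL;
    return s;
}

/* One TCP segment from the NIC. Only TCP/443 is proxied here (assumed policy);
 * returns 0 for traffic left alone, 1 when cached, -1 on failure or cache full. */
int handle_segment(struct session_table *tab, const struct five_tuple *key,
                   const uint8_t *payload, size_t len) {
    if (key->proto != 6 || (key->dst_port != 443 && key->src_port != 443))
        return 0;
    struct tcp_session *s = session_lookup_or_create(tab, key);
    if (!s || s->ncached >= MAX_CACHED) return -1;
    s->cached[s->ncached] = payload;
    s->cached_len[s->ncached] = len;
    s->ncached++;
    return 1;
}

/* SSL proxy module callback invoked when a TCP proxy session is created. */
struct ssl_session *ssl_on_new_conn(struct tcp_session *t) {
    struct ssl_session *ss = calloc(1, sizeof *ss);
    if (ss) { ss->state = 0; ss->tcp = t; }
    return ss;
}

int main(void) {
    struct session_table tab = { .on_new_conn = ssl_on_new_conn };
    struct five_tuple k = { 0x0a000001u, 0xc0a80001u, 51000, 443, 6 };  /* constructed */
    static const uint8_t hello[] = { 0x16, 0x03, 0x01 };                /* constructed */
    handle_segment(&tab, &k, hello, sizeof hello);
    handle_segment(&tab, &k, hello, sizeof hello);
    struct tcp_session *s = session_lookup_or_create(&tab, &k);
    printf("sessions=%d cached=%d ssl=%s\n", tab.nsessions, s->ncached, s->ssl ? "yes" : "no");
    return 0;
}
```

The per-session cache is deliberately bounded: a proxy that buffers unbounded segments per 5-tuple before the SSL session reaches the data state hands an unauthenticated peer a cheap way to exhaust its memory, so a real implementation also needs session expiry and teardown, which this example omits.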
Optionally, the obtaining, by the second user mode agent module, the message from the first agent connection session includes: establishing a second agent connection session between the first user mode agent module and the second user mode agent module; and acquiring the message from the first proxy connection session through the second proxy connection session.
The second proxy connection session corresponds to the first proxy connection session. The message is acquired from the first proxy connection session through the second proxy connection session: by traversing the second proxy connection sessions, the cached messages can be read from the first proxy connection session associated with each of them.
Optionally, sending the message to the acceleration chip includes: sending an asynchronous encryption and decryption request for the message to the acceleration chip through a second user mode agent module, wherein the encryption and decryption request comprises the message, and the message is one of a plurality of messages in the queue; receiving the application layer data after the message is encrypted and decrypted by the acceleration chip through the user mode agent component comprises the following steps: polling an asynchronous encryption and decryption response queue of the acceleration chip through a second user mode agent module to acquire an asynchronous response event corresponding to the message, wherein the asynchronous response event corresponds to a second agent connection session for acquiring the message; and generating the application layer data according to the asynchronous response event.
The asynchronous encryption and decryption request for the message is sent to the acceleration chip through the second user mode agent module; it may be sent to a user mode acceleration chip driver module (such as an Intel QAT acceleration chip and its engine driver), the position of the current call stack is recorded, and a user mode execution context switch occurs.
The second user mode agent module polls the asynchronous encryption and decryption response queue of the acceleration chip to acquire the asynchronous response event corresponding to the message: it polls the asynchronous encryption and decryption response queue of the user mode acceleration chip driver module using a heuristic mechanism and generates an asynchronous response event corresponding to a second agent connection session.
Optionally, generating the application layer data according to the asynchronous response event includes: acquiring the call stack position recorded for the message when the asynchronous encryption and decryption request was sent, and, according to that call stack position, determining the output data of the asynchronous response event according to the asynchronous response event and the state of the second agent connection session corresponding to the asynchronous response event; and, when the state of the second proxy connection session is the data transmission state, taking the output data as the application layer data.
For each asynchronous encryption and decryption response event, the second user mode agent module restores the previously recorded call stack position and acquires the output data of the event according to the event and the current state of the second agent connection session related to it.
When the second proxy connection session is in a handshake negotiation state, the second proxy connection session continues to handshake negotiation to establish a second proxy tunnel, and the second proxy connection session does not enter an application data transmission state until the second proxy tunnel is successfully established; and when the second proxy connection session is in the application data transmission state, informing the user mode application layer module of processing the decrypted plaintext data for the decrypted plaintext application data stream.
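The asynchronous path of the second proxy module described in the preceding paragraphs (request submission with a saved context, polling of the response queue, and the handshake-versus-data-state decision), as an added C example that is not the patent's or Hillstone's code. The accelerator is simulated by an in-process completion ring, the saved call stack position is modelled as a session pointer stored in the request, and the byte transform standing in for the chip's cipher is not cryptography; all names and the sample records are constructed for illustration.

```c
/* Added example (not the patent's code): asynchronous submit/poll against a
 * simulated accelerator, with the per-session state machine deciding whether a
 * completion continues the handshake or delivers plaintext to the application.
 * The XOR "cipher" is a stand-in only. All names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum ssl_state { ST_HANDSHAKE, ST_DATA };
enum op { OP_DECRYPT, OP_ENCRYPT };

struct ssl_conn {               /* second proxy connection session */
    int id;
    enum ssl_state state;
    int handshake_msgs_left;    /* simulated: handshake records still needed */
    size_t plaintext_delivered; /* bytes handed to the user mode application module */
};

struct async_req {
    struct ssl_conn *conn;      /* saved context, restored on completion */
    enum op op;
    uint8_t buf[64];
    size_t len;
};

#define RING 16
struct accel {                  /* simulated chip: request goes in, completion comes out */
    struct async_req resp[RING];
    int head, tail;
};

/* Stand-in for the chip's cipher: symmetric byte transform, NOT cryptography. */
void accel_cipher_stub(uint8_t *b, size_t n) { for (size_t i = 0; i < n; i++) b[i] ^= 0x5a; }

/* Submit an asynchronous request; the caller continues without blocking. */
int accel_submit(struct accel *a, struct ssl_conn *c, enum op op,
                 const uint8_t *data, size_t len) {
    if (len > sizeof a->resp[0].buf) return -1;
    int next = (a->tail + 1) % RING;
    if (next == a->head) return -1;            /* response queue full: back-pressure */
    struct async_req *r = &a->resp[a->tail];
    r->conn = c; r->op = op; r->len = len;
    memcpy(r->buf, data, len);
    accel_cipher_stub(r->buf, len);             /* "chip" completes the work */
    a->tail = next;
    return 0;
}

/* Poll the response queue. For each completion, restore the saved session and
 * act on its state: keep negotiating, or deliver plaintext to the application.
 * Returns the number of completions handled. */
int poll_completions(struct accel *a,
                     void (*deliver)(struct ssl_conn *, const uint8_t *, size_t)) {
    int n = 0;
    while (a->head != a->tail) {
        struct async_req *r = &a->resp[a->head];
        a->head = (a->head + 1) % RING;
        struct ssl_conn *c = r->conn;           /* restored context */
        n++;
        if (c->state == ST_HANDSHAKE) {
            if (--c->handshake_msgs_left == 0) c->state = ST_DATA; /* tunnel established */
            continue;                           /* no application data during handshake */
        }
        if (r->op == OP_DECRYPT) {              /* decrypted output is application layer data */
            c->plaintext_delivered += r->len;
            if (deliver) deliver(c, r->buf, r->len);
        }
        /* OP_ENCRYPT output returns to the TCP proxy module for sending (omitted). */
    }
    return n;
}

/* Capture helper so the delivered plaintext can be inspected. */
static uint8_t last_plain[64];
static size_t last_len;
void capture_deliver(struct ssl_conn *c, const uint8_t *p, size_t n) {
    (void)c; memcpy(last_plain, p, n); last_len = n;
}

int main(void) {
    struct accel a = {0};
    struct ssl_conn c = { .id = 1, .state = ST_HANDSHAKE, .handshake_msgs_left = 2 };
    uint8_t hs[] = "client-hello";             /* constructed handshake record */
    accel_submit(&a, &c, OP_DECRYPT, hs, sizeof hs);
    accel_submit(&a, &c, OP_DECRYPT, hs, sizeof hs);
    poll_completions(&a, capture_deliver);     /* both completions advance the handshake */
    uint8_t wire[] = "GET / HTTP/1.1";         /* constructed "ciphertext" on the wire */
    accel_cipher_stub(wire, sizeof wire);
    accel_submit(&a, &c, OP_DECRYPT, wire, sizeof wire);
    poll_completions(&a, capture_deliver);
    printf("state=%d delivered=%zu plaintext=%s\n", c.state, c.plaintext_delivered, last_plain);
    return 0;
}
```

The state check in the poll loop is what keeps handshake output away from the application module: a completion is only treated as application layer data once the session has reached the data transmission state, and a full response ring is reported to the submitter rather than silently dropped.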
Optionally, after the user mode agent component sends the application layer data to the user mode application module, the method further includes: receiving the processing data of the application layer through the second user mode agent module; sending the processing data to the acceleration chip for encryption and decryption, and sending the encrypted and decrypted processing data to the first user mode agent module; sending the processing data to the user mode message receiving and sending module through the first user mode agent module; and sending the processing data out through the user mode message receiving and sending module.
That is, the data of the user mode application module can be encrypted and decrypted in the reverse direction through the second user mode agent module to obtain the processed data, and the processed data is passed through the first user mode agent module to the user mode message receiving and sending module for transmission.
Optionally, taking the output data as the application layer data when the state of the second proxy connection session is the data transmission state includes: taking the output data as the application layer data when the output data has been decrypted by the acceleration chip. Sending the processing data to the acceleration chip for encryption and decryption and sending the encrypted and decrypted processing data to the first user mode agent module includes: sending the processing data to the acceleration chip for encryption, and sending the encrypted processing data to the first user mode agent module.
Specifically, in this embodiment, when the second user mode agent module sends data to the user mode application module, the data needs to be encrypted by the acceleration chip before transmission, and when the second user mode agent module sends the data of the user mode application module on to the user mode message transceiver module, the data needs to be decrypted by the acceleration chip.
It should be noted that the present application also provides an alternative implementation, and the details of the implementation are described below.
Fig. 3 is a schematic diagram of an SSL proxy in the related art according to an embodiment of the present invention. As shown in fig. 3, the existing technical solutions have the following main problems:
A. The kernel-mode TCP/IP protocol stack of the operating system is one link in the chain through which user-mode application processes exchange application data messages. Forwarding and transmitting the data messages therefore involves data copying between the operating system and the user-mode application process as well as a series of system calls, and because of this architectural constraint the SSL tunnel connection setup rate and the throughput of SSL tunnel application data are difficult to improve significantly.
B. Encryption and decryption are computed on the CPU, which consumes a great deal of CPU resources, so the SSL tunnel connection setup rate and the throughput of SSL tunnel application data are severely limited by CPU resources. This scheme corresponds to fig. 3 with the SSL accelerator card portion (drawn in dashed outline) removed.
To address these problems, the embodiment provides a user-mode integrated high-performance SSL agent architecture and device, realized on network equipment or security equipment with a clear architecture, an efficient flow and a technically feasible design. The integrated design improves the utilization efficiency of CPU resources and accelerates both the negotiation process of SSL asymmetric encryption and decryption tunnels and the transmission process of SSL symmetric encryption and decryption application data, thereby greatly improving the overall processing performance and scalability of SSL agents and realizing a qualitative leap in the new-connection rate of SSL agent connection sessions and in their application data forwarding throughput.
The SSL proxy performance enhancement analysis of the embodiment is as follows:
The user-mode integrated SSL agent design is adopted, which reduces the extra overhead caused by task switching of messages between user mode and kernel mode and by message memory copying.
A mechanism that binds the user-mode network card driver's transceiving queues to CPU cores is adopted, which reduces frequent process-level context switching on the CPU and at the same time improves the utilization efficiency of the CPU instruction cache and data cache.
An asynchronous encryption and decryption mechanism based on the SSL accelerator card is used: the large amount of computation required for encryption and decryption is carried out by the SSL accelerator card, greatly reducing the burden on the CPU, and because the mechanism is asynchronous the CPU does not need to block waiting for SSL encryption and decryption requests to complete synchronously, which improves CPU utilization efficiency.
By utilizing the SSL accelerator card's support for multiple logical instances and a mechanism that binds each CPU core to one SSL accelerator card logical instance, lock-free reading and writing of the SSL accelerator card encryption and decryption queues is realized, and the CPU's multi-core concurrent processing capacity is improved.
A heuristic mechanism is used to poll the asynchronous encryption and decryption response queue of the SSL accelerator card, which improves polling efficiency and polling timeliness and hence message forwarding efficiency.
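The following added example (not code from the patent or from Hillstone; the adaptive heuristic and every class and function name in it are assumptions) illustrates two of the mechanisms listed above in a single-threaded simulation: each simulated CPU core owns exactly one accelerator logical instance, so it reads and writes that instance's request and response rings without any lock, and each core polls its response ring with an adaptive back-off so that an idle ring is read far less often than once per loop iteration while responses that arrive shortly after a request are still collected promptly.

```python
from collections import deque
from typing import Deque, List, Tuple


class LogicalInstance:
    """Constructed stand-in for one SSL accelerator card logical instance: a request ring
    and a response ring. A request completes `latency` loop iterations after submission."""
    def __init__(self, latency: int = 3) -> None:
        self.latency = latency
        self.req: Deque[Tuple[int, object]] = deque()   # (ready_at, item)
        self.rsp: Deque[object] = deque()

    def submit(self, item: object, now: int) -> None:
        self.req.append((now + self.latency, item))

    def tick(self, now: int) -> None:
        """Hardware side: move every request whose latency has elapsed to the response ring."""
        while self.req and self.req[0][0] <= now:
            self.rsp.append(self.req.popleft()[1])

    def drain(self) -> List[object]:
        out = list(self.rsp)
        self.rsp.clear()
        return out


def instance_for_core(core_id: int, instances: List[LogicalInstance]) -> LogicalInstance:
    """One-to-one core -> instance binding: no two cores share a ring, hence no lock is needed."""
    if core_id >= len(instances):
        raise ValueError("each CPU core needs its own accelerator logical instance")
    return instances[core_id]


class HeuristicPoller:
    """Per-core poller with an assumed adaptive heuristic (not the patent's specific one):
    poll on every loop iteration while responses keep arriving; after an empty poll, double
    the number of iterations skipped before the next poll, up to max_skip; submitting a new
    request resets the skip so that its response is noticed without extra delay."""
    def __init__(self, inst: LogicalInstance, max_skip: int = 8) -> None:
        self.inst = inst
        self.max_skip = max_skip
        self.skip = 0          # iterations to skip after the next poll
        self.countdown = 0     # iterations left before the next poll
        self.polls = 0         # how many times the response ring was actually read
        self.collected: List[object] = []

    def on_submit(self, item: object, now: int) -> None:
        self.inst.submit(item, now)
        self.skip = 0
        self.countdown = 0

    def iteration(self) -> int:
        """Called once per forwarding-loop iteration; returns the responses collected this time."""
        if self.countdown > 0:
            self.countdown -= 1
            return 0
        self.polls += 1
        got = self.inst.drain()
        if got:
            self.collected.extend(got)
            self.skip = 0
        else:
            self.skip = min(max(1, self.skip * 2), self.max_skip)
        self.countdown = self.skip
        return len(got)


def simulate(n_cores: int = 4, iterations: int = 100, requests_per_core: int = 5) -> List[HeuristicPoller]:
    """Each core submits one request per iteration during the first few iterations, then idles;
    the per-core loops are interleaved here but each touches only its own instance."""
    instances = [LogicalInstance() for _ in range(n_cores)]
    pollers = [HeuristicPoller(instance_for_core(c, instances)) for c in range(n_cores)]
    for now in range(iterations):
        for core_id, poller in enumerate(pollers):
            if now < requests_per_core:
                poller.on_submit(("req", core_id, now), now)
            poller.inst.tick(now)      # the card completes work that is due
            poller.iteration()
    return pollers


if __name__ == "__main__":
    for core_id, p in enumerate(simulate()):
        print(f"core {core_id}: {len(p.collected)} responses collected with {p.polls} ring reads "
              f"(polling on every iteration would have read the ring 100 times)")
```

With the constructed workload every core collects all of its own five responses while reading the ring roughly a fifth as often as unconditional per-iteration polling would; the trade-off of any such heuristic is that a response arriving during a long back-off is seen late, which is why a new request resets the back-off.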
Fig. 4 is a schematic diagram of an SSL proxy according to an embodiment of the present invention, and as shown in fig. 4, the architecture of the high-performance SSL proxy according to the embodiment is as follows:
The high-performance SSL proxy architecture mainly comprises three parts (in fig. 4, the user mode application layer processing part is shown only for ease of understanding and is not explained separately). First, a user-mode network card message transceiving queue, which receives and transmits messages directly from the network card using a user-mode network card driver. Second, a user-mode TCP/IP protocol stack, which is responsible for TCP message reassembly, retransmission and similar processing. Finally, the SSL agent, which is responsible for reading the TCP data stream from the user-mode TCP/IP protocol stack and, according to the current state of the SSL agent, sending asynchronous encryption and decryption requests to the SSL acceleration chip and polling and processing the asynchronous encryption and decryption responses.
The basic preconditions of the high-performance SSL proxy design of this embodiment are as follows:
The SSL software architecture supports an asynchronous encryption and decryption mechanism for the SSL acceleration chip, that is, the CPU issues an asynchronous encryption and decryption request without synchronously waiting for the encryption and decryption response, so that most of the CPU's waiting time is freed. The existing asynchronous encryption and decryption mechanism is mainly realized by a user-level context switching mechanism within the executing application process. As shown in fig. 5, the CPU's sending of the encryption/decryption request is asynchronous with respect to its polling for the encryption/decryption response.
The SSL acceleration chip and its driver support multiple logical-level instances, so that multiple CPU cores can operate the asynchronous encryption and decryption queues without locks. Fig. 5 is a schematic diagram of the encryption logic of the CPU and the acceleration chip according to an embodiment of the present invention; as shown in fig. 5, there is a one-to-one correspondence between the CPU cores and the encryption/decryption instances.
For convenience of description, in the following the user-mode network card driver message transceiving queue takes Intel DPDK as an example, the user-mode TCP/IP protocol stack takes OFP as an example, the SSL library takes OpenSSL with support for the Intel QAT acceleration engine as an example, and the SSL acceleration card takes an Intel QAT SSL acceleration card as an example.
Fig. 6 is a flowchart of the SSL proxy according to an embodiment of the present invention. As shown in fig. 6, the detailed steps of the complete high-performance SSL proxy solution of this embodiment are as follows:
a. The user-mode network card driver message transceiving module (such as the Intel DPDK open source library) receives a network card message and caches it in the network card message receiving queue.
b. The user-mode TCP proxy module (such as the OFP TCP/IP stack open source library) receives the IP packet from the network card receiving queue. For a TCP data packet that needs to be SSL-proxied (for example, assuming TCP port 443 is the SSL connection port), it searches for a TCP proxy connection session based on a characteristic field of the TCP packet (such as the 5-tuple: source IP, destination IP, source port, destination port and IP protocol number); if none is found, a new TCP proxy connection session is created, and at the same time the callback function of the SSL proxy module is invoked to create an SSL proxy connection session mapped to and associated with the TCP data packet. Finally, the associated TCP proxy connection session is found according to the characteristic field (such as the 5-tuple) of the original TCP data message received from the network card, and the TCP data message is cached in the associated TCP proxy connection session.
c. The user-mode SSL proxy module (such as the OpenSSL open source library) traverses the SSL proxy connection sessions, reads the cached TCP data message from the TCP proxy connection associated with each SSL proxy connection session, executes the state machine of the SSL proxy connection session according to its current state, and calls the OpenSSL encryption and decryption interface functions.
d. While calling the OpenSSL encryption and decryption interface function in the previous step, the user-mode SSL agent module sends an asynchronous encryption and decryption request to the user-mode acceleration chip driver module (such as the Intel QAT acceleration chip and engine driver), records the position of the current call stack, and performs a user-mode execution context switch.
e. The user-mode SSL agent module polls the asynchronous encryption and decryption response queue of the user-mode acceleration chip driver module using a heuristic mechanism and generates the asynchronous response events corresponding to the SSL agent connection sessions.
f. For each asynchronous encryption and decryption response event, the user-mode SSL agent module restores the previously recorded call stack position, acquires the output data of the event and the current state of the related SSL agent connection session, and continues executing the state machine of the SSL agent connection session. When the SSL agent connection session is in the handshake negotiation state, it continues the handshake negotiation to establish the SSL agent tunnel and cannot enter the application data transmission state until the SSL agent tunnel is successfully established. When the SSL proxy connection session is in the application data transmission state, for a decrypted plaintext application data stream the user-mode application layer module is notified to process the decrypted plaintext data, and otherwise, for an encrypted ciphertext application data stream, the user-mode TCP proxy module is notified to send the ciphertext application data stream.
g. The user-mode application layer module continues with the corresponding protocol analysis and protocol identification processing on the decrypted plaintext application data stream, performs the corresponding application layer protocol processing (such as IPS/AV/AI/NBC/URL Filter/Email Filter and the like) according to the policy configuration of the relevant application protocol, and outputs the plaintext application data stream processed by the application layer.
h. The user-mode SSL agent module executes the state machine of the SSL agent connection session again according to the plaintext application data output by the application layer processing module and the current state of the SSL agent connection session, and calls the OpenSSL encryption and decryption interface function.
i. Same as step d.
j. Same as step e.
k. Same as step f.
l. The user-mode TCP agent module receives the SSL tunnel negotiation message or the ciphertext application data stream from the user-mode SSL agent module and performs the related TCP processing (such as TCP segmentation, retransmission and the like).
m. The user-mode network card driver message transceiving module receives the IP message sent by the user-mode TCP agent module and puts it into the network card message sending queue.
n. The user-mode network card driver message transceiving module finally sends the IP data message out through the network card interface.
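The following added example (not code from the patent or from the DPDK, OFP, OpenSSL or QAT projects; all class and function names are assumptions) simulates steps b through n above together with the optional method described earlier in the summary: the call stack position is recorded when the asynchronous request is issued, restored when the response event is polled, and the handshake-negotiation/data-transmission state machine decides whether the output goes to the application layer or back to the TCP module. The network card, TCP stack and acceleration chip are replaced by in-memory stand-ins and the "cipher" is a toy XOR so the example runs offline; a Python generator plays the part of the suspended user-mode execution context, where `yield` records the position and `send()` restores it.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Generator, List, Optional, Tuple

FiveTuple = Tuple[str, str, int, int, int]   # src IP, dst IP, src port, dst port, IP protocol (step b)
HANDSHAKE, DATA = "handshake_negotiation", "data_transmission"


def toy_cipher(data: bytes) -> bytes:
    """Constructed stand-in for the chip's cipher (XOR is its own inverse); not real crypto."""
    return bytes(b ^ 0x2A for b in data)


class FakeAccelChip:
    """Stand-in for the acceleration chip driver: request/response queues of one logical instance."""
    def __init__(self) -> None:
        self.requests: Deque[Tuple[FiveTuple, str, bytes]] = deque()
        self.responses: Deque[Tuple[FiveTuple, str, bytes]] = deque()

    def submit(self, sid: FiveTuple, op: str, payload: bytes) -> None:
        self.requests.append((sid, op, payload))     # nothing completes until tick()

    def tick(self) -> None:
        """Hardware side: complete one queued request, so responses arrive asynchronously."""
        if self.requests:
            sid, op, payload = self.requests.popleft()
            out = b"server-hello" if op == "handshake" else toy_cipher(payload)
            self.responses.append((sid, op, out))


@dataclass
class ProxySession:
    """Proxy connection session keyed by 5-tuple: cached TCP data, state and suspended job."""
    key: FiveTuple
    state: str = HANDSHAKE
    rx: Deque[bytes] = field(default_factory=deque)
    job: Optional[Generator[None, bytes, None]] = None   # recorded call stack position (step d)
    to_app: List[bytes] = field(default_factory=list)    # plaintext for the application module
    to_wire: List[bytes] = field(default_factory=list)   # records for the TCP module to send


class SslProxy:
    def __init__(self, chip: FakeAccelChip) -> None:
        self.chip = chip
        self.sessions: Dict[FiveTuple, ProxySession] = {}

    def rx_packet(self, key: FiveTuple, payload: bytes) -> None:
        """Step b: find the session by 5-tuple, create it if missing, cache the segment."""
        sess = self.sessions.get(key)
        if sess is None:
            sess = self.sessions[key] = ProxySession(key)
        sess.rx.append(payload)

    def _job(self, sess: ProxySession, data: bytes, op: str) -> Generator[None, bytes, None]:
        """Steps c/d/f: issue the request, yield (user-mode context switch), resume with output."""
        if sess.state == HANDSHAKE:
            op = "handshake"                # still negotiating: no application data yet
        self.chip.submit(sess.key, op, data)
        out = yield                         # suspended here; resumed by on_response_events()
        if op == "handshake":
            sess.state = DATA               # tunnel established: enter data transmission
        if op == "decrypt":
            sess.to_app.append(out)         # decrypted plaintext to the application layer (step g)
        else:
            sess.to_wire.append(out)        # negotiation message or ciphertext to TCP module (step l)

    def _start(self, sess: ProxySession, data: bytes, op: str) -> None:
        sess.job = self._job(sess, data, op)   # one outstanding request per session here
        next(sess.job)                         # runs until the request is submitted (step d)

    def run_sessions(self) -> None:
        """Step c: traverse the sessions and feed cached TCP data to the state machine."""
        for sess in self.sessions.values():
            if sess.job is None and sess.rx:
                self._start(sess, sess.rx.popleft(), "decrypt")

    def app_output(self, key: FiveTuple, plaintext: bytes) -> None:
        """Step h: the application layer returned processed plaintext; encrypt it for sending."""
        self._start(self.sessions[key], plaintext, "encrypt")

    def on_response_events(self) -> None:
        """Steps e/f: poll the response queue and resume each session where it was suspended."""
        while self.chip.responses:
            sid, _op, out = self.chip.responses.popleft()
            sess = self.sessions[sid]
            job, sess.job = sess.job, None
            try:
                job.send(out)               # restore the call stack position with the output data
            except StopIteration:
                pass


def run_demo() -> ProxySession:
    chip, key = FakeAccelChip(), ("10.0.0.1", "10.0.0.2", 51000, 443, 6)   # constructed 5-tuple
    proxy = SslProxy(chip)
    proxy.rx_packet(key, b"client-hello")                  # handshake record arrives (steps a/b)
    proxy.rx_packet(key, toy_cipher(b"GET / HTTP/1.1"))    # then a ciphertext application record
    for _ in range(2):                                     # two asynchronous round trips (c..f)
        proxy.run_sessions(); chip.tick(); proxy.on_response_events()
    proxy.app_output(key, b"HTTP/1.1 200 OK")              # application layer output (h..k)
    chip.tick(); proxy.on_response_events()
    return proxy.sessions[key]
```

After `run_demo()` the session has left the handshake state, its `to_app` list holds the decrypted request for the application module, and `to_wire` holds the negotiation message followed by the re-encrypted application output for the TCP module; the second segment is only decrypted after the first round trip has completed because the state machine refuses to treat data as application data while the tunnel is still negotiating.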
The embodiment is applicable to network devices (including but not limited to network traffic security devices, network data forwarding devices, network traffic analysis devices, network traffic management devices, such as FW/NGFW, IDS/IPS, WAF, ADC, BDS, router, etc.), and is also applicable to virtualized network functions or virtualized network devices, including but not limited to virtualized network traffic security functions or devices, virtualized network data forwarding functions or devices, virtualized network traffic analysis functions or devices, virtualized network traffic management functions or devices, such as vFW/vNGFW, vIDS/vIPS, vWAF, vADC, vBDS, vRouter, etc.
The system of the embodiment integrates user-mode network card driver message transceiving, a user-mode TCP/IP protocol stack and an SSL accelerator card, and designs a high-performance SSL agent at the architectural level, providing users with a high-performance, cost-effective SSL agent technical solution.
1. Wide application range: the method is suitable for various network devices, security devices, network function software and network security software on bare metal, virtualization and container platforms and the like.
2. Strong scalability: as the number of CPU cores increases and the SSL acceleration chip is enhanced, the performance of the SSL agent can increase linearly.
3. Significant performance improvement: the design framework brings a remarkable improvement in the new-connection rate of SSL proxy connection sessions and in their application data forwarding throughput.
The embodiment uses a technical design of the overall architecture of a user-mode high-performance SSL agent that integrates user-mode network card driver message transceiving, a user-mode TCP/IP protocol stack and an SSL acceleration card, and realizes the application of this general architecture in various network devices or security devices, network functions or security functions, network software or security software, and network platforms or security platforms. Here, the device/function/software/platform includes target subjects in various situations such as a physical environment, a virtualization environment and a container environment.
Fig. 7 is a schematic diagram of a device for processing protocol data according to an embodiment of the present invention. As shown in fig. 7, according to another aspect of the embodiment of the present invention, there is further provided a device for processing protocol data, including a user mode message transceiver module 72 and a user mode agent component 74, which are described in more detail below.
The user mode message transceiver module 72 is configured to receive a message of protocol data. The user mode agent component 74, connected to the user mode message transceiver module 72, is configured to forward the received message to the acceleration chip, receive the application layer data obtained after the acceleration chip encrypts and decrypts the message, and send the application layer data to a user mode application module.
With this device, the message of the protocol data is received by the user mode message receiving and sending module; the received message is forwarded to the acceleration chip through the user mode agent component; the application layer data obtained by the acceleration chip encrypting and decrypting the message is received through the user mode agent component; and the application layer data is sent to the user mode application module. Because the message is passed to the acceleration chip for encryption and decryption by the user mode agent component, and the message transceiving module and the agent component both run in user mode, the protocol data is processed by an integrated user-mode device, frequent switching of the message between user mode and kernel mode is avoided, and efficient data processing is achieved. This yields the technical effects of improving the processing efficiency of the protocol data, reducing the burden on the CPU (central processing unit) and reducing the occupation of CPU resources, and solves the technical problem in the related art that the secure socket layer (SSL) protocol processing of the operating system is inefficient, performs encryption and decryption computation on the CPU and consumes a great deal of CPU resources.
According to another aspect of the embodiments of the present invention, there is also provided a processor, where the processor is configured to execute a program, and the program, when executed, performs the processing method of protocol data in any one of the above.
According to another aspect of the embodiments of the present invention, there is also provided a computer storage medium, where the computer storage medium includes a stored program, and when the program runs, the apparatus in which the computer storage medium is located is controlled to execute the processing method of protocol data in any one of the above.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The above-described apparatus embodiments are merely illustrative, and for example, the division of the units may be a logical division, and in actual implementation, there may be another division, for example, multiple units or components may be combined or may be integrated into another system, or some features may be omitted, or may not be executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and decorations can be made without departing from the principle of the present invention, and these modifications and decorations should also be regarded as the protection scope of the present invention.

Claims (10)

1. A method for processing protocol data, comprising:
receiving a message of protocol data through a user mode message receiving and sending module;
forwarding the received message to an acceleration chip through a user mode agent component;
receiving application layer data obtained by encrypting and decrypting the message by the acceleration chip through a user mode agent component;
sending the application layer data to a user mode application module through a user mode agent component;
wherein the user mode agent component comprises a first user mode agent module and a second user mode agent module, and receiving, through the user mode agent component, the application layer data obtained by the acceleration chip encrypting and decrypting the message comprises:
polling an asynchronous encryption and decryption response queue of the acceleration chip through the second user mode agent module to acquire an asynchronous response event corresponding to the message, wherein the asynchronous response event corresponds to a second agent connection session for acquiring the message;
and generating the application layer data according to the asynchronous response event.
2. The method of claim 1, wherein forwarding the received message to the acceleration chip through the user mode agent component comprises:
receiving the message through the first user mode agent module;
storing the message in a first proxy connection session;
acquiring the message from the first agent connection session through the second user mode agent module;
and sending the message to the acceleration chip.
3. The method of claim 2, wherein storing the message in a first proxy connection session comprises:
determining a characteristic field of the message;
searching a corresponding first proxy connection session according to the characteristic field;
under the condition that the corresponding first proxy connection session cannot be found, the first proxy connection session corresponding to the characteristic field is created;
storing the message in the first proxy connection session.
4. The method of claim 2, wherein obtaining the message from the first proxy connection session via the second user mode proxy module comprises:
establishing a second proxy connection session between the first user mode proxy module and the second user mode proxy module;
and acquiring the message from the first proxy connection session through the second proxy connection session.
5. The method of claim 4, wherein sending the message to the acceleration chip comprises:
and sending an asynchronous encryption and decryption request for the message to the acceleration chip through the second user mode agent module, wherein the encryption and decryption request comprises the message, and the message is one of a plurality of messages in a queue.
6. The method of claim 5, wherein generating the application layer data from the asynchronous response event comprises:
acquiring the position of a call stack of the message when the asynchronous encryption and decryption request is sent;
determining output data of the asynchronous response event according to the position of the call stack, the asynchronous response event and the state of the second proxy connection session corresponding to the asynchronous response event;
and taking the output data as the application layer data when the state of the second proxy connection session is a data transmission state.
7. The method of claim 6, wherein after sending the application layer data to a user mode application module via a user mode agent component, further comprising:
receiving the processing data of the application layer through the second user mode agent module;
sending the processing data to the acceleration chip for encryption and decryption, and sending the encrypted and decrypted processing data to the first user mode agent module;
sending the encrypted and decrypted processing data to the user mode message receiving and sending module through the first user mode agent module;
and sending the processing data through the user mode message receiving and sending module.
8. The method of claim 7, wherein
taking the output data as the application layer data when the state of the second proxy connection session is the data transmission state comprises: taking the output data as the application layer data under the condition that the output data has been decrypted by the acceleration chip; and
sending the processing data to the acceleration chip for encryption and decryption, and sending the encrypted and decrypted processing data to the first user mode agent module comprises: sending the processing data to the acceleration chip for encryption, and sending the encrypted processing data to the first user mode agent module.
9. An apparatus for processing protocol data, comprising:
the user mode message receiving and sending module is used for receiving the message of the protocol data;
the user mode agent component is used for forwarding the received message to the acceleration chip;
receiving the application layer data after the acceleration chip encrypts and decrypts the message;
sending the application layer data to a user mode application module;
wherein the user mode agent component comprises a first user mode agent module and a second user mode agent module, and receiving the application layer data obtained by the acceleration chip encrypting and decrypting the message comprises:
polling an asynchronous encryption and decryption response queue of the acceleration chip through the second user mode agent module to acquire an asynchronous response event corresponding to the message, wherein the asynchronous response event corresponds to a second agent connection session for acquiring the message;
and generating the application layer data according to the asynchronous response event.
10. A processor, characterized in that the processor is configured to execute a program, wherein the program, when executed, performs the method for processing protocol data according to any one of claims 1 to 8.
CN202111057065.6A 2021-09-09 2021-09-09 Protocol data processing method and device Active CN113810397B (en)

Publications (2)

Publication Number Publication Date
CN113810397A CN113810397A (en) 2021-12-17
CN113810397B true CN113810397B (en) 2023-04-18



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant