CN113872865A - Message data distribution method and device, computer equipment and storage medium - Google Patents


Info

Publication number
CN113872865A
Application number
CN202111183075.4A
Authority
CN (China)
Other languages
Chinese (zh)
Legal status
Pending
Prior art keywords
message data, data, processed, receiving end, security
Inventors
冯国聪
赖宇阳
邓建锋
张丽娟
吴昊
王依云
Current assignee
Southern Power Grid Digital Grid Research Institute Co Ltd
Original assignee
Southern Power Grid Digital Grid Research Institute Co Ltd
Events
Application filed by Southern Power Grid Digital Grid Research Institute Co Ltd
Priority to CN202111183075.4A
Publication of CN113872865A

Classifications

    • H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L 47/00 Traffic control in data switching networks / H04L 47/10 Flow control; Congestion control / H04L 47/12 Avoiding congestion; Recovering from congestion / H04L 47/125 Avoiding congestion; Recovering from congestion by balancing the load, e.g. traffic engineering
        • H04L 45/00 Routing or path finding of packets in data switching networks / H04L 45/22 Alternate routing
        • H04L 45/00 Routing or path finding of packets in data switching networks / H04L 45/74 Address processing for routing
        • H04L 63/00 Network architectures or network communication protocols for network security / H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
        • H04L 63/00 Network architectures or network communication protocols for network security / H04L 63/16 Implementing security features at a particular protocol layer / H04L 63/164 Implementing security features at a particular protocol layer at the network layer


Abstract

The application relates to a message data distribution method and device, a computer device and a storage medium. The method comprises the following steps: acquiring message data sent by a sending end, the message data comprising a message data identifier and a target address of a receiving end, the message data being sent by the sending end to the receiving end via the configured interface IP address of the link load balancing device; determining a data processing mode for the message data based on the message data identifier; processing the message data according to that mode to obtain processed message data, the processed message data carrying a data distribution mode; and sending the processed message data to the receiving end according to the data distribution mode and the target address of the receiving end. With this method, different distribution modes can be matched to different types of message and the messages transmitted in those modes, so that link load traffic is distributed evenly while access speed is maintained, and the security of the data transmission is improved.

Description

Message data distribution method and device, computer equipment and storage medium
Technical Field
The present application relates to the field of network transmission technologies, and in particular to a message data distribution method and device, a computer device, and a storage medium.
Background
IPsec (Internet Protocol Security) is a suite of protocols that protects IP traffic by authenticating and encrypting IP packets. Since every host that supports TCP/IP passes its traffic through the IP layer, providing security at the IP layer provides a secure communication basis for the entire network. IPsec offers two security mechanisms: authentication (the Authentication Header, AH) and encryption (the Encapsulating Security Payload, ESP, which can also carry its own integrity check). The authentication mechanism lets the receiver of an IP communication confirm the real identity of the sender and detect whether the data was tampered with in transit. The encryption mechanism guarantees confidentiality by encrypting the data so that it cannot be read if it is intercepted in transit.
During data transmission, some network environments allocate traffic to each link by destination-address matching and DNS control; once access speed increases, the traffic allocated to the links easily becomes unbalanced.
Disclosure of Invention
In view of the foregoing, it is necessary to provide a message data distribution method, a message data distribution device, a computer device, and a storage medium.
A message data distribution method comprises the following steps:
acquiring message data sent by a sending end, the message data comprising a message data identifier and a target address of a receiving end, the message data being sent by the sending end to the receiving end via the configured interface IP address of the link load balancing device;
determining a data processing mode for the message data based on the message data identifier;
processing the message data according to the data processing mode to obtain processed message data, the processed message data carrying a data distribution mode;
and sending the processed message data to the receiving end according to the data distribution mode and the target address of the receiving end.
In one embodiment, determining the data processing mode of the message data based on the message data identifier includes:
determining, according to the message data identifier, the template bound to the link that carries the message data;
and determining the data processing mode of the message data based on that template, the data processing mode including IPsec processing of the message data.
In one embodiment, processing the message data according to the data processing mode to obtain processed message data includes:
inserting an Authentication Header into the message data and re-encapsulating it to obtain the processed message data;
the Authentication Header (AH) is a sub-protocol of IPsec; the AH contains a Next Header field indicating the protocol type of the header that follows the AH, and that field corresponds to the data distribution mode of the message data.
In one embodiment, the data distribution mode includes:
a transport mode and a tunnel mode; transport mode protects the higher-layer protocol data within the message data, and tunnel mode protects the entire original IP packet.
In one embodiment, after processing the message data according to the data processing mode to obtain the processed message data, and before sending the processed message data to the receiving end according to the data distribution mode and the target address of the receiving end, the method further includes:
backing up the processed message data using the security policy corresponding to the processed message data.
In one embodiment, after sending the processed message data to the receiving end according to the data distribution mode and the target address of the receiving end, the method further includes:
the receiving end, after receiving the processed message data, verifying it to determine whether the processed message data has been tampered with;
if verification passes, restoring the processed message data (recovering the original message data), and if verification fails, discarding the processed message data.
In one embodiment, the receiving end verifying the processed message data after receiving it includes:
the receiving end, after receiving the processed message data, determining the security association (SA) information corresponding to the processed message data;
querying that security association information in a security association database (SAD);
when the security association information matches, querying a security policy database (SPD) based on the security association information for the corresponding security policy;
if a security policy corresponding to the security association information exists, determining that verification passes, and if none exists, determining that verification fails;
the security association database stores preset security association information, and the security policy database stores the preset security policies corresponding to that security association information.
A message data distribution device, the device comprising:
a message data acquisition module, used to acquire message data sent by a sending end, the message data comprising a message data identifier and a target address of a receiving end, the message data being sent by the sending end to the receiving end via the configured interface IP address of the link load balancing device;
a data processing mode determination module, used to determine the data processing mode of the message data based on the message data identifier;
a message data processing module, used to process the message data according to the data processing mode to obtain processed message data, the processed message data carrying a data distribution mode;
and a message data sending module, used to send the processed message data to the receiving end according to the data distribution mode and the target address of the receiving end.
A computer device comprising a memory storing a computer program and a processor that implements the steps of the above method when executing the computer program.
A computer-readable storage medium on which a computer program is stored which, when executed by a processor, carries out the steps of the above method.
With the message data distribution method and device, computer device and storage medium described above, message data sent by a sending end is first acquired, the message data comprising a message data identifier and a target address of a receiving end; a data processing mode for the message data is determined based on the identifier; the message data is then processed according to that mode to obtain processed message data; and finally the processed message data is sent to the receiving end according to the data distribution mode carried in the processed message data and the target address of the receiving end. With the method of the embodiments of the application, when a large number of messages must be transmitted, different distribution modes can be matched to different types of message and the messages transmitted through those modes, which improves the protocol stack's capacity for processing messages, maintains access speed, and distributes link load traffic evenly.
Drawings
Fig. 1 is an application environment diagram of a message data distribution method in an embodiment;
Fig. 2 is a schematic flow chart of a message data distribution method in an embodiment;
Fig. 3 is a flow chart of the steps of determining the data processing mode of message data based on the message data identifier in an embodiment;
Fig. 4 is a schematic flow chart of a message data distribution method in another embodiment;
Fig. 5 is a block diagram of a message data distribution device in an embodiment;
Fig. 6 is a diagram of the internal structure of a computer device in an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The message data distribution method provided by the application can be applied in the environment shown in Fig. 1. The sending end 102, the gateway 103 and the receiving end 104 communicate with each other over a network. The sending end 102 may encapsulate the message to be transmitted, the message data identifier and the destination address of the receiving end 104 together into message data; the gateway 103 acquires the message data sent by the terminal via the interface IP address of the link load balancing device, determines the data processing mode of the message data based on the message data identifier, processes the message data according to that mode to obtain processed message data carrying a data distribution mode, and sends the processed message data to the destination address of the receiving end 104 according to the data distribution mode and that destination address. The sending end 102 and the receiving end 104 may be, without limitation, personal computers, notebook computers, smartphones, tablets and portable wearable devices; the gateway 103 may be, without limitation, a router, a server running a routing protocol, or a proxy server, and is configured with a link load balancing device.
In one embodiment, as shown in Fig. 2, a message data distribution method is provided. It is described by taking as an example its application to the gateway in Fig. 1, and includes the following steps:
step 202, obtaining message data sent by a sending end, the message data comprising a message data identifier and a target address of a receiving end; the message data is sent by the sending end to the receiving end via the configured interface IP address of the link load balancing device.
The message data is a data block containing the data to be transmitted by the sending end together with a message data identifier and the destination address of the receiving end.
The sending end sends the message data to the receiving end via the configured interface IP address of the link load balancing device as follows: the sending end sends the message data according to the destination address of the receiving end; when the message data reaches the static or dynamic routing stage, the router compares the destination address in the message data with an address table pre-established in the switch and determines the interface IP address of the link load balancing device corresponding to that destination, and the link load balancing device then distributes the message data onto a suitable physical link. The link load balancing device is a device that balances load across multiple network links with a dynamic algorithm, distributing the message data to be transmitted over several physical links according to how congested each link is.
Specifically, the gateway obtains the message data sent by the sending end, the message data comprising a message data identifier and a target address of the receiving end, the message data having been sent by the sending end to the receiving end via the configured interface IP address of the link load balancing device.
step 204, determining a data processing mode for the message data based on the message data identifier.
The message data identifier is identification information from which the security protocol to be used for the message data can be determined, such as a Security Parameter Index (SPI) and a security protocol identifier; in other words, the message data identifier encodes the data processing mode of the message data.
The data processing mode is the security-protocol processing applied to protect the message data; processing the message data with a network security protocol effectively ensures its security during network transmission.
Specifically, after the message data sent by the sending end is obtained, the data processing mode of the message data, that is, which security protocol should be used to send it, is determined from the message data identifier carried in the message data.
step 206, processing the message data according to the data processing mode to obtain processed message data, the processed message data carrying a data distribution mode.
The data distribution mode is the forwarding mode of the processed message data.
Specifically, once the security protocol to be used for the message data has been determined, the security-protocol information and the message data are re-encapsulated to obtain the processed message data; the security-protocol information includes the forwarding mode of the processed message data.
step 208, sending the processed message data to the receiving end according to the data distribution mode and the target address of the receiving end.
The destination address of the receiving end is the receiving end's address and may be a MAC address or an IP address. A MAC (Media Access Control) address, also called a LAN address, Ethernet address or physical address, uniquely identifies a network interface card; if a device has several network cards, each needs its own unique MAC address. A MAC address is 48 bits (6 bytes): the first 24 bits are allocated by the IEEE (Institute of Electrical and Electronics Engineers), and the last 24 bits are assigned by the manufacturer that produces the network device. An IP (Internet Protocol) address is the uniform address format provided by the IP protocol; it assigns a logical address to every network and every host on the Internet, masking differences between physical addresses.
Specifically, the unique receiving end is determined from the target address carried in the processed message data, the mode in which the processed message data is to be transmitted is determined from the data distribution mode information it carries, and the processed message data is sent to the corresponding receiving end in that mode.
In this embodiment, the message data distribution method first obtains message data sent by a sending end, the message data comprising a message data identifier and a destination address of a receiving end; determines a data processing mode for the message data based on the identifier; then processes the message data according to that mode to obtain processed message data; and finally sends the processed message data to the receiving end according to the data distribution mode carried in the processed message data and the destination address of the receiving end. With the method of the embodiments of the application, when a large number of messages must be transmitted, different distribution modes can be matched to different types of message and the messages transmitted through those modes, improving the protocol stack's capacity for processing messages and distributing link load traffic evenly while maintaining access speed.
In a specific embodiment, as shown in Fig. 3, step 204, determining a data processing mode for the message data based on the message data identifier, includes the following steps:
step 301, determining, according to the message data identifier, the template bound to the link that carries the message data;
Loading the link-bound template for the message data proceeds as follows: the link gateway establishes a simplex (one-way) connection with the receiving end and fixes, for the message, the security protocol, the cryptographic algorithms, the keys and the key lifetime (in IPsec terms, a security association). The cryptographic algorithms and keys include the message authentication code algorithm and its key, the encryption algorithm and its key, and the initialization vector (IV).
Specifically, the template to be bound to the link gateway where the message data sits is selected according to the message data identifier, and the simplex connection between that link gateway and the receiving end is established based on the template corresponding to the message data identifier.
step 302, determining the data processing mode of the message data based on the template, the data processing mode including IPsec processing of the message data.
IPsec (Internet Protocol Security) is a suite of protocols that protects IP traffic by authenticating and encrypting IP packets. Since every host that supports TCP/IP passes its traffic through the IP layer, providing security at the IP layer provides a secure communication basis for the entire network. IPsec offers two security mechanisms: authentication (AH) and encryption (ESP). The authentication mechanism lets the receiver of an IP communication confirm the real identity of the sender and detect whether the data was tampered with in transit; the encryption mechanism guarantees confidentiality by encrypting the data so that it cannot be read if intercepted. TCP/IP (Transmission Control Protocol/Internet Protocol) refers to a protocol family that enables information transfer between many different networks; it is not just the two protocols TCP and IP but the whole family, including FTP, SMTP, TCP, UDP and IP, and is named after TCP and IP because they are the most representative members.
Specifically, the template bound to the link gateway where the message data sits is determined from the message data identifier, and the IPsec processing required to transmit the message data is decided from the template.
In this embodiment, by binding a template to the link that carries the message data and then deciding from the template that the message data requires IPsec processing, several different message data can be processed at the same time, improving the protocol stack's capacity for processing message data.
In one embodiment, step 206, processing the message data according to the data processing mode to obtain processed message data, includes:
inserting an Authentication Header into the message data and re-encapsulating it to obtain the processed message data; the Authentication Header (AH) is a sub-protocol of IPsec, the AH contains a Next Header field indicating the protocol type of the header that follows the AH, and that field corresponds to the data distribution mode of the message data. Preferably, the data distribution mode includes a transport mode and a tunnel mode: transport mode protects the higher-layer protocol data in the processed message data, and tunnel mode protects the entire original IP packet.
The Authentication Header (AH) is one of the main IPsec protocols. It ensures the integrity and authenticity of packets in transit and prevents an attacker from intercepting packets or injecting forged packets into the network. The AH carries a keyed hash, the integrity check value (ICV), which can be regarded as a digital signature except that it relies on a shared key rather than a certificate; the ICV is computed over the whole packet, so any modification of the processed message data invalidates it and the integrity of the processed message data is guaranteed. Two practical consequences follow: because the ICV also covers the IP header, fields that legitimately change in transit (TTL, header checksum, DSCP) are excluded from the calculation, while any address rewriting by a NAT device invalidates the ICV; and AH provides integrity and origin authentication only, not confidentiality, so the payload remains readable on the wire.
Specifically, after the template bound to the link gateway where the message data sits has determined from the message data identifier that the message data requires IPsec processing, the template generates the authentication header information from the message data, inserts the Authentication Header into the message data and re-encapsulates it to obtain the processed message data. The Authentication Header contains a Next Header field indicating the protocol type of the header that follows the AH. If that field indicates TCP (Transmission Control Protocol), the processed message data is sent in transport mode: the AH is inserted between the original IP header of the message data and the TCP header, and the packet is re-encapsulated. If the field indicates IP, the processed message data is sent in tunnel mode: a new IP header and the AH are inserted before the original IP header of the message data, and the packet is re-encapsulated.
In this embodiment, by inserting the Authentication Header into the message data, the message data to be transmitted is protected by the authentication protocol of IPsec, so that tampering with the message data in transit can be effectively detected and prevented.
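The encapsulation described in this embodiment, together with the receiving end's check of the next embodiment (restore on success, discard on tampering), as an added example that is not part of the patent: a Python implementation of AH (RFC 4302) in transport and tunnel mode. HMAC-SHA-256-128 is an assumed choice of integrity algorithm, and the keys, addresses, SPIs and TCP payload are constructed for the demonstration; the names AhSA, ah_protect and ah_verify are the example's own. The receiving side decides the mode from the AH Next Header field exactly as the text describes (6 = a TCP header follows, transport mode; 4 = an IP header follows, tunnel mode) and recovers the original datagram accordingly.

```python
"""Constructed example (not the patent's code): IPsec AH (RFC 4302) in transport and
tunnel mode, with HMAC-SHA-256-128 (RFC 4868) as the assumed integrity algorithm."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_AH = 4, 6, 51
AH_FIXED_LEN = 12      # Next Header, Payload Len, Reserved, SPI, Sequence Number
ICV_LEN = 16           # HMAC-SHA-256-128 truncates the MAC to 128 bits

def ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))

def with_checksum(hdr: bytes) -> bytes:
    """Fill in the checksum of a 20-byte IPv4 header (no options)."""
    s = sum(struct.unpack("!10H", hdr[:10] + b"\x00\x00" + hdr[12:]))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return hdr[:10] + struct.pack("!H", ~s & 0xFFFF) + hdr[12:]

def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    return with_checksum(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                                     0x1234, 0x4000, ttl, proto, 0, src, dst))

def patch_header(hdr: bytes, proto: int, payload_len: int) -> bytes:
    """Keep an existing header but change its protocol and total length."""
    b = bytearray(hdr)
    b[9] = proto
    b[2:4] = struct.pack("!H", 20 + payload_len)
    return with_checksum(bytes(b))

def zero_mutable(hdr: bytes) -> bytes:
    """RFC 4302 3.3.3.1.1.1: TOS, Flags, TTL and Header Checksum may change in transit,
    so they are zeroed before the ICV is computed; every other field is covered."""
    b = bytearray(hdr)
    b[1] = 0                   # DSCP/ECN
    b[6] &= 0x1F               # the three flag bits; fragment offset (always 0) stays
    b[8] = 0                   # TTL
    b[10:12] = b"\x00\x00"     # header checksum
    return bytes(b)

def compute_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, rest: bytes) -> bytes:
    """The ICV covers the IP header, the AH with its own ICV field zeroed, and
    everything after the AH (the TCP segment or the inner IP packet)."""
    data = zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + rest
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]

@dataclass
class AhSA:
    """The link-bound template of the text: SPI, algorithm key and mode (constructed)."""
    spi: int
    key: bytes
    mode: str                  # "transport" or "tunnel"
    tunnel_src: bytes = b""    # outer addresses, tunnel mode only
    tunnel_dst: bytes = b""

def ah_protect(sa: AhSA, packet: bytes, seq: int) -> bytes:
    """Gateway side: insert the AH. Its Next Header field records the mode:
    6 means a TCP header follows (transport), 4 means an IP header follows (tunnel)."""
    orig_hdr, payload = packet[:20], packet[20:]
    if sa.mode == "transport":
        next_hdr, rest = orig_hdr[9], payload
        ip_hdr = patch_header(orig_hdr, IPPROTO_AH, AH_FIXED_LEN + ICV_LEN + len(rest))
    else:
        next_hdr, rest = IPPROTO_IPIP, packet
        ip_hdr = ipv4_header(sa.tunnel_src, sa.tunnel_dst, IPPROTO_AH,
                             AH_FIXED_LEN + ICV_LEN + len(rest))
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2   # AH length in 32-bit words, minus 2
    ah_fixed = struct.pack("!BBHII", next_hdr, payload_len, 0, sa.spi, seq)
    return ip_hdr + ah_fixed + compute_icv(sa.key, ip_hdr, ah_fixed, rest) + rest

def ah_verify(sad: dict, packet: bytes) -> tuple:
    """Receiving end: find the SA by SPI, check the ICV, restore the original datagram.
    Returns (mode, restored_packet), or ("discard", reason) when verification fails."""
    ip_hdr, ah_fixed = packet[:20], packet[20:20 + AH_FIXED_LEN]
    if ip_hdr[9] != IPPROTO_AH:
        return "discard", "not an AH packet"
    next_hdr, payload_len, _, spi, _seq = struct.unpack("!BBHII", ah_fixed)
    ah_end = 20 + (payload_len + 2) * 4
    icv, rest = packet[20 + AH_FIXED_LEN:ah_end], packet[ah_end:]
    sa = sad.get(spi)
    if sa is None:
        return "discard", f"no SA for SPI {spi:#x}"
    if not hmac.compare_digest(icv, compute_icv(sa.key, ip_hdr, ah_fixed, rest)):
        return "discard", "ICV mismatch: packet was tampered with in transit"
    if next_hdr == IPPROTO_IPIP:       # tunnel mode: the inner datagram is complete
        return "tunnel", rest
    return "transport", patch_header(ip_hdr, next_hdr, len(rest)) + rest

# Constructed sample data: one SA per mode and a small TCP segment to protect.
SAD = {0x1001: AhSA(0x1001, b"\x0b" * 32, "transport"),
       0x2002: AhSA(0x2002, b"\x0c" * 32, "tunnel", ip("203.0.113.1"), ip("198.51.100.9"))}
TCP_SEGMENT = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x18, 65535, 0, 0) + b"GET / HTTP/1.1\r\n"
PLAIN = ipv4_header(ip("10.0.0.1"), ip("10.0.1.2"), IPPROTO_TCP, len(TCP_SEGMENT)) + TCP_SEGMENT
```

ah_protect(SAD[0x1001], PLAIN, 1) yields a packet whose AH Next Header is 6 and which is 28 bytes longer than PLAIN; ah_protect(SAD[0x2002], PLAIN, 1) yields one with Next Header 4 and the new outer addresses. ah_verify recovers PLAIN from both, still accepts a packet whose TTL was decremented by a router (TTL is excluded from the ICV), and returns "discard" when a payload byte is flipped or the SPI is unknown.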
In a specific embodiment, as shown in Fig. 4, the message data distribution method includes:
step 402, obtaining message data sent by a sending end, the message data comprising a message data identifier and a target address of a receiving end; the message data is sent by the sending end to the receiving end via the configured interface IP address of the link load balancing device.
step 404, determining a data processing mode for the message data based on the message data identifier.
step 406, processing the message data according to the data processing mode to obtain processed message data, the processed message data carrying a data distribution mode.
step 408, backing up the processed message data using the security policy corresponding to the processed message data.
A security policy (SP) is a set of rules answering a security requirement: it determines which communications are protected and what protection they receive. Security policies are usually kept in a security policy database (SPD), in which each record is one security policy, and security association management tasks may be set up to create and delete security associations. When IPsec is applied to protect the message data, the security policy points to a security association or a security association bundle. The policy database is typically maintained on a policy server, which holds the policy database for all nodes (hosts and routers) in the domain; each node may copy the policy database locally or fetch policies dynamically through LDAP.
Specifically, the processed message data is backed up according to the security policy corresponding to the message data processed by IPsec.
step 410, sending the processed message data to the receiving end according to the data distribution mode and the target address of the receiving end.
In this embodiment, the processed message data is backed up according to the protection information given in the security policy corresponding to it, so that a protected copy is retained: tampering with the message data in transit can be detected against it, and the backup is available when a transmission error requires retransmission.
In one embodiment, after step 208, sending the processed message data to the receiving end according to the data distribution mode and the destination address of the receiving end, the method further includes:
the receiving end, after receiving the processed message data, verifying it to determine whether the processed message data has been tampered with; if verification passes, the processed message data is restored, and if verification fails, the processed message data is discarded.
Specifically, after receiving the processed message data, the receiving end verifies it under the security protocol according to the security-protocol information carried in the processed message data, and so determines whether the message data has been tampered with. If the security-protocol information carried in the processed message data conforms to the protection policy of the security protocol, the receiving end treats verification as passed and restores the processed message data; if it does not conform, verification is treated as failed and the processed message data is discarded.
In this embodiment, after receiving message data processed by IPsec, the receiving end verifies it against the corresponding protocol content and handles the received message data according to the result. With this transmission method no manual judgement is needed as to whether message data has been tampered with, and the message data is processed efficiently.
In a specific embodiment, verifying the processed message data comprises the following steps: after receiving the processed message data, the receiving end determines the security association information corresponding to it; queries that security association information in a security association database; when the security association information is matched, queries a security policy database based on the security association information to find the security policy corresponding to it; if a security policy corresponding to the security association information exists, the verification is determined to have passed, and if no such security policy exists, the verification is determined to have failed. The security association database stores preset security association information, and the security policy database stores preset security policies corresponding to the preset security association information.
A Security Association (SA) is unidirectional: it is a logical connection established between two entities (hosts or routers) that use the Internet security protocol, and it defines how the entities communicate using security services (e.g. encryption), specifying the algorithms and key lengths used between the entities and the actual keys themselves.
Specifically, the receiving end obtains the security association information corresponding to the processed message data from the template information of the link that carries the processed message data.
Entries in the Security Association Database (SAD) define the parameters of each security association. Every security association should have a record entry in the security association database.
Specifically, the security association database is queried for the security association corresponding to the processed message data; if security association information corresponding to the processed message data exists in the security association database, the security policy database is then queried based on that security association information.
Specifically, the security policy database is queried according to the security association information corresponding to the processed message data to see whether a corresponding security policy exists. If it exists, the verification is determined to have passed, i.e. the processed message data is treated as not having been tampered with during transmission; if it does not exist, the verification is determined to have failed, i.e. the processed message data is treated as having been tampered with during transmission. In IPsec terms, the SAD and SPD lookups establish which SA and which policy the packet must be processed under; the integrity check value (ICV) carried in the AH or ESP header and computed under that SA is what actually detects modification of the packet contents, so a practical receiver performs both lookups and then checks the ICV before accepting the packet.
In this embodiment, the message data is verified using the security association and security policy content of the Internet security protocol, which makes it more effective to determine whether the message data has been tampered with during transmission.
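The receiver-side check described above, as an added example (not code from the patent or its applicant): an AH-protected packet is looked up in the SAD by (SPI, destination, protocol), the SA's policy is looked up in the SPD, and only then is the ICV verified, which is the step that detects tampering. AH layout follows RFC 4302 and the HMAC-SHA-256-128 ICV follows RFC 4868; the SAD/SPD contents, keys, addresses and payload are constructed test data.

```python
"""Receiver-side verification of an AH-protected packet: SAD lookup, SPD lookup,
then ICV check. Added example; SAD/SPD entries, keys and payload are constructed."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

IPPROTO_TCP = 6
IPPROTO_AH = 51
AH_FIXED_LEN = 12   # Next Header, Payload Len, Reserved, SPI, Sequence Number
ICV_LEN = 16        # HMAC-SHA-256-128: ICV truncated to 128 bits


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int
    dst: str
    key: bytes       # integrity key agreed out of band; never carried in the packet
    policy_id: str   # SPD entry this SA was created to satisfy


# SAD keyed by (SPI, destination address, protocol), as in RFC 4301 section 4.4.2.
SAD = {
    (0x1001, "10.0.0.2", IPPROTO_AH): SecurityAssociation(0x1001, "10.0.0.2", b"k" * 32, "pol-a"),
    (0x1002, "10.0.0.2", IPPROTO_AH): SecurityAssociation(0x1002, "10.0.0.2", b"m" * 32, "pol-gone"),
}
# SPD: "pol-gone" is deliberately absent to exercise the "no policy" branch.
SPD = {"pol-a": {"action": "PROTECT", "protocol": IPPROTO_AH}}


def _icv(sa, ah_fixed, payload):
    """ICV over the AH header (ICV field zeroed) plus the protected payload."""
    return hmac.new(sa.key, ah_fixed + bytes(ICV_LEN) + payload, hashlib.sha256).digest()[:ICV_LEN]


def build_ah_packet(sa, seq, next_header, payload):
    """AH header followed by the payload; next_header names the protocol that follows AH."""
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2      # AH length in 32-bit words minus 2
    ah_fixed = struct.pack("!BBHII", next_header, payload_len, 0, sa.spi, seq)
    return ah_fixed + _icv(sa, ah_fixed, payload) + payload


def verify_ah_packet(dst, packet):
    """Return (ok, reason, next_header, payload) after SAD lookup, SPD lookup and ICV check."""
    if len(packet) < AH_FIXED_LEN + ICV_LEN:
        return False, "truncated", None, b""
    ah_fixed = packet[:AH_FIXED_LEN]
    next_header, _, _, spi, _seq = struct.unpack("!BBHII", ah_fixed)
    sa = SAD.get((spi, dst, IPPROTO_AH))
    if sa is None:
        return False, "no SA in SAD", None, b""
    policy = SPD.get(sa.policy_id)
    if policy is None or policy["action"] != "PROTECT":
        return False, "no matching SPD policy", None, b""
    icv = packet[AH_FIXED_LEN:AH_FIXED_LEN + ICV_LEN]
    payload = packet[AH_FIXED_LEN + ICV_LEN:]
    if not hmac.compare_digest(icv, _icv(sa, ah_fixed, payload)):
        return False, "ICV mismatch (tampered)", None, b""
    # "restore": the payload is handed to the protocol named by Next Header.
    return True, "ok", next_header, payload


if __name__ == "__main__":
    sa = SAD[(0x1001, "10.0.0.2", IPPROTO_AH)]
    good = build_ah_packet(sa, 1, IPPROTO_TCP, b"GET / HTTP/1.0\r\n")
    print(verify_ah_packet("10.0.0.2", good))
    print(verify_ah_packet("10.0.0.2", good[:-1] + b"?"))
```

A missing SA or missing policy is a drop, not a "tampered" verdict: RFC 4301 treats both as auditable events, and the ICV comparison uses a constant-time compare so that a forger learns nothing from timing.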
In an embodiment, after step 208 sends the processed packet data to the receiving end according to the data splitting mode and the destination address of the receiving end, the method further includes: verifying the processed message data with a sliding window mechanism to prevent replay attacks.
A replay attack (also called a playback attack) is one in which an attacker re-sends a packet that the destination host has already received in order to deceive the system; it is mainly used against identity authentication, to undermine the correctness of the authentication. A replay can be carried out by the original initiator or by an adversary that intercepts the data and retransmits it: the attacker captures an authentication credential by network sniffing or other means and later resends it to the authentication server. Replay attacks can occur in any network communication and are one of the common attack methods used by attackers.
Specifically, when data is processed with the Internet security protocol, a unique sequence number is generated to identify the processed message data; the sequence number is stored in the inserted security protocol header (AH or ESP) and encapsulated together with the message data to form the processed message data. After receiving the processed message data, the receiving end checks the sequence number with a sliding window mechanism: it compares the sequence number with the sequence numbers already received within the window, determines whether the message data corresponding to that sequence number has already been received (or falls below the window), and discards the processed message data if so.
In this embodiment, verifying the processed message data with a sliding window mechanism effectively prevents replay attacks during message data transmission, saves system resources, and ensures the security of message data transmission.
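The sliding window check described above, as an added example (not the patent's code), following the bitmap algorithm of RFC 4303 section 3.4.3 and Appendix A. The window size and the sequence of constructed packets are test values; `icv_ok` stands in for the outcome of the integrity check, which a real receiver performs between the window check and the window update.

```python
"""Anti-replay sliding window for IPsec sequence numbers. Added example;
window size and the arriving sequence numbers are constructed test values."""


class AntiReplayWindow:
    def __init__(self, size=64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = size
        self.top = 0        # highest sequence number accepted so far (right edge)
        self.bitmap = 0     # bit i set => sequence number (top - i) already seen

    def check(self, seq):
        """True if seq is fresh and may be accepted. Sequence number 0 is never valid."""
        if seq == 0:
            return False
        if seq > self.top:          # to the right of the window: new
            return True
        diff = self.top - seq
        if diff >= self.size:       # to the left of the window: too old
            return False
        return not (self.bitmap >> diff) & 1

    def update(self, seq):
        """Slide or mark the window; call only after the packet's ICV verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq, icv_ok=True):
        """Full receive path: replay check, integrity check, then window update."""
        if not self.check(seq):
            return "discard: replayed or outside window"
        if not icv_ok:
            return "discard: bad ICV"
        self.update(seq)
        return "accept"


if __name__ == "__main__":
    w = AntiReplayWindow(64)
    for seq in (1, 1, 5, 3, 3, 100, 36, 37, 0):
        print(seq, w.receive(seq))
```

The order matters: the window is consulted before the ICV is computed, so obvious replays cost no cryptography, and it is advanced only after the ICV verifies, so an attacker cannot push the right edge forward with forged packets and cause legitimate ones to be dropped.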
In one embodiment, the message data is processed using the Internet security protocol, and may be processed with the encryption protocol instead of, or in combination with, the authentication protocol.
The encryption protocol, Encapsulating Security Payload (ESP), is the other major protocol of the IPsec architecture and is designed to provide a combination of security services in IPv4 and IPv6. When the encryption protocol is used, confidentiality is provided by encrypting the data that needs to be protected and placing the encrypted data in the payload portion of the ESP packet; integrity is provided by the integrity check value that ESP appends over the ESP header and the encrypted payload.
Specifically, if it is determined that the message data needs to be processed with the encryption protocol, an encryption protocol header is inserted into the message data and the result is encapsulated; if the message data needs to be processed with both the authentication protocol and the encryption protocol, an authentication protocol header and an encryption protocol header are both inserted into the message data (the authentication header placed outside the ESP header, so that it covers the ESP-protected data) and the result is encapsulated.
In this embodiment, the message data is protected with the encryption protocol alone or in combination. The encryption protocol combines the message data with the secret key through an encryption algorithm, converting the data into an encrypted form, so that message data intercepted during transmission cannot be read. This provides a reliability guarantee for the transmission of message data and makes the message data safer in transit.
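ESP encapsulation in the two modes the claims name (transport mode protecting only the upper-layer data, tunnel mode protecting the whole original IP packet under a new outer header), as an added example that is not the patent's code. Framing follows RFC 4303 (SPI, sequence number, padding, Pad Length, Next Header, ICV). The cipher is a stand-in: a counter-mode keystream derived from HMAC-SHA-256, used only so the example runs on the standard library; a real stack uses AES-GCM or AES-CBC with HMAC. Addresses, keys and the TCP segment are constructed test values.

```python
"""ESP in transport and tunnel mode with verify-then-decrypt on receipt.
Added example; the keystream cipher is a stand-in and all inputs are constructed."""
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP = 4, 6, 50
ICV_LEN = 16   # truncated HMAC-SHA-256 ICV over SPI, sequence number and ciphertext


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = sum(struct.unpack("!10H", hdr))
    while csum >> 16:
        csum = (csum >> 16) + (csum & 0xFFFF)
    return hdr[:10] + struct.pack("!H", (~csum) & 0xFFFF) + hdr[12:]


def keystream(key, spi, seq, length):
    """Stand-in stream cipher: HMAC-SHA-256(key, SPI || seq || block counter) blocks."""
    out, n = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, n), hashlib.sha256).digest()
        n += 1
    return out[:length]


def esp_encapsulate(enc_key, auth_key, spi, seq, next_header, inner):
    """SPI | Seq | encrypted(inner | padding | Pad Length | Next Header) | ICV."""
    pad_len = (-(len(inner) + 2)) % 4          # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))     # default ESP padding pattern 1, 2, 3, ...
    plaintext = inner + padding + bytes([pad_len, next_header])
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, spi, seq, len(plaintext))))
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + ciphertext + icv


def esp_decapsulate(enc_key, auth_key, esp):
    """Check the ICV first (reject before touching ciphertext), then decrypt and strip the trailer."""
    if len(esp) < 8 + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    header, body, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch")
    spi, seq = struct.unpack("!II", header)
    plaintext = bytes(c ^ k for c, k in zip(body, keystream(enc_key, spi, seq, len(body))))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    return next_header, plaintext[:len(plaintext) - 2 - pad_len]


def protect_transport(enc_key, auth_key, spi, seq, src, dst, tcp_segment):
    """Transport mode: the original IP header stays; only the upper-layer data is protected."""
    esp = esp_encapsulate(enc_key, auth_key, spi, seq, IPPROTO_TCP, tcp_segment)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def protect_tunnel(enc_key, auth_key, spi, seq, gw_src, gw_dst, inner_ip_packet):
    """Tunnel mode: the whole original IP packet is protected under a new outer IP header."""
    esp = esp_encapsulate(enc_key, auth_key, spi, seq, IPPROTO_IPIP, inner_ip_packet)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


if __name__ == "__main__":
    ek, ak = b"e" * 32, b"a" * 32
    seg = b"\x00\x50\x1f\x90GET / HTTP/1.0\r\n"           # constructed TCP segment stand-in
    t = protect_transport(ek, ak, 0x2001, 7, "10.0.0.1", "10.0.0.2", seg)
    print("transport:", len(t), esp_decapsulate(ek, ak, t[20:]))
    inner = ipv4_header("192.168.1.10", "192.168.2.20", IPPROTO_TCP, len(seg)) + seg
    u = protect_tunnel(ek, ak, 0x2002, 1, "203.0.113.1", "203.0.113.2", inner)
    print("tunnel:", len(u), esp_decapsulate(ek, ak, u[20:])[0])
```

On receipt the ICV is verified before any decryption or trailer parsing, so a modified packet is rejected without ever exposing padding or length handling to the attacker; the Next Header value recovered from the trailer (6 in transport mode, 4 in tunnel mode) is what tells the receiver whether it holds a TCP segment or an entire inner IP packet to route on.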
In a specific embodiment, the packet identifier included in the message data comprises identifying information for the protocol, the encryption algorithm and the key used for the message data, and this identifying information is determined by negotiation between the sending end and the receiving end.
Specifically, before sending message data, the sending end negotiates with the receiving end to determine the protocol, encryption algorithm and key to be used for the message data; it packages the identifying information of that protocol, encryption algorithm and key into a message identifier, and encapsulates the message, the message identifier and the destination address of the receiving end together to obtain the message data to be sent. The identifier should reference the negotiated key (in the way an IPsec SPI references an SA) rather than carry the key material itself; key material must never be placed in the packet.
In this embodiment, the sending end and the receiving end negotiate the protocol, encryption algorithm and key used for the message data, which makes the key exchange mechanism more convenient to use and allows compliance with the negotiated agreement to be tracked during the actual transmission of the message data.
It should be understood that although the steps in the flowcharts of the above embodiments are shown in the order indicated by the arrows, they are not necessarily executed in that order. Unless explicitly stated otherwise, the steps are not strictly limited to the order shown and may be performed in other orders. Moreover, at least some of the steps in each flowchart may comprise multiple sub-steps or stages, which are not necessarily performed at the same moment but may be performed at different times, and the order of performing these sub-steps or stages is not necessarily sequential; they may be performed in turn or alternately with other steps or with at least part of the sub-steps or stages of other steps.
In an embodiment, as shown in fig. 5, a message data distribution device is provided, comprising a message data acquisition module 502, a data processing mode determination module 504, a message data processing module 506 and a message data sending module 508, wherein:
the message data acquisition module 502 is configured to acquire message data sent by a sending end, where the message data comprises a message data identifier and a destination address of a receiving end; the message data is sent by the sending end to the receiving end based on the configured interface IP address of the link load balancing device;
the data processing mode determination module 504 is configured to determine a data processing mode of the message data based on the message data identifier;
the message data processing module 506 is configured to process the message data according to the data processing mode to obtain processed message data, where the processed message data comprises a data distribution mode;
the message data sending module 508 is configured to send the processed message data to the receiving end according to the data distribution mode and the destination address of the receiving end.
In one embodiment, the message data distribution device further comprises:
a message data backup module, configured to back up the processed message data using the security policy corresponding to the processed message data.
In one embodiment, the message data distribution device further comprises:
a message data verification module, configured to verify the processed message data after it is received so as to determine whether it has been tampered with; if the verification passes, the processed message data is restored, and if the verification fails, the processed message data is discarded.
When a large number of messages need to be transmitted, the message data distribution device matches different distribution modes to different types of messages and transmits them accordingly, which improves the protocol stack's capacity to process messages, takes access speed into account, and achieves balanced distribution of link load traffic. The messages to be transmitted are protected with the Internet security protocol, which effectively prevents data from being tampered with in transit and improves the security of data transmission.
For specific limitations of the message data distribution device, reference may be made to the limitations on the message data distribution method above, which are not repeated here. All modules of the message data distribution device may be implemented wholly or partly in software, hardware or a combination of the two. The modules may be embedded in hardware form in, or independent of, the processor of the computer device, or stored in software form in the memory of the computer device, so that the processor can call and execute the operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a server, and its internal structure diagram may be as shown in fig. 6. The computer device includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the computer device is used for storing message data. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a message data distribution method.
Those skilled in the art will appreciate that the architecture shown in fig. 6 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having a computer program stored therein, the processor implementing the following steps when executing the computer program:
acquiring message data sent by a sending end, wherein the message data comprises a message data identifier and a target address of a receiving end; the message data is sent to the receiving end by the sending end based on the configured interface IP address of the link load balancing equipment;
determining a data processing mode of the message data based on the message data identifier;
processing the message data according to a data processing mode to obtain processed message data, wherein the processed message data comprises a data distribution mode;
and sending the processed message data to the receiving end according to the data distribution mode and the target address of the receiving end.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
determining a link binding template loading the message data according to the message data identifier;
and determining a data processing mode of the message data based on the template, wherein the data processing mode comprises the step of carrying out internet security protocol processing on the message data.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
inserting an authentication protocol header into the message data and then encapsulating it to obtain processed message data; the authentication protocol is a sub-protocol of the Internet security protocol, the authentication protocol header comprises a field indicating the protocol type of the header that follows the authentication header, and this field corresponds to the data distribution mode of the message data.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
and backing up the processed message data by adopting a security strategy corresponding to the processed message data.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
the receiving end is used for verifying the processed message data after receiving the processed message data so as to determine whether the processed message data is tampered;
if the verification is passed, the processed message data is restored, and if the verification is not passed, the processed message data is discarded.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
the receiving end is used for determining security association information corresponding to the processed message data after receiving the processed message data;
inquiring security association information in a security association database;
when the security association information is matched, inquiring a security policy database based on the security association information, and inquiring a security policy corresponding to the security association information;
if the security policy corresponding to the security association information exists, the verification is determined to be passed, and if the security policy corresponding to the security association information does not exist, the verification is determined not to be passed;
the security association database stores preset security association information, and the security policy database stores preset security policies corresponding to the preset security association information.
In one embodiment, a computer-readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, performs the steps of:
acquiring message data sent by a sending end, wherein the message data comprises a message data identifier and a target address of a receiving end; the message data is sent to the receiving end by the sending end based on the configured interface IP address of the link load balancing equipment;
determining a data processing mode of the message data based on the message data identifier;
processing the message data according to a data processing mode to obtain processed message data, wherein the processed message data comprises a data distribution mode;
and sending the processed message data to the receiving end according to the data distribution mode and the target address of the receiving end.
In one embodiment, the computer program when executed by the processor further performs the steps of:
determining a link binding template loading the message data according to the message data identifier;
and determining a data processing mode of the message data based on the template, wherein the data processing mode comprises the step of carrying out internet security protocol processing on the message data.
In one embodiment, the computer program when executed by the processor further performs the steps of:
inserting an authentication protocol header into the message data and then encapsulating it to obtain processed message data; the authentication protocol is a sub-protocol of the Internet security protocol, the authentication protocol header comprises a field indicating the protocol type of the header that follows the authentication header, and this field corresponds to the data distribution mode of the message data.
In one embodiment, the computer program when executed by the processor further performs the steps of:
and backing up the processed message data by adopting a safety strategy corresponding to the processed message data.
In one embodiment, the computer program when executed by the processor further performs the steps of:
the receiving end is used for verifying the processed message data after receiving the processed message data so as to determine whether the processed message data is tampered;
if the verification is passed, the processed message data is restored, and if the verification is not passed, the processed message data is discarded.
In one embodiment, the computer program when executed by the processor further performs the steps of:
the receiving end is used for determining security association information corresponding to the processed message data after receiving the processed message data;
inquiring security association information in a security association database;
when the security association information is matched, inquiring a security policy database based on the security association information, and inquiring a security policy corresponding to the security association information;
if the security policy corresponding to the security association information exists, the verification is determined to be passed, and if the security policy corresponding to the security association information does not exist, the verification is determined not to be passed;
the security association database stores preset security association information, and the security policy database stores preset security policies corresponding to the preset security association information.
It will be understood by those skilled in the art that all or part of the processes of the methods in the above embodiments can be implemented by a computer program instructing the relevant hardware; the computer program can be stored in a non-volatile computer-readable storage medium and, when executed, may include the processes of the method embodiments described above. Any reference to memory, storage, a database or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. Non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical storage or the like. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM may take many forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM).
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A message data distribution method is characterized in that the method comprises the following steps:
acquiring message data sent by a sending end, wherein the message data comprises a message data identifier and a target address of a receiving end; the message data is sent to the receiving end by the sending end based on the configured interface IP address of the link load balancing equipment;
determining a data processing mode of the message data based on the message data identifier;
processing the message data according to the data processing mode to obtain processed message data, wherein the processed message data comprises a data distribution mode;
and sending the processed message data to the receiving end according to the data distribution mode and the target address of the receiving end.
2. The method of claim 1, wherein the determining a data processing manner of the packet data based on the packet data identifier comprises:
determining a link binding template loading the message data according to the message data identifier;
and determining a data processing mode of the message data based on the template, wherein the data processing mode comprises the step of carrying out internet security protocol processing on the message data.
3. The method according to claim 2, wherein the processing the packet data according to the data processing manner to obtain processed packet data comprises:
inserting an authentication protocol header into the message data and then packaging to obtain processed message data;
the authentication protocol is a subprotocol in the internet security protocol, the authentication protocol header comprises a field for indicating a protocol type corresponding to a header behind the authentication header, and the field corresponds to a data distribution mode of the message data.
4. The method of claim 2, wherein the data splitting mode comprises:
a transmission mode and a tunnel mode; the transmission mode provides protection for higher layer protocol data in the message data, and the tunnel mode provides protection for the whole message data.
5. The method according to claim 2, wherein after the processing the packet data according to the data processing manner to obtain the processed packet data, before the sending the processed packet data to the receiving end according to the data splitting mode and the destination address of the receiving end, further comprising:
and backing up the processed message data by adopting a safety strategy corresponding to the processed message data.
6. The method according to claim 2, wherein after the sending the processed packet data to the receiving end according to the data splitting mode and the destination address of the receiving end, the method further comprises:
the receiving end is used for verifying the processed message data after receiving the processed message data so as to determine whether the processed message data is tampered;
if the verification is passed, the processed message data is restored, and if the verification is not passed, the processed message data is discarded.
7. The method of claim 6, wherein the receiving end is configured to verify the processed packet data after receiving the processed packet data, and comprises:
the receiving end is used for determining security association information corresponding to the processed message data after receiving the processed message data;
querying the security association information in a security association database;
when the security association information is matched, querying a security policy database based on the security association information, and querying a security policy corresponding to the security association information;
if the security policy corresponding to the security association information exists, determining that the verification is passed, and if the security policy corresponding to the security association information does not exist, determining that the verification is not passed;
the security association database stores preset security association information, and the security policy database stores preset security policies corresponding to the preset security association information.
8. A message data distribution device is characterized in that the device comprises:
the message data acquisition module is used for acquiring message data sent by a sending end, wherein the message data comprises a message data identifier and a target address of a receiving end; the message data is sent to the receiving end by the sending end based on the configured interface IP address of the link load balancing equipment;
a data processing mode determining module, configured to determine a data processing mode of the packet data based on the packet data identifier;
the message data processing module is used for processing the message data according to the data processing mode to obtain processed message data, and the processed message data comprises a data distribution mode;
a message data sending module, configured to send the processed message data to the receiving end according to the data distribution mode and the destination address of the receiving end.
9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method of any of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 7.
CN202111183075.4A 2021-10-11 2021-10-11 Message data distribution method and device, computer equipment and storage medium Pending CN113872865A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111183075.4A CN113872865A (en) 2021-10-11 2021-10-11 Message data distribution method and device, computer equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111183075.4A CN113872865A (en) 2021-10-11 2021-10-11 Message data distribution method and device, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
CN113872865A true CN113872865A (en) 2021-12-31

Family

ID=78998997

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111183075.4A Pending CN113872865A (en) 2021-10-11 2021-10-11 Message data distribution method and device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113872865A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160212098A1 (en) * 2015-01-21 2016-07-21 Huawei Technologies Co., Ltd. Load balancing internet protocol security tunnels
CN106161386A (en) * 2015-04-16 2016-11-23 中兴通讯股份有限公司 A kind of method and apparatus realizing that IPsec shunts
US20190173920A1 (en) * 2017-12-06 2019-06-06 Nicira, Inc. Deterministic load balancing of ipsec processing
CN113472817A (en) * 2021-09-03 2021-10-01 杭州网银互联科技股份有限公司 Gateway access method and device for large-scale IPSec and electronic equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
冯晓玲: "《电子商务安全》", 31 March 2008, 对外经济贸易大学出版社, pages: 120 - 127 *

Similar Documents

Publication Publication Date Title
US8418242B2 (en) Method, system, and device for negotiating SA on IPv6 network
US9838870B2 (en) Apparatus and method for authenticating network devices
US7039713B1 (en) System and method of user authentication for network communication through a policy agent
US7051365B1 (en) Method and apparatus for a distributed firewall
US7660980B2 (en) Establishing secure TCP/IP communications using embedded IDs
US20070214502A1 (en) Technique for processing data packets in a communication network
CN113904809B (en) Communication method, device, electronic equipment and storage medium
JP2004295891A (en) Method for authenticating packet payload
US7536719B2 (en) Method and apparatus for preventing a denial of service attack during key negotiation
CN112615866A (en) Pre-authentication method, device and system for TCP connection
CN110832806B (en) ID-based data plane security for identity-oriented networks
CN113810173B (en) Method for checking application information, message processing method and device
CN114039812B (en) Data transmission channel establishment method, device, computer equipment and storage medium
JP2004194196A (en) Packet communication authentication system, communication controller and communication terminal
EP1836559B1 (en) Apparatus and method for traversing gateway device using a plurality of batons
CN113872865A (en) Message data distribution method and device, computer equipment and storage medium
US20080222693A1 (en) Multiple security groups with common keys on distributed networks
KR20110087972A (en) Method for blocking abnormal traffic using session table
JP2001111612A (en) Information leakage prevention method and system, and recording medium recording information leakage prevention program
Apiecionek et al. Authentication over internet protocol
US11805110B2 (en) Method for transmitting data packets
Budzko et al. Analysis of the level of security provided by advanced information and communication technologies
KR102086489B1 (en) Method for decrypting a secure socket layer for securing packets transmitted from a predetermined operating system
Feng et al. A Reliable Lightweight Communication Method via Chain Verification
Tselikis et al. An Efficient Impelementation of the Bundle Security Protocol for DTN-enabled Embedded Devices

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20211231