CN114143061B - Method and system for realizing safe and reliable data transmission based on user mode protocol stack - Google Patents

Info

Publication number: CN114143061B
Application number: CN202111415901.3A
Authority: CN (China)
Prior art keywords: protocol, stack, data packet, protocol stack, data
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN114143061A
Inventors: 周伟, 王亚琛, 荆晓亮
Current assignee: Beijing Xinda Cloud Valley Technology Co.,Ltd.
Original assignee: Zhengzhou Xinda Information Technology Research Institute Co ltd

Classifications

    • H04L63/20 Network architectures or network communication protocols for managing network security; network security policies in general
    • G06F21/44 Security arrangements for program or device authentication
    • G06F21/602 Security arrangements providing cryptographic facilities or services
    • G06F21/72 Protecting specific internal or peripheral components to assure secure computing or processing of information in cryptographic circuits
    • H04L63/0428 Network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/068 Network security for supporting key management in a packet data network using time-dependent keys, e.g. periodically changing keys

Abstract

The invention belongs to the technical field of network security and relates to a method and a system for secure and reliable data transmission based on a user-mode protocol stack. A secure communication protocol that performs encryption, authentication and fragmentation on application service request packets is encapsulated in the user-mode protocol stack through calling functions; the user-mode protocol stack serving an application service request is determined and an interface data calling function is created; the interface data calling function associates with the calling functions of the corresponding user-mode protocol stack and delivers the application service packet to that stack; the user-mode protocol stack performs push and pop processing on the received application service message according to the associated calling functions and forwards the processed packet to the application service that corresponds to the stack. By integrating the secure communication protocol in the user-mode protocol stack, the invention meets the reliability and availability requirements of data transmission while providing security protection for high-performance data forwarding.

Description

Method and system for realizing safe and reliable data transmission based on user mode protocol stack
Technical Field
The invention belongs to the technical field of network security and particularly relates to a method and a system for secure and reliable data transmission based on a user-mode protocol stack.
Background
Since the birth of the internet, the network protocol stack has been tightly bound to the kernel: the kernel acts as the controller of the operating system and is responsible for many key operations, and the functionality, performance and stability of the kernel protocol stack have improved steadily over time. With the development of internet technology, clustered and distributed deployments have been used to keep raising the service capacity of a network, but the kernel, which is also the manager of the machine, is not suited to serving external requests or to monopolising resources, and it faces a single-point performance bottleneck no matter how it develops. This motivated the user-mode protocol stack: the kernel can concentrate on system calls while other complex processing moves to user mode, where development is freer.
At present, most user-mode protocol stacks focus on high concurrency and high data transmission performance. For example, application publication CN110278161 (filed 2019.09.24) distributes different packets based on a user-mode protocol stack to improve application service performance; application publication CN104951357a (filed 2015.09.30) concentrates on load balancing and fault recovery during data forwarding; and the article "high performance network protocol stack compatibility research" in the journal Telecommunications Science (2019, 05) focuses on the compatibility problem of network protocol stacks and improves forwarding performance by solving it. In terms of security, these solutions rely on the underlying network protocols; security is not considered in user mode.
Disclosure of Invention
Therefore, the invention provides a method and a system for secure and reliable data transmission based on a user-mode protocol stack. By integrating a secure communication protocol in the user-mode protocol stack, it provides security protection for the high-performance data forwarding process while meeting the reliability and availability requirements of data transmission.
According to the design scheme of the invention, the method for secure and reliable data transmission based on a user-mode protocol stack comprises the following steps:
a secure communication protocol that performs encryption, authentication and fragmentation on application service request packets is encapsulated in the user-mode protocol stack through calling functions;
an interface data calling function is created for the application service request; it associates with the calling functions of the corresponding user-mode protocol stack and delivers the application service packet to that stack for processing;
the user-mode protocol stack performs push and pop processing of the received application service message according to the associated calling functions and forwards the processed packets to the application service corresponding to the stack, where push and pop processing comprises at least packet authentication, fragment reassembly, encryption and decryption, and encapsulation and decapsulation.
Further, the secure communication protocol comprises: an authentication and key exchange protocol, which negotiates shared key parameters for the two communicating entities; a transmission security protocol, which provides packet authentication, encapsulation and decapsulation; a key update protocol, which renews keys at the end of each key update period; a data transmission protocol, which provides fragmentation and reassembly; a reliable data transmission protocol, which provides fragmentation and reassembly together with timeout retransmission and acknowledgement; an RTT measurement protocol, which calculates the round-trip time of messages; and a heartbeat protocol, which checks the communication link for connection anomalies. Each protocol in the secure communication protocol corresponds to a calling function. The calling functions of the key update protocol and the authentication and key exchange protocol are associated with those of the transmission security protocol, the data transmission protocol and the reliable data transmission protocol, supplying the keys and the encryption and decryption parameters used for authentication, encryption and decryption during data transmission; through its calling function the RTT measurement protocol supplies the timeout reference for the reliable data transmission protocol's retransmission and acknowledgement service, and through its calling function the heartbeat protocol supplies the communication link state to the reliable data transmission protocol.
Further, the transmission security protocol comprises a packet security authentication protocol (SPA), which provides source authentication and anti-replay services for the two communicating entities, and a packet security encapsulation protocol (ESP), which provides data confidentiality and integrity for the two communicating entities by means of an encryption and verification mechanism.
Further, the secure communication protocol also comprises an alarm protocol, which provides a transmission anomaly alarm service for the two communicating entities, and a flow control protocol, which provides flow control for data transmission; both ends of the channel between the communicating entities monitor transmission anomalies and traffic through the calling functions of the alarm protocol and the flow control protocol.
Further, the user-mode protocol stack can encapsulate protocols of the link layer, network layer, transport layer, session layer, presentation layer and application layer according to the OSI model in ISO 7498.
Further, during data transmission and forwarding the user-mode protocol stack sits between an upper-layer payload protocol and a lower-layer bearer protocol and shields the bearer protocol from the payload protocol; the payload protocol is the protocol that packages the application data together with the network-layer part and forms the payload of the user-mode protocol stack, and the bearer protocol is the lower-layer protocol that carries the user-mode protocol stack's service packets.
Further, the pop processing of the user-mode protocol stack proceeds as follows. First, the security association of the communication connection is looked up according to the security association identifier carried in the pop packet exchanged between the two communicating entities. If the security association is found, the data transmission protocol or the reliable data transmission protocol of the secure communication protocol is selected according to the communication security requirement to fragment the pop packet, and the transmission security protocol then adds an authentication header and cryptographic encapsulation to each fragment; if the security association is not found, the packet is discarded. The security association identifier consists of a source identifier and a destination identifier.
Further, when the reliable data transmission protocol is selected through its calling function according to the communication security requirement, the pop packet is fragmented and subjected to timeout retransmission and acknowledgement processing, after which the authentication header and cryptographic encapsulation are added to each fragment. The timeout retransmission and acknowledgement processing is as follows: when the push (receiving) end receives a packet sent by the pop (sending) end, it returns an acknowledgement packet to the pop end; if the pop end does not receive the acknowledgement within a preset time, it retransmits the packet.
Further, the push processing of the user-mode protocol stack proceeds as follows. First, the security association of the communication connection is looked up according to the security association identifier carried in the push packet exchanged between the two communicating entities. If it is found, the transmission security protocol processes the push packet sent by the peer: the authentication header added by the sender is extracted and verified and the cryptographic encapsulation is removed; then, according to the data transmission type of the push packet, the data transmission protocol of the secure communication protocol is invoked through its calling function to reassemble the fragments, and the result is handed to the corresponding application service.
Further, the invention also provides a system for secure and reliable data transmission based on a user-mode protocol stack, comprising a protocol setting module, a data processing module and a data transmission module, wherein:
the protocol setting module encapsulates, through calling functions in the user-mode protocol stack, a secure communication protocol that performs encryption, authentication and fragmentation on application service request packets;
the data processing module creates an interface data calling function for the application service request, which associates with the calling functions of the corresponding user-mode protocol stack and delivers the application service packet to the stack for processing;
and the data transmission module performs push and pop processing of the received application service message according to the associated calling functions and forwards the processed packets to the application service corresponding to the user-mode protocol stack, where push and pop processing comprises at least packet authentication, fragment reassembly, encryption and decryption, and encapsulation and decapsulation.
The invention has the beneficial effects that:
the invention integrates multiple secure communication protocols in the user-mode protocol stack, meeting the reliability and availability requirements of data transmission while providing security protection for the high-performance data forwarding process. It can form a user-mode protocol stack structurally equivalent to the kernel TCP/IP stack, provide layered security protection for data forwarding by combining nine protocols such as the secure data transmission protocol and the reliable data transmission protocol, and support the construction of virtual local area networks and virtual wide area networks, so it has good application prospects.
Description of the drawings:
FIG. 1 is a flowchart of the method for secure and reliable data transmission based on a user-mode protocol stack in an embodiment;
FIG. 2 is a schematic diagram of the user-mode protocol stack in an embodiment;
FIG. 3 is a schematic diagram of the user-mode protocol stack working model in an embodiment;
FIG. 4 is a flowchart of data forwarding based on the user-mode protocol stack in an embodiment;
FIG. 5 is a schematic diagram of the timeout retransmission time calculation formula in an embodiment.
The specific embodiments are as follows:
The present invention is described in further detail below with reference to the drawings and the technical scheme, so that its objects, technical schemes and advantages become more apparent.
The embodiment of the invention provides a method for secure and reliable data transmission based on a user-mode protocol stack, comprising the following steps:
S101, a secure communication protocol that performs encryption, authentication and fragmentation on application service request packets is encapsulated in the user-mode protocol stack through calling functions;
S102, an interface data calling function is created for the application service request; it associates with the calling functions of the corresponding user-mode protocol stack and delivers the application service packet to that stack for processing;
S103, the user-mode protocol stack performs push and pop processing of the received application service message according to the associated calling functions and forwards the processed packets to the application service corresponding to the stack, where push and pop processing comprises at least packet authentication, fragment reassembly, encryption and decryption, and encapsulation and decapsulation.
The user-mode protocol stack builds an abstract service layer above the actual transmission network and its bearer protocols, and provides a secure transmission mechanism and security services for data transmission. In this scheme the user-mode protocol stack integrates a secure communication protocol, and network security is realized with an authenticated-encryption mechanism that can comprise communication confidentiality and integrity protection, an access control mechanism, a traffic padding mechanism and source authentication, and that resists replay attacks and denial-of-service attacks. With regard to the security of network boundary access, it also provides port hiding, authentication-based firewall functionality and a NAT (network address translation) mechanism. The method meets the reliability and availability requirements of data transmission while providing security protection for high-performance data forwarding.
Further, the transmission security protocol comprises a packet security authentication protocol (SPA), which provides source authentication and anti-replay services for the two communicating entities, and a packet security encapsulation protocol (ESP), which provides data confidentiality and integrity by means of an encryption and verification mechanism. Further, the secure communication protocol also comprises an alarm protocol, which provides a transmission anomaly alarm service, and a flow control protocol, which provides flow control for data transmission; both ends of the channel between the communicating entities monitor transmission anomalies and traffic through the calling functions of these two protocols.
The user-mode protocol stack can implement the network communication security architecture of ISO 7498-2: the four security services of authentication, access control, confidentiality and integrity, and the six security mechanisms of data encryption, digital signature, access control, data integrity, authentication exchange and traffic padding. In this embodiment the user-mode security protocol stack also implements a security management function by integrating the alarm protocol and the flow control protocol, so that anomalies arising while the stack's protocols execute are reported back and the corresponding handling can be performed.
Referring to FIG. 2, the authentication and key exchange protocol negotiates the security parameters that result in a security association between the devices at the two ends of a communication. The protocol is based on RFC 8446 (TLS 1.3); in addition to the cipher suites specified by RFC 8446, cipher suites based on China's national cryptographic algorithms are added, and digital certificates using those algorithms may also be supported. The transmission security protocol comprises two protocols: the packet security authentication protocol (SPA) and the packet security encapsulation protocol (ESP). SPA provides source authentication and anti-replay services for the two communicating parties; ESP provides confidentiality and integrity of the information. The key update protocol replaces the old key with a new one when the working key of the security association reaches its key update period, giving the secure data transmission protocols the ability to rotate keys. A protocol implementation may maintain a copy of the key lifetime metrics whose values are smaller than the actual lifetime; when the working key reaches the value in this copy, a key update is initiated. The data transmission protocol provides a software-definable transmission mechanism whose main functions are fragmentation, reassembly and reordering. Fragmentation and reassembly are needed mainly because the data grows longer after passing through SPA, ESP and the other protocols: if the network card fragments such a packet during forwarding, the receiving end cannot authenticate or decrypt it and the data is lost, so the stack fragments the data itself to avoid this.
The reliable data transmission protocol provides definable security and reliability for the data transmission channel; its main functions are fragmentation and reassembly, reordering, timeout retransmission and an acknowledgement mechanism. Fragmentation, reassembly and reordering are the same as in the data transmission protocol. In the timeout retransmission and acknowledgement mechanism, the receiving end acknowledges every packet from the sending end, returning an acknowledgement packet each time a packet is received; if the receiving end does not receive a data message within the specified time (so that no acknowledgement is returned), the sending end starts timeout retransmission. The RTT measurement protocol calculates the round-trip time of a message from the originating end to the receiving end and provides the RTT to the other protocols. The heartbeat protocol checks whether the connection is normal, judging whether the two communicating parties are still connected and ensuring that the sending end and the receiving end are reachable. The alarm protocol reports to the peer the alarm information that arises during secure transmission. The flow control protocol provides software-definable flow control for the data transmission process, detecting congestion and having the sending end apply the corresponding flow control.
As a method for implementing secure and reliable data transmission based on a user mode protocol stack in the embodiment of the present invention, further, the user mode protocol stack encapsulates protocols in a link layer, a network layer, a transport layer, a session layer, a presentation layer and an application layer according to an OSI model in ISO 7498. Further, in the data transmission forwarding process, the user mode protocol stack is located between an upper layer load protocol and a lower layer load protocol, and the user mode protocol stack shields the lower layer load protocol from the upper layer load protocol, wherein the upper layer load protocol is a protocol for packaging application data and a network layer and bearing a load part of the user mode protocol stack, and the lower layer load protocol is a protocol for processing a user mode protocol load service data packet.
Referring to the working model of the user mode protocol stack shown in fig. 3, the user mode protocol stack is located between an upper layer load protocol and a lower layer load protocol. The bearer protocol refers to a lower layer protocol for bearing user mode protocol data, and the payload protocol is a payload part of the user mode protocol. The user state protocol stack encapsulates the load protocol based on the password, and simultaneously shields the load protocol of the bearing layer for the load protocol of the upper layer. The upper layer of the user mode protocol stack is called the payload layer, and for the user mode protocol stack, the payload protocol is the application data of the upper layer plus the network layer protocol part to be encapsulated, and the network layer protocol part can start from any one layer from layers 2 to 7 of the OSI network model, so that the user mode protocol stack can encapsulate the protocols from the second layer to the seventh layer according to the OSI model in ISO 7498. When the two-layer encapsulation and data forwarding of the user mode protocol stack are used, the user mode protocol stack can be used as a two-layer exchange protocol to support the enterprise-level virtual local area network. When the three-layer encapsulation and data forwarding of the user mode protocol stack are used, the user mode protocol stack can be used as a three-layer switching protocol to support an enterprise-level virtual local area network. When three or more layers of the protocol stack are used for encapsulation and data forwarding, the protocol stack can be used as a VPN gateway protocol to support an enterprise-level virtual wide area network. For example, from the network layer (third layer), the encapsulation starts, and the load protocol is: application layer data + transport layer header + network layer header. 
When the user mode protocol stack is used, it can be called by a dedicated application program: the application passes the payload layer data to be processed to the user mode protocol stack, and once the stack has processed it, the application passes the result to other functional modules for the subsequent bearer layer protocol encapsulation. For example, the payload layer protocol is a user's application layer HTTP request data; after processing by the user mode protocol stack the data can still be regarded as application layer HTTP request data, but once it has gone through the stack's series of processing steps such as encryption, authentication and fragmentation, the bearer layer protocol is added by other functional modules (for example, a switch module adds the layer 4 to layer 2 protocol encapsulation) and the data is then forwarded by the network card, so that the high-performance data forwarding and the reliable, secure transmission of the user mode protocol stack are completed in turn.
The processing of a data packet by the user mode protocol stack comprises push processing and pop processing. A push protocol packet, or push packet, is the payload the protocol stack receives from the lower layer; a pop protocol packet, or pop packet, is a packet the protocol stack needs to forward onward to the underlying bearer protocol. The high-performance data forwarding workflow of the user mode protocol stack is therefore divided into two workflows, push and pop. Push is the processing of a data packet the protocol stack receives from the lower layer bearer protocol, and pop is the processing flow carried out before the protocol stack hands a data packet to the lower layer bearer protocol for forwarding. First, both communicating parties need to complete a Security Association (SA) procedure, which is mainly used to establish and maintain a secure communication connection. The SA mainly contains a source identifier and a destination identifier.
Referring to fig. 4, data received from a specific network card is captured into the user mode protocol stack through an interface provided by the system; on the sending side, data is forwarded through the network port after being popped from the user mode protocol stack, and data received from the network port on the receiving side is processed by the user mode protocol stack in push mode.
Data packet pop flow: the user mode protocol stack looks up the SA for the data packet being popped; if there is no associated SA, the packet is discarded, and if there is, the subsequent packet processing continues. Depending on the security requirements of the communication, either the data transmission protocol or the reliable data transmission protocol is selected; the difference between the two is that one provides reliable data transmission and the other unreliable, where unreliable means that delivery of the data packet to the receiving end is not guaranteed, while the reliable data transmission protocol provides a data packet acknowledgement and retransmission mechanism. In the data transmission protocol the data packet is mainly fragmented and reassembled: the packet is fragmented and a fragmentation identifier is added according to whether its size exceeds the maximum transmission unit. A function for sending traffic padding messages is also added, implementing the traffic padding mechanism of ISO 7498-2. The secure transmission protocol is then processed: authentication is first performed through the security authentication protocol (SPA) and an authentication header is added, after which cryptographic processing and encapsulation are performed through the encapsulating security payload protocol (ESP).
Data packet push flow: the SA must likewise be found first; if it is not found, the push of the packet is rejected, and if it is, an appropriate push path is selected for the data packet and the subsequent packet processing continues. The secure transmission protocol is processed: authentication is first performed through the security authentication protocol (SPA), then decryption is performed through the encapsulating security payload protocol (ESP) and the encapsulation is removed. According to the data transmission type of the data packet, either the data transmission protocol or the reliable data transmission protocol is selected for processing. It is first determined whether the packet is a fragment; if so, fragment reassembly of the data packet follows. If the reliable data transmission protocol is in use, a data packet acknowledgement message must be sent, and if the sending end does not receive the acknowledgement for a long time, the message is retransmitted. After the data has been encapsulated, it is forwarded by the network card for transmission.
For pop data packets, the reliable data transmission protocol or the data transmission protocol is selected according to the reliability requirement of the communication. The two protocols share the fragmentation of data packets, which is performed mainly according to whether the size of the data packet exceeds the maximum transmission unit; the reliability of the reliable transmission protocol lies mainly in data retransmission and acknowledgement. After fragmentation, the data packet is encrypted and authenticated; this uses the secure transmission protocol, where the authentication header is added mainly through the security authentication protocol (SPA) and the encryption and encapsulation are performed through the encapsulating security payload protocol (ESP).
For push data packets, authentication must be performed through the security authentication protocol (SPA), after which decryption and decapsulation are performed through the encapsulating security payload protocol (ESP). Fragment reassembly of the data packet uses the reliable data transmission protocol or the data transmission protocol, where the reliable data transmission protocol additionally sends an acknowledgement message for each received data packet; if the opposite end does not receive the acknowledgement for a long time, it retransmits the previously sent data packet.
Security of the user mode protocol stack: data packet authentication is performed by the security authentication protocol (SPA), which adds the authentication part in the pop flow and authenticates the data packet in the push flow; only authenticated data packets proceed to subsequent processing. During data transmission, encryption and packet integrity verification are performed through the encapsulating security payload protocol ESP of the secure transmission protocol. The keys and cryptographic parameters used in encryption, integrity checking and authentication are updated by the key update protocol.
Reliability protection of user mode protocol stack data transmission: the reliable data transmission protocol not only fragments and reassembles data packets but also provides a timeout retransmission and acknowledgement mechanism, solving the problem of packet loss during transmission. The RTT measurement protocol serves the reliable data transmission protocol and provides the round trip time reference for packet retransmission; the specific formula is shown in fig. 5, where RTO is the timeout retransmission time and RTT is the round trip time of a given channel as measured by the measurement protocol. The heartbeat protocol serves the reliable data transmission protocol and ensures that the communication link provided by the channel is reachable. The flow control protocol ensures that the sending and receiving rates at the two ends of the channel match, avoiding packet loss caused by a rate mismatch. The alarm protocol reports to the peer alarm information that arises during secure transmission.
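As an added illustration (not code from the patent), the following Python model walks a payload through the pop flow described above (SA lookup, fragmentation to the MTU, ESP-style encryption and SPA authentication header) and back through the push flow (authentication before decryption, replay rejection, fragment reassembly), together with the acknowledgement and timeout retransmission of the reliable data transmission protocol. The wire format, the HMAC-derived keystream standing in for the cipher the patent does not name, the fixed RTO value and all class and method names are assumptions.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass, field

# Constructed wire format (an assumption, not the patent's): src_id, dst_id, seq, frag_index, frag_count.
HDR = struct.Struct("!IIIHH")
TAG_LEN = 16  # truncated HMAC-SHA256 tag carried in the SPA authentication header


@dataclass
class SecurityAssociation:
    src_id: int
    dst_id: int
    auth_key: bytes
    enc_key: bytes
    next_seq: int = 0
    seen: set = field(default_factory=set)  # (seq, frag_index) already accepted: replay check


class UserModeStack:
    """Minimal model of the pop (send) and push (receive) flows of the user mode protocol stack."""

    def __init__(self, mtu: int, rto: float = 1.0):
        self.mtu = mtu
        self.rto = rto            # retransmission timeout; the patent derives it from measured RTT
        self.sa_table = {}        # (src_id, dst_id) -> SecurityAssociation
        self.reassembly = {}      # (src_id, dst_id, seq) -> {frag_index: plaintext fragment}
        self.unacked = {}         # seq -> (sent_at, packets) for the reliable data transmission protocol

    def add_sa(self, sa: SecurityAssociation) -> None:
        self.sa_table[(sa.src_id, sa.dst_id)] = sa

    def _esp_xor(self, sa, seq, idx, data):
        """Stand-in for the ESP cipher: HMAC-SHA256 keystream per (seq, fragment) XORed over the data."""
        stream, ctr = b"", 0
        while len(stream) < len(data):
            stream += hmac.new(sa.enc_key, struct.pack("!IHI", seq, idx, ctr), hashlib.sha256).digest()
            ctr += 1
        return bytes(a ^ b for a, b in zip(data, stream))

    def _spa_tag(self, sa, header, body):
        """SPA authentication tag over header and ciphertext (encrypt-then-authenticate)."""
        return hmac.new(sa.auth_key, header + body, hashlib.sha256).digest()[:TAG_LEN]

    def pop(self, src_id, dst_id, payload, reliable=False, now=0.0):
        """Pop flow: SA lookup, fragmentation to the MTU, ESP encryption, SPA header."""
        sa = self.sa_table.get((src_id, dst_id))
        if sa is None:
            return None                    # no associated SA: discard
        seq, sa.next_seq = sa.next_seq, sa.next_seq + 1
        max_frag = self.mtu - HDR.size - TAG_LEN
        chunks = [payload[i:i + max_frag] for i in range(0, len(payload), max_frag)] or [b""]
        packets = []
        for idx, chunk in enumerate(chunks):
            header = HDR.pack(src_id, dst_id, seq, idx, len(chunks))
            body = self._esp_xor(sa, seq, idx, chunk)
            packets.append(header + self._spa_tag(sa, header, body) + body)
        if reliable:
            self.unacked[seq] = (now, packets)
        return packets

    def push(self, packet):
        """Push flow: SA lookup, SPA authentication, replay check, ESP decryption, reassembly.

        Returns (seq, payload) once every fragment of a packet has arrived, otherwise None.
        """
        if len(packet) < HDR.size + TAG_LEN:
            return None
        header = packet[:HDR.size]
        tag = packet[HDR.size:HDR.size + TAG_LEN]
        body = packet[HDR.size + TAG_LEN:]
        src_id, dst_id, seq, idx, count = HDR.unpack(header)
        sa = self.sa_table.get((src_id, dst_id))
        if sa is None:
            return None                    # no SA: refuse the push
        if not hmac.compare_digest(tag, self._spa_tag(sa, header, body)):
            return None                    # authentication fails before any decryption is attempted
        if (seq, idx) in sa.seen:
            return None                    # replayed fragment
        sa.seen.add((seq, idx))
        frags = self.reassembly.setdefault((src_id, dst_id, seq), {})
        frags[idx] = self._esp_xor(sa, seq, idx, body)
        if len(frags) < count:
            return None                    # wait for the remaining fragments
        del self.reassembly[(src_id, dst_id, seq)]
        return seq, b"".join(frags[i] for i in range(count))

    def ack(self, seq):
        """Called on the pop end when the push end's acknowledgement for seq arrives."""
        self.unacked.pop(seq, None)

    def retransmit(self, now):
        """Return the packets whose acknowledgement is overdue and restart their timers."""
        due = []
        for seq, (sent_at, packets) in list(self.unacked.items()):
            if now - sent_at >= self.rto:
                due.extend(packets)
                self.unacked[seq] = (now, packets)
        return due
```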
Further, an embodiment of the invention also provides a system for implementing secure and reliable data transmission based on a user mode protocol stack, comprising a protocol setting module, a data processing module and a data transmission module, wherein
the protocol setting module is used to encapsulate, by setting calling functions in the user mode protocol stack, a secure communication protocol that performs encryption, authentication and fragmentation processing on application service request data packets;
the data processing module is used to create an interface data calling function for the application service request; the interface data calling function is associated with the corresponding calling function in the user mode protocol stack, and the application service data packet is sent to the user mode protocol stack for processing;
the data transmission module is used to perform, in the user mode protocol stack, push and pop data packet processing on the received application service message according to the associated calling function, and to forward the processed data packet to the application service corresponding to the user mode protocol stack, wherein the push and pop data packet processing at least comprises data packet authentication, fragment reassembly, encryption and decryption, and encapsulation and decapsulation.
The relative steps, numerical expressions and numerical values of the components and steps set forth in these embodiments do not limit the scope of the present invention unless it is specifically stated otherwise.
Based on the above method and/or system, the embodiment of the present invention further provides a server, including: one or more processors; and a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method described above.
Based on the above-described method and/or system, embodiments of the present invention also provide a computer-readable medium having a computer program stored thereon, wherein the program, when executed by a processor, implements the above-described method.
Any particular values in all examples shown and described herein are to be construed as merely illustrative and not a limitation, and thus other examples of exemplary embodiments may have different values.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
Finally, it should be noted that the above examples are only specific embodiments of the present invention and are not intended to limit its scope. Although the present invention has been described in detail with reference to the foregoing examples, those skilled in the art should understand that it is not limited thereto: any person skilled in the art may modify or easily conceive of the technical solutions described in the foregoing embodiments, or make equivalent substitutions of some of their technical features, while remaining within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention and are intended to be included within its scope. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (8)

1. A method for implementing secure and reliable data transmission based on a user mode protocol stack, characterized by comprising the following steps:
a secure communication protocol for performing encryption, authentication and fragmentation processing on application service request data packets is encapsulated in the user mode protocol stack by setting calling functions;
for an application service request, a user mode protocol stack is determined and an interface data calling function is created; the interface data calling function is associated with the corresponding calling function in the user mode protocol stack, and the application service data packet is sent to the determined user mode protocol stack for processing;
the user mode protocol stack performs push and pop data packet processing on the received application service message according to the associated calling function and forwards the processed data packet to the application service corresponding to the user mode protocol stack, wherein the push and pop data packet processing at least comprises data packet authentication, fragment reassembly, encryption and decryption, and encapsulation and decapsulation; in the data transmission and forwarding process, the user mode protocol stack is located between an upper layer payload protocol and a lower layer bearer protocol, and the lower layer bearer protocol is hidden from the upper layer payload protocol by the user mode protocol stack, wherein the upper layer payload protocol is the protocol that encapsulates the application data together with its network layer part and forms the payload of the user mode protocol stack, and the lower layer bearer protocol is the protocol that carries the service data packets of the user mode protocol; in the pop processing of a data packet by the user mode protocol stack, the security association of the communication connection between the two communicating entities is first looked up according to the security association identifier in the pop data packet; if the security association is found, the data transmission protocol or the reliable data transmission protocol in the secure communication protocol of the user mode protocol stack is selected according to the communication security requirement, the pop data packet is fragmented, and the transmission security protocol in the secure communication protocol of the user mode protocol stack adds an authentication header and cryptographic encapsulation to the fragmented pop data packet; if the security association is not found, the data packet is discarded; the security association identifier comprises a source identifier and a destination identifier.
2. The method for implementing secure and reliable data transmission based on a user mode protocol stack according to claim 1, characterized in that the secure communication protocol at least comprises: an authentication and key exchange protocol providing both communicating entities with a service for negotiating shared key parameters, a transmission security protocol providing both communicating entities with data packet authentication, encapsulation and decapsulation services, a key update protocol providing both communicating entities with a key update service within a key update period, a data transmission protocol providing both communicating entities with a data fragmentation and reassembly service, a reliable data transmission protocol providing both communicating entities with a data fragmentation and reassembly and timeout retransmission acknowledgement service, an RTT measurement protocol providing both communicating entities with a service for calculating message round trip time, and a heartbeat protocol providing both communicating entities with a communication link connection anomaly check service, wherein each protocol in the secure communication protocol corresponds to a calling function; the calling functions of the key update protocol and the authentication and key exchange protocol are associated with the calling functions of the transmission security protocol, the data transmission protocol and the reliable data transmission protocol so as to provide the keys and the encryption and decryption parameters used in the authentication and the encryption and decryption processes during data transmission; the RTT measurement protocol provides, through its calling function, the timeout retransmission acknowledgement reference for the reliable data transmission; and the heartbeat protocol provides, through its calling function, the communication link data state for the reliable data transmission protocol.
3. The method for implementing secure and reliable data transmission based on a user mode protocol stack according to claim 2, characterized in that the transmission security protocol comprises: a packet security authentication protocol SPA providing both communicating entities with a source authentication service and an anti-replay service, and an encapsulating security payload protocol ESP providing both communicating entities with a data confidentiality and integrity service by means of an encryption and verification mechanism.
4. The method for implementing secure and reliable data transmission based on a user mode protocol stack according to claim 2, characterized in that the secure communication protocol further comprises: an alarm protocol providing both communicating entities with a transmission anomaly alarm service, and a flow control protocol providing both communicating entities with a data transmission flow control service, wherein both ends of the channel between the two communicating entities monitor data transmission anomalies and flow through the calling functions of the alarm protocol and the flow control protocol.
5. The method for implementing secure and reliable data transmission based on a user mode protocol stack according to claim 1, characterized in that the user mode protocol stack encapsulates protocols in the link layer, network layer, transport layer, session layer, presentation layer and application layer according to the OSI model in ISO 7498.
6. The method for implementing secure and reliable data transmission based on a user mode protocol stack according to claim 1, characterized in that the reliable data transmission protocol in the secure communication protocol of the user mode protocol stack is selected by a calling function according to the communication security requirement to perform fragmentation and timeout retransmission acknowledgement processing on the pop data packet, after which an authentication header and cryptographic encapsulation are added to the fragmented pop data packet, wherein the timeout retransmission acknowledgement processing comprises: when the push end receives the data packet sent by the pop end, the push end sends an acknowledgement packet to the pop end, and if the pop end does not receive the acknowledgement packet within a preset time, the pop end retransmits the data packet it sent.
7. The method for implementing secure and reliable data transmission based on a user mode protocol stack according to claim 1, characterized in that, in the push processing of the user mode protocol stack, the security association of the communication connection between the two communicating entities is first looked up according to the security association identifier in the push data packet; if the security association is found, the push data packet sent from the pop end is processed in the protocol stack using the transmission security protocol in the secure communication protocol of the user mode protocol stack, the authentication header added at the pop end is extracted for authentication and the cryptographic encapsulation is removed, the data transmission protocol in the secure communication protocol of the user mode protocol stack is selected by a calling function according to the data transmission type of the push data packet, the push data packet is reassembled from its fragments, and it is delivered to the corresponding application service.
8. A system for implementing secure and reliable data transmission based on a user mode protocol stack, comprising a protocol setting module, a data processing module and a data transmission module, wherein
the protocol setting module is used to encapsulate, by setting calling functions in the user mode protocol stack, a secure communication protocol that performs encryption, authentication and fragmentation processing on application service request data packets;
the data processing module is used to create an interface data calling function for the application service request; the interface data calling function is associated with the corresponding calling function in the user mode protocol stack, and the application service data packet is sent to the user mode protocol stack for processing;
the data transmission module is used to perform push and pop data packet processing on the received application service message according to the associated calling function and to forward the processed data packet to the application service corresponding to the user mode protocol stack, wherein the push and pop data packet processing at least comprises data packet authentication, fragment reassembly, encryption and decryption, and encapsulation and decapsulation; in the data transmission and forwarding process, the user mode protocol stack is located between an upper layer payload protocol and a lower layer bearer protocol, and the lower layer bearer protocol is hidden from the upper layer payload protocol by the user mode protocol stack, wherein the upper layer payload protocol is the protocol that encapsulates the application data together with its network layer part and forms the payload of the user mode protocol stack, and the lower layer bearer protocol is the protocol that carries the service data packets of the user mode protocol; in the pop processing of a data packet by the user mode protocol stack, the security association of the communication connection between the two communicating entities is first looked up according to the security association identifier in the pop data packet; if the security association is found, the data transmission protocol or the reliable data transmission protocol in the secure communication protocol of the user mode protocol stack is selected according to the communication security requirement, the pop data packet is fragmented, and the transmission security protocol in the secure communication protocol of the user mode protocol stack adds an authentication header and cryptographic encapsulation to the fragmented pop data packet; if the security association is not found, the data packet is discarded; the security association identifier comprises a source identifier and a destination identifier.
CN202111415901.3A 2021-11-25 2021-11-25 Method and system for realizing safe and reliable data transmission based on user mode protocol stack Active CN114143061B (en)

Publications (2)

Publication Number Publication Date
CN114143061A CN114143061A (en) 2022-03-04
CN114143061B true CN114143061B (en) 2023-06-02


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20240606

Address after: Room 0706, 6th Floor, No. 113 Zhichun Road, Haidian District, Beijing, 100080

Patentee after: Beijing Xinda Cloud Valley Technology Co.,Ltd.

Country or region after: China

Address before: 450000 floors 1-5 and 5 of Building 2, building 1, block D, No. 55, Lianhua street, high tech Industrial Development Zone, Zhengzhou, Henan Province

Patentee before: Zhengzhou Xinda Information Technology Research Institute Co.,Ltd.

Country or region before: China