CN114301735B - Method, system, terminal and storage medium for managing and controlling on-demand distribution of IPSEC tunnel data - Google Patents

Publication number: CN114301735B
Authority: CN (China)
Prior art keywords: threshold, data packet, tuple, data, ipsec tunnel
Legal status: Active
Application number: CN202111509910.9A
Other languages: Chinese (zh)
Other versions: CN114301735A (en)
Inventors: 国占飞, 万志宇
Current assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Original assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The application relates to a method, a system, a terminal and a storage medium for managing and controlling IPSEC tunnel data distribution as required, belonging to the field of IPSEC tunnel management and control, wherein the method comprises the steps of obtaining a data packet; adding identification tags for the data packets based on preset marking rules; when the identification tag accords with a preset encryption condition, transmitting the corresponding data packet to an IPSEC tunnel for encryption; otherwise, the corresponding data packet is transmitted to other transmission paths without being encrypted through the IPSEC tunnel. By adding an identification tag to each data packet, whether each data packet needs to be encrypted by the IPSEC tunnel or not is judged, and accurate transmission control of the encrypted data packets is facilitated. The IPSEC tunnel management and control method has the effects of high management and control precision and high management and control flexibility of the IPSEC tunnel.

Description

Method, system, terminal and storage medium for managing and controlling on-demand distribution of IPSEC tunnel data
Technical Field
The present invention relates to the field of IPSEC tunnel management and control, and in particular, to a method, a system, a terminal, and a storage medium for managing and controlling on-demand distribution of IPSEC tunnel data.
Background
IPSEC is an open standard framework that uses encrypted security services to ensure that packets are communicated securely and privately over an Internet protocol network. When two subnets need to communicate, an IPSEC tunnel is established between them, and data packets flow through that tunnel. While a packet traverses the tunnel, the tunnel's security policy module looks up the encryption and decryption policy that applies to the packet, and the tunnel's encryption and decryption module then encrypts or decrypts it.
In the related art, a data packet usually undergoes tunnel encryption and decryption at the network layer. In practice, the inventor found that when different gateways communicate, some packets need IPSEC tunnel encryption and decryption while others do not, for example because the packet has already been encrypted; yet a packet that does not need IPSEC encryption still passes through the IPSEC security policy module and encryption and decryption module, so the control precision of the IPSEC tunnel is low.
Disclosure of Invention
In order to facilitate improving the management and control precision of the IPSEC tunnel, the invention provides a method, a system, a terminal and a storage medium for managing and controlling the on-demand distribution of IPSEC tunnel data.
In a first aspect, a method for managing and controlling on-demand distribution of IPSEC tunnel data provided by the present application adopts the following technical scheme:
a method of managing on-demand distribution of IPSEC tunnel data, comprising:
acquiring a data packet;
adding identification tags for the data packets based on preset marking rules;
when the identification tag accords with a preset encryption condition, transmitting the corresponding data packet to an IPSEC tunnel for encryption;
otherwise, the corresponding data packet is transmitted to other transmission paths without being encrypted through the IPSEC tunnel.
With this scheme, an identification tag is added to the data packet once it has been obtained, and the tag carried by the packet is examined before the packet is transmitted. If the encryption condition is met, the packet is sent to the corresponding IPSEC tunnel for encryption; if it is not met, the packet is not encrypted through the IPSEC tunnel. This allows precise control over which packets are encrypted, that is, over the type of packet that enters the IPSEC tunnel, and so improves the control accuracy of the IPSEC tunnel.
Optionally, a value assignment table is preset, wherein the value assignment table comprises a plurality of five-tuple threshold groups and the identification tag corresponding to the five-tuple threshold groups; the quintuple threshold group comprises a source address threshold, a destination address threshold, a protocol type threshold, a destination port threshold and a source port threshold;
the step of adding an identification tag to each data packet based on a preset marking rule comprises the following steps:
acquiring five-tuple data of the data packet; the five-tuple data comprises a source address, a destination address, a protocol type, a destination port and a source port;
when the five-tuple data corresponds to any five-tuple threshold value group in the assignment table, the corresponding identification tag is called;
and endowing the called identification tag with the corresponding data packet.
With this scheme, the five-tuple information at the transport layer is used to assign the identification tag to the data packet. On the one hand, the five-tuple threshold groups in the assignment table are easy to modify, which improves the configuration flexibility of the IPSEC tunnel and makes the forwarding path of the packet easier to control; on the other hand, control over the packet's transmission path becomes more flexible, so the probability that an already encrypted packet enters the IPSEC tunnel is reduced, and the load on the IPSEC tunnel decreases.
Optionally, the assignment table is a Netfilter NAT table, and the five-tuple threshold group and the identification tag are stored in a PREROUTING chain of the Netfilter NAT table.
With this scheme, the Netfilter NAT table is used so that each data packet is matched against the rules only once, that is, a packet is unlikely to end up carrying two identification tags. On the one hand this keeps packet transmission orderly and makes packet loss unlikely; on the other hand it reduces the pressure on the identification tag mechanism.
Optionally, the step of determining that the quintuple data corresponds to the quintuple threshold set includes:
judging whether the source address accords with the source address threshold, whether the destination address accords with the destination address threshold, whether the protocol type accords with the protocol type threshold, whether the destination port accords with the destination port threshold and whether the source port accords with the source port threshold;
if the five-tuple data are both in accordance with the five-tuple threshold set, the corresponding five-tuple data are considered to correspond to the corresponding five-tuple threshold set;
otherwise, it is considered as not corresponding.
Optionally, when the five-tuple threshold set and/or the identification tag in the assignment table change, deleting the identification tag of the data packet related to the changed five-tuple threshold set or the identification tag, and adding a new identification tag to the data packet based on the changed five-tuple threshold set and/or the changed identification tag.
By adopting the technical scheme, when the five-tuple threshold set and/or the identification label are changed, the identification label of the related data packet is updated, so that the management and control precision is improved.
Optionally, before judging whether the identification tag meets the preset encryption condition, the method further includes:
judging whether the identification tag carried by the data packet is a preset identification threshold value or not;
if yes, the identification tag meets the encryption condition;
otherwise, the identification tag is not in accordance with the encryption condition.
By adopting the technical scheme, whether the data packet needs to be encrypted by the IPSEC tunnel or not is judged by setting the identification threshold, so that the resource occupation is reduced, and the management and control efficiency of the data packet is improved.
In a second aspect, a system for managing and controlling on-demand distribution of IPSEC tunnel data provided by the present application adopts the following technical scheme:
a system for managing and controlling the on-demand distribution of IPSEC tunnel data comprises an acquisition module for acquiring data packets;
the marking module is used for adding identification tags for the data packets based on preset marking rules;
the processing module is used for judging whether the identification tag accords with a preset encryption condition or not; when the identification tag accords with a preset encryption condition, transmitting the corresponding data packet to an IPSEC tunnel for encryption; otherwise, the corresponding data packet is transmitted to other transmission paths without being encrypted through the IPSEC tunnel.
With this scheme, each data packet is marked. When the mark carried by a packet, namely its identification tag, meets the preset encryption condition, the packet is sent to the IPSEC tunnel for encryption; otherwise the encryption step of the IPSEC tunnel is skipped. It is thus determined which packets need encryption and which do not, which improves the management and control precision of the IPSEC tunnel.
Optionally, the system further comprises a database, wherein a value assignment table is pre-stored, and the value assignment table comprises a plurality of five-tuple threshold groups and the identification tag corresponding to the five-tuple threshold groups; the quintuple threshold group comprises a source address threshold, a destination address threshold, a protocol type threshold, a destination port threshold and a source port threshold;
the marking module comprises a grabbing sub-module which is used for acquiring five-tuple data of the data packet; the five-tuple data comprises a source address, a destination address, a protocol type, a destination port and a source port;
and the calling sub-module is used for calling the corresponding identification tag when the five-tuple data corresponds to any five-tuple threshold value group in the assignment table, and giving the called identification tag to the corresponding data packet.
With this scheme, the five-tuple data of a packet is used at the transport layer to decide whether that packet needs to go through the IPSEC tunnel. Compared with IPSEC tunnel control in the related art, control of the IPSEC tunnel can conveniently be made precise down to each individual data packet.
In a third aspect, the present application provides an intelligent terminal that adopts the following technical scheme:
an intelligent terminal comprises a memory and a processor, wherein a program for controlling the on-demand distribution of IPSEC tunnel data is stored in the memory, and the processor is used for adopting any one of the methods when executing the program for controlling the on-demand distribution of the IPSEC tunnel data.
By adopting the technical scheme, corresponding programs can be stored and processed, so that the management and control precision of the IPSEC tunnel can be conveniently improved.
In a fourth aspect, a storage medium provided in the present application adopts the following technical scheme:
a storage medium storing a computer program capable of being loaded by a processor and executing any one of the methods described above.
By adopting the technical scheme, the corresponding program can be stored, so that the management and control precision of the IPSEC tunnel can be conveniently improved.
In summary, by adding the identification tag to each data packet, it is determined whether each data packet needs to be encrypted by the IPSEC tunnel, which is conducive to performing accurate transmission control on the encrypted data packet, and improves management and control accuracy of the IPSEC tunnel.
The five-tuple information is used for giving the identification label to the data packet, so that the five-tuple threshold group can be conveniently changed, and the management and control flexibility of the IPSEC tunnel is improved; and the method is also beneficial to more accurately controlling the data packets, so that the data packets which do not meet the encryption conditions of the IPSEC tunnel skip the encryption process of the IPSEC tunnel.
Drawings
Figure 1 is a flow chart of a method of managing on-demand distribution of IPSEC tunnel data in accordance with an embodiment.
Fig. 2 is a flowchart of step S200 in a method for managing on-demand distribution of IPSEC tunnel data according to an embodiment.
Fig. 3 is a block diagram of a system for managing on-demand distribution of IPSEC tunnel data according to an embodiment.
Reference numerals illustrate:
1. acquisition module; 2. marking module; 21. grabbing sub-module; 22. calling sub-module; 3. processing module; 4. database.
Detailed Description
The embodiment of the application discloses a method for managing and controlling on-demand distribution of IPSEC tunnel data. Referring to fig. 1, the method for managing the on-demand distribution of IPSEC tunnel data includes:
s100, acquiring a data packet.
A data packet refers to data that needs to be transmitted.
S200, adding identification tags for each data packet based on a preset marking rule.
Specifically, an assignment table is preset in the database. It comprises a plurality of quintuple threshold groups and identification tags, each quintuple threshold group corresponding to one identification tag. In this embodiment, the assignment table is a Netfilter NAT table, and the quintuple threshold groups and the identification tags are both stored in the PREROUTING chain of the Netfilter NAT table, so that packets with the same quintuple match the marking rule in the assignment table only once. Netfilter is the Linux firewall; it runs in the kernel and can mark or otherwise act on packets according to filtering rules set by the user. Netfilter includes four tables, mangle, nat, filter and raw, each containing the five chains INPUT, OUTPUT, FORWARD, PREROUTING and POSTROUTING.
The five-tuple threshold set includes a source address threshold, a destination address threshold, a protocol type threshold, a destination port threshold, and a source port threshold. For ease of understanding, the five-tuple threshold set is described in detail. The source address threshold may be a network segment or a range, such as 1.1.1.1 or 1.1.1.1-1.1.2.1; the destination address threshold may likewise be a network segment or a range, such as 2.2.2.2 or 2.2.2.2-3.3.3.3; protocol type thresholds include TCP and UDP; the destination port threshold is, for example, 80, and the source port threshold is, for example, 80.
Identification tag
Referring to fig. 2, step S200 includes:
s210, acquiring five-tuple data of the data packet.
It should be noted that, in the embodiment of the present application, the decision on whether a packet needs encryption and decryption through the IPSEC tunnel is made at layer four of the network stack, that is, the transport layer, so the five-tuple data of each packet is available. The five-tuple data comprises a source address, a destination address, a protocol type, a destination port and a source port.
S220, when the quintuple data corresponds to any quintuple threshold value group in the assignment table, the corresponding identification tag is called.
Wherein, the step of judging that the quintuple data corresponds to the quintuple threshold group comprises the following steps:
whether the source address accords with the source address threshold, whether the destination address accords with the destination address threshold, whether the protocol type accords with the protocol type threshold, whether the destination port accords with the destination port threshold and whether the source port accords with the source port threshold is judged.
If the five-tuple data are in accordance with the five-tuple threshold value set, the corresponding five-tuple data are considered to correspond to the corresponding five-tuple threshold value set; otherwise, it is considered as not corresponding.
By coincidence, it is meant that the source address is the same as the source address threshold or falls within the source address threshold; the destination address is the same as the destination address threshold or belongs to the destination address threshold range; the protocol type belongs to one of the protocol type thresholds; the destination port is the same as the destination port threshold; the source port is the same as the source port threshold.
S230, the called identification tag is assigned to the corresponding data packet.
Referring to fig. 1, after step S200, further includes:
s300, judging whether the identification tag meets preset encryption conditions.
If yes, S400: the corresponding packet is sent to the IPSEC tunnel for encryption; otherwise, S500: the corresponding packet is sent along another transmission path and is not encrypted through the IPSEC tunnel. The encryption condition is preset and is used to judge whether the identification tag on a packet means that the packet needs to be encrypted by the IPSEC tunnel. In this embodiment, the encryption condition is preset as a value, and the identification tag is likewise a value. If the value represented by the packet's identification tag equals the value of the encryption condition, the tag is considered to meet the encryption condition; if the values differ, the condition is not met.
In addition, sending a packet to the IPSEC tunnel for encryption means that the packet enters the IPSEC tunnel, passes in turn through the security policy module and the encryption and decryption module, and is then transmitted. Not encrypting a packet through the IPSEC tunnel covers two cases: in one, the packet is no longer carried by the IPSEC tunnel at all and is transmitted by another means; in the other, the packet still enters the IPSEC tunnel but skips the security policy module and the encryption and decryption module and proceeds directly to subsequent transmission.
In this embodiment, in order to facilitate improving the control flexibility and accuracy of the IPSEC tunnel, when the five-tuple threshold set and/or the identification label in the assignment table is changed, the identification label of the data packet related to the changed five-tuple threshold set or identification label is deleted, and a new identification label is added for the corresponding data packet based on the changed five-tuple threshold set and/or identification label.
A data packet related to a changed quintuple threshold group is one whose quintuple data corresponds to that changed group; a data packet related to a changed identification tag is one whose identification tag is the same as that changed tag.
Deleting the identification tag of a packet related to the changed quintuple threshold group or identification tag, and adding a new tag to that packet based on the changed quintuple threshold group and/or identification tag, means re-matching a tag for every packet that lost its tag because a quintuple threshold group and/or identification tag was modified. For example: if the identification tag of packet a is deleted because of a change to a five-tuple threshold group and/or identification tag, the assignment table is searched for the tag of the five-tuple threshold group corresponding to the five-tuple data of packet a, and the tag found is given to packet a.
It should be noted that, whether the data packet needs to be decrypted through the IPSEC tunnel is judged by the identification tag carried by the data packet in the same manner as the encryption process.
The implementation principle of the method for managing and controlling the on-demand distribution of IPSEC tunnel data in the embodiment of the application is as follows: once a packet reaches the transport layer, it has an associated five-tuple. At that point an identification tag is added to each packet based on its five-tuple data and the preset marking rule; before the packet would pass through the security policy module of the IPSEC tunnel, it is judged whether the packet's identification tag meets the preset encryption condition. If it does, the packet needs to be encrypted and is sent to the security policy module of the IPSEC tunnel, which looks up the corresponding encryption rule for the packet; the packet is then encrypted by the encryption and decryption module of the IPSEC tunnel. If the identification tag does not meet the encryption condition, the packet does not need IPSEC tunnel encryption and skips the security policy module and the encryption and decryption module.
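The tagging procedure (S210 to S230), the encryption decision (S300 to S500) and the re-tagging after a table change, modelled as an added Python example that is not the patent's own code and does not touch Netfilter; the sample assignment table, the packet ids and the value of ENCRYPT_TAG are assumptions constructed for the example.

```python
"""User-space model of the patent's assignment table: first-match five-tuple
tagging, tag-based IPSEC routing, and re-tagging when the table changes.
Added example, not the patent's code; the table contents are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class FiveTuple:
    """Transport-layer five-tuple of one packet (S210)."""
    src: str
    dst: str
    proto: str
    dport: int
    sport: int


@dataclass(frozen=True)
class ThresholdGroup:
    """One assignment-table row: five thresholds and the tag they yield."""
    src: str                  # single address or "lo-hi" range, as in the description
    dst: str
    protos: FrozenSet[str]    # allowed protocol types, e.g. {"TCP", "UDP"}
    dport: int
    sport: int
    tag: int


def addr_accords(addr: str, threshold: str) -> bool:
    """Address equals the threshold, or falls inside its inclusive range."""
    a = IPv4Address(addr)
    if "-" in threshold:
        lo, hi = (IPv4Address(p.strip()) for p in threshold.split("-", 1))
        return lo <= a <= hi
    return a == IPv4Address(threshold)


def tuple_accords(ft: FiveTuple, g: ThresholdGroup) -> bool:
    """All five fields must accord with the group (S220 / claim 3)."""
    return (addr_accords(ft.src, g.src)
            and addr_accords(ft.dst, g.dst)
            and ft.proto.upper() in g.protos
            and ft.dport == g.dport
            and ft.sport == g.sport)


def lookup(ft: FiveTuple, table: List[ThresholdGroup]) -> Optional[ThresholdGroup]:
    """First matching row wins: one pass, so a packet never gets two tags."""
    for g in table:
        if tuple_accords(ft, g):
            return g
    return None


ENCRYPT_TAG = 1  # assumed value of the preset identification threshold (S300)


def decide(tag: Optional[int]) -> str:
    """S400 (tunnel encryption) if the tag equals the threshold, otherwise S500."""
    return "ipsec" if tag == ENCRYPT_TAG else "bypass"


class Tagger:
    """Tags packets from the assignment table and re-tags them after a table change."""

    def __init__(self, table: List[ThresholdGroup]):
        self.table = list(table)
        self.tuples: Dict[str, FiveTuple] = {}
        self.tags: Dict[str, Optional[int]] = {}
        self.origin: Dict[str, Optional[ThresholdGroup]] = {}  # row that produced the tag

    def tag_packet(self, pkt_id: str, ft: FiveTuple) -> Optional[int]:
        row = lookup(ft, self.table)
        self.tuples[pkt_id] = ft
        self.origin[pkt_id] = row
        self.tags[pkt_id] = row.tag if row else None
        return self.tags[pkt_id]

    def update_table(self, new_table: List[ThresholdGroup]) -> List[str]:
        """Apply a changed table. A packet whose tag came from a row that is no
        longer present unchanged (group edited, deleted, or tag value changed)
        loses its tag and is matched again; the ids of re-tagged packets are returned."""
        self.table = list(new_table)
        retagged = []
        for pkt_id, row in list(self.origin.items()):
            if row is not None and row not in self.table:
                self.tags[pkt_id] = None                       # delete the stale tag
                self.tag_packet(pkt_id, self.tuples[pkt_id])   # re-match against new table
                retagged.append(pkt_id)
        return retagged


def demo():
    """Constructed table and packets; returns the tags and the re-tag result."""
    table = [
        ThresholdGroup("1.1.1.1-1.1.2.1", "2.2.2.2-3.3.3.3", frozenset({"TCP", "UDP"}), 80, 80, 1),
        ThresholdGroup("10.0.0.5", "2.2.2.2", frozenset({"TCP"}), 443, 443, 2),
    ]
    t = Tagger(table)
    a = t.tag_packet("a", FiveTuple("1.1.1.200", "2.2.2.2", "tcp", 80, 80))    # in range -> 1
    b = t.tag_packet("b", FiveTuple("10.0.0.5", "2.2.2.2", "tcp", 443, 443))   # exact -> 2
    c = t.tag_packet("c", FiveTuple("10.0.0.9", "2.2.2.2", "tcp", 443, 443))   # no row -> None
    # Table change: the second group's tag is altered, so packet b must be re-tagged.
    changed = [table[0], ThresholdGroup("10.0.0.5", "2.2.2.2", frozenset({"TCP"}), 443, 443, 1)]
    retagged = t.update_table(changed)
    return a, b, c, retagged, t.tags["b"]


if __name__ == "__main__":
    a, b, c, retagged, b_after = demo()
    print(a, decide(a), b, decide(b), c, decide(c), retagged, b_after, decide(b_after))
```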
The embodiment of the application also discloses a system for managing and controlling the on-demand distribution of IPSEC tunnel data, referring to FIG. 3, comprising an acquisition module 1, a marking module 2, a processing module 3 and a database 4; the marking module 2 comprises a grabbing sub-module 21 and a calling sub-module 22. The acquisition module 1 is used for acquiring a data packet; the marking module 2 is configured to add an identification tag to each data packet based on a preset marking rule.
Specifically, a database 4 is pre-stored with an assignment table, wherein the assignment table comprises a plurality of quintuple threshold groups and identification tags corresponding to the quintuple threshold groups; the five-tuple threshold set includes a source address threshold, a destination address threshold, a protocol type threshold, a destination port threshold, and a source port threshold. The grabbing submodule 21 is used for obtaining quintuple data of the data packet, wherein the quintuple data comprises a source address, a destination address, a protocol type, a destination port and a source port.
The calling sub-module 22 is configured to call a corresponding identification tag when the quintuple data corresponds to any quintuple threshold set in the assignment table, and assign the called identification tag to a corresponding data packet.
The processing module 3 is used for judging whether the identification tag accords with a preset encryption condition, and transmitting the corresponding data packet to the IPSEC tunnel for encryption when the identification tag accords with the preset encryption condition; otherwise, the corresponding data packet is transmitted to other transmission paths without being encrypted through the IPSEC tunnel.
The embodiment of the application also discloses an intelligent terminal, which comprises a memory and a processor, wherein the memory stores a program for controlling the on-demand distribution of IPSEC tunnel data, and the processor is used for adopting the method when executing the program for controlling the on-demand distribution of the IPSEC tunnel data.
The embodiment of the application also discloses a storage medium which stores a computer program capable of being loaded by a processor and executing the method.
The foregoing are all preferred embodiments of the present application and are not intended to limit its scope in any way; therefore, all equivalent changes in structure, shape and principle of this application should be covered by its protection scope.

Claims (7)

1. A method for managing and controlling on-demand distribution of IPSEC tunnel data, comprising:
acquiring a data packet;
adding identification tags for the data packets based on preset marking rules;
when the identification tag accords with a preset encryption condition, transmitting the corresponding data packet to an IPSEC tunnel for encryption;
otherwise, the corresponding data packet is transmitted to other transmission paths without being encrypted through the IPSEC tunnel;
presetting an assignment table, wherein the assignment table comprises a plurality of quintuple threshold groups and the identification tags corresponding to the quintuple threshold groups; the quintuple threshold group comprises a source address threshold, a destination address threshold, a protocol type threshold, a destination port threshold and a source port threshold;
the step of adding an identification tag to each data packet based on a preset marking rule comprises the following steps:
acquiring five-tuple data of the data packet; the five-tuple data comprises a source address, a destination address, a protocol type, a destination port and a source port;
when the five-tuple data corresponds to any five-tuple threshold value group in the assignment table, the corresponding identification tag is called;
assigning the called identification tag to the corresponding data packet;
and deleting the identification label of the data packet related to the changed five-tuple threshold group or the identification label when the five-tuple threshold group and/or the identification label in the assignment table are changed, and adding a new identification label for the data packet based on the changed five-tuple threshold group and/or the changed identification label.
2. The method for managing and controlling on-demand distribution of IPSEC tunnel data according to claim 1, characterized in that: the assignment table is a Netfilter NAT table, and the five-tuple threshold group and the identification tag are stored in a PREROUTING chain of the Netfilter NAT table.
3. The method for managing on-demand distribution of IPSEC tunnel data according to claim 1 or 2, wherein the step of determining that the quintuple data corresponds to the quintuple threshold group comprises:
judging whether the source address accords with the source address threshold, whether the destination address accords with the destination address threshold, whether the protocol type accords with the protocol type threshold, whether the destination port accords with the destination port threshold and whether the source port accords with the source port threshold;
if the five-tuple data are both in accordance with the five-tuple threshold set, the corresponding five-tuple data are considered to correspond to the corresponding five-tuple threshold set;
otherwise, it is considered as not corresponding.
4. The method for managing on-demand distribution of IPSEC tunnel data according to claim 1, further comprising, before the identification label meets a preset encryption condition:
judging whether the identification tag carried by the data packet is a preset identification threshold value or not;
if yes, the identification tag meets the encryption condition;
otherwise, the identification tag is not in accordance with the encryption condition.
5. A system for managing and controlling on-demand distribution of IPSEC tunnel data, characterized in that it comprises an acquisition module (1) for acquiring data packets;
the marking module (2) is used for adding identification tags to the data packets based on preset marking rules;
and a processing module (3) for judging whether the identification tag accords with a preset encryption condition; when the identification tag accords with a preset encryption condition, transmitting the corresponding data packet to an IPSEC tunnel for encryption; otherwise, the corresponding data packet is transmitted to other transmission paths without being encrypted through the IPSEC tunnel;
the system also comprises a database (4) in which an assignment table is pre-stored, wherein the assignment table comprises a plurality of quintuple threshold groups and the identification tags corresponding to the quintuple threshold groups; the quintuple threshold group comprises a source address threshold, a destination address threshold, a protocol type threshold, a destination port threshold and a source port threshold;
the marking module comprises a grabbing sub-module (21) for acquiring five-tuple data of the data packet; the five-tuple data comprises a source address, a destination address, a protocol type, a destination port and a source port;
and a calling sub-module (22) for calling the corresponding identification tag and giving the called identification tag to the corresponding data packet when the five-tuple data corresponds to any five-tuple threshold group in the assignment table;
and deleting the identification label of the data packet related to the changed five-tuple threshold group or the identification label when the five-tuple threshold group and/or the identification label in the assignment table are changed, and adding a new identification label for the data packet based on the changed five-tuple threshold group and/or the changed identification label.
6. An intelligent terminal, its characterized in that: comprising a memory in which a program for managing the on-demand distribution of IPSEC tunnel data is stored, and a processor for employing the method according to any of claims 1-4 when executing the program for managing the on-demand distribution of IPSEC tunnel data.
7. A storage medium, characterized by: a computer program stored which can be loaded by a processor and which performs the method according to any of claims 1-4.
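As an added example (not the patent's own code, which it does not publish), the following Python models the marking and processing modules of claims 3 to 5: a constructed packet's five-tuple is matched against an assignment table of threshold groups, all five items must match to yield a tag, a tag equal to the preset threshold value steers the packet into the IPsec tunnel, and packets are re-marked when the table changes. Representing thresholds as CIDR prefixes, protocol numbers and inclusive port ranges, the tag values and the sample table are all assumptions made here.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class ThresholdGroup:
    """One five-tuple threshold group of the assignment table (claim 5); field formats are assumptions."""
    src_net: str       # source address threshold, CIDR prefix
    dst_net: str       # destination address threshold, CIDR prefix
    proto: int         # protocol type threshold, IP protocol number
    dst_ports: tuple   # destination port threshold, inclusive (low, high)
    src_ports: tuple   # source port threshold, inclusive (low, high)
    def corresponds(self, pkt: dict) -> bool:
        # Claim 3: all five items must match, otherwise the tuple does not correspond.
        return (ip_address(pkt["src"]) in ip_network(self.src_net)
                and ip_address(pkt["dst"]) in ip_network(self.dst_net)
                and pkt["proto"] == self.proto
                and self.dst_ports[0] <= pkt["dport"] <= self.dst_ports[1]
                and self.src_ports[0] <= pkt["sport"] <= self.src_ports[1])

ENCRYPT_TAG = "ipsec"  # the preset identification threshold value of claim 4 (assumed value)

def assign_tag(pkt: dict, table: list):
    """Marking module: the first matching threshold group supplies the tag, else None."""
    for group, tag in table:
        if group.corresponds(pkt):
            return tag
    return None

def steer(pkt: dict, table: list) -> str:
    """Processing module: tag == preset value -> IPsec tunnel; all else, unmatched flows included, stays plaintext."""
    return "ipsec_tunnel" if assign_tag(pkt, table) == ENCRYPT_TAG else "plain_path"

def retag(tagged: list, new_table: list) -> list:
    """Claim 5, last clause: the table changed, so discard old tags and re-mark the packets."""
    return [(pkt, assign_tag(pkt, new_table)) for pkt, _old_tag in tagged]

# Constructed table (site TLS tunnelled, DNS bypasses) plus a changed copy widening the port threshold to 80-443.
TABLE = [
    (ThresholdGroup("10.1.0.0/16", "10.2.0.0/16", 6, (443, 443), (1024, 65535)), ENCRYPT_TAG),
    (ThresholdGroup("10.1.0.0/16", "0.0.0.0/0", 17, (53, 53), (0, 65535)), "bypass"),
]
NEW_TABLE = [(ThresholdGroup("10.1.0.0/16", "10.2.0.0/16", 6, (80, 443), (1024, 65535)),
              ENCRYPT_TAG)] + TABLE[1:]
# Constructed five-tuples of three packets.
TLS = {"src": "10.1.2.3", "dst": "10.2.9.9", "proto": 6, "dport": 443, "sport": 40000}
DNS = {"src": "10.1.2.3", "dst": "192.0.2.53", "proto": 17, "dport": 53, "sport": 5000}
HTTP = {"src": "10.1.2.3", "dst": "10.2.9.9", "proto": 6, "dport": 80, "sport": 40000}
if __name__ == "__main__":
    print([(n, steer(p, TABLE)) for n, p in (("TLS", TLS), ("DNS", DNS), ("HTTP", HTTP))])
    print(retag([(HTTP, None)], NEW_TABLE))  # HTTP is now tagged "ipsec"
```

Note that unmatched traffic falls to the plaintext path by construction, so any flow that must be protected has to be enumerated in the assignment table.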
CN202111509910.9A 2021-12-10 2021-12-10 Method, system, terminal and storage medium for managing and controlling on-demand distribution of IPSEC tunnel data Active CN114301735B (en)
Publications (2)

Publication Number Publication Date
CN114301735A CN114301735A (en) 2022-04-08
CN114301735B true CN114301735B (en) 2023-05-02

Family

ID=80967218

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112217769A (en) * 2019-07-11 2021-01-12 奇安信科技集团股份有限公司 Data decryption method, data encryption method, data decryption device, data encryption device, data decryption equipment and data decryption medium based on tunnel

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100594690C (en) * 2007-05-22 2010-03-17 网御神州科技(北京)有限公司 Method and device for safety strategy uniformly treatment in safety gateway
CN100596062C (en) * 2007-08-16 2010-03-24 杭州华三通信技术有限公司 Secure protection device and method for distributed packet transfer
US9813343B2 (en) * 2013-12-03 2017-11-07 Akamai Technologies, Inc. Virtual private network (VPN)-as-a-service with load-balanced tunnel endpoints
CN104935593B (en) * 2015-06-16 2018-11-27 新华三技术有限公司 The transmission method and device of data message
CN105763557B (en) * 2016-04-07 2019-01-22 烽火通信科技股份有限公司 Exchange chip or NP cooperate with the method and system for completing message IPSEC encryption with CPU
US10778651B2 (en) * 2017-11-15 2020-09-15 Nicira, Inc. Performing context-rich attribute-based encryption on a host
CN110691074B (en) * 2019-09-20 2022-04-22 西安瑞思凯微电子科技有限公司 IPv6 data encryption method and IPv6 data decryption method
CN112218292A (en) * 2020-09-16 2021-01-12 浙江双成电气有限公司 Encryption method and system for wireless communication, electronic device and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant