CN114553602B - Soft and hard life aging control method and device - Google Patents


Info

Publication number
CN114553602B
Authority
CN
China
Prior art keywords
soft
hard
counter value
software
life
Legal status
Active
Application number
CN202210437397.5A
Other languages
Chinese (zh)
Other versions
CN114553602A (en)
Inventor
夏慧莉
王旭
孙路遥
Current Assignee
Shenzhen Xingyun Zhilian Technology Co ltd
Original Assignee
Shenzhen Xingyun Zhilian Technology Co ltd
Application filed by Shenzhen Xingyun Zhilian Technology Co ltd
Priority to CN202210821813.1A (CN115150179B)
Priority to CN202210437397.5A (CN114553602B)
Publication of CN114553602A
Application granted
Publication of CN114553602B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up

Abstract

The embodiment of the application provides a soft and hard life aging control method and device. The method comprises the following steps: caching a pre-configured soft and hard life aging threshold through software; configuring a soft and hard life counter value in a hardware register according to the soft and hard life aging threshold; sending an interrupt instruction from the hardware to the software when the hard life counter value in the hardware register is less than or equal to the soft life counter value, or the hard life counter value is 0, or the soft life counter value is 0; and, after the software receives the interrupt instruction, judging from the current soft round number and hard round number whether the SA has reached a soft life aging event or a hard life aging event. When a soft and hard life aging threshold exceeding 2^32 is configured, the above method accurately controls the soft life aging event on the premise of ensuring the accuracy of the hard life aging event, avoids problems such as data leakage caused by renegotiating SA information after the hard life aging event has expired, and improves the security of data transmission.

Description

Soft and hard life aging control method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for controlling soft and hard life aging.
Background
With the development of Internet technology, in order to prevent information leakage in network communication, an Internet Protocol Security (IPSec) tunnel is established between a data sender and a data receiver. The data sender encrypts a data packet before network transmission, so that even if the packet is intercepted in transit it is not easy to break or tamper with, and the data receiver decrypts it and verifies its integrity using the key information negotiated by both parties. This ensures that the information in the data packet is neither leaked nor tampered with, and improves the security and integrity of network data transmission over a public network.
The soft life aging means that when the transmitted or received IPSec packet reaches a soft life aging threshold value, software informs an upper layer to perform negotiation of an IPSec tunnel again to generate a new secret key; hard lifetime aging means that when a transmitted or received IPSec packet reaches a hard lifetime aging threshold, the IPSec tunnel is deleted.
In high-speed networks, because the IPSec sequence number is limited to 32 bits, IPSec Security Association (SA) information must be renegotiated once every 2^32 packets transmitted or received, which is frequent for large packet volumes. To solve this problem, the Extended Sequence Number (ESN) was introduced, which supports 64 bits. After ESN is enabled, when the user configures a soft and hard life aging threshold exceeding 2^32, the 32-bit soft and hard life counters of the hardware cannot by themselves satisfy the user-configured aging requirement, so control of IPSec SA soft and hard life aging is implemented by software and hardware in cooperation. At present, there is an error (advancing or delaying the soft life aging event) in the pre-judging of the soft life aging event, so that when the hard life aging event of the IPSec SA expires, renegotiation of information such as the IPSec SA key may not have completed, and the resulting IPSec tunnel disconnection brings a risk that data or key information is leaked or tampered with.
Disclosure of Invention
The embodiment of the application provides a soft and hard life aging control method and device. When a soft and hard life aging threshold exceeding 2^32 is configured, the soft life aging event is accurately controlled on the premise of ensuring the accuracy of the hard life aging event, problems such as data leakage caused by renegotiating SA information after the hard life aging event has expired are avoided, and the security of data transmission is improved.
In a first aspect, an embodiment of the present application provides a soft and hard life aging control method, including:
obtaining, by hardware, a first soft and hard life counter value in a current hardware register, wherein the first soft and hard life counter value comprises a first soft life counter value and a first hard life counter value;
when the hardware successfully processes a first Internet Protocol Security (IPSec) packet, decrementing, by the hardware, the first hard life counter value to obtain a second hard life counter value;
when the second hard life counter value is less than or equal to the first soft life counter value, or the second hard life counter value is 0, or the first soft life counter value is 0, sending an interrupt instruction to software through the hardware;
based on the interrupt instruction, obtaining, by the software, a first soft round number and a first hard round number of the current IPSec security association (SA);
determining, by the software, that the SA has reached a soft life aging event when the first soft round number is 0; and determining, by the software, that the SA has reached a hard life aging event when the first soft round number is 0 and the first hard round number is 0.
In the method, a pre-configured soft and hard life aging threshold is cached by software, and different soft and hard life counter values are configured in the hardware register according to the range of the hard life aging threshold. After an IPSec packet is successfully encrypted or decrypted and authenticated through the IPSec tunnel, the hardware compares the second hard life counter value with the first soft life counter value; when the comparison meets the preset relationship, the hardware sends an interrupt instruction to the software. After receiving the interrupt instruction, the software determines whether the IPSec SA has reached the soft life aging event or the hard life aging event, and performs the corresponding processing. The method accurately controls the soft life aging event on the premise of ensuring the accuracy of the hard life aging event, avoids problems such as data leakage caused by renegotiating SA information after the hard life aging event expires, and improves the security of data transmission.
In one possible implementation, the method further includes:
when the first soft round number is not 0 and the first hard round number is not 0, subtracting 1 from the first soft round number through the software to obtain a second soft round number, and subtracting 1 from the first hard round number to obtain a second hard round number;
when the second hard round number is larger than 1, setting, through the software, the highest bit of the second hard life counter value configured in the hardware register to 1 to obtain a third hard life counter value, wherein the second hard life counter value is a 32-bit binary value;
and when the second hard round number is equal to 1, operating on the first soft life counter value through the software according to a first modulus value and a second modulus value, wherein the first modulus value is obtained by the software performing a modulus operation on the pre-configured soft life aging threshold, and the second modulus value is obtained by the software performing a modulus operation on the pre-configured hard life aging threshold.
In this embodiment of the present application, when neither the first soft round number nor the first hard round number is 0, the software determines that the IPSec SA has reached neither the soft life aging event nor the hard life aging event. It then needs to determine whether the second hard round number is the last round. When the second hard round number is not the last round (greater than 1), the hard life aging event is not yet due, and the highest bit of the second hard life counter value is set to 1. When the second hard round number is the last round (equal to 1), the hard life aging event is about to be due, and the first soft life counter value is operated on, thereby ensuring that the soft life aging event is due before the hard life aging event.
In one possible implementation manner, the operating, by the software, the first soft lifetime counter value according to the first modulus value and the second modulus value includes:
when the second modulus value is greater than or equal to the first modulus value, modifying, by the software, the first soft life counter value into a second soft life counter value, wherein the second soft life counter value = b - a, b being the second modulus value and a being the first modulus value; or
when the second modulus value is less than the first modulus value, modifying, by the software, the first soft life counter value into a second soft life counter value, wherein the second soft life counter value = b - a + 2^31, b being the second modulus value and a being the first modulus value.
In this embodiment of the present application, when the second hard round number is the last round (equal to 1), which indicates that a hard lifetime aging event is about to expire, the first soft lifetime counter value needs to be modified, so that a soft lifetime aging event corresponding to the modified second soft lifetime counter value expires before the hard lifetime aging event, thereby accurately controlling the soft lifetime aging event, avoiding the problems of data leakage and the like caused by renegotiation of SA information after the hard lifetime aging event expires, and improving the security of data transmission.
In one possible implementation, the method further includes:
when the hardware successfully processes a second IPSec packet, decrementing, by the hardware, the third hard life counter value to obtain a fourth hard life counter value;
when the fourth hard life counter value is less than or equal to the first soft life counter value, sending the interrupt instruction to the software through the hardware;
obtaining, by the software, the second soft round number and the second hard round number of the current SA based on the interrupt instruction;
determining, by the software, that the SA has reached the soft life aging event when the second soft round number is 0; and determining, by the software, that the SA has reached the hard life aging event when the second soft round number is 0 and the second hard round number is 0.
In the embodiment of the application, in the previous round the software determined that the IPSec SA had reached neither the soft life aging event nor the hard life aging event, and that the hard life aging event was not yet due. After an IPSec packet is again successfully encrypted or decrypted and authenticated through the IPSec tunnel, the hardware compares the fourth hard life counter value with the first soft life counter value in this round; when the preset relationship is met, the hardware sends an interrupt instruction to the software. After receiving the interrupt instruction, the software determines whether the IPSec SA in this round has reached the soft life aging event or the hard life aging event, and performs the corresponding processing.
In one possible implementation, the method further includes:
when the hardware successfully processes a second IPSec packet, decrementing, by the hardware, the second hard life counter value to obtain a fifth hard life counter value;
when the fifth hard life counter value is 0 or the second soft life counter value is 0, sending the interrupt instruction to the software through the hardware;
obtaining, by the software, the second soft round number and the second hard round number of the current SA based on the interrupt instruction;
determining, by the software, that the SA has reached the soft life aging event when the second soft round number is 0; and determining, by the software, that the SA has reached the hard life aging event when the second soft round number is 0 and the second hard round number is 0.
In this embodiment of the present application, the software determined that the IPSec SA had reached neither the soft life aging event nor the hard life aging event, and that the hard life aging event was about to expire. After an IPSec packet is again successfully encrypted or decrypted and authenticated through the IPSec tunnel, the hardware checks whether the fifth hard life counter value or the second soft life counter value in this round is 0; when either is 0, the hardware sends an interrupt instruction to the software. After receiving the interrupt instruction, the software determines whether the IPSec SA in this round has reached the soft life aging event or the hard life aging event, and performs the corresponding processing.
In one possible implementation manner, after the determining, by the software, that the SA is the soft life aging event, the method further includes:
reconfiguring, by the software, SA information, wherein the SA information comprises at least one of a mutual authentication policy, a key mechanism, and a key.
In the embodiment of the application, when the software determines that the SA is the soft life aging event, the software notifies the upper layer to renegotiate information such as the SA key and the like, so that data transmission in the IPSec tunnel is not interrupted, and the security of data transmission is improved.
In one possible implementation manner, after the determining, by the software, that the SA has reached the hard life aging event, the method further includes:
deleting, by the software, the security association database (SAD) table entry corresponding to the SA information.
In the embodiment of the application, when the software determines that the SA has reached the hard life aging event, the software deletes information such as the SAD table entry corresponding to the SA information, establishes a new IPSec tunnel, and reconfigures the soft and hard life aging thresholds and the like, thereby ensuring the security of data transmission.
In a second aspect, an embodiment of the present application provides a soft and hard life aging control apparatus, including:
an obtaining unit, configured to obtain, by hardware, a first soft and hard life counter value in a current hardware register, wherein the first soft and hard life counter value comprises a first soft life counter value and a first hard life counter value;
a computing unit, configured to obtain a second hard life counter value by decrementing, by the hardware, the first hard life counter value when the hardware successfully processes a first IPSec packet;
a sending unit, configured to send an interrupt instruction to software through the hardware when the second hard life counter value is less than or equal to the first soft life counter value, or the second hard life counter value is 0, or the first soft life counter value is 0;
the obtaining unit being further configured to obtain, by the software, a first soft round number and a first hard round number of the current IPSec security association (SA) based on the interrupt instruction;
a determining unit, configured to determine, by the software, that the SA has reached a soft life aging event when the first soft round number is 0, and to determine, by the software, that the SA has reached a hard life aging event when the first soft round number is 0 and the first hard round number is 0.
In one possible implementation, the computing unit is further configured to:
when the first soft round number is not 0 and the first hard round number is not 0, subtract 1 from the first soft round number through the software to obtain a second soft round number, and subtract 1 from the first hard round number to obtain a second hard round number;
when the second hard round number is larger than 1, set, through the software, the highest bit of the second hard life counter value configured in the hardware register to 1 to obtain a third hard life counter value, wherein the second hard life counter value is a 32-bit binary value;
and when the second hard round number is equal to 1, operate on the first soft life counter value through the software according to a first modulus value and a second modulus value, wherein the first modulus value is obtained by the software performing a modulus operation on the pre-configured soft life aging threshold, and the second modulus value is obtained by the software performing a modulus operation on the pre-configured hard life aging threshold.
In a possible implementation manner, the computing unit is specifically configured to:
when the second modulus value is greater than or equal to the first modulus value, modify, by the software, the first soft life counter value into a second soft life counter value, wherein the second soft life counter value = b - a, b being the second modulus value and a being the first modulus value; or
when the second modulus value is less than the first modulus value, modify, by the software, the first soft life counter value into a second soft life counter value, wherein the second soft life counter value = b - a + 2^31, b being the second modulus value and a being the first modulus value.
In a possible implementation manner, the computing unit is further configured to, when the hardware successfully processes a second IPSec packet, obtain, by the hardware, a fourth hard life counter value by decrementing the third hard life counter value;
the sending unit is further configured to send the interrupt instruction to the software through the hardware when the fourth hard lifetime counter value is less than or equal to the first soft lifetime counter value;
the obtaining unit is further configured to obtain, by the software, the second soft round number and the second hard round number of the current SA based on the interrupt instruction;
the determining unit is further configured to determine, by the software, that the SA is the soft life aging event when the second soft round number is 0; determining, by the software, that the SA is the hard life aging event when the second soft round number is 0 and the second hard round number is 0.
In a possible implementation manner, the computing unit is further configured to, when a second IPSec packet is successfully processed by the hardware, obtain a fifth hard life counter value by decrementing, by the hardware, the second hard life counter value;
the sending unit is further configured to send the interrupt instruction to the software through the hardware when the fifth hard lifetime counter value is 0 or the second soft lifetime counter value is 0;
the obtaining unit is further configured to obtain, by the software, the second soft round number and the second hard round number of the current SA based on the interrupt instruction;
the determining unit is further configured to determine, by the software, that the SA is the soft life aging event when the second soft round number is 0; determining, by the software, that the SA is the hard life aging event when the second soft round number is 0 and the second hard round number is 0.
In one possible implementation, the apparatus further includes:
a configuration unit, configured to reconfigure SA information by the software, where the SA information includes at least one of a mutual authentication policy, a key mechanism, and a key.
In one possible implementation, the apparatus further includes:
a deleting unit, configured to delete, by the software, the security association database (SAD) table entry corresponding to the SA information.
For the operations performed by the soft and hard life aging control device and their advantageous effects, reference may be made to any one of the methods of the first aspect and their advantageous effects; details are not repeated here.
In a third aspect, the present application provides a soft and hard life aging control apparatus, where the soft and hard life aging control apparatus may be a network device, may also be an apparatus in the network device, or may be an apparatus capable of being used in cooperation with the network device. The soft-hard life aging control device may perform the method of any one of the first aspect. The functions of the soft-hard life aging control device can be realized by hardware, and can also be realized by executing corresponding software by hardware. The hardware or software includes one or more modules corresponding to the functions described above. The module may be software and/or hardware. The operations and advantageous effects executed by the soft and hard life aging control device can refer to any one of the methods and advantageous effects of the first aspect, and repeated details are not repeated.
In a fourth aspect, the present application provides a soft and hard life aging control apparatus comprising a processor, wherein when the processor calls a computer program in a memory, the method according to any one of the first aspect is performed.
In a fifth aspect, the present application provides a soft and hard life aging control device, which includes a processor and a memory, wherein the memory is used for storing a computer program; the processor is configured to execute the computer program stored in the memory to cause the soft-hard life aging control apparatus to perform the method according to any one of the first aspect.
In a sixth aspect, the present application provides a soft and hard life aging control device, which includes a processor, a memory, and a transceiver, where the transceiver is used to receive a channel or a signal or transmit a channel or a signal; the memory for storing a computer program; the processor is configured to invoke the computer program from the memory to perform the method according to any of the first aspects.
In a seventh aspect, the present application provides a soft and hard life aging control apparatus, which includes a processor and an interface circuit, where the interface circuit is configured to receive a computer program and transmit the computer program to the processor; the processor runs the computer program to perform the method according to any of the first aspects.
In an eighth aspect, the present application provides a computer readable storage medium for storing a computer program which, when executed, causes the method of any one of the first aspects to be carried out.
In a ninth aspect, the present application provides a computer program product comprising a computer program that, when executed, causes the method of any one of the first aspects to be carried out.
In a tenth aspect, an embodiment of the present application provides a soft and hard life aging control system, which includes at least one server and at least one network device, where the server is configured to perform the steps of any one of the first aspect.
Drawings
The drawings used in the embodiments of the present application are described below.
Fig. 1 is a schematic architecture diagram of a soft and hard life aging control system according to an embodiment of the present application;
fig. 2 is a flowchart of a soft-hard life aging control method provided in an embodiment of the present application;
fig. 3 is a flowchart of another soft and hard life aging control method according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a soft and hard life aging control device 400 according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a soft and hard life aging control apparatus 500 according to an embodiment of the present application.
Detailed Description
The embodiments of the present application will be described below with reference to the drawings.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a soft and hard life aging control system provided in an embodiment of the present application, where the system includes a network device 101, a client 102, hardware 103, and a server 104, where:
Network device 101 is a physical entity connected to the network. Network devices 101 are of various types; in a local area network, metropolitan area network, or wide area network, the network device physically usually includes network connection equipment such as a network card, hub, switch, router, network cable, or transmission medium. Network device 101 may include repeaters, bridges, routers, switches, and the like.
Optionally, the network device 101 may refer to one or more of a plurality of network devices in a broad sense, and when the network device 101 serves as one end, it may be referred to as a home network device, and a network device establishing communication connection with the home network device serves as the other end, it may be referred to as an opposite network device, where the home network device may establish an IPSec tunnel with the opposite network device, and the home network device may forward the received IPSec packet to the opposite network device based on the IPSec tunnel, that is, the home network device and the opposite network device are a pair of IPSec peers. Network device 101 may encrypt, decrypt, authenticate, etc. data packets in the IPSec tunnel and hardware registers in network device 101 may configure soft and hard lifetime counter values.
The client 102 is software installed on the network device 101, and can determine whether the IPSec SA has a soft lifetime aging event or a hard lifetime aging event by operating the client 102, and meanwhile cache a soft/hard lifetime aging threshold of 64 bits, and the like.
The hardware 103 is a system-on-chip installed in the network device 101, and the system-on-chip may include a processor for supporting the network device 101 to configure, compute, process, and the like soft and hard lifetime counter values in the hardware registers. The chip system may further include a memory for storing the SA information and various entries corresponding to the SA information. The chip system may be constituted by a chip, or may include a chip and other discrete devices.
The server 104 may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as a cloud service, a cloud database, cloud computing, a cloud function, cloud storage, a Network service, cloud communication, a middleware service, a domain name service, a security service, a Content Delivery Network (CDN), a big data and artificial intelligence platform, and the like. Server 104 provides computing or application services for network device 101, client 102, and hardware 103, and provides background services for data transmission in the IPSec tunnel.
Referring to fig. 2, fig. 2 is a flowchart of a method for controlling soft and hard life aging according to an embodiment of the present application, where the method includes, but is not limited to, the following steps:
s201: a first soft-hard lifetime counter value in a current hardware register is obtained by hardware.
The first soft and hard lifetime counter values include a first soft lifetime counter value and a first hard lifetime counter value.
In some embodiments, before obtaining, by hardware, the first soft-hard lifetime counter value in the current hardware register further comprises:
caching a soft and hard life aging threshold value through software; and configuring the soft and hard life counter value in the hardware register according to the soft and hard life aging threshold value through software. The soft and hard life aging threshold values comprise soft life aging threshold values and hard life aging threshold values, and the soft and hard life counter values comprise soft life counter values and hard life counter values.
Specifically, the network device receives an SA soft and hard life aging threshold configured by a user, and sends the soft and hard life aging threshold (hard _ life time and soft _ life time) of 64bit to the kernel protocol stack xfrm through a netlink message format by caching the soft and hard life aging threshold (hard _ life time and soft _ life time) of 64bit by software. And (3) registering xfrmdev _ ops through a network card driver, and configuring a soft and hard life counter value in a hardware register according to the range of a hard life aging threshold after a driver (software) acquires the soft and hard life aging threshold. The SA soft and hard life aging threshold configured by the user supports two aging modes, namely packet aging and byte aging.
Illustratively, after the 64-bit soft and hard life aging thresholds are cached by software, integer division and modulo operations are performed on the soft life aging threshold and on the hard life aging threshold respectively. Dividing hard_lifetime yields the hard round number hard_round, and taking hard_lifetime modulo yields the second modulus value b; dividing soft_lifetime yields the soft round number soft_round, and taking soft_lifetime modulo yields the first modulus value a. The specific formulas are as follows:
hard_round = hard_lifetime / 2^31, b = hard_lifetime % 2^31
soft_round = soft_lifetime / 2^31, a = soft_lifetime % 2^31
Then, the software configures the soft life counter value soft_lifeage_count and the hard life counter value hard_lifeage_count of the hardware register, taking the hard life aging threshold as the reference, which can be divided into the following two cases:
Case one: when the hard life aging threshold hard_lifetime is less than 2^32, the specific formulas for hard_lifeage_count and soft_lifeage_count are as follows:
hard_lifeage_count = hard_lifetime; soft_lifeage_count = hard_lifetime - soft_lifetime.
Case two: when the hard life aging threshold hard_lifetime is greater than or equal to 2^32, the specific formulas for hard_lifeage_count and soft_lifeage_count are as follows:
hard_lifeage_count = 2^31 + a; soft_lifeage_count = 2^31.
It should be noted that the soft and hard life counter values are 32-bit binary values.
In this embodiment, the user may configure soft and hard life aging thresholds larger than 2^32: the software records the 64-bit soft and hard life thresholds, while the hardware records only the 32-bit soft life counter value and the 32-bit hard life counter value, so that hardware resources are saved and the soft life aging event is still controlled accurately.
Further, after the soft and hard lifetime aging threshold and the soft and hard lifetime counter value are configured, the IPSec tunnel starts to be applied to transmission of the IPSec data packet, and when the IPSec packet is received/transmitted once, the first soft and hard lifetime counter value in the current hardware register is obtained by hardware, where the first soft and hard lifetime counter value may be equal to the configured soft and hard lifetime counter value or may not be equal to the configured soft and hard lifetime counter value, and a specific value needs to be processed according to an actual condition of the IPSec packet in the IPSec tunnel.
S202: when the first IPSec packet is successfully processed by hardware, the first hard lifetime counter value is self-decremented by hardware to obtain a second hard lifetime counter value.
Specifically, the IPSec packet is received/transmitted through the network card, and when the IPSec service processing module in the hardware successfully processes (for example, encrypts, decrypts, or authenticates) the first IPSec packet, the hardware decrements the first hard lifetime counter value in the hardware register to obtain a second hard lifetime counter value. Wherein, when the first IPSec packet is the first IPSec packet in an IPSec data stream, the first hard lifetime counter value is the hard lifetime counter value pre-configured according to the soft and hard lifetime aging thresholds; and when the first IPSec packet is any other IPSec data packet in the IPSec data stream, the first hard lifetime counter value is the current hard lifetime counter value in the hardware register at the time that IPSec data packet is successfully processed.
It should be noted that, when the SA soft and hard lifetime aging threshold configured by the user is based on the packet aging mode, the self-subtraction of the first hard lifetime counter value in the hardware register by the hardware is to subtract 1 from the first hard lifetime counter value, so as to obtain a second hard lifetime counter value; when the SA soft and hard lifetime aging threshold value configured by the user is based on a byte aging mode, the first hard lifetime counter value in the hardware register is subtracted by the number of bytes contained in the first IPSec packet through hardware self-subtraction to obtain a second hard lifetime counter value.
S203: and when the second hard life counter value is less than or equal to the first soft life counter value or the second hard life counter value is 0 or the first soft life counter value is 0, sending an interrupt instruction to the software through hardware.
Specifically, after the first hard life counter value is decremented by hardware to obtain the second hard life counter value, the hardware compares the hard life counter value in the current hardware register (the second hard life counter value) with the soft life counter value (the first soft life counter value). If the second hard life counter value in the current hardware register is less than or equal to the first soft life counter value, or the second hard life counter value is 0, or the first soft life counter value is 0, the hardware sends an interrupt instruction to the software, where the interrupt instruction is used by the software to judge whether a soft life aging event or a hard life aging event has occurred for the IPSec SA of the current IPSec tunnel.
S204: A first soft round number and a first hard round number of the current IPSec security association SA are acquired by software based on the interrupt instruction.
The above-mentioned IPSec SA is composed of a mutual authentication policy, a mechanism for defining security service key, and a key for protecting secure communication between both communication parties in the IPSec tunnel, and each SA provides unidirectional or single-connection security protection for the responsible IPSec communication. Each IPSec session requires two SAs, and if IPSec implements secure transmission of a data stream by two Security protocols, namely, Authentication Header (AH) and Encapsulation Security Payload (ESP), the IPSec sessions of both communication parties require four SAs. The soft and hard life aging threshold, the soft and hard life counter value and corresponding data are all stored in IPSec SA information.
Specifically, when receiving an interrupt instruction sent by hardware, software reads SA information in a hardware register, and obtains a soft and hard life aging threshold, a first soft round number, and a first hard round number in current IPSec SA information.
S205: When the first soft round number is 0, the SA is determined by software to be a soft life aging event; when the first soft round number is 0 and the first hard round number is 0, the SA is determined by software to be a hard life aging event.
Specifically, after the first soft round number and the first hard round number are obtained by software, it is judged whether a soft life aging event or a hard life aging event has occurred. When the first soft round number is 0, the software determines that a soft life aging event has occurred for the current IPSec SA; at this moment the software notifies the upper-layer strongSwan to renegotiate the IPSec tunnel, generate new SA information and reconfigure it, where the SA information comprises at least one of a mutual authentication policy, a key mechanism and a key. When the first soft round number is 0 and the first hard round number is 0, the software determines that a hard life aging event has occurred for the current IPSec SA; at this moment the software deletes the Security Association Database (SAD) entry, the Security Policy Database (SPD) entry and so on corresponding to the SA information, that is, deletes the current IPSec tunnel. The SAD includes the parameter information of each SA, and the SPD includes the security requirements, policy requirements and the like needed for SA establishment.
Further, when the first soft round number is not 0 and the first hard round number is not 0, the software subtracts 1 from the first soft round number to obtain a second soft round number, and subtracts 1 from the first hard round number to obtain a second hard round number; when the second hard round number is greater than 1, the software sets the highest bit of the second hard life counter value configured in the hardware register to 1 to obtain a third hard life counter value, where the second hard life counter value is a 32-bit binary value; when the second hard round number is equal to 1, the software operates on the first soft life counter value according to the first modulus value and the second modulus value.
In this embodiment, when neither the first soft round number nor the first hard round number is 0, the software determines that the IPSec SA has reached neither the soft life aging event nor the hard life aging event, and it must then determine whether the second hard round number is the last round. When the second hard round number is not the last round (greater than 1), the hard life aging event is not yet imminent and the highest bit of the second hard life counter value is set to 1; when the second hard round number is the last round (equal to 1), the hard life aging event is imminent and the first soft life counter value is operated on, thereby ensuring that the soft life aging event expires before the hard life aging event.
In some embodiments, operating on the first soft life counter value by the software according to the first modulus value and the second modulus value comprises:
when the second modulus value is greater than or equal to the first modulus value, modifying the first soft life counter value by software into a second soft life counter value, where the second soft life counter value = b - a, b is the second modulus value, and a is the first modulus value; or
when the second modulus value is smaller than the first modulus value, modifying the first soft life counter value by software into a second soft life counter value, where the second soft life counter value = b - a + 2^31, b is the second modulus value, and a is the first modulus value.
In some embodiments, when the second hard round number is greater than 1, after the third hard life counter value is obtained by setting the highest position of the second hard life counter value configured in the hardware register to 1 by software, the method further includes:
when the second IPSec packet is successfully processed through hardware, the third hard life counter value is subjected to self-subtraction through the hardware to obtain a fourth hard life counter value;
when the fourth hard life counter value is less than or equal to the first soft life counter value, sending an interrupt instruction to the software through hardware;
acquiring a second soft round number and a second hard round number of the current SA through software based on the interrupt instruction;
when the second soft round number is 0, determining the SA to be a soft life aging event through software; when the second soft round number is 0 and the second hard round number is 0, determining the SA to be a hard life aging event through software.
In this embodiment, the software has determined in the previous round that the IPSec SA has reached neither the soft life aging event nor the hard life aging event, and that the hard life aging event is not yet imminent. After the encryption/decryption or authentication of an IPSec packet through the IPSec tunnel succeeds again, the hardware compares the fourth hard lifetime counter value and the first soft lifetime counter value of this round; when the preset relationship is met, the hardware sends an interrupt instruction to the software, and after receiving the interrupt instruction the software determines whether the IPSec SA in this round has reached the soft life aging event or the hard life aging event, so as to perform the corresponding processing.
In some embodiments, when the second hard round number is equal to 1, after the operating, by the software, the first soft vital counter value according to the first modulus value and the second modulus value, the method further includes:
when the second IPSec packet is successfully processed through hardware, the second hard life counter value is subjected to self-subtraction through the hardware to obtain a fifth hard life counter value;
when the fifth hard life counter value is 0 or the second soft life counter value is 0, sending an interrupt instruction to the software through hardware;
acquiring a second soft round number and a second hard round number of the current SA through software based on the interrupt instruction;
when the second soft round number is 0, determining the SA to be a soft life aging event through software; when the second soft round number is 0 and the second hard round number is 0, determining the SA to be a hard life aging event through software.
In this embodiment, it is determined by software that the IPSec SA of the previous round is not due to the soft lifetime aging event or the hard lifetime aging event, and the hard lifetime aging event is about to expire, and after the encryption/decryption authentication of the IPSec packet through the IPSec tunnel is successful again, it is determined by hardware whether the fifth hard lifetime counter value or the second soft lifetime counter value of the current round is 0, and when the fifth hard lifetime counter value is 0 or the second soft lifetime counter value is 0, the hardware sends an interrupt instruction to the software, and after receiving the interrupt instruction, the software determines whether the IPSec SA of the current round is due to the soft lifetime aging event or the hard lifetime aging event, so as to perform corresponding processing.
Referring to fig. 3, fig. 3 is a flowchart of a method for controlling soft and hard life aging according to an embodiment of the present application, where the method includes, but is not limited to, the following steps:
S301: A first soft-hard lifetime counter value in a current hardware register is obtained by hardware.
S302: when the first IPSec packet is successfully processed by hardware, the first hard lifetime counter value is self-decremented by hardware to obtain a second hard lifetime counter value.
S303: and when the second hard life counter value is less than or equal to the first soft life counter value or the second hard life counter value is 0 or the first soft life counter value is 0, sending an interrupt instruction to the software through hardware.
S304: A first soft round number and a first hard round number of the current IPSec security association SA are acquired by software based on the interrupt instruction.
S305: Judge whether the first soft round number is 0. If the first soft round number is 0, execute S306; if the first soft round number is not 0, execute S309.
S306: The SA is determined by the software to be a soft life aging event.
S307: Judge whether the first hard round number is 0. If the first hard round number is 0, execute S308; if the first hard round number is not 0, execute S309.
S308: The SA is determined by the software to be a hard life aging event.
S309: Subtract 1 from the first soft round number by software to obtain a second soft round number, and subtract 1 from the first hard round number to obtain a second hard round number.
S310: Judge whether the second hard round number is greater than 1. If the second hard round number is greater than 1, execute S311; if the second hard round number is not greater than 1, execute S312.
S311: Set the highest bit of the second hard life counter value configured in the hardware register to 1 by software to obtain a third hard life counter value.
S312: Judge whether the second hard round number is equal to 1. If the second hard round number is equal to 1, execute S313.
S313: Judge whether the second modulus value is greater than or equal to the first modulus value. If the second modulus value is greater than or equal to the first modulus value, execute S314; if the second modulus value is smaller than the first modulus value, execute S315.
S314: The first soft life counter value is modified by software to a second soft life counter value, where the second soft life counter value = b - a. Jump to S301 and execute S301.
Wherein b is the second modulus value, and a is the first modulus value.
S315: The first soft life counter value is modified by software to a second soft life counter value, where the second soft life counter value = b - a + 2^31. Jump to S301 and execute S301.
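As an added illustration (not code from the patent), the following C simulates the threshold split of the configuration step, the hardware decrement-and-compare of S202/S203, and the software interrupt handler of S304 to S315. Struct and function names are my own; that the hardware counter saturates at 0 rather than wrapping is an assumption, and the sample lifetimes are constructed.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define HALF_RANGE (1ULL << 31)   /* 2^31: one "round" of the 32-bit hardware counter */
#define FULL_RANGE (1ULL << 32)   /* 2^32: the most a 32-bit counter can hold */

enum aging_mode  { AGING_PACKET, AGING_BYTE };
enum aging_event { AGING_NONE, AGING_SOFT, AGING_HARD };

/* Software-side SA state (hypothetical layout): 64-bit thresholds plus rounds and moduli. */
struct sa_soft {
    uint64_t hard_lifetime, soft_lifetime;
    uint64_t hard_round, soft_round;   /* hard_lifetime / 2^31, soft_lifetime / 2^31 */
    uint32_t a, b;                     /* soft_lifetime % 2^31, hard_lifetime % 2^31 */
    enum aging_mode mode;
};

/* Hardware register pair: both counters are 32-bit. */
struct hw_regs { uint32_t hard_count, soft_count; };

/* Configuration (before S201): derive rounds/moduli in software, load the two registers. */
void sa_configure(struct sa_soft *sa, struct hw_regs *hw,
                  uint64_t hard_lifetime, uint64_t soft_lifetime, enum aging_mode mode)
{
    sa->hard_lifetime = hard_lifetime;  sa->soft_lifetime = soft_lifetime;  sa->mode = mode;
    sa->hard_round = hard_lifetime / HALF_RANGE;  sa->b = (uint32_t)(hard_lifetime % HALF_RANGE);
    sa->soft_round = soft_lifetime / HALF_RANGE;  sa->a = (uint32_t)(soft_lifetime % HALF_RANGE);
    if (hard_lifetime < FULL_RANGE) {             /* case one: fits in 32 bits */
        hw->hard_count = (uint32_t)hard_lifetime;
        hw->soft_count = (uint32_t)(hard_lifetime - soft_lifetime);
    } else {                                      /* case two: hardware sees 2^31 + a first */
        hw->hard_count = (uint32_t)(HALF_RANGE + sa->a);
        hw->soft_count = (uint32_t)HALF_RANGE;
    }
}

/* Hardware side (S202/S203): one successfully processed packet; true when the interrupt
 * to software would be raised. Saturating at 0 instead of wrapping is an assumption. */
bool hw_on_packet(struct hw_regs *hw, enum aging_mode mode, uint32_t packet_bytes)
{
    uint32_t cost = (mode == AGING_PACKET) ? 1u : packet_bytes;
    hw->hard_count = (hw->hard_count > cost) ? hw->hard_count - cost : 0u;
    return hw->hard_count <= hw->soft_count || hw->hard_count == 0 || hw->soft_count == 0;
}

/* S313 to S315: soft counter for the last round, from the two moduli. */
uint32_t last_round_soft_count(uint32_t a, uint32_t b)
{
    return (b >= a) ? b - a : (uint32_t)(HALF_RANGE + b - a);
}

/* Software side (S304 to S315): the interrupt handler. */
enum aging_event sw_on_interrupt(struct sa_soft *sa, struct hw_regs *hw)
{
    if (sa->soft_round == 0)                         /* S305..S308 */
        return (sa->hard_round == 0) ? AGING_HARD : AGING_SOFT;
    if (sa->hard_round == 0)
        return AGING_NONE;   /* unreachable while soft_lifetime <= hard_lifetime */
    sa->soft_round--;  sa->hard_round--;             /* S309 */
    if (sa->hard_round > 1)                          /* S310/S311: set the MSB */
        hw->hard_count |= (uint32_t)HALF_RANGE;
    else if (sa->hard_round == 1)                    /* S312..S315: last round */
        hw->soft_count = last_round_soft_count(sa->a, sa->b);
    return AGING_NONE;
}

/* Self-check over constructed inputs; true when every step behaves as described above. */
bool run_scenarios(void)
{
    struct sa_soft sa;  struct hw_regs hw;
    sa_configure(&sa, &hw, 100, 60, AGING_PACKET);          /* case one */
    if (hw.hard_count != 100 || hw.soft_count != 40) return false;
    for (int i = 0; i < 59; i++)
        if (hw_on_packet(&hw, sa.mode, 0)) return false;    /* no interrupt before 60 packets */
    if (!hw_on_packet(&hw, sa.mode, 0)) return false;       /* 60th packet = soft lifetime */
    sa_configure(&sa, &hw, 3000, 1000, AGING_BYTE);         /* byte aging: 3000 - 1500 <= 2000 */
    if (!hw_on_packet(&hw, sa.mode, 1500)) return false;
    sa_configure(&sa, &hw, 5 * HALF_RANGE + 1000, 3 * HALF_RANGE + 500, AGING_PACKET); /* case two */
    if (sa.hard_round != 5 || sa.b != 1000 || sa.soft_round != 3 || sa.a != 500) return false;
    if (hw.hard_count != (uint32_t)HALF_RANGE + 500 || hw.soft_count != (uint32_t)HALF_RANGE) return false;
    for (int i = 0; i < 499; i++)
        if (hw_on_packet(&hw, sa.mode, 0)) return false;
    if (!hw_on_packet(&hw, sa.mode, 0)) return false;       /* interrupt after a = 500 packets */
    if (sw_on_interrupt(&sa, &hw) != AGING_NONE || sa.hard_round != 4 || sa.soft_round != 2) return false;
    sa.hard_round = 2;  sa.soft_round = 1;                  /* force the last round */
    if (sw_on_interrupt(&sa, &hw) != AGING_NONE || hw.soft_count != 500) return false;
    sa.hard_round = 0;  sa.soft_round = 0;                  /* both exhausted */
    return sw_on_interrupt(&sa, &hw) == AGING_HARD;
}

int main(void)
{
    printf("scenarios %s\n", run_scenarios() ? "ok" : "FAILED");
    return run_scenarios() ? 0 : 1;
}
```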
The method of the embodiments of the present application is set forth above in detail and the apparatus of the embodiments of the present application is provided below.
Referring to fig. 4, fig. 4 is a schematic structural diagram of a soft and hard life aging control apparatus 400 according to an embodiment of the present application, and the apparatus includes an obtaining unit 401, a calculating unit 402, a sending unit 403, a determining unit 404, a configuring unit 405, and a deleting unit 406, where details of each unit are described below.
An obtaining unit 401, configured to obtain, through hardware, a first soft-hard lifetime counter value in a current hardware register, where the first soft-hard lifetime counter value includes a first soft lifetime counter value and a first hard lifetime counter value;
a calculating unit 402, configured to, when the hardware successfully processes the first internet security protocol IPSec packet, perform self-subtraction on the first hard lifetime counter value by the hardware to obtain a second hard lifetime counter value;
a sending unit 403, configured to send an interrupt instruction to software through the hardware when the second hard lifetime counter value is less than or equal to the first soft lifetime counter value, or the second hard lifetime counter value is 0, or the first soft lifetime counter value is 0;
the obtaining unit 401 is configured to obtain, by the software, a first soft round number and a first hard round number of the current IPSec security association SA based on the interrupt instruction;
a determining unit 404, configured to determine, by the software, that the SA is a soft life aging event when the first soft round number is 0; determining, by the software, that the SA is a hard life aging event when the first soft round number is 0 and the first hard round number is 0.
In a possible implementation manner, the computing unit 402 is further configured to:
when the first soft round number is not 0 and the first hard round number is not 0, subtracting 1 from the first soft round number through the software to obtain a second soft round number, and subtracting 1 from the first hard round number to obtain a second hard round number;
when the second hard round number is larger than 1, setting the highest position of the second hard life counter value configured in the hardware register to be 1 through the software to obtain a third hard life counter value, wherein the second hard life counter value is a 32-bit binary number value;
and when the second hard round number is equal to 1, operating the first soft life counter value according to a first modulus value and a second modulus value through the software, wherein the first modulus value is obtained by performing modulus operation on a pre-configured soft life aging threshold through the software, and the second modulus value is obtained by performing modulus operation on a pre-configured hard life aging threshold through the software.
In a possible implementation manner, the computing unit 402 is specifically configured to:
when the second modulus value is greater than or equal to the first modulus value, modifying the first soft life counter value into a second soft life counter value through the software, where the second soft life counter value = b - a, b is the second modulus value, and a is the first modulus value; or
when the second modulus value is less than the first modulus value, modifying the first soft life counter value into a second soft life counter value through the software, where the second soft life counter value = b - a + 2^31, b is the second modulus value, and a is the first modulus value.
In a possible implementation manner, the calculating unit 402 is further configured to, when the second internet security protocol IPSec packet is successfully processed by the hardware, self-decrement the third hard lifetime counter value by the hardware to obtain a fourth hard lifetime counter value;
the sending unit 403 is further configured to send, by the hardware, the interrupt instruction to the software when the fourth hard lifetime counter value is less than or equal to the first soft lifetime counter value;
the obtaining unit 401 is further configured to obtain, by the software, the second soft round number and the second hard round number of the current SA based on the interrupt instruction;
the determining unit 404 is further configured to determine, by the software, that the SA is the soft life aging event when the second soft round number is 0; determining, by the software, that the SA is the hard life aging event when the second soft round number is 0 and the second hard round number is 0.
In a possible implementation manner, the calculating unit 402 is further configured to, when the second internet security protocol IPSec packet is successfully processed by the hardware, obtain a fifth hard lifetime counter value by self-decreasing the second hard lifetime counter value by the hardware;
the sending unit 403 is further configured to send the interrupt instruction to the software through the hardware when the fifth hard lifetime counter value is 0 or the second soft lifetime counter value is 0;
the obtaining unit 401 is further configured to obtain, by the software, the second soft round number and the second hard round number of the current SA based on the interrupt instruction;
the determining unit 404 is further configured to determine, by the software, that the SA is the soft life aging event when the second soft round number is 0; determining, by the software, that the SA is the hard life aging event when the second soft round number is 0 and the second hard round number is 0.
In a possible implementation manner, the configuring unit 405 is configured to reconfigure, by the software, SA information, where the SA information includes at least one of a mutual authentication policy, a key mechanism, and a key.
In a possible implementation manner, the deleting unit 406 is configured to delete the security association database SAD entry corresponding to the SA information through the software.
It should be noted that the implementation and beneficial effects of each unit can also correspond to the corresponding descriptions of the method embodiments shown in fig. 2 or fig. 3.
Referring to fig. 5, fig. 5 is a schematic structural diagram of a soft and hard life aging control apparatus 500 according to an embodiment of the present application, where the apparatus 500 includes a processor 501, a transceiver 503, and optionally a memory 502, and the processor 501, the memory 502, and the transceiver 503 are connected to each other through a bus 504.
The memory 502 includes, but is not limited to, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM), or a portable read-only memory (CD-ROM), and the memory 502 is used for related instructions and data. The transceiver 503 is used to obtain the message classification rules and routing rules configured by software.
The processor 501 may be one or more Central Processing Units (CPUs), and in the case that the processor 501 is one CPU, the CPU may be a single-core CPU or a multi-core CPU.
The processor 501 in the apparatus 500 reads the program code stored in the memory 502 for performing the following operations:
acquiring a first soft and hard life counter value in a current hardware register through hardware, wherein the first soft and hard life counter value comprises a first soft life counter value and a first hard life counter value;
when the hardware successfully processes the first internet security protocol IPSec packet, the hardware subtracts the first hard life counter value to obtain a second hard life counter value;
when the second hard life counter value is less than or equal to the first soft life counter value, or the second hard life counter value is 0, or the first soft life counter value is 0, sending an interrupt instruction to software through the hardware;
based on the interrupt instruction, acquiring a first soft round number and a first hard round number of the current IPSec security association SA through the software;
determining, by the software, that the SA is a soft life aging event when the first soft round number is 0; determining, by the software, that the SA is a hard life aging event when the first soft round number is 0 and the first hard round number is 0.
Optionally, the processor 501 is further configured to, when the first soft round number is not 0 and the first hard round number is not 0, subtract 1 from the first soft round number by the software to obtain a second soft round number and subtract 1 from the first hard round number to obtain a second hard round number; when the second hard round number is greater than 1, set the highest bit of the second hard life counter value configured in the hardware register to 1 through the software to obtain a third hard life counter value, where the second hard life counter value is a 32-bit binary value; and when the second hard round number is equal to 1, operate on the first soft life counter value according to a first modulus value and a second modulus value through the software, where the first modulus value is obtained by performing a modulo operation on the pre-configured soft life aging threshold through the software, and the second modulus value is obtained by performing a modulo operation on the pre-configured hard life aging threshold through the software.
Optionally, the processor 501 is further configured to modify, by the software, the first soft life counter value into a second soft life counter value when the second modulus value is greater than or equal to the first modulus value, where the second soft life counter value = b - a, b is the second modulus value, and a is the first modulus value; or
modify, by the software, the first soft life counter value into a second soft life counter value when the second modulus value is less than the first modulus value, where the second soft life counter value = b - a + 2^31, b is the second modulus value, and a is the first modulus value.
Optionally, the processor 501 is further configured to, when the hardware successfully processes the second internet security protocol IPSec packet, obtain a fourth hard lifetime counter value by subtracting the third hard lifetime counter value from the hardware; when the fourth hard lifetime counter value is less than or equal to the first soft lifetime counter value, sending the interrupt instruction to the software through the hardware; acquiring the second soft wheel number and the second hard wheel number of the current SA by the software based on the interrupt instruction; determining, by the software, that the SA is the soft life aging event when the second soft round number is 0; determining, by the software, that the SA is the hard life aging event when the second soft round number is 0 and the second hard round number is 0.
Optionally, the processor 501 is further configured to, when the hardware successfully processes the second internet security protocol IPSec packet, obtain a fifth hard lifetime counter value by subtracting the second hard lifetime counter value from the hardware; when the fifth hard life counter value is 0 or the second soft life counter value is 0, sending the interrupt instruction to the software through the hardware; acquiring the second soft wheel number and the second hard wheel number of the current SA by the software based on the interrupt instruction; determining, by the software, that the SA is the soft life aging event when the second soft round number is 0; determining, by the software, that the SA is the hard life aging event when the second soft round number is 0 and the second hard round number is 0.
Optionally, the processor 501 is further configured to reconfigure, by the software, SA information, where the SA information includes at least one of a mutual authentication policy, a key mechanism, and a key.
Optionally, the processor 501 is further configured to delete the security association database SAD entry corresponding to the SA information through the software.
It should be noted that the implementation and beneficial effects of the respective operations may also correspond to the corresponding descriptions of the method embodiments shown in fig. 2 or fig. 3.
The embodiment of the present application further provides a chip, where the chip is the hardware in the soft and hard life aging control apparatus and is used to support a network device in implementing the functions related to any of the above embodiments. In one possible design, the chip may also be a chip system, which may include the chip and other discrete devices.
It should be understood that one of the above described soft and hard lifetime aging control devices may be a Field Programmable Gate Array (FPGA), an Application Specific Integrated Circuit (ASIC), a system on chip (SoC), a Network Processor (NP), or other integrated chips.
The embodiment of the application also provides a soft and hard life aging control device which comprises a processor and an interface. The processor may be adapted to perform the method of the above-described method embodiments.
In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in a processor or by instructions in the form of software. The steps of a method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware processor, or may be implemented by a combination of hardware and software modules in a processor. The software module may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM, EPROM, or registers. The storage medium is located in a memory, and a processor reads the information in the memory and completes the steps of the method in combination with its hardware. To avoid repetition, this is not described in detail here.
It should be noted that the processor in the embodiments of the present application may be an integrated circuit chip having signal processing capability. In implementation, the steps of the above method embodiments may be performed by integrated logic circuits of hardware in a processor or by instructions in the form of software. The processor described above may be a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components. The various methods, steps, and logic blocks disclosed in the embodiments of the present application may be implemented or performed by it. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM, EPROM, or registers. The storage medium is located in a memory, and a processor reads the information in the memory and completes the steps of the method in combination with its hardware.
According to the method provided by the embodiment of the present application, the present application further provides a computer program product, which includes: computer program, which, when run on a computer, causes the computer to perform the method of any of the embodiments shown in fig. 2 or fig. 3.
According to the method provided by the embodiment of the present application, a computer-readable medium is also provided, which stores a computer program, and when the computer program runs on a computer, the computer is caused to execute the method of any one of the embodiments shown in fig. 2 or fig. 3.
According to the method provided by the embodiments of the application, a soft and hard life aging control system is also provided, which comprises the one or more servers and the one or more network devices described above.
The above embodiments, when implemented using software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the application are produced, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored on a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wirelessly (e.g., infrared, radio, microwave). The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or data center, that incorporates one or more available media. The available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a Digital Video Disc (DVD)), or a semiconductor medium (e.g., a Solid State Disk (SSD)), among others.
Those of ordinary skill in the art will appreciate that the various illustrative logical blocks and steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the technical solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (15)

1. A soft and hard life aging control method is characterized by comprising the following steps:
acquiring a first soft and hard life counter value in a current hardware register through hardware, wherein the first soft and hard life counter value comprises a first soft life counter value and a first hard life counter value;
when the hardware successfully processes a first Internet security protocol (IPSec) packet, the hardware decrements the first hard life counter value to obtain a second hard life counter value;
when the second hard life counter value is less than or equal to the first soft life counter value, or the second hard life counter value is 0, or the first soft life counter value is 0, sending an interrupt instruction to software through the hardware;
acquiring, by the software and based on the interrupt instruction, a first soft round number and a first hard round number of the current IPSec security association (SA);
determining, by the software, that the SA is a soft life aging event when the first soft round number is 0; determining, by the software, that the SA is a hard life aging event when the first soft round number is 0 and the first hard round number is 0;
when the first soft round number is not 0 and the first hard round number is not 0, subtracting 1 from the first soft round number by the software to obtain a second soft round number, and subtracting 1 from the first hard round number to obtain a second hard round number;
when the second hard round number is greater than 1, setting, by the software, the highest bit of the second hard life counter value configured in the hardware register to 1 to obtain a third hard life counter value, wherein the second hard life counter value is a 32-bit binary value;
and when the second hard round number is equal to 1, operating, by the software, on the first soft life counter value according to a first modulus value and a second modulus value, wherein the first modulus value is obtained by the software performing a modulus operation on a pre-configured soft life aging threshold, and the second modulus value is obtained by the software performing a modulus operation on a pre-configured hard life aging threshold.
2. The method of claim 1, wherein the operating, by the software, on the first soft life counter value according to a first modulus value and a second modulus value comprises:
when the second modulus value is greater than or equal to the first modulus value, modifying, by the software, the first soft life counter value into a second soft life counter value, wherein the second soft life counter value = b - a, b is the second modulus value, and a is the first modulus value; or
when the second modulus value is less than the first modulus value, modifying, by the software, the first soft life counter value into a second soft life counter value, wherein the second soft life counter value = b - a + 2^31, b is the second modulus value, and a is the first modulus value.
3. The method according to claim 1 or 2, characterized in that the method further comprises:
when the hardware successfully processes a second Internet security protocol (IPSec) packet, the hardware decrements the third hard life counter value to obtain a fourth hard life counter value;
when the fourth hard lifetime counter value is less than or equal to the first soft lifetime counter value, sending the interrupt instruction to the software through the hardware;
acquiring the second soft wheel number and the second hard wheel number of the current SA by the software based on the interrupt instruction;
determining, by the software, that the SA is the soft life aging event when the second soft round number is 0; determining, by the software, that the SA is the hard life aging event when the second soft round number is 0 and the second hard round number is 0.
4. The method according to claim 1 or 2, characterized in that the method further comprises:
when the hardware successfully processes a second Internet security protocol (IPSec) packet, the hardware decrements the second hard life counter value to obtain a fifth hard life counter value;
when the fifth hard life counter value is 0 or the second soft life counter value is 0, sending the interrupt instruction to the software through the hardware;
acquiring the second soft wheel number and the second hard wheel number of the current SA by the software based on the interrupt instruction;
determining, by the software, that the SA is the soft life aging event when the second soft round number is 0; determining, by the software, that the SA is the hard life aging event when the second soft round number is 0 and the second hard round number is 0.
5. The method of claim 1, wherein after the determining, by the software, that the SA is a soft life aging event, the method further comprises:
reconfiguring, by the software, SA information, wherein the SA information comprises at least one of a mutual authentication policy, a key mechanism, and a key.
6. The method of claim 1, wherein after the determining, by the software, that the SA is a hard life aging event, the method further comprises:
deleting, by the software, the security association database (SAD) entry corresponding to the SA information.
7. A soft and hard life aging control apparatus, comprising:
an obtaining unit, configured to obtain, by hardware, a first soft and hard life counter value in a current hardware register, wherein the first soft and hard life counter value comprises a first soft life counter value and a first hard life counter value;
a computing unit, configured to obtain, by the hardware, a second hard life counter value by decrementing the first hard life counter value when the hardware successfully processes a first Internet security protocol (IPSec) packet;
a sending unit, configured to send an interrupt instruction to software through the hardware when the second hard lifetime counter value is less than or equal to the first soft lifetime counter value, or the second hard lifetime counter value is 0, or the first soft lifetime counter value is 0;
the obtaining unit is configured to obtain, by the software, a first soft round number and a first hard round number of the current IPSec security association SA based on the interrupt instruction;
a determining unit, configured to determine, by the software, that the SA is a soft life aging event when the first soft round number is 0; determining, by the software, that the SA is a hard life aging event when the first soft round number is 0 and the first hard round number is 0;
the computing unit is further configured to: when the first soft round number is not 0 and the first hard round number is not 0, subtract 1 from the first soft round number by the software to obtain a second soft round number and subtract 1 from the first hard round number to obtain a second hard round number; when the second hard round number is greater than 1, set, by the software, the highest bit of the second hard life counter value configured in the hardware register to 1 to obtain a third hard life counter value, wherein the second hard life counter value is a 32-bit binary value; and when the second hard round number is equal to 1, operate, by the software, on the first soft life counter value according to a first modulus value and a second modulus value, wherein the first modulus value is obtained by the software performing a modulus operation on a pre-configured soft life aging threshold, and the second modulus value is obtained by the software performing a modulus operation on a pre-configured hard life aging threshold.
8. The apparatus according to claim 7, wherein the computing unit is specifically configured to:
when the second modulus value is greater than or equal to the first modulus value, modify, by the software, the first soft life counter value into a second soft life counter value, wherein the second soft life counter value = b - a, b is the second modulus value, and a is the first modulus value; or
when the second modulus value is less than the first modulus value, modify, by the software, the first soft life counter value into a second soft life counter value, wherein the second soft life counter value = b - a + 2^31, b is the second modulus value, and a is the first modulus value.
9. The apparatus according to claim 7 or 8,
the computing unit is further configured to, when the hardware successfully processes a second Internet security protocol (IPSec) packet, obtain a fourth hard life counter value by decrementing, by the hardware, the third hard life counter value;
the sending unit is further configured to send the interrupt instruction to the software through the hardware when the fourth hard lifetime counter value is less than or equal to the first soft lifetime counter value;
the obtaining unit is further configured to obtain, by the software, the second soft round number and the second hard round number of the current SA based on the interrupt instruction;
the determining unit is further configured to determine, by the software, that the SA is the soft life aging event when the second soft round number is 0; determining, by the software, that the SA is the hard life aging event when the second soft round number is 0 and the second hard round number is 0.
10. The apparatus of claim 7 or 8,
the computing unit is further configured to, when the hardware successfully processes a second Internet security protocol (IPSec) packet, obtain a fifth hard life counter value by decrementing, by the hardware, the second hard life counter value;
the sending unit is further configured to send the interrupt instruction to the software through the hardware when the fifth hard lifetime counter value is 0 or the second soft lifetime counter value is 0;
the obtaining unit is further configured to obtain, by the software, the second soft round number and the second hard round number of the current SA based on the interrupt instruction;
the determining unit is further configured to determine, by the software, that the SA is the soft life aging event when the second soft round number is 0; determining, by the software, that the SA is the hard life aging event when the second soft round number is 0 and the second hard round number is 0.
11. The apparatus of claim 7, further comprising:
a configuration unit, configured to reconfigure SA information by the software, where the SA information includes at least one of a mutual authentication policy, a key mechanism, and a key.
12. The apparatus of claim 7, further comprising:
a deleting unit, configured to delete, by the software, the security association database (SAD) entry corresponding to the SA information.
13. A soft-hard life aging control apparatus, comprising a processor and a memory, the memory being configured to store a computer program, the processor being configured to invoke the computer program to perform the method of any one of claims 1 to 6.
14. A chip, characterized in that the chip is hardware within a soft-hard life-aging control device, and when the chip is running on the soft-hard life-aging control device, the method of any one of claims 1-6 is performed.
15. A computer-readable storage medium for storing a computer program which, when run on a computer, causes the computer to perform the method of any one of claims 1-6.
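The counter and round scheme of claims 1 to 6, as an added Python simulation that is not part of the patent or of any product of the applicant. The claims do not say how the hardware registers are first loaded, how a round number is derived from a configured threshold, or whether the hard counter wraps or stops at zero; the 2^31-packet round (taken from the modulus in claim 2), saturation at zero, the `sa_from_thresholds` derivation and the register values in `demo()` are assumptions made here for illustration.

```python
"""Simulation of the soft/hard lifetime scheme in claims 1 to 6.

Constructed example (not the patent's own code): the hardware/software split,
the derivation of round numbers from a threshold, counter saturation at zero
and the initial register values in demo() are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

MSB32 = 1 << 31   # highest bit of the 32-bit hard life counter register (claim 1)
ROUND = 1 << 31   # modulus used to derive a and b in claim 2


@dataclass
class HwRegister:
    """Hardware side: soft and hard life counters of one IPsec SA."""
    soft_counter: int
    hard_counter: int

    def interrupt_pending(self) -> bool:
        """Interrupt condition of claim 1."""
        return (self.hard_counter <= self.soft_counter
                or self.hard_counter == 0
                or self.soft_counter == 0)


@dataclass
class SaState:
    """Software side: round numbers and configured thresholds of one SA."""
    soft_rounds: int
    hard_rounds: int
    soft_threshold: int   # pre-configured soft life aging threshold (packets)
    hard_threshold: int   # pre-configured hard life aging threshold (packets)
    events: List[str] = field(default_factory=list)


def sa_from_thresholds(soft_threshold: int, hard_threshold: int) -> SaState:
    """Assumption: a round number counts the full 2^31-packet rounds of a threshold."""
    return SaState(soft_threshold // ROUND, hard_threshold // ROUND,
                   soft_threshold, hard_threshold)


def last_round_soft_counter(soft_threshold: int, hard_threshold: int) -> int:
    """Claim 2: a = soft threshold mod 2^31, b = hard threshold mod 2^31;
    new soft counter = b - a, or b - a + 2^31 when b < a (keeps it non-negative)."""
    a = soft_threshold % ROUND
    b = hard_threshold % ROUND
    return b - a if b >= a else b - a + ROUND


def hw_packet_done(reg: HwRegister) -> bool:
    """Hardware: one IPsec packet processed successfully, so the hard counter is
    decremented. Returns True when the hardware now raises the interrupt.
    Assumption: the counter saturates at 0 instead of wrapping."""
    reg.hard_counter = max(reg.hard_counter - 1, 0)
    return reg.interrupt_pending()


def hw_run_until_interrupt(reg: HwRegister) -> int:
    """Closed form of repeated hw_packet_done(): process packets until the interrupt
    fires and return how many were processed (stepping a 2^31-packet round one
    packet at a time would be far too slow)."""
    if reg.soft_counter == 0 or reg.hard_counter <= reg.soft_counter:
        hw_packet_done(reg)                   # the very next packet fires it
        return 1
    n = reg.hard_counter - reg.soft_counter   # packets until hard == soft
    reg.hard_counter -= n
    return n


def sw_on_interrupt(reg: HwRegister, sa: SaState) -> str:
    """Software interrupt handler following claims 1, 5 and 6."""
    if sa.soft_rounds == 0:
        # Both round numbers exhausted: hard aging, the SAD entry is deleted (claim 6).
        # Only the soft round number exhausted: soft aging, the SA is rekeyed (claim 5).
        event = "hard_life_aging" if sa.hard_rounds == 0 else "soft_life_aging"
        sa.events.append(event)
        return event
    # Assumption: soft_rounds > 0 with hard_rounds == 0 cannot occur (soft <= hard).
    sa.soft_rounds -= 1
    sa.hard_rounds -= 1
    if sa.hard_rounds > 1:
        reg.hard_counter |= MSB32             # grant the hardware another full round
    elif sa.hard_rounds == 1:
        reg.soft_counter = last_round_soft_counter(sa.soft_threshold, sa.hard_threshold)
    return "continue"


def run_until_aging(reg: HwRegister, sa: SaState, max_interrupts: int = 16) -> Tuple[str, int]:
    """Alternate hardware and software until an aging event; returns (event, packets)."""
    total = 0
    for _ in range(max_interrupts):
        total += hw_run_until_interrupt(reg)
        event = sw_on_interrupt(reg, sa)
        if event != "continue":
            return event, total
    raise RuntimeError("no aging event within max_interrupts")


def demo() -> Tuple[str, int, HwRegister]:
    """Constructed scenario: soft threshold = 2 rounds + 100 packets,
    hard threshold = 3 rounds + 300 packets, registers loaded with small values."""
    sa = sa_from_thresholds(2 * ROUND + 100, 3 * ROUND + 300)
    reg = HwRegister(soft_counter=50, hard_counter=60)
    event, packets = run_until_aging(reg, sa)
    return event, packets, reg


if __name__ == "__main__":
    print(demo())
```

The point of the scheme, as simulated here, is that a 32-bit hardware register can enforce a lifetime far larger than 2^32 packets while software only runs once per 2^31-packet round (setting the highest bit) plus once in the final round (loading the soft counter from the claim 2 formula), instead of sitting in the per-packet path. The defensive caveat that follows from the model is that every interrupt is load-bearing: if software misses or mishandles one, the hardware counter is never topped up or the soft counter is never recomputed, so an SA may be rekeyed late or, in the worst case, keep passing traffic past its hard threshold. A monitor that compares the SA's cumulative packet count against the configured hard threshold is the obvious independent check.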
CN202210437397.5A 2022-04-25 2022-04-25 Soft and hard life aging control method and device Active CN114553602B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202210821813.1A CN115150179B (en) 2022-04-25 2022-04-25 Soft and hard life aging control method and related device, chip, medium and program
CN202210437397.5A CN114553602B (en) 2022-04-25 2022-04-25 Soft and hard life aging control method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210437397.5A CN114553602B (en) 2022-04-25 2022-04-25 Soft and hard life aging control method and device

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN202210821813.1A Division CN115150179B (en) 2022-04-25 2022-04-25 Soft and hard life aging control method and related device, chip, medium and program

Publications (2)

Publication Number Publication Date
CN114553602A CN114553602A (en) 2022-05-27
CN114553602B true CN114553602B (en) 2022-07-29

Family

ID=81666692

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202210821813.1A Active CN115150179B (en) 2022-04-25 2022-04-25 Soft and hard life aging control method and related device, chip, medium and program
CN202210437397.5A Active CN114553602B (en) 2022-04-25 2022-04-25 Soft and hard life aging control method and device

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN202210821813.1A Active CN115150179B (en) 2022-04-25 2022-04-25 Soft and hard life aging control method and related device, chip, medium and program

Country Status (1)

Country Link
CN (2) CN115150179B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101355570A (en) * 2008-09-19 2009-01-28 杭州华三通信技术有限公司 Control method and control device for reporting aging information
CN113438094A (en) * 2020-03-23 2021-09-24 华为技术有限公司 Method and equipment for automatically updating manually configured IPSec SA

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8260708B2 (en) * 2009-04-17 2012-09-04 Empire Technology Development Llc Usage metering based upon hardware aging
US8599845B2 (en) * 2010-04-07 2013-12-03 Fujitsu Limited Software-assisted VLAN aging timer scheme for distributed switching systems
US20120221884A1 (en) * 2011-02-28 2012-08-30 Carter Nicholas P Error management across hardware and software layers
CN105407073A (en) * 2014-09-10 2016-03-16 中兴通讯股份有限公司 Flow table aging method, equipment and system based on OpenFlow protocol
CN108989107A (en) * 2018-07-17 2018-12-11 北京中科网威信息技术有限公司 A kind of the statistics adjustment method and device of the network interface card transmitting-receiving message based on Shen prestige framework
CN109271306A (en) * 2018-09-30 2019-01-25 深圳中广核工程设计有限公司 Life test method, device, equipment and medium based on direct fault location
CN112463183A (en) * 2019-09-06 2021-03-09 西安诺瓦星云科技股份有限公司 Display control card aging detection method, device and system and computer readable medium
CN113051082A (en) * 2021-03-02 2021-06-29 长沙景嘉微电子股份有限公司 Software and hardware data synchronization method and device, electronic equipment and storage medium
CN113507415B (en) * 2021-05-31 2022-11-18 新华三信息安全技术有限公司 Table item processing method and device

Also Published As

Publication number Publication date
CN115150179A (en) 2022-10-04
CN115150179B (en) 2024-01-02
CN114553602A (en) 2022-05-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant