CN115766063A - Data transmission method, device, equipment and medium - Google Patents

Info

Publication number
CN115766063A
Authority
CN
China
Prior art keywords
data packet
vxlan
packet
data
inner layer
Legal status
Pending
Application number
CN202211172634.6A
Other languages
Chinese (zh)
Inventor
田波
郭栋
陈浩
何远杭
倪思源
陈雷
梁嬿良
Current Assignee
CETC 30 Research Institute
Original Assignee
CETC 30 Research Institute
Priority date
2022-09-26
Filing date
2022-09-26
Publication date
2023-03-07
Application filed by CETC 30 Research Institute

Abstract

The invention discloses a data transmission method, device, equipment and medium. The method is applied to the overlay network environment of VXLAN network hosts and comprises the following steps: sending an IP data packet, encrypting the inner layer IP packet of the IP data packet after VXLAN encapsulation, and sending the encrypted IP data packet to a VXLAN gateway, wherein the inner layer IP header of the inner layer IP packet is not encrypted; the VXLAN gateway performs VXLAN decapsulation on the IP data packet, performs VXLAN encapsulation again after determining the sending address of the IP data packet, and forwards the IP data packet according to the IP address; and decrypting the IP data packet, then performing VXLAN decapsulation, and transmitting the decapsulated IP data packet to the receiver. The invention solves the conflict between VXLAN encapsulation and IPsec.

Description

Data transmission method, device, equipment and medium
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a data transmission method, a data transmission device, data transmission equipment and a data transmission medium.
Background
VXLAN (Virtual eXtensible Local Area Network) is widely used in cloud data centers as a common encapsulation protocol for extending large Layer 2 networks across the data center. VXLAN has two deployment modes: centralized gateway and distributed gateway.
Once networks are interconnected, the security of data transmission must be considered. IPsec (Internet Protocol Security) is a suite of protocols and services that secures IP networks by encrypting and authenticating IP packets.
In a VXLAN network host overlay environment, when the standard IPsec mechanism is used to protect a VXLAN-encapsulated IP packet, both the inner IP header and the VXLAN header are encrypted. When the ciphertext packet reaches a VTEP (VXLAN tunnel endpoint) gateway, VXLAN decapsulation cannot be performed and route matching cannot obtain the inner IP address, so service forwarding fails.
Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing a data transmission method, device, equipment and medium. Compared with the transport and tunnel encapsulation modes supported by standard IPsec, the invention provides a new encapsulation mode: transport-mode encryption of the inner IP packet encapsulated by VXLAN, leaving the outer IP header, UDP header, VXLAN header and inner IP header unencrypted. This solves the failure of VXLAN decapsulation and route matching after IPsec encryption and preserves interconnection and intercommunication between subnets in the VXLAN network.
The purpose of the invention is realized by the following technical scheme:
A data transmission method, applied to an overlay network environment of VXLAN network hosts, comprising:
sending an IP data packet, performing VXLAN encapsulation on the IP data packet, then encrypting the inner layer IP packet of the IP data packet, and sending the encrypted IP data packet to a VXLAN gateway, wherein the inner layer IP header of the inner layer IP packet is not encrypted;
after the VXLAN gateway performs VXLAN decapsulation and determines the sending address of the IP data packet, performing VXLAN encapsulation on the IP data packet again and forwarding it;
and decrypting the IP data packet, then performing VXLAN decapsulation, and transmitting the decapsulated IP data packet to the receiver.
Further, the IP data packet includes an outer IP header, a UDP header, a VXLAN header, and an inner IP packet, and the encrypted IP data packet includes an outer IP header, a UDP header, a VXLAN header, an inner IP header, an ESP header, a ciphertext payload, and an ESP trailer.
Furthermore, the IP data packet sent by the sender is subjected to VXLAN encapsulation through the first VTEP gateway, and the IP data packet received by the receiver is subjected to VXLAN decapsulation through the second VTEP gateway.
Further, forwarding the IP packet after the VXLAN gateway determines the sending address of the IP packet specifically includes:
carrying out VXLAN decapsulation on the encrypted IP data packet to obtain an inner layer IP packet, and carrying out route matching on the IP data packet;
and after carrying out VXLAN encapsulation on the inner layer IP packet again according to the route matching result, sending the IP data packet to a second security gateway to decrypt the IP data packet.
Further, the performing the route matching on the IP data packet includes:
route matching is performed through the inner IP address contained in the inner IP header.
Further, the encryption of the IP data packet is realized through a first security gateway, and the decryption of the IP data packet is realized through a second security gateway.
On the other hand, the present invention further provides a data transmission apparatus, where the apparatus is configured to implement the foregoing data transmission method, and the apparatus includes:
the data packet sending module is used for sending an IP data packet, encrypting an inner layer IP packet of the IP data packet after carrying out VXLAN packaging on the IP data packet, and sending the encrypted IP data packet to a VXLAN gateway, wherein an inner layer IP head of the inner layer IP packet is not encrypted;
the data packet forwarding module is used for performing VXLAN decapsulation on the IP data packet, determining an IP address and then performing VXLAN encapsulation again, and forwarding the IP data packet after determining the sending address of the IP data packet;
and the data packet delivery module is used for decrypting the IP data packet, then carrying out VXLAN decapsulation, and transmitting the decapsulated IP data packet to a receiving party.
In another aspect, the present invention further provides a computer device, which includes a processor and a memory, where the memory stores a computer program, and the computer program is loaded and executed by the processor to implement any one of the above-mentioned data transmission methods.
In another aspect, the present invention further provides a computer-readable storage medium, in which a computer program is stored, and the computer program is loaded and executed by a processor to implement any one of the above-mentioned data transmission methods.
The invention has the beneficial effects that:
The invention improves the IPsec encryption mode: instead of encrypting the IP data packet directly, only the inner IP packet is encrypted in transport mode, and the outer IP header, UDP header, VXLAN header and inner IP header are not encrypted. Interconnection and intercommunication between subnets are therefore unaffected while the IP data remains protected, the conflict between VXLAN encapsulation and IPsec is resolved, and the VTEP nodes located between the IPsec gateways can perform VXLAN decapsulation, route matching and re-encapsulation on the encrypted packets normally.
Drawings
Fig. 1 is a schematic flow chart of a data transmission method according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of an exemplary deployment of a centralized gateway according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of the structure of an IP packet before and after transport-mode encryption with standard IPsec;
Fig. 4 is a schematic diagram of the structure of an IP data packet before and after encryption according to an embodiment of the present invention;
Fig. 5 is a block diagram of a data transmission apparatus according to an embodiment of the present invention.
Detailed Description
The embodiments of the present invention are described below with reference to specific embodiments, and other advantages and effects of the present invention will be easily understood by those skilled in the art from the disclosure of the present specification. The invention is capable of other and different embodiments and of being practiced or of being carried out in various ways, and its several details are capable of modification in various respects, all without departing from the spirit and scope of the present invention. It should be noted that the features in the following embodiments and examples may be combined with each other without conflict.
All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
In a VXLAN network host overlay environment, when the standard IPsec mechanism is used to protect a VXLAN-encapsulated IP packet, both the inner IP header and the VXLAN header are encrypted. When the ciphertext packet reaches a VTEP (VXLAN tunnel endpoint) gateway, VXLAN decapsulation cannot be performed and route matching cannot obtain the inner IP address, so service forwarding fails.
In order to solve the above technical problems, the following embodiments of the data transmission method, apparatus, device and medium of the present invention are proposed.
Example 1
This embodiment provides an IPsec encapsulation method for a VXLAN network host overlay environment, addressing the problem that IPsec interferes with VXLAN encapsulation and route matching. Compared with the transport and tunnel encapsulation modes supported by standard IPsec, it provides a new encapsulation mode: transport-mode encryption of the inner IP packet encapsulated by VXLAN, with the outer IP header, UDP header, VXLAN header and inner IP header left unencrypted. This solves the failure of VXLAN decapsulation and route matching after IPsec encryption and preserves interconnection and intercommunication between subnets in the VXLAN network.
Fig. 2 shows a typical centralized-gateway deployment in this embodiment, with an IPsec gateway deployed in the VXLAN environment. When different subnets communicate and the outer IP packet is directly encrypted and encapsulated in the mode defined by standard IPsec, a packet from subnet 1 to subnet 2 is first captured by the IPsec gateway at the exit of subnet 1 and encrypted into ciphertext. When the encrypted packet then reaches the VXLAN gateway, the gateway must first perform VXLAN decapsulation and then look up the route by the inner IP address; because the VXLAN header and the inner IP header are both encrypted, VTEP3 cannot decapsulate the ciphertext packet and the service fails. Fig. 3 shows the structure of an IP packet before and after encryption in the transport mode of standard IPsec: after encryption, the UDP header, the VXLAN header and the entire inner IP packet are ciphertext, so VTEP3 cannot extract the fields of the VXLAN header and the inner IP header to perform VXLAN decapsulation and route lookup.
The embodiment provides an improved IPsec encapsulation manner by analyzing an IP packet. In this embodiment, the outer IP header, UDP header, VXLAN header, and inner IP header are sent in plaintext. The VXLAN gateway can directly perform VXLAN decapsulation and route lookup forwarding on the ciphertext packet.
Referring to fig. 1, as shown in fig. 1, a schematic flow chart of the data transmission method provided in this embodiment is shown, and the method specifically includes:
and sending an IP data packet, encrypting an inner layer IP packet of the IP data packet after the IP data packet is subjected to VXLAN encapsulation, and sending the encrypted IP data packet to a VXLAN gateway, wherein an inner layer IP header of the inner layer IP packet is not encrypted.
In this embodiment, IP data from subnet 1 is VXLAN-encapsulated by VTEP1, and the packet is then encrypted by IPsec gateway 1. Transport-mode encryption is applied to the inner IP packet; the outer IP header, UDP header, VXLAN header and inner IP header are not encrypted.
After the VXLAN gateway performs VXLAN decapsulation and determines the sending address of the IP data packet, it performs VXLAN encapsulation again and forwards the IP data packet.
After the ciphertext packet reaches the VXLAN gateway, VXLAN decapsulation is performed first. Because the outer IP header, UDP header and VXLAN header are not encrypted, the VXLAN gateway can decapsulate the encrypted packet normally and obtain the inner IP packet. Route matching is then performed on the inner IP address, which succeeds because the inner IP header is not encrypted. Finally, the inner IP packet is VXLAN-encapsulated again according to the route matching result and sent towards VTEP2.
And decrypting the IP data packet, then performing VXLAN decapsulation, and transmitting the decapsulated IP data packet to a receiving party.
After receiving the encrypted packet forwarded by the VXLAN gateway, IPsec gateway 2 decrypts it and sends the decrypted packet to VTEP2; after VXLAN decapsulation by VTEP2, the packet is delivered to the host in subnet 2. The data transmission then ends. Fig. 4 shows the structure of the IP packet before and after encryption in this embodiment.
The data transmission method provided in this embodiment improves the IPsec encryption mode: instead of encrypting the IP data packet directly, only the inner IP packet is encrypted in transport mode, and the outer IP header, UDP header, VXLAN header and inner IP header are not encrypted. Interconnection and intercommunication between subnets are therefore unaffected while the IP data remains protected, the conflict between VXLAN encapsulation and IPsec is resolved, and the VTEP nodes located between the IPsec gateways can perform VXLAN decapsulation, route matching and re-encapsulation on the encrypted packets normally.
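The packet layout described above (outer IP, UDP, VXLAN, inner IP header, ESP header, ciphertext payload, ESP trailer) and the flow of Example 1, as an added Python example that is not part of the patent: packets are built with struct, an HMAC-SHA256 counter keystream stands in for a real ESP cipher suite (no ICV, IPv4 checksums left at zero), and the addresses, VNIs, key and route table are constructed. `standard_mode()` reproduces the conflict the patent describes: ESP applied to the outer packet leaves the VXLAN gateway nothing it can decapsulate.

```python
import hashlib
import hmac
import ipaddress
import struct
UDP, ESP, VXLAN_PORT = 17, 50, 4789
KEY = b"constructed-demo-key"                   # constructed: key shared by IPsec gateway 1 and 2
ROUTES = {"10.2.0.0/24": ("192.0.2.2", 200)}   # constructed: subnet 2 sits behind VTEP2 on VNI 200

def ipv4_hdr(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left at 0 since only the layout matters here.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

def vxlan_encap(outer_src, outer_dst, vni, inner):
    vx = struct.pack("!BBHI", 0x08, 0, 0, vni << 8)        # I flag set, 24-bit VNI, reserved byte 0
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, 16 + len(inner), 0)
    return ipv4_hdr(outer_src, outer_dst, UDP, 16 + len(inner)) + udp + vx + inner

def vxlan_decap(pkt):
    # Outer IP (20) + UDP (8) + VXLAN (8) must be readable, i.e. carried in plaintext.
    if pkt[9] != UDP or struct.unpack("!H", pkt[22:24])[0] != VXLAN_PORT:
        raise ValueError("outer headers are not a plaintext VXLAN encapsulation")
    return struct.unpack("!I", pkt[32:36])[0] >> 8, pkt[36:]

def keystream(key, spi, seq, n):
    # Stand-in CTR keystream from HMAC-SHA256; a real ESP SA would use e.g. AES-GCM and carry an ICV.
    return b"".join(hmac.new(key, struct.pack("!IIQ", spi, seq, i), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def esp_transport_encrypt(ip_pkt, key, spi, seq):
    # Transport mode: the IP header in front stays cleartext; only its payload becomes ESP ciphertext.
    ihl = (ip_pkt[0] & 0x0F) * 4
    hdr, payload = bytearray(ip_pkt[:ihl]), ip_pkt[ihl:]
    pad_len = (-(len(payload) + 2)) % 4                    # Pad Length/Next Header end on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, hdr[9]])   # RFC 4303 default padding
    ct = bytes(a ^ b for a, b in zip(payload + trailer, keystream(key, spi, seq, len(payload) + len(trailer))))
    hdr[9] = ESP                                           # Protocol = ESP
    struct.pack_into("!H", hdr, 2, ihl + 8 + len(ct))      # Total Length now covers ESP header + ciphertext
    return bytes(hdr) + struct.pack("!II", spi, seq) + ct

def esp_transport_decrypt(ip_pkt, key):
    ihl = (ip_pkt[0] & 0x0F) * 4
    hdr, spi, seq = bytearray(ip_pkt[:ihl]), *struct.unpack("!II", ip_pkt[ihl:ihl + 8])
    if hdr[9] != ESP:
        raise ValueError("inner packet is not ESP")
    pt = bytes(a ^ b for a, b in zip(ip_pkt[ihl + 8:], keystream(key, spi, seq, len(ip_pkt) - ihl - 8)))
    pad_len, hdr[9] = pt[-2], pt[-1]                       # ESP trailer: Pad Length, Next Header
    payload = pt[:len(pt) - 2 - pad_len]
    struct.pack_into("!H", hdr, 2, ihl + len(payload))
    return bytes(hdr) + payload

def vxlan_gateway(pkt, routes, gw_ip):
    # VTEP3: decapsulate, route on the cleartext inner IP header, re-encapsulate. No IPsec key needed.
    _vni, inner = vxlan_decap(pkt)
    inner_dst = ipaddress.ip_address(inner[16:20])
    for net, (next_vtep, vni) in routes.items():
        if inner_dst in ipaddress.ip_network(net):
            return vxlan_encap(gw_ip, next_vtep, vni, inner)
    raise LookupError(f"no route for inner destination {inner_dst}")

def build_packet():
    inner = ipv4_hdr("10.1.0.5", "10.2.0.7", UDP, 14) + b"hello subnet 2"   # subnet 1 host -> subnet 2 host
    return inner, vxlan_encap("192.0.2.1", "192.0.2.3", 100, inner)        # VTEP1 -> VXLAN gateway, VNI 100

def patent_mode():
    inner, pkt = build_packet()
    pkt = vxlan_encap(pkt[12:16], pkt[16:20], 100, esp_transport_encrypt(pkt[36:], KEY, 0x1001, 1))  # IPsec gw 1
    fwd = vxlan_gateway(pkt, ROUTES, "192.0.2.3")                                                    # VTEP3
    dec = vxlan_encap(fwd[12:16], fwd[16:20], 200, esp_transport_decrypt(fwd[36:], KEY))            # IPsec gw 2
    vni, inner_out = vxlan_decap(dec)                                                                # VTEP2
    return vni, inner_out == inner

def standard_mode():
    # Standard transport-mode ESP on the outer packet: UDP, VXLAN and inner headers become ciphertext.
    try:
        vxlan_gateway(esp_transport_encrypt(build_packet()[1], KEY, 0x1001, 1), ROUTES, "192.0.2.3")
        return "forwarded"
    except ValueError:
        return "gateway cannot decapsulate"
```

The IPsec gateways re-wrap the modified inner packet in the same outer headers because the ESP header and trailer change the inner length, which the outer IP and UDP length fields must reflect.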
Example 2
Fig. 5 shows the data transmission apparatus provided in this embodiment. The apparatus is configured to implement the foregoing data transmission method and comprises:
the data packet sending module is used for sending an IP data packet, encrypting an inner layer IP packet of the IP data packet after carrying out VXLAN packaging on the IP data packet, and sending the encrypted IP data packet to a VXLAN gateway, wherein an inner layer IP head of the inner layer IP packet is not encrypted;
the data packet forwarding module is used for performing VXLAN decapsulation on the IP data packet, determining an IP address and then performing VXLAN encapsulation again, and forwarding the IP data packet after determining the sending address of the IP data packet;
and the data packet delivery module is used for decrypting the IP data packet, then carrying out VXLAN decapsulation, and transmitting the decapsulated IP data packet to the receiving party.
The beneficial effects of the data transmission device provided in this embodiment are detailed in the foregoing embodiments, and are not described herein again.
Example 3
The preferred embodiment provides a computer device, which can implement the steps in any embodiment of the data transmission method provided in the embodiments of the present application, and therefore, the beneficial effects of the data transmission method provided in the embodiments of the present application can be achieved, which are detailed in the foregoing embodiments and will not be described herein again.
Example 4
It will be understood by those skilled in the art that all or part of the steps of the methods of the above embodiments may be performed by instructions or by associated hardware controlled by the instructions, which may be stored in a computer readable storage medium and loaded and executed by a processor. To this end, an embodiment of the present invention provides a storage medium, in which a plurality of instructions are stored, and the instructions can be loaded by a processor to execute the steps of any embodiment of the data transmission method provided in the embodiment of the present invention.
The storage medium may include: Read-Only Memory (ROM), Random Access Memory (RAM), magnetic or optical disks, and the like.
Since the instructions stored in the storage medium may execute the steps in any data transmission method embodiment provided in the embodiments of the present invention, beneficial effects that can be achieved by any data transmission method provided in the embodiments of the present invention may be achieved, which are detailed in the foregoing embodiments and will not be described herein again.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (9)

1. A data transmission method applied to an overlay network environment of VXLAN network hosts, the method comprising:
sending an IP data packet, carrying out VXLAN packaging on the IP data packet, then encrypting an inner layer IP packet of the IP data packet, and sending the encrypted IP data packet to a VXLAN gateway, wherein an inner layer IP head of the inner layer IP packet is not encrypted;
the VXLAN gateway conducts VXLAN decapsulation on the IP data packet, conducts VXLAN encapsulation again after determining the sending address of the IP data packet, and forwards the IP data packet according to the IP address;
and decrypting the IP data packet, then carrying out VXLAN decapsulation, and transmitting the decapsulated IP data packet to a receiving party.
2. The data transmission method of claim 1, wherein the IP packet comprises an outer IP header, a UDP header, a VXLAN header, and an inner IP packet, and the encrypted IP packet comprises an outer IP header, a UDP header, a VXLAN header, an inner IP header, an ESP header, a ciphertext payload, and an ESP trailer.
3. The data transmission method according to claim 1, wherein the IP packet sent by the sender is VXLAN encapsulated by the first VTEP gateway, and the IP packet received by the receiver is VXLAN decapsulated by the second VTEP gateway.
4. The data transmission method according to claim 1, wherein the VXLAN gateway decapsulates the IP packet by VXLAN, determines the sending address of the IP packet, and then performs VXLAN encapsulation again, and forwards the IP packet according to the IP address specifically includes:
carrying out VXLAN decapsulation on the encrypted IP data packet to obtain an inner layer IP packet, and carrying out route matching on the IP data packet;
and after carrying out VXLAN packaging on the inner layer IP packet again according to the route matching result, sending the IP data packet to a second security gateway to decrypt the IP data packet.
5. The data transmission method as claimed in claim 4, wherein said performing route matching on the IP data packet comprises:
route matching is performed through the inner IP address contained in the inner IP header.
6. The data transmission method of claim 1, wherein the encrypting the IP data packet is performed by a first security gateway, and the decrypting the IP data packet is performed by a second security gateway.
7. A data transmission apparatus, characterized in that the apparatus is used for implementing the data transmission method of claim 1, and the apparatus comprises:
the data packet sending module is used for sending an IP data packet, encrypting an inner layer IP packet of the IP data packet after carrying out VXLAN packaging on the IP data packet, and sending the encrypted IP data packet to a VXLAN gateway, wherein an inner layer IP head of the inner layer IP packet is not encrypted;
the data packet forwarding module is used for performing VXLAN decapsulation on the IP data packet, determining an IP address and then performing VXLAN encapsulation again, and forwarding the IP data packet after determining the sending address of the IP data packet;
and the data packet delivery module is used for decrypting the IP data packet, then performing VXLAN decapsulation, and transmitting the decapsulated IP data packet to a receiving party.
8. A computer arrangement, characterized in that the computer arrangement comprises a processor and a memory, in which a computer program is stored, which computer program is loaded and executed by the processor to implement the data transmission method according to any one of claims 1-6.
9. A computer-readable storage medium, in which a computer program is stored which is loaded and executed by a processor to implement the data transmission method according to any one of claims 1 to 6.

Priority application
CN202211172634.6A, priority date 2022-09-26, filing date 2022-09-26, Data transmission method, device, equipment and medium (pending)

Publication
CN115766063A (en), 2023-03-07

Family ID
85351948

Country status
CN: CN115766063A (en)

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination