CN115766172A - Message forwarding method, device, equipment and medium based on DPU and national password - Google Patents
Publication number: CN115766172A (application number CN202211397840.7A)
Authority: CN (China)
Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Abstract
The present disclosure relates to a packet forwarding method, apparatus, device and medium based on a DPU and the national cryptographic algorithm (the Chinese SM algorithm family). The method comprises: transmitting a received packet of at least one client virtual machine to the DPU; querying whether the DPU stores an IPSec SA that matches the packet and is used for sending the packet to the opposite-end VPN gateway; and, if such an SA is stored, triggering the DPU to encrypt the packet based on the IPSec SA and the national cryptographic algorithm and to forward the encrypted data to the opposite-end VPN gateway. By offloading national-cryptographic encryption and data forwarding to the DPU, the method releases the computing power of the server; and because the DPU has stronger data processing capacity, several clients can share one DPU, which saves client cost.
Description
Technical Field
The present disclosure relates to the field of communications technologies, and in particular to a packet forwarding method, apparatus, device and medium based on a DPU and the national cryptographic algorithm.
Background
Currently, an IPSec (Internet Protocol Security) tunnel can be used to protect IP (Internet Protocol) packets from attack. IPSec is widely used and can significantly raise the security level of information in transit across local area networks and the Internet. The international IPSec protocol family, defined by 12 RFCs (Requests For Comments) and dozens of drafts, meets current industry standards. However, the international general-purpose IPSec protocol has run into a series of algorithm-security and protocol-security difficulties, so the national cryptography administration issued the VPN (Virtual Private Network) technical specification "IPSec VPN Technical Specification" based on the national cryptographic algorithm, intended as a reference specification for IPSec products using the national cryptographic algorithm. A VPN gateway based on the national cryptographic algorithm relies mainly on that algorithm to secure network communication.
At present, many security products on the market support the national cryptographic algorithm, but only hardware offloading of the cryptographic algorithm itself is supported: traffic forwarding still depends on software, and hardware acceleration is used only for the encryption and decryption context, so VPN performance is limited.
Disclosure of Invention
In order to solve, or at least partially solve, the above technical problems, the present disclosure provides a packet forwarding method, apparatus, device and medium based on a DPU and the national cryptographic algorithm.
In a first aspect, the present disclosure provides a packet forwarding method based on a DPU and the national cryptographic algorithm, including:
transmitting a received packet of at least one client virtual machine to the DPU;
querying whether the DPU stores an IPSec SA that matches the packet and is used for sending the packet to an opposite-end VPN gateway; and
if such an SA is stored, triggering the DPU to encrypt the packet based on the IPSec SA and the national cryptographic algorithm, and forwarding the encrypted data to the opposite-end VPN gateway.
Optionally, the method further includes:
if no such SA is stored, renegotiating with the opposite-end VPN gateway to obtain the IPSec SA, and synchronizing the IPSec SA to the DPU.
Optionally, renegotiating with the opposite-end VPN gateway to obtain the IPSec SA includes:
performing IKE negotiation using the national cryptographic algorithm with the opposite-end VPN gateway to obtain an IKE SA; and
negotiating with the opposite-end VPN gateway based on the IKE SA to obtain the IPSec SA.
Optionally, the DPU includes a DOE engine, a PPE engine and a national cryptographic CRYPTO engine;
querying whether the DPU stores the IPSec SA that matches the packet and is used for sending the packet to an opposite-end VPN gateway comprises:
querying whether the DOE engine stores an IPSec SA that matches the packet and is used for sending the packet to the opposite-end VPN gateway;
triggering the DPU to encrypt the packet based on the IPSec SA and the national cryptographic algorithm, and forwarding the encrypted data to the opposite-end VPN gateway, comprises:
triggering the PPE engine to call the national cryptographic CRYPTO engine to encrypt the packet, and forwarding the encrypted data to the opposite-end VPN gateway based on the IPSec SA.
In a second aspect, the present disclosure provides a packet forwarding apparatus based on a DPU and the national cryptographic algorithm, including:
a receiving module, configured to transmit a received packet of at least one client virtual machine to a DPU;
a query module, configured to query whether the DPU stores an IPSec SA that matches the packet and is used for sending the packet to an opposite-end VPN gateway; and
a forwarding module, configured to trigger the DPU, if such an SA is stored, to encrypt the packet based on the IPSec SA and the national cryptographic algorithm and to forward the encrypted data to the opposite-end VPN gateway.
Optionally, the apparatus further includes a negotiation module, configured to renegotiate with the opposite-end VPN gateway to obtain the IPSec SA if no such SA is stored, and to synchronize the IPSec SA to the DPU.
Optionally, when renegotiating with the opposite-end VPN gateway to obtain the IPSec SA, the negotiation module is specifically configured to perform IKE negotiation using the national cryptographic algorithm with the opposite-end VPN gateway to obtain an IKE SA, and to negotiate with the opposite-end VPN gateway based on the IKE SA to obtain the IPSec SA.
Optionally, the DPU includes a DOE engine, a PPE engine and a national cryptographic CRYPTO engine; when querying whether the DPU stores the IPSec SA that matches the packet and is used for sending the packet to the opposite-end VPN gateway, the query module is specifically configured to query whether the DOE engine stores such an IPSec SA; and when triggering the DPU to encrypt the packet based on the IPSec SA and the national cryptographic algorithm and to forward the encrypted data to the opposite-end VPN gateway, the forwarding module is specifically configured to trigger the PPE engine to call the national cryptographic CRYPTO engine to encrypt the packet, and to forward the encrypted data to the opposite-end VPN gateway based on the IPSec SA.
In a third aspect, the present disclosure provides an electronic device, comprising:
a memory;
a processor; and
a computer program;
wherein the computer program is stored in the memory and configured to be executed by the processor to implement the method of the first aspect.
In a fourth aspect, the present disclosure provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the method according to the first aspect.
Compared with the prior art, the technical solution provided by the present disclosure has the following advantages:
according to the packet forwarding method, apparatus, device and medium based on a DPU and the national cryptographic algorithm, the received packet of the client virtual machine is transmitted to the DPU, and the DPU is then queried for an IPSec SA used for sending the packet to the opposite-end VPN gateway. If such an SA is stored, the DPU is triggered to encrypt the packet based on the IPSec SA and the national cryptographic algorithm and the encrypted data is forwarded to the opposite-end VPN gateway. Encryption with the national cryptographic algorithm and data forwarding are thereby offloaded to the DPU, which releases the computing power of the server; and because the data processing capacity of the DPU is stronger, several clients can share one DPU, which saves client cost.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
In order to more clearly illustrate the embodiments or technical solutions in the prior art of the present disclosure, the drawings used in the description of the embodiments or prior art will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive exercise.
Fig. 1 is a flowchart of a packet forwarding method based on a DPU and the national cryptographic algorithm according to an embodiment of the present disclosure;
fig. 2 is a schematic diagram of an application scenario provided by an embodiment of the present disclosure;
fig. 3 is a schematic structural diagram of a packet forwarding apparatus based on a DPU and the national cryptographic algorithm according to an embodiment of the present disclosure;
fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
In order that the above objects, features and advantages of the present disclosure may be more clearly understood, aspects of the present disclosure will be further described below. It should be noted that the embodiments and features of the embodiments of the present disclosure may be combined with each other without conflict.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure, but the present disclosure may be practiced in other ways than those described herein; it is to be understood that the embodiments disclosed in the specification are only a few embodiments of the present disclosure, and not all embodiments.
A VPN gateway can establish a secure and reliable encrypted channel between a VPC (virtual private cloud) and an enterprise data center or a VPC in another region; interconnection between different networks can be achieved through VPN technology, and a VPN gateway is the best form of interworking between a headquarters network and a branch network. A VPC cannot communicate directly with a local data center, so a VPN gateway can be chosen when the networks are to be connected securely. Support for offloading the national cryptographic algorithm is a mandatory requirement for VPN gateways in government-affairs clouds and financial clouds. Compared with the international algorithms, the national cryptographic algorithm is more secure, but because traffic forwarding still depends on software and hardware acceleration is used only for the encryption and decryption context, VPN performance is limited. On this basis, the embodiment of the present disclosure provides a packet forwarding method based on a DPU and the national cryptographic algorithm, in which the hardware relies on the DPU; the method can be widely applied to VPN gateways and can offload IPSec traffic to the DPU for forwarding.
Fig. 1 is a flowchart of a packet forwarding method based on a DPU and the national cryptographic algorithm according to the present disclosure. The method may be executed by a packet forwarding device of a VPN gateway, which may be implemented by a combination of software and hardware and may be configured in an electronic device such as a server. Fig. 2 is a schematic diagram of an application scenario provided by an embodiment of the present disclosure, and the method may be applied to the scenario shown in fig. 2, which includes a server 201, a DPU202, a VPN gateway 203 and a client virtual machine 204.
The packet forwarding method based on a DPU and the national cryptographic algorithm shown in fig. 1 is described below with reference to the application scenario shown in fig. 2; for example, the server 201 in fig. 2 may execute the method. The method comprises the following steps:
S101, transmitting a received packet of at least one client virtual machine to the DPU.
For example, when the server 201 receives a packet from the client virtual machine 204 through the MAC, it transmits the packet to the DPU202, and the DPU202 performs the packet forwarding in the subsequent steps. Specifically, in the example of fig. 2, the packet is transmitted to the PPE engine 2022 (Packet Processing Engine) in the DPU202, which is used to forward the packet.
S102, querying whether the DPU stores an IPSec SA that matches the packet and is used for sending the packet to the opposite-end VPN gateway.
An SA (Security Association) is an agreement between communicating peers on certain elements; it describes how the peers use security services (e.g. encryption) to communicate securely. These elements include which security protocol is used between the peers, the characteristics of the data flow to be protected, the encapsulation mode of the data transmitted between the peers, the encryption and authentication algorithms used by the protocol, the keys used for the secure transformation and transmission of the data, and the lifetime of the SA and of those keys.
If such an SA is stored, S104 is executed directly;
if not, S103 is executed first and then S104.
In some embodiments, the method further includes S103: renegotiating with the opposite-end VPN gateway to obtain the IPSec SA, and synchronizing the IPSec SA to the DPU.
When the DPU202 does not find an IPSec SA for sending the packet of the client virtual machine 204 to the VPN gateway 203, the server 201 renegotiates with the VPN gateway 203 to obtain the IPSec SA and synchronizes it to the DPU202.
S104, triggering the DPU to encrypt the packet based on the IPSec SA and the national cryptographic algorithm, and forwarding the encrypted data to the opposite-end VPN gateway.
When the IPSec SA is stored in the DPU202, the DPU202 is triggered to encrypt the packet with the cryptographic algorithm specified in the IPSec SA to obtain the encrypted data, and the encrypted data is forwarded to the VPN gateway 203 based on the IPSec SA. Specifically, in the example of fig. 2, when the DOE engine 2021 stores the IPSec SA, the PPE engine 2022 in the DPU202 is triggered to invoke the national cryptographic CRYPTO engine, which encrypts the packet with the national cryptographic algorithm to obtain an encrypted data packet; the PPE engine 2022 then forwards the encrypted data packet to the VPN gateway 203 based on the IPSec SA, and the VPN gateway 203 decrypts it and routes the decrypted packet to the corresponding client virtual machine.
According to the embodiment of the present disclosure, the received packet of the client virtual machine is transmitted to the DPU, and the DPU is then queried for an IPSec SA used for sending the packet to the opposite-end VPN gateway. If such an SA is stored, the DPU is triggered to encrypt the packet based on the IPSec SA and the national cryptographic algorithm, and the encrypted data is forwarded to the opposite-end VPN gateway. Encryption with the national cryptographic algorithm and data forwarding are thereby offloaded to the DPU, which releases the computing power of the server; and because the data processing capacity of the DPU is stronger, several clients can share one DPU, which saves client cost.
In some embodiments, renegotiating with the opposite-end VPN gateway to obtain the IPSec SA comprises: performing IKE negotiation using the national cryptographic algorithm with the opposite-end VPN gateway to obtain an IKE SA; and negotiating with the opposite-end VPN gateway based on the IKE SA to obtain the IPSec SA.
In manual IPSec SA configuration, all parameters required to establish the SA must be configured by hand and can only be refreshed by hand, so in medium and large networks the key management cost of this mode is very high; the IPSec SA is therefore usually established through IKE. In IKE mode, the encryption and authentication keys required to establish the IPSec SA are generated by the DH (Diffie-Hellman) algorithm and can be refreshed dynamically, so the key management cost is low and security is high. The IKE approach first negotiates an IKE SA, then negotiates the IPSec SA under the protection of the IKE SA. The Internet Key Exchange (IKE) protocol is built on the framework defined by the Internet Security Association and Key Management Protocol (ISAKMP) and is an application-layer protocol carried over UDP (User Datagram Protocol) port 500.
In the example of fig. 2, the SOC2024 (System on Chip) of the DPU202 runs DPDK (Data Plane Development Kit), a development kit that maps packets received from the network card directly into user space. During IPSec SA negotiation, the IKE process in the server 201 first performs IKE negotiation using the national cryptographic algorithm with the VPN gateway 203 to obtain the IKE SA, then performs IPSec negotiation using the national cryptographic algorithm on the basis of that IKE SA to obtain the IPSec SA. The server 201 then synchronizes the negotiated IPSec SA to the IPSec process in the SOC2024 on the DPU202; the IPSec process synchronizes the flow information and the IPSec SA information to the hardware engines through the rte_flow interface (rte_flow is the generic DPDK API for configuring hardware to match specific ingress or egress traffic), and the hardware stores them in the DOE engine 2021. Subsequent packets of the flow are forwarded to the VPN gateway 203 by the PPE engine 2022 based on the negotiated IPSec SA; the PPE engine 2022 accelerates forwarding of the packet traffic in hardware, which improves the traffic forwarding efficiency of the VPN and thereby offloads the relevant IPSec operations to the DPU hardware engines.
According to the embodiment of the present disclosure, the IKE SA is obtained through negotiation and the IPSec SA is then obtained through negotiation with the opposite-end VPN gateway based on the IKE SA, which reduces key management cost and improves security. At the same time, the negotiated IPSec SA is synchronized into the DPU, so that subsequent packets of the flow are forwarded by the DPU, the relevant IPsec traffic operations are offloaded to the DPU, and the computing power of the server side is released.
On the basis of the above embodiment, the DPU comprises a DOE engine, a PPE engine and a national cryptographic CRYPTO engine. Querying whether the DPU stores the IPSec SA that matches the packet and is used for sending the packet to the opposite-end VPN gateway comprises: querying whether such an IPSec SA is stored in the DOE engine. Triggering the DPU to encrypt the packet based on the IPSec SA and the national cryptographic algorithm and forwarding the encrypted data to the opposite-end VPN gateway comprises: triggering the PPE engine to call the national cryptographic CRYPTO engine to encrypt the packet, and forwarding the encrypted data to the opposite-end VPN gateway based on the IPSec SA.
With reference to fig. 2, the DPU202 includes a DOE engine 2021, a PPE engine 2022 and a national cryptographic CRYPTO engine 2023, all of which are hardware engines. The DOE engine 2021 is a data storage engine for storing IPSec SA information; the PPE engine 2022 is a packet processing engine that forwards packet traffic data and accelerates the forwarding in hardware; the national cryptographic CRYPTO engine 2023 is the national cryptographic algorithm implemented in hardware logic, which accelerates packet encryption in hardware.
The server 201 queries whether an IPSec SA for sending the packet of the client virtual machine 204 to the VPN gateway 203 is stored in the DPU202, specifically by querying the DOE engine 2021 in the DPU202. When the DPU202 is triggered to encrypt the packet based on the IPSec SA and the national cryptographic algorithm and to forward the encrypted data to the VPN gateway 203, specifically the PPE engine 2022 is triggered to call the national cryptographic CRYPTO engine 2023 to encrypt the packet: the CRYPTO engine 2023 performs the hash operation, the encryption and the ESP header addition on the packet, all with the national cryptographic algorithms, so that encryption with those algorithms is hardware-accelerated; the PPE engine 2022 then forwards the encrypted data to the VPN gateway 203 based on the IPSec SA, so that forwarding of the IPSec traffic is hardware-accelerated as well.
The national cryptographic algorithms are issued by the national cryptography administration and include the symmetric encryption algorithms SM1 and SM4, the hash algorithm SM3, the asymmetric algorithm SM2 and other algorithms. For example, the national cryptographic CRYPTO engine may be a hardware implementation of the SM3 and SM4 algorithms, both of which are publicly published algorithms. ESP (Encapsulating Security Payload) is an IPsec protocol that provides confidentiality and data integrity for IP packets, together with data-origin authentication and anti-replay protection.
According to this embodiment, a DOE engine, a PPE engine and a national cryptographic CRYPTO engine are provided in the DPU: the DOE engine stores the IPSec SA information, the PPE engine calls the CRYPTO engine to encrypt the packet, and the PPE engine forwards the encrypted data to the opposite-end VPN gateway based on the IPSec SA. Encryption with the national cryptographic algorithm and forwarding of the packet traffic are thus offloaded to the DPU, the packet does not need to be processed by the server, and the computing power of the server-side CPU (central processing unit) is released.
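The fast path and slow path of S101 to S104, together with the ESP protections named in the paragraph above, as a software model added here for illustration (it is not code from the patent or from any DPU vendor). It assumes a SHA-256 counter-mode keystream and HMAC-SHA256 as stand-ins for the SM4 and SM3 hardware CRYPTO engine, replaces the IKE exchange with random key material installed at both ends, and uses constructed names (IPsecSA, VpnGateway) and a constructed flow selector.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

ICV_LEN, WINDOW = 16, 64  # truncated ICV length in bytes, anti-replay window size


@dataclass
class IPsecSA:  # one SA as cached by the DOE engine; keys stand in for SM4/SM3 keys
    spi: int
    enc_key: bytes
    auth_key: bytes
    seq: int = 0      # last outbound sequence number
    highest: int = 0  # highest inbound sequence number accepted
    window: int = 0   # anti-replay bitmap; bit i set means (highest - i) was seen


def keystream(sa, seq, n):
    """Counter-mode keystream from SHA-256, a stand-in for the SM4 hardware CRYPTO."""
    blocks = (hashlib.sha256(sa.enc_key + struct.pack(">IIQ", sa.spi, seq, i)).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def icv(sa, data):
    """Integrity check value; HMAC-SHA256 stands in for the SM3-based ICV."""
    return hmac.new(sa.auth_key, data, hashlib.sha256).digest()[:ICV_LEN]


def esp_encapsulate(sa, inner_packet):
    """RFC 4303 layout: SPI | Seq | enc(payload | pad | pad_len | next_hdr=4) | ICV."""
    sa.seq += 1
    pad_len = (-(len(inner_packet) + 2)) % 4  # trailer must end on a 4-byte boundary
    plaintext = inner_packet + bytes(range(1, pad_len + 1)) + bytes([pad_len, 4])
    header = struct.pack(">II", sa.spi, sa.seq)
    body = bytes(a ^ b for a, b in zip(plaintext, keystream(sa, sa.seq, len(plaintext))))
    return header + body + icv(sa, header + body)


def replay_check_and_update(sa, seq):
    """Sliding anti-replay window as in RFC 4303; False means the packet is dropped."""
    if seq == 0:
        return False
    if seq > sa.highest:  # window slides forward
        shift = seq - sa.highest
        sa.window = ((sa.window << shift) & ((1 << WINDOW) - 1)) if shift < WINDOW else 0
        sa.window, sa.highest = sa.window | 1, seq
        return True
    offset = sa.highest - seq
    if offset >= WINDOW or (sa.window >> offset) & 1:  # too old or already seen
        return False
    sa.window |= 1 << offset
    return True


def esp_decapsulate(sa, esp):
    """Check the ICV first, then the replay window, then decrypt and strip the trailer."""
    header, body, tag = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    spi, seq = struct.unpack(">II", header)
    if spi != sa.spi or not hmac.compare_digest(tag, icv(sa, header + body)):
        raise ValueError("SPI mismatch or ICV check failed")
    if not replay_check_and_update(sa, seq):
        raise ValueError(f"sequence number {seq} replayed or outside the window")
    plaintext = bytes(a ^ b for a, b in zip(body, keystream(sa, seq, len(body))))
    return plaintext[:len(plaintext) - 2 - plaintext[-2]]


class VpnGateway:  # server plus DPU; `sad` models the DOE engine's SA store by selector
    def __init__(self):
        self.sad, self.negotiations = {}, 0

    def negotiate(self, peer, selector):
        # S103 stand-in: real IKE derives SPI and keys in the national-cryptography exchange;
        # here fresh random material is installed at both ends (the rte_flow sync in the text).
        self.negotiations += 1
        spi = int.from_bytes(os.urandom(4), "big") | 0x100  # stay above reserved SPIs 1..255
        enc_key, auth_key = os.urandom(16), os.urandom(32)
        self.sad[selector] = IPsecSA(spi, enc_key, auth_key)
        peer.sad[selector] = IPsecSA(spi, enc_key, auth_key)

    def forward(self, peer, selector, inner_packet):
        sa = self.sad.get(selector)  # S102: DOE engine lookup
        if sa is None:  # miss: slow path, then retry the lookup
            self.negotiate(peer, selector)
            sa = self.sad[selector]
        return esp_encapsulate(sa, inner_packet)  # S104: PPE calls CRYPTO and forwards

    def receive(self, selector, esp):
        return esp_decapsulate(self.sad[selector], esp)


def demo():
    """First packet: slow path; second: fast path; a replayed first packet is dropped."""
    server, gateway = VpnGateway(), VpnGateway()
    flow = ("10.0.1.5", "192.168.8.9")  # constructed client-VM flow selector
    pkt1 = b"\x45\x00constructed inner packet from client VM 204"
    esp1 = server.forward(gateway, flow, pkt1)
    esp2 = server.forward(gateway, flow, pkt1 + b" again")
    out1, out2 = gateway.receive(flow, esp1), gateway.receive(flow, esp2)
    try:
        gateway.receive(flow, esp1)
        replay_dropped = False
    except ValueError:
        replay_dropped = True
    return server.negotiations, out1, out2, replay_dropped
```

Only the first packet of the flow triggers a negotiation; once the SA is installed, every later packet is encapsulated directly, and the receiver's window rejects a resent ESP packet even though its ICV is valid.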
Fig. 3 is a schematic structural diagram of a packet forwarding apparatus based on a DPU and the national cryptographic algorithm according to an embodiment of the present disclosure. The apparatus may be a component or assembly in a server as in the above embodiments, and may execute the processing procedure of the packet forwarding method based on a DPU and the national cryptographic algorithm. As shown in fig. 3, the packet forwarding apparatus 300 includes: a receiving module 301, configured to transmit a received packet of at least one client virtual machine to a DPU; a query module 302, configured to query whether the DPU stores an IPSec SA that matches the packet and is used for sending the packet to the opposite-end VPN gateway; and a forwarding module 303, configured to trigger the DPU, if such an SA is stored, to encrypt the packet based on the IPSec SA and the national cryptographic algorithm and to forward the encrypted data to the opposite-end VPN gateway.
In some embodiments, the packet forwarding apparatus 300 further includes a negotiation module 304, configured to renegotiate with the opposite-end VPN gateway to obtain the IPSec SA if no such SA is stored, and to synchronize the IPSec SA to the DPU.
In some embodiments, when renegotiating with the opposite-end VPN gateway to obtain the IPSec SA, the negotiation module 304 is specifically configured to perform IKE negotiation using the national cryptographic algorithm with the opposite-end VPN gateway to obtain an IKE SA, and to negotiate with the opposite-end VPN gateway based on the IKE SA to obtain the IPSec SA.
In some embodiments, the DPU includes a DOE engine, a PPE engine and a national cryptographic CRYPTO engine; when querying whether the DPU stores the IPSec SA that matches the packet and is used for sending the packet to the opposite-end VPN gateway, the query module 302 is specifically configured to query whether the DOE engine stores such an IPSec SA; and when triggering the DPU to encrypt the packet based on the IPSec SA and the national cryptographic algorithm and to forward the encrypted data to the opposite-end VPN gateway, the forwarding module 303 is specifically configured to trigger the PPE engine to call the national cryptographic CRYPTO engine to encrypt the packet, and to forward the encrypted data to the opposite-end VPN gateway based on the IPSec SA.
The packet forwarding apparatus based on a DPU and the national cryptographic algorithm in the embodiment shown in fig. 3 may be used to implement the technical solution of the method embodiment; its implementation principle and technical effect are similar and are not described again here.
Fig. 4 is a schematic structural diagram of an electronic device provided in an embodiment of the present disclosure. The electronic device may be a server as in the above embodiments, and may execute the processing flow of the embodiment of the packet forwarding method based on a DPU and the national cryptographic algorithm. As shown in fig. 4, the electronic device 400 includes a memory 401, a processor 402, a computer program and a communication interface 403; the computer program is stored in the memory 401 and is configured to be executed by the processor 402 to implement the above packet forwarding method based on a DPU and the national cryptographic algorithm.
In addition, an embodiment of the present disclosure also provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, it implements the packet forwarding method based on a DPU and the national cryptographic algorithm of the foregoing embodiments.
It is noted that, in this document, relational terms such as "first" and "second" may be used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between those entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in the process, method, article or apparatus that comprises the element.
The foregoing are merely exemplary embodiments of the present disclosure, which enable those skilled in the art to understand or practice the present disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (10)
1. A message forwarding method based on a DPU and national cryptographic algorithms, characterized by comprising the following steps:
transmitting a received message of at least one client virtual machine to the DPU;
querying whether the DPU stores an IPSec SA that matches the message and is used for sending the message to an opposite-end VPN gateway;
and if such an IPSec SA is stored, triggering the DPU to encrypt the message based on the IPSec SA and the national cryptographic algorithm, and forwarding the encrypted data to the opposite-end VPN gateway.
2. The method of claim 1, wherein the method further comprises:
and if no such IPSec SA is stored, renegotiating with the opposite-end VPN gateway to obtain the IPSec SA, and synchronizing the IPSec SA to the DPU.
3. The method of claim 2, wherein the renegotiating with the opposite-end VPN gateway to obtain the IPSec SA comprises:
performing a national cryptographic IKE negotiation with the opposite-end VPN gateway to obtain an IKE SA;
and negotiating with the opposite-end VPN gateway based on the IKE SA to obtain the IPSec SA.
4. The method of claim 1, wherein the DPU comprises a DOE engine, a PPE engine, and a national cryptographic CRYPTO engine;
the querying whether the DPU stores the IPSec SA that matches the message and is used for sending the message to the opposite-end VPN gateway comprises:
querying whether the DOE engine stores the IPSec SA that matches the message and is used for sending the message to the opposite-end VPN gateway;
the triggering the DPU to encrypt the message based on the IPSec SA and the national cryptographic algorithm and forwarding the encrypted data to the opposite-end VPN gateway comprises:
triggering the PPE engine to call the national cryptographic CRYPTO engine to encrypt the message, and forwarding the encrypted data to the opposite-end VPN gateway based on the IPSec SA.
5. A message forwarding device based on a DPU and national cryptographic algorithms, characterized by comprising:
a receiving module, configured to transmit a received message of at least one client virtual machine to a DPU;
a query module, configured to query whether the DPU stores an IPSec SA that matches the message and is used for sending the message to an opposite-end VPN gateway;
and a forwarding module, configured to trigger the DPU to encrypt the message based on the IPSec SA and the national cryptographic algorithm if such an IPSec SA is stored, and to forward the encrypted data to the opposite-end VPN gateway.
6. The device of claim 5, wherein the device further comprises a negotiation module, configured to renegotiate with the opposite-end VPN gateway to obtain the IPSec SA and to synchronize the IPSec SA to the DPU if no such IPSec SA is stored.
7. The device of claim 6, wherein the negotiation module, when renegotiating with the opposite-end VPN gateway to obtain the IPSec SA, is specifically configured to perform a national cryptographic IKE negotiation with the opposite-end VPN gateway to obtain an IKE SA, and to negotiate with the opposite-end VPN gateway based on the IKE SA to obtain the IPSec SA.
8. The device of claim 5, wherein the DPU comprises a DOE engine, a PPE engine, and a national cryptographic CRYPTO engine;
the query module, when querying whether the DPU stores the IPSec SA that matches the message and is used for sending the message to the opposite-end VPN gateway, is specifically configured to query whether the DOE engine stores the IPSec SA that matches the message and is used for sending the message to the opposite-end VPN gateway;
the forwarding module, when triggering the DPU to encrypt the message based on the IPSec SA and the national cryptographic algorithm and forwarding the encrypted data to the opposite-end VPN gateway, is specifically configured to trigger the PPE engine to call the national cryptographic CRYPTO engine to encrypt the message, and to forward the encrypted data to the opposite-end VPN gateway based on the IPSec SA.
9. An electronic device, comprising:
a memory;
a processor; and
a computer program;
wherein the computer program is stored in the memory and configured to be executed by the processor to implement the method of any one of claims 1-4.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-4.
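As an added example, not code from the patent, the following Python model walks through claims 1 to 3: the SA lookup in the DPU, the fast path that encrypts and forwards when a matching SA exists, and the slow path that renegotiates the IKE SA and IPSec SA and synchronizes the result to the DPU when none does. The SA layout, the key derivation and the SHA-256 keystream standing in for the national cryptographic CRYPTO engine are constructed assumptions, as is the hypothetical `DpuSaStore` in place of the DOE engine.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class IPSecSA:            # outbound SA as synchronized to the DPU (constructed layout)
    spi: int
    peer: str             # opposite-end VPN gateway address
    enc_key: bytes
    auth_key: bytes
    seq: int = 0          # outbound ESP sequence number

class DpuSaStore:
    """Stand-in for the DOE engine's SA table, keyed by the client VM's (src, dst) selector."""
    def __init__(self):
        self.table = {}
    def lookup(self, src, dst):
        return self.table.get((src, dst))
    def install(self, src, dst, sa):
        self.table[(src, dst)] = sa

def sm_crypto_stub(key: bytes, spi: int, seq: int, data: bytes) -> bytes:
    # Stand-in for the national cryptographic CRYPTO engine (the stdlib has no SM4): a SHA-256
    # counter keystream bound to (key, spi, seq) is XORed with the data, so it is self-inverse.
    ks, ctr = b"", 0
    while len(ks) < len(data):
        ks += hashlib.sha256(key + spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, ks))

def renegotiate_ipsec_sa(peer: str, shared_secret: bytes, spi: int) -> IPSecSA:
    # Slow path (claims 2-3): an IKE SA first, then the IPSec SA keyed under it; the
    # derivation below is a constructed stand-in for the national cryptographic IKE exchange.
    ike_skeyseed = hashlib.sha256(b"IKE-SA" + shared_secret + peer.encode()).digest()
    enc_key = hashlib.sha256(ike_skeyseed + b"ESP-enc" + spi.to_bytes(4, "big")).digest()[:16]
    auth_key = hashlib.sha256(ike_skeyseed + b"ESP-auth" + spi.to_bytes(4, "big")).digest()
    return IPSecSA(spi, peer, enc_key, auth_key)

def forward_message(store, src, dst, payload, peer, shared_secret, spi=0x1001):
    """Claim 1 fast path with the claim 2 fallback: look the SA up in the DPU, renegotiate
    and sync it to the DPU if missing, then encrypt (PPE -> CRYPTO) and forward to the peer."""
    sa = store.lookup(src, dst)
    renegotiated = sa is None
    if renegotiated:
        sa = renegotiate_ipsec_sa(peer, shared_secret, spi)
        store.install(src, dst, sa)          # synchronize the new IPSec SA to the DPU
    sa.seq += 1                              # a (spi, seq) pair is never reused
    header = sa.spi.to_bytes(4, "big") + sa.seq.to_bytes(4, "big")
    body = sm_crypto_stub(sa.enc_key, sa.spi, sa.seq, payload)
    icv = hmac.new(sa.auth_key, header + body, hashlib.sha256).digest()[:12]
    return {"to": sa.peer, "spi": sa.spi, "seq": sa.seq, "esp": header + body + icv, "renegotiated": renegotiated}
```

The first message for a new (src, dst) pair takes the slow path and installs the SA; every later message for that pair is served from the DPU-side table without contacting the peer gateway again.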
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211397840.7A CN115766172B (en) | 2022-11-09 | 2022-11-09 | Message forwarding method, device, equipment and medium based on DPU and national cipher |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115766172A true CN115766172A (en) | 2023-03-07 |
CN115766172B CN115766172B (en) | 2024-09-27 |
Family
ID=85369826
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211397840.7A Active CN115766172B (en) | 2022-11-09 | 2022-11-09 | Message forwarding method, device, equipment and medium based on DPU and national cipher |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115766172B (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1984131A (en) * | 2005-12-14 | 2007-06-20 | 北京三星通信技术研究有限公司 | Method for processing distributed IPSec |
CN101616084A (en) * | 2009-07-29 | 2009-12-30 | 中兴通讯股份有限公司 | A kind of distributed IPSec load sharing device and method |
CN102170434A (en) * | 2011-04-02 | 2011-08-31 | 京信通信系统(中国)有限公司 | Multi-core-processor-based Internet protocol security (IPSEC) realization method and device |
CN105763557A (en) * | 2016-04-07 | 2016-07-13 | 烽火通信科技股份有限公司 | Method and system for message IPSEC (Internet Protocol Security) encryption by switching chip or NP collaborated with CPU |
CN113194097A (en) * | 2021-04-30 | 2021-07-30 | 北京数盾信息科技有限公司 | Data processing method and device for security gateway and security gateway |
CN215769721U (en) * | 2021-12-30 | 2022-02-08 | 北京大禹智芯科技有限公司 | Data processing unit board card |
US11329806B1 (en) * | 2020-12-04 | 2022-05-10 | The Florida International University Board Of Trustees | Systems and methods for authentication and key agreement in a smart grid |
Non-Patent Citations (5)
Title |
---|
中国科学院计算技术研究所等: ""专用数据处理器(DPU)性能基准评测方法与实现"技术白皮书", pages 81, Retrieved from the Internet <URL:https://www.sdnlab.com/25402.html> * |
唐僧: "DPU技术讲堂的听后感", pages 2 - 3, Retrieved from the Internet <URL:https://zhuanlan.zhihu.com/p/541359388> * |
张怡, 孙志刚: "基于IPSec的下一代高性能安全处理器的体系结构", 国防科技大学学报, no. 02 * |
李兆斌;刘丹丹;黄鑫;曹浩;: "基于国密算法的安全接入设备设计与实现", 信息网络安全, no. 11 * |
郑占彬;陈健;: "基于网络处理器IXP2350的IPSec协议实现设计", 网络安全技术与应用, no. 09 * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117424739A (en) * | 2023-10-31 | 2024-01-19 | 中科驭数(北京)科技有限公司 | Message forwarding method and system based on DPU, user mode protocol stack and IP core |
CN117811787A (en) * | 2023-12-26 | 2024-04-02 | 中科驭数(北京)科技有限公司 | Information configuration method, device, equipment and storage medium |
CN117811787B (en) * | 2023-12-26 | 2024-10-18 | 中科驭数(北京)科技有限公司 | Information configuration method, device, equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN115766172B (en) | 2024-09-27 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||