CN115766172A - Packet forwarding method, apparatus, device and medium based on a DPU and national cryptographic algorithms - Google Patents


Info

Publication number: CN115766172A
Authority: CN (China)
Prior art keywords: ipsec, dpu, vpn gateway, opposite, message
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202211397840.7A
Other languages: Chinese (zh)
Other versions: CN115766172B (en)
Inventors: 张宇, 苏鹏
Current Assignee: Yusur Technology Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Yusur Technology Co ltd

Events:
Application filed by Yusur Technology Co ltd
Priority to CN202211397840.7A
Publication of CN115766172A
Application granted
Publication of CN115766172B
Current legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The present disclosure relates to a packet forwarding method, apparatus, device and medium based on a DPU and national cryptographic (SM) algorithms. The method comprises: passing a packet received from at least one client virtual machine to the DPU; querying whether the DPU stores an IPSec SA that matches the packet and is used to send it to the peer VPN gateway; and, if such an SA is stored, triggering the DPU to encrypt the packet based on the IPSec SA and the national cryptographic algorithm and to forward the encrypted data to the peer VPN gateway. By offloading the national cryptographic encryption and the data forwarding to the DPU, the method and apparatus free the server's computing power; and because the DPU has the stronger data-processing capability, several clients can share one DPU, which reduces client cost.

Description

Packet forwarding method, apparatus, device and medium based on a DPU and national cryptographic algorithms
Technical Field
The present disclosure relates to the field of communications technology, and in particular to a packet forwarding method, apparatus, device and medium based on a DPU and national cryptographic algorithms.
Background
Currently, IPSec (Internet Protocol Security) tunnels can be used to protect IP (Internet Protocol) packets from attack. IPSec is widely deployed and significantly raises the security level of information transmitted over local area networks and the Internet. The international IPSec protocol family, defined by 12 RFCs (Requests For Comments) and dozens of drafts, meets current industry standards. However, the internationally used IPSec protocol has run into a series of algorithm-security and protocol-security difficulties, so the national cryptography administration issued the VPN (Virtual Private Network) technical specification "IPSec VPN Technical Specification" for the national cryptographic algorithms, intended as a reference specification for IPSec products that use those algorithms. A VPN gateway based on the national cryptographic algorithms relies mainly on those algorithms to secure network communication.
At present, many security products on the market support the national cryptographic algorithms, but they only offload the security algorithms to hardware: traffic forwarding still depends on software, and hardware accelerates only the encryption and decryption context, so VPN performance is limited.
Disclosure of Invention
In order to solve, or at least partially solve, the above technical problems, the present disclosure provides a packet forwarding method, apparatus, device and medium based on a DPU and national cryptographic algorithms.
In a first aspect, the present disclosure provides a packet forwarding method based on a DPU and national cryptographic algorithms, comprising:
passing a packet received from at least one client virtual machine to the DPU;
querying whether the DPU stores an IPSec SA that matches the packet and is used to send the packet to the peer VPN gateway; and
if such an SA is stored, triggering the DPU to encrypt the packet based on the IPSec SA and the national cryptographic algorithm, and forwarding the encrypted data to the peer VPN gateway.
Optionally, the method further comprises:
if no such SA is stored, renegotiating with the peer VPN gateway to obtain the IPSec SA, and synchronizing the IPSec SA to the DPU.
Optionally, renegotiating with the peer VPN gateway to obtain the IPSec SA comprises:
performing a national-cryptographic IKE negotiation with the peer VPN gateway to obtain an IKE SA; and
negotiating with the peer VPN gateway based on the IKE SA to obtain the IPSec SA.
Optionally, the DPU comprises a DOE engine, a PPE engine and a national cryptographic CRYPTO engine;
querying whether the DPU stores an IPSec SA that matches the packet and is used to send the packet to the peer VPN gateway comprises:
querying whether the DOE engine stores an IPSec SA that matches the packet and is used to send the packet to the peer VPN gateway; and
triggering the DPU to encrypt the packet based on the IPSec SA and the national cryptographic algorithm and forwarding the encrypted data to the peer VPN gateway comprises:
triggering the PPE engine to call the national cryptographic CRYPTO engine to encrypt the packet, and forwarding the encrypted data to the peer VPN gateway based on the IPSec SA.
In a second aspect, the present disclosure provides a packet forwarding apparatus based on a DPU and national cryptographic algorithms, comprising:
a receiving module, configured to pass a packet received from at least one client virtual machine to the DPU;
a query module, configured to query whether the DPU stores an IPSec SA that matches the packet and is used to send the packet to the peer VPN gateway; and
a forwarding module, configured to trigger the DPU, if such an SA is stored, to encrypt the packet based on the IPSec SA and the national cryptographic algorithm, and to forward the encrypted data to the peer VPN gateway.
Optionally, the apparatus further comprises a negotiation module, configured to renegotiate with the peer VPN gateway to obtain the IPSec SA if no such SA is stored, and to synchronize the IPSec SA to the DPU.
Optionally, when renegotiating with the peer VPN gateway to obtain the IPSec SA, the negotiation module is specifically configured to perform a national-cryptographic IKE negotiation with the peer VPN gateway to obtain an IKE SA, and to negotiate with the peer VPN gateway based on the IKE SA to obtain the IPSec SA.
Optionally, the DPU comprises a DOE engine, a PPE engine and a national cryptographic CRYPTO engine; when querying whether the DPU stores an IPSec SA that matches the packet and is used to send the packet to the peer VPN gateway, the query module is specifically configured to query whether the DOE engine stores such an IPSec SA; and when triggering the DPU to encrypt the packet based on the IPSec SA and the national cryptographic algorithm and forward the encrypted data to the peer VPN gateway, the forwarding module is specifically configured to trigger the PPE engine to call the national cryptographic CRYPTO engine to encrypt the packet, and to forward the encrypted data to the peer VPN gateway based on the IPSec SA.
In a third aspect, the present disclosure provides an electronic device, comprising:
a memory;
a processor; and
a computer program;
wherein the computer program is stored in the memory and is configured to be executed by the processor to implement the method of the first aspect.
In a fourth aspect, the present disclosure provides a computer-readable storage medium on which a computer program is stored which, when executed by a processor, implements the method of the first aspect.
Compared with the prior art, the technical solution provided by the disclosure has the following advantages:
in the packet forwarding method, apparatus, device and medium based on a DPU and national cryptographic algorithms, a packet received from a client virtual machine is passed to the DPU; the DPU is then queried for an IPSec SA used to send the packet to the peer VPN gateway; if one is stored, the DPU is triggered to encrypt the packet based on the IPSec SA and the national cryptographic algorithm, and the encrypted data is forwarded to the peer VPN gateway. National cryptographic encryption and data forwarding are thus offloaded to the DPU, freeing the server's computing power; and because the DPU has the stronger data-processing capability, several clients can share one DPU, which reduces client cost.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
To illustrate the embodiments of the present disclosure or the prior art more clearly, the drawings used in describing them are briefly introduced below; it is obvious to those skilled in the art that other drawings can be derived from these drawings without inventive effort.
Fig. 1 is a flowchart of a packet forwarding method based on a DPU and national cryptographic algorithms according to an embodiment of the present disclosure;
Fig. 2 is a schematic diagram of an application scenario provided by an embodiment of the present disclosure;
Fig. 3 is a schematic structural diagram of a packet forwarding apparatus based on a DPU and national cryptographic algorithms according to an embodiment of the present disclosure;
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
In order that the above objects, features and advantages of the present disclosure may be more clearly understood, aspects of the present disclosure will be further described below. It should be noted that the embodiments and features of the embodiments of the present disclosure may be combined with each other without conflict.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure, but the present disclosure may be practiced in other ways than those described herein; it is to be understood that the embodiments disclosed in the specification are only a few embodiments of the present disclosure, and not all embodiments.
A VPN gateway can establish a secure and reliable encrypted channel between a VPC (virtual private cloud) and an enterprise data center or a VPC in another region; different networks can be interconnected through VPN technology, and the VPN gateway is the best form of interconnection between a headquarters network and branch networks. A VPC cannot communicate directly with a local data center; a VPN gateway can be chosen when the networks are to be connected securely. Support for offloading the national cryptographic algorithms is a mandatory threshold for VPN gateways in government-affairs clouds and financial clouds. Compared with the international algorithms, the national cryptographic algorithms are more secure, but because traffic forwarding still depends on software and hardware acceleration is used only for the encryption and decryption context, VPN performance is limited. On this basis, the embodiment of the present disclosure provides a packet forwarding method based on a DPU and national cryptographic algorithms, whose hardware relies on the DPU; the method can be widely applied to VPN gateways and offloads IPSec traffic to the DPU for forwarding.
Fig. 1 is a flowchart of a packet forwarding method based on a DPU and national cryptographic algorithms according to the present disclosure. The method may be executed by a packet forwarding device of a VPN gateway, which may be implemented by a combination of software and hardware and may be arranged in an electronic device such as a server. Fig. 2 is a schematic diagram of an application scenario provided by the embodiment of the present disclosure; the method may be applied to the scenario shown in Fig. 2, which includes a server 201, a DPU 202, a VPN gateway 203 and a client virtual machine 204.
The packet forwarding method based on a DPU and national cryptographic algorithms shown in Fig. 1 is described below with reference to the application scenario of Fig. 2; for example, the server 201 in Fig. 2 may execute the method. The method comprises the following steps:
S101: pass a packet received from at least one client virtual machine to the DPU.
For example, when the server 201 receives a packet from the client virtual machine 204 through its MAC, it passes the packet to the DPU 202, and the DPU 202 forwards the packet in the subsequent steps. Specifically, in the example of Fig. 2, the packet is passed to the PPE engine 2022 in the DPU 202, where the PPE (Packet Processing Engine) is the engine used to forward packets.
S102: query whether the DPU stores an IPSec SA that matches the packet and is used to send the packet to the peer VPN gateway.
The server 201 queries whether the DPU 202 stores an IPSec SA for sending the packet of the client virtual machine 204 to the VPN gateway 203. In the example of Fig. 2, it specifically queries whether the IPSec SA is stored in the DOE engine 2021 in the DPU 202, where the DOE (Data Offload Engine) is the data storage engine.
An SA (Security Association) is an agreement between communicating peers on certain elements that describes how the peers communicate securely using security services (e.g. encryption). These elements include which security protocol is used between the peers, the characteristics of the data flows to be protected, the encapsulation mode of the data transmitted between the peers, the encryption and authentication algorithms used by the protocol, the keys used for the security transformation and transmission of the data, and the lifetime of the SA and of those keys.
If so, S104 is executed directly;
if not, S103 is executed first, and then S104.
In some embodiments, the method further comprises S103: renegotiate with the peer VPN gateway to obtain the IPSec SA, and synchronize the IPSec SA into the DPU.
When no IPSec SA for sending the packet of the client virtual machine 204 to the VPN gateway 203 is found in the DPU 202, the server 201 renegotiates with the VPN gateway 203 to obtain the IPSec SA and synchronizes it to the DPU 202.
S104: trigger the DPU to encrypt the packet based on the IPSec SA and the national cryptographic algorithm, and forward the encrypted data to the peer VPN gateway.
When the IPSec SA is stored in the DPU 202, the DPU 202 is triggered to encrypt the packet with the cryptographic algorithm recorded in the IPSec SA to obtain encrypted data, and the encrypted data is forwarded to the VPN gateway 203 based on the IPSec SA. In the example of Fig. 2, specifically, when the DOE engine 2021 stores the IPSec SA, the PPE engine 2022 in the DPU 202 is triggered to invoke the national cryptographic CRYPTO engine, which encrypts the packet with the national cryptographic algorithm to produce an encrypted data packet; the PPE engine 2022 then forwards the encrypted packet to the VPN gateway 203 based on the IPSec SA, and the VPN gateway 203 decrypts it and routes the decrypted packet to the corresponding client virtual machine.
According to the embodiment of the disclosure, a packet received from a client virtual machine is passed to the DPU; the DPU is then queried for an IPSec SA used to send the packet to the peer VPN gateway; if one is stored, the DPU is triggered to encrypt the packet based on the IPSec SA and the national cryptographic algorithm, and the encrypted data is forwarded to the peer VPN gateway. National cryptographic encryption and data forwarding are thus offloaded to the DPU, freeing the server's computing power; and because the DPU has the stronger data-processing capability, several clients can share one DPU, which reduces client cost.
In some embodiments, renegotiating with the peer VPN gateway to obtain the IPSec SA comprises: performing a national-cryptographic IKE negotiation with the peer VPN gateway to obtain an IKE SA; and negotiating with the peer VPN gateway based on the IKE SA to obtain the IPSec SA.
In the manual mode of IPSec SA configuration, every parameter needed to establish the SA must be configured by hand and can only be refreshed by hand, so in medium and large networks the key-management cost of this mode is very high; the IPSec SA is therefore usually established through IKE. In the IKE mode, the encryption and authentication keys needed to establish the IPSec SA are generated by the DH algorithm and can be refreshed dynamically, so the key-management cost is low and the security is high. The IKE approach is to negotiate an IKE SA first and then negotiate the IPSec SA under the protection of the IKE SA. The Internet Key Exchange (IKE) protocol is built on the framework defined by the Internet Security Association and Key Management Protocol (ISAKMP), and is an application-layer protocol carried over UDP (User Datagram Protocol) port 500.
In the example of Fig. 2, a DPDK (Data Plane Development Kit) is installed on the SOC 2024 (System on Chip) of the DPU 202; the DPDK is a development kit that maps packets received from the network card directly into user space. In the process of negotiating the IPSec SA, the IKE process on the server 201 first performs a national-cryptographic IKE negotiation with the VPN gateway 203 to obtain the IKE SA, then performs a national-cryptographic IPSec negotiation on the basis of that IKE SA to obtain the IPSec SA. The server 201 then synchronizes the negotiated IPSec SA to the IPSec process on the SOC 2024 of the DPU 202; the IPSec process synchronizes the flow information and the IPSec SA information to the hardware engines through the RTE_FLOW interface (RTE_FLOW is the generic DPDK API for configuring hardware to match specific ingress or egress traffic) and stores them in the DOE engine 2021. Subsequent packets of the flow are forwarded to the VPN gateway 203 by the PPE engine 2022 based on the negotiated IPSec SA; the PPE engine 2022 accelerates the forwarding of packet traffic in hardware, improving the VPN's traffic-forwarding efficiency and thereby offloading the relevant IPSec operations to the DPU hardware engines.
According to the embodiment of the disclosure, the IKE SA is obtained by negotiation and the IPSec SA is then obtained by negotiating with the peer VPN gateway based on the IKE SA, which reduces the key-management cost and improves security; at the same time, the negotiated IPSec SA is synchronized into the DPU, so that subsequent packets of the flow are forwarded by the DPU, the relevant IPSec traffic operations are offloaded to the DPU, and the server's computing power is freed.
On the basis of the above embodiment, the DPU comprises a DOE engine, a PPE engine and a national cryptographic CRYPTO engine. Querying whether the DPU stores an IPSec SA that matches the packet and is used to send the packet to the peer VPN gateway comprises: querying whether the DOE engine stores such an IPSec SA. Triggering the DPU to encrypt the packet based on the IPSec SA and the national cryptographic algorithm and forwarding the encrypted data to the peer VPN gateway comprises: triggering the PPE engine to call the national cryptographic CRYPTO engine to encrypt the packet, and forwarding the encrypted data to the peer VPN gateway based on the IPSec SA.
With reference to Fig. 2, the DPU 202 contains a DOE engine 2021, a PPE engine 2022 and a national cryptographic CRYPTO engine 2023, all of which are hardware engines. The DOE engine 2021 is a data storage engine that stores the IPSec SA information; the PPE engine 2022 is a packet processing engine that forwards packet traffic and accelerates the forwarding in hardware; the national cryptographic CRYPTO engine 2023 implements the national cryptographic algorithms in hardware logic and accelerates packet encryption in hardware.
The server 201 queries whether an IPSec SA for sending the packet of the client virtual machine 204 to the VPN gateway 203 is stored in the DPU 202, specifically by querying the DOE engine 2021 in the DPU 202. When the DPU 202 is triggered to encrypt the packet based on the IPSec SA and the national cryptographic algorithm and forward the encrypted data to the VPN gateway 203, specifically the PPE engine 2022 is triggered to call the national cryptographic CRYPTO engine 2023 to encrypt the packet: the CRYPTO engine 2023 performs the hash operation, the encryption and the addition of the ESP header on the packet, all with national cryptographic algorithms, which realizes hardware acceleration of national cryptographic encryption; the PPE engine 2022 then forwards the encrypted data to the VPN gateway 203 based on the IPSec SA, which realizes hardware acceleration of IPSec traffic forwarding.
The national cryptographic algorithms are issued by the national cryptography administration and include the symmetric encryption algorithms SM1 and SM4, the hash algorithm SM3, the asymmetric algorithm SM2 and other cryptographic algorithms. For example, the national cryptographic CRYPTO engine may be a hardware implementation of the SM3 and SM4 algorithms, both of which are publicly specified algorithms. ESP (Encapsulating Security Payload) is the IPSec protocol that provides confidentiality and data integrity for IP packets, together with data-origin authentication and resistance to replay attacks.
According to the embodiment of the disclosure, a DOE engine, a PPE engine and a national cryptographic CRYPTO engine are provided in the DPU: the DOE engine stores the IPSec SA information, the PPE engine calls the CRYPTO engine to encrypt the packet, and the PPE engine forwards the encrypted data to the peer VPN gateway based on the IPSec SA. Encryption with the national cryptographic algorithm and the forwarding of packet traffic are thus offloaded to the DPU; the packets no longer need to be processed by the server, and the computing power of the server's CPU (central processing unit) is freed.
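The forwarding path of S101 to S104, the negotiate-and-synchronize fallback of S103 and the ESP anti-replay protection described above, modelled as an added example that is not code from the patent or from Yusur. It assumes the DOE SA table is a dict keyed by flow selectors, the IKE exchange is reduced to producing a shared SPI and keys on both gateways, the RTE_FLOW programming is a dict insert, and SM4/SM3 are replaced by SHA-256-based stand-ins because the Python standard library has no SM primitives; the SA lifetime is counted in packets.

```python
"""Constructed model of the split data path: the host queries the DPU's SA table
(DOE engine), negotiates and synchronizes an SA on a miss, and the packet engine (PPE)
ESP-encapsulates. SM4/SM3 of the real CRYPTO engine are replaced by hashlib stand-ins."""
import hashlib, hmac, secrets, struct
from dataclasses import dataclass

ESP_HDR = struct.Struct("!II")  # SPI and sequence number, as in the RFC 4303 header
ICV_LEN = 16                    # ICV truncated to 128 bits
WINDOW = 64                     # receiver anti-replay window size

@dataclass
class IPSecSA:
    spi: int
    flow: tuple                 # traffic selectors (src, dst, proto) the SA is matched on
    enc_key: bytes
    auth_key: bytes
    hard_lifetime_pkts: int     # SA lifetime in packets; expiry forces a renegotiation
    seq: int = 0                # sender: last sequence number used
    last_seq: int = 0           # receiver: highest sequence number accepted
    window: int = 0             # receiver: bitmap of accepted numbers below last_seq

def keystream(key, spi, seq, n):
    """Stand-in for SM4-CTR: SHA-256(key || spi || seq || block index) blocks."""
    blocks = (hashlib.sha256(key + struct.pack("!IIQ", spi, seq, i)).digest()
              for i in range(0, n, 32))
    return b"".join(blocks)[:n]

def replay_check_and_update(sa, seq):
    """RFC 4303 sliding window: accept a new highest or an unseen in-window number."""
    if seq == 0:
        return False
    if seq > sa.last_seq:
        sa.window = ((sa.window << (seq - sa.last_seq)) | 1) & ((1 << WINDOW) - 1)
        sa.last_seq = seq
        return True
    diff = sa.last_seq - seq
    if diff >= WINDOW or (sa.window >> diff) & 1:
        return False            # older than the window, or already received
    sa.window |= 1 << diff
    return True

def esp_encapsulate(sa, payload):
    """PPE path: consume a sequence number, encrypt, ICV over SPI|seq|ciphertext."""
    sa.seq += 1
    hdr = ESP_HDR.pack(sa.spi, sa.seq)
    ks = keystream(sa.enc_key, sa.spi, sa.seq, len(payload))
    ct = bytes(a ^ b for a, b in zip(payload, ks))
    return hdr + ct + hmac.new(sa.auth_key, hdr + ct, hashlib.sha256).digest()[:ICV_LEN]

def esp_decapsulate(sa, pkt):
    """Peer gateway: verify the ICV before touching replay state, then decrypt."""
    if len(pkt) < ESP_HDR.size + ICV_LEN:
        return None
    hdr, ct, icv = pkt[:ESP_HDR.size], pkt[ESP_HDR.size:-ICV_LEN], pkt[-ICV_LEN:]
    spi, seq = ESP_HDR.unpack(hdr)
    expect = hmac.new(sa.auth_key, hdr + ct, hashlib.sha256).digest()[:ICV_LEN]
    if spi != sa.spi or not hmac.compare_digest(icv, expect):
        return None
    if not replay_check_and_update(sa, seq):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(sa.enc_key, spi, seq, len(ct))))

def doe_lookup(doe_table, flow):
    """DPU-side SA store keyed by flow selectors (the DOE engine of the text)."""
    sa = doe_table.get(flow)
    if sa is not None and sa.seq >= sa.hard_lifetime_pkts:
        del doe_table[flow]     # an expired SA is never reused; the miss forces a rekey
        return None
    return sa

def negotiate_ipsec_sa(flow, lifetime_pkts):
    """Stand-in for the IKE exchange: both gateways end up with the same fresh SPI and keys."""
    spi = secrets.randbelow(2**32 - 256) + 256          # SPI values 0-255 are reserved
    ek, ak = secrets.token_bytes(16), secrets.token_bytes(32)
    local_sa = IPSecSA(spi, flow, ek, ak, lifetime_pkts)
    return local_sa, IPSecSA(spi, flow, ek, ak, lifetime_pkts)

def host_forward(doe_table, peer_inbound, flow, payload, lifetime_pkts=1000):
    """Server-side S101-S104. Returns the ESP packet and whether a negotiation was needed."""
    sa, negotiated = doe_lookup(doe_table, flow), False   # S102: query the DPU
    if sa is None:                                         # S103: miss -> negotiate and sync
        sa, peer_sa = negotiate_ipsec_sa(flow, lifetime_pkts)
        doe_table[sa.flow] = sa                            # stands in for RTE_FLOW programming
        peer_inbound[peer_sa.spi] = peer_sa                # peer gateway installs its copy
        negotiated = True
    return esp_encapsulate(sa, payload), negotiated        # S104: DPU encrypts and forwards

def demo():
    """Two packets of one flow (first negotiates, second hits), then replay and tamper checks."""
    flow, doe_table, peer_inbound = ("10.0.0.5", "10.1.0.9", 6), {}, {}   # constructed flow
    pkt1, neg1 = host_forward(doe_table, peer_inbound, flow, b"hello from the client VM")
    pkt2, neg2 = host_forward(doe_table, peer_inbound, flow, b"second packet, SA hit")
    peer_sa = peer_inbound[ESP_HDR.unpack(pkt1[:ESP_HDR.size])[0]]
    return {"negotiated": (neg1, neg2),
            "plain1": esp_decapsulate(peer_sa, pkt1),
            "plain2": esp_decapsulate(peer_sa, pkt2),
            "replay": esp_decapsulate(peer_sa, pkt1),      # seq 1 already seen: rejected
            "tampered": esp_decapsulate(peer_sa, pkt2[:-1] + bytes([pkt2[-1] ^ 1]))}
```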
Fig. 3 is a schematic structural diagram of a packet forwarding apparatus based on a DPU and national cryptographic algorithms according to an embodiment of the present disclosure. The apparatus may be a component or assembly of a server as in the above embodiments, and may execute the processing procedure provided by the packet forwarding method based on a DPU and national cryptographic algorithms. As shown in Fig. 3, the packet forwarding apparatus 300 comprises: a receiving module 301, configured to pass a packet received from at least one client virtual machine to the DPU; a query module 302, configured to query whether the DPU stores an IPSec SA that matches the packet and is used to send the packet to the peer VPN gateway; and a forwarding module 303, configured to trigger the DPU, if such an SA is stored, to encrypt the packet based on the IPSec SA and the national cryptographic algorithm, and to forward the encrypted data to the peer VPN gateway.
In some embodiments, the packet forwarding apparatus 300 further comprises a negotiation module 304, configured to renegotiate with the peer VPN gateway to obtain the IPSec SA if no such IPSec SA is stored, and to synchronize the IPSec SA to the DPU.
In some embodiments, when renegotiating with the peer VPN gateway to obtain the IPSec SA, the negotiation module 304 is specifically configured to perform a national-cryptographic IKE negotiation with the peer VPN gateway to obtain an IKE SA, and to negotiate with the peer VPN gateway based on the IKE SA to obtain the IPSec SA.
In some embodiments, the DPU comprises a DOE engine, a PPE engine and a national cryptographic CRYPTO engine; when querying whether the DPU stores an IPSec SA that matches the packet and is used to send the packet to the peer VPN gateway, the query module 302 is specifically configured to query whether the DOE engine stores such an IPSec SA; and when triggering the DPU to encrypt the packet based on the IPSec SA and the national cryptographic algorithm and forward the encrypted data to the peer VPN gateway, the forwarding module 303 is specifically configured to trigger the PPE engine to call the national cryptographic CRYPTO engine to encrypt the packet, and to forward the encrypted data to the peer VPN gateway based on the IPSec SA.
The packet forwarding apparatus based on a DPU and national cryptographic algorithms of the embodiment shown in Fig. 3 may be used to implement the technical solution of the method embodiment; its implementation principle and technical effect are similar and are not described here again.
Fig. 4 is a schematic structural diagram of an electronic device provided by an embodiment of the present disclosure. The electronic device may be a server as in the above embodiments, and may execute the processing flow provided by the embodiment of the packet forwarding method based on a DPU and national cryptographic algorithms. As shown in Fig. 4, the electronic device 400 comprises a memory 401, a processor 402, a computer program and a communication interface 403; the computer program is stored in the memory 401 and is configured to be executed by the processor 402 to perform the above packet forwarding method based on a DPU and national cryptographic algorithms.
In addition, an embodiment of the present disclosure also provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the packet forwarding method based on a DPU and national cryptographic algorithms of the foregoing embodiments.
It is noted that, in this document, relational terms such as "first" and "second" may be used solely to distinguish one entity or action from another without necessarily requiring or implying any actual such relationship or order between them. Also, the terms "comprises", "comprising" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to it. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in the process, method, article or apparatus that comprises the element.
The foregoing are merely exemplary embodiments of the present disclosure, which enable those skilled in the art to understand or practice the present disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A packet forwarding method based on a DPU and national cryptographic algorithms, characterized by comprising:
passing a packet received from at least one client virtual machine to the DPU;
querying whether the DPU stores an IPSec SA that matches the packet and is used to send the packet to a peer VPN gateway; and
if such an SA is stored, triggering the DPU to encrypt the packet based on the IPSec SA and the national cryptographic algorithm, and forwarding the encrypted data to the peer VPN gateway.
2. The method of claim 1, further comprising:
if no such SA is stored, renegotiating with the peer VPN gateway to obtain the IPSec SA, and synchronizing the IPSec SA to the DPU.
3. The method of claim 2, wherein renegotiating with the peer VPN gateway to obtain the IPSec SA comprises:
performing a national-cryptographic IKE negotiation with the peer VPN gateway to obtain an IKE SA; and
negotiating with the peer VPN gateway based on the IKE SA to obtain the IPSec SA.
4. The method of claim 1, wherein the DPU comprises a DOE engine, a PPE engine and a national cryptographic CRYPTO engine;
querying whether the DPU stores the IPSec SA that matches the packet and is used to send the packet to the peer VPN gateway comprises:
querying whether the DOE engine stores an IPSec SA that matches the packet and is used to send the packet to the peer VPN gateway; and
triggering the DPU to encrypt the packet based on the IPSec SA and the national cryptographic algorithm and forwarding the encrypted data to the peer VPN gateway comprises:
triggering the PPE engine to call the national cryptographic CRYPTO engine to encrypt the packet, and forwarding the encrypted data to the peer VPN gateway based on the IPSec SA.
5. A message forwarding device based on DPU and national password is characterized by comprising:
a receiving module, configured to transmit a received message of at least one client virtual machine to a DPU;
the query module is used for querying whether the DPU stores the IPSec SA which is matched with the message and is used for sending the message to an opposite-end VPN gateway;
and the forwarding module is used for triggering the DPU to encrypt the message based on the IPSec SA and the national cryptographic algorithm if such an IPSec SA is stored, and forwarding the encrypted data to the opposite-end VPN gateway.
6. The apparatus of claim 5, wherein the apparatus further comprises a negotiation module configured to renegotiate with the opposite-end VPN gateway to obtain the IPSec SA and synchronize the IPSec SA to the DPU if no such IPSec SA is stored.
7. The apparatus according to claim 6, wherein the negotiation module, when renegotiating with the opposite-end VPN gateway to obtain the IPSec SA, is specifically configured to perform national cryptographic IKE negotiation with the opposite-end VPN gateway to obtain an IKE SA; and to negotiate with the opposite-end VPN gateway based on the IKE SA to obtain the IPSec SA.
8. The apparatus of claim 5, wherein the DPU comprises a DOE engine, a PPE engine, and a national cryptographic CRYPTO engine;
the query module, when querying whether the DPU stores the IPSec SA which is matched with the message and is used for sending the message to the opposite-end VPN gateway, is specifically configured to query whether the DOE engine stores the IPSec SA which is matched with the message and is used for sending the message to the opposite-end VPN gateway;
the forwarding module, when triggering the DPU to encrypt the message based on the IPSec SA and the national cryptographic algorithm and forwarding the encrypted data to the opposite-end VPN gateway, is specifically configured to trigger the PPE engine to call the national cryptographic CRYPTO engine to encrypt the message, and to forward the encrypted data to the opposite-end VPN gateway based on the IPSec SA.
9. An electronic device, comprising:
a memory;
a processor; and
a computer program;
wherein the computer program is stored in the memory and configured to be executed by the processor to implement the method of any one of claims 1-4.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-4.
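As an added example (not code from the patent or from Yusur), a small Python model of the flow in claims 1 to 4: the host hands a VM packet to the DPU, the DOE engine is queried for a matching outbound IPSec SA, and on a hit the PPE engine has the CRYPTO engine encrypt and forward it, while on a miss (claims 2 and 3) the host renegotiates and syncs the new SA to the DPU. Assumed: an HMAC-SHA256 keystream stands in for the national cryptographic cipher (SM4 is not in the standard library), the IKE exchange is reduced to producing fresh key material, and ESP is reduced to SPI, sequence number and ciphertext.

```python
# Added example (not code from the patent): claims 1-4 as a host/DPU model. The host hands a
# VM packet to the DPU, the DOE engine is queried for a matching outbound IPSec SA, and on a hit
# the PPE engine calls the CRYPTO engine to encrypt and forward; on a miss (claims 2-3) the host
# renegotiates and syncs the new SA to the DPU. Assumptions: SM4 is not in the stdlib, so an
# HMAC-SHA256 keystream stands in for the national cryptographic cipher; IKE is reduced to
# fresh key material; ESP is reduced to SPI + sequence number + ciphertext.
import hashlib, hmac, os
from dataclasses import dataclass

@dataclass
class Packet:
    src: str; dst: str; proto: int; payload: bytes

@dataclass
class IpsecSa:            # outbound SA: traffic selector, SPI, key, anti-replay sequence counter
    selector: tuple; spi: int; key: bytes; seq: int = 0

class DoeEngine:          # DPU-side SA table consulted for every packet
    def __init__(self): self.sa_table = {}
    def lookup(self, pkt): return self.sa_table.get((pkt.src, pkt.dst, pkt.proto))
    def install(self, sa): self.sa_table[sa.selector] = sa

class CryptoEngine:       # stand-in for the DPU's national cryptographic CRYPTO engine
    def encrypt(self, key, spi, seq, data):
        stream = b""
        while len(stream) < len(data):   # CTR-style keystream bound to (SPI, seq, block offset)
            ctr = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + len(stream).to_bytes(4, "big")
            stream += hmac.new(key, ctr, hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(data, stream))   # XOR is its own inverse

class PpeEngine:          # packet-processing engine: builds the ESP frame for the SA
    def __init__(self, crypto): self.crypto = crypto
    def esp_encapsulate(self, sa, pkt):
        sa.seq += 1                      # monotonic sequence number for the peer's replay window
        body = self.crypto.encrypt(sa.key, sa.spi, sa.seq, pkt.payload)
        return sa.spi.to_bytes(4, "big") + sa.seq.to_bytes(4, "big") + body

class Dpu:
    def __init__(self): self.doe, self.ppe = DoeEngine(), PpeEngine(CryptoEngine())

class Host:               # server-side control plane in front of the DPU
    def __init__(self, dpu, gateway): self.dpu, self.gateway, self.renegotiations = dpu, gateway, 0
    def negotiate_ipsec_sa(self, pkt):   # simulated IKE with the opposite-end VPN gateway
        self.renegotiations += 1
        spi = int.from_bytes(os.urandom(4), "big") | 0x100   # keep clear of reserved SPIs 0-255
        return IpsecSa((pkt.src, pkt.dst, pkt.proto), spi, os.urandom(16))
    def forward(self, pkt):
        sa = self.dpu.doe.lookup(pkt)
        if sa is None:                   # miss: negotiate on the host, then sync SA to the DPU
            sa = self.negotiate_ipsec_sa(pkt)
            self.dpu.doe.install(sa)
        return self.gateway, self.dpu.ppe.esp_encapsulate(sa, pkt)
```

Only the first packet of a flow costs a host-side negotiation; every later packet with the same selector is served from the SA the DPU already holds, which is the offload the claims describe.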
CN202211397840.7A 2022-11-09 2022-11-09 Message forwarding method, device, equipment and medium based on DPU and national cipher Active CN115766172B (en)

Publications (2)

Publication Number Publication Date
CN115766172A true CN115766172A (en) 2023-03-07
CN115766172B CN115766172B (en) 2024-09-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant