CN116389035A - Data message processing method, chip and forwarding equipment - Google Patents


Info

Publication number: CN116389035A
Authority: CN (China)
Prior art keywords: encryption; data message; decryption; resource management; management module
Legal status: Pending
Application number: CN202211737745.7A
Other languages: Chinese (zh)
Inventors: 姚飞, 龚海东, 米特特
Current Assignee: Suzhou Centec Communications Co Ltd
Original Assignee: Suzhou Centec Communications Co Ltd
Application filed by Suzhou Centec Communications Co Ltd
Priority to CN202211737745.7A
Publication of CN116389035A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0478: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00: Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/041: Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00, using an encryption or decryption engine integrated in transmitted data
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Multi Processors (AREA)

Abstract

The invention provides a data message processing method, a chip and a forwarding device. The method is applied to the chip of the forwarding device, in which a loopback path is formed among a forwarding core module, a resource management module and an encryption and decryption engine. The method comprises: S1: after the forwarding core module obtains the data message, it looks up the encryption and decryption parameters corresponding to the data message in the encryption and decryption flow table and sends the data message and the parameters to the resource management module; S2: the resource management module sends the data message and the encryption and decryption parameters to the encryption and decryption engine; S3: the encryption and decryption engine encrypts or decrypts the data message using the parameters and sends the processed data message to the resource management module; S4: the resource management module sends the processed data message to the forwarding core module; S1 to S4 are repeated until the encryption and decryption engine determines that the multi-layer encryption and decryption of the data message is complete. The invention greatly reduces the load on the data path between the CPU and the chip and the occupancy of CPU resources.

Description

Data message processing method, chip and forwarding equipment
Technical Field
The present invention relates to the field of network communications technologies, and in particular, to a data packet processing method, a chip, and a forwarding device.
Background
In existing networks the requirements for data security keep increasing, and encrypting and decrypting data messages is becoming a basic requirement of data forwarding devices. Single-layer and even multi-layer encryption of data messages has become a new challenge for the design of data forwarding devices.
Because encrypting and decrypting data messages consumes a large amount of CPU, practical data forwarding devices generally adopt encryption and decryption offloading; that is, placing the encryption and decryption of data messages on a hardware chip has become a common scheme.
However, the above scheme requires the chip to send the data message to the CPU multiple times so that the encryption and decryption parameters can be looked up and the service-plane forwarding operation performed. This occupies the data path between the chip and the CPU multiple times, seriously affecting the utilization of that data path, and also consumes CPU resources unnecessarily, thereby seriously affecting the performance of the data forwarding device as a whole.
Disclosure of Invention
One of the purposes of the present invention is to provide a data message processing method, a chip and a forwarding device, which are used for greatly reducing the load of a data path between a CPU and the chip and reducing the occupancy rate of CPU resources.
In a first aspect, the present invention provides a data packet processing method applied to a chip of a forwarding device. The chip comprises a forwarding core module, an encryption and decryption engine and a resource management module, and a loopback path is formed among the forwarding core module, the resource management module and the encryption and decryption engine. The method comprises the following steps: S1: after the forwarding core module obtains the data message, it looks up the encryption and decryption parameters corresponding to the data message in an encryption and decryption flow table and sends the data message and the parameters to the resource management module; S2: the resource management module sends the data message and the encryption and decryption parameters to the encryption and decryption engine; S3: the encryption and decryption engine encrypts or decrypts the data message using the parameters and sends the processed data message to the resource management module; S4: the resource management module sends the processed data message to the forwarding core module; S1 to S4 are repeated until the encryption and decryption engine determines that the data message has undergone multi-layer encryption and decryption.
In a second aspect, the present invention provides a chip applied to a forwarding device, where the chip includes a forwarding core module, an encryption and decryption engine and a resource management module, and a loopback path is formed among the forwarding core module, the resource management module and the encryption and decryption engine. The forwarding core module is configured to execute S1: after obtaining a data message, look up the encryption and decryption parameters corresponding to the data message in an encryption and decryption flow table and send the data message and the parameters to the resource management module. The resource management module is configured to execute S2: send the data message and the encryption and decryption parameters to the encryption and decryption engine. The encryption and decryption engine is configured to execute S3: encrypt or decrypt the data message using the parameters and send the processed data message to the resource management module. The resource management module is configured to execute S4: send the processed data message to the forwarding core module. S1 to S4 are repeated until the encryption and decryption engine determines that the data message has undergone multi-layer encryption and decryption.
In a third aspect, the present invention provides a forwarding device including a chip and a CPU that are communicatively connected. The chip comprises a forwarding core module, an encryption and decryption engine and a resource management module; a loopback path is formed among the forwarding core module, the resource management module and the encryption and decryption engine, and the chip is used to execute the data message processing method according to the first aspect.
After receiving a data message, the forwarding core module in the chip looks up the encryption and decryption parameters and sends them, together with the data message, to the encryption and decryption engine through the resource management module. After the engine has encrypted or decrypted the data message with those parameters, the processed message is returned to the forwarding core module over the loopback path, and the process is repeated until the multi-layer encryption and decryption is complete. By combining the loopback mechanism with the forwarding core of the chip, the lookup of encryption and decryption information that would otherwise have to be handled by the CPU is offloaded to the hardware chip. The load on the data path between the CPU and the chip is greatly reduced, and the occupancy of CPU resources is reduced.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is an exemplary diagram of a VxLAN message;
FIG. 2 is a schematic diagram of a prior art double-layer encrypted data message entering a forwarding device for double-layer decryption and forwarding;
FIG. 3 is a schematic diagram of a chip according to an embodiment of the present invention;
FIG. 4 is a schematic flow chart of a data message processing method according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a method for encrypting and decrypting a data message in a double layer according to an embodiment of the present invention;
FIG. 6 is a block diagram of a forwarding device according to an embodiment of the present invention.
Reference numerals: 100, chip; 200, CPU; 300, forwarding device; 101, forwarding core module; 102, encryption and decryption engine; 103, resource management module; 101-1, ingress direction processing engine; 101-2, egress direction processing engine.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. The components of the embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the invention, as presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
In the description of the present invention, it should be noted that, if the terms "upper", "lower", "inner", "outer", and the like indicate an azimuth or a positional relationship based on the azimuth or the positional relationship shown in the drawings, or the azimuth or the positional relationship in which the inventive product is conventionally put in use, it is merely for convenience of describing the present invention and simplifying the description, and it is not indicated or implied that the apparatus or element referred to must have a specific azimuth, be configured and operated in a specific azimuth, and thus it should not be construed as limiting the present invention.
Furthermore, the terms "first," "second," and the like, if any, are used merely for distinguishing between descriptions and not for indicating or implying a relative importance.
It should be noted that the features of the embodiments of the present invention may be combined with each other without conflict.
At present, single-layer and even multi-layer encryption of data messages has become a new challenge in the design of data forwarding equipment. Taking a virtual extensible local area network (VxLAN) service as an example, FIG. 1 is an exemplary diagram of a VxLAN message: the inner message is encrypted based on the service message, and after the inner message is encrypted, forwarding is performed based on the outer message. Since there are multiple encryption or decryption operations, and each operation depends on the output of the previous encryption or decryption, the operations are also split into multiple passes on the time line.
Because encrypting and decrypting messages is expensive for the CPU, offloading of encryption and decryption is generally adopted in practical SoC schemes; that is, placing the encryption and decryption of messages on a hardware chip has become a common scheme. In general, as shown in FIG. 2, which is a schematic diagram of a two-layer encrypted data packet in the prior art entering a forwarding device for two-layer decryption and forwarding and then being two-layer encrypted in the outgoing direction and sent from the forwarding device, the specific steps are as follows:
S01: the double-layer encrypted message enters the chip; the chip sends the message to the CPU; the CPU looks up and determines the outer ciphertext decryption parameters and sends them to the encryption and decryption engine of the chip for outer message decryption;
S02: the encryption and decryption engine of the chip decrypts the outer layer message, and the decrypted message is sent to the CPU again;
S03: the CPU looks up and determines the inner ciphertext decryption parameters and sends them to the encryption and decryption engine of the chip for inner message decryption;
S04: the encryption and decryption engine of the chip decrypts the inner layer message and sends the plaintext to the CPU again;
S05: after the CPU performs the service-plane forwarding edit on the plaintext, it looks up and determines the inner layer encryption parameters for the message in the outgoing direction and sends them back to the encryption and decryption engine of the chip to encrypt the inner layer message;
S06: the encryption and decryption engine of the chip encrypts the inner layer message and sends the ciphertext to the CPU;
S07: the CPU looks up and determines the outer layer encryption parameters and sends the message to the encryption and decryption engine of the chip;
S08: the encryption and decryption engine of the chip performs the outer encryption, and the ciphertext is sent out by the forwarding core module of the chip.
From the scheme shown in FIG. 2, in the above scenario a message must be sent to the CPU multiple times (in steps S01, S02 and S04 respectively) so that the encryption and decryption parameters can be looked up and the service-plane forwarding operation performed. This consumes CPU resources unnecessarily and occupies the data path between the chip and the CPU multiple times, seriously affecting the utilization of that data path. Since the processing performance of the CPU often determines the forwarding performance of the forwarding device, the scheme shown in FIG. 2 is also extremely detrimental to the performance of the forwarding device as a whole.
In view of the above scheme's repeated occupation of the access resources between the chip and the CPU and repeated consumption of CPU resources, the embodiments of the present invention provide a chip and a chip-based data packet processing method, which aim to reduce the occupation of the access resources between the chip and the CPU, reduce the consumption of CPU resources, and improve the effective utilization of the CPU.
Referring to FIG. 3, which is a schematic diagram of a chip provided in an embodiment of the present invention, the chip may be applied in a forwarding device, where the chip 100 may be communicatively connected to a CPU 200 in the forwarding device. The chip 100 includes a forwarding core module 101, an encryption and decryption engine 102 and a resource management module 103; the forwarding core module 101 may include an ingress direction processing engine 101-1 and an egress direction processing engine 101-2, and a loopback path is formed between the forwarding core module 101, the resource management module 103 and the encryption and decryption engine 102. The functional blocks of the chip 100 are described in detail below.
The forwarding core module 101 comprises an ingress direction processing engine 101-1 and an egress direction processing engine 101-2. The ingress direction processing engine 101-1 mainly looks up the encryption and decryption parameters of data messages arriving at the chip ingress and of data messages looped back through the loopback path; the egress direction processing engine 101-2 sends the multi-layer encrypted data message out of the chip 100.
The resource management module 103 is mainly responsible for scheduling the resources of the data messages entering the module and outputting the data messages according to their priority. The data messages entering the resource management module 103 mainly come from the ingress direction processing engine 101-1 and the encryption and decryption engine 102, and the data messages output by the resource management module 103 are sent to the encryption and decryption engine 102, the ingress direction processing engine 101-1 and the egress direction processing engine 101-2.
The chip encryption and decryption engine 102 is configured to perform encryption and decryption processing and authentication on the data packets it obtains. The encryption and decryption algorithms supported by the chip encryption and decryption engine 102 include, but are not limited to, GCM-AES, GCM-SM4, CBC-AES and CBC-SM4; the authentication algorithms it supports include, but are not limited to, SHA1, SHA256 and SM3.
It can be summarized from the above chip structure that the data packets entering the loopback path mainly come from two directions:
1. Data messages entering the chip from the ingress of the chip 100.
2. Data messages issued by the CPU 200 to the encryption and decryption engine 102.
The data messages output from the loopback path are sent in two directions:
1. The encryption and decryption engine 102 sends the multi-layer decrypted data message to the CPU 200.
2. The resource management module 103 sends the multi-layer decrypted data message to the egress direction processing engine 101-2.
The connections between the modules in the chip 100 are described in detail below with reference to FIG. 3:
Path 0: the path between the ingress direction processing engine 101-1 and the resource management module 103. In the embodiment of the present invention it carries data messages and encryption and decryption parameters; specifically, the ingress direction processing engine 101-1 sends the information related to the data messages and the packets carrying the encryption and decryption parameters to the resource management module 103 through path 0, where they are stored and wait to be scheduled.
Path 1: the path looping back from the resource management module 103 to the ingress direction processing engine 101-1. In the embodiment of the present invention it carries data messages that have been encrypted or decrypted at least once.
Path 2: the path from the resource management module 103 to the egress direction processing engine 101-2. In the embodiment of the present invention its main purpose is to send the multi-layer encrypted data packet out of the forwarding core module 101.
Path 3: the path from the resource management module 103 to the encryption and decryption engine 102. In the embodiment of the present invention it carries the data messages to be encrypted or decrypted together with the encryption and decryption parameters.
Path 4: the path from the encryption and decryption engine 102 to the resource management module 103. In the embodiment of the present invention it carries data messages that have been encrypted or decrypted at least once.
Path 5: a bidirectional path for passing messages between the chip 100 and the CPU 200.
Path 6: the loopback path provided by the embodiment of the present invention. Using the hardware loopback architecture of the chip 100, the embodiment implements multi-layer message encryption and decryption, authentication, and single-layer message encryption after encryption and decryption or after authentication and encryption.
Among the paths described above, the data transfer means include, but are not limited to, direct memory access (DMA) transfer, bus transfer, and the like.
Based on the above chip 100, an embodiment of the present invention provides a data packet processing method, as shown in fig. 4, fig. 4 is a schematic flowchart of the data packet processing method provided by the embodiment of the present invention, which may include the following steps:
S1: after the forwarding core module obtains the data message, it looks up the encryption and decryption parameters corresponding to the data message in the encryption and decryption flow table and sends the data message and the parameters to the resource management module.
The data messages involved in the embodiment of the invention are all multi-layer messages, i.e. multi-layer messages that require multi-layer encryption and decryption.
It may be appreciated that, in an encryption scenario, the forwarding core module may search, according to the message information of the data message, an encryption parameter from an encryption flow table, where the encryption flow table is used to maintain the encryption parameter, where the encryption parameter may include, but is not limited to, an encryption type, an encryption algorithm, a key, and a key length; in a decryption scenario, the forwarding core module may look up decryption parameters from a decryption flow table according to the message information of the data message, where the decryption flow table is used to maintain the decryption parameters, and the decryption parameters may include, but are not limited to, a decryption type, a decryption algorithm, a key, and a key length.
From the above loopback path it can be seen that the data message obtained by the ingress direction processing engine may be a data message looped back through the loopback path that has already been encrypted or decrypted at least once, or may be a data message newly arriving at the chip ingress.
S2: the resource management module sends the data message and the encryption and decryption parameters to the encryption and decryption engine.
S3: the encryption and decryption engine encrypts or decrypts the data message using the encryption and decryption parameters and sends the processed data message to the resource management module.
It can be understood that in the encryption scenario, the encryption and decryption engine receives the encryption parameters and then encrypts the data message by using the encryption parameters; in the decryption scenario, the encryption and decryption engine receives the decryption parameters, and then decrypts the data message by using the decryption parameters.
S4: the resource management module sends the encrypted and decrypted data message to the forwarding core module.
It can be understood that after the forwarding core module receives the encrypted and decrypted data message, the forwarding core module searches the encryption and decryption parameters again, then sends the searched encryption and decryption parameters and the data message to the encryption and decryption engine for encryption and decryption through the resource management module, and repeatedly executes S1 to S4 until the encryption and decryption engine determines that the data message is encrypted and decrypted in multiple layers.
It can be seen that in the above data message processing method, after a data message is received, the forwarding core module in the chip looks up the encryption and decryption parameters and sends them, together with the data message, to the encryption and decryption engine through the resource management module. After the engine has encrypted or decrypted the data message with those parameters, the processed message is returned to the forwarding core module over the loopback path, and the process is repeated until the multi-layer encryption and decryption is complete. By combining the loopback mechanism with the forwarding core of the chip, the lookup of encryption and decryption information that would otherwise have to be handled by the CPU is offloaded to the hardware chip to a much greater extent. The load on the data path between the CPU and the chip is greatly reduced, and the occupancy of CPU resources is reduced.
As can be seen from the above-mentioned chip architecture shown in fig. 3, step S1 is performed by the ingress direction processing engine of the forwarding core module in the implementation process.
Optionally, since the resource management module mainly schedules the resources entering the module and outputs them from its output end according to their priority, in steps S2 and S4, when several data messages are present, the resource management module determines the priority of each data message and sends the data messages and their encryption and decryption parameters to the encryption and decryption engine in order of priority.
In the implementation process, the resource management module can determine the priority of each data message according to the message type, message information, preset priority policy and other information of the plurality of data messages.
Optionally, after the chip completes the multi-layer decryption of the data message, the following steps may be further performed:
Step a1: the encryption and decryption engine sends the multi-layer decrypted data message to the CPU, so that the CPU edits the service information of the data message to obtain a target data message and sends the target data message, the inner layer encryption parameters corresponding to the target data message and the forwarding information to the encryption and decryption engine.
Step a2: after receiving the target data message, the corresponding inner layer encryption parameters and the forwarding information, the encryption and decryption engine performs multi-layer encryption on the target data message.
In the embodiment of the invention, after receiving the multi-layer decrypted data message, the CPU performs the service-plane forwarding lookup for the message, determines the forwarding egress and performs the related message editing actions, completing the service-plane operation and obtaining the target data message. At the same time it looks up the inner layer message encryption parameters based on the service plane to determine the inner layer encryption parameters. It then sends the target data message, the inner layer encryption parameters and the forwarding information together to the encryption and decryption engine; from the engine this information enters the loopback path until the multi-layer encryption of the target data message is complete, after which the resource management module sends the multi-layer encrypted target data message to the egress direction processing engine, which sends it out of the chip.
In practice, the forwarding information may include, but is not limited to, the source IP address, destination IP address, port number and outgoing interface information. During multi-layer encryption, the forwarding information is used to look up the encryption parameters corresponding to the target data message in the encryption flow table.
Optionally, after the chip completes the multi-layer encryption of the data message, the following steps may be further performed:
Step b1: the encryption and decryption engine sends the multi-layer encrypted data message to the resource management module;
Step b2: the resource management module sends the multi-layer encrypted data message to the forwarding core module;
Step b3: the forwarding core module sends the multi-layer encrypted data message out of the chip.
With reference to fig. 3, in an implementation process, the resource management module sending the multi-layer encrypted data message to the forwarding core module comprises: the resource management module sends the multi-layer encrypted data message to the outbound direction processing engine; and the forwarding core module sending the multi-layer encrypted data message out of the chip comprises: the outbound direction processing engine sends the multi-layer encrypted data message out of the chip.
In order to facilitate understanding of the complete implementation flow of the data message processing method, please refer to fig. 5, which is a schematic diagram of a data message double-layer encryption and decryption method provided by an embodiment of the present invention (the resource management module 103 of the chip 100 is omitted from fig. 5). The method may include the following steps:
S11: the forwarding core module parses the data message, searches the decryption flow table to obtain the outer-layer message decryption parameters, and sends the data message and the outer-layer message decryption parameters to the encryption and decryption engine.
S12: the encryption and decryption engine decrypts the outer-layer message of the data message according to the outer-layer message decryption parameters and sends the decrypted data message to the forwarding core module.
S13: the forwarding core module searches the decryption flow table to obtain the inner-layer message decryption flow table, confirms the inner-layer message decryption parameters and sends the inner-layer message decryption parameters to the encryption and decryption engine of the chip.
S14: the encryption and decryption engine decrypts the inner-layer message of the data message according to the inner-layer message decryption parameters, and then sends the decrypted data message to the CPU.
S15: the CPU performs a service-plane forwarding lookup for the message, confirms a forwarding outlet and executes the related message editing actions to obtain a target data message; at the same time it performs an inner-layer message encryption parameter lookup based on the service plane to determine the inner-layer encryption parameters, and then issues the target data message, the inner-layer message encryption parameters and the forwarding information to the encryption and decryption engine.
S16: the encryption and decryption engine encrypts the inner-layer message of the target data message according to the inner-layer encryption parameters. After the inner-layer message encryption is completed, the encrypted target data message and the forwarding information are sent to the forwarding core module.
S17: the forwarding core module looks up the encryption flow table according to the forwarding information to obtain the outer-layer message encryption parameters, and sends the outer-layer message encryption parameters to the encryption and decryption engine.
S18: the encryption and decryption engine encrypts the target data message according to the outer-layer message encryption parameters; after the outer-layer message encryption is completed, the target data message encrypted at both the inner layer and the outer layer is issued to the forwarding core module, and the forwarding core module sends the target data message directly out of the chip.
As can be seen by comparing the processing procedure shown in fig. 5 with that shown in fig. 2, in the data message processing method provided by the embodiment of the invention, the number of times data is sent to the CPU during the encryption and decryption processing of the data message is obviously reduced, repeated occupation of the access resources between the chip and the CPU is avoided, the consumption of CPU resources is reduced, and the effective utilization rate of the CPU is improved.
Optionally, the method may further include: authenticating the multi-layer encrypted or decrypted data message by using a preset authentication algorithm; or, before the data message is subjected to multi-layer encryption and decryption, authenticating the data message by using a preset authentication algorithm.
In the specific implementation process, any one of the following combinations may be adopted for authentication: inner-layer message encryption and decryption with outer-layer message authentication; inner-layer message authentication with outer-layer message encryption and decryption; and inner-layer message authentication with outer-layer message authentication.
As can be seen from the foregoing embodiments, the data message processing method provided by the embodiment of the present invention may be applied to the following scenarios in the forwarding equipment: the CPU encrypts and decrypts the inner-layer message to be processed and authenticates the outer-layer message; the CPU authenticates the inner-layer message and encrypts and decrypts the outer-layer message; the CPU encrypts and decrypts both the inner-layer message and the outer-layer message; and the CPU authenticates both the inner-layer message and the outer-layer message.
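The double-layer loop of S11 to S18, combined with the first authentication option above (inner-layer encryption with outer-layer authentication), as an added Python model; this is not code from the patent or from Suzhou Centec. It assumes a 4-byte flow-id header in front of each layer so that the forwarding core can key its decryption flow table, uses an HMAC-SHA256 keystream in counter mode as a stand-in for the engine's cipher, which the page does not specify, and constructs the keys, flow ids, forwarding tuple and the CPU's editing step; the names LayerParams, CryptoEngine, ResourceManager, ForwardingCore, decrypt_all and process_packet are this example's own.

```python
"""Model of the fig. 5 loopback flow (S11-S18). Added example, not the patent's or Centec's
code; the page does not give the engine's algorithms, so "encrypt" layers use a demonstration
cipher (HMAC-SHA256 keystream in counter mode, confidentiality only) and "auth" layers an
HMAC-SHA256 tag. Keys, flow ids and packets are constructed."""
import hashlib, heapq, hmac, struct
from collections import namedtuple
from dataclasses import dataclass
from itertools import count

@dataclass(frozen=True)
class LayerParams:
    mode: str            # "encrypt" or "auth"
    key: bytes
    nonce: bytes = b""
    last: bool = False   # innermost layer: the engine stops looping after it

def _prf_ctr(key, nonce, data):
    """Demonstration cipher: XOR data with an HMAC-SHA256 keystream in counter mode."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

class CryptoEngine:
    """Processes exactly one layer per pass through the loopback path."""
    def __init__(self):
        self.cpu_trips = 0   # packets handed to the CPU (the fig. 2 vs fig. 5 comparison)
    def unprotect(self, body, p):
        if p.mode == "auth":
            data, tag = body[:-32], body[-32:]
            if not hmac.compare_digest(tag, hmac.new(p.key, data, hashlib.sha256).digest()):
                raise ValueError("authentication failed")
            return data
        return _prf_ctr(p.key, p.nonce, body)
    def protect(self, data, p):
        if p.mode == "auth":
            return data + hmac.new(p.key, data, hashlib.sha256).digest()
        return _prf_ctr(p.key, p.nonce, data)

class ResourceManager:
    """Arbitrates access to the engine; a lower priority value is served first."""
    def __init__(self):
        self._q, self._seq = [], count()
    def submit(self, prio, body, params):
        heapq.heappush(self._q, (prio, next(self._seq), body, params))
    def dispatch(self):
        return heapq.heappop(self._q)[2:]   # (body, params)

# dec_table: layer-header flow id -> params; enc_table: forwarding info -> (outer flow id, params)
ForwardingCore = namedtuple("ForwardingCore", "dec_table enc_table")

def parse_hdr(pkt):
    return struct.unpack(">I", pkt[:4])[0], pkt[4:]
def build_hdr(flow_id, body):
    return struct.pack(">I", flow_id) + body

def run_layer(rm, engine, body, params, op, prio=0):
    """S2 + S3: the resource manager schedules the layer and the engine executes it."""
    rm.submit(prio, body, params)
    body, params = rm.dispatch()
    return getattr(engine, op)(body, params)

def decrypt_all(core, rm, engine, pkt, prio=0):
    """S1-S4 loop (S11-S14): strip layers on the chip until the engine sees the innermost one."""
    while True:
        flow_id, body = parse_hdr(pkt)                  # S1: parse + decrypt flow table lookup
        params = core.dec_table[flow_id]
        pkt = run_layer(rm, engine, body, params, "unprotect", prio)
        if params.last:                                 # the engine decides the loop is finished
            return pkt                                  # otherwise S4: back to the forwarding core

def process_packet(core, rm, engine, cpu, pkt, prio=0):
    plain = decrypt_all(core, rm, engine, pkt, prio)
    engine.cpu_trips += 1
    target, inner_flow, inner_p, fwd = cpu(plain)       # S15: the single service-plane trip
    inner = build_hdr(inner_flow, run_layer(rm, engine, target, inner_p, "protect", prio))  # S16
    outer_flow, outer_p = core.enc_table[fwd]           # S17: encrypt flow table keyed by fwd info
    return build_hdr(outer_flow, run_layer(rm, engine, inner, outer_p, "protect", prio))    # S18
# Constructed keys and tables: inner layer encrypted, outer layer authenticated.
INNER_IN = LayerParams("encrypt", b"inner-rx-key", b"nonce-in", last=True)
OUTER_IN = LayerParams("auth", b"outer-rx-key")
INNER_OUT = LayerParams("encrypt", b"inner-tx-key", b"nonce-out", last=True)
OUTER_OUT = LayerParams("auth", b"outer-tx-key")
FWD = ("10.0.0.1", "10.0.0.2", 4500, "eth1")   # src IP, dst IP, port, egress interface

def make_chip():
    return (ForwardingCore({1: OUTER_IN, 2: INNER_IN, 3: INNER_OUT, 4: OUTER_OUT},
                           {FWD: (4, OUTER_OUT)}), ResourceManager(), CryptoEngine())

def cpu_service_plane(plain):
    """Constructed CPU stand-in: edits service info, picks egress and inner parameters."""
    return plain.replace(b"vlan=10", b"vlan=20"), 3, INNER_OUT, FWD

def demo():
    core, rm, engine = make_chip()
    plain = b"vlan=10;payload=hello"                    # constructed inner plaintext
    pkt = build_hdr(1, engine.protect(build_hdr(2, engine.protect(plain, INNER_IN)), OUTER_IN))
    out = process_packet(core, rm, engine, cpu_service_plane, pkt)
    return decrypt_all(core, rm, engine, out), engine.cpu_trips   # peer-side check
```

Running demo() returns the edited plaintext as a peer would recover it together with engine.cpu_trips, which stays at 1 for the whole packet; that single count is the fig. 2 versus fig. 5 difference the text is making, since every other layer is handled on the loopback path. The "encrypt" layer in this model is confidentiality-only and unauthenticated, which is why it is paired with an authenticated outer layer: a modified outer layer is rejected by the engine before any inner decryption happens, and a production engine would use an authenticated mode for both layers.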
Based on the same inventive concept, an embodiment of the present invention provides the chip 100, in which the forwarding core module is configured to execute S1: after obtaining a data message, searching the encryption and decryption parameters corresponding to the data message from the encryption and decryption flow table, and sending the data message and the encryption and decryption parameters to the resource management module; the resource management module is configured to execute S2: sending the data message and the encryption and decryption parameters to the encryption and decryption engine; the encryption and decryption engine is configured to execute S3: encrypting and decrypting the data message by using the encryption and decryption parameters, and sending the encrypted and decrypted data message to the resource management module; the resource management module is further configured to execute S4: sending the encrypted and decrypted data message to the forwarding core module; and S1 to S4 are repeatedly executed until the encryption and decryption engine determines that the multi-layer encryption and decryption of the data message is completed.
In an alternative embodiment, the encryption and decryption engine is further configured to send the multi-layer decrypted data message to the CPU, so that the CPU edits the service information of the data message to obtain a target data message, and sends the target data message, the inner-layer encryption parameters corresponding to the target data message and forwarding information to the encryption and decryption engine. The encryption and decryption engine is also configured to carry out multi-layer encryption on the target data message after receiving the target data message, the inner-layer encryption parameters corresponding to the target data message and the forwarding information; in the multi-layer encryption process, the forwarding information is used as the key for looking up the encryption parameters corresponding to the target data message in the encryption flow table.
In an alternative embodiment, the encryption and decryption engine is further configured to send the multi-layer encrypted data message to the resource management module; the resource management module is further configured to send the multi-layer encrypted data message to the forwarding core module; and the forwarding core module is further configured to send the multi-layer encrypted data message out of the chip.
In an alternative embodiment, the resource management module is specifically configured to: when a plurality of data messages exist, determine the priority of each data message, and send the data messages and the encryption and decryption parameters to the encryption and decryption engine according to the priority.
In an alternative embodiment, the encryption and decryption engine is further configured to authenticate the multi-layer encrypted or decrypted data message by using a preset authentication algorithm; or, before the data message is subjected to multi-layer encryption and decryption, to authenticate the data message by using a preset authentication algorithm.
Referring to fig. 6, fig. 6 is a block diagram of a forwarding device according to an embodiment of the present invention, where the forwarding device 300 includes a chip 100 and a CPU 200, and the chip 100 may be used to execute any of the data message processing methods provided in the embodiments of the present invention.
The present invention is not limited to the above embodiments, and any changes or substitutions that can be easily understood by those skilled in the art within the technical scope of the present invention are intended to be included in the scope of the present invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.

Claims (10)

1. The data message processing method is characterized by being applied to a chip of forwarding equipment; the chip comprises a forwarding core module, an encryption and decryption engine and a resource management module; a loop-back path is formed among the forwarding core module, the resource management module and the encryption and decryption engine, and the method comprises the following steps:
S1: after the forwarding core module obtains the data message, searching encryption and decryption parameters corresponding to the data message from an encryption and decryption flow table, and sending the data message and the encryption and decryption parameters to the resource management module;
S2: the resource management module sends the data message and the encryption and decryption parameters to the encryption and decryption engine;
S3: the encryption and decryption engine encrypts and decrypts the data message by utilizing the encryption and decryption parameters and sends the encrypted and decrypted data message to the resource management module;
S4: the resource management module sends the encrypted and decrypted data message to the forwarding core module;
and repeatedly executing S1 to S4 until the encryption and decryption engine determines that the data message is subjected to multi-layer encryption and decryption.
2. The method of claim 1, wherein the forwarding device further comprises a CPU, the CPU being communicatively coupled to the chip, the method further comprising:
the encryption and decryption engine sends the data message decrypted by multiple layers to the CPU so that the CPU edits service information of the data message to obtain a target data message, and sends the target data message, inner encryption parameters corresponding to the target data message and forwarding information to the encryption and decryption engine;
after receiving the target data message, the inner layer encryption parameters corresponding to the target data message and the forwarding information, the encryption and decryption engine carries out multi-layer encryption on the target data message; and the forwarding core module searches the encryption parameters corresponding to the target data message from the encryption flow table according to the forwarding information in the multi-layer encryption process.
3. The method according to claim 1, wherein the method further comprises:
the encryption and decryption engine sends the data message encrypted by multiple layers to the resource management module;
the resource management module sends the data message encrypted by multiple layers to the forwarding core module;
and the forwarding core module sends the data message encrypted by the multiple layers out of the chip.
4. The method of claim 1, wherein in S2, the resource management module sends the data message and the encryption and decryption parameters to the encryption and decryption engine, comprising:
when a plurality of data messages exist, determining the priority of each data message, and sending the data messages and the encryption and decryption parameters to the encryption and decryption engine according to the priority.
5. A method according to any one of claims 1 to 3, wherein the forwarding core module comprises an ingress direction processing engine and an egress direction processing engine; the incoming direction processing engine and the outgoing direction processing engine are respectively in communication connection with the resource management module; in the step S1, after the forwarding core module obtains a data message, the forwarding core module searching the encryption and decryption parameters corresponding to the data message from the encryption and decryption flow table and sending the data message and the encryption and decryption parameters to the resource management module comprises:
after the data message is obtained by the incoming direction processing engine, the encryption and decryption parameters corresponding to the data message are searched from an encryption and decryption flow table, and the data message and the encryption and decryption parameters are sent to the resource management module.
6. The method of claim 5, wherein the resource management module sending the data message encrypted in multiple layers to the forwarding core module comprises:
the resource management module sends the multilayer encrypted data message to the outgoing direction processing engine;
and the forwarding core module sending the data message encrypted by the multiple layers out of the chip comprises:
and the outgoing direction processing engine sends the data message encrypted by the multiple layers out of the chip.
7. The method according to claim 1, wherein the method further comprises:
authenticating the data message encrypted and decrypted by a plurality of layers by using a preset authentication algorithm; or before carrying out multi-layer encryption and decryption on the data message, authenticating the data message by using a preset authentication algorithm.
8. The chip is characterized by being applied to forwarding equipment and comprising a forwarding core module, an encryption and decryption engine and a resource management module; a loop-back path is formed among the forwarding core module, the resource management module and the encryption and decryption engine;
the forwarding core module is configured to execute S1: after obtaining a data message, searching encryption and decryption parameters corresponding to the data message from an encryption and decryption flow table, and sending the data message and the encryption and decryption parameters to the resource management module;
the resource management module is configured to execute S2: sending the data message and the encryption and decryption parameters to the encryption and decryption engine;
the encryption and decryption engine is configured to execute S3: encrypting and decrypting the data message by using the encryption and decryption parameters, and sending the encrypted and decrypted data message to the resource management module;
the resource management module is further configured to execute S4: sending the encrypted and decrypted data message to the forwarding core module;
and S1 to S4 are repeatedly executed until the encryption and decryption engine determines that the data message is subjected to multi-layer encryption and decryption.
9. The chip of claim 8, wherein the forwarding device further comprises a CPU, the CPU being communicatively coupled to the chip;
the encryption and decryption engine is further configured to send the data packet decrypted in multiple layers to the CPU, so that the CPU edits service information of the data packet to obtain a target data packet, and send the target data packet, an inner layer encryption parameter corresponding to the target data packet, and forwarding information to the encryption and decryption engine;
the encryption and decryption engine is further configured to perform multi-layer encryption on the target data packet after receiving the target data packet, an inner layer encryption parameter corresponding to the target data packet, and forwarding information; and the forwarding core module searches the encryption parameters corresponding to the target data message from the encryption flow table according to the forwarding information in the multi-layer encryption process.
10. The forwarding equipment is characterized by comprising a chip and a CPU, wherein the chip is in communication connection with the CPU; the chip comprises a forwarding core module, an encryption and decryption engine and a resource management module; and a loopback path is formed among the forwarding core module, the resource management module and the encryption and decryption engine, and the chip is used for executing the data message processing method according to any one of claims 1-7.
CN202211737745.7A 2022-12-30 2022-12-30 Data message processing method, chip and forwarding equipment Pending CN116389035A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211737745.7A CN116389035A (en) 2022-12-30 2022-12-30 Data message processing method, chip and forwarding equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211737745.7A CN116389035A (en) 2022-12-30 2022-12-30 Data message processing method, chip and forwarding equipment

Publications (1)

Publication Number Publication Date
CN116389035A true CN116389035A (en) 2023-07-04

Family

ID=86977549

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211737745.7A Pending CN116389035A (en) 2022-12-30 2022-12-30 Data message processing method, chip and forwarding equipment

Country Status (1)

Country Link
CN (1) CN116389035A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117439765A (en) * 2023-09-08 2024-01-23 重庆数智融合创新科技有限公司 Data storage forwarding method and system based on application awareness

Similar Documents

Publication Publication Date Title
US8112622B2 (en) Chaining port scheme for network security
US20160248734A1 (en) Multi-Wrapped Virtual Private Network
CN104935593A (en) Data message transmitting method and device
CN111865872B (en) Method and equipment for realizing terminal security policy in network slice
CN106301765B (en) Encryption and decryption chip and method for realizing encryption and decryption
CN107454590A (en) A kind of data ciphering method, decryption method and wireless router
US20040196979A1 (en) Encryption/decryption device and method for a wireless local area network
WO2022155803A1 (en) Data encryption method, data transmission method, related apparatuses and device
CN116389035A (en) Data message processing method, chip and forwarding equipment
CN103457952A (en) IPSec processing method and device based on encrypting engine
US7523306B2 (en) Simplified CCMP mode for a wireless local area network
US8504832B2 (en) Mobile terminal for sharing resources, method of sharing resources within mobile terminal and method of sharing resources between web server and terminal
US10230698B2 (en) Routing a data packet to a shared security engine
US20230114198A1 (en) Device in network
CN111431706A (en) Method, system and equipment for improving SM4 algorithm speed by using FPGA logic
US11611875B2 (en) Optimized simultaneous authentication of equals (SAE) authentication in wireless networks
US11677727B2 (en) Low-latency MACsec authentication
US11595367B2 (en) Selectively disclosing content of data center interconnect encrypted links
CN101753588B (en) Method and system for controlling integrated service operation
CN116074028A (en) Access control method, device and system for encrypted traffic
CN113905094A (en) Industrial Internet integration method, device and system
US7263186B2 (en) Speed-up hardware architecture for CCMP encryption protocol
US20090028122A1 (en) Wireless lan terminal allowing another processing in its waiting or idle state
CN113455034A (en) Communication method and device
CN110929297A (en) FPGA asynchronous encryption and decryption system and method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination