CN117811785A - Method and device for encrypting data packet, storage medium and electronic equipment - Google Patents


Info

Publication number: CN117811785A
Application number: CN202311798062.7A
Authority: CN (China)
Other languages: Chinese (zh)
Prior art keywords: vpn, data packet, hardware encryption, queue, packets
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Inventor: 张泽维
Current and original assignee: Kyland Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Priority claimed to: CN202311798062.7A (the priority date is an assumption and is not a legal conclusion)

Abstract

The application relates to a method, a device, a storage medium and electronic equipment for encrypting a data packet. The method comprises: controlling a security chip to classify VPN data packets so as to divide them into a plurality of queues; controlling a data packet processing tool to forward the VPN data packets of the queues to a vector packet processing engine, and controlling the vector packet processing engine to filter the VPN data packets of each queue simultaneously; controlling the data packet processing tool to call the application programming interface of a hardware encryption chip so as to operate the hardware encryption chip and perform hardware encryption on the filtered VPN data packets of each queue simultaneously; and controlling the data packet processing tool to forward the encrypted VPN data packets of each queue to the corresponding destination address. The method and device address the high CPU overhead and low security that result from implementing the VPN function with software encryption.

Description

Method and device for encrypting data packet, storage medium and electronic equipment
Technical Field
The present invention relates to the field of industrial communications, and in particular, to a method and apparatus for encrypting a data packet, a storage medium, and an electronic device.
Background
A typical switch has no hardware chip dedicated to security functions. To implement VPN functions it uses security service modules in the network protocol stack. These modules handle the VPN connections but rely largely on software-level operations: the VPN function uses software encryption, so the security operations are executed by software, which is comparatively slow and yields low VPN performance. On one hand, the security service module is usually part of the kernel protocol stack, and using the kernel stack causes frequent switching between kernel mode and user mode, which increases CPU overhead. On the other hand, a pure-software encryption mode is easier to attack, so its security is low.
Disclosure of Invention
The application provides a method, a device, a storage medium and electronic equipment for encrypting a data packet, so as to solve the technical problems of high CPU (Central Processing Unit) overhead and low security caused by implementing the VPN (Virtual Private Network) function with software encryption.
In a first aspect, the application provides a method for encrypting a data packet, including: controlling a security chip to classify VPN data packets so as to divide them into a plurality of queues; controlling a data packet processing tool to forward the VPN data packets of the plurality of queues to a vector packet processing engine, and controlling the vector packet processing engine to filter the VPN data packets of each queue simultaneously; controlling the data packet processing tool to call the application programming interface of a hardware encryption chip so as to operate the hardware encryption chip and perform hardware encryption on the filtered VPN data packets of each queue simultaneously; and controlling the data packet processing tool to forward the encrypted VPN data packets of each queue to the corresponding destination address.
In a second aspect, the application provides an apparatus for encrypting a data packet, including: a first control module, configured to control the security chip to classify a plurality of VPN data packets so as to divide them into a plurality of queues; a second control module, configured to control the data packet processing tool to forward the VPN data packets of the queues to the vector packet processing engine and to control the vector packet processing engine to filter the VPN data packets of each queue simultaneously; a third control module, configured to control the data packet processing tool to call the application programming interface of the hardware encryption chip so as to operate the hardware encryption chip and perform hardware encryption on the filtered VPN data packets of each queue simultaneously; and a fourth control module, configured to control the data packet processing tool to forward the encrypted VPN data packets of each queue to the corresponding destination address.
As an optional example, the first control module includes: an obtaining unit, configured to obtain a policy file, where the policy file includes the metadata for the flow hash, a queue reference and a policy name, the metadata being the source address of a VPN data packet, the queue reference specifying that VPN data packets of the same flow are divided into different queues, and the policy name being the queue name; and a first processing unit, configured to perform flow hash processing on the VPN data packets according to the policy file so as to divide the VPN data packets of the same flow into different queues.
As an optional example, the first processing unit includes: an input subunit, configured to input the source address of each VPN data packet into a hash function to obtain the corresponding hash value; a determining subunit, configured to determine, when the difference between the first hash value of a first VPN data packet and the second hash value of a second VPN data packet is less than or equal to a preset value, that the first and second VPN data packets belong to the same flow, the first and second VPN data packets being any two of the plurality of VPN data packets; and a dividing subunit, configured to divide the VPN data packets of the same flow into different queues according to the policy name and the queue reference.
As an optional example, the second control module includes a second processing unit, configured to take each VPN data packet of each queue as the current VPN data packet and perform the following operations on it: obtain the MAC address of the current VPN data packet, and filter the packet out if that MAC address is not the local MAC address; and obtain the service module of the current VPN data packet, and filter the packet out if the service module is not the encryption service.
As an optional example, the apparatus further includes a processing module, configured to refactor the encryption flow of the vector packet processing engine before the data packet processing tool is controlled to call the application programming interface of the hardware encryption chip, so that when the vector packet processing engine runs the encryption flow the data packet processing tool can call that interface, operate the hardware encryption chip and perform hardware encryption on the filtered VPN data packets of each queue simultaneously.
As an optional example, the apparatus further includes a loading module, configured to load the hardware driver corresponding to the hardware encryption chip in the data packet processing tool before the data packet processing tool is controlled to call the application programming interface of the hardware encryption chip, so that when the vector packet processing engine runs the encryption flow it can call that interface through the data packet processing tool, operate the hardware encryption chip and perform hardware encryption on the filtered VPN data packets of each queue simultaneously.
As an optional example, the third control module includes a control unit, configured to control the data packet processing tool to call the application programming interface of the hardware encryption chip so as to operate the chip and perform hardware encryption on the filtered VPN data packets of each queue simultaneously according to the hardware encryption function corresponding to that chip.
In a third aspect, the present application provides a storage medium having a computer program stored therein, wherein the computer program, when executed by a processor, performs a method of encrypting a data packet as described above.
In a fourth aspect, the present application also provides an electronic device comprising a memory in which a computer program is stored and a processor arranged to perform the method of encrypting a data packet as described above by means of the computer program.
In the embodiment of the application, a security chip is controlled to classify a plurality of VPN data packets so as to divide them into a plurality of queues; a data packet processing tool is controlled to forward the VPN data packets of the queues to a vector packet processing engine, which is controlled to filter the VPN data packets of each queue simultaneously; the data packet processing tool is controlled to call the application programming interface of a hardware encryption chip so as to operate the chip and perform hardware encryption on the filtered VPN data packets of each queue simultaneously; and the data packet processing tool is controlled to forward the encrypted VPN data packets of each queue to the corresponding destination address. In this method, the architecture of the data packet processing tool and the vector packet processing engine provides high-performance forwarding in a user-mode protocol stack, and on that basis the VPN data packets are encrypted by the hardware encryption chip, so the encryption load moves from the CPU to the chip and VPN performance improves as CPU cost falls. The data packet processing tool is configured with multiple threads and multiple receive queues, which gives multi-core load sharing and parallel hardware encryption, raising the encryption speed of the VPN data packets and further improving VPN performance. The security chip performs the first-level distribution and serves as the multi-queue receive data source of the vector packet processing engine; the security chip also carries a random number generator, which makes the result harder to crack and improves the security of the data transmission.
Hardware and software therefore cooperate in the encryption, which achieves the aims of reducing CPU overhead and improving the security of data transmission and solves the technical problems of high CPU overhead and low security caused by implementing the VPN function with software encryption.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the description of the embodiments or the prior art will be briefly described below, and it will be obvious to those skilled in the art that other drawings can be obtained from these drawings without inventive effort.
One or more embodiments are illustrated by way of example and not limitation in the figures of the accompanying drawings, in which like references indicate similar elements, and in which the figures of the drawings are not to be taken in a limiting sense, unless otherwise indicated.
FIG. 1 is a flow chart of an alternative method of encryption of data packets according to an embodiment of the present application;
FIG. 2 is an overall architecture diagram of an alternative method of encryption of data packets according to an embodiment of the present application;
FIG. 3 is a flow diagram of an alternative method of encryption of data packets according to an embodiment of the present application;
FIG. 4 is a schematic diagram of an alternative apparatus for encryption of data packets according to an embodiment of the present application;
FIG. 5 is a schematic diagram of an alternative electronic device according to an embodiment of the present application.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present application based on the embodiments herein.
The following disclosure provides many different embodiments, or examples, for implementing different structures of the application. In order to simplify the disclosure of the present application, the components and arrangements of specific examples are described below. Of course, they are merely examples and are not intended to limit the present application. Furthermore, the present application may repeat reference numerals and/or letters in the various examples. This repetition is for the purpose of simplicity and clarity and does not in itself dictate a relationship between the various embodiments and/or configurations discussed.
According to a first aspect of an embodiment of the present application, there is provided a method for encrypting a data packet, optionally, as shown in fig. 1, the method includes:
S102, controlling the security chip to classify a plurality of VPN data packets so as to divide them into a plurality of queues;
S104, controlling the data packet processing tool to forward the VPN data packets of the plurality of queues to the vector packet processing engine, and controlling the vector packet processing engine to filter the VPN data packets of each queue simultaneously;
S106, controlling the data packet processing tool to call the application programming interface of the hardware encryption chip so as to operate the hardware encryption chip and perform hardware encryption on the filtered VPN data packets of each queue simultaneously;
S108, controlling the data packet processing tool to forward the encrypted VPN data packets of each queue to the corresponding destination address.
Optionally, in this embodiment the security chip may be an LS1043A, whose Frame Manager Configuration tool (FMC) is a command-line tool for configuring how the chip's frame manager handles data packets: it classifies and distributes packets according to a preset policy, so VPN packets can be processed efficiently. A VPN (Virtual Private Network) establishes a private network over a public network for encrypted communication. The data packet processing tool may be DPDK (Data Plane Development Kit), which runs mainly on Linux and is used for fast packet processing; it greatly improves data-processing performance and throughput and the efficiency of data-plane applications. The vector packet processing engine may be VPP (Vector Packet Processing), which provides an extensible, modular architecture and uses a vector data plane to process large numbers of packets efficiently; as a user-mode protocol stack it includes rich service functions.
Optionally, in this embodiment, the FMC tool of the security chip first performs a preliminary split of the VPN packets: it classifies them and places them in several different queues. DPDK then pulls the classified VPN packets from these queues and forwards them to VPP. On receiving them, VPP filters the packets of every queue simultaneously, checking the packet header information, verifying identity and applying the access control policy, so that only packets meeting the specified conditions are processed further. After filtering, the VPN packets of each queue are hardware-encrypted through DPDK, which calls the application programming interface (API) of the hardware encryption chip; the API is the channel through which the chip is driven, so the packets are encrypted efficiently in hardware, and DPDK is controlled to encrypt the VPN packets of the queues in parallel through that API. Finally, the packet processing tool forwards the hardware-encrypted VPN packets of each queue to their respective destination addresses.
Optionally, in this embodiment, the overall architecture is shown in fig. 2: the data packet processing tool and the vector packet processing engine provide high-performance forwarding in a user-mode protocol stack, and on that basis the hardware encryption chip encrypts the VPN packets, so the encryption load moves from the CPU to the chip and VPN performance improves as CPU overhead falls. The data packet processing tool is configured with multiple threads and multiple receive queues, which gives multi-core load sharing and parallel hardware encryption and raises the encryption speed of the VPN packets. The security chip performs the first-level distribution and serves as the multi-queue receive data source of the vector packet processing engine; its random number generator makes the result harder to crack and improves the security of the data transmission. Hardware and software therefore cooperate in the encryption, reducing CPU overhead and improving the security of the data transmission, which solves the technical problems of high CPU overhead and low security caused by implementing the VPN function with software encryption.
Optionally, in this embodiment, the method above describes hardware encryption of VPN packets; it applies equally to hardware decryption of VPN packets, whose steps are similar.
As an optional example, controlling the security chip to classify the plurality of VPN data packets so as to divide them into a plurality of queues includes:
obtaining a policy file, where the policy file includes the metadata for the flow hash, a queue reference and a policy name, the metadata being the source address of a VPN data packet, the queue reference specifying that VPN data packets of the same flow are divided into different queues, and the policy name being the queue name; and
performing flow hash processing on the VPN data packets according to the policy file, so as to divide the VPN data packets of the same flow into different queues.
Optionally, in this embodiment, the FMC tool of the security chip performs the preliminary split: it classifies the VPN packets and places them in several different queues. Specifically, a policy file with the following contents is obtained. The flow-hash metadata is the data used for the flow hash calculation, typically including the source address of the VPN packet. The queue reference determines into which queue VPN packets of the same flow are to be placed. The policy name is the name of the queue, used to identify the particular policy. Flow hash processing means that the system hashes the VPN packets using the flow-hash metadata given in the policy file; a flow hash runs a hash function over specific fields to obtain a fixed-size hash value, which is normally used to identify a data flow uniquely, so VPN packets of the same flow obtain the same hash value. The system then divides the packets by hash value into different queues according to the queue reference and the policy name; this partitioning follows a policy under which VPN packets of the same flow are sent to different queues to increase the efficiency of packet processing. Dividing the VPN packets into queues by flow hash in this way can optimise network performance.
As an optional example, performing flow hash processing on the plurality of VPN packets according to the policy file so as to divide VPN packets of the same flow into different queues includes:
inputting the source address of each VPN data packet into a hash function to obtain the corresponding hash value;
determining that a first VPN data packet and a second VPN data packet belong to the same flow when the difference between the first hash value of the first VPN data packet and the second hash value of the second VPN data packet is less than or equal to a preset value, the first and second VPN data packets being any two of the plurality of VPN data packets; and
dividing the VPN data packets of the same flow into different queues according to the policy name and the queue reference.
Optionally, in this embodiment, when the plurality of VPN packets are flow-hashed according to the policy file so as to divide VPN packets of the same flow into different queues, whether two VPN packets belong to the same data flow is determined by feeding the source address of each packet into a hash function and comparing the difference between the resulting hash values. Specifically, for each VPN packet, its source address is passed as input to the hash function, an algorithm that maps input data to a fixed-length hash value; the hash function processes the source address and yields that packet's hash value, so every packet obtains a hash value. For any two VPN packets, as shown in fig. 3 for a first and a second VPN packet, their hash values are calculated and, if the difference is less than or equal to the preset value, the two packets are judged to belong to the same data flow, i.e. to be VPN packets of the same flow. Applying the same flow-hash test to any two of the plurality of VPN packets identifies the packets of each data flow, and the VPN packets of the same flow can then be divided into different queues.
As an optional example, controlling the vector packet processing engine to filter the VPN packets of each queue simultaneously includes:
taking each VPN data packet of each queue as the current VPN data packet and performing the following operations on it:
obtaining the MAC address of the current VPN data packet, and filtering the packet out if that MAC address is not the local MAC address; and
obtaining the service module of the current VPN data packet, and filtering the packet out if the service module is not the encryption service.
Optionally, in this embodiment, after VPP receives the classified VPN packets of each queue forwarded by DPDK, it must filter the VPN packets of every queue simultaneously. Taking one queue as an example, when the current VPN packet is filtered and identified, its MAC (Media Access Control) address is obtained; a MAC address identifies a network interface and is normally tied to the physical network card of a device. The MAC address of the current VPN packet is then checked against the local MAC address: if they do not match, the packet is filtered out and not processed further. A VPN packet also carries information about its payload, including an identifier of the service module, which indicates the specific service the packet belongs to. VPP checks the service module of the current VPN packet to see whether it belongs to the encryption service; if the identifier shows that it does not, the packet is filtered out and not allowed through. Together the two conditions give an effective filter: the MAC check ensures that only VPN packets associated with the local interface are processed and non-local packets are skipped, and the service-module check ensures that only VPN packets of the encryption service are processed while packets of other services are ignored. Such a filtering strategy keeps the system working only on VPN packets that meet the specified conditions and so raises the efficiency of the subsequent hardware encryption.
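The classification and filtering steps above, as an added example in Go that is not code from the patent, from DPDK, from VPP or from the LS1043A FMC tool. It models both steps in plain data structures: a Policy struct stands in for the FMC policy file (its field names, and the choice of hash modulo number-of-queues as the queue reference, are assumptions), FNV-1a stands in for whatever hash the frame manager applies to the source address, and the service-module identifier "encrypt" and the MAC field are placeholders (the page does not say whether the source or the destination MAC is compared). SameFlow implements the page's hash-difference rule literally; because hash values carry no ordering, only a preset of 0 (plain equality) groups packets correctly, and that is what the usage runs with. The page's wording can be read as spreading packets of one flow over several queues; this example keeps each flow on one queue, because reordering one ESP flow across queues would push packets outside the receiver's anti-replay window.

```go
package main

import (
	"fmt"
	"hash/fnv"
	"net"
)

// Packet is a minimal stand-in for a VPN packet as the classifier and the
// VPP filter node see it (constructed for this example; not a DPDK mbuf).
// MAC is simply the address the filter compares against the local MAC.
type Packet struct {
	SrcIP   net.IP
	MAC     net.HardwareAddr
	Service string // service-module identifier carried by the packet
	Payload []byte
}

// Policy carries the three fields the page attributes to the FMC policy file.
// Field names and the hash-modulo queue mapping are assumptions of this example.
type Policy struct {
	Name      string // policy name; used here as the queue-name prefix
	NumQueues int    // queue reference: flow hash % NumQueues selects the queue
	Preset    uint32 // preset value: maximum hash difference for "same flow"
}

// FlowHash hashes the flow-hash metadata, the packet's source address.
// FNV-1a stands in for whatever hash the frame manager actually uses.
func FlowHash(p Packet) uint32 {
	h := fnv.New32a()
	h.Write(p.SrcIP.To16())
	return h.Sum32()
}

// SameFlow applies the page's rule literally: two packets belong to one flow
// when |h1 - h2| <= preset. Hash values carry no ordering, so any preset
// other than 0 merges unrelated flows; with 0 the rule is plain equality.
func SameFlow(a, b Packet, preset uint32) bool {
	ha, hb := FlowHash(a), FlowHash(b)
	if ha > hb {
		ha, hb = hb, ha
	}
	return hb-ha <= preset
}

// Classify is the security chip's preliminary split. Each packet is matched
// against the first packet seen of every flow; the flow's hash then selects
// the queue, so one flow stays on one queue and distinct flows spread out.
func Classify(pkts []Packet, pol Policy) map[string][]Packet {
	var reps []Packet // first packet seen for each flow
	queues := make(map[string][]Packet)
	for _, p := range pkts {
		rep, found := p, false
		for _, r := range reps {
			if SameFlow(p, r, pol.Preset) {
				rep, found = r, true
				break
			}
		}
		if !found {
			reps = append(reps, p)
		}
		name := fmt.Sprintf("%s-%d", pol.Name, FlowHash(rep)%uint32(pol.NumQueues))
		queues[name] = append(queues[name], p)
	}
	return queues
}

// Filter is the VPP-side check: a packet survives only if its MAC address is
// the local MAC and its service module is the encryption service.
func Filter(queue []Packet, localMAC net.HardwareAddr) (kept, dropped []Packet) {
	for _, p := range queue {
		if p.MAC.String() != localMAC.String() || p.Service != "encrypt" {
			dropped = append(dropped, p)
			continue
		}
		kept = append(kept, p)
	}
	return kept, dropped
}

func main() {
	// Constructed sample traffic: two packets of one flow, one foreign MAC,
	// and one packet that belongs to a non-encryption service.
	local, _ := net.ParseMAC("02:00:00:00:00:01")
	other, _ := net.ParseMAC("02:00:00:00:00:02")
	pkts := []Packet{
		{SrcIP: net.ParseIP("10.0.0.1"), MAC: local, Service: "encrypt", Payload: []byte("a")},
		{SrcIP: net.ParseIP("10.0.0.2"), MAC: local, Service: "encrypt", Payload: []byte("b")},
		{SrcIP: net.ParseIP("10.0.0.1"), MAC: other, Service: "encrypt", Payload: []byte("c")},
		{SrcIP: net.ParseIP("10.0.0.3"), MAC: local, Service: "route", Payload: []byte("d")},
	}
	for name, q := range Classify(pkts, Policy{Name: "vpn", NumQueues: 4, Preset: 0}) {
		kept, dropped := Filter(q, local)
		fmt.Printf("%s: %d packets, %d kept, %d dropped\n", name, len(q), len(kept), len(dropped))
	}
}
```

Run as-is to see each queue's packet counts after filtering. A real deployment would take the policy from the FMC configuration and the local MAC from the interface rather than from literals.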
As an optional example, before the data packet processing tool is controlled to call the application programming interface of the hardware encryption chip so as to operate the chip and perform hardware encryption on the filtered VPN packets of each queue simultaneously, the method further includes:
refactoring the encryption flow of the vector packet processing engine, so that when the vector packet processing engine runs the encryption flow it can call the application programming interface of the hardware encryption chip through the data packet processing tool, operate the chip and perform hardware encryption on the filtered VPN data packets of each queue simultaneously.
Optionally, in this embodiment, VPP uses OpenSSL as its default encryption engine, that is, software encryption in which the algorithm is implemented in software. If VPP is to use hardware encryption, DPDK must be controlled to call the application programming interface of the hardware encryption chip so as to operate the chip and perform hardware encryption on the filtered VPN packets of each queue simultaneously, and for that the VPP encryption flow has to be refactored so that DPDK can be relied on to call the chip's API whenever VPP runs the encryption flow. For example, the default software encryption flow is: dpdk-input → ethernet-input → ip4-lookup → ip4-rewrite → ipsecX-output → ipsecX-tx → esp4-encrypt → ip4-lookup → interface-output. In the refactored encryption flow, the node dpdk-esp4-encrypt loads the hardware encryption function.
As an optional example, before the data packet processing tool is controlled to call the application programming interface of the hardware encryption chip so as to operate the chip and perform hardware encryption on the filtered VPN packets of each queue simultaneously, the method further includes:
loading the hardware driver corresponding to the hardware encryption chip in the data packet processing tool, so that when the vector packet processing engine runs the encryption flow it can call the application programming interface of the hardware encryption chip through the data packet processing tool and operate the chip to perform hardware encryption on the filtered VPN data packets of each queue.
Optionally, in this embodiment, before DPDK is controlled to call the application programming interface of the hardware encryption chip so as to operate the chip and perform hardware encryption on the filtered VPN packets of each queue simultaneously, the hardware driver corresponding to the hardware encryption chip has to be loaded in the data packet processing tool.
As an optional example, controlling the data packet processing tool to call the application programming interface of the hardware encryption chip so as to operate the chip and perform hardware encryption on the filtered VPN packets of each queue simultaneously includes:
controlling the data packet processing tool to call the application programming interface of the hardware encryption chip so as to operate the chip and perform hardware encryption on the filtered VPN data packets of each queue simultaneously according to the chip's corresponding hardware encryption function.
Because different hardware encryption chips have different hardware encryption functions, when a hardware encryption chip is used for encryption the filtered VPN packets of each queue are encrypted according to the function that corresponds to that chip. Specifically, the model or serial number of the hardware encryption chip can be bound to its hardware encryption function in a mapping table; once the model or serial number of the chip is known, the corresponding hardware encryption function is looked up in the binding table and the filtered VPN packets are encrypted in hardware with it.
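The refactored encryption flow, the driver-loading precondition and the model-to-function binding table described in the three examples above, as an added example in Go that is not code from the patent, from the VPP dpdk plugin or from any chip vendor. It assumes a chip API of the shape "open a session for this key, then seal packets", which AES-256-GCM from Go's standard library stands in for; the chip model name "chip-model-A" and the sync.Map used as the driver registry are placeholders; and it assumes that the refactored node graph differs from the default one only by replacing esp4-encrypt with dpdk-esp4-encrypt, since the page quotes only the default path. Each queue gets its own worker, matching the multi-thread, multi-receive-queue configuration the page describes, and each record comes back as nonce || ciphertext || tag. Random 96-bit nonces stand in for the salt-plus-IV construction of ESP-GCM, which must never repeat under one key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"sync"
)

// ChipSession is the API shape this example assumes for a hardware encryption
// chip: given a key it returns an object that seals packets. AES-256-GCM from
// the standard library stands in for the chip; real chips expose vendor APIs.
type ChipSession func(key []byte) (cipher.AEAD, error)

// chipFuncs is the page's binding table from chip model (or serial number)
// to hardware encryption function. The model string is illustrative.
var chipFuncs = map[string]ChipSession{"chip-model-A": newAESGCM}

// loadedDrivers records which chip drivers the packet processing tool has
// loaded; the chip API must not be called before its driver is loaded.
var loadedDrivers sync.Map

// LoadDriver models loading the chip's driver into the packet processing tool.
func LoadDriver(model string) error {
	if _, ok := chipFuncs[model]; !ok {
		return fmt.Errorf("chip %q has no bound hardware encryption function", model)
	}
	loadedDrivers.Store(model, true)
	return nil
}

// newAESGCM is the stand-in hardware function bound to "chip-model-A".
func newAESGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// softwarePath is the default VPP encryption flow quoted on the page;
// esp4-encrypt is its software (OpenSSL) step.
var softwarePath = []string{"dpdk-input", "ethernet-input", "ip4-lookup", "ip4-rewrite",
	"ipsecX-output", "ipsecX-tx", "esp4-encrypt", "ip4-lookup", "interface-output"}

// Reconstruct models the code reconstruction: esp4-encrypt is swapped for
// dpdk-esp4-encrypt, the node that loads the hardware function. That the
// rest of the path is unchanged is an assumption of this example.
func Reconstruct(path []string) []string {
	out := make([]string, len(path))
	for i, n := range path {
		if n == "esp4-encrypt" {
			n = "dpdk-esp4-encrypt"
		}
		out[i] = n
	}
	return out
}

// EncryptQueues is the dpdk-esp4-encrypt step: one worker per queue, each
// sealing its queue's filtered packets through the function bound to the
// chip model. Each output record is nonce || ciphertext || tag.
func EncryptQueues(model string, key []byte, queues [][][]byte) ([][][]byte, error) {
	if _, ok := loadedDrivers.Load(model); !ok {
		return nil, fmt.Errorf("driver for chip %q is not loaded", model)
	}
	out := make([][][]byte, len(queues))
	errs := make([]error, len(queues))
	var wg sync.WaitGroup
	for q := range queues {
		wg.Add(1)
		go func(q int) {
			defer wg.Done()
			aead, err := chipFuncs[model](key)
			if err != nil {
				errs[q] = err
				return
			}
			for _, pt := range queues[q] {
				nonce := make([]byte, aead.NonceSize())
				if _, err := rand.Read(nonce); err != nil {
					errs[q] = err
					return
				}
				out[q] = append(out[q], aead.Seal(nonce, nonce, pt, nil))
			}
		}(q)
	}
	wg.Wait()
	for _, err := range errs {
		if err != nil {
			return nil, err
		}
	}
	return out, nil
}

func main() {
	if err := LoadDriver("chip-model-A"); err != nil {
		panic(err)
	}
	// Constructed all-zero key and two sample queues; a real SA key comes from IKE.
	out, err := EncryptQueues("chip-model-A", make([]byte, 32), [][][]byte{{[]byte("pkt-a1"), []byte("pkt-a2")}, {[]byte("pkt-b1")}})
	fmt.Println(Reconstruct(softwarePath), len(out), err)
}
```

The forwarding step (S108) would hand `out[q]` to the destination address recorded for queue q; it is left out here because the page says nothing about how destinations are stored. EncryptQueues refuses to run until LoadDriver has succeeded, which is the ordering the two "before" clauses above require.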
It should be noted that, for simplicity of description, the foregoing method embodiments are all expressed as a series of action combinations, but it should be understood by those skilled in the art that the present application is not limited by the order of actions described, as some steps may be performed in other order or simultaneously in accordance with the present application. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily required in the present application.
According to another aspect of the embodiments of the present application, there is further provided an apparatus for encrypting a data packet, as shown in fig. 4, including:
a first control module 402, configured to control the security chip to classify the plurality of VPN data packets, so as to divide the plurality of VPN data packets into a plurality of queues;
a second control module 404, configured to control the packet processing tool to forward VPN packets of the plurality of queues to the vector packet processing engine, and control the vector packet processing engine to filter VPN packets of each queue at the same time;
a third control module 406, configured to control the packet processing tool to call an application programming interface of the hardware encryption chip, so as to operate the hardware encryption chip and perform hardware encryption processing on the VPN packets after filtering in each queue;
a fourth control module 408, configured to control the packet processing tool to forward the encrypted VPN packet of each queue to a corresponding destination address.
Alternatively, in this embodiment, the security chip may be an LS1043A chip, whose own Frame Manager Configuration Tool (FMC) is a command line tool for configuring and managing packet processing. It can classify and filter data packets according to a preset policy, so that VPN data packets are processed efficiently. A VPN (Virtual Private Network) establishes a private network over a public network for encrypted communication. The data packet processing tool may be the DPDK (Data Plane Development Kit), which runs mainly on Linux systems and is used for fast packet processing; it can greatly improve data processing performance and throughput and the working efficiency of data plane applications. The vector packet processing engine may be VPP (Vector Packet Processing); VPP provides an extensible, modular architecture, uses a vector data plane to process large numbers of data packets efficiently, and serves as a user mode protocol stack with rich service functions.
Optionally, in this embodiment, the FMC tool of the security chip is first used to perform a preliminary split of the VPN packets: it classifies them and divides them into a plurality of different queues. The classified VPN packets are then extracted from the queues by the DPDK and forwarded to the VPP. After receiving them, the VPP filters the packets of every queue simultaneously, which includes checking packet header information, verifying identity and executing an access control policy, so that only packets meeting the specified conditions are processed further. After filtering, the VPN packets of each queue are encrypted in hardware by means of the DPDK, which calls the application programming interface (API) of the hardware encryption chip. The API provides the interface for communicating with the hardware encryption chip, so that the packets can be encrypted efficiently by the hardware; by calling this API, the DPDK is controlled to perform hardware encryption on the VPN packets of each queue in parallel. Finally, the packet processing tool forwards the hardware-encrypted VPN packets of each queue to their respective destination addresses.
Optionally, in this embodiment, as shown in the architecture diagram of fig. 2, the combination of the packet processing tool and the vector packet processing engine implements high-performance forwarding of a user mode protocol stack, and on this basis the hardware encryption chip encrypts the VPN packets, so that the encryption load is moved from the CPU to the hardware encryption chip and VPN performance improves because CPU overhead is reduced. Multiple threads with multiple receive queues are configured in the packet processing tool, which spreads the load over multiple cores and allows hardware encryption to run in parallel, raising the encryption speed of VPN packets and further improving VPN performance. The security chip performs the primary distribution and serves as the multi-queue receive data source of the vector packet processing engine; since the security chip contains a random number generator, it is not easy to crack, which improves the security of the data transmission process. Hardware and software therefore cooperate in the encryption to reduce CPU overhead and improve the security of data transmission, which solves the technical problems of high CPU overhead and lower security caused by implementing the VPN function with software encryption.
Optionally, in this embodiment, the above method describes a hardware encryption process for the VPN packet, and is also applicable to a hardware decryption process for the VPN packet, which is similar in steps.
As an alternative example, the first control module includes:
an acquisition unit, configured to acquire a policy file, wherein the policy file comprises metadata of a flow hash, a queue reference and a policy name, the metadata is the source address of a VPN data packet, the queue reference specifies that VPN data packets of the same flow are divided into different queues, and the policy name is a queue name;
and a first processing unit, configured to perform flow hash processing on the VPN data packets according to the policy file, so as to divide the VPN data packets of the same flow into different queues.
Optionally, in this embodiment, the FMC tool of the security chip performs the preliminary split of the VPN packets, classifying them and dividing them into a plurality of different queues. Specifically, a policy file containing the following information is acquired. Metadata of the flow hash: the data used for the flow hash calculation, typically information such as the source address of the VPN packet. A queue reference: used to determine into which queue VPN packets of the same flow should be placed. A policy name: the name of the queue, used to identify the particular policy. In the flow hash processing, the system hashes the plurality of VPN packets using the flow hash metadata provided in the policy file. Flow hashing is an algorithm that computes a fixed-size hash value over specific data and is typically used to identify a data flow; packets of the same flow therefore obtain the same hash value. The system then assigns packets to queues by hash value according to the queue reference, following a policy that ensures that packets of the same flow are sent to the same queue while different flows are spread across different queues, which increases packet processing efficiency. Distributing the VPN packets across queues by flow hash in this way optimizes network performance.
As an alternative example, the first processing unit includes:
an input subunit, configured to input a source address of each VPN data packet to a hash function, to obtain a corresponding hash value;
a determining subunit, configured to determine the first VPN data packet and the second VPN data packet as VPN data packets of the same flow when the difference between the first hash value of the first VPN data packet and the second hash value of the second VPN data packet is less than or equal to a preset value, where the first VPN data packet and the second VPN data packet are any two VPN data packets of the plurality of VPN data packets;
And the dividing subunit divides the VPN data packets of the same stream into different queues according to the policy names and the queue references.
Optionally, in this embodiment, when flow hash processing is performed on the plurality of VPN data packets according to the policy file to divide the VPN data packets of the same flow into different queues, whether two VPN data packets belong to the same data flow is determined by feeding the source address of each packet into a hash function and then comparing the difference between the hash values. Specifically, for each VPN packet, its source address is passed as input to a hash function, an algorithm that maps input data to a hash value of fixed length; here the source address is the input data, and the hash function processes it to yield the packet's own hash value. For two VPN packets, as shown in fig. 3, such as a first VPN packet and a second VPN packet, their hash values are calculated, and if the difference between them is less than or equal to a preset value, the two packets are determined to belong to the same data flow, i.e. they are VPN packets of the same flow. The same flow hashing method can be applied to any two of the plurality of VPN packets to determine whether they belong to the same data flow, so that packets of the same data flow are identified and processed effectively and VPN packets of the same flow can be divided into different queues.
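The same-flow test and queue assignment described above, as an added example in C that is not part of the patent or of any Kyland, FMC, DPDK or VPP code. It assumes a 32-bit FNV-1a hash over the source address in place of whatever hash the FMC configures on the chip, four receive queues, and a queue chosen as the hash modulo the queue count; the packet records and addresses are constructed.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_QUEUES 4u

/* Constructed packet record: the classifier only needs the IPv4 source address. */
struct vpn_pkt {
    uint32_t src_ip;  /* e.g. 0x0A000001 == 10.0.0.1, host order */
    unsigned queue;   /* receive queue assigned by classify_packets() */
};

/* 32-bit FNV-1a over the four address bytes, MSB first. This is a stand-in
 * (assumption) for whatever flow hash the FMC tool configures on the chip. */
static uint32_t flow_hash(uint32_t src_ip) {
    uint32_t h = 2166136261u;
    for (int shift = 24; shift >= 0; shift -= 8) {
        h ^= (src_ip >> shift) & 0xFFu;
        h *= 16777619u;
    }
    return h;
}

/* Same-flow test exactly as the text states it: |h1 - h2| <= preset value. */
static int same_flow(uint32_t h1, uint32_t h2, uint32_t preset) {
    uint32_t diff = h1 > h2 ? h1 - h2 : h2 - h1;
    return diff <= preset;
}

/* Queue reference: a flow hash selects one of NUM_QUEUES receive queues. */
static unsigned queue_for_hash(uint32_t h) {
    return h % NUM_QUEUES;
}

/* Classify every packet; returns the number of distinct queues actually used. */
static unsigned classify_packets(struct vpn_pkt *pkts, size_t n) {
    unsigned used_mask = 0;
    for (size_t i = 0; i < n; i++) {
        pkts[i].queue = queue_for_hash(flow_hash(pkts[i].src_ip));
        used_mask |= 1u << pkts[i].queue;
    }
    unsigned used = 0;
    for (unsigned q = 0; q < NUM_QUEUES; q++)
        used += (used_mask >> q) & 1u;
    return used;
}

/* Check the property the text relies on: every pair of packets judged to be
 * the same flow under the preset tolerance landed in the same queue. */
static int flows_share_queue(const struct vpn_pkt *pkts, size_t n, uint32_t preset) {
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            if (same_flow(flow_hash(pkts[i].src_ip), flow_hash(pkts[j].src_ip), preset)
                && pkts[i].queue != pkts[j].queue)
                return 0;
    return 1;
}

int main(void) {
    /* Constructed sample: three flows, two packets each. */
    struct vpn_pkt pkts[] = {
        {0x0A000001u, 0}, {0x0A000002u, 0}, {0x0A000001u, 0},
        {0xC0A80105u, 0}, {0x0A000002u, 0}, {0xC0A80105u, 0},
    };
    size_t n = sizeof pkts / sizeof pkts[0];
    unsigned used = classify_packets(pkts, n);
    for (size_t i = 0; i < n; i++)
        printf("src=%08" PRIx32 " hash=%08" PRIx32 " queue=%u\n",
               pkts[i].src_ip, flow_hash(pkts[i].src_ip), pkts[i].queue);
    printf("queues used: %u, same-flow packets share a queue: %s\n",
           used, flows_share_queue(pkts, n, 0) ? "yes" : "no");
    return 0;
}
```

With a preset value of 0 the test reduces to hash equality, and packets sharing a source address always land in one queue. With a preset value greater than 0, hash values of unrelated addresses can fall within the tolerance, because a well-distributed hash does not preserve locality, so flows_share_queue() can return 0; a deployment that uses a non-zero tolerance would have to apply the same grouping rule inside queue_for_hash() for the queue assignment to stay consistent with the same-flow test.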
As an alternative example, the second control module includes:
the second processing unit is used for taking each VPN data packet of each queue as a current VPN data packet, and executing the following operations on the current VPN data packet:
acquiring an MAC address of a current VPN data packet, and filtering the current VPN data packet under the condition that the MAC address is not a local MAC address;
and acquiring a service module of the current VPN data packet, and filtering the current VPN data packet under the condition that the service module is not an encryption service.
Optionally, in this embodiment, after the VPP receives the classified VPN packets of each queue forwarded by the DPDK, it needs to filter the VPN packets of every queue simultaneously. Taking one queue as an example, when filtering and identifying the current VPN packet, the MAC address of the current VPN packet is obtained first. The MAC (Media Access Control) address is the unique identifier of the VPN packet in the network and is usually associated with the physical network card address of the device. Once the MAC address of the current VPN packet is obtained, it is checked against the local MAC address; if it does not match, i.e. the MAC address of the current VPN packet is not the local MAC address, the VPN packet is filtered out and not processed further. A VPN packet typically also carries information about its payload, including a service module identifier indicating the specific service to which the packet belongs. The VPP checks the service module of the current VPN packet to see whether it belongs to the encryption service; if the service module identifier indicates that the packet does not belong to the encryption service, it is filtered out, i.e. the packet is not allowed to pass. Together these two conditions filter the VPN packets efficiently: MAC address filtering ensures that only VPN packets originating from the local source are processed and non-local packets are not, and service module filtering ensures that only VPN packets belonging to the encryption service are processed while those of other services are ignored. Such a filtering strategy ensures that the system only processes VPN packets meeting the specified conditions, which improves the efficiency of the subsequent hardware encryption processing.
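The two filtering checks described above, as an added example in C that is not part of the patent or of the VPP code. It assumes that the MAC address compared with the local one is available as a six-byte field on the packet record and that the service module is carried as a small integer identifier; the local MAC, the service identifiers and the queue contents are constructed. The per-queue drop counters are an addition a defender would want: a rising count of non-local or non-encryption-service packets on a queue is the signal that something upstream is misclassifying traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Service module identifiers carried in the packet payload (constructed values;
 * the text only says the packet carries a service module identifier). */
enum service_module { SVC_ENCRYPT = 1, SVC_PLAIN = 2, SVC_MGMT = 3 };

enum verdict { KEEP = 0, DROP_MAC = 1, DROP_SERVICE = 2 };

struct vpn_pkt {
    uint8_t mac[6];           /* MAC address the text compares with the local one */
    enum service_module svc;  /* service module identifier from the payload */
};

struct filter_stats { size_t kept, dropped_mac, dropped_service; };

/* Constructed local MAC; a real deployment reads it from the interface. */
static const uint8_t LOCAL_MAC[6] = {0x02, 0x00, 0x00, 0xAB, 0xCD, 0x01};

/* The two checks from the text, applied in the order the text gives them. */
static enum verdict filter_packet(const struct vpn_pkt *p, const uint8_t local_mac[6]) {
    if (memcmp(p->mac, local_mac, 6) != 0)
        return DROP_MAC;       /* not the local MAC: filtered, no further processing */
    if (p->svc != SVC_ENCRYPT)
        return DROP_SERVICE;   /* not the encryption service: filtered */
    return KEEP;
}

/* Filter one queue in place, compacting kept packets to the front, and return
 * the number of packets that survive for the hardware encryption stage. */
static size_t filter_queue(struct vpn_pkt *q, size_t n, const uint8_t local_mac[6],
                           struct filter_stats *st) {
    size_t w = 0;
    memset(st, 0, sizeof *st);
    for (size_t r = 0; r < n; r++) {
        switch (filter_packet(&q[r], local_mac)) {
        case KEEP:         q[w++] = q[r]; st->kept++;  break;
        case DROP_MAC:     st->dropped_mac++;          break;
        case DROP_SERVICE: st->dropped_service++;      break;
        }
    }
    return w;
}

int main(void) {
    /* Constructed contents of one receive queue. */
    struct vpn_pkt q[] = {
        {{0x02, 0x00, 0x00, 0xAB, 0xCD, 0x01}, SVC_ENCRYPT},  /* kept */
        {{0x02, 0x00, 0x00, 0xAB, 0xCD, 0x02}, SVC_ENCRYPT},  /* not the local MAC */
        {{0x02, 0x00, 0x00, 0xAB, 0xCD, 0x01}, SVC_PLAIN},    /* not encryption service */
        {{0x02, 0x00, 0x00, 0xAB, 0xCD, 0x01}, SVC_ENCRYPT},  /* kept */
    };
    struct filter_stats st;
    size_t kept = filter_queue(q, sizeof q / sizeof q[0], LOCAL_MAC, &st);
    printf("kept=%zu dropped_mac=%zu dropped_service=%zu\n",
           kept, st.dropped_mac, st.dropped_service);
    return 0;
}
```

Because the VPP runs this per queue and in parallel, the stats structure is per queue as well; exporting the two drop counters per queue is what lets an operator tell a classification fault on one queue from a general flood.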
As an alternative example, the above apparatus further includes:
the processing module is used for carrying out code reconstruction on the encryption flow of the vector packet processing engine before the control data packet processing tool calls the application programming interface of the hardware encryption chip to operate the hardware encryption chip and simultaneously carry out hardware encryption processing on the VPN data packet of each queue, so that the vector packet processing engine can call the application programming interface of the hardware encryption chip through the data packet processing tool when carrying out encryption flow, and the hardware encryption chip is operated to simultaneously carry out hardware encryption processing on the filtered VPN data packet of each queue.
Optionally, in this embodiment, the VPP uses OpenSSL as its default encryption engine, i.e. software encryption, in which the algorithm is implemented in software. If the VPP is to use hardware encryption instead, the DPDK must be controlled to call the application programming interface of the hardware encryption chip, so as to operate the hardware encryption chip and perform hardware encryption processing on the VPN data packets of each queue simultaneously. The VPP encryption flow therefore needs code reconstruction to ensure that, when the VPP performs the encryption flow, it can control the DPDK to call the application programming interface of the hardware encryption chip.
As an alternative example, the above apparatus further includes:
and the loading module is used for loading the corresponding hardware driver of the hardware encryption chip in the data packet processing tool before controlling the data packet processing tool to call the application programming interface of the hardware encryption chip so as to operate the hardware encryption chip and simultaneously carry out hardware encryption processing on the VPN data packet of each queue, so that the vector packet processing engine can call the application programming interface of the hardware encryption chip through the data packet processing tool when carrying out encryption flow, and the hardware encryption chip is operated to simultaneously carry out hardware encryption processing on the filtered VPN data packet of each queue.
Optionally, in this embodiment, before controlling the DPDK to call an application programming interface of the hardware encryption chip to operate the hardware encryption chip and simultaneously perform hardware encryption processing on VPN data packets in each queue, a corresponding hardware driver of the hardware encryption chip needs to be loaded in the data packet processing tool.
As an alternative example, the third control module includes:
the control unit is used for controlling the data packet processing tool to call an application programming interface of the hardware encryption chip so as to operate the hardware encryption chip to simultaneously carry out hardware encryption processing on the filtered VPN data packet of each queue according to the corresponding hardware encryption function.
Optionally, in this embodiment, when the hardware encryption chip performs parallel hardware encryption processing on the VPN data packet of each queue, the hardware encryption chip performs hardware encryption processing on the filtered VPN data packet of each queue according to a corresponding hardware encryption function.
For other examples of this embodiment, please refer to the above examples, and are not described herein.
Fig. 5 is a schematic diagram of an alternative electronic device, as shown in fig. 5, including a processor 502, a communication interface 504, a memory 505, and a communication bus 508, wherein the processor 502, the communication interface 504, and the memory 506 communicate with each other via the communication bus 508, wherein,
a memory 505 for storing a computer program;
the processor 502 is configured to execute the computer program stored in the memory 506, and implement the following steps:
the control security chip classifies the VPN data packets so as to divide the VPN data packets into a plurality of queues;
the control data packet processing tool forwards VPN data packets of a plurality of queues to the vector packet processing engine, and controls the vector packet processing engine to filter the VPN data packets of each queue at the same time;
the control data packet processing tool calls an application programming interface of the hardware encryption chip to operate the hardware encryption chip and simultaneously conduct hardware encryption processing on the filtered VPN data packet of each queue;
The control packet processing means forwards the encrypted VPN packets for each queue to the corresponding destination address.
Alternatively, in the present embodiment, the above-described communication bus may be a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, or the like. For ease of illustration, only one thick line is shown in fig. 5, but this does not mean that there is only one bus or one type of bus. The communication interface is used for communication between the electronic device and other devices.
The memory may include RAM or may include non-volatile memory (non-volatile memory), such as at least one disk memory. Optionally, the memory may also be at least one memory device located remotely from the aforementioned processor.
As an example, the memory 505 may include, but is not limited to, the first control module 402, the second control module 404, the third control module 406, and the fourth control module 408 of the apparatus for encrypting the data packet. In addition, other module units of the apparatus for encrypting the data packet may be included, but are not limited to these, and are not described in detail in this example.
The processor may be a general purpose processor and may include, but is not limited to, a CPU (Central Processing Unit), an NP (Network Processor), etc.; it may also be a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field-Programmable Gate Array) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components.
Alternatively, specific examples in this embodiment may refer to examples described in the foregoing embodiments, and this embodiment is not described herein.
It will be understood by those skilled in the art that the structure shown in fig. 5 is only illustrative, and the device implementing the method for encrypting the data packet may be a terminal device such as a smart phone (an Android phone, an iOS phone, etc.), a tablet computer, a palmtop computer, a mobile internet device (MID), a PAD, etc. Fig. 5 does not limit the structure of the electronic device. For example, the electronic device may also include more or fewer components (e.g., network interfaces, display devices, etc.) than shown in fig. 5, or have a different configuration than shown in fig. 5.
Those of ordinary skill in the art will appreciate that all or part of the steps in the various methods of the above embodiments may be implemented by a program for instructing a terminal device to execute in association with hardware, the program may be stored in a computer readable storage medium, and the storage medium may include: flash disk, ROM, RAM, magnetic or optical disk, etc.
According to yet another aspect of embodiments of the present application, there is also provided a computer-readable storage medium having a computer program stored therein, wherein the computer program, when executed by a processor, performs steps in the method of encrypting a data packet as described above.
Alternatively, in this embodiment, it will be understood by those skilled in the art that all or part of the steps in the methods of the above embodiments may be performed by a program for instructing a terminal device to execute the steps, where the program may be stored in a computer readable storage medium, and the storage medium may include: a flash disk, Read-Only Memory (ROM), Random Access Memory (RAM), a magnetic or optical disk, and the like.
The above embodiment numbers of the present application are merely for description and do not represent the advantages or disadvantages of the embodiments.
The integrated units in the above embodiments may be stored in the above-described computer-readable storage medium if implemented in the form of software functional units and sold or used as separate products. Based on such understanding, the technical solution of the present application may be embodied in essence or a part contributing to the prior art or all or part of the technical solution in the form of a software product stored in a storage medium, including several instructions to cause one or more computer devices (which may be personal computers, servers or network devices, etc.) to perform all or part of the steps of the methods described in the various embodiments of the present application.
In the foregoing embodiments of the present application, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed client may be implemented in other manners. The above-described embodiments of the apparatus are merely exemplary; the division of the units is merely a logical function division and may be implemented in another manner, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed between the parts may be through some interfaces, units or modules, and may be electrical or of another form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The foregoing is merely a preferred embodiment of the present application and it should be noted that modifications and adaptations to those skilled in the art may be made without departing from the principles of the present application and are intended to be comprehended within the scope of the present application.

Claims (10)

1. A method of encrypting a data packet, comprising:
controlling a security chip to classify a plurality of VPN data packets, so as to divide the plurality of VPN data packets into a plurality of queues;
The method comprises the steps of controlling a data packet processing tool to forward VPN data packets of a plurality of queues to a vector packet processing engine, and controlling the vector packet processing engine to filter the VPN data packets of each queue at the same time;
controlling the data packet processing tool to call an application programming interface of a hardware encryption chip so as to operate the hardware encryption chip and simultaneously carry out hardware encryption processing on the filtered VPN data packet of each queue;
and controlling the data packet processing tool to forward the encrypted VPN data packet of each queue to a corresponding destination address.
2. The method of claim 1, wherein the controlling the security chip to classify the plurality of VPN data packets to split the plurality of VPN data packets into a plurality of queues comprises:
obtaining a policy file, wherein the policy file comprises metadata of stream hash, a queue reference and a policy name, the metadata is a source address of a VPN data packet, the queue reference is that the VPN data packet of the same stream is divided into different queues, and the policy name is a queue name;
and carrying out flow hash processing on the VPN data packets according to the strategy file so as to divide the VPN data packets of the same flow into different queues.
3. The method of claim 2, wherein the performing flow hashing on the plurality of VPN packets according to the policy file to divide VPN packets of a same flow into different queues comprises:
inputting the source address of each VPN data packet into a hash function to obtain a corresponding hash value;
determining the first VPN data packet and the second VPN data packet as VPN data packets with the same flow under the condition that the difference value between the first hash value of the first VPN data packet and the second hash value of the second VPN data packet is smaller than or equal to a preset value, wherein the first VPN data packet and the second VPN data packet are any two VPN data packets in the plurality of VPN data packets;
and dividing VPN data packets of the same flow into different queues according to the policy names and the queue references.
4. The method of claim 1, wherein controlling the vector packet processing engine to simultaneously filter VPN packets for each queue comprises:
taking each VPN data packet of each queue as a current VPN data packet, and executing the following operations on the current VPN data packet:
acquiring an MAC address of the current VPN data packet, and filtering the current VPN data packet under the condition that the MAC address is not a local MAC address;
And acquiring a service module of the current VPN data packet, and filtering the current VPN data packet under the condition that the service module is not an encryption service.
5. The method of claim 1, wherein prior to controlling the packet processing tool to invoke an application programming interface of a hardware encryption chip to operate the hardware encryption chip while performing hardware encryption processing on the filtered VPN packets for each queue, the method further comprises:
and carrying out code reconstruction on the encryption flow of the vector packet processing engine, so that when the vector packet processing engine carries out encryption flow, the application programming interface of the hardware encryption chip can be called through the data packet processing tool to operate the hardware encryption chip and simultaneously carry out hardware encryption processing on the filtered VPN data packet of each queue.
6. The method of claim 1, wherein prior to controlling the packet processing tool to invoke an application programming interface of a hardware encryption chip to operate the hardware encryption chip while performing hardware encryption processing on the filtered VPN packets for each queue, the method further comprises:
And loading a corresponding hardware driver of the hardware encryption chip in the data packet processing tool, so that the vector packet processing engine can call an application programming interface of the hardware encryption chip through the data packet processing tool when carrying out encryption flow, and the hardware encryption chip is operated to carry out hardware encryption processing on the filtered VPN data packet of each queue.
7. The method of claim 1, wherein controlling the packet processing tool to invoke an application programming interface of a hardware encryption chip to operate the hardware encryption chip while performing hardware encryption processing on the filtered VPN packets for each queue comprises:
and controlling the data packet processing tool to call an application programming interface of the hardware encryption chip so as to operate the hardware encryption chip to simultaneously carry out hardware encryption processing on the filtered VPN data packet of each queue according to the corresponding hardware encryption function.
8. An apparatus for encrypting a data packet, comprising:
the first control module is used for controlling the security chip to classify a plurality of VPN data packets so as to divide the VPN data packets into a plurality of queues;
The second control module is used for controlling the data packet processing tool to forward the VPN data packets of the queues to the vector packet processing engine and controlling the vector packet processing engine to filter the VPN data packets of each queue at the same time;
the third control module is used for controlling the data packet processing tool to call an application programming interface of the hardware encryption chip so as to operate the hardware encryption chip and simultaneously carry out hardware encryption processing on the filtered VPN data packet of each queue;
and the fourth control module is used for controlling the data packet processing tool to forward the encrypted VPN data packet of each queue to a corresponding destination address.
9. A computer-readable storage medium, having stored thereon a computer program, characterized in that the computer program, when executed by a processor, performs the method of any of claims 1 to 7.
10. An electronic device comprising a memory and a processor, characterized in that the memory has stored therein a computer program, the processor being arranged to execute the method according to any of the claims 1 to 7 by means of the computer program.
CN202311798062.7A 2023-12-25 2023-12-25 Method and device for encrypting data packet, storage medium and electronic equipment Pending CN117811785A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311798062.7A CN117811785A (en) 2023-12-25 2023-12-25 Method and device for encrypting data packet, storage medium and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311798062.7A CN117811785A (en) 2023-12-25 2023-12-25 Method and device for encrypting data packet, storage medium and electronic equipment

Publications (1)

Publication Number Publication Date
CN117811785A true CN117811785A (en) 2024-04-02

Family

ID=90429326

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311798062.7A Pending CN117811785A (en) 2023-12-25 2023-12-25 Method and device for encrypting data packet, storage medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN117811785A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination