CN1529473A - Safety union nesting method for realizing different safety terminals in IPsec standard - Google Patents
- Publication number
- CN1529473A
- Authority
- CN
- China
- Prior art keywords
- ipsec
- semaphore
- packet
- database
- security
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The method comprises two procedures, output and input. In the output flow, once it is confirmed that the network interface of the outgoing packet applies IPsec and that the packet is not a multicast packet, an SP query is performed; if the SP indicates that IPsec is to be applied, an SA query follows; if the SA is not empty, the packet is IPsec-encapsulated according to that SA; finally the off and len fields of the packet's IP header are converted back to host byte order and the semaphores of the security policy database and the security association database are released. The invention guarantees that, in an IPsec implementation, security association nesting with different security endpoints performs policy matching and SP queries correctly, and it raises both the processing efficiency and the overall efficiency of IPsec.
Description
Technical field:
The present invention relates to the field of communication and information security, and in particular to a solution for nested IPsec (Internet Protocol security) protection with different security endpoints.
Background technology:
The rapid development of information technology has brought major changes to society and to everyday life; computing and communication technology penetrates more and more fields by the day and has become a principal tool of society. At the same time, protecting information security, and communication security in particular, has become an issue of growing concern, and a range of security standards have arisen in response. Among them, IPsec is a major security protocol standard proposed by the IETF (Internet Engineering Task Force). By encrypting and authenticating IP packets at the IP (Internet Protocol) layer it provides access control, data integrity, data confidentiality, data origin authentication, anti-replay and limited traffic-flow confidentiality, thereby establishing a secure channel over the open Internet that protects the data the two communicating parties exchange through it. Because of these considerable advantages IPsec is now widely deployed, for example in building VPNs (Virtual Private Networks), protecting internal data, and protecting mobile users' access to an intranet. IPsec packet processing generally comprises two flows: output processing and input processing. Output processing is the flow in which a packet is given IPsec encapsulation at the origin of an SA (security association); input processing is the IPsec decapsulation that a packet already processed by IPsec receives at the endpoint of its SA.
The basic output flow is as follows. The system receives a packet and first queries the SPD (security policy database) for the packet's SP (security policy) using the SP selector (the five-tuple of source/destination IP address, source/destination port and upper-layer protocol). If the SP says discard, the packet is dropped and logged; if the SP says bypass IPsec, the packet is handed directly to the data link layer; if the SP says apply IPsec, the SA corresponding to that SP is found through the SP, the outgoing IP packet is IPsec-encapsulated with that SA, and the encapsulated packet is handed to the data link layer. The basic input flow is as follows. The system receives a packet and first determines whether it is an IPsec packet destined for the local host. If it is not, the SP is found by the SP selector and the packet is policy-matched against it: if matching fails the packet is dropped and logged, otherwise it is passed to the transport layer. If it is an IPsec packet destined for the local host, the SA for the packet is found from its SAid (SA index, the triple of SPI, protocol and destination address), the packet is IPsec-decapsulated with that SA, and finally the SP found by the SP selector is compared with the SP the SA points to: if the match fails the packet is dropped and logged, otherwise it is passed to the transport layer.
This method, however, has a serious shortcoming in many deployment environments. For example, when a host C outside the environment needs to communicate securely with a server inside it, an IPsec channel has to be established with the environment's gateway RA to keep out attackers from outside, and at the same time, to keep one department's secrets from leaking to other departments of the same environment, a further IPsec channel has to be established with the department gateway RB. This is the nested case in which IPsec channels share the same origin but have different endpoints. In particular, if the IPsec processing between host C and the department gateway RB uses transport mode, the output processing on host C runs into the following trouble: if the packet is put back into the IP queue after the first layer of IPsec processing is finished, then, because transport mode does not change the IP header, the SP selector obtained in the second pass is the same as in the first pass, so processing loops and errors result; moreover, re-queuing the packet means waiting for the next processing round, which lowers efficiency. In the input processing on host C, if the packet is put back into the IP queue after the first IPsec layer has been processed, then again, because transport mode does not alter the IP header, when policy matching is performed after the second IPsec decapsulation the SP that the SA points to is the SP of the second pass while the SP found by the SP selector is still that of the first pass, so policy matching fails and an error results. Existing IPsec implementations do not support this case, although there is considerable demand for it in real applications.
Summary of the invention:
The technical problem solved by the invention is the errors that arise, through policy matching and SP query failures, when the IPsec standard is applied in an environment of nested IPsec channels with the same origin but different endpoints; the aim is to provide a security association nesting method for different security endpoints in an IPsec implementation that guarantees correct policy matching and SP queries.
To this end the invention proposes a security association nesting method for realizing different security endpoints in the IPsec standard, characterized in that it comprises two processes, output and input:
For the output flow: once it is confirmed that the network interface of the outgoing packet applies IPsec and the packet is not a multicast packet, an SP query is performed; if the SP indicates that IPsec is to be applied, an SA query follows; if the SA is not empty, the packet is IPsec-encapsulated according to that SA; finally the off and len fields of the packet's IP header are converted to host byte order, the semaphores of the security policy database and the security association database are released, and processing ends correctly;
For the input flow: once it is confirmed that the network interface on which the packet was received applies IPsec and the packet is not a multicast packet, it is determined whether the packet is an IPsec packet destined for the local host and it is handled accordingly: a fragment is reassembled, a non-fragment is policy-matched and decapsulated; finally the off and len fields of the packet's IP header are converted to host byte order, the semaphores of the security policy database and the security association database are released, and processing ends correctly.
Specifically, the output handling process further may further comprise the steps:
(1) whether the network interface of judging the input packet uses the Ipsec standard, does not then discharge SPD and SADB (security association database, security association database) semaphore, end process process if do not use; If need to use the Ipsec standard, then continue;
(2) judge whether this bag is multicast packet, if then discharge the semaphore of SPD and SADB, the end process process; If not then continue;
(3) application SPD semaphore and SADB semaphore is for SP and SA inquiry provide interface;
(4) from packet, find the SP selector spidx of this packet, use this selector in SPD, to inquire about corresponding SP, as can not find out the value that then will give tacit consent to and be made as SP;
(5) if this SP is expressed as and walks around, then discharge the semaphore of SPD and SADB, the end process process; If this SP is expressed as and abandons, then abandon this bag, discharge SADB and SPD (Security Policy Database) semaphore, return ERROR information, the end process process; If SP then continues for using the Ipsec standard;
(6) off, the len with this packet IP head changes into the network bytes preface;
(7) pointer of restrainting by SP sensing SA finds first SA of this SP correspondence;
(8) judge if this SA is empty, then notify IKE to initiate new negotiation, abandon this bag and discharge SPD and SADB semaphore, return ERROR information; If SA is not empty, then this packet is carried out the IPsec encapsulation process according to this SA;
(9) judge whether the pointer that SA bundle points to next SA is empty, if be empty, shows that then the SA bundle of this SP correspondence is not also handled, and changes (8) processing over to; If empty, show that then the SA of current SP correspondence finishes dealing with, change (10) over to;
(10) judge that whether the pointer that current SP points to next SP is empty,, show then that the IPsec passage that also has different terminal points is nested not handle, SP is pointed to next SP, change (7) processing over to if be empty; If empty, show that then the SP of SP chain handles, off, the len of this packet IP head changed into local syllable sequence, change (11) over to;
(11) discharge SPD and SADB semaphore, correct end process;
The input handling process further may further comprise the steps:
(1) judges whether the network interface that receives packet uses the Ipsec standard, if do not use, then discharges SPD and SADB semaphore, returns correct information, the end process process; If need to use the Ipsec standard, then continue;
(2) judge that whether this packet is multicast packet, if then discharge SPD and SADB semaphore, returns correct information, the end process process; If not then continue;
(3) judge whether this bag is that purpose is the IPsec wrapper of this machine;
(3-1) if not, then this bag is carried out segmentation and judges;
If (3-1-1) fragmented packets, the processing of then recombinating;
(3-1-1-1) if reconstructing failure then discharges SPD and SADB
Semaphore returns ERROR information, the end process process;
(3-1-1-2) if recombinate successfully then according to the SP selector
Find the SP of the SA array correspondence of the SP chain of this bag and storage
Carry out strategy matching one by one, then discharge SPD if the match is successful
With the SADB semaphore, correct end process process; If have
A coupling is unsuccessful, then discharges SPD and SADB signal
Amount is returned ERROR information, the end process process;
(3-1-2) if not fragmented packets then finds this bag according to the SP selector
The SP chain and the SA array of storage carry out strategy matching, if a coupling is arranged not
Successful then discharge SPD and SADB semaphore, correct end process process; If
Coupling is unsuccessful, then discharges SPD and SADB semaphore, returns the ERROR letter
Breath, the end process process;
If (3-2) purpose is the IPsec wrapper of this machine, then change 4 over to);
(4) judge whether this bag is fragmented packets;
If (4-1) fragmented packets, the processing of then recombinating is if reconstructing failure is then released
Put SPD and SADB semaphore, return ERROR information, the end process process; If
Recombinate and successfully change 5 over to);
(4-2), then change 5 if this bag is not a fragmented packets) handle;
(5) id, off, the len with the IP head is converted to the network bytes preface;
(6) obtain corresponding SAid according to this bag, find corresponding SA, this SA is stored in the array with this SAid;
(7) with the SA that finds this bag is carried out corresponding IPsec decapsulation and handle, this SA is stored, judge again whether the pointer that this SA points to next SA is empty, if be not next SA with the SA assignment then for sky, changes 6 over to); If sky then continues;
(8) off, the len with the IP head is converted to this machine preface, discharges the semaphore of SPD and SADB, finishes the output processing procedure.
The SP of the method for the invention nested protection of IPsec of different terminal points by belonging to same starting point links with a chained list; according to the disposable processing of finishing all nested IPsec protections of the sequencing of chained list; not only successfully realize the correct processing of the nested IPsec of the multiple IPsec passage application scenario that the starting point same endpoint is different; and because all nested situations all are the disposable encapsulation of finishing; not needing to drop into again the IP formation waits in line; therefore improve treatment effeciency greatly, further improved the IPsec whole efficiency.
Description of drawings:
Fig. 1 is a schematic diagram of a practical application of security association nesting with different endpoints.
Fig. 2 is the basic flow of IPsec output processing.
Fig. 3 is the basic flow of IPsec input processing.
Fig. 4 is the IPsec input processing flow of the method of the invention.
Fig. 5 is the IPsec output processing flow of the method of the invention.
Embodiment:
The method of the invention is further described below with reference to an embodiment:
The method of the invention in fact addresses how an IPsec implementation in the information security field can efficiently handle nested IPsec protection with different security endpoints. Two kinds of nesting are involved. One is the nesting of the SA bundle belonging to a single SP, where the nested IPsec channels have the same origin and the same endpoint; the other is the nesting represented by an SP chain, where the nested IPsec channels have the same origin but different endpoints. In both kinds of nesting the corresponding SPs are stored in the SPD (security policy database) in the form of an SP chain, and when IPsec processing is performed the SAs of all the SPs are processed one after another, guided by the SPs of the chain, after which the packet is handed to the transport layer protocol without being put back into the IP queue. Note that the SA corresponding to each SP may itself be a nested SA bundle, in which case the nested SAs all share the same origin and endpoint.
The implementation of the method is described in detail below using the application scenario of Fig. 1. Fig. 2 is the basic flow of IPsec output, a general simplified flow that shows the principle, whereas Fig. 5 is the detailed processing flow after the method is applied, an engineering implementation; Fig. 3 and Fig. 4 are related in the same way. Fig. 1 contains two gateways RA and RB that apply IPsec, a host C on the external network, and a department server D and the hosts of other departments on the intranet, all interconnected through the Internet and the internal LAN. Host C outside the enterprise network is to communicate securely with server D of a department inside the enterprise. First, to prevent attacks from outside the enterprise, IPsec protection is applied between host C and the enterprise gateway RA; at the same time, to prevent attacks from other departments inside the enterprise, IPsec protection is established between host C and the department gateway RB. The SP structure is defined as follows: (1) the SP's own information; (2) a pointer to an SP structure.
When host C's security policy towards host D is configured, the security policy SP1 for the IPsec protection between host C and the department gateway RB is configured first (the SA bundle SP1 points to consists of two nested SAs, SA1 and SA2); besides its own information, SP1 also contains a pointer to SP2, the security policy for the IPsec protection between host C and the enterprise gateway RA (the SA bundle SP2 points to has a single SA, SA3). SP2 contains the information of its own policy, and its pointer to the next SP structure is NULL. Since the security policies SP of the nested IPsec protections are linked into a linked list by these pointers, the method is called the SP chain method. Because host C has two nested IPsec protections with different security endpoints (RA and RB), the output processing with the SP chain method of a packet that requires nested IPsec protection is described in detail as follows:
1. Acquire the SPD semaphore and the SADB semaphore, which provides access for the SP and SA queries.
2. Obtain the packet's SP selector spidx from the packet and use it to query the SPD, which yields SP1, the first element of the SP chain.
3. Convert the off and len fields of the packet's IP header to network byte order.
4. Follow SP1's pointer to its SA bundle to find the first security association of SP1, SA1.
5. If SA1 is empty, notify IKE to start a new negotiation, drop the packet, release the SPD and SADB semaphores and return ERROR. If SA1 is not empty, IPsec-encapsulate the packet according to SA1.
6. From SA1 find SA2, and IPsec-encapsulate the packet already encapsulated by SA1 once more according to SA2. Since SA2 is the last SA of the bundle SP1 points to, SP1 is finished; go to 7 to process SP2.
7. Follow SP1's pointer to the next SP to find SP2, from SP2 find the corresponding SA3, and IPsec-encapsulate the packet with SA3.
8. Since SP2's pointer to the next SP is NULL, the nested IPsec protection is complete: convert the off and len fields of the packet's IP header to host byte order, release the SPD and SADB semaphores and end processing correctly.
For a packet with nested IPsec protection whose source address is host D, host C invokes input processing, whose flow is as follows:
1. Acquire the semaphores for querying the SPD and the SADB.
2. Determine whether the packet is a fragment: 2-1 if it is a fragment, reassemble it; if reassembly fails, release the SPD and SADB semaphores, return ERROR and end; if reassembly succeeds, go to 3; 2-2 if the packet is not a fragment, go to 3.
3. Convert the id, off and len fields of the IP header to network byte order.
4. From the packet's SAid find SA3, the SA used for the last (outermost) IPsec encapsulation, and push SA3 onto the stack.
5. IPsec-decapsulate the packet with SA3. Since SA3's pointer to the next SA is empty, go to 6.
6. Since the packet remaining after the SA3 decapsulation is still an IPsec packet destined for the local host, find the corresponding SA2 from the packet's SAid and push SA2 onto the stack.
7. IPsec-decapsulate the packet with SA2, and from SA2 find SA1, which belongs to the same SA bundle.
8. IPsec-decapsulate the packet with SA1. Since SA1 and SA2 belong to the same SA bundle, SA1 is not pushed onto the stack.
9. The packet after the SA1 decapsulation is no longer an IPsec packet, so go to 10 for policy matching.
10. Using the SP selector of the decapsulated packet, find the packet's SP chain. First compare the first SP of the chain, SP1, with the SP pointed to by the first element popped from the stack, SA2: they are identical. Then compare the second SP of the chain, SP2, with the SP pointed to by the second element popped from the stack, SA3: they are identical. Finally the SP chain is exhausted and the stack is empty, so policy matching passes.
11. Convert the id, off and len fields of the IP header to host byte order, release the SPD and SADB semaphores and end processing correctly.
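The output steps, the input steps and the embodiment above all describe one algorithm: an SP chain walked once on output, an SA stack built on input, and policy matching that compares the two. The C program below is an added example and is not code from the patent or from any IPsec implementation. It models that control flow on the topology of Fig. 1 (SP1 with the bundle SA1, SA2 towards the department gateway RB, chained to SP2 with SA3 towards the enterprise gateway RA), with encapsulation reduced to pushing an SAid layer onto the packet and no cryptography at all. Every name in it (sp_t, sa_t, pkt_t, ipsec_output, ipsec_input, policy_match, build_fixture, demo_receive), the SPIs and the addresses "RA" and "RB" are this example's own assumptions, and SAs are treated as bidirectional so that host C can both build and receive the same nested packet; semaphore handling and byte-order conversion are left out.

```c
/* SP chain / SA stack model of the nested IPsec processing described above. Added example,
 * not the patent's or any IPsec stack's code: control flow only, encapsulation modelled as
 * pushing an SAid layer onto the packet, no cryptography, SAs treated as bidirectional,
 * constructed names, SPIs and addresses throughout. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_LAYERS 8

typedef enum { SP_DISCARD, SP_BYPASS, SP_IPSEC } sp_action_t;
typedef struct { uint32_t spi; uint8_t proto; const char *dst; } saidx_t;  /* SAid triple */
struct sp;
typedef struct sa { saidx_t id; struct sp *sp; struct sa *next_in_bundle; } sa_t;
typedef struct sp { sp_action_t action; sa_t *bundle; struct sp *next_sp; } sp_t;
typedef struct { const char *payload; saidx_t layer[MAX_LAYERS]; int nlayers; } pkt_t;
/* sa_t: SAid, the SP it was negotiated for, next SA of its bundle. sp_t: action, first SA
 * of its bundle, next SP of the SP chain. pkt_t: payload plus IPsec layers, innermost first. */

/* Output, steps (7)-(10): walk the SP chain once and every SP's SA bundle in turn. Returns
 * the layers applied, or -1 to drop (discard policy, or a missing SA left to IKE). */
int ipsec_output(pkt_t *p, sp_t *chain) {
    int applied = 0;
    if (chain == NULL || chain->action == SP_DISCARD) return -1;
    if (chain->action == SP_BYPASS) return 0;
    for (sp_t *sp = chain; sp != NULL; sp = sp->next_sp) {
        if (sp->bundle == NULL) return -1;
        for (sa_t *sa = sp->bundle; sa != NULL; sa = sa->next_in_bundle) {
            if (p->nlayers >= MAX_LAYERS) return -1;
            p->layer[p->nlayers++] = sa->id;  /* modelled encapsulation */
            applied++;
        }
    }
    return applied;
}

static sa_t *sadb_lookup(sa_t **sadb, int n, const saidx_t *id) {
    for (int i = 0; i < n; i++)
        if (sadb[i]->id.spi == id->spi && sadb[i]->id.proto == id->proto &&
            strcmp(sadb[i]->id.dst, id->dst) == 0) return sadb[i];
    return NULL;
}

/* Input, steps (6)-(7): peel layers outermost first, each SA found by its SAid. The first SA
 * met from a bundle is pushed, later SAs of that bundle are not (embodiment step 8).
 * Returns the stack depth, or -1 for an SAid the SADB does not know. */
int ipsec_input(pkt_t *p, sa_t **sadb, int nsadb, sa_t **stack) {
    int depth = 0;
    while (p->nlayers > 0) {
        sa_t *sa = sadb_lookup(sadb, nsadb, &p->layer[p->nlayers - 1]);
        if (sa == NULL) return -1;
        p->nlayers--;  /* modelled decapsulation */
        if (depth == 0 || stack[depth - 1]->sp != sa->sp) stack[depth++] = sa;
    }
    return depth;
}

/* Policy matching, embodiment step 10: pop the stack and compare each SA's SP with the SP
 * chain in order; chain and stack must run out together, so a chain that demands IPsec
 * rejects cleartext and any packet from which the inner (RB) protection was stripped. */
int policy_match(sp_t *chain, sa_t **stack, int depth) {
    if (chain == NULL || chain->action == SP_DISCARD) return 0;
    if (chain->action == SP_BYPASS) return depth == 0;
    sp_t *sp = chain;
    while (sp != NULL && depth > 0) {
        if (stack[--depth]->sp != sp) return 0;
        sp = sp->next_sp;
    }
    return sp == NULL && depth == 0;
}

/* Fixture after Fig. 1: SP1 (host C <-> department gateway RB) with bundle SA1->SA2, SP2
 * (host C <-> enterprise gateway RA) with SA3, SP1 chained to SP2. Returns the chain head. */
static sp_t SP1, SP2;
static sa_t SA1, SA2, SA3, *SADB[3];
sp_t *build_fixture(void) {
    SA1 = (sa_t){{0x1001, 50, "RB"}, &SP1, &SA2};
    SA2 = (sa_t){{0x1002, 51, "RB"}, &SP1, NULL};
    SA3 = (sa_t){{0x2001, 50, "RA"}, &SP2, NULL};
    SP1 = (sp_t){SP_IPSEC, &SA1, &SP2};
    SP2 = (sp_t){SP_IPSEC, &SA3, NULL};
    SADB[0] = &SA1; SADB[1] = &SA2; SADB[2] = &SA3;
    return &SP1;
}

/* Builds the nested packet, keeps only its outermost `keep` layers (3 = intact, 1 = RA
 * layer only, 0 = cleartext) and runs input processing plus policy matching at host C.
 * Returns 1 if accepted, 0 if refused, -1/-2 if output or input itself failed. */
int demo_receive(int keep) {
    sp_t *chain = build_fixture();
    pkt_t p = { .payload = "C -> D", .nlayers = 0 };
    sa_t *stack[MAX_LAYERS] = {0};
    if (keep < 0 || keep > 3 || ipsec_output(&p, chain) != 3) return -1;  /* SA1, SA2, SA3 */
    for (int i = 0; i < keep; i++) p.layer[i] = p.layer[3 - keep + i];    /* drop inner */
    p.nlayers = keep;
    int depth = ipsec_input(&p, SADB, 3, stack);
    return depth < 0 ? -2 : policy_match(chain, stack, depth);
}

int main(void) {
    printf("intact %d, RA layer only %d, cleartext %d\n",
           demo_receive(3), demo_receive(1), demo_receive(0));
    return 0;
}
```

demo_receive(3) returns 1: output lays down SA1, SA2, SA3, input pushes SA3 and SA2 (SA1 shares SP1's bundle with SA2 and is not pushed), and the pops SA2 then SA3 line up with SP1 then SP2. demo_receive(1), a packet carrying only the enterprise-gateway layer SA3, and demo_receive(0), cleartext, both return 0, because the chain still holds SP1 when the stack is empty or mismatched. As in the embodiment, one SA per bundle is pushed, so this check verifies which security endpoints protected the packet, not that every SA of a bundle was applied; that is left to the decapsulation step of a real stack.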
Claims (5)
1. A security association nesting method for realizing different security endpoints in the IPsec standard, characterized in that it comprises two processes, output and input:
For the output flow: once it is confirmed that the network interface of the outgoing packet applies IPsec and the packet is not a multicast packet, an SP query is performed; if the SP indicates that IPsec is to be applied, an SA query follows; if the SA is not empty, the packet is IPsec-encapsulated according to that SA; finally the off and len fields of the packet's IP header are converted to host byte order, the semaphores of the security policy database and the security association database are released, and processing ends correctly;
For the input flow: once it is confirmed that the network interface on which the packet was received applies IPsec and the packet is not a multicast packet, it is determined whether the packet is an IPsec packet destined for the local host and it is handled accordingly: a fragment is reassembled, a non-fragment is policy-matched and decapsulated; finally the off and len fields of the packet's IP header are converted to host byte order, the semaphores of the security policy database and the security association database are released, and processing ends correctly.
2. The security association nesting method for realizing different security endpoints in the IPsec standard according to claim 1, characterized in that the output flow further comprises the following steps:
(1) determining whether the network interface of the outgoing packet applies IPsec; if not, releasing the security policy database and security association database semaphores and ending processing; if IPsec is to be applied, continuing;
(2) determining whether the packet is a multicast packet; if so, releasing the semaphores of the security policy database and the security association database and ending processing; if not, continuing;
(3) acquiring the security policy database semaphore and the security association database semaphore to provide access for the SP and SA queries;
(4) obtaining the packet's SP selector spidx from the packet and using it to query the security policy database for the corresponding SP; if none is found, using the default value as the SP;
(5) if the SP indicates bypass, releasing the semaphores of the security policy database and the security association database and ending processing; if the SP indicates discard, dropping the packet, releasing the security association database and security policy database semaphores, returning ERROR and ending processing; if the SP indicates that IPsec is to be applied, continuing;
(6) converting the off and len fields of the packet's IP header to network byte order;
(7) following the SP's pointer to its SA bundle to find the first SA corresponding to the SP;
(8) if this SA is empty, notifying IKE to start a new negotiation, dropping the packet, releasing the security policy database and security association database semaphores and returning ERROR; if the SA is not empty, IPsec-encapsulating the packet according to this SA;
(9) determining whether the SA bundle's pointer to the next SA is empty; if it is not empty, the SA bundle of this SP has not been fully processed and step (8) is repeated; if it is empty, the SAs of the current SP are finished and step (10) follows;
(10) determining whether the current SP's pointer to the next SP is empty; if it is not empty, nested IPsec channels with other endpoints remain to be processed, the next SP becomes the current SP and step (7) is repeated; if it is empty, the SPs of the SP chain are finished, the off and len fields of the packet's IP header are converted to host byte order and step (11) follows;
(11) releasing the security policy database and security association database semaphores and ending processing correctly.
3. The security association nesting method for realizing different security endpoints in the IPsec standard according to claim 1, characterized in that the input flow further comprises the following steps:
(1) determining whether the network interface on which the packet was received applies IPsec; if not, releasing the security policy database and security association database semaphores, returning success and ending processing; if IPsec is to be applied, continuing;
(2) determining whether the packet is a multicast packet; if so, releasing the security policy database and security association database semaphores, returning success and ending processing; if not, continuing;
(3) determining whether the packet is an IPsec packet destined for the local host, and handling it accordingly;
(4) determining whether the packet is a fragment, and handling it accordingly;
(5) converting the id, off and len fields of the IP header to network byte order;
(6) obtaining the packet's SAid, finding the corresponding SA and storing it in the array together with its SAid;
(7) IPsec-decapsulating the packet with the SA found and storing the SA; then determining whether this SA's pointer to the next SA is empty; if it is not empty, making the next SA the current SA and returning to step (6); if it is empty, continuing;
(8) converting the off and len fields of the IP header to host byte order, releasing the semaphores of the security policy database and the security association database, and ending the input processing.
4. The security association nesting method for realizing different security endpoints in the IPsec standard according to claim 3, characterized in that step (3) further comprises the following steps:
(3-1) if the packet is not an IPsec packet destined for the local host, checking whether it is a fragment;
(3-1-1) if it is a fragment, reassembling it;
(3-1-1-1) if reassembly fails, releasing the security policy database and security association database semaphores, returning ERROR and ending processing;
(3-1-1-2) if reassembly succeeds, finding the packet's SP chain by the SP selector and the SPs corresponding to the stored SA array and policy-matching them one by one; if every match succeeds, releasing the security policy database and security association database semaphores and ending processing correctly; if any match fails, releasing the security policy database and security association database semaphores, returning ERROR and ending processing;
(3-1-2) if it is not a fragment, finding the packet's SP chain by the SP selector and the stored SA array and performing policy matching; if every match succeeds, releasing the security policy database and security association database semaphores and ending processing correctly; if any match fails, releasing the security policy database and security association database semaphores, returning ERROR and ending processing;
(3-2) if the packet is an IPsec packet destined for the local host, proceeding to step (4).
5. The security association nesting method for realizing different security endpoints in the IPsec standard according to claim 3, characterized in that step (4) further comprises the following steps:
(4-1) if the packet is a fragment, reassembling it; if reassembly fails, releasing the security policy database and security association database semaphores, returning ERROR and ending processing; if reassembly succeeds, proceeding to step (5);
(4-2) if the packet is not a fragment, proceeding to step (5).
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2003101018076A CN100463427C (en) | 2003-10-17 | 2003-10-17 | Safety union nesting method for realizing different safety terminals in IPsec standard |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1529473A true CN1529473A (en) | 2004-09-15 |
CN100463427C CN100463427C (en) | 2009-02-18 |
Family
ID=34304202
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNB2003101018076A Expired - Fee Related CN100463427C (en) | 2003-10-17 | 2003-10-17 | Safety union nesting method for realizing different safety terminals in IPsec standard |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN100463427C (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2009021428A1 (en) * | 2007-08-16 | 2009-02-19 | Hangzhou H3C Technologies Co., Ltd. | Secure protection device and method for message transfer |
CN1777174B (en) * | 2004-11-15 | 2010-06-23 | 中兴通讯股份有限公司 | Internet safety protocol high-speed processing IP burst method |
CN101138260B (en) * | 2006-02-14 | 2010-10-06 | 中兴通讯股份有限公司 | Method for determining slide window size in mobile wireless communicating system |
CN1791098B (en) * | 2004-12-13 | 2010-12-01 | 华为技术有限公司 | Method for realizing safety coalition synchronization |
CN101378326B (en) * | 2008-09-18 | 2011-03-16 | 中兴通讯股份有限公司 | Method for multicast user inquiring and aging |
CN101499965B (en) * | 2008-02-29 | 2011-11-02 | 沈建军 | Method for network packet routing forwarding and address converting based on IPSec security association |
CN106850672A (en) * | 2017-03-08 | 2017-06-13 | 迈普通信技术股份有限公司 | The Security Association lookup method and device of ipsec tunnel |
CN115225414A (en) * | 2022-09-21 | 2022-10-21 | 北京中科网威信息技术有限公司 | Encryption strategy matching method and device based on IPSEC (Internet protocol Security), and communication system |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2363549B (en) * | 2000-11-16 | 2002-05-29 | Ericsson Telefon Ab L M | Securing voice over IP traffic |
KR100414669B1 (en) * | 2001-10-29 | 2004-01-13 | 삼성전자주식회사 | Data translation apparatus of atm in mobile communication |
US20030135616A1 (en) * | 2002-01-11 | 2003-07-17 | Carrico Sandra Lynn | IPSec Through L2TP |
Events
- 2003-10-17: CN application CNB2003101018076A, granted as CN100463427C; status: not active (Expired - Fee Related)
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1777174B (en) * | 2004-11-15 | 2010-06-23 | 中兴通讯股份有限公司 | Internet safety protocol high-speed processing IP burst method |
CN1791098B (en) * | 2004-12-13 | 2010-12-01 | 华为技术有限公司 | Method for realizing safety coalition synchronization |
CN101138260B (en) * | 2006-02-14 | 2010-10-06 | 中兴通讯股份有限公司 | Method for determining slide window size in mobile wireless communicating system |
WO2009021428A1 (en) * | 2007-08-16 | 2009-02-19 | Hangzhou H3C Technologies Co., Ltd. | Secure protection device and method for message transfer |
US8392701B2 (en) | 2007-08-16 | 2013-03-05 | Hangzhou H3C Technologies Co., Ltd. | Method and apparatus for ensuring packet transmission security |
CN101499965B (en) * | 2008-02-29 | 2011-11-02 | 沈建军 | Method for network packet routing forwarding and address converting based on IPSec security association |
CN101378326B (en) * | 2008-09-18 | 2011-03-16 | 中兴通讯股份有限公司 | Method for multicast user inquiring and aging |
CN106850672A (en) * | 2017-03-08 | 2017-06-13 | 迈普通信技术股份有限公司 | The Security Association lookup method and device of ipsec tunnel |
CN106850672B (en) * | 2017-03-08 | 2019-09-03 | 迈普通信技术股份有限公司 | The Security Association lookup method and device of ipsec tunnel |
CN115225414A (en) * | 2022-09-21 | 2022-10-21 | 北京中科网威信息技术有限公司 | Encryption strategy matching method and device based on IPSEC (Internet protocol Security), and communication system |
CN115225414B (en) * | 2022-09-21 | 2022-12-13 | 北京中科网威信息技术有限公司 | Encryption strategy matching method and device based on IPSEC (Internet protocol Security) and communication system |
Also Published As
Publication number | Publication date |
---|---|
CN100463427C (en) | 2009-02-18 |
Similar Documents
Publication | Title |
---|---|
CN1842000A (en) | Method for realizing access authentication of WLAN |
CN1747380A (en) | The block encryption data are decrypted |
CN1455556A (en) | Wireless LAN safety connecting-in control method |
CN1765079A (en) | Packet encryption substituting device |
CN1536847A (en) | Method for authority discrimination grouping and effective loading |
CN1864390A (en) | Method and apparatus for providing network security using security labeling |
CN101040496A (en) | VPN gateway device and hosting system |
CN1456006A (en) | Methods and arrangements in a telecommunications system |
CN1378735A (en) | Protection of communications |
CN1756234A (en) | Server, VPN client, VPN system, and software |
CN1929483A (en) | Admittance control method for IPv6 switch-in network true source address access |
CN1949705A (en) | Dynamic tunnel construction method for safety access special LAN and apparatus therefor |
CN101345689B (en) | Method, apparatus and communication equipment for implementing IP safety service |
CN1270481C (en) | Access gate wireless local area network and implementation for guaranteeing network safety |
CN1747436A (en) | Access method and system for client end of virtual private network |
CN1523808A (en) | Method for encrypting data of an access virtual private network (vpn) |
CN101030935A (en) | Method for crossing NAT-PT by IPSec |
CN1529473A (en) | Safety union nesting method for realizing different safety terminalsin IPsec standard |
US20170170986A1 (en) | Transport protocol task offload emulation to detect chunks of data for communication with a private network |
CN1516386A (en) | Network communication safe processor and its data processing method |
CN101039181A (en) | Method for preventing service function entity of general authentication framework from attack |
CN100352220C (en) | Safety access method based on dynamic host configuration arrangment and network gate verification |
CN1753569A (en) | System and method for treating mobile communication data business based on false code |
CN1627682A (en) | Method for creating dynamic cipher at time of building connection in network transmission |
CN112367160B (en) | Virtual quantum link service method and device |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
C14 | Grant of patent or utility model | |
GR01 | Patent grant | |
C17 | Cessation of patent right | |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20090218; Termination date: 20131017 |