CN1571399A - Network safety processing equipment and method thereof - Google Patents


Info

Publication number: CN1571399A
Application number: CNA031329810A
Authority: CN (China)
Prior art keywords: data, data message, processing, module, processing module
Legal status: Granted (status as assumed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN100502348C (en)
Inventors: 程明强, 黄勇
Current assignee: Huawei Technologies Co Ltd (listing as given by Google Patents, not legally verified)
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CNB031329810A; publication of CN1571399A; application granted; publication of CN100502348C
Current legal status: Expired - Fee Related

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a network security processing device and method. Packets and SA data are carried over two separate paths, a general data bus and a memory bus, so that access to the SA data does not interfere with the system's other data accesses: utilisation of the system data bus improves and the waiting time of the network security processor is reduced. The SA data are held in a local memory, so the capacity of the system can be adjusted as required in order to support more connections. In addition, the encryption/decryption/hash unit contains two hash arithmetic units, and a compression module and a decompression module are provided, so that the more secure bundled IPsec processing (ESP plus AH) and the compression processing can be completed in a single pass. The overall processing capacity of the network security processing device is thereby improved.

Description

Network safety processing equipment and method thereof
Technical field
The present invention relates to the field of network communications technology, and in particular to a network security processing device and method.
Background art
With the development of network communications technology the number of users accessing IP (Internet Protocol) networks keeps growing, and guaranteeing the security of network communications has become a major problem that communication networks must solve. At present IPsec (Internet Protocol Security) is widely used to provide security in IP networks. IPsec authentication comprises two security protocols, the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol; used together with the Internet Key Exchange protocol (IKE), they make network communication both secure and reliable.
AH provides authentication of the entire IP packet, that is, verification of data integrity and of data origin: if the packet has been tampered with, or was not sent by the expected party, authentication fails. ESP provides encryption and authentication of the packet payload. The bundled IPsec operation in common use applies both ESP and AH to the same IP packet, so that the packet is encrypted and authenticated at the same time and both the security and the confidentiality of packets transmitted across the network are fully guaranteed.
IPsec works by establishing a Security Association (SA) and carrying the corresponding SA data for each packet. An SA is an agreement negotiated between two communicating entities; the SA data define the IPsec protocol used to protect the packets, the encryption/decryption and authentication algorithms, the keys and the key lifetime, and so on. The receiver looks up the SA data using the destination IP address, the IPsec protocol type (AH or ESP) and the SPI (Security Parameter Index) carried in the packet header, and then decrypts and authenticates the IP packet according to the SA contents, so as to guarantee the confidentiality (the data cannot be recovered by an attacker), the reliability and the integrity (the data have not been tampered with) of the data. The Internet Key Exchange (IKE) is the most important part of IPsec: before an IP packet can be protected by IPsec an SA must first be established and the corresponding SA data attached to the packet, and IKE is used to set up SAs dynamically. IKE negotiates SAs on behalf of the IPsec protocol and obtains the SA data through that negotiation.
Because encrypting and authenticating packets requires considerable computation, communication systems with high security requirements usually use a purpose-built network security processor to handle the IPsec packets transmitted over the network. To encrypt and authenticate an IP packet the network security processor must read both the packet and its SA data into the processor, identify the IP packet, process it according to the corresponding SA data, update part of the SA data, and then send out the processed packet.
The encryption and authentication procedure for IP packets currently in use is described with reference to Fig. 1 and Fig. 2, and comprises the following steps:
Step 21: after the two communicating parties have negotiated, the host stores the negotiated SA data in host memory, i.e. the SA data share memory with the system;
Step 22: when a received packet is found to require encryption, the host notifies the DMA (direct memory access) module of the packet and its SA data by means of a packet descriptor;
Step 23: according to the descriptor, the DMA module reads the SA data over the PCI (Peripheral Component Interconnect) bus into the input buffer of the network security processor of Fig. 1 and caches them there, then reads the packet over the general data bus into the input buffer and caches it;
Step 24: once the SA data and the packet have been read into the input buffer, the network security processor reads them from the input buffer and the packet header processing module processes the packet header;
If bundled IPsec processing is to be applied to the packet, the packet must be read from the input buffer again according to the SA data, i.e. the SA data and the packet are read a second time and the following steps are performed again in turn;
Step 25: after header processing, the encryption/decryption/hash unit encrypts or authenticates the packet and passes it to the packet tail processing module;
Step 26: the packet tail processing module processes the packet tail according to the result from the encryption/decryption/hash unit and places the finished packet in the output buffer;
Step 27: the DMA module returns the finished packet to the host over the general data bus; after the packet has been written back, the DMA module also updates the SA data in host memory over the general data bus, which completes one packet processing cycle.
If bundled IPsec processing is required, steps 22 to 27 above must be repeated. In other words, to support bundled IPsec processing the packet passes in and out of the chip over the data bus several times, which reduces system performance.
From the above description of the prior art it can be seen that, because the packets reside in host memory, the DMA module must carry both the packets and the SA data over a single general data bus or other bus, which congests that bus and lowers the encryption rate. At the same time, because the SA data must be read before the packet itself can be read for operations such as encryption and authentication, the crypto engine inside the hardware accelerator is frequently left waiting and the encryption performance of the system cannot be raised significantly. Further, because the SA data are kept in host memory, supporting more connections means storing more SA data in host memory; since the host memory of ordinary network equipment is limited, the number of connections the system can support is bounded by the size of host memory.
In addition, the prior art shares memory with the system, i.e. the transmit and receive traffic of the host's other service cards also goes through host memory, so the frequent host memory accesses caused by cryptographic operations degrade the performance of the whole system.
Moreover, the prior art does not support IPComp (the IP payload compression protocol); if the system needs to compress packets, a dedicated compression processor has to be added.
Summary of the invention
In view of the above problems in the prior art, the object of the present invention is to provide a network security processing device and method that overcome those problems, make the encryption and authentication of packets simpler, and do not affect the performance of the host system.
The object of the present invention is achieved as follows:
The present invention provides a network security processing device comprising:
an input buffer module, which receives the packets to be encrypted and authenticated together with the corresponding SA (security association) data, caches them, and passes them to the packet header processing module;
a packet header processing module, which receives the packets and SA data, processes the packet header, and passes the packet together with the SA data to the encryption/decryption/hash unit;
an encryption/decryption/hash unit, which receives the header-processed packet and the SA data, performs the bundled IPsec (Internet Protocol Security) processing of the packet according to the SA data, and passes it to the packet tail processing module;
a packet tail processing module, which receives the packet from the encryption/decryption/hash unit, processes the packet tail, and passes it to the output buffer module;
an output buffer module, which receives the packet from the packet tail processing module, caches it, and sends it out.
The input buffer module and the output buffer module are each connected to host memory through a DMA (direct memory access) module and the general data bus, and to a local memory through the DMA module and a memory bus.
The local memory is SDRAM (synchronous dynamic random-access memory) or DDR SDRAM (double-data-rate SDRAM).
The network security processing device of the present invention further comprises:
a compression processing module connected between the input buffer module and the packet header processing module, which receives the packet from the input buffer, compresses it, and passes it to the packet header processing module;
a decompression processing module connected between the packet tail processing module and the output buffer module, which receives the packet from the packet tail processing module, decompresses it, and passes it to the output buffer module.
The packet header processing module receives the packets and SA data, inserts in a single operation the security headers required for bundled IPsec processing, and passes the packet together with the SA data to the encryption/decryption/hash unit.
The encryption/decryption/hash unit comprises:
an ESP (Encapsulating Security Payload) processing module, which receives the packet and SA data from the packet header processing module, performs the corresponding encryption/decryption and/or authentication according to the SA, and hands the packet to the AH (authentication header) processing module;
an AH processing module, which receives the packet and SA data from the ESP processing module, performs the corresponding hash computation according to the SA data, and passes the packet to the packet tail processing module.
The present invention also provides a network security processing method comprising:
a. the system delivers the negotiated SA data to the local memory over the general data bus and through the network security processing device, and stores received packets in the system host memory;
b. the network security processing device fetches the packets from the system host memory over the general data bus, and fetches the SA data from the local memory over the memory bus;
c. the network security processing device performs the corresponding network security processing according to the fetched SA data and packets, and sends the result.
The network security processing method further comprises:
updating the packet in host memory with the processed packet over the general data bus, and updating the SA data in the local memory with the processed SA data over the memory bus.
Step a further comprises:
the SA data negotiated between the communicating parties are delivered directly to the local memory over the general data bus and through the DMA module of the network security processing device.
Step b comprises:
if the general data bus is a PCI (Peripheral Component Interconnect) bus with a bandwidth of 1 to 2 Gbps, the host CPU passes the address of the packet and the address of the SA data in local SDRAM down to the network security processing device, whose DMA then fetches the packet and the SA data from those addresses;
if the general data bus is a POS-PHY (POS physical layer interface) bus with a bandwidth of up to 10 Gbps, and the host holds the mapping between SA data addresses and packets, the host CPU passes only the SA data address down to the network security processing device, prefixed to the corresponding packet, and the network security processing device obtains the SA data from that address;
if the general data bus is a still faster POS-PHY bus, and the mapping between SA data addresses and packets is held on the network security processing device side, then on receiving a packet the network security processing device looks up the SA data address for that packet in the mapping and obtains the SA data from that address.
Step c comprises:
c1. the input buffer module receives the fetched SA data and packet, caches them, and passes them to the packet header processing module;
c2. the packet header processing module processes the packet header and passes the processed packet together with the SA data to the encryption/decryption/hash unit;
c3. the encryption/decryption/hash unit performs the corresponding encryption/decryption of the packet according to the SA data and passes it to the packet tail processing module;
c4. the packet tail processing module processes the packet tail and sends the packet out through the output buffer.
Step c1 further comprises:
compressing the packet to be transmitted (an outbound packet) that has been cached by the input buffer module according to the configured compression format, and then passing it to the packet header processing module;
Step c4 further comprises:
decompressing the received packet (an inbound packet) after the packet tail processing module has processed it, and then sending it out through the output buffer.
Step c2 comprises:
the packet header processing module inserts in a single operation the security headers used for ESP processing and for AH processing, and optionally pads the packet;
the processed packet is passed together with the SA data to the encryption/decryption/hash unit.
Step c3 comprises:
first the ESP processing module encrypts/decrypts and/or authenticates the packet according to the SA data; then the AH processing module computes the hash of the packet according to the SA data and passes it to the packet tail processing module.
Step c4 further comprises:
updating the SA data in the local memory through the output buffer and the DMA module, and returning the security-processed packet to the host.
Step c4 further comprises:
writing the packet back to host memory and, after the SA data in local SDRAM have been updated, reporting the processing result to the host by interrupt.
Updating the SA data comprises: if the packet processed is inbound, the sequence number in the SA data is updated; if the packet processed is outbound, the Mask (anti-replay sequence number mask) and the sequence number in the SA data are updated.
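The lookup of SA data by destination address, protocol and SPI described in the background section, together with the sequence-number and anti-replay-mask update of this step, as an added worked example in Python; it is not code from the patent or from Huawei. It assumes a 32-bit replay window and follows the RFC 2401 placement of the state: the sender increments the sequence number, while the receiver tracks the highest sequence number seen plus a bitmap (the Mask) of recently accepted numbers, which is where the mask is normally maintained. Field names, key lengths and the window size are assumptions.

```python
from dataclasses import dataclass

PROTO_ESP = 50
PROTO_AH = 51
WINDOW_BITS = 32          # assumed window size; RFC 2401 requires at least 32


@dataclass
class SecurityAssociation:
    """One SA record as the text describes it: protocol, algorithms, key,
    lifetime, plus the replay state (sequence number and anti-replay mask)."""
    dst: str
    proto: int
    spi: int
    cipher: str
    auth: str
    key: bytes
    lifetime_s: int
    seq: int = 0          # sender: last number sent; receiver: highest number accepted
    mask: int = 0         # receiver bitmap: bit 0 = seq, bit n = seq - n


class SaTable:
    """SA data keyed on (destination IP, protocol, SPI), the three selectors
    the background section names for the receiver-side lookup."""

    def __init__(self):
        self._sas = {}

    def add(self, sa):
        self._sas[(sa.dst, sa.proto, sa.spi)] = sa

    def lookup(self, dst, proto, spi):
        return self._sas.get((dst, proto, spi))


def next_outbound_seq(sa):
    """Sender side: take the next sequence number. A 32-bit counter must not
    wrap; the SA has to be renegotiated instead (RFC 2401 section 5.1.2.2)."""
    if sa.seq >= 0xFFFFFFFF:
        raise OverflowError("sequence number exhausted; renegotiate the SA")
    sa.seq += 1
    return sa.seq


def check_and_update_replay(sa, seq):
    """Receiver side sliding window (RFC 2401 appendix C). Returns True and
    records the number if the packet is fresh; False if it is a replay,
    older than the window, or carries the invalid sequence number 0."""
    if seq == 0:
        return False
    if seq > sa.seq:                                   # to the right of the window
        shift = seq - sa.seq
        if shift >= WINDOW_BITS:
            sa.mask = 1                                # everything seen is now too old
        else:
            sa.mask = ((sa.mask << shift) | 1) & ((1 << WINDOW_BITS) - 1)
        sa.seq = seq
        return True
    diff = sa.seq - seq                                # inside or left of the window
    if diff >= WINDOW_BITS:
        return False
    if sa.mask & (1 << diff):
        return False                                   # already accepted: replay
    sa.mask |= 1 << diff
    return True


def admit_inbound(table, dst, proto, spi, seq):
    """What the receive path does before any decryption work: find the SA from
    the packet's selectors, then apply the replay check. Returns (sa, verdict)."""
    sa = table.lookup(dst, proto, spi)
    if sa is None:
        return None, "no-sa"
    return sa, "accept" if check_and_update_replay(sa, seq) else "replay"


if __name__ == "__main__":
    table = SaTable()
    table.add(SecurityAssociation("10.0.0.2", PROTO_ESP, 0x1000, "aes-cbc",
                                  "hmac-sha1-96", b"k" * 16, 3600))
    for n in (5, 5, 3, 40, 8, 9):                        # constructed sequence numbers
        print(n, admit_inbound(table, "10.0.0.2", PROTO_ESP, 0x1000, n)[1])
```

A packet whose number is already marked in the mask, or that falls a full window behind the highest number accepted, is rejected before any decryption work is spent on it; the wrap check on the send side is what forces the SA to be renegotiated instead of reusing sequence numbers under the same key.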
From the technical solution provided above it can be seen that, in the encryption and authentication of packets, the present invention carries the SA data and the packets over a general data bus and a memory bus respectively, so that fetching the SA data does not affect the system's fetching of other data, i.e. it puts no load on the system data bus. Packets can therefore be fetched in real time without waiting for the SA data fetch to complete, and once packet processing has finished the SA data can be updated over the other bus while the packet is being returned, which greatly reduces the waiting time of the network security processor.
In addition, the present invention uses dedicated local RAM (random-access memory) to hold the SA data, so that the capacity of the system can be adjusted as required: if the application needs to support more connections, a larger SDRAM (synchronous dynamic random-access memory) or DDR SDRAM (double-data-rate SDRAM) can be used, and the number of connections supported is independent of the size of host memory. Furthermore, the encryption/decryption/hash unit of the present invention uses two hash arithmetic units so that ESP processing and AH processing can be completed in one pass, and a compression processing module and a decompression processing module are provided, so that the more secure bundled IPsec processing combined with compression is completed in a single pass without software scheduling or repeated processing; the overall processing performance is improved several times over.
Description of drawings
Fig. 1 is a structural diagram of a network security processing device of the prior art;
Fig. 2 is a flow chart of the network security processing method of the prior art;
Fig. 3 is a diagram of the application structure of the network security processing device of the present invention;
Fig. 4 is a structural diagram of the network security processing device of the present invention;
Fig. 5 is a flow chart of the network security processing method of the present invention.
Embodiments
The network security processing device and method of the present invention read the SA data and the packets over a memory bus and a general data bus respectively: first the SA data and the packets are read over the general data bus into the local memory of the network security processing device, then the device fetches the corresponding SA data and packets from the local memory over the memory bus and performs the corresponding network security processing. Also, the encryption/decryption/hash unit of the device can complete the ESP processing and the AH processing of a packet in a single pass, which simplifies the network security processing; and the device is provided with a compression processing module and a decompression processing module, so that it can compress and decompress packets.
The network security processing device of the present invention is normally installed in equipment such as secure routers, VPN (Virtual Private Network) gateways and firewalls. As shown in Fig. 3, the device usually communicates with the host and host memory over the general data bus to obtain the information it needs, and is also connected to a local memory over a memory bus; in the figure the local memory is SDRAM (synchronous dynamic random-access memory). The structure of the device is shown in Fig. 4 and comprises:
an input buffer module, which obtains the packets to be encrypted and authenticated together with the corresponding SA (security association) data from local SDRAM over the memory bus, caches them, and passes them to the packet header processing module;
a packet header processing module, which receives the packets and SA data from the input buffer module, processes the packet header, and passes the packet together with the SA data to the encryption/decryption/hash unit; the processing done by the packet header processing module includes inserting the security headers and padding, so that the encryption/decryption/hash unit can process the packet normally;
an encryption/decryption/hash unit, which receives the header-processed packet and SA data, performs the bundled IPsec processing of the packet according to the SA data, and passes it to the packet tail processing module;
To meet the needs of bundled IPsec processing, the encryption/decryption/hash unit further comprises an ESP (Encapsulating Security Payload) processing module and an AH (authentication header) processing module; when IPsec processing is required, the packet undergoes ESP processing and then AH processing according to the SA data, so that bundled IPsec processing is completed in one pass, where:
the ESP processing module receives the packet and SA data from the packet header processing module, performs the corresponding encryption/decryption and/or authentication according to the SA, and hands the packet to the AH processing module; encryption and authentication are each optional, i.e. depending on what the SA data require there are three cases: encryption only, authentication only, or encryption together with authentication;
the AH processing module receives the packet and SA data from the ESP processing module, performs the corresponding hash computation according to the SA data, and passes the packet to the packet tail processing module; that is, it computes the hash over the whole packet and writes the authentication value back into the AH header. The authentication value field of the AH header (96 bits in total) is reserved during header processing, because the authentication value cannot be obtained while the header is being processed; it becomes available only once the whole packet has been processed, and is then filled into the AH header.
a packet tail processing module, which receives the packet from the encryption/decryption/hash unit, processes the packet tail, and passes it to the output buffer module;
tail processing generally includes removing the padding from inbound packets, and so on;
an output buffer module, which receives the packet from the packet tail processing module, caches it and sends it out, i.e. sends the processed packet to host memory over the general data bus and updates the SA data in host memory.
Since packets often have to be compressed before transmission in real communication applications, the network security processing device of the present invention is additionally provided with a compression processing module and a decompression processing module; the compression protocol they use can be chosen as required, for example IPComp. Specifically:
a compression processing module is connected between the input buffer module and the packet header processing module, which receives the packet from the input buffer, compresses it, and passes it to the packet header processing module;
a decompression processing module is connected between the packet tail processing module and the output buffer module, which receives the packet from the packet tail processing module, decompresses it, and passes it to the output buffer module.
Based on the network security processing device described above, the present invention also provides a network security processing method, shown in Fig. 5, which comprises the following steps:
Step 500: the negotiated SA data are delivered over the general data bus and through the network security processing device into the local memory, and received packets that require network security processing are stored in the system host memory;
Usually, when equipment such as a router fitted with the network security processing device receives a packet that needs network processing, the packet is first stored in the host memory of the equipment and then stored by the DMA of the device, over the general data bus, in the local memory of the device, i.e. the local SDRAM;
The local SDRAM also holds the negotiated SA data. The SA data are negotiated and determined by the two communicating parties, which communicate about the SA negotiation over the established IPsec connection; once the SA data have been determined they are delivered directly into local SDRAM through the PCI bridge chip, the PCI bus and the DMA of the network security processing device;
The local SDRAM is managed by the network security processing device; the host CPU (central processing unit) cannot read or write it directly, and if the host needs to access local SDRAM it can only do so indirectly through the network security processing device;
Storing the SA data directly in local SDRAM means that the network security processing device no longer has to use the general data bus to fetch the SA data from host memory for every packet it processes, which reduces the load on the general data bus;
The general data bus in the present invention may be a PCI bus, a POS-PHY (POS physical layer interface) bus or a FIFO (first-in first-out) bus.
Step 501: the network security processing device fetches the packet stored in host memory through its own DMA module and the general data bus and delivers it to its input buffer; at the same time it fetches the SA data from the local memory (local SDRAM) over the memory bus into the input buffer;
When a packet requires IPsec processing:
if the general data bus is a PCI bus of 1 to 2 Gbps, the host CPU passes the address of the packet and the address of the SA data in local SDRAM down to the network security processing device, and the DMA of the device fetches the packet and SA data from those addresses;
if the general data bus is a bus such as POS-PHY with a bandwidth of up to 10 Gbps, and the host holds the mapping between SA data addresses and packets, the host CPU passes only the SA data address down to the network security processing device, prefixed to the corresponding packet, so that the device obtains the SA data from that address and then processes the packet;
if the general data bus is a still faster bus such as POS-PHY, and the mapping between SA data addresses and packets is held on the network security processing device side (for example, the host delivers the mapping to the device in advance, after negotiation), then on receiving a packet the device looks up the SA data address for that packet in the mapping and thereby obtains the SA data.
Following step 501, the network security processing device performs the corresponding network security processing according to the fetched SA data and packet, and sends the result; specifically:
Step 502: the input buffer module receives the SA data and packet, caches them, and passes them to the packet header processing module;
Step 503: the outbound packet cached by the input buffer module is compressed and then passed to the packet header processing module;
On receiving the outbound packet from the input buffer, the device determines from the SA data whether the packet needs compression; if so, step 503 compresses it, otherwise step 504 processes the packet header directly;
Inbound packets, moreover, skip the compression of step 503 and proceed directly to step 504.
Step 504: the packet header processing module is issued encryption and decryption/Hash unit with the SA data after the head of data message is handled;
The head of data message handled comprise and insert security header and processing such as fill character, wherein:
Described insertion security header, be used for after reciever receives this data message, by detecting security header, can judge that this data message need adopt ipsec protocol to carry out network security and handle, need carry out the network security handling process of ipsec protocol equally to it, and in the present invention unlike the prior art be that disposable insertion is used for that ESP handles and the security header of AH processing, handle so that can once finish ESP processing and AH in encryption and decryption/Hash unit, it is more easy to make network security handle;
Described filling character, encrypt the cryptographic algorithm of the symmetry that adopts grouping in the ipsec protocol, the length of encrypting grouping generally is 8 bytes or 16 bytes, if the length of the data message that receives is not the integral multiple of 8 bytes or 16 bytes, then need the processing of filling character of this data message, to satisfy the needs that ipsec protocol is handled.
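The padding step above, as an added worked example that is not the patent's own code. The text only says the packet must be brought to a multiple of 8 or 16 bytes; the trailer layout used here (pad bytes 0x01, 0x02, ..., then a pad-length byte and a next-header byte) is the RFC 4303 ESP trailer, assumed so that the receiver can also validate the padding before trusting it.

```python
from typing import Tuple

# Added illustration of the padding step; not the patent's own code.
# Trailer layout (pad bytes 1,2,3,..., pad length, next header) is the RFC 4303 one;
# the patent only states that the packet must be a multiple of 8 or 16 bytes.

BLOCK_SIZES = (8, 16)          # block lengths named in the text
TRAILER_LEN = 2                # pad-length byte + next-header byte


def esp_pad(payload: bytes, block_size: int, next_header: int) -> bytes:
    """Pad `payload` so that payload + padding + trailer is a multiple of block_size."""
    if block_size not in BLOCK_SIZES:
        raise ValueError("block size must be 8 or 16 bytes")
    if not 0 <= next_header <= 255:
        raise ValueError("next header must fit in one byte")
    pad_len = (-(len(payload) + TRAILER_LEN)) % block_size
    padding = bytes(range(1, pad_len + 1))     # 0x01, 0x02, ... as RFC 4303 prescribes
    return payload + padding + bytes([pad_len, next_header])


def esp_unpad(data: bytes, block_size: int) -> Tuple[bytes, int]:
    """Receiver side: strip and validate the trailer, returning (payload, next_header).

    Every check raises instead of returning a guess: a malformed trailer on a packet
    that already passed the integrity check points at a bug or a corrupted SA.
    """
    if block_size not in BLOCK_SIZES:
        raise ValueError("block size must be 8 or 16 bytes")
    if len(data) < TRAILER_LEN or len(data) % block_size != 0:
        raise ValueError("ESP payload length is not a multiple of the block size")
    pad_len, next_header = data[-2], data[-1]
    if pad_len > len(data) - TRAILER_LEN:
        raise ValueError("pad length exceeds packet length")
    payload_end = len(data) - TRAILER_LEN - pad_len
    if data[payload_end:-TRAILER_LEN] != bytes(range(1, pad_len + 1)):
        raise ValueError("padding bytes do not match the expected 1,2,3,... pattern")
    return data[:payload_end], next_header
```

Because the two trailer bytes are always present, a payload that is already 14 bytes long with a 16-byte block needs no pad bytes at all, while an empty payload needs 14; the receiver rejects any packet whose length is not a whole number of blocks before it even reads the trailer.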
Step 505: the encryption/decryption/Hash unit performs the corresponding encryption/decryption processing on the data packet according to the SA data and sends it to the packet tail processing module. First the ESP processing module encrypts/decrypts and/or authenticates the data packet according to the SA data; then the AH processing module performs the Hash computation on the data packet according to the SA data and sends it to the packet tail processing module;
For a data packet to be received, decryption and/or authentication processing is required; for a data packet to be sent, encryption and/or authentication processing is required. That is:
The processing performed by the encryption/decryption/Hash unit on data coming from the input buffer is divided into two cases, outbound data packets and inbound data packets. Outbound processing means encrypting the data packet to be sent so that it is protected in transit; inbound processing means decrypting and verifying the received data packet in order to judge whether it is complete and legitimate;
Outbound data packet processing comprises:
First, the data packet is passed to the encryption/decryption/Hash unit for ESP processing. ESP processing comprises encryption and/or authentication; ESP does not allow encryption and authentication to both be omitted. Usually the content of the SA data determines which one of the following three is applied to the data packet:
ESP encryption and authentication: the payload of the data packet (e.g. an IP packet) is encrypted by the encryption/decryption/Hash unit, and the result of the encryption is then authenticated by the Hash computation;
ESP encryption: the payload of the IP packet is passed to the encryption unit and encrypted;
ESP authentication: the payload of the IP packet is authenticated by the Hash computation;
Then, if bound IPsec processing is in use, the packet produced by the encryption/Hash step is passed to the Hash unit once more to add an authentication value, that is, AH processing: the entire IP packet is run through the Hash computation and the authentication value is added;
Inbound data packet processing comprises:
The data packet is passed to the encryption/decryption/Hash unit. If bound IPsec processing is in use, the Hash authentication operation is performed on the data packet first, to verify the authentication value, and only then is the data packet decrypted.
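The ordering described above (ESP then AH outbound; verify the AH value, then the ESP value, then decrypt inbound) as an added example that is not the patent's own code. Assumptions, none of which are in the text: HMAC-SHA256 truncated to 128 bits serves as both the ESP and the AH integrity check value; in place of the SA's block cipher, a keystream derived from HMAC-SHA256 over (sequence number, counter) is used so that the example runs on the Python standard library alone; AH is reduced to "an integrity value over the whole packet" without the real AH header or mutable-field handling; the SA field names are illustrative.

```python
import hashlib
import hmac
import struct

# Added illustration of the bound ESP + AH processing order; not the patent's own code.
# HMAC-SHA256/128 as ICV and an HMAC-based keystream as stand-in cipher are assumptions.

ICV_LEN = 16          # 128-bit truncated ICV (assumption)
ESP_HDR_LEN = 8       # SPI (4 bytes) + sequence number (4 bytes)


class SA:
    """Security association fields used here (illustrative names)."""

    def __init__(self, spi, enc_key, esp_auth_key, ah_key=None):
        self.spi = spi
        self.enc_key = enc_key
        self.esp_auth_key = esp_auth_key
        self.ah_key = ah_key          # None: plain ESP, no AH binding
        self.seq = 0                  # sender-side sequence number


def _icv(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def _keystream(key, seq, length):
    # Stand-in cipher: HMAC-SHA256 in counter mode keyed by the SA key.
    # Never reuse a (key, seq) pair; the real device would use the SA's block cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">IQ", seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def esp_outbound(sa, payload):
    """ESP encryption + authentication: encrypt, then ICV over header and ciphertext."""
    sa.seq += 1
    header = struct.pack(">II", sa.spi, sa.seq)
    ciphertext = _xor(payload, _keystream(sa.enc_key, sa.seq, len(payload)))
    return header + ciphertext + _icv(sa.esp_auth_key, header + ciphertext)


def outbound(sa, payload):
    """Outbound order from the text: ESP first, then AH over the whole ESP packet."""
    packet = esp_outbound(sa, payload)
    if sa.ah_key is not None:
        packet = _icv(sa.ah_key, packet) + packet   # AH value prepended (simplified AH)
    return packet


def inbound(sa, packet):
    """Inbound order from the text: check the AH value first, then ESP verify, then decrypt."""
    if sa.ah_key is not None:
        ah_icv, packet = packet[:ICV_LEN], packet[ICV_LEN:]
        if not hmac.compare_digest(ah_icv, _icv(sa.ah_key, packet)):
            raise ValueError("AH authentication failed")
    if len(packet) < ESP_HDR_LEN + ICV_LEN:
        raise ValueError("ESP packet too short")
    header = packet[:ESP_HDR_LEN]
    body = packet[ESP_HDR_LEN:-ICV_LEN]
    esp_icv = packet[-ICV_LEN:]
    # Verify before decrypting: nothing derived from unauthenticated ciphertext is used.
    if not hmac.compare_digest(esp_icv, _icv(sa.esp_auth_key, header + body)):
        raise ValueError("ESP authentication failed")
    spi, seq = struct.unpack(">II", header)
    if spi != sa.spi:
        raise ValueError("SPI does not match this SA")
    return _xor(body, _keystream(sa.enc_key, seq, len(body)))
```

The two `compare_digest` calls are the checks a practitioner wants here: constant-time comparison of the authentication values, and a refusal to touch the ciphertext until both the outer (AH) and inner (ESP) values have been verified, which is exactly the "authenticate first, then decrypt" order the description prescribes for inbound packets.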
Step 506: the packet tail processing module processes the tail of the data packet accordingly and sends it to the decompression processing module.
Step 507: the decompression processing module decompresses an inbound data packet that has been processed by the packet tail processing module and then sends it out through the output buffer;
After the inbound data packet is received from the packet tail processing module, the SA data determine whether it needs to be decompressed; if so, step 507 decompresses it, otherwise step 508 is executed directly;
A data packet to be sent (outbound) does not need the decompression of step 507, and step 508 is executed directly.
Step 508: according to the SA data and the data packet after the network security processing, the SA data in the local SDRAM and the data packet in the host memory are updated;
If the output buffer becomes full, the DMA module initiates a data write-back operation and writes the security-processed data packet back into host memory over the general data bus;
At the same time, once the network security processing of the whole data packet is finished, the DMA module writes all the data in the output buffer into host memory over the general data bus and initiates an SA data update operation, in which the fields of the SA data that need updating are updated over the memory bus. For example, if an inbound data packet was processed, the sequence number of the SA data is updated; if an outbound data packet was processed, the Mask (anti-replay sequence number mask) and the sequence number of the SA data are updated. (In the IPsec specifications the anti-replay window is kept by the receiver of an SA and the sender only increments the sequence number; the assignment of the two updates to directions above is as stated in the patent.)
The present invention also provides that, after all network security processing is finished, that is, after the data packet has been written back into host memory and the SA data in the local SDRAM have been updated, the result is reported to the host by interrupt, so that the host knows the final outcome of the network security processing.
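The SA update of step 508, sequence number and anti-replay mask, as an added example that is not the patent's own code. It assumes a 64-bit sliding window as in RFC 4303 Appendix A, kept by the receiver of an SA, and a 32-bit sequence number kept by the sender; the class and field names are illustrative. Note that this follows the RFC assignment of the two fields to directions, whereas the patent text assigns the Mask update to the outbound direction.

```python
# Added illustration of the SA update of step 508; not the patent's own code.
# Assumes a 64-bit receiver-side anti-replay window (RFC 4303 Appendix A) and a
# 32-bit sender-side sequence number.  Names are illustrative.

WINDOW_SIZE = 64
SEQ_MAX = 0xFFFFFFFF


class ReceiveState:
    """Receiver-side SA fields: highest accepted sequence number and the window mask."""

    def __init__(self):
        self.last_seq = 0     # highest sequence number accepted so far
        self.mask = 0         # bit i set <=> sequence number last_seq - i already seen

    def accept(self, seq):
        """Return True and update the state if `seq` is new and inside the window."""
        if seq == 0 or seq > SEQ_MAX:
            return False                       # 0 is never a valid sequence number
        if seq > self.last_seq:
            shift = seq - self.last_seq        # the window moves right by `shift`
            if shift >= WINDOW_SIZE:
                self.mask = 1                  # everything seen before falls out
            else:
                self.mask = ((self.mask << shift) | 1) & ((1 << WINDOW_SIZE) - 1)
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= WINDOW_SIZE:
            return False                       # older than the window: drop
        bit = 1 << diff
        if self.mask & bit:
            return False                       # already seen: replay
        self.mask |= bit
        return True


class SendState:
    """Sender-side SA field: the next sequence number to emit."""

    def __init__(self):
        self.seq = 0

    def next_seq(self):
        # Wrapping the counter on one SA is forbidden; the SA must be renegotiated.
        if self.seq >= SEQ_MAX:
            raise OverflowError("sequence number exhausted; renegotiate the SA")
        self.seq += 1
        return self.seq
```

The two fields the patent names in step 508 are exactly `last_seq` and `mask`; the update is the only state change per packet, which is why the device can write it back over the memory bus as a small field update rather than rewriting the whole SA. The overflow check in `next_seq` is the sender-side condition that forces a new SA before the counter wraps.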

Claims (17)

1. A network security processing device, characterized by comprising:
Input buffer module: receives the data packet to be encrypted and authenticated and the corresponding SA (security association) data, buffers them, and sends them to the packet header processing module;
Packet header processing module: receives the data packet and the SA data, processes the header of the data packet, and sends the packet together with the SA data to the encryption/decryption/Hash unit;
Encryption/decryption/Hash unit: receives the header-processed data packet and the SA data, performs the bound IPSec (Internet Protocol security) processing on the data packet according to the SA data, and sends it to the packet tail processing module;
Packet tail processing module: receives the data packet from the encryption/decryption/Hash unit, processes the packet tail, and sends it to the output buffer module;
Output buffer module: receives the data packet from the packet tail processing module, buffers it, and sends it out.
2. The network security processing device according to claim 1, characterized in that:
the input buffer module and the output buffer module are each connected to the host memory through a DMA (direct memory access) module and the general data bus, and to the local memory through the DMA module and the memory bus.
3. The network security processing device according to claim 2, characterized in that the local memory is SDRAM (synchronous dynamic random-access memory) or DDR SDRAM (double data rate synchronous dynamic random-access memory).
4. The network security processing device according to claim 1, 2 or 3, characterized in that:
a compression processing module is further connected between the input buffer module and the packet header processing module, which receives the data packet from the input buffer, compresses it, and sends it to the packet header processing module;
a decompression processing module is connected between the packet tail processing module and the output buffer module, which receives the data packet from the packet tail processing module, decompresses it, and sends it to the output buffer module.
5. The network security processing device according to claim 1, 2 or 3, characterized in that the packet header processing module receives the data packet and the SA data, inserts into the data packet in one operation the security headers used for the bound IPSec processing, and sends the packet together with the SA data to the encryption/decryption/Hash unit.
6. The network security processing device according to claim 1, 2 or 3, characterized in that the encryption/decryption/Hash unit comprises:
ESP (Encapsulating Security Payload) processing module: receives the data packet and the SA data from the packet header processing module, performs the corresponding encryption/decryption and/or authentication processing according to the SA, and passes the result to the AH (Authentication Header) processing module;
AH processing module: receives the data packet and the SA data from the ESP processing module, performs the corresponding Hash computation according to the SA data, and sends the result to the packet tail processing module.
7. A network security processing method, characterized by comprising:
a. the system delivers the SA data obtained by negotiation to the local memory through the general data bus and the network security processing device, and stores the received data packet in the system host memory;
b. the network security processing device fetches the data packet from the host memory through the general data bus, and fetches the SA data from the local memory through the memory bus;
c. the network security processing device performs the corresponding network security processing according to the fetched SA data and data packet, and sends the result out.
8. The network security processing method according to claim 7, characterized in that the method further comprises:
updating the data packet in the host memory over the general data bus with the data packet after network security processing, and updating the SA data in the local memory over the memory bus with the SA data after network security processing.
9. The network security processing method according to claim 7, characterized in that step a further comprises:
the SA data determined by negotiation between the communicating parties are delivered directly into the local memory through the general data bus and the DMA module of the network security processing device.
10. The network security processing method according to claim 7, characterized in that step b comprises:
if the general data bus selected is a PCI (peripheral component interconnect) bus with a bandwidth of 1 to 2 Gbps, the host CPU delivers to the network security processing device both the address of the data packet and the address of the SA data in the local SDRAM, and the DMA of the network security processing device fetches the corresponding data packet and SA data according to those addresses;
if the general data bus selected is a POS-PHY (POS physical layer interface) bus whose bandwidth can reach 10 Gbps, and the correspondence between the SA data address and the data packet is held in the host, the host CPU issues only the address of the SA data to the network security processing device, the address of the SA data is placed in front of the corresponding data packet, and the network security processing device fetches the SA data by that address;
if the general data bus selected is an even faster POS-PHY bus, and the correspondence between the SA data address and the data packet is stored on the network security processing device side, then after receiving a data packet the network security processing device looks up the SA data address for that packet in the stored correspondence and fetches the corresponding SA data by that address.
11. The network security processing method according to claim 7, characterized in that step c comprises:
c1. the input buffer module receives the fetched SA data and data packet, buffers them, and sends them to the packet header processing module;
c2. the packet header processing module processes the header of the data packet and passes the processed packet together with the SA data to the encryption/decryption/Hash unit;
c3. the encryption/decryption/Hash unit performs the corresponding encryption/decryption processing on the data packet according to the SA data and sends it to the packet tail processing module;
c4. the packet tail processing module processes the tail of the data packet accordingly and sends it out through the output buffer.
12. The network security processing method according to claim 11, characterized in that:
step c1 further comprises: the data packet to be sent that has been buffered by the input buffer module, i.e. the outbound data packet, is compressed according to the configured compression format and then sent to the packet header processing module;
step c4 further comprises: the data packet to be received that has been processed by the packet tail processing module, i.e. the inbound data packet, is decompressed accordingly and then sent out through the output buffer.
13. The network security processing method according to claim 11, characterized in that step c2 comprises:
the packet header processing module inserts into the data packet in one operation the security headers used for ESP processing and AH processing, and optionally pads the packet;
the processed data packet is passed together with the SA data to the encryption/decryption/Hash unit.
14. The network security processing method according to claim 11, characterized in that step c3 comprises:
the ESP processing module first performs encryption/decryption and/or authentication processing on the data packet according to the SA data; then the AH processing module performs the Hash computation on the data packet according to the SA data and sends it to the packet tail processing module.
15. The network security processing method according to claim 11, characterized in that step c4 further comprises:
updating the SA data in the local memory through the output buffer and the DMA module, and returning the data packet after security processing to the host.
16. The network security processing method according to claim 15, characterized in that step c4 further comprises:
after the data packet has been written back into the host memory and the SA data in the local SDRAM have been updated, reporting the result to the host by interrupt.
17. The network security processing method according to claim 16, characterized in that the update of the SA data comprises: if an inbound data packet was processed, the sequence number of the SA data is updated; if an outbound data packet was processed, the Mask (anti-replay sequence number mask) and the sequence number of the SA data are updated.
Application CNB031329810A, priority date 2003-07-23, filing date 2003-07-23: "Network safety processing equipment and method thereof", granted as CN100502348C (status: Expired - Fee Related).

Publications (2)

CN1571399A, published 2005-01-26
CN100502348C, published 2009-06-17

Family ID: 34469992 (one family application, CN only)

Cited By (13)

* Cited by examiner, † Cited by third party

Publication number | Priority date | Publication date | Assignee | Title
CN1878055B * | 2005-06-07 | 2010-11-03 | 北京握奇数据系统有限公司 | Separation type mass data encryption/decryption device and implementing method therefor
US8392701B2 | 2007-08-16 | 2013-03-05 | Hangzhou H3C Technologies Co., Ltd. | Method and apparatus for ensuring packet transmission security
WO2009021428A1 * | 2007-08-16 | 2009-02-19 | Hangzhou H3C Technologies Co., Ltd. | Secure protection device and method for message transfer
CN102006285B * | 2010-11-02 | 2016-07-06 | 北京天融信科技股份有限公司 | Message processing method and device for network security equipment
CN102006285A * | 2010-11-02 | 2011-04-06 | 北京天融信科技有限公司 | Message processing method and device for network security equipment
CN103914422B * | 2012-12-28 | 2017-04-12 | 英飞凌科技股份有限公司 | Processor arrangement and method for transmitting data bit sequence
CN103914422A * | 2012-12-28 | 2014-07-09 | 英飞凌科技股份有限公司 | Processor arrangement and method for transmitting data bit sequence
CN108092942A * | 2016-11-21 | 2018-05-29 | 深圳市中兴微电子技术有限公司 | Message processing method and device
CN108092942B * | 2016-11-21 | 2020-04-10 | 深圳市中兴微电子技术有限公司 | Message processing method and device
CN111835613A * | 2019-04-23 | 2020-10-27 | 厦门网宿有限公司 | Data transmission method of VPN server and VPN server
CN111835613B * | 2019-04-23 | 2022-07-08 | 厦门网宿有限公司 | Data transmission method of VPN server and VPN server
CN110381034A * | 2019-06-25 | 2019-10-25 | 苏州浪潮智能科技有限公司 | Message processing method, device, equipment and readable storage medium
CN110381034B * | 2019-06-25 | 2022-02-22 | 苏州浪潮智能科技有限公司 | Message processing method, device, equipment and readable storage medium



Legal Events

Code | Title
C06 / PB01 | Publication
C10 / SE01 | Entry into substantive examination (entry into force of request for substantive examination)
C14 / GR01 | Grant of patent or utility model (granted publication date: 2009-06-17)
CF01 / EXPY | Termination of patent right due to non-payment of annual fee (termination date: 2015-07-23)