CN1791098B - Method for realizing security association synchronization - Google Patents

Info

Publication number: CN1791098B
Authority: CN (China)
Prior art keywords: security association, equipment, stand, security, host apparatus
Legal status: Expired - Fee Related
Application number: CN 200410098823
Other languages: Chinese (zh)
Other versions: CN1791098A
Inventors: 杨黎莉, 郑克
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Events: application filed by Huawei Technologies Co Ltd; priority to CN 200410098823; publication of CN1791098A; application granted; publication of CN1791098B; legal status Expired - Fee Related.

Classification: Data Exchanges In Wide-Area Networks (AREA)
Abstract

The invention discloses a method for realizing security association synchronization. The primary device sends the relevant information of the security associations it has established to the standby device, and the standby device establishes its own security associations according to the received information. The method backs up security association information between the primary and standby devices so that, after a switchover, there is no need to negotiate again and establish new security associations, and the security association information can be updated in time after the switchover without impairing security.

Description

Method for realizing security association synchronization
Technical field
The present invention relates to Internet security technology, and in particular to a method for realizing security association synchronization.
Background technology
To meet the security needs of the Internet, the Internet Engineering Task Force (IETF) has issued the IP-layer security standard IPSec. The IPSec protocol family applies high-strength security processing to packets at the IP layer; it can provide services including access control, connectionless integrity, data origin authentication, anti-replay protection and confidentiality, and these services protect both the IP protocol and upper-layer protocols. IPSec realizes encryption and authentication of data at the network layer and provides an end-to-end network security scheme; because the encrypted packets remain ordinary IP packets, this architecture can be applied well on the Internet.
The components of IPSec include the security protocols Authentication Header (AH) and Encapsulating Security Payload (ESP), Security Associations (SA), Internet Key Exchange (IKE), and the encryption and authentication algorithms.
AH is a security protocol header that provides connectionless integrity, data origin authentication and optional anti-replay service for IP packets. ESP is also a security protocol header; it uses encryption and authentication mechanisms to provide data origin authentication, data integrity, anti-replay and confidentiality for IP datagrams. A security association is a unidirectional logical connection between two entities that use the IPSec service; each entity normally holds an inbound security association and an outbound security association, which determine the security policy the entity uses in the sending and receiving directions respectively, so that the four security associations between two entities using the IPSec service determine what information is to be protected between them, how it is protected and by whom. A security association is uniquely identified by a policy pointer, SAID, determined by the destination IP address, the Security Parameter Index (SPI) and the security protocol identifier. IKE realizes the negotiation of security associations and functions such as the determination and automatic distribution of keys. The encryption and authentication algorithms define the algorithms used by ESP and AH.
In addition, an IPSec implementation must maintain two databases related to security associations: the Security Policy Database (SPD) and the Security Association Database (SAD). The SPD holds the security policy configuration for the IPSec implementation: source and destination IP addresses, masks, ports, transport-layer protocol, the action of the security policy, inbound/outbound flag, identifier, the corresponding security association and policy pointer, and so on. The SAD is the set of security associations; its contents include the destination IP address, security protocol, SPI, sequence number counter, sequence number overflow flag, anti-replay window, security association lifetime, inbound/outbound flag, security association state, IPSec protocol mode, encryption algorithm and authentication algorithm, etc. Each security association has a corresponding entry in the SAD. The SAD and SPD are related through the policy pointer SAID: by checking the SAID value of a security policy (SP) record in the SPD, the security association that implements that policy can be found in the SAD. It should be noted that both databases are generated by pre-configuration of the system before the device providing the IPSec service negotiates and establishes security associations.
The IPSec standard described above encrypts and authenticates IP packets using the established IPSec SAs and negotiates the encryption keys through IKE, guaranteeing the confidentiality and authenticity of packets; at the same time, by encapsulating packets according to the established IPSec SAs, some communication characteristics of the packets are hidden, which resists traffic analysis and strengthens the security of data transmission. At present, many communication devices provide IPSec capability in order to strengthen the security and reliability of data transmission.
On the other hand, modern communication systems normally adopt backup mechanisms for key communication devices, so that when one device fails, data can be switched to a standby device and processed there, ensuring that the data service is not interrupted.
However, the communication devices that currently provide IPSec capability cannot yet provide a backup function for the IPSec security service. Therefore, when such a device fails and data communication is switched to the standby device, continuous IPSec protection cannot be provided between the communicating devices: after the switchover, the communicating devices must negotiate again to establish security associations, and during the negotiation all upper-layer packets are dropped, which to some extent interrupts the upper-layer service.
Summary of the invention
To solve the above technical problem, the present invention provides a method for realizing security association synchronization between primary and standby devices, which can realize synchronized backup of IPSec capability between the primary and standby communication devices and guarantee that upper-layer services are not interrupted during a switchover.
In the method of the invention, while the primary device operates normally, only the primary device processes messages using the security associations it has established. The method comprises the following steps:
a. while the primary device operates normally, it sends the relevant information of the security associations it has established to the standby device;
b. the standby device receives the security association information and establishes its own security associations according to the received information.
The sending in step a is specifically: the primary device sends the identical security association information to the standby device through a dedicated interface between the primary and standby devices.
The security association information of the present invention comprises: the anti-replay counter, the sequence number overflow flag, the AH authentication algorithm and its key, the ESP encryption algorithm and its key, the key initialization vector, the key initialization vector mode, the ESP authentication algorithm and its key, the security association lifetime and the encapsulation mode.
Step a specifically comprises the following steps:
a11. after the standby device starts, the IPSec module of the primary device reads the relevant information of all established security associations from the security association database of the primary device;
a12. the IPSec module of the primary device sends the security association information it has read to the IPSec module of the standby device.
Step a12 further comprises: the primary device calculates the difference between the security association lifetime parameter it has read and the system running time of the primary device, and sends the calculated difference to the standby device as the lifetime parameter in the security association information.
Step a may also specifically comprise the following steps:
a21. when the key exchange module of the primary device sends a message to the IPSec module of the primary device to establish or update a security association, notifying the IPSec module of the primary device to create a new security association or update an established one, the key exchange module of the primary device also sends the establish or update message to the key exchange module of the standby device;
a22. the key exchange module of the standby device forwards the establish or update message to the IPSec module of the standby device and notifies it to create, or update, in the standby device the security association corresponding to that of the primary device.
Step a21 further comprises: the key exchange module of the primary device copies the newly generated Security Parameter Index and sends the copied Security Parameter Index to the key exchange module of the standby device;
Step a22 further comprises: the IPSec module of the standby device uses the copied Security Parameter Index in place of the Security Parameter Index generated by the IPSec module of the standby device itself.
The establishment of the security association by the standby device in step b is specifically:
b1. build the security association structure according to the received backup security association information;
b2. derive the policy pointer value of this security association from the destination IP address, Security Parameter Index and security protocol identifier in the security association information;
b3. add the built security association structure to the SAD of the standby device according to the derived policy pointer value;
b4. establish the mapping between this security association and the corresponding security policy in the Security Policy Database.
The method of the invention further comprises: the primary device periodically sends the anti-replay counter parameter of the security association to the standby device, and the anti-replay counter value in the corresponding security association of the standby device is updated.
The method of the invention further comprises: before the primary device sends the anti-replay counter parameter to the standby device, it adds an offset to the anti-replay counter value to be sent, according to the average rate at which it received or sent datagrams in the current period.
The method of the invention further comprises: c. after the upper-layer service is switched to the standby device, the IPSec module of the standby device actively notifies the key exchange module to begin a new negotiation process and update the security associations backed up from the primary device.
In the present invention the standby device sets a period timer and the number of security associations the key exchange module updates each time; the updating of security associations by the key exchange module specifically comprises the following steps:
c1. start the period timer;
c2. when the period timer expires, the IPSec module of the standby device scans whether there are backup security associations on the standby device that have not yet been updated; if so, execute step c3; otherwise, stop the period timer;
c3. determine the number of backup security associations not yet updated and send a message to the key exchange module notifying it to update the backup security associations; the key exchange module compares the number of backup security associations not yet updated with the set number of security associations updated each time: if it is greater than the set number, scan and update the set number of backup security associations and then return to step c2; if it is less than or equal to the set number, scan and update all backup security associations not yet updated and then stop the period timer.
The scanning and updating in step c3 is specifically: scan and update all backup security associations in turn, in the order of the security associations in the security association database.
Alternatively, the scanning and updating in step c3 is specifically: scan and update in turn, in the order of the security policies in the Security Policy Database, all backup security associations corresponding to the current security policies.
The method of the invention further comprises: maintaining in the key exchange module of the standby device a use queue; if packets have been sent or received on a security association that was backed up, that security association is recorded in the use queue;
and the scanning and updating in step c3 is specifically: scan and update the security associations in the use queue first.
It can thus be seen that, by backing up identical IPSec SAs on the primary and standby communication devices, the method of the present invention ensures that after the upper-layer service is switched to the standby device, the IPSec SAs established or updated synchronously on the standby device according to the corresponding IPSec SAs of the primary device can still be used to encrypt and authenticate data, without the need to immediately negotiate again to establish new security associations, so that the data messages of the upper-layer service are processed normally before and after the switchover and no message is dropped.
In addition, after the upper-layer service is switched to the standby device, the method of the present invention can update the security association information in time without affecting the security of IPSec.
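As an added illustration (not code from the patent or from Huawei), the following Python models the period-timer driven, batch-limited update of backed-up security associations in steps c1 to c3, together with the three scan orders above (SAD order, SPD order, and use-queue first). The IKE re-negotiation itself is replaced by a stand-in that only flips the status flag; class names, flag values and the sample SAIDs are assumptions.

```python
# Added example (not the patent's code): period-timer driven, batch-limited
# re-negotiation of backed-up SAs after a switchover (steps c1-c3), with the
# three scan orders described in the text. Names and flags are constructed.
from collections import deque
from typing import Deque, Dict, List, Tuple

SAID = Tuple[str, int, str]    # (destination IP, SPI, protocol)
FROM_PRIMARY = "from_primary"  # still the copy synchronized from the former primary
NORMAL = "normal"              # created or renewed by this device's own IKE


class NewPrimary:
    """The former standby after the switchover: its IPSec module drives the
    IKE module to renew at most `batch` backed-up SAs per timer period."""

    def __init__(self, sad: Dict[SAID, str], spd: List[SAID], batch: int) -> None:
        self.sad = dict(sad)    # SAID -> status flag, kept in SAD order
        self.spd = list(spd)    # current SAID of each policy, in SPD order
        self.batch = batch      # SAs the IKE module updates per timer tick
        self.use_queue: Deque[SAID] = deque()  # backed-up SAs that carried traffic
        self.timer_running = False
        self.ike_calls: List[SAID] = []        # renegotiations requested so far

    def note_traffic(self, said: SAID) -> None:
        """Data path: a backed-up SA just sent or received a packet."""
        if self.sad.get(said) == FROM_PRIMARY and said not in self.use_queue:
            self.use_queue.append(said)

    def pending(self) -> List[SAID]:
        return [s for s, st in self.sad.items() if st == FROM_PRIMARY]

    def scan_order(self, order: str) -> List[SAID]:
        """Backed-up SAs still to renew, in the requested scan order."""
        pend = set(self.pending())
        if order == "sad":
            return [s for s in self.sad if s in pend]
        if order == "spd":
            return [s for s in self.spd if s in pend]
        if order == "used_first":
            used = [s for s in self.use_queue if s in pend]
            return used + [s for s in self.sad if s in pend and s not in used]
        raise ValueError("unknown scan order: %s" % order)

    def ike_renegotiate(self, said: SAID) -> None:
        """Stand-in for the IKE module renewing one SA; the real module would
        run a new negotiation, replace the SA and then clear the flag."""
        self.ike_calls.append(said)
        self.sad[said] = NORMAL

    def start(self) -> None:
        """Step c1: start the period timer."""
        self.timer_running = True

    def on_timer(self, order: str = "sad") -> List[SAID]:
        """Steps c2-c3, run once per timer expiry. Returns the SAIDs renewed."""
        if not self.timer_running:
            return []
        todo = self.scan_order(order)
        if not todo:                    # c2: nothing left, stop the timer
            self.timer_running = False
            return []
        this_tick = todo[:self.batch]   # c3: at most `batch` per period
        for said in this_tick:
            self.ike_renegotiate(said)
        if len(todo) <= self.batch:     # everything renewed in this tick
            self.timer_running = False
        return this_tick
```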
Description of drawings
Fig. 1 is a schematic diagram of the security association synchronization mechanism of a preferred embodiment of the present invention;
Fig. 2 is a schematic diagram of the security association synchronization mechanism of another preferred embodiment of the present invention;
Fig. 3 is a flow chart of the method by which the IKE module of the standby device updates security associations after a switchover, according to the present invention.
Embodiment
To make the purpose, technical scheme and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and embodiments.
The invention discloses a method for realizing security association synchronization. The method backs up security association information in real time between the primary device and the standby device, that is, identical security associations are kept on the primary device and the standby device that provide the IPSec service. When the system operates normally, only the primary device encrypts, decrypts and authenticates data messages, and it backs up the security association information to the standby device in real time. After a switchover, the new primary device, i.e. the original standby device, uses the backed-up security association information to encrypt, decrypt and authenticate subsequent data messages, ensuring that the data messages of the upper-layer service are processed normally and no service interruption occurs. At the same time, after the switchover, the new primary device can normally carry out processes such as IKE negotiation, ensuring that the creation and update of security associations and keys proceed normally.
According to the IPSec protocol specified by the IETF, the relevant information of a security association comprises: the anti-replay counter, the sequence number overflow flag, the AH authentication algorithm and its key, the ESP encryption algorithm and its key, the ESP initialization vector (IV), the ESP IV mode, the ESP authentication algorithm and its key, the security association lifetime, the encapsulation mode and so on.
In real devices, the management of security associations is usually carried out by two functional modules: the IPSec module and the IKE module. The IPSec module directly manages the IPSec SAs in the SAD; the IKE module manages the IKE SAs and is responsible for notifying the IPSec module to create, update or delete IPSec SAs. Here, an IKE SA provides a secure negotiation channel for operations such as creating, updating or deleting IPSec SAs between devices providing the IPSec service.
The security association synchronization method of the present invention is divided into two cases according to the operating state of the primary and standby devices: the first case is the synchronization of IPSec SAs when the primary device is operating normally and has already established several IKE SAs and IPSec SAs, and the standby device has just started; the second case is the synchronization of IPSec SAs when both the primary and standby devices are in the normal state and the primary device establishes a new IPSec SA or updates an established IPSec SA.
Embodiment 1:
Fig. 1 is a schematic diagram of the IPSec SA synchronization method in the first case. In this case, after starting, the standby device needs to synchronously establish all the IPSec SAs that have been established on the primary device.
As shown in Fig. 1, after the standby device starts, the IPSec SA backup method mainly comprises the following steps:
Step 101: the IPSec module of the primary device reads the security association information of all established IPSec SA1s from the SAD of the primary device.
Step 102: the IPSec module of the primary device sends the security association information it has read, in a self-defined message, to the IPSec module of the standby device through the dedicated interface between the primary and standby devices. The dedicated interface is an interface used exclusively for transmitting security association information between the primary and standby devices.
It should be noted that in this step, the security association lifetime parameter in the transmitted security association information is not the lifetime parameter read directly from the SAD of the primary device, but the difference between the lifetime parameter read and the system running time of the primary device. This is because, according to the IPSec protocol, the security association lifetime parameter is an absolute time value relative to the system's running time; since the system running times of the primary and standby devices are usually inconsistent, transmitting the parameter as read would make the lifetime of the security association established on the standby device inconsistent with that of the corresponding security association on the primary device.
Step 103: the IPSec module of the standby device establishes IPSec SA1 according to the received security association information.
In this step, the method of establishing IPSec SA1 specifically comprises the following steps:
First, the IPSec module of the standby device builds the IPSec SA1 structure internally according to the received backup security association information;
Then, the IPSec module of the standby device derives the policy pointer SAID value of this IPSec SA1 from the destination IP address, SPI and security protocol identifier in the security association information, and adds the built IPSec SA1 structure to the SAD of the standby device according to the derived SAID value;
Finally, according to the IPSec SA1 information backed up from the primary device, the mapping to the corresponding security policy in its own SPD is established. It should be noted that, since the standby device can usually keep the security policies consistent on the primary and standby devices by means of data configuration, security policy information does not need to be backed up.
It can be seen from the above process that, after starting, the standby device obtains through the security association synchronization process of steps 101 to 103 the security association information corresponding to the security associations established on the primary device, realizing the synchronization of IPSec SA1 between the primary and standby devices. Thus, even when the upper-layer service is switched over, the standby device can process datagrams using the backed-up security association information without interrupting the upper-layer service.
Embodiment 2:
Fig. 2 is a schematic diagram of the IPSec SA synchronization method in the second case. In this case, if the primary device establishes a new IPSec SA or updates an established IPSec SA, the standby device needs to synchronously establish or update the corresponding IPSec SA.
As shown in Fig. 2, the IPSec SA synchronization method of this embodiment comprises the following steps:
Step 201: in a newly initiated negotiation process, the IKE module of the primary device notifies the IPSec module to create a new IPSec SA2 or update an established IPSec SA2;
Step 202: at the same time, the IKE module of the primary device sends the above notification message for establishing or updating IPSec SA2 to the IKE module of the standby device through the dedicated interface between the primary and standby devices;
Step 203: the IKE module of the standby device forwards the notification message to the IPSec module of the standby device and notifies it to perform the same operation as the primary device, i.e. to establish or update IPSec SA2 in the SAD of the standby device.
It should be noted that, in steps 202 and 203, if IPSec SA2 is a newly established security association, then in step 202 the IKE module of the primary device also sends the SPI value from the IPSec SA2 security association information established by the IPSec module of the primary device to the IKE module of the standby device through the dedicated interface, and in step 203 the IKE module of the standby device forwards the received SPI value established by the primary device to the IPSec module of the standby device, to replace the SPI value that this module generates itself when establishing IPSec SA2. This is because, according to the IPSec protocol, the IPSec module automatically generates an SPI value when establishing a security association; if the standby device used its own SPI value when establishing IPSec SA2, the SPI values of the corresponding security association IPSec SA2 on the standby and primary devices would be inconsistent, and after the standby device is switched to become the primary device it could not communicate properly with the peer device.
In addition, the method of establishing IPSec SA2 described in steps 201 and 203 is the same as the method of establishing IPSec SA1 in step 103.
Through the above process, when the primary device establishes a new security association or updates an established one, the standby device obtains security association information identical to that of the primary device, realizing the synchronization of IPSec SA2 between the primary and standby devices. Thus, if a switchover of the upper-layer service occurs at this time, the standby device can process datagrams using the synchronized security association information without interrupting the upper-layer service.
In the above two embodiments, the backed-up security association information includes but is not limited to the security association parameters defined in the above protocol, and can be adjusted according to the specific implementation.
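As an added illustration (not code from the patent or from Huawei), the following Python models both synchronization cases: the full SAD export when the standby starts (steps 101 to 103, with the lifetime sent as a remaining-time difference and the SAID derived from destination IP, SPI and protocol) and the relayed create message for a new SA (steps 201 to 203, where the standby adopts the primary's SPI instead of its own). Class and field names, the message layout, the algorithm names and the sample addresses and keys are assumptions.

```python
# Added example (not the patent's code): primary/standby IPSec SA backup.
# Names, fields and sample values are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SAID = Tuple[str, int, str]  # (destination IP, SPI, protocol) identifies one SA


@dataclass
class SecurityAssociation:
    dst_ip: str
    spi: int
    protocol: str          # "AH" or "ESP"
    enc_alg: str
    enc_key: bytes
    auth_alg: str
    auth_key: bytes
    mode: str              # "tunnel" or "transport"
    expiry: float          # absolute time on the owning device's own clock
    replay_seq: int = 0    # anti-replay counter
    state: str = "normal"  # "backed_up" on the primary, "from_primary" on standby

    def said(self) -> SAID:
        return (self.dst_ip, self.spi, self.protocol)


@dataclass
class Device:
    name: str
    uptime: float                                       # system running time
    sad: Dict[SAID, SecurityAssociation] = field(default_factory=dict)
    spd: Dict[str, SAID] = field(default_factory=dict)  # policy -> current SAID
    next_spi: int = 0x1000                              # local SPI generator


def export_record(primary: Device, sa: SecurityAssociation, policy: str) -> dict:
    """Primary IPSec module: fields sent over the dedicated backup interface.
    The lifetime goes as (expiry - primary uptime): the standby's clock differs,
    so the absolute expiry would give its copy a different validity period."""
    sa.state = "backed_up"
    return {
        "dst_ip": sa.dst_ip, "spi": sa.spi, "protocol": sa.protocol,
        "enc_alg": sa.enc_alg, "enc_key": sa.enc_key,
        "auth_alg": sa.auth_alg, "auth_key": sa.auth_key, "mode": sa.mode,
        "replay_seq": sa.replay_seq,
        "remaining": sa.expiry - primary.uptime,
        "policy": policy,  # SPD is configured identically on both devices
    }


def install_backup(standby: Device, rec: dict) -> SecurityAssociation:
    """Standby IPSec module, steps b1-b4: build the SA, derive the SAID from
    (dst IP, SPI, protocol), add it to the SAD and map it to its SPD policy."""
    sa = SecurityAssociation(
        rec["dst_ip"], rec["spi"], rec["protocol"], rec["enc_alg"],
        rec["enc_key"], rec["auth_alg"], rec["auth_key"], rec["mode"],
        expiry=standby.uptime + rec["remaining"],  # rebase onto local clock
        replay_seq=rec["replay_seq"], state="from_primary",
    )
    standby.sad[sa.said()] = sa             # b3: keyed by the derived SAID
    standby.spd[rec["policy"]] = sa.said()  # b4: policy -> SA mapping
    return sa


def sync_on_standby_start(primary: Device, standby: Device) -> int:
    """Case 1 (steps 101-103): export every SA already in the primary SAD."""
    count = 0
    for policy, said in list(primary.spd.items()):
        install_backup(standby, export_record(primary, primary.sad[said], policy))
        count += 1
    return count


def ike_create_sa(primary: Device, standby: Device, policy: str, dst_ip: str,
                  enc_key: bytes, auth_key: bytes, lifetime: float
                  ) -> Tuple[SecurityAssociation, SecurityAssociation]:
    """Case 2 (steps 201-203): the primary IKE module has its IPSec module
    create a new SA, then relays the same create message, SPI included, to
    the standby IKE module, which hands it to the standby IPSec module."""
    spi = primary.next_spi  # allocated by the primary IPSec module
    primary.next_spi += 1
    sa = SecurityAssociation(dst_ip, spi, "ESP", "aes-cbc", enc_key,
                             "hmac-sha1", auth_key, "tunnel",
                             primary.uptime + lifetime)
    primary.sad[sa.said()] = sa
    primary.spd[policy] = sa.said()
    msg = export_record(primary, sa, policy)
    # The standby IPSec module would allocate its own SPI here; that value is
    # discarded in favour of the primary's SPI carried in the message, or the
    # peer could not match the SA after a switchover.
    standby.next_spi += 1
    return sa, install_backup(standby, msg)


def find_sa(dev: Device, dst_ip: str, spi: int, protocol: str
            ) -> Optional[SecurityAssociation]:
    """Data-path lookup after a switchover: the SA by SAID, if not expired."""
    sa = dev.sad.get((dst_ip, spi, protocol))
    if sa is None or sa.expiry <= dev.uptime:
        return None
    return sa
```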
In addition, it should be noted in particular that, after the synchronization of the security association information described above is completed, the parameters in the security association information that change dynamically must also be synchronously updated in real time. The following takes as an example the anti-replay counter parameter used to prevent replay attacks by other communication devices in the network. The anti-replay counter parameter generally indicates the sequence number of the datagram currently being sent by the communication device and of the datagram it expects to receive; the value of this parameter usually increases continuously as datagrams are exchanged between the communication devices. If this parameter is not updated synchronously in real time, the anti-replay counter value of the standby device will generally be smaller than the anti-replay counter values of the primary device and the peer device. Then, when the standby device is switched to become the primary device, according to its anti-replay counter value it will send datagrams with smaller sequence numbers, which usually fall into the range of sequence numbers the peer has already received, so that the datagrams are dropped by the peer communication device; and since the anti-replay counter value of the corresponding security association on the peer device is larger, the sequence numbers of a large number of replayed datagrams from the peer device will fall into the range of sequence numbers not yet received by the standby device, and these datagrams will be received normally by the standby device, so that the standby device cannot prevent replay attacks and the upper-layer service cannot proceed normally.
There are two ways to synchronously update the dynamically changing parameters in the security association information. One way is periodic hot backup: the anti-replay counter is refreshed periodically, keeping the anti-replay counters of the primary and standby devices synchronized. Further, according to the average rate at which the primary device received or sent datagrams in the current period, a suitable offset can be added to the current anti-replay counter parameter for the standby device, so that the anti-replay counter parameters of the primary and standby devices stay synchronized as far as possible. The period of the hot backup can be set by the communication system according to empirical values.
The other way is to synchronize the dynamically changing parameters between the primary device and the standby device before the switchover. However, this way is only suitable for manual switchovers, not for switchovers caused by accidental failures.
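As an added illustration (not code from the patent or from Huawei), the following Python simulates the periodic hot-backup variant for the anti-replay counter: once per period the primary reports its outbound sequence counter to the standby, optionally adding the offset derived from the average sending rate of the period just finished, while the peer applies a standard sliding anti-replay window. The window size, packet counts and period are constructed values.

```python
# Added example (not the patent's code): periodic anti-replay counter backup
# with a rate-based offset, and its effect on the first datagram the standby
# sends after a switchover. All numbers are constructed for illustration.

WINDOW = 64  # peer's anti-replay window size (constructed)


class ReplayWindow:
    """Receiver-side sliding anti-replay window in the style of RFC 2401:
    accept a sequence number above the current top, or one inside the window
    that has not been seen yet; drop everything else."""

    def __init__(self, size: int = WINDOW) -> None:
        self.size = size
        self.top = 0    # highest sequence number accepted so far
        self.seen = 0   # bitmap: bit i set means (top - i) was received

    def accept(self, seq: int) -> bool:
        if seq <= 0:
            return False
        if seq > self.top:                      # advances the window
            shift = seq - self.top
            self.seen = ((self.seen << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or (self.seen >> diff) & 1:
            return False                        # too old, or a replay
        self.seen |= 1 << diff
        return True


class PrimarySender:
    """Outbound side of one SA on the primary device."""

    def __init__(self) -> None:
        self.seq = 0             # anti-replay counter (last sequence number sent)
        self.sent_in_period = 0  # datagrams sent since the last backup message

    def send(self, peer: ReplayWindow) -> bool:
        self.seq += 1
        self.sent_in_period += 1
        return peer.accept(self.seq)

    def backup_counter(self, period: float, add_offset: bool) -> int:
        """Value sent to the standby at the end of each backup period.
        The offset is the average rate of the finished period times one
        period, i.e. the traffic expected before the next backup arrives."""
        rate = self.sent_in_period / period
        offset = int(rate * period) if add_offset else 0
        self.sent_in_period = 0
        return self.seq + offset


def simulate_switchover(periods: int, pkts_per_period: int,
                        extra_before_failure: int, add_offset: bool,
                        period: float = 1.0) -> dict:
    """Run `periods` backup cycles, then `extra_before_failure` datagrams
    after the last backup message, then fail over and let the standby send
    its first datagram from its copy of the counter."""
    peer = ReplayWindow()
    primary = PrimarySender()
    standby_seq = 0
    for _ in range(periods):
        for _ in range(pkts_per_period):
            primary.send(peer)
        standby_seq = primary.backup_counter(period, add_offset)
    for _ in range(extra_before_failure):  # traffic the standby never saw
        primary.send(peer)
    first_seq = standby_seq + 1              # standby resumes from its copy
    return {
        "peer_top": peer.top,
        "standby_seq": standby_seq,
        "first_seq": first_seq,
        "accepted": peer.accept(first_seq),
    }
```

Without the offset the standby's first datagram reuses a sequence number the peer already consumed and is dropped; with the offset it lands above the peer's window top, as long as the traffic after the last backup did not exceed the rate the offset was computed from.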
It can be seen from the above embodiments that, through the security association synchronization method between primary and standby devices of the present invention, IPSec SAs identical to those of the primary device are established in the security association database of the standby device, ensuring that after the switchover to the standby device the backed-up IPSec SAs can still be used to encrypt and authenticate data without negotiating again to establish security associations, so that the data messages of the upper-layer service are processed normally before and after the switchover and no message is dropped.
Comparing the methods of the two preferred embodiments above, the direct backup of IPSec SAs described in embodiment 1 is not commonly used, because the primary and standby devices in an operating network usually maintain real-time hot backup; therefore, in most cases, the backup of messages between the IPSec module and the IKE module described in embodiment 2 is more practical and significantly reduces manual intervention.
However, because the method of the invention does not synchronously back up the IKE SAs on the standby device, after the switchover the IPSec SAs of the standby device, i.e. the new primary device, cannot be updated automatically and are only valid within their lifetimes. If, after a backed-up IPSec SA expires, the new primary device and the peer communication device still exchange datagrams, the IKE module is triggered to begin a new negotiation process and create new IPSec SAs and IKE SAs. Generally, however, the first several datagrams between the communication devices are dropped during this negotiation, which also causes a short interruption of the upper-layer service.
To guarantee the continuity of the upper-layer service, the method of the present invention adds a re-negotiation process actively initiated by the IPSec module after the switchover: after the standby device is switched to become the new primary device, its IPSec module actively notifies the IKE module to restart negotiation, i.e. to update the security associations synchronized from the former primary device, ensuring that new IPSec SAs and IKE SAs corresponding to the upper-layer service are established before the backed-up IPSec SAs expire. In this way the backed-up security association information is updated in time after the switchover, guaranteeing the continuity of the upper-layer service.
The method by which the IKE module of the new primary device passively updates security associations according to the present invention is described in detail below. Since there may be a large number of security associations in the new primary device that need updating, re-negotiating all of them at once would occupy the central processing unit (CPU) of the standby device for a long time. To avoid this, before updating the security associations the method sets a period timer and, only when this period timer expires, updates part of the security associations synchronously backed up from the former primary device; the method also sets the number of security associations the IKE module updates each time, ensuring that within one period of the timer only a small fraction of the time is used for updating security associations and the CPU can handle other processes the rest of the time. Both the period of the timer and the number of security associations the IKE module updates each time can be determined according to the processing capacity of the system.
Fig. 3 is a flow chart of the method by which the IKE module of the new primary device passively renews security associations. As shown in Fig. 3, when the standby device is switched to become the new primary device, the new primary device performs the following steps:
Step 301: start the period timer;
Step 302: when the period timer expires, the IPSec module scans the new primary device for backed-up security associations synchronized from the former primary device that have not yet been renewed; if there are any, step 303 is performed; otherwise the period timer is stopped;
Each security association in the SAD of the primary and standby devices carries a status flag that identifies its state. For example, if a security association on the primary device has been backed up or renewed to the standby device, its status flag is set to "backed up"; if a security association on the standby device was synchronized from the primary device, its status flag is set to "backed up from primary device"; if a security association on the standby device was negotiated by the standby device itself after it switched to become the new primary device, or was renewed by the new primary device through its own negotiation, its status flag is set to "normal". The new primary device can therefore determine whether a security association is a backed-up security association synchronized from the former primary device that has not yet been renewed by checking its status flag;
Step 303: determine the number of backed-up security associations not yet renewed and send a message to the IKE module notifying it to start a new negotiation to renew those backed-up security associations;
Step 304: the IKE module compares the number of backed-up security associations not yet renewed with the configured number of security associations the IKE module renews each time; if it is greater than the configured number, step 305 is performed; if it is less than or equal to the configured number, step 306 is performed;
Step 305: scan and renew the configured number of backed-up security associations, then return to step 302;
Step 306: scan and renew all backed-up security associations not yet renewed, then stop the period timer.
There are several ways to scan and renew security associations in steps 305 and 306. One method scans and renews all security associations in turn in the order of the security association records in the SAD. Another method scans in the order of the security policy records in the SPD and renews the security associations corresponding to each policy: a security policy in the SPD is selected first, all security associations corresponding to it are scanned and renewed, and then all security associations corresponding to the next security policy in the SPD are scanned and renewed. The second method has an advantage over the first: when the IKE module renegotiates, it can locate the inbound and outbound security associations belonging to a security policy directly from the policy structure and renew the security association information for both the outbound and inbound directions of a pair of communicating entities at the same time, which greatly shortens the scan-and-renew process. This is because, when security associations are created, the inbound and outbound security associations of a pair of communicating entities are not necessarily linked to each other; with the first method, after finding an outbound security association it may be necessary to keep searching for the corresponding inbound security association so that both can be renewed together, which makes the scan-and-renew process relatively complex and time-consuming.
A further method scans and renews according to a "used first" principle: the IKE module maintains a use queue, and if packets have been sent or received on a synchronized security association in the new primary device, that security association is entered into the use queue. Each time the timer expires, the use queue is scanned first and the "used" security associations are renewed before the other synchronized security associations are processed.
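The following Python model is an added worked example, not code from the patent: it plays through steps 301 to 306 above using the status flags described under step 302, a per-cycle renewal cap, and the three scan orders just discussed (SAD order, SPD order and "used first"). The SA and policy structures, the flag names, the sample SAD and the stub `renegotiate` callback are assumptions made for the illustration; no real IKE exchange is modelled.

```python
"""Timer-driven batch renewal of SAs synchronized from the former primary.

Added example, not code from the patent: models steps 301-306 with the
status flags described under step 302, a per-cycle renewal cap, and the
three scan orders (SAD order, SPD order, "used first").  SA/policy
structures, flag names, the sample SAD and the stub renegotiation callback
are constructed for this illustration; no real IKE exchange occurs.
"""
from collections import OrderedDict
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List


class SaStatus(Enum):
    BACKED_UP = "backed up"                         # primary: already pushed to the standby
    FROM_PRIMARY_BACKUP = "backed up from primary"  # standby: synchronized copy, not yet renewed
    NORMAL = "normal"                               # negotiated or renewed by this device itself


@dataclass
class SecurityAssociation:
    spi: int
    direction: str        # "in" or "out"
    policy_id: int        # SPD entry this SA belongs to
    status: SaStatus


@dataclass
class NewPrimary:
    """SAD (keyed by SPI, kept in SAD record order) and SPD policy order of the new primary."""
    sad: "OrderedDict[int, SecurityAssociation]"
    spd_order: List[int]                                # policy ids in SPD record order
    per_cycle_cap: int                                  # SAs the IKE module renews per timer expiry
    use_queue: List[int] = field(default_factory=list)  # SPIs that carried traffic, oldest first

    def pending(self) -> List[SecurityAssociation]:
        """Step 302: backed-up SAs synchronized from the former primary and not yet renewed."""
        return [sa for sa in self.sad.values() if sa.status is SaStatus.FROM_PRIMARY_BACKUP]

    def note_traffic(self, spi: int) -> None:
        """Packets were sent or received on a synchronized SA: enter it into the use queue."""
        if self.sad[spi].status is SaStatus.FROM_PRIMARY_BACKUP and spi not in self.use_queue:
            self.use_queue.append(spi)

    # --- the three scan orders -------------------------------------------------
    def order_sad(self) -> List[int]:
        return [sa.spi for sa in self.pending()]

    def order_spd(self) -> List[int]:
        """Policy by policy, so the in/out pair of one peer lands in the same batch."""
        spis: List[int] = []
        for pid in self.spd_order:
            spis += [sa.spi for sa in self.pending() if sa.policy_id == pid]
        return spis

    def order_used_first(self) -> List[int]:
        head = [spi for spi in self.use_queue if self.sad[spi].status is SaStatus.FROM_PRIMARY_BACKUP]
        return head + [spi for spi in self.order_sad() if spi not in head]

    # --- steps 301-306 -----------------------------------------------------------
    def run_timer(self, order: Callable[[], List[int]],
                  renegotiate: Callable[[int], None]) -> List[List[int]]:
        """Each timer expiry renews at most per_cycle_cap SAs; the timer stops when none remain.
        Returns the SPIs renewed in each cycle so the batching can be inspected."""
        history: List[List[int]] = []
        while True:                                   # step 302 runs on every expiry
            todo = order()
            if not todo:
                break                                 # nothing pending: stop the period timer
            # steps 304-306: a capped batch if more remain, otherwise everything that is left
            batch = todo[:self.per_cycle_cap] if len(todo) > self.per_cycle_cap else todo
            for spi in batch:
                renegotiate(spi)                      # IKE renegotiation (stub in this example)
                self.sad[spi].status = SaStatus.NORMAL
            history.append(batch)
            if len(todo) <= self.per_cycle_cap:
                break                                 # step 306: all renewed, stop the timer
        return history


def build_sample_device(cap: int = 2) -> NewPrimary:
    """Constructed SAD: three peers with an in/out pair each, interleaved in SAD order."""
    fpb = SaStatus.FROM_PRIMARY_BACKUP
    sas = [SecurityAssociation(0x1001, "out", 1, fpb), SecurityAssociation(0x2001, "out", 2, fpb),
           SecurityAssociation(0x1002, "in", 1, fpb),  SecurityAssociation(0x3001, "out", 3, fpb),
           SecurityAssociation(0x2002, "in", 2, fpb),  SecurityAssociation(0x3002, "in", 3, fpb),
           SecurityAssociation(0x9001, "out", 9, SaStatus.NORMAL)]  # negotiated locally, skipped
    return NewPrimary(OrderedDict((sa.spi, sa) for sa in sas), spd_order=[1, 2, 3], per_cycle_cap=cap)


def renew_in_spd_order(cap: int = 2) -> List[List[int]]:
    dev = build_sample_device(cap)
    return dev.run_timer(dev.order_spd, lambda spi: None)


def renew_used_first(cap: int = 2) -> List[List[int]]:
    dev = build_sample_device(cap)
    dev.note_traffic(0x3001)      # peer 3 is carrying traffic right after the switchover
    return dev.run_timer(dev.order_used_first, lambda spi: None)
```

With a cap of two, `renew_in_spd_order` renews each peer's inbound and outbound SAs in one cycle, whereas plain SAD order would split the pairs across cycles; `renew_used_first` pulls the SA that is already carrying traffic into the first batch.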
The preferred embodiments above describe the purpose, technical solutions and advantages of the present invention in further detail. It should be understood that they are only preferred embodiments and do not limit the present invention; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention falls within the scope of protection of the present invention.

Claims (15)

1. A method for realizing security association synchronization, characterized in that, while the primary device operates normally, only the primary device uses the security associations it has set up itself to process packets, and the method comprises the following steps:
a. while operating normally, the primary device sends the relevant information of the security associations it has set up to the standby device;
b. the standby device receives the security association information and sets up its own security associations according to the received information;
c. after the upper-layer service is switched to the standby device, the standby device uses the received security association information to process packets.
2. The method of claim 1, characterized in that the sending in step a is specifically: the primary device sends the security association information to the standby device through a dedicated interface between the primary and standby devices.
3. The method of claim 1, characterized in that the security association information comprises: the anti-replay counter, the sequence number overflow flag, the security protocol, the authentication header authentication algorithm and its key, the security association lifetime, the ESP encryption algorithm and its key, the key initialization vector, the key initialization vector mode, the ESP authentication algorithm and its key, and the encapsulation mode used.
4. The method of claim 1, characterized in that step a specifically comprises the following steps:
a11. after the standby device starts, the IPSec module of the primary device reads the information of all security associations already set up in the security association database of the primary device;
a12. the IPSec module of the primary device sends the security association information it has read to the IPSec module of the standby device.
5. The method of claim 4, characterized in that step a12 further comprises: the primary device calculates the difference between the security association expiry parameter it has read and the system running time of the primary device, and sends the calculated difference to the standby device as the security association expiry parameter in the security association information.
6. The method of claim 1, characterized in that step a specifically comprises the following steps:
a21. when the key exchange module of the primary device sends a set-up or renewal message for a security association to the IPSec module of the primary device, notifying the IPSec module of the primary device to create a new security association or to renew an existing one, the key exchange module of the primary device also sends that set-up or renewal message to the key exchange module of the standby device;
a22. the key exchange module of the standby device forwards the set-up or renewal message to the IPSec module of the standby device and notifies it to create, or renew, the security association on the standby device that corresponds to the one on the primary device.
7. The method of claim 6, characterized in that step a21 further comprises: the key exchange module of the primary device copies the newly generated security parameter index and sends the copied security parameter index to the key exchange module of the standby device;
and step a22 further comprises: the IPSec module of the standby device replaces the security parameter index it generated itself with the copied security parameter index.
8. The method of claim 1, characterized in that the standby device setting up a security association in step b is specifically:
b1. constructing a security association structure from the received backup security association information;
b2. deriving the policy pointer value of the security association from the destination IP address, security parameter index and security protocol identifier in the security association information;
b3. adding the constructed security association structure to the SAD of the standby device according to the derived policy pointer value;
b4. establishing the mapping between the security association and the corresponding security policy in the security policy database.
9. The method of claim 1, characterized in that the method further comprises: the primary device periodically sends the anti-replay counter parameter of a security association to the standby device, and the anti-replay counter value in the corresponding security association on the standby device is updated.
10. The method of claim 9, characterized in that the method further comprises: before the primary device sends the anti-replay counter parameter to the standby device, the primary device adds an offset to the anti-replay counter value to be sent, according to the average rate at which datagrams were received or sent in the current period.
11. The method of claim 1, characterized in that, after the upper-layer service is switched to the standby device in step c, the method further comprises: the IPSec module of the standby device proactively notifies the key exchange module to begin a new negotiation process to renew the security associations backed up from the primary device.
12. The method of claim 11, characterized in that the standby device sets a period timer and the number of security associations the key exchange module renews each time, and the key exchange module renews security associations specifically by the following steps:
c1. start the period timer;
c2. when the period timer expires, the IPSec module of the standby device scans the standby device for backed-up security associations not yet renewed; if there are any, step c3 is performed; otherwise the period timer is stopped;
c3. determine the number of backed-up security associations not yet renewed and send a message to the key exchange module notifying it to renew the backed-up security associations; the key exchange module compares the number of backed-up security associations not yet renewed with the configured number of security associations the key exchange module renews each time; if it is greater than the configured number, the configured number of backed-up security associations is scanned and renewed and step c2 is returned to; if it is less than or equal to the configured number, all backed-up security associations not yet renewed are scanned and renewed and the period timer is stopped.
13. The method of claim 12, characterized in that the scanning and renewal in step c3 are specifically: scanning and renewing all backed-up security associations in turn in the order of the security associations in the security association database.
14. The method of claim 12, characterized in that the scanning and renewal in step c3 are specifically: scanning in the order of the security policies in the security policy database and renewing in turn all backed-up security associations corresponding to the current security policy.
15. The method of claim 12, characterized in that the method further comprises: maintaining a use queue in the key exchange module of the standby device, and if packets have been sent or received on a backed-up security association, entering that security association into the use queue;
and the scanning and renewal in step c3 are specifically: scanning and renewing the security associations in the use queue first.
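The following Python block is an added example, not the patent's code, of the backup information adjustments in claims 5, 9 and 10: the primary converts the expiry parameter to a remaining lifetime before sending it, reports the anti-replay counter periodically with a look-ahead offset, and the standby installs both. The record fields, the message layout, the sample values, the treatment of the counter as the last outbound sequence number used, and the reading of the offset as average datagram rate times report period are all assumptions made for this illustration; `simulate_failover` shows why the offset is needed and where it stops being enough.

```python
"""Primary-to-standby SA backup information with the adjustments of claims 5, 9 and 10.

Added illustration, not code from the patent.  The SA record, message layout
and sample values are constructed; the counter is treated as the last outbound
sequence number used, and the offset is taken as (average datagram rate of the
current period) x (report period), one reading of claim 10 (an assumption).
"""
from dataclasses import dataclass, replace
import math


@dataclass
class SaRecord:
    spi: int
    expiry_uptime: float     # expiry expressed in the owning device's system running time
    replay_counter: int      # last sequence number used on this SA (assumed meaning)
    protocol: str            # "esp" or "ah"
    encaps_mode: str         # "tunnel" or "transport"


def backup_message(sa: SaRecord, primary_uptime: float) -> dict:
    """Claim 5: send the remaining lifetime (expiry parameter minus primary running time)
    rather than the absolute expiry, because the standby's running time differs."""
    remaining = sa.expiry_uptime - primary_uptime
    if remaining <= 0:
        raise ValueError(f"SA {sa.spi:#x} has already expired on the primary; nothing to back up")
    return {"spi": sa.spi, "lifetime_remaining": remaining, "replay_counter": sa.replay_counter,
            "protocol": sa.protocol, "encaps_mode": sa.encaps_mode}


def install_on_standby(msg: dict, standby_uptime: float) -> SaRecord:
    """Step b on the standby: rebuild the SA, re-anchoring the lifetime to its own running time."""
    return SaRecord(spi=msg["spi"], expiry_uptime=standby_uptime + msg["lifetime_remaining"],
                    replay_counter=msg["replay_counter"], protocol=msg["protocol"],
                    encaps_mode=msg["encaps_mode"])


def counter_offset(packets_in_period: int, period_s: float) -> int:
    """Claim 10: look-ahead offset derived from the average datagram rate of the current
    period (assumed form: rate x period, rounded up)."""
    avg_rate = packets_in_period / period_s
    return math.ceil(avg_rate * period_s)


def counter_report(sa: SaRecord, packets_in_period: int, period_s: float) -> dict:
    """Claims 9-10: the periodic anti-replay counter update, advanced by the offset."""
    return {"spi": sa.spi,
            "replay_counter": sa.replay_counter + counter_offset(packets_in_period, period_s)}


def apply_counter_report(sa: SaRecord, report: dict) -> SaRecord:
    """Only move the standby's counter forward: a stale or reordered report must not undo it."""
    return replace(sa, replay_counter=max(sa.replay_counter, report["replay_counter"]))


def simulate_failover(packets_in_period: int, period_s: float, packets_after_report: int) -> tuple:
    """The primary reports its counter, then sends `packets_after_report` more datagrams before
    failing.  Returns (last sequence number the primary used, first one the standby will use);
    the second must exceed the first, or the standby would reuse numbers the peer has seen."""
    primary = SaRecord(spi=0x1001, expiry_uptime=4000.0, replay_counter=1000,
                       protocol="esp", encaps_mode="tunnel")          # constructed sample SA
    standby = install_on_standby(backup_message(primary, primary_uptime=400.0), standby_uptime=50.0)
    standby = apply_counter_report(standby, counter_report(primary, packets_in_period, period_s))
    primary_last = primary.replay_counter + packets_after_report
    standby_first = standby.replay_counter + 1
    return primary_last, standby_first
```

At 100 datagrams per one-second period, the report carries the counter advanced by 100; if the primary sends 80 more datagrams before failing, the standby continues from a higher number, but a burst of 150 overtakes the offset, which is why the offset must track the actual rate of the current period rather than a fixed constant.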
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200410098823 CN1791098B (en) 2004-12-13 2004-12-13 Method for realizing safety coalition synchronization

Publications (2)

Publication Number Publication Date
CN1791098A CN1791098A (en) 2006-06-21
CN1791098B true CN1791098B (en) 2010-12-01

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20101201