CN1984131A - Method for processing distributed IPSec - Google Patents

Method for processing distributed IPSec

Info

Publication number
CN1984131A
Authority
CN
China
Prior art keywords
ipsec
subcard
message
spd
handles
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CNA2005101264760A
Other languages
Chinese (zh)
Inventor
贾红升
谭敏强
张育斌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Samsung Telecommunications Technology Research Co Ltd
Samsung Electronics Co Ltd
Original Assignee
Beijing Samsung Telecommunications Technology Research Co Ltd
Samsung Electronics Co Ltd

Abstract

A distributed IPSec processing method comprises the following steps: a plurality of master cards generate a Flow ID from the IP packet, perform load sharing according to the Flow ID, and distribute the IPSec forwarding task to a plurality of subcards; a subcard receives the forwarded original IP packet to be encrypted or IPSec packet to be decrypted, performs the IPSec processing and forwards the result back to the master card; master cards and subcards exchange information through inter-board communication. The invention ports the IPSec protocol onto an M * N distributed computing architecture composed of M master cards and N subcards, and achieves high-performance IPSec forwarding through distributed computation by the master cards and subcards. It realizes high-speed IPSec forwarding, high redundancy and high reliability, supports smooth upgrading of system capacity, scales well, has a simple physical logic and is easy to implement.

Description

Method for distributed IPSec processing
Technical field
The present invention relates to the field of Internet security, and in particular to a method for distributed IPSec processing.
Background technology
IPSec (Internet Protocol Security) is a protocol defined by the IETF (Internet Engineering Task Force) that provides security for IP (Internet Protocol) at the network layer; it consists of a series of RFC documents. RFC2401 defines the basic architecture of IPSec; RFC2402 defines the IPSec AH (Authentication Header); RFC2406 defines the IPSec ESP (Encapsulating Security Payload); RFC2409 defines the IPSec IKE (Internet Key Exchange).
Fig. 1 shows the basic structure of the IPSec protocol.
The IPSec protocol comprises AH, ESP, IKE, etc.
ESP (101) provides data encryption and authentication for the IP payload. AH (102), the authentication header, provides data integrity and authentication for the IP header. The data encryption algorithm (103) and the authentication algorithm (104) are specified by the SA (Security Association). IKE (105) exchanges keys and generates the keys used by the IPSec protocol. The SPD (Security Policy Database) (106) determines whether two entities may communicate and how their communication is transformed. The Domain of Interpretation (DOI) is used to group the related protocols; secure connections are negotiated through ISAKMP.
Fig. 2 shows the principle of an IPSec-based VPN (Virtual Private Network).
Host A (201) and host B (204) communicate over the Internet. IPSec gateway A (202) and IPSec gateway B (203) are the Internet egress routers through which host A (201) and host B (204) respectively connect. The gateways dynamically negotiate, via IKE (206), the SA security policies (207, 208) needed for communication between host A and host B, and secure communication is achieved by encapsulating the IP packets into IPSec packets (205). IPSec can be used together with technologies such as L2TP (Layer 2 Tunneling Protocol) and PPTP (Point-to-Point Tunneling Protocol), and is often called IPSec VPN.
In an IPSec-based VPN implementation, the IPSec router must perform IPSec encryption, decryption and authentication in addition to routing, forwarding and address translation. Because IPSec routers usually sit at the access and aggregation layers of the network and must serve a large number of users simultaneously, the forwarding load is very heavy and the router tends to become the bottleneck.
At the same time, the IPSec encryption, decryption and authentication algorithms are very time-consuming, so the system load is far greater than that of ordinary IP forwarding.
Current mainstream IPSec router implementations all have the following problems:
1. IPSec routers that forward in CPU software have low operating efficiency and low processing capacity.
2. IPSec routers that accelerate IPSec forwarding with hardware ASICs or network processors have somewhat higher processing capacity, but are limited by hardware performance; they remain complex to implement, scale poorly, and cannot be upgraded in step with the growth of IPSec user traffic.
Summary of the invention
The object of the present invention is to provide a method for distributed IPSec processing.
To achieve the above object, a method for distributed IPSec processing comprises the steps of:
(1) a plurality of master cards generate a Flow ID according to the content of the IP packet, perform a load-sharing computation according to the Flow ID, and distribute the IPSec forwarding task to a plurality of coprocessing subcards;
(2) a coprocessing subcard receives the original IP packet to be encrypted or the IPSec packet to be decrypted forwarded by the master card, performs the IPSec processing and forwards the result back to the master card;
(3) the master cards and the coprocessing subcards exchange information through inter-board communication.
The present invention ports the IPSec protocol onto an M * N distributed computing architecture composed of M master cards and N coprocessing subcards, and achieves high-performance IPSec forwarding through distributed computation by the master cards and the coprocessing subcards. It efficiently realizes high-speed IPSec forwarding, high redundancy and high reliability, supports smooth upgrading of system capacity, scales well, has a simple physical logic and is easy to implement.
Description of drawings
Fig. 1 shows the composition of the IPSec protocol;
Fig. 2 shows an IPSec VPN;
Fig. 3 shows the M * N distributed forwarding structure for IPSec;
Fig. 4 is the IPSec OutBound packet processing flow;
Fig. 5 is the IPSec InBound packet processing flow.
Embodiment
The present invention ports the IPSec protocol onto an M * N distributed computing architecture composed of M master cards and N coprocessing subcards; the master cards and the coprocessing subcards complete IPSec forwarding jointly through distributed computation. The design method is as follows:
1. The master cards and the coprocessing subcards complete the IPSec forwarding task jointly.
2. IPSec packet processing on the master card: receive the packet flows of both the Inbound and the Outbound direction of the IPSec protocol stack; analyze the packet header, look up the SPD policy database, classify the traffic and assign a unique flow label to each packet; perform the load-sharing computation according to the flow label and distribute the packet flows to the individual coprocessing subcards; after a coprocessing subcard has finished processing, the master card collects the packets and outputs them.
3. IPSec packet processing on the coprocessing subcard: receive the IPSec packet, look up the SADB (security association database), perform the packet encryption or decryption computation, and forward the packet to the master card when done.
4. The master card must implement at least: the IPSec protocol stack (complete), the SPD database, the SADB database, network management, IKE, inter-board communication and other upper-layer applications.
5. The subcard must implement at least: high-speed IPSec forwarding, the SPD database (the part relevant to this card), the SADB database (the part relevant to this card), IKE (optional), inter-board communication and others.
6. Inter-board communication refers specifically to the channel over which information is transferred between master cards and subcards. It is mainly used to transfer SPD database information, SADB database information and management information.
7. All subcards are configured identically and are transparent to one another; a subcard does not need to know that other subcards exist. Forwarding capacity is upgraded smoothly by adding or removing subcards.
Fig. 3 shows the distributed IPSec forwarding structure.
The system may be composed of M master cards and N coprocessing subcards in an M * N distributed forwarding structure.
301: In the Outbound direction, the host sends the original IP packet to be encrypted to the IPSec gateway; in the Inbound direction, it receives the decrypted original IP packet.
302: The master card receives the original IP packet to be encrypted sent by the host in the Outbound direction; after an SPD lookup (mandatory) and IKE negotiation (optional), it obtains the information corresponding to this packet and generates a Flow ID. It receives the IPSec packet to be decrypted sent from the Internet in the Inbound direction, analyzes the packet header and generates a Flow ID. According to the Flow ID the master card performs the load-sharing computation and forwards the packet to a particular coprocessing subcard for IPSec processing. At the same time, the master card collects the decrypted original IP packets from each coprocessing subcard in the Inbound direction and sends them to the respective hosts, and collects the encrypted IPSec packets from each coprocessing subcard in the Outbound direction and sends them to the Internet. The load-sharing algorithm must ensure that the data flow corresponding to one SPD entry or one SA entry is always assigned to a single subcard, so that the subcards remain transparent to one another and do not need to exchange information through inter-board communication.
303: The coprocessing subcard receives the original IP packet to be encrypted or the IPSec packet to be decrypted forwarded by the master card, performs the IPSec processing, and forwards the result back to the master card.
304: The coprocessing subcards and the master cards exchange information through inter-board communication, such as SPD data, SADB data, statistics and other configuration information. The master card must issue the SPD data to all coprocessing subcards; SAs generated by IKE negotiation and manually configured SAs must be stored on the coprocessing subcard whose forwarding they concern. The SPD database on a coprocessing subcard must follow the master card's SPD database and be updated in time. The SADB database on a coprocessing subcard must follow the master card's SADB database and be updated in time, but it need hold only the part required for that coprocessing subcard's IPSec forwarding. After IKE negotiation on a coprocessing subcard, the newly generated SA must be reported promptly so that the master card's SADB database is refreshed.
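The two properties that steps 302 and 304 impose on the master card, that every packet of one SA lands on the same subcard and that each subcard therefore needs only its own share of the SADB, are easiest to see in code. The following is an added example written for this page, not code from the patent or its assignee: a Python model of the master card's SPD lookup, SADB lookup, Flow ID generation and load sharing. The data layouts, the `SPDEntry`/`SA` classes, the sample policy and addresses, and the choice of rendezvous hashing are all assumptions of the example; the patent fixes no particular load-sharing algorithm, only the pinning requirement.

```python
"""Added example (not part of the patent): the master card's Flow ID generation
and load-sharing step (302 in Fig. 3), with the per-subcard partial SADB that
step 304 calls for. Data layouts, names and the hashing scheme are assumptions
of this example; the patent only requires that all traffic of one SPD/SA entry
is pinned to a single subcard."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

Selector = Tuple[str, str, int]  # (src, dst, proto); exact-match strings, no CIDR logic


@dataclass(frozen=True)
class SPDEntry:
    selector: Selector
    action: str                  # "protect" | "bypass" | "discard"
    peer: Optional[str] = None   # remote gateway for "protect" entries


@dataclass(frozen=True)
class SA:
    spi: int
    dst: str                     # tunnel destination; (dst, spi) identifies the SA
    selector: Selector           # traffic this SA carries


def flow_id(dst: str, spi: int) -> bytes:
    """Flow ID from the (destination, SPI) pair that identifies an SA, so the SADB
    lookup result (OutBound, step 407) and the parsed header (InBound, steps
    504-505) yield the same key for the same SA."""
    return hashlib.sha256(f"{dst}|{spi}".encode()).digest()[:8]


def pick_subcard(fid: bytes, n_subcards: int) -> int:
    """Rendezvous (highest-random-weight) hashing: the choice is deterministic per
    Flow ID, and adding a subcard moves only the flows the new card wins, which
    is what lets capacity grow by adding cards. Assumption: the patent fixes no
    particular load-sharing algorithm."""
    weights = [
        int.from_bytes(hashlib.sha256(fid + i.to_bytes(2, "big")).digest()[:8], "big")
        for i in range(n_subcards)
    ]
    return max(range(n_subcards), key=weights.__getitem__)


class MasterCard:
    def __init__(self, spd: List[SPDEntry], sadb: List[SA], n_subcards: int):
        self.spd = list(spd)
        self.sadb: Dict[Tuple[str, int], SA] = {(sa.dst, sa.spi): sa for sa in sadb}
        self.n = n_subcards

    def spd_lookup(self, selector: Selector) -> Optional[SPDEntry]:
        return next((e for e in self.spd if e.selector == selector), None)

    def sadb_lookup(self, entry: SPDEntry) -> Optional[SA]:
        return next((sa for sa in self.sadb.values()
                     if sa.dst == entry.peer and sa.selector == entry.selector), None)

    def dispatch_outbound(self, selector: Selector) -> Union[str, int]:
        """Steps 402-408: SPD lookup, SADB lookup, Flow ID, load sharing.
        Returns 'discard', 'bypass', 'ike' (no valid SA yet, negotiation starts)
        or the index of the subcard that will do the IPSec processing."""
        entry = self.spd_lookup(selector)
        if entry is None or entry.action == "discard":   # step 403; no policy -> discard
            return "discard"
        if entry.action == "bypass":
            return "bypass"
        sa = self.sadb_lookup(entry)                      # step 404
        if sa is None:
            return "ike"                                  # step 405
        return pick_subcard(flow_id(sa.dst, sa.spi), self.n)   # steps 407-408

    def dispatch_inbound(self, local_dst: str, spi: int) -> int:
        """Steps 504-506: only header fields are needed; no SADB lookup on the master."""
        return pick_subcard(flow_id(local_dst, spi), self.n)

    def partial_sadbs(self) -> Dict[int, List[SA]]:
        """Step 304: each SA is issued only to the subcard that will forward it."""
        parts: Dict[int, List[SA]] = {i: [] for i in range(self.n)}
        for sa in self.sadb.values():
            parts[pick_subcard(flow_id(sa.dst, sa.spi), self.n)].append(sa)
        return parts


# Constructed sample policy and SAs (not from the patent).
SAMPLE_SPD = [
    SPDEntry(("10.1.0.0/16", "10.2.0.0/16", 6), "protect", peer="203.0.113.2"),
    SPDEntry(("10.1.0.0/16", "10.3.0.0/16", 17), "protect", peer="203.0.113.3"),
    SPDEntry(("10.1.0.0/16", "10.4.0.0/16", 6), "protect", peer="203.0.113.4"),  # no SA yet
    SPDEntry(("10.1.0.0/16", "10.1.0.0/16", 6), "bypass"),
    SPDEntry(("10.1.0.0/16", "192.0.2.0/24", 6), "discard"),
]
SAMPLE_SADB = [
    SA(0x1001, "203.0.113.2", ("10.1.0.0/16", "10.2.0.0/16", 6)),
    SA(0x1002, "203.0.113.3", ("10.1.0.0/16", "10.3.0.0/16", 17)),
]

if __name__ == "__main__":
    master = MasterCard(SAMPLE_SPD, SAMPLE_SADB, n_subcards=4)
    for entry in SAMPLE_SPD:
        print(entry.selector, "->", master.dispatch_outbound(entry.selector))
    print("partial SADBs:", {i: [hex(sa.spi) for sa in sas]
                             for i, sas in master.partial_sadbs().items()})
```

The Flow ID is built from the pair that identifies an SA rather than from the 5-tuple, because the Inbound master card (steps 504-506) has only the outer header to work with and must still hit the subcard that holds the SA. Rendezvous hashing is one way to get the "smooth upgrade" of design point 7: with a fifth subcard added, a flow either stays on its old subcard or moves to the new one, so only the moved SAs need to be re-issued over inter-board communication.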
Fig. 4 shows the IPSec OutBound packet processing flow.
401: The host 301 sends the original IP packet to the master card 302.
402: Analyze the packet header, look up the master card's SPD database and decide the forwarding policy.
403: If the SPD lookup result is "discard", discard the packet.
404: According to the SPD lookup result, continue to look up the SADB; if a valid SA entry exists, continue, otherwise start IKE. The IKE function may be implemented either on the coprocessing subcard or on the master card, so it is optional here.
405: Start IKE negotiation and generate an SA. This function may also be performed by the coprocessing subcard, so it is optional here.
406: Obtain the SA parameters. Optional.
407: Generate a Flow ID according to the SPD and SADB lookup results.
408: Perform the load-sharing computation according to the Flow ID and assign the given packet flow to a specific coprocessing subcard.
409: Forward the assigned packet to the coprocessing subcard.
410: The coprocessing subcard receives the packet.
411: Look up the SPD database again to find the forwarding policy.
412: According to the SPD lookup result, continue to look up the SADB; if a valid SA entry exists, continue, otherwise start IKE. The IKE function may be implemented on the coprocessing subcard or on the master card, so it is optional here. If the master card has implemented IKE, a valid SA entry necessarily exists, so the IKE process cannot be triggered at this point.
413: Start IKE negotiation and generate an SA.
414: Obtain the SA parameters.
415: Normal IPSec forwarding processing.
416: If NAT traversal is supported, perform the NAT packet-header processing here.
417: Packet fragmentation processing.
418: Return the processed packet to the master card.
419: The master card forwards the packet to the Internet.
Fig. 5 shows the IPSec InBound packet processing flow.
501: The master card receives an IPSec packet from the Internet.
502: If necessary, reassemble the IP packet.
503: If necessary, perform NAT traversal processing and strip the NAT traversal encapsulation header.
504: Analyze the packet header and parse out information such as the SPI.
505: Generate a Flow ID.
506: Perform the load-sharing computation according to the Flow ID and assign the given packet flow to a specific coprocessing subcard.
507: Forward the assigned packet to the coprocessing subcard.
508: The coprocessing subcard receives the packet.
509: Analyze the packet header and parse out information such as the SPI.
510: Look up the SADB according to the SPI and related information; if successful, continue.
511: If the SADB lookup fails, discard the packet.
512: Read the corresponding SA information from the SADB.
513: Perform the IPSec processing according to the SA.
514: If the IPSec processing fails, discard the packet.
515: Look up the SPD database and verify that the SPD policy matches the SA.
516: If the policy does not match, discard the packet.
517: Check whether a nested inner IPSec header exists; if so, return to 508 for further processing.
518: Return the processed packet to the master card.
519: The master card forwards the packet to the host.
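Steps 508 to 518 are the part of the flow where a subcard decides whether a packet is forwarded or dropped, and the order matters: the SADB lookup and integrity check come first, the SPD-versus-SA check only after the inner packet is visible, and the nested-header loop runs the whole sequence again. The following is an added example written for this page, not the patent's or its assignee's code: a Python model of that subcard pipeline. To keep it runnable without a cipher, IPSec processing is modelled as integrity-only ESP (NULL encryption, RFC 2410) with a truncated HMAC-SHA256 ICV; the packet layouts, the `SA`/`Subcard` classes, the SA-to-selector binding and all sample addresses, keys and packets are constructed for the example.

```python
"""Added example (not part of the patent): the coprocessing subcard's InBound
pipeline, steps 508-518 of Fig. 5, in Python. IPSec processing is modelled as
integrity-only ESP (NULL encryption, RFC 2410) with a truncated HMAC-SHA256
ICV; packet layouts, names and the SA-to-selector binding are constructed."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Set, Tuple

ESP_PROTO = 50
ICV_LEN = 16                                     # HMAC-SHA256-128 ICV
Selector = Tuple[bytes, bytes, int]              # (src, dst, proto) of the inner packet


@dataclass(frozen=True)
class SA:
    spi: int
    auth_key: bytes
    selector: Selector                           # traffic this SA is allowed to carry


def parse_inner(pkt: bytes) -> Tuple[Selector, bytes]:
    """Constructed inner-packet layout: 4-byte src, 4-byte dst, 1-byte proto, data."""
    src, dst, proto = struct.unpack("!4s4sB", pkt[:9])
    return (src, dst, proto), pkt[9:]


def esp_encapsulate(sa: SA, inner: bytes, seq: int) -> bytes:
    """Sender side, used only to build sample input: spi | seq | inner | ICV."""
    body = struct.pack("!II", sa.spi, seq) + inner
    return body + hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]


class Subcard:
    def __init__(self, sadb_partial, spd: Set[Selector]):
        self.sadb = {sa.spi: sa for sa in sadb_partial}   # only this card's share of the SADB
        self.spd = spd                                     # selectors with a "protect" policy

    def process_inbound(self, esp_pkt: bytes):
        """Returns ('drop', reason) or ('to_master', selector, data)."""
        pkt = esp_pkt
        while True:                                        # 508: packet (re)enters
            if len(pkt) < 8 + 9 + ICV_LEN:
                return ("drop", "truncated")
            spi, _seq = struct.unpack("!II", pkt[:8])      # 509: parse SPI (anti-replay not modelled)
            sa = self.sadb.get(spi)                        # 510: SADB lookup
            if sa is None:
                return ("drop", "no SA")                   # 511
            body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]     # 512-513: process per SA
            expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
            if not hmac.compare_digest(icv, expected):
                return ("drop", "bad ICV")                 # 514
            selector, data = parse_inner(body[8:])
            if selector != sa.selector or sa.selector not in self.spd:
                return ("drop", "policy mismatch")         # 515-516
            if selector[2] == ESP_PROTO:                   # 517: nested IPSec header
                pkt = data
                continue
            return ("to_master", selector, data)           # 518


# Constructed sample SAs, policy and packets (not from the patent).
HOST_A, HOST_B = b"\x0a\x01\x00\x01", b"\x0a\x02\x00\x01"
GW_A, GW_B = b"\xcb\x00\x71\x01", b"\xcb\x00\x71\x02"
SA_HOSTS = SA(0x1001, b"\x11" * 32, (HOST_A, HOST_B, 6))
SA_OUTER = SA(0x3003, b"\x22" * 32, (GW_A, GW_B, ESP_PROTO))
SAMPLE_SPD = {SA_HOSTS.selector, SA_OUTER.selector}
CARD = Subcard([SA_HOSTS, SA_OUTER], SAMPLE_SPD)

INNER = struct.pack("!4s4sB", HOST_A, HOST_B, 6) + b"hello"
GOOD = esp_encapsulate(SA_HOSTS, INNER, 1)
TAMPERED = GOOD[:-1] + bytes([GOOD[-1] ^ 0x01])
UNKNOWN_SPI = esp_encapsulate(SA(0x2002, b"\x33" * 32, SA_HOSTS.selector), INNER, 1)
WRONG_SRC = esp_encapsulate(SA_HOSTS, struct.pack("!4s4sB", GW_A, HOST_B, 6) + b"x", 2)
NESTED = esp_encapsulate(SA_OUTER, struct.pack("!4s4sB", GW_A, GW_B, ESP_PROTO) + GOOD, 1)


def run_samples():
    return {name: CARD.process_inbound(p) for name, p in
            [("good", GOOD), ("tampered", TAMPERED), ("unknown_spi", UNKNOWN_SPI),
             ("wrong_src", WRONG_SRC), ("nested", NESTED)]}


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(f"{name:12s} -> {outcome}")
```

The policy check at 515-516 is what stops a peer that holds a valid SA from tunnelling traffic the SPD never authorized for it: in the `WRONG_SRC` sample the ICV verifies, yet the packet is dropped because the inner selector does not match the SA's negotiated selector. The nested sample exercises step 517, where the decapsulated payload is itself an ESP packet for a second SA on the same card. The sequence number is parsed but unused because the patent does not describe anti-replay handling.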

Claims (12)

1. A method for distributed IPSec processing, comprising the steps of:
(1) a plurality of master cards generate a Flow ID according to the content of the IP packet, perform a load-sharing computation according to the Flow ID, and distribute the IPSec forwarding task to a plurality of coprocessing subcards;
(2) a coprocessing subcard receives the original IP packet to be encrypted or the IPSec packet to be decrypted forwarded by the master card, performs the IPSec processing and forwards the result back to the master card;
(3) the master cards and the coprocessing subcards exchange information through inter-board communication.
2. The method according to claim 1, characterized in that the exchanged information comprises SPD data, SADB data, statistics and other configuration information.
3. The method according to claim 1, characterized in that the plurality of subcards remain transparent to one another.
4. The method according to claim 2, characterized in that, for IPSec OutBound packet processing, generating the Flow ID comprises the steps of:
performing packet reassembly;
analyzing the packet header, looking up the master card's SPD database and deciding the forwarding policy;
continuing to look up the SADB according to the SPD lookup result;
starting IKE negotiation and generating an SA;
generating the Flow ID according to the SPD and SADB lookup results.
5. The method according to claim 2, characterized in that, for IPSec OutBound packet processing, the processing by the coprocessing subcard comprises the steps of:
looking up the SPD database again to find the forwarding policy;
continuing to look up the SADB according to the SPD lookup result;
starting IKE negotiation and generating the SA parameters;
performing normal IPSec forwarding processing;
returning the processed packet to the master card.
6. The method according to claim 4 or 5, characterized in that the step of starting IKE negotiation and generating an SA may be performed by the master card or by the coprocessing subcard.
7. The method according to claim 2, characterized in that, for IPSec InBound packet processing, generating the Flow ID comprises the steps of:
reassembling the IP packet;
analyzing the packet header and parsing out information such as the SPI;
generating the Flow ID.
8. The method according to claim 2, characterized in that, for IPSec InBound packet processing, the processing by the coprocessing subcard comprises the steps of:
analyzing the packet header and parsing out information such as the SPI;
looking up the SADB database according to the SPI and related information;
reading the corresponding SA information from the SADB;
performing the IPSec processing according to the SA;
looking up the SPD database and verifying that the SPD policy matches the SA;
returning the processed packet to the master card.
9. The method according to claim 1, characterized in that the selected load-sharing algorithm ensures that the data flow corresponding to one SPD entry or one SA entry is always assigned to a single subcard.
10. The method according to claim 1, characterized in that the SPD database on the coprocessing subcard follows the master card's SPD database and is updated in time.
11. The method according to claim 10, characterized in that only the part needed for the coprocessing subcard's IPSec forwarding is kept.
12. The method according to claim 5, characterized in that, after IKE negotiation on the coprocessing subcard, the newly generated SA is reported in time to refresh the master card's SADB database.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2005101264760A CN1984131A (en) 2005-12-14 2005-12-14 Method for processing distributed IPSec

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2005101264760A CN1984131A (en) 2005-12-14 2005-12-14 Method for processing distributed IPSec

Publications (1)

Publication Number Publication Date
CN1984131A true CN1984131A (en) 2007-06-20

Family

ID=38166362

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2005101264760A Pending CN1984131A (en) 2005-12-14 2005-12-14 Method for processing distributed IPSec

Country Status (1)

Country Link
CN (1) CN1984131A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009082889A1 (en) * 2008-01-03 2009-07-09 Hangzhou H3C Technologies Co., Ltd. A method for internet key exchange negotiation and device, system thereof
CN101345689B (en) * 2008-09-10 2011-07-06 成都市华为赛门铁克科技有限公司 Method, apparatus and communication equipment for implementing IP safety service
US8392701B2 (en) 2007-08-16 2013-03-05 Hangzhou H3C Technologies Co., Ltd. Method and apparatus for ensuring packet transmission security
US8509239B2 (en) 2008-08-18 2013-08-13 Chengdu Huawei Symantec Technologies Co., Ltd. Method, apparatus and system for processing packets
CN103457952A (en) * 2013-09-05 2013-12-18 杭州华三通信技术有限公司 IPSec processing method and device based on encrypting engine
CN108322361A (en) * 2018-01-24 2018-07-24 杭州迪普科技股份有限公司 Service traffics statistical method and device in a kind of IPSec vpn tunnelings
CN111147344A (en) * 2019-12-16 2020-05-12 武汉思为同飞网络技术股份有限公司 Virtual private network implementation method, device, equipment and medium
CN114785536A (en) * 2022-02-28 2022-07-22 新华三信息安全技术有限公司 Message processing method and device
CN115766172A (en) * 2022-11-09 2023-03-07 中科驭数(北京)科技有限公司 Message forwarding method, device, equipment and medium based on DPU and national password

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8392701B2 (en) 2007-08-16 2013-03-05 Hangzhou H3C Technologies Co., Ltd. Method and apparatus for ensuring packet transmission security
CN101197664B (en) * 2008-01-03 2010-12-08 杭州华三通信技术有限公司 Method, system and device for key management protocol negotiation
US8327129B2 (en) 2008-01-03 2012-12-04 Hangzhou H3C Technologies Co., Ltd. Method, apparatus and system for internet key exchange negotiation
WO2009082889A1 (en) * 2008-01-03 2009-07-09 Hangzhou H3C Technologies Co., Ltd. A method for internet key exchange negotiation and device, system thereof
US8737388B2 (en) 2008-08-18 2014-05-27 Huawei Technologies Co., Ltd. Method, apparatus and system for processing packets
US8509239B2 (en) 2008-08-18 2013-08-13 Chengdu Huawei Symantec Technologies Co., Ltd. Method, apparatus and system for processing packets
CN101345689B (en) * 2008-09-10 2011-07-06 成都市华为赛门铁克科技有限公司 Method, apparatus and communication equipment for implementing IP safety service
CN103457952A (en) * 2013-09-05 2013-12-18 杭州华三通信技术有限公司 IPSec processing method and device based on encrypting engine
CN103457952B (en) * 2013-09-05 2017-09-01 新华三技术有限公司 A kind of IPSec processing methods and equipment based on crypto engine
CN108322361A (en) * 2018-01-24 2018-07-24 杭州迪普科技股份有限公司 Service traffics statistical method and device in a kind of IPSec vpn tunnelings
CN108322361B (en) * 2018-01-24 2020-08-04 杭州迪普科技股份有限公司 Service flow statistical method and device in IPSec VPN tunnel
CN111147344A (en) * 2019-12-16 2020-05-12 武汉思为同飞网络技术股份有限公司 Virtual private network implementation method, device, equipment and medium
CN111147344B (en) * 2019-12-16 2021-12-24 武汉思为同飞网络技术股份有限公司 Virtual private network implementation method, device, equipment and medium
CN114785536A (en) * 2022-02-28 2022-07-22 新华三信息安全技术有限公司 Message processing method and device
CN115766172A (en) * 2022-11-09 2023-03-07 中科驭数(北京)科技有限公司 Message forwarding method, device, equipment and medium based on DPU and national password

Similar Documents

Publication Publication Date Title
CN1984131A (en) Method for processing distributed IPSec
US10708245B2 (en) MACsec for encrypting tunnel data packets
US7650500B2 (en) Encryption communication system
CN101262405B (en) High-speed secure virtual private network channel based on network processor and its realization method
CN109150688B (en) IPSec VPN data transmission method and device
EP1444775B1 (en) Method and apparatus to manage address translation for secure connections
EP1515491B1 (en) Architecture for virtual private networks
EP0988736B1 (en) An apparatus for implementing virtual private networks
US6976177B2 (en) Virtual private networks
US8327129B2 (en) Method, apparatus and system for internet key exchange negotiation
JP2018534884A (en) Client-cloud or remote server secure data or file object encryption gateway
JP2004524768A (en) System and method for distributing protection processing functions for network applications
US8175271B2 (en) Method and system for security protocol partitioning and virtualization
US11063812B2 (en) Ipsec acceleration method, apparatus, and system
CN1358386A (en) Dynamic connection to multiple origin servers in transcoding proxy
CN100499451C (en) Network communication safe processor and its data processing method
CN105812322B (en) The method for building up and device of internet safety protocol safe alliance
US20040158706A1 (en) System, method, and device for facilitating multi-path cryptographic communication
CN106161386B (en) Method and device for realizing IPsec (Internet protocol Security) shunt
CN101616084A (en) A kind of distributed IPSec load sharing device and method
CN103227742A (en) Method for IPSec (Internet protocol security) tunnel to rapidly process messages
CN110662218B (en) Data ferrying device and method thereof
CN105025004B (en) A kind of double stack IPSec VPN devices
JP4630296B2 (en) Gateway device and authentication processing method
US7864770B1 (en) Routing messages in a zero-information nested virtual private network

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20070620