WO2012149745A1 - Data multiplexing transmission method, device and system - Google Patents

Info

Publication number
WO2012149745A1
Authority
WO
WIPO (PCT)
Prior art keywords
address
private network
logical
security gateway
tunnel
Prior art date
Application number
PCT/CN2011/079809
Other languages
French (fr)
Chinese (zh)
Inventor
席辉
严卫平
Original Assignee
华为技术有限公司 (Huawei Technologies Co., Ltd.)
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司 (Huawei Technologies Co., Ltd.)
Priority to PCT/CN2011/079809
Priority to CN201180001855.0A (CN102742247B)
Publication of WO2012149745A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/166 Implementing security features at a particular protocol layer at the transport layer

Definitions

  • The present invention relates to the field of communications technologies, and in particular to a data split transmission method, apparatus, and system.
  • Background technique
  • IP Security (IPsec)
  • Figure 1 is a schematic diagram of a system in which IPsec is applied in the prior art.
  • The source device, the security gateway, and the destination device communicate over public network IP addresses. The source device supports the IPsec client-side protocol and the security gateway supports at least the IPsec server-side protocol, so an IPsec tunnel can be established between them for secure data transmission; data is then routed to the destination device through the security gateway.
  • Embodiments of the present invention provide a data split transmission method, apparatus, and system that implement end-to-end data isolation between a source device and multiple destination devices.
  • A data split transmission method at the source device includes:
  • the source device requests from the security gateway a private network IP address for each of at least two logical tunnels within one Internet Protocol Security (IPsec) tunnel;
  • the source device obtains the private network IP addresses of the at least two logical tunnels and their correspondence with each destination device;
  • the source device maps the data stream destined for each destination device to the corresponding logical tunnel according to the correspondence information and transmits it to the security gateway, so that the security gateway can send the received data stream to the corresponding destination device.
  • A data split transmission method at the security gateway includes:
  • the security gateway receives the source device's request for private network IP addresses of at least two logical tunnels in the IPsec tunnel;
  • the security gateway allocates a private network IP address to each of the at least two logical tunnels and feeds the addresses back to the source device;
  • the security gateway receives the data streams sent by the source device through the different logical tunnels;
  • the security gateway identifies each received data stream by the private network IP address of the logical tunnel it belongs to and, according to the correspondence between each logical tunnel's private network IP address and a destination device, sends the identified data stream to the corresponding destination device.
  • A communication device comprising:
  • an address requesting unit configured to request from the security gateway a private network IP address for each of at least two logical tunnels in the IPsec tunnel;
  • an address receiving unit configured to obtain the private network IP addresses of the at least two logical tunnels and their correspondence with each destination device;
  • a data isolation unit configured to map the data flow destined for each destination device to the corresponding logical tunnel according to the correspondence information and transmit it to the security gateway, so that the security gateway sends the received data flow to the corresponding destination device.
  • A security gateway including:
  • a request receiving unit configured to receive from the source device a request for private network IP addresses of at least two logical tunnels in the IPsec tunnel;
  • an address allocation unit configured to allocate a separate private network IP address to each of the at least two logical tunnels in the IPsec tunnel and feed the addresses back to the source device.
  • A data split transmission system includes a source device, a security gateway, and at least two destination devices, where
  • the source device is configured to request from the security gateway a private network IP address for each of at least two logical tunnels in the IPsec tunnel; to obtain those addresses and their correspondence with each destination device; and to map the data stream destined for each destination device to the corresponding logical tunnel according to the correspondence information and transmit it to the security gateway, so that the security gateway sends the received data stream to the corresponding destination device.
  • Because multiple logical tunnels are set up inside one IPsec tunnel, the source device can carry the data streams for different destination devices in different logical tunnels; the security gateway splits the streams and delivers each to its destination device. This realizes end-to-end secure transmission with data isolation, for example carrying a service flow and a data flow separately, and so supports networking better. It also saves external resources such as IP addresses and ports and makes more reasonable use of existing equipment for end-to-end secure transmission. The method is simple to implement and can be completed with standard protocols.
  • FIG. 1 is a schematic structural diagram of a system for applying IPsec in the prior art
  • FIG. 2 is a flowchart of a data split transmission method according to an embodiment of the present invention.
  • FIG. 3a is a flowchart of another data split transmission method according to an embodiment of the present invention.
  • Figure 3b is a schematic diagram of end-to-end data shunt transmission in the embodiment shown in Figure 3a;
  • FIG. 4 is a schematic diagram of the IPsec tunnel negotiation between the source device and the security gateway in the embodiment shown in FIG. 3a;
  • FIG. 5 is a schematic diagram of the IKE_AUTH exchange (written IKE-SA-AUTH in the patent text) between the source device and the security gateway in the embodiment shown in FIG. 3a;
  • FIG. 6 is a schematic diagram of the CREATE_CHILD_SA exchange between the source device and the security gateway in the embodiment shown in FIG. 3a;
  • FIG. 7 is a schematic structural diagram of a communication device according to an embodiment of the present invention.
  • FIG. 8 is a schematic structural diagram of a security gateway according to an embodiment of the present invention.
  • FIG. 9 is a schematic structural diagram of another security gateway according to an embodiment of the present invention.
  • FIG. 10 is a schematic structural diagram of a data split transmission system according to an embodiment of the present invention.
  • Referring to FIG. 2, a data split transmission method according to an embodiment of the present invention can include:
  • Step 201: The source device requests from the security gateway a private network IP address for each of at least two logical tunnels in the IPsec tunnel.
  • The source device may carry the request in an existing exchange message between itself and the security gateway, or in a newly added message negotiated between the two, to request the private network IP address of each logical tunnel in the IPsec tunnel.
  • The source device may also request the private network IP address of a logical tunnel from another network element, such as a network management system.
  • The number of logical tunnels is at least two, so that at least two sets of data flows can be isolated from each other. The request may also carry other information, such as the network segment from which the private network IP address should be allocated.
  • Step 202: The source device obtains the private network IP addresses of the at least two logical tunnels and their correspondence with each destination device.
  • The private network IP address of a logical tunnel obtained by the source device may be allocated by the security gateway or by the network management system and sent to the source device.
  • The correspondence between a logical tunnel's private network IP address and a destination device may be designated in advance by the source device when it requests the address, or may be assigned as needed by the security gateway or the network management system, which then informs the source device of it. For example, when the source device initiates the request, the request carries, for each destination device, the network segment from which that logical tunnel's private network IP address should be taken; the security gateway allocates an address from the designated segment, and the source device, on receiving it, knows which destination device the address corresponds to. The source device may then notify the security gateway of this correspondence. Alternatively, the source device and the security gateway may pre-negotiate which destination device each designated segment corresponds to, so that the security gateway learns the correspondence simply by allocating an address from the segment designated by the source device.
  • In another alternative, the security gateway allocates the private network IP addresses, establishes the correspondence between each logical tunnel's private network IP address and its peer destination device, and sends both the addresses and the correspondence to the source device.
  • In a further alternative, the security gateway allocates the private network IP addresses, the network management system assigns the correspondence between each logical tunnel's private network IP address and a destination device, and the network management system sends that correspondence to both the source device and the security gateway.
  • The private network IP addresses of the logical tunnels are all different; further, they may lie in different network segments. The correspondence between logical tunnel private network IP addresses and destination devices may be held, for example, as a mapping table; it may be divided into multiple lists for storage, the storage form is not limited, and the security gateway may hold the same correspondence.
  • Step 203: The source device maps the data stream destined for each destination device to the corresponding logical tunnel according to the correspondence information and transmits it to the security gateway.
  • The source device determines the logical tunnel for each data flow from the correspondence between the logical tunnels' private network IP addresses and the destination devices. For example, data stream 1, to be sent to destination device 1, goes into logical tunnel 1, which corresponds to private network IP address 1; data stream 2, to be sent to destination device 2, goes into logical tunnel 2, which corresponds to private network IP address 2.
  • Having chosen the logical tunnel for each data flow, the source device maps each data stream into its logical tunnel according to that tunnel's private network IP address. Mapping a data stream to a logical tunnel is what isolates the transmitted data: the private network IP address of the corresponding logical tunnel is inserted into the data. In IPsec terms the address assigned through the Configuration Payload is the internal address of the protected packets, so in practice it appears as the source address of the inner IP header carried through the tunnel.
  • After the mapping is complete, the source device sends each data stream to the security gateway through a different logical tunnel. On receiving the data flow of each logical tunnel, the security gateway identifies each data flow by the logical tunnel's private network IP address carried in it and then, using the correspondence between that address and a destination device, sends the identified data stream to the corresponding destination device. For example, a data stream carrying private network IP address 1 and received through logical tunnel 1 is sent to destination device 1 according to the correspondence between private network IP address 1 and destination device 1, which completes end-to-end data split transmission from the source device to the destination device.
  • The way the security gateway obtains the correspondence between logical tunnel private network IP addresses and destination devices is as described in Step 202.
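The mapping of Step 203 and the gateway's split, as an added worked example in Python; this is editorial illustration, not code from the patent or from Huawei. It assumes the private network IP address is carried as the source address of the inner IPv4 header (the usual meaning of an IPsec internal address), uses a constructed correspondence table with the example addresses 10.1.0.2 and 10.2.0.2, and adds one check the patent text does not state: the gateway verifies that the inner source address is the one assigned to the logical tunnel the packet arrived on. That is the inbound traffic-selector check IPsec (RFC 4301) already requires per SA; a gateway that identified streams by the inserted address alone would deliver a packet sent through one logical tunnel to the other tunnel's destination, which is exactly the isolation the logical tunnels are meant to provide.

```python
import ipaddress
import struct

# Constructed correspondence table (example values, not from the patent):
# logical tunnel -> (private network IP address of that tunnel, destination device).
CORRESPONDENCE = {
    1: ("10.1.0.2", "destination_device_1"),
    2: ("10.2.0.2", "destination_device_2"),
}


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an even-length header."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def build_inner_ipv4(src_ip: str, dst_ip: str, payload: bytes, proto: int = 17) -> bytes:
    """Minimal IPv4 header (no options) plus payload: the inner packet that is
    carried inside the IPsec tunnel. The header checksum is filled in."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed,
    )
    header = header[:10] + struct.pack("!H", _checksum(header)) + header[12:]
    return header + payload


def source_map_stream(destination: str, dst_ip: str, payload: bytes):
    """Step 203 at the source device: choose the logical tunnel whose entry
    names this destination and insert that tunnel's private network IP address
    into the data as the inner source address. Returns (tunnel_id, packet)."""
    for tunnel_id, (private_ip, dest) in CORRESPONDENCE.items():
        if dest == destination:
            return tunnel_id, build_inner_ipv4(private_ip, dst_ip, payload)
    raise KeyError("no logical tunnel corresponds to %s" % destination)


def _inner_source(packet: bytes):
    """Parse the inner IPv4 source address; None if the packet is not IPv4."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    return str(ipaddress.IPv4Address(packet[12:16]))


def gateway_split_by_address_only(packet: bytes):
    """The split as the patent text states it: identify the stream purely by
    the private network IP address found in the data, whatever tunnel it came on."""
    src_ip = _inner_source(packet)
    for private_ip, destination in CORRESPONDENCE.values():
        if private_ip == src_ip:
            return destination
    return None


def gateway_split(tunnel_id: int, packet: bytes):
    """Hardened split (editor's addition): the private address must also be the
    one assigned to the logical tunnel the packet arrived on. Without this, a
    packet sent through tunnel 2 that carries tunnel 1's private address is
    delivered to destination device 1, crossing the isolation boundary."""
    expected_ip, destination = CORRESPONDENCE[tunnel_id]
    if _inner_source(packet) != expected_ip:
        return None  # drop: address does not belong to this logical tunnel
    return destination
```

`gateway_split_by_address_only` and `gateway_split` agree on well-formed traffic; they differ only on a packet whose inner address does not match the tunnel it arrived on, which the first forwards and the second drops.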
  • FIG. 3a is a flowchart of another data split transmission method according to an embodiment of the present invention, and FIG. 3b is a schematic diagram of the end-to-end data split transmission in that embodiment. Two logical tunnels in one IPsec tunnel are taken as an example. The method may include:
  • Step 301: The source device and the security gateway establish a pair of IKE SAs through the IKE_SA_INIT exchange.
  • In the IKEv2-based IPsec tunnel negotiation between the source device and the security gateway, shown in FIG. 4, the IKE_SA_INIT exchange and the IKE_AUTH exchange (written IKE-SA-AUTH in the patent text) establish a pair of IKE SAs and a first pair of IPsec SAs, and a subsequent CREATE_CHILD_SA exchange establishes another pair of IPsec SAs. With these the source device and the security gateway complete the establishment of the IPsec tunnel.
  • In this embodiment the IKE_AUTH and CREATE_CHILD_SA exchanges are adjusted so that they create multiple logical tunnels inside the IPsec tunnel. The establishment of the IKE SA pair through the IKE_SA_INIT exchange is unchanged from the prior art and is not described further here.
  • Step 302: The source device sends first exchange information to the security gateway. It carries a request to obtain the private network IP address of the first logical tunnel in the IPsec tunnel and the designated network segment for that address.
  • The IKE_AUTH exchange of the prior art can be adjusted to serve as the first exchange information: through it the source device requests the private network IP address of the first logical tunnel from the security gateway.
  • The exchange message may carry a CP (Configuration Payload) and a TSr (responder Traffic Selector) payload. The CP payload, a CFG_REQUEST, indicates that an IP address needs to be obtained; the TSr payload indicates the network segment from which the address is wanted. In standard IKEv2 the TSr payload describes the address range behind the responder that the initiator wants to reach, so designating a segment in it also names the destination network the logical tunnel will serve. The remaining payloads are carried as needed; FIG. 5 is only an example.
  • Step 303: The source device sends second exchange information to the security gateway. It carries a request to obtain the private network IP address of the second logical tunnel in the IPsec tunnel and the network segment to which that address should belong.
  • The INFORMATIONAL exchange together with the CREATE_CHILD_SA exchange can be adjusted to serve as the second exchange information: through it the source device requests the private network IP address of the second logical tunnel from the security gateway.
  • The INFORMATIONAL and CREATE_CHILD_SA exchange messages may carry, respectively, the CP payload and the TSr payload, the CP payload indicating that an IP address is needed and the TSr payload indicating the desired network segment; the remaining payloads are carried as needed, and FIG. 6 is only an example.
  • The private network IP addresses that the source device designates for the logical tunnels belong to different network segments, and the different segments correspond to different logical tunnels and different destination devices. For example, the private network IP address in the first segment designated by the source device corresponds to destination device 1, and the private network IP address in the designated second segment corresponds to destination device 2.
  • The correspondence between a designated segment and a destination device may be negotiated in advance by the source device and the security gateway. In other embodiments, the security gateway allocates the private network IP address according to the designated segment, and once the source device has obtained the address it informs the security gateway of the correspondence between the logical tunnel's private network IP address and the destination device.
  • Step 304: After receiving the exchange messages from the source device, the security gateway allocates a private network IP address to each logical tunnel in the IPsec tunnel and establishes the correspondence between each logical tunnel's private network IP address and a destination device.
  • The security gateway allocates the private network IP address of the first logical tunnel according to the network segment designated in the IKE_AUTH exchange information, that is, according to its TSr payload, and establishes the correspondence between the first logical tunnel's private network IP address and the first destination device using the segment-to-destination correspondence negotiated between the source device and the security gateway.
  • Likewise, the security gateway allocates the private network IP address of the second logical tunnel according to the network segment designated in the INFORMATIONAL and CREATE_CHILD_SA exchange information, that is, according to the TSr payload there, and establishes the correspondence between the second logical tunnel's private network IP address and the second destination device in the same way.
  • The security gateway may allocate the first logical tunnel's private network IP address on receiving the request of Step 302 and the second logical tunnel's on receiving the request of Step 303, or it may wait until all requests have been received and then allocate an address to each logical tunnel and establish the correspondence between each address and its destination device.
  • At this point the source device and the security gateway have established two logical tunnels, and the source device can map data into the different logical tunnels for end-to-end secure transmission. For more than two logical tunnels, the procedure used for the second logical tunnel is repeated, and the security gateway allocates a further private network IP address each time.
  • Step 305: The source device maps the data stream destined for each destination device to the corresponding logical tunnel according to each logical tunnel's private network IP address and its correspondence with the destination device, and transmits the data to the security gateway.
  • The source device receives the private network IP addresses of the two logical tunnels sent by the security gateway, derives the correspondence between each address and a destination device from the segments it designated in advance, and maps the data for each destination device into the corresponding logical tunnel. The mapping is the same as in Step 203 of the previous embodiment and is not repeated here.
  • Step 306: The security gateway receives the data streams sent by the source device through the different logical tunnels.
  • Step 307: The security gateway identifies each received data stream by the logical tunnel private network IP address carried in the data, and sends the identified stream to the corresponding destination device according to the correspondence between the two logical tunnels' private network IP addresses and the destination devices.
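The negotiation of Steps 302 through 304, as an added worked example in Python that models both sides of the exchange; it is editorial illustration, not code from the patent or from Huawei, and it does not run real IKEv2. The exchange names IKE_AUTH and CREATE_CHILD_SA, the CP CFG_REQUEST/CFG_REPLY carrying an INTERNAL_IP4_ADDRESS, and the TS_UNACCEPTABLE and INTERNAL_ADDRESS_FAILURE notifications are IKEv2 terms; the segments 10.1.0.0/24 and 10.2.0.0/24, the destination names and the pre-negotiated segment-to-destination table are constructed assumptions. The gateway serves only segments agreed in advance and allocates each logical tunnel a distinct host address from its segment's pool, which is what makes the per-tunnel addresses both different and attributable to one destination device.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed assumption: the segment-to-destination correspondence that the
# source device and the security gateway negotiated in advance (Step 303).
SEGMENT_TO_DESTINATION = {
    "10.1.0.0/24": "destination_device_1",
    "10.2.0.0/24": "destination_device_2",
}


@dataclass
class ExchangeRequest:
    """Payloads the patent adds to an exchange: CP(CFG_REQUEST) asking for an
    INTERNAL_IP4_ADDRESS and TSr naming the designated network segment (CIDR)."""
    exchange: str          # "IKE_AUTH" for the first tunnel, "CREATE_CHILD_SA" after
    cp_request_ip4: bool
    tsr: str


@dataclass
class ExchangeReply:
    exchange: str
    cp_internal_ip4: Optional[str]   # CFG_REPLY INTERNAL_IP4_ADDRESS, or None on failure
    tsr: Optional[str]               # segment the address was taken from
    error: Optional[str] = None      # IKEv2 notify name on failure


class SecurityGateway:
    """Step 304: allocate one private address per logical tunnel from the
    segment designated in TSr and record tunnel -> (address, destination)."""

    def __init__(self, segment_to_destination: Dict[str, str]):
        self._segments = {ipaddress.ip_network(s): d for s, d in segment_to_destination.items()}
        # One address pool per pre-negotiated segment. hosts() skips the network
        # and broadcast addresses, and each call to next() hands out a new host,
        # so every logical tunnel receives a distinct private address.
        self._pools = {seg: seg.hosts() for seg in self._segments}
        self.correspondence: Dict[int, Tuple[str, str]] = {}

    def handle(self, req: ExchangeRequest) -> ExchangeReply:
        if not req.cp_request_ip4:
            return ExchangeReply(req.exchange, None, None, "CP(CFG_REQUEST) missing")
        try:
            segment = ipaddress.ip_network(req.tsr)
        except ValueError:
            return ExchangeReply(req.exchange, None, None, "TS_UNACCEPTABLE")
        # Only a segment agreed in advance is served (exact match; narrowing of
        # selectors is not modelled). An arbitrary segment would let the source
        # create a tunnel to a destination it was never mapped to.
        if segment not in self._segments:
            return ExchangeReply(req.exchange, None, None, "TS_UNACCEPTABLE")
        try:
            private_ip = str(next(self._pools[segment]))
        except StopIteration:
            return ExchangeReply(req.exchange, None, None, "INTERNAL_ADDRESS_FAILURE")
        tunnel_id = len(self.correspondence) + 1
        self.correspondence[tunnel_id] = (private_ip, self._segments[segment])
        return ExchangeReply(req.exchange, private_ip, str(segment))


class SourceDevice:
    """Steps 302 and 303: one request per logical tunnel. The first rides on the
    IKE_AUTH exchange, every further one on a CREATE_CHILD_SA exchange."""

    def __init__(self, wanted: List[Tuple[str, str]]):
        self.wanted = wanted                 # (destination device, designated segment)
        self.tunnels: Dict[str, str] = {}    # destination device -> private address

    def negotiate(self, gateway: SecurityGateway) -> Dict[str, str]:
        for i, (destination, segment) in enumerate(self.wanted):
            exchange = "IKE_AUTH" if i == 0 else "CREATE_CHILD_SA"
            reply = gateway.handle(ExchangeRequest(exchange, True, segment))
            if reply.error:
                raise RuntimeError(f"{exchange} for {destination} failed: {reply.error}")
            # The source designated the segment for this destination itself, so it
            # can record the address -> destination correspondence without being told.
            self.tunnels[destination] = reply.cp_internal_ip4
        return self.tunnels


def negotiate_two_tunnels() -> Tuple[Dict[str, str], Dict[int, Tuple[str, str]]]:
    """Run the two-tunnel negotiation of FIG. 3a; return both sides' tables."""
    gateway = SecurityGateway(SEGMENT_TO_DESTINATION)
    source = SourceDevice([
        ("destination_device_1", "10.1.0.0/24"),
        ("destination_device_2", "10.2.0.0/24"),
    ])
    return source.negotiate(gateway), gateway.correspondence


if __name__ == "__main__":
    print(negotiate_two_tunnels())
```

After `negotiate_two_tunnels()` both tables agree: the source holds destination-to-address, the gateway holds tunnel-to-(address, destination), and a later request naming a segment outside the agreed table is refused with TS_UNACCEPTABLE rather than silently mapped.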
  • FIG. 7 is a schematic structural diagram of a communication device according to an embodiment of the present invention. The communication device can include:
  • an address requesting unit 701, configured to request from the security gateway a private network IP address for each of at least two logical tunnels in the IPsec tunnel;
  • an address receiving unit 702, configured to obtain the private network IP addresses of the at least two logical tunnels and their correspondence with each destination device;
  • a data isolation unit 703, configured to map the data flow destined for each destination device to the corresponding logical tunnel according to the correspondence information and transmit it to the security gateway, so that the security gateway sends the received data stream to the corresponding destination device.
  • The address requesting unit 701 requests the private network IP addresses of the logical tunnels in the IPsec tunnel from the security gateway by exchanging messages with it; the number of logical tunnels is at least two.
  • The address receiving unit 702 obtains the private network IP addresses of the at least two logical tunnels together with their correspondence with each destination device. The addresses may be allocated by the security gateway or by a network management system. The correspondence may have been designated by the address requesting unit 701 when it requested the addresses, or may be assigned as needed by the security gateway or the network management system and then notified to the address receiving unit 702.
  • The data isolation unit 703 determines the logical tunnel corresponding to each data stream and then maps each data flow into its logical tunnel according to that tunnel's private network IP address; this mapping is what isolates the transmitted data. Each data stream is then sent to the security gateway through a different logical tunnel.
  • The security gateway identifies each data flow by the logical tunnel's private network IP address and, from the correspondence between that address and a destination device, sends the stream to the corresponding destination device.
  • Through these units, the communication device of this embodiment realizes end-to-end secure transmission of data, for example carrying a service flow and a data flow separately, which guarantees both data security and data isolation and supports networking better. The method saves external resources such as IP addresses and ports, makes more reasonable use of existing equipment for end-to-end secure transmission, is simple to implement, and can be completed using standard protocols.
  • When there are two logical tunnels, the address requesting unit of the communication device may further include: a first requesting subunit, configured to request the private network IP address of the first logical tunnel from the security gateway through first exchange information, such as the IKE_AUTH exchange information; and a second requesting subunit, configured to request the private network IP address of the second logical tunnel from the security gateway through second exchange information, such as the INFORMATIONAL and CREATE_CHILD_SA exchange information.
  • The first exchange information and the second exchange information each include the designated network segment of the requested private network IP address, and the private network IP addresses of the logical tunnels belong to different network segments.
  • FIG. 8 is a schematic structural diagram of a security gateway according to an embodiment of the present invention. The security gateway can include:
  • a request receiving unit 801, configured to receive from the source device a request for private network IP addresses of at least two logical tunnels in the IPsec tunnel;
  • an address allocation unit 802, configured to allocate a separate private network IP address to each of the at least two logical tunnels in the IPsec tunnel and feed the addresses back to the source device;
  • a data receiving unit 803, configured to receive the data streams sent by the source device through the different logical tunnels;
  • a data splitting unit 804, configured to identify each received data stream by the private network IP address of the at least two logical tunnels and, according to the correspondence between each logical tunnel's private network IP address and a destination device, send the identified data stream to the corresponding destination device.
  • After the request receiving unit 801 receives the source device's request for the private network IP addresses of at least two logical tunnels, the address allocation unit 802 allocates a private network IP address to each logical tunnel and feeds this information back to the source device. The source device maps its different data streams to the respective logical tunnels according to that information and transmits them to the security gateway; the data receiving unit 803 receives the streams, and the data splitting unit 804 identifies them and distributes each to the corresponding destination device.
  • In this way the security gateway of this embodiment realizes end-to-end secure transmission with data isolation, for example carrying a service flow and a data flow separately, which supports networking better. The method saves external resources such as IP addresses and ports, makes more reasonable use of existing equipment for end-to-end secure transmission, is simple to implement, and can be completed using standard protocols.
  • FIG. 9 is a schematic structural diagram of another security gateway according to an embodiment of the present invention.
  • the security gateway may also include a request receiving unit 901, an address assigning unit 902, a data receiving unit 903, and a data splitting unit 904.
  • the request receiving unit 901 may further include:
  • the first receiving subunit 9011 is configured to receive, when there are two logical tunnels, first exchange information, such as IKE_SA_AUTH exchange information, sent by the source device to request the private network IP address of the first logical tunnel;
  • the second receiving subunit 9012 is configured to receive, when there are two logical tunnels, second exchange information, such as Informational exchange and CREATE_CHILD_SA exchange information, sent by the source device to request the private network IP address of the second logical tunnel.
  • the first exchange information and the second exchange information each include the specified network segment of the requested private network IP address.
  • the private network IP addresses of logical tunnels belong to different network segments.
  • the address allocation unit 902 is specifically configured to allocate a private network IP address to each of the two logical tunnels in the IPsec tunnel according to the specified network segments of the requested private network IP addresses included in the first exchange information and the second exchange information.
  • the data receiving unit 903 and the data distributing unit 904 are similar to the data receiving unit 803 and the data distributing unit 804 in the foregoing embodiments, and details are not described herein again.
  • FIG. 10 is a schematic structural diagram of a data split transmission system according to an embodiment of the present invention.
  • the system can include a source device 1001, a security gateway 1002, and at least two destination devices 1003.
  • the source device 1001 is configured to request at least two logical tunnels from the security gateway 1002.
  • the system achieves end-to-end split and secure data transmission.
  • service flows and data flows are transmitted on separate paths, which both guarantees data security and guarantees data isolation and can better support networking; the method saves external resources such as IP addresses and ports, makes more reasonable use of existing devices to achieve end-to-end secure transmission, is simple to implement, and can be completed with standard protocols.

Abstract

An end-to-end data multiplexing transmission method, including: a source device requesting from a security gateway the private network IP addresses of at least two logical tunnels in an Internet Protocol Security (IPsec) tunnel; the source device obtaining the private network IP addresses of the at least two logical tunnels and information about the correspondence between them and each destination device; the source device mapping, according to the correspondence information, the data stream sent to each destination device into the corresponding logical tunnel and transmitting it to the security gateway, so that the security gateway sends the received data streams to the corresponding destination devices. The method achieves secure end-to-end data multiplexing transmission.

Description

Data split transmission method, device and system
Technical field
The present invention relates to the field of communications technologies, and in particular to a data split transmission method, apparatus and system.
Background
IPSec (IP Security) is a layer-3 tunnel encryption protocol defined by the IETF to guarantee the security and confidentiality of data transmitted over the Internet. IPSec provides security services for IP packets at the IP layer. The IPSec protocol defines how fields are added to IP packets to guarantee the integrity, privacy and authenticity of the packets, and how the packets are encrypted. With IPSec, data can be transmitted securely over the public network.
Figure 1 is a schematic diagram of a prior-art system structure in which IPsec is applied. The source device, the security gateway and the destination device communicate over public network IP addresses; an IPSec tunnel for secure data transmission is established between the source device, which supports the IPsec client protocol, and the security gateway, which supports at least the IPSec server-side protocol, and data is routed through the security gateway to the destination device.
However, when there is only one interface (physical port or IP address) between the source device and the security gateway and there are at least two destination devices, such as destination device 1 and destination device 2, data 1 sent by the source device to destination device 1 and data 2 sent by the source device to destination device 2 both reach the security gateway through the same IPsec tunnel. The security gateway cannot tell where data 1 and data 2 are going, so data 1 and data 2 can only be sent to a single destination device and cannot be split; that is, in this application scenario, end-to-end data isolation between the source device and multiple destination devices cannot be achieved.
Summary of the invention
Embodiments of the present invention provide a data split transmission method, apparatus and system that can achieve end-to-end data isolation between a source device and multiple destination devices.
To solve the above technical problem, the technical solution of the embodiments of the present invention is as follows:
The source device requests from the security gateway the private network IP addresses of at least two logical tunnels in an Internet Protocol Security (IPsec) tunnel;
the source device obtains the private network IP addresses of the at least two logical tunnels and the correspondence information between them and each destination device; the source device maps, according to the correspondence information, the data streams sent to each destination device into the corresponding logical tunnels and transmits them to the security gateway, so that the security gateway sends the received data streams to the corresponding destination devices.
A data split transmission method, including:
a security gateway receives a request from a source device for the private network IP addresses of at least two logical tunnels in an IPsec tunnel;
the security gateway allocates a private network IP address to each of the at least two logical tunnels in the IPsec tunnel and feeds back the private network IP addresses of the at least two logical tunnels to the source device;
the security gateway receives the data streams sent by the source device through different logical tunnels; the security gateway identifies the received data streams according to the private network IP addresses of the at least two logical tunnels, and sends the identified data streams to the corresponding destination devices according to the correspondence information between the private network IP addresses of the at least two logical tunnels and each destination device.
A communication device, including:
an address requesting unit, configured to request from a security gateway the private network IP addresses of at least two logical tunnels in an IPsec tunnel;
an address receiving unit, configured to obtain the private network IP addresses of the at least two logical tunnels and the correspondence information between them and each destination device;
a data isolation unit, configured to map, according to the correspondence information, the data streams sent to each destination device into the corresponding logical tunnels and transmit them to the security gateway, so that the security gateway sends the received data streams to the corresponding destination devices.
A security gateway, including:
a request receiving unit, configured to receive a request from a source device for the private network IP addresses of at least two logical tunnels in an IPsec tunnel;
an address allocation unit, configured to allocate a private network IP address to each of the at least two logical tunnels in the IPsec tunnel and feed back the private network IP addresses of the at least two logical tunnels to the source device;
a data receiving unit, configured to receive the data streams sent by the source device through different logical tunnels; a data splitting unit, configured to identify the received data streams according to the private network IP addresses of the at least two logical tunnels and to send the identified data streams to the corresponding destination devices according to the correspondence information between the private network IP addresses of the at least two logical tunnels and each destination device.
A data split transmission system, including a source device, a security gateway and at least two destination devices, where
the source device is configured to request from the security gateway the private network IP addresses of at least two logical tunnels in an IPsec tunnel; obtain the private network IP addresses of the at least two logical tunnels and the correspondence information between them and each destination device; and map, according to the correspondence information, the data streams sent to each destination device into the corresponding logical tunnels and transmit them to the security gateway, so that the security gateway sends the received data streams to the corresponding destination devices.
By establishing multiple logical tunnels within an IPsec tunnel, the embodiments of the present invention allow the source device to transmit data streams destined for different destination devices through different logical tunnels; the security gateway splits the data and finally sends it to the corresponding destination devices, achieving end-to-end secure split transmission of data. For example, service flows and data flows can be transmitted on separate paths, which both guarantees data security and guarantees data isolation and can better support networking. Moreover, the method saves external resources such as IP addresses and ports, makes more reasonable use of existing equipment to achieve end-to-end secure transmission, is simple to implement, and can be completed entirely with standard protocols.
Brief description of the drawings
To illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Figure 1 is a schematic diagram of a prior-art system structure in which IPsec is applied;
Figure 2 is a flowchart of a data split transmission method according to an embodiment of the present invention;
Figure 3a is a flowchart of another data split transmission method according to an embodiment of the present invention;
Figure 3b is a schematic diagram of end-to-end data split transmission in the embodiment shown in Figure 3a;
Figure 4 is a schematic diagram of the IPSec tunnel negotiation between the source device and the security gateway in the embodiment shown in Figure 3a;
Figure 5 is a schematic diagram of the IKE_SA_AUTH exchange between the source device and the security gateway in the embodiment shown in Figure 3a;
Figure 6 is a schematic diagram of the CREATE_CHILD_SA exchange between the source device and the security gateway in the embodiment shown in Figure 3a;
Figure 7 is a schematic structural diagram of a communication device according to an embodiment of the present invention;
Figure 8 is a schematic structural diagram of a security gateway according to an embodiment of the present invention;
Figure 9 is a schematic structural diagram of another security gateway according to an embodiment of the present invention;
Figure 10 is a schematic structural diagram of a data split transmission system according to an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The technical solution of the present invention is described below with reference to the drawings and the embodiments.
Refer to Figure 2, a flowchart of a data split transmission method according to an embodiment of the present invention.
The method may include:
Step 201: the source device requests from the security gateway the private network IP addresses of at least two logical tunnels in an IPsec tunnel.
During the IKEv2-based IPSec tunnel negotiation between the source device and the security gateway, or after the IPsec tunnel between the source device and the security gateway has been established, the source device may request the private network IP addresses of logical tunnels in that IPsec tunnel from the security gateway through the exchange messages it shares with the security gateway or through other newly added interaction messages negotiated between the source device and the security gateway. Of course, the source device may also request the logical tunnel's private network IP address from another intermediate network element, such as a network management system. The number of logical tunnels is at least two, so that at least two groups of data streams can be isolated; the request may also carry other information, such as the network segment from which the private network IP address is to be allocated.
Step 202: the source device obtains the private network IP addresses of the at least two logical tunnels and the correspondence information between them and each destination device.
There are several ways in which the source device can obtain the private network IP address of a logical tunnel and its correspondence with each destination device. The private network IP address of a logical tunnel obtained by the source device may be allocated and sent to the source device by the security gateway or by the network management system. The correspondence between a logical tunnel's private network IP address and a destination device may be specified in advance by the source device when it requests the logical tunnel's private network IP address, or it may be allocated as needed by the security gateway or the network management system, which then informs the source device of the correspondence. For example, when the source device initiates the request for logical tunnel private network IP addresses, the request may contain, for each destination device, the network segment from which the corresponding logical tunnel's private network IP address is to be taken; the security gateway allocates private network IP addresses according to the specified segments, so that once the source device receives the allocated addresses it has also obtained the correspondence between the logical tunnels' private network IP addresses and the destination devices. The source device may further inform the security gateway of this correspondence; alternatively, the source device and the security gateway may negotiate in advance which destination device each specified segment corresponds to, so that once the security gateway receives the segments specified by the source device and allocates private network IP addresses accordingly, it also holds the above correspondence.
For another example, when the source device initiates the request for logical tunnel private network IP addresses, the security gateway may allocate the private network IP addresses and establish the correspondence between each logical tunnel's private network IP address and the peer destination device, and then send the logical tunnels' private network IP addresses and their correspondence with the destination devices to the source device.
For yet another example, when the source device initiates the request for logical tunnel private network IP addresses, the security gateway may allocate the private network IP addresses while the network management system allocates the correspondence between the logical tunnels' private network IP addresses and the destination devices, and that gateway then sends the correspondence to the source device and the security gateway. Other cases are of course possible and are not enumerated one by one here.
The private network IP addresses of the individual logical tunnels are different and, further, may lie in different network segments. The correspondence between the logical tunnels' private network IP addresses and the destination devices is, for example:
Logical tunnel 1 -- private network IP address 1 -- destination device 1
Logical tunnel 2 -- private network IP address 2 -- destination device 2
...
This correspondence may be split into several tables for storage; the specific storage form is not limited, as long as the security gateway holds the above correspondence.
Step 203: the source device maps, according to the correspondence information, the data streams sent to each destination device into the corresponding logical tunnels and transmits them to the security gateway.
The source device determines the logical tunnel corresponding to each data stream from the received correspondence information between the logical tunnels' private network IP addresses and the destination devices. For example, data stream 1, which the source device is to send to destination device 1, is to be sent into logical tunnel 1 corresponding to private network IP address 1, and the data stream the source device is to send to destination device 2 is to be sent into logical tunnel 2 corresponding to private network IP address 2, and so on.
After determining the logical tunnel corresponding to each data stream, the source device maps each data stream into its logical tunnel according to that logical tunnel's private network IP address; for example, data stream 1 is mapped into logical tunnel 1 and data stream 2 into logical tunnel 2.
Mapping a data stream into its corresponding logical tunnel is the process by which the transmitted data is isolated; concretely, the mapping may consist of inserting the private network IP address of the corresponding logical tunnel into the data.
Once the data stream mapping is complete, the source device sends each data stream to the security gateway through a different logical tunnel. After receiving the data streams of the logical tunnels, the security gateway identifies each data stream by the logical tunnel's private network IP address, specifically the logical tunnel private network IP address inserted into the data stream, and then, according to the correspondence between each logical tunnel's private network IP address and the destination device, sends the identified data stream to the corresponding destination device. For example, when it receives a data stream carrying private network IP address 1, i.e. a data stream transmitted through logical tunnel 1, it sends that data stream to destination device 1 according to the correspondence between logical tunnel 1's private network IP address and destination device 1, thereby completing end-to-end split transmission of the data from the source device to the destination device. The way in which the security gateway obtains the correspondence between logical tunnel private network IP addresses and destination devices may be as described in step 202.
By establishing multiple logical tunnels within an IPsec tunnel, the embodiments of the present invention allow the source device to transmit data streams destined for different destination devices through different logical tunnels; the security gateway splits the data and finally sends it to the corresponding destination devices, achieving end-to-end secure split transmission of data. For example, service flows and data flows can be transmitted on separate paths, which both guarantees data security and guarantees data isolation and can better support networking. Moreover, the method saves external resources such as IP addresses and ports, makes more reasonable use of existing equipment to achieve end-to-end secure transmission, is simple to implement, and can be completed entirely with standard protocols.
Refer to Figure 3a, a flowchart of another data split transmission method according to an embodiment of the present invention.
A schematic diagram of end-to-end data split transmission in this embodiment is shown in Figure 3b. Taking the establishment of two logical tunnels within an IPsec tunnel as an example, the method may include:
Step 301: the source device and the security gateway establish a pair of IKE SAs through the IKE_SA_INIT exchange. During the IKEv2-based IPSec tunnel negotiation between the source device and the security gateway, as shown in Figure 4, a pair of IKE SAs and a pair of IPSec SAs are established through the IKE_SA_INIT and IKE_SA_AUTH exchanges, and a further pair of IPSec SAs is established through the CREATE_CHILD_SA exchange; through this negotiation the source device and the security gateway complete the establishment of the IPSec tunnel.
Building on the above tunnel establishment process, the embodiment of the present invention adjusts the two exchanges IKE_SA_AUTH and CREATE_CHILD_SA in order to create multiple IPSec logical tunnels. In this step, the process of establishing a pair of IKE SAs through the IKE_SA_INIT exchange is unchanged from the prior art and is not described again here.
Step 302: the source device sends first exchange information to the security gateway, which includes a request to obtain the private network IP address of the first logical tunnel in the IPsec tunnel and the specified network segment to which that private network IP address belongs.
In this step, the IKE_SA_AUTH exchange information of the prior art may be adjusted to serve as the first exchange information; as shown in Figure 5, the source device requests the private network IP address of the first logical tunnel in the IPsec tunnel from the security gateway through this exchange message.
Specifically, the exchange message may carry CP and TSr payloads, where the CP payload indicates that an IP address is to be obtained and the TSr payload indicates the network segment from which the address is desired; the remaining payloads are carried as needed, and Figure 5 is only an example.
Step 303: the source device sends second exchange information to the security gateway, which includes a request to obtain the private network IP address of the second logical tunnel in the IPsec tunnel and the specified network segment to which that private network IP address belongs.
In this step, the Informational exchange and CREATE_CHILD_SA exchange information may be adjusted to serve as the second exchange information; as shown in Figure 6, the source device requests the private network IP address of the second logical tunnel in the IPsec tunnel from the security gateway through this exchange message.
Specifically, the Informational exchange and CREATE_CHILD_SA exchange messages may carry the CP and TSr payloads respectively, where the CP payload indicates that an IP address is to be obtained and the TSr payload indicates the network segment from which the address is desired; the remaining payloads are carried as needed, and Figure 6 is only an example.
The private network IP addresses of the logical tunnels specified by the source device belong to different network segments, and different segments correspond to different logical tunnels and different destination devices; for example, the private network IP address in the first segment specified by the source device corresponds to destination device 1, and the private network IP address in the specified second segment corresponds to destination device 2. In this embodiment, the correspondence between a specified segment and a destination device may be negotiated in advance between the source device and the security gateway; in other embodiments, after the security gateway allocates private network IP addresses according to the specified segments and the source device obtains them, the source device may inform the security gateway of the correspondence between the logical tunnels' private network IP addresses and the destination devices.
Step 304: after receiving the exchange messages from the source device, the security gateway allocates a private network IP address to each logical tunnel in the IPsec tunnel and establishes the correspondence information between each logical tunnel's private network IP address and each destination device.
According to the network segment to which the first logical tunnel's private network IP address belongs as specified in the IKE_SA_AUTH exchange information, i.e. according to the TSr payload of the IKE_SA_AUTH exchange information, the security gateway allocates a private network IP address to the first logical tunnel and, according to the correspondence between specified segments and destination devices negotiated in advance between the source device and the security gateway, establishes the correspondence information between the first logical tunnel's private network IP address and the first destination device;
according to the network segment to which the second logical tunnel's private network IP address belongs as specified in the Informational exchange and CREATE_CHILD_SA exchange information, i.e. according to the TSr payload of that exchange information, the security gateway allocates a private network IP address to the second logical tunnel and, according to the correspondence between specified segments and destination devices negotiated in advance between the source device and the security gateway, establishes the correspondence information between the second logical tunnel's private network IP address and the second destination device.
The security gateway may allocate the private network IP address of the first logical tunnel as soon as it receives the request of step 302 and that of the second logical tunnel after it receives the request of step 303, or it may allocate private network IP addresses to all logical tunnels together after all requests have been received and then establish the correspondence information between the logical tunnels' private network IP addresses and the destination devices.
Through the above process, the source device and the security gateway complete the establishment of the two logical tunnels, after which the source device can map data onto the different logical tunnels for end-to-end secure transmission.
In other embodiments, if a third or further logical tunnels need to be established, the process of establishing the second logical tunnel, i.e. step 303, can simply be repeated, with the security gateway allocating a private network IP address each time.
步骤 305, 源设备根据各逻辑隧道的私网 IP地址及其与各目的设备间的 对应关系信息,将发送至各目的设备的数据流映射到对应的逻辑隧道中, 并向 安全网关传输。  Step 305: The source device maps the data stream sent to each destination device to the corresponding logical tunnel according to the private network IP address of each logical tunnel and the corresponding relationship information with each destination device, and transmits the data to the security gateway.
源设备在接收到安全网关发送的两条逻辑隧道的私网 IP地址, 并进一步 根据预先指定的网段,获知逻辑隧道的私网 IP地址与目的设备的对应关系后, 将发送至不同目的设备的数据映射到对应的逻辑隧道中,该映射过程与前述实 施例中的步骤 203类似, 此处不再贅述。  The source device receives the private network IP address of the two logical tunnels sent by the security gateway, and further obtains the corresponding relationship between the private network IP address of the logical tunnel and the destination device according to the pre-designated network segment, and then sends the data to the destination device. The data is mapped to the corresponding logical tunnel, and the mapping process is similar to the step 203 in the foregoing embodiment, and details are not described herein again.
步骤 306, 安全网关接收源设备通过不同逻辑隧道发送的数据流。 步骤 307, 安全网关根据数据中的逻辑隧道的私网 IP地址识别接收到的 数据流, 并根据两条逻辑隧道的私网 IP地址与各目的设备间的对应关系信息 将识别出的数据流发送至对应的目的设备。 Step 306: The security gateway receives the data stream sent by the source device through different logical tunnels. Step 307: The security gateway identifies the received data stream according to the private network IP address of the logical tunnel in the data, and sends the identified data stream according to the correspondence between the private network IP address of the two logical tunnels and each destination device. To the corresponding destination device.
本发明实施例通过在 IPsec隧道中建立多条逻辑隧道, 从而可以使源设备 将发送至不同目的设备的数据流通过不同的逻辑隧道进行传输,并由安全网关 进行数据的分流, 最终发送至对应的目的设备, 实现了数据端到端的分路安全 传输, 如将业务流和数据流分路传输, 即保障数据安全性又保障了数据隔离, 可以更好的支撑组网, 而且, 本方法实现了节省外部资源, 如 IP地址, 端口 等, 可以更加合理的利用现有设备实现端到端的安全传输, 该方法实现简单, 本方案均可采用标准的协议完成。  In the embodiment of the present invention, a plurality of logical tunnels are set up in an IPsec tunnel, so that the source device can transmit data streams sent to different destination devices through different logical tunnels, and the data is shunted by the security gateway, and finally sent to the corresponding The destination device realizes the end-to-end secure transmission of data, such as splitting the service flow and the data flow, that is, ensuring data security and ensuring data isolation, which can better support the networking, and the method is implemented. To save external resources, such as IP addresses, ports, etc., it is possible to use end-to-end secure transmission with existing equipment more reasonably. This method is simple to implement, and this solution can be completed by standard protocols.
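The allocation and splitting behaviour of steps 304 to 307, modelled in Python as an added example that is not code from the patent: the gateway allocates one private IP per logical tunnel from the segment the source specified, binds the tunnel to the destination that segment corresponds to, and forwards each received inner packet by the private IP of its tunnel. The subnets, device names, class names and the drop of packets from an address that was never allocated are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of the "specified network segment -> destination device"
# relationship negotiated in advance between source device and security gateway.
SEGMENT_TO_DESTINATION = {
    "10.1.0.0/24": "destination-device-1",  # first logical tunnel (IKE_SA_AUTH)
    "10.2.0.0/24": "destination-device-2",  # second logical tunnel (CREATE_CHILD_SA)
}


@dataclass(frozen=True)
class LogicalTunnel:
    tunnel_id: int
    private_ip: ipaddress.IPv4Address
    destination: str


class SecurityGateway:
    """Gateway side: allocation (step 304) and identification/forwarding of
    data flows by the private IP of their logical tunnel (steps 306-307)."""

    def __init__(self, segment_to_destination: Dict[str, str]) -> None:
        self.segment_to_destination = {
            ipaddress.ip_network(seg): dest for seg, dest in segment_to_destination.items()}
        # private IP -> logical tunnel: the correspondence information
        self.tunnels: Dict[ipaddress.IPv4Address, LogicalTunnel] = {}
        self.delivered: Dict[str, List[bytes]] = {
            dest: [] for dest in segment_to_destination.values()}
        self.dropped: List[str] = []

    def allocate(self, tunnel_id: int, requested_segment: str) -> LogicalTunnel:
        """Allocate a private IP from the segment the source device specified
        (standing in for the TSr payload) and bind the tunnel to the
        destination device that segment corresponds to."""
        segment = ipaddress.ip_network(requested_segment)
        destination = self.segment_to_destination.get(segment)
        if destination is None:
            # No negotiated destination: the tunnel cannot be bound to a device.
            raise ValueError(f"no destination negotiated for segment {segment}")
        for host in segment.hosts():
            if host not in self.tunnels:
                tunnel = LogicalTunnel(tunnel_id, host, destination)
                self.tunnels[host] = tunnel
                return tunnel
        raise RuntimeError(f"segment {segment} has no free private IP")

    def receive(self, inner_src: str, payload: bytes) -> Optional[str]:
        """Identify the logical tunnel from the inner source address and forward
        the payload to its bound destination; None means the packet was dropped."""
        src = ipaddress.ip_address(inner_src)
        tunnel = self.tunnels.get(src)
        if tunnel is None:
            # Added check (an assumption of this example): an address the gateway
            # never allocated belongs to no logical tunnel, so it is not forwarded.
            self.dropped.append(f"unknown tunnel address {src}")
            return None
        self.delivered[tunnel.destination].append(payload)
        return tunnel.destination


class SourceDevice:
    """Source side: request one address per specified segment (steps 302-303)
    and map each outgoing flow to the tunnel bound to its destination (305)."""

    def __init__(self, gateway: SecurityGateway) -> None:
        self.gateway = gateway
        self.tunnel_by_destination: Dict[str, LogicalTunnel] = {}

    def establish_tunnels(self, segments: List[str]) -> List[LogicalTunnel]:
        tunnels = []
        for tunnel_id, segment in enumerate(segments, start=1):
            tunnel = self.gateway.allocate(tunnel_id, segment)
            # The source learns the destination from the segment it specified.
            self.tunnel_by_destination[tunnel.destination] = tunnel
            tunnels.append(tunnel)
        return tunnels

    def send(self, destination: str, payload: bytes) -> Optional[str]:
        tunnel = self.tunnel_by_destination.get(destination)
        if tunnel is None:
            raise KeyError(f"no logical tunnel established for {destination}")
        # The inner packet carries the tunnel's private IP as its source address.
        return self.gateway.receive(str(tunnel.private_ip), payload)


def run_scenario() -> Dict[str, object]:
    """Two logical tunnels, three flows, plus one constructed stray packet."""
    gateway = SecurityGateway(SEGMENT_TO_DESTINATION)
    source = SourceDevice(gateway)
    tunnels = source.establish_tunnels(["10.1.0.0/24", "10.2.0.0/24"])
    source.send("destination-device-1", b"service flow A")
    source.send("destination-device-2", b"data flow B")
    source.send("destination-device-1", b"service flow C")
    gateway.receive("10.9.0.7", b"stray")  # constructed: address never allocated
    return {
        "tunnel_ips": [str(t.private_ip) for t in tunnels],
        "delivered": gateway.delivered,
        "dropped": gateway.dropped,
    }
```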
The above is a description of the method embodiments of the present invention; the apparatus and system implementing the above method are described below.
Referring to FIG. 7, which is a schematic structural diagram of a communication device according to an embodiment of the present invention.
The communication device may include:
an address requesting unit 701, configured to request private network IP addresses of at least two logical tunnels in an IPsec tunnel;
an address receiving unit 702, configured to obtain the private network IP addresses of the at least two logical tunnels and their correspondence information with each destination device;
a data isolation unit 703, configured to map, according to the correspondence information, the data flows to be sent to the destination devices into the corresponding logical tunnels and transmit them to the security gateway, so that the security gateway sends the received data flows to the corresponding destination devices.
During the IKEv2-based IPsec tunnel negotiation between the communication device and the security gateway, or after the IPsec tunnel between the source device and the security gateway has been established, the address requesting unit 701 of the communication device can request from the security gateway the private network IP addresses of the logical tunnels in the IPsec tunnel, by means of exchange messages with the security gateway or other newly added interaction messages negotiated between the source device and the security gateway; the number of logical tunnels is at least two, so as to isolate at least two groups of data flows. The address receiving unit 702 obtains the private network IP addresses of the at least two logical tunnels and their correspondence information with each destination device. There are several ways of obtaining the private network IP address of a logical tunnel and its correspondence with each destination device: the private network IP address of the logical tunnel may be allocated by the security gateway or by the network management system and sent to the address receiving unit 702; the correspondence between the private network IP address of the logical tunnel and each destination device may be specified in advance by the address requesting unit 701 when it requests the private network IP address of the logical tunnel, or it may be allocated as needed by the security gateway or the network management system and then notified to the address receiving unit 702. The data isolation unit 703 determines the logical tunnel corresponding to each data flow and, having done so, maps each data flow into the corresponding logical tunnel according to the private network IP address of that logical tunnel. Mapping the data flows into the corresponding logical tunnels is the process that isolates the transmitted data. After the mapping is complete, the data flows are sent to the security gateway through the different logical tunnels. After receiving the data flows of the logical tunnels, the security gateway can identify each data flow according to the private network IP address of its logical tunnel, and then send the identified data flows to the corresponding destination devices according to the correspondence between the private network IP address of each logical tunnel and its destination device.
The communication device in the embodiment of the present invention achieves, through the above units, end-to-end split secure transmission of data, for example transmitting service flows and data flows on separate paths, which guarantees data security while also guaranteeing data isolation and better supports networking. Moreover, the method saves external resources such as IP addresses and ports, makes more reasonable use of existing equipment to achieve end-to-end secure transmission, is simple to implement, and can be completed entirely with standard protocols.
In another embodiment of the present invention, the address requesting unit of the communication device may further include: a first requesting subunit, configured to, when there are two logical tunnels, request from the security gateway the private network IP address of the first logical tunnel through a first exchange message, such as the IKE_SA_AUTH exchange;
a second requesting subunit, configured to, when there are two logical tunnels, request from the security gateway the private network IP address of the second logical tunnel through a second exchange message, such as the Informational exchange and CREATE_CHILD_SA exchange. The first exchange message and the second exchange message contain the specified network segment of the requested private network IP address, and the private network IP addresses of the logical tunnels belong to different network segments.
Referring to FIG. 8, which is a schematic structural diagram of a security gateway according to an embodiment of the present invention.
The security gateway may include:
a request receiving unit 801, configured to receive a request from a source device for private network IP addresses of at least two logical tunnels in an IPsec tunnel;
an address allocation unit 802, configured to allocate a private network IP address to each of the at least two logical tunnels in the IPsec tunnel and feed back the private network IP addresses of the at least two logical tunnels to the source device;
a data receiving unit 803, configured to receive the data flows sent by the source device through different logical tunnels;
a data splitting unit 804, configured to identify the received data flows according to the private network IP addresses of the at least two logical tunnels, and send the identified data flows to the corresponding destination devices according to the correspondence information between the private network IP addresses of the at least two logical tunnels and each destination device.
After the request receiving unit 801 receives the request from the source device for the private network IP addresses of at least two logical tunnels in the IPsec tunnel, the address allocation unit 802 allocates a private network IP address to each logical tunnel and feeds this information back to the source device; the source device maps the different data flows into their respective logical tunnels according to that information and transmits them to the security gateway, where the data receiving unit 803 receives the data flows and the data splitting unit 804 identifies them and distributes them to the corresponding destination devices. The security gateway thus achieves end-to-end split secure transmission of data, for example transmitting service flows and data flows on separate paths, which guarantees data security while also guaranteeing data isolation and better supports networking. Moreover, the method saves external resources such as IP addresses and ports, makes more reasonable use of existing equipment to achieve end-to-end secure transmission, is simple to implement, and can be completed entirely with standard protocols.
Referring to FIG. 9, which is a schematic structural diagram of another security gateway according to an embodiment of the present invention.
This security gateway may also include a request receiving unit 901, an address allocation unit 902, a data receiving unit 903 and a data splitting unit 904.
The request receiving unit 901 may further include:
a first receiving subunit 9011, configured to, when there are two logical tunnels, receive a first exchange message, such as the IKE_SA_AUTH exchange, sent by the source device to request the private network IP address of the first logical tunnel;
a second receiving subunit 9012, configured to, when there are two logical tunnels, receive a second exchange message, such as the Informational exchange and CREATE_CHILD_SA exchange, sent by the source device to request the private network IP address of the second logical tunnel. The first exchange message and the second exchange message contain the specified network segment of the requested private network IP address. The private network IP addresses of the logical tunnels belong to different network segments.
The address allocation unit 902 is specifically configured to allocate a private network IP address to each of the two logical tunnels in the IPsec tunnel according to the specified network segments of the requested private network IP addresses contained in the first exchange message and the second exchange message.
The data receiving unit 903 and the data splitting unit 904 are similar to the data receiving unit 803 and the data splitting unit 804 of the foregoing embodiment and are not described again here. This security gateway likewise achieves end-to-end split secure transmission of data, for example transmitting service flows and data flows on separate paths, which guarantees data security while also guaranteeing data isolation and better supports networking. Moreover, the method saves external resources such as IP addresses and ports, makes more reasonable use of existing equipment to achieve end-to-end secure transmission, is simple to implement, and can be completed entirely with standard protocols.
Referring to FIG. 10, which is a schematic structural diagram of a data split transmission system according to an embodiment of the present invention.
The system may include a source device 1001, a security gateway 1002 and at least two destination devices 1003.
The source device 1001 is configured to request from the security gateway 1002 the private network IP addresses of at least two logical tunnels; obtain the private network IP addresses of the at least two logical tunnels and their correspondence information with each destination device 1003; and, according to the correspondence information, map the data flows to be sent to the destination devices 1003 into the corresponding logical tunnels and transmit them to the security gateway 1002, so that the security gateway 1002 sends the received data flows to the corresponding destination devices 1003.
The system achieves end-to-end split secure transmission of data, for example transmitting service flows and data flows on separate paths, which guarantees data security while also guaranteeing data isolation and better supports networking. Moreover, the method saves external resources such as IP addresses and ports, makes more reasonable use of existing equipment to achieve end-to-end secure transmission, is simple to implement, and can be completed entirely with standard protocols.
The embodiments of the present invention described above do not limit the scope of protection of the present invention. Any modifications, equivalent replacements and improvements made within the spirit and principles of the present invention shall be included within the scope of protection of the claims of the present invention.

Claims

1. A data split transmission method, characterized by comprising:
a source device requesting from a security gateway private network IP addresses of at least two logical tunnels in an Internet Protocol Security (IPsec) tunnel;
the source device obtaining the private network IP addresses of the at least two logical tunnels and their correspondence information with each destination device;
the source device mapping, according to the correspondence information, the data flows to be sent to the destination devices into the corresponding logical tunnels and transmitting them to the security gateway, so that the security gateway sends the received data flows to the corresponding destination devices.
2. The method according to claim 1, characterized in that, when there are two logical tunnels, the source device requesting from the security gateway private network IP addresses of at least two logical tunnels in the IPsec tunnel comprises:
the source device requesting from the security gateway the private network IP address of a first logical tunnel through a first exchange message;
the source device requesting from the security gateway the private network IP address of a second logical tunnel through a second exchange message.
3. The method according to claim 2, characterized in that the first exchange message and the second exchange message contain a specified network segment of the requested private network IP address.
4. The method according to claim 3, characterized in that the private network IP addresses of the logical tunnels belong to different network segments.
5. A data split transmission method, characterized by comprising:
a security gateway receiving a request from a source device for private network IP addresses of at least two logical tunnels in an IPsec tunnel;
the security gateway allocating a private network IP address to each of the at least two logical tunnels in the IPsec tunnel and feeding back the private network IP addresses of the at least two logical tunnels to the source device;
the security gateway receiving the data flows sent by the source device through different logical tunnels;
the security gateway identifying the received data flows according to the private network IP addresses of the at least two logical tunnels, and sending the identified data flows to the corresponding destination devices according to the correspondence information between the private network IP addresses of the at least two logical tunnels and each destination device.
6. The method according to claim 5, characterized in that, when there are two logical tunnels, the security gateway receiving a request from the source device for private network IP addresses of at least two logical tunnels in the IPsec tunnel comprises:
the security gateway receiving a first exchange message sent by the source device to request the private network IP address of a first logical tunnel;
the security gateway receiving a second exchange message sent by the source device to request the private network IP address of a second logical tunnel.
7. The method according to claim 6, characterized in that the first exchange message and the second exchange message contain a specified network segment of the requested private network IP address.
8. The method according to claim 7, characterized in that the security gateway allocating a private network IP address to each of the at least two logical tunnels in the IPsec tunnel specifically comprises:
the security gateway allocating a private network IP address to each of the two logical tunnels in the IPsec tunnel according to the specified network segments of the requested private network IP addresses contained in the first exchange message and the second exchange message.
9. A communication device, characterized by comprising:
an address requesting unit, configured to request from a security gateway private network IP addresses of at least two logical tunnels in an IPsec tunnel;
an address receiving unit, configured to obtain the private network IP addresses of the at least two logical tunnels and their correspondence information with each destination device;
a data isolation unit, configured to map, according to the correspondence information, the data flows to be sent to the destination devices into the corresponding logical tunnels and transmit them to the security gateway, so that the security gateway sends the received data flows to the corresponding destination devices.
10. The communication device according to claim 9, characterized in that the address requesting unit comprises:
a first requesting subunit, configured to, when there are two logical tunnels, request from the security gateway the private network IP address of a first logical tunnel through a first exchange message;
a second requesting subunit, configured to, when there are two logical tunnels, request from the security gateway the private network IP address of a second logical tunnel through a second exchange message.
11. A security gateway, characterized by comprising:
a request receiving unit, configured to receive a request from a source device for private network IP addresses of at least two logical tunnels in an IPsec tunnel;
an address allocation unit, configured to allocate a private network IP address to each of the at least two logical tunnels in the IPsec tunnel and feed back the private network IP addresses of the at least two logical tunnels to the source device;
a data receiving unit, configured to receive the data flows sent by the source device through different logical tunnels;
a data splitting unit, configured to identify the received data flows according to the private network IP addresses of the at least two logical tunnels, and send the identified data flows to the corresponding destination devices according to the correspondence information between the private network IP addresses of the at least two logical tunnels and each destination device.
12. The security gateway according to claim 11, characterized in that the request receiving unit comprises:
a first receiving subunit, configured to, when there are two logical tunnels, receive a first exchange message sent by the source device to request the private network IP address of a first logical tunnel;
a second receiving subunit, configured to, when there are two logical tunnels, receive a second exchange message sent by the source device to request the private network IP address of a second logical tunnel.
13. The security gateway according to claim 12, characterized in that the first exchange message and the second exchange message contain a specified network segment of the requested private network IP address.
14. The security gateway according to claim 13, characterized in that
the address allocation unit is specifically configured to allocate a private network IP address to each of the two logical tunnels in the IPsec tunnel according to the specified network segments of the requested private network IP addresses contained in the first exchange message and the second exchange message.
15. A data split transmission system, characterized by comprising a source device, a security gateway and at least two destination devices, wherein
the source device is configured to request from the security gateway private network IP addresses of at least two logical tunnels in an IPsec tunnel; obtain the private network IP addresses of the at least two logical tunnels and their correspondence information with each destination device; and, according to the correspondence information, map the data flows to be sent to the destination devices into the corresponding logical tunnels and transmit them to the security gateway, so that the security gateway sends the received data flows to the corresponding destination devices.
PCT/CN2011/079809 2011-09-19 2011-09-19 Data multiplexing transmission method, device and system WO2012149745A1 (en)

Publications (1)

Publication Number Publication Date
WO2012149745A1 true WO2012149745A1 (en) 2012-11-08

Also Published As

Publication number Publication date
CN102742247B (en) 2015-09-09
CN102742247A (en) 2012-10-17

Similar Documents

Publication Publication Date Title
CN107810627B (en) Method and apparatus for establishing a media session
US7561586B2 (en) Method and apparatus for providing network VPN services on demand
EP2136504B1 (en) Transmitting and receiving method, apparatus and system for the security policy of a multicast session
US7917948B2 (en) Method and apparatus for dynamically securing voice and other delay-sensitive network traffic
US8272046B2 (en) Network mobility over a multi-path virtual private network
WO2006010648A2 (en) Methods, apparatuses and computer-readable media for secure communication by establishing multiple secure connections
WO2009021428A1 (en) Secure protection device and method for message transfer
US10411994B2 (en) Multi-link convergence method, server, client, and system
CN101515896B (en) Safe socket character layer protocol message forwarding method, device, system and exchange
WO2011144154A1 (en) Method, device and system for allocating internet protocol address of external network in network address translation pass-through
JP2006262466A (en) Method and system for reducing number of ports allotted by relay
WO2009129707A1 (en) A method, apparatus and communication system for sending and receiving information between local area networks
WO2010020151A1 (en) A method, apparatus and system for packet processing
US20100303072A1 (en) Multicast Source Mobility
WO2016180020A1 (en) Message processing method, device and system
WO2007019809A1 (en) A method and ststem for establishing a direct p2p channel
US11647069B2 (en) Secure remote computer network
WO2012149745A1 (en) Data multiplexing transmission method, device and system
WO2008134971A1 (en) Method, system and device for auto-realizing the link of the management device and the managed device
KR20060132639A (en) Resource sharing broadband access system, methods, and devices
WO2013020267A1 (en) Ip address allocation method, system and device
CN109547392B (en) Encryption access method and system supporting multi-user isolation in SDN network
KR101686995B1 (en) IPSec VPN Apparatus and system for using software defined network and network function virtualization and method thereof broadcasting
TWI504213B (en) Method for address translator traversal in 3gpp networks
KR101329968B1 (en) Method and system for determining security policy among ipsec vpn devices

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase
    Ref document number: 201180001855.0; Country of ref document: CN
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 11864861; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 11864861; Country of ref document: EP; Kind code of ref document: A1