WO2012149745A1 - Method, device and system for data-multiplexed transmission - Google Patents

Method, device and system for data-multiplexed transmission

Info

Publication number
WO2012149745A1
Authority
WO
WIPO (PCT)
Prior art keywords
address
private network
logical
security gateway
tunnel
Application number
PCT/CN2011/079809
Other languages
English (en)
Chinese (zh)
Inventor
席辉
严卫平
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Priority to CN201180001855.0A
Priority to PCT/CN2011/079809
Publication of WO2012149745A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/166 Implementing security features at a particular protocol layer at the transport layer

Definitions

  • The present invention relates to the field of communications technologies, and in particular to a data split transmission method, apparatus, and system.
  • Background technique
  • FIG. 1 is a schematic diagram of a system structure in which IPsec is applied in the prior art.
  • The source device, the security gateway, and the destination device communicate over public network IP addresses; the source device supports the IPsec client-side protocol and the security gateway supports at least the IPsec server-side protocol.
  • An IPsec tunnel is established between the two for secure data transmission, and data is routed to the destination device through the security gateway.
  • Embodiments of the present invention provide a data split transmission method, apparatus, and system, which can implement end-to-end data isolation between a source device and multiple destination devices.
  • In a data split transmission method, the source device requests from the security gateway the private network IP addresses of at least two logical tunnels in the Internet Protocol security (IPsec) tunnel;
  • the source device obtains the private network IP addresses of the at least two logical tunnels and the correspondence information between them and each destination device;
  • the source device maps the data stream sent to each destination device to the corresponding logical tunnel according to the correspondence information and transmits the data stream to the security gateway, so that the security gateway sends the received data stream to the corresponding destination device.
  • Another data split transmission method includes:
  • the security gateway receives the request of the source device for the private network IP addresses of at least two logical tunnels in the IPsec tunnel;
  • the security gateway allocates a private network IP address to each of the at least two logical tunnels in the IPsec tunnel and feeds back the private network IP addresses of the at least two logical tunnels to the source device;
  • the security gateway receives the data streams sent by the source device through the different logical tunnels, identifies each received data stream according to the private network IP addresses of the at least two logical tunnels, and sends the identified data stream to the corresponding destination device according to the correspondence between the private network IP address of each logical tunnel and each destination device.
  • A communication device comprising:
  • an address requesting unit configured to request from the security gateway the private network IP addresses of at least two logical tunnels in the IPsec tunnel;
  • an address receiving unit configured to obtain the private network IP addresses of the at least two logical tunnels and the correspondence information between them and each destination device;
  • a data isolation unit configured to map, according to the correspondence information, the data flow sent to each destination device to the corresponding logical tunnel and transmit the data flow to the security gateway, so that the security gateway sends the received data flow to the corresponding destination device.
  • A security gateway including:
  • a request receiving unit configured to receive from the source device a request for the private network IP addresses of at least two logical tunnels in the IPsec tunnel;
  • an address allocation unit configured to allocate a private network IP address separately to each of at least two logical tunnels in the IPsec tunnel and feed back the private network IP addresses of the at least two logical tunnels to the source device;
  • A data split transmission system includes a source device, a security gateway, and at least two destination devices, where
  • the source device is configured to request from the security gateway the private network IP addresses of at least two logical tunnels in the IPsec tunnel; obtain the private network IP addresses of the at least two logical tunnels and the correspondence information between them and each destination device; and map, according to the correspondence information, the data stream sent to each destination device to the corresponding logical tunnel and transmit it to the security gateway, so that the security gateway sends the received data stream to the corresponding destination device.
  • A plurality of logical tunnels is set up inside one IPsec tunnel, so that the source device can transmit the data streams destined for different destination devices through different logical tunnels; the security gateway splits the data and finally sends it to the corresponding destination device.
  • This realizes end-to-end secure transmission of data with isolation, for example by carrying the service flow and the data flow separately, so that data security and data isolation are both ensured and networking is better supported.
  • The method saves external resources such as IP addresses and ports, makes more reasonable use of existing equipment for end-to-end secure transmission, is simple to implement, and can be completed with standard protocols.
  • FIG. 1 is a schematic structural diagram of a system applying IPsec in the prior art;
  • FIG. 2 is a flowchart of a data split transmission method according to an embodiment of the present invention;
  • FIG. 3a is a flowchart of another data split transmission method according to an embodiment of the present invention;
  • FIG. 3b is a schematic diagram of end-to-end data split transmission in the embodiment shown in FIG. 3a;
  • FIG. 4 is a schematic diagram of the IPsec tunnel negotiation between the source device and the security gateway in the embodiment shown in FIG. 3a;
  • FIG. 5 is a schematic diagram of the IKE_SA_AUTH exchange between the source device and the security gateway in the embodiment shown in FIG. 3a;
  • FIG. 6 is a schematic diagram of the CREATE_CHILD_SA exchange between the source device and the security gateway in the embodiment shown in FIG. 3a;
  • FIG. 7 is a schematic structural diagram of a communication device according to an embodiment of the present invention;
  • FIG. 8 is a schematic structural diagram of a security gateway according to an embodiment of the present invention;
  • FIG. 9 is a schematic structural diagram of another security gateway according to an embodiment of the present invention;
  • FIG. 10 is a schematic structural diagram of a data split transmission system according to an embodiment of the present invention.
  • FIG. 2 shows a flowchart of a data split transmission method according to an embodiment of the present invention.
  • The method can include:
  • Step 201: The source device requests from the security gateway the private network IP addresses of at least two logical tunnels in the IPsec tunnel.
  • The source device can negotiate with the security gateway through the existing exchange messages between the source device and the security gateway, or through a newly added interaction message, to request the private network IP addresses of the logical tunnels in the IPsec tunnel.
  • The source device can also request the private network IP addresses of the logical tunnels from another intermediate network element, such as the network management system.
  • The number of logical tunnels is at least two, so that at least two sets of data flows can be isolated; the request may also carry other information, such as the network segment from which the private network IP address is to be allocated.
  • Step 202: The source device obtains the private network IP addresses of the at least two logical tunnels and the correspondence information between them and each destination device.
  • The private network IP addresses of the logical tunnels obtained by the source device may be allocated by the security gateway or by the network management system and sent to the source device.
  • The correspondence between the private IP address of each logical tunnel and its destination device may be pre-designated by the source device when it requests the private IP addresses of the logical tunnels, or may be assigned as needed by the security gateway or the network management device and then notified to the source device.
  • For example, when the source device initiates the request for logical tunnel private network IP addresses, the request includes, for each destination device, the network segment of the private network IP address of the corresponding logical tunnel, and the security gateway allocates addresses according to the specified segments. Once it receives the private network IP addresses, the source device therefore knows the mapping between each logical tunnel's private IP address and its destination device, and it may further notify this correspondence to the security gateway. Alternatively, the source device and the security gateway may pre-negotiate which destination device corresponds to each specified network segment; the security gateway then receives the network segments specified by the source device, allocates the private network IP addresses accordingly, and thereby obtains the same correspondence.
  • Alternatively, the security gateway allocates the private network IP addresses and establishes the correspondence between the private network IP address of each logical tunnel and the peer destination device, then sends the private network IP addresses of the logical tunnels and their correspondence with the destination devices to the source device.
  • Alternatively, the security gateway allocates the private network IP addresses, the network management system assigns the correspondence between the private network IP address of each logical tunnel and its destination device, and the correspondence is then sent to the source device and the security gateway.
  • The private network IP addresses of the logical tunnels are all different, and they may further lie in different network segments. The correspondence between the private IP address of each logical tunnel and its destination device may be divided into multiple lists for storage; the specific storage form is not limited, and the correspondence may also be held in the security gateway.
  • Step 203: The source device maps the data stream sent to each destination device to the corresponding logical tunnel according to the correspondence information and transmits the data stream to the security gateway.
  • The source device determines the logical tunnel corresponding to each data flow according to the received correspondence information between the private network IP address of each logical tunnel and each destination device. For example, data stream 1, which the source device is to send to destination device 1, is sent into logical tunnel 1 corresponding to private network IP address 1, and data stream 2, which the source device is to send to destination device 2, is sent into logical tunnel 2 corresponding to private network IP address 2.
  • After determining the logical tunnel corresponding to each data flow, the source device maps each data stream into its logical tunnel according to the private network IP address of that logical tunnel, for example mapping data stream 1 into logical tunnel 1 and data stream 2 into logical tunnel 2.
  • The process of mapping a data stream to its corresponding logical tunnel is the process that isolates the sent data.
  • The specific mapping may consist of inserting the private network IP address of the corresponding logical tunnel into the data.
  • After the data flow mapping is completed, the source device sends each data stream to the security gateway through a different logical tunnel. After receiving the data flow of each logical tunnel, the security gateway can identify each data flow according to the private network IP address of the logical tunnel, that is, the private network IP address of the logical tunnel inserted in the data flow, and then send the identified data stream to the corresponding destination device according to the correspondence between each logical tunnel's private network IP address and its destination device. For example, when the gateway receives the data stream carrying private network IP address 1, transmitted through logical tunnel 1, it sends that stream to destination device 1 according to the correspondence between the private network IP address of logical tunnel 1 and destination device 1, completing the end-to-end data split transmission from the source device to the destination device.
  • The process by which the security gateway obtains the correspondence between the private network IP address of each logical tunnel and its destination device may be as described in step 202.
  • FIG. 3a shows a flowchart of another data split transmission method according to an embodiment of the present invention.
  • An example of the end-to-end data split transmission in this embodiment is shown in FIG. 3b.
  • This embodiment takes two logical tunnels set up in one IPsec tunnel as an example.
  • The method may include:
  • Step 301: The source device and the security gateway establish a pair of IKE SAs through the IKE_SA_INIT exchange.
  • In the IKEv2-based IPsec tunnel negotiation between the source device and the security gateway, as shown in FIG. 4, a pair of IKE SAs and a pair of IPsec SAs are established through the IKE_SA_INIT exchange and the IKE_SA_AUTH exchange.
  • After the IKE_SA_AUTH exchange, another pair of IPsec SAs is established through the CREATE_CHILD_SA exchange.
  • Through these exchanges the source device and the security gateway complete the establishment of the IPsec tunnel.
  • In this embodiment, the IKE_SA_AUTH and CREATE_CHILD_SA exchanges are adjusted so as to create multiple IPsec logical tunnels.
  • The process of establishing a pair of IKE SAs through the IKE_SA_INIT exchange is not adjusted and is the same as in the prior art, so it is not detailed here.
  • Step 302: The source device sends first exchange information to the security gateway, where the exchange information includes a request to obtain the private network IP address of the first logical tunnel in the IPsec tunnel and the designated network segment of that private network IP address.
  • The IKE_SA_AUTH exchange information of the prior art can be adjusted to serve as the first exchange information.
  • Through this exchange message the source device requests from the security gateway the private network IP address of the first logical tunnel in the IPsec tunnel.
  • The exchange message may carry a CP payload and a TSr payload, where the CP payload indicates that an IP address needs to be obtained and the TSr payload indicates the network segment from which the address is desired; the remaining payloads are carried as needed, and FIG. 5 is only an example.
  • Step 303: The source device sends second exchange information to the security gateway, where the exchange information includes a request to obtain the private network IP address of the second logical tunnel in the IPsec tunnel and the network segment to which that private network IP address belongs.
  • The Informational exchange and the CREATE_CHILD_SA exchange information of the prior art can be adjusted to serve as the second exchange information.
  • Through this exchange message the source device requests from the security gateway the private network IP address of the second logical tunnel in the IPsec tunnel.
  • The Informational exchange and CREATE_CHILD_SA exchange messages may each carry a CP payload and a TSr payload, where the CP payload indicates that an IP address needs to be obtained and the TSr payload indicates the network segment from which the address is desired; the remaining payloads are carried as needed, and FIG. 6 is only an example.
  • The private network IP addresses of the logical tunnels specified by the source device belong to different network segments, and the different network segments correspond to different logical tunnels and different destination devices; for example, the private network IP address in the first network segment specified by the source device corresponds to destination device 1, and the private network IP address in the designated second network segment corresponds to destination device 2.
  • The correspondence between a specified network segment and a destination device may be negotiated in advance by the source device and the security gateway; in other embodiments the security gateway may simply allocate the private network IP address according to the specified network segment, and after the source device obtains the private network IP address it informs the security gateway of the correspondence between the private network IP address of the logical tunnel and the destination device.
  • Step 304: After receiving the exchange messages of the source device, the security gateway assigns private network IP addresses to the logical tunnels in the IPsec tunnel and establishes the mappings between the private IP addresses of the logical tunnels and the destination devices.
  • The security gateway allocates the private network IP address of the first logical tunnel according to the network segment specified for it in the IKE_SA_AUTH exchange information, that is, according to the TSr payload of the IKE_SA_AUTH exchange information, and establishes the correspondence between the private network IP address of the first logical tunnel and the first destination device according to the correspondence between specified network segments and destination devices negotiated by the source device and the security gateway.
  • The security gateway allocates the private network IP address of the second logical tunnel according to the network segment specified for it in the Informational exchange and CREATE_CHILD_SA exchange information, that is, according to the TSr payload of that exchange information, and establishes the correspondence between the private network IP address of the second logical tunnel and the second destination device according to the same negotiated correspondence between specified network segments and destination devices.
  • The security gateway may allocate the private network IP address for the first logical tunnel first and then, after receiving the request of step 303, allocate the private network IP address for the second logical tunnel; or it may wait until all requests have been received and then assign a private network IP address to each logical tunnel and establish the mapping between each logical tunnel's private IP address and its destination device.
  • In this way the source device and the security gateway complete the establishment of two logical tunnels, after which the source device can map data to the different logical tunnels for end-to-end secure transmission.
  • To establish further logical tunnels, the process of establishing the second logical tunnel may be repeated, with the security gateway allocating a private network IP address each time.
  • Step 305: The source device maps the data stream sent to each destination device to the corresponding logical tunnel according to the private network IP address of each logical tunnel and the correspondence information with each destination device, and transmits the data to the security gateway.
  • The source device receives the private network IP addresses of the two logical tunnels sent by the security gateway, derives the correspondence between each logical tunnel's private network IP address and its destination device from the pre-designated network segments, and then maps the data destined for each destination device to the corresponding logical tunnel; the mapping process is similar to step 203 of the foregoing embodiment and is not described again here.
  • Step 306: The security gateway receives the data streams sent by the source device through the different logical tunnels.
  • Step 307: The security gateway identifies each received data stream according to the logical tunnel private network IP address carried in the data, and sends the identified data stream to the corresponding destination device according to the correspondence between the private network IP addresses of the two logical tunnels and each destination device.
  • FIG. 7 shows a schematic structural diagram of a communication device according to an embodiment of the present invention.
  • The communication device can include:
  • an address requesting unit 701, configured to request the private network IP addresses of at least two logical tunnels in the IPsec tunnel;
  • an address receiving unit 702, configured to obtain the private network IP addresses of the at least two logical tunnels and the correspondence information between them and each destination device;
  • a data isolation unit 703, configured to map, according to the correspondence information, the data flow sent to each destination device to the corresponding logical tunnel and transmit it to the security gateway, so that the security gateway sends the received data stream to the corresponding destination device.
  • The address requesting unit 701 of the communication device can exchange messages with the security gateway to request from it the private network IP addresses of the logical tunnels in the IPsec tunnel, the number of logical tunnels being at least two.
  • The address receiving unit 702 obtains the private network IP addresses of the at least two logical tunnels and their correspondence with each destination device.
  • The private network IP addresses of the logical tunnels may be allocated by the security gateway or by a network management system.
  • The correspondence between the private network IP address of each logical tunnel and its destination device that is sent to the address receiving unit 702 may also be pre-designated by the address requesting unit 701 when it requests the private network IP addresses of the logical tunnels, or may be assigned as needed by the security gateway or the network management device and then notified to the address receiving unit 702.
  • The data isolation unit 703 determines the logical tunnel corresponding to each data stream and, having done so, maps each data flow to its logical tunnel according to the private network IP address of that logical tunnel; the process of mapping a data flow to its corresponding logical tunnel is the process that isolates the transmitted data.
  • Each data stream is then sent to the security gateway through a different logical tunnel.
  • The security gateway can identify each data flow according to the private network IP address of its logical tunnel and then send the identified stream to the corresponding destination device according to the correspondence between the private network IP address of the logical tunnel and the destination device.
  • Through the above units, the communication device of this embodiment implements end-to-end secure transmission of data, for example carrying the service flow and the data flow separately, so that data security and data isolation are both ensured and networking is better supported; the method saves external resources such as IP addresses and ports, makes more reasonable use of existing equipment for end-to-end secure transmission, is simple to implement, and can be completed with a standard protocol.
  • The address requesting unit in the communications device may further include:
  • a first requesting subunit, configured, when there are two logical tunnels, to request from the security gateway the private IP address of the first logical tunnel through the first exchange information, such as the IKE_SA_AUTH exchange information;
  • a second requesting subunit, configured, when there are two logical tunnels, to request from the security gateway the private IP address of the second logical tunnel through the second exchange information, such as the Informational exchange and CREATE_CHILD_SA exchange information.
  • The first exchange information and the second exchange information include the specified network segment of the requested private network IP address, and the private network IP addresses of the logical tunnels belong to different network segments.
  • FIG. 8 is a schematic structural diagram of a security gateway according to an embodiment of the present invention.
  • The security gateway can include:
  • a request receiving unit 801, configured to receive from the source device a request for the private network IP addresses of at least two logical tunnels in the IPsec tunnel;
  • an address allocation unit 802, configured to allocate a private network IP address separately to each of at least two logical tunnels in the IPsec tunnel and feed back the private network IP addresses of the at least two logical tunnels to the source device;
  • a data receiving unit 803, configured to receive the data streams sent by the source device through the different logical tunnels;
  • a data splitting unit 804, configured to identify each received data stream according to the private network IP addresses of the at least two logical tunnels and send the identified data stream to the corresponding destination device according to the correspondence between the private IP addresses of the at least two logical tunnels and the destination devices.
  • After the request receiving unit 801 receives the source device's request for the private network IP addresses of at least two logical tunnels in the IPsec tunnel, the address allocation unit 802 allocates a private network IP address to each logical tunnel and feeds this information back to the source device.
  • The source device maps the different data streams to their respective logical tunnels according to that information and transmits them to the security gateway; the data receiving unit 803 receives the data streams, and the data splitting unit 804 identifies each data stream and distributes it to the corresponding destination device.
  • The security gateway of this embodiment thus realizes end-to-end secure transmission of data, for example carrying the service flow and the data flow separately, which guarantees data security and data isolation and better supports networking; the method saves external resources such as IP addresses and ports, makes more reasonable use of existing equipment for end-to-end secure transmission, is simple to implement, and can be completed using standard protocols.
  • FIG. 9 is a schematic structural diagram of another security gateway according to an embodiment of the present invention.
  • the security gateway may also include a request receiving unit 901, an address assigning unit 902, a data receiving unit 903, and a data splitting unit 904.
  • the request receiving unit 901 may further include:
  • a first receiving subunit 9011, configured, when there are two logical tunnels, to receive first exchange information sent by the source device to request the private network IP address of the first logical tunnel, for example the exchange the patent calls IKE_SA_AUTH (in standard IKEv2 this is the IKE_AUTH exchange, which normally carries the configuration payload);
  • a second receiving subunit 9012, configured, when there are two logical tunnels, to receive second exchange information sent by the source device to request the private network IP address of the second logical tunnel, for example an Informational exchange or a CREATE_CHILD_SA exchange.
  • Both the first exchange information and the second exchange information carry the specified network segment from which the requested private network IP address is to be taken, and the private network IP addresses of the two logical tunnels belong to different network segments.
  • The address allocation unit 902 is specifically configured to allocate a private network IP address to each of the two logical tunnels in the IPsec tunnel according to the network segments specified in the first exchange information and the second exchange information.
  • The data receiving unit 903 and the data offloading unit 904 are similar to the data receiving unit 803 and the data offloading unit 804 of the foregoing embodiment and are not described again here.
  • FIG. 10 is a schematic structural diagram of a data split transmission system according to an embodiment of the present invention.
  • The system includes a source device 1001, a security gateway 1002, and at least two destination devices 1003.
  • The source device 1001 is configured to request at least two logical tunnels from the security gateway 1002, which allocates a private network IP address to each logical tunnel and forwards each received data stream to the destination device 1003 correlated with that tunnel.
  • The system thereby realizes end-to-end split data transmission and secure transmission: service flows and data flows are carried separately, so data security and data isolation are both ensured, which better supports networking.
  • The method also saves external resources such as IP addresses and ports, makes more reasonable use of existing devices to achieve end-to-end secure transmission, is simple to implement, and can be realized with standard protocols.
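As an added illustration that is not part of the patent text, the following Python model puts the security gateway of FIG. 8 and FIG. 9 (request receiving, address allocating, data receiving and data offloading units) and the source device of FIG. 10 side by side: the source device asks for one private network IP per logical tunnel from a specified segment, receives the address together with the correlation to a destination device, maps each stream to the tunnel for its destination, and the gateway selects the destination from the inner source address. It assumes the request is an IKEv2 configuration payload carrying the INTERNAL_IP4_SUBNET / INTERNAL_IP4_ADDRESS attributes (the patent does not name the payload), and the segment table, device names and packets are constructed sample data. It also adds one check the patent does not spell out: a packet whose inner source address was never allocated is dropped, since otherwise a peer could write another tunnel's address into the inner header and have its traffic delivered to the other destination.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class LogicalTunnel:
    """One logical tunnel inside the IPsec tunnel and its correlated destination."""
    tunnel_id: int
    private_ip: ipaddress.IPv4Address
    destination: str


class SecurityGateway:
    """Request receiving, address allocating, data receiving and data offloading
    units of the patent, collapsed into one class (illustrative model)."""

    def __init__(self, segment_to_destination):
        # Constructed configuration: which destination device sits behind each
        # private-network segment the gateway is allowed to hand out.
        self.pools = {ipaddress.ip_network(seg): dest
                      for seg, dest in segment_to_destination.items()}
        self._free = {net: iter(net.hosts()) for net in self.pools}
        self.tunnels = {}            # private_ip -> LogicalTunnel
        self._used_segments = set()

    def handle_address_request(self, tunnel_id, cfg_request):
        """Request receiving + address allocating units.

        `cfg_request` stands in for the IKEv2 configuration payload (IKE_AUTH
        for the first tunnel, CREATE_CHILD_SA or INFORMATIONAL for the second);
        using the CP attribute names is an assumption about the wire format.
        """
        net = ipaddress.ip_network(cfg_request["INTERNAL_IP4_SUBNET"])
        if net not in self.pools:
            raise ValueError(f"segment {net} is not served by this gateway")
        if net in self._used_segments:
            # The patent requires different segments per logical tunnel, so a
            # second request for the same segment is refused.
            raise ValueError(f"segment {net} already bound to a logical tunnel")
        ip = next(self._free[net])
        tunnel = LogicalTunnel(tunnel_id, ip, self.pools[net])
        self.tunnels[ip] = tunnel
        self._used_segments.add(net)
        # Reply: the allocated address plus the correlation information.
        return {"INTERNAL_IP4_ADDRESS": str(ip),
                "INTERNAL_IP4_SUBNET": str(net),
                "destination": tunnel.destination}

    def offload(self, inner_packet):
        """Data receiving + data offloading units: after ESP decryption, choose
        the destination by the inner source address. Returns the destination
        name, or None when the packet is dropped because its inner source was
        never allocated to a logical tunnel (spoofing guard, added here)."""
        src = ipaddress.ip_address(inner_packet["src"])
        tunnel = self.tunnels.get(src)
        return None if tunnel is None else tunnel.destination


class SourceDevice:
    """Requests one private IP per logical tunnel, keeps the IP/destination
    correlation, and maps each outgoing stream to its tunnel."""

    def __init__(self, gateway):
        self.gateway = gateway
        self.correlation = {}        # destination -> private_ip

    def request_tunnels(self, segments):
        for tunnel_id, seg in enumerate(segments, start=1):
            reply = self.gateway.handle_address_request(
                tunnel_id, {"INTERNAL_IP4_SUBNET": seg})
            self.correlation[reply["destination"]] = reply["INTERNAL_IP4_ADDRESS"]

    def send(self, destination, payload):
        # The stream for `destination` enters the logical tunnel whose private
        # IP is correlated with it: that IP becomes the inner source address.
        return {"src": self.correlation[destination], "payload": payload}


def run_demo():
    """Two logical tunnels, two destinations, plus one spoofed inner packet."""
    gw = SecurityGateway({"10.1.0.0/24": "dest-A", "10.2.0.0/24": "dest-B"})
    src = SourceDevice(gw)
    src.request_tunnels(["10.1.0.0/24", "10.2.0.0/24"])
    delivered = [(gw.offload(src.send(dst, data)), data)
                 for dst, data in [("dest-A", "oam-1"), ("dest-B", "user-1"),
                                   ("dest-A", "oam-2")]]
    # Constructed spoof: an inner source address no tunnel was ever given.
    spoofed = gw.offload({"src": "10.3.0.1", "payload": "injected"})
    return dict(src.correlation), delivered, spoofed


if __name__ == "__main__":
    print(run_demo())
```

In a real gateway the lookup in `offload` should additionally be tied to the child SA the packet arrived on (IPsec traffic selectors do this), so that a tunnel cannot carry packets bearing the other tunnel's allocated address; the model keys only on the inner address because that is the identification step the patent describes.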

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to an end-to-end data split transmission method comprising the following operations: a source device requests from a security gateway the private network IP addresses of at least two logical tunnels within an Internet Protocol Security (IPsec) tunnel; the source device obtains the private network IP addresses of the at least two logical tunnels and information on the correlation between them and each destination device; according to the correlation information, the source device maps the data stream sent to each destination device to the corresponding logical tunnel and transmits it to the security gateway, so that the security gateway sends the received data streams to the corresponding destination device. The method achieves secure end-to-end split data transmission.
PCT/CN2011/079809 2011-09-19 2011-09-19 Data multiplexing transmission method, device and system WO2012149745A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201180001855.0A CN102742247B (zh) 2011-09-19 2011-09-19 Data split transmission method, apparatus and system
PCT/CN2011/079809 WO2012149745A1 (fr) 2011-09-19 2011-09-19 Data multiplexing transmission method, device and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2011/079809 WO2012149745A1 (fr) 2011-09-19 2011-09-19 Data multiplexing transmission method, device and system

Publications (1)

Publication Number Publication Date
WO2012149745A1 true WO2012149745A1 (fr) 2012-11-08

Family

ID=46995195

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/079809 WO2012149745A1 (fr) 2011-09-19 2011-09-19 Data multiplexing transmission method, device and system

Country Status (2)

Country Link
CN (1) CN102742247B (fr)
WO (1) WO2012149745A1 (fr)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104601550B (zh) * 2014-12-24 2020-08-11 国家电网公司 Reverse-isolation file transfer system based on a cluster array, and method thereof
CN109218157B (zh) * 2017-07-04 2020-10-09 大唐移动通信设备有限公司 Data processing method, apparatus and system for a virtual private network system
CN107204994B (zh) * 2017-07-24 2019-09-17 杭州迪普科技股份有限公司 Method and apparatus for determining protected network segments based on IKEv2
CN116074038B (zh) * 2022-11-29 2023-08-22 杭州海兴电力科技股份有限公司 Gateway system and method for secure transmission of IPv6 data

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101136778A (zh) * 2006-08-02 2008-03-05 美国凹凸微系有限公司 VPN-configuration-based policy for a firewall/VPN security gateway device
CN101188542A (zh) * 2006-11-17 2008-05-28 华为技术有限公司 Method and system for establishing an IP tunnel, and apparatus for distributing IP addresses
CN101364910A (zh) * 2007-08-09 2009-02-11 中兴通讯股份有限公司 System and method for a self-organizing network
WO2010043254A1 (fr) * 2008-10-15 2010-04-22 Telefonaktiebolaget Lm Ericsson (Publ) Secure access within a communication network
CN101998442A (zh) * 2009-08-10 2011-03-30 北京三星通信技术研究有限公司 Remote access method and system

Also Published As

Publication number Publication date
CN102742247A (zh) 2012-10-17
CN102742247B (zh) 2015-09-09

Similar Documents

Publication Publication Date Title
CN107810627B (zh) Method and apparatus for establishing a media session
US7561586B2 (en) Method and apparatus for providing network VPN services on demand
EP2136504B1 (fr) Sending and receiving method, apparatus and system for the security policy of a multicast session
US7917948B2 (en) Method and apparatus for dynamically securing voice and other delay-sensitive network traffic
US8272046B2 (en) Network mobility over a multi-path virtual private network
WO2006010648A2 (fr) Secure communication methods and systems
WO2009021428A1 (fr) Secure protection device and method for message transfer
US10411994B2 (en) Multi-link convergence method, server, client, and system
CN101515896B (zh) Secure Sockets Layer protocol packet forwarding method, apparatus, system and switch
WO2011144154A1 (fr) Method, device and system for allocating an external network Internet Protocol address in a network address translation interworking function
JP2006262466A (ja) Method and system for reducing the number of ports allocated by a relay
WO2009129707A1 (fr) Communication method, apparatus and system for sending and receiving information between local area networks
WO2010020151A1 (fr) Packet processing method, apparatus and system
US20100303072A1 (en) Multicast Source Mobility
WO2016180020A1 (fr) Message processing method, device and system
WO2007019809A1 (fr) Method and system for establishing a point-to-point direct channel
US11647069B2 (en) Secure remote computer network
WO2012149745A1 (fr) Data multiplexing transmission method, device and system
WO2008134971A1 (fr) Method, system and device for self-establishing the binding between a management device and a managed device
KR20060132639A (ko) Resource-sharing broadband access system, method, and apparatus
WO2013020267A1 (fr) IP address allocation method, system and device
CN109547392B (zh) Encrypted access method and system supporting multi-user isolation in an SDN network
KR101686995B1 (ko) IPsec VPN apparatus, IPsec VPN system and IPsec VPN method using software-defined networking and network function virtualization
TWI504213B (zh) Network address translator traversal method in a 3rd Generation Partnership Project network
KR101329968B1 (ko) Method and system for determining a security policy between IPsec VPN devices

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 201180001855.0

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11864861

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11864861

Country of ref document: EP

Kind code of ref document: A1