WO2013097523A1 - Method, apparatus and transmission system for Internet Protocol security tunnel switching - Google Patents

Method, apparatus and transmission system for Internet Protocol security tunnel switching

Info

Publication number
WO2013097523A1
Authority
WO
WIPO (PCT)
Prior art keywords
tunnel
ipsec tunnel
ipsec
identifier
receiving end
Prior art date
Application number
PCT/CN2012/083291
Other languages
English (en)
Chinese (zh)
Inventor
董婷婷
孙宏
Original Assignee
华为数字技术(成都)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为数字技术(成都)有限公司
Publication of WO2013097523A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/164 Implementing security features at a particular protocol layer at the network layer

Definitions

  • The present invention relates to the field of computer applications, and in particular to a method, device and transmission system for switching an Internet Protocol security (IPsec) tunnel.
  • IPsec: Internet Protocol Security
  • IP: Internet Protocol
  • At present, IPsec tunnel backup and switching has two modes: dual-device backup and single-device dual-interface backup.
  • Dual-device backup is shown in FIG. 1: one interface on each of two devices serves as the primary link and the backup link respectively, and interfaces A and B each establish an IPsec tunnel with the receiving end. The IPsec tunnels are either kept in hot standby or switched by traffic, i.e. the switch to the backup tunnel is triggered by traffic so that data is transmitted over the other tunnel.
  • This mode requires two devices to be present at the same time to guarantee a successful backup of the IPsec tunnel, which makes it unsuitable for small and medium-sized networks.
  • Single-device dual-interface backup is shown in FIG. 2: two interfaces A and B of one device are used for backup, generally an Ethernet interface and a 3G interface. One interface, e.g. interface A, first establishes an IPsec tunnel with the tunnel receiving end.
  • When that IPsec tunnel goes down, i.e. becomes unavailable, the failure is detected by DPD (Dead Peer Detection) and the IPsec tunnel is removed; only then does the other interface, interface B, establish a new IPsec tunnel with the tunnel receiving end to transmit data, thereby completing the backup and switching of the IPsec tunnel. No data can be transmitted between the removal of the first tunnel and the establishment of the second.
  • An object of the present invention is to provide a method, an apparatus and a transmission system for switching an Internet Protocol security tunnel, so as to solve the problem in the prior art of service interruption caused by the IPsec tunnel being torn down during a switch. The specific implementation is as follows:
  • An Internet Protocol security tunnel switching method includes:
  • establishing a first IPsec tunnel, where the first IPsec tunnel is identified by a first tunnel identifier, and the first tunnel identifier is sent to the receiving end in the negotiation packet of the first IPsec tunnel so that the receiving end can identify the first IPsec tunnel;
  • detecting whether the first IPsec tunnel used for transmitting data is available; and, when the first IPsec tunnel is detected to be unavailable, negotiating a second IPsec tunnel before the first IPsec tunnel is removed and switching the transmitted data to the second IPsec tunnel, where the second IPsec tunnel is identified by a second tunnel identifier, and the second tunnel identifier is sent to the receiving end in the negotiation packet of the second IPsec tunnel so that the receiving end can identify the second IPsec tunnel.
  • An Internet Protocol security tunnel switching device includes:
  • a tunnel establishment module, configured to establish a first IPsec tunnel, where the first IPsec tunnel is identified by a first tunnel identifier, and the first tunnel identifier is sent to the receiving end in the negotiation packet of the first IPsec tunnel so that the receiving end can identify the first IPsec tunnel;
  • a tunnel detection module, configured to detect whether the first IPsec tunnel used for transmitting data is available; and
  • a tunnel switching module, configured to, when the tunnel detection module detects that the first IPsec tunnel is unavailable, negotiate a second IPsec tunnel before the first IPsec tunnel is removed and switch the transmitted data to the second IPsec tunnel, where the second IPsec tunnel is identified by a second tunnel identifier, and the second tunnel identifier is sent to the receiving end in the negotiation packet of the second IPsec tunnel so that the receiving end can identify the second IPsec tunnel.
  • With the method provided by the embodiment of the present invention, a first IPsec tunnel identified by a first tunnel identifier is established, the availability of the first IPsec tunnel carrying the data is monitored, and when it becomes unavailable a second IPsec tunnel is negotiated before the first IPsec tunnel is removed and the transmitted data is switched to the second IPsec tunnel. The method therefore does not need to wait for the first IPsec tunnel to be removed before establishing the second, so the data flow is switched quickly and the outage interval caused by the fault is reduced.
  • FIG. 1 is a schematic diagram of Internet Protocol security tunnel switching by two devices in the prior art;
  • FIG. 2 is a schematic diagram of Internet Protocol security tunnel switching by a single device in the prior art;
  • FIG. 3 is a schematic flowchart of an Internet Protocol security tunnel switching method according to an embodiment of the present invention;
  • FIG. 4 is a schematic flowchart of another Internet Protocol security tunnel switching method according to an embodiment of the present invention;
  • FIG. 5 is a schematic structural diagram of an Internet Protocol security tunnel switching apparatus according to an embodiment of the present invention.
  • The embodiment of the present invention provides a method for switching an Internet Protocol security tunnel, which is used to solve the transmission service interruption and transmission delay that occur in the prior art when a single device switches IPsec tunnels.
  • A first embodiment of the present invention provides a method for switching an Internet Protocol security tunnel. Its workflow is shown in FIG. 3 and includes the following steps:
  • Step 301: Establish a first IPsec tunnel, where the first IPsec tunnel is identified by a first tunnel identifier, and the first tunnel identifier is sent to the receiving end in the negotiation packet of the first IPsec tunnel so that the receiving end can identify the first IPsec tunnel.
  • Step 302: Detect whether the first IPsec tunnel used for transmitting data is available.
  • Step 303: When the first IPsec tunnel is detected to be unavailable, negotiate a second IPsec tunnel before the first IPsec tunnel is removed and switch the transmitted data to the second IPsec tunnel, where the second IPsec tunnel is identified by a second tunnel identifier, and the second tunnel identifier is sent to the receiving end in the negotiation packet of the second IPsec tunnel so that the receiving end can identify the second IPsec tunnel.
  • Because the second IPsec tunnel is negotiated while the first IPsec tunnel still exists, the method does not need to wait for the first IPsec tunnel to be removed before establishing the second, so the data flow is switched quickly and the outage interval caused by the fault is reduced.
  • The tunnel identifier must be sent to the receiving end in the negotiation packet, and the receiving end distinguishes the different tunnels by their tunnel identifiers. This is what allows the negotiation of the second IPsec tunnel to complete while the first IPsec tunnel has not yet been removed: the two IPsec tunnels have the same quintuple (source address, destination address, protocol, source port and destination port), so without a distinguishing identifier the negotiation of the second IPsec tunnel cannot be performed before the first IPsec tunnel is removed.
  • When the negotiation packet is an IKEv1 packet, the tunnel identifier is carried in the initiator identification payload IDci (ID initiator) and the responder identification payload IDcr (ID responder) of the tunnel negotiation packet.
  • IDci: ID initiator
  • IDcr: ID responder
  • Otherwise the tunnel identifier is carried in the Traffic Selector (TS) payload of the tunnel negotiation packet; the TS payload is the IKEv2 counterpart of the IKEv1 IDci/IDcr payloads.
  • TS: Traffic Selector
  • Detecting whether the first IPsec tunnel used for transmitting data is available may include: when the traffic on the first IPsec tunnel is less than a preset threshold, sending a probe packet to determine whether the first IPsec tunnel is unavailable. The value of the preset threshold is not specifically limited by the present invention.
  • The physical link corresponding to the first IPsec tunnel may be faulty, for example because a router is damaged, a switch fails or the configuration is changed. After the first IPsec tunnel is removed, the damaged component or the changed configuration can be serviced to repair the physical link.
  • When the first or the second IPsec tunnel transmits data, the corresponding IPsec tunnel is looked up by its tunnel identifier, and the data is sent through that IPsec tunnel. Both the tunnel sender and the tunnel receiver record and save the tunnel identifiers corresponding to the different IPsec tunnels.
  • The session initiator looks up the corresponding IPsec tunnel by its tunnel identifier, encapsulates the data and sends it through that IPsec tunnel. The availability of the tunnel may also be verified first: when a tunnel is established, its tunnel identifier is marked as available; before sending, it is checked whether the tunnel identifier is available, and only if it is, the corresponding IPsec tunnel is looked up, the data is encapsulated and sent through that IPsec tunnel.
  • A second embodiment of the present invention provides a method for switching an Internet Protocol security tunnel. Its workflow is shown in FIG. 4 and includes the following steps:
  • Step 401: Assign different tunnel identifiers to the first IPsec tunnel and the second IPsec tunnel according to their interface types.
  • In step 401, two or more interfaces are selected so that a corresponding IPsec tunnel can be established on each of them to complete the tunnel switch; generally two interfaces of a single device are selected, and a tunnel identifier is allocated to each of them.
  • The different interface types include an Ethernet interface, a 3G interface, a Wi-Fi interface, a Token Ring interface, an FDDI interface, an ATM interface or a wireless local area network interface. The tunnel identifiers of the embodiments of the present invention are applicable to all of these interface types, and in practice several interface types may be selected for establishing IPsec tunnels according to requirements.
  • To improve the stability of the transmitted data, the tunnel identifiers assigned to the different interfaces help to select the more stable interface for transmitting data, which makes the data transmission more stable. For example, when the existing interfaces are a 3G interface and an Ethernet interface, the Ethernet interface is given a higher priority than the 3G interface.
  • The embodiment of the present invention further discloses an Internet Protocol security tunnel switching device. As shown in FIG. 5, the device includes:
  • a tunnel establishment module 510, configured to establish a first IPsec tunnel, where the first IPsec tunnel is identified by a first tunnel identifier, and the first tunnel identifier is sent to the receiving end in the negotiation packet of the first IPsec tunnel so that the receiving end can identify the first IPsec tunnel;
  • a tunnel detection module 520, configured to detect whether the first IPsec tunnel used for transmitting data is available; and
  • a tunnel switching module 530, configured to, when the tunnel detection module 520 detects that the first IPsec tunnel is unavailable, negotiate a second IPsec tunnel before the first IPsec tunnel is removed and switch the transmitted data to the second IPsec tunnel, where the second IPsec tunnel is identified by a second tunnel identifier, and the second tunnel identifier is sent to the receiving end in the negotiation packet of the second IPsec tunnel so that the receiving end can identify the second IPsec tunnel.
  • The Internet Protocol security tunnel switching device may further include an identifier allocation module 540, configured to allocate different tunnel identifiers to the first IPsec tunnel and the second IPsec tunnel according to their interface types.
  • The Internet Protocol security tunnel switching device may further include a sending module 550, configured to, when the first IPsec tunnel or the second IPsec tunnel transmits data, look up the corresponding IPsec tunnel by its tunnel identifier and send the data through that IPsec tunnel.
  • The tunnel detection module 520 includes a traffic detection unit 521, configured to detect whether the traffic on the first IPsec tunnel is less than a preset threshold, and a sending unit 522, configured to send a probe packet when the traffic detection unit detects that the traffic on the first IPsec tunnel is less than the preset threshold, in order to determine whether the first IPsec tunnel is unavailable.
  • The embodiment of the present invention further discloses an Internet Protocol security tunnel transmission system, comprising a sending end and a receiving end that transmit data through an IPsec tunnel.
  • The sending end is configured to establish a first IPsec tunnel with the receiving end, where the first IPsec tunnel is identified by a first tunnel identifier, and the first tunnel identifier is sent to the receiving end in the negotiation packet of the first IPsec tunnel so that the receiving end can identify the first IPsec tunnel; to detect whether the first IPsec tunnel used for transmitting data is available; and, when the first IPsec tunnel is detected to be unavailable, to negotiate a second IPsec tunnel with the receiving end before the first IPsec tunnel is removed and to switch the transmitted data to the second IPsec tunnel, where the second IPsec tunnel is identified by a second tunnel identifier, and the second tunnel identifier is sent to the receiving end in the negotiation packet of the second IPsec tunnel so that the receiving end can identify the second IPsec tunnel.
  • The receiving end is configured to negotiate with the sending end to establish the IPsec tunnels, to receive and save the tunnel identifiers carried in the tunnel negotiation packets, and to receive data from the sending end.
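As an added example, not code from the patent or from the applicant: one way the tunnel identifier could be carried in the IKEv1 IDci/IDcr identification payload described above, using the opaque ID_KEY_ID type (type 11 in RFC 2407) and parsed on the receiving end with the length and type checks a receiver needs before it trusts the identifier. The ID type, the 64-byte cap on the identifier, the identifier strings and the SA-table registration are assumptions of this example; the patent fixes none of them.

```python
from __future__ import annotations
import struct

# ISAKMP Identification payload: generic payload header (RFC 2408 s.3.2:
# Next Payload, RESERVED, Payload Length), then ID Type and the IPsec DOI
# specific data (RFC 2407 s.4.6.2: Protocol ID, Port), then the
# Identification Data. Assumption of this example: the tunnel identifier is
# carried as an opaque ID_KEY_ID; the patent does not fix an ID type.
ID_HEADER = struct.Struct("!BBHBBH")
ID_KEY_ID = 11
MAX_TUNNEL_ID_LEN = 64        # assumed cap, keeps the payload bounded


def build_id_payload(tunnel_id: str, next_payload: int = 0) -> bytes:
    """Encode a tunnel identifier as an IDci/IDcr payload of type ID_KEY_ID."""
    data = tunnel_id.encode("ascii")
    if not data or len(data) > MAX_TUNNEL_ID_LEN:
        raise ValueError("tunnel identifier must be 1..64 ASCII bytes")
    length = ID_HEADER.size + len(data)
    # Protocol ID and Port are zero: "ignore" per RFC 2407 s.4.6.2.
    return ID_HEADER.pack(next_payload, 0, length, ID_KEY_ID, 0, 0) + data


def parse_id_payload(buf: bytes) -> tuple[str, int]:
    """Receiver side: validate the payload before trusting the identifier.

    Returns (tunnel_id, next_payload). Every length is checked against the
    buffer so a truncated or oversized payload cannot read past its end.
    """
    if len(buf) < ID_HEADER.size:
        raise ValueError("truncated ID payload header")
    next_payload, reserved, length, id_type, _proto, _port = ID_HEADER.unpack_from(buf)
    if reserved != 0:
        raise ValueError("RESERVED octet must be zero")
    if length < ID_HEADER.size or length > len(buf):
        raise ValueError("payload length inconsistent with buffer")
    if id_type != ID_KEY_ID:
        raise ValueError(f"expected ID_KEY_ID, got ID type {id_type}")
    data = buf[ID_HEADER.size:length]
    if not data or len(data) > MAX_TUNNEL_ID_LEN or not data.isascii():
        raise ValueError("malformed tunnel identifier")
    return data.decode("ascii"), next_payload


def register_tunnel(table: dict[str, dict], payload: bytes, sa: dict) -> str:
    """Receiving end: key the SA table by identifier, not by selector.

    Two SAs with the same quintuple get distinct entries as long as their
    identifiers differ; a repeated identifier is rejected instead of
    silently overwriting the live tunnel.
    """
    tunnel_id, _ = parse_id_payload(payload)
    if tunnel_id in table:
        raise ValueError(f"tunnel identifier {tunnel_id!r} already in use")
    table[tunnel_id] = sa
    return tunnel_id
```

The check that matters on the receiving end is the one on Payload Length: the identifier is attacker-influenced bytes arriving before the tunnel exists, so the parser bounds every read by both the declared length and the actual buffer, and it refuses to replace an existing entry with the same identifier rather than letting a second negotiation clobber a working tunnel.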

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to an Internet Protocol security (IPsec) tunnel switching method, a corresponding apparatus and an associated transmission system. The method consists in: establishing a first IPsec tunnel identified by a first tunnel identifier; detecting whether the first IPsec tunnel used for transmitting data is available; upon detecting that the first IPsec tunnel is not available, negotiating a second IPsec tunnel before removing the first IPsec tunnel, and switching the transmitted data to the second IPsec tunnel. With the method according to the embodiments of the invention, the second IPsec tunnel can be established without waiting for the first IPsec tunnel to be removed, which allows a data flow to be switched quickly and reduces the outage interval caused by a fault.
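The procedure summarized in the abstract (steps 301 to 303 of the first embodiment, with the per-interface-type identifier allocation of step 401), as an added Python simulation that is not part of the patent: a sending end that probes only when traffic in an interval drops below the threshold, negotiates the second tunnel while the first still exists and only then removes the first, and a receiving end that keys its tunnel table by identifier so that two tunnels with the same quintuple coexist during the switch. The interface names, the identifier format, the priority ranks, the probe stand-in and the injected fault are assumptions of this example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Second embodiment: identifiers are assigned per interface type and the
# more stable type is preferred. The numeric ranks are this example's
# assumption; the patent only states that Ethernet outranks 3G.
INTERFACE_PRIORITY = {"ethernet": 0, "3g": 1}

# Constructed quintuple shared by both tunnels: the case the text singles
# out, where only the identifier lets the receiver tell them apart.
SELECTOR = ("10.0.0.0/24", "10.1.0.0/24", "any", 0, 0)


@dataclass
class Tunnel:
    ident: str
    interface: str
    selector: tuple


class Receiver:
    """Receiving end: records each tunnel under the identifier it negotiated."""

    def __init__(self) -> None:
        self.tunnels: dict[str, Tunnel] = {}
        self.received: list[tuple[str, bytes]] = []

    def negotiate(self, ident: str, interface: str, selector: tuple) -> bool:
        # Keyed by identifier, so a second SA with an identical selector
        # coexists with the first instead of colliding with it.
        if ident in self.tunnels:
            return False
        self.tunnels[ident] = Tunnel(ident, interface, selector)
        return True

    def deliver(self, ident: str, payload: bytes) -> bool:
        if ident not in self.tunnels:
            return False
        self.received.append((ident, payload))
        return True

    def remove(self, ident: str) -> None:
        self.tunnels.pop(ident, None)


class Sender:
    """Sending end: step 302 detection and step 303 make-before-break switch."""

    def __init__(self, interfaces: dict[str, str], receiver: Receiver,
                 link_up: dict[str, bool], threshold: int = 1) -> None:
        # interfaces maps name -> type; the highest-priority type goes first.
        self.order = sorted(interfaces, key=lambda n: INTERFACE_PRIORITY[interfaces[n]])
        self.ident_of = {n: f"tun-{interfaces[n]}-{n}" for n in interfaces}
        self.receiver, self.link_up, self.threshold = receiver, link_up, threshold
        self.traffic = 0            # packets sent since the last check()
        self.events: list[str] = []
        self.active = self._establish(self.order[0])

    def _establish(self, iface: str) -> str:
        ident = self.ident_of[iface]
        if not self.receiver.negotiate(ident, iface, SELECTOR):
            raise RuntimeError(f"negotiation of {ident} failed")
        self.events.append(f"negotiated {ident}")
        return ident

    def _iface_of(self, ident: str) -> str:
        return next(n for n, i in self.ident_of.items() if i == ident)

    def _probe(self, iface: str) -> bool:
        # Stand-in for the probe packet: answered only while the link is up.
        return self.link_up.get(iface, False)

    def send(self, payload: bytes) -> bool:
        self.traffic += 1
        return self.receiver.deliver(self.active, payload)

    def check(self) -> str:
        """Probe only when traffic fell below the threshold; switch on failure."""
        seen, self.traffic = self.traffic, 0
        iface = self._iface_of(self.active)
        if seen >= self.threshold or self._probe(iface):
            return self.active
        self.events.append(f"probe failed {self.active}")
        for cand in self.order:
            if cand == iface or not self.link_up.get(cand, False):
                continue
            old = self.active
            # Negotiate the second tunnel while the first still exists ...
            self.active = self._establish(cand)
            self.events.append(f"switched to {self.active} with "
                               f"{len(self.receiver.tunnels)} tunnels present")
            # ... and only then remove the failed one.
            self.receiver.remove(old)
            self.events.append(f"removed {old}")
            return self.active
        raise RuntimeError("no usable interface for a backup tunnel")


def demo() -> tuple[Sender, Receiver]:
    """Constructed run: the Ethernet primary fails and traffic moves to 3G."""
    link = {"eth0": True, "wwan0": True}
    rx = Receiver()
    tx = Sender({"wwan0": "3g", "eth0": "ethernet"}, rx, link)
    tx.send(b"data-1")
    tx.check()                  # traffic seen in the interval: no probe sent
    link["eth0"] = False        # injected fault on the Ethernet link
    tx.check()                  # idle interval -> probe fails -> switch
    tx.send(b"data-2")
    return tx, rx


if __name__ == "__main__":
    tx, rx = demo()
    print("\n".join(tx.events))
```

The event log is the point of the simulation: "negotiated tun-3g-wwan0" is recorded before "removed tun-ethernet-eth0", and the receiver holds two tunnels at the moment of the switch, which is exactly what the prior-art single-device mode (remove first, then negotiate) cannot do when both tunnels share a selector.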
PCT/CN2012/083291 2011-12-31 2012-10-22 Method, apparatus and transmission system for Internet Protocol security tunnel switching WO2013097523A1 (fr)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN201110459548.9 2011-12-31
CN201110459548 2011-12-31
CN201210049832.3 2012-02-29
CN201210049832.3A CN102594646B (zh) 2011-12-31 2012-02-29 Internet Protocol security tunnel switching method, device and transmission system

Publications (1)

Publication Number Publication Date
WO2013097523A1 (fr) 2013-07-04

Family

ID=46482864

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/083291 WO2013097523A1 (fr) 2011-12-31 2012-10-22 Method, apparatus and transmission system for Internet Protocol security tunnel switching

Country Status (2)

Country Link
CN (1) CN102594646B (fr)
WO (1) WO2013097523A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20230370379A1 (en) * 2013-04-30 2023-11-16 Comcast Cable Communications, Llc Network Validation with Dynamic Tunneling

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102594646B (zh) * 2011-12-31 2015-11-25 华为数字技术(成都)有限公司 Internet Protocol security tunnel switching method, device and transmission system
CN102769526A (zh) * 2012-07-27 2012-11-07 汉柏科技有限公司 Method for switching between old and new IPsec tunnels
CN102891766B (zh) * 2012-09-25 2015-04-22 汉柏科技有限公司 IPsec state recovery method
CN103067956B (zh) * 2013-01-22 2015-07-29 迈普通信技术股份有限公司 IPsec tunnel backup and switching method and device in a 3G network environment
CN107171972B (zh) * 2013-02-28 2020-10-09 华为终端有限公司 Multi-link based data transmission method and device
CN104333554B (zh) * 2014-11-12 2018-06-15 新华三技术有限公司 Internet Protocol security (IPsec) security association negotiation method and device
CN108574589B (zh) * 2017-03-10 2021-09-14 华为技术有限公司 Internet Protocol security tunnel maintenance method, device and system
CN109218107A (zh) * 2018-10-15 2019-01-15 迈普通信技术股份有限公司 Link switching method, device, network equipment and network system
CN112217685B (zh) * 2019-07-11 2022-03-25 奇安信科技集团股份有限公司 Tunnel detection method, terminal device, system, computer device and storage medium
CN111865583B (zh) * 2020-07-20 2023-04-18 北京天融信网络安全技术有限公司 Tunnel negotiation method, device, electronic equipment and storage medium
CN112448949A (zh) * 2020-11-12 2021-03-05 武汉空格信息技术有限公司 Computer network monitoring system
CN113259435B (zh) * 2021-05-13 2022-07-12 上海巨印科技有限公司 Radiation measuring instrument data transmission method and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101442471A (zh) * 2008-12-31 2009-05-27 杭州华三通信技术有限公司 Method, system, node device and networking architecture for implementing IPsec tunnel backup and switching
CN101453744A (zh) * 2007-12-07 2009-06-10 华为技术有限公司 Service control method and device
US20100306572A1 (en) * 2009-06-01 2010-12-02 Alexandro Salvarani Apparatus and method to facilitate high availability in secure network transport
CN102594646A (zh) * 2011-12-31 2012-07-18 成都市华为赛门铁克科技有限公司 Internet Protocol security tunnel switching method, device and transmission system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1312870C (zh) * 2003-09-03 2007-04-25 中兴通讯股份有限公司 Method for handover of a mobile terminal between a CDMA system and a wireless local area network
CN1832438A (zh) * 2005-03-08 2006-09-13 华为技术有限公司 Service switching system and method in a next-generation network
CN101594648B (zh) * 2008-05-29 2011-07-27 上海无线通信研究中心 Seamless handover method for a personal area network in an IP multimedia subsystem


Also Published As

Publication number Publication date
CN102594646A (zh) 2012-07-18
CN102594646B (zh) 2015-11-25

Similar Documents

Publication Publication Date Title
WO2013097523A1 (fr) Method, apparatus and transmission system for Internet Protocol security tunnel switching
CN107547383B (zh) Path detection method and device
CN102595472B (zh) Quality of service monitoring method and device
EP1914939A1 (fr) Method for triggering fault detection in bidirectional forwarding detection
EP2696542A1 (fr) Method, ToR switch and system for implementing protection switching based on a TRILL network
CN101610535A (zh) Method, system and device for guaranteeing BFD session stability in a multi-link direct-connection scenario
WO2014032435A1 (fr) Method and device for processing fault point location information
CN110958265B (zh) Method and device for real-time forwarding based on market quotation data
CN107078946A (zh) Processing method, device and system for a service flow processing policy
WO2011157145A2 (fr) Primary/backup switching method between communication devices, system and service requesting device
WO2013107046A1 (fr) Link failure cause analysis method and associated devices
CN103716172B (zh) OAM method and device based on multi-protocol label switching
WO2010006531A1 (fr) Method, device and communication system for tunnel management
TWI450537B (zh) SSL VPN gateway and method for automatically controlling an SSL VPN tunnel
WO2010003323A1 (fr) Method, system and device for repairing a link failure
WO2015035851A1 (fr) Data transmission method and device
CN101909006A (zh) Bidirectional forwarding detection packet sending and receiving method, device and communication system
WO2022082581A1 (fr) Communication method and associated device
WO2012171397A1 (fr) Link protection method and device
CN102769552A (zh) Method and device for transmitting BFD packets when detecting an LSP via BFD
WO2018098630A1 (fr) X2 service transmission method and network apparatus
WO2015042840A1 (fr) Failure recovery method, node and path computation unit
CN108270593A (zh) Dual-device hot standby method and system
WO2011143891A1 (fr) Method and apparatus for backing up subscriber service information
CN101394642A (zh) Method, device and system for reporting link abnormality information

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12862534

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12862534

Country of ref document: EP

Kind code of ref document: A1