WO2014153989A1 - A method for preventing IPsec tunnel flapping caused by DPD detection failure - Google Patents
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
          - H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
        - H04L63/16—Implementing security features at a particular protocol layer
          - H04L63/164—Implementing security features at a particular protocol layer at the network layer
Abstract
The present invention provides a method for preventing IPsec tunnel flapping caused by DPD detection failure. When an IPsec peer has sent multiple DPD probe packets consecutively and still has not received a DPD response packet from the peer IPsec peer, it further determines whether there is another IKE SA with the same source address and destination address as this IPsec peer's IKE SA; if not, it deletes this IPsec peer's IKE SA; if so, it does not delete the IPsec SA corresponding to the IKE SA whose source and destination addresses are the same as this IPsec peer's IKE SA. By optimizing the DPD detection method, the present invention reduces the IPsec tunnel flapping caused by erroneous deletion of the IPsec tunnel when the IPsec peers trigger IKE negotiation simultaneously.
Description
A method for preventing IPsec tunnel flapping caused by DPD detection failure
Technical Field
The present invention relates to the field of computer networks, and in particular to a method for preventing DPD detection failure from causing IPsec
Background Art
An IPsec tunnel carries two kinds of packets, protocol packets and data packets. The protocol packets are the IKE packets handled by the host's packet processing. An SA is an agreement between IPsec peers on certain elements, and IPsec can establish an SA through IKE negotiation. When establishing SAs, IKE negotiation is divided into two phases: a first negotiation phase and a second negotiation phase. The first negotiation phase generates the key that encrypts the protocol packets, namely the IKE SA; the second negotiation phase generates the key that encrypts the data packets, namely the IPsec SA, and data packets are sent once the second negotiation phase has succeeded.
However, causes such as packet retransmission on the network can lead the IPsec peers to trigger IKE negotiation at the same time. For example, firewall a and firewall b both send a negotiation request packet in the first negotiation phase simultaneously, producing two pairs of IKE SAs whose source address and destination address are exactly the same. An example scenario:
fw a | fw b |
---|---|
IKE SA a1 | IKE SA b1 |
IKE SA a2 | IKE SA b2 |
As shown above, if both of these IKE SAs are in the complete state there is no problem at all. If only one pair of IKE SAs negotiates successfully, the successful IKE SA proceeds with the second negotiation phase to generate the IPsec SA, while the other pair fails, and one end of the failed IKE SA has already completed negotiation. The specific scenario is as follows:
fw a | fw b |
---|---|
IKE SA a1 | IKE SA b1 |
IKE SA a2 | |
When one end of the failed IKE SA has completed negotiation (that is, IKE SA a2 exists) while the other end, because of protocol packet loss, never negotiated successfully and has no such IKE SA (that is, the corresponding IKE SA b2 does not exist), IKE SA a2 sends a DPD packet, but the peer has no corresponding IKE SA b2 with which to answer it. fw a then deletes the IKE SA corresponding to its local DPD packet and at the same time deletes the IPsec SA whose source and destination addresses are the same as that IKE SA's, so the IPsec tunnel flaps.
For this reason, the prior art does indeed need improvement.
Summary of the Invention
Addressing the deficiencies of the prior art, the present invention provides a method for preventing IPsec tunnel flapping caused by DPD detection failure, so that when the IPsec peers trigger IKE negotiation simultaneously, the problem of IPsec tunnel flapping caused by erroneous deletion of the IPsec tunnel is reduced.
To achieve the above object, the present invention is realized through the following technical solution:
The present invention provides a method for preventing IPsec tunnel flapping caused by DPD detection failure, comprising the following steps:
S1. The IPsec peers at both ends trigger IKE negotiation simultaneously and complete negotiation of the IKE SA;
S2. The IPsec peer sends multiple DPD probe packets consecutively and, within a preset period, determines whether it has received a DPD response packet from the peer IPsec peer; if so, it continues and completes negotiation of the IPsec SA; if not, it proceeds to step S3;
S3. Determine whether there is another IKE SA with the same source address and destination address as this IPsec peer's IKE SA; if not, delete this IPsec peer's IKE SA; if so, do not delete the IPsec SA corresponding to the IKE SA whose source and destination addresses are the same as this IPsec peer's IKE SA.
Preferably, step S2 further comprises:
the IPsec peer sends multiple DPD probe packets carrying a cookie consecutively and, within a preset period, determines whether it has received a DPD response packet from the peer IPsec peer.
Preferably, step S2 further comprises: the IPsec peer sends 5 DPD probe packets carrying a cookie consecutively.
Preferably, step S1 further comprises:
the IPsec peers at both ends trigger IKE negotiation simultaneously and complete negotiation of the IKE SA through aggressive mode.
The present invention provides a method for preventing IPsec tunnel flapping caused by DPD detection failure, so that when the IPsec peers trigger IKE negotiation simultaneously, the problem of IPsec tunnel flapping caused by erroneous deletion of the IPsec tunnel is reduced by optimizing the DPD detection method.
Brief Description of the Drawings
FIG. 1 is a flow chart of an embodiment of the present invention.
Detailed Description
The method for preventing IPsec tunnel flapping caused by DPD detection failure proposed by the present invention is described in detail below with reference to the drawing and an embodiment.
In the prior art, when the IPsec peer sends a DPD packet to the peer IPsec peer and the peer IPsec peer cannot find an IKE SA with the same cookie as the one carried in the DPD packet, this means the DPD packet cannot be processed, and it is discarded directly. When the IPsec peer has sent 5 DPD packets consecutively and still receives no DPD response, the link is judged to be abnormal, so the local IKE SA corresponding to the DPD is deleted, and the IPsec SA whose source and destination addresses are the same as this IKE SA's is deleted as well, which causes the IPsec tunnel to flap.
As shown in FIG. 1, the present invention provides a method for preventing IPsec tunnel flapping caused by DPD detection failure, comprising the following steps:
S1. The IPsec peers at both ends trigger IKE negotiation simultaneously and complete negotiation of the IKE SA;
S2. The IPsec peer sends multiple DPD probe packets consecutively and, within a preset period, determines whether it has received a DPD response packet from the peer IPsec peer; if so, it continues and completes negotiation of the IPsec SA; if not, it proceeds to step S3;
S3. Determine whether there is another IKE SA with the same source address and destination address as this IPsec peer's IKE SA; if not, delete this IPsec peer's IKE SA; if so, a standby tunnel exists, so do not delete the IPsec SA corresponding to the IKE SA whose source and destination addresses are the same as this IPsec peer's IKE SA.
Preferably, step S2 further comprises:
the IPsec peer sends multiple DPD probe packets carrying a cookie consecutively and, within a preset period, determines whether it has received a DPD response packet from the peer IPsec peer; that is, each DPD packet carries the pair of cookies unique to its corresponding IKE SA, so the cookies of every pair of IKE SAs are different.
Preferably, step S2 further comprises: the IPsec peer sends 5 DPD probe packets carrying a cookie consecutively.
Preferably, step S1 further comprises: the IPsec peers at both ends trigger IKE negotiation simultaneously and complete negotiation of the IKE SA through aggressive mode.
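As an added illustration, not code from the patent or its applicant, the following Python model contrasts the prior-art DPD failure handling with step S3 of this method on the scenario described above (fw a holds IKE SAs a1 and a2 with identical addresses, fw b only completed b1). The cookie values and addresses are constructed, and discarding the unanswered IKE SA in the standby-tunnel branch is an assumption the page does not state.

```python
from dataclasses import dataclass, field

DPD_RETRIES = 5  # preferred embodiment on the page: five consecutive DPD probes

@dataclass(frozen=True)
class IkeSa:
    cookies: tuple  # (initiator, responder) cookie pair, unique to this IKE SA
    src: str        # source address of the IKE SA
    dst: str        # destination address of the IKE SA

@dataclass
class Firewall:
    ike_sas: set = field(default_factory=set)
    ipsec_sas: dict = field(default_factory=dict)  # (src, dst) -> IPsec SA label

    def answers_dpd(self, probe_cookies):
        # Responder: a probe whose cookies match no IKE SA is dropped unanswered.
        return any(sa.cookies == probe_cookies for sa in self.ike_sas)

    def has_sibling(self, sa):
        # Another IKE SA with the same source and destination addresses?
        return any(o != sa and (o.src, o.dst) == (sa.src, sa.dst) for o in self.ike_sas)

def dpd_failure_prior_art(fw, sa):
    # Prior art: drop the IKE SA and the IPsec SA sharing its addresses, which
    # tears down the tunnel that the sibling IKE SA negotiated (the flap).
    fw.ike_sas.discard(sa)
    fw.ipsec_sas.pop((sa.src, sa.dst), None)

def dpd_failure_patented(fw, sa):
    # Step S3: keep the IPsec SA when a sibling IKE SA with the same addresses
    # exists (standby tunnel). Discarding the dead IKE SA there is an assumption.
    keep = fw.has_sibling(sa)
    fw.ike_sas.discard(sa)
    if not keep:
        fw.ipsec_sas.pop((sa.src, sa.dst), None)
    return keep

def run_dpd(local, peer, sa, on_failure, retries=DPD_RETRIES):
    # Step S2: send cookie-tagged probes; if none is answered within the
    # retry budget, hand the IKE SA to the failure handler.
    for _ in range(retries):
        if peer.answers_dpd(sa.cookies):
            return "alive"
    on_failure(local, sa)
    return "dead"

def scenario(on_failure):
    # Page's scenario (constructed values): fw a holds a1 and a2 with identical
    # addresses; fw b only completed b1, so a2's probes are never answered.
    a1 = IkeSa(("c1", "c2"), "10.0.0.1", "10.0.0.2")
    a2 = IkeSa(("c3", "c4"), "10.0.0.1", "10.0.0.2")
    fw_a = Firewall({a1, a2}, {("10.0.0.1", "10.0.0.2"): "ipsec-sa-ab"})
    fw_b = Firewall({IkeSa(("c1", "c2"), "10.0.0.2", "10.0.0.1")})
    result = run_dpd(fw_a, fw_b, a2, on_failure)
    return result, "ipsec-sa-ab" in fw_a.ipsec_sas.values(), a1 in fw_a.ike_sas
```

`scenario(dpd_failure_prior_art)` loses the IPsec SA even though a1 is still healthy, while `scenario(dpd_failure_patented)` keeps it.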
The present invention provides a method for preventing IPsec tunnel flapping caused by DPD detection failure, so that when the IPsec peers trigger IKE negotiation simultaneously, the problem of IPsec tunnel flapping caused by erroneous deletion of the IPsec tunnel is reduced by optimizing the DPD detection method.
The above embodiment is only used to illustrate the present invention and does not limit it. Those of ordinary skill in the relevant technical field may make various changes and modifications without departing from the spirit and scope of the present invention; therefore all equivalent technical solutions also fall within the scope of the present invention, and the scope of patent protection of the present invention shall be defined by the claims.
Industrial Applicability
The present invention provides a method for preventing IPsec tunnel flapping caused by DPD detection failure, so that when the IPsec peers trigger IKE negotiation simultaneously, the problem of IPsec tunnel flapping caused by erroneous deletion of the IPsec tunnel is reduced by optimizing the DPD detection method.
Claims
1. A method for preventing IPsec tunnel flapping caused by DPD detection failure, characterized in that it comprises the following steps:
S1. The IPsec peers at both ends trigger IKE negotiation simultaneously and complete negotiation of the IKE SA;
S2. The IPsec peer sends multiple DPD probe packets consecutively and, within a preset period, determines whether it has received a DPD response packet from the peer IPsec peer; if so, it continues and completes negotiation of the IPsec SA; if not, it proceeds to step S3;
S3. Determine whether there is another IKE SA with the same source address and destination address as this IPsec peer's IKE SA; if not, delete this IPsec peer's IKE SA; if so, do not delete the IPsec SA corresponding to the IKE SA whose source and destination addresses are the same as this IPsec peer's IKE SA.
2. The method according to claim 1, characterized in that step S2 further comprises: the IPsec peer sends multiple DPD probe packets carrying a cookie consecutively and, within a preset period, determines whether it has received a DPD response packet from the peer IPsec peer.
3. The method according to claim 2, characterized in that step S2 further comprises: the IPsec peer sends 5 DPD probe packets carrying a cookie consecutively.
4. The method according to any one of claims 1 to 3, characterized in that step S1 further comprises:
the IPsec peers at both ends trigger IKE negotiation simultaneously and complete negotiation of the IKE SA through aggressive mode.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310099380.4 | 2013-03-26 | ||
CN201310099380.4A CN103227777B (zh) | 2013-03-26 | 2013-03-26 | A method for preventing IPsec tunnel flapping caused by DPD detection failure |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2014153989A1 (zh) | 2014-10-02 |
Family
ID=48838038
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2013/089245 WO2014153989A1 (zh) | 2013-03-26 | 2013-12-12 | A method for preventing IPsec tunnel flapping caused by DPD detection failure |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN103227777B (zh) |
WO (1) | WO2014153989A1 (zh) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103227777B (zh) * | 2013-03-26 | 2015-11-25 | 汉柏科技有限公司 | A method for preventing IPsec tunnel flapping caused by DPD detection failure |
CN103475647A (zh) * | 2013-08-23 | 2013-12-25 | 天津汉柏汉安信息技术有限公司 | A method for preventing IPsec tunnel renegotiation failure |
CN106170949B (zh) * | 2014-12-30 | 2019-10-15 | 华为技术有限公司 | Dead peer detection method, IPsec peer and network device |
CN106302248B (zh) * | 2016-08-31 | 2021-10-12 | 新华三技术有限公司 | Neighbor establishment method and apparatus |
CN111327394B (zh) * | 2018-12-17 | 2022-10-11 | 北京华为数字技术有限公司 | Packet sending method and apparatus |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1917516A (zh) * | 2006-07-31 | 2007-02-21 | 杭州华为三康技术有限公司 | Method for negotiating a security association |
US20110078436A1 (en) * | 2009-09-30 | 2011-03-31 | Canon Kabushiki Kaisha | Communication apparatus, method for controlling communication apparatus and storage medium |
CN102420770A (zh) * | 2011-12-27 | 2012-04-18 | 汉柏科技有限公司 | IKE packet negotiation method and device |
CN102946333A (zh) * | 2012-10-31 | 2013-02-27 | 杭州华三通信技术有限公司 | IPsec-based DPD detection method and device |
CN102970293A (zh) * | 2012-11-20 | 2013-03-13 | 杭州华三通信技术有限公司 | Method and apparatus for synchronizing security associations between devices |
CN103227777A (zh) * | 2013-03-26 | 2013-07-31 | 汉柏科技有限公司 | A method for preventing IPsec tunnel flapping caused by DPD detection failure |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1562346A1 (en) * | 2004-02-06 | 2005-08-10 | Matsushita Electric Industrial Co., Ltd. | Method and system for reliably disconnecting IPSec security associations |
CN101227485B (zh) * | 2008-02-04 | 2011-07-27 | 杭州华三通信技术有限公司 | Method and device for negotiating the lifetime of an Internet Key Exchange security association |
CN101309273B (zh) * | 2008-07-16 | 2011-06-01 | 杭州华三通信技术有限公司 | Method and apparatus for generating a security association |
CN101442471B (zh) * | 2008-12-31 | 2012-04-18 | 杭州华三通信技术有限公司 | Method, system, node device and networking system for implementing IPsec tunnel backup and switchover |
2013
- 2013-03-26 CN CN201310099380.4A patent/CN103227777B/zh not_active Expired - Fee Related
- 2013-12-12 WO PCT/CN2013/089245 patent/WO2014153989A1/zh active Application Filing
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2018194844A1 (en) * | 2017-04-17 | 2018-10-25 | Microsoft Technology Licensing, Llc | Collision prevention in secure connection establishment |
US10432675B2 (en) | 2017-04-17 | 2019-10-01 | Microsoft Technology Licensing, Llc | Collision prevention in secure connection establishment |
CN111641545A (zh) * | 2020-05-15 | 2020-09-08 | 深信服科技股份有限公司 | Tunnel detection method and apparatus, device, and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN103227777B (zh) | 2015-11-25 |
CN103227777A (zh) | 2013-07-31 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 13879946; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 13879946; Country of ref document: EP; Kind code of ref document: A1 |