WO2016150097A1 - Service offloading method and system - Google Patents

Service offloading method and system

Info

Publication number
WO2016150097A1
Authority
WO
WIPO (PCT)
Prior art keywords
board
resource service
negotiation
distribution table
address
Prior art date
Application number
PCT/CN2015/088148
Other languages
French (fr)
Chinese (zh)
Inventor
郭瑞芳
Original Assignee
中兴通讯股份有限公司
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2016150097A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming

Definitions

  • This application relates to, but is not limited to, the field of communications.
  • IPsec Internet Protocol Security
  • IPsec protocol architecture consists of two secure processing protocols and one key exchange protocol.
  • the two security processing protocols are the IP Authentication Header Protocol (AH) and the IP Security Encapsulation Payload Protocol (ESP), and a Key Exchange Protocol (IKE) is used to establish a Security Association (SA).
  • AH IP Authentication Header Protocol
  • ESP IP Security Encapsulation Payload Protocol
  • IKE Key Exchange Protocol
  • the distributed form allows the IPsec service to be handed over to multiple processors, greatly improving processing performance.
  • the widely used distributed processing technology is a device that uses a main control board and multiple interface boards and service boards.
  • the IPsec related processing is mainly assigned to the service board.
  • IPsec anti-replay support requires that all service packets belonging to the same IPsec session be processed on one processor.
  • Packets to be processed by the IPsec service include IP packets, IPsec packets (ESP or AH packets), and IKE negotiation packets.
  • In IPsec deployments, session peers fall into statically specified and dynamically changing usage scenarios. In the static designation mode, the peer network address and the interest flow are fixed. The dynamic mode is mostly used for dynamic remote user access, where the user network addresses and the number of users change dynamically.
  • This document provides a service offloading method and system to solve the problem of packet shunting related to IPsec services with different characteristics.
  • a service offloading method comprising:
  • Each interface board selects a corresponding traffic distribution table according to the packet type of the packet to be processed.
  • Each interface board delivers the packet to the corresponding security association (SA) resource service board according to the selected traffic distribution table.
  • SA security association
  • the distribution table includes any one or more of the following:
  • an IKE offloading table that records the correspondence between the source and destination network addresses of a session and the SA resource service board;
  • a plaintext distribution table that records the correspondence between the interest flow matching template and the SA resource service board;
  • a ciphertext distribution table that records the correspondence between the Security Parameter Index (SPI) fixed bits and the SA resource service board.
  • each interface board selecting a corresponding traffic distribution table according to the packet type of the packet to be processed includes:
  • when the packet is an IKE negotiation packet, the IKE offloading table is selected;
  • when the packet is a plaintext IP packet, the plaintext distribution table is selected;
  • when the packet is a ciphertext (AH or ESP) packet, the ciphertext distribution table is selected.
  • generating the same at least one offloading table for all interface boards according to the IPsec negotiation element includes:
  • the main control board allocates address bits for the physical address of the online SA resource service board.
  • the main control board specifies the source and destination addresses of the session and other IPsec negotiation requirements, and uses the load balancing algorithm to calculate the physical address of the SA resource service board of the session with different source and destination addresses.
  • the main control board generates a distribution table and delivers the distribution table to all interface boards.
  • the method further includes:
  • the SA resource service board negotiates the SA entry and records the correspondence between the interest stream and the SA after negotiation.
  • the method further includes:
  • when the statically specified interest flow range of the local end is greater than the negotiated range of the two parties, the interface board delivers packets of the specified interest flow that fall outside the negotiated range to the SA resource service board.
  • the SA resource service board triggers IPsec negotiation when it finds no SA corresponding to that out-of-range interest flow.
  • the method further includes:
  • the main control board deletes the distribution table and sends the deletion to all interface boards, instructing every interface board to delete the distribution table.
  • generating the same at least one traffic distribution table for all interface boards according to the dynamic user access information includes:
  • the main control board allocates address bits for the physical address of the online SA resource service board.
  • the interface board receives the IKE negotiation request packet sent by the dynamic user, extracts the source address and the destination address in the IKE negotiation request packet, and calculates the physical address of the SA resource service board of the corresponding session according to the source address and the destination address.
  • the IKE negotiation request message is delivered to the SA resource service board;
  • the SA resource service board negotiates to obtain an SA, and reports the physical address of the SA resource service board, the source address and the destination address of the negotiation parties, and the private network address allocated to the user to the main control board;
  • the main control board generates a distribution table and delivers the distribution table to all interface boards.
  • the method further includes:
  • the SA resource service board deletes the SA corresponding to the dynamic user, and notifies the main control board to delete the SA corresponding to the dynamic user.
  • the main control board deletes the distribution table and sends it to all interface boards, indicating that all the interface boards delete the distribution table.
  • a service offloading system includes a main control board, at least one interface board, and at least one SA resource service board;
  • the main control board is configured to: generate the same at least one offloading table for all interface boards according to the IPsec negotiation element or the dynamic user access information;
  • the at least one interface board is configured to: select a corresponding traffic distribution table according to the packet type of the packet to be processed, and deliver the packet to the corresponding SA resource service board according to the selected traffic distribution table.
  • the main control board includes:
  • the first address bit allocation module is configured to: allocate an address bit for a physical address of the online SA resource service board;
  • the calculation module is configured to: specify the source and destination addresses of the session, and other IPsec negotiation requirements, and use the load balancing algorithm to calculate the physical address of the SA resource service board of the session with different source and destination addresses;
  • the first traffic distribution table generating module is configured to generate a traffic distribution table and deliver it to all interface boards.
  • the interface board is further configured to: when the statically specified interest flow range of the local end is greater than the negotiated range of the two parties, deliver packets of the specified interest flow that exceed the negotiated range to the SA resource service board.
  • the SA resource service board is further configured to: trigger an IPsec negotiation without SA when the SA corresponding to the specified interest flow exceeding the negotiation range is not queried.
  • the main control board includes:
  • a second address bit allocation module configured to: allocate an address bit for a physical address of the online SA resource service board
  • the information receiving module is configured to: receive a physical address of the SA resource service board reported by the SA resource service board to the main control board, a source address and a destination address of the negotiation parties, and a private network address allocated to the user;
  • the second traffic distribution table generating module is configured to generate a traffic distribution table and deliver it to all interface boards.
  • a computer readable storage medium storing computer executable instructions for performing the method of any of the above.
  • the embodiment of the present invention provides a service offloading method and system: the same at least one offloading table is generated for all interface boards according to the IPsec negotiation elements or the dynamic user access information; each interface board selects the corresponding traffic distribution table according to the packet type of the packet to be processed; and each interface board delivers the packet to the corresponding SA resource service board according to the selected table.
  • this implements the offloading and co-processing of packets related to different IPsec services and solves the problem of distributing packets related to IPsec services with different characteristics.
  • FIG. 1 is a schematic structural diagram of a distributed flow distribution device according to Embodiment 1 of the present invention.
  • FIG. 2 is a schematic diagram of the offloading process in the statically designated peer address mode according to Embodiment 1 of the present invention.
  • FIG. 3 is a schematic diagram of a process of dynamic user access offloading according to Embodiment 1 of the present invention.
  • FIG. 5 is a schematic structural diagram of a service offloading system according to Embodiment 3 of the present invention.
  • FIG. 6 is a schematic structural view of the main control board 501 of FIG. 5.
  • Embodiments of the present invention provide a service offloading method and system that use different traffic distribution tables to offload Internet Protocol Security (IPsec) service-related packets to the security association (SA) resource service board, solving the problem of distributing traffic for distributed IPsec services.
  • the embodiment of the invention provides a distributed offloading device, which is composed of a main control board and a plurality of interface boards and service boards.
  • the IPsec SA negotiation is performed on the service board.
  • the service board responsible for the session is the SA resource service board.
  • the interface board offloads packets to the SA resource service board by using different traffic distribution tables: the Internet Key Exchange (IKE) offloading table offloads IKE negotiation packets; the plaintext offloading table offloads ordinary IP packets; and the ciphertext offloading table offloads ciphertext packets, that is, IPsec Authentication Header (AH) and Encapsulating Security Payload (ESP) packets.
  • IKE Internet Key Exchange
  • the traffic distribution table is distributed on the interface board.
  • the SA resource service board maintains only IPsec SA information.
  • the IKE traffic distribution table records the source and destination network addresses and the SA resource service board relationship.
  • the plaintext traffic distribution table records the relationship between the interest stream matching template and the SA resource service board physical address.
  • the interest stream matching template can be an access control list.
  • the matching template can also be the private network address assigned to a dynamically accessing user; the ciphertext distribution table records the correspondence between the security parameter index (SPI) fixed bits and the SA resource service board.
  • SPI security parameter index
  • when the distributed device comes online, the physical address of each service board is assigned a distinct bit representation, and that bit is used in the fixed bits of the SPI allocated to the session peer;
  • ciphertext packets are steered directly: the SPI fixed bits are extracted from the ciphertext packet and looked up to find the SA resource service board.
  • the split table generation mode is different for statically specifying the peer address and dynamic user access scenarios.
  • the main control board is responsible for configuration management, and generates and deletes the flow distribution table.
  • the interface board is responsible for sending and receiving packets, and distributes IPsec service packets to the SA resource service board by querying the distribution table that corresponds to the packet type; the SA resource service board is responsible for IPsec SA negotiation and IPsec encryption and decryption processing.
  • the distributed offloading device includes a main control board and multiple interface boards and service boards to exchange packets through inter-board communication.
  • the main control board includes a configuration management module and a traffic distribution management module.
  • the interface board includes a packet sending and receiving module and a traffic distribution management module.
  • the service board includes an SA negotiation module and a message encryption and decryption module.
  • the traffic distribution management module on the main control board is responsible for calculating the address bits of the service boards, for the load-balancing calculation of the SA resource service board in the static designation mode, and for generating and deleting the traffic distribution tables. The traffic distribution management module on the interface board is responsible for maintaining the traffic distribution table information, for selecting the appropriate traffic distribution table according to the packet type and delivering packets to the service board, and for the load-balancing calculation of the SA resource service board in the dynamic user access mode.
  • Figure 2 shows the process of statically specifying the peer address mode to offload:
  • Step 201 After the service board is online, the main control board offload management module allocates physical addresses of different service boards to address bits.
  • the traffic management module on the main control board senses the service board, and assigns a value to indicate the physical address of the service board, which is called the service board address bit.
  • the service board address bit is used in the security parameter index allocated to the session peer.
  • the Security Parameter Index (SPI) identifies the SAs of different communicating devices: packets sent by the peer device carry the SPI that the local end allocated to the peer, and the SPI uniquely indexes the security association (SA), so when the local end receives a packet it uses the SPI to find the corresponding SA. Different sessions correspond to different SAs, and therefore to different SPIs with their fixed bits.
  • Step 202 The IPsec configuration management module statically specifies the source and destination addresses of the two parties and configures other IPsec negotiation elements.
  • the traffic distribution management module uses the load balancing algorithm to calculate the SA resource service board address for each session with different source and destination addresses.
  • the IKE distribution table, the ciphertext distribution table, and the plaintext distribution table are delivered to all interface boards.
  • the IKE offloading table records the correspondence between the source and destination addresses of the session and the SA resource service board.
  • the ciphertext offload table records the correspondence between the address bits of the service board and the SA resource service board.
  • the plaintext offload table records the correspondence between the statically specified ACL flow and the SA resource service board.
  • Step 203 The SA resource service board negotiates a successful SA entry, and the encryption and decryption module records the interest flow and the SA after the negotiation.
  • when allocating the SPI, the SA negotiation module sets the fixed bits of the SPI to the service board address bit. If the SPI occupies 4 bytes, one byte can directly carry the value allocated in step 201 (which is in effect the in-position information of the service board); the other three bytes are allocated with different values for different SAs.
  • data packets sent by the peer device carry this SPI; when the local end receives such a packet, it extracts that byte from the SPI and thereby determines which service board the packet should be delivered to (this corresponds to step 204). The correspondence between the negotiated interest flow and the SA is recorded.
  • when the statically specified interest flow range of the local end exceeds the negotiated range, the traffic distribution module on the interface board delivers packets of the out-of-range flow to the SA resource service board.
  • if no corresponding SA is found, the SA resource service board triggers IPsec negotiation.
  • Step 204 On the interface board, IKE negotiation packets are delivered to the SA resource service board through the IKE offloading table; plaintext packets are delivered to the SA resource service board for encryption by querying the plaintext traffic distribution table; and ciphertext packets are delivered to the SA resource service board for decryption by querying the ciphertext distribution table with the SPI fixed bits.
  • Step 205 The static configuration of the IPsec is deleted.
  • the traffic distribution management module of the main control board deletes the traffic distribution table and instructs all interface boards to delete it.
  • Figure 3 shows the process of dynamic user access offloading
  • Step 301 After the service board is online, the traffic distribution management module of the main control board allocates address bits to the physical addresses of the different service boards, the same as step 201 of the static mode.
  • Step 302 The interface board receives the IKE negotiation request packet of the dynamic user, and the traffic management module extracts the source and destination address of the IKE packet, and uses a load balancing algorithm, such as the HASH algorithm, to calculate the physical address of the SA resource service board of the session;
  • the negotiation packet is delivered to the SA resource service board.
  • Step 303 The SA negotiation module of the SA resource service board negotiates the SA and actively reports to the traffic distribution management module of the main control board, carrying the physical address of the SA resource service board, the source and destination addresses of the two parties, and the private network address allocated to the user.
  • the SA negotiation module uses the fixed bit of the SPI as the service board address bit when allocating the SPI.
  • Step 304 The traffic distribution management module on the main control board generates an IKE traffic distribution table, a plaintext traffic distribution table, and a ciphertext traffic distribution table.
  • a plaintext offloading table is generated according to the address of the SA resource service board and the private network address assigned to the user; and the ciphertext distribution table is generated according to the SA resource service board address and the SPI fixed bit.
  • the advantage of using the private network address assigned to the user as the interest flow matching template in the plaintext distribution table is that it avoids the cost of an ACL lookup on the interface board.
  • Step 305 On the interface board, the IKE negotiation packet is delivered to the SA resource service board through the IKE traffic distribution table.
  • plaintext packets are looked up in the plaintext traffic distribution table by the user's private network address and delivered to the corresponding SA resource service board for encryption.
  • ciphertext packets are looked up in the ciphertext offloading table by the SPI fixed bits and delivered to the SA resource service board for decryption.
  • Step 306 The dynamic user goes offline; the SA on the SA resource service board is deleted, and the SA resource service board notifies the traffic distribution management module of the main control board.
  • Step 307 The main control board deletes the traffic distribution table and instructs all interface boards to delete it.
  • the embodiment of the present invention provides a service offloading method, and the process of performing the offloading process on different IPsec packets by using the method is as shown in FIG. 4, and includes:
  • Step 401 Generate the same at least one offloading table for all interface boards according to the IPsec negotiation element or the dynamic user access information.
  • the flow distribution table includes any one or any of the following:
  • An IKE offload table that records the correspondence between the source and destination network addresses and the SA resource service boards.
  • a ciphertext split table that records the correspondence between the SPI fixed bit and the SA resource service board.
  • this step includes:
  • the main control board allocates address bits for the physical address of the online SA resource service board.
  • the main control board specifies the source and destination addresses of the session and other IPsec negotiation requirements, and uses the load balancing algorithm to calculate the physical address of the SA resource service board for each session with different source and destination addresses;
  • the main control board generates a flow distribution table and sends it to all interface boards.
  • the SA resource service board negotiates the SA entry and records the correspondence between the interest flow and the SA after negotiation.
  • when the statically specified interest flow range of the local end exceeds the negotiated range, the interface board delivers packets of the specified interest flow that fall outside the negotiated range to the SA resource service board.
  • the SA resource service board triggers IPsec negotiation when it finds no SA corresponding to that out-of-range interest flow.
  • this step includes:
  • the main control board allocates address bits for the physical address of the online SA resource service board.
  • the interface board receives the IKE negotiation request packet sent by the dynamic user, extracts the source address and the destination address in the IKE negotiation request packet, and calculates the physical address of the SA resource service board of the corresponding session according to the source address and the destination address. And delivering the IKE negotiation request message to the SA resource service board;
  • the SA resource service board negotiates to obtain the SA, and reports the physical address of the SA resource service board, the source address and the destination address of the negotiation parties, and the private network address allocated to the user to the main control board;
  • the main control board generates a flow distribution table and sends it to all interface boards.
  • Step 402 Each interface board selects a corresponding traffic distribution table according to the packet type of the packet to be processed.
  • This step includes:
  • when the packet is an IKE negotiation packet, the IKE offloading table is selected;
  • when the packet is a plaintext IP packet, the plaintext distribution table is selected;
  • when the packet is a ciphertext (AH or ESP) packet, the ciphertext distribution table is selected.
  • Step 403 Each interface board delivers the packet to the corresponding SA resource service board according to the selected distribution table.
  • the main control board can also delete the traffic distribution table and control the interface board deletion.
  • the main control board deletes the traffic distribution table and sends the deletion to all interface boards, instructing every interface board to delete the traffic distribution table. In the dynamic user access scenario, when a dynamic user goes offline:
  • the SA resource service board deletes the SA corresponding to the dynamic user and notifies the main control board, which deletes the distribution table and sends the deletion to all interface boards, instructing every interface board to delete the offloading table.
  • An embodiment of the present invention provides a service offloading system, and the structure thereof is as shown in FIG. 5, including:
  • the main control board 501 at least one interface board 502, and at least one SA resource service board 503;
  • the main control board 501 is configured to generate the same at least one split table for all interface boards 502 according to the IPsec negotiation element or the dynamic user access information;
  • the at least one interface board 502 is configured to: select a corresponding traffic distribution table according to the packet type of the packet to be processed, and deliver the packet to the corresponding SA resource service board according to the selected traffic distribution table.
  • the structure of the main control board 501 is as shown in FIG. 6, and includes:
  • the first address bit allocation module 601 is configured to: allocate an address bit for the physical address of the online SA resource service board;
  • the calculation module 602 is configured to: specify the source and destination addresses of the session, and other IPsec negotiation requirements, and use the load balancing algorithm to calculate the physical address of the SA resource service board of the session with different source and destination addresses;
  • the first traffic distribution table generating module 603 is configured to generate a traffic distribution table and deliver the data to all interface boards.
  • the interface board 502 is further configured to: when the statically specified interest flow range of the local end is greater than the negotiated range of the two parties, deliver packets of the specified interest flow that exceed the negotiated range to the SA resource service board 503.
  • the SA resource service board 503 is further configured to: trigger IPsec negotiation when no SA corresponding to the specified interest flow is found.
  • the main control board 501 further includes:
  • the second address bit allocation module 604 is configured to: allocate an address bit for the physical address of the online SA resource service board 503;
  • the information receiving module 605 is configured to: receive the physical address of the SA resource service board 503 reported by the SA resource service board 503 to the main control board 501, the source address and the destination address of the negotiation parties, and the private network address allocated to the user;
  • the second distribution table generating module 606 is configured to generate a distribution table and deliver the information to all interface boards 502.
  • the embodiment of the present invention provides a service offloading method and system, and calculates the same at least one offloading table for all the interface boards, and each interface board selects a corresponding splitting table according to the packet type of the packet to be processed. Each interface board delivers the packet to the corresponding SA resource service board according to the selected traffic distribution table. It implements the offloading and co-processing of packets related to different IPsec services, and solves the problem of packet shunting related to IPsec services with different characteristics.
  • all or part of the steps of the above embodiments may also be implemented using integrated circuits. These steps may be fabricated separately as individual integrated circuit modules, or multiple modules or steps may be fabricated into a single integrated circuit module.
  • the devices/function modules/functional units in the above embodiments may be implemented by a general-purpose computing device, which may be centralized on a single computing device or distributed over a network of multiple computing devices.
  • Each device/function module/functional unit in the above embodiment can be stored in a computer readable storage medium when implemented in the form of a software function module and sold or used as a stand-alone product.
  • the above mentioned computer readable storage medium may be a read only memory, a magnetic disk or an optical disk or the like.
  • the embodiment of the present invention implements the offloading and collaborative processing of packets related to different IPsec services, and solves the problem of packet offloading related to IPsec services of different characteristics.
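A runnable model of the offloading logic described in Steps 201-205, 301-307 and 401-403 above, written here as an added example (not code from the patent or from 中兴通讯股份有限公司). The board names, the hash used for load balancing, the placement of the board address value in the top byte of the SPI, the IKE-on-UDP/500 classification rule and the sample packets are all constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
import hashlib
import struct

BOARDS = ["slot3", "slot5", "slot7"]  # constructed: physical addresses of online SA resource boards
UDP, ESP, AH = 17, 50, 51
IKE_PORT = 500  # assumption: IKE negotiation is UDP/500; NAT-T on UDP/4500 is not modelled


def pair(a, b):
    """Direction-insensitive session key: the peer's reply has src and dst swapped."""
    return tuple(sorted((a, b)))


def allocate_address_bits(boards):
    """Step 201/301: the main control board assigns each online board a distinct one-byte value."""
    if len(boards) > 255:
        raise ValueError("board address value must fit in one byte")
    return {board: i for i, board in enumerate(boards, start=1)}


def load_balance(src, dst, boards):
    """Step 202/302: a hash of the session addresses picks the SA resource service board."""
    digest = hashlib.sha256(repr(pair(src, dst)).encode()).digest()
    return boards[int.from_bytes(digest[:4], "big") % len(boards)]


def allocate_spi(address_bit, per_sa_value):
    """Step 203/303: board address value in the top byte (assumed position), per-SA value in the rest."""
    if not 0 < per_sa_value < (1 << 24):
        raise ValueError("per-SA part must be non-zero and fit in 24 bits")
    return (address_bit << 24) | per_sa_value


def spi_fixed_bits(spi):
    """The fixed bits an interface board extracts from a ciphertext packet's SPI."""
    return (spi >> 24) & 0xFF


@dataclass
class DistributionTables:
    """The identical three tables the main control board delivers to every interface board."""
    ike: dict = field(default_factory=dict)         # session pair -> board
    plaintext: list = field(default_factory=list)   # (interest-flow template, board); first match wins
    ciphertext: dict = field(default_factory=dict)  # SPI fixed bits -> board

    def add_session(self, src, dst, interest_flow, board, address_bits):
        self.ike[pair(src, dst)] = board
        self.plaintext.append((ip_network(interest_flow), board))
        self.ciphertext[address_bits[board]] = board

    def remove_session(self, src, dst, interest_flow):
        """Steps 205 and 306-307: a board's ciphertext entry survives while other sessions use it."""
        self.ike.pop(pair(src, dst), None)
        self.plaintext = [e for e in self.plaintext if e[0] != ip_network(interest_flow)]
        live = set(self.ike.values())
        self.ciphertext = {bits: b for bits, b in self.ciphertext.items() if b in live}


def generate_static_tables(sessions, boards, address_bits):
    """Static peer mode (steps 201-202): sessions are (local, peer, interest-flow ACL prefix)."""
    tables = DistributionTables()
    for src, dst, interest_flow in sessions:
        tables.add_session(src, dst, interest_flow, load_balance(src, dst, boards), address_bits)
    return tables


def dynamic_user_online(tables, boards, address_bits, src, dst, private_addr):
    """Steps 302-304: hash the IKE request to a board; the reported private address becomes the template."""
    board = load_balance(src, dst, boards)
    tables.add_session(src, dst, f"{private_addr}/32", board, address_bits)
    return board


def cipher_packet(proto, src, dst, spi, seq=1):
    """Constructed ESP or AH packet: ESP carries the SPI first, AH after a 4-byte header."""
    hdr = struct.pack("!II", spi, seq) if proto == ESP else struct.pack("!BBHII", 6, 4, 0, spi, seq)
    return {"proto": proto, "src": src, "dst": dst, "payload": hdr}


def classify(pkt):
    """Step 402: the packet type selects which table the interface board consults."""
    if pkt["proto"] in (ESP, AH):
        return "ciphertext"
    if pkt["proto"] == UDP and pkt.get("dport") == IKE_PORT:
        return "ike"
    return "plaintext"


def dispatch(pkt, tables):
    """Step 403: look the packet up in the selected table; None means no board owns it."""
    kind = classify(pkt)
    if kind == "ike":
        return tables.ike.get(pair(pkt["src"], pkt["dst"]))
    if kind == "ciphertext":
        (spi,) = struct.unpack_from("!I", pkt["payload"], 0 if pkt["proto"] == ESP else 4)
        return tables.ciphertext.get(spi_fixed_bits(spi))
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    return next((b for net, b in tables.plaintext if src in net or dst in net), None)
```

A packet whose SPI fixed bits match no online board, or whose session is absent from the IKE table, yields None, which is the case in which the interface board has no SA resource service board to deliver to.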

Abstract

Disclosed are a service offloading method and system. The method comprises: generate at least one identical offloading table for all interface boards according to IPsec negotiation elements or dynamic user access information; each interface board selects a corresponding offloading table according to a message type of a message needing to be processed; and each interface board offloads and delivers the message to a corresponding security association (SA) resource service board according to the selected offloading table.

Description

Service offloading method and system
Technical field
This application relates to, but is not limited to, the field of communications.
Background
Internet Protocol Security (IPsec) must establish a Security Association (SA) before it can protect packets. The IPsec protocol suite consists of two security processing protocols and one key exchange protocol: the two security processing protocols are the IP Authentication Header (AH) protocol and the IP Encapsulating Security Payload (ESP) protocol, and the Internet Key Exchange (IKE) protocol is used to establish the SA.
As IPsec is deployed at large scale, higher demands are placed on processing performance. A distributed architecture hands IPsec processing to multiple processors, greatly improving throughput. The distributed processing technique in common use today is a device consisting of a main control board together with multiple interface boards and service boards, with IPsec-related processing mainly assigned to the service boards. In addition, IPsec anti-replay support requires that all service packets belonging to the same IPsec session be processed on a single processor.
Packets that the IPsec service must process include plain IP packets, IPsec packets (ESP or AH packets), and IKE negotiation packets.
In IPsec deployments, the session peer may be either statically specified or dynamically changing. In the static case the peer network address and the interest flow (the traffic to be protected) are fixed; the dynamic case is mostly used for remote access by dynamic users, where both the user network addresses and the number of users change over time.
For these different IPsec application scenarios, how the main control board, interface boards and service boards of a distributed device cooperate to process IPsec services, and how IPsec-related packets with different characteristics are steered to a single service board, are problems that need to be solved.
Summary of the invention
The following is an overview of the subject matter described in detail herein. This summary is not intended to limit the scope of the claims.
This document provides a service offloading method and system that solve the problem of distributing IPsec-related packets with different characteristics.
A service offloading method comprises:
generating, for all interface boards, the same at least one offloading table according to IPsec negotiation elements or dynamic user access information;
each interface board selecting the corresponding offloading table according to the packet type of the packet to be processed; and
each interface board delivering the packet to the corresponding security association (SA) resource service board according to the selected offloading table.
Optionally, the offloading table includes any one or more of the following:
an Internet Key Exchange (IKE) offloading table recording the correspondence between source and destination network addresses and the SA resource service board;
a plaintext offloading table recording the correspondence between an interest flow matching template and the physical address of the SA resource service board, where the interest flow matching template is an ACL or the private network address allocated to a dynamic access user; and
a ciphertext offloading table recording the correspondence between fixed bits of the Security Parameter Index (SPI) and the SA resource service board.
Optionally, each interface board selecting the corresponding offloading table according to the packet type of the packet to be processed includes:
when the packet type is an Internet Key Exchange (IKE) negotiation packet, selecting the IKE offloading table;
when the packet type is a plaintext packet, selecting the plaintext offloading table; and
when the packet type is a ciphertext packet, selecting the ciphertext offloading table.
Optionally, generating the same at least one offloading table for all interface boards according to IPsec negotiation elements includes:
the main control board allocating address bits to the physical address of each online SA resource service board;
the main control board specifying the source and destination addresses of both session parties and the other IPsec negotiation requirements, and using a load balancing algorithm to compute the SA resource service board physical address for sessions with different source and destination addresses; and
the main control board generating the offloading table and delivering it to all interface boards.
Optionally, after the main control board generates the offloading table and delivers it to all interface boards, the method further includes:
the SA resource service board negotiating an SA entry and recording the correspondence between the negotiated interest flow and the SA.
Optionally, the method further includes:
when the locally specified static interest flow range is larger than the range negotiated by the two parties, the interface board delivering the specified interest flow that falls outside the negotiated range to the SA resource service board; and
the SA resource service board, on failing to find an SA corresponding to that out-of-range interest flow, triggering an IPsec negotiation for the missing SA.
Optionally, the method further includes:
the main control board deleting the offloading table and delivering the deletion to all interface boards, instructing all interface boards to delete the offloading table.
Optionally, generating the same at least one offloading table for all interface boards according to dynamic user access information includes:
the main control board allocating address bits to the physical address of each online SA resource service board;
an interface board receiving an IKE negotiation request packet sent by a dynamic user, extracting the source and destination addresses from the packet, computing the physical address of the SA resource service board for the corresponding session from those addresses, and delivering the IKE negotiation request packet to that SA resource service board;
the SA resource service board negotiating to obtain the SA and reporting to the main control board its own physical address, the source and destination addresses of the two negotiating parties, and the private network address allocated to the user; and
the main control board generating the offloading table and delivering it to all interface boards.
Optionally, the method further includes:
after the dynamic user goes offline, the SA resource service board deleting the SA corresponding to that user and notifying the main control board to delete it; and
the main control board deleting the offloading table and delivering the deletion to all interface boards, instructing all interface boards to delete the offloading table.
A service offloading system includes a main control board, at least one interface board, and at least one SA resource service board;
the main control board is configured to generate, for all interface boards, the same at least one offloading table according to IPsec negotiation elements or dynamic user access information;
the at least one interface board is configured to select the corresponding offloading table according to the packet type of the packet to be processed, and to deliver the packet to the corresponding SA resource service board according to the selected offloading table.
Optionally, the main control board includes:
a first address bit allocation module configured to allocate address bits to the physical address of each online SA resource service board;
a calculation module configured to specify the source and destination addresses of both session parties and the other IPsec negotiation requirements, and to use a load balancing algorithm to compute the SA resource service board physical address for sessions with different source and destination addresses; and
a first offloading table generation module configured to generate the offloading table and deliver it to all interface boards.
Optionally, the interface board is further configured to, when the locally specified static interest flow range is larger than the range negotiated by the two parties, deliver the specified interest flow that falls outside the negotiated range to the SA resource service board;
and the SA resource service board is further configured to trigger an IPsec negotiation for the missing SA when it cannot find an SA corresponding to that out-of-range interest flow.
Optionally, the main control board includes:
a second address bit allocation module configured to allocate address bits to the physical address of each online SA resource service board;
an information receiving module configured to receive, from the SA resource service board, the physical address of the SA resource service board, the source and destination addresses of the two negotiating parties, and the private network address allocated to the user; and
a second offloading table generation module configured to generate the offloading table and deliver it to all interface boards.
A computer-readable storage medium stores computer-executable instructions for performing any of the methods above.
Embodiments of the present invention provide a service offloading method and system: the same at least one offloading table is generated for all interface boards according to IPsec negotiation elements or dynamic user access information, each interface board selects the corresponding offloading table according to the packet type of the packet to be processed, and each interface board then delivers the packet to the corresponding SA resource service board according to the selected table. This achieves the distribution and cooperative processing of packets related to different IPsec services and solves the problem of distributing IPsec-related packets with different characteristics.
Other aspects will become apparent upon reading and understanding the drawings and detailed description.
Brief description of the drawings
FIG. 1 is a schematic structural diagram of the distributed offloading device provided by Embodiment 1 of the present invention;
FIG. 2 is a schematic diagram of the offloading process for a statically specified peer address in Embodiment 1 of the present invention;
FIG. 3 is a schematic diagram of the offloading process for dynamic user access in Embodiment 1 of the present invention;
FIG. 4 is a flowchart of a service offloading method provided by Embodiment 2 of the present invention;
FIG. 5 is a schematic structural diagram of a service offloading system provided by Embodiment 3 of the present invention;
FIG. 6 is a schematic structural diagram of the main control board 501 of FIG. 5.
Embodiments of the invention
Embodiments of the present invention are described in detail below with reference to the accompanying drawings. Note that, where there is no conflict, the embodiments in this application and the features within them may be combined with one another arbitrarily.
Embodiments of the present invention provide a service offloading method and system. Different offloading tables are used to steer Internet Protocol Security (IPsec) service-related packets to Security Association (SA) resource service boards, solving the problem of how distributed IPsec service traffic is distributed.
Embodiment 1 is described first with reference to the drawings.
This embodiment provides a distributed offloading device composed of a main control board together with multiple interface boards and service boards. IPsec SA negotiation is performed on the service boards; the service board responsible for a given session is called that session's SA resource service board.
According to the packet types the IPsec service must process, different offloading tables on the interface boards steer packets to the SA resource service boards: the Internet Key Exchange (IKE) offloading table steers IKE negotiation packets; the plaintext offloading table steers ordinary IP packets; and the ciphertext offloading table steers ciphertext packets, that is, IPsec Authentication Header (AH) and Encapsulating Security Payload (ESP) packets. The offloading tables are fully distributed across the interface boards, and the SA resource service boards maintain only the IPsec SA information.
The IKE offloading table records the relationship between source and destination network addresses and the SA resource service board. The plaintext offloading table records the relationship between an interest flow matching template and the SA resource service board physical address, where the interest flow matching template may be an access control list (ACL) or the private network address allocated to a dynamic access user. The ciphertext offloading table records the correspondence between fixed bits of the Security Parameter Index (SPI) and the SA resource service board. To speed up the SA resource service board lookup, each service board's physical address is assigned a distinct bit value when the service board comes online in the distributed device, and that value is embedded in fixed bits of the SPI allocated to the session peer; in the inbound ciphertext direction, the fixed SPI bits are extracted directly from the ciphertext packet and used to look up the SA resource service board for steering.
The offloading tables are generated differently for the statically specified peer address scenario and the dynamic user access scenario.
In this embodiment, the main control board is responsible for configuration management and for generating and deleting offloading tables; the interface boards receive and send packets and, by looking up the offloading table appropriate to each packet type, distribute IPsec service packets to the SA resource service boards; and the SA resource service boards are responsible for IPsec SA negotiation and IPsec encryption and decryption.
As shown in FIG. 1, the distributed offloading device contains a main control board together with multiple interface boards and service boards, which exchange packets over inter-board communication. The main control board includes a configuration management module and an offload management module; each interface board includes a packet transceiver module and an offload management module; and each service board includes an SA negotiation module and a packet encryption/decryption module.
The offload management module on the main control board is responsible for computing the service board address bits, computing the SA resource service board by load balancing in the static specification mode, and generating and deleting offloading tables. The offload management module on an interface board is responsible for maintaining the offloading table information, selecting the offloading table according to the incoming packet type to deliver packets to the service boards, and computing the SA resource service board by load balancing in the dynamic user access mode.
FIG. 2 shows the offloading process for a statically specified peer address:
Step 201: after the service boards come online, the offload management module on the main control board allocates address bits for the physical address of each service board.
The offload management module on the main control board detects a service board coming online and allocates a value that represents that service board's physical address, called the service board address bits. These address bits are placed in fixed bits of the Security Parameter Index (SPI) allocated to the session peer. (The SPI identifies the SA of a particular communicating device: packets sent by the peer carry the SPI that the local end allocated for the peer's use, and that SPI uniquely indexes the SA, so when the local end receives a packet it parses out the SPI to find the corresponding SA. Different sessions correspond to different SAs and therefore to different SPIs.)
Step 202: the IPsec configuration management module statically specifies the source and destination addresses of both session parties and configures the remaining IPsec negotiation elements in full; the offload management module uses a load balancing algorithm to compute the SA resource service board address for sessions with different source and destination addresses, then generates the IKE offloading table, the ciphertext offloading table and the plaintext offloading table and delivers them to all interface boards.
The IKE offloading table records the correspondence between the session's source and destination addresses and the SA resource service board; the ciphertext offloading table records the correspondence between the service board address bits and the SA resource service board; and the plaintext offloading table records the relationship between the statically specified ACL flow and the SA resource service board.
Step 203: the SA resource service board successfully negotiates an SA entry, and its encryption/decryption module records the negotiated interest flow and the SA.
When allocating the SPI, the SA negotiation module uses the fixed bits of the SPI as the service board address bits. For example, if the SPI occupies 4 bytes, one of those bytes can directly carry the bits allocated in step 201 (which are in effect the in-slot information of the service board), while the other 3 bytes are allocated with different values for different SAs. Once the SPI has been allocated, every packet sent by the peer device carries it; when the local end receives such a packet it extracts that one byte from the SPI and thereby finds which service board the packet should be delivered to (this corresponds to step 204). The module also records the correspondence between the negotiated interest flow and the SA.
When the locally specified static interest flow range is larger than the interest flow negotiated by the two parties, the interface board's offload management module delivers the specified interest flow outside the negotiated range to the SA resource service board; the encryption/decryption module on the SA resource service board finds no SA for that traffic and triggers an IPsec negotiation for the missing SA.
Step 204: on the interface board, IKE negotiation packets are delivered to the SA resource service board via the IKE offloading table; plaintext packets are looked up in the plaintext offloading table, and those that match an interest flow matching template are delivered to the SA resource service board for encryption; for ciphertext packets, the fixed SPI bits are extracted and looked up in the ciphertext offloading table, and the packet is delivered to the SA resource service board for decryption.
Step 205: when the static IPsec configuration is deleted, the offload management module on the main control board deletes the offloading table and delivers the deletion to all interface boards.
FIG. 3 shows the offloading process for dynamic user access:
Step 301: after the service boards come online, the offload management module on the main control board allocates address bits for the physical address of each service board. This is the same as the first step (step 201) of the static specification mode.
Step 302: an interface board receives an IKE negotiation request packet from a dynamic user; its offload management module extracts the packet's source and destination addresses and uses a load balancing algorithm, for example a hash algorithm, to compute the physical address of the SA resource service board for that session, then delivers the IKE negotiation packet to that SA resource service board.
Before IPsec can protect a packet, an SA must be established, and the process of establishing the SA is the IKE negotiation. Every new dynamic user requesting access goes through SA negotiation and offloading table computation; once access succeeds and a private network address has been obtained, the user's data traffic is steered according to the offloading tables.
Step 303: after the negotiation module on the SA resource service board negotiates the SA, it proactively reports to the offload management module on the main control board, carrying the SA resource service board's physical address, the source and destination addresses of the two negotiating parties, and the private network address allocated to the user.
Here too, when allocating the SPI, the SA negotiation module uses the fixed bits of the SPI as the service board address bits.
Step 304: the offload management module on the main control board generates the IKE offloading table, the plaintext offloading table and the ciphertext offloading table.
The IKE offloading table is generated from the SA resource service board address and the source and destination addresses of the negotiating parties; the plaintext offloading table is generated from the SA resource service board address and the private network address allocated to the user; and the ciphertext offloading table is generated from the SA resource service board address and the fixed SPI bits. In the dynamic user access scenario, using the private network address allocated to the user as the interest flow matching template in the plaintext offloading table has the advantage of saving ACL storage entries on the interface board and speeding up lookups.
Step 305: on the interface board, IKE negotiation packets are delivered to the SA resource service board via the IKE offloading table; plaintext packets are looked up in the plaintext offloading table so that traffic for different user private network addresses is delivered to different SA resource service boards for encryption; for ciphertext packets, the fixed SPI bits are extracted and looked up in the ciphertext offloading table, and the packet is delivered to the SA resource service board for decryption.
Step 306: when a dynamic user goes offline, the SA on the SA resource service board is deleted and the offload management module on the main control board is proactively notified.
Step 307: the main control board deletes the offloading table and delivers the deletion to all interface boards.
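As an added example that is not part of the patent and not the applicant's implementation, the following Python models both procedures above (static peer, steps 201 to 204, and dynamic user, steps 301 to 305): the main control board allocates address bits, the SA board embeds them in a fixed byte of the SPI, and the interface board picks the IKE, plaintext or ciphertext table by packet type. The 32-bit SPI layout with the board bits in the top byte, the SHA-256 based load balancer, the board names and all addresses are assumptions constructed for illustration.

```python
# Added example, not code from the patent. Assumed: a 32-bit SPI whose top byte
# carries the service board address bits, a SHA-256 based load balancer, and
# constructed board names / addresses.
import hashlib
import ipaddress

SPI_BOARD_SHIFT = 24  # assumed layout: top byte of the SPI = service board address bits


class MasterBoard:
    """Main control board side: address bits for online boards and the three tables.
    For simplicity the interface board reads the tables here instead of a delivered copy."""

    def __init__(self):
        self.addr_bits = {}   # board id -> address bits (steps 201 / 301)
        self.ike = {}         # (src, dst) -> board id (IKE offloading table)
        self.plain = {}       # ip_network template (ACL or private addr) -> board id
        self.cipher = {}      # address bits -> board id (ciphertext offloading table)

    def board_online(self, board):
        bits = len(self.addr_bits) + 1  # value 0 is never allocated, so it never matches
        if bits > 0xFF:
            raise ValueError("no free address bits")
        self.addr_bits[board] = bits
        self.cipher[bits] = board

    def balance(self, src, dst):
        # Assumed load balancer (the patent only says "e.g. a hash"): hash of src/dst.
        boards = sorted(self.addr_bits)
        h = hashlib.sha256(f"{src}->{dst}".encode()).digest()
        return boards[int.from_bytes(h[:4], "big") % len(boards)]

    def add_static_session(self, src, dst, acl_networks):
        # Step 202: statically specified peer -> IKE and plaintext entries.
        board = self.balance(src, dst)
        self.ike[(src, dst)] = board
        for net in acl_networks:
            self.plain[ipaddress.ip_network(net)] = board
        return board

    def add_dynamic_user(self, board, src, dst, private_addr):
        # Steps 303/304: the SA board reports the negotiated session and private address;
        # the private address itself is the plaintext matching template (no ACL entry).
        self.ike[(src, dst)] = board
        self.plain[ipaddress.ip_network(private_addr)] = board


def allocate_spi(board_bits, seq):
    """SA board side (step 203): fixed byte = board address bits, rest is per-SA."""
    if not 0 < board_bits <= 0xFF or not 0 <= seq <= 0xFFFFFF:
        raise ValueError("board bits or sequence out of range")
    return (board_bits << SPI_BOARD_SHIFT) | seq


def spi_board_bits(spi):
    """Inbound ciphertext: pull the fixed byte out of the SPI without any SA lookup."""
    return (spi >> SPI_BOARD_SHIFT) & 0xFF


def dispatch(master, pkt):
    """Interface board side (steps 204 / 305): choose the table by packet type.
    Returns the SA resource service board id, or None when nothing is offloaded."""
    kind = pkt["type"]
    if kind == "ike":
        board = master.ike.get((pkt["src"], pkt["dst"]))
        # Step 302: an unknown dynamic user's IKE request is balanced on the interface board.
        return board if board is not None else master.balance(pkt["src"], pkt["dst"])
    if kind in ("esp", "ah"):
        # Unallocated bits give None: no board owns that SPI, so the packet is not delivered.
        return master.cipher.get(spi_board_bits(pkt["spi"]))
    if kind == "ip":
        dst = ipaddress.ip_address(pkt["dst"])
        for net, board in master.plain.items():
            if dst in net:
                return board
        return None  # not an interest flow: forwarded in the clear
    raise ValueError(f"unknown packet type {kind!r}")


def demo():
    """Constructed scenario: two boards, one static peer, one dynamic user."""
    m = MasterBoard()
    for b in ("slot3", "slot5"):
        m.board_online(b)
    board = m.add_static_session("203.0.113.10", "198.51.100.1", ["10.1.0.0/16"])
    spi = allocate_spi(m.addr_bits[board], 0x000042)  # step 203 on that board
    m.add_dynamic_user("slot5", "192.0.2.77", "198.51.100.1", "10.200.0.9/32")
    results = {
        "ike_static": dispatch(m, {"type": "ike", "src": "203.0.113.10", "dst": "198.51.100.1"}),
        "ike_dynamic": dispatch(m, {"type": "ike", "src": "192.0.2.77", "dst": "198.51.100.1"}),
        "esp_static": dispatch(m, {"type": "esp", "spi": spi}),
        "plain_static": dispatch(m, {"type": "ip", "src": "10.9.9.9", "dst": "10.1.2.3"}),
        "plain_dynamic": dispatch(m, {"type": "ip", "src": "10.9.9.9", "dst": "10.200.0.9"}),
        "esp_unknown": dispatch(m, {"type": "esp", "spi": 0x00ABCDEF}),
    }
    return board, spi, results
```

The `esp_unknown` case shows the check an interface board needs: an SPI whose fixed byte was never allocated maps to no board and must not be delivered anywhere.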
Embodiment 2 is described below with reference to the drawings.
This embodiment provides a service offloading method; the process of using it to steer different IPsec packets is shown in FIG. 4 and includes:
Step 401: generating, for all interface boards, the same at least one offloading table according to IPsec negotiation elements or dynamic user access information.
In this embodiment, the offloading table includes any one or more of the following:
an IKE offloading table recording the correspondence between source and destination network addresses and the SA resource service board;
a plaintext offloading table recording the correspondence between an interest flow matching template and the SA resource service board physical address, where the interest flow matching template is an ACL or the private network address allocated to a dynamic access user; and
a ciphertext offloading table recording the correspondence between fixed SPI bits and the SA resource service board.
For the statically specified peer address scenario, this step includes:
1. the main control board allocating address bits to the physical address of each online SA resource service board;
2. the main control board specifying the source and destination addresses of both session parties and the other IPsec negotiation requirements, and using a load balancing algorithm to compute the SA resource service board physical address for sessions with different source and destination addresses;
3. the main control board generating the offloading table and delivering it to all interface boards;
4. the SA resource service board negotiating an SA entry and recording the correspondence between the negotiated interest flow and the SA.
When the locally specified static interest flow range is larger than the range negotiated by the two parties, the interface board delivers the specified interest flow outside the negotiated range to the SA resource service board, and the SA resource service board, on failing to find an SA corresponding to that out-of-range interest flow, triggers an IPsec negotiation for the missing SA.
For the dynamic user access scenario, this step includes:
1. the main control board allocating address bits to the physical address of each online SA resource service board;
2. an interface board receiving an IKE negotiation request packet sent by a dynamic user, extracting the source and destination addresses from the packet, computing the physical address of the SA resource service board for the corresponding session from those addresses, and delivering the IKE negotiation request packet to that SA resource service board;
3. the SA resource service board negotiating to obtain the SA and reporting to the main control board its own physical address, the source and destination addresses of the two negotiating parties, and the private network address allocated to the user;
4. the main control board generating the offloading table and delivering it to all interface boards.
Step 402: each interface board selects the corresponding offloading table according to the packet type of the packet to be processed.
This step includes:
when the packet type is an Internet Key Exchange (IKE) negotiation packet, selecting the IKE offloading table;
when the packet type is a plaintext packet, selecting the plaintext offloading table; and
when the packet type is a ciphertext packet, selecting the ciphertext offloading table.
Step 403: each interface board delivers the packet to the corresponding SA resource service board according to the selected offloading table.
The main control board can also delete an offloading table and have the interface boards delete it. In the statically specified peer address scenario, the main control board deletes the offloading table and delivers the deletion to all interface boards, instructing them to delete the table. In the dynamic user access scenario, after a dynamic user goes offline, the SA resource service board deletes the SA corresponding to that user and notifies the main control board to delete it; the main control board then deletes the offloading table and delivers the deletion to all interface boards, instructing them to delete the table.
Embodiment 3 of the present invention is described below with reference to the accompanying drawings.
An embodiment of the present invention provides a service distribution system whose structure is shown in FIG. 5, including:
a main control board 501, at least one interface board 502, and at least one SA resource service board 503;
the main control board 501 is configured to generate the same at least one distribution table for all interface boards 502 according to the IPsec negotiation elements or the dynamic user access information;
the at least one interface board 502 is configured to select the corresponding distribution table according to the packet type of the packet it needs to process, and to distribute the packet according to the selected distribution table, delivering it to the corresponding SA resource service board 503.
Optionally, the structure of the main control board 501 is as shown in FIG. 6 and includes:
a first address bit allocation module 601, configured to allocate address bits for the physical addresses of the online SA resource service boards;
a calculation module 602, configured to specify the source and destination addresses of both session parties and the other IPsec negotiation requirements, and to compute, using a load balancing algorithm, the SA resource service board physical address for sessions with different source and destination addresses;
a first distribution table generation module 603, configured to generate the distribution table and deliver it to all interface boards.
Optionally, the interface board 502 is further configured so that, when the range of interesting traffic statically specified at the local end is larger than the range negotiated by the two parties, the specified interesting traffic that falls outside the negotiated range is still delivered to the SA resource service board 503;
the SA resource service board 503 is further configured to trigger an IPsec negotiation for that traffic when it cannot find an SA corresponding to the specified interesting traffic that falls outside the negotiated range (the no-SA case).
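As an added example (not the patent's or ZTE's code), here is the no-SA path that the two preceding paragraphs describe and that claim 6 below restates: the interface board's statically specified interesting-traffic range is wider than what was negotiated, so a packet inside the static range but outside every negotiated selector still reaches the SA resource service board, which finds no SA and triggers a negotiation rather than silently dropping the packet or, worse, forwarding it in the clear. The selector representation, the SA record, the pending-flow bookkeeping that keeps a burst of packets from triggering IKE once per packet, and the sample prefixes are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SaEntry:
    """One negotiated SA: the traffic selectors both peers agreed on, and its SPI."""
    src_sel: str
    dst_sel: str
    spi: int

    def covers(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src_sel)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst_sel))


@dataclass
class SaResourceBoard:
    """SA table for the sessions assigned to this board, plus the flows for which
    a negotiation has already been triggered (so one flow triggers IKE once)."""
    sa_table: list = field(default_factory=list)
    pending: list = field(default_factory=list)

    def handle_plaintext(self, src: str, dst: str):
        """("protect", spi) when an SA covers the flow; otherwise ("negotiate", flow):
        the packet is inside the local static policy but outside every negotiated
        selector, so the board starts an IPsec negotiation instead of dropping it."""
        for sa in self.sa_table:
            if sa.covers(src, dst):
                return "protect", sa.spi
        if (src, dst) not in self.pending:
            self.pending.append((src, dst))
        return "negotiate", (src, dst)

    def on_negotiated(self, sa: SaEntry):
        """IKE completed: install the SA and clear the pending flows it now covers."""
        self.sa_table.append(sa)
        self.pending = [f for f in self.pending if not sa.covers(*f)]


def in_static_policy(acl, src: str, dst: str) -> bool:
    """Interface board side: acl is (src_net, dst_net), the locally specified
    interesting-traffic range; only traffic inside it reaches the SA board."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(acl[0])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(acl[1]))


def forward_plaintext(acl, board: SaResourceBoard, src: str, dst: str):
    """Path of one plaintext packet: interface board policy check, then SA board lookup."""
    if not in_static_policy(acl, src, dst):
        return "bypass", None        # not interesting traffic: forwarded in the clear
    return board.handle_plaintext(src, dst)
```

The "bypass" branch is the one to review carefully in a real deployment: any address pair that the static policy does not cover is forwarded unprotected, so the static range should be at least as wide as every selector you expect to negotiate, which is exactly the situation the text is handling.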
Optionally, the main control board 501 further includes:
a second address bit allocation module 604, configured to allocate address bits for the physical addresses of the online SA resource service boards 503;
an information receiving module 605, configured to receive the physical address of the SA resource service board 503, the source and destination addresses of the negotiating parties, and the private network address assigned to the user, as reported by the SA resource service board 503 to the main control board 501;
a second distribution table generation module 606, configured to generate the distribution table and deliver it to all interface boards 502.
The embodiments of the present invention provide a service distribution method and system in which the same at least one distribution table is computed for all interface boards, each interface board selects the corresponding distribution table according to the packet type of the packet it needs to process, and each interface board then distributes the packet according to the selected distribution table, delivering it to the corresponding SA resource service board. This achieves the distribution and coordinated processing of packets belonging to different IPsec services and solves the problem of distributing IPsec-related packets with different characteristics.
A person of ordinary skill in the art will understand that all or some of the steps of the above embodiments can be implemented by a computer program flow; the computer program may be stored in a computer-readable storage medium and executed on a corresponding hardware platform (such as a system, device, apparatus or component), and when executed performs one of the steps of the method embodiments or a combination of them.
Optionally, all or some of the steps of the above embodiments can also be implemented with integrated circuits; these steps may be fabricated as individual integrated circuit modules, or several of the modules or steps may be fabricated as a single integrated circuit module.
The devices, functional modules and functional units of the above embodiments may be implemented on general-purpose computing devices; they may be concentrated on a single computing device or distributed over a network formed by several computing devices.
When the devices, functional modules and functional units of the above embodiments are implemented as software functional modules and sold or used as independent products, they may be stored in a computer-readable storage medium. The computer-readable storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disk, or the like.
Industrial applicability
The embodiments of the present invention achieve the distribution and coordinated processing of packets belonging to different IPsec services and solve the problem of distributing IPsec-related packets with different characteristics.

Claims (14)

  1. A service distribution method, comprising:
    generating the same at least one distribution table for all interface boards according to IPsec negotiation elements or dynamic user access information;
    each interface board selecting the corresponding distribution table according to the packet type of the packet it needs to process; and
    each interface board distributing the packet according to the selected distribution table, delivering it to the corresponding security association (SA) resource service board.
  2. The service distribution method according to claim 1, wherein the distribution table comprises any one or more of the following:
    an IKE distribution table recording the correspondence between source and destination network addresses and SA resource service boards;
    a plaintext distribution table recording the correspondence between interesting-traffic matching templates and SA resource service board physical addresses, the interesting-traffic matching template being an access control list (ACL) or a private network address assigned to a dynamically accessing user; and
    a ciphertext distribution table recording the correspondence between fixed bits of the security parameter index (SPI) and SA resource service boards.
  3. The service distribution method according to claim 2, wherein each interface board selecting the corresponding distribution table according to the packet type of the packet it needs to process comprises:
    when the packet type is an IKE negotiation packet, selecting the IKE distribution table;
    when the packet type is a plaintext packet, selecting the plaintext distribution table;
    when the packet type is a ciphertext packet, selecting the ciphertext distribution table.
  4. The service distribution method according to claim 1, wherein generating the same at least one distribution table for all interface boards according to IPsec negotiation elements comprises:
    the main control board allocating address bits for the physical addresses of the online SA resource service boards;
    the main control board specifying the source and destination addresses of both session parties and the other IPsec negotiation requirements, and computing, using a load balancing algorithm, the SA resource service board physical address for sessions with different source and destination addresses; and
    the main control board generating the distribution table and delivering it to all interface boards.
  5. The service distribution method according to claim 4, further comprising, after the step of the main control board generating the distribution table and delivering it to all interface boards:
    the SA resource service board negotiating SA entries and recording the correspondence between the interesting traffic negotiated by both parties and the SAs.
  6. The service distribution method according to claim 4, further comprising:
    when the range of interesting traffic statically specified at the local end is larger than the range negotiated by the two parties, the interface board delivering the specified interesting traffic that falls outside the negotiated range to the SA resource service board; and
    the SA resource service board triggering an IPsec negotiation for that traffic when it cannot find an SA corresponding to the specified interesting traffic that falls outside the negotiated range.
  7. The service distribution method according to claim 4, further comprising:
    the main control board deleting the distribution table and sending the deletion to all interface boards, instructing all interface boards to delete the distribution table.
  8. The service distribution method according to claim 1, wherein generating the same at least one distribution table for all interface boards according to dynamic user access information comprises:
    the main control board allocating address bits for the physical addresses of the online SA resource service boards;
    an interface board receiving an IKE negotiation request packet sent by a dynamic user, extracting the source and destination addresses from the IKE negotiation request packet, computing the physical address of the SA resource service board for the corresponding session from the source and destination addresses, and delivering the IKE negotiation request packet to that SA resource service board;
    the SA resource service board negotiating to obtain the SA and reporting to the main control board the physical address of the SA resource service board, the source and destination addresses of the negotiating parties, and the private network address assigned to the user; and
    the main control board generating the distribution table and delivering it to all interface boards.
  9. The service distribution method according to claim 8, further comprising:
    after the dynamic user goes offline, the SA resource service board deleting the SA corresponding to that dynamic user and notifying the main control board to delete the SA corresponding to that dynamic user; and
    the main control board deleting the distribution table and sending the deletion to all interface boards, instructing all interface boards to delete the distribution table.
  10. A service distribution system, comprising a main control board, at least one interface board, and at least one SA resource service board;
    the main control board being configured to generate the same at least one distribution table for all interface boards according to IPsec negotiation elements or dynamic user access information;
    the at least one interface board being configured to select the corresponding distribution table according to the packet type of the packet it needs to process, and to distribute the packet according to the selected distribution table, delivering it to the corresponding SA resource service board.
  11. The service distribution system according to claim 10, wherein the main control board comprises:
    a first address bit allocation module, configured to allocate address bits for the physical addresses of the online SA resource service boards;
    a calculation module, configured to specify the source and destination addresses of both session parties and the other IPsec negotiation requirements, and to compute, using a load balancing algorithm, the SA resource service board physical address for sessions with different source and destination addresses;
    a first distribution table generation module, configured to generate the distribution table and deliver it to all interface boards.
  12. The service distribution system according to claim 10, wherein:
    the interface board is further configured so that, when the range of interesting traffic statically specified at the local end is larger than the range negotiated by the two parties, the specified interesting traffic that falls outside the negotiated range is delivered to the SA resource service board;
    the SA resource service board is further configured to trigger an IPsec negotiation for that traffic when it cannot find an SA corresponding to the specified interesting traffic that falls outside the negotiated range.
  13. The service distribution system according to claim 10, wherein the main control board comprises:
    a second address bit allocation module, configured to allocate address bits for the physical addresses of the online SA resource service boards;
    an information receiving module, configured to receive the physical address of the SA resource service board, the source and destination addresses of the negotiating parties, and the private network address assigned to the user, as reported by the SA resource service board to the main control board;
    a second distribution table generation module, configured to generate the distribution table and deliver it to all interface boards.
  14. A computer-readable storage medium storing computer-executable instructions for performing the method of any one of claims 1 to 9.
PCT/CN2015/088148, priority date 2015-03-26, filing date 2015-08-26: Service offloading method and system, WO2016150097A1 (en)

Applications Claiming Priority (2)

CN201510136449.5A (CN106161340B), priority date 2015-03-26, filing date 2015-03-26: Service distribution method and system
CN201510136449.5, priority date 2015-03-26

Publications (1)

WO2016150097A1, published 2016-09-29

Family

ID=56978836

Family Applications (1)

PCT/CN2015/088148 (WO2016150097A1), priority date 2015-03-26, filing date 2015-08-26: Service offloading method and system

Country Status (2)

CN: CN106161340B
WO: WO2016150097A1

Also Published As

CN106161340B, published 2020-06-09
CN106161340A, published 2016-11-23

Legal Events

121 (EP): the EPO has been informed by WIPO that EP was designated in this application; reference document 15886026, country EP, kind code A1
NENP: non-entry into the national phase; reference country code DE
122 (EP): PCT application non-entry in European phase; reference document 15886026, country EP, kind code A1